treewide: tmpfiles.rules -> tmpfiles.settings

nixos/modules/programs/ccache.nix

@@ -33,7 +33,11 @@ in {
   config = lib.mkMerge [
     # host configuration
     (lib.mkIf cfg.enable {
-      systemd.tmpfiles.rules = [ "d ${cfg.cacheDir} 0770 ${cfg.owner} ${cfg.group} -" ];
+      systemd.tmpfiles.settings."10-ccache".${cfg.cacheDir}.d = {
+        user = cfg.owner;
+        inherit (cfg) group;
+        mode = "0770";
+      };
 
       # "nix-ccache --show-stats" and "nix-ccache --clear"
       security.wrappers.nix-ccache = {

nixos/modules/programs/nncp.nix

@@ -63,10 +63,18 @@ in {
       log = lib.mkDefault "/var/spool/nncp/log";
     };
 
-    systemd.tmpfiles.rules = [
-      "d ${programCfg.settings.spool} 0770 root ${programCfg.group}"
-      "f ${programCfg.settings.log} 0770 root ${programCfg.group}"
-    ];
+    systemd.tmpfiles.settings."10-nncp" = {
+      ${programCfg.settings.spool}.d = {
+        user = "root";
+        inherit (programCfg) group;
+        mode = "0770";
+      };
+      ${programCfg.settings.log}.f = {
+        user = "root";
+        inherit (programCfg) group;
+        mode = "0770";
+      };
+    };
 
     systemd.services.nncp-config = {
       path = [ pkg ];

nixos/modules/programs/singularity.nix

@@ -112,8 +112,12 @@ in
       group = "root";
       source = "${cfg.packageOverriden}/libexec/${cfg.packageOverriden.projectName}/bin/starter-suid.orig";
     };
-    systemd.tmpfiles.rules = lib.mkIf cfg.enableExternalLocalStateDir [
-      "d /var/lib/${cfg.packageOverriden.projectName}/mnt/session 0770 root root -"
-    ];
+    systemd.tmpfiles.settings."10-singularity" = lib.mkIf cfg.enableExternalLocalStateDir {
+      "/var/lib/${cfg.packageOverriden.projectName}/mnt/session".d = {
+        user = "root";
+        group = "root";
+        mode = "0770";
+      };
+    };
   };
 }

nixos/modules/services/audio/slimserver.nix

@@ -37,9 +37,10 @@ in {
 
   config = mkIf cfg.enable {
 
-    systemd.tmpfiles.rules = [
-      "d '${cfg.dataDir}' - slimserver slimserver - -"
-    ];
+    systemd.tmpfiles.settings."10-slimserver".${cfg.dataDir}.d = {
+      user = "slimserver";
+      group = "slimserver";
+    };
 
     systemd.services.slimserver = {
       after = [ "network.target" ];

nixos/modules/services/backup/btrbk.nix

@@ -252,11 +252,24 @@ in
         cfg.sshAccess;
     };
     users.groups.btrbk = { };
-    systemd.tmpfiles.rules = [
-      "d /var/lib/btrbk 0750 btrbk btrbk"
-      "d /var/lib/btrbk/.ssh 0700 btrbk btrbk"
-      "f /var/lib/btrbk/.ssh/config 0700 btrbk btrbk - StrictHostKeyChecking=accept-new"
-    ];
+    systemd.tmpfiles.settings."10-btrbk" = {
+      "/var/lib/btrbk".d = {
+        user = "btrbk";
+        group = "btrbk";
+        mode = "0750";
+      };
+      "/var/lib/btrbk/.ssh".d = {
+        user = "btrbk";
+        group = "btrbk";
+        mode = "0700";
+      };
+      "/var/lib/btrbk/.ssh/config".f = {
+        user = "btrbk";
+        group = "btrbk";
+        mode = "0700";
+        argument = "StrictHostKeyChecking=accept-new";
+      };
+    };
     environment.etc = mapAttrs'
       (
         name: instance: {

nixos/modules/services/backup/duplicity.nix

@@ -197,7 +197,11 @@ in
         startAt = cfg.frequency;
       };
 
-      tmpfiles.rules = optional (localTarget != null) "d ${localTarget} 0700 root root -";
+      tmpfiles.settings."10-duplicity".${localTarget}.d = {
+        user = "root";
+        group = "root";
+        mode = "0700";
+      };
     };
 
     assertions = singleton {

nixos/modules/services/backup/postgresql-backup.nix

@@ -156,9 +156,10 @@ in {
       ];
     }
     (lib.mkIf cfg.enable {
-      systemd.tmpfiles.rules = [
-        "d '${cfg.location}' 0700 postgres - - -"
-      ];
+      systemd.tmpfiles.settings."10-postgresql-backup".${cfg.location}.d = {
+        user = "postgres";
+        mode = "0700";
+      };
     })
     (lib.mkIf (cfg.enable && cfg.backupAll) {
       systemd.services.postgresqlBackup =

nixos/modules/services/cluster/hadoop/yarn.nix

@@ -141,9 +141,9 @@ in
     (mkIf cfg.yarn.nodemanager.enable {
       # Needed because yarn hardcodes /bin/bash in container start scripts
       # These scripts can't be patched, they are generated at runtime
-      systemd.tmpfiles.rules = [
-        (mkIf cfg.yarn.nodemanager.addBinBash "L /bin/bash - - - - /run/current-system/sw/bin/bash")
-      ];
+      systemd.tmpfiles.settings."10-yarn" = mkIf cfg.yarn.nodemanager.addBinBash {
+        "/bin/bash".L.argument = "/run/current-system/sw/bin/bash";
+      };
 
       systemd.services.yarn-nodemanager = {
         description = "Hadoop YARN NodeManager";

nixos/modules/services/databases/firebird.nix

@@ -82,10 +82,16 @@ in
 
     environment.systemPackages = [cfg.package];
 
-    systemd.tmpfiles.rules = [
-      "d '${dataDir}' 0700 ${cfg.user} - - -"
-      "d '${systemDir}' 0700 ${cfg.user} - - -"
-    ];
+    systemd.tmpfiles.settings."10-firebird" = {
+      ${dataDir}.d = {
+        inherit (cfg) user;
+        mode = "0700";
+      };
+      ${systemDir}.d = {
+        inherit (cfg) user;
+        mode = "0700";
+      };
+    };
 
     systemd.services.firebird =
       { description = "Firebird Super-Server";

nixos/modules/services/hardware/sane.nix

@@ -175,9 +175,11 @@ in
       users.groups.scanner.gid = config.ids.gids.scanner;
       networking.firewall.allowedUDPPorts = lib.mkIf config.hardware.sane.openFirewall [ 8612 ];
 
-      systemd.tmpfiles.rules = [
-        "d /var/lock/sane 0770 root scanner - -"
-      ];
+      systemd.tmpfiles.settings."10-sane"."/var/lock/sane".d = {
+        user = "root";
+        group = "scanner";
+        mode = "0770";
+      };
     })
 
     (lib.mkIf config.services.saned.enable {

nixos/modules/services/hardware/tcsd.nix

@@ -127,10 +127,10 @@ in
       ACTION=="add", KERNEL=="tpm[0-9]*", TAG+="systemd"
     '';
 
-    systemd.tmpfiles.rules = [
-      # Initialise the state directory
-      "d ${cfg.stateDir} 0770 ${cfg.user} ${cfg.group} - -"
-    ];
+    systemd.tmpfiles.settings."10-tcsd".${cfg.stateDir}.d = {
+      inherit (cfg) user group;
+      mode = "0770";
+    };
 
     systemd.services.tcsd = {
       description = "Manager for Trusted Computing resources";

nixos/modules/services/hardware/vdr.nix

@@ -50,10 +50,15 @@ in
 
   config = mkIf cfg.enable {
 
-    systemd.tmpfiles.rules = [
-      "d ${cfg.videoDir} 0755 ${cfg.user} ${cfg.group} -"
-      "Z ${cfg.videoDir} - ${cfg.user} ${cfg.group} -"
-    ];
+    systemd.tmpfiles.settings."10-vdr".${cfg.videoDir} = {
+      d = {
+        inherit (cfg) user group;
+        mode = "0755";
+      };
+      Z = {
+        inherit (cfg) user group;
+      };
+    };
 
     systemd.services.vdr = {
       description = "VDR";

nixos/modules/services/logging/graylog.nix

@@ -138,9 +138,9 @@ in
     };
     users.groups = lib.mkIf (cfg.user == "graylog") { graylog = {}; };
 
-    systemd.tmpfiles.rules = [
-      "d '${cfg.messageJournalDir}' - ${cfg.user} - - -"
-    ];
+    systemd.tmpfiles.settings."10-graylog".${cfg.messageJournalDir}.d = {
+      inherit (cfg) user;
+    };
 
     systemd.services.graylog = {
       description = "Graylog Server";

nixos/modules/services/logging/heartbeat.nix

@@ -55,9 +55,10 @@ in
 
   config = lib.mkIf cfg.enable {
 
-    systemd.tmpfiles.rules = [
-      "d '${cfg.stateDir}' - nobody nogroup - -"
-    ];
+    systemd.tmpfiles.settings."10-heartbeat".${cfg.stateDir}.d = {
+      user = "nobody";
+      group = "nogroup";
+    };
 
     systemd.services.heartbeat = with pkgs; {
       description = "heartbeat log shipper";

nixos/modules/services/mail/nullmailer.nix

@@ -207,12 +207,17 @@
       groups.${cfg.group} = { };
     };
 
-    systemd.tmpfiles.rules = [
-      "d /var/spool/nullmailer - ${cfg.user} ${cfg.group} - -"
-      "d /var/spool/nullmailer/failed 770 ${cfg.user} ${cfg.group} - -"
-      "d /var/spool/nullmailer/queue 770 ${cfg.user} ${cfg.group} - -"
-      "d /var/spool/nullmailer/tmp 770 ${cfg.user} ${cfg.group} - -"
-    ];
+    systemd.tmpfiles.settings."10-nullmailer" = let
+      defaultConfig = {
+        inherit (cfg) user group;
+        mode = "0770";
+      };
+    in {
+      "/var/spool/nullmailer".d = defaultConfig;
+      "/var/spool/nullmailer/failed".d = defaultConfig;
+      "/var/spool/nullmailer/queue".d = defaultConfig;
+      "/var/spool/nullmailer/tmp".d = defaultConfig;
+    };
 
     systemd.services.nullmailer = {
       description = "nullmailer";

nixos/modules/services/mail/opendkim.nix

@@ -102,9 +102,9 @@ in {
 
     environment.systemPackages = [ pkgs.opendkim ];
 
-    systemd.tmpfiles.rules = [
-      "d '${cfg.keyPath}' - ${cfg.user} ${cfg.group} - -"
-    ];
+    systemd.tmpfiles.settings."10-opendkim".${cfg.keyPath}.d = {
+      inherit (cfg) user group;
+    };
 
     systemd.services.opendkim = {
       description = "OpenDKIM signing and verification daemon";

nixos/modules/services/mail/opensmtpd.nix

@@ -105,11 +105,22 @@ in {
     services.mail.sendmailSetuidWrapper = lib.mkIf cfg.setSendmail
       (security.wrappers.smtpctl // { program = "sendmail"; });
 
-    systemd.tmpfiles.rules = [
-      "d /var/spool/smtpd 711 root - - -"
-      "d /var/spool/smtpd/offline 770 root smtpq - -"
-      "d /var/spool/smtpd/purge 700 smtpq root - -"
-    ];
+    systemd.tmpfiles.settings."10-opensmtpd" = {
+      "/var/spool/smtpd".d = {
+        user = "root";
+        mode = "0711";
+      };
+      "/var/spool/smtpd/offline" = {
+        user = "root";
+        group = "smtpq";
+        mode = "0770";
+      };
+      "/var/spool/smtpd/purge" = {
+        user = "smtpq";
+        group = "root";
+        mode = "0700";
+      };
+    };
 
     systemd.services.opensmtpd = let
       procEnv = pkgs.buildEnv {

nixos/modules/services/misc/apache-kafka.nix

@@ -179,7 +179,12 @@ in {
     };
     users.groups.apache-kafka = {};
 
-    systemd.tmpfiles.rules = map (logDir: "d '${logDir}' 0700 apache-kafka - - -") cfg.settings."log.dirs";
+    systemd.tmpfiles.settings."10-apache-kafka" = lib.genAttrs (_: {
+      d = {
+        user = "apache-kafka";
+        mode = "0700";
+      };
+    }) cfg.settings."log.dirs";
 
     systemd.services.apache-kafka = {
       description = "Apache Kafka Daemon";

nixos/modules/services/misc/etebase-server.nix

@@ -172,11 +172,17 @@ in
       '')
     ];
 
-    systemd.tmpfiles.rules = [
-      "d '${cfg.dataDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
-    ] ++ lib.optionals (cfg.unixSocket != null) [
-      "d '${builtins.dirOf cfg.unixSocket}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
-    ];
+    systemd.tmpfiles.settings."10-etebase-server" = {
+      ${cfg.dataDir}.d = {
+        inherit (cfg) user;
+        inherit (config.users.users.${cfg.user}) group;
+      };
+    } // (lib.optionalAttrs (cfg.unixSocket != null) {
+      ${builtins.dirOf cfg.unixSocket}.d = {
+        inherit (cfg) user;
+        inherit (config.users.users.${cfg.user}) group;
+      };
+    });
 
     systemd.services.etebase-server = {
       description = "An Etebase (EteSync 2.0) server";

nixos/modules/services/misc/gitea.nix

@@ -492,33 +492,40 @@ in
       ];
     };
 
-    systemd.tmpfiles.rules = [
-      "d '${cfg.dump.backupDir}' 0750 ${cfg.user} ${cfg.group} - -"
-      "z '${cfg.dump.backupDir}' 0750 ${cfg.user} ${cfg.group} - -"
-      "d '${cfg.repositoryRoot}' 0750 ${cfg.user} ${cfg.group} - -"
-      "z '${cfg.repositoryRoot}' 0750 ${cfg.user} ${cfg.group} - -"
-      "d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -"
-      "d '${cfg.stateDir}/conf' 0750 ${cfg.user} ${cfg.group} - -"
-      "d '${cfg.customDir}' 0750 ${cfg.user} ${cfg.group} - -"
-      "d '${cfg.customDir}/conf' 0750 ${cfg.user} ${cfg.group} - -"
-      "d '${cfg.stateDir}/data' 0750 ${cfg.user} ${cfg.group} - -"
-      "d '${cfg.stateDir}/log' 0750 ${cfg.user} ${cfg.group} - -"
-      "z '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -"
-      "z '${cfg.stateDir}/.ssh' 0700 ${cfg.user} ${cfg.group} - -"
-      "z '${cfg.stateDir}/conf' 0750 ${cfg.user} ${cfg.group} - -"
-      "z '${cfg.customDir}' 0750 ${cfg.user} ${cfg.group} - -"
-      "z '${cfg.customDir}/conf' 0750 ${cfg.user} ${cfg.group} - -"
-      "z '${cfg.stateDir}/data' 0750 ${cfg.user} ${cfg.group} - -"
-      "z '${cfg.stateDir}/log' 0750 ${cfg.user} ${cfg.group} - -"
+    systemd.tmpfiles.settings."10-gitea" = let
+      defaultConfig = {
+        inherit (cfg) user group;
+        mode = "0750";
+      };
+    in {
+      ${cfg.dump.backupDir}.d = defaultConfig;
+      ${cfg.dump.backupDir}.z = defaultConfig;
+      ${cfg.repositoryRoot}.d = defaultConfig;
+      ${cfg.repositoryRoot}.z = defaultConfig;
+
+      ${cfg.stateDir}.d = defaultConfig;
+      "${cfg.stateDir}/conf".d = defaultConfig;
+      ${cfg.customDir}.d = defaultConfig;
+      "${cfg.customDir}/conf".d = defaultConfig;
+      "${cfg.stateDir}/data".d = defaultConfig;
+      "${cfg.stateDir}/log".d = defaultConfig;
+      ${cfg.stateDir}.z = defaultConfig;
+      "${cfg.stateDir}/.ssh".z = defaultConfig // { mode = "0700"; };
+      "${cfg.stateDir}/conf".z = defaultConfig;
+      ${cfg.customDir}.z = defaultConfig;
+      "${cfg.customDir}/conf".z = defaultConfig;
+      "${cfg.stateDir}/data".z = defaultConfig;
+      "${cfg.stateDir}/log".z = defaultConfig;
 
       # If we have a folder or symlink with gitea locales, remove it
       # And symlink the current gitea locales in place
-      "L+ '${cfg.stateDir}/conf/locale' - - - - ${cfg.package.out}/locale"
+      "${cfg.stateDir}/conf/locale"."L+".argument = "${cfg.package.out}/locale";
 
-    ] ++ lib.optionals cfg.lfs.enable [
-      "d '${cfg.lfs.contentDir}' 0750 ${cfg.user} ${cfg.group} - -"
-      "z '${cfg.lfs.contentDir}' 0750 ${cfg.user} ${cfg.group} - -"
-    ];
+      ${cfg.lfs.contentDir} = lib.mkIf cfg.lfs.enable {
+        d = defaultConfig;
+        z = defaultConfig;
+      };
+    };
 
     systemd.services.gitea = {
       description = "gitea";