| 9 Jul 2025 |
hexa | i remember systemd migrating state between dynamicuser=true/false | 00:39:47 |
Zhaofeng Li | oh really? | 00:40:06 |
Zhaofeng Li | but still, if you have some kind of impermanence setup where you mount /var/lib/private/kea you are still screwed | 00:40:31 |
hexa | e.g. https://github.com/systemd/systemd/pull/15033 | 00:40:40 |
hexa | true, but there is not much we can do about that, right"? | 00:40:55 |
hexa | * true, but there is not much we can do about that, right? | 00:40:56 |
Zhaofeng Li | but it's kind of rude to break stable like that | 00:42:46 |
hexa | yeah, true | 00:43:05 |
hexa | so we hack around with chmod in prestart? | 00:43:21 |
hexa | * so we hack around with chmod in prestart for now | 00:44:09 |
Zhaofeng Li | yeah, looks like the least dramatic option, though not ideal | 00:45:06 |
Zhaofeng Li | maybe we can migrate to a static user, but force everyone with stateVersion <= 25.11 to explicitly set stateDir to acknowledge the migration | 00:46:41 |
Zhaofeng Li | * maybe we can migrate to a static user in unstable, but force everyone with stateVersion <= 25.11 to explicitly set stateDir to acknowledge the migration | 00:47:13 |
hexa | diff --git a/nixos/modules/services/networking/kea.nix b/nixos/modules/services/networking/kea.nix
index 6e0af62425a4..6f815659f567 100644
--- a/nixos/modules/services/networking/kea.nix
+++ b/nixos/modules/services/networking/kea.nix
@@ -272,12 +272,13 @@ in
};
commonServiceConfig = {
- ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ ExecStartPre = "${lib.getExe' pkgs.coreutils "chmod"} 0750 /run/kea";
+ ExecReload = "${lib.getExe' pkgs.coreutils "kill"} -HUP $MAINPID";
DynamicUser = true;
User = "kea";
ConfigurationDirectory = "kea";
RuntimeDirectory = "kea";
- RuntimeDirectoryMode = "750";
+ RuntimeDirectoryMode = "0750";
RuntimeDirectoryPreserve = true;
StateDirectory = "kea";
UMask = "0077";
| 00:47:46 |
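Review bot: the `RuntimeDirectoryMode = "750"` to `"0750"` change in this hunk is cosmetic; systemd parses both as the same octal mode, so it does nothing about the directory ending up 0755, and the new `ExecStartPre` chmod is what actually does the work. That chmod runs as `User = "kea"` (no `+` prefix), so it only succeeds while the dynamic user owns the directory, and because `RuntimeDirectoryPreserve = true` keeps `/run/kea` across restarts, any later mode reset by systemd is only corrected at the next start rather than preventing the mismatch; with `DynamicUser = true`, `/run/kea` is a symlink into `/run/private/`, and chmod follows it, which is presumably the intent but worth a comment next to the `ExecStartPre` line explaining why the hack exists and when it can be removed.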
hexa | this change nothing | 00:47:56 |
hexa | * this changes nothing | 00:48:38 |
Zhaofeng Li | it seems racy... I added the chmod to script (not ExecStartPre) and it failed once but worked the next two tries? | 00:52:03 |
Zhaofeng Li | what even is going on | 00:52:11 |
hexa | can only be systemd doing this | 00:52:45 |
Zhaofeng Li | this is beyond cursed | 00:54:40 |
Zhaofeng Li | how about we patch kea to skip the permission check if NIXPKGS_HACK_ASSUME_THAT_THE_SOCKET_DIR_IS_PROTECTED_BY_SYSTEMD is set | 00:55:22 |
hexa | but it isn't protected, it is 0755 😄 | 00:56:04 |
hexa | * but it isn't protected, it is fucking 0755 😄 | 00:56:09 |
Zhaofeng Li | /var/run/private is protected, right? | 00:57:42 |
hexa | uhhh yeah | 00:58:46 |
hexa | I think so | 00:58:54 |
hexa | Zhaofeng Li: Restart = "on-failure" 🫣 | 01:14:38 |