All modules with preStart: Use systemd.tmpfiles.rules

This is NixOS' recommended way to setup service dirs
https://github.com/NixOS/nixpkgs/pull/56265. This commit hands off the
initial data directory creation to systemd.tmpfiles.rules. All other
preStart scripts are left intact to limit this changes' scope.

modules/bitcoind.nix

@@ -255,19 +255,17 @@ in {
       sysperms = true;
     };
 
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
+      "d '${cfg.dataDir}/blocks' 0770 ${cfg.user} ${cfg.group} - -"
+    ];
+
     systemd.services.bitcoind = {
       description = "Bitcoin daemon";
       requires = [ "nix-bitcoin-secrets.target" ];
       after = [ "network.target" "nix-bitcoin-secrets.target" ];
       wantedBy = [ "multi-user.target" ];
       preStart = ''
-        if [[ ! -e ${cfg.dataDir} ]]; then
-          mkdir -m 0770 -p '${cfg.dataDir}'
-        fi
-        if [[ ! -e ${cfg.dataDir}/blocks ]]; then
-          mkdir -m 0770 -p '${cfg.dataDir}/blocks'
-        fi
-        chown -R '${cfg.user}:${cfg.group}' '${cfg.dataDir}'
         ${optionalString cfg.dataDirReadableByGroup  "chmod -R g+rX '${cfg.dataDir}/blocks'"}
 
         cfg=$(cat ${configFile}; printf "rpcpassword="; cat "${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword")

modules/clightning.nix

@@ -78,6 +78,10 @@ in {
     };
     users.groups.clightning = {};
 
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' 0770 ${config.users.users.clightning.name} ${config.users.users.clightning.group} - -"
+    ];
+
     systemd.services.clightning = {
       description = "Run clightningd";
       path  = [ pkgs.nix-bitcoin.bitcoind ];
@@ -85,7 +89,6 @@ in {
       requires = [ "bitcoind.service" ];
       after = [ "bitcoind.service" ];
       preStart = ''
-        mkdir -m 0770 -p ${cfg.dataDir}
         cp ${configFile} ${cfg.dataDir}/config
         chown -R 'clightning:clightning' '${cfg.dataDir}'
         # The RPC socket has to be removed otherwise we might have stale sockets

modules/electrs.nix

@@ -63,14 +63,16 @@ in {
   config = mkIf cfg.enable (mkMerge [{
     environment.systemPackages = [ pkgs.nix-bitcoin.electrs ];
 
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
+    ];
+
     systemd.services.electrs = {
       description = "Electrs Electrum Server";
       wantedBy = [ "multi-user.target" ];
       requires = [ "bitcoind.service" ];
       after = [ "bitcoind.service" ];
       preStart = ''
-        mkdir -m 0770 -p ${cfg.dataDir}
-        chown -R '${cfg.user}:${cfg.group}' ${cfg.dataDir}
         echo "cookie = \"${config.services.bitcoind.rpcuser}:$(cat ${secretsDir}/bitcoin-rpcpassword)\"" \
           > electrs.toml
         '';

modules/liquid.nix

@@ -200,15 +200,17 @@ in {
       (hiPrio cfg.cli)
       (hiPrio cfg.swap-cli)
     ];
+
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
+    ];
+
     systemd.services.liquidd = {
       description = "Elements daemon providing access to the Liquid sidechain";
       requires = [ "bitcoind.service" ];
       after = [ "bitcoind.service" ];
       wantedBy = [ "multi-user.target" ];
       preStart = ''
-        if ! test -e ${cfg.dataDir}; then
-          mkdir -m 0770 -p '${cfg.dataDir}'
-        fi
         cp '${configFile}' '${cfg.dataDir}/elements.conf'
         chmod o-rw  '${cfg.dataDir}/elements.conf'
         chown -R '${cfg.user}:${cfg.group}' '${cfg.dataDir}'

modules/lnd.nix

@@ -79,6 +79,10 @@ in {
   config = mkIf cfg.enable {
     environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ];
 
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' 0770 lnd lnd - -"
+    ];
+
     services.bitcoind = {
       zmqpubrawblock = "tcp://127.0.0.1:28332";
       zmqpubrawtx = "tcp://127.0.0.1:28333";
@@ -91,7 +95,6 @@ in {
       requires = [ "bitcoind.service" ];
       after = [ "bitcoind.service" ];
       preStart = ''
-        mkdir -m 0770 -p ${cfg.dataDir}
         cp ${configFile} ${cfg.dataDir}/lnd.conf
         chown -R 'lnd:lnd' '${cfg.dataDir}'
         chmod u=rw,g=r,o= ${cfg.dataDir}/lnd.conf

modules/nix-bitcoin-webindex.nix

@@ -28,9 +28,8 @@ let
   '';
   createWebIndex = pkgs.writeText "make-index.sh" ''
     set -e
-    mkdir -p /var/www/
     cp ${indexFile} /var/www/index.html
-    chown -R nginx /var/www/
+    chown -R nginx:nginx /var/www/
     nodeinfo
     . <(nodeinfo)
     sed -i "s/CLIGHTNING_ID/$CLIGHTNING_ID/g" /var/www/index.html
@@ -48,6 +47,10 @@ in {
   };
 
   config = mkIf cfg.enable {
+    systemd.tmpfiles.rules = [
+      "d /var/www 0755 nginx nginx - -"
+    ];
+
     services.nginx = {
       enable = true;
       virtualHosts."_" = {

modules/onion-chef.nix

@@ -15,7 +15,6 @@ let
     # wait until tor is up
     until ls -l /var/lib/tor/state; do sleep 1; done
 
-    mkdir -p -m 0755 ${dataDir}
     cd ${dataDir}
 
     # Create directory for every user and set permissions
@@ -68,6 +67,10 @@ in {
   };
 
   config = mkIf cfg.enable {
+    systemd.tmpfiles.rules = [
+      "d '${dataDir}' 0755 root root - -"
+    ];
+
     systemd.services.onion-chef = {
       description = "Run onion-chef";
       wantedBy = [ "tor.service" ];

modules/spark-wallet.nix

@@ -5,7 +5,6 @@ with lib;
 let
   cfg = config.services.spark-wallet;
   inherit (config) nix-bitcoin-services;
-  dataDir = "/var/lib/spark-wallet/";
   onion-chef-service = (if cfg.onion-service then [ "onion-chef.service" ] else []);
   run-spark-wallet = pkgs.writeScript "run-spark-wallet" ''
     CMD="${pkgs.nix-bitcoin.spark-wallet}/bin/spark-wallet --ln-path ${cfg.ln-path} -Q -k -c ${config.nix-bitcoin.secretsDir}/spark-wallet-login"