Kieran's opinionated (and probably slightly dumb) nix config

feat: use state dir to prevent the directory locking

dunkirk.sh 869e1a73 fd1fa777

verified
+7 -4
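--- a/modules/lib/mkService.nix
+++ b/modules/lib/mkService.nix
@@ -270,12 +270,16 @@
 Restart = "on-failure";
 RestartSec = "10s";
 TimeoutStartSec = "60s";
-
+
+# Automatic state directory management
+# Creates /var/lib/${name} with proper ownership before namespace setup
+StateDirectory = name;
+StateDirectoryMode = "0755";
+
 # Security hardening
 NoNewPrivileges = true;
 ProtectSystem = "strict";
 ProtectHome = true;
-ReadWritePaths = [ cfg.dataDir ];
 PrivateTmp = true;
 };
 
@@ -290,9 +294,8 @@
 ];
 };
 
-# Ensure working directory exists before service starts
+# StateDirectory handles base dir, tmpfiles creates subdirectories
 systemd.tmpfiles.rules = [
-"d ${cfg.dataDir} 0755 ${name} services -"
 "d ${cfg.dataDir}/app 0755 ${name} services -"
 "d ${cfg.dataDir}/data 0755 ${name} services -"
 ];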
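Review bot: With `ReadWritePaths = [ cfg.dataDir ];` removed, the only writable path under `ProtectSystem = "strict"` is `/var/lib/${name}` from `StateDirectory = name;`, yet the tmpfiles rules in the second hunk still build their paths from `cfg.dataDir`. The option's default is not visible here, but if it can be set to anything other than `/var/lib/${name}` the service would lose write access to its own data; either assert that the two are equal or keep a conditional entry such as `ReadWritePaths = lib.optional (cfg.dataDir != "/var/lib/${name}") cfg.dataDir;` (assuming `lib` is in scope). Separately, `StateDirectoryMode = "0755"` leaves the state directory listable and readable by every local user; since the subdirectories are already owned by group `services`, `"0750"` would be a tighter default unless something outside that group must read it. The surrounding service definition starts and ends outside the hunk.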