nixos/archisteamfarm: don't use asf abbreviation for more clarity

2023-12-04 22:05:25 +01:00 · 2023-12-04 22:05:25 +01:00 · 2d324fc242
commit 2d324fc242
parent b9019a84b7
3 changed files with 22 additions and 19 deletions
--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@ -121,6 +121,9 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
  We have added a warning for services that are
  `after = [ "network-online.target" ]` but do not depend on it (e.g. using `wants`).

+- `services.archisteamfarm` no longer uses the abbreviation `asf` for its state directory (`/var/lib/asf`), user and group (both `asf`). Instead the long name `archisteamfarm` is used.
+  Configurations with `system.stateVersion` 23.11 or earlier, default to the old stateDirectory until the 24.11 release and must either set the option explicitly or move the data to the new directory.
+
 - `networking.iproute2.enable` now does not set `environment.etc."iproute2/rt_tables".text`.

  Setting `environment.etc."iproute2/{CONFIG_FILE_NAME}".text` will override the whole configuration file instead of appending it to the upstream configuration file.
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -506,7 +506,7 @@
  ./services/editors/haste.nix
  ./services/editors/infinoted.nix
  ./services/finance/odoo.nix
-  ./services/games/asf.nix
+  ./services/games/archisteamfarm.nix
  ./services/games/crossfire-server.nix
  ./services/games/deliantra-server.nix
  ./services/games/factorio.nix
--- a/nixos/modules/services/games/archisteamfarm.nix
+++ b/nixos/modules/services/games/archisteamfarm.nix
@ -7,7 +7,7 @@ let

  format = pkgs.formats.json { };

-  asf-config = format.generate "ASF.json" (cfg.settings // {
+  configFile = format.generate "ASF.json" (cfg.settings // {
    # we disable it because ASF cannot update itself anyways
    # and nixos takes care of restarting the service
    # is in theory not needed as this is already the default for default builds
@ -76,7 +76,7 @@ in

    dataDir = mkOption {
      type = types.path;
-      default = "/var/lib/asf";
+      default = "/var/lib/archisteamfarm";
      description = lib.mdDoc ''
        The ASF home directory used to store all data.
        If left as the default value this directory will automatically be created before the ASF server starts, otherwise the sysadmin is responsible for ensuring the directory exists with appropriate ownership and permissions.'';
@ -99,7 +99,7 @@ in
    ipcPasswordFile = mkOption {
      type = types.nullOr types.path;
      default = null;
-      description = lib.mdDoc "Path to a file containing the password. The file must be readable by the `asf` user/group.";
+      description = lib.mdDoc "Path to a file containing the password. The file must be readable by the `archisteamfarm` user/group.";
    };

    ipcSettings = mkOption {
@ -130,7 +130,7 @@ in
          };
          passwordFile = mkOption {
            type = types.path;
-            description = lib.mdDoc "Path to a file containing the password. The file must be readable by the `asf` user/group.";
+            description = lib.mdDoc "Path to a file containing the password. The file must be readable by the `archisteamfarm` user/group.";
          };
          enabled = mkOption {
            type = types.bool;
@ -152,7 +152,7 @@ in
      example = {
        exampleBot = {
          username = "alice";
-          passwordFile = "/var/lib/asf/secrets/password";
+          passwordFile = "/var/lib/archisteamfarm/secrets/password";
          settings = { SteamParentalCode = "1234"; };
        };
      };
@ -161,31 +161,33 @@ in
  };

  config = mkIf cfg.enable {
+    # TODO: drop with 24.11
+    services.archisteamfarm.dataDir = lib.mkIf (lib.versionAtLeast config.system.stateVersion "24.05") (lib.mkDefault "/var/lib/asf");

    users = {
-      users.asf = {
+      users.archisteamfarm = {
        home = cfg.dataDir;
        isSystemUser = true;
-        group = "asf";
+        group = "archisteamfarm";
        description = "Archis-Steam-Farm service user";
      };
-      groups.asf = { };
+      groups.archisteamfarm = { };
    };

    systemd.services = {
-      asf = {
+      archisteamfarm = {
        description = "Archis-Steam-Farm Service";
        after = [ "network.target" ];
        wantedBy = [ "multi-user.target" ];

        serviceConfig = mkMerge [
-          (mkIf (cfg.dataDir == "/var/lib/asf") {
-            StateDirectory = "asf";
+          (mkIf (lib.hasPrefix "/var/lib/" cfg.dataDir) {
+            StateDirectory = lib.last (lib.splitString "/" cfg.dataDir);
            StateDirectoryMode = "700";
          })
          {
-            User = "asf";
-            Group = "asf";
+            User = "archisteamfarm";
+            Group = "archisteamfarm";
            WorkingDirectory = cfg.dataDir;
            Type = "simple";
            ExecStart = "${lib.getExe cfg.package} --no-restart --process-required --service --system-required --path ${cfg.dataDir}";
@ -217,12 +219,10 @@ in
            RestrictNamespaces = true;
            RestrictRealtime = true;
            RestrictSUIDSGID = true;
-            SystemCallArchitectures = "native";
-            UMask = "0077";
-
-            # we luckily already have systemd v247+
            SecureBits = "noroot-locked";
+            SystemCallArchitectures = "native";
            SystemCallFilter = [ "@system-service" "~@privileged" ];
+            UMask = "0077";
          }
        ];

@ -242,7 +242,7 @@ in
          ''
            mkdir -p config

-            cp --no-preserve=mode ${asf-config} config/ASF.json
+            cp --no-preserve=mode ${configFile} config/ASF.json

            ${optionalString (cfg.ipcPasswordFile != null) ''
              ${replaceSecretBin} '#ipcPassword#' '${cfg.ipcPasswordFile}' config/ASF.json