Commit f9d4c1321210
Changed files (1)
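--- a/modules/nix-flake-updater/default.nix
+++ b/modules/nix-flake-updater/default.nix
@@ -160,6 +160,9 @@ let
 ExecStart = "${mkUpdateScript name instanceCfg}";
 Environment = ''"GIT_SSH_COMMAND=ssh -o ControlMaster=no"'';
+# Don't fail if update fails (e.g., no changes, build failures)
+SuccessExitStatus = "0 1";
+
 # Security hardening
 PrivateTmp = true;
 ProtectSystem = "strict";
@@ -181,11 +184,6 @@ let
 StandardError = "journal";
 SyslogIdentifier = "nix-flake-updater-${name}";
 };
-
-# Don't fail if update fails (e.g., no changes, build failures)
-unitConfig = {
-SuccessExitStatus = "0 1";
-};
 };
 mkTimer =
@@ -209,18 +207,28 @@ in
 description = "Automated Nix flake.lock updater instances";
 };
-config = mkIf (cfg != { }) {
-systemd.services = listToAttrs (
-mapAttrsToList (name: instanceCfg: mkService name instanceCfg) (filterAttrs (_: v: v.enable) cfg)
-);
+config = mkIf (cfg != { }) (
+let
+# Collect all unique users from enabled instances
+users = unique (
+mapAttrsToList (_: instanceCfg: instanceCfg.user) (filterAttrs (_: v: v.enable) cfg)
+);
+in
+{
+systemd.services = listToAttrs (
+mapAttrsToList (name: instanceCfg: mkService name instanceCfg) (filterAttrs (_: v: v.enable) cfg)
+);
-systemd.timers = listToAttrs (
-mapAttrsToList (name: instanceCfg: mkTimer name instanceCfg) (filterAttrs (_: v: v.enable) cfg)
-);
+systemd.timers = listToAttrs (
+mapAttrsToList (name: instanceCfg: mkTimer name instanceCfg) (filterAttrs (_: v: v.enable) cfg)
+);
-# Ensure log directory exists (shared by all instances)
-systemd.tmpfiles.rules = [
-"d /var/log/nix-flake-updater 0750 root root -"
-];
-};
+# Ensure log directory exists (shared by all instances)
+# Create with permissions for all users that need access
+systemd.tmpfiles.rules = [
+"d /var/log/nix-flake-updater 0775 root users -"
+]
+++ map (user: "Z /var/log/nix-flake-updater - ${user} - -") users;
+}
+);
 }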
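Review bot: The tmpfiles rules at the end of the last hunk change `/var/log/nix-flake-updater` from `0750 root root` to `0775 root users` and then recursively chown it with one `Z` line per instance user, which grants more than the comment suggests: on NixOS `users` is the default primary group of every normal account, so any local user can now create, truncate or replace files in the updater's log directory. The per-user `Z` lines also all target the same path, so at most one owner survives (systemd-tmpfiles may additionally warn about duplicate lines for that path), meaning several distinct instance users are not actually served by this. A narrower layout keeps the root-only top level and gives each user its own subdirectory, e.g. `[ "d /var/log/nix-flake-updater 0750 root root -" ] ++ map (user: "d /var/log/nix-flake-updater/${user} 0750 ${user} - -") users`, assuming the update script can be pointed at that path; alternatively `LogsDirectory = "nix-flake-updater/${name}";` in `serviceConfig` creates the directory owned by the unit's user (if `User` is set there) and makes it writable under the `ProtectSystem = "strict"` shown in the first hunk. Since no `ReadWritePaths` covering the log directory is visible in these hunks, please also confirm the services can write there at all under that hardening.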