I’m trying to run the mealie module from Nixos. By default it works, and puts the database under /var and /var/private through systemd dynamic user stuff.
For backup reasons, I actually want to set the mealie DATA_DIR option to put these files in my zfs zpool (/tank/mealie for example). I setup a tmpfilesRules to make /tank/mealie and make the mealie user the owner. Unfortunately, this does not seem to work and I think it has to do with an interaction between systemd dynamic user and how StateDirectory works.
I assume I’m going to have to modify the module to actually be able to relocate the DATA_DIR at this point, but I’m not sure what the best option is. Can I conditionally set some other systemd variable to allow the mealie process access to the path under /tank? ReadWritePaths or something? Or is systemd DynamicUser only compatible with persistent data stored under /var and I need to modify it to use a normal user?
You can do a bunch of stuff. Two approaches spring to mind
override stuff by accessing the underlying service directly (i.e. systemd.services.mealie.serviceConfig) using systemd service props.
make a systemd.packages addition to add a drop-in file (man systemd.unit and seach for “drop-in”) which could override arbitray service configuration properties.
I’m less concerned with the mechanics of changing the systemd config, and more wondering if someone can comment on whether you can have a dynamicuser StateDirectory not under /var. Systemd apparently does a fair bit with permissions and symlinks and so on to make this fs access work for a random ephemeral uid/gid.
To be clear, I’ve already made a different folder and set DATA_DIR in the app to point at it, and it will work for a bit but it doesn’t seem to survive restarting the service because the user changes.
I really wish systemd had a mechanism here. Being able to create some dir that a dynamic user has certain privileges for is a common need and I’ve seen all sorts of patterns implemented around this problem.
I don’t really need/want DynamicUser necessarily, but I was interested in making it work so I could use the upstream nixpkgs module so I don’t have to develop/maintain a forked one… Oh well.