nixos/logrotate: Copy default configFile to /etc

When running logrotate in a user namespaced environment, such as an nspawn container with PrivateUsers=pick, logrotate may refuse to start as its config file is not owned by root. Using environment.etc we can copy the file from the store and set the proper permissions during activation.
NixOS · Jan 15, 2025 · ee4f850 · ee4f850
1 parent 7a04de8
commit ee4f850
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 13 deletions.
diff --git a/nixos/modules/services/logging/logrotate.nix b/nixos/modules/services/logging/logrotate.nix
@@ -191,10 +191,7 @@ in
 
       configFile = lib.mkOption {
         type = lib.types.path;
-        default = configFile;
-        defaultText = ''
-          A configuration file automatically generated by NixOS.
-        '';
+        default = "/etc/logrotate.conf";
         description = ''
           Override the configuration file used by logrotate. By default,
           NixOS generates one automatically from [](#opt-services.logrotate.settings).
@@ -240,6 +237,18 @@ in
   };
 
   config = lib.mkIf cfg.enable {
+    # logrotate config has an include directive. As such, always generate the built-in config
+    # in case it is useful to the user.
+    # Users could choose to disable it with environment.etc."logrotate.conf".enable = false;
+    environment.etc."logrotate.conf" = {
+      source = configFile;
+      # logrotate mandates that its config is always owned by root.
+      # Copy into /etc to avoid user namespacing issues.
+      mode = "0600";
+      user = "root";
+      group = "root";
+    };
+
     systemd.services.logrotate = {
       description = "Logrotate Service";
       documentation = [

diff --git a/nixos/tests/logrotate.nix b/nixos/tests/logrotate.nix
@@ -103,15 +103,13 @@ import ./make-test-python.nix ({ pkgs, ... }: rec {
           machine.succeed("systemctl cat logrotate.service | grep -- --mail")
       with subtest("check generated config matches expectation"):
           machine.succeed(
-              # copy conf to /tmp/logrotate.conf for easy grep
-              "conf=$(systemctl cat logrotate | grep -oE '/nix/store[^ ]*logrotate.conf'); cp $conf /tmp/logrotate.conf",
-              "! grep weekly /tmp/logrotate.conf",
-              "grep -E '^delaycompress' /tmp/logrotate.conf",
-              "tail -n 1 /tmp/logrotate.conf | grep shred",
-              "sed -ne '/\"sendmail\" {/,/}/p' /tmp/logrotate.conf | grep 'mail [email protected]'",
-              "sed -ne '/\"postrotate\" {/,/}/p' /tmp/logrotate.conf | grep endscript",
-              "grep '\"file1\"\n\"file2\" {' /tmp/logrotate.conf",
-              "sed -ne '/\"import\" {/,/}/p' /tmp/logrotate.conf | grep noolddir",
+              "! grep weekly /etc/logrotate.conf",
+              "grep -E '^delaycompress' /etc/logrotate.conf",
+              "tail -n 1 /etc/logrotate.conf | grep shred",
+              "sed -ne '/\"sendmail\" {/,/}/p' /etc/logrotate.conf | grep 'mail [email protected]'",
+              "sed -ne '/\"postrotate\" {/,/}/p' /etc/logrotate.conf | grep endscript",
+              "grep '\"file1\"\n\"file2\" {' /etc/logrotate.conf",
+              "sed -ne '/\"import\" {/,/}/p' /etc/logrotate.conf | grep noolddir",
           )
           # also check configFile option
           failingMachine.succeed(