Nixpkgs: systemd's PermissionsStartOnly is deprecated

Created on 12 Jan 2019 · 15 Comments · Source: NixOS/nixpkgs

See https://github.com/systemd/systemd/pull/10802:

PermissionsStartOnly is deprecated (but not yet removed); the replacements are the special executable prefixes mentioned in https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStart=.

We have many occurrences of this in nixpkgs (as per commit ad23ea312d37b8086ea62bd6be33c2c07e5a9963):

% git grep PermissionsStartOnly upstream/master | wc -l
130

It's not urgent, as it still works right now, but it's problematic that you can no longer find any docs about a feature that we use almost everywhere.


Fixing it isn't totally trivial because PermissionsStartOnly is/was a separate setting, but with the new approach we actually have to write characters in front of ExecStartPre lines and so on.


For context, here are the docs that are now no longer there:

PermissionsStartOnly

Takes a boolean argument. If true, the permission-related execution options, as configured with User= and similar options (see systemd.exec(5) for more information), are only applied to the process started with ExecStart=, and not to the various other ExecStartPre=, ExecStartPost=, ExecReload=, ExecStop=, and ExecStopPost= commands. If false, the setting is applied to all configured commands the same way. Defaults to false.

@nh2 in a lot of cases, the ExecStartPre scripts only set up a directory structure, which should probably better be done by systemd.tmpfiles.rules.

The change looks easy enough. I propose we target 19.09 to deprecate this option in the NixOS systemd module with a warning and fix all of our modules until then.

@fpletz That sounds good to me.

@nh2 @flokli @fpletz I don't mind picking away at this, but I'd like to make sure I'm on the right track... does https://github.com/NixOS/nixpkgs/pull/56265 look good so far? I figured commit per module so it can easily be cherry picked.

@aanderse From a quick look, the approach looks correct to me.

I'd mention this issue in each commit message though so that people can easily find this issue from them.

How to fix services similar to hydron? https://github.com/NixOS/nixpkgs/blob/9fa52ae9a22091c978857ef5440372c06da4c99e/nixos/modules/services/web-servers/hydron.nix#L95-L123
It seems that to remove PermissionsStartOnly = true we need to replace ExecStartPre=/nix/store/...-unit-script-hydron-pre-start by ExecStartPre=+/nix/store/...-unit-script-hydron-pre-start (notice the added +), how can this be achieved?
I'm asking because I have this issue in writing a module for miniflux.

@bricewge I would suggest https://github.com/NixOS/nixpkgs/pull/56720, but that PR isn't ready quite yet... I guess I should get that finished and merged.
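The unit-level rewrite described in the question above (dropping PermissionsStartOnly=true and putting + in front of the affected Exec lines), as an added example that is not part of this thread or of nixpkgs. The function name `migrate_unit` and the sample unit are constructed for illustration; the list of affected directives comes from the removed man page text quoted earlier in the thread.

```python
import re

# Directives that PermissionsStartOnly=true exempted from User=/Group=
# (list taken from the removed man page text quoted in this thread).
EXEMPT = ("ExecStartPre", "ExecStartPost", "ExecReload", "ExecStop", "ExecStopPost")
TRUE_VALUES = {"1", "yes", "true", "on"}
_LINE = re.compile(r"^\s*(\w+)\s*=\s*(.*)$")


def migrate_unit(text):
    """Return unit text with PermissionsStartOnly= replaced by '+' prefixes."""
    lines = text.splitlines()
    enabled = False
    for line in lines:  # first pass: the last assignment wins
        m = _LINE.match(line)
        if m and m.group(1) == "PermissionsStartOnly":
            enabled = m.group(2).strip().lower() in TRUE_VALUES
    out = []
    for line in lines:
        m = _LINE.match(line)
        if not m:
            out.append(line)  # section headers, comments, blank lines
            continue
        key, value = m.group(1), m.group(2)
        if key == "PermissionsStartOnly":
            continue  # drop the deprecated setting
        if enabled and key in EXEMPT and value:
            # Leading special characters may be combined; leave the line alone
            # if a privilege prefix (+, ! or !!) is already among them.
            prefix = re.match(r"[@\-:+!]*", value).group(0)
            if "+" not in prefix and "!" not in prefix:
                value = "+" + value
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


# Constructed sample unit (not taken from nixpkgs).
SAMPLE = """\
[Service]
User=example
PermissionsStartOnly=true
ExecStartPre=/bin/mkdir -p /var/lib/example
ExecStartPre=-/bin/chown example /var/lib/example
ExecStart=/usr/bin/example --serve
ExecStopPost=+/bin/rm -f /run/example.sock
"""

if __name__ == "__main__":
    print(migrate_unit(SAMPLE), end="")
```

A command prefixed with + runs with full privileges, which skips not only User= and Group= but also the unit's sandboxing options for that command, so each rewritten line is worth reviewing for whether it still needs root at all.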

Can the location of the StateDirectory be set per unit? I'd rather have all the service information contained in the single unit rather than split to systemd.tmpfiles.rules. Also the naming seems quite wrong, I don't think it was intended for that purpose.

@zimbatm I agree that tmpfiles is an improper replacement for StateDirectory, at least conceptually ... StateDirectory can be set per unit, but I take it the motivation for using tmpfiles is greater control over mode and ownership bits. From reading the manual, however, it seems to me that setting User and Group suffices to create dirs & ensure they are owned by the user/group, which I'd imagine covers a lot of (most?) cases, but I could be missing something ...

EDIT: from the manual:

Except in case of ConfigurationDirectory=, the innermost specified directories [e.g., StateDirectory] will be owned by the user and group specified in User= and Group=. If the specified directories already exist and their owning user or group do not match the configured ones, all files and directories below the specified directories as well as the directories themselves will have their file ownership recursively changed to match what is configured. As an optimization, if the specified directories are already owned by the right user and group, files and directories below of them are left as-is, even if they do not match what is requested. The innermost specified directories will have their access mode adjusted to the what is specified in RuntimeDirectoryMode=, StateDirectoryMode=, CacheDirectoryMode=, LogsDirectoryMode= and ConfigurationDirectoryMode=.

https://www.freedesktop.org/software/systemd/man/systemd.exec.html

From #56265

Dropping the link to an old comment here, in case it gets lost again during rebases:

https://github.com/NixOS/nixpkgs/pull/56265#discussion_r264064056

TLDR:
tmpfiles is a very unlucky name - these directories are really not temporary, and could be used if StateDirectory, RuntimeDirectory and ConfigurationDirectory aren't enough (or more complex directory layouts inside need to be created or shared across multiple units).

We should use StateDirectory, RuntimeDirectory and ConfigurationDirectory where possible, but sometimes it's not enough (when files are shared between multiple units, symlinks need to be set up, custom permissions etc.).

Hello, I'm a bot and I thank you in the name of the community for opening this issue.

To help our human contributors focus on the most-relevant reports, I check up on old issues to see if they're still relevant. This issue has had no activity for 180 days, and so I marked it as stale, but you can rest assured it will never be closed by a non-human.

The community would appreciate your effort in checking if the issue is still valid. If it isn't, please close it.

If the issue persists, and you'd like to remove the stale label, you simply need to leave a comment. Your comment can be as simple as "still important to me". If you'd like it to get more attention, you can ask for help by searching for maintainers and people that previously touched related code and @ mention them in a comment. You can use Git blame or GitHub's web interface on the relevant files to find them.

Lastly, you can always ask for help at our Discourse Forum or at #nixos' IRC channel.

rg --files-with-matches PermissionsStartOnly | wc -l outputs 37 on master, so not stale

Help wanted, but I do intend to continue chipping away at this eventually.

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/systemd-permissions/10150/5
