From 7b3ac169ff056393290c14e36d61ba97e5c1c881 Mon Sep 17 00:00:00 2001 From: Florian Jacob Date: Sat, 13 Apr 2019 20:33:39 +0200 Subject: [PATCH 1/3] journalwatch: fix pytest checks --- pkgs/tools/system/journalwatch/default.nix | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/pkgs/tools/system/journalwatch/default.nix b/pkgs/tools/system/journalwatch/default.nix index 473d245618fa..40606a45f639 100644 --- a/pkgs/tools/system/journalwatch/default.nix +++ b/pkgs/tools/system/journalwatch/default.nix @@ -20,14 +20,10 @@ buildPythonPackage rec { doCheck = true; - + checkInputs = [ pytest ]; checkPhase = '' - pytest test_journalwatch.py - ''; - - buildInputs = [ pytest - ]; + ''; propagatedBuildInputs = [ systemd From 68c6f3f27e7427774f30c65f0e06101acfd73797 Mon Sep 17 00:00:00 2001 From: Florian Jacob Date: Sat, 13 Apr 2019 20:55:49 +0200 Subject: [PATCH 2/3] journalwatch: use fetchFromGitHub for normalization See #32997 --- pkgs/tools/system/journalwatch/default.nix | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/pkgs/tools/system/journalwatch/default.nix b/pkgs/tools/system/journalwatch/default.nix index 40606a45f639..e0aaee31217c 100644 --- a/pkgs/tools/system/journalwatch/default.nix +++ b/pkgs/tools/system/journalwatch/default.nix 
@@ -1,15 +1,15 @@ -{ stdenv, buildPythonPackage, fetchurl, pythonOlder, systemd, pytest }: +{ stdenv, buildPythonPackage, fetchFromGitHub, pythonOlder, systemd, pytest }: buildPythonPackage rec { pname = "journalwatch"; - name = "${pname}-${version}"; version = "1.1.0"; disabled = pythonOlder "3.3"; - - src = fetchurl { - url = "https://github.com/The-Compiler/${pname}/archive/v${version}.tar.gz"; - sha512 = "3hvbgx95hjfivz9iv0hbhj720wvm32z86vj4a60lji2zdfpbqgr2b428lvg2cpvf71l2xn6ca5v0hzyz57qylgwqzgfrx7hqhl5g38s"; + src = fetchFromGitHub { + owner = "The-Compiler"; + repo = pname; + rev = "v${version}"; + sha512 = "11g2f1w9lfqw6zxxyg7qrqpb914s6w71j0gnpw7qr7cak2l5jlf2l39dlg30y55rw7jgmf0yg77wwzd0c430mq1n6q1v8w86g1rwkzb"; }; # can be removed post 1.1.0 From e916cdf02de684c963b65cbd07df78031ddc54a0 Mon Sep 17 00:00:00 2001 From: Florian Jacob Date: Sat, 13 Apr 2019 22:08:43 +0200 Subject: [PATCH 3/3] nixos/journalwatch: permissionsStartOnly is deprecated See #53852 for details, related to the efforts in #56265 --- .../modules/services/logging/journalwatch.nix | 42 +++++++++++++------ 1 file changed, 30 insertions(+), 12 deletions(-) diff --git a/nixos/modules/services/logging/journalwatch.nix b/nixos/modules/services/logging/journalwatch.nix index d0824df38ae3..576c646c0f58 100644 --- a/nixos/modules/services/logging/journalwatch.nix +++ b/nixos/modules/services/logging/journalwatch.nix @@ -4,6 +4,8 @@ with lib; let cfg = config.services.journalwatch; user = "journalwatch"; + # for journal access + group = "systemd-journal"; dataDir = "/var/lib/${user}"; journalwatchConfig = pkgs.writeText "config" ('' 
@@ -31,6 +33,17 @@ let '') filterBlocks); + # can't use joinSymlinks directly, because when we point $XDG_CONFIG_HOME + # to the /nix/store path, we still need the subdirectory "journalwatch" inside that + # to match journalwatch's expectations + journalwatchConfigDir = pkgs.runCommand "journalwatch-config" + { preferLocalBuild = true; allowSubstitutes = false; } + '' + mkdir -p $out/journalwatch + ln -sf ${journalwatchConfig} $out/journalwatch/config + ln -sf ${journalwatchPatterns} $out/journalwatch/patterns + ''; + in { options = { 
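Review bot: The comment above `journalwatchConfigDir` names `joinSymlinks`, which presumably means the nixpkgs helper `symlinkJoin`; as written, a reader searching for the helper will not find it. I would reword the first comment line to `# can't use symlinkJoin directly, because when we point $XDG_CONFIG_HOME`. It may also be worth one more comment line saying that this directory, like the `pkgs.writeText` config it links to, lives in the world-readable Nix store, so nothing secret belongs in the generated config or patterns.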
@@ -199,33 +212,38 @@ in { users.users.${user} = { isSystemUser = true; - createHome = true; home = dataDir; - # for journal access - group = "systemd-journal"; + group = group; }; + systemd.tmpfiles.rules = [ + # present since NixOS 19.09: remove old stateful symlink join directory, + # which has been replaced with the journalwatchConfigDir store path + "R ${dataDir}/config" + ]; + systemd.services.journalwatch = { + environment = { + # journalwatch stores the last processed timpestamp here + # the share subdirectory is historic now that config home lives in /nix/store, + # but moving this in a backwards-compatible way is much more work than what's justified + # for cleaning that up. XDG_DATA_HOME = "${dataDir}/share"; - XDG_CONFIG_HOME = "${dataDir}/config"; + XDG_CONFIG_HOME = journalwatchConfigDir; }; serviceConfig = { User = user; + Group = group; Type = "oneshot"; - PermissionsStartOnly = true; + # requires a relative directory name to create beneath /var/lib + StateDirectory = user; + StateDirectoryMode = 0750; ExecStart = "${pkgs.python3Packages.journalwatch}/bin/journalwatch mail"; # lowest CPU and IO priority, but both still in best-effort class to prevent starvation Nice=19; IOSchedulingPriority=7; }; - preStart = '' - chown -R ${user}:systemd-journal ${dataDir} - chmod -R u+rwX,go-w ${dataDir} - mkdir -p ${dataDir}/config/journalwatch - ln -sf ${journalwatchConfig} ${dataDir}/config/journalwatch/config - ln -sf ${journalwatchPatterns} ${dataDir}/config/journalwatch/patterns - ''; }; systemd.timers.journalwatch = {
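Review bot: `StateDirectoryMode = 0750;` in `serviceConfig` is a bare Nix integer, and Nix has no octal literals, so as far as I can tell it evaluates to decimal 750. It appears to reach systemd as the intended mode only because the digits are printed back into the unit file and systemd reads them as octal. That is a fragile way to set permissions on a state directory that, with `Group = group`, ends up accessible to `systemd-journal`; quoting it makes the intent explicit: `StateDirectoryMode = "0750";`. Separately, the new comment in `environment` has a typo, `timpestamp` for `timestamp`.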