From a0e13034700e6a697c1adac3050702a1d3ba0ecd Mon Sep 17 00:00:00 2001
From: sefidel
Date: Thu, 11 Jan 2024 14:39:13 +0900
Subject: feat(modules)!: init persistence
---
 default.nix | 1 -
 modules/persistence.nix | 46 ++++++++++++++++++++++++++++++++++
 modules/services/acme.nix | 2 +-
 modules/services/akkoma/default.nix | 2 +-
 modules/services/fail2ban.nix | 2 +-
 modules/services/gitolite/default.nix | 2 +-
 modules/services/jitsi.nix | 2 +-
 modules/services/ldap.nix | 2 +-
 modules/services/matrix-bridge.nix | 2 +-
 modules/services/matrix-homeserver.nix | 2 +-
 modules/services/matrix-moderation.nix | 2 +-
 modules/services/metrics.nix | 2 +-
 modules/services/nixos-mailserver.nix | 2 +-
 modules/services/obsidian-livesync.nix | 2 +-
 modules/services/postgresql.nix | 2 +-
 modules/services/rss.nix | 4 +--
 modules/services/soju.nix | 2 +-
 modules/services/tailscale.nix | 2 +-
 modules/services/vikunja.nix | 2 +-
 systems/cobalt/default.nix | 19 +++----------
 20 files changed, 68 insertions(+), 34 deletions(-)
 create mode 100644 modules/persistence.nix
diff --git a/default.nix b/default.nix
index afcdc08..ee7e2ee 100644
--- a/default.nix
+++ b/default.nix
@@ -3,7 +3,6 @@ with lib; with lib.my; { imports = [
- inputs.impermanence.nixosModules.impermanence
] ++ mapModulesRec' (toString ./modules) import; networking.useDHCP = mkDefault false;
diff --git a/modules/persistence.nix b/modules/persistence.nix
new file mode 100644
index 0000000..4c11588
--- /dev/null
+++ b/modules/persistence.nix
@@ -0,0 +1,46 @@
+{ config, inputs, lib, ... }:
+
+
+with lib;
+let
+ cfg = config.modules.persistence;
+in
+{
+ imports = [
+ inputs.impermanence.nixosModules.impermanence
+ ];
+
+ options.modules.persistence = {
+ enable = mkEnableOption "impermanence persistence";
+
+ storagePath = lib.mkOption {
+ type = types.path;
+ description = ''
+ The path to persistent storage where the real
+ files and directories should be stored.
+ '';
+ };
+
+ directories = mkOption {
+ type = types.listOf types.str;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ fileSystems.${cfg.storagePath}.neededForBoot = true;
+
+ environment.persistence.${cfg.storagePath}.directories = cfg.directories;
+
+ services.openssh.hostKeys = [
+ {
+ path = "${cfg.storagePath}/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ {
+ path = "${cfg.storagePath}/ssh/ssh_host_rsa_key";
+ type = "rsa";
+ bits = 4096;
+ }
+ ];
+ };
+}
diff --git a/modules/services/acme.nix b/modules/services/acme.nix
index 6f6e33e..9a86f18 100644
--- a/modules/services/acme.nix
+++ b/modules/services/acme.nix
@@ -45,7 +45,7 @@ in cfg.certs; };
- environment.persistence."/persist".directories = [
+ modules.persistence.directories = [ "/var/lib/acme" ]; };
diff --git a/modules/services/akkoma/default.nix b/modules/services/akkoma/default.nix
index 3588140..91aa2e8 100644
--- a/modules/services/akkoma/default.nix
+++ b/modules/services/akkoma/default.nix
@@ -95,7 +95,7 @@ in ''; }; };
- environment.persistence."/persist".directories = [
+ modules.persistence.directories = [ "/var/lib/akkoma" ]; };
diff --git a/modules/services/fail2ban.nix b/modules/services/fail2ban.nix
index 7d3c4bf..281ca11 100644
--- a/modules/services/fail2ban.nix
+++ b/modules/services/fail2ban.nix
@@ -13,7 +13,7 @@ in services.fail2ban = { enable = true; };
- environment.persistence."/persist".directories = [
+ modules.persistence.directories = [ "/var/lib/fail2ban" ]; };
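Review bot: `storagePath` is typed `types.path` but is only ever interpolated into strings (`"${cfg.storagePath}/ssh/ssh_host_ed25519_key"`) and used as an attribute name, so a host that writes the option as a path literal (`/persist` rather than `"/persist"`) would have the directory copied into the world-readable Nix store when that string is built, host private keys included; `type = types.str;` with `example = "/persist";` matches the actual use and removes that footgun. `directories` has no `default`, so a host that enables the module without any service module contributing an entry fails evaluation on `cfg.directories`; add `default = [ ];` and a `description`. Because `cfg.directories` is consumed only under `mkIf cfg.enable`, the entries the service modules now set (acme through vikunja in this patch) are silently dropped on a host that leaves `enable` unset, whereas the old `environment.persistence."/persist"` wiring was unconditional; an assertion such as `{ assertion = cfg.enable || cfg.directories == [ ]; message = "modules.persistence.directories is set but modules.persistence.enable is false"; }` would surface that. The same gating now applies to `services.openssh.hostKeys`: with `enable` unset sshd falls back to its default key paths, which on an ephemeral root would presumably mean a fresh host identity on every boot, so a comment next to the hostKeys definition stating that dependency is warranted. Minor: `lib.mkOption` and bare `mkOption` are mixed under `with lib;`; pick one.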
diff --git a/modules/services/gitolite/default.nix b/modules/services/gitolite/default.nix
index 43afb71..31cf755 100644
--- a/modules/services/gitolite/default.nix
+++ b/modules/services/gitolite/default.nix
@@ -37,7 +37,7 @@ in ''; };
- environment.persistence."/persist".directories = [
+ modules.persistence.directories = [ "/var/lib/gitolite" ];
diff --git a/modules/services/jitsi.nix b/modules/services/jitsi.nix
index d1ed5cc..1152ac0 100644
--- a/modules/services/jitsi.nix
+++ b/modules/services/jitsi.nix
@@ -35,7 +35,7 @@ in networking.firewall.allowedTCPPorts = [ 80 443 ];
- environment.persistence."/persist".directories = [
+ modules.persistence.directories = [ "/var/lib/prosody" "/var/lib/jitsi-meet" ];
diff --git a/modules/services/ldap.nix b/modules/services/ldap.nix
index ba19761..7c4724f 100644
--- a/modules/services/ldap.nix
+++ b/modules/services/ldap.nix
@@ -69,7 +69,7 @@ in users.groups.acme.members = [ "openldap" ];
- environment.persistence."/persist".directories = [
+ modules.persistence.directories = [ "/var/lib/openldap" ]; };
diff --git a/modules/services/matrix-bridge.nix b/modules/services/matrix-bridge.nix
index 2a96e01..b2c089f 100644
--- a/modules/services/matrix-bridge.nix
+++ b/modules/services/matrix-bridge.nix
@@ -251,7 +251,7 @@ in };
- environment.persistence."/persist".directories = [
+ modules.persistence.directories = [ "/var/lib/private/mautrix-telegram" "/var/lib/private/mautrix-signal" "/var/lib/private/mautrix-whatsapp"
diff --git a/modules/services/matrix-homeserver.nix b/modules/services/matrix-homeserver.nix
index f830ee0..63691d3 100644
--- a/modules/services/matrix-homeserver.nix
+++ b/modules/services/matrix-homeserver.nix
@@ -122,7 +122,7 @@ in } ];
- environment.persistence."/persist".directories = [
+ modules.persistence.directories = [ "/var/lib/matrix-synapse" ];
diff --git a/modules/services/matrix-moderation.nix b/modules/services/matrix-moderation.nix
index 0b1dcc2..b44cdf3 100644
--- a/modules/services/matrix-moderation.nix
+++ b/modules/services/matrix-moderation.nix
@@ -50,7 +50,7 @@ in services.matrix-synapse.plugins = with config.services.matrix-synapse.package.plugins; [ matrix-synapse-mjolnir-antispam ];
- environment.persistence."/persist".directories = [
+ modules.persistence.directories = [ "/var/lib/private/pantalaimon-mjolnir" "/var/lib/mjolnir" ];
diff --git a/modules/services/metrics.nix b/modules/services/metrics.nix
index 6496a23..b06a401 100644
--- a/modules/services/metrics.nix
+++ b/modules/services/metrics.nix
@@ -159,7 +159,7 @@ in }; };
- environment.persistence."/persist".directories = [
+ modules.persistence.directories = [ "/var/lib/prometheus2" "/var/lib/loki" "/var/lib/grafana"
diff --git a/modules/services/nixos-mailserver.nix b/modules/services/nixos-mailserver.nix
index a794430..2c78780 100644
--- a/modules/services/nixos-mailserver.nix
+++ b/modules/services/nixos-mailserver.nix
@@ -144,7 +144,7 @@ in useACMEHost = cfg.webmail.domain; };
- environment.persistence."/persist".directories = [
+ modules.persistence.directories = [ "/var/lib/dovecot" "/var/lib/rspamd" "/var/lib/redis-rspamd"
diff --git a/modules/services/obsidian-livesync.nix b/modules/services/obsidian-livesync.nix
index 3377069..189d92f 100644
--- a/modules/services/obsidian-livesync.nix
+++ b/modules/services/obsidian-livesync.nix
@@ -50,7 +50,7 @@ ''; };
- environment.persistence."/persist".directories = [
+ modules.persistence.directories = [ "/var/lib/couchdb" ];
diff --git a/modules/services/postgresql.nix b/modules/services/postgresql.nix
index 2d5fdf5..05835a4 100644
--- a/modules/services/postgresql.nix
+++ b/modules/services/postgresql.nix
@@ -26,7 +26,7 @@ in }; services.postgresqlBackup.enable = true;
- environment.persistence."/persist".directories = [
+ modules.persistence.directories = [ "/var/lib/postgresql" "/var/backup/postgresql" ];
diff --git a/modules/services/rss.nix b/modules/services/rss.nix
index c7fadd3..fa982e4 100644
--- a/modules/services/rss.nix
+++ b/modules/services/rss.nix
@@ -34,7 +34,7 @@ in }; };
- environment.persistence."/persist".directories = [
+ modules.persistence.directories = [ "/var/lib/freshrss" ];
@@ -51,7 +51,7 @@ in whitelist = cfg.bridge.whitelist; };
- environment.persistence."/persist".directories = [
+ modules.persistence.directories = [ "/var/lib/rss-bridge" ];
diff --git a/modules/services/soju.nix b/modules/services/soju.nix
index 4302538..b2f4faf 100644
--- a/modules/services/soju.nix
+++ b/modules/services/soju.nix
@@ -41,7 +41,7 @@ in networking.firewall.allowedTCPPorts = [ cfg.port ];
- environment.persistence."/persist".directories = [
+ modules.persistence.directories = [ "/var/lib/private/soju" ]; };
diff --git a/modules/services/tailscale.nix b/modules/services/tailscale.nix
index 8778524..97e1217 100644
--- a/modules/services/tailscale.nix
+++ b/modules/services/tailscale.nix
@@ -15,7 +15,7 @@ in useRoutingFeatures = "both"; };
- environment.persistence."/persist".directories = [
+ modules.persistence.directories = [ "/var/lib/tailscale" ]; };
diff --git a/modules/services/vikunja.nix b/modules/services/vikunja.nix
index 61e37c2..c54870b 100644
--- a/modules/services/vikunja.nix
+++ b/modules/services/vikunja.nix
@@ -38,7 +38,7 @@ in } ];
- environment.persistence."/persist".directories = [
+ modules.persistence.directories = [ "/var/lib/private/vikunja" ];
diff --git a/systems/cobalt/default.nix b/systems/cobalt/default.nix
index 238cb28..16e7c37 100644
--- a/systems/cobalt/default.nix
+++ b/systems/cobalt/default.nix
@@ -133,21 +133,6 @@ in services.openssh.enable = true; services.openssh.settings.PermitRootLogin = "prohibit-password";
- services.openssh.hostKeys = [
- {
- path = "/persist/ssh/ssh_host_ed25519_key";
- type = "ed25519";
- }
- {
- path = "/persist/ssh/ssh_host_rsa_key";
- type = "rsa";
- bits = 4096;
- }
- ];
-
- # impermanence requirement
- fileSystems."/persist".neededForBoot = true;
-
environment.systemPackages = with pkgs; [ bsd-finger ];
@@ -176,6 +161,10 @@ in modules = { sops.enable = true;
+ persistence = {
+ enable = true;
+ storagePath = "/persist";
+ };
services.backup = { enable = true;
-- cgit 1.4.1