diff options
Diffstat (limited to '')
-rw-r--r-- | system/impermanence/default.nix | 23 | ||||
-rw-r--r-- | system/impermanence/mods/acme.nix | 5 | ||||
-rw-r--r-- | system/impermanence/mods/fail2ban.nix | 10 | ||||
-rw-r--r-- | system/impermanence/mods/keycloak.nix | 5 | ||||
-rw-r--r-- | system/impermanence/mods/mail.nix | 34 | ||||
-rw-r--r-- | system/impermanence/mods/minecraft.nix | 10 | ||||
-rw-r--r-- | system/impermanence/mods/nix-sync.nix | 10 | ||||
-rw-r--r-- | system/impermanence/mods/openssh.nix | 21 | ||||
-rw-r--r-- | system/impermanence/mods/users.nix | 28 |
9 files changed, 146 insertions, 0 deletions
diff --git a/system/impermanence/default.nix b/system/impermanence/default.nix new file mode 100644 index 0000000..198eeba --- /dev/null +++ b/system/impermanence/default.nix @@ -0,0 +1,23 @@ +{...}: { + # TODO: Only activate them if their module is also active + imports = [ + ./mods/acme.nix + ./mods/keycloak.nix + ./mods/mail.nix + ./mods/minecraft.nix + ./mods/nix-sync.nix + ./mods/openssh.nix + ./mods/users.nix + ]; + + environment.persistence."/srv" = { + hideMounts = true; + directories = [ + "/etc/nixos" + "/var/log" + ]; + files = [ + "/etc/machine-id" + ]; + }; +} diff --git a/system/impermanence/mods/acme.nix b/system/impermanence/mods/acme.nix new file mode 100644 index 0000000..b16171e --- /dev/null +++ b/system/impermanence/mods/acme.nix @@ -0,0 +1,5 @@ +{...}: { + environment.persistence."/srv".directories = [ + "/var/lib/acme" + ]; +} diff --git a/system/impermanence/mods/fail2ban.nix b/system/impermanence/mods/fail2ban.nix new file mode 100644 index 0000000..a817876 --- /dev/null +++ b/system/impermanence/mods/fail2ban.nix @@ -0,0 +1,10 @@ +{...}: { + environment.persistence."/srv".directories = [ + { + directory = "/var/lib/fail2ban"; + user = "fail2ban"; + group = "fail2ban"; + mode = "0700"; + } + ]; +} diff --git a/system/impermanence/mods/keycloak.nix b/system/impermanence/mods/keycloak.nix new file mode 100644 index 0000000..63b02f5 --- /dev/null +++ b/system/impermanence/mods/keycloak.nix @@ -0,0 +1,5 @@ +{...}: { + environment.persistence."/srv".directories = [ + "/var/lib/postgresql" + ]; +} diff --git a/system/impermanence/mods/mail.nix b/system/impermanence/mods/mail.nix new file mode 100644 index 0000000..18151ad --- /dev/null +++ b/system/impermanence/mods/mail.nix @@ -0,0 +1,34 @@ +{...}: { + environment.persistence."/srv".directories = [ + { + directory = "/var/lib/mail/backup"; + user = "virtualMail"; + group = "virtualMail"; + mode = "0700"; + } + { + directory = "/var/lib/mail/sieve"; + user = "virtualMail"; + group = "virtualMail"; + mode = "0700"; + } + { + directory = "/var/lib/mail/vmail"; + user = "virtualMail"; + group = "virtualMail"; + mode = "0700"; + } + { + directory = "/var/lib/mail/dkim"; + user = "opendkim"; + group = "opendkim"; + mode = "0700"; + } + { + directory = "/var/lib/rspamd"; + user = "rspamd"; + group = "rspamd"; + mode = "0700"; + } + ]; +} diff --git a/system/impermanence/mods/minecraft.nix b/system/impermanence/mods/minecraft.nix new file mode 100644 index 0000000..2a02626 --- /dev/null +++ b/system/impermanence/mods/minecraft.nix @@ -0,0 +1,10 @@ +{...}: { + environment.persistence."/srv".directories = [ + { + directory = "/var/lib/minecraft"; + user = "minecraft"; + group = "minecraft"; + mode = "0700"; + } + ]; +} diff --git a/system/impermanence/mods/nix-sync.nix b/system/impermanence/mods/nix-sync.nix new file mode 100644 index 0000000..11449ea --- /dev/null +++ b/system/impermanence/mods/nix-sync.nix @@ -0,0 +1,10 @@ +{...}: { + environment.persistence."/srv".directories = [ + { + directory = "/var/lib/nix-sync"; + user = "nix-sync"; + group = "nix-sync"; + mode = "0700"; + } + ]; +} diff --git a/system/impermanence/mods/openssh.nix b/system/impermanence/mods/openssh.nix new file mode 100644 index 0000000..0373a83 --- /dev/null +++ b/system/impermanence/mods/openssh.nix @@ -0,0 +1,21 @@ +{...}: { + /* + FIXME: + This results in a boot error, as the `/var/lib/sshd` directory is only mounted _after_ the stage 2 init and with it the system activation. + Agenix needs the sshd hostkey however to decrypt the secrets and such we have to ensure that this directory is mounted _before_ the system activation. + Alas the only way I see to achieve that is to store the ssh hostkey directly on /srv, which is mounted before (it's marked as 'neededForBoot' after all). + + It should be possible to achieve this with impermanence however, as `/var/log` is mounted in the stage 1 init; The problem is that I have no idea _why_ only + this is mounted and nothing else. + + + environment.persistence."/srv".directories = [ + { + directory = "/var/lib/sshd"; + user = "root"; + group = "root"; + mode = "0755"; + } + ]; + */ +} diff --git a/system/impermanence/mods/users.nix b/system/impermanence/mods/users.nix new file mode 100644 index 0000000..0692b00 --- /dev/null +++ b/system/impermanence/mods/users.nix @@ -0,0 +1,28 @@ +{...}: { + environment.persistence."/srv".directories = [ + { + directory = "/home"; + user = "root"; + group = "root"; + mode = "0755"; + } + { + directory = "/home/sils"; + user = "sils"; + group = "sils"; + mode = "0700"; + } + { + directory = "/home/soispha"; + user = "soispha"; + group = "soispha"; + mode = "0700"; + } + { + directory = "/home/nightingale"; + user = "nightingale"; + group = "nightingale"; + mode = "0700"; + } + ]; +} |