diff options
Diffstat (limited to 'system')
21 files changed, 97 insertions, 168 deletions
diff --git a/system/impermanence/default.nix b/system/impermanence/default.nix deleted file mode 100644 index b2f0778..0000000 --- a/system/impermanence/default.nix +++ /dev/null @@ -1,28 +0,0 @@ -{...}: { - # TODO: Only activate them if their module is also active - imports = [ - ./mods/acme.nix - ./mods/mail.nix - ./mods/mastodon.nix - ./mods/matrix.nix - ./mods/minecraft.nix - ./mods/murmur.nix - ./mods/nix-sync.nix - ./mods/openssh.nix - ./mods/postgresql.nix - ./mods/taskserver.nix - ./mods/users.nix - ]; - - environment.persistence."/srv" = { - hideMounts = true; - directories = [ - "/etc/nixos" - "/var/log" - "/var/lib/nixos" - ]; - files = [ - "/etc/machine-id" - ]; - }; -} diff --git a/system/impermanence/mods/acme.nix b/system/impermanence/mods/acme.nix deleted file mode 100644 index b16171e..0000000 --- a/system/impermanence/mods/acme.nix +++ /dev/null @@ -1,5 +0,0 @@ -{...}: { - environment.persistence."/srv".directories = [ - "/var/lib/acme" - ]; -} diff --git a/system/impermanence/mods/fail2ban.nix b/system/impermanence/mods/fail2ban.nix deleted file mode 100644 index a817876..0000000 --- a/system/impermanence/mods/fail2ban.nix +++ /dev/null @@ -1,10 +0,0 @@ -{...}: { - environment.persistence."/srv".directories = [ - { - directory = "/var/lib/fail2ban"; - user = "fail2ban"; - group = "fail2ban"; - mode = "0700"; - } - ]; -} diff --git a/system/impermanence/mods/mastodon.nix b/system/impermanence/mods/mastodon.nix deleted file mode 100644 index a5bdbfd..0000000 --- a/system/impermanence/mods/mastodon.nix +++ /dev/null @@ -1,10 +0,0 @@ -{...}: { - environment.persistence."/srv".directories = [ - { - directory = "/var/lib/mastodon"; - user = "mastodon"; - group = "mastodon"; - mode = "0700"; - } - ]; -} diff --git a/system/impermanence/mods/matrix.nix b/system/impermanence/mods/matrix.nix deleted file mode 100644 index 3af6530..0000000 --- a/system/impermanence/mods/matrix.nix +++ /dev/null @@ -1,19 +0,0 @@ -{...}: { - environment.persistence."/srv".directories = [ - { - directory = "/var/lib/matrix"; - user = "matrix-synapse"; - group = "matrix-synapse"; - mode = "0700"; - } - { - directory = "/var/lib/mautrix-whatsapp"; - user = "mautrix-whatsapp"; - group = "matrix-synapse"; - mode = "0750"; - } - ]; - systemd.tmpfiles.rules = [ - "d /etc/matrix 0755 matrix-synapse matrix-synapse" - ]; -} diff --git a/system/impermanence/mods/minecraft.nix b/system/impermanence/mods/minecraft.nix deleted file mode 100644 index 2a02626..0000000 --- a/system/impermanence/mods/minecraft.nix +++ /dev/null @@ -1,10 +0,0 @@ -{...}: { - environment.persistence."/srv".directories = [ - { - directory = "/var/lib/minecraft"; - user = "minecraft"; - group = "minecraft"; - mode = "0700"; - } - ]; -} diff --git a/system/impermanence/mods/murmur.nix b/system/impermanence/mods/murmur.nix deleted file mode 100644 index 48912e1..0000000 --- a/system/impermanence/mods/murmur.nix +++ /dev/null @@ -1,10 +0,0 @@ -{...}: { - environment.persistence."/srv".directories = [ - { - directory = "/var/lib/murmur"; - user = "murmur"; - group = "murmur"; - mode = "0700"; - } - ]; -} diff --git a/system/impermanence/mods/nix-sync.nix b/system/impermanence/mods/nix-sync.nix deleted file mode 100644 index 11449ea..0000000 --- a/system/impermanence/mods/nix-sync.nix +++ /dev/null @@ -1,10 +0,0 @@ -{...}: { - environment.persistence."/srv".directories = [ - { - directory = "/var/lib/nix-sync"; - user = "nix-sync"; - group = "nix-sync"; - mode = "0700"; - } - ]; -} diff --git a/system/impermanence/mods/openssh.nix b/system/impermanence/mods/openssh.nix deleted file mode 100644 index 0373a83..0000000 --- a/system/impermanence/mods/openssh.nix +++ /dev/null @@ -1,21 +0,0 @@ -{...}: { - /* - FIXME: - This results in a boot error, as the `/var/lib/sshd` directory is only mounted _after_ the stage 2 init and with it the system activation. - Agenix needs the sshd hostkey however to decrypt the secrets and such we have to ensure that this directory is mounted _before_ the system activation. - Alas the only way I see to achieve that is to store the ssh hostkey directly on /srv, which is mounted before (it's marked as 'neededForBoot' after all). - - It should be possible to achieve this with impermanence however, as `/var/log` is mounted in the stage 1 init; The problem is that I have no idea _why_ only - this is mounted and nothing else. - - - environment.persistence."/srv".directories = [ - { - directory = "/var/lib/sshd"; - user = "root"; - group = "root"; - mode = "0755"; - } - ]; - */ -} diff --git a/system/impermanence/mods/postgresql.nix b/system/impermanence/mods/postgresql.nix deleted file mode 100644 index 63b02f5..0000000 --- a/system/impermanence/mods/postgresql.nix +++ /dev/null @@ -1,5 +0,0 @@ -{...}: { - environment.persistence."/srv".directories = [ - "/var/lib/postgresql" - ]; -} diff --git a/system/impermanence/mods/taskserver.nix b/system/impermanence/mods/taskserver.nix deleted file mode 100644 index 9208aa4..0000000 --- a/system/impermanence/mods/taskserver.nix +++ /dev/null @@ -1,5 +0,0 @@ -{...}: { - environment.persistence."/srv".directories = [ - "/var/lib/taskserver" - ]; -} diff --git a/system/impermanence/mods/users.nix b/system/impermanence/mods/users.nix deleted file mode 100644 index 897d4f7..0000000 --- a/system/impermanence/mods/users.nix +++ /dev/null @@ -1,34 +0,0 @@ -{...}: { - environment.persistence."/srv".directories = [ - { - directory = "/home"; - user = "root"; - group = "root"; - mode = "0755"; - } - { - directory = "/home/sils"; - user = "sils"; - group = "sils"; - mode = "0700"; - } - { - directory = "/home/soispha"; - user = "soispha"; - group = "soispha"; - mode = "0700"; - } - { - directory = "/home/nightingale"; - user = "nightingale"; - group = "nightingale"; - mode = "0700"; - } - { - directory = "/root/.ssh"; - user = "root"; - group = "root"; - mode = "0700"; - } - ]; -} diff --git a/system/services/fail2ban/default.nix b/system/services/fail2ban/default.nix index f1487e4..1c47568 100644 --- a/system/services/fail2ban/default.nix +++ b/system/services/fail2ban/default.nix @@ -1,4 +1,13 @@ {...}: { + vhack.persist.directories = [ + { + directory = "/var/lib/fail2ban"; + user = "fail2ban"; + group = "fail2ban"; + mode = "0700"; + } + ]; + services.fail2ban = { enable = true; maxretry = 7; # ban after 7 failures diff --git a/system/services/mail/default.nix b/system/services/mail/default.nix index 382a87f..c69e6bd 100644 --- a/system/services/mail/default.nix +++ b/system/services/mail/default.nix @@ -6,6 +6,10 @@ ]; users = import ./users.nix {}; in { + imports = [ + ./impermanence.nix + ]; + mailserver = lib.recursiveUpdate { enable = true; diff --git a/system/impermanence/mods/mail.nix b/system/services/mail/impermanence.nix index a306ccf..22a5318 100644 --- a/system/impermanence/mods/mail.nix +++ b/system/services/mail/impermanence.nix @@ -1,5 +1,5 @@ {...}: { - environment.persistence."/srv".directories = [ + vhack.persist.directories = [ { directory = "/var/lib/mail/backup"; user = "virtualMail"; diff --git a/system/services/mastodon/default.nix b/system/services/mastodon/default.nix index f613bf3..15b8609 100644 --- a/system/services/mastodon/default.nix +++ b/system/services/mastodon/default.nix @@ -9,6 +9,15 @@ patches = (attrs.patches or []) ++ [./patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch]; }); in { + vhack.persist.directories = [ + { + directory = "/var/lib/mastodon"; + user = "mastodon"; + group = "mastodon"; + mode = "0700"; + } + ]; + services.mastodon = { enable = true; diff --git a/system/services/matrix/default.nix b/system/services/matrix/default.nix index b75d1f1..043d9c0 100644 --- a/system/services/matrix/default.nix +++ b/system/services/matrix/default.nix @@ -14,6 +14,24 @@ in { networking.firewall.allowedTCPPorts = [80 443]; + vhack.persist.directories = [ + { + directory = "/var/lib/matrix"; + user = "matrix-synapse"; + group = "matrix-synapse"; + mode = "0700"; + } + { + directory = "/var/lib/mautrix-whatsapp"; + user = "mautrix-whatsapp"; + group = "matrix-synapse"; + mode = "0750"; + } + ]; + systemd.tmpfiles.rules = [ + "d /etc/matrix 0755 matrix-synapse matrix-synapse" + ]; + services = { postgresql = { enable = true; diff --git a/system/services/minecraft/default.nix b/system/services/minecraft/default.nix index e659af0..9bc98b9 100644 --- a/system/services/minecraft/default.nix +++ b/system/services/minecraft/default.nix @@ -1,4 +1,13 @@ {lib, ...}: { + vhack.persist.directories = [ + { + directory = "/var/lib/minecraft"; + user = "minecraft"; + group = "minecraft"; + mode = "0700"; + } + ]; + nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "minecraft-server" diff --git a/system/services/murmur/default.nix b/system/services/murmur/default.nix index 1dcd781..dec79ba 100644 --- a/system/services/murmur/default.nix +++ b/system/services/murmur/default.nix @@ -1,6 +1,15 @@ {...}: let murmurStore = "/var/lib/murmur"; in { + vhack.persist.directories = [ + { + directory = "/var/lib/murmur"; + user = "murmur"; + group = "murmur"; + mode = "0700"; + } + ]; + services.murmur = { enable = true; openFirewall = true; diff --git a/system/services/taskserver/default.nix b/system/services/taskserver/default.nix index 2e4370f..04b6a8b 100644 --- a/system/services/taskserver/default.nix +++ b/system/services/taskserver/default.nix @@ -4,6 +4,11 @@ in { environment.etc = { "tmpfiles.d/taskserver.conf".source = config.age.secrets.taskserverSystemdTmpfiles.path; }; + + vhack.persist.directories = [ + "/var/lib/taskserver" + ]; + services.taskserver = { enable = true; pki.manual = { diff --git a/system/users/default.nix b/system/users/default.nix index 1b7b29b..0da0515 100644 --- a/system/users/default.nix +++ b/system/users/default.nix @@ -1,4 +1,37 @@ {pkgs, ...}: { + vhack.persist.directories = [ + { + directory = "/home"; + user = "root"; + group = "root"; + mode = "0755"; + } + { + directory = "/home/sils"; + user = "sils"; + group = "sils"; + mode = "0700"; + } + { + directory = "/home/soispha"; + user = "soispha"; + group = "soispha"; + mode = "0700"; + } + { + directory = "/home/nightingale"; + user = "nightingale"; + group = "nightingale"; + mode = "0700"; + } + { + directory = "/root/.ssh"; + user = "root"; + group = "root"; + mode = "0700"; + } + ]; + users = { mutableUsers = false; defaultUserShell = pkgs.zsh; |