summary refs log tree commit diff stats
path: root/system
diff options
context:
space:
mode:
Diffstat (limited to 'system')
-rw-r--r--system/impermanence/default.nix28
-rw-r--r--system/impermanence/mods/acme.nix5
-rw-r--r--system/impermanence/mods/fail2ban.nix10
-rw-r--r--system/impermanence/mods/mastodon.nix10
-rw-r--r--system/impermanence/mods/matrix.nix19
-rw-r--r--system/impermanence/mods/minecraft.nix10
-rw-r--r--system/impermanence/mods/murmur.nix10
-rw-r--r--system/impermanence/mods/nix-sync.nix10
-rw-r--r--system/impermanence/mods/openssh.nix21
-rw-r--r--system/impermanence/mods/postgresql.nix5
-rw-r--r--system/impermanence/mods/taskserver.nix5
-rw-r--r--system/impermanence/mods/users.nix34
-rw-r--r--system/services/fail2ban/default.nix9
-rw-r--r--system/services/mail/default.nix4
-rw-r--r--system/services/mail/impermanence.nix (renamed from system/impermanence/mods/mail.nix)2
-rw-r--r--system/services/mastodon/default.nix9
-rw-r--r--system/services/matrix/default.nix18
-rw-r--r--system/services/minecraft/default.nix9
-rw-r--r--system/services/murmur/default.nix9
-rw-r--r--system/services/taskserver/default.nix5
-rw-r--r--system/users/default.nix33
21 files changed, 97 insertions, 168 deletions
diff --git a/system/impermanence/default.nix b/system/impermanence/default.nix
deleted file mode 100644
index b2f0778..0000000
--- a/system/impermanence/default.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{...}: {
-  # TODO: Only activate them if their module is also active
-  imports = [
-    ./mods/acme.nix
-    ./mods/mail.nix
-    ./mods/mastodon.nix
-    ./mods/matrix.nix
-    ./mods/minecraft.nix
-    ./mods/murmur.nix
-    ./mods/nix-sync.nix
-    ./mods/openssh.nix
-    ./mods/postgresql.nix
-    ./mods/taskserver.nix
-    ./mods/users.nix
-  ];
-
-  environment.persistence."/srv" = {
-    hideMounts = true;
-    directories = [
-      "/etc/nixos"
-      "/var/log"
-      "/var/lib/nixos"
-    ];
-    files = [
-      "/etc/machine-id"
-    ];
-  };
-}
diff --git a/system/impermanence/mods/acme.nix b/system/impermanence/mods/acme.nix
deleted file mode 100644
index b16171e..0000000
--- a/system/impermanence/mods/acme.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{...}: {
-  environment.persistence."/srv".directories = [
-    "/var/lib/acme"
-  ];
-}
diff --git a/system/impermanence/mods/fail2ban.nix b/system/impermanence/mods/fail2ban.nix
deleted file mode 100644
index a817876..0000000
--- a/system/impermanence/mods/fail2ban.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{...}: {
-  environment.persistence."/srv".directories = [
-    {
-      directory = "/var/lib/fail2ban";
-      user = "fail2ban";
-      group = "fail2ban";
-      mode = "0700";
-    }
-  ];
-}
diff --git a/system/impermanence/mods/mastodon.nix b/system/impermanence/mods/mastodon.nix
deleted file mode 100644
index a5bdbfd..0000000
--- a/system/impermanence/mods/mastodon.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{...}: {
-  environment.persistence."/srv".directories = [
-    {
-      directory = "/var/lib/mastodon";
-      user = "mastodon";
-      group = "mastodon";
-      mode = "0700";
-    }
-  ];
-}
diff --git a/system/impermanence/mods/matrix.nix b/system/impermanence/mods/matrix.nix
deleted file mode 100644
index 3af6530..0000000
--- a/system/impermanence/mods/matrix.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-{...}: {
-  environment.persistence."/srv".directories = [
-    {
-      directory = "/var/lib/matrix";
-      user = "matrix-synapse";
-      group = "matrix-synapse";
-      mode = "0700";
-    }
-    {
-      directory = "/var/lib/mautrix-whatsapp";
-      user = "mautrix-whatsapp";
-      group = "matrix-synapse";
-      mode = "0750";
-    }
-  ];
-  systemd.tmpfiles.rules = [
-    "d /etc/matrix 0755 matrix-synapse matrix-synapse"
-  ];
-}
diff --git a/system/impermanence/mods/minecraft.nix b/system/impermanence/mods/minecraft.nix
deleted file mode 100644
index 2a02626..0000000
--- a/system/impermanence/mods/minecraft.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{...}: {
-  environment.persistence."/srv".directories = [
-    {
-      directory = "/var/lib/minecraft";
-      user = "minecraft";
-      group = "minecraft";
-      mode = "0700";
-    }
-  ];
-}
diff --git a/system/impermanence/mods/murmur.nix b/system/impermanence/mods/murmur.nix
deleted file mode 100644
index 48912e1..0000000
--- a/system/impermanence/mods/murmur.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{...}: {
-  environment.persistence."/srv".directories = [
-    {
-      directory = "/var/lib/murmur";
-      user = "murmur";
-      group = "murmur";
-      mode = "0700";
-    }
-  ];
-}
diff --git a/system/impermanence/mods/nix-sync.nix b/system/impermanence/mods/nix-sync.nix
deleted file mode 100644
index 11449ea..0000000
--- a/system/impermanence/mods/nix-sync.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{...}: {
-  environment.persistence."/srv".directories = [
-    {
-      directory = "/var/lib/nix-sync";
-      user = "nix-sync";
-      group = "nix-sync";
-      mode = "0700";
-    }
-  ];
-}
diff --git a/system/impermanence/mods/openssh.nix b/system/impermanence/mods/openssh.nix
deleted file mode 100644
index 0373a83..0000000
--- a/system/impermanence/mods/openssh.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{...}: {
-  /*
-   FIXME:
-    This results in a boot error, as the `/var/lib/sshd` directory is only mounted _after_ the stage 2 init and with it the system activation.
-    Agenix needs the sshd hostkey however to decrypt the secrets and such we have to ensure that this directory is mounted _before_ the system activation.
-    Alas the only way I see to achieve that is to store the ssh hostkey directly on /srv, which is mounted before (it's marked as 'neededForBoot' after all).
-
-    It should be possible to achieve this with impermanence however, as `/var/log` is mounted in the stage 1 init; The problem is that I have no idea _why_ only
-    this is mounted and nothing else.
-
-
-  environment.persistence."/srv".directories = [
-    {
-      directory = "/var/lib/sshd";
-      user = "root";
-      group = "root";
-      mode = "0755";
-    }
-  ];
-  */
-}
diff --git a/system/impermanence/mods/postgresql.nix b/system/impermanence/mods/postgresql.nix
deleted file mode 100644
index 63b02f5..0000000
--- a/system/impermanence/mods/postgresql.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{...}: {
-  environment.persistence."/srv".directories = [
-    "/var/lib/postgresql"
-  ];
-}
diff --git a/system/impermanence/mods/taskserver.nix b/system/impermanence/mods/taskserver.nix
deleted file mode 100644
index 9208aa4..0000000
--- a/system/impermanence/mods/taskserver.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{...}: {
-  environment.persistence."/srv".directories = [
-    "/var/lib/taskserver"
-  ];
-}
diff --git a/system/impermanence/mods/users.nix b/system/impermanence/mods/users.nix
deleted file mode 100644
index 897d4f7..0000000
--- a/system/impermanence/mods/users.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-{...}: {
-  environment.persistence."/srv".directories = [
-    {
-      directory = "/home";
-      user = "root";
-      group = "root";
-      mode = "0755";
-    }
-    {
-      directory = "/home/sils";
-      user = "sils";
-      group = "sils";
-      mode = "0700";
-    }
-    {
-      directory = "/home/soispha";
-      user = "soispha";
-      group = "soispha";
-      mode = "0700";
-    }
-    {
-      directory = "/home/nightingale";
-      user = "nightingale";
-      group = "nightingale";
-      mode = "0700";
-    }
-    {
-      directory = "/root/.ssh";
-      user = "root";
-      group = "root";
-      mode = "0700";
-    }
-  ];
-}
diff --git a/system/services/fail2ban/default.nix b/system/services/fail2ban/default.nix
index f1487e4..1c47568 100644
--- a/system/services/fail2ban/default.nix
+++ b/system/services/fail2ban/default.nix
@@ -1,4 +1,13 @@
 {...}: {
+  vhack.persist.directories = [
+    {
+      directory = "/var/lib/fail2ban";
+      user = "fail2ban";
+      group = "fail2ban";
+      mode = "0700";
+    }
+  ];
+
   services.fail2ban = {
     enable = true;
     maxretry = 7; # ban after 7 failures
diff --git a/system/services/mail/default.nix b/system/services/mail/default.nix
index 382a87f..c69e6bd 100644
--- a/system/services/mail/default.nix
+++ b/system/services/mail/default.nix
@@ -6,6 +6,10 @@
   ];
   users = import ./users.nix {};
 in {
+  imports = [
+    ./impermanence.nix
+  ];
+
   mailserver =
     lib.recursiveUpdate {
       enable = true;
diff --git a/system/impermanence/mods/mail.nix b/system/services/mail/impermanence.nix
index a306ccf..22a5318 100644
--- a/system/impermanence/mods/mail.nix
+++ b/system/services/mail/impermanence.nix
@@ -1,5 +1,5 @@
 {...}: {
-  environment.persistence."/srv".directories = [
+  vhack.persist.directories = [
     {
       directory = "/var/lib/mail/backup";
       user = "virtualMail";
diff --git a/system/services/mastodon/default.nix b/system/services/mastodon/default.nix
index f613bf3..15b8609 100644
--- a/system/services/mastodon/default.nix
+++ b/system/services/mastodon/default.nix
@@ -9,6 +9,15 @@
       patches = (attrs.patches or []) ++ [./patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch];
     });
 in {
+  vhack.persist.directories = [
+    {
+      directory = "/var/lib/mastodon";
+      user = "mastodon";
+      group = "mastodon";
+      mode = "0700";
+    }
+  ];
+
   services.mastodon = {
     enable = true;
 
diff --git a/system/services/matrix/default.nix b/system/services/matrix/default.nix
index b75d1f1..043d9c0 100644
--- a/system/services/matrix/default.nix
+++ b/system/services/matrix/default.nix
@@ -14,6 +14,24 @@
 in {
   networking.firewall.allowedTCPPorts = [80 443];
 
+  vhack.persist.directories = [
+    {
+      directory = "/var/lib/matrix";
+      user = "matrix-synapse";
+      group = "matrix-synapse";
+      mode = "0700";
+    }
+    {
+      directory = "/var/lib/mautrix-whatsapp";
+      user = "mautrix-whatsapp";
+      group = "matrix-synapse";
+      mode = "0750";
+    }
+  ];
+  systemd.tmpfiles.rules = [
+    "d /etc/matrix 0755 matrix-synapse matrix-synapse"
+  ];
+
   services = {
     postgresql = {
       enable = true;
diff --git a/system/services/minecraft/default.nix b/system/services/minecraft/default.nix
index e659af0..9bc98b9 100644
--- a/system/services/minecraft/default.nix
+++ b/system/services/minecraft/default.nix
@@ -1,4 +1,13 @@
 {lib, ...}: {
+  vhack.persist.directories = [
+    {
+      directory = "/var/lib/minecraft";
+      user = "minecraft";
+      group = "minecraft";
+      mode = "0700";
+    }
+  ];
+
   nixpkgs.config.allowUnfreePredicate = pkg:
     builtins.elem (lib.getName pkg) [
       "minecraft-server"
diff --git a/system/services/murmur/default.nix b/system/services/murmur/default.nix
index 1dcd781..dec79ba 100644
--- a/system/services/murmur/default.nix
+++ b/system/services/murmur/default.nix
@@ -1,6 +1,15 @@
 {...}: let
   murmurStore = "/var/lib/murmur";
 in {
+  vhack.persist.directories = [
+    {
+      directory = "/var/lib/murmur";
+      user = "murmur";
+      group = "murmur";
+      mode = "0700";
+    }
+  ];
+
   services.murmur = {
     enable = true;
     openFirewall = true;
diff --git a/system/services/taskserver/default.nix b/system/services/taskserver/default.nix
index 2e4370f..04b6a8b 100644
--- a/system/services/taskserver/default.nix
+++ b/system/services/taskserver/default.nix
@@ -4,6 +4,11 @@ in {
   environment.etc = {
     "tmpfiles.d/taskserver.conf".source = config.age.secrets.taskserverSystemdTmpfiles.path;
   };
+
+  vhack.persist.directories = [
+    "/var/lib/taskserver"
+  ];
+
   services.taskserver = {
     enable = true;
     pki.manual = {
diff --git a/system/users/default.nix b/system/users/default.nix
index 1b7b29b..0da0515 100644
--- a/system/users/default.nix
+++ b/system/users/default.nix
@@ -1,4 +1,37 @@
 {pkgs, ...}: {
+  vhack.persist.directories = [
+    {
+      directory = "/home";
+      user = "root";
+      group = "root";
+      mode = "0755";
+    }
+    {
+      directory = "/home/sils";
+      user = "sils";
+      group = "sils";
+      mode = "0700";
+    }
+    {
+      directory = "/home/soispha";
+      user = "soispha";
+      group = "soispha";
+      mode = "0700";
+    }
+    {
+      directory = "/home/nightingale";
+      user = "nightingale";
+      group = "nightingale";
+      mode = "0700";
+    }
+    {
+      directory = "/root/.ssh";
+      user = "root";
+      group = "root";
+      mode = "0700";
+    }
+  ];
+
   users = {
     mutableUsers = false;
     defaultUserShell = pkgs.zsh;