From 7815ef2a22e3ae684852f1f28cedae6354263034 Mon Sep 17 00:00:00 2001
From: Soispha
Date: Sat, 8 Jul 2023 13:53:11 +0200
Subject: Fix(treewide): Move all persistent dirs to impermanence to set permissions
---
 system/impermanence/default.nix | 25 ++++-----
 system/impermanence/mods/acme.nix | 5 ++
 system/impermanence/mods/fail2ban.nix | 10 ++++
 system/impermanence/mods/keycloak.nix | 5 ++
 system/impermanence/mods/mail.nix | 28 ++++++++++
 system/impermanence/mods/minecraft.nix | 10 ++++
 system/impermanence/mods/nix-sync.nix | 10 ++++
 system/impermanence/mods/openssh.nix | 10 ++++
 system/impermanence/mods/users.nix | 22 ++++++++
 system/services/fail2ban/default.nix | 4 +-
 system/services/mail/default.nix | 8 +--
 system/services/minecraft/default.nix | 2 +-
 system/users/default.nix | 93 +++++++++++++++++-----------------
 13 files changed, 164 insertions(+), 68 deletions(-)
 create mode 100644 system/impermanence/mods/acme.nix
 create mode 100644 system/impermanence/mods/fail2ban.nix
 create mode 100644 system/impermanence/mods/keycloak.nix
 create mode 100644 system/impermanence/mods/mail.nix
 create mode 100644 system/impermanence/mods/minecraft.nix
 create mode 100644 system/impermanence/mods/nix-sync.nix
 create mode 100644 system/impermanence/mods/openssh.nix
 create mode 100644 system/impermanence/mods/users.nix
diff --git a/system/impermanence/default.nix b/system/impermanence/default.nix
index 32ad9f7..198eeba 100644
--- a/system/impermanence/default.nix
+++ b/system/impermanence/default.nix
@@ -1,23 +1,20 @@ {...}: { + # TODO: Only activate them if their module is also active + imports = [ + ./mods/acme.nix + ./mods/keycloak.nix + ./mods/mail.nix + ./mods/minecraft.nix + ./mods/nix-sync.nix + ./mods/openssh.nix + ./mods/users.nix + ]; + environment.persistence."/srv" = { hideMounts = true; directories = [ "/etc/nixos" "/var/log" - "/var/lib/postgresql" - "/var/lib/acme" - { - directory = "/var/lib/nix-sync"; - user = "nix-sync"; - group = "nix-sync"; - mode = "0700"; - } - { - directory = "/var/lib/sshd"; - user = "root"; - group = "root"; - mode = "0755"; - } ]; files = [ "/etc/machine-id" diff --git a/system/impermanence/mods/acme.nix b/system/impermanence/mods/acme.nix new file mode 100644 index 0000000..b16171e --- /dev/null +++ b/system/impermanence/mods/acme.nix @@ -0,0 +1,5 @@ +{...}: { + environment.persistence."/srv".directories = [ + "/var/lib/acme" + ]; +} diff --git a/system/impermanence/mods/fail2ban.nix b/system/impermanence/mods/fail2ban.nix new file mode 100644 index 0000000..a817876 --- /dev/null +++ b/system/impermanence/mods/fail2ban.nix @@ -0,0 +1,10 @@ +{...}: { + environment.persistence."/srv".directories = [ + { + directory = "/var/lib/fail2ban"; + user = "fail2ban"; + group = "fail2ban"; + mode = "0700"; + } + ]; +} diff --git a/system/impermanence/mods/keycloak.nix b/system/impermanence/mods/keycloak.nix new file mode 100644 index 0000000..63b02f5 --- /dev/null +++ b/system/impermanence/mods/keycloak.nix @@ -0,0 +1,5 @@ +{...}: { + environment.persistence."/srv".directories = [ + "/var/lib/postgresql" + ]; +} diff --git a/system/impermanence/mods/mail.nix b/system/impermanence/mods/mail.nix new file mode 100644 index 0000000..fc21ce7 --- /dev/null +++ b/system/impermanence/mods/mail.nix 
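Review bot: The new `imports` list omits `./mods/fail2ban.nix`, even though this commit creates that file and, in system/services/fail2ban/default.nix, moves `dbfile` to `/var/lib/fail2ban/db.sqlite3`. Without the import `/var/lib/fail2ban` is never bind-mounted from `/srv`, so the ban database sits on the ephemeral root and every accumulated ban (including the bantime-increment history) is discarded on reboot. Add `./mods/fail2ban.nix` to the list. The `# TODO` about gating each module on its service is worth expanding slightly: an unconditional entry presumably asks impermanence to create a directory owned by a user that does not exist on a host where the service is disabled, which may fail activation — confirm before leaving it unconditional.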
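Review bot: `/var/lib/acme` is persisted as a bare string, so it keeps impermanence's default ownership and mode rather than the permissions the commit title says it sets; `/var/lib/postgresql` in mods/keycloak.nix has the same gap. Both directories hold sensitive state (ACME account and certificate private keys; the database cluster), so the ownership should be spelled out like the other entries, e.g. `{ directory = "/var/lib/acme"; user = "acme"; group = "acme"; mode = "0755"; }`, with the mode matched to what the respective NixOS module creates — this diff does not show that. Filing the postgresql entry under a module named keycloak also hides that any other service using the local cluster depends on it; a `postgresql.nix` module, or a comment saying the cluster is only used by keycloak, would make the dependency explicit.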
@@ -0,0 +1,28 @@ +{...}: { + environment.persistence."/srv".directories = [ + { + directory = "/var/lib/mail/backup"; + user = "virtualMail"; + group = "virtualMail"; + mode = "0700"; + } + { + directory = "/var/lib/mail/sieve"; + user = "virtualMail"; + group = "virtualMail"; + mode = "0700"; + } + { + directory = "/var/lib/mail/vmail"; + user = "virtualMail"; + group = "virtualMail"; + mode = "0700"; + } + { + directory = "/var/lib/mail/dkim"; + user = "opendkim"; + group = "opendkim"; + mode = "0700"; + } + ]; +} diff --git a/system/impermanence/mods/minecraft.nix b/system/impermanence/mods/minecraft.nix new file mode 100644 index 0000000..2a02626 --- /dev/null +++ b/system/impermanence/mods/minecraft.nix @@ -0,0 +1,10 @@ +{...}: { + environment.persistence."/srv".directories = [ + { + directory = "/var/lib/minecraft"; + user = "minecraft"; + group = "minecraft"; + mode = "0700"; + } + ]; +} diff --git a/system/impermanence/mods/nix-sync.nix b/system/impermanence/mods/nix-sync.nix new file mode 100644 index 0000000..11449ea --- /dev/null +++ b/system/impermanence/mods/nix-sync.nix @@ -0,0 +1,10 @@ +{...}: { + environment.persistence."/srv".directories = [ + { + directory = "/var/lib/nix-sync"; + user = "nix-sync"; + group = "nix-sync"; + mode = "0700"; + } + ]; +} diff --git a/system/impermanence/mods/openssh.nix b/system/impermanence/mods/openssh.nix new file mode 100644 index 0000000..656f96e --- /dev/null +++ b/system/impermanence/mods/openssh.nix @@ -0,0 +1,10 @@ +{...}: { + environment.persistence."/srv".directories = [ + { + directory = "/var/lib/sshd"; + user = "root"; + group = "root"; + mode = "0755"; + } + ]; +} diff --git a/system/impermanence/mods/users.nix b/system/impermanence/mods/users.nix new file mode 100644 index 0000000..3b121e0 --- /dev/null +++ b/system/impermanence/mods/users.nix 
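Review bot: The four `directory` literals repeat the paths set in system/services/mail/default.nix (`mailDirectory`, `dkimKeyDirectory`, `sieveDirectory`, `backup.snapshotRoot`), so the two files can drift and a later path change in the mail module would silently leave the new location unpersisted. Taking `{config, ...}:` and writing `directory = config.mailserver.mailDirectory;` (and the matching option for each of the other three) keeps one source of truth; mods/minecraft.nix could likewise read `config.services.minecraft-server.dataDir`, and mods/users.nix the accounts' `home` attributes. The `mailserver` prefix is presumed from the option names, since the enclosing attribute set of the mail hunk is outside this diff.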
@@ -0,0 +1,22 @@ +{...}: { + environment.persistence."/srv".directories = [ + { + directory = "/home/sils"; + user = "sils"; + group = "sils"; + mode = "0700"; + } + { + directory = "/home/soispha"; + user = "soispha"; + group = "soispha"; + mode = "0700"; + } + { + directory = "/home/nightingale"; + user = "nightingale"; + group = "nightingale"; + mode = "0700"; + } + ]; +} diff --git a/system/services/fail2ban/default.nix b/system/services/fail2ban/default.nix index 5aee097..3e6244b 100644 --- a/system/services/fail2ban/default.nix +++ b/system/services/fail2ban/default.nix @@ -1,4 +1,3 @@ -# vim: ts=2 {...}: { services.fail2ban = { enable = true; @@ -8,7 +7,7 @@ logtarget = SYSLOG socket = /run/fail2ban/fail2ban.sock pidfile = /run/fail2ban/fail2ban.pid - dbfile = /srv/fail2ban/fail2ban.sqlite3 + dbfile = /var/lib/fail2ban/db.sqlite3 ''; bantime-increment = { enable = true; @@ -28,3 +27,4 @@ }; }; } + diff --git a/system/services/mail/default.nix b/system/services/mail/default.nix index 5bfdb8c..0640fc7 100644 --- a/system/services/mail/default.nix +++ b/system/services/mail/default.nix @@ -19,10 +19,10 @@ in { "admin@vhack.eu" = all_admins; }; - mailDirectory = "/srv/mail/vmail"; - dkimKeyDirectory = "/srv/mail/dkim"; - sieveDirectory = "/srv/mail/sieve"; - backup.snapshotRoot = "/srv/mail/backup"; + mailDirectory = "/var/lib/mail/vmail"; + dkimKeyDirectory = "/var/lib/mail/dkim"; + sieveDirectory = "/var/lib/mail/sieve"; + backup.snapshotRoot = "/var/lib/mail/backup"; enableImap = false; enableImapSsl = true; diff --git a/system/services/minecraft/default.nix b/system/services/minecraft/default.nix index e69ffb1..e659af0 100644 --- a/system/services/minecraft/default.nix +++ b/system/services/minecraft/default.nix @@ -7,7 +7,7 @@ enable = true; declarative = true; eula = true; - dataDir = "/srv/minecraft"; + dataDir = "/var/lib/minecraft"; openFirewall = true; jvmOpts = "-Xmx8192M -Xms8192M"; whitelist = { 
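Review bot: The entries set `group = "sils"`, `"soispha"` and `"nightingale"`, but the account definitions in system/users/default.nix (the last hunk of this patch) declare them with `isNormalUser = true` and no `group`, and no `users.groups.<name>` appears anywhere in the diff; NixOS then defaults the primary group to `users`. Unless these per-user groups are created elsewhere, impermanence will try to chown the bind-mount sources to a group that does not exist, and even if it exists the directory group will not match the account's primary group. Either declare `users.groups.sils = {}` (and the other two) and set `group = "sils"` on the accounts, or use `group = "users"` in these entries.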
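Review bot: Changing `/srv/mail/*` to `/var/lib/mail/*` also moves the data's location on the persistent volume, because impermanence sources `/var/lib/mail/vmail` from `/srv/var/lib/mail/vmail`, not from the old `/srv/mail/vmail`. The commit contains no migration step, so after deploy the mailserver presumably starts with empty mailboxes, sieve scripts and backups, and an empty `/var/lib/mail/dkim` would lead to a freshly generated DKIM key that no longer matches the selector published in DNS, breaking signature verification for outgoing mail until the old key is restored. The same applies to `/srv/minecraft` → `/var/lib/minecraft` and `/srv/fail2ban` → `/var/lib/fail2ban` in the other hunks. A one-time move of the old directories under `/srv/var/lib/`, or at least a sentence in the commit message saying the operator must do it, should accompany this change.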
diff --git a/system/users/default.nix b/system/users/default.nix
index 3555221..7ea88c5 100644
--- a/system/users/default.nix
+++ b/system/users/default.nix
@@ -1,54 +1,53 @@ {pkgs, ...}: { - users.mutableUsers = false; - users.defaultUserShell = pkgs.zsh; + users = { + mutableUsers = false; + defaultUserShell = pkgs.zsh; + users = { + root = { + initialHashedPassword = null; # to lock root + openssh.authorizedKeys.keys = []; + }; - users.users = { - root = { - #uid = 0; - initialHashedPassword = null; # to lock root - openssh.authorizedKeys.keys = [ - ]; - }; - - sils = { - name = "sils"; - isNormalUser = true; - home = "/srv/home/sils"; - initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC"; - uid = 1000; - extraGroups = [ - "wheel" - ]; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils" - ]; - }; + sils = { + name = "sils"; + isNormalUser = true; + home = "/home/sils"; + initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC"; + uid = 1000; + extraGroups = [ + "wheel" + ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils" + ]; + }; - soispha = { - name = "soispha"; - isNormalUser = true; - home = "/srv/home/soispha"; - initialHashedPassword = "$y$jFT$3.8XmUyukZvpExMUxDZkI.$IVrJgm8ysNDF/0vDD2kF6w73ozXgr1LMVRNN4Bq7pv1"; - uid = 1001; - extraGroups = [ - "wheel" - ]; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha" - ]; - }; + soispha = { + name = "soispha"; + isNormalUser = true; + home = "/home/soispha"; + initialHashedPassword = "$y$jFT$3.8XmUyukZvpExMUxDZkI.$IVrJgm8ysNDF/0vDD2kF6w73ozXgr1LMVRNN4Bq7pv1"; + uid = 1001; + extraGroups = [ + "wheel" + ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha" + ]; + }; - nightingale = { - name = "nightingale"; - isNormalUser = true; - home = "/srv/home/nightingale"; - initialHashedPassword 
= null; # TODO CHANGE - uid = 1002; - extraGroups = [ - "wheel" - ]; - openssh.authorizedKeys.keys = [ - ]; + nightingale = { + name = "nightingale"; + isNormalUser = true; + home = "/home/nightingale"; + initialHashedPassword = null; # TODO CHANGE + uid = 1002; + extraGroups = [ + "wheel" + ]; + openssh.authorizedKeys.keys = [ + ]; + }; }; }; } -- cgit 1.4.1
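Review bot: `name = "sils"` and `home = "/home/sils"` (and the same two lines for soispha and nightingale) restate what NixOS derives for an `isNormalUser` account: `name` defaults to the attribute name and `home` to `/home/${name}`. Dropping them removes a second copy of the home path that must stay in agreement with the entries in system/impermanence/mods/users.nix; if the explicit values are kept for readability, a short comment such as `# explicit for clarity; equals the NixOS default` would stop the next reader from treating them as deliberate overrides. The `# TODO CHANGE` on nightingale's `initialHashedPassword = null` survives the re-indent; with `mutableUsers = false` and an empty `authorizedKeys` list the account has no login credential at all, so an issue reference or owner on that TODO would keep it from being forgotten.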