From b5fc07416652a445f15946ce7e5fc48766cf6722 Mon Sep 17 00:00:00 2001 
From: Benedikt Peetz Date: Tue, 24 Dec 2024 16:09:20 +0100 Subject: refactor(modules/impermanence): Migrate to by-name while distributing mods --- modules/by-name/im/impermanence/module.nix | 35 +++++++++++++++++++++++ modules/by-name/ng/nginx/module.nix | 3 ++ modules/by-name/ni/nix-sync/module.nix | 9 ++++++ modules/by-name/op/openssh/module.nix | 32 ++++++++++++++++++--- modules/by-name/po/postgresql/module.nix | 19 ++++++++++++ system/impermanence/default.nix | 28 ------------------ system/impermanence/mods/acme.nix | 5 ---- system/impermanence/mods/fail2ban.nix | 10 ------- system/impermanence/mods/mail.nix | 46 ------------------------------ system/impermanence/mods/mastodon.nix | 10 ------- system/impermanence/mods/matrix.nix | 19 ------------ system/impermanence/mods/minecraft.nix | 10 ------- system/impermanence/mods/murmur.nix | 10 ------- system/impermanence/mods/nix-sync.nix | 10 ------- system/impermanence/mods/openssh.nix | 21 -------------- system/impermanence/mods/postgresql.nix | 5 ---- system/impermanence/mods/taskserver.nix | 5 ---- system/impermanence/mods/users.nix | 34 ---------------------- system/services/fail2ban/default.nix | 9 ++++++ system/services/mail/default.nix | 4 +++ system/services/mail/impermanence.nix | 46 ++++++++++++++++++++++++++++++ system/services/mastodon/default.nix | 9 ++++++ system/services/matrix/default.nix | 18 ++++++++++++ system/services/minecraft/default.nix | 9 ++++++ system/services/murmur/default.nix | 9 ++++++ system/services/taskserver/default.nix | 5 ++++ system/users/default.nix | 33 +++++++++++++++++++++ 27 files changed, 236 insertions(+), 217 deletions(-) create mode 100644 modules/by-name/im/impermanence/module.nix create mode 100644 modules/by-name/po/postgresql/module.nix delete mode 100644 system/impermanence/default.nix delete mode 100644 system/impermanence/mods/acme.nix delete mode 100644 system/impermanence/mods/fail2ban.nix delete mode 100644 system/impermanence/mods/mail.nix delete mode 100644 
system/impermanence/mods/mastodon.nix delete mode 100644 system/impermanence/mods/matrix.nix delete mode 100644 system/impermanence/mods/minecraft.nix delete mode 100644 system/impermanence/mods/murmur.nix delete mode 100644 system/impermanence/mods/nix-sync.nix delete mode 100644 system/impermanence/mods/openssh.nix delete mode 100644 system/impermanence/mods/postgresql.nix delete mode 100644 system/impermanence/mods/taskserver.nix delete mode 100644 system/impermanence/mods/users.nix create mode 100644 system/services/mail/impermanence.nix
diff --git a/modules/by-name/im/impermanence/module.nix b/modules/by-name/im/impermanence/module.nix
new file mode 100644
index 0000000..d645bcb
--- /dev/null
+++ b/modules/by-name/im/impermanence/module.nix
@@ -0,0 +1,35 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.vhack.persist;
+in {
+ options.vhack.persist = {
+ enable = lib.mkEnableOption "impermanence";
+
+ directories = lib.mkOption {
+ description = "The list of directories to persist";
+ type = lib.types.listOf (lib.types.coercedTo lib.types.str (d: {directory = d;}) (lib.types.attrsOf lib.types.anything));
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ environment.persistence."/srv" = {
+ hideMounts = true;
+ directories =
+ [
+ "/etc/nixos"
+ "/var/log"
+
+ # TODO(@bpeetz): Instead of persisting that, encode each uid/gid directly in the
+ config. <2024-12-24>
+ "/var/lib/nixos"
+ ]
+ ++ cfg.directories;
+ files = [
+ "/etc/machine-id"
+ ];
+ };
+ };
+}
diff --git a/modules/by-name/ng/nginx/module.nix b/modules/by-name/ng/nginx/module.nix
index 6a82147..9c77652 100644
--- a/modules/by-name/ng/nginx/module.nix
+++ b/modules/by-name/ng/nginx/module.nix
@@ -36,6 +36,9 @@ in {
 };
 config = lib.mkIf cfg.enable {
+ vhack.persist.directories = [
+ "/var/lib/acme"
+ ];
 security.acme = {
 acceptTerms = true;
 defaults = {
diff --git a/modules/by-name/ni/nix-sync/module.nix b/modules/by-name/ni/nix-sync/module.nix
index 0a92888..de096b9 100644
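Review bot: `vhack.persist.directories` in the new `modules/by-name/im/impermanence/module.nix` declares no `default`, so a host that sets `vhack.persist.enable = true` while no module defines the option fails evaluation with "used but not defined" instead of persisting just the built-in list; add `default = [];` next to `description`. The TODO comment's continuation line appears here as `config. <2024-12-24>` without a leading `#`; if the file was really committed that way it will not parse, so that is worth confirming against the repository. Because bare-string entries such as `"/var/lib/nixos"` get impermanence's default ownership and mode (root-owned, 0755 as far as I recall) while attrset entries set their own, the option description could say so, e.g. `Directories to persist under /srv; plain strings use impermanence's default owner and mode, pass an attrset to set user/group/mode`, so that callers know which form to use for service state.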
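Review bot: The `/var/lib/acme` entry in the nginx module is persisted as a bare string, while the other service directories added in this commit (nix-sync, fail2ban, mail, matrix and so on) spell out `user`/`group`/`mode`; ACME account keys and certificate private keys live under this tree, so its ownership deserves the same explicit treatment, e.g. `{ directory = "/var/lib/acme"; user = "acme"; group = "acme"; mode = "0755"; }`. Confirm the account and mode against what the NixOS `security.acme` module creates, since the bind mount will otherwise carry whatever the first boot happened to produce. The enclosing `config = lib.mkIf cfg.enable {` block continues outside the hunk.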
--- a/modules/by-name/ni/nix-sync/module.nix
+++ b/modules/by-name/ni/nix-sync/module.nix
@@ -50,6 +50,15 @@ in {
 };
 config = lib.mkIf cfg.enable {
+ vhack.persist.directories = [
+ {
+ directory = "/var/lib/nix-sync";
+ user = "nix-sync";
+ group = "nix-sync";
+ mode = "0700";
+ }
+ ];
+
 services.nix-sync = {
 enable = true;
 repositories = nixSyncRepositories;
diff --git a/modules/by-name/op/openssh/module.nix b/modules/by-name/op/openssh/module.nix
index 30d16a6..49290b9 100644
--- a/modules/by-name/op/openssh/module.nix
+++ b/modules/by-name/op/openssh/module.nix
@@ -12,16 +12,40 @@ in {
 };
 config = lib.mkIf cfg.enable {
+ /*
+ FIXME(@bpeetz):
+ This results in a boot error, as the `/var/lib/sshd` directory
+ is only mounted _after_ the stage 2 init and with it the system
+ activation. `agenix` needs the sshd hostkey however to decrypt the
+ secrets and thus we have to ensure that this directory is mounted
+ _before_ the system activation. Alas the only way I see to achieve
+ that is to store the ssh hostkey directly on /srv, which is mounted
+ before (it's marked as 'neededForBoot' after all).
+
+ It should be possible to achieve this with impermanence however,
+ as `/var/log` is mounted in the stage 1 init; The problem is that
+ I have no idea _why_ only this is mounted and nothing else.
+
+
+ vhack.persist.directories = [
+ {
+ directory = "/var/lib/sshd";
+ user = "root";
+ group = "root";
+ mode = "0755";
+ }
+ ];
+ */
+
 services.openssh = {
 enable = true;
 settings.PasswordAuthentication = false;
 hostKeys = [
 {
- # See the explanation for this in /system/impermanence/mods/openssh.nix
- # path = "/var/lib/sshd/ssh_host_ed25519_key";
-
- # FIXME: Remove this workaround
+ # FIXME: Remove the dependency on `/srv` this workaround.
+ # See the explanation for using `/srv` above.
 path = "/srv/var/lib/sshd/ssh_host_ed25519_key";
+ rounds = 1000;
 type = "ed25519";
 }
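Review bot: `rounds = 1000;` in the openssh hunk is a behavioural change to host-key generation slipped into a refactor commit; the subject does not mention it, and it only influences a key that ssh-keygen creates fresh, so the key already stored under `/srv` is unaffected either way. As far as I know the rounds value is the bcrypt KDF iteration count for passphrase-protected private keys, and an sshd host key carries no passphrase, so the line is most likely a no-op; either drop it or give it its own commit with a comment such as `# KDF rounds for the generated private key; has no effect while the host key is unencrypted`. The new FIXME wording reads as two sentences fused ("Remove the dependency on `/srv` this workaround."); `# FIXME: Remove this workaround, i.e. the dependency on /srv.` says the same thing clearly. The `config = lib.mkIf cfg.enable {` block continues past the hunk.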
diff --git a/modules/by-name/po/postgresql/module.nix b/modules/by-name/po/postgresql/module.nix
new file mode 100644
index 0000000..319c3ac
--- /dev/null
+++ b/modules/by-name/po/postgresql/module.nix
@@ -0,0 +1,19 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.vhack.postgresql;
+in {
+ options.vhack.postgresql = {
+ enable = lib.mkEnableOption "postgresql";
+ };
+
+ config = lib.mkIf cfg.enable {
+ vhack.persist.directories = [
+ "/var/lib/postgresql"
+ ];
+
+ services.postgresql.enable = true;
+ };
+}
diff --git a/system/impermanence/default.nix b/system/impermanence/default.nix
deleted file mode 100644
index b2f0778..0000000
--- a/system/impermanence/default.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{...}: {
- # TODO: Only activate them if their module is also active
- imports = [
- ./mods/acme.nix
- ./mods/mail.nix
- ./mods/mastodon.nix
- ./mods/matrix.nix
- ./mods/minecraft.nix
- ./mods/murmur.nix
- ./mods/nix-sync.nix
- ./mods/openssh.nix
- ./mods/postgresql.nix
- ./mods/taskserver.nix
- ./mods/users.nix
- ];
-
- environment.persistence."/srv" = {
- hideMounts = true;
- directories = [
- "/etc/nixos"
- "/var/log"
- "/var/lib/nixos"
- ];
- files = [
- "/etc/machine-id"
- ];
- };
-}
diff --git a/system/impermanence/mods/acme.nix b/system/impermanence/mods/acme.nix
deleted file mode 100644
index b16171e..0000000
--- a/system/impermanence/mods/acme.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{...}: {
- environment.persistence."/srv".directories = [
- "/var/lib/acme"
- ];
-}
diff --git a/system/impermanence/mods/fail2ban.nix b/system/impermanence/mods/fail2ban.nix
deleted file mode 100644
index a817876..0000000
--- a/system/impermanence/mods/fail2ban.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{...}: {
- environment.persistence."/srv".directories = [
- {
- directory = "/var/lib/fail2ban";
- user = "fail2ban";
- group = "fail2ban";
- mode = "0700";
- }
- ];
-}
diff --git a/system/impermanence/mods/mail.nix b/system/impermanence/mods/mail.nix
deleted file mode 100644
index a306ccf..0000000
--- a/system/impermanence/mods/mail.nix
+++ /dev/null
@@ -1,46 +0,0 @@
-{...}: {
- environment.persistence."/srv".directories = [
- {
- directory = "/var/lib/mail/backup";
- user = "virtualMail";
- group = "virtualMail";
- mode = "0700";
- }
- {
- directory = "/var/lib/mail/sieve";
- user = "virtualMail";
- group = "virtualMail";
- mode = "0700";
- }
- {
- directory = "/var/lib/mail/vmail";
- user = "virtualMail";
- group = "virtualMail";
- mode = "0700";
- }
- {
- directory = "/var/lib/mail/dkim";
- user = "opendkim";
- group = "opendkim";
- mode = "0700";
- }
- {
- directory = "/var/lib/postfix/data";
- user = "postfix";
- group = "postfix";
- mode = "0700";
- }
- {
- directory = "/var/lib/postfix/queue";
- user = "postfix";
- group = "postfix";
- mode = "0700";
- }
- {
- directory = "/var/lib/rspamd";
- user = "rspamd";
- group = "rspamd";
- mode = "0700";
- }
- ];
-}
diff --git a/system/impermanence/mods/mastodon.nix b/system/impermanence/mods/mastodon.nix
deleted file mode 100644
index a5bdbfd..0000000
--- a/system/impermanence/mods/mastodon.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{...}: {
- environment.persistence."/srv".directories = [
- {
- directory = "/var/lib/mastodon";
- user = "mastodon";
- group = "mastodon";
- mode = "0700";
- }
- ];
-}
diff --git a/system/impermanence/mods/matrix.nix b/system/impermanence/mods/matrix.nix
deleted file mode 100644
index 3af6530..0000000
--- a/system/impermanence/mods/matrix.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-{...}: {
- environment.persistence."/srv".directories = [
- {
- directory = "/var/lib/matrix";
- user = "matrix-synapse";
- group = "matrix-synapse";
- mode = "0700";
- }
- {
- directory = "/var/lib/mautrix-whatsapp";
- user = "mautrix-whatsapp";
- group = "matrix-synapse";
- mode = "0750";
- }
- ];
- systemd.tmpfiles.rules = [
- "d /etc/matrix 0755 matrix-synapse matrix-synapse"
- ];
-}
diff --git a/system/impermanence/mods/minecraft.nix b/system/impermanence/mods/minecraft.nix
deleted file mode 100644
index 2a02626..0000000
--- a/system/impermanence/mods/minecraft.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{...}: {
- environment.persistence."/srv".directories = [
- {
- directory = "/var/lib/minecraft";
- user = "minecraft";
- group = "minecraft";
- mode = "0700";
- }
- ];
-}
diff --git a/system/impermanence/mods/murmur.nix b/system/impermanence/mods/murmur.nix
deleted file mode 100644
index 48912e1..0000000
--- a/system/impermanence/mods/murmur.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{...}: {
- environment.persistence."/srv".directories = [
- {
- directory = "/var/lib/murmur";
- user = "murmur";
- group = "murmur";
- mode = "0700";
- }
- ];
-}
diff --git a/system/impermanence/mods/nix-sync.nix b/system/impermanence/mods/nix-sync.nix
deleted file mode 100644
index 11449ea..0000000
--- a/system/impermanence/mods/nix-sync.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{...}: {
- environment.persistence."/srv".directories = [
- {
- directory = "/var/lib/nix-sync";
- user = "nix-sync";
- group = "nix-sync";
- mode = "0700";
- }
- ];
-}
diff --git a/system/impermanence/mods/openssh.nix b/system/impermanence/mods/openssh.nix
deleted file mode 100644
index 0373a83..0000000
--- a/system/impermanence/mods/openssh.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{...}: {
- /*
- FIXME:
- This results in a boot error, as the `/var/lib/sshd` directory is only mounted _after_ the stage 2 init and with it the system activation.
- Agenix needs the sshd hostkey however to decrypt the secrets and such we have to ensure that this directory is mounted _before_ the system activation.
- Alas the only way I see to achieve that is to store the ssh hostkey directly on /srv, which is mounted before (it's marked as 'neededForBoot' after all).
-
- It should be possible to achieve this with impermanence however, as `/var/log` is mounted in the stage 1 init; The problem is that I have no idea _why_ only
- this is mounted and nothing else.
-
-
- environment.persistence."/srv".directories = [
- {
- directory = "/var/lib/sshd";
- user = "root";
- group = "root";
- mode = "0755";
- }
- ];
- */
-}
diff --git a/system/impermanence/mods/postgresql.nix b/system/impermanence/mods/postgresql.nix
deleted file mode 100644
index 63b02f5..0000000
--- a/system/impermanence/mods/postgresql.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{...}: {
- environment.persistence."/srv".directories = [
- "/var/lib/postgresql"
- ];
-}
diff --git a/system/impermanence/mods/taskserver.nix b/system/impermanence/mods/taskserver.nix
deleted file mode 100644
index 9208aa4..0000000
--- a/system/impermanence/mods/taskserver.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{...}: {
- environment.persistence."/srv".directories = [
- "/var/lib/taskserver"
- ];
-}
diff --git a/system/impermanence/mods/users.nix b/system/impermanence/mods/users.nix
deleted file mode 100644
index 897d4f7..0000000
--- a/system/impermanence/mods/users.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-{...}: {
- environment.persistence."/srv".directories = [
- {
- directory = "/home";
- user = "root";
- group = "root";
- mode = "0755";
- }
- {
- directory = "/home/sils";
- user = "sils";
- group = "sils";
- mode = "0700";
- }
- {
- directory = "/home/soispha";
- user = "soispha";
- group = "soispha";
- mode = "0700";
- }
- {
- directory = "/home/nightingale";
- user = "nightingale";
- group = "nightingale";
- mode = "0700";
- }
- {
- directory = "/root/.ssh";
- user = "root";
- group = "root";
- mode = "0700";
- }
- ];
-}
diff --git a/system/services/fail2ban/default.nix b/system/services/fail2ban/default.nix
index f1487e4..1c47568 100644
--- a/system/services/fail2ban/default.nix
+++ b/system/services/fail2ban/default.nix
@@ -1,4 +1,13 @@
 {...}: {
+ vhack.persist.directories = [
+ {
+ directory = "/var/lib/fail2ban";
+ user = "fail2ban";
+ group = "fail2ban";
+ mode = "0700";
+ }
+ ];
+
 services.fail2ban = {
 enable = true;
 maxretry = 7; # ban after 7 failures
diff --git a/system/services/mail/default.nix b/system/services/mail/default.nix
index 382a87f..c69e6bd 100644
--- a/system/services/mail/default.nix
+++ b/system/services/mail/default.nix
@@ -6,6 +6,10 @@
 ];
 users = import ./users.nix {};
 in {
+ imports = [
+ ./impermanence.nix
+ ];
+
 mailserver = lib.recursiveUpdate {
 enable = true;
diff --git a/system/services/mail/impermanence.nix b/system/services/mail/impermanence.nix
new file mode 100644
index 0000000..22a5318
--- /dev/null
+++ b/system/services/mail/impermanence.nix
@@ -0,0 +1,46 @@
+{...}: {
+ vhack.persist.directories = [
+ {
+ directory = "/var/lib/mail/backup";
+ user = "virtualMail";
+ group = "virtualMail";
+ mode = "0700";
+ }
+ {
+ directory = "/var/lib/mail/sieve";
+ user = "virtualMail";
+ group = "virtualMail";
+ mode = "0700";
+ }
+ {
+ directory = "/var/lib/mail/vmail";
+ user = "virtualMail";
+ group = "virtualMail";
+ mode = "0700";
+ }
+ {
+ directory = "/var/lib/mail/dkim";
+ user = "opendkim";
+ group = "opendkim";
+ mode = "0700";
+ }
+ {
+ directory = "/var/lib/postfix/data";
+ user = "postfix";
+ group = "postfix";
+ mode = "0700";
+ }
+ {
+ directory = "/var/lib/postfix/queue";
+ user = "postfix";
+ group = "postfix";
+ mode = "0700";
+ }
+ {
+ directory = "/var/lib/rspamd";
+ user = "rspamd";
+ group = "rspamd";
+ mode = "0700";
+ }
+ ];
+}
diff --git a/system/services/mastodon/default.nix b/system/services/mastodon/default.nix
index f613bf3..15b8609 100644
--- a/system/services/mastodon/default.nix
+++ b/system/services/mastodon/default.nix
@@ -9,6 +9,15 @@
 patches = (attrs.patches or []) ++ [./patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch];
 });
 in {
+ vhack.persist.directories = [
+ {
+ directory = "/var/lib/mastodon";
+ user = "mastodon";
+ group = "mastodon";
+ mode = "0700";
+ }
+ ];
+
 services.mastodon = {
 enable = true;
diff --git a/system/services/matrix/default.nix b/system/services/matrix/default.nix
index b75d1f1..043d9c0 100644
--- a/system/services/matrix/default.nix
+++ b/system/services/matrix/default.nix
@@ -14,6 +14,24 @@ in {
 networking.firewall.allowedTCPPorts = [80 443];
+ vhack.persist.directories = [
+ {
+ directory = "/var/lib/matrix";
+ user = "matrix-synapse";
+ group = "matrix-synapse";
+ mode = "0700";
+ }
+ {
+ directory = "/var/lib/mautrix-whatsapp";
+ user = "mautrix-whatsapp";
+ group = "matrix-synapse";
+ mode = "0750";
+ }
+ ];
+ systemd.tmpfiles.rules = [
+ "d /etc/matrix 0755 matrix-synapse matrix-synapse"
+ ];
+
 services = {
 postgresql = {
 enable = true;
diff --git a/system/services/minecraft/default.nix b/system/services/minecraft/default.nix
index e659af0..9bc98b9 100644
--- a/system/services/minecraft/default.nix
+++ b/system/services/minecraft/default.nix
@@ -1,4 +1,13 @@
 {lib, ...}: {
+ vhack.persist.directories = [
+ {
+ directory = "/var/lib/minecraft";
+ user = "minecraft";
+ group = "minecraft";
+ mode = "0700";
+ }
+ ];
+
 nixpkgs.config.allowUnfreePredicate = pkg:
 builtins.elem (lib.getName pkg) [
 "minecraft-server"
diff --git a/system/services/murmur/default.nix b/system/services/murmur/default.nix
index 1dcd781..dec79ba 100644
--- a/system/services/murmur/default.nix
+++ b/system/services/murmur/default.nix
@@ -1,6 +1,15 @@
 {...}: let
 murmurStore = "/var/lib/murmur";
 in {
+ vhack.persist.directories = [
+ {
+ directory = "/var/lib/murmur";
+ user = "murmur";
+ group = "murmur";
+ mode = "0700";
+ }
+ ];
+
 services.murmur = {
 enable = true;
 openFirewall = true;
diff --git a/system/services/taskserver/default.nix b/system/services/taskserver/default.nix
index 2e4370f..04b6a8b 100644
--- a/system/services/taskserver/default.nix
+++ b/system/services/taskserver/default.nix
@@ -4,6 +4,11 @@ in {
 environment.etc = {
 "tmpfiles.d/taskserver.conf".source = config.age.secrets.taskserverSystemdTmpfiles.path;
 };
+
+ vhack.persist.directories = [
+ "/var/lib/taskserver"
+ ];
+
 services.taskserver = {
 enable = true;
 pki.manual = {
diff --git a/system/users/default.nix b/system/users/default.nix
index 1b7b29b..0da0515 100644
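Review bot: The matrix host still turns the database on via the context lines `services = { postgresql = { enable = true;` at the end of this hunk rather than through the new `vhack.postgresql.enable`, and with the unconditional `mods/postgresql.nix` import gone, `/var/lib/postgresql` is only persisted where `vhack.postgresql.enable` is set; unless that happens elsewhere for this host (not visible here), its database would now live on the ephemeral root and vanish on reboot. Replacing the direct enable with `vhack.postgresql.enable = true;` ties persistence to the service again. Any other host that enables `services.postgresql` directly (the mastodon hunk does not show it, but is worth checking) has the same exposure. The `services = {` attrset continues beyond the hunk.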
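Review bot: The murmur entry hard-codes `directory = "/var/lib/murmur";` although the file binds `murmurStore = "/var/lib/murmur";` in its `let` two lines above; use `directory = murmurStore;` so the persisted path and the path handed to `services.murmur` cannot drift apart. The `services.murmur = {` block continues outside the hunk.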
--- a/system/users/default.nix
+++ b/system/users/default.nix
@@ -1,4 +1,37 @@
 {pkgs, ...}: {
+ vhack.persist.directories = [
+ {
+ directory = "/home";
+ user = "root";
+ group = "root";
+ mode = "0755";
+ }
+ {
+ directory = "/home/sils";
+ user = "sils";
+ group = "sils";
+ mode = "0700";
+ }
+ {
+ directory = "/home/soispha";
+ user = "soispha";
+ group = "soispha";
+ mode = "0700";
+ }
+ {
+ directory = "/home/nightingale";
+ user = "nightingale";
+ group = "nightingale";
+ mode = "0700";
+ }
+ {
+ directory = "/root/.ssh";
+ user = "root";
+ group = "root";
+ mode = "0700";
+ }
+ ];
+
 users = {
 mutableUsers = false;
 defaultUserShell = pkgs.zsh;
-- 
cgit 1.4.1