diff --git a/modules/nixos/hardware/networking/default.nix b/modules/nixos/hardware/networking/default.nix index f0806fe..51dcfce 100644 --- a/modules/nixos/hardware/networking/default.nix +++ b/modules/nixos/hardware/networking/default.nix @@ -22,6 +22,11 @@ in config = lib.mkMerge [ (lib.mkIf cfg.wireless.enable { networking.networkmanager.enable = true; + + # Persist NetworkManager files + my.system.persist.directories = [ + "/etc/NetworkManager/system-connections" + ]; }) ]; } diff --git a/modules/nixos/services/aria/default.nix b/modules/nixos/services/aria/default.nix index acbf0b7..4946663 100644 --- a/modules/nixos/services/aria/default.nix +++ b/modules/nixos/services/aria/default.nix @@ -69,6 +69,8 @@ in }; }; + # FIXME: persistence? + # NOTE: unfortunately aria2 does not log connection failures for fail2ban }; } diff --git a/modules/nixos/services/audiobookshelf/default.nix b/modules/nixos/services/audiobookshelf/default.nix index 04ec8b9..9985a26 100644 --- a/modules/nixos/services/audiobookshelf/default.nix +++ b/modules/nixos/services/audiobookshelf/default.nix @@ -34,6 +34,8 @@ in }; }; + # FIXME: persistence? + services.fail2ban.jails = { audiobookshelf = '' enabled = true diff --git a/modules/nixos/services/blog/default.nix b/modules/nixos/services/blog/default.nix index e4d2d42..aadc4f0 100644 --- a/modules/nixos/services/blog/default.nix +++ b/modules/nixos/services/blog/default.nix @@ -41,5 +41,12 @@ in # Those are all subdomains, no problem my.services.nginx.virtualHosts = hostsInfo; + + my.system.persist.directories = [ + "/var/www/blog" + "/var/www/cv" + "/var/www/dev" + "/var/www/key" + ]; }; } diff --git a/modules/nixos/services/calibre-web/default.nix b/modules/nixos/services/calibre-web/default.nix index b7bf9df..8a8af33 100644 --- a/modules/nixos/services/calibre-web/default.nix +++ b/modules/nixos/services/calibre-web/default.nix @@ -53,6 +53,11 @@ in ]; }; + my.system.persist.directories = [ + "/var/lib/${config.services.calibre-web.dataDir}" + cfg.libraryPath + ]; + services.fail2ban.jails = { calibre-web = '' enabled = true diff --git a/modules/nixos/services/drone/runner-docker/default.nix b/modules/nixos/services/drone/runner-docker/default.nix index e53c608..1db263b 100644 --- a/modules/nixos/services/drone/runner-docker/default.nix +++ b/modules/nixos/services/drone/runner-docker/default.nix @@ -39,5 +39,7 @@ in extraGroups = [ "docker" ]; # Give access to the daemon }; users.groups.drone-runner-docker = { }; + + # FIXME: persistence? }; } diff --git a/modules/nixos/services/drone/runner-exec/default.nix b/modules/nixos/services/drone/runner-exec/default.nix index a9bb563..c30a1a2 100644 --- a/modules/nixos/services/drone/runner-exec/default.nix +++ b/modules/nixos/services/drone/runner-exec/default.nix @@ -63,5 +63,7 @@ in group = "drone-runner-exec"; }; users.groups.drone-runner-exec = { }; + + # FIXME: persistence? }; } diff --git a/modules/nixos/services/drone/server/default.nix b/modules/nixos/services/drone/server/default.nix index a3a1e49..b5d5df7 100644 --- a/modules/nixos/services/drone/server/default.nix +++ b/modules/nixos/services/drone/server/default.nix @@ -50,5 +50,7 @@ in inherit (cfg) port; }; }; + + # FIXME: persistence? }; } diff --git a/modules/nixos/services/fail2ban/default.nix b/modules/nixos/services/fail2ban/default.nix index be5f7da..efb07c9 100644 --- a/modules/nixos/services/fail2ban/default.nix +++ b/modules/nixos/services/fail2ban/default.nix @@ -33,5 +33,7 @@ in bantime = "10m"; }; }; + + # FIXME: persistence? }; } diff --git a/modules/nixos/services/flood/default.nix b/modules/nixos/services/flood/default.nix index f3fe90b..23154ed 100644 --- a/modules/nixos/services/flood/default.nix +++ b/modules/nixos/services/flood/default.nix @@ -28,6 +28,8 @@ in }; }; + # FIXME: persistence? + # NOTE: unfortunately flood does not log connection failures for fail2ban }; } diff --git a/modules/nixos/services/forgejo/default.nix b/modules/nixos/services/forgejo/default.nix index 511724b..b7cc0c5 100644 --- a/modules/nixos/services/forgejo/default.nix +++ b/modules/nixos/services/forgejo/default.nix @@ -147,6 +147,11 @@ in ]; }; + my.system.persist.directories = [ + config.services.forgejo.lfs.contentDir + config.services.forgejo.repositoryRoot + ]; + services.fail2ban.jails = { forgejo = '' enabled = true diff --git a/modules/nixos/services/gitea/default.nix b/modules/nixos/services/gitea/default.nix index 95bdf42..76de5dd 100644 --- a/modules/nixos/services/gitea/default.nix +++ b/modules/nixos/services/gitea/default.nix @@ -131,6 +131,11 @@ in ]; }; + my.system.persist.directories = [ + config.services.gitea.lfs.contentDir + config.services.gitea.repositoryRoot + ]; + services.fail2ban.jails = { gitea = '' enabled = true diff --git a/modules/nixos/services/grocy/default.nix b/modules/nixos/services/grocy/default.nix index 9045b03..67de377 100644 --- a/modules/nixos/services/grocy/default.nix +++ b/modules/nixos/services/grocy/default.nix @@ -37,6 +37,9 @@ in useACMEHost = config.networking.domain; }; + # FIXME: backup + # FIXME: persistence + # NOTE: unfortunately grocy does not log connection failures for fail2ban }; } diff --git a/modules/nixos/services/indexers/default.nix b/modules/nixos/services/indexers/default.nix index 8a42345..332ae30 100644 --- a/modules/nixos/services/indexers/default.nix +++ b/modules/nixos/services/indexers/default.nix @@ -33,6 +33,10 @@ in port = jackettPort; }; }; + + my.system.persist.directories = [ + config.services.jackett.dataDir + ]; }) (lib.mkIf cfg.nzbhydra.enable { @@ -45,6 +49,10 @@ in port = nzbhydraPort; }; }; + + my.system.persist.directories = [ + config.services.nzbhydra2.dataDir + ]; }) (lib.mkIf cfg.prowlarr.enable { @@ -58,6 +66,10 @@ in }; }; + my.system.persist.directories = [ + "/var/lib/${config.systemd.services.prowlarr.serviceConfig.StateDirectory}" + ]; + services.fail2ban.jails = { prowlarr = '' enabled = true diff --git a/modules/nixos/services/jellyfin/default.nix b/modules/nixos/services/jellyfin/default.nix index 6edeb67..d5de6d5 100644 --- a/modules/nixos/services/jellyfin/default.nix +++ b/modules/nixos/services/jellyfin/default.nix @@ -38,6 +38,10 @@ in }; }; + my.system.persist.directories = [ + "/var/lib/${config.systemd.services.jellyfin.serviceConfig.StateDirectory}" + ]; + services.fail2ban.jails = { jellyfin = '' enabled = true diff --git a/modules/nixos/services/komga/default.nix b/modules/nixos/services/komga/default.nix index e1dc780..9412573 100644 --- a/modules/nixos/services/komga/default.nix +++ b/modules/nixos/services/komga/default.nix @@ -36,6 +36,8 @@ in }; }; + # FIXME: persistence? + services.fail2ban.jails = { komga = '' enabled = true diff --git a/modules/nixos/services/lohr/default.nix b/modules/nixos/services/lohr/default.nix index 21ed93b..64925a2 100644 --- a/modules/nixos/services/lohr/default.nix +++ b/modules/nixos/services/lohr/default.nix @@ -107,5 +107,9 @@ in }; }; }; + + my.system.persist.directories = [ + "/var/lib/${config.systemd.services.lohr.serviceConfig.StateDirectory}" + ]; }; } diff --git a/modules/nixos/services/matrix/default.nix b/modules/nixos/services/matrix/default.nix index f423834..cb41a0f 100644 --- a/modules/nixos/services/matrix/default.nix +++ b/modules/nixos/services/matrix/default.nix @@ -214,5 +214,9 @@ in config.services.matrix-synapse.dataDir ]; }; + + my.system.persist.directories = [ + config.services.matrix-synapse.dataDir + ]; }; } diff --git a/modules/nixos/services/mealie/default.nix b/modules/nixos/services/mealie/default.nix index 664d5ba..4eb6977 100644 --- a/modules/nixos/services/mealie/default.nix +++ b/modules/nixos/services/mealie/default.nix @@ -72,6 +72,9 @@ in }; }; + # FIXME: backup + # FIXME: persistence + services.fail2ban.jails = { mealie = '' enabled = true diff --git a/modules/nixos/services/miniflux/default.nix b/modules/nixos/services/miniflux/default.nix index 400ae00..7bcfe30 100644 --- a/modules/nixos/services/miniflux/default.nix +++ b/modules/nixos/services/miniflux/default.nix @@ -49,6 +49,9 @@ in }; }; + # FIXME: backup + # FIXME: persistence + services.fail2ban.jails = { miniflux = '' enabled = true diff --git a/modules/nixos/services/monitoring/default.nix b/modules/nixos/services/monitoring/default.nix index 49919c1..4415cb5 100644 --- a/modules/nixos/services/monitoring/default.nix +++ b/modules/nixos/services/monitoring/default.nix @@ -130,5 +130,10 @@ in inherit (cfg.grafana) port; }; }; + + my.system.persist.directories = [ + config.services.grafana.dataDir + "/var/lib/${config.services.prometheus.stateDir}" + ]; }; } diff --git a/modules/nixos/services/navidrome/default.nix b/modules/nixos/services/navidrome/default.nix index c513b91..106e01d 100644 --- a/modules/nixos/services/navidrome/default.nix +++ b/modules/nixos/services/navidrome/default.nix @@ -53,6 +53,10 @@ in }; }; + my.system.persist.directories = [ + "/var/lib/${config.systemd.services.navidrome.serviceConfig.StateDirectory}" + ]; + services.fail2ban.jails = { navidrome = '' enabled = true diff --git a/modules/nixos/services/nextcloud/collabora.nix b/modules/nixos/services/nextcloud/collabora.nix index f8f42a7..dce1a99 100644 --- a/modules/nixos/services/nextcloud/collabora.nix +++ b/modules/nixos/services/nextcloud/collabora.nix @@ -46,5 +46,7 @@ in ]; }; }; + + # FIXME: persistence? }; } diff --git a/modules/nixos/services/nextcloud/default.nix b/modules/nixos/services/nextcloud/default.nix index fe94177..e561ce2 100644 --- a/modules/nixos/services/nextcloud/default.nix +++ b/modules/nixos/services/nextcloud/default.nix @@ -92,6 +92,11 @@ in ]; }; + my.system.persist.directories = [ + config.services.nextcloud.home + config.services.nextcloud.datadir + ]; + services.fail2ban.jails = { nextcloud = '' enabled = true diff --git a/modules/nixos/services/nginx/default.nix b/modules/nixos/services/nginx/default.nix index 3bba9f4..32c1b7d 100644 --- a/modules/nixos/services/nginx/default.nix +++ b/modules/nixos/services/nginx/default.nix @@ -486,5 +486,9 @@ in } ]; }; + + my.system.persist.directories = [ + config.users.user.acme.home + ]; }; } diff --git a/modules/nixos/services/paperless/default.nix b/modules/nixos/services/paperless/default.nix index c8967e1..22ca8ad 100644 --- a/modules/nixos/services/paperless/default.nix +++ b/modules/nixos/services/paperless/default.nix @@ -146,5 +146,10 @@ in config.services.paperless.mediaDir ]; }; + + my.system.persist.directories = [ + config.services.paperless-ng.dataDir + config.services.paperless-ng.mediaDir + ]; }; } diff --git a/modules/nixos/services/pdf-edit/default.nix b/modules/nixos/services/pdf-edit/default.nix index d59507b..73527d9 100644 --- a/modules/nixos/services/pdf-edit/default.nix +++ b/modules/nixos/services/pdf-edit/default.nix @@ -54,6 +54,8 @@ in }; }; + # FIXME: persistence? + services.fail2ban.jails = { stirling-pdf = '' enabled = true diff --git a/modules/nixos/services/podgrab/default.nix b/modules/nixos/services/podgrab/default.nix index 3ced8d3..ec6ecb2 100644 --- a/modules/nixos/services/podgrab/default.nix +++ b/modules/nixos/services/podgrab/default.nix @@ -51,5 +51,10 @@ in inherit (cfg) port; }; }; + + my.system.persist.directories = [ + config.systemd.services.podgrab.environment.CONFIG + config.systemd.services.podgrab.environment.DATA + ]; }; } diff --git a/modules/nixos/services/postgresql-backup/default.nix b/modules/nixos/services/postgresql-backup/default.nix index dff5494..3d6c03b 100644 --- a/modules/nixos/services/postgresql-backup/default.nix +++ b/modules/nixos/services/postgresql-backup/default.nix @@ -24,5 +24,9 @@ in (config.services.postgresqlBackup.location + "/*.prev.sql.gz") ]; }; + + my.system.persist.directories = [ + config.services.postgresqlBackup.location + ]; }; } diff --git a/modules/nixos/services/postgresql/default.nix b/modules/nixos/services/postgresql/default.nix index bbe46d4..cea4c88 100644 --- a/modules/nixos/services/postgresql/default.nix +++ b/modules/nixos/services/postgresql/default.nix @@ -18,6 +18,13 @@ in }; }) + # Only persist directory if the actual service is enabled + (lib.mkIf config.services.postgresql.enable { + my.system.persist.directories = [ + config.services.postgresql.dataDir + ]; + }) + # Taken from the manual (lib.mkIf cfg.upgradeScript { environment.systemPackages = diff --git a/modules/nixos/services/pyload/default.nix b/modules/nixos/services/pyload/default.nix index 7257d0f..1167509 100644 --- a/modules/nixos/services/pyload/default.nix +++ b/modules/nixos/services/pyload/default.nix @@ -53,6 +53,9 @@ in }; }; + # FIXME: backup + # FIXME: persistence + services.fail2ban.jails = { pyload = '' enabled = true diff --git a/modules/nixos/services/quassel/default.nix b/modules/nixos/services/quassel/default.nix index 695f9e0..0065195 100644 --- a/modules/nixos/services/quassel/default.nix +++ b/modules/nixos/services/quassel/default.nix @@ -46,5 +46,9 @@ in # Because Quassel does not use the socket, I simply trust its connection authentication = "host quassel quassel localhost trust"; }; + + my.system.persist.directories = [ + config.services.quassel.dataDir + ]; }; } diff --git a/modules/nixos/services/rss-bridge/default.nix b/modules/nixos/services/rss-bridge/default.nix index 52b1030..977b431 100644 --- a/modules/nixos/services/rss-bridge/default.nix +++ b/modules/nixos/services/rss-bridge/default.nix @@ -22,5 +22,9 @@ in forceSSL = true; useACMEHost = config.networking.domain; }; + + my.system.persist.directories = [ + config.services.rss-bridge.dataDir + ]; }; } diff --git a/modules/nixos/services/sabnzbd/default.nix b/modules/nixos/services/sabnzbd/default.nix index 9e0d9c3..86202ab 100644 --- a/modules/nixos/services/sabnzbd/default.nix +++ b/modules/nixos/services/sabnzbd/default.nix @@ -24,6 +24,10 @@ in }; }; + my.system.persist.files = [ + config.services.sabnzbd.configFile + ]; + services.fail2ban.jails = { sabnzbd = '' enabled = true diff --git a/modules/nixos/services/servarr/default.nix b/modules/nixos/services/servarr/default.nix index e25d9cf..9cb2a59 100644 --- a/modules/nixos/services/servarr/default.nix +++ b/modules/nixos/services/servarr/default.nix @@ -19,6 +19,11 @@ let enable = true; group = "media"; }; + + # Thankfully those old style services all define users with homes + my.system.persist.directories = [ + config.users.user.${service}.home + ]; }; mkRedirection = service: { diff --git a/modules/nixos/services/ssh-server/default.nix b/modules/nixos/services/ssh-server/default.nix index 9ae0fa8..008738f 100644 --- a/modules/nixos/services/ssh-server/default.nix +++ b/modules/nixos/services/ssh-server/default.nix @@ -20,6 +20,13 @@ in }; }; + # Persist SSH keys + my.system.persist.files = + let + pubAndPrivKey = key: [ key.path "${key.path}.pub" ]; + in + lib.concatMap pubAndPrivKey systemConfig.services.openssh.hostKeys; + # Opens the relevant UDP ports. programs.mosh.enable = true; }; diff --git a/modules/nixos/services/tandoor-recipes/default.nix b/modules/nixos/services/tandoor-recipes/default.nix index 3447bee..6282769 100644 --- a/modules/nixos/services/tandoor-recipes/default.nix +++ b/modules/nixos/services/tandoor-recipes/default.nix @@ -83,6 +83,9 @@ in }; }; + # FIXME: backup + # FIXME: persistence + # NOTE: unfortunately tandoor-recipes does not log connection failures for fail2ban }; } diff --git a/modules/nixos/services/transmission/default.nix b/modules/nixos/services/transmission/default.nix index ac8b24d..674fa81 100644 --- a/modules/nixos/services/transmission/default.nix +++ b/modules/nixos/services/transmission/default.nix @@ -91,6 +91,10 @@ in allowedUDPPorts = [ cfg.peerPort ]; }; + my.system.persist.directories = [ + config.services.transmission.home + ]; + # NOTE: unfortunately transmission does not log connection failures for fail2ban }; } diff --git a/modules/nixos/services/vikunja/default.nix b/modules/nixos/services/vikunja/default.nix index 2753da3..575ddab 100644 --- a/modules/nixos/services/vikunja/default.nix +++ b/modules/nixos/services/vikunja/default.nix @@ -100,6 +100,8 @@ in ]; }; + # FIXME: persistence + # NOTE: unfortunately vikunja does not log connection failures for fail2ban }; } diff --git a/modules/nixos/services/woodpecker/agent-docker/default.nix b/modules/nixos/services/woodpecker/agent-docker/default.nix index 79d3299..2e74b67 100644 --- a/modules/nixos/services/woodpecker/agent-docker/default.nix +++ b/modules/nixos/services/woodpecker/agent-docker/default.nix @@ -38,5 +38,7 @@ in ]; }; }; + + # FIXME: persistence? }; } diff --git a/modules/nixos/services/woodpecker/agent-exec/default.nix b/modules/nixos/services/woodpecker/agent-exec/default.nix index 24161b0..4210242 100644 --- a/modules/nixos/services/woodpecker/agent-exec/default.nix +++ b/modules/nixos/services/woodpecker/agent-exec/default.nix @@ -62,5 +62,7 @@ in ]; }; }; + + # FIXME: persistence? }; } diff --git a/modules/nixos/services/woodpecker/server/default.nix b/modules/nixos/services/woodpecker/server/default.nix index adf533e..5d25284 100644 --- a/modules/nixos/services/woodpecker/server/default.nix +++ b/modules/nixos/services/woodpecker/server/default.nix @@ -61,5 +61,7 @@ in port = cfg.rpcPort; }; }; + + # FIXME: persistence }; }