diff --git a/modules/nixos/hardware/networking/default.nix b/modules/nixos/hardware/networking/default.nix index dac5e9a..9e85966 100644 --- a/modules/nixos/hardware/networking/default.nix +++ b/modules/nixos/hardware/networking/default.nix @@ -23,6 +23,8 @@ in (lib.mkIf cfg.wireless.enable { networking.networkmanager.enable = true; + # IWD needs persistence if enabled + # Persist NetworkManager files my.system.persist.files = [ "/var/lib/NetworkManager/secret_key" diff --git a/modules/nixos/services/drone/runner-docker/default.nix b/modules/nixos/services/drone/runner-docker/default.nix index e53c608..1db263b 100644 --- a/modules/nixos/services/drone/runner-docker/default.nix +++ b/modules/nixos/services/drone/runner-docker/default.nix @@ -39,5 +39,7 @@ in extraGroups = [ "docker" ]; # Give access to the daemon }; users.groups.drone-runner-docker = { }; + + # FIXME: persistence? }; } diff --git a/modules/nixos/services/drone/runner-exec/default.nix b/modules/nixos/services/drone/runner-exec/default.nix index a9bb563..c30a1a2 100644 --- a/modules/nixos/services/drone/runner-exec/default.nix +++ b/modules/nixos/services/drone/runner-exec/default.nix @@ -63,5 +63,7 @@ in group = "drone-runner-exec"; }; users.groups.drone-runner-exec = { }; + + # FIXME: persistence? }; } diff --git a/modules/nixos/services/drone/server/default.nix b/modules/nixos/services/drone/server/default.nix index a3a1e49..b5d5df7 100644 --- a/modules/nixos/services/drone/server/default.nix +++ b/modules/nixos/services/drone/server/default.nix @@ -50,5 +50,7 @@ in inherit (cfg) port; }; }; + + # FIXME: persistence? }; } diff --git a/modules/nixos/services/mealie/default.nix b/modules/nixos/services/mealie/default.nix index 664d5ba..920081a 100644 --- a/modules/nixos/services/mealie/default.nix +++ b/modules/nixos/services/mealie/default.nix @@ -72,6 +72,16 @@ in }; }; + my.services.backup = { + paths = [ + config.systemd.services.mealie.environment.DATA_DIR + ]; + }; + + my.system.persist.directories = [ + config.systemd.services.mealie.environment.DATA_DIR + ]; + services.fail2ban.jails = { mealie = '' enabled = true diff --git a/modules/nixos/services/monitoring/default.nix b/modules/nixos/services/monitoring/default.nix index 49919c1..4415cb5 100644 --- a/modules/nixos/services/monitoring/default.nix +++ b/modules/nixos/services/monitoring/default.nix @@ -130,5 +130,10 @@ in inherit (cfg.grafana) port; }; }; + + my.system.persist.directories = [ + config.services.grafana.dataDir + "/var/lib/${config.services.prometheus.stateDir}" + ]; }; } diff --git a/modules/nixos/services/navidrome/default.nix b/modules/nixos/services/navidrome/default.nix index c513b91..106e01d 100644 --- a/modules/nixos/services/navidrome/default.nix +++ b/modules/nixos/services/navidrome/default.nix @@ -53,6 +53,10 @@ in }; }; + my.system.persist.directories = [ + "/var/lib/${config.systemd.services.navidrome.serviceConfig.StateDirectory}" + ]; + services.fail2ban.jails = { navidrome = '' enabled = true diff --git a/modules/nixos/services/nextcloud/collabora.nix b/modules/nixos/services/nextcloud/collabora.nix index f8f42a7..dce1a99 100644 --- a/modules/nixos/services/nextcloud/collabora.nix +++ b/modules/nixos/services/nextcloud/collabora.nix @@ -46,5 +46,7 @@ in ]; }; }; + + # FIXME: persistence? }; } diff --git a/modules/nixos/services/nextcloud/default.nix b/modules/nixos/services/nextcloud/default.nix index fe94177..e561ce2 100644 --- a/modules/nixos/services/nextcloud/default.nix +++ b/modules/nixos/services/nextcloud/default.nix @@ -92,6 +92,11 @@ in ]; }; + my.system.persist.directories = [ + config.services.nextcloud.home + config.services.nextcloud.datadir + ]; + services.fail2ban.jails = { nextcloud = '' enabled = true diff --git a/modules/nixos/services/nginx/default.nix b/modules/nixos/services/nginx/default.nix index 3bba9f4..32c1b7d 100644 --- a/modules/nixos/services/nginx/default.nix +++ b/modules/nixos/services/nginx/default.nix @@ -486,5 +486,9 @@ in } ]; }; + + my.system.persist.directories = [ + config.users.user.acme.home + ]; }; } diff --git a/modules/nixos/services/paperless/default.nix b/modules/nixos/services/paperless/default.nix index c8967e1..22ca8ad 100644 --- a/modules/nixos/services/paperless/default.nix +++ b/modules/nixos/services/paperless/default.nix @@ -146,5 +146,10 @@ in config.services.paperless.mediaDir ]; }; + + my.system.persist.directories = [ + config.services.paperless-ng.dataDir + config.services.paperless-ng.mediaDir + ]; }; } diff --git a/modules/nixos/services/pdf-edit/default.nix b/modules/nixos/services/pdf-edit/default.nix index d59507b..0928a14 100644 --- a/modules/nixos/services/pdf-edit/default.nix +++ b/modules/nixos/services/pdf-edit/default.nix @@ -54,6 +54,10 @@ in }; }; + my.system.persist.directories = [ + "/var/lib/${config.systemd.services.stirling-pdf.serviceConfig.StateDirectory}" + ]; + services.fail2ban.jails = { stirling-pdf = '' enabled = true diff --git a/modules/nixos/services/podgrab/default.nix b/modules/nixos/services/podgrab/default.nix index 3ced8d3..ec6ecb2 100644 --- a/modules/nixos/services/podgrab/default.nix +++ b/modules/nixos/services/podgrab/default.nix @@ -51,5 +51,10 @@ in inherit (cfg) port; }; }; + + my.system.persist.directories = [ + config.systemd.services.podgrab.environment.CONFIG + config.systemd.services.podgrab.environment.DATA + ]; }; } diff --git a/modules/nixos/services/postgresql-backup/default.nix b/modules/nixos/services/postgresql-backup/default.nix index dff5494..3d6c03b 100644 --- a/modules/nixos/services/postgresql-backup/default.nix +++ b/modules/nixos/services/postgresql-backup/default.nix @@ -24,5 +24,9 @@ in (config.services.postgresqlBackup.location + "/*.prev.sql.gz") ]; }; + + my.system.persist.directories = [ + config.services.postgresqlBackup.location + ]; }; } diff --git a/modules/nixos/services/postgresql/default.nix b/modules/nixos/services/postgresql/default.nix index bbe46d4..cea4c88 100644 --- a/modules/nixos/services/postgresql/default.nix +++ b/modules/nixos/services/postgresql/default.nix @@ -18,6 +18,13 @@ in }; }) + # Only persist directory if the actual service is enabled + (lib.mkIf config.services.postgresql.enable { + my.system.persist.directories = [ + config.services.postgresql.dataDir + ]; + }) + # Taken from the manual (lib.mkIf cfg.upgradeScript { environment.systemPackages = diff --git a/modules/nixos/services/pyload/default.nix b/modules/nixos/services/pyload/default.nix index 7257d0f..a8ec3b2 100644 --- a/modules/nixos/services/pyload/default.nix +++ b/modules/nixos/services/pyload/default.nix @@ -53,6 +53,11 @@ in }; }; + my.system.persist.directories = [ + cfg.downloadDirectory + "/var/lib/${config.systemd.services.pyload.StateDirectory}" + ]; + services.fail2ban.jails = { pyload = '' enabled = true diff --git a/modules/nixos/services/quassel/default.nix b/modules/nixos/services/quassel/default.nix index 695f9e0..0065195 100644 --- a/modules/nixos/services/quassel/default.nix +++ b/modules/nixos/services/quassel/default.nix @@ -46,5 +46,9 @@ in # Because Quassel does not use the socket, I simply trust its connection authentication = "host quassel quassel localhost trust"; }; + + my.system.persist.directories = [ + config.services.quassel.dataDir + ]; }; } diff --git a/modules/nixos/services/rss-bridge/default.nix b/modules/nixos/services/rss-bridge/default.nix index 52b1030..977b431 100644 --- a/modules/nixos/services/rss-bridge/default.nix +++ b/modules/nixos/services/rss-bridge/default.nix @@ -22,5 +22,9 @@ in forceSSL = true; useACMEHost = config.networking.domain; }; + + my.system.persist.directories = [ + config.services.rss-bridge.dataDir + ]; }; } diff --git a/modules/nixos/services/sabnzbd/default.nix b/modules/nixos/services/sabnzbd/default.nix index 9e0d9c3..86202ab 100644 --- a/modules/nixos/services/sabnzbd/default.nix +++ b/modules/nixos/services/sabnzbd/default.nix @@ -24,6 +24,10 @@ in }; }; + my.system.persist.files = [ + config.services.sabnzbd.configFile + ]; + services.fail2ban.jails = { sabnzbd = '' enabled = true diff --git a/modules/nixos/services/servarr/default.nix b/modules/nixos/services/servarr/default.nix index e25d9cf..3330b0f 100644 --- a/modules/nixos/services/servarr/default.nix +++ b/modules/nixos/services/servarr/default.nix @@ -19,6 +19,16 @@ let enable = true; group = "media"; }; + + my.system.persist.directories = + let + # Bazarr breaks the mold unfortunately + dataDir = + if service != "bazarr" + then config.services.${service}.dataDir + else config.users.user.${service}.home; + in + [ dataDir ]; }; mkRedirection = service: { diff --git a/modules/nixos/services/tandoor-recipes/default.nix b/modules/nixos/services/tandoor-recipes/default.nix index 3447bee..ea45e74 100644 --- a/modules/nixos/services/tandoor-recipes/default.nix +++ b/modules/nixos/services/tandoor-recipes/default.nix @@ -83,6 +83,19 @@ in }; }; + my.services.backup = { + paths = [ + "/var/lib/${config.systemd.services.tandoor-recipes.StateDirectory}" + config.systemd.services.tandoor-recipes.environment.MEDIA_ROOT + ]; + }; + + my.system.persist.directories = [ + "/var/lib/${config.systemd.services.tandoor-recipes.StateDirectory}" + config.systemd.services.tandoor-recipes.environment.MEDIA_ROOT + ]; + + # NOTE: unfortunately tandoor-recipes does not log connection failures for fail2ban }; } diff --git a/modules/nixos/services/transmission/default.nix b/modules/nixos/services/transmission/default.nix index ac8b24d..674fa81 100644 --- a/modules/nixos/services/transmission/default.nix +++ b/modules/nixos/services/transmission/default.nix @@ -91,6 +91,10 @@ in allowedUDPPorts = [ cfg.peerPort ]; }; + my.system.persist.directories = [ + config.services.transmission.home + ]; + # NOTE: unfortunately transmission does not log connection failures for fail2ban }; } diff --git a/modules/nixos/services/vikunja/default.nix b/modules/nixos/services/vikunja/default.nix index 2753da3..d902449 100644 --- a/modules/nixos/services/vikunja/default.nix +++ b/modules/nixos/services/vikunja/default.nix @@ -100,6 +100,10 @@ in ]; }; + my.system.persist.directories = [ + config.services.vikunja.settings.files.basepath + ]; + # NOTE: unfortunately vikunja does not log connection failures for fail2ban }; } diff --git a/modules/nixos/services/woodpecker/agent-docker/default.nix b/modules/nixos/services/woodpecker/agent-docker/default.nix index 79d3299..2e74b67 100644 --- a/modules/nixos/services/woodpecker/agent-docker/default.nix +++ b/modules/nixos/services/woodpecker/agent-docker/default.nix @@ -38,5 +38,7 @@ in ]; }; }; + + # FIXME: persistence? }; } diff --git a/modules/nixos/services/woodpecker/agent-exec/default.nix b/modules/nixos/services/woodpecker/agent-exec/default.nix index 24161b0..4210242 100644 --- a/modules/nixos/services/woodpecker/agent-exec/default.nix +++ b/modules/nixos/services/woodpecker/agent-exec/default.nix @@ -62,5 +62,7 @@ in ]; }; }; + + # FIXME: persistence? }; } diff --git a/modules/nixos/services/woodpecker/server/default.nix b/modules/nixos/services/woodpecker/server/default.nix index adf533e..5d25284 100644 --- a/modules/nixos/services/woodpecker/server/default.nix +++ b/modules/nixos/services/woodpecker/server/default.nix @@ -61,5 +61,7 @@ in port = cfg.rpcPort; }; }; + + # FIXME: persistence }; } diff --git a/modules/nixos/system/persist/default.nix b/modules/nixos/system/persist/default.nix index e0a1eeb..3033595 100644 --- a/modules/nixos/system/persist/default.nix +++ b/modules/nixos/system/persist/default.nix @@ -58,6 +58,10 @@ in "/var/log" # Logs "/var/lib/nixos" # UID/GID maps "/var/lib/systemd/coredump" # Coredumps + + "/var/lib/systemd" # FIXME: needed? + "/var/spool" # FIXME: needed? + "/var/tmp" # FIXME: needed? ] ++ cfg.directories ; diff --git a/modules/nixos/system/printing/default.nix b/modules/nixos/system/printing/default.nix index 0dfab0f..3e21b25 100644 --- a/modules/nixos/system/printing/default.nix +++ b/modules/nixos/system/printing/default.nix @@ -65,5 +65,7 @@ in # Allow resolution of '.local' addresses nssmdns4 = true; }; + + # FIXME: persistence? }; }