From 05fdbcdb7613b89c1f7e9d83d1a205d89c9d9765 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Sat, 11 Nov 2023 18:35:24 +0000 Subject: [PATCH 01/42] flake: add 'impermanence' --- flake.lock | 17 +++++++++++++++++ flake.nix | 7 +++++++ 2 files changed, 24 insertions(+) diff --git a/flake.lock b/flake.lock index cd3f50c..55d50b0 100644 --- a/flake.lock +++ b/flake.lock @@ -150,6 +150,22 @@ "type": "github" } }, + "impermanence": { + "locked": { + "lastModified": 1697303681, + "narHash": "sha256-caJ0rXeagaih+xTgRduYtYKL1rZ9ylh06CIrt1w5B4g=", + "owner": "nix-community", + "repo": "impermanence", + "rev": "0f317c2e9e56550ce12323eb39302d251618f5b5", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "impermanence", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1732521221, @@ -214,6 +230,7 @@ "flake-parts": "flake-parts", "futils": "futils", "home-manager": "home-manager", + "impermanence": "impermanence", "nixpkgs": "nixpkgs", "nur": "nur", "pre-commit-hooks": "pre-commit-hooks", diff --git a/flake.nix b/flake.nix index a07ee15..5a5b0ef 100644 --- a/flake.nix +++ b/flake.nix @@ -43,6 +43,13 @@ }; }; + impermanence = { + type = "github"; + owner = "nix-community"; + repo = "impermanence"; + ref = "master"; + }; + nixpkgs = { type = "github"; owner = "NixOS"; From 0f2109c4b0f6b594cd167ab59b254280c9f3c0d1 Mon Sep 17 00:00:00 2001 
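Review bot: The new `impermanence` input follows `ref = "master"`, and its NixOS module (imported by the persist module later in this series) sets up the persistence bind mounts as root during boot, so every `nix flake update` pulls whatever is at the branch head into that trust boundary. The `flake.lock` entry pins `rev` and `narHash`, so builds stay reproducible; the update step is the review point. Consider pinning `ref`/`rev` to a commit you have read, or at least diffing the upstream module on each bump, and record that next to the input: `# Runs as root at boot (bind mounts); review upstream changes before bumping`.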
From: Bruno BELANYI Date: Fri, 22 Oct 2021 13:52:04 +0200 Subject: [PATCH 02/42] WIP: nixos: system: add persist This is the module that takes care of configuring impermanence at the system level. WIP: * address FIXMEs * activate home-manager persistence? * set `programs.fuse.userAllowOther = true;` ? * point `age` to persisted paths [1] ? * make sure all services and modules are persisted correctly... [1]: https://github.com/lovesegfault/nix-config/commit/b1d18d25b8cc1e50c521020442b907de377a147d --- modules/nixos/system/default.nix | 1 + modules/nixos/system/persist/default.nix | 66 ++++++++++++++++++++++++ 2 files changed, 67 insertions(+) create mode 100644 modules/nixos/system/persist/default.nix diff --git a/modules/nixos/system/default.nix b/modules/nixos/system/default.nix index e6fb25b..3531847 100644 --- a/modules/nixos/system/default.nix +++ b/modules/nixos/system/default.nix @@ -9,6 +9,7 @@ ./language ./nix ./packages + ./persist ./podman ./polkit ./printing diff --git a/modules/nixos/system/persist/default.nix b/modules/nixos/system/persist/default.nix new file mode 100644 index 0000000..e0a1eeb --- /dev/null +++ b/modules/nixos/system/persist/default.nix 
@@ -0,0 +1,66 @@ +# Ephemeral root configuration +{ config, inputs, lib, ... }: +let + cfg = config.my.system.persist; +in +{ + imports = [ + inputs.impermanence.nixosModules.impermanence + ]; + + options.my.system.persist = with lib; { + enable = mkEnableOption "stateless system configuration"; + + mountPoint = lib.mkOption { + type = types.str; + default = "/persistent"; + example = "/etc/nix/persist"; + description = '' + Which mount point should be used to persist this system's files and + directories. + ''; + }; + + files = lib.mkOption { + type = with types; listOf str; + default = [ ]; + example = [ + "/etc/nix/id_rsa" + ]; + description = '' + Additional files in the root to link to persistent storage. + ''; + }; + + directories = lib.mkOption { + type = with types; listOf str; + default = [ ]; + example = [ + "/var/lib/libvirt" + ]; + description = '' + Additional directories in the root to link to persistent storage. + ''; + }; + }; + + config = lib.mkIf cfg.enable { + environment.persistence."${cfg.mountPoint}" = { + files = [ + "/etc/machine-id" # Machine-specific ID + "/etc/adjtime" # Clock drift factor and offsets + ] + ++ cfg.files + ; + + directories = [ + "/etc/nixos" # In case it's storage directory of our configuration + "/var/log" # Logs + "/var/lib/nixos" # UID/GID maps + "/var/lib/systemd/coredump" # Coredumps + ] + ++ cfg.directories + ; + }; + }; +} From 828621041afd68a45357939fb7711b4ed321b407 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 7 Nov 2024 14:53:34 +0000 Subject: [PATCH 03/42] nixos: system: docker: persist data --- modules/nixos/system/docker/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/nixos/system/docker/default.nix b/modules/nixos/system/docker/default.nix index f051814..cab9fb5 100644 --- a/modules/nixos/system/docker/default.nix +++ b/modules/nixos/system/docker/default.nix @@ -23,5 +23,9 @@ in ]; }; }; + + my.system.persist.directories = [ + "/var/lib/docker" + ]; }; } 
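Review bot: `files` and `directories` are typed `listOf str`, which drops impermanence's per-entry attrset form (`user`, `group`, `mode`), so every persisted path that does not yet exist under `${cfg.mountPoint}` is created with impermanence's defaults (root-owned, its default directory mode) and the later entries holding secrets — host keys, NetworkManager keyfiles, ACME material, bluetooth link keys — cannot be tightened at creation time through this option. Consider `type = with types; listOf (either str attrs);` for both options so callers can pass `{ directory = "/var/lib/bluetooth"; mode = "0700"; }`. Separately, persisting `/var/lib/systemd/coredump` keeps memory dumps of sshd, nginx/ACME and the database across reboots, and those dumps can embed private keys and session secrets; either drop that entry or bound what is kept via `systemd.coredump.extraConfig`, and state the trade-off next to it: `# Coredumps may embed secrets; retained across reboots for debugging`. There is also no check that `mountPoint` is absolute or a separate filesystem marked `neededForBoot`; `types.path` or an `assertions` entry would catch a typo before the bind mounts end up on the ephemeral root.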
From d0a7ec4d81be67e07432dec6ac51e8e266163db4 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 7 Nov 2024 14:53:50 +0000 Subject: [PATCH 04/42] nixos: system: podman: persist data --- modules/nixos/system/podman/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/nixos/system/podman/default.nix b/modules/nixos/system/podman/default.nix index 52630c7..8400dfd 100644 --- a/modules/nixos/system/podman/default.nix +++ b/modules/nixos/system/podman/default.nix @@ -44,5 +44,9 @@ in ]; }; }; + + my.system.persist.directories = [ + "/var/lib/containers" + ]; }; } From 7e568c29ce025b95d82a43e3fa06ce7f5419dd6f Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 22 Oct 2021 14:06:26 +0200 Subject: [PATCH 05/42] nixos: hardware: bluetooth: persist connections --- modules/nixos/hardware/bluetooth/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/modules/nixos/hardware/bluetooth/default.nix b/modules/nixos/hardware/bluetooth/default.nix index e9b1991..efce5c4 100644 --- a/modules/nixos/hardware/bluetooth/default.nix +++ b/modules/nixos/hardware/bluetooth/default.nix @@ -18,6 +18,13 @@ in services.blueman.enable = true; } + # Persist bluetooth files + { + my.system.persist.directories = [ + "/var/lib/bluetooth" + ]; + } + # Support for additional bluetooth codecs (lib.mkIf cfg.loadExtraCodecs { hardware.pulseaudio = { From 4be4f5e3cdd0c3d4620e4fea2f637f05180c7844 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 22 Oct 2021 14:06:03 +0200 Subject: [PATCH 06/42] nixos: hardware: networking persist connections --- modules/nixos/hardware/networking/default.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/modules/nixos/hardware/networking/default.nix b/modules/nixos/hardware/networking/default.nix index f0806fe..dac5e9a 100644 --- a/modules/nixos/hardware/networking/default.nix +++ b/modules/nixos/hardware/networking/default.nix 
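Review bot: `/var/lib/containers` only covers rootful podman storage; if any account runs podman rootless, its images and volumes live under that user's `~/.local/share/containers` and are not persisted by this entry. That would need a user-level persistence entry, which the series does not add yet (home-manager persistence is still listed as a TODO), so a comment here would avoid surprises: `# Rootful storage only; rootless users keep state under ~/.local/share/containers`.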
@@ -22,6 +22,16 @@ in config = lib.mkMerge [ (lib.mkIf cfg.wireless.enable { networking.networkmanager.enable = true; + + # Persist NetworkManager files + my.system.persist.files = [ + "/var/lib/NetworkManager/secret_key" + "/var/lib/NetworkManager/seen-bssids" + "/var/lib/NetworkManager/timestamps" + ]; + my.system.persist.directories = [ + "/etc/NetworkManager/system-connections" + ]; }) ]; } From 5efdd891dbc54c7d6b83cd009495481efc4aafd7 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 22 Oct 2021 14:05:42 +0200 Subject: [PATCH 07/42] nixos: services: ssh-server: persist host keys --- modules/nixos/services/ssh-server/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/modules/nixos/services/ssh-server/default.nix b/modules/nixos/services/ssh-server/default.nix index 9ae0fa8..c4d1fd6 100644 --- a/modules/nixos/services/ssh-server/default.nix +++ b/modules/nixos/services/ssh-server/default.nix @@ -20,6 +20,13 @@ in }; }; + # Persist SSH keys + my.system.persist.files = + let + pubAndPrivKey = key: [ key.path "${key.path}.pub" ]; + in + lib.concatMap pubAndPrivKey config.services.openssh.hostKeys; + # Opens the relevant UDP ports. programs.mosh.enable = true; }; From 110aef16e4151c71c823c71b495faedd7fa10f48 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 28 Nov 2024 21:45:43 +0000 Subject: [PATCH 08/42] nixos: services: aria: persist data --- modules/nixos/services/aria/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/nixos/services/aria/default.nix b/modules/nixos/services/aria/default.nix index acbf0b7..227cbac 100644 --- a/modules/nixos/services/aria/default.nix +++ b/modules/nixos/services/aria/default.nix @@ -69,6 +69,11 @@ in }; }; + my.system.persist.directories = [ + cfg.downloadDir + config.users.users.aria2.home + ]; + # NOTE: unfortunately aria2 does not log connection failures for fail2ban }; } From e74aceee247b15b1743a759dce3c71d98d7ed65c Mon Sep 17 00:00:00 2001 
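Review bot: `seen-bssids`, `timestamps` and `secret_key` are persisted as individual bind-mounted files, but NetworkManager rewrites such state files by writing a temporary file and renaming it over the old one (as far as I can tell), which with a bind-mounted file either fails or leaves the new content outside the mount so the persisted copy never updates. Persisting the directory instead, `my.system.persist.directories = [ "/var/lib/NetworkManager" "/etc/NetworkManager/system-connections" ];`, avoids that and also keeps DHCP leases and `NetworkManager.state`. Note that `system-connections` holds Wi-Fi PSKs and 802.1X credentials as plaintext keyfiles, so the persistent volume should be encrypted; and since these entries are gated on `cfg.wireless.enable`, a NetworkManager enabled elsewhere without wireless would still lose its profiles on reboot.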
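Review bot: The host private keys become single bind-mounted files, so on a fresh install impermanence creates their placeholders on the persistent volume before sshd's `preStart` generates them; verify on first boot that the generated keys land in the persistent copy with mode 0600, rather than leaving an empty root-readable placeholder there and a fresh key on the ephemeral root (which would change the host fingerprint on every reboot). A one-line comment on the `let` would record that expectation: `# Bind-mounted per key file; generated by sshd preStart on first boot — confirm 0600 on the persistent copy`. The enclosing config attrset starts outside the hunk.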
From: Bruno BELANYI Date: Thu, 28 Nov 2024 21:45:58 +0000 Subject: [PATCH 09/42] nixos: services: audiobookshelf: persist data --- modules/nixos/services/audiobookshelf/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/nixos/services/audiobookshelf/default.nix b/modules/nixos/services/audiobookshelf/default.nix index 04ec8b9..5e79990 100644 --- a/modules/nixos/services/audiobookshelf/default.nix +++ b/modules/nixos/services/audiobookshelf/default.nix @@ -34,6 +34,10 @@ in }; }; + my.system.persist.directories = [ + "/var/lib/${config.services.audiobookshelf.dataDir}" + ]; + services.fail2ban.jails = { audiobookshelf = '' enabled = true From f2b5290df7d25e51352878bf000cacc6efa0faf0 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 22 Oct 2021 14:19:57 +0200 Subject: [PATCH 10/42] nixos: services: blog: persist website data --- modules/nixos/services/blog/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/modules/nixos/services/blog/default.nix b/modules/nixos/services/blog/default.nix index e4d2d42..aadc4f0 100644 --- a/modules/nixos/services/blog/default.nix +++ b/modules/nixos/services/blog/default.nix @@ -41,5 +41,12 @@ in # Those are all subdomains, no problem my.services.nginx.virtualHosts = hostsInfo; + + my.system.persist.directories = [ + "/var/www/blog" + "/var/www/cv" + "/var/www/dev" + "/var/www/key" + ]; }; } From 075a52f8db981e48c822bcba73774a82cb08e52b Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Nov 2021 14:43:05 +0100 Subject: [PATCH 11/42] nixos: services: calibre-web: persist library --- modules/nixos/services/calibre-web/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/nixos/services/calibre-web/default.nix b/modules/nixos/services/calibre-web/default.nix index b7bf9df..8a8af33 100644 --- a/modules/nixos/services/calibre-web/default.nix +++ b/modules/nixos/services/calibre-web/default.nix 
@@ -53,6 +53,11 @@ in ]; }; + my.system.persist.directories = [ + "/var/lib/${config.services.calibre-web.dataDir}" + cfg.libraryPath + ]; + services.fail2ban.jails = { calibre-web = '' enabled = true From 34592cfd5271517eba02d67dd1d8559568824195 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 28 Nov 2024 21:46:13 +0000 Subject: [PATCH 12/42] nixos: services: fail2ban: persist data --- modules/nixos/services/fail2ban/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/nixos/services/fail2ban/default.nix b/modules/nixos/services/fail2ban/default.nix index be5f7da..a40e03e 100644 --- a/modules/nixos/services/fail2ban/default.nix +++ b/modules/nixos/services/fail2ban/default.nix @@ -33,5 +33,9 @@ in bantime = "10m"; }; }; + + my.system.persist.directories = [ + "/var/lib/${config.systemd.services.fail2ban.serviceConfig.StateDirectory}" + ]; }; } From 0ac6fef30805d5de293662d2ed5d56c9ce440dbd Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 28 Nov 2024 21:46:25 +0000 Subject: [PATCH 13/42] nixos: services: flood: persist data --- modules/nixos/services/flood/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/nixos/services/flood/default.nix b/modules/nixos/services/flood/default.nix index f3fe90b..b4fecef 100644 --- a/modules/nixos/services/flood/default.nix +++ b/modules/nixos/services/flood/default.nix @@ -28,6 +28,10 @@ in }; }; + my.system.persist.directories = [ + "/var/lib/${config.systemd.services.flood.serviceConfig.StateDirectory}" + ]; + # NOTE: unfortunately flood does not log connection failures for fail2ban }; } From 8c5ada0d6dbc77461ff8bf4b6da6a443c0f7d113 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 2 Jul 2024 16:31:54 +0000 Subject: [PATCH 14/42] nixos: services: forgejo: persist repositories --- modules/nixos/services/forgejo/default.nix | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/modules/nixos/services/forgejo/default.nix b/modules/nixos/services/forgejo/default.nix index 511724b..b7cc0c5 100644 --- a/modules/nixos/services/forgejo/default.nix +++ b/modules/nixos/services/forgejo/default.nix @@ -147,6 +147,11 @@ in ]; }; + my.system.persist.directories = [ + config.services.forgejo.lfs.contentDir + config.services.forgejo.repositoryRoot + ]; + services.fail2ban.jails = { forgejo = '' enabled = true From 88f8f8a6cd355e647f0714db6b1996536840bbb0 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Nov 2021 14:43:28 +0100 Subject: [PATCH 15/42] nixos: services: gitea: persist repositories --- modules/nixos/services/gitea/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/nixos/services/gitea/default.nix b/modules/nixos/services/gitea/default.nix index 95bdf42..76de5dd 100644 --- a/modules/nixos/services/gitea/default.nix +++ b/modules/nixos/services/gitea/default.nix @@ -131,6 +131,11 @@ in ]; }; + my.system.persist.directories = [ + config.services.gitea.lfs.contentDir + config.services.gitea.repositoryRoot + ]; + services.fail2ban.jails = { gitea = '' enabled = true From 72ffc1c25af875e40840b90a75ac5ad52c1faec2 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 28 Nov 2024 21:46:39 +0000 Subject: [PATCH 16/42] nixos: services: grocy: persist data --- modules/nixos/services/grocy/default.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/modules/nixos/services/grocy/default.nix b/modules/nixos/services/grocy/default.nix index 9045b03..57295f1 100644 --- a/modules/nixos/services/grocy/default.nix +++ b/modules/nixos/services/grocy/default.nix @@ -37,6 +37,16 @@ in useACMEHost = config.networking.domain; }; + my.services.backup = { + paths = [ + config.services.grocy.dataDir + ]; + }; + + my.system.persist.directories = [ + config.services.grocy.dataDir + ]; + # NOTE: unfortunately grocy does not log connection failures for fail2ban }; } 
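Review bot: Only `lfs.contentDir` and `repositoryRoot` are persisted, but Forgejo's generated secrets live under its state directory — the nixpkgs module writes `secret_key`, `internal_token`, `jwt_secret` and `lfs_jwt_secret` into `customDir/conf/` (default `${stateDir}/custom/conf`) on first start, unless the corresponding `*File` options point elsewhere (not visible here) — and an sqlite database, if used, lives there too. Losing them on every reboot regenerates `SECRET_KEY`, which encrypts stored two-factor secrets, and invalidates every session, access token and LFS/OAuth JWT. Since both persisted paths default to subdirectories of `stateDir`, persisting `config.services.forgejo.stateDir` instead covers everything: `my.system.persist.directories = [ config.services.forgejo.stateDir ];` with `# stateDir holds the generated secrets (custom/conf) as well as repos and LFS`.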
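Review bot: The gitea entry persists `lfs.contentDir` and `repositoryRoot` but not `stateDir`, which is where the nixpkgs module generates `secret_key`, `internal_token`, `jwt_secret` and `lfs_jwt_secret` under `custom/conf/` (unless the `*File` options are overridden elsewhere) and where an sqlite database would live. Regenerating `SECRET_KEY` on each reboot makes stored 2FA secrets undecryptable and invalidates sessions, tokens and JWTs. Both persisted paths default to subdirectories of `stateDir`, so `my.system.persist.directories = [ config.services.gitea.stateDir ];` covers them all; add `# stateDir also holds the generated secrets under custom/conf`.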
From dc0d7536252845971aba672fab88f7f532860862 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 14:30:25 +0100 Subject: [PATCH 17/42] nixos: services: indexers: persist data --- modules/nixos/services/indexers/default.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/modules/nixos/services/indexers/default.nix b/modules/nixos/services/indexers/default.nix index 8a42345..332ae30 100644 --- a/modules/nixos/services/indexers/default.nix +++ b/modules/nixos/services/indexers/default.nix @@ -33,6 +33,10 @@ in port = jackettPort; }; }; + + my.system.persist.directories = [ + config.services.jackett.dataDir + ]; }) (lib.mkIf cfg.nzbhydra.enable { @@ -45,6 +49,10 @@ in port = nzbhydraPort; }; }; + + my.system.persist.directories = [ + config.services.nzbhydra2.dataDir + ]; }) (lib.mkIf cfg.prowlarr.enable { @@ -58,6 +66,10 @@ in }; }; + my.system.persist.directories = [ + "/var/lib/${config.systemd.services.prowlarr.serviceConfig.StateDirectory}" + ]; + services.fail2ban.jails = { prowlarr = '' enabled = true From 79274dac408de61d168282d81347733dc78ee2de Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:11:05 +0100 Subject: [PATCH 18/42] nixos: services: jellyfin: persist data --- modules/nixos/services/jellyfin/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/nixos/services/jellyfin/default.nix b/modules/nixos/services/jellyfin/default.nix index 6edeb67..d5de6d5 100644 --- a/modules/nixos/services/jellyfin/default.nix +++ b/modules/nixos/services/jellyfin/default.nix @@ -38,6 +38,10 @@ in }; }; + my.system.persist.directories = [ + "/var/lib/${config.systemd.services.jellyfin.serviceConfig.StateDirectory}" + ]; + services.fail2ban.jails = { jellyfin = '' enabled = true From c07d3f4c0bd4bf685be96138000ecc237f0f1ab6 Mon Sep 17 00:00:00 2001 
From: Bruno BELANYI Date: Thu, 28 Nov 2024 21:46:55 +0000 Subject: [PATCH 19/42] nixos: services: komga: persist data --- modules/nixos/services/komga/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/nixos/services/komga/default.nix b/modules/nixos/services/komga/default.nix index e1dc780..15e4fbb 100644 --- a/modules/nixos/services/komga/default.nix +++ b/modules/nixos/services/komga/default.nix @@ -36,6 +36,10 @@ in }; }; + my.system.persist.directories = [ + config.services.komga.stateDir + ]; + services.fail2ban.jails = { komga = '' enabled = true From 19c4586073110c9dc539dc33248f7b43a11aab46 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:11:12 +0100 Subject: [PATCH 20/42] nixos: services: lohr: persist data --- modules/nixos/services/lohr/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/nixos/services/lohr/default.nix b/modules/nixos/services/lohr/default.nix index 21ed93b..64925a2 100644 --- a/modules/nixos/services/lohr/default.nix +++ b/modules/nixos/services/lohr/default.nix @@ -107,5 +107,9 @@ in }; }; }; + + my.system.persist.directories = [ + "/var/lib/${config.systemd.services.lohr.serviceConfig.StateDirectory}" + ]; }; } From dbc919e3d80181ae0b13a96fbced9fb158b32af4 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Nov 2021 17:12:32 +0100 Subject: [PATCH 21/42] nixos: services: matrix: persist data --- modules/nixos/services/matrix/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/nixos/services/matrix/default.nix b/modules/nixos/services/matrix/default.nix index f423834..cb41a0f 100644 --- a/modules/nixos/services/matrix/default.nix +++ b/modules/nixos/services/matrix/default.nix @@ -214,5 +214,9 @@ in config.services.matrix-synapse.dataDir ]; }; + + my.system.persist.directories = [ + config.services.matrix-synapse.dataDir + ]; }; } From fce6fd6e79af89daa788cd059ed3df0cb5271015 Mon Sep 17 00:00:00 2001 
From: Bruno BELANYI Date: Thu, 28 Nov 2024 21:47:06 +0000 Subject: [PATCH 22/42] nixos: services: mealie: persist data --- modules/nixos/services/mealie/default.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/modules/nixos/services/mealie/default.nix b/modules/nixos/services/mealie/default.nix index 664d5ba..920081a 100644 --- a/modules/nixos/services/mealie/default.nix +++ b/modules/nixos/services/mealie/default.nix @@ -72,6 +72,16 @@ in }; }; + my.services.backup = { + paths = [ + config.systemd.services.mealie.environment.DATA_DIR + ]; + }; + + my.system.persist.directories = [ + config.systemd.services.mealie.environment.DATA_DIR + ]; + services.fail2ban.jails = { mealie = '' enabled = true From f09db979608e6c96a0e35f430ce5e3e23864ccb5 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:40:29 +0100 Subject: [PATCH 23/42] nixos: services: monitoring: persist data --- modules/nixos/services/monitoring/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/nixos/services/monitoring/default.nix b/modules/nixos/services/monitoring/default.nix index 49919c1..4415cb5 100644 --- a/modules/nixos/services/monitoring/default.nix +++ b/modules/nixos/services/monitoring/default.nix @@ -130,5 +130,10 @@ in inherit (cfg.grafana) port; }; }; + + my.system.persist.directories = [ + config.services.grafana.dataDir + "/var/lib/${config.services.prometheus.stateDir}" + ]; }; } From 2854952f0bbb5b09e087890aaddddd23fd6eb4f2 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:11:23 +0100 Subject: [PATCH 24/42] nixos: services: navidrome: persist data --- modules/nixos/services/navidrome/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/nixos/services/navidrome/default.nix b/modules/nixos/services/navidrome/default.nix index c513b91..106e01d 100644 --- a/modules/nixos/services/navidrome/default.nix +++ b/modules/nixos/services/navidrome/default.nix 
@@ -53,6 +53,10 @@ in }; }; + my.system.persist.directories = [ + "/var/lib/${config.systemd.services.navidrome.serviceConfig.StateDirectory}" + ]; + services.fail2ban.jails = { navidrome = '' enabled = true From 18b078ae097021f697c19b527e5189b46b8d84cb Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:37:51 +0100 Subject: [PATCH 25/42] nixos: services: nginx: persist SSL certificates --- modules/nixos/services/nginx/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/nixos/services/nginx/default.nix b/modules/nixos/services/nginx/default.nix index 3bba9f4..32c1b7d 100644 --- a/modules/nixos/services/nginx/default.nix +++ b/modules/nixos/services/nginx/default.nix @@ -486,5 +486,9 @@ in } ]; }; + + my.system.persist.directories = [ + config.users.user.acme.home + ]; }; } From 420ea0dbbf209e66bd12626e27240d9c86239a52 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:11:35 +0100 Subject: [PATCH 26/42] nixos: services: nextcloud: persist data --- modules/nixos/services/nextcloud/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/nixos/services/nextcloud/default.nix b/modules/nixos/services/nextcloud/default.nix index fe94177..e561ce2 100644 --- a/modules/nixos/services/nextcloud/default.nix +++ b/modules/nixos/services/nextcloud/default.nix @@ -92,6 +92,11 @@ in ]; }; + my.system.persist.directories = [ + config.services.nextcloud.home + config.services.nextcloud.datadir + ]; + services.fail2ban.jails = { nextcloud = '' enabled = true From 0842666f67e774724d6011e0251b0f0874f03553 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Nov 2021 17:12:42 +0100 Subject: [PATCH 27/42] nixos: services: paperless: persist data --- modules/nixos/services/paperless/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/nixos/services/paperless/default.nix b/modules/nixos/services/paperless/default.nix index c8967e1..22ca8ad 100644 
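Review bot: `config.users.user.acme.home` references `users.user`, which is not a NixOS option — the attribute set is `config.users.users` — so this line fails evaluation as soon as the nginx module is enabled with persistence. Change it to `config.users.users.acme.home`. That directory holds the ACME account key and every certificate's private key, so it is worth a comment (`# ACME account key + cert private keys`) and the persistent volume it lands on should be encrypted.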
--- a/modules/nixos/services/paperless/default.nix +++ b/modules/nixos/services/paperless/default.nix @@ -146,5 +146,10 @@ in config.services.paperless.mediaDir ]; }; + + my.system.persist.directories = [ + config.services.paperless-ng.dataDir + config.services.paperless-ng.mediaDir + ]; }; } From 3068850c5c8627c1d0c928acc49b1847ab4c092d Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 28 Nov 2024 21:47:24 +0000 Subject: [PATCH 28/42] nixos: services: pdf-edit: persist data --- modules/nixos/services/pdf-edit/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/nixos/services/pdf-edit/default.nix b/modules/nixos/services/pdf-edit/default.nix index d59507b..0928a14 100644 --- a/modules/nixos/services/pdf-edit/default.nix +++ b/modules/nixos/services/pdf-edit/default.nix @@ -54,6 +54,10 @@ in }; }; + my.system.persist.directories = [ + "/var/lib/${config.systemd.services.stirling-pdf.serviceConfig.StateDirectory}" + ]; + services.fail2ban.jails = { stirling-pdf = '' enabled = true From df917ad9f032ab6cb681ececbd644d845071f462 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:58:07 +0100 Subject: [PATCH 29/42] nixos: services: pirate: persist data --- modules/nixos/services/servarr/default.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/modules/nixos/services/servarr/default.nix b/modules/nixos/services/servarr/default.nix index e25d9cf..3330b0f 100644 --- a/modules/nixos/services/servarr/default.nix +++ b/modules/nixos/services/servarr/default.nix @@ -19,6 +19,16 @@ let enable = true; group = "media"; }; + + my.system.persist.directories = + let + # Bazarr breaks the mold unfortunately + dataDir = + if service != "bazarr" + then config.services.${service}.dataDir + else config.users.user.${service}.home; + in + [ dataDir ]; }; mkRedirection = service: { From e68aa49f2990cfda10bbbadea68655b29ef72dd2 Mon Sep 17 00:00:00 2001 
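Review bot: The new lines use `config.services.paperless-ng.dataDir` / `.mediaDir` while the context line just above reads `config.services.paperless.mediaDir`; `services.paperless-ng` was renamed to `services.paperless` in nixpkgs, so unless an alias still exists these references fail evaluation. Use the option path the file already uses: `config.services.paperless.dataDir` and `config.services.paperless.mediaDir`. `dataDir` is the right thing to persist, since the module also keeps its generated secret key and (without postgres) the sqlite database there, as far as I recall.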
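Review bot: `config.users.user.${service}.home` in the bazarr branch references `users.user`, which does not exist as a NixOS option — it is `config.users.users` — so evaluating the bazarr service with persistence enabled fails. The fix is a one-word change: `else config.users.users.${service}.home;`. The enclosing per-service function starts and ends outside the hunk.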
From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:20:11 +0100 Subject: [PATCH 30/42] nixos: services: podgrab: persist data --- modules/nixos/services/podgrab/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/nixos/services/podgrab/default.nix b/modules/nixos/services/podgrab/default.nix index 3ced8d3..ec6ecb2 100644 --- a/modules/nixos/services/podgrab/default.nix +++ b/modules/nixos/services/podgrab/default.nix @@ -51,5 +51,10 @@ in inherit (cfg) port; }; }; + + my.system.persist.directories = [ + config.systemd.services.podgrab.environment.CONFIG + config.systemd.services.podgrab.environment.DATA + ]; }; } From df809a24f8747abb035a9bbf53906f73286709f2 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Nov 2021 17:13:13 +0100 Subject: [PATCH 31/42] nixos: services: postgresql: persist data --- modules/nixos/services/postgresql/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/modules/nixos/services/postgresql/default.nix b/modules/nixos/services/postgresql/default.nix index bbe46d4..cea4c88 100644 --- a/modules/nixos/services/postgresql/default.nix +++ b/modules/nixos/services/postgresql/default.nix @@ -18,6 +18,13 @@ in }; }) + # Only persist directory if the actual service is enabled + (lib.mkIf config.services.postgresql.enable { + my.system.persist.directories = [ + config.services.postgresql.dataDir + ]; + }) + # Taken from the manual (lib.mkIf cfg.upgradeScript { environment.systemPackages = From f0d0c06276a5dc77b0ac0e056c7dc21897a3792f Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Nov 2021 17:12:58 +0100 Subject: [PATCH 32/42] nixos: services: postgresql-backup: persist data --- modules/nixos/services/postgresql-backup/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/nixos/services/postgresql-backup/default.nix b/modules/nixos/services/postgresql-backup/default.nix index dff5494..3d6c03b 100644 --- a/modules/nixos/services/postgresql-backup/default.nix 
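Review bot: Persisting `config.services.postgresql.dataDir` ties persistence to the version-specific path (`/var/lib/postgresql/<major>` by default), so after a major bump the previous cluster directory is no longer bind-mounted and the `upgradeScript` branch further down in this file — which follows the manual's procedure of reading the old version's directory — will not find it on the running system. Persisting the parent keeps both clusters reachable across the upgrade: `my.system.persist.directories = [ (builtins.dirOf config.services.postgresql.dataDir) ];` with `# Parent dir so the previous major's cluster survives for upgradeScript`. This assumes `dataDir` keeps the nixpkgs default layout; if it is overridden elsewhere, adjust accordingly.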
+++ b/modules/nixos/services/postgresql-backup/default.nix @@ -24,5 +24,9 @@ in (config.services.postgresqlBackup.location + "/*.prev.sql.gz") ]; }; + + my.system.persist.directories = [ + config.services.postgresqlBackup.location + ]; }; } From 6450545bd96540fcce7e7b47e8a55d23dcaf1f80 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 28 Nov 2024 21:47:37 +0000 Subject: [PATCH 33/42] nixos: services: pyload: persist data --- modules/nixos/services/pyload/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/nixos/services/pyload/default.nix b/modules/nixos/services/pyload/default.nix index 7257d0f..a8ec3b2 100644 --- a/modules/nixos/services/pyload/default.nix +++ b/modules/nixos/services/pyload/default.nix @@ -53,6 +53,11 @@ in }; }; + my.system.persist.directories = [ + cfg.downloadDirectory + "/var/lib/${config.systemd.services.pyload.StateDirectory}" + ]; + services.fail2ban.jails = { pyload = '' enabled = true From 7bdf6ce35e349bc4bfad4b8be4bd518983f8285b Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 21:51:04 +0100 Subject: [PATCH 34/42] nixos: services: quassel: persist data --- modules/nixos/services/quassel/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/nixos/services/quassel/default.nix b/modules/nixos/services/quassel/default.nix index 695f9e0..0065195 100644 --- a/modules/nixos/services/quassel/default.nix +++ b/modules/nixos/services/quassel/default.nix @@ -46,5 +46,9 @@ in # Because Quassel does not use the socket, I simply trust its connection authentication = "host quassel quassel localhost trust"; }; + + my.system.persist.directories = [ + config.services.quassel.dataDir + ]; }; } From f4c15a1e3b6b28a01915704d3412ef5e9e11141a Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:21:42 +0100 Subject: [PATCH 35/42] nixos: services: rss-bridge: persist data --- modules/nixos/services/rss-bridge/default.nix | 4 ++++ 1 file changed, 4 insertions(+) 
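Review bot: `config.systemd.services.pyload.StateDirectory` reads `StateDirectory` directly off the unit, but NixOS exposes it under `serviceConfig`, so this interpolation fails evaluation (every other module in the series uses `...serviceConfig.StateDirectory`). Change the line to `"/var/lib/${config.systemd.services.pyload.serviceConfig.StateDirectory}"`. `cfg.downloadDirectory` is fine as is.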
diff --git a/modules/nixos/services/rss-bridge/default.nix b/modules/nixos/services/rss-bridge/default.nix index 52b1030..977b431 100644 --- a/modules/nixos/services/rss-bridge/default.nix +++ b/modules/nixos/services/rss-bridge/default.nix @@ -22,5 +22,9 @@ in forceSSL = true; useACMEHost = config.networking.domain; }; + + my.system.persist.directories = [ + config.services.rss-bridge.dataDir + ]; }; } From 9b9f55081e9c54de682eba2aeeae8c5aff7ffdee Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:25:44 +0100 Subject: [PATCH 36/42] nixos: services: sabnzbd: persist data --- modules/nixos/services/sabnzbd/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/nixos/services/sabnzbd/default.nix b/modules/nixos/services/sabnzbd/default.nix index 9e0d9c3..86202ab 100644 --- a/modules/nixos/services/sabnzbd/default.nix +++ b/modules/nixos/services/sabnzbd/default.nix @@ -24,6 +24,10 @@ in }; }; + my.system.persist.files = [ + config.services.sabnzbd.configFile + ]; + services.fail2ban.jails = { sabnzbd = '' enabled = true From 0ccc4b576b612bc85a13161990ea6fb4f5c5286e Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 28 Nov 2024 21:47:51 +0000 Subject: [PATCH 37/42] nixos: services: tandoor-recipes: persist data --- modules/nixos/services/tandoor-recipes/default.nix | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/modules/nixos/services/tandoor-recipes/default.nix b/modules/nixos/services/tandoor-recipes/default.nix index 3447bee..ea45e74 100644 --- a/modules/nixos/services/tandoor-recipes/default.nix +++ b/modules/nixos/services/tandoor-recipes/default.nix 
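Review bot: Only `configFile` is persisted, as a single bind-mounted file; SABnzbd rewrites `sabnzbd.ini` itself (it holds the API key and NNTP server credentials) and keeps its queue and history database under `admin/` next to it, so history is lost on every reboot and, if the rewrite is done via temp-file-plus-rename, the persisted ini can stop receiving updates. Persist the state directory instead — the parent of `configFile` — e.g. `my.system.persist.directories = [ (builtins.dirOf config.services.sabnzbd.configFile) ];`, with `# ini holds API key + server creds; admin/ holds queue and history`.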
@@ -83,6 +83,19 @@ in }; }; + my.services.backup = { + paths = [ + "/var/lib/${config.systemd.services.tandoor-recipes.StateDirectory}" + config.systemd.services.tandoor-recipes.environment.MEDIA_ROOT + ]; + }; + + my.system.persist.directories = [ + "/var/lib/${config.systemd.services.tandoor-recipes.StateDirectory}" + config.systemd.services.tandoor-recipes.environment.MEDIA_ROOT + ]; + + # NOTE: unfortunately tandoor-recipes does not log connection failures for fail2ban }; } From 9b0c8c1910e176c1b2a5286145b36669f659905f Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:25:50 +0100 Subject: [PATCH 38/42] nixos: services: transmission: persist data --- modules/nixos/services/transmission/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/nixos/services/transmission/default.nix b/modules/nixos/services/transmission/default.nix index ac8b24d..674fa81 100644 --- a/modules/nixos/services/transmission/default.nix +++ b/modules/nixos/services/transmission/default.nix @@ -91,6 +91,10 @@ in allowedUDPPorts = [ cfg.peerPort ]; }; + my.system.persist.directories = [ + config.services.transmission.home + ]; + # NOTE: unfortunately transmission does not log connection failures for fail2ban }; } From 4eb7d0cd3814e90179ba8670d19aea05017d5851 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Nov 2021 14:43:16 +0100 Subject: [PATCH 39/42] nixos: services: vikunja: persist data --- modules/nixos/services/vikunja/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/nixos/services/vikunja/default.nix b/modules/nixos/services/vikunja/default.nix index 2753da3..d902449 100644 --- a/modules/nixos/services/vikunja/default.nix +++ b/modules/nixos/services/vikunja/default.nix @@ -100,6 +100,10 @@ in ]; }; + my.system.persist.directories = [ + config.services.vikunja.settings.files.basepath + ]; + # NOTE: unfortunately vikunja does not log connection failures for fail2ban }; } 
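Review bot: The backup `paths` list and the `persist.directories` list added in this hunk are the same two expressions written out twice, so a later change to one (a new media directory, say) will silently leave the other behind. Binding the list once, e.g. `let tandoorState = [ "/var/lib/${config.systemd.services.tandoor-recipes.StateDirectory}" config.systemd.services.tandoor-recipes.environment.MEDIA_ROOT ]; in` at the top of the enclosing config block and then `paths = tandoorState;` and `my.system.persist.directories = tandoorState;`, keeps "what is backed up" and "what survives a reboot" in step by construction. The enclosing config block starts outside the hunk.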
From 11bd7b30c153a7ad366d27d7efff5f422d9009c4 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Nov 2021 14:43:16 +0100 Subject: [PATCH 40/42] WIP: add notes for missing persistence/backup TODO: * Do home-manager * Look at for more inspiration github.com:nix-community/impermanence/pull/108 * Common files github.com:nix-community/impermanence/issues/10 * Useful config: github.com:chayleaf/dotfiles/blob/f77271b249e0c08368573c22a5c34f0737d3a766/system/modules/impermanence.nix --- modules/nixos/services/drone/runner-docker/default.nix | 2 ++ modules/nixos/services/drone/runner-exec/default.nix | 2 ++ modules/nixos/services/drone/server/default.nix | 2 ++ modules/nixos/services/nextcloud/collabora.nix | 2 ++ modules/nixos/services/woodpecker/agent-docker/default.nix | 2 ++ modules/nixos/services/woodpecker/agent-exec/default.nix | 2 ++ modules/nixos/services/woodpecker/server/default.nix | 2 ++ modules/nixos/system/printing/default.nix | 2 ++ 8 files changed, 16 insertions(+) diff --git a/modules/nixos/services/drone/runner-docker/default.nix b/modules/nixos/services/drone/runner-docker/default.nix index e53c608..1db263b 100644 --- a/modules/nixos/services/drone/runner-docker/default.nix +++ b/modules/nixos/services/drone/runner-docker/default.nix @@ -39,5 +39,7 @@ in extraGroups = [ "docker" ]; # Give access to the daemon }; users.groups.drone-runner-docker = { }; + + # FIXME: persistence? }; } diff --git a/modules/nixos/services/drone/runner-exec/default.nix b/modules/nixos/services/drone/runner-exec/default.nix index a9bb563..c30a1a2 100644 --- a/modules/nixos/services/drone/runner-exec/default.nix +++ b/modules/nixos/services/drone/runner-exec/default.nix @@ -63,5 +63,7 @@ in group = "drone-runner-exec"; }; users.groups.drone-runner-exec = { }; + + # FIXME: persistence? }; } diff --git a/modules/nixos/services/drone/server/default.nix b/modules/nixos/services/drone/server/default.nix index a3a1e49..b5d5df7 100644 
--- a/modules/nixos/services/drone/server/default.nix +++ b/modules/nixos/services/drone/server/default.nix @@ -50,5 +50,7 @@ in inherit (cfg) port; }; }; + + # FIXME: persistence? }; } diff --git a/modules/nixos/services/nextcloud/collabora.nix b/modules/nixos/services/nextcloud/collabora.nix index f8f42a7..dce1a99 100644 --- a/modules/nixos/services/nextcloud/collabora.nix +++ b/modules/nixos/services/nextcloud/collabora.nix @@ -46,5 +46,7 @@ in ]; }; }; + + # FIXME: persistence? }; } diff --git a/modules/nixos/services/woodpecker/agent-docker/default.nix b/modules/nixos/services/woodpecker/agent-docker/default.nix index 79d3299..2e74b67 100644 --- a/modules/nixos/services/woodpecker/agent-docker/default.nix +++ b/modules/nixos/services/woodpecker/agent-docker/default.nix @@ -38,5 +38,7 @@ in ]; }; }; + + # FIXME: persistence? }; } diff --git a/modules/nixos/services/woodpecker/agent-exec/default.nix b/modules/nixos/services/woodpecker/agent-exec/default.nix index 24161b0..4210242 100644 --- a/modules/nixos/services/woodpecker/agent-exec/default.nix +++ b/modules/nixos/services/woodpecker/agent-exec/default.nix @@ -62,5 +62,7 @@ in ]; }; }; + + # FIXME: persistence? }; } diff --git a/modules/nixos/services/woodpecker/server/default.nix b/modules/nixos/services/woodpecker/server/default.nix index adf533e..5d25284 100644 --- a/modules/nixos/services/woodpecker/server/default.nix +++ b/modules/nixos/services/woodpecker/server/default.nix @@ -61,5 +61,7 @@ in port = cfg.rpcPort; }; }; + + # FIXME: persistence }; } diff --git a/modules/nixos/system/printing/default.nix b/modules/nixos/system/printing/default.nix index 0dfab0f..3e21b25 100644 --- a/modules/nixos/system/printing/default.nix +++ b/modules/nixos/system/printing/default.nix @@ -65,5 +65,7 @@ in # Allow resolution of '.local' addresses nssmdns4 = true; }; + + # FIXME: persistence? }; } From 5d56a8ddf023a3287e19429bbb69f10482deeec2 Mon Sep 17 00:00:00 2001 
From: Bruno BELANYI Date: Thu, 28 Nov 2024 22:00:58 +0000 Subject: [PATCH 41/42] WIP: even more directories? Maybe? --- modules/nixos/system/persist/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/nixos/system/persist/default.nix b/modules/nixos/system/persist/default.nix index e0a1eeb..3033595 100644 --- a/modules/nixos/system/persist/default.nix +++ b/modules/nixos/system/persist/default.nix @@ -58,6 +58,10 @@ in "/var/log" # Logs "/var/lib/nixos" # UID/GID maps "/var/lib/systemd/coredump" # Coredumps + + "/var/lib/systemd" # FIXME: needed? + "/var/spool" # FIXME: needed? + "/var/tmp" # FIXME: needed? ] ++ cfg.directories ; From 376a622549a92a8a0bc01b7d0233ec698a96bbd8 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 28 Nov 2024 22:01:38 +0000 Subject: [PATCH 42/42] WIP: add note about 'iwd' --- modules/nixos/hardware/networking/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/nixos/hardware/networking/default.nix b/modules/nixos/hardware/networking/default.nix index dac5e9a..9e85966 100644 --- a/modules/nixos/hardware/networking/default.nix +++ b/modules/nixos/hardware/networking/default.nix @@ -23,6 +23,8 @@ in (lib.mkIf cfg.wireless.enable { networking.networkmanager.enable = true; + # IWD needs persistence if enabled + # Persist NetworkManager files my.system.persist.files = [ "/var/lib/NetworkManager/secret_key"
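Review bot: `/var/lib/systemd` added here is the parent of `/var/lib/systemd/coredump`, which is already listed three lines above, so if the new entry stays one of the two is redundant and, depending on how the persist module orders its bind mounts, the nested one may be mounted over an already-persisted path. For `/var/tmp` the directory has to keep its 1777 (sticky, world-writable) mode: if the persist module creates a missing directory with a default mode, local users could remove or rename each other's files there, so if it is kept it should be declared with an explicit mode, e.g. `{ directory = "/var/tmp"; mode = "1777"; }` (assuming the module accepts that form). The three `# FIXME: needed?` markers would be easier to resolve later if each named what breaks without the entry, e.g. `# FIXME: needed? holds random-seed and timer stamps` for `/var/lib/systemd`.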