From 7b56c342ad5e7ca8889b718fbaf9210f8abe116f Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Mon, 18 Sep 2023 13:43:33 +0000 Subject: [PATCH 01/49] modules: services: paperless: beef-up workers This should parallelize the number of documents ingested at once (workers), as well as the speed of the ingestion per document (threads). --- modules/services/paperless/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/paperless/default.nix b/modules/services/paperless/default.nix index c9d6220..1ca1f66 100644 --- a/modules/services/paperless/default.nix +++ b/modules/services/paperless/default.nix @@ -73,6 +73,10 @@ in # OCR settings PAPERLESS_OCR_LANGUAGE = "fra+eng"; + # Workers + PAPERLESS_TASK_WORKERS = 3; + PAPERLESS_THREADS_PER_WORKER = 4; + # Misc PAPERLESS_TIME_ZONE = config.time.timeZone; PAPERLESS_ADMIN_USER = cfg.username; From 61fe480e6b337500335f6926e0bfc74186357437 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 26 Sep 2023 16:38:27 +0000 Subject: [PATCH 02/49] home: calibre: remove obsolete NOTE --- home/calibre/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/calibre/default.nix b/home/calibre/default.nix index e0f2069..6edf654 100644 --- a/home/calibre/default.nix +++ b/home/calibre/default.nix @@ -9,7 +9,7 @@ in config = lib.mkIf cfg.enable { home.packages = with pkgs; [ - calibre # NOTE: relies on my overlay to add necessary plug-in dependencies + calibre ]; }; } From e81de7faadfdeda12f80d2e6b0ec688e0f203fcd Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 26 Sep 2023 16:51:46 +0000 Subject: [PATCH 03/49] pkgs: rbw-pass: fix program name in usage string --- pkgs/rbw-pass/rbw-pass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/rbw-pass/rbw-pass b/pkgs/rbw-pass/rbw-pass index 90e916c..23363dc 100755 --- a/pkgs/rbw-pass/rbw-pass +++ b/pkgs/rbw-pass/rbw-pass 
@@ -1,7 +1,7 @@ #!/usr/bin/env bash usage() { - printf '%s\n' "Usage: bw-pass [directory name] " >&2 + printf '%s\n' "Usage: rbw-pass [directory name] " >&2 } error_out() { From 03a1f704aaabefc12d08b6abe7726c89c07fabb4 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 27 Sep 2023 19:22:04 +0200 Subject: [PATCH 04/49] flake: bump inputs --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index 3d28d8d..6e070fc 100644 --- a/flake.lock +++ b/flake.lock @@ -11,11 +11,11 @@ ] }, "locked": { - "lastModified": 1690228878, - "narHash": "sha256-9Xe7JV0krp4RJC9W9W9WutZVlw6BlHTFMiUP/k48LQY=", + "lastModified": 1695384796, + "narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=", "owner": "ryantm", "repo": "agenix", - "rev": "d8c973fd228949736dedf61b7f8cc1ece3236792", + "rev": "1f677b3e161d3bdbfd08a939e8f25de2568e0ef4", "type": "github" }, "original": { @@ -131,11 +131,11 @@ ] }, "locked": { - "lastModified": 1694585439, - "narHash": "sha256-70BlfEsdURx5f8sioj8JuM+R4/SZFyE8UYrULMknxlI=", + "lastModified": 1695738267, + "narHash": "sha256-LTNAbTQ96xSj17xBfsFrFS9i56U2BMLpD0BduhrsVkU=", "owner": "nix-community", "repo": "home-manager", - "rev": "a0ddf43b6268f1717afcda54133dea30435eb178", + "rev": "0f4e5b4999fd6a42ece5da8a3a2439a50e48e486", "type": "github" }, "original": { @@ -147,11 +147,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1694422566, - "narHash": "sha256-lHJ+A9esOz9vln/3CJG23FV6Wd2OoOFbDeEs4cMGMqc=", + "lastModified": 1695644571, + "narHash": "sha256-asS9dCCdlt1lPq0DLwkVBbVoEKuEuz+Zi3DG7pR/RxA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3a2786eea085f040a66ecde1bc3ddc7099f6dbeb", + "rev": "6500b4580c2a1f3d0f980d32d285739d8e156d92", "type": "github" }, "original": { 
@@ -163,11 +163,11 @@ }, "nur": { "locked": { - "lastModified": 1694601892, - "narHash": "sha256-rGK2Y9vQJQ+v729LfpvTuxDfTE7ns2g34XAPSr9+Z0E=", + "lastModified": 1695824843, + "narHash": "sha256-c1Z+y9oUXOkcU8gVBCyaujUqYLpYoI2b6L9Cq4ywOcA=", "owner": "nix-community", "repo": "NUR", - "rev": "71a739d93f1e95967e9d641623cbb97d0c8b801a", + "rev": "8349f3e37cf21a9da032a2fdb8e7ac45366d01f3", "type": "github" }, "original": { @@ -192,11 +192,11 @@ ] }, "locked": { - "lastModified": 1694364351, - "narHash": "sha256-oadhSCqopYXxURwIA6/Anpe5IAG11q2LhvTJNP5zE6o=", + "lastModified": 1695576016, + "narHash": "sha256-71KxwRhTfVuh7kNrg3/edNjYVg9DCyKZl2QIKbhRggg=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "4f883a76282bc28eb952570afc3d8a1bf6f481d7", + "rev": "cb770e93516a1609652fa8e945a0f310e98f10c0", "type": "github" }, "original": { From 24d41e829efb8cd7b58bd96cc8ce875b96df47e1 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 28 Sep 2023 15:57:04 +0000 Subject: [PATCH 05/49] modules: system: users: fix deprecated option name --- modules/system/users/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/system/users/default.nix b/modules/system/users/default.nix index 27557bd..655b31e 100644 --- a/modules/system/users/default.nix +++ b/modules/system/users/default.nix @@ -17,11 +17,11 @@ in users = { root = { - passwordFile = secrets."users/root/hashed-password".path; + hashedPasswordFile = secrets."users/root/hashed-password".path; }; ${config.my.user.name} = { - passwordFile = secrets."users/ambroisie/hashed-password".path; + hashedPasswordFile = secrets."users/ambroisie/hashed-password".path; description = "Bruno BELANYI"; isNormalUser = true; shell = pkgs.zsh; From 6ef0abd5962c904fe0acc9590debb883caff1769 Mon Sep 17 00:00:00 2001 
From: Bruno BELANYI Date: Tue, 10 Oct 2023 15:36:14 +0000 Subject: [PATCH 06/49] home: xdg: set 'REPO_CONFIG_DIR' Unfortunately, it will create a `.repoconfig` inside that directory. But that's still better than littering my $HOME. --- home/xdg/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/home/xdg/default.nix b/home/xdg/default.nix index 3fd8dc9..af9ec18 100644 --- a/home/xdg/default.nix +++ b/home/xdg/default.nix @@ -47,6 +47,7 @@ in LESSHISTFILE = "${dataHome}/less/history"; LESSKEY = "${configHome}/less/lesskey"; PSQL_HISTORY = "${dataHome}/psql_history"; + REPO_CONFIG_DIR = "${configHome}/repo"; REDISCLI_HISTFILE = "${dataHome}/redis/rediscli_history"; XCOMPOSECACHE = "${dataHome}/X11/xcompose"; }; From f9541cbc33d196fc3e811167d67a38d0d47cb422 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 12 Oct 2023 12:56:41 +0000 Subject: [PATCH 07/49] hosts: homes: mousqueton: disable 'git' package I had some troubles with `git` once again... This reverts commit 13769429f6db871d8d8d64391584e280860a3fc7. --- hosts/homes/ambroisie@mousqueton/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/hosts/homes/ambroisie@mousqueton/default.nix b/hosts/homes/ambroisie@mousqueton/default.nix index f54453b..9096610 100644 --- a/hosts/homes/ambroisie@mousqueton/default.nix +++ b/hosts/homes/ambroisie@mousqueton/default.nix @@ -1,5 +1,5 @@ # Google Cloudtop configuration -{ ... }: +{ lib, pkgs, ... }: { # Google specific configuration home.homeDirectory = "/usr/local/google/home/ambroisie"; @@ -13,6 +13,8 @@ LD_PRELOAD = "/lib/x86_64-linux-gnu/libnss_cache.so.2\${LD_PRELOAD:+:}$LD_PRELOAD"; }; + programs.git.package = lib.mkForce pkgs.emptyDirectory; + # I use scripts that use the passthrough sequence often on this host my.home.tmux.enablePassthrough = true; } From fd093465267cf0d53ebc2c710b4ac27c9ce1836f Mon Sep 17 00:00:00 2001 
From: Bruno BELANYI Date: Thu, 12 Oct 2023 13:40:22 +0000 Subject: [PATCH 08/49] direnv: remove explicit 'shellHooks' evaluation I _think_ nix-direnv does it automatically, so no need to do it myself. --- .envrc | 2 -- 1 file changed, 2 deletions(-) diff --git a/.envrc b/.envrc index 95ed6fb..7f5642d 100644 --- a/.envrc +++ b/.envrc @@ -6,5 +6,3 @@ use flake watch_file ./flake/checks.nix watch_file ./flake/dev-shells.nix - -eval "$shellHooks" From e09899d59c8c383773e9e76bb9cd7268ca775143 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 12 Oct 2023 13:41:36 +0000 Subject: [PATCH 09/49] direnv: fix 'watch_file' directives I should use `nix_direnv_watch_file` and call it _before_ `use_flake`. --- .envrc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.envrc b/.envrc index 7f5642d..956a218 100644 --- a/.envrc +++ b/.envrc @@ -2,7 +2,7 @@ if ! has nix_direnv_version || ! nix_direnv_version 2.2.1; then source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.2.1/direnvrc" "sha256-zelF0vLbEl5uaqrfIzbgNzJWGmLzCmYAkInj/LNxvKs=" fi -use flake +nix_direnv_watch_file ./flake/checks.nix +nix_direnv_watch_file ./flake/dev-shells.nix -watch_file ./flake/checks.nix -watch_file ./flake/dev-shells.nix +use flake From aca743dea7a76fe96c489f974b435ac2d6ab5b6c Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 12 Oct 2023 13:47:01 +0000 Subject: [PATCH 10/49] templates: simplify direnv configurations This was mostly a copy-paste error (the `watch_file` calls). As for the shell hooks, it looks like `nix-direnv` takes care of that automatically. --- templates/c++-cmake/.envrc | 5 ----- templates/c++-meson/.envrc | 5 ----- 2 files changed, 10 deletions(-) diff --git a/templates/c++-cmake/.envrc b/templates/c++-cmake/.envrc index 95ed6fb..f347aa9 100644 --- a/templates/c++-cmake/.envrc +++ b/templates/c++-cmake/.envrc 
@@ -3,8 +3,3 @@ if ! has nix_direnv_version || ! nix_direnv_version 2.2.1; then fi use flake - -watch_file ./flake/checks.nix -watch_file ./flake/dev-shells.nix - -eval "$shellHooks" diff --git a/templates/c++-meson/.envrc b/templates/c++-meson/.envrc index 95ed6fb..f347aa9 100644 --- a/templates/c++-meson/.envrc +++ b/templates/c++-meson/.envrc @@ -3,8 +3,3 @@ if ! has nix_direnv_version || ! nix_direnv_version 2.2.1; then fi use flake - -watch_file ./flake/checks.nix -watch_file ./flake/dev-shells.nix - -eval "$shellHooks" From ce19887f77e7ab7e735882eb6c5163ccf6d30145 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 12 Oct 2023 15:17:26 +0000 Subject: [PATCH 11/49] treewide: update 'nix-direnv' bootstrapping --- .envrc | 4 ++-- templates/c++-cmake/.envrc | 4 ++-- templates/c++-meson/.envrc | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.envrc b/.envrc index 956a218..9222bda 100644 --- a/.envrc +++ b/.envrc @@ -1,5 +1,5 @@ -if ! has nix_direnv_version || ! nix_direnv_version 2.2.1; then - source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.2.1/direnvrc" "sha256-zelF0vLbEl5uaqrfIzbgNzJWGmLzCmYAkInj/LNxvKs=" +if ! has nix_direnv_version || ! nix_direnv_version 2.4.0; then + source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.4.0/direnvrc" "sha256-XQzUAvL6pysIJnRJyR7uVpmUSZfc7LSgWQwq/4mBr1U=" fi nix_direnv_watch_file ./flake/checks.nix diff --git a/templates/c++-cmake/.envrc b/templates/c++-cmake/.envrc index f347aa9..ccf325e 100644 --- a/templates/c++-cmake/.envrc +++ b/templates/c++-cmake/.envrc 
@@ -1,5 +1,5 @@ -if ! has nix_direnv_version || ! nix_direnv_version 2.2.1; then - source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.2.1/direnvrc" "sha256-zelF0vLbEl5uaqrfIzbgNzJWGmLzCmYAkInj/LNxvKs=" +if ! has nix_direnv_version || ! nix_direnv_version 2.4.0; then + source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.4.0/direnvrc" "sha256-XQzUAvL6pysIJnRJyR7uVpmUSZfc7LSgWQwq/4mBr1U=" fi use flake diff --git a/templates/c++-meson/.envrc b/templates/c++-meson/.envrc index f347aa9..ccf325e 100644 --- a/templates/c++-meson/.envrc +++ b/templates/c++-meson/.envrc @@ -1,5 +1,5 @@ -if ! has nix_direnv_version || ! nix_direnv_version 2.2.1; then - source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.2.1/direnvrc" "sha256-zelF0vLbEl5uaqrfIzbgNzJWGmLzCmYAkInj/LNxvKs=" +if ! has nix_direnv_version || ! nix_direnv_version 2.4.0; then + source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.4.0/direnvrc" "sha256-XQzUAvL6pysIJnRJyR7uVpmUSZfc7LSgWQwq/4mBr1U=" fi use flake From a5febc40e4043bd00c552acde7bf2442f072fa34 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 12 Oct 2023 15:19:44 +0000 Subject: [PATCH 12/49] home: comma: remove 'COMMA_PKGS_FLAKE' definition Now that my configurations also set `nixpkgs` in `NIX_PATH`, there's isn't a need for this to be defined anymore. --- home/comma/default.nix | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/home/comma/default.nix b/home/comma/default.nix index cc6a0ad..60de863 100644 --- a/home/comma/default.nix +++ b/home/comma/default.nix 
@@ -5,25 +5,11 @@ in { options.my.home.comma = with lib; { enable = my.mkDisableOption "comma configuration"; - - pkgsFlake = mkOption { - type = types.str; - default = "pkgs"; - example = "nixpkgs"; - description = '' - Which flake from the registry should be used with - nix shell. - ''; - }; }; config = lib.mkIf cfg.enable { home.packages = with pkgs; [ ambroisie.comma ]; - - home.sessionVariables = { - COMMA_PKGS_FLAKE = cfg.pkgsFlake; - }; }; } From 2d36ffd96dba1ac9acab698d9370983eec0b3574 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 12 Oct 2023 15:19:44 +0000 Subject: [PATCH 13/49] pkgs: comma: rename 'COMMA_{,NIX}PKGS_FLAKE' This aligns with the rust implementation of this tool [1]. [1]: https://github.com/nix-community/comma/commit/17a4f3384954a43cec0f91361f153cda908fe3d3 --- pkgs/comma/comma | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/comma/comma b/pkgs/comma/comma index ba5c6ae..4367a26 100755 --- a/pkgs/comma/comma +++ b/pkgs/comma/comma @@ -30,4 +30,4 @@ if [ -z "$PROGRAM" ]; then exit 1 fi -nix shell "${COMMA_PKGS_FLAKE:-nixpkgs}#$PROGRAM" -c "$@" +nix shell "${COMMA_NIXPKGS_FLAKE:-nixpkgs}#$PROGRAM" -c "$@" From dae1a434d558b96d8ed3424b8eef09610aecb122 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 28 Sep 2023 18:02:22 +0200 Subject: [PATCH 14/49] modules: services: transmission: bump to 4 Not sure why exactly this isn't the default, I'll have to watch out for when upstream catches up. --- modules/services/transmission/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/services/transmission/default.nix b/modules/services/transmission/default.nix index dcba0aa..28df477 100644 --- a/modules/services/transmission/default.nix +++ b/modules/services/transmission/default.nix 
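Review bot: The rename on the final line of the `pkgs/comma/comma` hunk drops `COMMA_PKGS_FLAKE` with no transitional fallback, so a shell that still exports the old name silently falls back to `nixpkgs` instead of the flake the user chose. A nested default keeps both spellings working while the rust-aligned name is adopted: `nix shell "${COMMA_NIXPKGS_FLAKE:-${COMMA_PKGS_FLAKE:-nixpkgs}}#$PROGRAM" -c "$@"`. The preceding patch removes the home-manager definition of the old variable, but other environments may still set it. The script's argument handling lies above the hunk.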
@@ -3,7 +3,7 @@ # Inspired by [1] # # [1]: https://github.com/delroth/infra.delroth.net/blob/master/roles/seedbox.nix -{ config, lib, ... }: +{ config, lib, pkgs, ... }: let cfg = config.my.services.transmission; in @@ -45,6 +45,7 @@ in config = lib.mkIf cfg.enable { services.transmission = { enable = true; + package = pkgs.transmission_4; group = "media"; downloadDirPermissions = "775"; From 3b3e7093beb225810a728b44f31afeb24f2f247c Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 6 Oct 2023 23:11:46 +0200 Subject: [PATCH 15/49] modules: services: pirate: make more fine-grained --- modules/services/pirate/default.nix | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/modules/services/pirate/default.nix b/modules/services/pirate/default.nix index 7c341e7..59f9794 100644 --- a/modules/services/pirate/default.nix +++ b/modules/services/pirate/default.nix @@ -29,7 +29,7 @@ let ]; }; - mkFail2Ban = service: { + mkFail2Ban = service: lib.mkIf cfg.${service}.enable { services.fail2ban.jails = { ${service} = '' enabled = true @@ -47,14 +47,30 @@ let }; }; - mkFullConfig = service: lib.mkMerge [ + mkFullConfig = service: lib.mkIf cfg.${service}.enable (lib.mkMerge [ (mkService service) (mkRedirection service) - ]; + ]); in { options.my.services.pirate = { enable = lib.mkEnableOption "Media automation"; + + bazarr = { + enable = lib.my.mkDisableOption "Bazarr"; + }; + + lidarr = { + enable = lib.my.mkDisableOption "Lidarr"; + }; + + radarr = { + enable = lib.my.mkDisableOption "Radarr"; + }; + + sonarr = { + enable = lib.my.mkDisableOption "Sonarr"; + }; }; config = lib.mkIf cfg.enable (lib.mkMerge [ From f8a0eef4dd993d43dafec88aa33b099b9d05d11c Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 6 Oct 2023 23:13:47 +0200 Subject: [PATCH 16/49] hosts: nixos: porthos: services: disable lidarr --- hosts/nixos/porthos/services.nix | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
diff --git a/hosts/nixos/porthos/services.nix b/hosts/nixos/porthos/services.nix index 863048c..8487157 100644 --- a/hosts/nixos/porthos/services.nix +++ b/hosts/nixos/porthos/services.nix @@ -116,7 +116,13 @@ in secretKeyFile = secrets."paperless/secret-key".path; }; # The whole *arr software suite - pirate.enable = true; + pirate = { + enable = true; + # ... But not Lidarr because I don't care for music that much + lidarr = { + enable = false; + }; + }; # Podcast automatic downloader podgrab = { enable = true; From fcdb5ba59329dc129e93ab228e38943fc90fe978 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 18 Oct 2023 21:36:09 +0200 Subject: [PATCH 17/49] modules: services: woodpecker: remove DNS hack I'm not sure what changed, but it looks like I don't need it anymore. Initially I wanted to apply the same DNS fix as [1]. [1]: https://blog.kotatsu.dev/posts/2023-04-21-woodpecker-nix-caching/ --- modules/services/woodpecker/agent-docker/default.nix | 3 --- 1 file changed, 3 deletions(-) diff --git a/modules/services/woodpecker/agent-docker/default.nix b/modules/services/woodpecker/agent-docker/default.nix index b18d075..79d3299 100644 --- a/modules/services/woodpecker/agent-docker/default.nix +++ b/modules/services/woodpecker/agent-docker/default.nix @@ -27,9 +27,6 @@ in # Make sure it is activated in that case my.system.docker.enable = true; - # FIXME: figure out the issue - services.unbound.resolveLocalQueries = false; - # Adjust runner service for nix usage systemd.services.woodpecker-agent-docker = { after = [ "docker.socket" ]; # Needs the socket to be available From 1398425b91ed383c32a418341a666d5b9039d561 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 19 Oct 2023 10:42:19 +0000 Subject: [PATCH 18/49] hosts: homes: cloudtop: disable gpg-agent It doesn't work well in this environment anyway. --- hosts/homes/ambroisie@mousqueton/default.nix | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/hosts/homes/ambroisie@mousqueton/default.nix b/hosts/homes/ambroisie@mousqueton/default.nix index 9096610..0bd2272 100644 --- a/hosts/homes/ambroisie@mousqueton/default.nix +++ b/hosts/homes/ambroisie@mousqueton/default.nix @@ -15,6 +15,8 @@ programs.git.package = lib.mkForce pkgs.emptyDirectory; + services.gpg-agent.enable = lib.mkForce false; + # I use scripts that use the passthrough sequence often on this host my.home.tmux.enablePassthrough = true; } From 31fbd7aa4fcad34b969348e806b157b4eb0c3b30 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 28 Sep 2023 15:28:11 +0000 Subject: [PATCH 19/49] modules: services: matrix: refactor vhost --- modules/services/matrix/default.nix | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix index c73afed..9acd8c2 100644 --- a/modules/services/matrix/default.nix +++ b/modules/services/matrix/default.nix @@ -13,6 +13,7 @@ let federationPort = { public = 8448; private = 11338; }; clientPort = { public = 443; private = 11339; }; domain = config.networking.domain; + matrixDomain = "matrix.${domain}"; in { options.my.services.matrix = with lib; { @@ -52,7 +53,7 @@ in settings = { server_name = domain; - public_baseurl = "https://matrix.${domain}"; + public_baseurl = "https://${matrixDomain}"; enable_registration = false; @@ -98,7 +99,7 @@ in conf = { default_server_config = { "m.homeserver" = { - "base_url" = "https://matrix.${domain}"; + "base_url" = "https://${matrixDomain}"; "server_name" = domain; }; "m.identity_server" = { @@ -120,7 +121,7 @@ in # Those are too complicated to use my wrapper... services.nginx.virtualHosts = { - "matrix.${domain}" = { + ${matrixDomain} = { onlySSL = true; useACMEHost = domain; 
@@ -148,9 +149,9 @@ in }; # same as above, but listening on the federation port - "matrix.${domain}_federation" = { + "${matrixDomain}_federation" = { onlySSL = true; - serverName = "matrix.${domain}"; + serverName = matrixDomain; useACMEHost = domain; locations."/".return = "404"; @@ -171,7 +172,7 @@ in locations."= /.well-known/matrix/server".extraConfig = let - server = { "m.server" = "matrix.${domain}:${toString federationPort.public}"; }; + server = { "m.server" = "${matrixDomain}:${toString federationPort.public}"; }; in '' add_header Content-Type application/json; @@ -181,7 +182,7 @@ in locations."= /.well-known/matrix/client".extraConfig = let client = { - "m.homeserver" = { "base_url" = "https://matrix.${domain}"; }; + "m.homeserver" = { "base_url" = "https://${matrixDomain}"; }; "m.identity_server" = { "base_url" = "https://vector.im"; }; }; # ACAO required to allow element-web on any URL to request this json file From ad976e2097b24b6fe7de3bbabbc512320c93fee1 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 28 Sep 2023 15:53:46 +0000 Subject: [PATCH 20/49] hosts: nixos: porthos: secrets: add matrix sync --- .../nixos/porthos/secrets/matrix/sliding-sync-secret.age | 9 +++++++++ hosts/nixos/porthos/secrets/secrets.nix | 3 +++ 2 files changed, 12 insertions(+) create mode 100644 hosts/nixos/porthos/secrets/matrix/sliding-sync-secret.age diff --git a/hosts/nixos/porthos/secrets/matrix/sliding-sync-secret.age b/hosts/nixos/porthos/secrets/matrix/sliding-sync-secret.age new file mode 100644 index 0000000..d375a35 --- /dev/null +++ b/hosts/nixos/porthos/secrets/matrix/sliding-sync-secret.age 
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 cKojmg N182xey8TWRVUWTRP16rT0zlhYZNr/pOZVR7YRnlIkk +HVqAag55z1cKLgjR3WsUj2wvaVjxm169JcDRJGRvCVU +-> ssh-ed25519 jPowng Dc+aaUTxDsMTY+oOst0SC3ldq1e6zX8F5A5uBL5RHhc +JWZou6+VaFc5f2OLRIrmFFWg3Er6WSY+TloXU0mP1K8 +-> |9_9Aqh%-grease $ X8Mn|5 aKnl' fl Date: Thu, 28 Sep 2023 18:42:13 +0200 Subject: [PATCH 21/49] modules: services: matrix: register dummy vhosts This is simply to make use of my infrastructure for port collision detection. --- modules/services/matrix/default.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix index 9acd8c2..42c5cda 100644 --- a/modules/services/matrix/default.nix +++ b/modules/services/matrix/default.nix @@ -117,6 +117,15 @@ in }; }; } + # Dummy VHosts for port collision detection + { + subdomain = "matrix-federation"; + port = federationPort.private; + } + { + subdomain = "matrix-client"; + port = clientPort.private; + } ]; # Those are too complicated to use my wrapper... From 08212e49cd372578342a2252ae7f2cd5bbfbf137 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 28 Sep 2023 15:53:46 +0000 Subject: [PATCH 22/49] modules: services: matrix: add sliding sync --- hosts/nixos/porthos/services.nix | 3 +++ modules/services/matrix/default.nix | 40 +++++++++++++++++++++++++++++ 2 files changed, 43 insertions(+) diff --git a/hosts/nixos/porthos/services.nix b/hosts/nixos/porthos/services.nix index 8487157..d73cdc1 100644 --- a/hosts/nixos/porthos/services.nix +++ b/hosts/nixos/porthos/services.nix @@ -64,6 +64,9 @@ in mailConfigFile = secrets."matrix/mail".path; # Only necessary when doing the initial registration secretFile = secrets."matrix/secret".path; + slidingSync = { + secretFile = secrets."matrix/sliding-sync-secret".path; + }; }; miniflux = { enable = true; diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix index 42c5cda..52b60c5 100644 
--- a/modules/services/matrix/default.nix +++ b/modules/services/matrix/default.nix @@ -26,6 +26,21 @@ in description = "Shared secret to register users"; }; + slidingSync = { + port = mkOption { + type = types.port; + default = 8009; + example = 8084; + description = "Port used by sliding sync server"; + }; + + secretFile = mkOption { + type = types.str; + example = "/var/lib/matrix/sliding-sync-secret-file.env"; + description = "Secret file which contains SYNCV3_SECRET definition"; + }; + }; + mailConfigFile = mkOption { type = types.str; example = "/var/lib/matrix/email-config.yaml"; @@ -89,6 +104,17 @@ in extraConfigFiles = [ cfg.mailConfigFile ] ++ lib.optional (cfg.secretFile != null) cfg.secretFile; + + sliding-sync = { + enable = true; + + settings = { + SYNCV3_SERVER = "https://${matrixDomain}"; + SYNCV3_BINDADDR = "127.0.0.1:${toString cfg.slidingSync.port}"; + }; + + environmentFile = cfg.slidingSync.secretFile; + }; }; my.services.nginx.virtualHosts = [ @@ -105,6 +131,9 @@ in "m.identity_server" = { "base_url" = "https://vector.im"; }; + "org.matrix.msc3575.proxy" = { + "url" = "https://matrix-sync.${domain}"; + }; }; showLabsSettings = true; defaultCountryCode = "FR"; # cocorico @@ -126,6 +155,11 @@ in subdomain = "matrix-client"; port = clientPort.private; } + # Sliding sync + { + subdomain = "matrix-sync"; + inherit (cfg.slidingSync) port; + } ]; # Those are too complicated to use my wrapper... @@ -148,6 +182,11 @@ in "/_matrix" = proxyToClientPort; "/_synapse/client" = proxyToClientPort; + + # Sliding sync + "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = { + proxyPass = "http://${config.services.matrix-synapse.sliding-sync.settings.SYNCV3_BINDADDR}"; + }; }; listen = [ 
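Review bot: `sliding-sync.enable = true;` in the second hunk is unconditional, while the new `slidingSync.secretFile` option in the first hunk has no default, so every host that enables this matrix module must now provide a sliding-sync secret file or fail evaluation. Giving the sub-module its own toggle, `enable = lib.my.mkDisableOption "sliding sync";`, and wrapping the `sliding-sync` block and the `matrix-sync` vhost entry in `lib.mkIf cfg.slidingSync.enable` would keep the module usable for hosts that do not want the proxy. Passing the secret through `environmentFile` rather than `settings` is the right choice, since it keeps `SYNCV3_SECRET` out of the world-readable Nix store; the option description could say so. The enclosing `services.matrix-synapse` block and the options set both begin outside their hunks.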
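Review bot: The regex location added in the last hunk, `"~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)"`, leaves the dots in `org.matrix.msc3575` unescaped, so they match any character rather than a literal dot; in a Nix double-quoted string the escaped form is `"~ ^/(client/|_matrix/client/unstable/org\\.matrix\\.msc3575/sync)"`. The pattern also has no trailing anchor, so everything under `/client/` and every path beginning with the sync endpoint is routed to the proxy; if that is what the sliding-sync proxy expects, a one-line comment saying so would save the next reader a trip to the MSC. The `locations` attrset this lands in starts outside the hunk.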
@@ -193,6 +232,7 @@ in client = { "m.homeserver" = { "base_url" = "https://${matrixDomain}"; }; "m.identity_server" = { "base_url" = "https://vector.im"; }; + "org.matrix.msc3575.proxy" = { "url" = "https://matrix-sync.${domain}"; }; }; # ACAO required to allow element-web on any URL to request this json file in From 270f9f02a255532890fd31d7c43b9e68376cc9dd Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 22 Oct 2021 13:45:36 +0200 Subject: [PATCH 23/49] flake: add 'impermanence' --- flake.lock | 17 +++++++++++++++++ flake.nix | 7 +++++++ 2 files changed, 24 insertions(+) diff --git a/flake.lock b/flake.lock index 6e070fc..cd8218c 100644 --- a/flake.lock +++ b/flake.lock @@ -145,6 +145,22 @@ "type": "github" } }, + "impermanence": { + "locked": { + "lastModified": 1694622745, + "narHash": "sha256-z397+eDhKx9c2qNafL1xv75lC0Q4nOaFlhaU1TINqb8=", + "owner": "nix-community", + "repo": "impermanence", + "rev": "e9643d08d0d193a2e074a19d4d90c67a874d932e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "impermanence", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1695644571, @@ -212,6 +228,7 @@ "flake-parts": "flake-parts", "futils": "futils", "home-manager": "home-manager", + "impermanence": "impermanence", "nixpkgs": "nixpkgs", "nur": "nur", "pre-commit-hooks": "pre-commit-hooks" diff --git a/flake.nix b/flake.nix index 8e46ea3..7970759 100644 --- a/flake.nix +++ b/flake.nix @@ -39,6 +39,13 @@ }; }; + impermanence = { + type = "github"; + owner = "nix-community"; + repo = "impermanence"; + ref = "master"; + }; + nixpkgs = { type = "github"; owner = "NixOS"; From ab5ebae2cb6096cf184f56b630089d63a0ae90a7 Mon Sep 17 00:00:00 2001 
From: Bruno BELANYI Date: Fri, 22 Oct 2021 13:52:04 +0200 Subject: [PATCH 24/49] WIP: modules: systems: add persist This is the module that takes care of configuring impermanence at the system level. WIP: * address FIXMEs * activate home-manager persistence? * set `programs.fuse.userAllowOther = true;` ? * point `age` to persisted paths [1] ? * make sure all services and modules are persisted correctly... [1]: https://github.com/lovesegfault/nix-config/commit/b1d18d25b8cc1e50c521020442b907de377a147d --- modules/system/default.nix | 1 + modules/system/persist/default.nix | 67 ++++++++++++++++++++++++++++++ 2 files changed, 68 insertions(+) create mode 100644 modules/system/persist/default.nix diff --git a/modules/system/default.nix b/modules/system/default.nix index 9fe3b57..b3d9385 100644 --- a/modules/system/default.nix +++ b/modules/system/default.nix @@ -9,6 +9,7 @@ ./language ./nix ./packages + ./persist ./podman ./users ]; diff --git a/modules/system/persist/default.nix b/modules/system/persist/default.nix new file mode 100644 index 0000000..4c0682c --- /dev/null +++ b/modules/system/persist/default.nix 
@@ -0,0 +1,67 @@
+# Ephemeral root configuration
+{ config, inputs, lib, ... }:
+let
+ cfg = config.my.system.persist;
+in
+{
+ imports = [
+ inputs.impermanence.nixosModules.impermanence
+ ];
+
+ options.my.system.persist = with lib; {
+ enable = mkEnableOption "stateless system configuration";
+
+ mountPoint = lib.mkOption {
+ type = types.str;
+ default = "/persistent";
+ example = "/etc/nix/persist";
+ description = ''
+ Which mount point should be used to persist this system's files and
+ directories.
+ '';
+ };
+
+ files = lib.mkOption {
+ type = with types; listOf str;
+ default = [ ];
+ example = [
+ "/etc/nix/id_rsa"
+ ];
+ description = ''
+ Additional files in the root to link to persistent storage.
+ '';
+ };
+
+ directories = lib.mkOption {
+ type = with types; listOf str;
+ default = [ ];
+ example = [
+ "/var/lib/libvirt"
+ ];
+ description = ''
+ Additional directories in the root to link to persistent storage.
+ '';
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ environment.persistence."${cfg.mountPoint}" = {
+ files = [
+ "/etc/machine-id"
+ ]
+ ++ cfg.files
+ ;
+
+ directories = [
+ "/etc/nixos"
+ "/var/log"
+ "/var/lib/systemd/coredump"
+ ]
+ ++ (lib.optionals config.virtualisation.docker.enable [
+ "/var/lib/docker"
+ ])
+ ++ cfg.directories
+ ;
+ };
+ };
+}
From 5125ca329e41a22b5ee7bafbe09163178d8dfd06 Mon Sep 17 00:00:00 2001
From: Bruno BELANYI
Date: Fri, 22 Oct 2021 14:05:42 +0200
Subject: [PATCH 25/49] modules: services: ssh-server: persist host keys
---
 modules/services/ssh-server/default.nix | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/modules/services/ssh-server/default.nix b/modules/services/ssh-server/default.nix
index 9ae0fa8..0cabc6f 100644
--- a/modules/services/ssh-server/default.nix
+++ b/modules/services/ssh-server/default.nix
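Review bot: The `directories` default in the `config` block omits `/var/lib/nixos`, where NixOS keeps the uid/gid maps for dynamically allocated system users; without it those ids can be handed out differently on each boot, and the service state directories that later commits in this series persist may come up owned by another service's account. Adding `"/var/lib/nixos"` next to `"/etc/nixos"` in that list covers it, as far as I can tell. The option set mixes a bare `mkEnableOption` from the surrounding `with lib;` with explicit `lib.mkOption` for the other three options; one form throughout reads better. Persisting `/var/lib/systemd/coredump` keeps process memory images, which can hold credentials, across reboots, so a comment such as `# Core dumps are kept for post-mortem debugging; they may contain secrets` would make that trade-off explicit.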
@@ -20,6 +20,14 @@ in }; }; + # Persist SSH keys + my.system.persist.files = [ + "/etc/ssh/ssh_host_ed25519_key" + "/etc/ssh/ssh_host_ed25519_key.pub" + "/etc/ssh/ssh_host_rsa_key" + "/etc/ssh/ssh_host_rsa_key.pub" + ]; + # Opens the relevant UDP ports. programs.mosh.enable = true; }; From 86b42568ed0f6594b7f0ca6ba93e5600765cdbd1 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 22 Oct 2021 14:06:03 +0200 Subject: [PATCH 26/49] modules: hardware: netowrking persist connections --- modules/hardware/networking/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/hardware/networking/default.nix b/modules/hardware/networking/default.nix index f0806fe..51dcfce 100644 --- a/modules/hardware/networking/default.nix +++ b/modules/hardware/networking/default.nix @@ -22,6 +22,11 @@ in config = lib.mkMerge [ (lib.mkIf cfg.wireless.enable { networking.networkmanager.enable = true; + + # Persist NetworkManager files + my.system.persist.directories = [ + "/etc/NetworkManager/system-connections" + ]; }) ]; } From e86ab34a627b1d24567fe3d94a0bbd37e6a5b2e2 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 22 Oct 2021 14:06:26 +0200 Subject: [PATCH 27/49] modules: hardware: bluetooth: persist connections --- modules/hardware/bluetooth/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/modules/hardware/bluetooth/default.nix b/modules/hardware/bluetooth/default.nix index 2d840f9..3dd44e6 100644 --- a/modules/hardware/bluetooth/default.nix +++ b/modules/hardware/bluetooth/default.nix @@ -18,6 +18,13 @@ in services.blueman.enable = true; } + # Persist bluetooth files + { + my.system.persist.directories = [ + "/var/lib/bluetooth" + ]; + } + # Support for additional bluetooth codecs (lib.mkIf cfg.loadExtraCodecs { hardware.pulseaudio = { From ea5f9d181fef65741a20342db8d5f55d46c8e1c2 Mon Sep 17 00:00:00 2001 
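Review bot: The persisted key list hardcodes four paths instead of deriving them from `config.services.openssh.hostKeys`, so any change to that option would leave the new keys on the ephemeral root and the host identity would rotate on every boot; `my.system.persist.files = lib.concatMap (k: [ k.path "${k.path}.pub" ]) config.services.openssh.hostKeys;` keeps the two in sync. A file entry whose persistent side does not exist yet may, depending on the impermanence version, be bind-mounted as an empty file that sshd's key generation then treats as present-but-invalid, so a first-boot note (copy or generate the keys on the persistent volume first) belongs in the comment. These keys are presumably also the agenix identity the series' WIP notes refer to, so their mode on the persistent volume must stay 0600. The enclosing `config` block starts before the hunk.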
From: Bruno BELANYI Date: Fri, 22 Oct 2021 14:19:57 +0200 Subject: [PATCH 28/49] modules: services: blog: persist website data --- modules/services/blog/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/modules/services/blog/default.nix b/modules/services/blog/default.nix index 4b646c3..6752ac2 100644 --- a/modules/services/blog/default.nix +++ b/modules/services/blog/default.nix @@ -42,5 +42,12 @@ in # Those are all subdomains, no problem my.services.nginx.virtualHosts = hostsInfo; + + my.system.persist.directories = [ + "/var/www/blog" + "/var/www/cv" + "/var/www/dev" + "/var/www/key" + ]; }; } From a3b4b3072a295681f48c984ab8bd8d118d31e1b0 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Nov 2021 14:43:05 +0100 Subject: [PATCH 29/49] modules: services: calibre-web: persist library --- modules/services/calibre-web/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/services/calibre-web/default.nix b/modules/services/calibre-web/default.nix index 858851c..b6e70d8 100644 --- a/modules/services/calibre-web/default.nix +++ b/modules/services/calibre-web/default.nix @@ -54,6 +54,11 @@ in ]; }; + my.system.persist.directories = [ + "/var/lib/${config.services.calibre-web.dataDir}" + cfg.libraryPath + ]; + services.fail2ban.jails = { calibre-web = '' enabled = true From 53af6d3fa64b772f95f910f54cbf62d17b593048 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Nov 2021 14:43:16 +0100 Subject: [PATCH 30/49] modules: services: flood: persist data --- modules/services/flood/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/flood/default.nix b/modules/services/flood/default.nix index ff5d941..79b6c75 100644 --- a/modules/services/flood/default.nix +++ b/modules/services/flood/default.nix @@ -46,5 +46,9 @@ in inherit (cfg) port; } ]; + + my.system.persist.directories = [ + "/var/lib/${cfg.stateDir}" + ]; }; } From 604d594deca0ac2d445de75df4c15926adee5de3 Mon Sep 17 00:00:00 2001 
From: Bruno BELANYI Date: Wed, 3 Nov 2021 14:43:28 +0100 Subject: [PATCH 31/49] modules: services: gitea: persist repositories --- modules/services/gitea/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/services/gitea/default.nix b/modules/services/gitea/default.nix index 28a448d..93edf57 100644 --- a/modules/services/gitea/default.nix +++ b/modules/services/gitea/default.nix @@ -135,6 +135,11 @@ in ]; }; + my.system.persist.directories = [ + config.services.gitea.lfs.contentDir + config.services.gitea.repositoryRoot + ]; + services.fail2ban.jails = { gitea = '' enabled = true From 4fcc69f34ea5c5230ef76de53d07d32706b8d407 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Nov 2021 17:12:32 +0100 Subject: [PATCH 32/49] modules: services: matrix: persist data --- modules/services/matrix/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix index 52b60c5..87494c9 100644 --- a/modules/services/matrix/default.nix +++ b/modules/services/matrix/default.nix @@ -257,5 +257,9 @@ in config.services.matrix-synapse.dataDir ]; }; + + my.system.persist.directories = [ + config.services.matrix-synapse.dataDir + ]; }; } From 706fad7e7f917a2755cba3bc1fe45114f881b4fe Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Nov 2021 17:12:42 +0100 Subject: [PATCH 33/49] modules: services: paperless: persist data --- modules/services/paperless/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/services/paperless/default.nix b/modules/services/paperless/default.nix index 1ca1f66..702627d 100644 --- a/modules/services/paperless/default.nix +++ b/modules/services/paperless/default.nix @@ -164,5 +164,10 @@ in config.services.paperless.mediaDir ]; }; + + my.system.persist.directories = [ + config.services.paperless-ng.dataDir + config.services.paperless-ng.mediaDir + ]; }; } From 72baa4e84fddbbfca73d0e4ec26922e47cf807c5 Mon Sep 17 00:00:00 2001 
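Review bot: Only `lfs.contentDir` and `repositoryRoot` are persisted; `config.services.gitea.stateDir` — where, as far as I know, the NixOS module keeps the generated `secret_key`, `internal_token` and JWT secrets under `custom/conf` (and the database when the SQLite backend is used) — is not, so on an ephemeral root those secrets are regenerated every boot and all sessions and tokens are invalidated. Adding `config.services.gitea.stateDir` to the list (the other two default to subdirectories of it, so wrap the list in `lib.unique` to avoid nested duplicates) covers it; if those secrets are instead supplied via agenix elsewhere in this module, a comment saying so would make the omission deliberate. The enclosing `config` block starts before the hunk.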
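Review bot: The added lines read `config.services.paperless-ng.dataDir` and `config.services.paperless-ng.mediaDir`, while the context line just above them reads `config.services.paperless.mediaDir`; both option prefixes cannot be current at once, and if `services.paperless-ng` is gone the module fails to evaluate with a missing-attribute error. Use the prefix the surrounding backup list already uses: `config.services.paperless.dataDir` and `config.services.paperless.mediaDir`.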
From: Bruno BELANYI Date: Wed, 3 Nov 2021 17:12:58 +0100 Subject: [PATCH 34/49] modules: services: postgresql-backup: persist data --- modules/services/postgresql-backup/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/postgresql-backup/default.nix b/modules/services/postgresql-backup/default.nix index dff5494..3d6c03b 100644 --- a/modules/services/postgresql-backup/default.nix +++ b/modules/services/postgresql-backup/default.nix @@ -24,5 +24,9 @@ in (config.services.postgresqlBackup.location + "/*.prev.sql.gz") ]; }; + + my.system.persist.directories = [ + config.services.postgresqlBackup.location + ]; }; } From 3e28075906a916e2962203e05354bdc3a508154f Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Nov 2021 17:13:13 +0100 Subject: [PATCH 35/49] modules: services: postgresql: persist data --- modules/services/postgresql/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/modules/services/postgresql/default.nix b/modules/services/postgresql/default.nix index 6f51f3e..175c1ce 100644 --- a/modules/services/postgresql/default.nix +++ b/modules/services/postgresql/default.nix @@ -18,6 +18,13 @@ in }; }) + # Only persist directory if the actual service is enabled + (lib.mkIf config.services.postgresql.enable { + my.system.persist.directories = [ + config.services.postgresql.dataDir + ]; + }) + # Taken from the manual (lib.mkIf cfg.upgradeScript { containers.temp-pg.config.services.postgresql = { From 843c4a80971d556e0e28a17497663dc7786c0679 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 14:30:25 +0100 Subject: [PATCH 36/49] modules: services: indexers: persist data --- modules/services/indexers/default.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/modules/services/indexers/default.nix b/modules/services/indexers/default.nix index fb06a0b..28a7007 100644 --- a/modules/services/indexers/default.nix +++ b/modules/services/indexers/default.nix 
@@ -34,6 +34,10 @@ in port = jackettPort; } ]; + + my.system.persist.directories = [ + config.services.jackett.dataDir + ]; }) (lib.mkIf cfg.nzbhydra.enable { @@ -47,6 +51,10 @@ in port = nzbhydraPort; } ]; + + my.system.persist.directories = [ + config.services.nzbhydra2.dataDir + ]; }) (lib.mkIf cfg.prowlarr.enable { @@ -61,6 +69,10 @@ in } ]; + my.system.persist.directories = [ + "/var/lib/${config.systemd.services.prowlarr.serviceConfig.StateDirectory}" + ]; + services.fail2ban.jails = { prowlarr = '' enabled = true From 993bdbd3e7b3910204c00a8e3648c2a47cc100aa Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:11:05 +0100 Subject: [PATCH 37/49] modules: services: jellyfin: persist data --- modules/services/jellyfin/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/jellyfin/default.nix b/modules/services/jellyfin/default.nix index 2fcf51e..0692dcc 100644 --- a/modules/services/jellyfin/default.nix +++ b/modules/services/jellyfin/default.nix @@ -35,5 +35,9 @@ in }; } ]; + + my.system.persist.directories = [ + "/var/lib/${config.systemd.services.jellyfin.serviceConfig.StateDirectory}" + ]; }; } From 775ac426494c9629b0d374966d018a5a74d100b1 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:11:12 +0100 Subject: [PATCH 38/49] modules: services: lohr: persist data --- modules/services/lohr/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/lohr/default.nix b/modules/services/lohr/default.nix index 245567c..7aac1ac 100644 --- a/modules/services/lohr/default.nix +++ b/modules/services/lohr/default.nix @@ -104,5 +104,9 @@ in inherit (cfg) port; } ]; + + my.system.persist.directories = [ + "/var/lib/${config.systemd.services.lohr.serviceConfig.StateDirectory}" + ]; }; } From b0622f56960d395400672d6fdd83e7b66503b619 Mon Sep 17 00:00:00 2001 
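Review bot: `"/var/lib/${config.systemd.services.prowlarr.serviceConfig.StateDirectory}"` interpolates `StateDirectory` as a string, but patch 41 treats the same attribute for podgrab as a list and maps over it; systemd unit options accept both shapes, and interpolating a list fails at evaluation ("cannot coerce a list to a string"). The same assumption is made for jellyfin (patch 37), lohr (patch 38) and navidrome (patch 39). A helper in the persist module, `stateDirs = svc: map (d: "/var/lib/${d}") (lib.toList config.systemd.services.${svc}.serviceConfig.StateDirectory);`, handles both shapes and removes the repeated interpolation. The prowlarr hunk's `mkIf` block starts before the hunk.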
From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:11:23 +0100 Subject: [PATCH 39/49] modules: services: navidrome: persist data --- modules/services/navidrome/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/navidrome/default.nix b/modules/services/navidrome/default.nix index 6c001fd..08c6a88 100644 --- a/modules/services/navidrome/default.nix +++ b/modules/services/navidrome/default.nix @@ -53,5 +53,9 @@ in inherit (cfg) port; } ]; + + my.system.persist.directories = [ + "/var/lib/${config.systemd.services.navidrome.serviceConfig.StateDirectory}" + ]; }; } From 3328cf62d948f1c2b0d2180eb2f27e38c30ecba8 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:11:35 +0100 Subject: [PATCH 40/49] modules: services: nextcloud: persist data --- modules/services/nextcloud/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/services/nextcloud/default.nix b/modules/services/nextcloud/default.nix index 1477c13..55972ab 100644 --- a/modules/services/nextcloud/default.nix +++ b/modules/services/nextcloud/default.nix @@ -83,5 +83,10 @@ in "${config.services.nextcloud.home}/data/appdata_*/preview" ]; }; + + my.system.persist.directories = [ + config.services.nextcloud.home + config.services.nextcloud.datadir + ]; }; } From 1d23a6caa85d5c3bbca39d7fe7f3a5830dfa1c0d Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:20:11 +0100 Subject: [PATCH 41/49] modules: services: podgrab: persist data --- modules/services/podgrab/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/services/podgrab/default.nix b/modules/services/podgrab/default.nix index 9793d60..2994fc8 100644 --- a/modules/services/podgrab/default.nix +++ b/modules/services/podgrab/default.nix @@ -37,5 +37,10 @@ in inherit (cfg) port; } ]; + + my.system.persist.directories = + builtins.map + (d: "/var/lib/${d}") + config.systemd.services.podgrab.serviceConfig.StateDirectory; }; } 
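Review bot: `config.services.nextcloud.datadir` defaults to `config.services.nextcloud.home` in the upstream module, I believe, so with the default configuration the nextcloud list names the same directory twice, and with a custom `datadir` outside `home` it is fine but with one inside `home` it nests one bind mount in another. `lib.unique [ config.services.nextcloud.home config.services.nextcloud.datadir ]`, or `lib.optional (config.services.nextcloud.datadir != config.services.nextcloud.home) config.services.nextcloud.datadir` appended to `[ config.services.nextcloud.home ]`, avoids the duplicate. The enclosing `config` block starts before the hunk.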
From 30a632a261d2728003edd5af7f9e171fef9d78a0 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:21:42 +0100 Subject: [PATCH 42/49] modules: services: rss-bridge: persist data --- modules/services/rss-bridge/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/rss-bridge/default.nix b/modules/services/rss-bridge/default.nix index 85e37c2..66858dc 100644 --- a/modules/services/rss-bridge/default.nix +++ b/modules/services/rss-bridge/default.nix @@ -20,5 +20,9 @@ in forceSSL = true; useACMEHost = config.networking.domain; }; + + my.system.persist.directories = [ + config.services.rss-bridge.dataDir + ]; }; } From dbd33f7d62ce0c20304de560146632afc14a5997 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:25:44 +0100 Subject: [PATCH 43/49] modules: services: sabnzbd: persist data --- modules/services/sabnzbd/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/sabnzbd/default.nix b/modules/services/sabnzbd/default.nix index 7ab145f..ef13d4b 100644 --- a/modules/services/sabnzbd/default.nix +++ b/modules/services/sabnzbd/default.nix @@ -25,6 +25,10 @@ in } ]; + my.system.persist.files = [ + config.services.sabnzbd.configFile + ]; + services.fail2ban.jails = { sabnzbd = '' enabled = true From b48048aa5f92a2f2375705ea72df1086131992f2 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:25:50 +0100 Subject: [PATCH 44/49] modules: services: transmission: persist data --- modules/services/transmission/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/transmission/default.nix b/modules/services/transmission/default.nix index 28df477..37e4f0f 100644 --- a/modules/services/transmission/default.nix +++ b/modules/services/transmission/default.nix @@ -91,5 +91,9 @@ in allowedTCPPorts = [ cfg.peerPort ]; allowedUDPPorts = [ cfg.peerPort ]; }; + + my.system.persist.directories = [ + config.services.transmission.home + ]; }; } 
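Review bot: `config.services.sabnzbd.configFile` is persisted as a single file, which impermanence implements as a bind mount of that one inode; if sabnzbd rewrites its ini by writing a temporary file and renaming it over the old one, as many daemons do, the new contents land on the ephemeral root and are lost at reboot, and the history database and other state kept next to the ini are not covered at all. Persisting the containing directory, `my.system.persist.directories = [ (builtins.dirOf config.services.sabnzbd.configFile) ];`, is the more robust choice. The ini holds the API key and any configured credentials, so whichever form is used, the persistent copy needs the same restrictive mode as the original. The enclosing `mkIf` block starts before the hunk.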
From 9ebabb251b25f40b7b8a8ae81ec274130da88daf Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:37:51 +0100 Subject: [PATCH 45/49] modules: services: nginx: persist SSL certificates --- modules/services/nginx/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/nginx/default.nix b/modules/services/nginx/default.nix index dcaaa0f..a2f357f 100644 --- a/modules/services/nginx/default.nix +++ b/modules/services/nginx/default.nix @@ -470,5 +470,9 @@ in } ]; }; + + my.system.persist.directories = [ + config.users.user.acme.home + ]; }; } From b83c917a9e7b4e6e3b39cc2a3fb1b3da0207997d Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:40:29 +0100 Subject: [PATCH 46/49] modules: services: monitoring: persist data --- modules/services/monitoring/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/services/monitoring/default.nix b/modules/services/monitoring/default.nix index 829bfe0..c7489f4 100644 --- a/modules/services/monitoring/default.nix +++ b/modules/services/monitoring/default.nix @@ -131,5 +131,10 @@ in inherit (cfg.grafana) port; } ]; + + my.system.persist.directories = [ + config.services.grafana.dataDir + "/var/lib/${config.services.prometheus.stateDir}" + ]; }; } From 7c7eadbf4540d6fb229bf94eea1cb7a8f26c2c3e Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:58:07 +0100 Subject: [PATCH 47/49] modules: services: pirate: persist data --- modules/services/pirate/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/services/pirate/default.nix b/modules/services/pirate/default.nix index 59f9794..cfabc90 100644 --- a/modules/services/pirate/default.nix +++ b/modules/services/pirate/default.nix @@ -18,6 +18,11 @@ let enable = true; group = "media"; }; + + # Thankfully those old style services all define users with homes + my.system.persist.directories = [ + config.users.user.${service}.home + ]; }; mkRedirection = service: { 
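Review bot: `config.users.user.acme.home` is not a NixOS option path — users live under `config.users.users` — so this line evaluates to a missing-attribute error; the same typo is in patch 47's `config.users.user.${service}.home`. Change both to `config.users.users.<name>.home`. Since the acme directory holds the account key and the issued private keys, getting this right is also what stops certificates from being re-issued (and the CA's rate limits hit) on every boot. The enclosing `config` block starts before the hunk.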
From 4b6d332e9b83bc73882fbb992c4813a88f6571d0 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 21:51:04 +0100 Subject: [PATCH 48/49] modules: services: quassel: persist data --- modules/services/quassel/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/quassel/default.nix b/modules/services/quassel/default.nix index ec686e1..18d084a 100644 --- a/modules/services/quassel/default.nix +++ b/modules/services/quassel/default.nix @@ -46,5 +46,9 @@ in # Because Quassel does not use the socket, I simply trust its connection authentication = "host quassel quassel localhost trust"; }; + + my.system.persist.directories = [ + config.services.quassel.dataDir + ]; }; } From 534cda6d916f977d9bbd580b85875dc01ec98f56 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 21 Sep 2023 15:55:56 +0000 Subject: [PATCH 49/49] WIP: add notes for missing persistence/backup TODO: * Look at for more inspiration https://github.com/nix-community/impermanence/pull/108 * Do home-manager * Common files https://github.com/nix-community/impermanence/issues/10 --- modules/services/grocy/default.nix | 3 +++ modules/services/miniflux/default.nix | 3 +++ modules/services/tandoor-recipes/default.nix | 3 +++ modules/services/vikunja/default.nix | 2 ++ modules/system/persist/default.nix | 1 + 5 files changed, 12 insertions(+) diff --git a/modules/services/grocy/default.nix b/modules/services/grocy/default.nix index 87927d6..4a3183e 100644 --- a/modules/services/grocy/default.nix +++ b/modules/services/grocy/default.nix @@ -36,5 +36,8 @@ in forceSSL = true; useACMEHost = config.networking.domain; }; + + # FIXME: backup + # FIXME: persistence }; } diff --git a/modules/services/miniflux/default.nix b/modules/services/miniflux/default.nix index 6d9ffc8..4667912 100644 --- a/modules/services/miniflux/default.nix +++ b/modules/services/miniflux/default.nix @@ -49,5 +49,8 @@ in inherit (cfg) port; } ]; + + # FIXME: backup + # FIXME: persistence }; } 
diff --git a/modules/services/tandoor-recipes/default.nix b/modules/services/tandoor-recipes/default.nix index d78bef3..82350d7 100644 --- a/modules/services/tandoor-recipes/default.nix +++ b/modules/services/tandoor-recipes/default.nix @@ -75,5 +75,8 @@ in inherit (cfg) port; } ]; + + # FIXME: backup + # FIXME: persistence }; } diff --git a/modules/services/vikunja/default.nix b/modules/services/vikunja/default.nix index 1cdef5f..076dd4a 100644 --- a/modules/services/vikunja/default.nix +++ b/modules/services/vikunja/default.nix @@ -119,5 +119,7 @@ in config.services.vikunja.settings.files.basepath ]; }; + + # FIXME: persistence }; } diff --git a/modules/system/persist/default.nix b/modules/system/persist/default.nix index 4c0682c..18302f3 100644 --- a/modules/system/persist/default.nix +++ b/modules/system/persist/default.nix @@ -60,6 +60,7 @@ in ++ (lib.optionals config.virtualisation.docker.enable [ "/var/lib/docker" ]) + # FIXME: podman ++ cfg.directories ; };
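Review bot: The `# FIXME: podman` marker in the persist module hunk sits between two `++` operands, and a mirror of the docker branch directly above it would close it: `++ (lib.optionals config.virtualisation.podman.enable [ "/var/lib/containers" ])`, since rootful podman keeps its image and container storage under `/var/lib/containers` by default. Rootless storage lives under each user's home and presumably belongs with the home-manager persistence the commit message lists as TODO. The enclosing list expression starts before the hunk.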