From 085c563d7538b238e0a180fa0627de27e9ca069d Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 19 Oct 2023 10:42:19 +0000 Subject: [PATCH 01/36] hosts: homes: mousqueton: disable gpg-agent It doesn't work well in this environment anyway. --- hosts/homes/ambroisie@mousqueton/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts/homes/ambroisie@mousqueton/default.nix b/hosts/homes/ambroisie@mousqueton/default.nix index 9096610..0bd2272 100644 --- a/hosts/homes/ambroisie@mousqueton/default.nix +++ b/hosts/homes/ambroisie@mousqueton/default.nix @@ -15,6 +15,8 @@ programs.git.package = lib.mkForce pkgs.emptyDirectory; + services.gpg-agent.enable = lib.mkForce false; + # I use scripts that use the passthrough sequence often on this host my.home.tmux.enablePassthrough = true; } From 1425c424899752f4f955a7f2fd1c73711abd9ed5 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 28 Sep 2023 15:28:11 +0000 Subject: [PATCH 02/36] modules: services: matrix: refactor vhost --- modules/services/matrix/default.nix | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix index c73afed..9acd8c2 100644 --- a/modules/services/matrix/default.nix +++ b/modules/services/matrix/default.nix @@ -13,6 +13,7 @@ let federationPort = { public = 8448; private = 11338; }; clientPort = { public = 443; private = 11339; }; domain = config.networking.domain; + matrixDomain = "matrix.${domain}"; in { options.my.services.matrix = with lib; { @@ -52,7 +53,7 @@ in settings = { server_name = domain; - public_baseurl = "https://matrix.${domain}"; + public_baseurl = "https://${matrixDomain}"; enable_registration = false; @@ -98,7 +99,7 @@ in conf = { default_server_config = { "m.homeserver" = { - "base_url" = "https://matrix.${domain}"; + "base_url" = "https://${matrixDomain}"; "server_name" = domain; }; "m.identity_server" = { @@ -120,7 +121,7 @@ in # Those are too complicated to use my wrapper... services.nginx.virtualHosts = { - "matrix.${domain}" = { + ${matrixDomain} = { onlySSL = true; useACMEHost = domain; @@ -148,9 +149,9 @@ in }; # same as above, but listening on the federation port - "matrix.${domain}_federation" = { + "${matrixDomain}_federation" = { onlySSL = true; - serverName = "matrix.${domain}"; + serverName = matrixDomain; useACMEHost = domain; locations."/".return = "404"; @@ -171,7 +172,7 @@ in locations."= /.well-known/matrix/server".extraConfig = let - server = { "m.server" = "matrix.${domain}:${toString federationPort.public}"; }; + server = { "m.server" = "${matrixDomain}:${toString federationPort.public}"; }; in '' add_header Content-Type application/json; @@ -181,7 +182,7 @@ in locations."= /.well-known/matrix/client".extraConfig = let client = { - "m.homeserver" = { "base_url" = "https://matrix.${domain}"; }; + "m.homeserver" = { "base_url" = "https://${matrixDomain}"; }; "m.identity_server" = { "base_url" = "https://vector.im"; }; }; # ACAO required to allow element-web on any URL to request this json file From 52413dcaf7d937a69002be661b8a6c26443e162c Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 28 Sep 2023 15:53:46 +0000 Subject: [PATCH 03/36] hosts: nixos: porthos: secrets: add matrix sync --- .../nixos/porthos/secrets/matrix/sliding-sync-secret.age | 9 +++++++++ hosts/nixos/porthos/secrets/secrets.nix | 3 +++ 2 files changed, 12 insertions(+) create mode 100644 hosts/nixos/porthos/secrets/matrix/sliding-sync-secret.age diff --git a/hosts/nixos/porthos/secrets/matrix/sliding-sync-secret.age b/hosts/nixos/porthos/secrets/matrix/sliding-sync-secret.age new file mode 100644 index 0000000..d375a35 --- /dev/null +++ b/hosts/nixos/porthos/secrets/matrix/sliding-sync-secret.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 cKojmg N182xey8TWRVUWTRP16rT0zlhYZNr/pOZVR7YRnlIkk +HVqAag55z1cKLgjR3WsUj2wvaVjxm169JcDRJGRvCVU +-> ssh-ed25519 jPowng Dc+aaUTxDsMTY+oOst0SC3ldq1e6zX8F5A5uBL5RHhc +JWZou6+VaFc5f2OLRIrmFFWg3Er6WSY+TloXU0mP1K8 +-> |9_9Aqh%-grease $ X8Mn|5 aKnl' fl Date: Thu, 28 Sep 2023 18:42:13 +0200 Subject: [PATCH 04/36] modules: services: matrix: register dummy vhosts This is simply to make use of my infrastructure for port collision detection. --- modules/services/matrix/default.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix index 9acd8c2..42c5cda 100644 --- a/modules/services/matrix/default.nix +++ b/modules/services/matrix/default.nix @@ -117,6 +117,15 @@ in }; }; } + # Dummy VHosts for port collision detection + { + subdomain = "matrix-federation"; + port = federationPort.private; + } + { + subdomain = "matrix-client"; + port = clientPort.private; + } ]; # Those are too complicated to use my wrapper... From b4c2cc581b6b79db1961e0aa840fad6d17ee6652 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 28 Sep 2023 15:53:46 +0000 Subject: [PATCH 05/36] modules: services: matrix: add sliding sync --- hosts/nixos/porthos/services.nix | 3 +++ modules/services/matrix/default.nix | 40 +++++++++++++++++++++++++++++ 2 files changed, 43 insertions(+) diff --git a/hosts/nixos/porthos/services.nix b/hosts/nixos/porthos/services.nix index 8487157..d73cdc1 100644 --- a/hosts/nixos/porthos/services.nix +++ b/hosts/nixos/porthos/services.nix @@ -64,6 +64,9 @@ in mailConfigFile = secrets."matrix/mail".path; # Only necessary when doing the initial registration secretFile = secrets."matrix/secret".path; + slidingSync = { + secretFile = secrets."matrix/sliding-sync-secret".path; + }; }; miniflux = { enable = true; diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix index 42c5cda..52b60c5 100644 --- a/modules/services/matrix/default.nix +++ b/modules/services/matrix/default.nix @@ -26,6 +26,21 @@ in description = "Shared secret to register users"; }; + slidingSync = { + port = mkOption { + type = types.port; + default = 8009; + example = 8084; + description = "Port used by sliding sync server"; + }; + + secretFile = mkOption { + type = types.str; + example = "/var/lib/matrix/sliding-sync-secret-file.env"; + description = "Secret file which contains SYNCV3_SECRET definition"; + }; + }; + mailConfigFile = mkOption { type = types.str; example = "/var/lib/matrix/email-config.yaml"; @@ -89,6 +104,17 @@ in extraConfigFiles = [ cfg.mailConfigFile ] ++ lib.optional (cfg.secretFile != null) cfg.secretFile; + + sliding-sync = { + enable = true; + + settings = { + SYNCV3_SERVER = "https://${matrixDomain}"; + SYNCV3_BINDADDR = "127.0.0.1:${toString cfg.slidingSync.port}"; + }; + + environmentFile = cfg.slidingSync.secretFile; + }; }; my.services.nginx.virtualHosts = [ @@ -105,6 +131,9 @@ in "m.identity_server" = { "base_url" = "https://vector.im"; }; + "org.matrix.msc3575.proxy" = { + "url" = "https://matrix-sync.${domain}"; + }; }; showLabsSettings = true; defaultCountryCode = "FR"; # cocorico @@ -126,6 +155,11 @@ in subdomain = "matrix-client"; port = clientPort.private; } + # Sliding sync + { + subdomain = "matrix-sync"; + inherit (cfg.slidingSync) port; + } ]; # Those are too complicated to use my wrapper... @@ -148,6 +182,11 @@ in "/_matrix" = proxyToClientPort; "/_synapse/client" = proxyToClientPort; + + # Sliding sync + "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = { + proxyPass = "http://${config.services.matrix-synapse.sliding-sync.settings.SYNCV3_BINDADDR}"; + }; }; listen = [ @@ -193,6 +232,7 @@ in client = { "m.homeserver" = { "base_url" = "https://${matrixDomain}"; }; "m.identity_server" = { "base_url" = "https://vector.im"; }; + "org.matrix.msc3575.proxy" = { "url" = "https://matrix-sync.${domain}"; }; }; # ACAO required to allow element-web on any URL to request this json file in From 5248eb59f8480c3531e8e3775580c7ac8941852a Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 26 Oct 2023 12:27:31 +0000 Subject: [PATCH 06/36] hosts: homes: mousqueton: fix `tmux` 24-bit color This is based on this answer [1] from Stack Overflow. I'll have to look into what the proper fix would be in general, this is just a band-aid to get it working correctly while SSH-ing from my laptop. [1]: https://stackoverflow.com/a/41786092 --- hosts/homes/ambroisie@mousqueton/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hosts/homes/ambroisie@mousqueton/default.nix b/hosts/homes/ambroisie@mousqueton/default.nix index 0bd2272..ac73da6 100644 --- a/hosts/homes/ambroisie@mousqueton/default.nix +++ b/hosts/homes/ambroisie@mousqueton/default.nix @@ -19,4 +19,9 @@ # I use scripts that use the passthrough sequence often on this host my.home.tmux.enablePassthrough = true; + + programs.tmux.extraConfig = '' + # Setup 24-bit color explicitly, as the default terminfo entry does not + set-option -sa terminal-overrides ",xterm-256color:Tc" + ''; } From 8055636fafe07cb905a4beb676c218a029087cb0 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 18 Oct 2023 15:26:07 +0000 Subject: [PATCH 07/36] flake: bump inputs --- flake.lock | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/flake.lock b/flake.lock index 6e070fc..5fd6c45 100644 --- a/flake.lock +++ b/flake.lock @@ -11,11 +11,11 @@ ] }, "locked": { - "lastModified": 1695384796, + "lastModified": 1696775529, "narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=", "owner": "ryantm", "repo": "agenix", - "rev": "1f677b3e161d3bdbfd08a939e8f25de2568e0ef4", + "rev": "daf42cb35b2dc614d1551e37f96406e4c4a2d3e4", "type": "github" }, "original": { @@ -70,11 +70,11 @@ ] }, "locked": { - "lastModified": 1693611461, - "narHash": "sha256-aPODl8vAgGQ0ZYFIRisxYG5MOGSkIczvu2Cd8Gb9+1Y=", + "lastModified": 1696343447, + "narHash": "sha256-B2xAZKLkkeRFG5XcHHSXXcP7To9Xzr59KXeZiRf4vdQ=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "7f53fdb7bdc5bb237da7fefef12d099e4fd611ca", + "rev": "c9afaba3dfa4085dbd2ccb38dfade5141e33d9d4", "type": "github" }, "original": { @@ -131,11 +131,11 @@ ] }, "locked": { - "lastModified": 1695738267, - "narHash": "sha256-LTNAbTQ96xSj17xBfsFrFS9i56U2BMLpD0BduhrsVkU=", + "lastModified": 1698250431, + "narHash": "sha256-qs2gTeH4wpnWPO6Oi6sOhp2IhG0i0DzcnrJxIY3/CP8=", "owner": "nix-community", "repo": "home-manager", - "rev": "0f4e5b4999fd6a42ece5da8a3a2439a50e48e486", + "rev": "09587fbbc6a669f7725613e044c2577dc5d43ab5", "type": "github" }, "original": { @@ -147,11 +147,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1695644571, - "narHash": "sha256-asS9dCCdlt1lPq0DLwkVBbVoEKuEuz+Zi3DG7pR/RxA=", + "lastModified": 1698134075, + "narHash": "sha256-foCD+nuKzfh49bIoiCBur4+Fx1nozo+4C/6k8BYk4sg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6500b4580c2a1f3d0f980d32d285739d8e156d92", + "rev": "8efd5d1e283604f75a808a20e6cde0ef313d07d4", "type": "github" }, "original": { @@ -163,11 +163,11 @@ }, "nur": { "locked": { - "lastModified": 1695824843, - "narHash": "sha256-c1Z+y9oUXOkcU8gVBCyaujUqYLpYoI2b6L9Cq4ywOcA=", + "lastModified": 1698317227, + "narHash": "sha256-jzSJjjxJr/IPvoPSWB1ZobmlAKku6eeggh9ffGV7Sig=", "owner": "nix-community", "repo": "NUR", - "rev": "8349f3e37cf21a9da032a2fdb8e7ac45366d01f3", + "rev": "32a38be31067b0a2f4919fd9e7a49bbefc34d25f", "type": "github" }, "original": { @@ -192,11 +192,11 @@ ] }, "locked": { - "lastModified": 1695576016, - "narHash": "sha256-71KxwRhTfVuh7kNrg3/edNjYVg9DCyKZl2QIKbhRggg=", + "lastModified": 1698227354, + "narHash": "sha256-Fi5H9jbaQLmLw9qBi/mkR33CoFjNbobo5xWdX4tKz1Q=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "cb770e93516a1609652fa8e945a0f310e98f10c0", + "rev": "bd38df3d508dfcdff52cd243d297f218ed2257bf", "type": "github" }, "original": { From 67f8ef538ed94d2e6a2ab7f8710dbcc19d2e6d82 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 26 Oct 2023 12:50:59 +0000 Subject: [PATCH 08/36] overlays: add 'gruvbox-nvim-old-diff' I dislike the new style of diff [1]. Thankfully somebody wrote a patch to configure it [2] (though not completely to my liking, so the local patch here is a bit different). I used it as a basis, but made it always revert, rather than configurable. [1]: https://github.com/ellisonleao/gruvbox.nvim/issues/290 [2]: https://github.com/ellisonleao/gruvbox.nvim/pull/291 --- overlays/gruvbox-nvim-old-diff/default.nix | 4 +++ overlays/gruvbox-nvim-old-diff/generated.nix | 24 ++++++++++++++++ .../gruvbox-nvim-old-diff/old-colours.patch | 28 +++++++++++++++++++ 3 files changed, 56 insertions(+) create mode 100644 overlays/gruvbox-nvim-old-diff/default.nix create mode 100644 overlays/gruvbox-nvim-old-diff/generated.nix create mode 100644 overlays/gruvbox-nvim-old-diff/old-colours.patch diff --git a/overlays/gruvbox-nvim-old-diff/default.nix b/overlays/gruvbox-nvim-old-diff/default.nix new file mode 100644 index 0000000..832e71d --- /dev/null +++ b/overlays/gruvbox-nvim-old-diff/default.nix @@ -0,0 +1,4 @@ +self: prev: +{ + vimPlugins = prev.vimPlugins.extend (self.callPackage ./generated.nix { }); +} diff --git a/overlays/gruvbox-nvim-old-diff/generated.nix b/overlays/gruvbox-nvim-old-diff/generated.nix new file mode 100644 index 0000000..05f6271 --- /dev/null +++ b/overlays/gruvbox-nvim-old-diff/generated.nix @@ -0,0 +1,24 @@ +{ vimUtils, fetchFromGitHub }: + +_final: _prev: { + gruvbox-nvim = vimUtils.buildVimPlugin { + pname = "gruvbox.nvim"; + version = "2023-10-07"; + + src = fetchFromGitHub { + owner = "ellisonleao"; + repo = "gruvbox.nvim"; + rev = "477c62493c82684ed510c4f70eaf83802e398898"; + sha256 = "0250c24c6n6yri48l288irdawhqs16qna3y74rdkgjd2jvh66vdm"; + }; + + patches = [ + # Inspired by https://github.com/ellisonleao/gruvbox.nvim/pull/291 + ./old-colours.patch + ]; + + meta = { + homepage = "https://github.com/ellisonleao/gruvbox.nvim/"; + }; + }; +} diff --git a/overlays/gruvbox-nvim-old-diff/old-colours.patch b/overlays/gruvbox-nvim-old-diff/old-colours.patch new file mode 100644 index 0000000..99c39b4 --- /dev/null +++ b/overlays/gruvbox-nvim-old-diff/old-colours.patch @@ -0,0 +1,28 @@ +From 416b3c9c5e783d173ac0fd5310a76c1b144b92c1 Mon Sep 17 00:00:00 2001 +From: eeeXun +Date: Thu, 19 Oct 2023 02:34:12 +0800 +Subject: feat: make invert_diff configurable + +--- + README.md | 3 ++- + lua/gruvbox.lua | 7 ++++--- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/lua/gruvbox.lua b/lua/gruvbox.lua +index ceba0735..a319fc6a 100644 +--- a/lua/gruvbox.lua ++++ b/lua/gruvbox.lua +@@ -360,9 +361,9 @@ local function get_groups() + PmenuSel = { fg = colors.bg2, bg = colors.blue, bold = config.bold }, + PmenuSbar = { bg = colors.bg2 }, + PmenuThumb = { bg = colors.bg4 }, +- DiffDelete = { bg = colors.dark_red }, +- DiffAdd = { bg = colors.dark_green }, +- DiffChange = { bg = colors.dark_aqua }, +- DiffText = { bg = colors.yellow, fg = colors.bg0 }, ++ DiffDelete = { fg = colors.bg0, bg = colors.red, reverse = config.inverse }, ++ DiffAdd = { fg = colors.bg0, bg = colors.green, reverse = config.inverse }, ++ DiffChange = { fg = colors.bg0, bg = colors.aqua, reverse = config.inverse }, ++ DiffText = { bg = colors.yellow, fg = colors.bg0, reverse = config.inverse }, + SpellCap = { link = "GruvboxBlueUnderline" }, + SpellBad = { link = "GruvboxRedUnderline" }, From 14be4c2a6b9ed457b242b662b1c9ff1294d4553c Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 18 Oct 2023 15:26:35 +0000 Subject: [PATCH 09/36] home: vim: migrate to 'none-ls-nvim' This is the community-maintained fork of the plug-in. --- home/vim/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/vim/default.nix b/home/vim/default.nix index ec18f5c..871bf40 100644 --- a/home/vim/default.nix +++ b/home/vim/default.nix @@ -67,7 +67,7 @@ in nvim-lspconfig # Easy LSP configuration lsp-format-nvim # Simplified formatting configuration lsp_lines-nvim # Show diagnostics *over* regions - null-ls-nvim # LSP integration for linters and formatters + none-ls-nvim # LSP integration for linters and formatters nvim-treesitter.withAllGrammars # Better highlighting nvim-treesitter-textobjects # More textobjects nvim-ts-context-commentstring # Comment string in nested language blocks From 903bf4724f4270453eac8f23e9120078e517758a Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 22 Oct 2021 13:45:36 +0200 Subject: [PATCH 10/36] flake: add 'impermanence' --- flake.lock | 17 +++++++++++++++++ flake.nix | 7 +++++++ 2 files changed, 24 insertions(+) diff --git a/flake.lock b/flake.lock index 5fd6c45..1c7b71b 100644 --- a/flake.lock +++ b/flake.lock @@ -145,6 +145,22 @@ "type": "github" } }, + "impermanence": { + "locked": { + "lastModified": 1694622745, + "narHash": "sha256-z397+eDhKx9c2qNafL1xv75lC0Q4nOaFlhaU1TINqb8=", + "owner": "nix-community", + "repo": "impermanence", + "rev": "e9643d08d0d193a2e074a19d4d90c67a874d932e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "impermanence", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1698134075, @@ -212,6 +228,7 @@ "flake-parts": "flake-parts", "futils": "futils", "home-manager": "home-manager", + "impermanence": "impermanence", "nixpkgs": "nixpkgs", "nur": "nur", "pre-commit-hooks": "pre-commit-hooks" diff --git a/flake.nix b/flake.nix index 8e46ea3..7970759 100644 --- a/flake.nix +++ b/flake.nix @@ -39,6 +39,13 @@ }; }; + impermanence = { + type = "github"; + owner = "nix-community"; + repo = "impermanence"; + ref = "master"; + }; + nixpkgs = { type = "github"; owner = "NixOS"; From ed6fc4948f5518788de83a340582abc18c9e0368 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 22 Oct 2021 13:52:04 +0200 Subject: [PATCH 11/36] WIP: modules: systems: add persist This is the module that takes care of configuring impermanence at the system level. WIP: * address FIXMEs * activate home-manager persistence? * set `programs.fuse.userAllowOther = true;` ? * point `age` to persisted paths [1] ? * make sure all services and modules are persisted correctly... [1]: https://github.com/lovesegfault/nix-config/commit/b1d18d25b8cc1e50c521020442b907de377a147d --- modules/system/default.nix | 1 + modules/system/persist/default.nix | 67 ++++++++++++++++++++++++++++++ 2 files changed, 68 insertions(+) create mode 100644 modules/system/persist/default.nix diff --git a/modules/system/default.nix b/modules/system/default.nix index 9fe3b57..b3d9385 100644 --- a/modules/system/default.nix +++ b/modules/system/default.nix @@ -9,6 +9,7 @@ ./language ./nix ./packages + ./persist ./podman ./users ]; diff --git a/modules/system/persist/default.nix b/modules/system/persist/default.nix new file mode 100644 index 0000000..4c0682c --- /dev/null +++ b/modules/system/persist/default.nix @@ -0,0 +1,67 @@ +# Ephemeral root configuration +{ config, inputs, lib, ... }: +let + cfg = config.my.system.persist; +in +{ + imports = [ + inputs.impermanence.nixosModules.impermanence + ]; + + options.my.system.persist = with lib; { + enable = mkEnableOption "stateless system configuration"; + + mountPoint = lib.mkOption { + type = types.str; + default = "/persistent"; + example = "/etc/nix/persist"; + description = '' + Which mount point should be used to persist this system's files and + directories. + ''; + }; + + files = lib.mkOption { + type = with types; listOf str; + default = [ ]; + example = [ + "/etc/nix/id_rsa" + ]; + description = '' + Additional files in the root to link to persistent storage. + ''; + }; + + directories = lib.mkOption { + type = with types; listOf str; + default = [ ]; + example = [ + "/var/lib/libvirt" + ]; + description = '' + Additional directories in the root to link to persistent storage. + ''; + }; + }; + + config = lib.mkIf cfg.enable { + environment.persistence."${cfg.mountPoint}" = { + files = [ + "/etc/machine-id" + ] + ++ cfg.files + ; + + directories = [ + "/etc/nixos" + "/var/log" + "/var/lib/systemd/coredump" + ] + ++ (lib.optionals config.virtualisation.docker.enable [ + "/var/lib/docker" + ]) + ++ cfg.directories + ; + }; + }; +} From 175f799dd0ba253f6a9990605c481b757f6949ba Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 22 Oct 2021 14:05:42 +0200 Subject: [PATCH 12/36] modules: services: ssh-server: persist host keys --- modules/services/ssh-server/default.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/modules/services/ssh-server/default.nix b/modules/services/ssh-server/default.nix index 9ae0fa8..0cabc6f 100644 --- a/modules/services/ssh-server/default.nix +++ b/modules/services/ssh-server/default.nix @@ -20,6 +20,14 @@ in }; }; + # Persist SSH keys + my.system.persist.files = [ + "/etc/ssh/ssh_host_ed25519_key" + "/etc/ssh/ssh_host_ed25519_key.pub" + "/etc/ssh/ssh_host_rsa_key" + "/etc/ssh/ssh_host_rsa_key.pub" + ]; + # Opens the relevant UDP ports. programs.mosh.enable = true; }; From 28892446091ce1cda55b3aaf0453d8cc42ff06c4 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 22 Oct 2021 14:06:03 +0200 Subject: [PATCH 13/36] modules: hardware: netowrking persist connections --- modules/hardware/networking/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/hardware/networking/default.nix b/modules/hardware/networking/default.nix index f0806fe..51dcfce 100644 --- a/modules/hardware/networking/default.nix +++ b/modules/hardware/networking/default.nix @@ -22,6 +22,11 @@ in config = lib.mkMerge [ (lib.mkIf cfg.wireless.enable { networking.networkmanager.enable = true; + + # Persist NetworkManager files + my.system.persist.directories = [ + "/etc/NetworkManager/system-connections" + ]; }) ]; } From 660fd9f12c89c4923b1e669ab5d6dbb229bfa8ff Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 22 Oct 2021 14:06:26 +0200 Subject: [PATCH 14/36] modules: hardware: bluetooth: persist connections --- modules/hardware/bluetooth/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/modules/hardware/bluetooth/default.nix b/modules/hardware/bluetooth/default.nix index 2d840f9..3dd44e6 100644 --- a/modules/hardware/bluetooth/default.nix +++ b/modules/hardware/bluetooth/default.nix @@ -18,6 +18,13 @@ in services.blueman.enable = true; } + # Persist bluetooth files + { + my.system.persist.directories = [ + "/var/lib/bluetooth" + ]; + } + # Support for additional bluetooth codecs (lib.mkIf cfg.loadExtraCodecs { hardware.pulseaudio = { From 8b5a59e6bb325e100e4d77e36053189e23941062 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 22 Oct 2021 14:19:57 +0200 Subject: [PATCH 15/36] modules: services: blog: persist website data --- modules/services/blog/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/modules/services/blog/default.nix b/modules/services/blog/default.nix index 4b646c3..6752ac2 100644 --- a/modules/services/blog/default.nix +++ b/modules/services/blog/default.nix @@ -42,5 +42,12 @@ in # Those are all subdomains, no problem my.services.nginx.virtualHosts = hostsInfo; + + my.system.persist.directories = [ + "/var/www/blog" + "/var/www/cv" + "/var/www/dev" + "/var/www/key" + ]; }; } From 5d189eb15b22776a50d96e2fe6286185215c1b81 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Nov 2021 14:43:05 +0100 Subject: [PATCH 16/36] modules: services: calibre-web: persist library --- modules/services/calibre-web/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/services/calibre-web/default.nix b/modules/services/calibre-web/default.nix index 858851c..b6e70d8 100644 --- a/modules/services/calibre-web/default.nix +++ b/modules/services/calibre-web/default.nix @@ -54,6 +54,11 @@ in ]; }; + my.system.persist.directories = [ + "/var/lib/${config.services.calibre-web.dataDir}" + cfg.libraryPath + ]; + services.fail2ban.jails = { calibre-web = '' enabled = true From f29083c26fda2956a521887bcd10011247f0c3d3 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Nov 2021 14:43:16 +0100 Subject: [PATCH 17/36] modules: services: flood: persist data --- modules/services/flood/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/flood/default.nix b/modules/services/flood/default.nix index ff5d941..79b6c75 100644 --- a/modules/services/flood/default.nix +++ b/modules/services/flood/default.nix @@ -46,5 +46,9 @@ in inherit (cfg) port; } ]; + + my.system.persist.directories = [ + "/var/lib/${cfg.stateDir}" + ]; }; } From 3d90b8c429b71808825120ec8605ea1ab6453e63 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Nov 2021 14:43:28 +0100 Subject: [PATCH 18/36] modules: services: gitea: persist repositories --- modules/services/gitea/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/services/gitea/default.nix b/modules/services/gitea/default.nix index 28a448d..93edf57 100644 --- a/modules/services/gitea/default.nix +++ b/modules/services/gitea/default.nix @@ -135,6 +135,11 @@ in ]; }; + my.system.persist.directories = [ + config.services.gitea.lfs.contentDir + config.services.gitea.repositoryRoot + ]; + services.fail2ban.jails = { gitea = '' enabled = true From c132b6872260b0ca45ea6056d46a8fc7770a7629 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Nov 2021 17:12:32 +0100 Subject: [PATCH 19/36] modules: services: matrix: persist data --- modules/services/matrix/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix index 52b60c5..87494c9 100644 --- a/modules/services/matrix/default.nix +++ b/modules/services/matrix/default.nix @@ -257,5 +257,9 @@ in config.services.matrix-synapse.dataDir ]; }; + + my.system.persist.directories = [ + config.services.matrix-synapse.dataDir + ]; }; } From 9e223ec943cf0c5b75c40e57c0773121628d6592 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Nov 2021 17:12:42 +0100 Subject: [PATCH 20/36] modules: services: paperless: persist data --- modules/services/paperless/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/services/paperless/default.nix b/modules/services/paperless/default.nix index 1ca1f66..702627d 100644 --- a/modules/services/paperless/default.nix +++ b/modules/services/paperless/default.nix @@ -164,5 +164,10 @@ in config.services.paperless.mediaDir ]; }; + + my.system.persist.directories = [ + config.services.paperless-ng.dataDir + config.services.paperless-ng.mediaDir + ]; }; } From 6a20598cba8319446e9ce638595307d0f28ed9ac Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Nov 2021 17:12:58 +0100 Subject: [PATCH 21/36] modules: services: postgresql-backup: persist data --- modules/services/postgresql-backup/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/postgresql-backup/default.nix b/modules/services/postgresql-backup/default.nix index dff5494..3d6c03b 100644 --- a/modules/services/postgresql-backup/default.nix +++ b/modules/services/postgresql-backup/default.nix @@ -24,5 +24,9 @@ in (config.services.postgresqlBackup.location + "/*.prev.sql.gz") ]; }; + + my.system.persist.directories = [ + config.services.postgresqlBackup.location + ]; }; } From e0859d5c0eb39e5fb217358b01df7657cea37f85 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Nov 2021 17:13:13 +0100 Subject: [PATCH 22/36] modules: services: postgresql: persist data --- modules/services/postgresql/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/modules/services/postgresql/default.nix b/modules/services/postgresql/default.nix index 6f51f3e..175c1ce 100644 --- a/modules/services/postgresql/default.nix +++ b/modules/services/postgresql/default.nix @@ -18,6 +18,13 @@ in }; }) + # Only persist directory if the actual service is enabled + (lib.mkIf config.services.postgresql.enable { + my.system.persist.directories = [ + config.services.postgresql.dataDir + ]; + }) + # Taken from the manual (lib.mkIf cfg.upgradeScript { containers.temp-pg.config.services.postgresql = { From d56d29ed4a4dd3bf6a04d894eafa5ff59dc0be67 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 14:30:25 +0100 Subject: [PATCH 23/36] modules: services: indexers: persist data --- modules/services/indexers/default.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/modules/services/indexers/default.nix b/modules/services/indexers/default.nix index fb06a0b..28a7007 100644 --- a/modules/services/indexers/default.nix +++ b/modules/services/indexers/default.nix @@ -34,6 +34,10 @@ in port = jackettPort; } ]; + + my.system.persist.directories = [ + config.services.jackett.dataDir + ]; }) (lib.mkIf cfg.nzbhydra.enable { @@ -47,6 +51,10 @@ in port = nzbhydraPort; } ]; + + my.system.persist.directories = [ + config.services.nzbhydra2.dataDir + ]; }) (lib.mkIf cfg.prowlarr.enable { @@ -61,6 +69,10 @@ in } ]; + my.system.persist.directories = [ + "/var/lib/${config.systemd.services.prowlarr.serviceConfig.StateDirectory}" + ]; + services.fail2ban.jails = { prowlarr = '' enabled = true From da5779ba6a66eab5154bfcc5468bdfced6bfe611 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:11:05 +0100 Subject: [PATCH 24/36] modules: services: jellyfin: persist data --- modules/services/jellyfin/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/jellyfin/default.nix b/modules/services/jellyfin/default.nix index 2fcf51e..0692dcc 100644 --- a/modules/services/jellyfin/default.nix +++ b/modules/services/jellyfin/default.nix @@ -35,5 +35,9 @@ in }; } ]; + + my.system.persist.directories = [ + "/var/lib/${config.systemd.services.jellyfin.serviceConfig.StateDirectory}" + ]; }; } From 59248dadf459cd54bbf95f76a81eb6bd2ac51e80 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:11:12 +0100 Subject: [PATCH 25/36] modules: services: lohr: persist data --- modules/services/lohr/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/lohr/default.nix b/modules/services/lohr/default.nix index 245567c..7aac1ac 100644 --- a/modules/services/lohr/default.nix +++ b/modules/services/lohr/default.nix @@ -104,5 +104,9 @@ in inherit (cfg) port; } ]; + + my.system.persist.directories = [ + "/var/lib/${config.systemd.services.lohr.serviceConfig.StateDirectory}" + ]; }; } From e273dacb9658aca33c4bf6574802010ccdb3ca90 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:11:23 +0100 Subject: [PATCH 26/36] modules: services: navidrome: persist data --- modules/services/navidrome/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/navidrome/default.nix b/modules/services/navidrome/default.nix index 6c001fd..08c6a88 100644 --- a/modules/services/navidrome/default.nix +++ b/modules/services/navidrome/default.nix @@ -53,5 +53,9 @@ in inherit (cfg) port; } ]; + + my.system.persist.directories = [ + "/var/lib/${config.systemd.services.navidrome.serviceConfig.StateDirectory}" + ]; }; } From bfbcee8c5daa168faa97a722f6b8cd126a469ffc Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:11:35 +0100 Subject: [PATCH 27/36] modules: services: nextcloud: persist data --- modules/services/nextcloud/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/services/nextcloud/default.nix b/modules/services/nextcloud/default.nix index 1477c13..55972ab 100644 --- a/modules/services/nextcloud/default.nix +++ b/modules/services/nextcloud/default.nix @@ -83,5 +83,10 @@ in "${config.services.nextcloud.home}/data/appdata_*/preview" ]; }; + + my.system.persist.directories = [ + config.services.nextcloud.home + config.services.nextcloud.datadir + ]; }; } From acdd19c76ea343ecba62c9d40a0b303d8899883e Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:20:11 +0100 Subject: [PATCH 28/36] modules: services: podgrab: persist data --- modules/services/podgrab/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/services/podgrab/default.nix b/modules/services/podgrab/default.nix index 9793d60..2994fc8 100644 --- a/modules/services/podgrab/default.nix +++ b/modules/services/podgrab/default.nix @@ -37,5 +37,10 @@ in inherit (cfg) port; } ]; + + my.system.persist.directories = + builtins.map + (d: "/var/lib/${d}") + config.systemd.services.podgrab.serviceConfig.StateDirectory; }; } From 9d40d2bd0fcdbcc48b33cb6b9e40de042deede52 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:21:42 +0100 Subject: [PATCH 29/36] modules: services: rss-bridge: persist data --- modules/services/rss-bridge/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/rss-bridge/default.nix b/modules/services/rss-bridge/default.nix index 85e37c2..66858dc 100644 --- a/modules/services/rss-bridge/default.nix +++ b/modules/services/rss-bridge/default.nix @@ -20,5 +20,9 @@ in forceSSL = true; useACMEHost = config.networking.domain; }; + + my.system.persist.directories = [ + config.services.rss-bridge.dataDir + ]; }; } From 6fcba8d0ee0536e9403db83bfc9bb977b9f246bb Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:25:44 +0100 Subject: [PATCH 30/36] modules: services: sabnzbd: persist data --- modules/services/sabnzbd/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/sabnzbd/default.nix b/modules/services/sabnzbd/default.nix index 7ab145f..ef13d4b 100644 --- a/modules/services/sabnzbd/default.nix +++ b/modules/services/sabnzbd/default.nix @@ -25,6 +25,10 @@ in } ]; + my.system.persist.files = [ + config.services.sabnzbd.configFile + ]; + services.fail2ban.jails = { sabnzbd = '' enabled = true From 4ceb9ab5b217e3b71e2a5d979033a70181c85c8f Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:25:50 +0100 Subject: [PATCH 31/36] modules: services: transmission: persist data --- modules/services/transmission/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/transmission/default.nix b/modules/services/transmission/default.nix index 28df477..37e4f0f 100644 --- a/modules/services/transmission/default.nix +++ b/modules/services/transmission/default.nix @@ -91,5 +91,9 @@ in allowedTCPPorts = [ cfg.peerPort ]; allowedUDPPorts = [ cfg.peerPort ]; }; + + my.system.persist.directories = [ + config.services.transmission.home + ]; }; } From 2570ac273cd9806da269ff00a209c4e3c8a656f6 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:37:51 +0100 Subject: [PATCH 32/36] modules: services: nginx: persist SSL certificates --- modules/services/nginx/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/nginx/default.nix b/modules/services/nginx/default.nix index dcaaa0f..a2f357f 100644 --- a/modules/services/nginx/default.nix +++ b/modules/services/nginx/default.nix @@ -470,5 +470,9 @@ in } ]; }; + + my.system.persist.directories = [ + config.users.user.acme.home + ]; }; } From c3881ff7e77e4e3df6177b7475496296548ea0f4 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:40:29 +0100 Subject: [PATCH 33/36] modules: services: monitoring: persist data --- modules/services/monitoring/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/services/monitoring/default.nix b/modules/services/monitoring/default.nix index 829bfe0..c7489f4 100644 --- a/modules/services/monitoring/default.nix +++ b/modules/services/monitoring/default.nix @@ -131,5 +131,10 @@ in inherit (cfg.grafana) port; } ]; + + my.system.persist.directories = [ + config.services.grafana.dataDir + "/var/lib/${config.services.prometheus.stateDir}" + ]; }; } From 3f2aedc64e451c5e9212c7b68913d68cd9ebe595 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:58:07 +0100 Subject: [PATCH 34/36] modules: services: pirate: persist data --- modules/services/pirate/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/services/pirate/default.nix b/modules/services/pirate/default.nix index 59f9794..cfabc90 100644 --- a/modules/services/pirate/default.nix +++ b/modules/services/pirate/default.nix @@ -18,6 +18,11 @@ let enable = true; group = "media"; }; + + # Thankfully those old style services all define users with homes + my.system.persist.directories = [ + config.users.user.${service}.home + ]; }; mkRedirection = service: { From b0edbd1ecc15bccd13d37c06cca90622bcb1a334 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 21:51:04 +0100 Subject: [PATCH 35/36] modules: services: quassel: persist data --- modules/services/quassel/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/quassel/default.nix b/modules/services/quassel/default.nix index ec686e1..18d084a 100644 --- a/modules/services/quassel/default.nix +++ b/modules/services/quassel/default.nix @@ -46,5 +46,9 @@ in # Because Quassel does not use the socket, I simply trust its connection authentication = "host quassel quassel localhost trust"; }; + + my.system.persist.directories = [ + config.services.quassel.dataDir + ]; }; } From 17a20af6cf59024b41e37773465169587deb5dcd Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 21 Sep 2023 15:55:56 +0000 Subject: [PATCH 36/36] WIP: add notes for missing persistence/backup TODO: * Look at for more inspiration https://github.com/nix-community/impermanence/pull/108 * Do home-manager * Common files https://github.com/nix-community/impermanence/issues/10 --- modules/services/grocy/default.nix | 3 +++ modules/services/miniflux/default.nix | 3 +++ modules/services/tandoor-recipes/default.nix | 3 +++ modules/services/vikunja/default.nix | 2 ++ modules/system/persist/default.nix | 1 + 5 files changed, 12 insertions(+) diff --git a/modules/services/grocy/default.nix b/modules/services/grocy/default.nix index 87927d6..4a3183e 100644 --- a/modules/services/grocy/default.nix +++ b/modules/services/grocy/default.nix @@ -36,5 +36,8 @@ in forceSSL = true; useACMEHost = config.networking.domain; }; + + # FIXME: backup + # FIXME: persistence }; } diff --git a/modules/services/miniflux/default.nix b/modules/services/miniflux/default.nix index 6d9ffc8..4667912 100644 --- a/modules/services/miniflux/default.nix +++ b/modules/services/miniflux/default.nix @@ -49,5 +49,8 @@ in inherit (cfg) port; } ]; + + # FIXME: backup + # FIXME: persistence }; } diff --git a/modules/services/tandoor-recipes/default.nix b/modules/services/tandoor-recipes/default.nix index d78bef3..82350d7 100644 --- a/modules/services/tandoor-recipes/default.nix +++ b/modules/services/tandoor-recipes/default.nix @@ -75,5 +75,8 @@ in inherit (cfg) port; } ]; + + # FIXME: backup + # FIXME: persistence }; } diff --git a/modules/services/vikunja/default.nix b/modules/services/vikunja/default.nix index 1cdef5f..076dd4a 100644 --- a/modules/services/vikunja/default.nix +++ b/modules/services/vikunja/default.nix @@ -119,5 +119,7 @@ in config.services.vikunja.settings.files.basepath ]; }; + + # FIXME: persistence }; } diff --git a/modules/system/persist/default.nix b/modules/system/persist/default.nix index 4c0682c..18302f3 100644 --- a/modules/system/persist/default.nix +++ b/modules/system/persist/default.nix @@ -60,6 +60,7 @@ in ++ (lib.optionals config.virtualisation.docker.enable [ "/var/lib/docker" ]) + # FIXME: podman ++ cfg.directories ; };