From 1398425b91ed383c32a418341a666d5b9039d561 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 19 Oct 2023 10:42:19 +0000 Subject: [PATCH 01/32] hosts: homes: cloudtop: disable gpg-agent It doesn't work well in this environment anyway. --- hosts/homes/ambroisie@mousqueton/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts/homes/ambroisie@mousqueton/default.nix b/hosts/homes/ambroisie@mousqueton/default.nix index 9096610..0bd2272 100644 --- a/hosts/homes/ambroisie@mousqueton/default.nix +++ b/hosts/homes/ambroisie@mousqueton/default.nix @@ -15,6 +15,8 @@ programs.git.package = lib.mkForce pkgs.emptyDirectory; + services.gpg-agent.enable = lib.mkForce false; + # I use scripts that use the passthrough sequence often on this host my.home.tmux.enablePassthrough = true; } From 31fbd7aa4fcad34b969348e806b157b4eb0c3b30 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 28 Sep 2023 15:28:11 +0000 Subject: [PATCH 02/32] modules: services: matrix: refactor vhost --- modules/services/matrix/default.nix | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix index c73afed..9acd8c2 100644 --- a/modules/services/matrix/default.nix +++ b/modules/services/matrix/default.nix @@ -13,6 +13,7 @@ let federationPort = { public = 8448; private = 11338; }; clientPort = { public = 443; private = 11339; }; domain = config.networking.domain; + matrixDomain = "matrix.${domain}"; in { options.my.services.matrix = with lib; { @@ -52,7 +53,7 @@ in settings = { server_name = domain; - public_baseurl = "https://matrix.${domain}"; + public_baseurl = "https://${matrixDomain}"; enable_registration = false; @@ -98,7 +99,7 @@ in conf = { default_server_config = { "m.homeserver" = { - "base_url" = "https://matrix.${domain}"; + "base_url" = "https://${matrixDomain}"; "server_name" = domain; }; "m.identity_server" = { @@ -120,7 +121,7 @@ in # Those are too complicated to use my wrapper... services.nginx.virtualHosts = { - "matrix.${domain}" = { + ${matrixDomain} = { onlySSL = true; useACMEHost = domain; @@ -148,9 +149,9 @@ in }; # same as above, but listening on the federation port - "matrix.${domain}_federation" = { + "${matrixDomain}_federation" = { onlySSL = true; - serverName = "matrix.${domain}"; + serverName = matrixDomain; useACMEHost = domain; locations."/".return = "404"; @@ -171,7 +172,7 @@ in locations."= /.well-known/matrix/server".extraConfig = let - server = { "m.server" = "matrix.${domain}:${toString federationPort.public}"; }; + server = { "m.server" = "${matrixDomain}:${toString federationPort.public}"; }; in '' add_header Content-Type application/json; @@ -181,7 +182,7 @@ in locations."= /.well-known/matrix/client".extraConfig = let client = { - "m.homeserver" = { "base_url" = "https://matrix.${domain}"; }; + "m.homeserver" = { "base_url" = "https://${matrixDomain}"; }; "m.identity_server" = { "base_url" = "https://vector.im"; }; }; # ACAO required to allow element-web on any URL to request this json file From ad976e2097b24b6fe7de3bbabbc512320c93fee1 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 28 Sep 2023 15:53:46 +0000 Subject: [PATCH 03/32] hosts: nixos: porthos: secrets: add matrix sync --- .../nixos/porthos/secrets/matrix/sliding-sync-secret.age | 9 +++++++++ hosts/nixos/porthos/secrets/secrets.nix | 3 +++ 2 files changed, 12 insertions(+) create mode 100644 hosts/nixos/porthos/secrets/matrix/sliding-sync-secret.age diff --git a/hosts/nixos/porthos/secrets/matrix/sliding-sync-secret.age b/hosts/nixos/porthos/secrets/matrix/sliding-sync-secret.age new file mode 100644 index 0000000..d375a35 --- /dev/null +++ b/hosts/nixos/porthos/secrets/matrix/sliding-sync-secret.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 cKojmg N182xey8TWRVUWTRP16rT0zlhYZNr/pOZVR7YRnlIkk +HVqAag55z1cKLgjR3WsUj2wvaVjxm169JcDRJGRvCVU +-> ssh-ed25519 jPowng Dc+aaUTxDsMTY+oOst0SC3ldq1e6zX8F5A5uBL5RHhc +JWZou6+VaFc5f2OLRIrmFFWg3Er6WSY+TloXU0mP1K8 +-> |9_9Aqh%-grease $ X8Mn|5 aKnl' fl Date: Thu, 28 Sep 2023 18:42:13 +0200 Subject: [PATCH 04/32] modules: services: matrix: register dummy vhosts This is simply to make use of my infrastructure for port collision detection. --- modules/services/matrix/default.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix index 9acd8c2..42c5cda 100644 --- a/modules/services/matrix/default.nix +++ b/modules/services/matrix/default.nix @@ -117,6 +117,15 @@ in }; }; } + # Dummy VHosts for port collision detection + { + subdomain = "matrix-federation"; + port = federationPort.private; + } + { + subdomain = "matrix-client"; + port = clientPort.private; + } ]; # Those are too complicated to use my wrapper... From 08212e49cd372578342a2252ae7f2cd5bbfbf137 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 28 Sep 2023 15:53:46 +0000 Subject: [PATCH 05/32] modules: services: matrix: add sliding sync --- hosts/nixos/porthos/services.nix | 3 +++ modules/services/matrix/default.nix | 40 +++++++++++++++++++++++++++++ 2 files changed, 43 insertions(+) diff --git a/hosts/nixos/porthos/services.nix b/hosts/nixos/porthos/services.nix index 8487157..d73cdc1 100644 --- a/hosts/nixos/porthos/services.nix +++ b/hosts/nixos/porthos/services.nix @@ -64,6 +64,9 @@ in mailConfigFile = secrets."matrix/mail".path; # Only necessary when doing the initial registration secretFile = secrets."matrix/secret".path; + slidingSync = { + secretFile = secrets."matrix/sliding-sync-secret".path; + }; }; miniflux = { enable = true; diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix index 42c5cda..52b60c5 100644 --- a/modules/services/matrix/default.nix +++ b/modules/services/matrix/default.nix @@ -26,6 +26,21 @@ in description = "Shared secret to register users"; }; + slidingSync = { + port = mkOption { + type = types.port; + default = 8009; + example = 8084; + description = "Port used by sliding sync server"; + }; + + secretFile = mkOption { + type = types.str; + example = "/var/lib/matrix/sliding-sync-secret-file.env"; + description = "Secret file which contains SYNCV3_SECRET definition"; + }; + }; + mailConfigFile = mkOption { type = types.str; example = "/var/lib/matrix/email-config.yaml"; @@ -89,6 +104,17 @@ in extraConfigFiles = [ cfg.mailConfigFile ] ++ lib.optional (cfg.secretFile != null) cfg.secretFile; + + sliding-sync = { + enable = true; + + settings = { + SYNCV3_SERVER = "https://${matrixDomain}"; + SYNCV3_BINDADDR = "127.0.0.1:${toString cfg.slidingSync.port}"; + }; + + environmentFile = cfg.slidingSync.secretFile; + }; }; my.services.nginx.virtualHosts = [ @@ -105,6 +131,9 @@ in "m.identity_server" = { "base_url" = "https://vector.im"; }; + "org.matrix.msc3575.proxy" = { + "url" = "https://matrix-sync.${domain}"; + }; }; showLabsSettings = true; defaultCountryCode = "FR"; # cocorico @@ -126,6 +155,11 @@ in subdomain = "matrix-client"; port = clientPort.private; } + # Sliding sync + { + subdomain = "matrix-sync"; + inherit (cfg.slidingSync) port; + } ]; # Those are too complicated to use my wrapper... @@ -148,6 +182,11 @@ in "/_matrix" = proxyToClientPort; "/_synapse/client" = proxyToClientPort; + + # Sliding sync + "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = { + proxyPass = "http://${config.services.matrix-synapse.sliding-sync.settings.SYNCV3_BINDADDR}"; + }; }; listen = [ @@ -193,6 +232,7 @@ in client = { "m.homeserver" = { "base_url" = "https://${matrixDomain}"; }; "m.identity_server" = { "base_url" = "https://vector.im"; }; + "org.matrix.msc3575.proxy" = { "url" = "https://matrix-sync.${domain}"; }; }; # ACAO required to allow element-web on any URL to request this json file in From 270f9f02a255532890fd31d7c43b9e68376cc9dd Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 22 Oct 2021 13:45:36 +0200 Subject: [PATCH 06/32] flake: add 'impermanence' --- flake.lock | 17 +++++++++++++++++ flake.nix | 7 +++++++ 2 files changed, 24 insertions(+) diff --git a/flake.lock b/flake.lock index 6e070fc..cd8218c 100644 --- a/flake.lock +++ b/flake.lock @@ -145,6 +145,22 @@ "type": "github" } }, + "impermanence": { + "locked": { + "lastModified": 1694622745, + "narHash": "sha256-z397+eDhKx9c2qNafL1xv75lC0Q4nOaFlhaU1TINqb8=", + "owner": "nix-community", + "repo": "impermanence", + "rev": "e9643d08d0d193a2e074a19d4d90c67a874d932e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "impermanence", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1695644571, @@ -212,6 +228,7 @@ "flake-parts": "flake-parts", "futils": "futils", "home-manager": "home-manager", + "impermanence": "impermanence", "nixpkgs": "nixpkgs", "nur": "nur", "pre-commit-hooks": "pre-commit-hooks" diff --git a/flake.nix b/flake.nix index 8e46ea3..7970759 100644 --- a/flake.nix +++ b/flake.nix @@ -39,6 +39,13 @@ }; }; + impermanence = { + type = "github"; + owner = "nix-community"; + repo = "impermanence"; + ref = "master"; + }; + nixpkgs = { type = "github"; owner = "NixOS"; From ab5ebae2cb6096cf184f56b630089d63a0ae90a7 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 22 Oct 2021 13:52:04 +0200 Subject: [PATCH 07/32] WIP: modules: systems: add persist This is the module that takes care of configuring impermanence at the system level. WIP: * address FIXMEs * activate home-manager persistence? * set `programs.fuse.userAllowOther = true;` ? * point `age` to persisted paths [1] ? * make sure all services and modules are persisted correctly... [1]: https://github.com/lovesegfault/nix-config/commit/b1d18d25b8cc1e50c521020442b907de377a147d --- modules/system/default.nix | 1 + modules/system/persist/default.nix | 67 ++++++++++++++++++++++++++++++ 2 files changed, 68 insertions(+) create mode 100644 modules/system/persist/default.nix diff --git a/modules/system/default.nix b/modules/system/default.nix index 9fe3b57..b3d9385 100644 --- a/modules/system/default.nix +++ b/modules/system/default.nix @@ -9,6 +9,7 @@ ./language ./nix ./packages + ./persist ./podman ./users ]; diff --git a/modules/system/persist/default.nix b/modules/system/persist/default.nix new file mode 100644 index 0000000..4c0682c --- /dev/null +++ b/modules/system/persist/default.nix @@ -0,0 +1,67 @@ +# Ephemeral root configuration +{ config, inputs, lib, ... }: +let + cfg = config.my.system.persist; +in +{ + imports = [ + inputs.impermanence.nixosModules.impermanence + ]; + + options.my.system.persist = with lib; { + enable = mkEnableOption "stateless system configuration"; + + mountPoint = lib.mkOption { + type = types.str; + default = "/persistent"; + example = "/etc/nix/persist"; + description = '' + Which mount point should be used to persist this system's files and + directories. + ''; + }; + + files = lib.mkOption { + type = with types; listOf str; + default = [ ]; + example = [ + "/etc/nix/id_rsa" + ]; + description = '' + Additional files in the root to link to persistent storage. + ''; + }; + + directories = lib.mkOption { + type = with types; listOf str; + default = [ ]; + example = [ + "/var/lib/libvirt" + ]; + description = '' + Additional directories in the root to link to persistent storage. + ''; + }; + }; + + config = lib.mkIf cfg.enable { + environment.persistence."${cfg.mountPoint}" = { + files = [ + "/etc/machine-id" + ] + ++ cfg.files + ; + + directories = [ + "/etc/nixos" + "/var/log" + "/var/lib/systemd/coredump" + ] + ++ (lib.optionals config.virtualisation.docker.enable [ + "/var/lib/docker" + ]) + ++ cfg.directories + ; + }; + }; +} From 5125ca329e41a22b5ee7bafbe09163178d8dfd06 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 22 Oct 2021 14:05:42 +0200 Subject: [PATCH 08/32] modules: services: ssh-server: persist host keys --- modules/services/ssh-server/default.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/modules/services/ssh-server/default.nix b/modules/services/ssh-server/default.nix index 9ae0fa8..0cabc6f 100644 --- a/modules/services/ssh-server/default.nix +++ b/modules/services/ssh-server/default.nix @@ -20,6 +20,14 @@ in }; }; + # Persist SSH keys + my.system.persist.files = [ + "/etc/ssh/ssh_host_ed25519_key" + "/etc/ssh/ssh_host_ed25519_key.pub" + "/etc/ssh/ssh_host_rsa_key" + "/etc/ssh/ssh_host_rsa_key.pub" + ]; + # Opens the relevant UDP ports. programs.mosh.enable = true; }; From 86b42568ed0f6594b7f0ca6ba93e5600765cdbd1 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 22 Oct 2021 14:06:03 +0200 Subject: [PATCH 09/32] modules: hardware: netowrking persist connections --- modules/hardware/networking/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/hardware/networking/default.nix b/modules/hardware/networking/default.nix index f0806fe..51dcfce 100644 --- a/modules/hardware/networking/default.nix +++ b/modules/hardware/networking/default.nix @@ -22,6 +22,11 @@ in config = lib.mkMerge [ (lib.mkIf cfg.wireless.enable { networking.networkmanager.enable = true; + + # Persist NetworkManager files + my.system.persist.directories = [ + "/etc/NetworkManager/system-connections" + ]; }) ]; } From e86ab34a627b1d24567fe3d94a0bbd37e6a5b2e2 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 22 Oct 2021 14:06:26 +0200 Subject: [PATCH 10/32] modules: hardware: bluetooth: persist connections --- modules/hardware/bluetooth/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/modules/hardware/bluetooth/default.nix b/modules/hardware/bluetooth/default.nix index 2d840f9..3dd44e6 100644 --- a/modules/hardware/bluetooth/default.nix +++ b/modules/hardware/bluetooth/default.nix @@ -18,6 +18,13 @@ in services.blueman.enable = true; } + # Persist bluetooth files + { + my.system.persist.directories = [ + "/var/lib/bluetooth" + ]; + } + # Support for additional bluetooth codecs (lib.mkIf cfg.loadExtraCodecs { hardware.pulseaudio = { From ea5f9d181fef65741a20342db8d5f55d46c8e1c2 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 22 Oct 2021 14:19:57 +0200 Subject: [PATCH 11/32] modules: services: blog: persist website data --- modules/services/blog/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/modules/services/blog/default.nix b/modules/services/blog/default.nix index 4b646c3..6752ac2 100644 --- a/modules/services/blog/default.nix +++ b/modules/services/blog/default.nix @@ -42,5 +42,12 @@ in # Those are all subdomains, no problem my.services.nginx.virtualHosts = hostsInfo; + + my.system.persist.directories = [ + "/var/www/blog" + "/var/www/cv" + "/var/www/dev" + "/var/www/key" + ]; }; } From a3b4b3072a295681f48c984ab8bd8d118d31e1b0 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Nov 2021 14:43:05 +0100 Subject: [PATCH 12/32] modules: services: calibre-web: persist library --- modules/services/calibre-web/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/services/calibre-web/default.nix b/modules/services/calibre-web/default.nix index 858851c..b6e70d8 100644 --- a/modules/services/calibre-web/default.nix +++ b/modules/services/calibre-web/default.nix @@ -54,6 +54,11 @@ in ]; }; + my.system.persist.directories = [ + "/var/lib/${config.services.calibre-web.dataDir}" + cfg.libraryPath + ]; + services.fail2ban.jails = { calibre-web = '' enabled = true From 53af6d3fa64b772f95f910f54cbf62d17b593048 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Nov 2021 14:43:16 +0100 Subject: [PATCH 13/32] modules: services: flood: persist data --- modules/services/flood/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/flood/default.nix b/modules/services/flood/default.nix index ff5d941..79b6c75 100644 --- a/modules/services/flood/default.nix +++ b/modules/services/flood/default.nix @@ -46,5 +46,9 @@ in inherit (cfg) port; } ]; + + my.system.persist.directories = [ + "/var/lib/${cfg.stateDir}" + ]; }; } From 604d594deca0ac2d445de75df4c15926adee5de3 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Nov 2021 14:43:28 +0100 Subject: [PATCH 14/32] modules: services: gitea: persist repositories --- modules/services/gitea/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/services/gitea/default.nix b/modules/services/gitea/default.nix index 28a448d..93edf57 100644 --- a/modules/services/gitea/default.nix +++ b/modules/services/gitea/default.nix @@ -135,6 +135,11 @@ in ]; }; + my.system.persist.directories = [ + config.services.gitea.lfs.contentDir + config.services.gitea.repositoryRoot + ]; + services.fail2ban.jails = { gitea = '' enabled = true From 4fcc69f34ea5c5230ef76de53d07d32706b8d407 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Nov 2021 17:12:32 +0100 Subject: [PATCH 15/32] modules: services: matrix: persist data --- modules/services/matrix/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix index 52b60c5..87494c9 100644 --- a/modules/services/matrix/default.nix +++ b/modules/services/matrix/default.nix @@ -257,5 +257,9 @@ in config.services.matrix-synapse.dataDir ]; }; + + my.system.persist.directories = [ + config.services.matrix-synapse.dataDir + ]; }; } From 706fad7e7f917a2755cba3bc1fe45114f881b4fe Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Nov 2021 17:12:42 +0100 Subject: [PATCH 16/32] modules: services: paperless: persist data --- modules/services/paperless/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/services/paperless/default.nix b/modules/services/paperless/default.nix index 1ca1f66..702627d 100644 --- a/modules/services/paperless/default.nix +++ b/modules/services/paperless/default.nix @@ -164,5 +164,10 @@ in config.services.paperless.mediaDir ]; }; + + my.system.persist.directories = [ + config.services.paperless-ng.dataDir + config.services.paperless-ng.mediaDir + ]; }; } From 72baa4e84fddbbfca73d0e4ec26922e47cf807c5 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Nov 2021 17:12:58 +0100 Subject: [PATCH 17/32] modules: services: postgresql-backup: persist data --- modules/services/postgresql-backup/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/postgresql-backup/default.nix b/modules/services/postgresql-backup/default.nix index dff5494..3d6c03b 100644 --- a/modules/services/postgresql-backup/default.nix +++ b/modules/services/postgresql-backup/default.nix @@ -24,5 +24,9 @@ in (config.services.postgresqlBackup.location + "/*.prev.sql.gz") ]; }; + + my.system.persist.directories = [ + config.services.postgresqlBackup.location + ]; }; } From 3e28075906a916e2962203e05354bdc3a508154f Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Nov 2021 17:13:13 +0100 Subject: [PATCH 18/32] modules: services: postgresql: persist data --- modules/services/postgresql/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/modules/services/postgresql/default.nix b/modules/services/postgresql/default.nix index 6f51f3e..175c1ce 100644 --- a/modules/services/postgresql/default.nix +++ b/modules/services/postgresql/default.nix @@ -18,6 +18,13 @@ in }; }) + # Only persist directory if the actual service is enabled + (lib.mkIf config.services.postgresql.enable { + my.system.persist.directories = [ + config.services.postgresql.dataDir + ]; + }) + # Taken from the manual (lib.mkIf cfg.upgradeScript { containers.temp-pg.config.services.postgresql = { From 843c4a80971d556e0e28a17497663dc7786c0679 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 14:30:25 +0100 Subject: [PATCH 19/32] modules: services: indexers: persist data --- modules/services/indexers/default.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/modules/services/indexers/default.nix b/modules/services/indexers/default.nix index fb06a0b..28a7007 100644 --- a/modules/services/indexers/default.nix +++ b/modules/services/indexers/default.nix @@ -34,6 +34,10 @@ in port = jackettPort; } ]; + + my.system.persist.directories = [ + config.services.jackett.dataDir + ]; }) (lib.mkIf cfg.nzbhydra.enable { @@ -47,6 +51,10 @@ in port = nzbhydraPort; } ]; + + my.system.persist.directories = [ + config.services.nzbhydra2.dataDir + ]; }) (lib.mkIf cfg.prowlarr.enable { @@ -61,6 +69,10 @@ in } ]; + my.system.persist.directories = [ + "/var/lib/${config.systemd.services.prowlarr.serviceConfig.StateDirectory}" + ]; + services.fail2ban.jails = { prowlarr = '' enabled = true From 993bdbd3e7b3910204c00a8e3648c2a47cc100aa Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:11:05 +0100 Subject: [PATCH 20/32] modules: services: jellyfin: persist data --- modules/services/jellyfin/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/jellyfin/default.nix b/modules/services/jellyfin/default.nix index 2fcf51e..0692dcc 100644 --- a/modules/services/jellyfin/default.nix +++ b/modules/services/jellyfin/default.nix @@ -35,5 +35,9 @@ in }; } ]; + + my.system.persist.directories = [ + "/var/lib/${config.systemd.services.jellyfin.serviceConfig.StateDirectory}" + ]; }; } From 775ac426494c9629b0d374966d018a5a74d100b1 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:11:12 +0100 Subject: [PATCH 21/32] modules: services: lohr: persist data --- modules/services/lohr/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/lohr/default.nix b/modules/services/lohr/default.nix index 245567c..7aac1ac 100644 --- a/modules/services/lohr/default.nix +++ b/modules/services/lohr/default.nix @@ -104,5 +104,9 @@ in inherit (cfg) port; } ]; + + my.system.persist.directories = [ + "/var/lib/${config.systemd.services.lohr.serviceConfig.StateDirectory}" + ]; }; } From b0622f56960d395400672d6fdd83e7b66503b619 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:11:23 +0100 Subject: [PATCH 22/32] modules: services: navidrome: persist data --- modules/services/navidrome/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/navidrome/default.nix b/modules/services/navidrome/default.nix index 6c001fd..08c6a88 100644 --- a/modules/services/navidrome/default.nix +++ b/modules/services/navidrome/default.nix @@ -53,5 +53,9 @@ in inherit (cfg) port; } ]; + + my.system.persist.directories = [ + "/var/lib/${config.systemd.services.navidrome.serviceConfig.StateDirectory}" + ]; }; } From 3328cf62d948f1c2b0d2180eb2f27e38c30ecba8 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:11:35 +0100 Subject: [PATCH 23/32] modules: services: nextcloud: persist data --- modules/services/nextcloud/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/services/nextcloud/default.nix b/modules/services/nextcloud/default.nix index 1477c13..55972ab 100644 --- a/modules/services/nextcloud/default.nix +++ b/modules/services/nextcloud/default.nix @@ -83,5 +83,10 @@ in "${config.services.nextcloud.home}/data/appdata_*/preview" ]; }; + + my.system.persist.directories = [ + config.services.nextcloud.home + config.services.nextcloud.datadir + ]; }; } From 1d23a6caa85d5c3bbca39d7fe7f3a5830dfa1c0d Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:20:11 +0100 Subject: [PATCH 24/32] modules: services: podgrab: persist data --- modules/services/podgrab/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/services/podgrab/default.nix b/modules/services/podgrab/default.nix index 9793d60..2994fc8 100644 --- a/modules/services/podgrab/default.nix +++ b/modules/services/podgrab/default.nix @@ -37,5 +37,10 @@ in inherit (cfg) port; } ]; + + my.system.persist.directories = + builtins.map + (d: "/var/lib/${d}") + config.systemd.services.podgrab.serviceConfig.StateDirectory; }; } From 30a632a261d2728003edd5af7f9e171fef9d78a0 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:21:42 +0100 Subject: [PATCH 25/32] modules: services: rss-bridge: persist data --- modules/services/rss-bridge/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/rss-bridge/default.nix b/modules/services/rss-bridge/default.nix index 85e37c2..66858dc 100644 --- a/modules/services/rss-bridge/default.nix +++ b/modules/services/rss-bridge/default.nix @@ -20,5 +20,9 @@ in forceSSL = true; useACMEHost = config.networking.domain; }; + + my.system.persist.directories = [ + config.services.rss-bridge.dataDir + ]; }; } From dbd33f7d62ce0c20304de560146632afc14a5997 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:25:44 +0100 Subject: [PATCH 26/32] modules: services: sabnzbd: persist data --- modules/services/sabnzbd/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/sabnzbd/default.nix b/modules/services/sabnzbd/default.nix index 7ab145f..ef13d4b 100644 --- a/modules/services/sabnzbd/default.nix +++ b/modules/services/sabnzbd/default.nix @@ -25,6 +25,10 @@ in } ]; + my.system.persist.files = [ + config.services.sabnzbd.configFile + ]; + services.fail2ban.jails = { sabnzbd = '' enabled = true From b48048aa5f92a2f2375705ea72df1086131992f2 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:25:50 +0100 Subject: [PATCH 27/32] modules: services: transmission: persist data --- modules/services/transmission/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/transmission/default.nix b/modules/services/transmission/default.nix index 28df477..37e4f0f 100644 --- a/modules/services/transmission/default.nix +++ b/modules/services/transmission/default.nix @@ -91,5 +91,9 @@ in allowedTCPPorts = [ cfg.peerPort ]; allowedUDPPorts = [ cfg.peerPort ]; }; + + my.system.persist.directories = [ + config.services.transmission.home + ]; }; } From 9ebabb251b25f40b7b8a8ae81ec274130da88daf Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:37:51 +0100 Subject: [PATCH 28/32] modules: services: nginx: persist SSL certificates --- modules/services/nginx/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/nginx/default.nix b/modules/services/nginx/default.nix index dcaaa0f..a2f357f 100644 --- a/modules/services/nginx/default.nix +++ b/modules/services/nginx/default.nix @@ -470,5 +470,9 @@ in } ]; }; + + my.system.persist.directories = [ + config.users.user.acme.home + ]; }; } From b83c917a9e7b4e6e3b39cc2a3fb1b3da0207997d Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:40:29 +0100 Subject: [PATCH 29/32] modules: services: monitoring: persist data --- modules/services/monitoring/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/services/monitoring/default.nix b/modules/services/monitoring/default.nix index 829bfe0..c7489f4 100644 --- a/modules/services/monitoring/default.nix +++ b/modules/services/monitoring/default.nix @@ -131,5 +131,10 @@ in inherit (cfg.grafana) port; } ]; + + my.system.persist.directories = [ + config.services.grafana.dataDir + "/var/lib/${config.services.prometheus.stateDir}" + ]; }; } From 7c7eadbf4540d6fb229bf94eea1cb7a8f26c2c3e Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 15:58:07 +0100 Subject: [PATCH 30/32] modules: services: pirate: persist data --- modules/services/pirate/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/services/pirate/default.nix b/modules/services/pirate/default.nix index 59f9794..cfabc90 100644 --- a/modules/services/pirate/default.nix +++ b/modules/services/pirate/default.nix @@ -18,6 +18,11 @@ let enable = true; group = "media"; }; + + # Thankfully those old style services all define users with homes + my.system.persist.directories = [ + config.users.user.${service}.home + ]; }; mkRedirection = service: { From 4b6d332e9b83bc73882fbb992c4813a88f6571d0 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Nov 2021 21:51:04 +0100 Subject: [PATCH 31/32] modules: services: quassel: persist data --- modules/services/quassel/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/services/quassel/default.nix b/modules/services/quassel/default.nix index ec686e1..18d084a 100644 --- a/modules/services/quassel/default.nix +++ b/modules/services/quassel/default.nix @@ -46,5 +46,9 @@ in # Because Quassel does not use the socket, I simply trust its connection authentication = "host quassel quassel localhost trust"; }; + + my.system.persist.directories = [ + config.services.quassel.dataDir + ]; }; } From 534cda6d916f977d9bbd580b85875dc01ec98f56 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 21 Sep 2023 15:55:56 +0000 Subject: [PATCH 32/32] WIP: add notes for missing persistence/backup TODO: * Look at for more inspiration https://github.com/nix-community/impermanence/pull/108 * Do home-manager * Common files https://github.com/nix-community/impermanence/issues/10 --- modules/services/grocy/default.nix | 3 +++ modules/services/miniflux/default.nix | 3 +++ modules/services/tandoor-recipes/default.nix | 3 +++ modules/services/vikunja/default.nix | 2 ++ modules/system/persist/default.nix | 1 + 5 files changed, 12 insertions(+) diff --git a/modules/services/grocy/default.nix b/modules/services/grocy/default.nix index 87927d6..4a3183e 100644 --- a/modules/services/grocy/default.nix +++ b/modules/services/grocy/default.nix @@ -36,5 +36,8 @@ in forceSSL = true; useACMEHost = config.networking.domain; }; + + # FIXME: backup + # FIXME: persistence }; } diff --git a/modules/services/miniflux/default.nix b/modules/services/miniflux/default.nix index 6d9ffc8..4667912 100644 --- a/modules/services/miniflux/default.nix +++ b/modules/services/miniflux/default.nix @@ -49,5 +49,8 @@ in inherit (cfg) port; } ]; + + # FIXME: backup + # FIXME: persistence }; } diff --git a/modules/services/tandoor-recipes/default.nix b/modules/services/tandoor-recipes/default.nix index d78bef3..82350d7 100644 --- a/modules/services/tandoor-recipes/default.nix +++ b/modules/services/tandoor-recipes/default.nix @@ -75,5 +75,8 @@ in inherit (cfg) port; } ]; + + # FIXME: backup + # FIXME: persistence }; } diff --git a/modules/services/vikunja/default.nix b/modules/services/vikunja/default.nix index 1cdef5f..076dd4a 100644 --- a/modules/services/vikunja/default.nix +++ b/modules/services/vikunja/default.nix @@ -119,5 +119,7 @@ in config.services.vikunja.settings.files.basepath ]; }; + + # FIXME: persistence }; } diff --git a/modules/system/persist/default.nix b/modules/system/persist/default.nix index 4c0682c..18302f3 100644 --- a/modules/system/persist/default.nix +++ b/modules/system/persist/default.nix @@ -60,6 +60,7 @@ in ++ (lib.optionals config.virtualisation.docker.enable [ "/var/lib/docker" ]) + # FIXME: podman ++ cfg.directories ; };