treewide: impermanence configuration

This commit is contained in:
2025-08-18 20:19:55 +01:00
parent 2a005aade6
commit 65af220200
32 changed files with 446 additions and 54 deletions


@@ -77,6 +77,9 @@ in
sessionVariables.WINE_BIN = getExe pkgs.wine;
};
environment.persistence."/persist".enable = mkForce true;
environment.persistence."/state".enable = mkForce true;
modules = {
services = {
borgmatic = {


@@ -35,80 +35,59 @@
ashift = "12";
};
rootFsOptions = {
canmount = "off";
mountpoint = "none";
dnodesize = "auto";
compression = "zstd";
acltype = "posix";
atime = "off";
xattr = "sa";
dnodesize = "auto";
mountpoint = "none";
canmount = "off";
devices = "off";
exec = "off";
setuid = "off";
};
postCreateHook = "zfs snapshot rpool@blank";
datasets = {
local = {
"local" = {
type = "zfs_fs";
};
"local/root" = {
type = "zfs_fs";
mountpoint = "/";
options = {
mountpoint = "none";
canmount = "noauto";
mountpoint = "/";
exec = "on";
setuid = "on";
};
postCreateHook = "zfs snapshot rpool/local/root@blank";
};
"local/nix" = {
type = "zfs_fs";
mountpoint = "/nix";
options = {
atime = "off";
mountpoint = "legacy";
canmount = "noauto";
mountpoint = "/nix";
exec = "on";
setuid = "on";
};
};
"local/tmp" = {
"local/state" = {
type = "zfs_fs";
mountpoint = "/tmp";
mountpoint = "/state";
options = {
setuid = "off";
devices = "off";
mountpoint = "legacy";
canmount = "noauto";
mountpoint = "/state";
};
};
system = {
"safe" = {
type = "zfs_fs";
mountpoint = "/";
options = {
mountpoint = "legacy";
};
};
"system/var" = {
"safe/persist" = {
type = "zfs_fs";
mountpoint = "/var";
mountpoint = "/persist";
options = {
mountpoint = "legacy";
};
};
"system/var/tmp" = {
type = "zfs_fs";
mountpoint = "/var/tmp";
options = {
devices = "off";
mountpoint = "legacy";
};
};
"system/var/log" = {
type = "zfs_fs";
mountpoint = "/var/log";
options = {
compression = "on";
acltype = "posix";
mountpoint = "legacy";
};
};
user = {
type = "zfs_fs";
options = {
mountpoint = "none";
};
};
"user/home" = {
type = "zfs_fs";
mountpoint = "/home";
options = {
setuid = "off";
devices = "off";
mountpoint = "legacy";
canmount = "noauto";
mountpoint = "/persist";
};
};
};
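Review bot: Only `local/root` and `local/nix` re-enable `exec = "on"` and `setuid = "on"`, so `local/state` and `safe/persist` inherit `exec = "off"`, `setuid = "off"` and `devices = "off"` from `rootFsOptions`, and every directory bind-mounted from `/persist` or `/state` elsewhere in this commit is therefore noexec. That is a sound hardening default, but it should be recorded at the dataset and checked against services that execute from their state directory (gitea's repository hooks under its `stateDir`, persisted further down, are the obvious candidate); a comment such as `# inherits exec=off/setuid=off/devices=off from rootFsOptions: persisted state is never executable` on `safe/persist` and `local/state` would capture the intent. This rendering has lost the old/new markers, so the inheritance reading assumes the option sets shown with `canmount = "noauto"` are the new side. The `@blank` snapshot of `local/root` only provides impermanence if something rolls back to it at boot; that rollback is not in this hunk, so confirm it lives in the impermanence module.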


@@ -4,12 +4,12 @@
pkgs,
...
}:
{
imports = [
inputs.agenix.nixosModules.age
inputs.home-manager.nixosModules.home-manager
../modules/nixos
../modules/nixos/impermanence.nix
];
nixpkgs = {
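Review bot: The imported `../modules/nixos/impermanence.nix` is not among the hunks shown, so the host-level entries that make an ephemeral root safe cannot be checked here: `/etc/ssh/ssh_host_*_key` must be persisted, both because clients pin the host key and because agenix (imported two lines above) decrypts secrets with the host keys by default, and `/etc/machine-id` should be persisted so journal and systemd state remain attributable across boots. If the module already covers these, a comment beside this import, `# persists /etc/ssh host keys (agenix identity) and /etc/machine-id`, saves the next reader the lookup.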


@@ -36,4 +36,11 @@
modules.services.borgmatic.directories = [
"/var/lib/private/open-webui"
];
environment.persistence."/persist".directories = [
{
directory = "/var/lib/private/open-webui";
mode = "0700";
}
];
}
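Review bot: `/var/lib/private/open-webui` is the location systemd uses for `DynamicUser` state, and systemd creates `/var/lib/private` itself as root-owned 0700; the entry sets 0700 on the leaf, but nothing visible here ensures the parent keeps that mode when impermanence creates it on the tmpfs root. Persisting `/var/lib/private` once at the host level with `mode = "0700"`, or verifying the parent's mode after a fresh boot, closes that gap. Omitting `user`/`group` is correct for a DynamicUser service, since the UID does not exist until the unit starts; the other `/var/lib/private` entry in this commit (photoprism) should follow the same pattern.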


@@ -1,4 +1,5 @@
{
config,
...
}:
@@ -13,4 +14,13 @@
};
};
};
environment.persistence."/persist".directories = [
{
directory = config.services.grafana.dataDir;
user = "grafana";
group = "grafana";
mode = "0700";
}
];
}


@@ -24,6 +24,22 @@
dataDir = "/var/lib/jellyfin";
};
environment.persistence."/state".directories = [
{
directory = config.services.jellyfin.cacheDir;
inherit (config.services.jellyfin) user group;
mode = "0700";
}
];
environment.persistence."/persist".directories = [
{
directory = config.services.jellyfin.dataDir;
inherit (config.services.jellyfin) user group;
mode = "0700";
}
];
modules.services.borgmatic.directories = [
config.services.jellyfin.dataDir
];


@@ -55,4 +55,8 @@
MEILI_URL = "http://localhost:${toString config.services.meilisearch.listenPort}";
};
};
environment.persistence."/state".directories = [
config.systemd.services.jellysearch.serviceConfig.WorkingDirectory
];
}
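Review bot: The jellysearch entry is a bare path, so impermanence creates the directory with its default ownership and mode rather than the account the unit runs as; if jellysearch writes its index into its `WorkingDirectory` as a non-root user, the first write after a fresh boot fails. Match the shape of the other entries, e.g. `{ directory = config.systemd.services.jellysearch.serviceConfig.WorkingDirectory; user = config.systemd.services.jellysearch.serviceConfig.User; mode = "0700"; }`, assuming `serviceConfig.User` is set where the unit is defined outside this hunk.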


@@ -32,4 +32,13 @@
}
];
};
environment.persistence."/state".directories = [
{
directory = "/var/lib/${config.services.prometheus.stateDir}";
user = "prometheus";
group = "prometheus";
mode = "0700";
}
];
}


@@ -85,4 +85,52 @@ in
smtp_destination_concurrency_limit = "20";
header_size_limit = "4096000";
};
environment.persistence."/persist".directories = [
{
directory = "/var/dkim";
user = "rspamd";
group = "rspamd";
mode = "0755";
}
{
directory = "/var/sieve";
user = "virtualMail";
group = "virtualMail";
mode = "0770";
}
{
directory = "/var/vmail";
user = "virtualMail";
group = "virtualMail";
mode = "0700";
}
{
directory = "/var/lib/rspamd";
user = "rspamd";
group = "rspamd";
mode = "0700";
}
{
directory = "/var/lib/redis-rspamd";
user = "redis-rspamd";
group = "redis-rspamd";
mode = "0700";
}
{
directory = "/var/lib/opendkim";
user = 221;
group = 221;
mode = "0700";
}
{
directory = "/var/lib/knot-resolver";
user = "knot-resolver";
group = "knot-resolver";
mode = "0770";
}
"/var/lib/dhparams"
"/var/lib/dovecot"
"/var/lib/postfix"
];
}
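Review bot: `/var/dkim` holds the DKIM signing keys, and `mode = "0755"` makes the directory listable by every local account, leaving the private keys to depend entirely on their own file modes, which impermanence does not manage. Unless another principal must traverse it, `mode = "0750"` with owner `rspamd` is the safer setting — confirm against how the mail module provisions and reads the keys. The `/var/lib/opendkim` entry uses bare numbers, `user = 221; group = 221;`, while every other entry names its account; if that UID belongs to a declared user, reference it by name, otherwise add a comment stating which account 221 is so a later renumbering does not silently hand the directory to someone else. `/var/sieve` and `/var/lib/knot-resolver` at `0770` are group-writable and deserve a one-line comment on why the group bit is required.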


@@ -276,6 +276,15 @@
lovelaceConfigWritable = true;
};
environment.persistence."/persist".directories = [
{
directory = config.services.home-assistant.configDir;
user = "hass";
group = "hass";
mode = "0700";
}
];
modules.services.borgmatic.directories = [
config.services.home-assistant.configDir
];


@@ -69,6 +69,21 @@
};
};
environment.persistence."/persist".directories = [
{
directory = config.services.zigbee2mqtt.dataDir;
user = "zigbee2mqtt";
group = "zigbee2mqtt";
mode = "0700";
}
{
directory = config.services.mosquitto.dataDir;
user = "mosquitto";
group = "mosquitto";
mode = "0700";
}
];
modules.services.borgmatic.directories = [
config.services.mosquitto.dataDir
config.services.zigbee2mqtt.dataDir


@@ -65,6 +65,13 @@ in
];
};
environment.persistence."/state".directories = [
{
directory = "/var/lib/fail2ban";
mode = "0750";
}
];
services.openssh.settings.PermitRootLogin = mkForce "prohibit-password";
modules.services.tailscale = {


@@ -79,6 +79,10 @@
};
};
environment.persistence."/persist".directories = [
"/var/lib/skycam-archiver"
];
modules.services.borgmatic = {
enable = true;
directories = [


@@ -86,4 +86,12 @@ in
packages.CHUNKED_UPLOAD_PATH = lib.mkForce "${stateDir}/data/tmp/package-upload";
};
};
environment.persistence."/persist".directories = [
{
directory = config.services.gitea.stateDir;
inherit (config.services.gitea) user group;
mode = "0700";
}
];
}


@@ -48,6 +48,13 @@ in
};
};
environment.persistence."/persist".directories = [
{
directory = "/var/lib/headscale";
inherit (config.services.headscale) user group;
}
];
services.nginx.virtualHosts = {
"${domain}" = {
forceSSL = true;
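Review bot: The headscale entry sets `user`/`group` but no `mode`, so the directory gets impermanence's default permissions even though it holds headscale's private keys and database; the kanidm entry in this same commit uses `mode = "0700"` for the same kind of data. Add `mode = "0700";` here, and likewise to the `/var/lib/mautrix-signal` and `/var/lib/mautrix-whatsapp` entries in the matrix section, which hold bridge credentials and also omit it. The `services.nginx.virtualHosts` block that follows begins inside this hunk and continues outside it.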


@@ -49,4 +49,13 @@ in
postRun = "systemctl restart kanidm.service";
group = "acme";
};
environment.persistence."/persist".directories = [
{
directory = "/var/lib/kanidm";
user = "kanidm";
group = "kanidm";
mode = "0700";
}
];
}


@@ -216,4 +216,23 @@ in
}
// commonBridgeSettings "mautrix-whatsapp";
};
environment.persistence."/persist".directories = [
{
directory = config.services.matrix-synapse.dataDir;
user = "matrix-synapse";
group = "matrix-synapse";
mode = "0700";
}
{
directory = "/var/lib/mautrix-signal";
user = "mautrix-signal";
group = "mautrix-signal";
}
{
directory = "/var/lib/mautrix-whatsapp";
user = "mautrix-whatsapp";
group = "mautrix-whatsapp";
}
];
}


@@ -32,6 +32,14 @@ in
file = "${inputs.secrets}/passwords/services/photoprism/admin.age";
};
environment.persistence."/persist".directories = [
{
directory = "/var/lib/private/photoprism";
user = "photoprism";
group = "photoprism";
}
];
services.photoprism = {
enable = true;
address = "localhost";
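Review bot: The photoprism entry names `user = "photoprism"` for a directory under `/var/lib/private`, the location systemd uses for `DynamicUser` services; if photoprism runs that way, the `photoprism` account does not exist when impermanence creates the directory at activation, so the ownership setting has nothing to resolve to. The open-webui entry in this commit persists its `/var/lib/private` directory with only `mode = "0700"` and no account, which is the pattern to follow here unless `users.users.photoprism` is declared statically — the `services.photoprism` block that would settle this starts at the end of the hunk and continues outside it.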