treewide: impermanence configuration
@@ -77,6 +77,9 @@ in
|
||||
sessionVariables.WINE_BIN = getExe pkgs.wine;
|
||||
};
|
||||
|
||||
environment.persistence."/persist".enable = mkForce true;
|
||||
environment.persistence."/state".enable = mkForce true;
|
||||
|
||||
modules = {
|
||||
services = {
|
||||
borgmatic = {
|
||||
|
@@ -35,80 +35,59 @@
|
||||
ashift = "12";
|
||||
};
|
||||
rootFsOptions = {
|
||||
canmount = "off";
|
||||
mountpoint = "none";
|
||||
dnodesize = "auto";
|
||||
compression = "zstd";
|
||||
acltype = "posix";
|
||||
atime = "off";
|
||||
xattr = "sa";
|
||||
dnodesize = "auto";
|
||||
mountpoint = "none";
|
||||
canmount = "off";
|
||||
devices = "off";
|
||||
exec = "off";
|
||||
setuid = "off";
|
||||
};
|
||||
postCreateHook = "zfs snapshot rpool@blank";
|
||||
datasets = {
|
||||
local = {
|
||||
"local" = {
|
||||
type = "zfs_fs";
|
||||
};
|
||||
"local/root" = {
|
||||
type = "zfs_fs";
|
||||
mountpoint = "/";
|
||||
options = {
|
||||
mountpoint = "none";
|
||||
canmount = "noauto";
|
||||
mountpoint = "/";
|
||||
exec = "on";
|
||||
setuid = "on";
|
||||
};
|
||||
postCreateHook = "zfs snapshot rpool/local/root@blank";
|
||||
};
|
||||
"local/nix" = {
|
||||
type = "zfs_fs";
|
||||
mountpoint = "/nix";
|
||||
options = {
|
||||
atime = "off";
|
||||
mountpoint = "legacy";
|
||||
canmount = "noauto";
|
||||
mountpoint = "/nix";
|
||||
exec = "on";
|
||||
setuid = "on";
|
||||
};
|
||||
};
|
||||
"local/tmp" = {
|
||||
"local/state" = {
|
||||
type = "zfs_fs";
|
||||
mountpoint = "/tmp";
|
||||
mountpoint = "/state";
|
||||
options = {
|
||||
setuid = "off";
|
||||
devices = "off";
|
||||
mountpoint = "legacy";
|
||||
canmount = "noauto";
|
||||
mountpoint = "/state";
|
||||
};
|
||||
};
|
||||
system = {
|
||||
"safe" = {
|
||||
type = "zfs_fs";
|
||||
mountpoint = "/";
|
||||
options = {
|
||||
mountpoint = "legacy";
|
||||
};
|
||||
};
|
||||
"system/var" = {
|
||||
"safe/persist" = {
|
||||
type = "zfs_fs";
|
||||
mountpoint = "/var";
|
||||
mountpoint = "/persist";
|
||||
options = {
|
||||
mountpoint = "legacy";
|
||||
};
|
||||
};
|
||||
"system/var/tmp" = {
|
||||
type = "zfs_fs";
|
||||
mountpoint = "/var/tmp";
|
||||
options = {
|
||||
devices = "off";
|
||||
mountpoint = "legacy";
|
||||
};
|
||||
};
|
||||
"system/var/log" = {
|
||||
type = "zfs_fs";
|
||||
mountpoint = "/var/log";
|
||||
options = {
|
||||
compression = "on";
|
||||
acltype = "posix";
|
||||
mountpoint = "legacy";
|
||||
};
|
||||
};
|
||||
user = {
|
||||
type = "zfs_fs";
|
||||
options = {
|
||||
mountpoint = "none";
|
||||
};
|
||||
};
|
||||
"user/home" = {
|
||||
type = "zfs_fs";
|
||||
mountpoint = "/home";
|
||||
options = {
|
||||
setuid = "off";
|
||||
devices = "off";
|
||||
mountpoint = "legacy";
|
||||
canmount = "noauto";
|
||||
mountpoint = "/persist";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
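Review bot: In the `user/home` dataset the ZFS `mountpoint` option is set to `"/persist"` while the dataset itself is declared with `mountpoint = "/home"`; if the old-then-new print order holds, this replaced `mountpoint = "legacy"` and looks like a copy of the `safe/persist` entry, so it should read `mountpoint = "/home";`, matching how `local/state` pairs `canmount = "noauto"` with `mountpoint = "/state"`. The same rewrite appears to drop `setuid = "off"` and `devices = "off"` from `user/home` and `local/state`, which is only safe because `rootFsOptions` now sets `devices`, `exec` and `setuid` to `off` for inheritance — a one-line comment on `rootFsOptions` saying child datasets rely on that would prevent someone from loosening it later. Removing `local/tmp` also means `/tmp` now lives on `local/root`, where `exec` and `setuid` are re-enabled; if a noexec `/tmp` was intended, keep a dedicated dataset or a tmpfs. The enclosing disko configuration starts before and ends after this hunk.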
@@ -4,12 +4,12 @@
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
|
||||
{
|
||||
imports = [
|
||||
inputs.agenix.nixosModules.age
|
||||
inputs.home-manager.nixosModules.home-manager
|
||||
../modules/nixos
|
||||
../modules/nixos/impermanence.nix
|
||||
];
|
||||
|
||||
nixpkgs = {
|
||||
|
@@ -36,4 +36,11 @@
|
||||
modules.services.borgmatic.directories = [
|
||||
"/var/lib/private/open-webui"
|
||||
];
|
||||
|
||||
environment.persistence."/persist".directories = [
|
||||
{
|
||||
directory = "/var/lib/private/open-webui";
|
||||
mode = "0700";
|
||||
}
|
||||
];
|
||||
}
|
||||
|
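Review bot: `/var/lib/private/open-webui` is persisted with `mode = "0700"` but no `user`/`group`, so the bind-mounted directory is root-owned; for a `DynamicUser` service that is probably fine since systemd re-owns its state directory on start, but as far as I know systemd also requires the parent `/var/lib/private` to be root-owned and `0700`, and impermanence creates missing parents on the persistent volume with its default mode unless they are listed — worth confirming on the host after the first reboot. If that check fails, persist the parent explicitly: `{ directory = "/var/lib/private"; mode = "0700"; }`. The photoprism hunk persists `/var/lib/private/photoprism` with an explicit `user`/`group` instead, so the two `DynamicUser` entries should follow one convention.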
@@ -1,4 +1,5 @@
|
||||
{
|
||||
config,
|
||||
...
|
||||
}:
|
||||
|
||||
@@ -13,4 +14,13 @@
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
environment.persistence."/persist".directories = [
|
||||
{
|
||||
directory = config.services.grafana.dataDir;
|
||||
user = "grafana";
|
||||
group = "grafana";
|
||||
mode = "0700";
|
||||
}
|
||||
];
|
||||
}
|
||||
|
@@ -24,6 +24,22 @@
|
||||
dataDir = "/var/lib/jellyfin";
|
||||
};
|
||||
|
||||
environment.persistence."/state".directories = [
|
||||
{
|
||||
directory = config.services.jellyfin.cacheDir;
|
||||
inherit (config.services.jellyfin) user group;
|
||||
mode = "0700";
|
||||
}
|
||||
];
|
||||
|
||||
environment.persistence."/persist".directories = [
|
||||
{
|
||||
directory = config.services.jellyfin.dataDir;
|
||||
inherit (config.services.jellyfin) user group;
|
||||
mode = "0700";
|
||||
}
|
||||
];
|
||||
|
||||
modules.services.borgmatic.directories = [
|
||||
config.services.jellyfin.dataDir
|
||||
];
|
||||
|
@@ -55,4 +55,8 @@
|
||||
MEILI_URL = "http://localhost:${toString config.services.meilisearch.listenPort}";
|
||||
};
|
||||
};
|
||||
|
||||
environment.persistence."/state".directories = [
|
||||
config.systemd.services.jellysearch.serviceConfig.WorkingDirectory
|
||||
];
|
||||
}
|
||||
|
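Review bot: The jellysearch `WorkingDirectory` is persisted as a bare path, so impermanence applies its default (root) ownership and mode to the bind-mounted directory; if `jellysearch` runs as an unprivileged user, the persisted directory will not be writable by it after the first reboot. Use the attribute-set form with the unit's user, group and a restrictive mode, as the jellyfin and prometheus hunks do: `{ directory = config.systemd.services.jellysearch.serviceConfig.WorkingDirectory; user = "<jellysearch-user>"; group = "<jellysearch-group>"; mode = "0700"; }` (placeholder names — take them from the unit's `serviceConfig`). The same bare-path form is used for `/var/lib/skycam-archiver` and for `/var/lib/dhparams`, `/var/lib/dovecot` and `/var/lib/postfix` in the mail hunk; those are fine only if their services run as root or reset ownership themselves, which this commit does not show.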
@@ -32,4 +32,13 @@
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
environment.persistence."/state".directories = [
|
||||
{
|
||||
directory = "/var/lib/${config.services.prometheus.stateDir}";
|
||||
user = "prometheus";
|
||||
group = "prometheus";
|
||||
mode = "0700";
|
||||
}
|
||||
];
|
||||
}
|
||||
|
@@ -85,4 +85,52 @@ in
|
||||
smtp_destination_concurrency_limit = "20";
|
||||
header_size_limit = "4096000";
|
||||
};
|
||||
|
||||
environment.persistence."/persist".directories = [
|
||||
{
|
||||
directory = "/var/dkim";
|
||||
user = "rspamd";
|
||||
group = "rspamd";
|
||||
mode = "0755";
|
||||
}
|
||||
{
|
||||
directory = "/var/sieve";
|
||||
user = "virtualMail";
|
||||
group = "virtualMail";
|
||||
mode = "0770";
|
||||
}
|
||||
{
|
||||
directory = "/var/vmail";
|
||||
user = "virtualMail";
|
||||
group = "virtualMail";
|
||||
mode = "0700";
|
||||
}
|
||||
{
|
||||
directory = "/var/lib/rspamd";
|
||||
user = "rspamd";
|
||||
group = "rspamd";
|
||||
mode = "0700";
|
||||
}
|
||||
{
|
||||
directory = "/var/lib/redis-rspamd";
|
||||
user = "redis-rspamd";
|
||||
group = "redis-rspamd";
|
||||
mode = "0700";
|
||||
}
|
||||
{
|
||||
directory = "/var/lib/opendkim";
|
||||
user = 221;
|
||||
group = 221;
|
||||
mode = "0700";
|
||||
}
|
||||
{
|
||||
directory = "/var/lib/knot-resolver";
|
||||
user = "knot-resolver";
|
||||
group = "knot-resolver";
|
||||
mode = "0770";
|
||||
}
|
||||
"/var/lib/dhparams"
|
||||
"/var/lib/dovecot"
|
||||
"/var/lib/postfix"
|
||||
];
|
||||
}
|
||||
|
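Review bot: `/var/dkim` is persisted with `mode = "0755"`, which makes the directory holding DKIM signing keys traversable by every local user; unless another service account must read it, tighten it to `mode = "0700";` (or `0750` with the group that needs it) — the key files' own modes are not visible here, so the directory mode is the only protection shown in this hunk. `/var/lib/opendkim` uses a numeric `user = 221; group = 221;` where every other entry names the account; if that is the opendkim uid, write `user = "opendkim"; group = "opendkim";` so a uid change does not silently hand the directory to another account. `/var/sieve` and `/var/lib/knot-resolver` are `0770`, i.e. group-writable; if that is intended, a short comment on why group write is needed would help the next reader. The enclosing attribute set closes at the end of this hunk.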
@@ -276,6 +276,15 @@
|
||||
lovelaceConfigWritable = true;
|
||||
};
|
||||
|
||||
environment.persistence."/persist".directories = [
|
||||
{
|
||||
directory = config.services.home-assistant.configDir;
|
||||
user = "hass";
|
||||
group = "hass";
|
||||
mode = "0700";
|
||||
}
|
||||
];
|
||||
|
||||
modules.services.borgmatic.directories = [
|
||||
config.services.home-assistant.configDir
|
||||
];
|
||||
|
@@ -69,6 +69,21 @@
|
||||
};
|
||||
};
|
||||
|
||||
environment.persistence."/persist".directories = [
|
||||
{
|
||||
directory = config.services.zigbee2mqtt.dataDir;
|
||||
user = "zigbee2mqtt";
|
||||
group = "zigbee2mqtt";
|
||||
mode = "0700";
|
||||
}
|
||||
{
|
||||
directory = config.services.mosquitto.dataDir;
|
||||
user = "mosquitto";
|
||||
group = "mosquitto";
|
||||
mode = "0700";
|
||||
}
|
||||
];
|
||||
|
||||
modules.services.borgmatic.directories = [
|
||||
config.services.mosquitto.dataDir
|
||||
config.services.zigbee2mqtt.dataDir
|
||||
|
@@ -65,6 +65,13 @@ in
|
||||
];
|
||||
};
|
||||
|
||||
environment.persistence."/state".directories = [
|
||||
{
|
||||
directory = "/var/lib/fail2ban";
|
||||
mode = "0750";
|
||||
}
|
||||
];
|
||||
|
||||
services.openssh.settings.PermitRootLogin = mkForce "prohibit-password";
|
||||
|
||||
modules.services.tailscale = {
|
||||
|
@@ -79,6 +79,10 @@
|
||||
};
|
||||
};
|
||||
|
||||
environment.persistence."/persist".directories = [
|
||||
"/var/lib/skycam-archiver"
|
||||
];
|
||||
|
||||
modules.services.borgmatic = {
|
||||
enable = true;
|
||||
directories = [
|
||||
|
@@ -86,4 +86,12 @@ in
|
||||
packages.CHUNKED_UPLOAD_PATH = lib.mkForce "${stateDir}/data/tmp/package-upload";
|
||||
};
|
||||
};
|
||||
|
||||
environment.persistence."/persist".directories = [
|
||||
{
|
||||
directory = config.services.gitea.stateDir;
|
||||
inherit (config.services.gitea) user group;
|
||||
mode = "0700";
|
||||
}
|
||||
];
|
||||
}
|
||||
|
@@ -48,6 +48,13 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
environment.persistence."/persist".directories = [
|
||||
{
|
||||
directory = "/var/lib/headscale";
|
||||
inherit (config.services.headscale) user group;
|
||||
}
|
||||
];
|
||||
|
||||
services.nginx.virtualHosts = {
|
||||
"${domain}" = {
|
||||
forceSSL = true;
|
||||
|
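Review bot: The headscale entry sets `inherit (config.services.headscale) user group` but no `mode`, so the persisted `/var/lib/headscale` gets impermanence's default mode while sibling entries (gitea, kanidm, matrix-synapse) pin `0700`; that directory typically holds the headscale database and key material, so add `mode = "0700";`. The `mautrix-signal`, `mautrix-whatsapp` and photoprism entries in later hunks likewise omit `mode` and deserve the same treatment. If the NixOS headscale module exposes a data-directory setting, referencing it instead of the literal `/var/lib/headscale` would keep the service path and the persisted directory in sync, as the gitea hunk does with `config.services.gitea.stateDir`. The `services.nginx.virtualHosts` block that follows continues outside the hunk.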
@@ -49,4 +49,13 @@ in
|
||||
postRun = "systemctl restart kanidm.service";
|
||||
group = "acme";
|
||||
};
|
||||
|
||||
environment.persistence."/persist".directories = [
|
||||
{
|
||||
directory = "/var/lib/kanidm";
|
||||
user = "kanidm";
|
||||
group = "kanidm";
|
||||
mode = "0700";
|
||||
}
|
||||
];
|
||||
}
|
||||
|
@@ -216,4 +216,23 @@ in
|
||||
}
|
||||
// commonBridgeSettings "mautrix-whatsapp";
|
||||
};
|
||||
|
||||
environment.persistence."/persist".directories = [
|
||||
{
|
||||
directory = config.services.matrix-synapse.dataDir;
|
||||
user = "matrix-synapse";
|
||||
group = "matrix-synapse";
|
||||
mode = "0700";
|
||||
}
|
||||
{
|
||||
directory = "/var/lib/mautrix-signal";
|
||||
user = "mautrix-signal";
|
||||
group = "mautrix-signal";
|
||||
}
|
||||
{
|
||||
directory = "/var/lib/mautrix-whatsapp";
|
||||
user = "mautrix-whatsapp";
|
||||
group = "mautrix-whatsapp";
|
||||
}
|
||||
];
|
||||
}
|
||||
|
@@ -32,6 +32,14 @@ in
|
||||
file = "${inputs.secrets}/passwords/services/photoprism/admin.age";
|
||||
};
|
||||
|
||||
environment.persistence."/persist".directories = [
|
||||
{
|
||||
directory = "/var/lib/private/photoprism";
|
||||
user = "photoprism";
|
||||
group = "photoprism";
|
||||
}
|
||||
];
|
||||
|
||||
services.photoprism = {
|
||||
enable = true;
|
||||
address = "localhost";
|
||||
|