treewide: impermanence configuration

hosts/vps1/gitea.nix

@@ -86,4 +86,12 @@ in
       packages.CHUNKED_UPLOAD_PATH = lib.mkForce "${stateDir}/data/tmp/package-upload";
     };
   };
+
+  environment.persistence."/persist".directories = [
+    {
+      directory = config.services.gitea.stateDir;
+      inherit (config.services.gitea) user group;
+      mode = "0700";
+    }
+  ];
 }

hosts/vps1/headscale.nix

@@ -48,6 +48,13 @@ in
     };
   };
 
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/headscale";
+      inherit (config.services.headscale) user group;
+    }
+  ];
+
   services.nginx.virtualHosts = {
     "${domain}" = {
       forceSSL = true;

hosts/vps1/kanidm.nix

@@ -49,4 +49,13 @@ in
     postRun = "systemctl restart kanidm.service";
     group = "acme";
   };
+
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/kanidm";
+      user = "kanidm";
+      group = "kanidm";
+      mode = "0700";
+    }
+  ];
 }

hosts/vps1/matrix.nix

@@ -216,4 +216,23 @@ in
     }
     // commonBridgeSettings "mautrix-whatsapp";
   };
+
+  environment.persistence."/persist".directories = [
+    {
+      directory = config.services.matrix-synapse.dataDir;
+      user = "matrix-synapse";
+      group = "matrix-synapse";
+      mode = "0700";
+    }
+    {
+      directory = "/var/lib/mautrix-signal";
+      user = "mautrix-signal";
+      group = "mautrix-signal";
+    }
+    {
+      directory = "/var/lib/mautrix-whatsapp";
+      user = "mautrix-whatsapp";
+      group = "mautrix-whatsapp";
+    }
+  ];
 }

hosts/vps1/photoprism.nix

@@ -32,6 +32,14 @@ in
     file = "${inputs.secrets}/passwords/services/photoprism/admin.age";
   };
 
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/private/photoprism";
+      user = "photoprism";
+      group = "photoprism";
+    }
+  ];
+
   services.photoprism = {
     enable = true;
     address = "localhost";