bundle hexchen's nopersist & bindmount moduls

the bind mount module has been tweaked in a couple ways:
 - rename hexchen.* to hacc.*
 - rename bindmount to bindMount to make it consistent with usage in
   the nixpkgs container module
 - add a hacc.bindToPersist option as shorthand for prepending /perist
   to a path via bind mount

the nopersist module has been shortened a little by moving
service-specific things which are used once out into the individual
service files, and removing those which we don't need at all (this also
means we get to loose a mkForce or two in case of mismatches between
hexchen's and our current config).

flake.nix

@@ -37,7 +37,10 @@
   };
 
   outputs = { self, nixpkgs, nix-hexchen, deploy-rs, sops-nix, ... }@inputs:
-    let modules = nix-hexchen.nixosModules;
+    let modules = nix-hexchen.nixosModules // {
+          bindMounts = import ./modules/bindmounts.nix;
+          nopersist = import ./modules/nopersist.nix;
+        };
         profiles = nix-hexchen.nixosModules.profiles // {
           container = import ./modules/container-profile.nix;
         };
@@ -53,7 +56,7 @@
             nix-hexchen.nixosModules.network.nftables
             {
               nixpkgs.pkgs = pkgs.lib.mkForce pkgs;
-              imports = [ profiles.container profiles.nopersist ];
+              imports = [ modules.nopersist profiles.container];
             }
           ];
           specialArgs = {

modules/bindmounts.nix

@@ -0,0 +1,28 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let cfg = config.hacc;
+
+in {
+
+  options.hacc.bindMounts = mkOption {
+    type = types.attrsOf types.str;
+    default = { };
+    example = { "/etc/asdf" = "/persist/asdf"; };
+  };
+  options.hacc.bindToPersist = mkOption {
+    type = types.listOf types.str;
+    default = [];
+    example = [ "postgres" ];
+  };
+
+  config.fileSystems = mapAttrs (_: device: {
+    inherit device;
+    options = [ "bind" ];
+  }) cfg.bindMounts;
+
+  config.hacc.bindMounts = listToAttrs
+    (map (name: { inherit name; value = "/persist${name}"; })
+      cfg.bindToPersist);
+}

modules/nopersist.nix

@@ -0,0 +1,52 @@
+{ config, lib, pkgs, modules, ... }:
+
+with lib;
+
+{
+  imports = [ modules.bindMounts ];
+
+  users.mutableUsers = false;
+
+  boot.initrd = mkIf (config.fileSystems."/".fsType == "zfs") {
+    network.ssh.hostKeys = mkIf config.hexchen.encboot.enable
+      (mkForce [ /persist/ssh/encboot_host ]);
+
+    postDeviceCommands = mkIf (!config.boot.initrd.systemd.enable)
+      (mkAfter ''
+        zfs rollback -r ${config.fileSystems."/".device}@blank
+      '');
+
+    systemd = mkIf config.boot.initrd.systemd.enable {
+      storePaths = [ pkgs.zfs ];
+      services.rollback = {
+        description = "Rollback ZFS datasets to a pristine state";
+        wantedBy = [ "initrd.target" ];
+        after = [ "zfs-import-${head (splitString "/" config.fileSystems."/".device)}.service" ];
+        before = [ "sysroot.mount" ];
+        path = [ pkgs.zfs ];
+        unitConfig.DefaultDependencies = "no";
+        serviceConfig.Type = "oneshot";
+        script = ''
+          zfs rollback -r ${config.fileSystems."/".device}@blank && echo "rollback complete"
+        '';
+      };
+    };
+  };
+
+  services.openssh = {
+    hostKeys = [
+      {
+        path = "/persist/ssh/ssh_host_ed25519_key";
+        type = "ed25519";
+      }
+      {
+        path = "/persist/ssh/ssh_host_rsa_key";
+        type = "rsa";
+        bits = 4096;
+      }
+    ];
+  };
+
+  services.postgresql.dataDir =
+    "/persist/postgresql/${config.services.postgresql.package.psqlSchema}";
+}

parsons/configuration.nix

@@ -7,7 +7,7 @@
     modules.encboot
     modules.network.nftables
     modules.nftnat
-    sources.nix-hexchen.nixosModules.profiles.nopersist
+    modules.nopersist
     ./nextcloud.nix
     ./mattermost.nix
     ./murmur.nix
@@ -22,7 +22,7 @@
     ./lxc.nix
   ];
 
-  hexchen.bindmounts."/var/lib/acme" = "/persist/var/lib/acme";
+  hacc.bindToPersist = [ "/var/lib/acme" ];
 
   hexchen.encboot = {
     enable = true;

parsons/forgejo.nix

@@ -17,7 +17,7 @@
 
       environment.systemPackages = [ pkgs.forgejo ];
 
-      hexchen.bindmounts."/var/lib/forgejo" = "/persist/forgejo";
+      hacc.bindMounts."/var/lib/forgejo" = "/persist/forgejo";
 
       services.forgejo = {
         enable = true;

parsons/hedgedoc-hacc.nix

@@ -76,6 +76,7 @@
         startAt = "*-*-* 23:45:00";
         location = "/persist/backups/postgres";
       };
+      hacc.bindToPersist = [ "/var/lib/hedgedoc" ];
     });
   };
   services.nginx.virtualHosts."pad.hacc.earth" = {

parsons/hedgedoc-i4f.nix

@@ -55,6 +55,7 @@
         startAt = "*-*-* 23:45:00";
         location = "/persist/backups/postgres";
       };
+      hacc.bindToPersist = [ "/var/lib/hedgedoc" ];
     });
   };
 

parsons/mail.nix

@@ -202,4 +202,14 @@
     forceSSL = true;
     locations."/".proxyPass = "http://[::1]:1323";
   };
+
+  hacc.bindToPersist = [
+    "/var/lib/rspamd"
+    "/var/lib/opendkim"
+    "/var/lib/postfix"
+    "/var/lib/dovecot"
+    "/var/sieve"
+    "/var/lib/redis-rspamd"
+    "/var/dkim"
+  ];
 }

parsons/mattermost.nix

@@ -193,7 +193,7 @@
           ensurePermissions = { "mattermost.*" = "ALL PRIVILEGES"; };
         } ];
         package = pkgs.mysql80;
-        dataDir = lib.mkForce "/persist/mysql";
+        dataDir = "/persist/mysql";
       };
 
       services.postgresql = {

parsons/murmur.nix

@@ -1,8 +1,6 @@
 { config, lib, pkgs, ... }:
 
 {
-  hexchen.bindmounts."/var/lib/murmur" = "/persist/var/lib/murmur";
-
   services.murmur = {
     enable = true;
     logDays = -1;
@@ -27,4 +25,6 @@
   };
   users.users.nginx.extraGroups = [ "mumblecert" ];
   users.users.murmur.extraGroups = [ "mumblecert" ];
+
+  hacc.bindToPersist = [ "/var/lib/murmur" ];
 }

parsons/tracktrain.nix

@@ -149,6 +149,7 @@ in
 
       systemd.services.grafana.serviceConfig.EnvironmentFile =
         "/secrets/env";
+      hacc.bindToPersist = [ "/var/lib/grafana" ];
     });
   };