bundle hexchen's nopersist & bindmount moduls
the bind mount module has been tweaked in a couple of ways: - rename hexchen.* to hacc.* - rename bindmount to bindMount to make it consistent with usage in the nixpkgs container module - add a hacc.bindToPersist option as shorthand for prepending /persist to a path via bind mount. the nopersist module has been shortened a little by moving service-specific things which are used once out into the individual service files, and removing those which we don't need at all (this also means we get to lose a mkForce or two in case of mismatches between hexchen's and our current config).
This commit is contained in:
parent
461cb01126
commit
39531f1c48
11 changed files with 104 additions and 8 deletions
|
@ -37,7 +37,10 @@
|
|||
};
|
||||
|
||||
outputs = { self, nixpkgs, nix-hexchen, deploy-rs, sops-nix, ... }@inputs:
|
||||
let modules = nix-hexchen.nixosModules;
|
||||
let modules = nix-hexchen.nixosModules // {
|
||||
bindMounts = import ./modules/bindmounts.nix;
|
||||
nopersist = import ./modules/nopersist.nix;
|
||||
};
|
||||
profiles = nix-hexchen.nixosModules.profiles // {
|
||||
container = import ./modules/container-profile.nix;
|
||||
};
|
||||
|
@ -53,7 +56,7 @@
|
|||
nix-hexchen.nixosModules.network.nftables
|
||||
{
|
||||
nixpkgs.pkgs = pkgs.lib.mkForce pkgs;
|
||||
imports = [ profiles.container profiles.nopersist ];
|
||||
imports = [ modules.nopersist profiles.container];
|
||||
}
|
||||
];
|
||||
specialArgs = {
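Review bot: `modules` is now also consumed through `specialArgs` by the new `modules/nopersist.nix` (`{ config, lib, pkgs, modules, ... }` with `imports = [ modules.bindMounts ]`), so the container configuration at `imports = [ modules.nopersist profiles.container];` only evaluates if the `specialArgs` set that begins on the last line of this hunk passes this same merged `modules` set; its body is outside the hunk, so please confirm. The `//` merge also silently overrides any `bindMounts` or `nopersist` attribute that `nix-hexchen.nixosModules` may already export, which is presumably intended given the rename but worth a one-line comment. As a style point the import list is missing its closing space: `imports = [ modules.nopersist profiles.container ];`.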
|
||||
|
|
28
modules/bindmounts.nix
Normal file
28
modules/bindmounts.nix
Normal file
|
@ -0,0 +1,28 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let cfg = config.hacc;
|
||||
|
||||
in {
|
||||
|
||||
options.hacc.bindMounts = mkOption {
|
||||
type = types.attrsOf types.str;
|
||||
default = { };
|
||||
example = { "/etc/asdf" = "/persist/asdf"; };
|
||||
};
|
||||
options.hacc.bindToPersist = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
example = [ "postgres" ];
|
||||
};
|
||||
|
||||
config.fileSystems = mapAttrs (_: device: {
|
||||
inherit device;
|
||||
options = [ "bind" ];
|
||||
}) cfg.bindMounts;
|
||||
|
||||
config.hacc.bindMounts = listToAttrs
|
||||
(map (name: { inherit name; value = "/persist${name}"; })
|
||||
cfg.bindToPersist);
|
||||
}
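Review bot: The `bindToPersist` example `[ "postgres" ]` does not match how the option is consumed: `"/persist${name}"` at the bottom of the file only yields a sensible mount-point/device pair when `name` is an absolute path, so the example would produce mount point `postgres` with device `/persistpostgres`, while every caller in this commit passes paths such as `"/var/lib/acme"`. Change it to `example = [ "/var/lib/postgresql" ];`, and consider `type = types.listOf types.path;` (which only accepts absolute paths) or a `strMatching "^/.*"` so a relative entry is rejected at evaluation time instead of producing a mount unit that fails at boot. Both options also lack a `description`; for `bindToPersist` something like `description = "Absolute paths to bind-mount from the same path below /persist.";`, and for `bindMounts` one stating that the attribute name is the mount point and the value the persisted directory it is bound from.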
|
52
modules/nopersist.nix
Normal file
52
modules/nopersist.nix
Normal file
|
@ -0,0 +1,52 @@
|
|||
{ config, lib, pkgs, modules, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
{
|
||||
imports = [ modules.bindMounts ];
|
||||
|
||||
users.mutableUsers = false;
|
||||
|
||||
boot.initrd = mkIf (config.fileSystems."/".fsType == "zfs") {
|
||||
network.ssh.hostKeys = mkIf config.hexchen.encboot.enable
|
||||
(mkForce [ /persist/ssh/encboot_host ]);
|
||||
|
||||
postDeviceCommands = mkIf (!config.boot.initrd.systemd.enable)
|
||||
(mkAfter ''
|
||||
zfs rollback -r ${config.fileSystems."/".device}@blank
|
||||
'');
|
||||
|
||||
systemd = mkIf config.boot.initrd.systemd.enable {
|
||||
storePaths = [ pkgs.zfs ];
|
||||
services.rollback = {
|
||||
description = "Rollback ZFS datasets to a pristine state";
|
||||
wantedBy = [ "initrd.target" ];
|
||||
after = [ "zfs-import-${head (splitString "/" config.fileSystems."/".device)}.service" ];
|
||||
before = [ "sysroot.mount" ];
|
||||
path = [ pkgs.zfs ];
|
||||
unitConfig.DefaultDependencies = "no";
|
||||
serviceConfig.Type = "oneshot";
|
||||
script = ''
|
||||
zfs rollback -r ${config.fileSystems."/".device}@blank && echo "rollback complete"
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.openssh = {
|
||||
hostKeys = [
|
||||
{
|
||||
path = "/persist/ssh/ssh_host_ed25519_key";
|
||||
type = "ed25519";
|
||||
}
|
||||
{
|
||||
path = "/persist/ssh/ssh_host_rsa_key";
|
||||
type = "rsa";
|
||||
bits = 4096;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
services.postgresql.dataDir =
|
||||
"/persist/postgresql/${config.services.postgresql.package.psqlSchema}";
|
||||
}
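Review bot: The initrd `rollback` unit is only ordered `before = [ "sysroot.mount" ]` and is pulled in via `wantedBy = [ "initrd.target" ]`, so if `zfs rollback` fails (for instance a missing `@blank` snapshot, or a pool name that `head (splitString "/" ...)` did not derive correctly) `sysroot.mount` still proceeds on the un-reset dataset and the host boots with whatever state was left behind, which defeats the property this module exists to provide. If the clean state is relied upon, `requiredBy = [ "sysroot.mount" ];` makes that failure stop the boot rather than continue silently; the `postDeviceCommands` branch has the same shape, since nothing there reacts to a non-zero exit of the rollback. Separately, `[ /persist/ssh/encboot_host ]` is a path literal, which stays safe only as long as the consuming option never interpolates it into a string (that would copy the host key into the world-readable store, or fail under pure evaluation); the string form `"/persist/ssh/encboot_host"` removes that dependency. A short header comment stating that the module assumes a ZFS root with a `@blank` snapshot and a mounted `/persist` dataset would also help, since neither precondition is checked anywhere in the file.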
|
|
@ -7,7 +7,7 @@
|
|||
modules.encboot
|
||||
modules.network.nftables
|
||||
modules.nftnat
|
||||
sources.nix-hexchen.nixosModules.profiles.nopersist
|
||||
modules.nopersist
|
||||
./nextcloud.nix
|
||||
./mattermost.nix
|
||||
./murmur.nix
|
||||
|
@ -22,7 +22,7 @@
|
|||
./lxc.nix
|
||||
];
|
||||
|
||||
hexchen.bindmounts."/var/lib/acme" = "/persist/var/lib/acme";
|
||||
hacc.bindToPersist = [ "/var/lib/acme" ];
|
||||
|
||||
hexchen.encboot = {
|
||||
enable = true;
|
||||
|
|
|
@ -17,7 +17,7 @@
|
|||
|
||||
environment.systemPackages = [ pkgs.forgejo ];
|
||||
|
||||
hexchen.bindmounts."/var/lib/forgejo" = "/persist/forgejo";
|
||||
hacc.bindMounts."/var/lib/forgejo" = "/persist/forgejo";
|
||||
|
||||
services.forgejo = {
|
||||
enable = true;
|
||||
|
|
|
@ -76,6 +76,7 @@
|
|||
startAt = "*-*-* 23:45:00";
|
||||
location = "/persist/backups/postgres";
|
||||
};
|
||||
hacc.bindToPersist = [ "/var/lib/hedgedoc" ];
|
||||
});
|
||||
};
|
||||
services.nginx.virtualHosts."pad.hacc.earth" = {
|
||||
|
|
|
@ -55,6 +55,7 @@
|
|||
startAt = "*-*-* 23:45:00";
|
||||
location = "/persist/backups/postgres";
|
||||
};
|
||||
hacc.bindToPersist = [ "/var/lib/hedgedoc" ];
|
||||
});
|
||||
};
|
||||
|
||||
|
|
|
@ -202,4 +202,14 @@
|
|||
forceSSL = true;
|
||||
locations."/".proxyPass = "http://[::1]:1323";
|
||||
};
|
||||
|
||||
hacc.bindToPersist = [
|
||||
"/var/lib/rspamd"
|
||||
"/var/lib/opendkim"
|
||||
"/var/lib/postfix"
|
||||
"/var/lib/dovecot"
|
||||
"/var/sieve"
|
||||
"/var/lib/redis-rspamd"
|
||||
"/var/dkim"
|
||||
];
|
||||
}
|
||||
|
|
|
@ -193,7 +193,7 @@
|
|||
ensurePermissions = { "mattermost.*" = "ALL PRIVILEGES"; };
|
||||
} ];
|
||||
package = pkgs.mysql80;
|
||||
dataDir = lib.mkForce "/persist/mysql";
|
||||
dataDir = "/persist/mysql";
|
||||
};
|
||||
|
||||
services.postgresql = {
|
||||
|
|
|
@ -1,8 +1,6 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
hexchen.bindmounts."/var/lib/murmur" = "/persist/var/lib/murmur";
|
||||
|
||||
services.murmur = {
|
||||
enable = true;
|
||||
logDays = -1;
|
||||
|
@ -27,4 +25,6 @@
|
|||
};
|
||||
users.users.nginx.extraGroups = [ "mumblecert" ];
|
||||
users.users.murmur.extraGroups = [ "mumblecert" ];
|
||||
|
||||
hacc.bindToPersist = [ "/var/lib/murmur" ];
|
||||
}
|
||||
|
|
|
@ -149,6 +149,7 @@ in
|
|||
|
||||
systemd.services.grafana.serviceConfig.EnvironmentFile =
|
||||
"/secrets/env";
|
||||
hacc.bindToPersist = [ "/var/lib/grafana" ];
|
||||
});
|
||||
};
|
||||
|
||||
|
|