bundle hexchen's nopersist & bindmount moduls

the bind mount module has been tweaked in a couple ways:
 - rename hexchen.* to hacc.*
 - rename bindmount to bindMount to make it consistent with usage in
   the nixpkgs container module
 - add a hacc.bindToPersist option as shorthand for prepending /perist
   to a path via bind mount

the nopersist module has been shortened a little by moving
service-specific things that are used only once out into the individual
service files, and removing those we don't need at all (this also
means we get to lose a mkForce or two in case of mismatches between
hexchen's and our current config).
stuebinm 2024-01-31 23:30:06 +01:00
parent 461cb01126
commit 39531f1c48
11 changed files with 104 additions and 8 deletions


@ -37,7 +37,10 @@
};
outputs = { self, nixpkgs, nix-hexchen, deploy-rs, sops-nix, ... }@inputs:
let modules = nix-hexchen.nixosModules;
let modules = nix-hexchen.nixosModules // {
bindMounts = import ./modules/bindmounts.nix;
nopersist = import ./modules/nopersist.nix;
};
profiles = nix-hexchen.nixosModules.profiles // {
container = import ./modules/container-profile.nix;
};
@ -53,7 +56,7 @@
nix-hexchen.nixosModules.network.nftables
{
nixpkgs.pkgs = pkgs.lib.mkForce pkgs;
imports = [ profiles.container profiles.nopersist ];
imports = [ modules.nopersist profiles.container];
}
];
specialArgs = {
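Review bot: `imports = [ modules.nopersist profiles.container];` on the new side drops the space before the closing bracket; write `imports = [ modules.nopersist profiles.container ];`. The new modules/nopersist.nix and modules/bindmounts.nix take `modules` from the module argument set, so this `modules` attrset presumably has to be handed through `specialArgs` as well — the hunk ends at `specialArgs = {` before that can be confirmed. The merged set still carries hexchen's `profiles.nopersist` next to the new `modules.nopersist`; a one-line comment at the `let modules =` line saying which of the two hosts are meant to import would keep the two from being mixed.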

28
modules/bindmounts.nix Normal file

@ -0,0 +1,28 @@
{ config, lib, pkgs, ... }:
with lib;
let cfg = config.hacc;
in {
options.hacc.bindMounts = mkOption {
type = types.attrsOf types.str;
default = { };
example = { "/etc/asdf" = "/persist/asdf"; };
};
options.hacc.bindToPersist = mkOption {
type = types.listOf types.str;
default = [];
example = [ "postgres" ];
};
config.fileSystems = mapAttrs (_: device: {
inherit device;
options = [ "bind" ];
}) cfg.bindMounts;
config.hacc.bindMounts = listToAttrs
(map (name: { inherit name; value = "/persist${name}"; })
cfg.bindToPersist);
}
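Review bot: The `example = [ "postgres" ]` on `hacc.bindToPersist` does not match what the module does with the list: `"/persist${name}"` only yields a sensible target for an absolute path, so `"postgres"` would bind `/persistpostgres` onto the relative mount point `postgres`. Change the example to `example = [ "/var/lib/postgresql" ];` and reject non-absolute entries early, e.g. `assertions = [ { assertion = all (hasPrefix "/") cfg.bindToPersist; message = "hacc.bindToPersist entries must be absolute paths"; } ];` under `config`. Both options also lack a `description`; `hacc.bindMounts` as "mount point → source path, mounted with the bind option" and `hacc.bindToPersist` as "absolute paths whose persistent copy lives under /persist at the same path" would do.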

52
modules/nopersist.nix Normal file

@ -0,0 +1,52 @@
{ config, lib, pkgs, modules, ... }:
with lib;
{
imports = [ modules.bindMounts ];
users.mutableUsers = false;
boot.initrd = mkIf (config.fileSystems."/".fsType == "zfs") {
network.ssh.hostKeys = mkIf config.hexchen.encboot.enable
(mkForce [ /persist/ssh/encboot_host ]);
postDeviceCommands = mkIf (!config.boot.initrd.systemd.enable)
(mkAfter ''
zfs rollback -r ${config.fileSystems."/".device}@blank
'');
systemd = mkIf config.boot.initrd.systemd.enable {
storePaths = [ pkgs.zfs ];
services.rollback = {
description = "Rollback ZFS datasets to a pristine state";
wantedBy = [ "initrd.target" ];
after = [ "zfs-import-${head (splitString "/" config.fileSystems."/".device)}.service" ];
before = [ "sysroot.mount" ];
path = [ pkgs.zfs ];
unitConfig.DefaultDependencies = "no";
serviceConfig.Type = "oneshot";
script = ''
zfs rollback -r ${config.fileSystems."/".device}@blank && echo "rollback complete"
'';
};
};
};
services.openssh = {
hostKeys = [
{
path = "/persist/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
{
path = "/persist/ssh/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}
];
};
services.postgresql.dataDir =
"/persist/postgresql/${config.services.postgresql.package.psqlSchema}";
}
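Review bot: In the `services.rollback` unit a failed `zfs rollback` (for instance a missing `@blank` snapshot) does not stop the boot: the unit is only `wantedBy = [ "initrd.target" ]` and ordered `before = [ "sysroot.mount" ]`, so as far as I can tell sysroot is mounted anyway and the system comes up on the un-rolled-back root, silently losing the nopersist guarantee. If that is not intended, add `requiredBy = [ "sysroot.mount" ];` so the mount fails when the rollback fails; the `postDeviceCommands` branch has the same shape, since its `zfs rollback` runs without any exit-status check. Separately, `services.postgresql.dataDir` is still set here unconditionally although the commit message moves service-specific settings into the service files; guarding it with `mkIf config.services.postgresql.enable` or moving it alongside the other service settings keeps this module generic.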


@ -7,7 +7,7 @@
modules.encboot
modules.network.nftables
modules.nftnat
sources.nix-hexchen.nixosModules.profiles.nopersist
modules.nopersist
./nextcloud.nix
./mattermost.nix
./murmur.nix
@ -22,7 +22,7 @@
./lxc.nix
];
hexchen.bindmounts."/var/lib/acme" = "/persist/var/lib/acme";
hacc.bindToPersist = [ "/var/lib/acme" ];
hexchen.encboot = {
enable = true;


@ -17,7 +17,7 @@
environment.systemPackages = [ pkgs.forgejo ];
hexchen.bindmounts."/var/lib/forgejo" = "/persist/forgejo";
hacc.bindMounts."/var/lib/forgejo" = "/persist/forgejo";
services.forgejo = {
enable = true;


@ -76,6 +76,7 @@
startAt = "*-*-* 23:45:00";
location = "/persist/backups/postgres";
};
hacc.bindToPersist = [ "/var/lib/hedgedoc" ];
});
};
services.nginx.virtualHosts."pad.hacc.earth" = {


@ -55,6 +55,7 @@
startAt = "*-*-* 23:45:00";
location = "/persist/backups/postgres";
};
hacc.bindToPersist = [ "/var/lib/hedgedoc" ];
});
};


@ -202,4 +202,14 @@
forceSSL = true;
locations."/".proxyPass = "http://[::1]:1323";
};
hacc.bindToPersist = [
"/var/lib/rspamd"
"/var/lib/opendkim"
"/var/lib/postfix"
"/var/lib/dovecot"
"/var/sieve"
"/var/lib/redis-rspamd"
"/var/dkim"
];
}


@ -193,7 +193,7 @@
ensurePermissions = { "mattermost.*" = "ALL PRIVILEGES"; };
} ];
package = pkgs.mysql80;
dataDir = lib.mkForce "/persist/mysql";
dataDir = "/persist/mysql";
};
services.postgresql = {


@ -1,8 +1,6 @@
{ config, lib, pkgs, ... }:
{
hexchen.bindmounts."/var/lib/murmur" = "/persist/var/lib/murmur";
services.murmur = {
enable = true;
logDays = -1;
@ -27,4 +25,6 @@
};
users.users.nginx.extraGroups = [ "mumblecert" ];
users.users.murmur.extraGroups = [ "mumblecert" ];
hacc.bindToPersist = [ "/var/lib/murmur" ];
}


@ -149,6 +149,7 @@ in
systemd.services.grafana.serviceConfig.EnvironmentFile =
"/secrets/env";
hacc.bindToPersist = [ "/var/lib/grafana" ];
});
};