From 39531f1c484cd3dcead2298917a55419cfcdbf87 Mon Sep 17 00:00:00 2001 From: stuebinm Date: Wed, 31 Jan 2024 23:30:06 +0100 Subject: [PATCH] bundle hexchen's nopersist & bindmount moduls the bind mount module has been tweaked in a couple ways: - rename hexchen.* to hacc.* - rename bindmount to bindMount to make it consistent with usage in the nixpkgs container module - add a hacc.bindToPersist option as shorthand for prepending /perist to a path via bind mount the nopersist module has been shortened a little by moving service-specific things which are used once out into the individual service files, and removing those which we don't need at all (this also means we get to loose a mkForce or two in case of mismatches between hexchen's and our current config). --- flake.nix | 7 ++++-- modules/bindmounts.nix | 28 +++++++++++++++++++++ modules/nopersist.nix | 52 +++++++++++++++++++++++++++++++++++++++ parsons/configuration.nix | 4 +-- parsons/forgejo.nix | 2 +- parsons/hedgedoc-hacc.nix | 1 + parsons/hedgedoc-i4f.nix | 1 + parsons/mail.nix | 10 ++++++++ parsons/mattermost.nix | 2 +- parsons/murmur.nix | 4 +-- parsons/tracktrain.nix | 1 + 11 files changed, 104 insertions(+), 8 deletions(-) create mode 100644 modules/bindmounts.nix create mode 100644 modules/nopersist.nix diff --git a/flake.nix b/flake.nix index c1d7b35..17b8997 100644 --- a/flake.nix +++ b/flake.nix @@ -37,7 +37,10 @@ }; outputs = { self, nixpkgs, nix-hexchen, deploy-rs, sops-nix, ... }@inputs: - let modules = nix-hexchen.nixosModules; + let modules = nix-hexchen.nixosModules // { + bindMounts = import ./modules/bindmounts.nix; + nopersist = import ./modules/nopersist.nix; + }; profiles = nix-hexchen.nixosModules.profiles // { container = import ./modules/container-profile.nix; }; 
@@ -53,7 +56,7 @@ nix-hexchen.nixosModules.network.nftables { nixpkgs.pkgs = pkgs.lib.mkForce pkgs; - imports = [ profiles.container profiles.nopersist ]; + imports = [ modules.nopersist profiles.container]; } ]; specialArgs = { diff --git a/modules/bindmounts.nix b/modules/bindmounts.nix new file mode 100644 index 0000000..ddbe5c9 --- /dev/null +++ b/modules/bindmounts.nix @@ -0,0 +1,28 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let cfg = config.hacc; + +in { + + options.hacc.bindMounts = mkOption { + type = types.attrsOf types.str; + default = { }; + example = { "/etc/asdf" = "/persist/asdf"; }; + }; + options.hacc.bindToPersist = mkOption { + type = types.listOf types.str; + default = []; + example = [ "postgres" ]; + }; + + config.fileSystems = mapAttrs (_: device: { + inherit device; + options = [ "bind" ]; + }) cfg.bindMounts; + + config.hacc.bindMounts = listToAttrs + (map (name: { inherit name; value = "/persist${name}"; }) + cfg.bindToPersist); +} diff --git a/modules/nopersist.nix b/modules/nopersist.nix new file mode 100644 index 0000000..e598f67 --- /dev/null +++ b/modules/nopersist.nix 
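Review bot: modules.nopersist declares `modules` as a module argument (`{ config, lib, pkgs, modules, ... }:` in modules/nopersist.nix) and resolves `modules.bindMounts` through it, so the import added here evaluates only if the container's `specialArgs` passes the extended `modules` set built in the first hunk rather than the unmodified `nix-hexchen.nixosModules`; the `specialArgs` body begins at the end of this hunk and continues outside it, so I cannot confirm which. If it does, a short comment on the import line, `# needs the extended modules set from specialArgs (nopersist imports modules.bindMounts)`, would record the dependency for the next reader. Minor style: the added list drops the space before the closing bracket that the removed line had, `imports = [ modules.nopersist profiles.container ];`.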
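Review bot: The `example` for `options.hacc.bindToPersist`, `[ "postgres" ]`, does not match what the module builds from it: `config.hacc.bindMounts` maps each entry to `"/persist${name}"`, so a relative entry yields the mount point `postgres` with device `/persistpostgres` instead of a path below `/persist`. Every caller in this commit passes an absolute path, so the example should too, `example = [ "/var/lib/postgresql" ];`, and rejecting relative entries at declaration time would turn the mistake into an evaluation error, `type = types.listOf (types.strMatching "/.*");`. Both options also lack a `description`; suggested wording for bindMounts is "mount point to source directory; each entry becomes a fileSystems bind mount" and for bindToPersist "absolute paths whose persistent copy lives at the same path below /persist; each entry is added to hacc.bindMounts".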
@@ -0,0 +1,52 @@ +{ config, lib, pkgs, modules, ... }: + +with lib; + +{ + imports = [ modules.bindMounts ]; + + users.mutableUsers = false; + + boot.initrd = mkIf (config.fileSystems."/".fsType == "zfs") { + network.ssh.hostKeys = mkIf config.hexchen.encboot.enable + (mkForce [ /persist/ssh/encboot_host ]); + + postDeviceCommands = mkIf (!config.boot.initrd.systemd.enable) + (mkAfter '' + zfs rollback -r ${config.fileSystems."/".device}@blank + ''); + + systemd = mkIf config.boot.initrd.systemd.enable { + storePaths = [ pkgs.zfs ]; + services.rollback = { + description = "Rollback ZFS datasets to a pristine state"; + wantedBy = [ "initrd.target" ]; + after = [ "zfs-import-${head (splitString "/" config.fileSystems."/".device)}.service" ]; + before = [ "sysroot.mount" ]; + path = [ pkgs.zfs ]; + unitConfig.DefaultDependencies = "no"; + serviceConfig.Type = "oneshot"; + script = '' + zfs rollback -r ${config.fileSystems."/".device}@blank && echo "rollback complete" + ''; + }; + }; + }; + + services.openssh = { + hostKeys = [ + { + path = "/persist/ssh/ssh_host_ed25519_key"; + type = "ed25519"; + } + { + path = "/persist/ssh/ssh_host_rsa_key"; + type = "rsa"; + bits = 4096; + } + ]; + }; + + services.postgresql.dataDir = + "/persist/postgresql/${config.services.postgresql.package.psqlSchema}"; +} diff --git a/parsons/configuration.nix b/parsons/configuration.nix index 18af386..690ce4e 100644 --- a/parsons/configuration.nix +++ b/parsons/configuration.nix @@ -7,7 +7,7 @@ modules.encboot modules.network.nftables modules.nftnat - sources.nix-hexchen.nixosModules.profiles.nopersist + modules.nopersist ./nextcloud.nix ./mattermost.nix ./murmur.nix @@ -22,7 +22,7 @@ ./lxc.nix ]; - hexchen.bindmounts."/var/lib/acme" = "/persist/var/lib/acme"; + hacc.bindToPersist = [ "/var/lib/acme" ]; hexchen.encboot = { enable = true; diff --git a/parsons/forgejo.nix b/parsons/forgejo.nix index 89d08fe..5787f79 100644 --- a/parsons/forgejo.nix +++ b/parsons/forgejo.nix 
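Review bot: `boot.initrd.network.ssh.hostKeys` is set to the path literal `/persist/ssh/encboot_host`, while `services.openssh.hostKeys` further down uses string paths. Whether that private key is appended as an initrd secret at boot or ends up copied into the world-readable Nix store depends on how the option consumes path values, which is not visible here; it is worth confirming for the encboot case, and a comment such as `# appended as an initrd secret at boot; must never be copied into the store` would record the outcome. The module also reads `config.hexchen.encboot.enable`, so it presumably evaluates only on hosts that import the hexchen encboot module; a comment on the `imports` line saying so would spare the next reader a failed eval. Finally, the `zfs rollback -r ...@blank` in both initrd variants discards everything outside `/persist` on every boot, and a header comment stating that contract is the most useful line this new file could gain.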
@@ -17,7 +17,7 @@ environment.systemPackages = [ pkgs.forgejo ]; - hexchen.bindmounts."/var/lib/forgejo" = "/persist/forgejo"; + hacc.bindMounts."/var/lib/forgejo" = "/persist/forgejo"; services.forgejo = { enable = true; diff --git a/parsons/hedgedoc-hacc.nix b/parsons/hedgedoc-hacc.nix index f72cf62..533cd54 100644 --- a/parsons/hedgedoc-hacc.nix +++ b/parsons/hedgedoc-hacc.nix @@ -76,6 +76,7 @@ startAt = "*-*-* 23:45:00"; location = "/persist/backups/postgres"; }; + hacc.bindToPersist = [ "/var/lib/hedgedoc" ]; }); }; services.nginx.virtualHosts."pad.hacc.earth" = { diff --git a/parsons/hedgedoc-i4f.nix b/parsons/hedgedoc-i4f.nix index 99644f8..1e65359 100644 --- a/parsons/hedgedoc-i4f.nix +++ b/parsons/hedgedoc-i4f.nix @@ -55,6 +55,7 @@ startAt = "*-*-* 23:45:00"; location = "/persist/backups/postgres"; }; + hacc.bindToPersist = [ "/var/lib/hedgedoc" ]; }); }; diff --git a/parsons/mail.nix b/parsons/mail.nix index 1645885..7f4af6e 100644 --- a/parsons/mail.nix +++ b/parsons/mail.nix @@ -202,4 +202,14 @@ forceSSL = true; locations."/".proxyPass = "http://[::1]:1323"; }; + + hacc.bindToPersist = [ + "/var/lib/rspamd" + "/var/lib/opendkim" + "/var/lib/postfix" + "/var/lib/dovecot" + "/var/sieve" + "/var/lib/redis-rspamd" + "/var/dkim" + ]; } diff --git a/parsons/mattermost.nix b/parsons/mattermost.nix index e667665..1f46059 100644 --- a/parsons/mattermost.nix +++ b/parsons/mattermost.nix @@ -193,7 +193,7 @@ ensurePermissions = { "mattermost.*" = "ALL PRIVILEGES"; }; } ]; package = pkgs.mysql80; - dataDir = lib.mkForce "/persist/mysql"; + dataDir = "/persist/mysql"; }; services.postgresql = { diff --git a/parsons/murmur.nix b/parsons/murmur.nix index 3147ddd..b7c1e31 100644 --- a/parsons/murmur.nix +++ b/parsons/murmur.nix @@ -1,8 +1,6 @@ { config, lib, pkgs, ... }: { - hexchen.bindmounts."/var/lib/murmur" = "/persist/var/lib/murmur"; - services.murmur = { enable = true; logDays = -1; 
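Review bot: The `hacc.bindToPersist` list added to parsons/mail.nix is now the only thing that carries the mail stack's state across boots, since anything left out is discarded silently by the rollback in modules/nopersist.nix; nothing on the page shows which paths the removed hexchen profile covered, so the list cannot be checked for completeness from here. A comment above it, `# every stateful dir of the mail stack must be listed here; anything else is wiped by the @blank rollback at boot`, would make the contract visible to whoever adds the next service. The single-entry lists in parsons/hedgedoc-hacc.nix, parsons/hedgedoc-i4f.nix, parsons/murmur.nix and parsons/tracktrain.nix carry the same unstated contract. The enclosing attribute set of each of these hunks starts outside the hunk.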
@@ -27,4 +25,6 @@ }; users.users.nginx.extraGroups = [ "mumblecert" ]; users.users.murmur.extraGroups = [ "mumblecert" ]; + + hacc.bindToPersist = [ "/var/lib/murmur" ]; } diff --git a/parsons/tracktrain.nix b/parsons/tracktrain.nix index 42eca90..0440e57 100644 --- a/parsons/tracktrain.nix +++ b/parsons/tracktrain.nix @@ -149,6 +149,7 @@ in systemd.services.grafana.serviceConfig.EnvironmentFile = "/secrets/env"; + hacc.bindToPersist = [ "/var/lib/grafana" ]; }); };