authorSoispha <soispha@vhack.eu>2023-07-08 13:53:11 +0200
committerSoispha <soispha@vhack.eu>2023-07-08 13:53:11 +0200
commit7815ef2a22e3ae684852f1f28cedae6354263034 (patch)
treef6f9eff9edd93a734f3f7550e6c42e87ef4dadc0
parentFix(host/server1): Use working path to disk (diff)
downloadnixos-server-7815ef2a22e3ae684852f1f28cedae6354263034.zip
Fix(treewide): Move all persistent dirs to impermanence to set permissions
-rw-r--r--system/impermanence/default.nix25
-rw-r--r--system/impermanence/mods/acme.nix5
-rw-r--r--system/impermanence/mods/fail2ban.nix10
-rw-r--r--system/impermanence/mods/keycloak.nix5
-rw-r--r--system/impermanence/mods/mail.nix28
-rw-r--r--system/impermanence/mods/minecraft.nix10
-rw-r--r--system/impermanence/mods/nix-sync.nix10
-rw-r--r--system/impermanence/mods/openssh.nix10
-rw-r--r--system/impermanence/mods/users.nix22
-rw-r--r--system/services/fail2ban/default.nix4
-rw-r--r--system/services/mail/default.nix8
-rw-r--r--system/services/minecraft/default.nix2
-rw-r--r--system/users/default.nix93
13 files changed, 164 insertions, 68 deletions
diff --git a/system/impermanence/default.nix b/system/impermanence/default.nix
index 32ad9f7..198eeba 100644
--- a/system/impermanence/default.nix
+++ b/system/impermanence/default.nix
@@ -1,23 +1,20 @@
{...}: {
+ # TODO: Only activate them if their module is also active
+ imports = [
+ ./mods/acme.nix
+ ./mods/keycloak.nix
+ ./mods/mail.nix
+ ./mods/minecraft.nix
+ ./mods/nix-sync.nix
+ ./mods/openssh.nix
+ ./mods/users.nix
+ ];
+
environment.persistence."/srv" = {
hideMounts = true;
directories = [
"/etc/nixos"
"/var/log"
- "/var/lib/postgresql"
- "/var/lib/acme"
- {
- directory = "/var/lib/nix-sync";
- user = "nix-sync";
- group = "nix-sync";
- mode = "0700";
- }
- {
- directory = "/var/lib/sshd";
- user = "root";
- group = "root";
- mode = "0755";
- }
];
files = [
"/etc/machine-id"
diff --git a/system/impermanence/mods/acme.nix b/system/impermanence/mods/acme.nix
new file mode 100644
index 0000000..b16171e
--- /dev/null
+++ b/system/impermanence/mods/acme.nix
@@ -0,0 +1,5 @@
+{...}: {
+ environment.persistence."/srv".directories = [
+ "/var/lib/acme"
+ ];
+}
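Review bot: `/var/lib/acme` is persisted as a bare path with no `user`/`group`/`mode`, unlike every other module added in this commit, so it falls back to impermanence's defaults (root-owned, `0755` as far as I recall) — and this is the directory holding the ACME account key and TLS private keys, where explicit ownership matters most. The NixOS ACME module runs its renewal services as the `acme` user, so I would expect something like `{ directory = "/var/lib/acme"; user = "acme"; group = "acme"; mode = "0750"; }` here, but confirm against the module's tmpfiles/`StateDirectory` handling on the target release before pinning it, since a mismatch breaks renewals. Web servers that need the certificates are normally granted access per certificate by the module, not via this top-level directory.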
diff --git a/system/impermanence/mods/fail2ban.nix b/system/impermanence/mods/fail2ban.nix
new file mode 100644
index 0000000..a817876
--- /dev/null
+++ b/system/impermanence/mods/fail2ban.nix
@@ -0,0 +1,10 @@
+{...}: {
+ environment.persistence."/srv".directories = [
+ {
+ directory = "/var/lib/fail2ban";
+ user = "fail2ban";
+ group = "fail2ban";
+ mode = "0700";
+ }
+ ];
+}
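Review bot: This entry chowns `/var/lib/fail2ban` to `fail2ban:fail2ban`, but no such user or group is defined anywhere in this commit, and the NixOS fail2ban service runs as root (it has to edit the firewall); if the account does not exist, impermanence's activation-time `chown` fails and system activation aborts. Confirm the account exists, or use `user = "root"; group = "root";` with the existing `mode = "0700";`, which matches how the service actually accesses the database. As written the file also has no effect, because `system/impermanence/default.nix` in this commit does not import it.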
diff --git a/system/impermanence/mods/keycloak.nix b/system/impermanence/mods/keycloak.nix
new file mode 100644
index 0000000..63b02f5
--- /dev/null
+++ b/system/impermanence/mods/keycloak.nix
@@ -0,0 +1,5 @@
+{...}: {
+ environment.persistence."/srv".directories = [
+ "/var/lib/postgresql"
+ ];
+}
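Review bot: The file is named `keycloak.nix` but persists `/var/lib/postgresql`, which is the state of every database on the host, not just Keycloak's; naming it `postgresql.nix`, or adding `# Keycloak keeps all of its state in PostgreSQL`, stops the next reader from assuming Keycloak has other state that is being dropped. Like `acme.nix` it passes a bare path, so the parent directory gets impermanence's default ownership rather than the explicit permissions the commit title promises; `{ directory = "/var/lib/postgresql"; user = "postgres"; group = "postgres"; mode = "0750"; }` would make the intent explicit — check the PostgreSQL module on the target release first, since it creates its versioned data directory beneath this path itself.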
diff --git a/system/impermanence/mods/mail.nix b/system/impermanence/mods/mail.nix
new file mode 100644
index 0000000..fc21ce7
--- /dev/null
+++ b/system/impermanence/mods/mail.nix
@@ -0,0 +1,28 @@
+{...}: {
+ environment.persistence."/srv".directories = [
+ {
+ directory = "/var/lib/mail/backup";
+ user = "virtualMail";
+ group = "virtualMail";
+ mode = "0700";
+ }
+ {
+ directory = "/var/lib/mail/sieve";
+ user = "virtualMail";
+ group = "virtualMail";
+ mode = "0700";
+ }
+ {
+ directory = "/var/lib/mail/vmail";
+ user = "virtualMail";
+ group = "virtualMail";
+ mode = "0700";
+ }
+ {
+ directory = "/var/lib/mail/dkim";
+ user = "opendkim";
+ group = "opendkim";
+ mode = "0700";
+ }
+ ];
+}
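Review bot: Three of the four entries are identical apart from the directory name, which invites drift the next time a mode or the vmail user changes; building them from one helper keeps `user`/`group`/`mode` in a single place and makes the one genuinely different entry (`dkim` owned by `opendkim`) stand out. The parent `/var/lib/mail` is created implicitly by the bind mounts with impermanence's default ownership, which is fine for a directory that only holds subdirectory names, but worth a comment so nobody assumes it inherits `0700`.

```nix
{...}: let
  # All vmail-owned state shares one owner and mode; only the name differs.
  vmailDir = name: {
    directory = "/var/lib/mail/${name}";
    user = "virtualMail";
    group = "virtualMail";
    mode = "0700";
  };
in {
  environment.persistence."/srv".directories =
    map vmailDir ["backup" "sieve" "vmail"]
    ++ [
      {
        directory = "/var/lib/mail/dkim";
        user = "opendkim";
        group = "opendkim";
        mode = "0700";
      }
    ];
}
```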
diff --git a/system/impermanence/mods/minecraft.nix b/system/impermanence/mods/minecraft.nix
new file mode 100644
index 0000000..2a02626
--- /dev/null
+++ b/system/impermanence/mods/minecraft.nix
@@ -0,0 +1,10 @@
+{...}: {
+ environment.persistence."/srv".directories = [
+ {
+ directory = "/var/lib/minecraft";
+ user = "minecraft";
+ group = "minecraft";
+ mode = "0700";
+ }
+ ];
+}
diff --git a/system/impermanence/mods/nix-sync.nix b/system/impermanence/mods/nix-sync.nix
new file mode 100644
index 0000000..11449ea
--- /dev/null
+++ b/system/impermanence/mods/nix-sync.nix
@@ -0,0 +1,10 @@
+{...}: {
+ environment.persistence."/srv".directories = [
+ {
+ directory = "/var/lib/nix-sync";
+ user = "nix-sync";
+ group = "nix-sync";
+ mode = "0700";
+ }
+ ];
+}
diff --git a/system/impermanence/mods/openssh.nix b/system/impermanence/mods/openssh.nix
new file mode 100644
index 0000000..656f96e
--- /dev/null
+++ b/system/impermanence/mods/openssh.nix
@@ -0,0 +1,10 @@
+{...}: {
+ environment.persistence."/srv".directories = [
+ {
+ directory = "/var/lib/sshd";
+ user = "root";
+ group = "root";
+ mode = "0755";
+ }
+ ];
+}
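Review bot: Persisting `/var/lib/sshd` only preserves SSH host keys if `services.openssh.hostKeys` is pointed at that directory; the NixOS default writes them to `/etc/ssh/ssh_host_*_key`, and the openssh service configuration is not in this diff, so I cannot confirm which applies here. If the keys live in `/etc/ssh`, they are regenerated on every boot of an impermanent root, every client sees a host-key-changed warning, and users learn to ignore exactly the warning that detects a man-in-the-middle; either persist the key files explicitly under `environment.persistence."/srv".files` or point `hostKeys` paths under `/var/lib/sshd`, and state which in a comment here. `mode = "0755"` is also wider than a key directory needs — only root reads host keys, so `0700` suffices.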
diff --git a/system/impermanence/mods/users.nix b/system/impermanence/mods/users.nix
new file mode 100644
index 0000000..3b121e0
--- /dev/null
+++ b/system/impermanence/mods/users.nix
@@ -0,0 +1,22 @@
+{...}: {
+ environment.persistence."/srv".directories = [
+ {
+ directory = "/home/sils";
+ user = "sils";
+ group = "sils";
+ mode = "0700";
+ }
+ {
+ directory = "/home/soispha";
+ user = "soispha";
+ group = "soispha";
+ mode = "0700";
+ }
+ {
+ directory = "/home/nightingale";
+ user = "nightingale";
+ group = "nightingale";
+ mode = "0700";
+ }
+ ];
+}
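Review bot: The three home directories repeat the user list from `system/users/default.nix` by hand, so adding a user in one file and forgetting the other leaves that user's `/home` ephemeral — including anything appended to `~/.ssh/authorized_keys` or kept in shell history, which silently vanishes at reboot. Generating the entries from one list keeps the two in step; deriving them from `config.users.users` (filtering on `isNormalUser`) would be better still, but check that it does not introduce an evaluation cycle through the activation script before relying on it.

```nix
{...}: {
  # Home directories are private to their owner; keep this list in step with system/users/default.nix.
  environment.persistence."/srv".directories =
    map (name: {
      directory = "/home/${name}";
      user = name;
      group = name;
      mode = "0700";
    }) ["sils" "soispha" "nightingale"];
}
```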
diff --git a/system/services/fail2ban/default.nix b/system/services/fail2ban/default.nix
index 5aee097..3e6244b 100644
--- a/system/services/fail2ban/default.nix
+++ b/system/services/fail2ban/default.nix
@@ -1,4 +1,3 @@
-# vim: ts=2
{...}: {
services.fail2ban = {
enable = true;
@@ -8,7 +7,7 @@
logtarget = SYSLOG
socket = /run/fail2ban/fail2ban.sock
pidfile = /run/fail2ban/fail2ban.pid
- dbfile = /srv/fail2ban/fail2ban.sqlite3
+ dbfile = /var/lib/fail2ban/db.sqlite3
'';
bantime-increment = {
enable = true;
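Review bot: Both the directory and the filename change here (`/srv/fail2ban/fail2ban.sqlite3` → `/var/lib/fail2ban/db.sqlite3`), and with the persistence root at `/srv` the new path is backed by `/srv/var/lib/fail2ban/db.sqlite3` on disk, so the existing database is not picked up and every previously banned address — along with the `bantime-increment` escalation history this block enables — is dropped on the first deploy. Either keep the filename `fail2ban.sqlite3` and move the file into the new directory as part of the rollout, or say in the commit message that the ban history is intentionally reset. This also assumes `mods/fail2ban.nix` is imported, which this commit does not do.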
@@ -28,3 +27,4 @@
};
};
}
+
diff --git a/system/services/mail/default.nix b/system/services/mail/default.nix
index 5bfdb8c..0640fc7 100644
--- a/system/services/mail/default.nix
+++ b/system/services/mail/default.nix
@@ -19,10 +19,10 @@ in {
"admin@vhack.eu" = all_admins;
};
- mailDirectory = "/srv/mail/vmail";
- dkimKeyDirectory = "/srv/mail/dkim";
- sieveDirectory = "/srv/mail/sieve";
- backup.snapshotRoot = "/srv/mail/backup";
+ mailDirectory = "/var/lib/mail/vmail";
+ dkimKeyDirectory = "/var/lib/mail/dkim";
+ sieveDirectory = "/var/lib/mail/sieve";
+ backup.snapshotRoot = "/var/lib/mail/backup";
enableImap = false;
enableImapSsl = true;
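Review bot: The four paths move from `/srv/mail/*` to `/var/lib/mail/*`, and with the persistence root at `/srv` the new directories are backed by `/srv/var/lib/mail/*`, so unless the old trees are moved first (`mv /srv/mail/{vmail,sieve,backup,dkim} /srv/var/lib/mail/`) the mail store appears empty, users lose mail and Sieve scripts, and the DKIM directory starts out empty. The DKIM case is the dangerous one: if the mailserver module generates keys on start, as simple-nixos-mailserver does, the new key no longer matches the published DNS record and outbound mail fails DKIM verification until DNS is updated — migrate the existing keys rather than letting them regenerate, and record the manual step in the commit message.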
diff --git a/system/services/minecraft/default.nix b/system/services/minecraft/default.nix
index e69ffb1..e659af0 100644
--- a/system/services/minecraft/default.nix
+++ b/system/services/minecraft/default.nix
@@ -7,7 +7,7 @@
enable = true;
declarative = true;
eula = true;
- dataDir = "/srv/minecraft";
+ dataDir = "/var/lib/minecraft";
openFirewall = true;
jvmOpts = "-Xmx8192M -Xms8192M";
whitelist = {
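Review bot: `dataDir` moves from `/srv/minecraft` to `/var/lib/minecraft`, which impermanence now backs with `/srv/var/lib/minecraft`, so the existing world, whitelist state and ops files stay behind in `/srv/minecraft` unless moved before the switch, and an empty directory means the server generates a fresh world. Since the impermanence entry chowns the new mount point to `minecraft:minecraft` with `0700`, the moved tree needs `chown -R minecraft:minecraft` as well, otherwise the service cannot write its world data. The minecraft-server block continues beyond this hunk.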
diff --git a/system/users/default.nix b/system/users/default.nix
index 3555221..7ea88c5 100644
--- a/system/users/default.nix
+++ b/system/users/default.nix
@@ -1,54 +1,53 @@
{pkgs, ...}: {
- users.mutableUsers = false;
- users.defaultUserShell = pkgs.zsh;
+ users = {
+ mutableUsers = false;
+ defaultUserShell = pkgs.zsh;
+ users = {
+ root = {
+ initialHashedPassword = null; # to lock root
+ openssh.authorizedKeys.keys = [];
+ };
- users.users = {
- root = {
- #uid = 0;
- initialHashedPassword = null; # to lock root
- openssh.authorizedKeys.keys = [
- ];
- };
-
- sils = {
- name = "sils";
- isNormalUser = true;
- home = "/srv/home/sils";
- initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC";
- uid = 1000;
- extraGroups = [
- "wheel"
- ];
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils"
- ];
- };
+ sils = {
+ name = "sils";
+ isNormalUser = true;
+ home = "/home/sils";
+ initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC";
+ uid = 1000;
+ extraGroups = [
+ "wheel"
+ ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils"
+ ];
+ };
- soispha = {
- name = "soispha";
- isNormalUser = true;
- home = "/srv/home/soispha";
- initialHashedPassword = "$y$jFT$3.8XmUyukZvpExMUxDZkI.$IVrJgm8ysNDF/0vDD2kF6w73ozXgr1LMVRNN4Bq7pv1";
- uid = 1001;
- extraGroups = [
- "wheel"
- ];
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha"
- ];
- };
+ soispha = {
+ name = "soispha";
+ isNormalUser = true;
+ home = "/home/soispha";
+ initialHashedPassword = "$y$jFT$3.8XmUyukZvpExMUxDZkI.$IVrJgm8ysNDF/0vDD2kF6w73ozXgr1LMVRNN4Bq7pv1";
+ uid = 1001;
+ extraGroups = [
+ "wheel"
+ ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha"
+ ];
+ };
- nightingale = {
- name = "nightingale";
- isNormalUser = true;
- home = "/srv/home/nightingale";
- initialHashedPassword = null; # TODO CHANGE
- uid = 1002;
- extraGroups = [
- "wheel"
- ];
- openssh.authorizedKeys.keys = [
- ];
+ nightingale = {
+ name = "nightingale";
+ isNormalUser = true;
+ home = "/home/nightingale";
+ initialHashedPassword = null; # TODO CHANGE
+ uid = 1002;
+ extraGroups = [
+ "wheel"
+ ];
+ openssh.authorizedKeys.keys = [
+ ];
+ };
};
};
}
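Review bot: The new side keeps yescrypt password hashes for `sils` and `soispha` inline in the configuration, where they end up in the Nix store (world-readable on every host that evaluates this config) and in git history; if this repository is public or shared, they are an offline-cracking target. Prefer `hashedPasswordFile` pointing at a secret deployed out of band (agenix/sops-nix), which keeps `mutableUsers = false` intact. Two smaller points: `home = "/home/<name>"` and `name = "<name>"` now equal the NixOS defaults for a normal user and can be dropped, and `nightingale` sits in `wheel` with a `# TODO CHANGE` locked password and no keys — harmless while locked, but resolve it before the account becomes usable.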