refactor(modules/impermanence): Migrate to by-name while distributing mods

author: Benedikt Peetz <benedikt.peetz@b-peetz.de> 2024-12-24 16:09:20 +0100
committer: Benedikt Peetz <benedikt.peetz@b-peetz.de> 2024-12-24 16:09:20 +0100
commit: b5fc07416652a445f15946ce7e5fc48766cf6722 (patch)
tree: de37587f0673e4aea12bc0532ee1b3879ab1e31c /modules/by-name
parent: fix(modules/back): Set now needed source code URL environment variable (diff)
download: nixos-server-b5fc07416652a445f15946ce7e5fc48766cf6722.zip
5 files changed, 94 insertions, 4 deletions
diff --git a/modules/by-name/im/impermanence/module.nix b/modules/by-name/im/impermanence/module.nix
new file mode 100644
index 0000000..d645bcb
--- /dev/null
+++ b/modules/by-name/im/impermanence/module.nix
@@ -0,0 +1,35 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.vhack.persist;
+in {
+  options.vhack.persist = {
+    enable = lib.mkEnableOption "impermanence";
+
+    directories = lib.mkOption {
+      description = "The list of directories to persist";
+      type = lib.types.listOf (lib.types.coercedTo lib.types.str (d: {directory = d;}) (lib.types.attrsOf lib.types.anything));
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.persistence."/srv" = {
+      hideMounts = true;
+      directories =
+        [
+          "/etc/nixos"
+          "/var/log"
+
+          # TODO(@bpeetz): Instead of persisting that, encode each uid/gid directly in the
+          # config. <2024-12-24>
+          "/var/lib/nixos"
+        ]
+        ++ cfg.directories;
+      files = [
+        "/etc/machine-id"
+      ];
+    };
+  };
+}
diff --git a/modules/by-name/ng/nginx/module.nix b/modules/by-name/ng/nginx/module.nix
index 6a82147..9c77652 100644
--- a/modules/by-name/ng/nginx/module.nix
+++ b/modules/by-name/ng/nginx/module.nix
@@ -36,6 +36,9 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
+    vhack.persist.directories = [
+      "/var/lib/acme"
+    ];
     security.acme = {
       acceptTerms = true;
       defaults = {
diff --git a/modules/by-name/ni/nix-sync/module.nix b/modules/by-name/ni/nix-sync/module.nix
index 0a92888..de096b9 100644
--- a/modules/by-name/ni/nix-sync/module.nix
+++ b/modules/by-name/ni/nix-sync/module.nix
@@ -50,6 +50,15 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
+    vhack.persist.directories = [
+      {
+        directory = "/var/lib/nix-sync";
+        user = "nix-sync";
+        group = "nix-sync";
+        mode = "0700";
+      }
+    ];
+
     services.nix-sync = {
       enable = true;
       repositories = nixSyncRepositories;
diff --git a/modules/by-name/op/openssh/module.nix b/modules/by-name/op/openssh/module.nix
index 30d16a6..49290b9 100644
--- a/modules/by-name/op/openssh/module.nix
+++ b/modules/by-name/op/openssh/module.nix
@@ -12,16 +12,40 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
+    /*
+     FIXME(@bpeetz):
+      This results in a boot error, as the `/var/lib/sshd` directory
+      is only mounted _after_ the stage 2 init and with it the system
+      activation. `agenix` needs the sshd hostkey however to decrypt the
+      secrets and thus we have to ensure that this directory is mounted
+      _before_ the system activation. Alas the only way I see to achieve
+      that is to store the ssh hostkey directly on /srv, which is mounted
+      before (it's marked as 'neededForBoot' after all).
+
+      It should be possible to achieve this with impermanence however,
+      as `/var/log` is mounted in the stage 1 init; The problem is that
+      I have no idea _why_ only this is mounted and nothing else.
+
+
+    vhack.persist.directories = [
+      {
+        directory = "/var/lib/sshd";
+        user = "root";
+        group = "root";
+        mode = "0755";
+      }
+    ];
+    */
+
     services.openssh = {
       enable = true;
       settings.PasswordAuthentication = false;
       hostKeys = [
         {
-          # See the explanation for this in /system/impermanence/mods/openssh.nix
-          # path = "/var/lib/sshd/ssh_host_ed25519_key";
-
-          # FIXME: Remove this workaround
+          # FIXME: Remove the dependency on `/srv` this workaround.
+          # See the explanation for using `/srv` above.
           path = "/srv/var/lib/sshd/ssh_host_ed25519_key";
+
           rounds = 1000;
           type = "ed25519";
         }
diff --git a/modules/by-name/po/postgresql/module.nix b/modules/by-name/po/postgresql/module.nix
new file mode 100644
index 0000000..319c3ac
--- /dev/null
+++ b/modules/by-name/po/postgresql/module.nix
@@ -0,0 +1,19 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.vhack.postgresql;
+in {
+  options.vhack.postgresql = {
+    enable = lib.mkEnableOption "postgresql";
+  };
+
+  config = lib.mkIf cfg.enable {
+    vhack.persist.directories = [
+      "/var/lib/postgresql"
+    ];
+
+    services.postgresql.enable = true;
+  };
+}
author	Benedikt Peetz <benedikt.peetz@b-peetz.de>	2024-12-24 16:09:20 +0100
committer	Benedikt Peetz <benedikt.peetz@b-peetz.de>	2024-12-24 16:09:20 +0100
commit	b5fc07416652a445f15946ce7e5fc48766cf6722 (patch)
tree	de37587f0673e4aea12bc0532ee1b3879ab1e31c /modules/by-name
parent	fix(modules/back): Set now needed source code URL environment variable (diff)
download	nixos-server-b5fc07416652a445f15946ce7e5fc48766cf6722.zip