diff options
author | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2024-12-24 16:09:20 +0100 |
---|---|---|
committer | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2024-12-24 16:09:20 +0100 |
commit | b5fc07416652a445f15946ce7e5fc48766cf6722 (patch) | |
tree | de37587f0673e4aea12bc0532ee1b3879ab1e31c /modules | |
parent | fix(modules/back): Set now needed source code URL environment variable (diff) | |
download | nixos-server-b5fc07416652a445f15946ce7e5fc48766cf6722.zip |
refactor(modules/impermanence): Migrate to by-name while distributing mods
Diffstat (limited to 'modules')
-rw-r--r-- | modules/by-name/im/impermanence/module.nix | 35 | ||||
-rw-r--r-- | modules/by-name/ng/nginx/module.nix | 3 | ||||
-rw-r--r-- | modules/by-name/ni/nix-sync/module.nix | 9 | ||||
-rw-r--r-- | modules/by-name/op/openssh/module.nix | 32 | ||||
-rw-r--r-- | modules/by-name/po/postgresql/module.nix | 19 |
5 files changed, 94 insertions, 4 deletions
diff --git a/modules/by-name/im/impermanence/module.nix b/modules/by-name/im/impermanence/module.nix new file mode 100644 index 0000000..d645bcb --- /dev/null +++ b/modules/by-name/im/impermanence/module.nix @@ -0,0 +1,35 @@ +{ + config, + lib, + ... +}: let + cfg = config.vhack.persist; +in { + options.vhack.persist = { + enable = lib.mkEnableOption "impermanence"; + + directories = lib.mkOption { + description = "The list of directories to persist"; + type = lib.types.listOf (lib.types.coercedTo lib.types.str (d: {directory = d;}) (lib.types.attrsOf lib.types.anything)); + }; + }; + + config = lib.mkIf cfg.enable { + environment.persistence."/srv" = { + hideMounts = true; + directories = + [ + "/etc/nixos" + "/var/log" + + # TODO(@bpeetz): Instead of persisting that, encode each uid/gid directly in the + # config. <2024-12-24> + "/var/lib/nixos" + ] + ++ cfg.directories; + files = [ + "/etc/machine-id" + ]; + }; + }; +} diff --git a/modules/by-name/ng/nginx/module.nix b/modules/by-name/ng/nginx/module.nix index 6a82147..9c77652 100644 --- a/modules/by-name/ng/nginx/module.nix +++ b/modules/by-name/ng/nginx/module.nix @@ -36,6 +36,9 @@ in { }; config = lib.mkIf cfg.enable { + vhack.persist.directories = [ + "/var/lib/acme" + ]; security.acme = { acceptTerms = true; defaults = { diff --git a/modules/by-name/ni/nix-sync/module.nix b/modules/by-name/ni/nix-sync/module.nix index 0a92888..de096b9 100644 --- a/modules/by-name/ni/nix-sync/module.nix +++ b/modules/by-name/ni/nix-sync/module.nix @@ -50,6 +50,15 @@ in { }; config = lib.mkIf cfg.enable { + vhack.persist.directories = [ + { + directory = "/var/lib/nix-sync"; + user = "nix-sync"; + group = "nix-sync"; + mode = "0700"; + } + ]; + services.nix-sync = { enable = true; repositories = nixSyncRepositories; diff --git a/modules/by-name/op/openssh/module.nix b/modules/by-name/op/openssh/module.nix index 30d16a6..49290b9 100644 --- a/modules/by-name/op/openssh/module.nix +++ b/modules/by-name/op/openssh/module.nix @@ -12,16 +12,40 @@ in { }; config = lib.mkIf cfg.enable { + /* + FIXME(@bpeetz): + This results in a boot error, as the `/var/lib/sshd` directory + is only mounted _after_ the stage 2 init and with it the system + activation. `agenix` needs the sshd hostkey however to decrypt the + secrets and thus we have to ensure that this directory is mounted + _before_ the system activation. Alas the only way I see to achieve + that is to store the ssh hostkey directly on /srv, which is mounted + before (it's marked as 'neededForBoot' after all). + + It should be possible to achieve this with impermanence however, + as `/var/log` is mounted in the stage 1 init; The problem is that + I have no idea _why_ only this is mounted and nothing else. + + + vhack.persist.directories = [ + { + directory = "/var/lib/sshd"; + user = "root"; + group = "root"; + mode = "0755"; + } + ]; + */ + services.openssh = { enable = true; settings.PasswordAuthentication = false; hostKeys = [ { - # See the explanation for this in /system/impermanence/mods/openssh.nix - # path = "/var/lib/sshd/ssh_host_ed25519_key"; - - # FIXME: Remove this workaround + # FIXME: Remove the dependency on `/srv` this workaround. + # See the explanation for using `/srv` above. path = "/srv/var/lib/sshd/ssh_host_ed25519_key"; + rounds = 1000; type = "ed25519"; } diff --git a/modules/by-name/po/postgresql/module.nix b/modules/by-name/po/postgresql/module.nix new file mode 100644 index 0000000..319c3ac --- /dev/null +++ b/modules/by-name/po/postgresql/module.nix @@ -0,0 +1,19 @@ +{ + config, + lib, + ... +}: let + cfg = config.vhack.postgresql; +in { + options.vhack.postgresql = { + enable = lib.mkEnableOption "postgresql"; + }; + + config = lib.mkIf cfg.enable { + vhack.persist.directories = [ + "/var/lib/postgresql" + ]; + + services.postgresql.enable = true; + }; +} |