diff --git a/hosts/ward/guests/adguardhome.nix b/hosts/ward/guests/adguardhome.nix index 36e8647..d45b15e 100644 --- a/hosts/ward/guests/adguardhome.nix +++ b/hosts/ward/guests/adguardhome.nix @@ -34,6 +34,13 @@ in { }; }; + environment.persistence."/persist".directories = [ + { + directory = "/var/lib/private/AdGuardHome"; + mode = "0700"; + } + ]; + networking.firewall = { allowedTCPPorts = [53]; allowedUDPPorts = [53]; diff --git a/hosts/ward/guests/forgejo.nix b/hosts/ward/guests/forgejo.nix index 4b5a441..35f6f92 100644 --- a/hosts/ward/guests/forgejo.nix +++ b/hosts/ward/guests/forgejo.nix @@ -61,6 +61,15 @@ in { # Recommended by forgejo: https://forgejo.org/docs/latest/admin/recommendations/#git-over-ssh services.openssh.settings.AcceptEnv = "GIT_PROTOCOL"; + environment.persistence."/persist".directories = [ + { + directory = config.services.gitea.stateDir; + user = "gitea"; + group = "gitea"; + mode = "0700"; + } + ]; + services.gitea = { enable = true; package = pkgs.forgejo; diff --git a/hosts/ward/guests/grafana.nix b/hosts/ward/guests/grafana.nix index 5b8dfa4..bdf5dc4 100644 --- a/hosts/ward/guests/grafana.nix +++ b/hosts/ward/guests/grafana.nix @@ -75,6 +75,15 @@ in { }; }; + environment.persistence."/persist".directories = [ + { + directory = config.services.grafana.dataDir; + user = "grafana"; + group = "grafana"; + mode = "0700"; + } + ]; + services.grafana = { enable = true; settings = { diff --git a/hosts/ward/guests/influxdb.nix b/hosts/ward/guests/influxdb.nix index 01038e7..deaf54c 100644 --- a/hosts/ward/guests/influxdb.nix +++ b/hosts/ward/guests/influxdb.nix @@ -68,6 +68,15 @@ in { group = "influxdb2"; }; + environment.persistence."/persist".directories = [ + { + directory = "/var/lib/influxdb2"; + user = "influxdb2"; + group = "influxdb2"; + mode = "0700"; + } + ]; + services.influxdb2 = { enable = true; settings = { diff --git a/hosts/ward/guests/kanidm.nix b/hosts/ward/guests/kanidm.nix index 637a640..cf52f31 100644 
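Review bot: In the forgejo.nix hunk the ownership is hard-coded as `user = "gitea"; group = "gitea";` while the path comes from `config.services.gitea.stateDir`; the same module exposes `services.gitea.user` and `services.gitea.group`, so take both from one place, `user = config.services.gitea.user; group = config.services.gitea.group;`, or the bind-mounted directory is chowned to the wrong account if the service user is ever changed. That directory presumably holds the repositories and `custom/conf/app.ini` with the instance secrets, so `0700` is the right mode. The enclosing `in { … }` set opens before the hunk and `services.gitea` continues past it.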
--- a/hosts/ward/guests/kanidm.nix +++ b/hosts/ward/guests/kanidm.nix @@ -80,6 +80,15 @@ in { }; }; + environment.persistence."/persist".directories = [ + { + directory = "/var/lib/kanidm"; + user = "kanidm"; + group = "kanidm"; + mode = "0700"; + } + ]; + services.kanidm = { enableServer = true; serverSettings = { diff --git a/hosts/ward/guests/loki.nix b/hosts/ward/guests/loki.nix index 08a25cf..3935f89 100644 --- a/hosts/ward/guests/loki.nix +++ b/hosts/ward/guests/loki.nix @@ -52,6 +52,15 @@ in { }; }; + environment.persistence."/persist".directories = [ + { + directory = "/var/lib/loki"; + user = "loki"; + group = "loki"; + mode = "0700"; + } + ]; + services.loki = let lokiDir = "/var/lib/loki"; in { diff --git a/hosts/ward/guests/paperless.nix b/hosts/ward/guests/paperless.nix index a95a4c2..7555485 100644 --- a/hosts/ward/guests/paperless.nix +++ b/hosts/ward/guests/paperless.nix @@ -46,6 +46,15 @@ in { }; }; + # TODO environment.persistence."/persist".directories = [ + # TODO { + # TODO directory = "/var/lib/???"; + # TODO user = "???"; + # TODO group = "???"; + # TODO mode = "0700"; + # TODO } + # TODO ]; + services.paperless = { enable = true; address = "0.0.0.0"; diff --git a/hosts/ward/guests/vaultwarden.nix b/hosts/ward/guests/vaultwarden.nix index 6f1230e..09cdeea 100644 --- a/hosts/ward/guests/vaultwarden.nix +++ b/hosts/ward/guests/vaultwarden.nix @@ -18,6 +18,15 @@ in { group = "vaultwarden"; }; + environment.persistence."/persist".directories = [ + { + directory = "/var/lib/vaultwarden"; + user = "vaultwarden"; + group = "vaultwarden"; + mode = "0700"; + } + ]; + nodes.sentinel = { networking.providedDomains.vaultwarden = vaultwardenDomain; diff --git a/hosts/zackbiene/esphome.nix b/hosts/zackbiene/esphome.nix index f911121..b42696a 100644 --- a/hosts/zackbiene/esphome.nix +++ b/hosts/zackbiene/esphome.nix 
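Review bot: In the loki.nix hunk the new entry repeats the literal `"/var/lib/loki"` that the same file binds as `lokiDir` two lines further down (`services.loki = let lokiDir = "/var/lib/loki"; in {`), so the persisted path and the path Loki is configured with can silently drift apart. Hoist `lokiDir` into the file's outer `let` (whose `in {` opens before this hunk) and write `directory = lokiDir;` here so both sites share one definition. The `services.loki` body continues past the end of the hunk.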
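Review bot: The `# TODO` block in paperless.nix leaves Paperless as the only service in this commit without a persistence entry, so on an ephemeral root its document archive, media and SQLite database are wiped on every reboot unless they live somewhere already persisted. The NixOS module exposes the location and owner as options, so the `???` placeholders can be resolved as below, assuming `config` is an argument of this file as in the sibling modules; confirm that `consumptionDir`/`mediaDir` on this host sit under `dataDir`, otherwise persist them as well. The `services.paperless` set continues past the hunk.

```nix
  environment.persistence."/persist".directories = [
    {
      directory = config.services.paperless.dataDir;
      user = config.services.paperless.user;
      # the module creates a group named after the user -- confirm on this nixpkgs revision
      group = config.services.paperless.user;
      mode = "0700";
    }
  ];
```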
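Review bot: The vaultwarden.nix entry hard-codes `/var/lib/vaultwarden`, but nothing in the hunk shows that this is the `DATA_FOLDER` the NixOS module actually uses on this nixpkgs revision (older versions of the module used `/var/lib/bitwarden_rs`, as far as I recall); if the paths differ, the RSA key that signs session tokens, attachments and the icon cache are recreated on every reboot and every user is logged out. Check `StateDirectory` of `vaultwarden.service` on the target and record it next to the path, e.g. `# DATA_FOLDER of vaultwarden.service; token-signing key and attachments live here`. If the SQLite backend is in use the database is in this directory too, so `0700` is appropriate; the `nodes.sentinel` block that follows is existing context.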
@@ -1,4 +1,11 @@ {config, ...}: { + environment.persistence."/persist".directories = [ + { + directory = "/var/lib/private/esphome"; + mode = "0700"; + } + ]; + services.esphome = { enable = true; enableUnixSocket = true; diff --git a/hosts/zackbiene/home-assistant.nix b/hosts/zackbiene/home-assistant.nix index 74f5991..3faeca5 100644 --- a/hosts/zackbiene/home-assistant.nix +++ b/hosts/zackbiene/home-assistant.nix @@ -9,6 +9,15 @@ in { meta.wireguard-proxy.sentinel.allowedTCPPorts = [80]; + environment.persistence."/persist".directories = [ + { + directory = config.services.home-assistant.configDir; + user = "hass"; + group = "hass"; + mode = "0700"; + } + ]; + services.home-assistant = { enable = true; extraComponents = [ diff --git a/modules/config/impermanence.nix b/modules/config/impermanence.nix index c847cdb..78d70e3 100644 --- a/modules/config/impermanence.nix +++ b/modules/config/impermanence.nix @@ -117,14 +117,6 @@ in { [ "/var/lib/nixos" ] - ++ optionals config.hardware.bluetooth.enable [ - { - directory = "/var/lib/bluetooth"; - #user = "acme"; - #group = "acme"; - #mode = "0755"; - } - ] ++ optionals config.security.acme.acceptTerms [ { directory = "/var/lib/acme"; @@ -139,14 +131,6 @@ in { mode = "0700"; } ] - ++ optionals config.services.fail2ban.enable [ - { - directory = "/var/lib/fail2ban"; - user = "fail2ban"; - group = "fail2ban"; - mode = "0750"; - } - ] ++ optionals config.services.postgresql.enable [ { directory = "/var/lib/postgresql"; 
@@ -154,90 +138,6 @@ in { group = "postgres"; mode = "0700"; } - ] - ++ optionals config.services.gitea.enable [ - { - directory = config.services.gitea.stateDir; - user = "gitea"; - group = "gitea"; - mode = "0700"; - } - ] - ++ optionals config.services.caddy.enable [ - { - directory = config.services.caddy.dataDir; - user = "caddy"; - group = "caddy"; - mode = "0700"; - } - ] - ++ optionals config.services.loki.enable [ - { - directory = "/var/lib/loki"; - user = "loki"; - group = "loki"; - mode = "0700"; - } - ] - ++ optionals config.services.grafana.enable [ - { - directory = config.services.grafana.dataDir; - user = "grafana"; - group = "grafana"; - mode = "0700"; - } - ] - ++ optionals config.services.kanidm.enableServer [ - { - directory = "/var/lib/kanidm"; - user = "kanidm"; - group = "kanidm"; - mode = "0700"; - } - ] - ++ optionals config.services.vaultwarden.enable [ - { - directory = "/var/lib/vaultwarden"; - user = "vaultwarden"; - group = "vaultwarden"; - mode = "0700"; - } - ] - ++ optionals config.services.influxdb2.enable [ - { - directory = "/var/lib/influxdb2"; - user = "influxdb2"; - group = "influxdb2"; - mode = "0700"; - } - ] - ++ optionals config.services.telegraf.enable [ - { - directory = "/var/lib/telegraf"; - user = "telegraf"; - group = "telegraf"; - mode = "0700"; - } - ] - ++ optionals config.services.adguardhome.enable [ - { - directory = "/var/lib/private/AdGuardHome"; - mode = "0700"; - } - ] - ++ optionals config.services.esphome.enable [ - { - directory = "/var/lib/private/esphome"; - mode = "0700"; - } - ] - ++ optionals config.services.home-assistant.enable [ - { - directory = config.services.home-assistant.configDir; - user = "hass"; - group = "hass"; - mode = "0700"; - } ]; }; } diff --git a/modules/optional/hardware/bluetooth.nix b/modules/optional/hardware/bluetooth.nix index e6fd94b..a71adbd 100644 --- a/modules/optional/hardware/bluetooth.nix +++ b/modules/optional/hardware/bluetooth.nix 
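Review bot: Of the entries removed from the central list, `caddy` (`config.services.caddy.dataDir`, `0700`) in this hunk and `fail2ban` (`/var/lib/fail2ban`, `0750`) in the previous one have no per-host replacement anywhere in this diff, while every other removed service is re-added next to its `services.*` definition. Unless they are re-added in files not shown here, hosts running Caddy lose their ACME account key, private keys and certificates on every reboot (forcing re-issuance and risking Let's Encrypt rate limits), and fail2ban bans no longer survive a reboot. Dropping the `optionals config.services.X.enable` guards also removes the coupling that made persistence follow enablement; consider an assertion in this module that fails evaluation when `config.services.caddy.enable` or `config.services.fail2ban.enable` is set without a matching entry in `config.environment.persistence."/persist".directories`, so a missing entry is caught at build time rather than after the first reboot.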
@@ -1,5 +1,8 @@ {pkgs, ...}: { environment.systemPackages = with pkgs; [bluetuith]; + environment.persistence."/persist".directories = [ + "/var/lib/bluetooth" + ]; hardware.bluetooth = { enable = true; diff --git a/modules/telegraf.nix b/modules/telegraf.nix index bfeeb97..cb4271e 100644 --- a/modules/telegraf.nix +++ b/modules/telegraf.nix @@ -177,6 +177,15 @@ in { ''; }; + environment.persistence."/persist".directories = [ + { + directory = "/var/lib/telegraf"; + user = "telegraf"; + group = "telegraf"; + mode = "0700"; + } + ]; + systemd.services.telegraf = { path = [ # Make sensors refer to the correct wrapper
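Review bot: The bare string `"/var/lib/bluetooth"` in bluetooth.nix persists the directory with impermanence's defaults (root-owned and, presumably, `0755`), yet this is where bluetoothd stores the pairing link keys/LTKs of every bonded device, a directory the daemon itself keeps root-only as far as I know. The central entry this replaces had its `mode` commented out, so the looser permissions are inherited silently; use the attrset form `{ directory = "/var/lib/bluetooth"; mode = "0700"; }` to match every other entry in this commit. The `hardware.bluetooth` set continues past the hunk.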