refactor: added flake parts

2026-04-06 22:18:17 -05:00 · 2026-04-06 22:18:17 -05:00 · 88041e86bd
commit 88041e86bd
parent db7ac35613
66 changed files with 3538 additions and 2163 deletions
--- a/modules/hosts/nixos/defiant/legacy-impermanence.nix
+++ b/modules/hosts/nixos/defiant/legacy-impermanence.nix
@ -0,0 +1,298 @@
+{...}: {
+  # Legacy impermanence module for defiant
+  # See legacy-storage.nix for the full incremental migration plan.
+  #
+  # This file is consumed in two phases:
+  #
+  # Phase 3 (after generateBase is enabled):
+  #   Remove the SYSTEM-LEVEL entries marked [PHASE 3] below. These will be
+  #   handled automatically by storage.nix, ssh.nix, and the impermanence module:
+  #     - var-lib-private-permissions activation script
+  #     - /etc/machine-id
+  #     - SSH host keys
+  #     - /var/lib/nixos
+  #     - /var/lib/systemd/coredump
+  #     - /persist/system/var/log persistence block
+  #
+  # Phase 4 (migrate services one at a time, any order):
+  #   For each service:
+  #     1. Remove the service's section marked [PHASE 4] from this file
+  #     2. Remove `impermanence.enable = false` for that service in configuration.nix
+  #   For jellyfin/qbittorrent, also remove the separate media persistence blocks.
+  #
+  # Phase 5: Delete this file once empty.
+  flake.nixosModules.defiantLegacyImpermanence = {
+    config,
+    lib,
+    ...
+  }: {
+    config = lib.mkIf config.storage.impermanence.enable {
+      # [PHASE 3] Remove this activation script after enabling generateBase
+      system.activationScripts = {
+        "var-lib-private-permissions" = {
+          deps = ["specialfs"];
+          text = ''
+            mkdir -p /persist/system/root/var/lib/private
+            chmod 0700 /persist/system/root/var/lib/private
+          '';
+        };
+      };
+
+      environment.persistence."/persist/system/root" = {
+        enable = true;
+        hideMounts = true;
+        # [PHASE 3] Remove this files block after enabling generateBase
+        files = lib.mkMerge [
+          ["/etc/machine-id"]
+          # SSH host keys
+          (lib.mkIf config.services.openssh.enable (
+            lib.lists.flatten (
+              builtins.map (hostKey: [
+                hostKey.path
+                "${hostKey.path}.pub"
+              ])
+              config.services.openssh.hostKeys
+            )
+          ))
+        ];
+        directories = lib.mkMerge [
+          # [PHASE 3] Remove these system directories after enabling generateBase
+          [
+            "/var/lib/nixos"
+            "/var/lib/systemd/coredump"
+          ]
+
+          # [PHASE 4] PostgreSQL
+          (lib.mkIf config.services.postgresql.enable [
+            {
+              directory = "/var/lib/postgresql/16";
+              user = "postgres";
+              group = "postgres";
+            }
+          ])
+
+          # [PHASE 4] Reverse Proxy (ACME)
+          (lib.mkIf config.services.reverseProxy.enable [
+            {
+              directory = "/var/lib/acme";
+              user = "acme";
+              group = "acme";
+            }
+          ])
+
+          # [PHASE 4] Ollama
+          (lib.mkIf config.services.ollama.enable [
+            {
+              directory = "/var/lib/private/ollama";
+              user = config.services.ollama.user;
+              group = config.services.ollama.group;
+              mode = "0700";
+            }
+          ])
+
+          # [PHASE 4] Tailscale
+          (lib.mkIf config.services.tailscale.enable [
+            {
+              directory = "/var/lib/tailscale";
+              user = "root";
+              group = "root";
+            }
+          ])
+
+          # [PHASE 4] Syncthing
+          (lib.mkIf config.services.syncthing.enable [
+            {
+              directory = "/mnt/sync";
+              user = "syncthing";
+              group = "syncthing";
+            }
+            {
+              directory = "/etc/syncthing";
+              user = "syncthing";
+              group = "syncthing";
+            }
+          ])
+
+          # [PHASE 4] Fail2ban
+          (lib.mkIf config.services.fail2ban.enable [
+            {
+              directory = "/var/lib/fail2ban";
+              user = "fail2ban";
+              group = "fail2ban";
+            }
+          ])
+
+          # [PHASE 4] Jellyfin (data/cache only - media is on separate dataset)
+          (lib.mkIf config.services.jellyfin.enable [
+            {
+              directory = "/var/lib/jellyfin";
+              user = "jellyfin";
+              group = "jellyfin";
+            }
+            {
+              directory = "/var/cache/jellyfin";
+              user = "jellyfin";
+              group = "jellyfin";
+            }
+          ])
+
+          # [PHASE 4] Immich
+          (lib.mkIf config.services.immich.enable [
+            {
+              directory = "/var/lib/immich";
+              user = "immich";
+              group = "immich";
+            }
+          ])
+
+          # [PHASE 4] Forgejo
+          (lib.mkIf config.services.forgejo.enable [
+            {
+              directory = "/var/lib/forgejo";
+              user = "forgejo";
+              group = "forgejo";
+            }
+          ])
+
+          # [PHASE 4] Actual
+          (lib.mkIf config.services.actual.enable [
+            {
+              directory = "/var/lib/private/actual";
+              user = "actual";
+              group = "actual";
+            }
+          ])
+
+          # [PHASE 4] Home Assistant
+          (lib.mkIf config.services.home-assistant.enable [
+            {
+              directory = "/var/lib/hass";
+              user = "hass";
+              group = "hass";
+            }
+          ])
+
+          # [PHASE 4] Paperless
+          (lib.mkIf config.services.paperless.enable [
+            {
+              directory = "/var/lib/paperless";
+              user = "paperless";
+              group = "paperless";
+            }
+          ])
+
+          # [PHASE 4] Crab-hole
+          (lib.mkIf config.services.crab-hole.enable [
+            {
+              directory = "/var/lib/private/crab-hole";
+              user = "crab-hole";
+              group = "crab-hole";
+            }
+          ])
+
+          # [PHASE 4] qBittorrent (config only - media is on separate dataset)
+          (lib.mkIf config.services.qbittorrent.enable [
+            {
+              directory = "/var/lib/qBittorrent/";
+              user = "qbittorrent";
+              group = "qbittorrent";
+            }
+          ])
+
+          # [PHASE 4] Sonarr
+          (lib.mkIf config.services.sonarr.enable [
+            {
+              directory = "/var/lib/sonarr/.config/NzbDrone";
+              user = "sonarr";
+              group = "sonarr";
+            }
+          ])
+
+          # [PHASE 4] Radarr
+          (lib.mkIf config.services.radarr.enable [
+            {
+              directory = "/var/lib/radarr/.config/Radarr";
+              user = "radarr";
+              group = "radarr";
+            }
+          ])
+
+          # [PHASE 4] Bazarr
+          (lib.mkIf config.services.bazarr.enable [
+            {
+              directory = "/var/lib/bazarr";
+              user = "bazarr";
+              group = "bazarr";
+            }
+          ])
+
+          # [PHASE 4] Lidarr
+          (lib.mkIf config.services.lidarr.enable [
+            {
+              directory = "/var/lib/lidarr/.config/Lidarr";
+              user = "lidarr";
+              group = "lidarr";
+            }
+          ])
+
+          # [PHASE 4] Jackett
+          (lib.mkIf config.services.jackett.enable [
+            {
+              directory = "/var/lib/jackett/.config/Jackett";
+              user = "jackett";
+              group = "jackett";
+            }
+          ])
+
+          # [PHASE 4] FlareSolverr
+          (lib.mkIf config.services.flaresolverr.enable [
+            {
+              directory = "/var/lib/flaresolverr";
+              user = "flaresolverr";
+              group = "flaresolverr";
+            }
+          ])
+        ];
+      };
+
+      # [PHASE 4 - LAST] Jellyfin media on separate dataset
+      # Requires Phase 2 media dataset merge before migrating (several days of data copy)
+      environment.persistence."/persist/system/jellyfin" = lib.mkIf config.services.jellyfin.enable {
+        enable = true;
+        hideMounts = true;
+        directories = [
+          {
+            directory = config.services.jellyfin.media_directory;
+            user = "jellyfin";
+            group = "jellyfin_media";
+            mode = "1770";
+          }
+        ];
+      };
+
+      # [PHASE 4 - LAST] qBittorrent media on separate dataset
+      # Requires Phase 2 media dataset merge before migrating (several days of data copy)
+      environment.persistence."/persist/system/qbittorrent" = lib.mkIf config.services.qbittorrent.enable {
+        enable = true;
+        hideMounts = true;
+        directories = [
+          {
+            directory = config.services.qbittorrent.mediaDir;
+            user = "qbittorrent";
+            group = "qbittorrent";
+            mode = "1775";
+          }
+        ];
+      };
+
+      # [PHASE 3] /var/log persistence - handled by storage.nix after generateBase
+      environment.persistence."/persist/system/var/log" = {
+        enable = true;
+        hideMounts = true;
+        directories = [
+          "/var/log"
+        ];
+      };
+    };
+  };
+}