feat: moved services over to using the new storage datasets

Leyla Becker 2025-11-15 16:37:10 -06:00
parent 757a3892e1
commit c2701ea8f0
23 changed files with 281 additions and 606 deletions


@ -10,40 +10,28 @@
}; };
}; };
config = lib.mkIf config.services.ollama.enable ( config = lib.mkIf (config.services.ollama.enable) {
lib.mkMerge [ storage.datasets.replicate."system/root" = {
(lib.mkIf config.storage.zfs.enable (lib.mkMerge [ directories."/var/lib/private/ollama" = lib.mkIf config.services.ollama.impermanence.enable {
{ enable = true;
# Ollama needs persistent storage for models and configuration owner.name = config.services.ollama.user;
} group.name = config.services.ollama.group;
(lib.mkIf (!config.services.ollama.impermanence.enable) { owner.permissions = {
# TODO: placeholder to configure a unique dataset for this service read = true;
}) write = true;
(lib.mkIf config.services.ollama.impermanence.enable { execute = false;
storage.impermanence.datasets."persist/replicate/system/root" = { };
directories."/var/lib/private/ollama" = { group.permissions = {
enable = true; read = false;
owner.name = config.services.ollama.user; write = false;
group.name = config.services.ollama.group; execute = false;
owner.permissions = { };
read = true; other.permissions = {
write = true; read = false;
execute = false; write = false;
}; execute = false;
group.permissions = { };
read = false; };
write = false; };
execute = false; };
};
other.permissions = {
read = false;
write = false;
execute = false;
};
};
};
})
]))
]
);
} }
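Review bot: The owner permission block for `/var/lib/private/ollama` sets `execute = false`, which on a directory removes the search bit and would stop the ollama user from entering its own state directory; unless the storage module applies these bits to files only (not visible here), the owner block should read `read = true; write = true; execute = true;`. The rewrite also drops the `lib.mkIf config.storage.zfs.enable` guard that wrapped the old block, so the `storage.datasets.replicate` entry is now declared on non-ZFS hosts too — confirm the new module tolerates that. Since `/var/lib/private` is only meaningful for a `DynamicUser` unit, an assertion on `config.systemd.services.ollama.serviceConfig.DynamicUser or false`, as the actual module had, would catch a mismatch at eval time.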


@ -11,31 +11,12 @@ in {
default = config.services.actual.enable && config.storage.impermanence.enable; default = config.services.actual.enable && config.storage.impermanence.enable;
}; };
config = lib.mkIf config.services.actual.enable (lib.mkMerge [ config = lib.mkIf config.services.actual.enable {
(lib.mkIf config.storage.zfs.enable (lib.mkMerge [ storage.datasets.replicate."system/root" = {
{ directories."${dataDirectory}" = lib.mkIf config.services.actual.impermanence.enable {
assertions = [ owner.name = "actual";
{ group.name = "actual";
assertion = config.services.actual.settings.dataDir == dataDirectory; };
message = "actual data location does not match persistence\nconfig directory: ${config.services.actual.settings.dataDir}\npersistence directory: ${dataDirectory}"; };
} };
{
assertion = config.systemd.services.actual.serviceConfig.DynamicUser or false;
message = "actual systemd service must have DynamicUser enabled to use private directory";
}
];
}
(lib.mkIf (!config.services.actual.impermanence.enable) {
# TODO: placeholder to configure a unique dataset for this service
})
(lib.mkIf config.services.actual.impermanence.enable {
storage.impermanence.datasets."persist/replicate/system/root" = {
directories."${dataDirectory}" = {
owner.name = "actual";
group.name = "actual";
};
};
})
]))
]);
} }
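Review bot: The two assertions that guarded this entry — `services.actual.settings.dataDir == dataDirectory` and `systemd.services.actual.serviceConfig.DynamicUser` — are dropped on the new side with nothing replacing them, so an upstream change to the default dataDir or a user override would leave the service writing to an unpersisted path and losing its state on every reboot. Restore them beside the dataset entry, e.g. `assertions = [{ assertion = config.services.actual.settings.dataDir == dataDirectory; message = "actual data location does not match persistence"; }];`, and keep the DynamicUser check since the `/var/lib/private` path only exists under DynamicUser.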


@ -10,27 +10,12 @@ in {
default = config.services.bazarr.enable && config.storage.impermanence.enable; default = config.services.bazarr.enable && config.storage.impermanence.enable;
}; };
config = lib.mkIf config.services.bazarr.enable (lib.mkMerge [ config = lib.mkIf config.services.bazarr.enable {
(lib.mkIf config.storage.zfs.enable (lib.mkMerge [ storage.datasets.replicate."system/root" = {
{ directories."${bazarr_data_directory}" = lib.mkIf config.services.bazarr.impermanence.enable {
assertions = [ owner.name = "bazarr";
{ group.name = "bazarr";
assertion = config.services.bazarr.dataDir == bazarr_data_directory; };
message = "bazarr data directory does not match persistence"; };
} };
];
}
(lib.mkIf (!config.services.bazarr.impermanence.enable) {
# TODO: placeholder to configure a unique dataset for this service
})
(lib.mkIf config.services.bazarr.impermanence.enable {
storage.impermanence.datasets."persist/replicate/system/root" = {
directories."${bazarr_data_directory}" = {
owner.name = "bazarr";
group.name = "bazarr";
};
};
})
]))
]);
} }
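Review bot: The assertion tying `config.services.bazarr.dataDir` to `bazarr_data_directory` is removed, so drift between the persisted path and the directory the service actually uses now fails silently (state wiped on reboot) instead of at evaluation. Re-add `assertions = [{ assertion = config.services.bazarr.dataDir == bazarr_data_directory; message = "bazarr data directory does not match persistence"; }];` inside the config attrset.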


@ -10,28 +10,12 @@ in {
default = config.services.crab-hole.enable && config.storage.impermanence.enable; default = config.services.crab-hole.enable && config.storage.impermanence.enable;
}; };
config = lib.mkIf config.services.crab-hole.enable (lib.mkMerge [ config = lib.mkIf config.services.crab-hole.enable {
(lib.mkIf config.storage.zfs.enable (lib.mkMerge [ storage.datasets.replicate."system/root" = {
{ directories."${workingDirectory}" = lib.mkIf config.services.crab-hole.impermanence.enable {
assertions = [ owner.name = "crab-hole";
{ group.name = "crab-hole";
assertion = };
config.systemd.services.crab-hole.serviceConfig.WorkingDirectory == (builtins.replaceStrings ["/private"] [""] workingDirectory); };
message = "crab-hole working directory does not match persistence"; };
}
];
}
(lib.mkIf (!config.services.crab-hole.impermanence.enable) {
# TODO: placeholder to configure a unique dataset for this service
})
(lib.mkIf config.services.crab-hole.impermanence.enable {
storage.impermanence.datasets."persist/replicate/system/root" = {
directories."${workingDirectory}" = {
owner.name = "crab-hole";
group.name = "crab-hole";
};
};
})
]))
]);
} }
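Review bot: The check that the unit's `WorkingDirectory` equals `workingDirectory` with `/private` stripped is gone, and since the persisted path and the unit's working directory are derived separately, their agreement now rests on convention alone. Keep the assertion next to the dataset entry — `assertion = config.systemd.services.crab-hole.serviceConfig.WorkingDirectory == (builtins.replaceStrings ["/private"] [""] workingDirectory);` — so a mismatch surfaces at eval time rather than as an empty working directory after reboot.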


@ -11,27 +11,12 @@ in {
default = config.services.fail2ban.enable && config.storage.impermanence.enable; default = config.services.fail2ban.enable && config.storage.impermanence.enable;
}; };
config = lib.mkIf config.services.fail2ban.enable (lib.mkMerge [ config = lib.mkIf config.services.fail2ban.enable {
(lib.mkIf config.storage.zfs.enable (lib.mkMerge [ storage.datasets.replicate."system/root" = {
{ directories."${dataFolder}" = lib.mkIf config.services.fail2ban.impermanence.enable {
assertions = [ owner.name = "fail2ban";
{ group.name = "fail2ban";
assertion = config.services.fail2ban.daemonSettings.Definition.dbfile == "${dataFolder}/${dataFile}"; };
message = "fail2ban data file does not match persistence"; };
} };
];
}
(lib.mkIf (!config.services.fail2ban.impermanence.enable) {
# TODO: placeholder to configure a unique dataset for this service
})
(lib.mkIf config.services.fail2ban.impermanence.enable {
storage.impermanence.datasets."persist/replicate/system/root" = {
directories."${dataFolder}" = {
owner.name = "fail2ban";
group.name = "fail2ban";
};
};
})
]))
]);
} }
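Review bot: With the `dbfile == "${dataFolder}/${dataFile}"` assertion removed, nothing ensures the ban database fail2ban writes is the file being persisted; if the two diverge, ban state resets on every reboot, weakening the control exactly when the host is rebuilt. Restore `assertions = [{ assertion = config.services.fail2ban.daemonSettings.Definition.dbfile == "${dataFolder}/${dataFile}"; message = "fail2ban data file does not match persistence"; }];`.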


@ -8,19 +8,12 @@
default = config.services.flaresolverr.enable && config.storage.impermanence.enable; default = config.services.flaresolverr.enable && config.storage.impermanence.enable;
}; };
config = lib.mkIf config.services.flaresolverr.enable (lib.mkMerge [ config = lib.mkIf config.services.flaresolverr.enable {
(lib.mkIf config.storage.zfs.enable (lib.mkMerge [ storage.datasets.replicate."system/root" = {
(lib.mkIf (!config.services.flaresolverr.impermanence.enable) { directories."/var/lib/flaresolverr" = lib.mkIf config.services.flaresolverr.impermanence.enable {
# TODO: placeholder to configure a unique dataset for this service owner.name = "flaresolverr";
}) group.name = "flaresolverr";
(lib.mkIf config.services.flaresolverr.impermanence.enable { };
storage.impermanence.datasets."persist/replicate/system/root" = { };
directories."/var/lib/flaresolverr" = { };
owner.name = "flaresolverr";
group.name = "flaresolverr";
};
};
})
]))
]);
} }


@ -10,27 +10,12 @@ in {
default = config.services.forgejo.enable && config.storage.impermanence.enable; default = config.services.forgejo.enable && config.storage.impermanence.enable;
}; };
config = lib.mkIf config.services.forgejo.enable (lib.mkMerge [ config = lib.mkIf config.services.forgejo.enable {
(lib.mkIf config.storage.zfs.enable (lib.mkMerge [ storage.datasets.replicate."system/root" = {
{ directories."${stateDir}" = lib.mkIf config.services.forgejo.impermanence.enable {
assertions = [ owner.name = "forgejo";
{ group.name = "forgejo";
assertion = config.services.forgejo.stateDir == stateDir; };
message = "forgejo state directory does not match persistence"; };
} };
];
}
(lib.mkIf (!config.services.forgejo.impermanence.enable) {
# TODO: placeholder to configure a unique dataset for this service
})
(lib.mkIf config.services.forgejo.impermanence.enable {
storage.impermanence.datasets."persist/replicate/system/root" = {
directories."${stateDir}" = {
owner.name = "forgejo";
group.name = "forgejo";
};
};
})
]))
]);
} }
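Review bot: The `services.forgejo.stateDir == stateDir` assertion is dropped, so the persisted directory and the one forgejo actually uses are no longer checked against each other; the state directory is where forgejo keeps its secrets and repositories (presumably — confirm), so silently unpersisted state here means both data loss and rotated secrets on reboot. Re-add `assertions = [{ assertion = config.services.forgejo.stateDir == stateDir; message = "forgejo state directory does not match persistence"; }];`.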


@ -10,27 +10,12 @@ in {
default = config.services.home-assistant.enable && config.storage.impermanence.enable; default = config.services.home-assistant.enable && config.storage.impermanence.enable;
}; };
config = lib.mkIf config.services.home-assistant.enable (lib.mkMerge [ config = lib.mkIf config.services.home-assistant.enable {
(lib.mkIf config.storage.zfs.enable (lib.mkMerge [ storage.datasets.replicate."system/root" = {
{ directories."${configDir}" = lib.mkIf config.services.home-assistant.impermanence.enable {
assertions = [ owner.name = "hass";
{ group.name = "hass";
assertion = config.services.home-assistant.configDir == configDir; };
message = "home assistant config directory does not match persistence"; };
} };
];
}
(lib.mkIf (!config.services.home-assistant.impermanence.enable) {
# TODO: placeholder to configure a unique dataset for this service
})
(lib.mkIf config.services.home-assistant.impermanence.enable {
storage.impermanence.datasets."persist/replicate/system/root" = {
directories."${configDir}" = {
owner.name = "hass";
group.name = "hass";
};
};
})
]))
]);
} }
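Review bot: The `configDir` equality assertion was removed without replacement, so a Home Assistant configDir that differs from `${configDir}` would be wiped on each reboot together with its `.storage` credentials (assuming they live there — confirm). Restore `assertions = [{ assertion = config.services.home-assistant.configDir == configDir; message = "home assistant config directory does not match persistence"; }];`.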


@ -10,27 +10,12 @@ in {
default = config.services.immich.enable && config.storage.impermanence.enable; default = config.services.immich.enable && config.storage.impermanence.enable;
}; };
config = lib.mkIf config.services.immich.enable (lib.mkMerge [ config = lib.mkIf config.services.immich.enable {
(lib.mkIf config.storage.zfs.enable (lib.mkMerge [ storage.datasets.replicate."system/root" = {
{ directories."${mediaLocation}" = lib.mkIf config.services.immich.impermanence.enable {
assertions = [ owner.name = "immich";
{ group.name = "immich";
assertion = config.services.immich.mediaLocation == mediaLocation; };
message = "immich media location does not match persistence"; };
} };
];
}
(lib.mkIf (!config.services.immich.impermanence.enable) {
# TODO: placeholder to configure a unique dataset for this service
})
(lib.mkIf config.services.immich.impermanence.enable {
storage.impermanence.datasets."persist/replicate/system/root" = {
directories."${mediaLocation}" = {
owner.name = "immich";
group.name = "immich";
};
};
})
]))
]);
} }
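Review bot: The `mediaLocation == mediaLocation` assertion is gone, so the persisted path is no longer pinned to what immich is configured to write; for a media library that is an unrecoverable loss if the two drift. Re-add `assertions = [{ assertion = config.services.immich.mediaLocation == mediaLocation; message = "immich media location does not match persistence"; }];`.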


@ -10,27 +10,12 @@ in {
default = config.services.jackett.enable && config.storage.impermanence.enable; default = config.services.jackett.enable && config.storage.impermanence.enable;
}; };
config = lib.mkIf config.services.jackett.enable (lib.mkMerge [ config = lib.mkIf config.services.jackett.enable {
(lib.mkIf config.storage.zfs.enable (lib.mkMerge [ storage.datasets.replicate."system/root" = {
{ directories."${jackett_data_directory}" = lib.mkIf config.services.jackett.impermanence.enable {
assertions = [ owner.name = "jackett";
{ group.name = "jackett";
assertion = config.services.jackett.dataDir == jackett_data_directory; };
message = "jackett data directory does not match persistence"; };
} };
];
}
(lib.mkIf (!config.services.jackett.impermanence.enable) {
# TODO: placeholder to configure a unique dataset for this service
})
(lib.mkIf config.services.jackett.impermanence.enable {
storage.impermanence.datasets."persist/replicate/system/root" = {
directories."${jackett_data_directory}" = {
owner.name = "jackett";
group.name = "jackett";
};
};
})
]))
]);
} }
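Review bot: The removed `config.services.jackett.dataDir == jackett_data_directory` check is not replaced by anything in the new block, so the persistence entry can silently point somewhere jackett does not write. Re-add `assertions = [{ assertion = config.services.jackett.dataDir == jackett_data_directory; message = "jackett data directory does not match persistence"; }];`.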


@ -11,66 +11,47 @@ in {
default = config.services.jellyfin.enable && config.storage.impermanence.enable; default = config.services.jellyfin.enable && config.storage.impermanence.enable;
}; };
config = lib.mkIf config.services.jellyfin.enable (lib.mkMerge [ config = lib.mkIf config.services.jellyfin.enable {
(lib.mkIf config.storage.zfs.enable (lib.mkMerge [ storage.datasets.replicate = {
{ "system/root" = {
assertions = [ directories = {
{ "${jellyfin_data_directory}" = lib.mkIf config.services.jellyfin.impermanence.enable {
assertion = config.services.jellyfin.dataDir == jellyfin_data_directory; enable = true;
message = "jellyfin data directory does not match persistence"; owner.name = "jellyfin";
} group.name = "jellyfin";
{
assertion = config.services.jellyfin.cacheDir == jellyfin_cache_directory;
message = "jellyfin cache directory does not match persistence";
}
];
}
(lib.mkIf (!config.services.jellyfin.impermanence.enable) {
# TODO: placeholder to configure a unique dataset for this service
})
(lib.mkIf config.services.jellyfin.impermanence.enable {
storage.impermanence.datasets = {
"persist/replicate/system/root" = {
directories = {
"${jellyfin_data_directory}" = {
enable = true;
owner.name = "jellyfin";
group.name = "jellyfin";
};
"${jellyfin_cache_directory}" = {
enable = true;
owner.name = "jellyfin";
group.name = "jellyfin";
};
};
}; };
"persist/replicate/system/jellyfin" = { "${jellyfin_cache_directory}" = lib.mkIf config.services.jellyfin.impermanence.enable {
atime = "off"; enable = true;
relatime = "off"; owner.name = "jellyfin";
group.name = "jellyfin";
directories."${config.services.jellyfin.media_directory}" = {
enable = true;
owner.name = "jellyfin";
group.name = "jellyfin_media";
owner.permissions = {
read = true;
write = true;
execute = true;
};
group.permissions = {
read = true;
write = true;
execute = true;
};
other.permissions = {
read = false;
write = false;
execute = false;
};
};
}; };
}; };
}) };
])) "system/jellyfin" = {
]); atime = "off";
relatime = "off";
directories."${config.services.jellyfin.media_directory}" = lib.mkIf config.services.jellyfin.impermanence.enable {
enable = true;
owner.name = "jellyfin";
group.name = "jellyfin_media";
owner.permissions = {
read = true;
write = true;
execute = true;
};
group.permissions = {
read = true;
write = true;
execute = true;
};
other.permissions = {
read = false;
write = false;
execute = false;
};
};
};
};
};
} }
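Review bot: Both the `dataDir` and `cacheDir` assertions are dropped, and the `system/jellyfin` dataset with its `atime`/`relatime` settings is now declared whenever jellyfin is enabled rather than only under the impermanence and `storage.zfs.enable` guards the old block sat inside — confirm that widening is intended. The media directory grants `jellyfin_media` rwx and `other` nothing, which reads as deliberate, but with nothing pinning `dataDir`/`cacheDir` to the persisted paths a drift there loses the library database on reboot. Restore the two assertions (`config.services.jellyfin.dataDir == jellyfin_data_directory` and `config.services.jellyfin.cacheDir == jellyfin_cache_directory`) alongside the dataset block.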


@ -10,27 +10,12 @@ in {
default = config.services.lidarr.enable && config.storage.impermanence.enable; default = config.services.lidarr.enable && config.storage.impermanence.enable;
}; };
config = lib.mkIf config.services.lidarr.enable (lib.mkMerge [ config = lib.mkIf config.services.lidarr.enable {
(lib.mkIf config.storage.zfs.enable (lib.mkMerge [ storage.datasets.replicate."system/root" = {
{ directories."${lidarr_data_directory}" = lib.mkIf config.services.lidarr.impermanence.enable {
assertions = [ owner.name = "lidarr";
{ group.name = "lidarr";
assertion = config.services.lidarr.dataDir == lidarr_data_directory; };
message = "lidarr data directory does not match persistence"; };
} };
];
}
(lib.mkIf (!config.services.lidarr.impermanence.enable) {
# TODO: placeholder to configure a unique dataset for this service
})
(lib.mkIf config.services.lidarr.impermanence.enable {
storage.impermanence.datasets."persist/replicate/system/root" = {
directories."${lidarr_data_directory}" = {
owner.name = "lidarr";
group.name = "lidarr";
};
};
})
]))
]);
} }
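Review bot: The `config.services.lidarr.dataDir == lidarr_data_directory` assertion is removed with no replacement, so the persisted path is no longer verified against the service's configured data directory. Re-add `assertions = [{ assertion = config.services.lidarr.dataDir == lidarr_data_directory; message = "lidarr data directory does not match persistence"; }];`.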


@ -8,26 +8,12 @@
default = config.services.panoramax.enable && config.storage.impermanence.enable; default = config.services.panoramax.enable && config.storage.impermanence.enable;
}; };
config = lib.mkIf config.services.panoramax.enable (lib.mkMerge [ config = lib.mkIf config.services.panoramax.enable {
(lib.mkIf config.storage.zfs.enable (lib.mkMerge [ storage.datasets.replicate."system/root" = {
{ directories."/var/lib/panoramax" = lib.mkIf config.services.panoramax.impermanence.enable {
# TODO: configure impermanence for panoramax data owner.name = "panoramax";
# This would typically include directories like: group.name = "panoramax";
# - /var/lib/panoramax };
# - panoramax storage directories };
# - any cache or temporary directories that need to persist };
}
(lib.mkIf (!config.services.panoramax.impermanence.enable) {
# TODO: placeholder to configure a unique dataset for this service
})
(lib.mkIf config.services.panoramax.impermanence.enable {
storage.impermanence.datasets."persist/replicate/system/root" = {
directories."/var/lib/panoramax" = {
owner.name = "panoramax";
group.name = "panoramax";
};
};
})
]))
]);
} }
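Review bot: The persisted path `/var/lib/panoramax` is hard-coded rather than read from the panoramax module's configuration, and the removed TODO listing the storage and cache directories that may also need persistence was the only record of that gap. Keep a one-line reminder such as `# TODO: panoramax storage/cache directories are not yet persisted` beside the entry so the incomplete coverage stays visible, and derive the path from the service option if the module exposes one.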


@ -10,27 +10,12 @@ in {
default = config.services.paperless.enable && config.storage.impermanence.enable; default = config.services.paperless.enable && config.storage.impermanence.enable;
}; };
config = lib.mkIf config.services.paperless.enable (lib.mkMerge [ config = lib.mkIf config.services.paperless.enable {
(lib.mkIf config.storage.zfs.enable (lib.mkMerge [ storage.datasets.replicate."system/root" = {
{ directories."${dataDir}" = lib.mkIf config.services.paperless.impermanence.enable {
assertions = [ owner.name = "paperless";
{ group.name = "paperless";
assertion = config.services.paperless.dataDir == dataDir; };
message = "paperless data location does not match persistence"; };
} };
];
}
(lib.mkIf (!config.services.paperless.impermanence.enable) {
# TODO: placeholder to configure a unique dataset for this service
})
(lib.mkIf config.services.paperless.impermanence.enable {
storage.impermanence.datasets."persist/replicate/system/root" = {
directories."${dataDir}" = {
owner.name = "paperless";
group.name = "paperless";
};
};
})
]))
]);
} }
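Review bot: The `services.paperless.dataDir == dataDir` assertion is dropped, so the persisted directory is no longer tied to where paperless actually stores documents and its database; drift here is silent data loss on reboot. Restore `assertions = [{ assertion = config.services.paperless.dataDir == dataDir; message = "paperless data location does not match persistence"; }];`.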


@ -10,27 +10,12 @@ in {
default = config.services.postgresql.enable && config.storage.impermanence.enable; default = config.services.postgresql.enable && config.storage.impermanence.enable;
}; };
config = lib.mkIf config.services.postgresql.enable (lib.mkMerge [ config = lib.mkIf config.services.postgresql.enable {
(lib.mkIf config.storage.zfs.enable (lib.mkMerge [ storage.datasets.replicate."system/root" = {
{ directories."${dataDir}" = lib.mkIf config.services.postgresql.impermanence.enable {
assertions = [ owner.name = "postgres";
{ group.name = "postgres";
assertion = config.services.postgresql.dataDir == dataDir; };
message = "postgres data directory does not match persistence"; };
} };
];
}
(lib.mkIf (!config.services.postgresql.impermanence.enable) {
# TODO: placeholder to configure a unique dataset for this service
})
(lib.mkIf config.services.postgresql.impermanence.enable {
storage.impermanence.datasets."persist/replicate/system/root" = {
directories."${dataDir}" = {
owner.name = "postgres";
group.name = "postgres";
};
};
})
]))
]);
} }
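Review bot: Dropping `services.postgresql.dataDir == dataDir` is the riskiest of the removed checks: the PostgreSQL data directory is normally versioned by major release (confirm for this module), so a package upgrade changes `dataDir` and the persisted path silently stops matching, initialising an empty cluster on the next boot. Restore `assertions = [{ assertion = config.services.postgresql.dataDir == dataDir; message = "postgres data directory does not match persistence"; }];`.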


@ -10,53 +10,35 @@ in {
default = config.services.qbittorrent.enable && config.storage.impermanence.enable; default = config.services.qbittorrent.enable && config.storage.impermanence.enable;
}; };
config = lib.mkIf config.services.qbittorrent.enable (lib.mkMerge [ config = lib.mkIf config.services.qbittorrent.enable {
(lib.mkIf config.storage.zfs.enable (lib.mkMerge [ storage.datasets.replicate = {
{ "system/root" = {
assertions = [ directories."${qbittorent_profile_directory}" = lib.mkIf config.services.qbittorrent.impermanence.enable {
{ owner.name = "qbittorrent";
assertion = config.services.qbittorrent.profileDir == qbittorent_profile_directory; group.name = "qbittorrent";
message = "qbittorrent data directory does not match persistence"; };
} };
]; "system/qbittorrent" = {
} directories."${config.services.qbittorrent.mediaDir}" = lib.mkIf config.services.qbittorrent.impermanence.enable {
(lib.mkIf (!config.services.qbittorrent.impermanence.enable) { owner.name = "qbittorrent";
# TODO: placeholder to configure a unique dataset for this service group.name = "qbittorrent";
}) owner.permissions = {
( read = true;
lib.mkIf config.services.qbittorrent.impermanence.enable write = true;
{ execute = true;
storage.impermanence.datasets = {
"persist/replicate/system/root" = {
directories."${qbittorent_profile_directory}" = {
owner.name = "qbittorrent";
group.name = "qbittorrent";
};
};
"persist/replicate/system/qbittorrent" = {
directories."${config.services.qbittorrent.mediaDir}" = {
owner.name = "qbittorrent";
group.name = "qbittorrent";
owner.permissions = {
read = true;
write = true;
execute = true;
};
group.permissions = {
read = true;
write = true;
execute = true;
};
other.permissions = {
read = true;
write = false;
execute = true;
};
};
};
}; };
} group.permissions = {
) read = true;
])) write = true;
]); execute = true;
};
other.permissions = {
read = true;
write = false;
execute = true;
};
};
};
};
};
} }
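Review bot: The `profileDir == qbittorent_profile_directory` assertion is gone, and `mediaDir` under `system/qbittorrent` keeps `other = r-x`, so downloads are readable by every local account — unchanged from before, but worth confirming it is deliberate now that the block is being rewritten. Restore `assertions = [{ assertion = config.services.qbittorrent.profileDir == qbittorent_profile_directory; message = "qbittorrent data directory does not match persistence"; }];`, and if world readability is not needed set `other.permissions = { read = false; write = false; execute = false; };`.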


@ -10,27 +10,12 @@ in {
default = config.services.radarr.enable && config.storage.impermanence.enable; default = config.services.radarr.enable && config.storage.impermanence.enable;
}; };
config = lib.mkIf config.services.radarr.enable (lib.mkMerge [ config = lib.mkIf config.services.radarr.enable {
(lib.mkIf config.storage.zfs.enable (lib.mkMerge [ storage.datasets.replicate."system/root" = {
{ directories."${radarr_data_directory}" = lib.mkIf config.services.radarr.impermanence.enable {
assertions = [ owner.name = "radarr";
{ group.name = "radarr";
assertion = config.services.radarr.dataDir == radarr_data_directory; };
message = "radarr data directory does not match persistence"; };
} };
];
}
(lib.mkIf (!config.services.radarr.impermanence.enable) {
# TODO: placeholder to configure a unique dataset for this service
})
(lib.mkIf config.services.radarr.impermanence.enable {
storage.impermanence.datasets."persist/replicate/system/root" = {
directories."${radarr_data_directory}" = {
owner.name = "radarr";
group.name = "radarr";
};
};
})
]))
]);
} }
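Review bot: The `config.services.radarr.dataDir == radarr_data_directory` check is removed and nothing in the new block replaces it, so a mismatch between the service and the persisted path is no longer an eval-time error. Re-add `assertions = [{ assertion = config.services.radarr.dataDir == radarr_data_directory; message = "radarr data directory does not match persistence"; }];`.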


@ -10,19 +10,12 @@ in {
default = config.services.reverseProxy.enable && config.storage.impermanence.enable; default = config.services.reverseProxy.enable && config.storage.impermanence.enable;
}; };
config = lib.mkIf config.services.reverseProxy.enable (lib.mkMerge [ config = lib.mkIf config.services.reverseProxy.enable {
(lib.mkIf config.storage.zfs.enable (lib.mkMerge [ storage.datasets.replicate."system/root" = {
(lib.mkIf (!config.services.reverseProxy.impermanence.enable) { directories."${dataDir}" = lib.mkIf config.services.reverseProxy.impermanence.enable {
# TODO: placeholder to configure a unique dataset for this service owner.name = "acme";
}) group.name = "acme";
(lib.mkIf config.services.reverseProxy.impermanence.enable { };
storage.impermanence.datasets."persist/replicate/system/root" = { };
directories."${dataDir}" = { };
owner.name = "acme";
group.name = "acme";
};
};
})
]))
]);
} }
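Review bot: `${dataDir}` owned by `acme` is persisted with no permission block, so its mode after restore comes from the storage module's default, which is not visible here; this directory presumably holds the ACME account key and certificate private keys (confirm), so state the intent explicitly with `other.permissions = { read = false; write = false; execute = false; };` and grant group access only if the reverse proxy reads the certificates via the `acme` group.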


@ -10,27 +10,12 @@ in {
default = config.services.sonarr.enable && config.storage.impermanence.enable; default = config.services.sonarr.enable && config.storage.impermanence.enable;
}; };
config = lib.mkIf config.services.sonarr.enable (lib.mkMerge [ config = lib.mkIf config.services.sonarr.enable {
(lib.mkIf config.storage.zfs.enable (lib.mkMerge [ storage.datasets.replicate."system/root" = {
{ directories."${sonarr_data_directory}" = lib.mkIf config.services.sonarr.impermanence.enable {
assertions = [ owner.name = "sonarr";
{ group.name = "sonarr";
assertion = config.services.sonarr.dataDir == sonarr_data_directory; };
message = "sonarr data directory does not match persistence"; };
} };
];
}
(lib.mkIf (!config.services.sonarr.impermanence.enable) {
# TODO: placeholder to configure a unique dataset for this service
})
(lib.mkIf config.services.sonarr.impermanence.enable {
storage.impermanence.datasets."persist/replicate/system/root" = {
directories."${sonarr_data_directory}" = {
owner.name = "sonarr";
group.name = "sonarr";
};
};
})
]))
]);
} }
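Review bot: The `config.services.sonarr.dataDir == sonarr_data_directory` assertion is dropped with no replacement, so the persisted directory can silently diverge from the one sonarr writes to. Re-add `assertions = [{ assertion = config.services.sonarr.dataDir == sonarr_data_directory; message = "sonarr data directory does not match persistence"; }];`.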


@ -10,46 +10,35 @@
}; };
}; };
config = lib.mkMerge [ config = {
{ services = {
services = { openssh = {
openssh = { enable = true;
enable = true; ports = [22];
ports = [22]; settings = {
settings = { PasswordAuthentication = false;
PasswordAuthentication = false; UseDns = true;
UseDns = true; X11Forwarding = false;
X11Forwarding = false;
};
}; };
}; };
} };
(lib.mkIf config.storage.zfs.enable (lib.mkMerge [
{ storage.datasets.replicate."system/root" = {
# SSH host keys need to be persisted to maintain server identity files = lib.mkIf config.services.openssh.impermanence.enable (builtins.listToAttrs (
} lib.lists.flatten (
(lib.mkIf (!config.services.openssh.impermanence.enable) { builtins.map (hostKey: [
# TODO: placeholder to configure a unique dataset for this service {
}) name = hostKey.path;
(lib.mkIf config.services.openssh.impermanence.enable { value = {enable = true;};
storage.impermanence.datasets."persist/replicate/system/root" = { }
files = builtins.listToAttrs ( {
lib.lists.flatten ( name = "${hostKey.path}.pub";
builtins.map (hostKey: [ value = {enable = true;};
{ }
name = hostKey.path; ])
value = {enable = true;}; config.services.openssh.hostKeys
} )
{ ));
name = "${hostKey.path}.pub"; };
value = {enable = true;}; };
}
])
config.services.openssh.hostKeys
)
);
};
})
]))
];
} }
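Review bot: The host key entries built from `config.services.openssh.hostKeys` carry only `enable = true`, with no owner or permission block, so the private key's mode after restore depends on the storage module's default; for a host private key that must be root-only, and saying so here — e.g. `value = { enable = true; owner.name = "root"; group.name = "root"; };` plus a permission block denying group and other — avoids depending on it. The files also land in the `replicate` tier: if that means the dataset is sent to another machine or a backup target, the host's private identity leaves the host and the receiver must be treated as holding it, or the key files excluded from replication.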


@ -13,45 +13,20 @@ in {
}; };
}; };
config = lib.mkIf config.services.syncthing.enable ( config = lib.mkIf config.services.syncthing.enable {
lib.mkMerge [ storage.datasets.replicate."system/root" = {
(lib.mkIf config.storage.zfs.enable (lib.mkMerge [ directories = {
{ "${mountDir}" = lib.mkIf config.services.syncthing.impermanence.enable {
# Syncthing needs persistent storage for configuration and data enable = true;
} owner.name = "syncthing";
(lib.mkIf (!config.services.syncthing.impermanence.enable) { group.name = "syncthing";
# TODO: placeholder to configure a unique dataset for this service };
}) "${configDir}" = lib.mkIf config.services.syncthing.impermanence.enable {
(lib.mkIf config.services.syncthing.impermanence.enable { enable = true;
assertions = owner.name = "syncthing";
[ group.name = "syncthing";
{ };
assertion = config.services.syncthing.configDir == configDir; };
message = "syncthing config dir does not match persistence"; };
} };
]
++ lib.attrsets.mapAttrsToList (_: folder: {
assertion = lib.strings.hasPrefix mountDir folder.path;
message = "syncthing folder ${folder.label} is stored at ${folder.path} which not under the persisted path of ${mountDir}";
})
config.services.syncthing.settings.folders;
storage.impermanence.datasets."persist/replicate/system/root" = {
directories = {
"${mountDir}" = {
enable = true;
owner.name = "syncthing";
group.name = "syncthing";
};
"${configDir}" = {
enable = true;
owner.name = "syncthing";
group.name = "syncthing";
};
};
};
})
]))
]
);
} }
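Review bot: Two checks were removed here — the `configDir == config.services.syncthing.configDir` assertion and, more importantly, the per-folder check that every `settings.folders.*.path` has `mountDir` as a prefix. Without the latter, a folder configured outside `${mountDir}` is wiped on each reboot under impermanence and syncthing will either re-pull it from peers or report it missing. Restore both; the folder check was `lib.attrsets.mapAttrsToList (_: folder: { assertion = lib.strings.hasPrefix mountDir folder.path; message = "..."; }) config.services.syncthing.settings.folders` appended to the assertions list.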


@ -12,25 +12,13 @@ in {
}; };
}; };
config = lib.mkIf config.services.tailscale.enable ( config = lib.mkIf config.services.tailscale.enable {
lib.mkMerge [ storage.datasets.replicate."system/root" = {
(lib.mkIf config.storage.zfs.enable (lib.mkMerge [ directories."${tailscale_data_directory}" = lib.mkIf config.services.tailscale.impermanence.enable {
{ enable = true;
# Tailscale needs persistent storage for keys and configuration owner.name = "root";
} group.name = "root";
(lib.mkIf (!config.services.tailscale.impermanence.enable) { };
# TODO: placeholder to configure a unique dataset for this service };
}) };
(lib.mkIf config.services.tailscale.impermanence.enable {
storage.impermanence.datasets."persist/replicate/system/root" = {
directories."${tailscale_data_directory}" = {
enable = true;
owner.name = "root";
group.name = "root";
};
};
})
]))
]
);
} }
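Review bot: The tailscale state directory is persisted `root:root` with no permission block, so its mode comes from the storage module's default; it presumably holds the node's private key (confirm), so set `group.permissions` and `other.permissions` to all-false explicitly rather than relying on that default. As with the SSH host keys, placing it in the `replicate` tier copies the node identity wherever that dataset is replicated — if that is a backup target, the key should be excluded or the stream encrypted.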


@ -402,7 +402,7 @@ in {
(lib.mkIf config.storage.zfs.enable (lib.mkMerge [ (lib.mkIf config.storage.zfs.enable (lib.mkMerge [
{ {
# sops age key needs to be available to pre persist for user generation # sops age key needs to be available to pre persist for user generation
storage.zfs.datasets."persist/local/system/sops" = { storage.datasets.local."system/sops" = {
type = "zfs_fs"; type = "zfs_fs";
mount = { mount = {
enable = true; enable = true;
@ -413,9 +413,9 @@ in {
}; };
} }
(lib.mkIf (!config.storage.impermanence.enable) { (lib.mkIf (!config.storage.impermanence.enable) {
storage.zfs.datasets = lib.mkMerge ( storage.datasets.replicate = lib.mkMerge (
builtins.map (user: { builtins.map (user: {
"persist/replicate/home/${user.name}" = { "home/${user.name}" = {
type = "zfs_fs"; type = "zfs_fs";
mount = { mount = {
enable = true; enable = true;
@ -428,9 +428,9 @@ in {
); );
}) })
(lib.mkIf config.storage.impermanence.enable { (lib.mkIf config.storage.impermanence.enable {
storage.zfs.datasets = lib.mkMerge ( storage.datasets.ephemeral = lib.mkMerge (
builtins.map (user: { builtins.map (user: {
"ephemeral/home/${user.name}" = { "home/${user.name}" = {
type = "zfs_fs"; type = "zfs_fs";
mount = { mount = {
enable = true; enable = true;