# Legacy impermanence module for defiant
#
# See legacy-storage.nix for the full incremental migration plan. Everything in
# here is scheduled for removal; the [PHASE n] markers say when each piece goes.
#
# Phase 3 (once generateBase is enabled): drop the SYSTEM-LEVEL entries marked
# [PHASE 3]. storage.nix, ssh.nix and the impermanence module then own them:
#   - the var-lib-private-permissions activation script
#   - /etc/machine-id
#   - the SSH host keys
#   - /var/lib/nixos
#   - /var/lib/systemd/coredump
#   - the /persist/system/var/log persistence block
#
# Phase 4 (one service at a time, in any order): for each service
#   1. delete its section marked [PHASE 4] from this file, and
#   2. delete `impermanence.enable = false` for it in configuration.nix.
#   jellyfin and qbittorrent additionally have separate media persistence
#   blocks, marked [PHASE 4 - LAST], that are removed together with them.
#
# Phase 5: delete this file once nothing is left in it.
{ config, lib, ... }:
let
  inherit (lib) mkIf mkMerge concatMap;

  # Persistence entries for one service, contributed only while that service
  # is enabled, so a disabled service never pulls in a bind mount.
  whenEnabled = service: entries: mkIf config.services.${service}.enable entries;

  # Common case: a directory owned by a service account whose primary group
  # carries the same name. Mode is left to the impermanence default.
  owned = user: directory: { inherit directory user; group = user; };
in
{
  config = mkIf config.storage.impermanence.enable {
    # [PHASE 3] Remove this activation script after enabling generateBase.
    # Creates the persisted copy of /var/lib/private and keeps it root-only
    # (0700); the DynamicUser state directories persisted below live under it.
    system.activationScripts."var-lib-private-permissions" = {
      deps = [ "specialfs" ];
      text = ''
        mkdir -p /persist/system/root/var/lib/private
        chmod 0700 /persist/system/root/var/lib/private
      '';
    };

    environment.persistence."/persist/system/root" = {
      enable = true;
      hideMounts = true;

      # [PHASE 3] Remove this files block after enabling generateBase.
      files = mkMerge [
        [ "/etc/machine-id" ]

        # SSH host keys: the private key and its matching .pub for every
        # configured host key. Without these the host identity would change
        # on every boot, and clients would see a changed key.
        (mkIf config.services.openssh.enable (
          concatMap (hostKey: [
            hostKey.path
            "${hostKey.path}.pub"
          ]) config.services.openssh.hostKeys
        ))
      ];

      directories = mkMerge [
        # [PHASE 3] Remove these system directories after enabling generateBase.
        [
          "/var/lib/nixos"
          "/var/lib/systemd/coredump"
        ]

        # [PHASE 4] PostgreSQL
        # NOTE(review): the major version is hard-coded here; keep it in step
        # with the PostgreSQL package actually deployed.
        (whenEnabled "postgresql" [
          (owned "postgres" "/var/lib/postgresql/16")
        ])

        # [PHASE 4] Reverse Proxy (ACME)
        (whenEnabled "reverseProxy" [
          (owned "acme" "/var/lib/acme")
        ])

        # [PHASE 4] Ollama
        # Owner/group come from the service options; mode is pinned to 0700
        # so the state directory is private to that account.
        (whenEnabled "ollama" [
          {
            directory = "/var/lib/private/ollama";
            user = config.services.ollama.user;
            group = config.services.ollama.group;
            mode = "0700";
          }
        ])

        # [PHASE 4] Tailscale
        (whenEnabled "tailscale" [
          (owned "root" "/var/lib/tailscale")
        ])

        # [PHASE 4] Syncthing
        (whenEnabled "syncthing" [
          (owned "syncthing" "/mnt/sync")
          (owned "syncthing" "/etc/syncthing")
        ])

        # [PHASE 4] Fail2ban
        (whenEnabled "fail2ban" [
          (owned "fail2ban" "/var/lib/fail2ban")
        ])

        # [PHASE 4] Jellyfin (data/cache only - media is on separate dataset)
        (whenEnabled "jellyfin" [
          (owned "jellyfin" "/var/lib/jellyfin")
          (owned "jellyfin" "/var/cache/jellyfin")
        ])

        # [PHASE 4] Immich
        (whenEnabled "immich" [
          (owned "immich" "/var/lib/immich")
        ])

        # [PHASE 4] Forgejo
        (whenEnabled "forgejo" [
          (owned "forgejo" "/var/lib/forgejo")
        ])

        # [PHASE 4] Actual
        # NOTE(review): unlike the Ollama entry, this /var/lib/private
        # directory takes the impermanence default mode - confirm that is the
        # intended permission for this service's state.
        (whenEnabled "actual" [
          (owned "actual" "/var/lib/private/actual")
        ])

        # [PHASE 4] Home Assistant
        (whenEnabled "home-assistant" [
          (owned "hass" "/var/lib/hass")
        ])

        # [PHASE 4] Paperless
        (whenEnabled "paperless" [
          (owned "paperless" "/var/lib/paperless")
        ])

        # [PHASE 4] Crab-hole
        # NOTE(review): same default-mode question as the Actual entry above.
        (whenEnabled "crab-hole" [
          (owned "crab-hole" "/var/lib/private/crab-hole")
        ])

        # [PHASE 4] qBittorrent (config only - media is on separate dataset)
        # NOTE(review): this is the only path written with a trailing slash;
        # kept as-is, but worth normalising when the section is next touched.
        (whenEnabled "qbittorrent" [
          (owned "qbittorrent" "/var/lib/qBittorrent/")
        ])

        # [PHASE 4] Sonarr
        (whenEnabled "sonarr" [
          (owned "sonarr" "/var/lib/sonarr/.config/NzbDrone")
        ])

        # [PHASE 4] Radarr
        (whenEnabled "radarr" [
          (owned "radarr" "/var/lib/radarr/.config/Radarr")
        ])

        # [PHASE 4] Bazarr
        (whenEnabled "bazarr" [
          (owned "bazarr" "/var/lib/bazarr")
        ])

        # [PHASE 4] Lidarr
        (whenEnabled "lidarr" [
          (owned "lidarr" "/var/lib/lidarr/.config/Lidarr")
        ])

        # [PHASE 4] Jackett
        (whenEnabled "jackett" [
          (owned "jackett" "/var/lib/jackett/.config/Jackett")
        ])

        # [PHASE 4] FlareSolverr
        (whenEnabled "flaresolverr" [
          (owned "flaresolverr" "/var/lib/flaresolverr")
        ])
      ];
    };

    # [PHASE 4 - LAST] Jellyfin media on separate dataset
    # Requires the Phase 2 media dataset merge before migrating (several days
    # of data copy). Mode 1770: full access for owner and group, nothing for
    # others, sticky bit set so group members cannot remove each other's files.
    environment.persistence."/persist/system/jellyfin" = mkIf config.services.jellyfin.enable {
      enable = true;
      hideMounts = true;
      directories = [
        {
          directory = config.services.jellyfin.media_directory;
          user = "jellyfin";
          group = "jellyfin_media";
          mode = "1770";
        }
      ];
    };

    # [PHASE 4 - LAST] qBittorrent media on separate dataset
    # Requires the Phase 2 media dataset merge before migrating (several days
    # of data copy). Mode 1775: writable by owner and group, readable by
    # everyone, sticky bit set.
    environment.persistence."/persist/system/qbittorrent" = mkIf config.services.qbittorrent.enable {
      enable = true;
      hideMounts = true;
      directories = [
        {
          directory = config.services.qbittorrent.mediaDir;
          user = "qbittorrent";
          group = "qbittorrent";
          mode = "1775";
        }
      ];
    };

    # [PHASE 3] /var/log persistence - handled by storage.nix after generateBase.
    environment.persistence."/persist/system/var/log" = {
      enable = true;
      hideMounts = true;
      directories = [ "/var/log" ];
    };
  };
}