titaniumtown/server-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

impermanence

Browse Source
This commit is contained in:
Simon Gardling 2025-10-07 01:24:37 -04:00
parent a4bf2a0ea9
commit 83a639a20e
Signed by: titaniumtown
GPG Key ID: 9AB28AC10ECE533D
15 changed files with 128 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
configuration.nix
View File

@ -13,6 +13,7 @@
imports = [
./hardware.nix
./zfs.nix
./impermanence.nix
./services/postgresql.nix
./services/jellyfin.nix
@ -97,6 +98,7 @@
initrd = {
compressor = "zstd";
supportedFilesystems = [ "f2fs" ];
};
loader.systemd-boot.enable = lib.mkForce false;
@ -284,7 +286,7 @@
];
# TODO! use proper secrets management
# hashedPasswordFile = builtins.toString ./secrets/hashedPass;
hashedPassword = lib.strings.trim (builtins.readFile ./secrets/hashedPass);
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop
@ -339,7 +341,7 @@
# };
# systemd.tmpfiles.rules = [
# "d /tank/music 775 ${username} users"
# "Z /tank/music 775 ${username} users"
# ];
system.stateVersion = "24.11";

27
disk-config.nix
View File

@ -15,17 +15,40 @@
mountpoint = "/boot";
};
};
root = {
persistent = {
size = "20G";
content = {
type = "filesystem";
format = "f2fs";
mountpoint = "/persistent";
};
};
nix = {
size = "100%";
content = {
type = "filesystem";
format = "f2fs";
mountpoint = "/";
mountpoint = "/nix";
};
};
};
};
};
};
nodev = {
"/" = {
fsType = "tmpfs";
mountOptions = [
"defaults"
"size=2G"
"mode=755"
];
};
};
};
fileSystems."/persistent".neededForBoot = true;
fileSystems."/nix".neededForBoot = true;
}

28
flake.lock generated
View File

@ -205,6 +205,21 @@
"type": "github"
}
},
"impermanence": {
"locked": {
"lastModified": 1737831083,
"narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "impermanence",
"type": "github"
}
},
"lanzaboote": {
"inputs": {
"crane": "crane",
@ -238,11 +253,11 @@
]
},
"locked": {
"lastModified": 1759669067,
"narHash": "sha256-L0R8SAoVvZIGG8zH/7BDWFdgsISzViZJHzeimcIOIqY=",
"lastModified": 1759814657,
"narHash": "sha256-AZ8CPyyI4Nn9ietsOKu28zle5r0JiJrwOHy1m9sUmbM=",
"owner": "ggml-org",
"repo": "llama.cpp",
"rev": "ca71fb9b368e3db96e028f80c4c9df6b6b370edd",
"rev": "0123ff38f53d34752f29239a29d0e40a6dc4110f",
"type": "github"
},
"original": {
@ -291,11 +306,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1759580034,
"narHash": "sha256-YWo57PL7mGZU7D4WeKFMiW4ex/O6ZolUS6UNBHTZfkI=",
"lastModified": 1759735786,
"narHash": "sha256-a0+h02lyP2KwSNrZz4wLJTu9ikujNsTWIC874Bv7IJ0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3bcc93c5f7a4b30335d31f21e2f1281cba68c318",
"rev": "20c4598c84a671783f741e02bf05cbfaf4907cff",
"type": "github"
},
"original": {
@ -348,6 +363,7 @@
"deploy-rs": "deploy-rs",
"disko": "disko",
"home-manager": "home-manager",
"impermanence": "impermanence",
"lanzaboote": "lanzaboote",
"llamacpp": "llamacpp",
"nix-minecraft": "nix-minecraft",

7
flake.nix
View File

@ -43,6 +43,10 @@
inputs.nixpkgs.follows = "nixpkgs";
};
impermanence = {
url = "github:nix-community/impermanence";
};
senior_project-website = {
url = "github:Titaniumtown/senior-project-website";
flake = false;
@ -66,6 +70,7 @@
disko,
srvos,
deploy-rs,
impermanence,
...
}@inputs:
let
@ -196,6 +201,8 @@
disko.nixosModules.disko
./configuration.nix
impermanence.nixosModules.impermanence
vpn-confinement.nixosModules.default
# get nix-minecraft working!

52
impermanence.nix Normal file
View File

@ -0,0 +1,52 @@
{
config,
lib,
pkgs,
username,
service_configs,
...
}:
{
environment.persistence."/persistent" = {
hideMounts = true;
directories = [
"/var/log"
"/var/lib/systemd/coredump"
"/var/lib/nixos"
"/var/lib/systemd/timers"
];
files = [
# SSH host keys
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
# Machine ID
"/etc/machine-id"
# ZFS cache
"/etc/zfs/zpool.cache"
];
users.${username} = {
files = [
".local/share/fish/fish_history"
];
};
users.root = {
home = "/root";
files = [
".local/share/fish/fish_history"
];
};
};
systemd.tmpfiles.rules = [
"d /etc 755 root"
];
}

4
services/bitwarden.nix
View File

@ -42,7 +42,7 @@
'';
systemd.tmpfiles.rules = [
"d ${service_configs.vaultwarden.path} 0700 vaultwarden vaultwarden"
"d ${config.services.vaultwarden.backupDir} 0700 vaultwarden vaultwarden"
"Z ${service_configs.vaultwarden.path} 0700 vaultwarden vaultwarden"
"Z ${config.services.vaultwarden.backupDir} 0700 vaultwarden vaultwarden"
];
}

2
services/gitea.nix
View File

@ -45,7 +45,7 @@
systemd.tmpfiles.rules = [
# 0700 for ssh permission reasons
"d ${config.services.gitea.stateDir} 0700 ${config.services.gitea.user} ${config.services.gitea.group}"
"Z ${config.services.gitea.stateDir} 0700 ${config.services.gitea.user} ${config.services.gitea.group}"
];
services.postgresql = {

2
services/immich.nix
View File

@ -30,7 +30,7 @@
'';
systemd.tmpfiles.rules = [
"d ${config.services.immich.mediaLocation} 0770 ${config.services.immich.user} ${config.services.immich.group}"
"Z ${config.services.immich.mediaLocation} 0770 ${config.services.immich.user} ${config.services.immich.group}"
];
environment.systemPackages = with pkgs; [

4
services/jellyfin.nix
View File

@ -32,8 +32,8 @@
'';
systemd.tmpfiles.rules = [
"d ${config.services.jellyfin.dataDir} 0700 ${config.services.jellyfin.user} ${config.services.jellyfin.group}"
"d ${config.services.jellyfin.cacheDir} 0700 ${config.services.jellyfin.user} ${config.services.jellyfin.group}"
"Z ${config.services.jellyfin.dataDir} 0700 ${config.services.jellyfin.user} ${config.services.jellyfin.group}"
"Z ${config.services.jellyfin.cacheDir} 0700 ${config.services.jellyfin.user} ${config.services.jellyfin.group}"
];
users.users.${config.services.jellyfin.user}.extraGroups = [

2
services/matrix.nix
View File

@ -50,7 +50,7 @@
};
systemd.tmpfiles.rules = [
"d /var/lib/private/matrix-conduit 0770 conduit conduit"
"Z /var/lib/private/matrix-conduit 0770 conduit conduit"
];
# for federation

4
services/minecraft.nix
View File

@ -142,7 +142,7 @@
};
systemd.tmpfiles.rules = [
"d ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name} 700 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}"
"d ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name}/squaremap/web 750 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}"
"Z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name} 700 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}"
"Z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name}/squaremap/web 750 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}"
];
}

2
services/owntracks.nix
View File

@ -32,7 +32,7 @@ in
};
systemd.tmpfiles.rules = [
"d ${service_configs.owntracks.data_dir} 0770 owntracks owntracks"
"Z ${service_configs.owntracks.data_dir} 0770 owntracks owntracks"
];
services.caddy.virtualHosts."owntracks.${service_configs.https.domain}".extraConfig = ''

2
services/postgresql.nix
View File

@ -20,7 +20,7 @@
systemd.tmpfiles.rules = [
# postgresql requires 0700
"d ${config.services.postgresql.dataDir} 0700 postgresql postgresql"
"Z ${config.services.postgresql.dataDir} 0700 postgresql postgresql"
];
users.users.${username}.extraGroups = [

6
services/qbittorrent.nix
View File

@ -208,9 +208,9 @@
};
systemd.tmpfiles.rules = [
"d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0750 ${config.services.qbittorrent.user} ${service_configs.media_group}"
"d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0700 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
"d ${config.services.qbittorrent.profileDir} 0700 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
"Z ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0750 ${config.services.qbittorrent.user} ${service_configs.media_group}"
"Z ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0700 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
"Z ${config.services.qbittorrent.profileDir} 0700 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
];
services.caddy.virtualHosts."torrent.${service_configs.https.domain}".extraConfig = ''

8
services/soulseek.nix
View File

@ -68,10 +68,10 @@ in
users.users.${username}.extraGroups = [ "music" ];
systemd.tmpfiles.rules = [
"d ${service_configs.music_dir} 0750 ${username} music"
"d ${service_configs.slskd.base} 0750 ${config.services.slskd.user} ${config.services.slskd.group}"
"d ${service_configs.slskd.downloads} 0750 ${config.services.slskd.user} music"
"d ${service_configs.slskd.incomplete} 0750 ${config.services.slskd.user} music"
"Z ${service_configs.music_dir} 0750 ${username} music"
"Z ${service_configs.slskd.base} 0750 ${config.services.slskd.user} ${config.services.slskd.group}"
"Z ${service_configs.slskd.downloads} 0750 ${config.services.slskd.user} music"
"Z ${service_configs.slskd.incomplete} 0750 ${config.services.slskd.user} music"
];
# doesn't work with auth????