Remove more persistence references and move to a simpler, global system

system/devices/disks/impermanence/root/default.nix

@@ -4,7 +4,7 @@
     hideMounts = true;
     directories = [
       "/etc/nixos"
-      "/etc/secureboot"
+      "/etc/ssh/"
       "/var"
     ];
     files = [

system/devices/networking/default.nix

@@ -23,8 +23,5 @@
     dnsovertls = "true";
   };
 
-  environment = {
+  environment.systemPackages = with pkgs; [ impala ];
-    systemPackages = with pkgs; [ impala ];
-    persistence."/persist".directories = [ "/var/lib/iwd/" ];
-  };
 }

system/services/general/libvirtd/default.nix

@@ -17,23 +17,10 @@
       };
     };
 
-    programs.virt-manager.enable = true;
-
-    environment.persistence."/persist".directories = [
-      "/var/lib/libvirt/dnsmasq"
-      "/var/lib/libvirt/nwfilter"
-      "/var/lib/libvirt/qemu"
-      "/var/lib/libvirt/secrets"
-      "/var/lib/libvirt/storage"
-      "/var/lib/libvirt/swtpm"
-    ];
-
     # Needed to make NAT work
     networking.firewall.trustedInterfaces = [
       "virbr0"
       "virbr1"
     ];
-
-    systemd.tmpfiles.rules = [ "f /dev/shm/looking-glass 0660 - libvirtd -" ];
   };
 }

system/services/general/ssh/default.nix

@@ -1,22 +1,20 @@
 { lib, ... }:
 {
-  imports = [ ./fail2ban ];
+  services = {
-
+    openssh = {
-  services.openssh = {
+      enable = true;
-    enable = true;
+      settings = {
-    settings = {
+        PermitRootLogin = lib.mkForce "no";
-      PermitRootLogin = lib.mkForce "no";
+        PrintLastLog = "no";
-      PrintLastLog = "no";
+        PasswordAuthentication = false;
-      PasswordAuthentication = false;
+        UsePAM = false;
-      UsePAM = false;
+        X11Forwarding = false;
-      X11Forwarding = false;
+      };
+    };
+    fail2ban = {
+      enable = true;
+      maxretry = 5;
+      bantime = "10m";
     };
   };
-
-  environment.persistence."/persist".files = [
-    "/etc/ssh/ssh_host_ed25519_key"
-    "/etc/ssh/ssh_host_ed25519_key.pub"
-    "/etc/ssh/ssh_host_rsa_key"
-    "/etc/ssh/ssh_host_rsa_key.pub"
-  ];
 }

system/services/server/fileserver/jellyfin/default.nix

@@ -1,11 +1,6 @@
-{ config, lib, ... }:
+{ config, ... }:
 {
-  imports = [
+  imports = [ ./nginx ];
-    ./nginx
-  ];
 
-  config = lib.mkIf config.system.fileserver.enable {
+  services.jellyfin.enable = config.system.server.enable;
-    services.jellyfin.enable = true;
-    environment.persistence."/persist".directories = [ "/var/lib/jellyfin" ];
-  };
 }

system/services/server/webserver/acme/default.nix

@@ -1,10 +1,7 @@
 { config, lib, ... }:
 {
-  config = lib.mkIf config.services.nginx.enable {
+  security.acme = lib.mkIf config.services.nginx.enable { 
-    security.acme = { 
+    acceptTerms = true;
-      acceptTerms = true;
+    defaults.email = "contact@example.com";
-      defaults.email = "contact@nixfox.ca";
-    };
-    environment.persistence."/persist".directories = [ "/var/lib/acme" ];
   };
 }