Move server to persistence, still have stuff to fix

2025-01-17 17:06:28 -05:00 · 2025-01-17 17:06:28 -05:00 · cc68f883ba
parent ce6ffd9ee7
commit cc68f883ba
35 changed files with 293 additions and 235 deletions
--- a/hosts/kitty/boot/default.nix
+++ b/hosts/kitty/boot/default.nix
@ -1,11 +1,7 @@
 { config, lib, pkgs, ... }:
 {
-  boot = {
-    kernelPackages = pkgs.linuxPackages_hardened;
-    initrd.systemd.services.root-reset.enable = lib.mkForce false;
-    swraid = {
+  boot.swraid = {
    enable = true;
    mdadmConf = "MAILADDR contact@${config.domains.p2}";
  };
-  };
 }
--- a/hosts/kitty/default.nix
+++ b/hosts/kitty/default.nix
@ -14,13 +14,12 @@
    hostId = "38ba3f57";
  };

-  environment.persistence."/persist".enable = lib.mkForce false;
-
  system = {
    desktop.enable = false;
    server.enable = true;
+    webserver.enable = true;
    fileserver.enable = true;
-    socials.enable = true;
+    socialserver.enable = true;
    wireless.enable = false;
    wireguard.server.enable = true;
    stateVersion = "24.05";
--- a/hosts/kitty/filesystems/default.nix
+++ b/hosts/kitty/filesystems/default.nix
@ -4,22 +4,23 @@
    "/" = {
      device = "/dev/disk/by-uuid/b8b7ed47-c98c-4a49-af01-b2832dde1287";
      fsType = "btrfs";
-      options = [ "subvol=@" ];
+      options = [ "subvol=root" ];
    };
-    "/home" = {
+    "/prev" = {
      device = "/dev/disk/by-uuid/b8b7ed47-c98c-4a49-af01-b2832dde1287";
      fsType = "btrfs";
-      options = [ "subvol=@home" ];
+      options = [ "subvol=prev" ];
+    };
+    "/persist" = {
+      device = "/dev/disk/by-uuid/acf95700-8669-45c7-9a72-bf3215b3c325";
+      fsType = "btrfs";
+      neededForBoot = true;
+      options = [ "subvol=persist" "compress=zstd" ];
    };
    "/nix" = {
      device = "/dev/disk/by-uuid/b8b7ed47-c98c-4a49-af01-b2832dde1287";
      fsType = "btrfs";
-      options = [ "subvol=@nix" ];
-    };
-    "/var" = {
-      device = "/dev/disk/by-uuid/acf95700-8669-45c7-9a72-bf3215b3c325";
-      fsType = "btrfs";
-      options = [ "subvol=@var" ];
+      options = [ "subvol=nix" ];
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/CD94-1D3F";
@ -28,23 +29,12 @@
    };

    # Subvols and bindmounts
-    "/persist" = {
-      device = "/dev/disk/by-uuid/acf95700-8669-45c7-9a72-bf3215b3c325";
-      fsType = "btrfs";
-      options = [ "subvol=persist" "compress=zstd" ];
-    };
    "/export/KittyNFS" = {
      depends = [ "/persist" ];
      device = "/persist/export/KittyNFS";
      fsType = "none";
      options = [ "bind" ];
    };
-    "/srv/minecraft" = {
-      depends = [ "/persist" ];
-      device = "/persist/srv/minecraft";
-      fsType = "none";
-      options = [ "bind" ];
-    };
  };

  swapDevices = [
--- a/modules/system/services/server/acme/default.nix
+++ b/modules/system/services/server/acme/default.nix
@ -1,7 +0,0 @@
-{ config, ... }:
-{
-  security.acme = { 
-    acceptTerms = true;
-    defaults.email = "contact@${config.domains.p2}";
-  };
-}
--- a/modules/system/services/server/ddclient/default.nix
+++ b/modules/system/services/server/ddclient/default.nix
@ -1,21 +0,0 @@
-{ pkgs, config, ... }:
-{
-  services.ddclient = {
-    enable = config.system.server.enable;
-    protocol = "cloudflare";
-    zone = "${config.domains.p2}";
-    usev6 = "";
-    username = "token";
-    passwordFile = "${pkgs.writeText "cloudflareapikey" config.secrets.flareApiKey}";
-    domains = [
-      "${config.domains.p2}"
-      "*.${config.domains.p2}"
-      "sv.${config.domains.p2}"
-      "git.${config.domains.p2}"
-      "turn.${config.domains.p2}"
-      "dew.${config.domains.p2}"
-      "john.${config.domains.p2}"
-      "rogue.${config.domains.p2}"
-    ];
-  };
-}
--- a/modules/system/services/server/default.nix
+++ b/modules/system/services/server/default.nix
@ -1,17 +1,15 @@
 { ... }:
 {
  imports = [
-    ./acme
-    ./ddclient
    ./fileserver
    ./forgejo
    ./icecast
    ./mailserver
    ./minecraft
    ./mysql
-    ./nginx
-    ./social
+    ./socialserver
    ./transmission
    ./vaultwarden
+    ./webserver
  ];
 }
--- a/modules/system/services/server/fileserver/jellyfin/default.nix
+++ b/modules/system/services/server/fileserver/jellyfin/default.nix
@ -1,8 +1,13 @@
-{ config, ... }:
+{ config, lib, ... }:
 {
  imports = [
    ./nginx
  ];

-  services.jellyfin.enable = config.system.fileserver.enable;
+  config = lib.mkIf config.system.fileserver.enable {
+    services.jellyfin.enable = true;
+    environment.persistence."/persist".directories = [
+      "/var/lib/jellyfin"
+    ];
+  };
 }
--- a/modules/system/services/server/fileserver/nextcloud/default.nix
+++ b/modules/system/services/server/fileserver/nextcloud/default.nix
@ -1,15 +1,15 @@
-{ pkgs, config, ... }:
+{ config, lib, pkgs, ... }:
 {
  imports = [
    ./collabora
    ./nginx
  ];

+  config = lib.mkIf config.system.fileserver.enable {
    services.nextcloud = {
-    enable = config.system.fileserver.enable;
+      enable = true;
      package = pkgs.nextcloud30;
      hostName = "cloud.${config.domains.p2}";
-    datadir = "/mnt/nextcloud";
      https = true;
      config = {
        adminuser = config.sysusers.main;
@ -29,4 +29,8 @@
        mail_smtpport = 587;
      };
    };
+    environment.persistence."/persist".directories = [
+      "/var/lib/nextcloud"
+    ];
+  };
 }
--- a/modules/system/services/server/forgejo/default.nix
+++ b/modules/system/services/server/forgejo/default.nix
@ -30,5 +30,9 @@
    };

    networking.firewall.allowedTCPPorts = [ 2299 ];
+
+    environment.persistence."/persist".directories = [
+      "/var/lib/forgejo"
+    ];
  };
 }
--- a/modules/system/services/server/minecraft/default.nix
+++ b/modules/system/services/server/minecraft/default.nix
@ -1,4 +1,4 @@
-{ minecraft, config, ... }:
+{ minecraft, config, lib, ... }:
 {
  imports = [
    minecraft.nixosModules.minecraft-servers
@ -10,10 +10,16 @@
    ./servers/uberbeta
  ];

+  config = lib.mkIf config.system.server.enable {
    nixpkgs.overlays = [ minecraft.overlay ];

    services.minecraft-servers = {
-    enable = config.system.server.enable;
+      enable = true;
      eula = true;
    };
+
+    environment.persistence."/persist".directories = [
+      "/srv/minecraft"
+    ];
+  };
 }
--- a/modules/system/services/server/mysql/default.nix
+++ b/modules/system/services/server/mysql/default.nix
@ -1,9 +1,9 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 {
+  config = lib.mkIf config.system.server.enable {
    services.mysql = {
-    enable = config.system.server.enable;
+      enable = true;
      package = pkgs.mariadb;
-    dataDir = "/var/lib/mysql";
      ensureDatabases = [
        "minecraft"
      ];
@ -16,4 +16,8 @@
        }
      ];
    };
+    environment.persistence."/persist".directories = [
+      "/var/lib/mysql"
+    ];
+  };
 }
--- a/modules/system/services/server/social/mastodon/default.nix
+++ b/modules/system/services/server/social/mastodon/default.nix
@ -1,18 +0,0 @@
-{ pkgs, config, ... }:
-{
-  services.mastodon = {
-    enable = config.system.socials.enable;
-    localDomain = "social.${config.domains.p2}";
-    streamingProcesses = 4;
-    configureNginx = true;
-    smtp = {
-      createLocally = false;
-      host = "mx.${config.domains.p1}";
-      port = 587;
-      authenticate = true;
-      fromAddress = "NixFox Mastodon <noreply@${config.domains.p2}>";
-      user = "noreply@${config.domains.p2}";
-      passwordFile = pkgs.writeText "smtp_pass.txt" config.secrets.noreplyPassword;
-    };
-  };
-}
--- a/modules/system/services/server/social/matrix/synapse/default.nix
+++ b/modules/system/services/server/social/matrix/synapse/default.nix
@ -1,73 +0,0 @@
-{ pkgs, config, ... }:
-{
-  imports = [
-    ./nginx
-  ];
-
-  services.matrix-synapse = {
-    enable = config.system.socials.enable;
-    settings = {
-      server_name = "${config.domains.p1}";
-      public_baseurl = "https://matrix.${config.domains.p1}";
-      suppress_key_server_warning = true;
-
-      listeners = [
-        {
-          port = 8008;
-          bind_addresses = [ "::" "0.0.0.0" ];
-          resources = [{
-            compress = true;
-            names = [
-              "client"
-              "federation"
-            ];
-          }];
-          type = "http";
-          tls = false;
-          x_forwarded = true;
-        }
-      ];
-
-      email = {
-        notif_from = "NixFox Matrix <noreply@${config.domains.p2}>";
-        smtp_host = "mx.${config.domains.p1}";
-        smtp_user = "noreply@${config.domains.p2}";
-        smtp_pass = config.secrets.noreplyPassword;
-        enable_tls = true;
-        smtp_port = 587;
-        require_transport_security = true;
-      };
-
-      # Disable registration without email
-      registrations_require_3pid = [ "email" ];
-
-      # Allow only this range of emails
-      allowed_local_3pids = [
-        {
-          medium = "email";
-          pattern = ''^[^@]+@nixfox\.ca$'';
-        }
-        {
-          medium = "email";
-          pattern = ''^[^@]+@freecorn1854\.win$'';
-        }
-        {
-          medium = "email";
-          pattern = ''^[^@]+@lunamoonlight\.xyz$'';
-        }
-      ];
-
-      # Set the type of database
-      database.name = "sqlite3";
-
-      # Allow account registration
-      enable_registration = true;
-
-      # General settings
-      url_preview_enabled = true;
-      max_upload_size = "50M";
-      report_stats = false;
-      burst_count = 15;
-    };
-  };
-}
--- a/modules/system/services/server/social/owncast/default.nix
+++ b/modules/system/services/server/social/owncast/default.nix
@ -1,11 +0,0 @@
-{ config, ... }:
-{
-  imports = [ ./nginx ];
-
-  services.owncast = {
-    enable = config.system.socials.enable;
-    port = 8060;
-    rtmp-port = 1945;
-    listen = "0.0.0.0";
-  };
-}
--- a/modules/system/services/server/socialserver/default.nix
+++ b/modules/system/services/server/socialserver/default.nix
@ -1,6 +1,6 @@
 { lib, ... }:
 {
-  options.system.socials.enable = lib.mkOption {
+  options.system.socialserver.enable = lib.mkOption {
    type = lib.types.bool;
    default = false;
  };
--- a/modules/system/services/server/socialserver/mastodon/default.nix
+++ b/modules/system/services/server/socialserver/mastodon/default.nix
@ -0,0 +1,23 @@
+{ config, lib, pkgs, ... }:
+{
+  config = lib.mkIf config.system.socialserver.enable {
+    services.mastodon = {
+      enable = true;
+      localDomain = "social.${config.domains.p2}";
+      streamingProcesses = 4;
+      configureNginx = true;
+      smtp = {
+        createLocally = false;
+        host = "mx.${config.domains.p1}";
+        port = 587;
+        authenticate = true;
+        fromAddress = "NixFox Mastodon <noreply@${config.domains.p2}>";
+        user = "noreply@${config.domains.p2}";
+        passwordFile = pkgs.writeText "smtp_pass.txt" config.secrets.noreplyPassword;
+      };
+    };
+    environment.persistence."/persist".directories = [
+      "/var/lib/mastodon"
+    ];
+  };
+}
--- a/modules/system/services/server/socialserver/matrix/coturn/default.nix
+++ b/modules/system/services/server/socialserver/matrix/coturn/default.nix
--- a/modules/system/services/server/socialserver/matrix/coturn/nginx/default.nix
+++ b/modules/system/services/server/socialserver/matrix/coturn/nginx/default.nix
--- a/modules/system/services/server/socialserver/matrix/default.nix
+++ b/modules/system/services/server/socialserver/matrix/default.nix
--- a/modules/system/services/server/socialserver/matrix/element/default.nix
+++ b/modules/system/services/server/socialserver/matrix/element/default.nix
--- a/modules/system/services/server/socialserver/matrix/element/nginx/default.nix
+++ b/modules/system/services/server/socialserver/matrix/element/nginx/default.nix
--- a/modules/system/services/server/socialserver/matrix/synapse/default.nix
+++ b/modules/system/services/server/socialserver/matrix/synapse/default.nix
@ -0,0 +1,78 @@
+{ config, lib, pkgs, ... }:
+{
+  imports = [
+    ./nginx
+  ];
+
+  config = lib.mkIf config.system.socialserver.enable {
+    services.matrix-synapse = {
+      enable = true;
+      settings = {
+        server_name = "${config.domains.p1}";
+        public_baseurl = "https://matrix.${config.domains.p1}";
+        suppress_key_server_warning = true;
+
+        listeners = [
+          {
+            port = 8008;
+            bind_addresses = [ "::" "0.0.0.0" ];
+            resources = [{
+              compress = true;
+              names = [
+                "client"
+                "federation"
+              ];
+            }];
+            type = "http";
+            tls = false;
+            x_forwarded = true;
+          }
+        ];
+
+        email = {
+          notif_from = "NixFox Matrix <noreply@${config.domains.p2}>";
+          smtp_host = "mx.${config.domains.p1}";
+          smtp_user = "noreply@${config.domains.p2}";
+          smtp_pass = config.secrets.noreplyPassword;
+          enable_tls = true;
+          smtp_port = 587;
+          require_transport_security = true;
+        };
+
+        # Disable registration without email
+        registrations_require_3pid = [ "email" ];
+
+        # Allow only this range of emails
+        allowed_local_3pids = [
+          {
+            medium = "email";
+            pattern = ''^[^@]+@nixfox\.ca$'';
+          }
+          {
+            medium = "email";
+            pattern = ''^[^@]+@freecorn1854\.win$'';
+          }
+          {
+            medium = "email";
+            pattern = ''^[^@]+@lunamoonlight\.xyz$'';
+          }
+        ];
+
+        # Set the type of database
+        database.name = "sqlite3";
+
+        # Allow account registration
+        enable_registration = true;
+
+        # General settings
+        url_preview_enabled = true;
+        max_upload_size = "50M";
+        report_stats = false;
+        burst_count = 15;
+      };
+    };
+    environment.persistence."/persist".directories = [
+      "/var/lib/matrix-synapse"
+    ];
+  };
+}
--- a/modules/system/services/server/socialserver/matrix/synapse/nginx/default.nix
+++ b/modules/system/services/server/socialserver/matrix/synapse/nginx/default.nix
--- a/modules/system/services/server/socialserver/owncast/default.nix
+++ b/modules/system/services/server/socialserver/owncast/default.nix
@ -0,0 +1,16 @@
+{ config, lib, ... }:
+{
+  imports = [ ./nginx ];
+
+  config = lib.mkIf config.system.socialserver.enable {
+    services.owncast = {
+      enable = true;
+      port = 8060;
+      rtmp-port = 1945;
+      listen = "0.0.0.0";
+    };
+    environment.persistence."/persist".directories = [
+      "/var/lib/owncast"
+    ];
+  };
+}
--- a/modules/system/services/server/socialserver/owncast/nginx/default.nix
+++ b/modules/system/services/server/socialserver/owncast/nginx/default.nix
--- a/modules/system/services/server/transmission/default.nix
+++ b/modules/system/services/server/transmission/default.nix
@ -1,11 +1,16 @@
-{ pkgs, config, ... }:
+{ config, lib, pkgs, ... }:
 {
  imports = [ ./nginx ];

+  config = lib.mkIf config.system.server.enable {
    services.transmission = {
-    enable = config.system.server.enable;
+      enable = true;
      credentialsFile = pkgs.writeText "credentials" config.secrets.transmissionCredFile;
      openPeerPorts = true;
      settings.rpc-authentication-required = true;
    };
+    environment.persistence."/persist".directories = [
+      "/var/lib/transmission"
+    ];
+  };
 }
--- a/modules/system/services/server/vaultwarden/default.nix
+++ b/modules/system/services/server/vaultwarden/default.nix
@ -1,9 +1,10 @@
-{ config, ... }:
+{ config, lib, ... }:
 {
  imports = [ ./nginx ];

+  config = lib.mkIf config.system.server.enable {
    services.vaultwarden = {
-    enable = config.system.server.enable;
+      enable = true;
      config = {
        DOMAIN = "https://pass.${config.domains.p2}";
        SIGNUPS_ALLOWED = false;
@ -22,4 +23,8 @@
        SMTP_TIMEOUT = 15;
      };
    };
+    environment.persistence."/persist".directories = [
+      "/var/lib/bitwarden_rs"
+    ];
+  };
 }
--- a/modules/system/services/server/webserver/acme/default.nix
+++ b/modules/system/services/server/webserver/acme/default.nix
@ -0,0 +1,12 @@
+{ config, lib, ... }:
+{
+  config = lib.mkIf config.system.webserver.enable {
+    security.acme = { 
+      acceptTerms = true;
+      defaults.email = "contact@${config.domains.p2}";
+    };
+    environment.persistence."/persist".directories = [
+      "/var/lib/acme"
+    ];
+  };
+}
--- a/modules/system/services/server/webserver/ddclient/default.nix
+++ b/modules/system/services/server/webserver/ddclient/default.nix
@ -0,0 +1,26 @@
+{ config, lib, pkgs, ... }:
+{
+  config = lib.mkIf config.system.webserver.enable {
+    services.ddclient = {
+      enable = true;
+      protocol = "cloudflare";
+      zone = "${config.domains.p2}";
+      usev6 = "";
+      username = "token";
+      passwordFile = "${pkgs.writeText "cloudflareapikey" config.secrets.flareApiKey}";
+      domains = [
+        "${config.domains.p2}"
+        "*.${config.domains.p2}"
+        "sv.${config.domains.p2}"
+        "git.${config.domains.p2}"
+        "turn.${config.domains.p2}"
+        "dew.${config.domains.p2}"
+        "john.${config.domains.p2}"
+        "rogue.${config.domains.p2}"
+      ];
+    };
+    environment.persistence."/persist".directories = [
+      "/var/lib/private/ddclient"
+    ];
+  };
+}
--- a/modules/system/services/server/webserver/default.nix
+++ b/modules/system/services/server/webserver/default.nix
@ -0,0 +1,13 @@
+{ lib, ... }: 
+{
+  options.system.webserver.enable = lib.mkOption {
+    type = lib.types.bool;
+    default = false;
+  };
+
+  imports = [
+    ./acme
+    ./ddclient
+    ./nginx
+  ];
+}
--- a/modules/system/services/server/webserver/nginx/default.nix
+++ b/modules/system/services/server/webserver/nginx/default.nix
@ -5,7 +5,7 @@
    ./virtualhosts
  ];

-  config = lib.mkIf (config.system.server.enable || config.system.mailserver.enable) {
+  config = lib.mkIf config.system.webserver.enable {
    services.nginx = {
      enable = true;
      recommendedTlsSettings = true;
@ -14,6 +14,10 @@
      recommendedProxySettings = true;
    };

+    environment.persistence."/persist".directories = [
+      "/var/www"
+    ];
+
    networking.firewall.allowedTCPPorts = [
      80
      443
--- a/modules/system/services/server/webserver/nginx/rtmp/default.nix
+++ b/modules/system/services/server/webserver/nginx/rtmp/default.nix
--- a/modules/system/services/server/webserver/nginx/virtualhosts/default.nix
+++ b/modules/system/services/server/webserver/nginx/virtualhosts/default.nix
--- a/modules/system/services/server/webserver/nginx/virtualhosts/p1/default.nix
+++ b/modules/system/services/server/webserver/nginx/virtualhosts/p1/default.nix
--- a/modules/system/services/server/webserver/nginx/virtualhosts/p2/default.nix
+++ b/modules/system/services/server/webserver/nginx/virtualhosts/p2/default.nix