diff --git a/hosts/common/default.nix b/hosts/common/default.nix
index 0bd16c2e..9e427945 100644
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -18,7 +18,7 @@
 sane.packages.enableConsolePkgs = true;
 sane.packages.enableSystemPkgs = true;
- sane.impermanence.dirs.sys.plaintext = [
+ sane.persist.dirs.sys.plaintext = [
 "/var/log"
 "/var/backup" # for e.g. postgres dumps
 # TODO: move elsewhere
diff --git a/hosts/common/users.nix b/hosts/common/users.nix
index 4a1ab6fd..ff1d2ce6 100644
--- a/hosts/common/users.nix
+++ b/hosts/common/users.nix
@@ -82,7 +82,7 @@ in
 mode = config.users.users.colin.homeMode;
 };
- sane.impermanence.dirs.home.plaintext = [
+ sane.persist.dirs.home.plaintext = [
 "archive"
 "dev"
 # TODO: records should be private
@@ -100,7 +100,7 @@ in
 ".local/share/keyrings"
 ];
 # TODO: fix this ugly solution that allows moby to have firefox cache not erased every boot.
- sane.impermanence.dirs.home.cryptClearOnBoot = lib.mkIf (config.networking.hostName != "moby") [
+ sane.persist.dirs.home.cryptClearOnBoot = lib.mkIf (config.networking.hostName != "moby") [
 # cache is probably too big to fit on the tmpfs
 # ".cache"
 config.sane.web-browser.cacheDir
@@ -116,7 +116,7 @@ in
 # used by password managers, e.g. unix `pass`
 sane.fs."/home/colin/.password-store" = mkSymlink "/home/colin/knowledge/secrets/accounts";
- sane.impermanence.dirs.sys.plaintext = mkIf cfg.guest.enable [
+ sane.persist.dirs.sys.plaintext = mkIf cfg.guest.enable [
 # intentionally allow other users to write to the guest folder
 { directory = "/home/guest"; user = "guest"; group = "users"; mode = "0775"; }
 ];
diff --git a/hosts/desko/default.nix b/hosts/desko/default.nix
index 6e2b78ec..1ef4abd8 100644
--- a/hosts/desko/default.nix
+++ b/hosts/desko/default.nix
@@ -10,7 +10,7 @@
 sane.services.duplicity.enable = true;
 sane.services.nixserve.enable = true;
 sane.services.nixserve.sopsFile = ../../secrets/desko.yaml;
- sane.impermanence.enable = true;
+ sane.persist.enable = true;
 boot.loader.efi.canTouchEfiVariables = false;
 sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
@@ -52,7 +52,7 @@
 remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
 dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
 };
- sane.impermanence.dirs.home.plaintext = [
+ sane.persist.dirs.home.plaintext = [
 ".steam"
 ".local/share/Steam"
 ];
diff --git a/hosts/desko/fs.nix b/hosts/desko/fs.nix
index 46cdb303..7f22679a 100644
--- a/hosts/desko/fs.nix
+++ b/hosts/desko/fs.nix
@@ -1,7 +1,7 @@
 { ... }:
 {
- sane.impermanence.root-on-tmpfs = true;
+ sane.persist.root-on-tmpfs = true;
 # we need a /tmp for building large nix things.
 # a cross-compiled kernel, particularly, will easily use 30+GB of tmp
 fileSystems."/tmp" = {
diff --git a/hosts/lappy/default.nix b/hosts/lappy/default.nix
index f3cc85ee..86dfd55c 100644
--- a/hosts/lappy/default.nix
+++ b/hosts/lappy/default.nix
@@ -8,7 +8,7 @@
 # sane.users.guest.enable = true;
 sane.gui.sway.enable = true;
- sane.impermanence.enable = true;
+ sane.persist.enable = true;
 sane.nixcache.enable = true;
 boot.loader.efi.canTouchEfiVariables = false;
 sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
diff --git a/hosts/lappy/fs.nix b/hosts/lappy/fs.nix
index d4539ee3..c26b5bd2 100644
--- a/hosts/lappy/fs.nix
+++ b/hosts/lappy/fs.nix
@@ -1,7 +1,7 @@
 { ... }:
 {
- sane.impermanence.root-on-tmpfs = true;
+ sane.persist.root-on-tmpfs = true;
 # we need a /tmp of default size (half RAM) for building large nix things
 fileSystems."/tmp" = {
 device = "none";
diff --git a/hosts/moby/default.nix b/hosts/moby/default.nix
index 987b955c..aad87500 100644
--- a/hosts/moby/default.nix
+++ b/hosts/moby/default.nix
@@ -24,11 +24,11 @@
 };
 # usability compromises
- sane.impermanence.dirs.home.private = [
+ sane.persist.dirs.home.private = [
 config.sane.web-browser.dotDir
 config.sane.web-browser.cacheDir
 ];
- sane.impermanence.dirs.home.plaintext = [
+ sane.persist.dirs.home.plaintext = [
 ".config/pulse" # persist pulseaudio volume
 ];
@@ -38,7 +38,7 @@
 ];
 sane.nixcache.enable = true;
- sane.impermanence.enable = true;
+ sane.persist.enable = true;
 sane.gui.phosh.enable = true;
 boot.loader.efi.canTouchEfiVariables = false;
diff --git a/hosts/moby/fs.nix b/hosts/moby/fs.nix
index 8930e0b0..d48c5889 100644
--- a/hosts/moby/fs.nix
+++ b/hosts/moby/fs.nix
@@ -1,7 +1,7 @@
 { ... }:
 {
- sane.impermanence.root-on-tmpfs = true;
+ sane.persist.root-on-tmpfs = true;
 fileSystems."/nix" = {
 device = "/dev/disk/by-uuid/1f1271f8-53ce-4081-8a29-60a4a6b5d6f9";
 fsType = "btrfs";
diff --git a/hosts/servo/default.nix b/hosts/servo/default.nix
index 7fd62a28..1b3b24b0 100644
--- a/hosts/servo/default.nix
+++ b/hosts/servo/default.nix
@@ -13,7 +13,7 @@
 pkgs.matrix-synapse
 pkgs.freshrss
 ];
- sane.impermanence.enable = true;
+ sane.persist.enable = true;
 sane.services.dyn-dns.enable = true;
 # sane.services.duplicity.enable = true; # TODO: re-enable after HW upgrade
diff --git a/hosts/servo/fs.nix b/hosts/servo/fs.nix
index f6db2f27..de08c846 100644
--- a/hosts/servo/fs.nix
+++ b/hosts/servo/fs.nix
@@ -1,7 +1,7 @@
 { ... }:
 {
- sane.impermanence.root-on-tmpfs = true;
+ sane.persist.root-on-tmpfs = true;
 # we need a /tmp for building large nix things
 fileSystems."/tmp" = {
 device = "none";
@@ -27,7 +27,7 @@
 };
 # slow, external storage (for archiving, etc)
- fileSystems."/mnt/impermanence/ext" = {
+ fileSystems."/mnt/persist/ext" = {
 device = "/dev/disk/by-uuid/aa272cff-0fcc-498e-a4cb-0d95fb60631b";
 fsType = "btrfs";
 options = [
@@ -36,18 +36,18 @@
 ];
 };
- sane.impermanence.stores."ext" = {
- origin = "/mnt/impermanence/ext/persist";
+ sane.persist.stores."ext" = {
+ origin = "/mnt/persist/ext/persist";
 storeDescription = "external HDD storage";
 };
- sane.fs."/mnt/impermanence/ext".mount = {};
+ sane.fs."/mnt/persist/ext".mount = {};
- sane.impermanence.dirs.sys.plaintext = [
+ sane.persist.dirs.sys.plaintext = [
 # TODO: this is overly broad; only need media and share directories to be persisted
 { user = "colin"; group = "users"; directory = "/var/lib/uninsane"; }
 ];
 # make sure large media is stored to the HDD
- sane.impermanence.dirs.sys.ext = [
+ sane.persist.dirs.sys.ext = [
 { user = "colin"; group = "users";
diff --git a/hosts/servo/services/ejabberd.nix b/hosts/servo/services/ejabberd.nix
index 686761c7..52e5f90c 100644
--- a/hosts/servo/services/ejabberd.nix
+++ b/hosts/servo/services/ejabberd.nix
@@ -19,7 +19,7 @@
 # XXX: avatar support works in MUCs but not DMs
 # lib.mkIf false
 {
- sane.impermanence.dirs.sys.plaintext = [
+ sane.persist.dirs.sys.plaintext = [
 { user = "ejabberd"; group = "ejabberd"; directory = "/var/lib/ejabberd"; }
 ];
 networking.firewall.allowedTCPPorts = [
diff --git a/hosts/servo/services/freshrss.nix b/hosts/servo/services/freshrss.nix
index 4597d28c..84b82d7c 100644
--- a/hosts/servo/services/freshrss.nix
+++ b/hosts/servo/services/freshrss.nix
@@ -16,7 +16,7 @@
 owner = config.users.users.freshrss.name;
 mode = "0400";
 };
- sane.impermanence.dirs.sys.plaintext = [
+ sane.persist.dirs.sys.plaintext = [
 { user = "freshrss"; group = "freshrss"; directory = "/var/lib/freshrss"; }
 ];
diff --git a/hosts/servo/services/gitea.nix b/hosts/servo/services/gitea.nix
index 0ab8069e..a0069e5a 100644
--- a/hosts/servo/services/gitea.nix
+++ b/hosts/servo/services/gitea.nix
@@ -1,7 +1,7 @@
 { config, pkgs, lib, ... }:
 {
- sane.impermanence.dirs.sys.plaintext = [
+ sane.persist.dirs.sys.plaintext = [
 # TODO: mode? could be more granular
 { user = "git"; group = "gitea"; directory = "/var/lib/gitea"; }
 ];
diff --git a/hosts/servo/services/ipfs.nix b/hosts/servo/services/ipfs.nix
index 7af9e98c..1ec8b91f 100644
--- a/hosts/servo/services/ipfs.nix
+++ b/hosts/servo/services/ipfs.nix
@@ -10,7 +10,7 @@ lib.mkIf false # i don't actively use ipfs anymore
 {
- sane.impermanence.dirs.sys.plaintext = [
+ sane.persist.dirs.sys.plaintext = [
 # TODO: mode? could be more granular
 { user = "261"; group = "261"; directory = "/var/lib/ipfs"; }
 ];
diff --git a/hosts/servo/services/jackett.nix b/hosts/servo/services/jackett.nix
index 7e3ad1a8..7114bfea 100644
--- a/hosts/servo/services/jackett.nix
+++ b/hosts/servo/services/jackett.nix
@@ -1,7 +1,7 @@
 { ... }:
 {
- sane.impermanence.dirs.sys.plaintext = [
+ sane.persist.dirs.sys.plaintext = [
 # TODO: mode? we only need this to save Indexer creds ==> migrate to config?
 { user = "root"; group = "root"; directory = "/var/lib/jackett"; }
 ];
diff --git a/hosts/servo/services/jellyfin.nix b/hosts/servo/services/jellyfin.nix
index cf7405e7..91d6f2fb 100644
--- a/hosts/servo/services/jellyfin.nix
+++ b/hosts/servo/services/jellyfin.nix
@@ -7,7 +7,7 @@ lib.mkIf false
 networking.firewall.allowedUDPPorts = [ 1900 7359 # DLNA: https://jellyfin.org/docs/general/networking/index.html
 ];
- sane.impermanence.dirs.sys.plaintext = [
+ sane.persist.dirs.sys.plaintext = [
 # TODO: mode? could be more granular
 { user = "jellyfin"; group = "jellyfin"; directory = "/var/lib/jellyfin"; }
 ];
diff --git a/hosts/servo/services/matrix/default.nix b/hosts/servo/services/matrix/default.nix
index 8063f056..4181e8b6 100644
--- a/hosts/servo/services/matrix/default.nix
+++ b/hosts/servo/services/matrix/default.nix
@@ -8,7 +8,7 @@
 # ./irc.nix
 ];
- sane.impermanence.dirs.sys.plaintext = [
+ sane.persist.dirs.sys.plaintext = [
 { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/matrix-synapse"; }
 ];
 services.matrix-synapse.enable = true;
diff --git a/hosts/servo/services/matrix/discord-puppet.nix b/hosts/servo/services/matrix/discord-puppet.nix
index 6bf4cf9a..6a41575b 100644
--- a/hosts/servo/services/matrix/discord-puppet.nix
+++ b/hosts/servo/services/matrix/discord-puppet.nix
@@ -1,6 +1,6 @@
 { lib, ... }:
 {
- sane.impermanence.dirs.sys.plaintext = [
+ sane.persist.dirs.sys.plaintext = [
 { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/mx-puppet-discord"; }
 ];
diff --git a/hosts/servo/services/matrix/irc.nix b/hosts/servo/services/matrix/irc.nix
index c950c925..f0919584 100644
--- a/hosts/servo/services/matrix/irc.nix
+++ b/hosts/servo/services/matrix/irc.nix
@@ -1,7 +1,7 @@
 { config, lib, ... }:
 {
- sane.impermanence.dirs.sys.plaintext = [
+ sane.persist.dirs.sys.plaintext = [
 # TODO: mode?
 # user and group are both "matrix-appservice-irc"
 { user = "993"; group = "992"; directory = "/var/lib/matrix-appservice-irc"; }
diff --git a/hosts/servo/services/navidrome.nix b/hosts/servo/services/navidrome.nix
index b26cc557..1fa1eaaf 100644
--- a/hosts/servo/services/navidrome.nix
+++ b/hosts/servo/services/navidrome.nix
@@ -1,7 +1,7 @@
 { ... }:
 {
- sane.impermanence.dirs.sys.plaintext = [
+ sane.persist.dirs.sys.plaintext = [
 # TODO: we don't have a static user allocated for navidrome!
 # the chown would happen too early for us to set static perms
 "/var/lib/private/navidrome"
diff --git a/hosts/servo/services/nginx.nix b/hosts/servo/services/nginx.nix
index 15ee27a2..3f849d56 100644
--- a/hosts/servo/services/nginx.nix
+++ b/hosts/servo/services/nginx.nix
@@ -122,7 +122,7 @@ in
 users.users.acme.uid = config.sane.allocations.acme-uid;
 users.groups.acme.gid = config.sane.allocations.acme-gid;
- sane.impermanence.dirs.sys.plaintext = [
+ sane.persist.dirs.sys.plaintext = [
 # TODO: mode?
 { user = "acme"; group = "acme"; directory = "/var/lib/acme"; }
 { user = "colin"; group = "users"; directory = "/var/www/sites"; }
diff --git a/hosts/servo/services/pleroma.nix b/hosts/servo/services/pleroma.nix
index 4567022a..b291193e 100644
--- a/hosts/servo/services/pleroma.nix
+++ b/hosts/servo/services/pleroma.nix
@@ -6,7 +6,7 @@
 { config, pkgs, ... }:
 {
- sane.impermanence.dirs.sys.plaintext = [
+ sane.persist.dirs.sys.plaintext = [
 # TODO: mode? could be more granular
 { user = "pleroma"; group = "pleroma"; directory = "/var/lib/pleroma"; }
 ];
diff --git a/hosts/servo/services/postfix.nix b/hosts/servo/services/postfix.nix
index d93fd018..f81cc284 100644
--- a/hosts/servo/services/postfix.nix
+++ b/hosts/servo/services/postfix.nix
@@ -16,7 +16,7 @@ let
 };
 in
 {
- sane.impermanence.dirs.sys.plaintext = [
+ sane.persist.dirs.sys.plaintext = [
 # TODO: mode? could be more granular
 { user = "opendkim"; group = "opendkim"; directory = "/var/lib/opendkim"; }
 { user = "root"; group = "root"; directory = "/var/lib/postfix"; }
diff --git a/hosts/servo/services/postgres.nix b/hosts/servo/services/postgres.nix
index 23952da6..27993596 100644
--- a/hosts/servo/services/postgres.nix
+++ b/hosts/servo/services/postgres.nix
@@ -1,7 +1,7 @@
 { ... }:
 {
- sane.impermanence.dirs.sys.plaintext = [
+ sane.persist.dirs.sys.plaintext = [
 # TODO: mode?
 { user = "postgres"; group = "postgres"; directory = "/var/lib/postgresql"; }
 ];
diff --git a/hosts/servo/services/prosody.nix b/hosts/servo/services/prosody.nix
index b2b18aed..a5cdc0d8 100644
--- a/hosts/servo/services/prosody.nix
+++ b/hosts/servo/services/prosody.nix
@@ -9,7 +9,7 @@
 # nixnet runs ejabberd, so revisiting that.
 lib.mkIf false
 {
- sane.impermanence.dirs.sys.plaintext = [
+ sane.persist.dirs.sys.plaintext = [
 { user = "prosody"; group = "prosody"; directory = "/var/lib/prosody"; }
 ];
 networking.firewall.allowedTCPPorts = [
diff --git a/hosts/servo/services/transmission.nix b/hosts/servo/services/transmission.nix
index 0bb1de4c..0a0c4ce4 100644
--- a/hosts/servo/services/transmission.nix
+++ b/hosts/servo/services/transmission.nix
@@ -1,7 +1,7 @@
 { pkgs, ... }:
 {
- sane.impermanence.dirs.sys.plaintext = [
+ sane.persist.dirs.sys.plaintext = [
 # TODO: mode? we need this specifically for the stats tracking in .config/
 { user = "transmission"; group = "transmission"; directory = "/var/lib/transmission"; }
 ];
diff --git a/modules/default.nix b/modules/default.nix
index 44538a30..fe0ba6e2 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -8,8 +8,8 @@
 ./home-manager
 ./packages.nix
 ./image.nix
- ./impermanence
 ./nixcache.nix
+ ./persist
 ./services
 ./sops.nix
 ];
diff --git a/modules/home-manager/neovim.nix b/modules/home-manager/neovim.nix
index a6f062bb..51f8c144 100644
--- a/modules/home-manager/neovim.nix
+++ b/modules/home-manager/neovim.nix
@@ -3,7 +3,7 @@ lib.mkIf config.sane.home-manager.enable
 {
 # private because there could be sensitive things in the swap
- sane.impermanence.dirs.home.private = [ ".cache/vim-swap" ];
+ sane.persist.dirs.home.private = [ ".cache/vim-swap" ];
 home-manager.users.colin.programs.neovim = {
 # neovim: https://github.com/neovim/neovim
diff --git a/modules/home-manager/zsh/default.nix b/modules/home-manager/zsh/default.nix
index 2299eca4..0bbb78b6 100644
--- a/modules/home-manager/zsh/default.nix
+++ b/modules/home-manager/zsh/default.nix
@@ -2,7 +2,7 @@ lib.mkIf config.sane.home-manager.enable
 {
- sane.impermanence.dirs.home.plaintext = [
+ sane.persist.dirs.home.plaintext = [
 # we don't need to full zsh dir -- just the history file --
 # but zsh will sometimes backup the history file and we get fewer errors if we do proper mounts instead of symlinks.
 # TODO: should be private?
diff --git a/modules/packages.nix b/modules/packages.nix
index c9c37d1c..afe1a625 100644
--- a/modules/packages.nix
+++ b/modules/packages.nix
@@ -307,8 +307,8 @@ in
 config = {
 environment.systemPackages = mkIf cfg.enableSystemPkgs systemPkgs;
- sane.impermanence.dirs.home.plaintext = concatLists (map (p: p.dir) cfg.enabledUserPkgs);
- sane.impermanence.dirs.home.private = concatLists (map (p: p.private) cfg.enabledUserPkgs);
+ sane.persist.dirs.home.plaintext = concatLists (map (p: p.dir) cfg.enabledUserPkgs);
+ sane.persist.dirs.home.private = concatLists (map (p: p.private) cfg.enabledUserPkgs);
 # XXX: this might not be necessary. try removing this and cacert.unbundled?
 environment.etc."ssl/certs".source = mkIf cfg.enableSystemPkgs "${pkgs.cacert.unbundled}/etc/ssl/certs/*";
 };
diff --git a/modules/impermanence/default.nix b/modules/persist/default.nix
similarity index 96%
rename from modules/impermanence/default.nix
rename to modules/persist/default.nix
index 9aea8e55..7b2617d8 100644
--- a/modules/impermanence/default.nix
+++ b/modules/persist/default.nix
@@ -8,7 +8,7 @@ with lib;
 let
 path = sane-lib.path;
 sane-types = sane-lib.types;
- cfg = config.sane.impermanence;
+ cfg = config.sane.persist;
 storeType = types.submodule {
 options = {
@@ -131,20 +131,20 @@ let
 in
 {
 options = {
- sane.impermanence.enable = mkOption {
+ sane.persist.enable = mkOption {
 default = false;
 type = types.bool;
 };
- sane.impermanence.root-on-tmpfs = mkOption {
+ sane.persist.root-on-tmpfs = mkOption {
 default = false;
 type = types.bool;
 description = "define / fs root to be a tmpfs. make sure to mount some other device to /nix";
 };
- sane.impermanence.dirs = mkOption {
+ sane.persist.dirs = mkOption {
 type = dirsModule;
 default = {};
 };
- sane.impermanence.stores = mkOption {
+ sane.persist.stores = mkOption {
 type = types.attrsOf storeType;
 default = {};
 description = ''
diff --git a/modules/impermanence/root-on-tmpfs.nix b/modules/persist/root-on-tmpfs.nix
similarity index 86%
rename from modules/impermanence/root-on-tmpfs.nix
rename to modules/persist/root-on-tmpfs.nix
index a3f0daad..5fd97622 100644
--- a/modules/impermanence/root-on-tmpfs.nix
+++ b/modules/persist/root-on-tmpfs.nix
@@ -1,7 +1,7 @@
 { config, lib, ... }:
 let
- cfg = config.sane.impermanence;
+ cfg = config.sane.persist;
 in
 {
 fileSystems."/" = lib.mkIf (cfg.enable && cfg.root-on-tmpfs) {
diff --git a/modules/impermanence/stores/crypt.nix b/modules/persist/stores/crypt.nix
similarity index 91%
rename from modules/impermanence/stores/crypt.nix
rename to modules/persist/stores/crypt.nix
index 4a7f2362..fac7876e 100644
--- a/modules/impermanence/stores/crypt.nix
+++ b/modules/persist/stores/crypt.nix
@@ -2,17 +2,17 @@
 let
 store = rec {
- device = "/mnt/impermanence/crypt/clearedonboot";
+ device = "/mnt/persist/crypt/clearedonboot";
 underlying = {
 path = "/nix/persist/crypt/clearedonboot";
 # TODO: consider moving this to /tmp, but that requires tmp be mounted first?
- key = "/mnt/impermanence/crypt/clearedonboot.key";
+ key = "/mnt/persist/crypt/clearedonboot.key";
 };
 };
 in
-lib.mkIf config.sane.impermanence.enable
+lib.mkIf config.sane.persist.enable
 {
- sane.impermanence.stores."cryptClearOnBoot" = {
+ sane.persist.stores."cryptClearOnBoot" = {
 storeDescription = ''
 stored to disk, but encrypted to an in-memory key
 and cleared on every boot so that it's unreadable after power-off
diff --git a/modules/impermanence/stores/default.nix b/modules/persist/stores/default.nix
similarity index 100%
rename from modules/impermanence/stores/default.nix
rename to modules/persist/stores/default.nix
diff --git a/modules/impermanence/stores/plaintext.nix b/modules/persist/stores/plaintext.nix
similarity index 64%
rename from modules/impermanence/stores/plaintext.nix
rename to modules/persist/stores/plaintext.nix
index 4d1aaee6..4067cce8 100644
--- a/modules/impermanence/stores/plaintext.nix
+++ b/modules/persist/stores/plaintext.nix
@@ -1,9 +1,9 @@
 { config, lib, ... }:
 let
- cfg = config.sane.impermanence;
+ cfg = config.sane.persist;
 in
 lib.mkIf cfg.enable {
- sane.impermanence.stores."plaintext" = {
+ sane.persist.stores."plaintext" = {
 origin = "/nix/persist";
 };
 # TODO: needed?
diff --git a/modules/impermanence/stores/private.nix b/modules/persist/stores/private.nix
similarity index 94%
rename from modules/impermanence/stores/private.nix
rename to modules/persist/stores/private.nix
index 4da54a8f..3e9c3a55 100644
--- a/modules/impermanence/stores/private.nix
+++ b/modules/persist/stores/private.nix
@@ -1,8 +1,8 @@
 { config, lib, pkgs, utils, ... }:
-lib.mkIf config.sane.impermanence.enable
+lib.mkIf config.sane.persist.enable
 {
- sane.impermanence.stores."private" = {
+ sane.persist.stores."private" = {
 storeDescription = ''
 encrypted to the user's password and auto-unlocked at login
 '';
diff --git a/modules/services/duplicity.nix b/modules/services/duplicity.nix
index 22a0b72a..cbdccdf3 100644
--- a/modules/services/duplicity.nix
+++ b/modules/services/duplicity.nix
@@ -16,7 +16,7 @@ in
 config = mkIf cfg.enable {
 # we need this mostly because of the size of duplicity's cache
 # TODO: move to cryptClearOnBoot and update perms
- sane.impermanence.dirs.sys.plaintext = [ "/var/lib/duplicity" ];
+ sane.persist.dirs.sys.plaintext = [ "/var/lib/duplicity" ];
 services.duplicity.enable = true;
 services.duplicity.targetUrl = "$DUPLICITY_URL";