servo: port legacy /var/lib users over to "method = bind" persistence

i may wittle these down in the future
2024-02-23 15:49:54 +00:00 · 2024-02-23 15:49:54 +00:00 · c6ebcfe66e
commit c6ebcfe66e
parent d7402ae170
29 changed files with 33 additions and 34 deletions
--- a/hosts/by-name/servo/fs.nix
+++ b/hosts/by-name/servo/fs.nix
@ -84,7 +84,7 @@

  sane.persist.sys.byStore.plaintext = [
    # TODO: this is overly broad; only need media and share directories to be persisted
-    { user = "colin"; group = "users"; path = "/var/lib/uninsane"; }
+    { user = "colin"; group = "users"; path = "/var/lib/uninsane"; method = "bind"; }
  ];
  # force some problematic directories to always get correct permissions:
  sane.fs."/var/lib/uninsane/media".dir.acl = {
--- a/hosts/by-name/servo/services/calibre.nix
+++ b/hosts/by-name/servo/services/calibre.nix
@ -13,7 +13,7 @@ in
 lib.mkIf false
 {
  sane.persist.sys.byStore.plaintext = [
-    { inherit user group; mode = "0700"; path = svc-dir; }
+    { inherit user group; mode = "0700"; path = svc-dir; method = "bind"; }
  ];

  services.calibre-web.enable = true;
--- a/hosts/by-name/servo/services/cryptocurrencies/bitcoin.nix
+++ b/hosts/by-name/servo/services/cryptocurrencies/bitcoin.nix
@ -30,8 +30,7 @@ let
 in
 {
  sane.persist.sys.byStore.ext = [
-    # /var/lib/monero/lmdb is what consumes most of the space
-    { user = "bitcoind-mainnet"; group = "bitcoind-mainnet"; path = "/var/lib/bitcoind-mainnet"; }
+    { user = "bitcoind-mainnet"; group = "bitcoind-mainnet"; path = "/var/lib/bitcoind-mainnet"; method = "bind"; }
  ];

  # sane.ports.ports."8333" = {
--- a/hosts/by-name/servo/services/cryptocurrencies/clightning.nix
+++ b/hosts/by-name/servo/services/cryptocurrencies/clightning.nix
@ -73,7 +73,7 @@
 { config, pkgs, ... }:
 {
  sane.persist.sys.byStore.ext = [
-    { user = "clightning"; group = "clightning"; mode = "0710"; path = "/var/lib/clightning"; }
+    { user = "clightning"; group = "clightning"; mode = "0710"; path = "/var/lib/clightning"; method = "bind"; }
  ];

  # `lightning-cli` finds its RPC file via `~/.lightning/bitcoin/lightning-rpc`, to message the daemon
--- a/hosts/by-name/servo/services/cryptocurrencies/monero.nix
+++ b/hosts/by-name/servo/services/cryptocurrencies/monero.nix
@ -3,7 +3,7 @@
 {
  sane.persist.sys.byStore.ext = [
    # /var/lib/monero/lmdb is what consumes most of the space
-    { user = "monero"; group = "monero"; path = "/var/lib/monero"; }
+    { user = "monero"; group = "monero"; path = "/var/lib/monero"; method = "bind"; }
  ];

  services.monero.enable = true;
--- a/hosts/by-name/servo/services/cryptocurrencies/tor.nix
+++ b/hosts/by-name/servo/services/cryptocurrencies/tor.nix
@ -4,7 +4,7 @@
  # tor hidden service hostnames aren't deterministic, so persist.
  # might be able to get away with just persisting /var/lib/tor/onion, not sure.
  sane.persist.sys.byStore.plaintext = [
-    { user = "tor"; group = "tor"; mode = "0710"; path = "/var/lib/tor"; }
+    { user = "tor"; group = "tor"; mode = "0710"; path = "/var/lib/tor"; method = "bind"; }
  ];

  # tor: `tor.enable` doesn't start a relay, exit node, proxy, etc. it's minimal.
--- a/hosts/by-name/servo/services/ejabberd.nix
+++ b/hosts/by-name/servo/services/ejabberd.nix
@ -45,7 +45,7 @@ in
 lib.mkIf false
 {
  sane.persist.sys.byStore.plaintext = [
-    { user = "ejabberd"; group = "ejabberd"; path = "/var/lib/ejabberd"; }
+    { user = "ejabberd"; group = "ejabberd"; path = "/var/lib/ejabberd"; method = "bind"; }
  ];
  sane.ports.ports = lib.mkMerge ([
    {
--- a/hosts/by-name/servo/services/email/postfix.nix
+++ b/hosts/by-name/servo/services/email/postfix.nix
@ -20,9 +20,9 @@ in
 {
  sane.persist.sys.byStore.plaintext = [
    # TODO: mode? could be more granular
-    { user = "opendkim"; group = "opendkim"; path = "/var/lib/opendkim"; }
-    { user = "root"; group = "root"; path = "/var/lib/postfix"; }
-    { user = "root"; group = "root"; path = "/var/spool/mail"; }
+    { user = "opendkim"; group = "opendkim"; path = "/var/lib/opendkim"; method = "bind"; }
+    { user = "root"; group = "root"; path = "/var/lib/postfix"; method = "bind"; }
+    { user = "root"; group = "root"; path = "/var/spool/mail"; method = "bind"; }
    # *probably* don't need these dirs:
    # "/var/lib/dhparams"          # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/dhparams.nix
    # "/var/lib/dovecot"
--- a/hosts/by-name/servo/services/export/default.nix
+++ b/hosts/by-name/servo/services/export/default.nix
@ -30,7 +30,7 @@
  # to query the quota/status:
  # - `sudo btrfs qgroup show -re /var/export/playground`
  sane.persist.sys.byStore.ext = [
-    { user = "root"; group = "export"; mode = "0775"; path = "/var/export/playground"; }
+    { user = "root"; group = "export"; mode = "0775"; path = "/var/export/playground"; method = "bind"; }
  ];

  sane.fs."/var/export/README.md" = {
--- a/hosts/by-name/servo/services/freshrss.nix
+++ b/hosts/by-name/servo/services/freshrss.nix
@ -16,7 +16,7 @@
    mode = "0400";
  };
  sane.persist.sys.byStore.plaintext = [
-    { user = "freshrss"; group = "freshrss"; path = "/var/lib/freshrss"; }
+    { user = "freshrss"; group = "freshrss"; path = "/var/lib/freshrss"; method = "bind"; }
  ];

  services.freshrss.enable = true;
--- a/hosts/by-name/servo/services/gitea.nix
+++ b/hosts/by-name/servo/services/gitea.nix
@ -4,7 +4,7 @@
 {
  sane.persist.sys.byStore.plaintext = [
    # TODO: mode? could be more granular
-    { user = "git"; group = "gitea"; path = "/var/lib/gitea"; }
+    { user = "git"; group = "gitea"; path = "/var/lib/gitea"; method = "bind"; }
  ];
  services.gitea.enable = true;
  services.gitea.user = "git";  # default is 'gitea'
--- a/hosts/by-name/servo/services/ipfs.nix
+++ b/hosts/by-name/servo/services/ipfs.nix
@ -12,7 +12,7 @@ lib.mkIf false # i don't actively use ipfs anymore
 {
  sane.persist.sys.byStore.plaintext = [
    # TODO: mode? could be more granular
-    { user = "261"; group = "261"; path = "/var/lib/ipfs"; }
+    { user = "261"; group = "261"; path = "/var/lib/ipfs"; method = "bind"; }
  ];

  networking.firewall.allowedTCPPorts = [ 4001 ];
--- a/hosts/by-name/servo/services/jackett.nix
+++ b/hosts/by-name/servo/services/jackett.nix
@ -3,7 +3,7 @@
 {
  sane.persist.sys.byStore.plaintext = [
    # TODO: mode? we only need this to save Indexer creds ==> migrate to config?
-    { user = "root"; group = "root"; path = "/var/lib/jackett"; }
+    { user = "root"; group = "root"; path = "/var/lib/jackett"; method = "bind"; }
  ];
  services.jackett.enable = true;

--- a/hosts/by-name/servo/services/jellyfin.nix
+++ b/hosts/by-name/servo/services/jellyfin.nix
@ -41,7 +41,7 @@
  };

  sane.persist.sys.byStore.plaintext = [
-    { user = "jellyfin"; group = "jellyfin"; mode = "0700"; path = "/var/lib/jellyfin"; }
+    { user = "jellyfin"; group = "jellyfin"; mode = "0700"; path = "/var/lib/jellyfin"; method = "bind"; }
  ];
  sane.fs."/var/lib/jellyfin/config/logging.json" = {
    # "Emby.Dlna" logging: <https://jellyfin.org/docs/general/networking/dlna>
--- a/hosts/by-name/servo/services/kiwix-serve.nix
+++ b/hosts/by-name/servo/services/kiwix-serve.nix
@ -7,7 +7,7 @@
 { ... }:
 {
  sane.persist.sys.byStore.ext = [
-    { user = "colin"; group = "users"; path = "/var/lib/kiwix"; }
+    { user = "colin"; group = "users"; path = "/var/lib/kiwix"; method = "bind"; }
  ];

  sane.services.kiwix-serve = {
--- a/hosts/by-name/servo/services/komga.nix
+++ b/hosts/by-name/servo/services/komga.nix
@ -5,7 +5,7 @@ let
 in
 {
  sane.persist.sys.byStore.plaintext = [
-    { inherit user group; mode = "0700"; path = stateDir; }
+    { inherit user group; mode = "0700"; path = stateDir; method = "bind"; }
  ];

  services.komga.enable = true;
--- a/hosts/by-name/servo/services/matrix/default.nix
+++ b/hosts/by-name/servo/services/matrix/default.nix
@ -21,7 +21,7 @@
  ];

  sane.persist.sys.byStore.plaintext = [
-    { user = "matrix-synapse"; group = "matrix-synapse"; path = "/var/lib/matrix-synapse"; }
+    { user = "matrix-synapse"; group = "matrix-synapse"; path = "/var/lib/matrix-synapse"; method = "bind"; }
  ];
  services.matrix-synapse.enable = true;
  services.matrix-synapse.settings = {
--- a/hosts/by-name/servo/services/matrix/discord-puppet.nix
+++ b/hosts/by-name/servo/services/matrix/discord-puppet.nix
@ -6,7 +6,7 @@
 lib.mkIf false
 {
  sane.persist.sys.byStore.plaintext = [
-    { user = "matrix-synapse"; group = "matrix-synapse"; path = "/var/lib/mx-puppet-discord"; }
+    { user = "matrix-synapse"; group = "matrix-synapse"; path = "/var/lib/mx-puppet-discord"; method = "bind"; }
  ];

  services.matrix-synapse.settings.app_service_config_files = [
--- a/hosts/by-name/servo/services/matrix/irc.nix
+++ b/hosts/by-name/servo/services/matrix/irc.nix
@ -103,7 +103,7 @@ in

  sane.persist.sys.byStore.plaintext = [
    # TODO: mode?
-    { user = "matrix-appservice-irc"; group = "matrix-appservice-irc"; path = "/var/lib/matrix-appservice-irc"; }
+    { user = "matrix-appservice-irc"; group = "matrix-appservice-irc"; path = "/var/lib/matrix-appservice-irc"; method = "bind"; }
  ];

  # XXX: matrix-appservice-irc PreStart tries to chgrp the registration.yml to matrix-synapse,
--- a/hosts/by-name/servo/services/matrix/signal.nix
+++ b/hosts/by-name/servo/services/matrix/signal.nix
@ -5,8 +5,8 @@
 lib.mkIf false  # disabled 2024/01/11: i don't use it, and pkgs.mautrix-signal had some API changes
 {
  sane.persist.sys.byStore.plaintext = [
-    { user = "mautrix-signal"; group = "mautrix-signal"; path = "/var/lib/mautrix-signal"; }
-    { user = "signald"; group = "signald"; path = "/var/lib/signald"; }
+    { user = "mautrix-signal"; group = "mautrix-signal"; path = "/var/lib/mautrix-signal"; method = "bind"; }
+    { user = "signald"; group = "signald"; path = "/var/lib/signald"; method = "bind"; }
  ];

  # allow synapse to read the registration file
--- a/hosts/by-name/servo/services/navidrome.nix
+++ b/hosts/by-name/servo/services/navidrome.nix
@ -2,7 +2,7 @@

 {
  sane.persist.sys.byStore.plaintext = [
-    { user = "navidrome"; group = "navidrome"; path = "/var/lib/navidrome"; }
+    { user = "navidrome"; group = "navidrome"; path = "/var/lib/navidrome"; method = "bind"; }
  ];
  services.navidrome.enable = true;
  services.navidrome.settings = {
--- a/hosts/by-name/servo/services/nginx.nix
+++ b/hosts/by-name/servo/services/nginx.nix
@ -169,8 +169,8 @@ in
  security.acme.defaults.email = "admin.acme@uninsane.org";

  sane.persist.sys.byStore.plaintext = [
-    { user = "acme"; group = "acme"; path = "/var/lib/acme"; }
-    { user = "colin"; group = "users"; path = "/var/www/sites"; }
+    { user = "acme"; group = "acme"; path = "/var/lib/acme"; method = "bind"; }
+    { user = "colin"; group = "users"; path = "/var/www/sites"; method = "bind"; }
  ];

  # let's encrypt default chain looks like:
--- a/hosts/by-name/servo/services/ntfy/ntfy-sh.nix
+++ b/hosts/by-name/servo/services/ntfy/ntfy-sh.nix
@ -34,7 +34,7 @@ in
    # not 100% necessary to persist this, but ntfy does keep a 12hr (by default) cache
    # for pushing notifications to users who become offline.
    # ACLs also live here.
-    { user = "ntfy-sh"; group ="ntfy-sh"; path = "/var/lib/ntfy-sh"; }
+    { user = "ntfy-sh"; group ="ntfy-sh"; path = "/var/lib/ntfy-sh"; method = "bind"; }
  ];

  services.ntfy-sh.enable = true;
--- a/hosts/by-name/servo/services/pict-rs.nix
+++ b/hosts/by-name/servo/services/pict-rs.nix
@ -6,7 +6,7 @@ let
 in
 {
  sane.persist.sys.byStore.plaintext = lib.mkIf cfg.enable [
-    { user = "pict-rs"; group = "pict-rs"; path = cfg.dataDir; }
+    { user = "pict-rs"; group = "pict-rs"; path = cfg.dataDir; method = "bind"; }
  ];

  systemd.services.pict-rs.serviceConfig = {
--- a/hosts/by-name/servo/services/pleroma.nix
+++ b/hosts/by-name/servo/services/pleroma.nix
@ -15,7 +15,7 @@ let
 in
 {
  sane.persist.sys.byStore.plaintext = [
-    { user = "pleroma"; group = "pleroma"; path = "/var/lib/pleroma"; }
+    { user = "pleroma"; group = "pleroma"; path = "/var/lib/pleroma"; method = "bind"; }
  ];
  services.pleroma.enable = true;
  services.pleroma.secretConfigFile = config.sops.secrets.pleroma_secrets.path;
--- a/hosts/by-name/servo/services/postgres.nix
+++ b/hosts/by-name/servo/services/postgres.nix
@ -8,7 +8,7 @@ in
 {
  sane.persist.sys.byStore.plaintext = [
    # TODO: mode?
-    { user = "postgres"; group = "postgres"; path = "/var/lib/postgresql"; }
+    { user = "postgres"; group = "postgres"; path = "/var/lib/postgresql"; method = "bind"; }
  ];
  services.postgresql.enable = true;

--- a/hosts/by-name/servo/services/prosody/default.nix
+++ b/hosts/by-name/servo/services/prosody/default.nix
@ -57,7 +57,7 @@ let
 in
 {
  sane.persist.sys.byStore.plaintext = [
-    { user = "prosody"; group = "prosody"; path = "/var/lib/prosody"; }
+    { user = "prosody"; group = "prosody"; path = "/var/lib/prosody"; method = "bind"; }
  ];
  sane.ports.ports."5000" = {
    protocol = [ "tcp" ];
--- a/hosts/by-name/servo/services/slskd.nix
+++ b/hosts/by-name/servo/services/slskd.nix
@ -6,7 +6,7 @@
 { config, lib, ... }:
 {
  sane.persist.sys.byStore.plaintext = [
-    { user = "slskd"; group = "slskd"; path = "/var/lib/slskd"; }
+    { user = "slskd"; group = "slskd"; path = "/var/lib/slskd"; method = "bind"; }
  ];
  sops.secrets."slskd_env" = {
    owner = config.users.users.slskd.name;
--- a/hosts/by-name/servo/services/transmission.nix
+++ b/hosts/by-name/servo/services/transmission.nix
@ -26,7 +26,7 @@ in
 {
  sane.persist.sys.byStore.plaintext = [
    # TODO: mode? we need this specifically for the stats tracking in .config/
-    { user = "transmission"; group = config.users.users.transmission.group; path = "/var/lib/transmission"; }
+    { user = "transmission"; group = config.users.users.transmission.group; path = "/var/lib/transmission"; method = "bind"; }
  ];
  users.users.transmission.extraGroups = [ "media" ];