servo: postgresql: port data to private store

2024-07-27 16:51:23 +00:00
parent cbe17c03e4
commit e44771f67d
3 changed files with 5 additions and 8 deletions
--- a/hosts/by-name/servo/services/postgres.nix
+++ b/hosts/by-name/servo/services/postgres.nix
@@ -6,9 +6,9 @@ let
  KiB = n: 1024*n;
 in
 {
-  sane.persist.sys.byStore.plaintext = [
-    # TODO: mode?
-    { user = "postgres"; group = "postgres"; path = "/var/lib/postgresql"; method = "bind"; }
+  sane.persist.sys.byStore.private = [
+    { user = "postgres"; group = "postgres"; mode = "0750"; path = "/var/lib/postgresql"; method = "bind"; }
+    { user = "postgres"; group = "postgres"; mode = "0750"; path = "/var/backup/postgresql"; method = "bind"; }
  ];
  services.postgresql.enable = true;

--- a/hosts/by-name/servo/services/transmission/default.nix
+++ b/hosts/by-name/servo/services/transmission/default.nix
@@ -38,6 +38,7 @@ in
  sane.persist.sys.byStore.private = [
    # TODO: mode? we need this specifically for the stats tracking in .config/
    { user = "transmission"; group = config.users.users.transmission.group; path = "/var/lib/transmission"; method = "bind"; }
+    { user = "transmission"; group = config.users.users.transmission.group; path = "/var/backup/torrents"; method = "bind"; }
  ];
  users.users.transmission.extraGroups = [ "media" ];

--- a/hosts/common/persist.nix
+++ b/hosts/common/persist.nix
@@ -2,11 +2,7 @@

 {
  sane.persist.sys.byStore.initrd = [
-    "/var/log"
-  ];
-  sane.persist.sys.byStore.plaintext = [
-    # TODO: these should be private.. somehow
-    "/var/backup"  # for e.g. postgres dumps
+    "/var/log"  #< TODO: this includes e.g. /var/log/nginx, which SHOULD NOT BE PERSISTED in plaintext
  ];
  sane.persist.sys.byStore.ephemeral = [
    "/var/lib/systemd/coredump"