persist: lift sane.persist.dirs.{home,sys} up one level

hosts/common/default.nix

@@ -18,7 +18,7 @@
   sane.packages.enableConsolePkgs = true;
   sane.packages.enableSystemPkgs = true;
 
-  sane.persist.dirs.sys.plaintext = [
+  sane.persist.sys.plaintext = [
     "/var/log"
     "/var/backup"  # for e.g. postgres dumps
     # TODO: move elsewhere

hosts/common/users.nix

@@ -82,7 +82,7 @@ in
       mode = config.users.users.colin.homeMode;
     };
 
-    sane.persist.dirs.home.plaintext = [
+    sane.persist.home.plaintext = [
       "archive"
       "dev"
       # TODO: records should be private
@@ -100,7 +100,7 @@ in
       ".local/share/keyrings"
     ];
     # TODO: fix this ugly solution that allows moby to have firefox cache not erased every boot.
-    sane.persist.dirs.home.cryptClearOnBoot = lib.mkIf (config.networking.hostName != "moby") [
+    sane.persist.home.cryptClearOnBoot = lib.mkIf (config.networking.hostName != "moby") [
       # cache is probably too big to fit on the tmpfs
       # ".cache"
       config.sane.web-browser.cacheDir
@@ -116,7 +116,7 @@ in
     # used by password managers, e.g. unix `pass`
     sane.fs."/home/colin/.password-store" = mkSymlink "/home/colin/knowledge/secrets/accounts";
 
-    sane.persist.dirs.sys.plaintext = mkIf cfg.guest.enable [
+    sane.persist.sys.plaintext = mkIf cfg.guest.enable [
       # intentionally allow other users to write to the guest folder
       { directory = "/home/guest"; user = "guest"; group = "users"; mode = "0775"; }
     ];

hosts/desko/default.nix

@@ -52,7 +52,7 @@
     remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
     dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
   };
-  sane.persist.dirs.home.plaintext = [
+  sane.persist.home.plaintext = [
     ".steam"
     ".local/share/Steam"
   ];

hosts/moby/default.nix

@@ -24,11 +24,11 @@
   };
 
   # usability compromises
-  sane.persist.dirs.home.private = [
+  sane.persist.home.private = [
     config.sane.web-browser.dotDir
     config.sane.web-browser.cacheDir
   ];
-  sane.persist.dirs.home.plaintext = [
+  sane.persist.home.plaintext = [
     ".config/pulse"  # persist pulseaudio volume
   ];
 

hosts/servo/fs.nix

@@ -42,12 +42,12 @@
   };
   sane.fs."/mnt/persist/ext".mount = {};
 
-  sane.persist.dirs.sys.plaintext = [
+  sane.persist.sys.plaintext = [
     # TODO: this is overly broad; only need media and share directories to be persisted
     { user = "colin"; group = "users"; directory = "/var/lib/uninsane"; }
   ];
   # make sure large media is stored to the HDD
-  sane.persist.dirs.sys.ext = [
+  sane.persist.sys.ext = [
     {
       user = "colin";
       group = "users";

hosts/servo/services/ejabberd.nix

@@ -19,7 +19,7 @@
 # XXX: avatar support works in MUCs but not DMs
 # lib.mkIf false
 {
-  sane.persist.dirs.sys.plaintext = [
+  sane.persist.sys.plaintext = [
     { user = "ejabberd"; group = "ejabberd"; directory = "/var/lib/ejabberd"; }
   ];
   networking.firewall.allowedTCPPorts = [

hosts/servo/services/freshrss.nix

@@ -16,7 +16,7 @@
     owner = config.users.users.freshrss.name;
     mode = "0400";
   };
-  sane.persist.dirs.sys.plaintext = [
+  sane.persist.sys.plaintext = [
     { user = "freshrss"; group = "freshrss"; directory = "/var/lib/freshrss"; }
   ];
 

hosts/servo/services/gitea.nix

@@ -1,7 +1,7 @@
 { config, pkgs, lib, ... }:
 
 {
-  sane.persist.dirs.sys.plaintext = [
+  sane.persist.sys.plaintext = [
     # TODO: mode? could be more granular
     { user = "git"; group = "gitea"; directory = "/var/lib/gitea"; }
   ];

hosts/servo/services/ipfs.nix

@@ -10,7 +10,7 @@
 
 lib.mkIf false # i don't actively use ipfs anymore
 {
-  sane.persist.dirs.sys.plaintext = [
+  sane.persist.sys.plaintext = [
     # TODO: mode? could be more granular
     { user = "261"; group = "261"; directory = "/var/lib/ipfs"; }
   ];

hosts/servo/services/jackett.nix

@@ -1,7 +1,7 @@
 { ... }:
 
 {
-  sane.persist.dirs.sys.plaintext = [
+  sane.persist.sys.plaintext = [
     # TODO: mode? we only need this to save Indexer creds ==> migrate to config?
     { user = "root"; group = "root"; directory = "/var/lib/jackett"; }
   ];

hosts/servo/services/jellyfin.nix

@@ -7,7 +7,7 @@ lib.mkIf false
   networking.firewall.allowedUDPPorts = [
     1900 7359 # DLNA: https://jellyfin.org/docs/general/networking/index.html
   ];
-  sane.persist.dirs.sys.plaintext = [
+  sane.persist.sys.plaintext = [
     # TODO: mode? could be more granular
     { user = "jellyfin"; group = "jellyfin"; directory = "/var/lib/jellyfin"; }
   ];

hosts/servo/services/matrix/default.nix

@@ -8,7 +8,7 @@
     # ./irc.nix
   ];
 
-  sane.persist.dirs.sys.plaintext = [
+  sane.persist.sys.plaintext = [
     { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/matrix-synapse"; }
   ];
   services.matrix-synapse.enable = true;

hosts/servo/services/matrix/discord-puppet.nix

@@ -1,6 +1,6 @@
 { lib, ... }:
 {
-  sane.persist.dirs.sys.plaintext = [
+  sane.persist.sys.plaintext = [
     { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/mx-puppet-discord"; }
   ];
 

hosts/servo/services/matrix/irc.nix

@@ -1,7 +1,7 @@
 { config, lib, ... }:
 
 {
-  sane.persist.dirs.sys.plaintext = [
+  sane.persist.sys.plaintext = [
     # TODO: mode?
     # user and group are both "matrix-appservice-irc"
     { user = "993"; group = "992"; directory = "/var/lib/matrix-appservice-irc"; }

hosts/servo/services/navidrome.nix

@@ -1,7 +1,7 @@
 { ... }:
 
 {
-  sane.persist.dirs.sys.plaintext = [
+  sane.persist.sys.plaintext = [
     # TODO: we don't have a static user allocated for navidrome!
     # the chown would happen too early for us to set static perms
     "/var/lib/private/navidrome"

hosts/servo/services/nginx.nix

@@ -122,7 +122,7 @@ in
 
   users.users.acme.uid = config.sane.allocations.acme-uid;
   users.groups.acme.gid = config.sane.allocations.acme-gid;
-  sane.persist.dirs.sys.plaintext = [
+  sane.persist.sys.plaintext = [
     # TODO: mode?
     { user = "acme"; group = "acme"; directory = "/var/lib/acme"; }
     { user = "colin"; group = "users"; directory = "/var/www/sites"; }

hosts/servo/services/pleroma.nix

@@ -6,7 +6,7 @@
 { config, pkgs, ... }:
 
 {
-  sane.persist.dirs.sys.plaintext = [
+  sane.persist.sys.plaintext = [
     # TODO: mode? could be more granular
     { user = "pleroma"; group = "pleroma"; directory = "/var/lib/pleroma"; }
   ];

hosts/servo/services/postfix.nix

@@ -16,7 +16,7 @@ let
   };
 in
 {
-  sane.persist.dirs.sys.plaintext = [
+  sane.persist.sys.plaintext = [
     # TODO: mode? could be more granular
     { user = "opendkim"; group = "opendkim"; directory = "/var/lib/opendkim"; }
     { user = "root"; group = "root"; directory = "/var/lib/postfix"; }

hosts/servo/services/postgres.nix

@@ -1,7 +1,7 @@
 { ... }:
 
 {
-  sane.persist.dirs.sys.plaintext = [
+  sane.persist.sys.plaintext = [
     # TODO: mode?
     { user = "postgres"; group = "postgres"; directory = "/var/lib/postgresql"; }
   ];

hosts/servo/services/prosody.nix

@@ -9,7 +9,7 @@
 # nixnet runs ejabberd, so revisiting that.
 lib.mkIf false
 {
-  sane.persist.dirs.sys.plaintext = [
+  sane.persist.sys.plaintext = [
     { user = "prosody"; group = "prosody"; directory = "/var/lib/prosody"; }
   ];
   networking.firewall.allowedTCPPorts = [

hosts/servo/services/transmission.nix

@@ -1,7 +1,7 @@
 { pkgs, ... }:
 
 {
-  sane.persist.dirs.sys.plaintext = [
+  sane.persist.sys.plaintext = [
     # TODO: mode? we need this specifically for the stats tracking in .config/
     { user = "transmission"; group = "transmission"; directory = "/var/lib/transmission"; }
   ];

modules/home-manager/neovim.nix

@@ -3,7 +3,7 @@
 lib.mkIf config.sane.home-manager.enable
 {
   # private because there could be sensitive things in the swap
-  sane.persist.dirs.home.private = [ ".cache/vim-swap" ];
+  sane.persist.home.private = [ ".cache/vim-swap" ];
 
   home-manager.users.colin.programs.neovim = {
     # neovim: https://github.com/neovim/neovim

modules/home-manager/zsh/default.nix

@@ -2,7 +2,7 @@
 
 lib.mkIf config.sane.home-manager.enable
 {
-  sane.persist.dirs.home.plaintext = [
+  sane.persist.home.plaintext = [
     # we don't need to full zsh dir -- just the history file --
     # but zsh will sometimes backup the history file and we get fewer errors if we do proper mounts instead of symlinks.
     # TODO: should be private?

modules/packages.nix

@@ -307,8 +307,8 @@ in
 
   config = {
     environment.systemPackages = mkIf cfg.enableSystemPkgs systemPkgs;
-    sane.persist.dirs.home.plaintext = concatLists (map (p: p.dir) cfg.enabledUserPkgs);
-    sane.persist.dirs.home.private = concatLists (map (p: p.private) cfg.enabledUserPkgs);
+    sane.persist.home.plaintext = concatLists (map (p: p.dir) cfg.enabledUserPkgs);
+    sane.persist.home.private = concatLists (map (p: p.private) cfg.enabledUserPkgs);
     # XXX: this might not be necessary. try removing this and cacert.unbundled?
     environment.etc."ssl/certs".source = mkIf cfg.enableSystemPkgs "${pkgs.cacert.unbundled}/etc/ssl/certs/*";
   };

modules/persist/computed.nix

@@ -18,5 +18,5 @@ let
     builtins.concatLists contextFreeDirSets;
 in
 {
-  sane.persist.all = (mapDirSets "/home/colin" cfg.dirs.home) ++ (mapDirSets "/" cfg.dirs.sys);
+  sane.persist.all = (mapDirSets "/home/colin" cfg.home) ++ (mapDirSets "/" cfg.sys);
 }

modules/persist/default.nix

@@ -87,21 +87,6 @@ let
   #   <option>.private.".cache/vim" = { mode = "0700"; };
   # to place ".cache/vim" into the private store and create with the appropriate mode
   dirsSubModule = types.attrsOf (types.listOf contextualizedDirOrShorthand);
-
-  dirsModule = types.submodule {
-    options = {
-      home = mkOption {
-        description = "directories to persist to disk, relative to a user's home ~";
-        default = {};
-        type = dirsSubModule;
-      };
-      sys = mkOption {
-        description = "directories to persist to disk, relative to the fs root /";
-        default = {};
-        type = dirsSubModule;
-      };
-    };
-  };
 in
 {
   options = {
@@ -114,9 +99,15 @@ in
       type = types.bool;
       description = "define / fs root to be a tmpfs. make sure to mount some other device to /nix";
     };
-    sane.persist.dirs = mkOption {
-      type = dirsModule;
+    sane.persist.home = mkOption {
+      description = "directories to persist to disk, relative to a user's home ~";
       default = {};
+      type = dirsSubModule;
+    };
+    sane.persist.sys = mkOption {
+      description = "directories to persist to disk, relative to the fs root /";
+      default = {};
+      type = dirsSubModule;
     };
     sane.persist.all = mkOption {
       type = types.listOf contextFreeDir;

modules/services/duplicity.nix

@@ -16,7 +16,7 @@ in
   config = mkIf cfg.enable {
     # we need this mostly because of the size of duplicity's cache
     # TODO: move to cryptClearOnBoot and update perms
-    sane.persist.dirs.sys.plaintext = [ "/var/lib/duplicity" ];
+    sane.persist.sys.plaintext = [ "/var/lib/duplicity" ];
 
     services.duplicity.enable = true;
     services.duplicity.targetUrl = "$DUPLICITY_URL";