diff --git a/nixos/profiles/services/btrfs-auto-scrub/default.nix b/nixos/profiles/services/btrfs-auto-scrub/default.nix
index d9e1466..9b4a41c 100644
--- a/nixos/profiles/services/btrfs-auto-scrub/default.nix
+++ b/nixos/profiles/services/btrfs-auto-scrub/default.nix
@@ -16,6 +16,8 @@ in
 {
 directory = "/var/lib/btrfs";
 mode = "0700";
+ user = "root";
+ group = "root";
 }
 ];
 }
diff --git a/nixos/profiles/services/caddy/default.nix b/nixos/profiles/services/caddy/default.nix
index 463fc32..1e1910f 100644
--- a/nixos/profiles/services/caddy/default.nix
+++ b/nixos/profiles/services/caddy/default.nix
@@ -34,8 +34,18 @@
 '';
 preservation.preserveAt."/persist".directories = [
- config.services.caddy.dataDir
- config.services.caddy.logDir
+ {
+ directory = config.services.caddy.dataDir;
+ mode = "-";
+ user = "-";
+ group = "-";
+ }
+ {
+ directory = config.services.caddy.logDir;
+ mode = "-";
+ user = "-";
+ group = "-";
+ }
 ];
 services.restic.backups.b2.paths = [
diff --git a/nixos/profiles/services/journald/default.nix b/nixos/profiles/services/journald/default.nix
index 1a58c09..9d668c7 100644
--- a/nixos/profiles/services/journald/default.nix
+++ b/nixos/profiles/services/journald/default.nix
@@ -4,5 +4,12 @@
 SystemMaxUse=1G
 '';
- preservation.preserveAt."/persist".directories = [ "/var/log/journal" ];
+ preservation.preserveAt."/persist".directories = [
+ {
+ directory = "/var/log/journal";
+ mode = "-";
+ user = "-";
+ group = "-";
+ }
+ ];
 }
diff --git a/nixos/profiles/services/knot/primary.nix b/nixos/profiles/services/knot/primary.nix
index d40004a..3a1b68c 100644
--- a/nixos/profiles/services/knot/primary.nix
+++ b/nixos/profiles/services/knot/primary.nix
@@ -173,7 +173,9 @@ in
 preservation.preserveAt."/persist".directories = [
 {
 directory = "/var/lib/knot";
- mode = "0700";
+ mode = "-";
+ user = "-";
+ group = "-";
 }
 ];
diff --git a/nixos/profiles/services/knot/secondary.nix b/nixos/profiles/services/knot/secondary.nix
index a8df7d1..b466aaa 100644
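Review bot: In the caddy hunk the two new attrsets for `config.services.caddy.dataDir` and `config.services.caddy.logDir` are identical apart from `directory`, so the `mode`/`user`/`group` triple is now duplicated and will drift if one entry is later tightened. A `map` keeps it in one place: `preservation.preserveAt."/persist".directories = map (directory: { inherit directory; mode = "-"; user = "-"; group = "-"; }) [ config.services.caddy.dataDir config.services.caddy.logDir ];`. The same repeated pair recurs in prometheus/server.nix for `/var/lib/prometheus2` and `/var/lib/private/alertmanager`.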
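Review bot: In the knot/primary.nix hunk, replacing `mode = "0700"` with `mode = "-"` on `/var/lib/knot` changes the effective permissions rather than just migrating the entry to the attrset form, because the directory was explicitly private before and `-` now defers the mode to whatever the preservation module and systemd-tmpfiles apply (for a tmpfiles `d` line that is 0755 as far as I know). If the knot state directory holds DNSSEC key material, keep `mode = "0700";` and set `user`/`group` explicitly, as the commit already does for the postgres backup location, or confirm that the service's own state-directory setup enforces a private mode. The same 0700 → `-` change appears in knot/secondary.nix, in both entries of mail/rspamd.nix, and in pipewire/default.nix, and deserves the same check there. The enclosing `let … in` attrset starts outside the hunk.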
--- a/nixos/profiles/services/knot/secondary.nix
+++ b/nixos/profiles/services/knot/secondary.nix
@@ -67,7 +67,9 @@ in
 preservation.preserveAt."/persist".directories = [
 {
 directory = "/var/lib/knot";
- mode = "0700";
+ mode = "-";
+ user = "-";
+ group = "-";
 }
 ];
 }
diff --git a/nixos/profiles/services/mail/dovecot.nix b/nixos/profiles/services/mail/dovecot.nix
index f9305f6..4d21c76 100644
--- a/nixos/profiles/services/mail/dovecot.nix
+++ b/nixos/profiles/services/mail/dovecot.nix
@@ -38,10 +38,6 @@ in
 };
 };
- systemd.tmpfiles.rules = [
- "d ${maildir} 0700 ${cfg.mailUser} ${cfg.mailGroup} -"
- ];
-
 services.dovecot2 = {
 enable = true;
 modules = [ pkgs.dovecot_pigeonhole ];
@@ -187,10 +183,17 @@ in
 };
 preservation.preserveAt."/persist".directories = [
- "/var/lib/dovecot"
+ {
+ directory = "/var/lib/dovecot";
+ mode = "-";
+ user = "-";
+ group = "-";
+ }
 {
 directory = maildir;
 mode = "0700";
+ user = config.services.dovecot2.mailUser;
+ group = config.services.dovecot2.mailGroup;
 }
 ];
diff --git a/nixos/profiles/services/mail/postfix.nix b/nixos/profiles/services/mail/postfix.nix
index e3722f7..f9f2440 100644
--- a/nixos/profiles/services/mail/postfix.nix
+++ b/nixos/profiles/services/mail/postfix.nix
@@ -101,5 +101,12 @@
 };
 };
- preservation.preserveAt."/persist".directories = [ "/var/lib/postfix" ];
+ preservation.preserveAt."/persist".directories = [
+ {
+ directory = "/var/lib/postfix";
+ mode = "-";
+ user = "-";
+ group = "-";
+ }
+ ];
 }
diff --git a/nixos/profiles/services/mail/rspamd.nix b/nixos/profiles/services/mail/rspamd.nix
index d38698d..191b95f 100644
--- a/nixos/profiles/services/mail/rspamd.nix
+++ b/nixos/profiles/services/mail/rspamd.nix
@@ -61,11 +61,15 @@
 preservation.preserveAt."/persist".directories = [
 {
 directory = "/var/lib/rspamd";
- mode = "0700";
+ mode = "-";
+ user = "-";
+ group = "-";
 }
 {
 directory = "/var/lib/redis-rspamd";
- mode = "0700";
+ mode = "-";
+ user = "-";
+ group = "-";
 }
 ];
 }
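Review bot: In the second dovecot.nix hunk the maildir entry spells out `config.services.dovecot2.mailUser` and `config.services.dovecot2.mailGroup`, while the tmpfiles rule removed in the first hunk of the same file used `cfg.mailUser` and `cfg.mailGroup`; `cfg` is bound outside both hunks, so if it is `config.services.dovecot2` the shorter `user = cfg.mailUser;` and `group = cfg.mailGroup;` keep the file consistent with itself. Because the ownership and 0700 mode of the maildir now live only in this preservation entry, a one-line comment on it would save the next reader from looking for the tmpfiles rule that used to do this, e.g. `# replaces the former systemd.tmpfiles rule: maildir is created 0700 with the mail user here`. That the preservation entry is what creates the directory is my reading of the two hunks together, not something the diff states.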
diff --git a/nixos/profiles/services/ntfy/default.nix b/nixos/profiles/services/ntfy/default.nix
index 2dc7b41..39ebfec 100644
--- a/nixos/profiles/services/ntfy/default.nix
+++ b/nixos/profiles/services/ntfy/default.nix
@@ -53,7 +53,14 @@
 '';
 };
- preservation.preserveAt."/persist".directories = [ "/var/lib/ntfy-sh" ];
+ preservation.preserveAt."/persist".directories = [
+ {
+ directory = "/var/lib/ntfy-sh";
+ mode = "-";
+ user = "-";
+ group = "-";
+ }
+ ];
 services.restic.backups.b2.paths = [ "/persist/var/lib/ntfy-sh" ];
 }
diff --git a/nixos/profiles/services/pipewire/default.nix b/nixos/profiles/services/pipewire/default.nix
index d25555b..25e72d1 100644
--- a/nixos/profiles/services/pipewire/default.nix
+++ b/nixos/profiles/services/pipewire/default.nix
@@ -13,7 +13,9 @@
 preservation.preserveAt."/persist".directories = [
 {
 directory = "/var/lib/pipewire";
- mode = "0700";
+ mode = "-";
+ user = "-";
+ group = "-";
 }
 ];
 }
diff --git a/nixos/profiles/services/postgresql/default.nix b/nixos/profiles/services/postgresql/default.nix
index 9ab73c2..48d1ae9 100644
--- a/nixos/profiles/services/postgresql/default.nix
+++ b/nixos/profiles/services/postgresql/default.nix
@@ -50,10 +50,17 @@ in
 };
 preservation.preserveAt."/persist".directories = [
- "/var/lib/postgresql"
+ {
+ directory = "/var/lib/postgresql";
+ mode = "-";
+ user = "-";
+ group = "-";
+ }
 {
 directory = config.services.postgresqlBackup.location;
 mode = "0700";
+ user = "postgres";
+ group = "postgres";
 }
 ];
diff --git a/nixos/profiles/services/prometheus/server.nix b/nixos/profiles/services/prometheus/server.nix
index e7e0581..e973c6a 100644
--- a/nixos/profiles/services/prometheus/server.nix
+++ b/nixos/profiles/services/prometheus/server.nix
@@ -252,7 +252,17 @@ in
 };
 preservation.preserveAt."/persist".directories = [
- "/var/lib/prometheus2"
- "/var/lib/private/alertmanager"
+ {
+ directory = "/var/lib/prometheus2";
+ mode = "-";
+ user = "-";
+ group = "-";
+ }
+ {
+ directory = "/var/lib/private/alertmanager";
+ mode = "-";
+ user = "-";
+ group = "-";
+ }
 ];
 }
diff --git a/nixos/profiles/services/restic/default.nix b/nixos/profiles/services/restic/default.nix
index f3df797..6e20d22 100644
--- a/nixos/profiles/services/restic/default.nix
+++ b/nixos/profiles/services/restic/default.nix
@@ -55,7 +55,14 @@
 };
 };
- preservation.preserveAt."/persist".directories = [ "/var/cache/restic-backups-b2" ];
+ preservation.preserveAt."/persist".directories = [
+ {
+ directory = "/var/cache/restic-backups-b2";
+ mode = "0755";
+ user = "root";
+ group = "root";
+ }
+ ];
 services.restic.backups.b2.paths = [
 "/persist/etc/machine-id"
diff --git a/nixos/profiles/services/vnstat/default.nix b/nixos/profiles/services/vnstat/default.nix
index eff6bc9..b3cde42 100644
--- a/nixos/profiles/services/vnstat/default.nix
+++ b/nixos/profiles/services/vnstat/default.nix
@@ -10,5 +10,12 @@
 systemd.services.vnstat.serviceConfig = mylib.misc.serviceHardened;
- preservation.preserveAt."/persist".directories = [ "/var/lib/vnstat" ];
+ preservation.preserveAt."/persist".directories = [
+ {
+ directory = "/var/lib/vnstat";
+ mode = "-";
+ user = "-";
+ group = "-";
+ }
+ ];
 }
diff --git a/nixos/profiles/system/preservation.nix b/nixos/profiles/system/preservation.nix
index 11bb955..1a33da7 100644
--- a/nixos/profiles/system/preservation.nix
+++ b/nixos/profiles/system/preservation.nix
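Review bot: In the restic/default.nix hunk `/var/cache/restic-backups-b2` is now created `0755 root root`, which makes the backup cache world-readable even though the `root` ownership suggests the `services.restic.backups.b2` unit is its only consumer; `mode = "0700";` gives the same service the same access with no functional cost. If I recall correctly the NixOS restic module already sets `CacheDirectoryMode` to 0700 for this directory, so 0755 on the persisted copy would be looser than what the service itself asks for — worth checking against the module version in use. The other explicit-mode entries in this commit (sops key file 0600, postgres backup location 0700) follow the tighter convention, so this one stands out.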
@@ -26,20 +26,34 @@
 directories = [
 {
 directory = "/var/lib/machines";
- mode = "0700";
+ mode = "0755";
+ user = "root";
+ group = "root";
 }
 {
 directory = "/var/lib/nixos";
 inInitrd = true;
+ mode = "0755";
+ user = "root";
+ group = "root";
 }
 {
 directory = "/var/lib/portables";
- mode = "0700";
+ mode = "0755";
+ user = "root";
+ group = "root";
+ }
+ {
+ directory = "/var/lib/systemd";
+ mode = "0755";
+ user = "root";
+ group = "root";
 }
- "/var/lib/systemd"
 {
 directory = "/var/tmp";
 mode = "1777";
+ user = "root";
+ group = "root";
 }
 ];
 files = [
@@ -47,11 +61,16 @@
 file = config.sops.age.keyFile;
 inInitrd = true;
 mode = "0600";
+ user = "root";
+ group = "root";
 }
 {
 file = "/etc/machine-id";
 inInitrd = true;
 how = "symlink";
+ mode = "-";
+ user = "root";
+ group = "root";
 configureParent = true;
 }
 ];
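Review bot: In the first preservation.nix hunk `/var/lib/machines` and `/var/lib/portables` go from `0700` to `0755`, which widens access to the container and portable-service image roots; as far as I know systemd's own tmpfiles configuration creates both with 0700, so this departs from upstream without the commit saying why. If the goal was only to add explicit `user`/`group` as the rest of the commit does, keep `mode = "0700";` on both entries and change nothing else. The `/var/lib/nixos` and `/var/lib/systemd` entries at `0755 root root` match the permissions those directories conventionally have and look fine; the second hunk's `mode = "-"` on the `/etc/machine-id` symlink is also reasonable, since a mode on a symlink entry is meaningless.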