rebmit/nixos-config
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

treewide: avoid unnecessary permission management with preservation

Browse source
This commit is contained in:
Lu Wang 2024-12-27 16:46:04 +08:00
parent 4de514f6b4
commit e54ad53ab8
Signed by: rebmit
SSH key fingerprint: SHA256:3px8QV1zEerIrEWHaqtH5rR9kjetyRST5EipOPrd+bU
15 changed files with 119 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
nixos/profiles/services/btrfs-auto-scrub/default.nix
View file

@ -16,6 +16,8 @@ in
{ {
directory = "/var/lib/btrfs"; directory = "/var/lib/btrfs";
mode = "0700"; mode = "0700";
user = "root";
group = "root";
} }
]; ];
} }

14
nixos/profiles/services/caddy/default.nix
View file

@ -34,8 +34,18 @@
''; '';
preservation.preserveAt."/persist".directories = [ preservation.preserveAt."/persist".directories = [
config.services.caddy.dataDir {
config.services.caddy.logDir directory = config.services.caddy.dataDir;
mode = "-";
user = "-";
group = "-";
}
{
directory = config.services.caddy.logDir;
mode = "-";
user = "-";
group = "-";
}
]; ];
services.restic.backups.b2.paths = [ services.restic.backups.b2.paths = [

9
nixos/profiles/services/journald/default.nix
View file

@ -4,5 +4,12 @@
SystemMaxUse=1G SystemMaxUse=1G
''; '';
preservation.preserveAt."/persist".directories = [ "/var/log/journal" ]; preservation.preserveAt."/persist".directories = [
{
directory = "/var/log/journal";
mode = "-";
user = "-";
group = "-";
}
];
} }

4
nixos/profiles/services/knot/primary.nix
View file

@ -173,7 +173,9 @@ in
preservation.preserveAt."/persist".directories = [ preservation.preserveAt."/persist".directories = [
{ {
directory = "/var/lib/knot"; directory = "/var/lib/knot";
mode = "0700"; mode = "-";
user = "-";
group = "-";
} }
]; ];

4
nixos/profiles/services/knot/secondary.nix
View file

@ -67,7 +67,9 @@ in
preservation.preserveAt."/persist".directories = [ preservation.preserveAt."/persist".directories = [
{ {
directory = "/var/lib/knot"; directory = "/var/lib/knot";
mode = "0700"; mode = "-";
user = "-";
group = "-";
} }
]; ];
} }

13
nixos/profiles/services/mail/dovecot.nix
View file

@ -38,10 +38,6 @@ in
}; };
}; };
systemd.tmpfiles.rules = [
"d ${maildir} 0700 ${cfg.mailUser} ${cfg.mailGroup} -"
];
services.dovecot2 = { services.dovecot2 = {
enable = true; enable = true;
modules = [ pkgs.dovecot_pigeonhole ]; modules = [ pkgs.dovecot_pigeonhole ];
@ -187,10 +183,17 @@ in
}; };
preservation.preserveAt."/persist".directories = [ preservation.preserveAt."/persist".directories = [
"/var/lib/dovecot" {
directory = "/var/lib/dovecot";
mode = "-";
user = "-";
group = "-";
}
{ {
directory = maildir; directory = maildir;
mode = "0700"; mode = "0700";
user = config.services.dovecot2.mailUser;
group = config.services.dovecot2.mailGroup;
} }
]; ];

9
nixos/profiles/services/mail/postfix.nix
View file

@ -101,5 +101,12 @@
}; };
}; };
preservation.preserveAt."/persist".directories = [ "/var/lib/postfix" ]; preservation.preserveAt."/persist".directories = [
{
directory = "/var/lib/postfix";
mode = "-";
user = "-";
group = "-";
}
];
} }

8
nixos/profiles/services/mail/rspamd.nix
View file

@ -61,11 +61,15 @@
preservation.preserveAt."/persist".directories = [ preservation.preserveAt."/persist".directories = [
{ {
directory = "/var/lib/rspamd"; directory = "/var/lib/rspamd";
mode = "0700"; mode = "-";
user = "-";
group = "-";
} }
{ {
directory = "/var/lib/redis-rspamd"; directory = "/var/lib/redis-rspamd";
mode = "0700"; mode = "-";
user = "-";
group = "-";
} }
]; ];
} }

9
nixos/profiles/services/ntfy/default.nix
View file

@ -53,7 +53,14 @@
''; '';
}; };
preservation.preserveAt."/persist".directories = [ "/var/lib/ntfy-sh" ]; preservation.preserveAt."/persist".directories = [
{
directory = "/var/lib/ntfy-sh";
mode = "-";
user = "-";
group = "-";
}
];
services.restic.backups.b2.paths = [ "/persist/var/lib/ntfy-sh" ]; services.restic.backups.b2.paths = [ "/persist/var/lib/ntfy-sh" ];
} }

4
nixos/profiles/services/pipewire/default.nix
View file

@ -13,7 +13,9 @@
preservation.preserveAt."/persist".directories = [ preservation.preserveAt."/persist".directories = [
{ {
directory = "/var/lib/pipewire"; directory = "/var/lib/pipewire";
mode = "0700"; mode = "-";
user = "-";
group = "-";
} }
]; ];
} }

9
nixos/profiles/services/postgresql/default.nix
View file

@ -50,10 +50,17 @@ in
}; };
preservation.preserveAt."/persist".directories = [ preservation.preserveAt."/persist".directories = [
"/var/lib/postgresql" {
directory = "/var/lib/postgresql";
mode = "-";
user = "-";
group = "-";
}
{ {
directory = config.services.postgresqlBackup.location; directory = config.services.postgresqlBackup.location;
mode = "0700"; mode = "0700";
user = "postgres";
group = "postgres";
} }
]; ];

14
nixos/profiles/services/prometheus/server.nix
View file

@ -252,7 +252,17 @@ in
}; };
preservation.preserveAt."/persist".directories = [ preservation.preserveAt."/persist".directories = [
"/var/lib/prometheus2" {
"/var/lib/private/alertmanager" directory = "/var/lib/prometheus2";
mode = "-";
user = "-";
group = "-";
}
{
directory = "/var/lib/private/alertmanager";
mode = "-";
user = "-";
group = "-";
}
]; ];
} }

9
nixos/profiles/services/restic/default.nix
View file

@ -55,7 +55,14 @@
}; };
}; };
preservation.preserveAt."/persist".directories = [ "/var/cache/restic-backups-b2" ]; preservation.preserveAt."/persist".directories = [
{
directory = "/var/cache/restic-backups-b2";
mode = "0755";
user = "root";
group = "root";
}
];
services.restic.backups.b2.paths = [ services.restic.backups.b2.paths = [
"/persist/etc/machine-id" "/persist/etc/machine-id"

9
nixos/profiles/services/vnstat/default.nix
View file

@ -10,5 +10,12 @@
systemd.services.vnstat.serviceConfig = mylib.misc.serviceHardened; systemd.services.vnstat.serviceConfig = mylib.misc.serviceHardened;
preservation.preserveAt."/persist".directories = [ "/var/lib/vnstat" ]; preservation.preserveAt."/persist".directories = [
{
directory = "/var/lib/vnstat";
mode = "-";
user = "-";
group = "-";
}
];
} }

25
nixos/profiles/system/preservation.nix
View file

@ -26,20 +26,34 @@
directories = [ directories = [
{ {
directory = "/var/lib/machines"; directory = "/var/lib/machines";
mode = "0700"; mode = "0755";
user = "root";
group = "root";
} }
{ {
directory = "/var/lib/nixos"; directory = "/var/lib/nixos";
inInitrd = true; inInitrd = true;
mode = "0755";
user = "root";
group = "root";
} }
{ {
directory = "/var/lib/portables"; directory = "/var/lib/portables";
mode = "0700"; mode = "0755";
user = "root";
group = "root";
}
{
directory = "/var/lib/systemd";
mode = "0755";
user = "root";
group = "root";
} }
"/var/lib/systemd"
{ {
directory = "/var/tmp"; directory = "/var/tmp";
mode = "1777"; mode = "1777";
user = "root";
group = "root";
} }
]; ];
files = [ files = [
@ -47,11 +61,16 @@
file = config.sops.age.keyFile; file = config.sops.age.keyFile;
inInitrd = true; inInitrd = true;
mode = "0600"; mode = "0600";
user = "root";
group = "root";
} }
{ {
file = "/etc/machine-id"; file = "/etc/machine-id";
inInitrd = true; inInitrd = true;
how = "symlink"; how = "symlink";
mode = "-";
user = "root";
group = "root";
configureParent = true; configureParent = true;
} }
]; ];