treewide: avoid unnecessary permission management with preservation

This commit is contained in:
Lu Wang 2024-12-27 16:46:04 +08:00
parent 4de514f6b4
commit e54ad53ab8
Signed by: rebmit
SSH key fingerprint: SHA256:3px8QV1zEerIrEWHaqtH5rR9kjetyRST5EipOPrd+bU
15 changed files with 119 additions and 23 deletions


@ -16,6 +16,8 @@ in
{
directory = "/var/lib/btrfs";
mode = "0700";
user = "root";
group = "root";
}
];
}


@ -34,8 +34,18 @@
'';
preservation.preserveAt."/persist".directories = [
config.services.caddy.dataDir
config.services.caddy.logDir
{
directory = config.services.caddy.dataDir;
mode = "-";
user = "-";
group = "-";
}
{
directory = config.services.caddy.logDir;
mode = "-";
user = "-";
group = "-";
}
];
services.restic.backups.b2.paths = [


@ -4,5 +4,12 @@
SystemMaxUse=1G
'';
preservation.preserveAt."/persist".directories = [ "/var/log/journal" ];
preservation.preserveAt."/persist".directories = [
{
directory = "/var/log/journal";
mode = "-";
user = "-";
group = "-";
}
];
}


@ -173,7 +173,9 @@ in
preservation.preserveAt."/persist".directories = [
{
directory = "/var/lib/knot";
mode = "0700";
mode = "-";
user = "-";
group = "-";
}
];
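Review bot: Replacing `mode = "0700"` with `"-"` for `/var/lib/knot` makes the effective permissions of the persisted directory depend on what systemd-tmpfiles applies by default and on the unit re-applying its own mode, and nothing in the hunk records that reliance; knot typically keeps its DNSSEC and TSIG key material under this directory. As far as I can tell the NixOS knot module declares it as a `StateDirectory` with mode 0700, so the mode is restored on every service start, but a freshly created persisted source directory would carry tmpfiles defaults until that first start. I would add `# mode/owner are re-applied by the knot unit's StateDirectory on each start; "-" leaves them to systemd` above the entry so the next reader knows why `-` is safe here. The same change appears in the second knot section (hunk `@ -67,7 +67,9 @@`), which should get the same comment.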


@ -67,7 +67,9 @@ in
preservation.preserveAt."/persist".directories = [
{
directory = "/var/lib/knot";
mode = "0700";
mode = "-";
user = "-";
group = "-";
}
];
}


@ -38,10 +38,6 @@ in
};
};
systemd.tmpfiles.rules = [
"d ${maildir} 0700 ${cfg.mailUser} ${cfg.mailGroup} -"
];
services.dovecot2 = {
enable = true;
modules = [ pkgs.dovecot_pigeonhole ];
@ -187,10 +183,17 @@ in
};
preservation.preserveAt."/persist".directories = [
"/var/lib/dovecot"
{
directory = "/var/lib/dovecot";
mode = "-";
user = "-";
group = "-";
}
{
directory = maildir;
mode = "0700";
user = config.services.dovecot2.mailUser;
group = config.services.dovecot2.mailGroup;
}
];
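Review bot: The second hunk does more than stop managing permissions: it adds `maildir` to the persisted set, where previously it only had a `systemd.tmpfiles.rules` entry (removed in the first hunk), and neither the commit message nor a comment records that. If `maildir` already resolved to persistent storage, the new bind mount will shadow whatever is there on the next boot; if it did not, mail was ephemeral before this change — either way the commit message should state which case applies. The removed rule used `${cfg.mailUser}`/`${cfg.mailGroup}` while the new entry uses `config.services.dovecot2.mailUser`/`mailGroup`; presumably the same values, but `cfg` and `maildir` are both defined outside the hunk, so worth confirming.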


@ -101,5 +101,12 @@
};
};
preservation.preserveAt."/persist".directories = [ "/var/lib/postfix" ];
preservation.preserveAt."/persist".directories = [
{
directory = "/var/lib/postfix";
mode = "-";
user = "-";
group = "-";
}
];
}


@ -61,11 +61,15 @@
preservation.preserveAt."/persist".directories = [
{
directory = "/var/lib/rspamd";
mode = "0700";
mode = "-";
user = "-";
group = "-";
}
{
directory = "/var/lib/redis-rspamd";
mode = "0700";
mode = "-";
user = "-";
group = "-";
}
];
}


@ -53,7 +53,14 @@
'';
};
preservation.preserveAt."/persist".directories = [ "/var/lib/ntfy-sh" ];
preservation.preserveAt."/persist".directories = [
{
directory = "/var/lib/ntfy-sh";
mode = "-";
user = "-";
group = "-";
}
];
services.restic.backups.b2.paths = [ "/persist/var/lib/ntfy-sh" ];
}


@ -13,7 +13,9 @@
preservation.preserveAt."/persist".directories = [
{
directory = "/var/lib/pipewire";
mode = "0700";
mode = "-";
user = "-";
group = "-";
}
];
}


@ -50,10 +50,17 @@ in
};
preservation.preserveAt."/persist".directories = [
"/var/lib/postgresql"
{
directory = "/var/lib/postgresql";
mode = "-";
user = "-";
group = "-";
}
{
directory = config.services.postgresqlBackup.location;
mode = "0700";
user = "postgres";
group = "postgres";
}
];


@ -252,7 +252,17 @@ in
};
preservation.preserveAt."/persist".directories = [
"/var/lib/prometheus2"
"/var/lib/private/alertmanager"
{
directory = "/var/lib/prometheus2";
mode = "-";
user = "-";
group = "-";
}
{
directory = "/var/lib/private/alertmanager";
mode = "-";
user = "-";
group = "-";
}
];
}


@ -55,7 +55,14 @@
};
};
preservation.preserveAt."/persist".directories = [ "/var/cache/restic-backups-b2" ];
preservation.preserveAt."/persist".directories = [
{
directory = "/var/cache/restic-backups-b2";
mode = "0755";
user = "root";
group = "root";
}
];
services.restic.backups.b2.paths = [
"/persist/etc/machine-id"
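Review bot: `/var/cache/restic-backups-b2` gets an explicit `mode = "0755"` with root ownership here, which is inconsistent with the `-` used for every other service-owned directory in this commit and, as far as I recall, at odds with the NixOS restic module, which declares the cache through `CacheDirectory` with `CacheDirectoryMode = "0700"`, so systemd would reset the mode on each backup run anyway. Unless the wider mode is deliberate, the entry should read `mode = "-"; user = "-"; group = "-";` like the others, or carry a comment explaining why 0755 is wanted. The `services.restic.backups.b2.paths` list continues outside the hunk.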


@ -10,5 +10,12 @@
systemd.services.vnstat.serviceConfig = mylib.misc.serviceHardened;
preservation.preserveAt."/persist".directories = [ "/var/lib/vnstat" ];
preservation.preserveAt."/persist".directories = [
{
directory = "/var/lib/vnstat";
mode = "-";
user = "-";
group = "-";
}
];
}


@ -26,20 +26,34 @@
directories = [
{
directory = "/var/lib/machines";
mode = "0700";
mode = "0755";
user = "root";
group = "root";
}
{
directory = "/var/lib/nixos";
inInitrd = true;
mode = "0755";
user = "root";
group = "root";
}
{
directory = "/var/lib/portables";
mode = "0700";
mode = "0755";
user = "root";
group = "root";
}
{
directory = "/var/lib/systemd";
mode = "0755";
user = "root";
group = "root";
}
"/var/lib/systemd"
{
directory = "/var/tmp";
mode = "1777";
user = "root";
group = "root";
}
];
files = [
@ -47,11 +61,16 @@
file = config.sops.age.keyFile;
inInitrd = true;
mode = "0600";
user = "root";
group = "root";
}
{
file = "/etc/machine-id";
inInitrd = true;
how = "symlink";
mode = "-";
user = "root";
group = "root";
configureParent = true;
}
];
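Review bot: `/var/lib/machines` and `/var/lib/portables` are widened from `0700` to `0755` in the first hunk of this section, which is the opposite direction from the rest of the commit and, as far as I recall, disagrees with systemd's own tmpfiles.d entries, which create both directories 0700 — two rules for the same path with different modes leave the final mode dependent on tmpfiles evaluation order. If the intent is to stop managing them, `mode = "-"; user = "-"; group = "-";` as used for the other directories would be consistent; if 0755 is actually wanted, a comment stating why would help the next reader. In the second hunk the `/etc/machine-id` entry sets `mode = "-"` but keeps explicit `user = "root"; group = "root";`, which is presumably harmless for `how = "symlink"` but worth aligning with the other `-` entries.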