diff --git a/sp-modules/bitwarden/module.nix b/sp-modules/bitwarden/module.nix
index ccf6b62..4e2cb0c 100644
--- a/sp-modules/bitwarden/module.nix
+++ b/sp-modules/bitwarden/module.nix
@@ -1,6 +1,7 @@
 { config, lib, pkgs, ... }:
 let
 secrets-filepath = "/etc/selfprivacy/secrets.json";
+ backup-dir = "/var/lib/bitwarden/backup";
 inherit (import ./common.nix config) bitwarden-env sp;
 in
 {
@@ -19,17 +20,25 @@ in
 fileSystems = lib.mkIf sp.useBinds {
 "/var/lib/bitwarden" = {
 device = "/volumes/${sp.modules.bitwarden.location}/bitwarden";
- options = [ "bind" ];
+ options = [
+ "bind"
+ "x-systemd.required-by=bitwarden-secrets.service"
+ "x-systemd.required-by=vaultwarden.service"
+ ];
 };
 "/var/lib/bitwarden_rs" = {
 device = "/volumes/${sp.modules.bitwarden.location}/bitwarden_rs";
- options = [ "bind" ];
+ options = [
+ "bind"
+ "x-systemd.required-by=bitwarden-secrets.service"
+ "x-systemd.required-by=vaultwarden.service"
+ ];
 };
 };
 services.vaultwarden = {
 enable = true;
 dbBackend = "sqlite";
- backupDir = "/var/lib/bitwarden/backup";
+ backupDir = backup-dir;
 environmentFile = "${bitwarden-env}";
 config = {
 domain = "https://password.${sp.domain}/";
@@ -52,15 +61,13 @@ in
 else
 bitwarden_env="ADMIN_TOKEN=$token"
 fi
- # TODO revise this permissions mode
- install -m 0640 -o vaultwarden -g vaultwarden -DT \
+
+ install -C -m 0700 -o vaultwarden -g vaultwarden \
+ -d /var/lib/bitwarden
+
+ install -C -m 0600 -o vaultwarden -g vaultwarden -DT \
 <(printf "%s" "$bitwarden_env") ${bitwarden-env}
 '';
 };
- systemd.tmpfiles.rules = [
- "d /var/lib/bitwarden 0777 vaultwarden vaultwarden -"
- "d /var/lib/bitwarden/backup 0777 vaultwarden vaultwarden -"
- "f ${bitwarden-env} 0640 vaultwarden vaultwarden - -"
- ];
 };
 }
diff --git a/sp-modules/gitea/module.nix b/sp-modules/gitea/module.nix
index eef50b6..823eb43 100644
--- a/sp-modules/gitea/module.nix
+++ b/sp-modules/gitea/module.nix
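Review bot: `x-systemd.required-by=` only gives bitwarden-secrets.service and vaultwarden.service a Requires= on the two bind mounts, not an After= — systemd.mount(5) documents the combined Requires+After form for `x-systemd.requires=` only — so the only thing keeping the secrets script from writing `${bitwarden-env}` into an unmounted `/var/lib/bitwarden` is the mount's implicit Before=local-fs.target, which holds for the boot transaction but not for a `nixos-rebuild switch` or a manual restart once local-fs.target is reached. Per the same man page the option also cancels the mount's automatic pull-in by local-fs.target, so these paths are now mounted only when one of the two listed units starts. The gitea file in this same commit already uses the right primitive; I'd add `systemd.services.bitwarden-secrets.unitConfig.RequiresMountsFor = lib.mkIf sp.useBinds "/var/lib/bitwarden";` and `systemd.services.vaultwarden.unitConfig.RequiresMountsFor = lib.mkIf sp.useBinds "/var/lib/bitwarden /var/lib/bitwarden_rs";`, which yield Requires= and After= on the mount units for those paths.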
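Review bot: The tmpfiles rule that used to create `/var/lib/bitwarden/backup` is removed, but nothing on the new side creates it: the script only makes `/var/lib/bitwarden`, and hunk 1's `backup-dir` is merely handed to `backupDir`. Unless the nixpkgs vaultwarden backup job creates its own folder (not visible from here), the first backup fails on a missing directory, and with the parent now 0700 a manually created one must be owned by vaultwarden too; creating it next to the parent keeps that explicit: `install -C -m 0700 -o vaultwarden -g vaultwarden -d ${backup-dir}`. The 0700 directory and 0600 env file are the right replacement for the former 0777 directories and 0640 file. The script this hunk edits starts above the hunk, in the `if` that fills `$bitwarden_env`.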
@@ -1,6 +1,10 @@
 { config, lib, ... }:
 let
 sp = config.selfprivacy;
+ stateDir =
+ if sp.useBinds
+ then "/volumes/${sp.modules.gitea.location}/gitea"
+ else "/var/lib/gitea";
 in
 {
 options.selfprivacy.modules.gitea = {
@@ -15,20 +19,10 @@ in
 };
 config = lib.mkIf config.selfprivacy.modules.gitea.enable {
- fileSystems = lib.mkIf sp.useBinds {
- "/var/lib/gitea" = {
- device = "/volumes/${sp.modules.gitea.location}/gitea";
- options = [ "bind" ];
- };
- };
- systemd.services.gitea.unitConfig = lib.mkIf sp.useBinds {
- RequiresMountsFor = "/var/lib/gitea";
- ConditionPathIsMountPoint = "/var/lib/gitea";
- };
 services = {
 gitea = {
 enable = true;
- stateDir = "/var/lib/gitea";
+ inherit stateDir;
 # log = {
 # rootPath = "/var/lib/gitea/log";
 # level = "Warn";
@@ -39,7 +33,7 @@ in
 host = "127.0.0.1";
 name = "gitea";
 user = "gitea";
- path = "/var/lib/gitea/data/gitea.db";
+ path = "${stateDir}/data/gitea.db";
 createDatabase = true;
 };
 # ssh = {
@@ -48,10 +42,10 @@ in
 # };
 lfs = {
 enable = true;
- contentDir = "/var/lib/gitea/lfs";
+ contentDir = "${stateDir}/lfs";
 };
 appName = "SelfPrivacy git Service";
- repositoryRoot = "/var/lib/gitea/repositories";
+ repositoryRoot = "${stateDir}/repositories";
 domain = "git.${sp.domain}";
 rootUrl = "https://git.${sp.domain}/";
 httpAddress = "0.0.0.0";
@@ -78,11 +72,13 @@ in
 COOKIE_SECURE = true;
 };
 log = {
- ROOT_PATH = "/var/lib/gitea/log";
+ ROOT_PATH = "${stateDir}/log";
 LEVEL = "Warn";
 };
 };
 };
 };
+ systemd.services.gitea.unitConfig.RequiresMountsFor =
+ lib.mkIf sp.useBinds "/volumes/${sp.modules.gitea.location}/gitea";
 };
 }
diff --git a/sp-modules/nextcloud/module.nix b/sp-modules/nextcloud/module.nix
index bcf93b0..cac3cce 100644
--- a/sp-modules/nextcloud/module.nix
+++ b/sp-modules/nextcloud/module.nix
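Review bot: `RequiresMountsFor` on `/volumes/${location}/gitea` only adds Requires=/After= for mount units that exist for some prefix of that path; the `ConditionPathIsMountPoint` that hunk 2 removes was the hard gate, and nothing on the new side replaces it. If the volume is absent or was mounted outside systemd's mount units, gitea now starts and creates repositories, LFS objects and logs under `/volumes/${location}/gitea` on the root filesystem, which the volume then shadows once mounted. I'd keep the gate on the volume itself: `systemd.services.gitea.unitConfig.ConditionPathIsMountPoint = lib.mkIf sp.useBinds "/volumes/${sp.modules.gitea.location}";` — assuming `/volumes/<location>` is the volume's mount point, which the old bind-mount device path suggests but this file does not show.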
@@ -20,7 +20,11 @@
 fileSystems = lib.mkIf sp.useBinds {
 "/var/lib/nextcloud" = {
 device = "/volumes/${sp.modules.nextcloud.location}/nextcloud";
- options = [ "bind" ];
+ options = [
+ "bind"
+ "x-systemd.required-by=nextcloud-setup.service"
+ "x-systemd.required-by=nextcloud-secrets.service"
+ ];
 };
 };
 systemd.services.nextcloud-secrets = {
@@ -29,11 +33,11 @@
 serviceConfig.Type = "oneshot";
 path = with pkgs; [ coreutils jq ];
 script = ''
- install -m 0440 -o nextcloud -g nextcloud -DT \
+ install -C -m 0440 -o nextcloud -g nextcloud -DT \
 <(jq -re '.modules.nextcloud.databasePassword' ${secrets-filepath}) \
 ${db-pass-filepath}
- install -m 0440 -o nextcloud -g nextcloud -DT \
+ install -C -m 0440 -o nextcloud -g nextcloud -DT \
 <(jq -re '.modules.nextcloud.adminPassword' ${secrets-filepath}) \
 ${admin-pass-filepath}
 '';
diff --git a/sp-modules/pleroma/module.nix b/sp-modules/pleroma/module.nix
index 5413133..6be1d95 100644
--- a/sp-modules/pleroma/module.nix
+++ b/sp-modules/pleroma/module.nix
@@ -18,11 +18,19 @@ in
 fileSystems = lib.mkIf sp.useBinds {
 "/var/lib/pleroma" = {
 device = "/volumes/${sp.modules.pleroma.location}/pleroma";
- options = [ "bind" ];
+ options = [
+ "bind"
+ "x-systemd.required-by=pleroma-secrets.service"
+ "x-systemd.required-by=pleroma.service"
+ ];
 };
 "/var/lib/postgresql" = {
 device = "/volumes/${sp.modules.pleroma.location}/postgresql";
- options = [ "bind" ];
+ options = [
+ "bind"
+ "x-systemd.required-by=pleroma-secrets.service"
+ "x-systemd.required-by=pleroma.service"
+ ];
 };
 };
 services = {
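Review bot: The `x-systemd.required-by=` entries give nextcloud-setup.service and nextcloud-secrets.service a Requires= on the bind mount but no After= (systemd.mount(5) documents Requires+After only for `x-systemd.requires=`), so outside the boot transaction — a `nixos-rebuild switch` or a restart after local-fs.target is reached — nextcloud-secrets can run before `/var/lib/nextcloud` is mounted and leave its password files on the root filesystem under the mount point, if `db-pass-filepath` lives there (not visible in this hunk). Per the same man page the option also cancels the mount's automatic pull-in by local-fs.target, so whatever other units serve from that directory only get it through these two. `systemd.services.nextcloud-secrets.unitConfig.RequiresMountsFor = lib.mkIf sp.useBinds "/var/lib/nextcloud";` (and the same for nextcloud-setup) adds the ordering the option lacks.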
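Review bot: A failing `jq -re` inside `<(…)` is invisible to the script: `install -C … -DT <(jq …)` copies whatever the pipe yields, so a missing or null `.modules.nextcloud.databasePassword` produces an empty 0440 password file and the unit exits 0 (the `-e` NixOS puts on service scripts does not reach commands inside a process substitution). Read the secret into a variable first so the failure aborts the unit: `db_pass=$(jq -re '.modules.nextcloud.databasePassword' ${secrets-filepath})` followed by `install -C -m 0440 -o nextcloud -g nextcloud -DT <(printf '%s\n' "$db_pass") ${db-pass-filepath}`, and the same for the admin password; `printf '%s\n'` keeps the trailing newline `jq -r` emits today. The `-C` added here is harmless on its own.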
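Review bot: The `/var/lib/postgresql` bind mount is required by pleroma-secrets.service and pleroma.service but not by the PostgreSQL unit that actually writes there, and since `x-systemd.required-by=` cancels the mount's automatic local-fs.target pull-in (systemd.mount(5)) and carries no After=, nothing orders the mount ahead of PostgreSQL once local-fs.target is past — on a switch or restart the cluster can be initialised on the root filesystem and then shadowed by the bind mount. The same gap applies to pleroma-secrets writing under `/var/lib/pleroma`. `systemd.services.postgresql.unitConfig.RequiresMountsFor = lib.mkIf sp.useBinds "/var/lib/postgresql";` plus the same for pleroma-secrets on `/var/lib/pleroma` gives Requires= and After= together; the postgresql unit name is inferred from the `setup.psql` this file ships, not from this hunk.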
@@ -70,14 +78,12 @@ in
 EOF
 )
- install -m 0750 -o pleroma -g pleroma -DT \
+ install -C -m 0700 -o pleroma -g pleroma -d /var/lib/pleroma
+
+ install -C -m 0700 -o pleroma -g pleroma -DT \
 <(printf "%s" "$filecontents") ${secrets-exs}
 '';
 };
- systemd.tmpfiles.rules = [
- "d /var/lib/pleroma 0700 pleroma pleroma - -"
- "f ${secrets-exs} 0755 pleroma pleroma - -"
- ];
 environment.etc."setup.psql".text = ''
 CREATE USER pleroma;
 CREATE DATABASE pleroma OWNER pleroma;
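Review bot: `-m 0700` on `${secrets-exs}` sets the execute bit on a file that is only read; the old 0755 tmpfiles rule left the secret world-readable and this hunk rightly drops it, but the replacement line should be `install -C -m 0600 -o pleroma -g pleroma -DT \` with the same source and destination — 0600 still lets the `pleroma` owner read it, assuming pleroma loads the file as that user as the ownership implies. The 0700 directory and the removal of the tmpfiles rules that re-widened it are an improvement. The script this hunk edits starts above the hunk, in the heredoc that fills `$filecontents`.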