minecraft: fix map perms

monero: changes
secrets: cleanup activation scripts
2026-03-04 19:40:18 -05:00 · 2026-03-04 18:56:55 -05:00 · 2026-03-04 17:35:49 -05:00
5 changed files with 13 additions and 39 deletions
--- a/modules/age-secrets.nix
+++ b/modules/age-secrets.nix
@@ -13,11 +13,13 @@
  # Configure all agenix secrets
  age.secrets = {
    # ZFS encryption key
+    # path is set to /etc/zfs-key to match the ZFS dataset keylocation property
    zfs-key = {
      file = ../secrets/zfs-key.age;
      mode = "0400";
      owner = "root";
      group = "root";
+      path = "/etc/zfs-key";
    };

    # Secureboot keys archive
@@ -53,9 +55,9 @@

    slskd_env = {
      file = ../secrets/slskd_env.age;
-      mode = "0400";
-      owner = "root";
-      group = "root";
+      mode = "0500";
+      owner = config.services.slskd.user;
+      group = config.services.slskd.group;
    };

    # Network configuration
--- a/modules/zfs.nix
+++ b/modules/zfs.nix
@@ -4,24 +4,7 @@
  pkgs,
  ...
 }:
-let
-  # DO NOT CHANGE
-  # path is set via a zfs property
-  zfs-key = "/etc/zfs-key";
-in
 {
-  system.activationScripts = {
-    # Copy decrypted ZFS key from agenix to expected location
-    # /etc is on tmpfs due to impermanence, so no persistent storage risk
-    "zfs-key".text = ''
-      #!/bin/sh
-      rm -f ${zfs-key} || true
-      cp ${config.age.secrets.zfs-key.path} ${zfs-key}
-      chmod 0400 ${zfs-key}
-      chown root:root ${zfs-key}
-    '';
-  };
-
  boot.zfs.package = pkgs.zfs;
  boot.initrd.kernelModules = [ "zfs" ];

@@ -43,6 +26,7 @@ in
      "zfs.zfs_dirty_data_max=${builtins.toString dirty_b}"
      "zfs.zfs_delay_min_dirty_percent=80" # delay write throttling until 80% dirty (default 60%)
      "zfs.zfs_vdev_async_write_max_active=30" # more concurrent async writes to vdevs (default 10)
+      "zfs.zfs_vdev_async_read_max_active=10" # more concurrent async reads for random I/O (default 3)
    ];

  boot.supportedFilesystems = [ "zfs" ];
--- a/services/minecraft.nix
+++ b/services/minecraft.nix
@@ -18,6 +18,9 @@
    (lib.serviceFilePerms "minecraft-server-${service_configs.minecraft.server_name}" [
      "Z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name} 700 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}"
      "Z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name}/squaremap/web 750 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}"
+      # Allow caddy (in minecraft group) to traverse to squaremap/web for map.gardling.com
+      "z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name} 710 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}"
+      "z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name}/squaremap 710 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}"
    ])
  ];

@@ -190,9 +193,4 @@
    ];
  };

-  systemd.tmpfiles.rules = [
-    # Allow caddy (in minecraft group) to traverse to squaremap/web for map.gardling.com
-    "z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name} 710 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}"
-    "z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name}/squaremap 710 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}"
-  ];
 }
--- a/services/monero.nix
+++ b/services/monero.nix
@@ -17,15 +17,18 @@
    enable = true;
    dataDir = service_configs.monero.dataDir;
    rpc = {
+      address = "0.0.0.0";
      port = service_configs.ports.monero_rpc;
      restricted = true;
    };
    extraConfig = ''
      p2p-bind-port=${builtins.toString service_configs.ports.monero}
+      db-sync-mode=fast:async:1000000000bytes
    '';
  };

  networking.firewall.allowedTCPPorts = [
    service_configs.ports.monero
+    service_configs.ports.monero_rpc
  ];
 }
--- a/services/soulseek.nix
+++ b/services/soulseek.nix
@@ -6,9 +6,6 @@
  username,
  ...
 }:
-let
-  slskd_env = "/etc/slskd_env";
-in
 {
  imports = [
    (lib.serviceMountWithZpool "slskd" "" [
@@ -26,20 +23,10 @@ in

  users.groups."music" = { };

-  system.activationScripts = {
-    "skskd_env".text = ''
-      #!/bin/sh
-      rm -fr ${slskd_env} || true
-      cp ${config.age.secrets.slskd_env.path} ${slskd_env}
-      chmod 0500 ${slskd_env}
-      chown ${config.services.slskd.user}:${config.services.slskd.group} ${slskd_env}
-    '';
-  };
-
  services.slskd = {
    enable = true;
    domain = null; # null so we don't use nginx reverse proxy
-    environmentFile = slskd_env;
+    environmentFile = config.age.secrets.slskd_env.path;

    settings = {
      web = {
Author	SHA1	Message	Date
Simon Gardling	08cbc37f94	minecraft: fix map perms	2026-03-04 19:40:18 -05:00
Simon Gardling	f784f26848	monero: changes	2026-03-04 18:56:55 -05:00
Simon Gardling	b5be21ff8c	secrets: cleanup activation scripts	2026-03-04 17:35:49 -05:00