From a25c270931dc34727b937bc9c8c5a3461eeb1fe5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Patrick=20Gro=C3=9Fmann?=
Date: Sat, 27 May 2023 00:30:37 +0900
Subject: [PATCH] feat: impermanence

---
 flake.lock | 16 ++++++
 flake.nix | 3 +-
 hosts/common/core/default.nix | 1 +
 hosts/common/core/impermanence.nix | 24 +++++++++
 hosts/patricknix/fs.nix | 31 ++++++++++-
 hosts/patricknix/net.nix | 4 +-
 hosts/patricknix/secrets/secrets.nix.age | Bin 894 -> 810 bytes
 nix/generate-node.nix | 65 +++++++++++------------
 users/common/impermanence.nix | 22 ++++++++
 users/patrick/default.nix | 4 +-
 users/root/default.nix | 3 +-
 11 files changed, 131 insertions(+), 42 deletions(-)
 create mode 100644 hosts/common/core/impermanence.nix
 create mode 100644 users/common/impermanence.nix

diff --git a/flake.lock b/flake.lock
index ff5f918..2c61459 100644
--- a/flake.lock
+++ b/flake.lock
@@ -251,6 +251,21 @@
 "type": "github"
 }
 },
+ "impermanence": {
+ "locked": {
+ "lastModified": 1684264534,
+ "narHash": "sha256-K0zr+ry3FwIo3rN2U/VWAkCJSgBslBisvfRIPwMbuCQ=",
+ "owner": "nix-community",
+ "repo": "impermanence",
+ "rev": "89253fb1518063556edd5e54509c30ac3089d5e6",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "impermanence",
+ "type": "github"
+ }
+ },
 "nixos-hardware": {
 "locked": {
 "lastModified": 1684169666,
@@ -333,6 +348,7 @@
 "flake-utils": "flake-utils",
 "home-manager": "home-manager",
 "hyprland": "hyprland",
+ "impermanence": "impermanence",
 "nixos-hardware": "nixos-hardware",
 "nixpkgs": "nixpkgs",
 "pre-commit-hooks": "pre-commit-hooks",
diff --git a/flake.nix b/flake.nix
index 59cf458..771c838 100644
--- a/flake.nix
+++ b/flake.nix
@@ -44,8 +44,7 @@
 inputs.flake-utils.follows = "flake-utils";
 };
- # someday
- #impermanence.url = "github:nix-community/impermanence";
+ impermanence.url = "github:nix-community/impermanence";
 nixos-hardware.url = "github:nixos/nixos-hardware";
diff --git a/hosts/common/core/default.nix b/hosts/common/core/default.nix
index 3cd8166..d1f41cf 100644
--- a/hosts/common/core/default.nix
+++ b/hosts/common/core/default.nix
@@ -7,6 +7,7 @@
 ./ssh.nix
 ./system.nix
 ./xdg.nix
+ ./impermanence.nix
 ];
 home-manager = {
diff --git a/hosts/common/core/impermanence.nix b/hosts/common/core/impermanence.nix
new file mode 100644
index 0000000..3cf3262
--- /dev/null
+++ b/hosts/common/core/impermanence.nix
@@ -0,0 +1,24 @@
+{
+ config,
+ lib,
+ ...
+}: {
+ age.identityPaths = ["/persist/etc/ssh/ssh_host_ed25519_key"];
+ environment.persistence."/persist" = {
+ hideMounts = true;
+
+ files = [
+ "/etc/machine-id"
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ ];
+ directories = [
+ {
+ directory = "/var/lib/nixos";
+ user = "root";
+ group = "root";
+ mode = "0775";
+ }
+ ];
+ };
+}
diff --git a/hosts/patricknix/fs.nix b/hosts/patricknix/fs.nix
index faacbee..928aa43 100644
--- a/hosts/patricknix/fs.nix
+++ b/hosts/patricknix/fs.nix
@@ -1,6 +1,21 @@
-{
+{pkgs, ...}: {
 fileSystems."/" = {
- device = "rpool/ROOT/nixos";
+ device = "rpool/local/root";
+ neededForBoot = true;
+ fsType = "zfs";
+ options = ["zfsutil" "X-mount.mkdir"];
+ };
+
+ fileSystems."/nix" = {
+ device = "rpool/local/nix";
+ neededForBoot = true;
+ fsType = "zfs";
+ options = ["zfsutil" "X-mount.mkdir"];
+ };
+
+ fileSystems."/persist" = {
+ device = "rpool/safe/persist";
+ neededForBoot = true;
 fsType = "zfs";
 options = ["zfsutil" "X-mount.mkdir"];
 };
@@ -10,5 +25,17 @@
 fsType = "vfat";
 };
+ # After importing the rpool, rollback the root system to be empty.
+ boot.initrd.systemd.services.impermanence-root = {
+ wantedBy = ["initrd.target"];
+ after = ["zfs-import-rpool.service"];
+ before = ["sysroot.mount"];
+ unitConfig.DefaultDependencies = "no";
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${pkgs.zfs}/bin/zfs rollback -r rpool/local/root@blank";
+ };
+ };
+
 swapDevices = [];
 }
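Review bot: Only the ed25519 host key pair is listed under `files` in `hosts/common/core/impermanence.nix`, while the NixOS default for `services.openssh.hostKeys` also generates an RSA key; that RSA key would be minted fresh on every boot, so a client whose known_hosts only holds the RSA entry gets a host-key-changed warning after each reboot, and sshd spends boot time generating a 4096-bit key that is thrown away. Either add `"/etc/ssh/ssh_host_rsa_key"` and `"/etc/ssh/ssh_host_rsa_key.pub"` to `files`, or pin `services.openssh.hostKeys = [{ path = "/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }];` so only the persisted key ever exists — whether `ssh.nix` already does the latter is not visible in this patch. `mode = "0775"` on `/var/lib/nixos` is looser than the 0755 that directory normally has; if the group-writable bit is deliberate a comment should say why, otherwise use `"0755"`.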
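Review bot: `impermanence-root` in the second `fs.nix` hunk is only `wantedBy = ["initrd.target"]`, so if `zfs rollback -r rpool/local/root@blank` fails (the `@blank` snapshot missing, pool not yet imported) the unit fails but `sysroot.mount` still goes ahead and the machine boots on the previous boot's root contents — exactly the state impermanence is meant to discard, with nothing in the boot flow to flag it. Add `requiredBy = ["sysroot.mount"];` next to the existing `before` so a failed rollback fails the mount and stops in the initrd emergency shell instead of silently keeping stale state. The `@blank` snapshot is created nowhere in this patch, so the comment above the unit should state it as a prerequisite, e.g. `# Requires the empty snapshot created at install time: zfs snapshot rpool/local/root@blank`. `${pkgs.zfs}` should presumably be `${config.boot.zfs.package}` so the initrd userland matches the loaded kernel module, which would mean adding `config` to the module arguments.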
diff --git a/hosts/patricknix/net.nix b/hosts/patricknix/net.nix
index ef3aa87..fb8ccce 100644
--- a/hosts/patricknix/net.nix
+++ b/hosts/patricknix/net.nix
@@ -17,7 +17,7 @@
 # I need a static global IP address for my dorm LAN
 # So to not dox myself this config file is hardcoded
 systemd.network.networks = {
- "lan1" = {
+ "01-lan1" = {
 DHCP = "yes";
 matchConfig.MACAddress = nodeSecrets.networking.lan1.mac;
 networkConfig.IPv6PrivacyExtensions = "yes";
@@ -25,7 +25,7 @@
 address = [nodeSecrets.networking.fuckKoreanDorm.address];
 dns = ["9.9.9.9"];
 };
- "wlan1" = {
+ "01-wlan1" = {
 DHCP = "yes";
 matchConfig.MACAddress = nodeSecrets.networking.wlan1.mac;
 networkConfig.IPv6PrivacyExtensions = "yes";
diff --git a/hosts/patricknix/secrets/secrets.nix.age b/hosts/patricknix/secrets/secrets.nix.age index 850aab95b2e0f6663662a2a947880a4b13e8e60f..87e464fb70feb314039b212feef446331b52f001 100644 GIT binary patch delta 757 zcmWmAU5L{L0KjpN;mPU;ey}NiV8@9%v(lt#`XM+?nkG%#q)kowamZok zmEH8vvB6Lg#1BxXsGx`&C_Xq8bhroIbW`+Dd{99Jeb5&<@9(sfRp5-4hvUY z3=5W>=-rWFoG#k|>bTX+LeTnwROZBv)ac!#gp zR(M~o@2e7AYjSGABZr%)hh$l=+|z>$70(w)5oaBl`c!}%6m7a2_XWK{&>+c;{Kj&x z#VD?blCZ<}hDAq)JGBgxZ{u{EcNi)pf3`;~-9V#`plB=>%z#M~tXC=?ltv_wEyk=) zN1_GI$Q1M@AM=R>LGpRK8m!S!DMu3;U`HdFXvxvtFdi4O9u8qCBm|di_Vc98tLsr< zRX}cv)t2Z3GRd@u72vcHB``h(LSd?#s*bR>hKdT6B$E*VqFl~|2u{H2#SkmT@wR3q zby-9kJ@=Cs2>9VTTWnCBdW6ZE&5W!_Tq{(=u|`gG8m^jBHl3@ zJMGsecMY}s^mS?S9FW{J|JMBty}hj)OnLU(L#MBgtbe)b(&WC?XMfvzevJCC?8XLd zX!QQJ3k$ka%cO)&{gc>z;^b{7G3Uyw2lcbjgI9hYI5d#%KYwoFw`+b7-Yg#-?*6^_>6&>1<1_m}U{vCS|9;FrdM{j?m=#;ULLb_BgoB6)lexF`9ldMEFMrNh zS>E&i<^7W_>ZbBX-#5a#FXjdo9Qbn1)OUY9+%jQcDRt=R@nhRJU;cXe_!zkE!t>qT l{f~d5PA{p>znPJ)KUzAy_U!%M$veQmz+n(Rb1`tr`Uw278vy_S delta 842 zcmWmB?Tgz40Dy6ijnfszA%|{rOv>uPu#`*l9-X>0Ns}f`b7_)mQsk%Q^z`A@VHu(+>+AUM<$i5{}c`G%9%0lE-bXO#4g0sT5KvuD4 z9nkO=!8Z`1hAa}b1w~?NNh)`LI9SA8A_Ktu?+azH3u)AZZ8+YV%k z7xOkl{z>W`7On)!OK!$^-!GdV#0Et zbw#*dua7tf38l(_RqB3(P^6q)?zZB|^_{s~dc<(U1*os{Ox&{w*g@$gQz9Ilj*Pxi zF*z0;hMkDFxd=#QHf`JZ&GA2cd_}=W$*OIv@9#28f2=;%%7cO)!dICJjV)LtS!v$9)z{M7I3&kFL1)z9{Rd*ogG_Q&2lCU3Et-qGDZ zzcT*m$_C>5b7!CYH#Chv`{=)AX*_ z4t^M3x(HwUEq(Hhd*|Mk@7(j!7gt|6bYN~Zf92_!TQ$E{{l>*r4FJpMmK Cr8NEk diff --git a/nix/generate-node.nix b/nix/generate-node.nix index 6c06f6d..e4ccbd4 100644 --- a/nix/generate-node.nix +++ b/nix/generate-node.nix 
@@ -2,43 +2,40 @@
 self,
 colmena,
 home-manager,
- #impermanence,
+ impermanence,
 nixos-hardware,
 nixpkgs,
 agenix,
 agenix-rekey,
 hyprland,
 ...
-} @ inputs: let
- inherit (nixpkgs.lib) optionals;
-in
- nodeName: nodeMeta: {
- inherit (nodeMeta) system;
- pkgs = self.pkgs.${nodeMeta.system};
- specialArgs = {
- inherit (nixpkgs) lib;
- inherit (self) nodes;
- inherit inputs;
- inherit nodeName;
- inherit nodeMeta;
- inherit hyprland;
- nodePath = ../hosts + "/${nodeName}/";
- secrets = self.secrets.content;
- nodeSecrets = self.secrets.content.nodes.${nodeName};
- nixos-hardware = nixos-hardware.nixosModules;
- #impermanence = impermanence.nixosModules;
- };
- imports = [
- (../hosts + "/${nodeName}")
- home-manager.nixosModules.default
- #impermanence.nixosModules.default
- agenix.nixosModules.default
- agenix-rekey.nixosModules.default
- #]
- #++ optionals nodeMeta.microVmHost [
- # microvm.nixosModules.host
- #]
- #++ optionals (nodeMeta.type == "microvm") [
- # microvm.nixosModules.microvm
- ];
- }
+} @ inputs: nodeName: nodeMeta: {
+ inherit (nodeMeta) system;
+ pkgs = self.pkgs.${nodeMeta.system};
+ specialArgs = {
+ inherit (nixpkgs) lib;
+ inherit (self) nodes;
+ inherit inputs;
+ inherit nodeName;
+ inherit nodeMeta;
+ inherit hyprland;
+ nodePath = ../hosts + "/${nodeName}/";
+ secrets = self.secrets.content;
+ nodeSecrets = self.secrets.content.nodes.${nodeName};
+ nixos-hardware = nixos-hardware.nixosModules;
+ impermanence = impermanence.nixosModules;
+ };
+ imports = [
+ (../hosts + "/${nodeName}")
+ home-manager.nixosModules.default
+ impermanence.nixosModules.impermanence
+ agenix.nixosModules.default
+ agenix-rekey.nixosModules.default
+ #]
+ #++ optionals nodeMeta.microVmHost [
+ # microvm.nixosModules.host
+ #]
+ #++ optionals (nodeMeta.type == "microvm") [
+ # microvm.nixosModules.microvm
+ ];
+}
diff --git a/users/common/impermanence.nix b/users/common/impermanence.nix
new file mode 100644
index 0000000..fc70782
--- /dev/null
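Review bot: The rewrite drops `inherit (nixpkgs.lib) optionals;` but keeps the commented-out `#++ optionals nodeMeta.microVmHost [ … ]` block verbatim at the end of `imports`, so the sketch now refers to a name that no longer exists and would fail with an undefined `optionals` the moment it is uncommented. Either delete the dead block or spell it `#++ nixpkgs.lib.optionals nodeMeta.microVmHost [` so it stays valid without the `let`.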
+++ b/users/common/impermanence.nix
@@ -0,0 +1,22 @@
+{config, ...}: {
+ home.persistence."/persist/home/${config.home.username}" = {
+ files = [
+ ".ssh/know_hosts"
+ ];
+ directories = [
+ "repos"
+ "Downloads"
+ ".local/share/atuin"
+
+ # firefox muss halt
+ ".mozilla"
+
+ # nvim kinda nervig
+ ".local/share/nvim/lazy"
+ ".local/state/nvim"
+ ".cache/nvim"
+
+ ".local/share/direnv"
+ ];
+ };
+}
diff --git a/users/patrick/default.nix b/users/patrick/default.nix
index aa4ec14..2eb04f9 100644
--- a/users/patrick/default.nix
+++ b/users/patrick/default.nix
@@ -1,5 +1,6 @@
 {
 hyprland,
+ impermanence,
 pkgs,
 config,
 ...
@@ -10,7 +11,6 @@
 ];
 rekey.secrets.patrick.file = ../../secrets/patrick.passwd.age;
- # Define a user account. Don't forget to set a password with ‘passwd’.
 users.users.patrick = {
 shell = pkgs.zsh;
 isNormalUser = true;
@@ -28,6 +28,8 @@
 ];
 home-manager.users.patrick.imports = [
 hyprland.homeManagerModules.default
+ impermanence.home-manager.impermanence
+ ../common/impermanence.nix
 ./patrick.nix
 ../common
 ];
diff --git a/users/root/default.nix b/users/root/default.nix
index 385bcf1..7c0b4cf 100644
--- a/users/root/default.nix
+++ b/users/root/default.nix
@@ -10,7 +10,8 @@
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZixkix0KfKuq7Q19whS5FQQg51/AJGB5BiNF/7h/LM"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxD4GOrwrBTG4/qQhm5hoSB2CP7W9g1LPWP11oLGOjQ"
 ];
- passwordFile = config.rekey.secrets.root.path;
+ #passwordFile = config.rekey.secrets.root.path;
+ password = "ctie";
 };
 home-manager.users.root = {
 imports = [../common];
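Review bot: `".ssh/know_hosts"` under `files` in `users/common/impermanence.nix` misspells `known_hosts`, so the one file in this list that carries a security decision — the user's pinned SSH host keys — is not persisted and every reboot starts with an empty trust store; each server is then re-accepted on first use, which turns every reboot into a fresh man-in-the-middle window and makes a genuine changed-key warning impossible. Change it to `".ssh/known_hosts"`. Nothing else under `~/.ssh` is listed either, so any user key pair or `config` kept there is lost on reboot as well; if that is intentional because keys come from agenix, a comment should say so, otherwise persist `".ssh"` as a directory. The German `# firefox muss halt` / `# nvim kinda nervig` comments should say what state needs keeping, e.g. `# Firefox profile: sessions, extensions, saved logins` and `# nvim plugin checkout, undo/shada state and cache`.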
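Review bot: `password = "ctie";` in `users/root/default.nix` replaces the agenix-managed `passwordFile` with a four-character cleartext root password committed to the repository, and `users.users.<name>.password` is additionally written in clear text into the world-readable Nix store, so every host that builds this config hands the root secret to any local user as well as to anyone with the repo. If the secret file was disabled because it is not readable early enough once `/persist` holds the age identity, that is an ordering problem to fix, not a reason to inline a literal; note that the same patch already points `age.identityPaths` at the persisted host key, so `rekey` should be able to decrypt it. Restore `passwordFile = config.rekey.secrets.root.path;`, drop the commented line, and treat `ctie` as burned; if a stopgap is unavoidable, `hashedPassword` with a `mkpasswd -m sha-512` hash is the least-bad option.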