patrick/nix-config
1
1
Fork 0
Code Issues Pull requests Projects Wiki Activity
nix-config/config/basic/impermanence.nix

98 lines
3 KiB
Nix
Raw Blame History

{
config,
lib,
pkgs,
...
}:
let
onlyHost = lib.mkIf (!config.boot.isContainer);
prune =
folder:
pkgs.writers.writePython3Bin "impermanence-prune" { } ''
import os
import sys
mounts = [${
lib.concatStringsSep ", " (
(map (
x: "\"" + (if x.home != null then x.home + "/" else "") + x.directory + "\""
) config.environment.persistence.${folder}.directories)
++ (map (
x: "\"" + (if x.home != null then x.home + "/" else "") + x.file + "\""
) config.environment.persistence.${folder}.files)
)
}] # noqa: E501
mounts = [os.path.normpath(x) for x in mounts]
mounts.sort()
real_mounts = mounts[:1]
for i in mounts[1:]:
if i.startswith(real_mounts[-1] + "/"):
continue
real_mounts.append(i)
erg = set()
for i in real_mounts:
dir = os.path.dirname(i)
try:
content = [dir + "/" + x for x in os.listdir("${folder}" + dir)]
for j in content:
if not any([x.startswith(j) for x in real_mounts]):
erg.add("${folder}" + j)
except PermissionError:
print(f"{dir} could not be accessed. Try running as root",
file=sys.stderr)
print("\n".join(erg))
'';
in
{
# https://github.com/nix-community/impermanence/issues/229
boot.initrd.systemd.suppressedUnits = [ "systemd-machine-id-commit.service" ];
systemd.suppressedSystemUnits = [ "systemd-machine-id-commit.service" ];
# to allow all users to access hm managed persistent folders
lib.scripts.impermanence.pruneScripts = lib.mapAttrs (k: _: prune k) config.environment.persistence;
programs.fuse.userAllowOther = true;
services.openssh.hostKeys = lib.mkForce [
{
path = "/state/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
environment.persistence."/state" = {
hideMounts = true;
files = [
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
] ++ lib.lists.optionals (!config.boot.isContainer) [ "/etc/machine-id" ];
directories = [
"/var/log"
"/var/lib/systemd"
"/var/lib/nixos"
{
directory = "/var/tmp/nix-import-encrypted/";
mode = "0777";
}
{
directory = "/var/tmp/agenix-rekey";
mode = "0777";
}
];
};
environment.persistence."/persist" = {
hideMounts = true;
directories = [ ];
};
fileSystems."/persist".neededForBoot = true;
fileSystems."/state".neededForBoot = true;
# After importing the rpool, rollback the root system to be empty.
boot.initrd.systemd.services.impermanence-root = onlyHost {
wantedBy = [ "initrd.target" ];
after = [ "zfs-import-rpool.service" ];
before = [ "sysroot.mount" ];
unitConfig.DefaultDependencies = "no";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.zfs}/bin/zfs rollback -r rpool/local/root@blank";
};
};
}
Reference in a new issue View git blame Copy permalink