nixfiles/hosts/nullbox/impermanence.nix


{ pkgs, config, lib, ... }:
let
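# Build the initrd shell snippet that rolls the root subvolume back on every
# boot: the previous "volatile" subvolume is moved aside under old_roots/
# (named after its mtime), entries of old_roots/ older than 30 days are handed
# to the recursive delete, and a fresh empty "volatile" subvolume is created.
#   prefix  - directory below the btrfs top level that holds "volatile" and
#             "old_roots" ("" means the top level itself). It is spliced into
#             the script unescaped, so keep it to plain path characters.
#   volume  - block device of the btrfs filesystem; mounted with subvol=/.
# Returns the script as a string for boot.initrd.postDeviceCommands.
# NOTE: deletion is still a dry run - delete_subvolume_recursively only echoes
# the command it would run (see the echo lines inside the function).
mkBtrfsInit = { prefix ? "", volume }: ''
  mkdir /btrfs_tmp
  mount "${volume}" /btrfs_tmp -o subvol=/
  # unix is fine with multiple consecutive slashes if prefix is empty or
  # contains a leading or trailing slash
  mkdir -p "/btrfs_tmp/${prefix}/"
  if [[ -e "/btrfs_tmp/${prefix}/volatile" ]] ; then
    mkdir -p "/btrfs_tmp/${prefix}/old_roots"
    # the retired root is named after its own last-modification time
    timestamp=$(date --date="@$(stat -c %Y "/btrfs_tmp/${prefix}/volatile")" "+%Y-%m-%-d_%H:%M:%S")
    mv "/btrfs_tmp/${prefix}/volatile" "/btrfs_tmp/${prefix}/old_roots/$timestamp"
  fi
  # Delete a subvolume together with the subvolumes nested in it. Paths
  # printed by `btrfs subvolume list -o` are relative to the filesystem top
  # level, hence the /btrfs_tmp prefix on the recursive call.
  delete_subvolume_recursively() {
    # scope the IFS change to this function so it does not leak into the
    # rest of the initrd commands that run after this snippet
    local IFS=$'\n'
    for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
      delete_subvolume_recursively "/btrfs_tmp/$i"
    done
    # btrfs subvolume delete "$1"
    echo would run: btrfs subvolume delete "$1"
    echo remove this echo once you see this message
  }
  # -mindepth 1 keeps old_roots/ itself out of the candidate list: find
  # otherwise reports the starting directory too when its own mtime is old,
  # which would hand the whole directory to the delete.
  for i in $(find "/btrfs_tmp/${prefix}/old_roots/" -mindepth 1 -maxdepth 1 -mtime +30); do
    delete_subvolume_recursively "$i"
  done
  btrfs subvolume create "/btrfs_tmp/${prefix}/volatile"
  umount /btrfs_tmp
'';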
# Block device of the btrfs filesystem that both "/" and /persistent are
# carved out of as subvolumes (presumably an LVM logical volume "root" in a
# volume group "archdesktop" - confirm against the host's disk layout).
root_vol = "/dev/archdesktop/root";
in {
  config = {
    # The persistent subvolume has to be mounted in stage 1 so the bind mounts
    # below and the hashedPasswordFile entries have something to read from.
    fileSystems."/persistent" = {
      device = root_vol;
      fsType = "btrfs";
      options = [ "subvol=/nixos/@persistent" ];
      neededForBoot = true;
    };

    # "/" is the throwaway subvolume that mkBtrfsInit recreates on every boot;
    # mkForce overrides whatever the hardware configuration declared for it.
    fileSystems."/" = lib.mkForce {
      device = root_vol;
      fsType = "btrfs";
      options = [ "subvol=/nixos/volatile" ];
    };

    # Run the rollback once the device is available in the initrd.
    boot.initrd.postDeviceCommands = lib.mkAfter (mkBtrfsInit {
      prefix = "nixos";
      volume = root_vol;
    });

    environment.persistence = {
      # State that should survive a reboot but is not worth backing up.
      "/persistent/nobackup" = {
        hideMounts = true;
        directories = [
          "/var/lib/systemd/coredump"
          "/var/lib/flatpak"
        ];
        # the random seed has to persist locally but must not end up in a
        # backup that could be restored onto a second machine
        files = [ "/var/lib/systemd/random-seed" ];
      };

      # State that is persisted and also included in backups. Note that this
      # tree contains private key material (ssh host keys, wireguard keys,
      # the passfile directory), so the backup needs the same protection as
      # the live files.
      "/persistent/backup" = {
        hideMounts = true;
        directories = [
          # uid/gid allocation state; dropping it changes ids on the next
          # rebuild, so it should essentially never be removed from here
          "/var/lib/nixos/"
          # password hashes for users.users.<name>.hashedPasswordFile
          # NOTE(review): the hashedPasswordFile entries further down read from
          # /persistent/passfile/<name>, not from this bind mount (which is
          # backed by /persistent/backup/etc/passfile) - confirm which path is
          # the one actually in use.
          { directory = "/etc/passfile"; mode = "0700"; }
          # persistent non-declarative configuration
          "/etc/nixos"
          "/etc/ssh"
          { directory = "/etc/wireguard"; mode = "0700"; }
          # root's home directory is kept too
          { directory = "/root"; mode = "0700"; }
          # miscellaneous system state
          "/var/lib/bluetooth"
          "/var/lib/blueman"
          "/var/lib/cups"
          "/var/lib/NetworkManager"
          "/var/lib/power-profiles-daemon"
          "/var/lib/systemd/rfkill"
          { directory = "/var/lib/tailscale"; mode = "0700"; }
          "/var/lib/unbound"
          "/var/db/sudo/lectured"
          "/var/log"
          # last-login memory of the greeter
          "/var/cache/tuigreet"
        ];
        # machine-id identifies this host; a backup restored onto different
        # hardware should presumably regenerate it rather than reuse it
        files = [ "/etc/machine-id" ];
      };
    };

    users = {
      # all accounts are declared here; nothing is created or changed at runtime
      mutableUsers = false;
      users = {
        nullbite = {
          hashedPasswordFile = "/persistent/passfile/nullbite";
          # explicitly unset so only the hashed password file applies
          initialPassword = null;
        };
        root.hashedPasswordFile = "/persistent/passfile/root";
      };
    };
  };
}