146 lines
3.9 KiB
Nix
146 lines
3.9 KiB
Nix
{
|
|
pkgs,
|
|
config,
|
|
lib,
|
|
...
|
|
}: let
|
|
inherit (lib) escapeShellArg;
|
|
# (wip) more configurable than old one, will be used by volatile btrfs module
|
|
mkBtrfsInit = {
|
|
volatileRoot ? "/volatile",
|
|
oldRoots ? "/old_roots",
|
|
volume,
|
|
}: ''
|
|
mkdir -p /btrfs_tmp
|
|
mount ${escapeShellArg volume} /btrfs_tmp -o subvol=/
|
|
|
|
# ensure subvol parent directory exists
|
|
mkdir -p $(dirname /btrfs_tmp/${escapeShellArg volatileRoot})
|
|
|
|
if [[ -e /btrfs_tmp/${escapeShellArg volatileRoot} ]] ; then
|
|
mkdir -p /btrfs_tmp/${escapeShellArg oldRoots}
|
|
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/${escapeShellArg volatileRoot})" "+%Y-%m-%-d_%H:%M:%S")
|
|
mv /btrfs_tmp/${escapeShellArg volatileRoot} /btrfs_tmp/${escapeShellArg oldRoots}/"$timestamp"
|
|
fi
|
|
|
|
btrfs subvolume create /btrfs_tmp/${escapeShellArg volatileRoot}
|
|
|
|
umount /btrfs_tmp
|
|
|
|
# TODO implement deletion once system is booted. the old implementation did
|
|
# it here, which is not safe until system time is at least monotonic.
|
|
# systemd tmpfiles is good enough, just mount it to somewhere in /run
|
|
'';
|
|
|
|
root_vol = "/dev/archdesktop/root";
|
|
in {
|
|
config = lib.mkIf (!(config.virtualisation ? qemu)) {
|
|
fileSystems."/persist" = {
|
|
neededForBoot = true;
|
|
device = root_vol;
|
|
fsType = "btrfs";
|
|
options = ["subvol=/nixos/@persist"];
|
|
};
|
|
|
|
# TODO volatile btrfs module
|
|
boot.initrd.postDeviceCommands = lib.mkAfter (mkBtrfsInit {
|
|
volume = root_vol;
|
|
volatileRoot = "/nixos/volatile";
|
|
oldRoots = "/nixos/old_roots";
|
|
});
|
|
|
|
fileSystems."/" = lib.mkForce {
|
|
device = root_vol;
|
|
fsType = "btrfs";
|
|
options = ["subvol=/nixos/volatile"];
|
|
};
|
|
|
|
# agenix fix
|
|
fileSystems."/etc/ssh".neededForBoot = true;
|
|
|
|
environment.persistence = {
|
|
"/persist/nobackup" = {
|
|
hideMounts = true;
|
|
directories = [
|
|
"/var/lib/systemd/coredump"
|
|
"/var/lib/flatpak"
|
|
"/var/log"
|
|
];
|
|
|
|
files = [
|
|
"/var/lib/systemd/random-seed"
|
|
];
|
|
};
|
|
|
|
"/persist/backup" = {
|
|
hideMounts = true;
|
|
directories = [
|
|
# this affects generation/consistency of uids and gids, and should
|
|
# probably NEVER be excluded removed.
|
|
"/var/lib/nixos/"
|
|
# password files for user.user.<name>.hashedPasswordFile
|
|
{
|
|
directory = "/etc/passfile";
|
|
mode = "0700";
|
|
}
|
|
|
|
# persistent non-declarative config
|
|
"/etc/nixos"
|
|
"/etc/ssh"
|
|
{
|
|
directory = "/etc/wireguard";
|
|
mode = "0700";
|
|
}
|
|
|
|
# let's keep the root home dir as well
|
|
{
|
|
directory = "/root";
|
|
mode = "0700";
|
|
}
|
|
|
|
# system state
|
|
"/etc/NetworkManager/system-connections"
|
|
"/var/lib/bluetooth"
|
|
"/var/lib/blueman"
|
|
"/var/lib/cups"
|
|
"/var/lib/NetworkManager"
|
|
"/var/lib/power-profiles-daemon"
|
|
"/var/lib/systemd/rfkill"
|
|
"/var/lib/systemd/timesync"
|
|
{
|
|
directory = "/var/lib/tailscale";
|
|
mode = "0700";
|
|
}
|
|
"/var/lib/unbound"
|
|
"/var/db/sudo/lectured"
|
|
|
|
# remember login stuff
|
|
{
|
|
directory = "/var/cache/tuigreet";
|
|
user = "greeter";
|
|
group = "greeter";
|
|
}
|
|
{
|
|
directory = "/var/cache/regreet";
|
|
user = "greeter";
|
|
group = "greeter";
|
|
}
|
|
{
|
|
directory = "/var/lib/regreet";
|
|
user = "greeter";
|
|
group = "greeter";
|
|
}
|
|
];
|
|
|
|
files = [
|
|
"/etc/machine-id"
|
|
];
|
|
};
|
|
};
|
|
|
|
users.mutableUsers = false;
|
|
users.users.nullbite.hashedPasswordFile = "/persist/passfile/nullbite";
|
|
users.users.root.hashedPasswordFile = "/persist/passfile/root";
|
|
};
|
|
}
|