{
config,
lib,
...
}:
let
inherit (lib)
attrNames
flip
isAttrs
mapAttrs
mkMerge
mkOption
optionals
types
;
in
{
# agenix decrypts secrets during activation and must not depend on the
# impermanence bind mount of /etc/ssh being in place yet, so point it at the
# host key's real location on the persistent volume (see the /persist
# definitions below: /etc/ssh/ssh_host_ed25519_key is bind-mounted from there).
age = {
  identityPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];
};
# Per-user extension point: every home-manager user gets a
# `home.persistence.<sourceDir>` option whose `files` and `directories`
# lists are folded into `environment.persistence.<sourceDir>.users.<user>`
# by the `imports` entry below.
home-manager.sharedModules =
  let
    # An entry is either a bare path string or an impermanence attrset
    # such as `{ directory = "..."; mode = "0750"; }`; no further validation
    # is done here, impermanence's own option types check the result.
    entryType = types.either types.attrs types.str;
    entryList =
      desc:
      mkOption {
        description = desc;
        type = types.listOf entryType;
        default = [ ];
      };
    # Options available per source directory (e.g. "/persist").
    perSource = types.submodule {
      options = {
        files = entryList "Additional files to persist via NixOS impermanence.";
        directories = entryList "Additional directories to persist via NixOS impermanence.";
      };
    };
  in
  [
    {
      options.home.persistence = mkOption {
        description = "Additional persistence config for the given source path";
        default = { };
        type = types.attrsOf perSource;
      };
    }
  ];
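# Collect every home-manager user's `home.persistence` declarations into
# environment.persistence.<sourceDir>.users.<user>.  Defaults are chosen
# restrictive: persisted user state is private (mode 700) unless the entry
# itself says otherwise.
imports =
  let
    # Normalise a file entry (path string or attrset) and default the
    # bind-mount's parent directory to mode 700.  `lib.recursiveUpdate` is
    # used instead of `//` on purpose: with a shallow update an entry that
    # sets any other parentDirectory attribute (e.g. `parentDirectory.user`)
    # would replace the whole `parentDirectory` set and silently drop the
    # restrictive mode, falling back to impermanence's own default.  The
    # entry still wins when it sets `parentDirectory.mode` explicitly.
    mkUserFiles = map (
      x: lib.recursiveUpdate { parentDirectory.mode = "700"; } (if isAttrs x then x else { file = x; })
    );
    # Directory entries are flat, so a plain update keeps the entry's own
    # `mode` when present and applies 700 otherwise.
    mkUserDirs = map (x: { mode = "700"; } // (if isAttrs x then x else { directory = x; }));
  in
  [
    {
      # One attrset per (user, sourceDir) pair; mkMerge lets several users
      # contribute to the same environment.persistence.<sourceDir>.
      environment.persistence = mkMerge (
        flip map (attrNames config.home-manager.users) (
          user:
          let
            hmUserCfg = config.home-manager.users.${user};
          in
          flip mapAttrs hmUserCfg.home.persistence (
            _: sourceCfg: {
              users.${user} = {
                files = mkUserFiles sourceCfg.files;
                directories = mkUserDirs sourceCfg.directories;
              };
            }
          )
        )
      );
    }
  ];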
# Reboot-persistent but disposable state: nothing under /state is expected
# to be in a backup (logs, spool, systemd bookkeeping).
fileSystems."/state".neededForBoot = true;
environment.persistence."/state" = {
  # Hide the individual bind mounts (impermanence's hideMounts option).
  hideMounts = true;
  directories =
    [
      "/var/lib/systemd"
      "/var/log"
      "/var/spool"
      # Deliberately not persisted.  If they are ever added they need the
      # sticky, world-writable mode, i.e. { directory = "/tmp"; mode = "1777"; }
      # and likewise for /var/tmp.
    ]
    # iwd's state directory presumably holds the saved network profiles
    # (including PSKs), hence owner-only access.
    ++ lib.optional config.networking.wireless.iwd.enable {
      directory = "/var/lib/iwd";
      mode = "0700";
    };
};
# Long-lived state that defines the machine's identity; everything under
# /persist is expected to be backed up.
fileSystems."/persist".neededForBoot = true;
environment.persistence."/persist" = {
  # Hide the individual bind mounts (impermanence's hideMounts option).
  hideMounts = true;
  files = [
    # Ephemeral nixos-containers derive /etc/machine-id from a stable
    # container uuid, so the file must not be bind-mounted there.  mkIf inside
    # a list is honoured by the module system (the element is dropped).
    (lib.mkIf (!config.boot.isContainer) "/etc/machine-id")
    # SSH host identity (also agenix's identity, see age.identityPaths).
    # NOTE(review): only the ed25519 pair is kept.  If sshd is configured to
    # generate further host keys -- NixOS' default services.openssh.hostKeys
    # also lists an RSA key, as far as I recall -- those would be re-created
    # on every boot and clients that pinned them would see a changed host
    # key.  Confirm services.openssh.hostKeys is limited to ed25519 elsewhere.
    "/etc/ssh/ssh_host_ed25519_key"
    "/etc/ssh/ssh_host_ed25519_key.pub"
  ];
  directories =
    [ "/var/lib/nixos" ]
    # ACME account keys and certificates.  The root stays 0755 so services
    # can traverse into their own certificate directories; the private keys
    # live in the per-certificate subdirectories, whose (group-restricted)
    # modes are set by the ACME module itself -- confirm against that module.
    ++ lib.optional config.security.acme.acceptTerms {
      directory = "/var/lib/acme";
      user = "acme";
      group = "acme";
      mode = "0755";
    }
    ++ lib.optional config.services.printing.enable {
      directory = "/var/lib/cups";
      mode = "0700";
    }
    # Database files are reachable by the postgres user only.
    ++ lib.optional config.services.postgresql.enable {
      directory = "/var/lib/postgresql";
      user = "postgres";
      group = "postgres";
      mode = "0700";
    };
};
}