nix-files/modules/impermanence.nix

# borrows from:
#   https://xeiaso.net/blog/paranoid-nixos-2021-07-18
#   https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/
#   https://github.com/nix-community/impermanence
{ lib, config, impermanence, ... }:

with lib;
let
  cfg = config.colinsane.impermanence;
in
{
  options = {
    colinsane.impermanence.enable = mkOption {
      default = false;
      type = types.bool;
    };
  };

  config = let
    map-dir = defaults: dir: if isString dir then
        map-dir defaults { directory = "${defaults.directory}${dir}"; }
      else
        defaults // dir
      ;
    map-dirs = defaults: dirs: builtins.map (map-dir defaults) dirs;

    map-home-dirs = map-dirs { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/"; };
    map-sys-dirs = map-dirs { user = "root"; group = "root"; mode = "0755"; directory = ""; };
    map-service-dirs = map-dirs { user = "root"; group = "root"; mode = "0755"; directory = ""; };
  in mkIf cfg.enable {
    environment.persistence."/nix/persist" = {
      directories = (map-home-dirs [
        "archive"
        "dev"
        "records"
        "ref"
        "tmp"
        "use"
        "Music"
        "Pictures"
        "Videos"
        # actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
        ".bitmonero"
        # cache is probably too big to fit on the tmpfs
        # TODO: we could bind-mount it to something which gets cleared per boot, though.
        ".cache"
        ".cargo"
        ".rustup"
        ".ssh"
        # zcash coins. safe to delete, just slow to regenerate (10-60 minutes)
        ".zcash"
        # intentionally omitted:
        # ".config"  # managed by home-manager
        # ".local"   # nothing useful in here
        # ".mozilla" # managed by home-manager
        # creds. TODO: can i manage this with home-manager?
        ".config/spotify"
        # creds, but also 200 MB of node modules, etc
        ".config/discord"
        # creds/session keys, etc
        ".config/Element"
        # creds, media
        ".config/Signal"
      ]) ++ (map-sys-dirs [
        { mode = "0700"; directory = "/etc/NetworkManager/system-connections"; }
        # "/etc/nixos"
        "/etc/ssh"
        "/var/log"
        "/var/backup"  # for e.g. postgres dumps
        # TODO: what even GOES in /srv?
        "/srv"
      ]) ++ (map-service-dirs [
        # "/var/lib/AccountsService"   # not sure what this is, but it's empty
        "/var/lib/alsa"                # preserve output levels, default devices
        # "/var/lib/blueman"           # files aren't human readable
        "/var/lib/bluetooth"           # preserve bluetooth handshakes
        "/var/lib/colord"              # preserve color calibrations (?)
        "/var/lib/duplicity"           # we need this mostly because of the size of duplicity's cache
        # "/var/lib/dhclient"          # empty on lappy; dunno about desko
        # "/var/lib/fwupd"             # not sure why this would need persistent state
        # "/var/lib/geoclue"           # empty on lappy
        # "/var/lib/lockdown"          # empty on desko; might store secrets after iOS handshake?
        # "/var/lib/logrotate.status"  # seems redundant with what's in /var/log?
        "/var/lib/machines"            # maybe not needed, but would be painful to add a VM and forget.
        # "/var/lib/misc"              # empty on lappy
        # "/var/lib/NetworkManager"    # looks to be mostly impermanent state?
        # "/var/lib/NetworkManager-fortisslvpn" # empty on lappy
        "/var/lib/nixos"               # has some uid/gid maps; not sure what happens if we lose this.
        # "/var/lib/PackageKit"        # wtf is this?
        # "/var/lib/power-profiles-daemon"  # redundant with nixos declarations
        # "/var/lib/private"           # empty on lappy
        # "/var/lib/systemd"           # nothing obviously necessary
        # "/var/lib/udisks2"           # empty on lappy
        # "/var/lib/upower"            # historic charge data. unnecessary, but maybe used somewhere?
        #
        # servo additions:
        { user = "998"; group = "996"; directory = "/var/lib/acme"; }  # TODO: mode?
        # "/var/lib/dhparams"          # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/dhparams.nix
        # "/var/lib/dovecot"
        # "/var/lib/duplicity"
        { user = "994"; group = "993"; directory = "/var/lib/gitea"; } # TODO: mode? could be more granular
        { user = "261"; group = "261"; directory = "/var/lib/ipfs"; }  # TODO: mode? could be more granular
        { user = "root"; group = "root"; directory = "/var/lib/jackett"; } # TODO: mode? we only need this to save Indexer creds ==> migrate to config?
        { user = "996"; group = "994"; directory = "/var/lib/jellyfin"; } # TODO: mode? could be more granular
        { user = "993"; group = "992"; directory = "/var/lib/matrix-appservice-irc"; } # TODO: mode?
        { user = "224"; group = "224"; directory = "/var/lib/matrix-synapse"; } # TODO: mode?
        { user = "221"; group = "221"; directory = "/var/lib/opendkim"; } # TODO: mode? move this to the nix config (SOPS)
        { user = "997"; group = "995"; directory = "/var/lib/pleroma"; } # TODO: mode? could be more granular
        { user = "71"; group = "71"; directory = "/var/lib/postgresql"; } # TODO: mode?
        { user = "root"; group = "root"; directory = "/var/lib/postfix"; } # TODO: mode? could be more granular
        { user = "70"; group = "70"; directory = "/var/lib/transmission"; } # TODO: mode? we need this specifically for the stats tracking in .config/
        { user = "colin"; group = "users"; directory = "/var/lib/uninsane"; }
      ]);
      files = [
        "/etc/machine-id"
        # "/home/colin/knowledge"
        "/home/colin/.zsh_history"
        # # XXX these only need persistence because i have mutableUsers = true, i think
        # "/etc/group"
        # "/etc/passwd"
        # "/etc/shadow"
        # { file = "/home/test2"; persistentStoragePath = "/nix/persist"; }
      ];
    };

    systemd.services.sane-sops = {
      description = "sops relies on /etc/ssh being available, so re-run its activation AFTER fs-local";
      script = config.system.activationScripts.setupSecrets.text;
      after = [ "fs-local.target" ];
      wantedBy = [ "multi-user.target" ];
    };
  };
}
lappy: enable impermanence it mostly went smooth, though i lost a .ssh key. probably the best upgrade process is to do most of the heavy work in the initrd: write the new nix config, notably, configuring a tmpfs / mount and moving the previous / to /nix. then boot and in the initrd, move all the `/nix/nix/...` items up a level. 2022-06-20 10:28:01 +00:00			`# borrows from:`
			`# https://xeiaso.net/blog/paranoid-nixos-2021-07-18`
			`# https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/`
			`# https://github.com/nix-community/impermanence`
			`{ lib, config, impermanence, ... }:`

			`with lib;`
			`let`
			`cfg = config.colinsane.impermanence;`
			`in`
			`{`
			`options = {`
			`colinsane.impermanence.enable = mkOption {`
			`default = false;`
			`type = types.bool;`
			`};`
			`};`

impermanence: abstract the creation of ~/ sub-dirs 2022-07-10 21:42:33 +00:00			`config = let`
impermanence: abstract the creation of root-owned system directories 2022-07-10 22:06:55 +00:00			`map-dir = defaults: dir: if isString dir then`
			`map-dir defaults { directory = "${defaults.directory}${dir}"; }`
			`else`
			`defaults // dir`
			`;`
			`map-dirs = defaults: dirs: builtins.map (map-dir defaults) dirs;`

			`map-home-dirs = map-dirs { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/"; };`
			`map-sys-dirs = map-dirs { user = "root"; group = "root"; mode = "0755"; directory = ""; };`
impermanence: abstract the creation of service directories better would be to not directly call out user/group, but force them to be looked up. 2022-07-10 22:15:34 +00:00			`map-service-dirs = map-dirs { user = "root"; group = "root"; mode = "0755"; directory = ""; };`
impermanence: abstract the creation of ~/ sub-dirs 2022-07-10 21:42:33 +00:00			`in mkIf cfg.enable {`
lappy: enable impermanence it mostly went smooth, though i lost a .ssh key. probably the best upgrade process is to do most of the heavy work in the initrd: write the new nix config, notably, configuring a tmpfs / mount and moving the previous / to /nix. then boot and in the initrd, move all the `/nix/nix/...` items up a level. 2022-06-20 10:28:01 +00:00			`environment.persistence."/nix/persist" = {`
impermanence: abstract the creation of ~/ sub-dirs 2022-07-10 21:42:33 +00:00			`directories = (map-home-dirs [`
			`"archive"`
			`"dev"`
			`"records"`
			`"ref"`
			`"tmp"`
			`"use"`
			`"Music"`
			`"Pictures"`
			`"Videos"`
add monero (as package and as persisted directory) 2022-07-09 04:56:49 +00:00			`# actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)`
impermanence: abstract the creation of ~/ sub-dirs 2022-07-10 21:42:33 +00:00			`".bitmonero"`
impermanence: granualize the /home/colin mounts 2022-06-21 08:59:31 +00:00			`# cache is probably too big to fit on the tmpfs`
			`# TODO: we could bind-mount it to something which gets cleared per boot, though.`
impermanence: abstract the creation of ~/ sub-dirs 2022-07-10 21:42:33 +00:00			`".cache"`
			`".cargo"`
			`".rustup"`
			`".ssh"`
persist: zcash directory 2022-07-09 08:00:17 +00:00			`# zcash coins. safe to delete, just slow to regenerate (10-60 minutes)`
impermanence: abstract the creation of ~/ sub-dirs 2022-07-10 21:42:33 +00:00			`".zcash"`
impermanence: granualize the /home/colin mounts 2022-06-21 08:59:31 +00:00			`# intentionally omitted:`
impermanence: abstract the creation of ~/ sub-dirs 2022-07-10 21:42:33 +00:00			`# ".config" # managed by home-manager`
			`# ".local" # nothing useful in here`
			`# ".mozilla" # managed by home-manager`
impermanence: cache discord creds 2022-06-26 05:11:16 +00:00			`# creds. TODO: can i manage this with home-manager?`
impermanence: abstract the creation of ~/ sub-dirs 2022-07-10 21:42:33 +00:00			`".config/spotify"`
impermanence: cache discord creds 2022-06-26 05:11:16 +00:00			`# creds, but also 200 MB of node modules, etc`
impermanence: abstract the creation of ~/ sub-dirs 2022-07-10 21:42:33 +00:00			`".config/discord"`
persist the Element session keys 2022-07-01 08:05:46 +00:00			`# creds/session keys, etc`
impermanence: abstract the creation of ~/ sub-dirs 2022-07-10 21:42:33 +00:00			`".config/Element"`
persist Signal 2022-07-06 22:14:36 +00:00			`# creds, media`
impermanence: abstract the creation of ~/ sub-dirs 2022-07-10 21:42:33 +00:00			`".config/Signal"`
impermanence: abstract the creation of root-owned system directories 2022-07-10 22:06:55 +00:00			`]) ++ (map-sys-dirs [`
			`{ mode = "0700"; directory = "/etc/NetworkManager/system-connections"; }`
move nixos config from /etc/nixos to /home/colin/dev/nixos 2022-06-21 09:23:19 +00:00			`# "/etc/nixos"`
impermanence: abstract the creation of root-owned system directories 2022-07-10 22:06:55 +00:00			`"/etc/ssh"`
			`"/var/log"`
			`"/var/backup" # for e.g. postgres dumps`
			`# TODO: what even GOES in /srv?`
			`"/srv"`
impermanence: abstract the creation of service directories better would be to not directly call out user/group, but force them to be looked up. 2022-07-10 22:15:34 +00:00			`]) ++ (map-service-dirs [`
tune /var/lib impermanence (for lappy) 2022-06-25 04:10:49 +00:00			`# "/var/lib/AccountsService" # not sure what this is, but it's empty`
impermanence: abstract the creation of service directories better would be to not directly call out user/group, but force them to be looked up. 2022-07-10 22:15:34 +00:00			`"/var/lib/alsa" # preserve output levels, default devices`
tune /var/lib impermanence (for lappy) 2022-06-25 04:10:49 +00:00			`# "/var/lib/blueman" # files aren't human readable`
impermanence: abstract the creation of service directories better would be to not directly call out user/group, but force them to be looked up. 2022-07-10 22:15:34 +00:00			`"/var/lib/bluetooth" # preserve bluetooth handshakes`
			`"/var/lib/colord" # preserve color calibrations (?)`
			`"/var/lib/duplicity" # we need this mostly because of the size of duplicity's cache`
tune /var/lib impermanence (for lappy) 2022-06-25 04:10:49 +00:00			`# "/var/lib/dhclient" # empty on lappy; dunno about desko`
			`# "/var/lib/fwupd" # not sure why this would need persistent state`
			`# "/var/lib/geoclue" # empty on lappy`
add desko /var/lib entries to impermanence 2022-06-25 21:53:15 +00:00			`# "/var/lib/lockdown" # empty on desko; might store secrets after iOS handshake?`
tune /var/lib impermanence (for lappy) 2022-06-25 04:10:49 +00:00			`# "/var/lib/logrotate.status" # seems redundant with what's in /var/log?`
impermanence: abstract the creation of service directories better would be to not directly call out user/group, but force them to be looked up. 2022-07-10 22:15:34 +00:00			`"/var/lib/machines" # maybe not needed, but would be painful to add a VM and forget.`
tune /var/lib impermanence (for lappy) 2022-06-25 04:10:49 +00:00			`# "/var/lib/misc" # empty on lappy`
			`# "/var/lib/NetworkManager" # looks to be mostly impermanent state?`
			`# "/var/lib/NetworkManager-fortisslvpn" # empty on lappy`
impermanence: abstract the creation of service directories better would be to not directly call out user/group, but force them to be looked up. 2022-07-10 22:15:34 +00:00			`"/var/lib/nixos" # has some uid/gid maps; not sure what happens if we lose this.`
tune /var/lib impermanence (for lappy) 2022-06-25 04:10:49 +00:00			`# "/var/lib/PackageKit" # wtf is this?`
			`# "/var/lib/power-profiles-daemon" # redundant with nixos declarations`
			`# "/var/lib/private" # empty on lappy`
			`# "/var/lib/systemd" # nothing obviously necessary`
			`# "/var/lib/udisks2" # empty on lappy`
			`# "/var/lib/upower" # historic charge data. unnecessary, but maybe used somewhere?`
complete servo image & port to impermanence there might still be some bugs to work out here. this produces a workable image, but with some uncertainty around that swapfile (the first attempt had /swapfile living on a tmpfs). 2022-06-29 08:17:53 +00:00			`#`
			`# servo additions:`
impermanence: abstract the creation of service directories better would be to not directly call out user/group, but force them to be looked up. 2022-07-10 22:15:34 +00:00			`{ user = "998"; group = "996"; directory = "/var/lib/acme"; } # TODO: mode?`
complete servo image & port to impermanence there might still be some bugs to work out here. this produces a workable image, but with some uncertainty around that swapfile (the first attempt had /swapfile living on a tmpfs). 2022-06-29 08:17:53 +00:00			`# "/var/lib/dhparams" # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/dhparams.nix`
			`# "/var/lib/dovecot"`
			`# "/var/lib/duplicity"`
impermanence: abstract the creation of service directories better would be to not directly call out user/group, but force them to be looked up. 2022-07-10 22:15:34 +00:00			`{ user = "994"; group = "993"; directory = "/var/lib/gitea"; } # TODO: mode? could be more granular`
			`{ user = "261"; group = "261"; directory = "/var/lib/ipfs"; } # TODO: mode? could be more granular`
			`{ user = "root"; group = "root"; directory = "/var/lib/jackett"; } # TODO: mode? we only need this to save Indexer creds ==> migrate to config?`
			`{ user = "996"; group = "994"; directory = "/var/lib/jellyfin"; } # TODO: mode? could be more granular`
			`{ user = "993"; group = "992"; directory = "/var/lib/matrix-appservice-irc"; } # TODO: mode?`
			`{ user = "224"; group = "224"; directory = "/var/lib/matrix-synapse"; } # TODO: mode?`
			`{ user = "221"; group = "221"; directory = "/var/lib/opendkim"; } # TODO: mode? move this to the nix config (SOPS)`
			`{ user = "997"; group = "995"; directory = "/var/lib/pleroma"; } # TODO: mode? could be more granular`
			`{ user = "71"; group = "71"; directory = "/var/lib/postgresql"; } # TODO: mode?`
			`{ user = "root"; group = "root"; directory = "/var/lib/postfix"; } # TODO: mode? could be more granular`
			`{ user = "70"; group = "70"; directory = "/var/lib/transmission"; } # TODO: mode? we need this specifically for the stats tracking in .config/`
			`{ user = "colin"; group = "users"; directory = "/var/lib/uninsane"; }`
			`]);`
impermanence: persist /etc/machine-id 2022-06-21 07:02:57 +00:00			`files = [`
			`"/etc/machine-id"`
impermanence: granualize the /home/colin mounts 2022-06-21 08:59:31 +00:00			`# "/home/colin/knowledge"`
			`"/home/colin/.zsh_history"`
impermanence: persist /etc/machine-id 2022-06-21 07:02:57 +00:00			`# # XXX these only need persistence because i have mutableUsers = true, i think`
			`# "/etc/group"`
			`# "/etc/passwd"`
			`# "/etc/shadow"`
			`# { file = "/home/test2"; persistentStoragePath = "/nix/persist"; }`
			`];`
lappy: enable impermanence it mostly went smooth, though i lost a .ssh key. probably the best upgrade process is to do most of the heavy work in the initrd: write the new nix config, notably, configuring a tmpfs / mount and moving the previous / to /nix. then boot and in the initrd, move all the `/nix/nix/...` items up a level. 2022-06-20 10:28:01 +00:00			`};`
sops: decrypt secrets AFTER /nix/ssh has been mounted 2022-06-30 08:30:58 +00:00
			`systemd.services.sane-sops = {`
			`description = "sops relies on /etc/ssh being available, so re-run its activation AFTER fs-local";`
			`script = config.system.activationScripts.setupSecrets.text;`
			`after = [ "fs-local.target" ];`
			`wantedBy = [ "multi-user.target" ];`
			`};`
lappy: enable impermanence it mostly went smooth, though i lost a .ssh key. probably the best upgrade process is to do most of the heavy work in the initrd: write the new nix config, notably, configuring a tmpfs / mount and moving the previous / to /nix. then boot and in the initrd, move all the `/nix/nix/...` items up a level. 2022-06-20 10:28:01 +00:00			`};`
			`}`