# borrows from:
# https://xeiaso.net/blog/paranoid-nixos-2021-07-18
# https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/
# https://github.com/nix-community/impermanence
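{ lib, config, impermanence, ... }:

with lib;
let
  cfg = config.sane.impermanence;
  # taken from sops-nix code: checks if any secrets are needed to create /etc/shadow
  secretsForUsers = (lib.filterAttrs (_: v: v.neededForUsers) config.sops.secrets) != {};
in
{
  options = {
    sane.impermanence.enable = mkOption {
      default = false;
      type = types.bool;
      description = "persist selected directories and files under /nix/persist so they survive a wiped root.";
    };
    sane.impermanence.home-dirs = mkOption {
      default = [];
      type = types.listOf (types.either types.str (types.attrsOf types.str));
      description = ''
        directories to persist for the user. a plain string is taken relative to /home/colin/
        and owned by colin:users with mode 0755; an attrset is merged over those defaults
        without any path prefixing, so its `directory` is used verbatim.
      '';
    };
    sane.impermanence.service-dirs = mkOption {
      default = [];
      type = types.listOf (types.either types.str (types.attrsOf types.str));
      description = ''
        additional directories to persist for system services. entries are appended to the
        persistence list as given (no user/group/mode defaults applied here), so a string is
        an absolute path and an attrset is in impermanence's own format.
      '';
    };
  };

  config = let
    # expand one entry into the attrset form impermanence expects.
    # a string is prefixed with `defaults.directory` and re-run through the attrset branch;
    # an attrset is merged over `defaults`, so every key it carries (including `directory`) wins.
    map-dir = defaults: dir: if isString dir then
      map-dir defaults { directory = "${defaults.directory}${dir}"; }
    else
      defaults // dir
    ;
    map-dirs = defaults: dirs: builtins.map (map-dir defaults) dirs;

    map-home-dirs = map-dirs { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/"; };
    map-sys-dirs = map-dirs { user = "root"; group = "root"; mode = "0755"; directory = ""; };
  in mkIf cfg.enable {
    sane.image.extraDirectories = [ "/nix/persist/var/log" ];
    environment.persistence."/nix/persist" = {
      # parenthesised to make the precedence explicit: `cfg.service-dirs` is appended
      # untouched, it does NOT pass through map-sys-dirs.
      directories = (map-home-dirs cfg.home-dirs) ++ (map-sys-dirs [
        # TODO: this `0700` here clobbers the perms for /persist/etc, breaking boot on freshly-deployed devices
        # { mode = "0700"; directory = "/etc/NetworkManager/system-connections"; }
        # "/etc/nixos"
        # "/etc/ssh" # persist only the specific files we want, instead
        "/var/log"
        # NOTE(review): the 0755 default makes this directory world-traversable; anything
        # sensitive dropped here (e.g. database dumps) must rely on its own file mode.
        "/var/backup" # for e.g. postgres dumps
        # "/var/lib/AccountsService" # not sure what this is, but it's empty
        "/var/lib/alsa" # preserve output levels, default devices
        # "/var/lib/blueman" # files aren't human readable
        "/var/lib/bluetooth" # preserve bluetooth handshakes (pairing keys live here; the dir is 0755, the key files keep their own mode)
        "/var/lib/colord" # preserve color calibrations (?)
        # "/var/lib/dhclient" # empty on lappy; dunno about desko
        # "/var/lib/fwupd" # not sure why this would need persistent state
        # "/var/lib/geoclue" # empty on lappy
        # "/var/lib/lockdown" # empty on desko; might store secrets after iOS handshake?
        # "/var/lib/logrotate.status" # seems redundant with what's in /var/log?
        "/var/lib/machines" # maybe not needed, but would be painful to add a VM and forget.
        # "/var/lib/misc" # empty on lappy
        # "/var/lib/NetworkManager" # looks to be mostly impermanent state?
        # "/var/lib/NetworkManager-fortisslvpn" # empty on lappy
        # "/var/lib/nixos" # has some uid/gid maps, but we enforce these to be deterministic.
        # "/var/lib/PackageKit" # wtf is this?
        # "/var/lib/power-profiles-daemon" # redundant with nixos declarations
        # "/var/lib/private" # empty on lappy
        # "/var/lib/systemd" # nothing obviously necessary
        # "/var/lib/udisks2" # empty on lappy
        # "/var/lib/upower" # historic charge data. unnecessary, but maybe used somewhere?
        #
        # servo additions:
      ]) ++ cfg.service-dirs;
      files = [
        "/etc/machine-id"
        # host keys are the sops-nix decryption identity, so only the key files are persisted
        # (see the commented-out "/etc/ssh" directory entry above)
        "/etc/ssh/ssh_host_ed25519_key"
        "/etc/ssh/ssh_host_ed25519_key.pub"
        "/etc/ssh/ssh_host_rsa_key"
        "/etc/ssh/ssh_host_rsa_key.pub"
        # # XXX these only need persistence because i have mutableUsers = true, i think
        # "/etc/group"
        # "/etc/passwd"
        # "/etc/shadow"
      ];
    };

    # secret decoding depends on /etc/ssh keys, which are persisted
    system.activationScripts.setupSecrets.deps = [ "persist-files" ];
    # `setupSecretsForUsers` should depend on `persist-files`,
    # but `persist-files` itself depends on `users`, so this would be circular.
    # we work around that by manually mounting the ssh host key.
    # strictly speaking, this makes the `setupSecrets -> persist-files` dep extraneous,
    # but it's a decent safety net in case something goes wrong.
    # system.activationScripts.setupSecretsForUsers.deps = [ "persist-files" ];
    system.activationScripts.setupSecretsForUsers = lib.mkIf secretsForUsers {
      deps = [ "persist-ssh-host-key" ];
    };

    system.activationScripts.persist-ssh-host-key = lib.mkIf secretsForUsers (
      let
        key = "/etc/ssh/ssh_host_ed25519_key";
        persisted = "/nix/persist${key}";
      in ''
        # activation runs on every switch, not just at boot. without the mountpoint guard
        # each run stacks one more bind mount on top of ${key}; with it the script is idempotent.
        if mountpoint -q ${key}; then
          :
        elif [ ! -f ${persisted} ]; then
          # a fresh deployment has no persisted key yet; say so instead of failing in `mount`
          echo "persist-ssh-host-key: ${persisted} does not exist; user secrets will not be decryptable" >&2
        else
          mkdir -p /etc/ssh
          # empty placeholder that only serves as the bind-mount target; the mounted file's
          # ownership and mode are those of ${persisted}
          touch ${key}
          mount -o bind ${persisted} ${key}
        fi
      ''
    );
  };
}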