persistence: split /var/log persistence into dedicated "initrd" store

hosts/common/persist.nix

@@ -5,9 +5,11 @@
   # store /home/colin/a/b in /mnt/persist/private/a/b instead of /mnt/persist/private/home/colin/a/b
   sane.persist.stores.private.prefix = "/home/colin";
 
+  sane.persist.sys.byStore.initrd = [
+    "/var/log"
+  ];
   sane.persist.sys.byStore.plaintext = [
     # TODO: these should be private.. somehow
-    "/var/log"
     "/var/backup"  # for e.g. postgres dumps
   ];
   sane.persist.sys.byStore.cryptClearOnBoot = [

modules/persist/stores/default.nix

@@ -3,6 +3,7 @@
 {
   imports = [
     ./crypt.nix
+    ./initrd.nix
     ./plaintext.nix
     ./private.nix
   ];

modules/persist/stores/initrd.nix

@@ -0,0 +1,13 @@
+# certain paths -- notable /var/log -- need to be mounted in the initrd.
+# this presents a "gotcha", in that we can't run any of our "prepare $directory" scripts before mounting it.
+#
+# N.B.: if /var/log fails to mount, ssh in and manually create its backing dir, then reboot.
+# it's that simple.
+# it should get created automatically during (stage-2) boot/activation, though.
+{ config, lib, ... }:
+lib.mkIf config.sane.persist.enable {
+  sane.persist.stores."initrd" = {
+    origin = lib.mkDefault "/nix/persist/initrd";
+    defaultMethod = "bind";
+  };
+}