fix "rescue" host to eval again

hosts/by-name/rescue/default.nix

@@ -6,7 +6,7 @@
 
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
-  sane.persist.enable = false;
+  sane.persist.enable = false;  # what we mean here is that the image is immutable; `/` is still tmpfs.
   sane.nixcache.enable = false;  # don't want to be calling out to dead machines that we're *trying* to rescue
 
   # auto-login at shell

hosts/common/home/fs.nix

@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, lib, ... }:
 {
   sane.user.persist.byStore.plaintext = [
     "archive"
@@ -29,14 +29,17 @@
   ];
 
   # convenience
-  sane.user.fs.".persist/private".symlink.target = config.sane.persist.stores.private.origin;
-  sane.user.fs.".persist/plaintext".symlink.target = config.sane.persist.stores.plaintext.origin;
-  sane.user.fs.".persist/ephemeral".symlink.target = config.sane.persist.stores.cryptClearOnBoot.origin;
+  sane.user.fs = let
+    persistEnabled = config.sane.persist.enable;
+  in {
+    ".persist/private" = lib.mkIf persistEnabled { symlink.target = config.sane.persist.stores.private.origin; };
+    ".persist/plaintext" = lib.mkIf persistEnabled { symlink.target = config.sane.persist.stores.plaintext.origin; };
+    ".persist/ephemeral" = lib.mkIf persistEnabled { symlink.target = config.sane.persist.stores.cryptClearOnBoot.origin; };
 
-  sane.user.fs."nixos".symlink.target = "dev/nixos";
+    "nixos".symlink.target = "dev/nixos";
 
-  sane.user.fs."Books/servo".symlink.target = "/mnt/servo/media/Books";
-  sane.user.fs."Videos/servo".symlink.target = "/mnt/servo/media/Videos";
-  # sane.user.fs."Music/servo".symlink.target = "/mnt/servo/media/Music";
-  sane.user.fs."Pictures/servo-macros".symlink.target = "/mnt/servo/media/Pictures/macros";
+    "Books/servo".symlink.target = "/mnt/servo/media/Books";
+    "Videos/servo".symlink.target = "/mnt/servo/media/Videos";
+    "Pictures/servo-macros".symlink.target = "/mnt/servo/media/Pictures/macros";
+  };
 }

hosts/common/programs/gnome-keyring/default.nix

@@ -28,7 +28,7 @@ in
 
     fs.".local/share/keyrings/default" = {
       file.text = "Default_keyring.keyring";  #< no trailing newline
-      wantedBy = [ config.sane.fs."${config.sane.persist.stores.private.origin}".unit ];
+      # wantedBy = [ config.sane.fs."${config.sane.persist.stores.private.origin}".unit ];
       wantedBeforeBy = [  #< don't create this as part of `multi-user.target`
         "gnome-keyring.service"  # TODO: sane.programs should declare this dependency for us
       ];
@@ -43,7 +43,7 @@ in
         lock-on-idle=false
         lock-after=false
       '';
-      wantedBy = [ config.sane.fs."${config.sane.persist.stores.private.origin}".unit ];
+      # wantedBy = [ config.sane.fs."${config.sane.persist.stores.private.origin}".unit ];
       wantedBeforeBy = [  #< don't create this as part of `multi-user.target`
         "gnome-keyring.service"
       ];

hosts/common/users/colin.nix

@@ -42,7 +42,7 @@
     # - <https://github.com/dnr/sample-nix-code/blob/03494480c1fae550c033aa54fd96aeb3827761c5/nixos/laptop.nix>
     pamMount = let
       priv = config.fileSystems."${config.sane.persist.stores.private.origin}";
-    in {
+    in lib.mkIf config.sane.persist.enable {
       fstype = priv.fsType;
       path = priv.device;
       mountpoint = priv.mountPoint;

modules/ssh.nix

@@ -71,9 +71,11 @@ in
     # N.B.: use the plaintext `backing` dir instead of proper persistence, because this needs to be available
     # during activation time (see /etc/machine-id and setupSecretsForUsers activation script).
     # TODO: this should go in the same dir as `/var/log`, then. i.e. `stores.initrd` (but rename to `stores.early`).
-    environment.etc."ssh/host_keys".source = let
+    environment.etc."ssh/host_keys" = let
       plaintextBacking = config.sane.fs."${config.sane.persist.stores.plaintext.origin}".mount.bind;
-    in "${plaintextBacking}/etc/ssh/host_keys";
+    in lib.mkIf config.sane.persist.enable {
+      source = "${plaintextBacking}/etc/ssh/host_keys";
+    };
 
     # let openssh find our host keys
     services.openssh.hostKeys = [