From fa131fe39f68a3c4faadb7b4d2bd370d4bfe1eb1 Mon Sep 17 00:00:00 2001
From: colin
Date: Mon, 20 Jun 2022 03:28:01 -0700
Subject: [PATCH] lappy: enable impermanence

it mostly went smooth, though i lost a .ssh key. probably the best upgrade process is to do most of the heavy work in the initrd: write the new nix config, notably, configuring a tmpfs / mount and moving the previous / to /nix. then boot and in the initrd, move all the `/nix/nix/...` items up a level.

---
 flake.lock | 16 +++++++++++++
 flake.nix | 5 +++--
 machines/lappy/default.nix | 1 +
 machines/lappy/fs.nix | 10 +++++++++
 modules/default.nix | 1 +
 modules/impermanence.nix | 46 ++++++++++++++++++++++++++++++++++++++
 6 files changed, 77 insertions(+), 2 deletions(-)
 create mode 100644 modules/impermanence.nix

diff --git a/flake.lock b/flake.lock
index a6148791..25f70799 100644
--- a/flake.lock
+++ b/flake.lock
@@ -21,6 +21,21 @@
 "type": "github"
 }
 },
+ "impermanence": {
+ "locked": {
+ "lastModified": 1646131459,
+ "narHash": "sha256-GPmgxvUFvQ1GmsGfWHy9+rcxWrczeDhS9XnAIPHi9XQ=",
+ "owner": "nix-community",
+ "repo": "impermanence",
+ "rev": "2f39baeb7d039fda5fc8225111bb79474138e6f4",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "impermanence",
+ "type": "github"
+ }
+ },
 "mobile-nixos": {
 "flake": false,
 "locked": {
@@ -118,6 +133,7 @@
 "root": {
 "inputs": {
 "home-manager": "home-manager",
+ "impermanence": "impermanence",
 "mobile-nixos": "mobile-nixos",
 "nixpkgs": "nixpkgs",
 "nurpkgs": "nurpkgs",
diff --git a/flake.nix b/flake.nix
index 2b59fa2f..2916f164 100644
--- a/flake.nix
+++ b/flake.nix 
@@ -16,9 +16,10 @@
 };
 nurpkgs.url = "github:nix-community/NUR";
 sops-nix.url = "github:Mic92/sops-nix";
+ impermanence.url = "github:nix-community/impermanence";
 };

- outputs = { self, nixpkgs, mobile-nixos, home-manager, nurpkgs, sops-nix }: {
+ outputs = { self, nixpkgs, mobile-nixos, home-manager, nurpkgs, sops-nix, impermanence }: {
 machines.servo = self.decl-bootable-machine { name = "servo"; system = "aarch64-linux"; };
 machines.desko = self.decl-bootable-machine { name = "desko"; system = "x86_64-linux"; };
 machines.lappy = self.decl-bootable-machine { name = "lappy"; system = "x86_64-linux"; };
@@ -68,7 +69,7 @@
 nixosSystem = import (patchedPkgs + "/nixos/lib/eval-config.nix");
 in (nixosSystem {
 inherit system;
- specialArgs = { inherit home-manager nurpkgs; };
+ specialArgs = { inherit home-manager nurpkgs impermanence; };
 modules = [
 ./modules
 ./machines/${name}
diff --git a/machines/lappy/default.nix b/machines/lappy/default.nix
index 51117d82..0cf2954d 100644
--- a/machines/lappy/default.nix
+++ b/machines/lappy/default.nix
@@ -5,6 +5,7 @@
 ];

 colinsane.gui.sway.enable = true;
+ colinsane.impermanence.enable = true;

 # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
 system.stateVersion = "21.05";
diff --git a/machines/lappy/fs.nix b/machines/lappy/fs.nix
index 91d9fa28..687afd16 100644
--- a/machines/lappy/fs.nix
+++ b/machines/lappy/fs.nix
@@ -2,6 +2,16 @@
 {

 fileSystems."/" = lib.mkDefault {
+ device = "none";
+ fsType = "tmpfs";
+ options = [
+ "mode=755"
+ "size=1G"
+ "defaults"
+ ];
+ };
+
+ fileSystems."/nix" = lib.mkDefault {
 device = "/dev/disk/by-uuid/75230e56-2c69-4e41-b03e-68475f119980";
 fsType = "btrfs";
 options = [
diff --git a/modules/default.nix b/modules/default.nix
index 8df82490..29c1b305 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -4,6 +4,7 @@
 imports = [
 ./gui
 ./hardware
+ ./impermanence.nix
 ./services/duplicity.nix
 ./universal
 ]; 
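Review bot: In the machines/lappy/fs.nix hunk the `"mode=755"` entry on the new tmpfs root is the only thing keeping `/` from coming up world-writable (tmpfs defaults to mode 1777), and nothing on the line says so, which makes it an easy casualty of a later cleanup; a comment such as `"mode=755" # tmpfs defaults to 1777; keep / root-owned and not writable by others` would pin the intent. Both mounts are wrapped in `lib.mkDefault`, so any other module that sets `fileSystems."/"` will quietly replace the tmpfs with a persistent root while `colinsane.impermanence.enable` stays on, turning the "only /nix/persist survives a reboot" assumption into something silent rather than enforced — consider a plain assignment for `/`, or at least a comment stating that it is deliberately overridable. The `options` list of the `fileSystems."/nix"` mount continues past the end of the hunk.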
diff --git a/modules/impermanence.nix b/modules/impermanence.nix
new file mode 100644
index 00000000..a849ae2d
--- /dev/null
+++ b/modules/impermanence.nix
@@ -0,0 +1,46 @@
+# borrows from:
+# https://xeiaso.net/blog/paranoid-nixos-2021-07-18
+# https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/
+# https://github.com/nix-community/impermanence
+{ lib, config, impermanence, ... }:
+
+with lib;
+let
+ cfg = config.colinsane.impermanence;
+in
+{
+ imports = [
+ impermanence.nixosModule
+ ];
+ options = {
+ colinsane.impermanence.enable = mkOption {
+ default = false;
+ type = types.bool;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ environment.persistence."/nix/persist" = {
+ directories = [
+ # TODO: more granular persistence of /home
+ "/home/colin"
+ "/etc/NetworkManager/system-connections"
+ "/etc/nixos"
+ "/etc/ssh"
+ # TODO: these individual files don't bind-mount. Xe shows the right way to handle files, i believe.
+ # "/etc/machine-id"
+ # # XXX these only need persistence because i have mutableUsers = true, i think
+ # "/etc/group"
+ # "/etc/passwd"
+ # "/etc/shadow"
+ # TODO: more granular persistence of /var/lib
+ "/var/lib"
+ "/var/log"
+ "/mnt"
+ # TODO: what even GOES in /srv?
+ "/srv"
+ ];
+ };
+ };
+}
+
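Review bot: The commented-out `/etc/passwd`, `/etc/group` and `/etc/shadow` entries leave the account database on the tmpfs `/etc`, so with the default `users.mutableUsers = true` any password set or changed with `passwd` survives only until the next boot, and the XXX note above them already identifies mutable users as the sole reason those files would need persisting. Rather than bind-mounting `/etc/shadow`, set `users.mutableUsers = false;` inside the `mkIf cfg.enable` block and declare each account's `hashedPassword` (or a `passwordFile` kept under the persisted tree), which makes the credential state reproducible and reviewable and lets the commented block go. `/etc/machine-id` is in the same situation, and the comment correctly notes that a directory bind mount cannot cover it; impermanence exposes a `files` list next to `directories` for exactly this, so `files = [ "/etc/machine-id" ];` would give journald a stable identity across boots, provided that option is present at the locked revision.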