diff --git a/configuration.nix b/configuration.nix index 9378fac..e944a61 100644 --- a/configuration.nix +++ b/configuration.nix @@ -13,6 +13,7 @@ imports = [ ./hardware.nix ./zfs.nix + ./impermanence.nix ./services/postgresql.nix ./services/jellyfin.nix @@ -97,6 +98,7 @@ initrd = { compressor = "zstd"; + supportedFilesystems = [ "f2fs" ]; }; loader.systemd-boot.enable = lib.mkForce false; @@ -284,7 +286,7 @@ ]; # TODO! use proper secrets management - # hashedPasswordFile = builtins.toString ./secrets/hashedPass; + hashedPassword = lib.strings.trim (builtins.readFile ./secrets/hashedPass); openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop @@ -339,7 +341,7 @@ # }; # systemd.tmpfiles.rules = [ - # "d /tank/music 775 ${username} users" + # "Z /tank/music 775 ${username} users" # ]; system.stateVersion = "24.11"; diff --git a/disk-config.nix b/disk-config.nix index 25580ff..9a487ca 100644 --- a/disk-config.nix +++ b/disk-config.nix @@ -15,17 +15,40 @@ mountpoint = "/boot"; }; }; - root = { + persistent = { + size = "20G"; + content = { + type = "filesystem"; + format = "f2fs"; + mountpoint = "/persistent"; + }; + }; + nix = { size = "100%"; content = { type = "filesystem"; format = "f2fs"; - mountpoint = "/"; + mountpoint = "/nix"; }; }; + }; }; }; }; + nodev = { + "/" = { + fsType = "tmpfs"; + mountOptions = [ + "defaults" + "size=2G" + "mode=755" + ]; + }; + }; }; + + fileSystems."/persistent".neededForBoot = true; + fileSystems."/nix".neededForBoot = true; + } diff --git a/flake.lock b/flake.lock index 32e1599..5b3b2f5 100644 --- a/flake.lock +++ b/flake.lock 
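Review bot: The new `hashedPassword = lib.strings.trim (builtins.readFile ./secrets/hashedPass);` line evaluates the hash into the system configuration, so it ends up in the world-readable Nix store (NixOS's activation script reads the users/groups spec from there) instead of only in `/etc/shadow`; the `./secrets/hashedPass` path literal also means the flake source, `secrets/` included, is copied into the store on every evaluation. Since this same commit adds a `/persistent` mount marked `neededForBoot`, the safer form is the file variant with a plain string path that is read only at activation and never copied to the store: `hashedPasswordFile = "/persistent/secrets/hashedPass";` with the file root-owned and 0600. That still leaves the `TODO! use proper secrets management` above it open — sops-nix or agenix would decrypt to a runtime path and feed `hashedPasswordFile` the same way — and the hash file should then be removed from the repository tree entirely. The enclosing `users.users` attribute set starts and ends outside this hunk.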
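Review bot: The tmpfs root under `nodev."/"` is mounted with only `defaults`, `size=2G` and `mode=755`; on NixOS the setuid wrappers live on their own `/run/wrappers` tmpfs and device nodes on devtmpfs, so the writable root — which now also carries `/tmp`, `/home` and `/root` unless they are mounted separately — can normally take `"nosuid"` and `"nodev"` as well: `mountOptions = [ "defaults" "size=2G" "mode=755" "nosuid" "nodev" ];`. Verify nothing else on the root tmpfs relies on setuid before switching, since I cannot see the rest of the mount layout from this hunk. Separately, `/persistent` and `/nix` are plain f2fs with no LUKS layer, which is unchanged from the old root partition but worth a conscious decision now that the SSH host keys and all persisted service state concentrate on the 20G `/persistent` volume.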
@@ -205,6 +205,21 @@ "type": "github" } }, + "impermanence": { + "locked": { + "lastModified": 1737831083, + "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=", + "owner": "nix-community", + "repo": "impermanence", + "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "impermanence", + "type": "github" + } + }, "lanzaboote": { "inputs": { "crane": "crane", @@ -238,11 +253,11 @@ ] }, "locked": { - "lastModified": 1759669067, - "narHash": "sha256-L0R8SAoVvZIGG8zH/7BDWFdgsISzViZJHzeimcIOIqY=", + "lastModified": 1759814657, + "narHash": "sha256-AZ8CPyyI4Nn9ietsOKu28zle5r0JiJrwOHy1m9sUmbM=", "owner": "ggml-org", "repo": "llama.cpp", - "rev": "ca71fb9b368e3db96e028f80c4c9df6b6b370edd", + "rev": "0123ff38f53d34752f29239a29d0e40a6dc4110f", "type": "github" }, "original": { @@ -291,11 +306,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1759580034, - "narHash": "sha256-YWo57PL7mGZU7D4WeKFMiW4ex/O6ZolUS6UNBHTZfkI=", + "lastModified": 1759735786, + "narHash": "sha256-a0+h02lyP2KwSNrZz4wLJTu9ikujNsTWIC874Bv7IJ0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3bcc93c5f7a4b30335d31f21e2f1281cba68c318", + "rev": "20c4598c84a671783f741e02bf05cbfaf4907cff", "type": "github" }, "original": { @@ -348,6 +363,7 @@ "deploy-rs": "deploy-rs", "disko": "disko", "home-manager": "home-manager", + "impermanence": "impermanence", "lanzaboote": "lanzaboote", "llamacpp": "llamacpp", "nix-minecraft": "nix-minecraft", diff --git a/flake.nix b/flake.nix index ee2a5db..ca52512 100644 --- a/flake.nix +++ b/flake.nix @@ -43,6 +43,10 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + impermanence = { + url = "github:nix-community/impermanence"; + }; + senior_project-website = { url = "github:Titaniumtown/senior-project-website"; flake = false; @@ -66,6 +70,7 @@ disko, srvos, deploy-rs, + impermanence, ... }@inputs: let 
@@ -196,6 +201,8 @@ disko.nixosModules.disko ./configuration.nix + impermanence.nixosModules.impermanence + vpn-confinement.nixosModules.default # get nix-minecraft working! diff --git a/impermanence.nix b/impermanence.nix new file mode 100644 index 0000000..112b9cb --- /dev/null +++ b/impermanence.nix @@ -0,0 +1,52 @@ +{ + config, + lib, + pkgs, + username, + service_configs, + ... +}: +{ + environment.persistence."/persistent" = { + hideMounts = true; + directories = [ + "/var/log" + "/var/lib/systemd/coredump" + "/var/lib/nixos" + + "/var/lib/systemd/timers" + ]; + + files = [ + # SSH host keys + "/etc/ssh/ssh_host_ed25519_key" + "/etc/ssh/ssh_host_ed25519_key.pub" + "/etc/ssh/ssh_host_rsa_key" + "/etc/ssh/ssh_host_rsa_key.pub" + + # Machine ID + "/etc/machine-id" + + # ZFS cache + "/etc/zfs/zpool.cache" + ]; + + users.${username} = { + files = [ + ".local/share/fish/fish_history" + ]; + }; + + users.root = { + home = "/root"; + + files = [ + ".local/share/fish/fish_history" + ]; + }; + }; + + systemd.tmpfiles.rules = [ + "d /etc 755 root" + ]; +} diff --git a/services/bitwarden.nix b/services/bitwarden.nix index 59f8f3c..67d41bc 100644 --- a/services/bitwarden.nix +++ b/services/bitwarden.nix @@ -42,7 +42,7 @@ ''; systemd.tmpfiles.rules = [ - "d ${service_configs.vaultwarden.path} 0700 vaultwarden vaultwarden" - "d ${config.services.vaultwarden.backupDir} 0700 vaultwarden vaultwarden" + "Z ${service_configs.vaultwarden.path} 0700 vaultwarden vaultwarden" + "Z ${config.services.vaultwarden.backupDir} 0700 vaultwarden vaultwarden" ]; } diff --git a/services/gitea.nix b/services/gitea.nix index 040072d..38cfc78 100644 --- a/services/gitea.nix +++ b/services/gitea.nix 
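Review bot: The persisted set in `environment.persistence."/persistent".directories` omits state the rest of this commit depends on: `services/matrix.nix` uses `/var/lib/private/matrix-conduit`, and the Caddy virtual hosts in services/owntracks.nix and services/qbittorrent.nix imply Caddy's `/var/lib/caddy` (ACME account key and issued certificates), neither of which appears here. With `/` on tmpfs after this commit, anything under `/var/lib` that is neither listed nor relocated to /tank vanishes on reboot — for Caddy that means re-issuing every certificate on each boot until the CA rate-limits the domain. Unless those paths are overridden elsewhere (not visible in this diff), add `"/var/lib/caddy"` and `{ directory = "/var/lib/private"; mode = "0700"; }` (systemd expects that parent to be root-only) and audit every other service's default `/var/lib/<name>` state directory the same way. Persisting `/var/lib/systemd/coredump` also deserves a second look: dumps of vaultwarden, conduit or postgres carry decrypted secrets from process memory and would now survive reboots on the unencrypted `/persistent` partition, so either drop it from the list or set `systemd.coredump.extraConfig = "Storage=none";`. `/var/lib/systemd/random-seed` is not persisted either, so the boot entropy seed is not carried across reboots.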
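Review bot: `Z` does not create the directory the way the replaced `d` lines did, and after this commit the root filesystem is a tmpfs, so if `service_configs.vaultwarden.path` or `services.vaultwarden.backupDir` resolve under `/var/lib` (not visible here) rather than `/tank`, the vault data and backups are gone after a reboot and these rules do nothing useful on the missing path instead of recreating it. If both paths are on persistent storage the rules work, but `Z` with a bare `0700` also applies that mode to every regular file in the tree (the database, attachments, backup archives), giving them owner-execute; per tmpfiles.d(5) the `~` prefix masks exec bits off files that did not have them, e.g. `Z ${service_configs.vaultwarden.path} ~0700 vaultwarden vaultwarden`. Keeping a `d` line alongside for creation is the cheap way to get both behaviours.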
@@ -45,7 +45,7 @@ systemd.tmpfiles.rules = [ # 0700 for ssh permission reasons - "d ${config.services.gitea.stateDir} 0700 ${config.services.gitea.user} ${config.services.gitea.group}" + "Z ${config.services.gitea.stateDir} 0700 ${config.services.gitea.user} ${config.services.gitea.group}" ]; services.postgresql = { diff --git a/services/immich.nix b/services/immich.nix index ad2df48..cd0c863 100644 --- a/services/immich.nix +++ b/services/immich.nix @@ -30,7 +30,7 @@ ''; systemd.tmpfiles.rules = [ - "d ${config.services.immich.mediaLocation} 0770 ${config.services.immich.user} ${config.services.immich.group}" + "Z ${config.services.immich.mediaLocation} 0770 ${config.services.immich.user} ${config.services.immich.group}" ]; environment.systemPackages = with pkgs; [ diff --git a/services/jellyfin.nix b/services/jellyfin.nix index fedf687..4e715e9 100644 --- a/services/jellyfin.nix +++ b/services/jellyfin.nix @@ -32,8 +32,8 @@ ''; systemd.tmpfiles.rules = [ - "d ${config.services.jellyfin.dataDir} 0700 ${config.services.jellyfin.user} ${config.services.jellyfin.group}" - "d ${config.services.jellyfin.cacheDir} 0700 ${config.services.jellyfin.user} ${config.services.jellyfin.group}" + "Z ${config.services.jellyfin.dataDir} 0700 ${config.services.jellyfin.user} ${config.services.jellyfin.group}" + "Z ${config.services.jellyfin.cacheDir} 0700 ${config.services.jellyfin.user} ${config.services.jellyfin.group}" ]; users.users.${config.services.jellyfin.user}.extraGroups = [ diff --git a/services/matrix.nix b/services/matrix.nix index 88d1e56..dee5cb4 100644 --- a/services/matrix.nix +++ b/services/matrix.nix @@ -50,7 +50,7 @@ }; systemd.tmpfiles.rules = [ - "d /var/lib/private/matrix-conduit 0770 conduit conduit" + "Z /var/lib/private/matrix-conduit 0770 conduit conduit" ]; # for federation diff --git a/services/minecraft.nix b/services/minecraft.nix index d8eb700..274d3c2 100644 --- a/services/minecraft.nix +++ b/services/minecraft.nix 
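Review bot: The `Z` rule pushes `0700` onto every file beneath `services.gitea.stateDir`, not just the directory the `# 0700 for ssh permission reasons` comment justifies: repository objects, `custom/conf/app.ini` and the `.ssh/authorized_keys` gitea maintains all gain owner-execute, while git hooks keep their bit only because the same mode happens to include it. Use the mask form, `Z ${config.services.gitea.stateDir} ~0700 ${config.services.gitea.user} ${config.services.gitea.group}`, so existing non-executable files stay non-executable and hooks keep theirs. As with the other services in this commit, `Z` no longer creates the directory, so confirm stateDir is on persistent storage now that `/` is a tmpfs; the enclosing module continues past the hunk (`services.postgresql = {` is cut off).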
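Review bot: `Z ... 0770` on `services.immich.mediaLocation` is a recursive chown/chmod of the entire photo library on every boot and on every `nixos-rebuild switch` (NixOS runs `systemd-tmpfiles --create` during activation), which is slow on a large tree and marks every uploaded image and video executable for owner and group. If only the top-level directory needs fixing, the non-recursive `z ${config.services.immich.mediaLocation} 0770 ${config.services.immich.user} ${config.services.immich.group}` does that; if the recursion is wanted, mask the exec bits with `~0770`. Note also that `Z` does not create the directory if it is missing, which `d` did.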
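Review bot: `/var/lib/private/matrix-conduit` sits on the root filesystem, which this commit turns into a tmpfs, and it is not in the list persisted by the new impermanence.nix, so unless conduit's database directory is configured elsewhere (not visible here) the Matrix state is lost on every reboot — and the `Z` rule, unlike the old `d`, will not recreate the directory either. Persist it through impermanence (its parent `/var/lib/private` must stay root-owned 0700 for systemd's DynamicUser handling) rather than relying on this rule. Separately, `0770` with `Z` is recursive and sets the exec bit on the database files inside; `Z /var/lib/private/matrix-conduit ~0770 conduit conduit` avoids that.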
@@ -142,7 +142,7 @@ }; systemd.tmpfiles.rules = [ - "d ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name} 700 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}" - "d ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name}/squaremap/web 750 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}" + "Z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name} 700 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}" + "Z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name}/squaremap/web 750 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}" ]; } diff --git a/services/owntracks.nix b/services/owntracks.nix index 0b59d51..b5734ac 100644 --- a/services/owntracks.nix +++ b/services/owntracks.nix @@ -32,7 +32,7 @@ in }; systemd.tmpfiles.rules = [ - "d ${service_configs.owntracks.data_dir} 0770 owntracks owntracks" + "Z ${service_configs.owntracks.data_dir} 0770 owntracks owntracks" ]; services.caddy.virtualHosts."owntracks.${service_configs.https.domain}".extraConfig = '' diff --git a/services/postgresql.nix b/services/postgresql.nix index 5a2207a..bab8ef9 100644 --- a/services/postgresql.nix +++ b/services/postgresql.nix @@ -20,7 +20,7 @@ systemd.tmpfiles.rules = [ # postgresql requires 0700 - "d ${config.services.postgresql.dataDir} 0700 postgresql postgresql" + "Z ${config.services.postgresql.dataDir} 0700 postgresql postgresql" ]; users.users.${username}.extraGroups = [ diff --git a/services/qbittorrent.nix b/services/qbittorrent.nix index 71cd7ef..f1e36ad 100644 --- a/services/qbittorrent.nix +++ b/services/qbittorrent.nix 
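Review bot: The `# postgresql requires 0700` comment holds for the data directory itself, but `Z` now applies `0700` recursively to every heap, WAL and config file inside the cluster on each boot and activation, giving them exec bits; `Z ${config.services.postgresql.dataDir} ~0700 postgresql postgresql` (or the non-recursive `z`) keeps the required mode on the directory without rewriting file modes. More importantly, `services.postgresql.dataDir` defaults to `/var/lib/postgresql/<version>`, which after this commit is on the tmpfs root and is not persisted by impermanence.nix; unless it is overridden to /tank elsewhere (not visible), the NixOS module's preStart will see no `PG_VERSION` and run `initdb` on an empty cluster at every boot, which is silent data loss for everything using this database (services/gitea.nix configures `services.postgresql` in this same commit). Persist the directory or relocate dataDir before switching to this configuration.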
@@ -208,9 +208,9 @@ }; systemd.tmpfiles.rules = [ - "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0750 ${config.services.qbittorrent.user} ${service_configs.media_group}" - "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0700 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}" - "d ${config.services.qbittorrent.profileDir} 0700 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}" + "Z ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0750 ${config.services.qbittorrent.user} ${service_configs.media_group}" + "Z ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0700 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}" + "Z ${config.services.qbittorrent.profileDir} 0700 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}" ]; services.caddy.virtualHosts."torrent.${service_configs.https.domain}".extraConfig = '' diff --git a/services/soulseek.nix b/services/soulseek.nix index 72536e7..b6c42c6 100644 --- a/services/soulseek.nix +++ b/services/soulseek.nix @@ -68,10 +68,10 @@ in users.users.${username}.extraGroups = [ "music" ]; systemd.tmpfiles.rules = [ - "d ${service_configs.music_dir} 0750 ${username} music" - "d ${service_configs.slskd.base} 0750 ${config.services.slskd.user} ${config.services.slskd.group}" - "d ${service_configs.slskd.downloads} 0750 ${config.services.slskd.user} music" - "d ${service_configs.slskd.incomplete} 0750 ${config.services.slskd.user} music" + "Z ${service_configs.music_dir} 0750 ${username} music" + "Z ${service_configs.slskd.base} 0750 ${config.services.slskd.user} ${config.services.slskd.group}" + "Z ${service_configs.slskd.downloads} 0750 ${config.services.slskd.user} music" + "Z ${service_configs.slskd.incomplete} 0750 ${config.services.slskd.user} music" ]; # doesn't work with auth????
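Review bot: `Z ... 0750` on `Preferences.Downloads.SavePath` is a recursive chown/chmod over the whole downloads tree at every boot and activation, and because `Z` without the `~` mask applies the full mode to regular files, every torrent payload becomes executable for the owner and the `media_group` — the wrong direction for untrusted content pulled from the swarm. Use `Z ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} ~0750 ${config.services.qbittorrent.user} ${service_configs.media_group}` (or the non-recursive `z`) so downloads stay 0640, and apply the same `~` to the `TempPath` and `profileDir` lines. `Z` also no longer creates any of these directories, so `profileDir` in particular (qbittorrent's configuration and session state) must already exist on persistent storage now that `/` is a tmpfs.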
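Review bot: `Z ${service_configs.music_dir} 0750 ${username} music` recursively re-owns and re-modes the entire music library to `${username}` on every boot and activation, which both marks every audio file executable (no `~` mask) and silently takes ownership of anything another writer dropped there; the next three `Z` lines do the same for slskd's own trees, over files fetched from untrusted peers. Prefer `~0750` on all four lines, or the non-recursive `z` if only the top-level directories need their mode fixed. `Z` does not create missing directories, so `service_configs.slskd.base` and the download directories must already exist on persistent storage rather than the new tmpfs root; the `let … in` that encloses this attribute set starts above the hunk.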