diff --git a/configuration.nix b/configuration.nix
index 9378fac..5614204 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -13,6 +13,7 @@
 imports = [
 ./hardware.nix
 ./zfs.nix
+ ./impermanence.nix
 ./services/postgresql.nix
 ./services/jellyfin.nix
@@ -97,6 +98,7 @@
 initrd = {
 compressor = "zstd";
+ supportedFilesystems = [ "f2fs" ];
 };
 loader.systemd-boot.enable = lib.mkForce false;
@@ -119,6 +121,14 @@
 chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
 chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
 '';
+
+ # ensure persistent directories exist
+ "persistent-dirs".text = ''
+ mkdir -p /persistent/etc/ssh
+ mkdir -p /persistent/var/lib
+ mkdir -p /persistent/etc/nixos
+ mkdir -p /persistent/var/log
+ '';
 };
 environment.etc = {
diff --git a/disk-config.nix b/disk-config.nix
index 25580ff..63acb14 100644
--- a/disk-config.nix
+++ b/disk-config.nix
@@ -15,17 +15,29 @@
 mountpoint = "/boot";
 };
 };
- root = {
+ persistent = {
 size = "100%";
 content = {
 type = "filesystem";
 format = "f2fs";
- mountpoint = "/";
+ mountpoint = "/persistent";
 };
 };
 };
 };
 };
 };
+ nodev = {
+ "/" = {
+ fsType = "tmpfs";
+ mountOptions = [
+ "defaults"
+ "size=2G"
+ "mode=755"
+ ];
+ };
+ };
 };
+
+ fileSystems."/persistent".neededForBoot = true;
 }
diff --git a/flake.lock b/flake.lock
index 32e1599..373f2e7 100644
--- a/flake.lock
+++ b/flake.lock
@@ -205,6 +205,21 @@
 "type": "github"
 }
 },
+ "impermanence": {
+ "locked": {
+ "lastModified": 1737831083,
+ "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
+ "owner": "nix-community",
+ "repo": "impermanence",
+ "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "impermanence",
+ "type": "github"
+ }
+ },
 "lanzaboote": {
 "inputs": {
 "crane": "crane",
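Review bot: The new `persistent-dirs` activation script duplicates work the impermanence module does itself — it creates the source directory under `/persistent` for every persisted path — and nothing visible here orders this script relative to the module's own mounts, so it is either redundant or runs after the mounts it is meant to prepare. If it is kept to seed a fresh install, give the directories explicit modes instead of inheriting the activation script's umask, e.g. `mkdir -p -m 0755 /persistent/etc/ssh`, and replace the comment with one that says which first-boot case it covers and that the module normally handles this. The enclosing attribute set (presumably `system.activationScripts`) starts outside the hunk.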
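Review bot: With `/` now a 2G tmpfs, every write that lands outside a persisted path — `/tmp`, `/var/tmp`, service working directories, and `/nix` unless it is mounted from elsewhere — consumes RAM and fails with ENOSPC once the 2G is used up, which is an availability risk on a host running PostgreSQL and Jellyfin. The hunk does not show where `/nix` lives; if it is on the ZFS pool from `zfs.nix` that is fine, otherwise it needs a `fileSystems."/nix"` entry (bind or separate dataset) on persistent storage, because a store inside a 2G tmpfs will not survive a rebuild. A comment on `size=2G` would make the constraint visible to the next editor, e.g. `# root is volatile: only /persistent survives a reboot, everything else must fit in 2G of RAM`.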
@@ -348,6 +363,7 @@
 "deploy-rs": "deploy-rs",
 "disko": "disko",
 "home-manager": "home-manager",
+ "impermanence": "impermanence",
 "lanzaboote": "lanzaboote",
 "llamacpp": "llamacpp",
 "nix-minecraft": "nix-minecraft",
diff --git a/flake.nix b/flake.nix
index ee2a5db..ca52512 100644
--- a/flake.nix
+++ b/flake.nix
@@ -43,6 +43,10 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ impermanence = {
+ url = "github:nix-community/impermanence";
+ };
+
 senior_project-website = {
 url = "github:Titaniumtown/senior-project-website";
 flake = false;
@@ -66,6 +70,7 @@
 disko,
 srvos,
 deploy-rs,
+ impermanence,
 ...
 }@inputs:
 let
@@ -196,6 +201,8 @@
 disko.nixosModules.disko
 ./configuration.nix
+ impermanence.nixosModules.impermanence
+
 vpn-confinement.nixosModules.default
 # get nix-minecraft working!
diff --git a/impermanence.nix b/impermanence.nix
new file mode 100644
index 0000000..6406d95
--- /dev/null
+++ b/impermanence.nix
@@ -0,0 +1,57 @@
+ {
+ config,
+ lib,
+ pkgs,
+ username,
+ service_configs,
+ ...
+ }:
+ {
+ environment.persistence."/persistent" = {
+ hideMounts = true;
+ directories = [
+ # System directories
+ "/etc/nixos"
+ "/var/log"
+ "/var/lib/nixos"
+ "/var/lib/systemd/coredump"
+ "/etc/NetworkManager/system-connections"
+ "/etc/ssh"
+
+ # Wireguard
+ "/etc/wireguard"
+
+ # Systemd persistent timers and state
+ "/var/lib/systemd/timers"
+ ];
+
+ files = [
+ # SSH host keys
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ "/etc/ssh/ssh_host_rsa_key"
+ "/etc/ssh/ssh_host_rsa_key.pub"
+
+ # Machine ID
+ "/etc/machine-id"
+
+ # ZFS cache
+ "/etc/zfs/zpool.cache"
+ ];
+
+ users.${username} = {
+ directories = [
+ ".ssh"
+ ".config/fish"
+ ".local/share/fish"
+ ".cache"
+ ".config/helix"
+ ];
+
+ files = [
+ ".bash_history"
+ ];
+ };
+ };
+
+ }
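Review bot: `/etc/ssh` is listed under `directories` while the four host-key files inside it are also listed under `files`; the directory entry already makes all of `/etc/ssh` persistent, so the file entries are redundant and, if I recall the module correctly, may trip it up at activation when it bind-mounts a file onto a path the directory mount already provides — keep one form, and say in the `# SSH host keys` comment which one carries the keys. Nothing here persists state for the services imported in `configuration.nix` (`/var/lib/postgresql` and `/var/lib/jellyfin` by default); unless their data directories already live on the ZFS pool, that data is lost on every reboot now that `/` is tmpfs. Persisting `/var/lib/systemd/coredump` keeps process memory dumps, which can contain key material, across reboots; if that is intended for debugging, make sure `systemd.coredump` retention limits apply, otherwise drop the entry. `config`, `lib`, `pkgs` and `service_configs` are bound in the module arguments but never used; trimming the header to `{ username, ... }:` makes the module's real dependencies obvious.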