impermanence

configuration.nix

@@ -13,6 +13,7 @@
   imports = [
     ./hardware.nix
     ./zfs.nix
+    ./impermanence.nix
 
     ./services/postgresql.nix
     ./services/jellyfin.nix
@@ -97,6 +98,7 @@
 
     initrd = {
       compressor = "zstd";
+      supportedFilesystems = [ "f2fs" ];
     };
 
     loader.systemd-boot.enable = lib.mkForce false;
@@ -119,6 +121,14 @@
       chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
       chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
     '';
+
+    # ensure persistent directories exist
+    "persistent-dirs".text = ''
+      mkdir -p /persistent/etc/ssh
+      mkdir -p /persistent/var/lib
+      mkdir -p /persistent/etc/nixos
+      mkdir -p /persistent/var/log
+    '';
   };
 
   environment.etc = {

disk-config.nix

@@ -15,17 +15,29 @@
                 mountpoint = "/boot";
               };
             };
-            root = {
+            persistent = {
               size = "100%";
               content = {
                 type = "filesystem";
                 format = "f2fs";
-                mountpoint = "/";
+                mountpoint = "/persistent";
               };
             };
           };
         };
       };
     };
+    nodev = {
+      "/" = {
+        fsType = "tmpfs";
+        mountOptions = [
+          "defaults"
+          "size=2G"
+          "mode=755"
+        ];
       };
+    };
+  };
+
+  fileSystems."/persistent".neededForBoot = true;
 }

flake.lock

@@ -205,6 +205,21 @@
         "type": "github"
       }
     },
+    "impermanence": {
+      "locked": {
+        "lastModified": 1737831083,
+        "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "type": "github"
+      }
+    },
     "lanzaboote": {
       "inputs": {
         "crane": "crane",
@@ -348,6 +363,7 @@
         "deploy-rs": "deploy-rs",
         "disko": "disko",
         "home-manager": "home-manager",
+        "impermanence": "impermanence",
         "lanzaboote": "lanzaboote",
         "llamacpp": "llamacpp",
         "nix-minecraft": "nix-minecraft",

flake.nix

@@ -43,6 +43,10 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    impermanence = {
+      url = "github:nix-community/impermanence";
+    };
+
     senior_project-website = {
       url = "github:Titaniumtown/senior-project-website";
       flake = false;
@@ -66,6 +70,7 @@
       disko,
       srvos,
       deploy-rs,
+      impermanence,
       ...
     }@inputs:
     let
@@ -196,6 +201,8 @@
           disko.nixosModules.disko
           ./configuration.nix
 
+          impermanence.nixosModules.impermanence
+
           vpn-confinement.nixosModules.default
 
           # get nix-minecraft working!

impermanence.nix

@@ -0,0 +1,57 @@
+{
+  config,
+  lib,
+  pkgs,
+  username,
+  service_configs,
+  ...
+}:
+{
+  environment.persistence."/persistent" = {
+    hideMounts = true;
+    directories = [
+      # System directories
+      "/etc/nixos"
+      "/var/log"
+      "/var/lib/nixos"
+      "/var/lib/systemd/coredump"
+      "/etc/NetworkManager/system-connections"
+      "/etc/ssh"
+
+      # Wireguard
+      "/etc/wireguard"
+
+      # Systemd persistent timers and state
+      "/var/lib/systemd/timers"
+    ];
+
+    files = [
+      # SSH host keys
+      "/etc/ssh/ssh_host_ed25519_key"
+      "/etc/ssh/ssh_host_ed25519_key.pub"
+      "/etc/ssh/ssh_host_rsa_key"
+      "/etc/ssh/ssh_host_rsa_key.pub"
+
+      # Machine ID
+      "/etc/machine-id"
+
+      # ZFS cache
+      "/etc/zfs/zpool.cache"
+    ];
+
+    users.${username} = {
+      directories = [
+        ".ssh"
+        ".config/fish"
+        ".local/share/fish"
+        ".cache"
+        ".config/helix"
+      ];
+
+      files = [
+        ".bash_history"
+      ];
+    };
+  };
+
+}