chore: add separate /state directory for reboot-persistent non-backuped state

2025-10-10 23:00:39 +02:00 · 2023-06-03 17:50:54 +02:00 · 2023-06-03 17:50:54 +02:00 · b0e9978ead
commit b0e9978ead
parent ba1932d2ef
3 changed files with 54 additions and 44 deletions
--- a/hosts/common/core/impermanence.nix
+++ b/hosts/common/core/impermanence.nix
@ -3,21 +3,46 @@
  lib,
  ...
 }: {
-  # State that should be kept across reboots, but is otherwise
-  # NOT important information in any way that needs to be backed up.
-  #environment.persistence."/local" = {
-  # with new dataset   --> ^-- , or without v--
-  #environment.persistence."/nix/state" = {
-  #  hideMounts = true;
-  #  files = [
-  #  ];
-  #  directories = [
-  #  ];
-  #};
-
  # Give agenix access to the hostkey independent of impermanence activation
  age.identityPaths = ["/persist/etc/ssh/ssh_host_ed25519_key"];

+  # State that should be kept across reboots, but is otherwise
+  # NOT important information in any way that needs to be backed up.
+  environment.persistence."/state" = {
+    hideMounts = true;
+    directories =
+      [
+        {
+          directory = "/var/lib/systemd";
+          user = "root";
+          group = "root";
+          mode = "0755";
+        }
+        {
+          directory = "/var/log";
+          user = "root";
+          group = "root";
+          mode = "0755";
+        }
+        #{ directory = "/tmp"; user = "root"; group = "root"; mode = "1777"; }
+        #{ directory = "/var/tmp"; user = "root"; group = "root"; mode = "1777"; }
+        {
+          directory = "/var/spool";
+          user = "root";
+          group = "root";
+          mode = "0755";
+        }
+      ]
+      ++ lib.optionals config.networking.wireless.iwd.enable [
+        {
+          directory = "/var/lib/iwd";
+          user = "root";
+          group = "root";
+          mode = "0700";
+        }
+      ];
+  };
+
  # State that should be kept forever, and backed up accordingly.
  environment.persistence."/persist" = {
    hideMounts = true;
@ -34,37 +59,6 @@
          group = "root";
          mode = "0755";
        }
-        # TODO only persist across reboots, don't backup, once loki is used
-        {
-          directory = "/var/lib/systemd";
-          user = "root";
-          group = "root";
-          mode = "0755";
-        }
-        # TODO only persist across reboots, don't backup, once loki is used
-        {
-          directory = "/var/log";
-          user = "root";
-          group = "root";
-          mode = "0755";
-        }
-        #{ directory = "/tmp"; user = "root"; group = "root"; mode = "1777"; }
-        #{ directory = "/var/tmp"; user = "root"; group = "root"; mode = "1777"; }
-        # TODO only persist across reboots, don't backup, once loki is used
-        {
-          directory = "/var/spool";
-          user = "root";
-          group = "root";
-          mode = "0777";
-        }
-      ]
-      ++ lib.optionals config.networking.wireless.iwd.enable [
-        {
-          directory = "/var/lib/iwd";
-          user = "root";
-          group = "root";
-          mode = "0700";
-        }
      ]
      ++ lib.optionals config.security.acme.acceptTerms [
        {
@ -100,12 +94,20 @@
      ]
      ++ lib.optionals config.services.gitea.enable [
        {
-          directory = "/var/lib/gitea";
+          directory = config.services.gitea.stateDir;
          user = "gitea";
          group = "gitea";
          mode = "0700";
        }
      ]
+      ++ lib.optionals config.services.loki.enable [
+        {
+          directory = "/var/lib/loki";
+          user = "loki";
+          group = "loki";
+          mode = "0700";
+        }
+      ]
      ++ lib.optionals config.services.grafana.enable [
        {
          directory = config.services.grafana.dataDir;
--- a/hosts/sentinel/fs.nix
+++ b/hosts/sentinel/fs.nix
@ -32,6 +32,7 @@
                postCreateHook = "zfs snapshot rpool/local/root@blank";
              };
            "local/nix" = filesystem "/nix";
+            "local/state" = filesystem "/state";
            "safe" = unmountable;
            "safe/persist" = filesystem "/persist";
          };
@ -41,6 +42,9 @@

  boot.loader.grub.devices = ["/dev/disk/by-id/${config.repo.secrets.local.disk.main}"];
  boot.initrd.luks.devices.enc-rpool.allowDiscards = true;
+  # TODO remove once this is upstreamed
+  boot.initrd.systemd.services."zfs-import-rpool".after = ["cryptsetup.target"];
+  fileSystems."/state".neededForBoot = true;
  fileSystems."/persist".neededForBoot = true;

  # After importing the rpool, rollback the root system to be empty.
--- a/hosts/ward/fs.nix
+++ b/hosts/ward/fs.nix
@ -33,6 +33,7 @@
                postCreateHook = "zfs snapshot rpool/local/root@blank";
              };
            "local/nix" = filesystem "/nix";
+            "local/state" = filesystem "/state";
            "safe" = unmountable;
            "safe/persist" = filesystem "/persist";
            "safe/vms" = unmountable;
@ -41,6 +42,9 @@
    };
  };

+  # TODO remove once this is upstreamed
+  boot.initrd.systemd.services."zfs-import-rpool".after = ["cryptsetup.target"];
+  fileSystems."/state".neededForBoot = true;
  fileSystems."/persist".neededForBoot = true;

  # After importing the rpool, rollback the root system to be empty.