feat: enable impermanence

README.md

@@ -16,7 +16,6 @@ This is my personal nix config.
 	  - `secrets.nix.age` Repository-wide local secrets. Decrypted on import via `builtins.extraBuiltins.rageImportEncrypted`.
 	  - `host.pub` This host's public key. Used for agenix rekeying.
 	- `default.nix` The actual system definition. Follow the imports from there to see what it entails.
-	- `meta.nix` Determines the type and architecture of this system, and some other optional meta information. Used e.g. by `nix/colmena.nix` to know which hosts are real NixOS hosts, and which are VMs or some other type.
 	- `fs.nix` Filesystem setup.
 	- `net.nix` Networking setup.
   - `nom/` - My laptop and main development machine
@@ -54,8 +53,8 @@ This is my personal nix config.
 
 ... incomplete.
 
-- add hosts/<name>
+- add <name> to `hosts` in `flake.nix`
-- fill meta.nix
+- create hosts/<name>
 - fill net.nix
 - fill fs.nix (you need to know the device by-id paths in advance for formatting to work!)
 - generate-initrd-keys

flake.lock

@@ -28,11 +28,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1682072804,
+        "lastModified": 1682854491,
-        "narHash": "sha256-Y7Q7dUXzEwIxZ0a2iTDF7e/hv4GFmn7ejfSr5JWSPCI=",
+        "narHash": "sha256-xFTgMA+whHZyRAAN6EQUX0gMAjSGi44+sFbIPOXVShw=",
         "owner": "oddlama",
         "repo": "agenix-rekey",
-        "rev": "d00eaa5c9bb71a0858fe7fd4a148445a428b311c",
+        "rev": "7096bf1e2acdbf8c6e8dda6f452d06d9d72fb3a7",
         "type": "github"
       },
       "original": {
@@ -116,11 +116,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1682802069,
+        "lastModified": 1682856014,
-        "narHash": "sha256-hctikxnF3AvHckQqzNa/4YLHbNNrdC733VsTZPWeyTo=",
+        "narHash": "sha256-QkjneK3DH68IsEf2VnTkMesjsyHsVeVlr6TFxp97uIw=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "c917cb9cdb621f3b60a7ccc77729cab52250da81",
+        "rev": "8b43938cf77bbeddec127a5398b5dba3578c4290",
         "type": "github"
       },
       "original": {
@@ -257,11 +257,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1682097095,
+        "lastModified": 1682817142,
-        "narHash": "sha256-ecIKDVpayjIDEdxWCSHmG4yJQ21/nKZkhFNlLzwttWU=",
+        "narHash": "sha256-mkKUFwQq8Sgw+p82K5SoWO6lODFeJcr+SpzH3+Utye0=",
         "owner": "astro",
         "repo": "microvm.nix",
-        "rev": "b2627f159e8b54e4f6af7edc88b64fa3736819c9",
+        "rev": "15fb183b412619d27db227dcbaf959c63bdaba09",
         "type": "github"
       },
       "original": {
@@ -308,11 +308,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1680876084,
+        "lastModified": 1682836095,
-        "narHash": "sha256-eP9yxP0wc7XuVaODugh+ajgbFGaile2O1ihxiLxOuvU=",
+        "narHash": "sha256-PdzpJhuXBz71AgWNWMMYLbB8GMMce6QguhQY/6HOOcc=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "3006d2860a6ed5e01b0c3e7ffb730e9b293116e2",
+        "rev": "e4a21ddcb45ee5f5c85a5d9e9698debf77fb98c3",
         "type": "github"
       },
       "original": {

hosts/common/core/default.nix

@@ -8,6 +8,7 @@
 }: {
   imports = [
     ./inputrc.nix
+    ./impermanence.nix
     ./issue.nix
     ./net.nix
     ./nix.nix

hosts/common/core/impermanence.nix

@@ -0,0 +1,28 @@
+{
+  # State that should be kept across reboots, but is otherwise
+  # NOT important information in any way that needs to be backed up.
+  #environment.persistence."/nix/state" = {
+  #  hideMounts = true;
+  #  files = [
+  #    "/etc/machine-id"
+  #    "/etc/ssh/ssh_host_ed25519_key"
+  #    "/etc/ssh/ssh_host_ed25519_key.pub"
+  #  ];
+  #  directories = [
+  #    "/var/log"
+  #  ];
+  #};
+
+  # State that should be kept forever, and backed up accordingly.
+  environment.persistence."/persist" = {
+    hideMounts = true;
+    files = [
+      "/etc/machine-id"
+      "/etc/ssh/ssh_host_ed25519_key"
+      "/etc/ssh/ssh_host_ed25519_key.pub"
+    ];
+    directories = [
+      "/var/log"
+    ];
+  };
+}

hosts/ward/fs.nix

@@ -1,4 +1,5 @@
 {
+  lib,
   extraLib,
   nodeSecrets,
   pkgs,
@@ -39,6 +40,8 @@
     };
   };
 
+  fileSystems."/persist".neededForBoot = true;
+
   #environment.persistence."/persist".directories = [
   #  { directory = "/var/lib/acme"; user = "acme"; group = "acme"; }
   #];

nix/generate-node.nix

@@ -5,7 +5,7 @@
   colmena,
   disko,
   home-manager,
-  #impermanence,
+  impermanence,
   microvm,
   nixos-hardware,
   nixos-nftables-firewall,
@@ -33,7 +33,7 @@ in
         agenix-rekey.nixosModules.default
         disko.nixosModules.disko
         home-manager.nixosModules.default
-        #impermanence.nixosModules.default
+        impermanence.nixosModules.impermanence
         nixos-nftables-firewall.nixosModules.default
       ]
       ++ optionals (nodeMeta.microVmHost or false) [

nix/lib.nix

@@ -98,18 +98,15 @@ in rec {
       };
 
       unmountable = {type = "zfs_fs";};
-      filesystem = mountpoint:
+      filesystem = mountpoint: {
-        {
+        type = "zfs_fs";
-          type = "zfs_fs";
+        options = {
-          options = {
+          canmount = "on";
-            canmount = "on";
-            inherit mountpoint;
-          };
-        }
-        // optionalAttrs (mountpoint == "/") {
-          # Required to add dependencies for initrd
           inherit mountpoint;
         };
+        # Required to add dependencies for initrd
+        inherit mountpoint;
+      };
     };
   };