feat: enable impermanence

2023-05-01 11:49:37 +02:00 · 2023-05-01 11:49:37 +02:00 · 4cee692eff
commit 4cee692eff
parent 30cfdaf860
7 changed files with 55 additions and 27 deletions
--- a/README.md
+++ b/README.md
@ -16,7 +16,6 @@ This is my personal nix config.
 	  - `secrets.nix.age` Repository-wide local secrets. Decrypted on import via `builtins.extraBuiltins.rageImportEncrypted`.
 	  - `host.pub` This host's public key. Used for agenix rekeying.
 	- `default.nix` The actual system definition. Follow the imports from there to see what it entails.
-	- `meta.nix` Determines the type and architecture of this system, and some other optional meta information. Used e.g. by `nix/colmena.nix` to know which hosts are real NixOS hosts, and which are VMs or some other type.
 	- `fs.nix` Filesystem setup.
 	- `net.nix` Networking setup.
  - `nom/` - My laptop and main development machine
@ -54,8 +53,8 @@ This is my personal nix config.

 ... incomplete.

- add hosts/<name>
- fill meta.nix
+- add <name> to `hosts` in `flake.nix`
+- create hosts/<name>
 - fill net.nix
 - fill fs.nix (you need to know the device by-id paths in advance for formatting to work!)
 - generate-initrd-keys
--- a/flake.lock
+++ b/flake.lock
@ -28,11 +28,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1682072804,
-        "narHash": "sha256-Y7Q7dUXzEwIxZ0a2iTDF7e/hv4GFmn7ejfSr5JWSPCI=",
+        "lastModified": 1682854491,
+        "narHash": "sha256-xFTgMA+whHZyRAAN6EQUX0gMAjSGi44+sFbIPOXVShw=",
        "owner": "oddlama",
        "repo": "agenix-rekey",
-        "rev": "d00eaa5c9bb71a0858fe7fd4a148445a428b311c",
+        "rev": "7096bf1e2acdbf8c6e8dda6f452d06d9d72fb3a7",
        "type": "github"
      },
      "original": {
@ -116,11 +116,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1682802069,
-        "narHash": "sha256-hctikxnF3AvHckQqzNa/4YLHbNNrdC733VsTZPWeyTo=",
+        "lastModified": 1682856014,
+        "narHash": "sha256-QkjneK3DH68IsEf2VnTkMesjsyHsVeVlr6TFxp97uIw=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "c917cb9cdb621f3b60a7ccc77729cab52250da81",
+        "rev": "8b43938cf77bbeddec127a5398b5dba3578c4290",
        "type": "github"
      },
      "original": {
@ -257,11 +257,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1682097095,
-        "narHash": "sha256-ecIKDVpayjIDEdxWCSHmG4yJQ21/nKZkhFNlLzwttWU=",
+        "lastModified": 1682817142,
+        "narHash": "sha256-mkKUFwQq8Sgw+p82K5SoWO6lODFeJcr+SpzH3+Utye0=",
        "owner": "astro",
        "repo": "microvm.nix",
-        "rev": "b2627f159e8b54e4f6af7edc88b64fa3736819c9",
+        "rev": "15fb183b412619d27db227dcbaf959c63bdaba09",
        "type": "github"
      },
      "original": {
@ -308,11 +308,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1680876084,
-        "narHash": "sha256-eP9yxP0wc7XuVaODugh+ajgbFGaile2O1ihxiLxOuvU=",
+        "lastModified": 1682836095,
+        "narHash": "sha256-PdzpJhuXBz71AgWNWMMYLbB8GMMce6QguhQY/6HOOcc=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "3006d2860a6ed5e01b0c3e7ffb730e9b293116e2",
+        "rev": "e4a21ddcb45ee5f5c85a5d9e9698debf77fb98c3",
        "type": "github"
      },
      "original": {
--- a/hosts/common/core/default.nix
+++ b/hosts/common/core/default.nix
@ -8,6 +8,7 @@
 }: {
  imports = [
    ./inputrc.nix
+    ./impermanence.nix
    ./issue.nix
    ./net.nix
    ./nix.nix
--- a/hosts/common/core/impermanence.nix
+++ b/hosts/common/core/impermanence.nix
@ -0,0 +1,28 @@
+{
+  # State that should be kept across reboots, but is otherwise
+  # NOT important information in any way that needs to be backed up.
+  #environment.persistence."/nix/state" = {
+  #  hideMounts = true;
+  #  files = [
+  #    "/etc/machine-id"
+  #    "/etc/ssh/ssh_host_ed25519_key"
+  #    "/etc/ssh/ssh_host_ed25519_key.pub"
+  #  ];
+  #  directories = [
+  #    "/var/log"
+  #  ];
+  #};
+
+  # State that should be kept forever, and backed up accordingly.
+  environment.persistence."/persist" = {
+    hideMounts = true;
+    files = [
+      "/etc/machine-id"
+      "/etc/ssh/ssh_host_ed25519_key"
+      "/etc/ssh/ssh_host_ed25519_key.pub"
+    ];
+    directories = [
+      "/var/log"
+    ];
+  };
+}
--- a/hosts/ward/fs.nix
+++ b/hosts/ward/fs.nix
@ -1,4 +1,5 @@
 {
+  lib,
  extraLib,
  nodeSecrets,
  pkgs,
@ -39,6 +40,8 @@
    };
  };

+  fileSystems."/persist".neededForBoot = true;
+
  #environment.persistence."/persist".directories = [
  #  { directory = "/var/lib/acme"; user = "acme"; group = "acme"; }
  #];
--- a/nix/generate-node.nix
+++ b/nix/generate-node.nix
@ -5,7 +5,7 @@
  colmena,
  disko,
  home-manager,
-  #impermanence,
+  impermanence,
  microvm,
  nixos-hardware,
  nixos-nftables-firewall,
@ -33,7 +33,7 @@ in
        agenix-rekey.nixosModules.default
        disko.nixosModules.disko
        home-manager.nixosModules.default
-        #impermanence.nixosModules.default
+        impermanence.nixosModules.impermanence
        nixos-nftables-firewall.nixosModules.default
      ]
      ++ optionals (nodeMeta.microVmHost or false) [
--- a/nix/lib.nix
+++ b/nix/lib.nix
@ -98,15 +98,12 @@ in rec {
      };

      unmountable = {type = "zfs_fs";};
-      filesystem = mountpoint:
-        {
+      filesystem = mountpoint: {
        type = "zfs_fs";
        options = {
          canmount = "on";
          inherit mountpoint;
        };
-        }
-        // optionalAttrs (mountpoint == "/") {
        # Required to add dependencies for initrd
        inherit mountpoint;
      };