From b0e9978ead9a1dcd76a9373084e2101320994300 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Sat, 3 Jun 2023 17:50:54 +0200
Subject: [PATCH] chore: add separate /state directory for reboot-persistent non-backuped state
---
 hosts/common/core/impermanence.nix | 90 +++++++++++++++--------------
 hosts/sentinel/fs.nix | 4 ++
 hosts/ward/fs.nix | 4 ++
 3 files changed, 54 insertions(+), 44 deletions(-)
diff --git a/hosts/common/core/impermanence.nix b/hosts/common/core/impermanence.nix
index dd33465..edd935c 100644
--- a/hosts/common/core/impermanence.nix
+++ b/hosts/common/core/impermanence.nix
@@ -3,21 +3,46 @@
 lib,
 ...
 }: {
- # State that should be kept across reboots, but is otherwise
- # NOT important information in any way that needs to be backed up.
- #environment.persistence."/local" = {
- # with new dataset --> ^-- , or without v--
- #environment.persistence."/nix/state" = {
- # hideMounts = true;
- # files = [
- # ];
- # directories = [
- # ];
- #};
-
 # Give agenix access to the hostkey independent of impermanence activation
 age.identityPaths = ["/persist/etc/ssh/ssh_host_ed25519_key"];
+ # State that should be kept across reboots, but is otherwise
+ # NOT important information in any way that needs to be backed up.
+ environment.persistence."/state" = {
+ hideMounts = true;
+ directories =
+ [
+ {
+ directory = "/var/lib/systemd";
+ user = "root";
+ group = "root";
+ mode = "0755";
+ }
+ {
+ directory = "/var/log";
+ user = "root";
+ group = "root";
+ mode = "0755";
+ }
+ #{ directory = "/tmp"; user = "root"; group = "root"; mode = "1777"; }
+ #{ directory = "/var/tmp"; user = "root"; group = "root"; mode = "1777"; }
+ {
+ directory = "/var/spool";
+ user = "root";
+ group = "root";
+ mode = "0755";
+ }
+ ]
+ ++ lib.optionals config.networking.wireless.iwd.enable [
+ {
+ directory = "/var/lib/iwd";
+ user = "root";
+ group = "root";
+ mode = "0700";
+ }
+ ];
+ };
+
 # State that should be kept forever, and backed up accordingly.
 environment.persistence."/persist" = {
 hideMounts = true;
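Review bot: The header comment on the new `/state` block states this data never needs backing up, yet `/var/log` holds the host's local journal, which is the first thing consulted after an incident; keeping it on a dataset that is not backed up is only sound if shipping to the loki instance this commit starts persisting is actually configured, which is not visible in this patch. Suggest making that dependency explicit so the trade-off survives the TODOs that were removed: `# /var/log lives here only because logs are shipped to loki; the local journal is not a durable audit trail.` The same block moves `/var/lib/iwd` (stored Wi-Fi credentials) out of the backed-up `/persist` set, which is presumably intended given that the host key and ACME state stay in `/persist`, but worth a word in the comment. The `/var/spool` mode also changes from `0777` to `0755` as part of the move; the new value is the conventional one, so the commit message should mention it rather than leaving the tightening implicit.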
@@ -34,37 +59,6 @@
 group = "root";
 mode = "0755";
 }
- # TODO only persist across reboots, don't backup, once loki is used
- {
- directory = "/var/lib/systemd";
- user = "root";
- group = "root";
- mode = "0755";
- }
- # TODO only persist across reboots, don't backup, once loki is used
- {
- directory = "/var/log";
- user = "root";
- group = "root";
- mode = "0755";
- }
- #{ directory = "/tmp"; user = "root"; group = "root"; mode = "1777"; }
- #{ directory = "/var/tmp"; user = "root"; group = "root"; mode = "1777"; }
- # TODO only persist across reboots, don't backup, once loki is used
- {
- directory = "/var/spool";
- user = "root";
- group = "root";
- mode = "0777";
- }
- ]
- ++ lib.optionals config.networking.wireless.iwd.enable [
- {
- directory = "/var/lib/iwd";
- user = "root";
- group = "root";
- mode = "0700";
- }
 ]
 ++ lib.optionals config.security.acme.acceptTerms [
 {
@@ -100,12 +94,20 @@
 ]
 ++ lib.optionals config.services.gitea.enable [
 {
- directory = "/var/lib/gitea";
+ directory = config.services.gitea.stateDir;
 user = "gitea";
 group = "gitea";
 mode = "0700";
 }
 ]
+ ++ lib.optionals config.services.loki.enable [
+ {
+ directory = "/var/lib/loki";
+ user = "loki";
+ group = "loki";
+ mode = "0700";
+ }
+ ]
 ++ lib.optionals config.services.grafana.enable [
 {
 directory = config.services.grafana.dataDir;
diff --git a/hosts/sentinel/fs.nix b/hosts/sentinel/fs.nix
index ffeadbb..86b0e3d 100644
--- a/hosts/sentinel/fs.nix
+++ b/hosts/sentinel/fs.nix
@@ -32,6 +32,7 @@
 postCreateHook = "zfs snapshot rpool/local/root@blank";
 };
 "local/nix" = filesystem "/nix";
+ "local/state" = filesystem "/state";
 "safe" = unmountable;
 "safe/persist" = filesystem "/persist";
 };
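Review bot: In the `@@ -100,12 +94,20 @@` hunk the new loki entry hard-codes `/var/lib/loki` and the `loki` user and group, while the gitea entry changed in the same hunk now reads `config.services.gitea.stateDir` and the grafana entry in the trailing context reads `config.services.grafana.dataDir`. If `services.loki.dataDir`, `services.loki.user` or `services.loki.group` are ever overridden, the persisted directory silently stops matching what the service writes to and the log store is discarded on the next reboot. For consistency with its neighbours, take them from the module: `directory = config.services.loki.dataDir;`, `user = config.services.loki.user;`, `group = config.services.loki.group;`. The enclosing `directories` list begins and ends outside this hunk.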
@@ -41,6 +42,9 @@
 boot.loader.grub.devices = ["/dev/disk/by-id/${config.repo.secrets.local.disk.main}"];
 boot.initrd.luks.devices.enc-rpool.allowDiscards = true;
+ # TODO remove once this is upstreamed
+ boot.initrd.systemd.services."zfs-import-rpool".after = ["cryptsetup.target"];
+ fileSystems."/state".neededForBoot = true;
 fileSystems."/persist".neededForBoot = true;
 # After importing the rpool, rollback the root system to be empty.
diff --git a/hosts/ward/fs.nix b/hosts/ward/fs.nix
index f21e693..83c2c16 100644
--- a/hosts/ward/fs.nix
+++ b/hosts/ward/fs.nix
@@ -33,6 +33,7 @@
 postCreateHook = "zfs snapshot rpool/local/root@blank";
 };
 "local/nix" = filesystem "/nix";
+ "local/state" = filesystem "/state";
 "safe" = unmountable;
 "safe/persist" = filesystem "/persist";
 "safe/vms" = unmountable;
@@ -41,6 +42,9 @@
 };
 };
+ # TODO remove once this is upstreamed
+ boot.initrd.systemd.services."zfs-import-rpool".after = ["cryptsetup.target"];
+ fileSystems."/state".neededForBoot = true;
 fileSystems."/persist".neededForBoot = true;
 # After importing the rpool, rollback the root system to be empty.
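Review bot: The `# TODO remove once this is upstreamed` above the `zfs-import-rpool` ordering override names no upstream change, so nobody can later tell whether the workaround is still needed or safe to drop; record the tracking reference and the reason, e.g. `# TODO remove once <upstream PR/issue reference> is merged: zfs import must be ordered after the LUKS device is opened`. The identical two lines are added again in the `hosts/ward/fs.nix` `@@ -41,6 +42,9 @@` hunk below; since both hosts already import `hosts/common/core`, a single definition there would keep the workaround and its eventual removal in one place. The new `fileSystems."/state".neededForBoot = true;` mirrors the existing `/persist` line, which is what the impermanence bind mounts in the other file rely on, so that part reads as intended.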