router: switch to impermanence

flake.lock

@@ -107,6 +107,22 @@
         "type": "github"
       }
     },
+    "impermanence": {
+      "locked": {
+        "lastModified": 1684264534,
+        "narHash": "sha256-K0zr+ry3FwIo3rN2U/VWAkCJSgBslBisvfRIPwMbuCQ=",
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "rev": "89253fb1518063556edd5e54509c30ac3089d5e6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "master",
+        "repo": "impermanence",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1689956312,
@@ -160,6 +176,7 @@
         "agenix": "agenix",
         "darwin": "darwin_2",
         "home-manager": "home-manager_2",
+        "impermanence": "impermanence",
         "nixpkgs": "nixpkgs",
         "nixpkgs-chia": "nixpkgs-chia",
         "nixpkgs-unstable": "nixpkgs-unstable"

flake.nix

@@ -12,11 +12,13 @@
 
     home-manager.url = "github:nix-community/home-manager/release-23.05";
     home-manager.inputs.nixpkgs.follows = "nixpkgs";
+
+    impermanence.url = "github:nix-community/impermanence/master";
   };
 
   description = "Hillion Nix flake";
 
-  outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-chia, agenix, home-manager, darwin, ... }@inputs: {
+  outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-chia, agenix, home-manager, impermanence, darwin, ... }@inputs: {
     nixosConfigurations =
       let
         fqdns = builtins.attrNames (builtins.readDir ./hosts);
@@ -35,8 +37,17 @@
             modules = [
               ./hosts/${fqdn}/default.nix
               ./modules/default.nix
+
               agenix.nixosModules.default
+              impermanence.nixosModules.impermanence
+
               home-manager.nixosModules.default
+              {
+                home-manager.sharedModules = [
+                  impermanence.nixosModules.home-manager.impermanence
+                ];
+              }
+
               ({ config, ... }: {
                 nix.registry.nixpkgs.flake = nixpkgs; # pin `nix shell` nixpkgs
                 system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;

hosts/router.home.ts.hillion.co.uk/default.nix

@@ -4,7 +4,6 @@
   imports = [
     ../../modules/common/default.nix
     ./hardware-configuration.nix
-    ./persist.nix
   ];
 
   config = {
@@ -20,6 +19,9 @@
       "net.ipv4.conf.all.forwarding" = true;
     };
 
+    ## Impermanence
+    custom.impermanence.enable = true;
+
     ## Networking
     networking = {
       firewall.enable = lib.mkForce false;

hosts/router.home.ts.hillion.co.uk/hardware-configuration.nix

@@ -18,6 +18,7 @@
     {
       device = "tmpfs";
       fsType = "tmpfs";
+      options = [ "mode=0755" "size=4G" ];
     };
 
   fileSystems."/boot" =

hosts/router.home.ts.hillion.co.uk/persist.nix

@@ -1,52 +0,0 @@
-{ config, lib, ... }:
-
-{
-  config = {
-    # Persist files (due to tmpfs root)
-    ## Set root tmpfs to 0755
-    fileSystems."/".options = [
-      "mode=0755"
-      "size=4G"
-    ];
-
-    ## Require data at boot (to have access to host keys for agenix)
-    fileSystems."/data".neededForBoot = true;
-
-    ## OpenSSH Host Keys (SSH + agenix secrets)
-    services.openssh = {
-      hostKeys = [
-        {
-          path = "/data/system/etc/ssh/ssh_host_ed25519_key";
-          type = "ed25519";
-        }
-        {
-          path = "/data/system/etc/ssh/ssh_host_rsa_key";
-          type = "rsa";
-          bits = 4096;
-        }
-      ];
-    };
-
-    ## Persistent directories and symlinks
-    systemd.tmpfiles.rules = [
-      ### Persistent home subdirectories
-      "L /root/local - - - - /data/users/root"
-      "L /home/jake/local - - - - /data/users/jake"
-    ];
-
-    ## Persistent /etc/nixos
-    fileSystems."/etc/nixos" = {
-      device = "/data/users/root/repos/nixos";
-      options = [ "bind" ];
-    };
-
-    ## Persistent zsh history
-    programs.zsh.histFile = lib.mkForce "$HOME/local/.zsh_history";
-
-    ## Tailscale
-    fileSystems."/var/lib/tailscale" = {
-      device = "/data/system/var/lib/tailscale";
-      options = [ "bind" ];
-    };
-  };
-}

modules/default.nix

@@ -6,6 +6,7 @@
     ./chia.nix
     ./common/hostinfo.nix
     ./desktop/awesome/default.nix
+    ./impermanence.nix
     ./locations.nix
     ./resilio.nix
     ./services/downloads.nix

modules/impermanence.nix

@@ -0,0 +1,55 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.custom.impermanence;
+  listIf = (enable: x: if enable then x else [ ]);
+in
+{
+  options.custom.impermanence = {
+    enable = lib.mkEnableOption "impermanence";
+
+    base = lib.mkOption {
+      type = lib.types.str;
+      default = "/data";
+    };
+
+    users = lib.mkOption {
+      type = with lib.types; listOf str;
+      default = [ "root" config.custom.user ];
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    fileSystems.${cfg.base}.neededForBoot = true;
+
+    services.openssh.hostKeys = [
+      { path = "/data/system/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
+      { path = "/data/system/etc/ssh/ssh_host_rsa_key"; type = "rsa"; bits = 4096; }
+    ];
+
+    environment.persistence."${cfg.base}/system" = {
+      hideMounts = true;
+
+      directories = [
+        "/etc/nixos"
+      ] ++ (listIf config.custom.tailscale.enable [ "/var/lib/tailscale" ]);
+    };
+
+    home-manager.users =
+      let
+        mkUser = (x: {
+          name = x;
+          value = {
+            home.persistence."/data/users/${x}" = {
+              files = [
+                ".zsh_history"
+              ];
+            };
+          };
+        });
+      in
+      builtins.listToAttrs (builtins.map mkUser cfg.users);
+
+    systemd.tmpfiles.rules = builtins.map (x: "L ${config.users.users.${x}.home}/local - - - - /data/users/${x}") cfg.users;
+  };
+}