diff --git a/flake.lock b/flake.lock
index cc6fdab..24b4d3b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -107,6 +107,22 @@
 "type": "github"
 }
 },
+ "impermanence": {
+ "locked": {
+ "lastModified": 1684264534,
+ "narHash": "sha256-K0zr+ry3FwIo3rN2U/VWAkCJSgBslBisvfRIPwMbuCQ=",
+ "owner": "nix-community",
+ "repo": "impermanence",
+ "rev": "89253fb1518063556edd5e54509c30ac3089d5e6",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "ref": "master",
+ "repo": "impermanence",
+ "type": "github"
+ }
+ },
 "nixpkgs": {
 "locked": {
 "lastModified": 1689956312,
@@ -160,6 +176,7 @@
 "agenix": "agenix",
 "darwin": "darwin_2",
 "home-manager": "home-manager_2",
+ "impermanence": "impermanence",
 "nixpkgs": "nixpkgs",
 "nixpkgs-chia": "nixpkgs-chia",
 "nixpkgs-unstable": "nixpkgs-unstable"
diff --git a/flake.nix b/flake.nix
index eb6ae00..53c6929 100644
--- a/flake.nix
+++ b/flake.nix
@@ -12,11 +12,13 @@
 home-manager.url = "github:nix-community/home-manager/release-23.05";
 home-manager.inputs.nixpkgs.follows = "nixpkgs";
+
+ impermanence.url = "github:nix-community/impermanence/master";
 };
 description = "Hillion Nix flake";
- outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-chia, agenix, home-manager, darwin, ... }@inputs: {
+ outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-chia, agenix, home-manager, impermanence, darwin, ... }@inputs: {
 nixosConfigurations =
 let
 fqdns = builtins.attrNames (builtins.readDir ./hosts);
@@ -35,8 +37,17 @@
 modules = [
 ./hosts/${fqdn}/default.nix
 ./modules/default.nix
+ agenix.nixosModules.default
+ impermanence.nixosModules.impermanence
+ home-manager.nixosModules.default
+ {
+ home-manager.sharedModules = [
+ impermanence.nixosModules.home-manager.impermanence
+ ];
+ }
+ ({ config, ... }: {
 nix.registry.nixpkgs.flake = nixpkgs; # pin `nix shell` nixpkgs
 system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
diff --git a/hosts/router.home.ts.hillion.co.uk/default.nix b/hosts/router.home.ts.hillion.co.uk/default.nix
index 8a59746..12b2da8 100644
--- a/hosts/router.home.ts.hillion.co.uk/default.nix
+++ b/hosts/router.home.ts.hillion.co.uk/default.nix
@@ -4,7 +4,6 @@
 imports = [
 ../../modules/common/default.nix
 ./hardware-configuration.nix
- ./persist.nix
 ];
 config = {
@@ -20,6 +19,9 @@
 "net.ipv4.conf.all.forwarding" = true;
 };
+ ## Impermanence
+ custom.impermanence.enable = true;
+
 ## Networking
 networking = {
 firewall.enable = lib.mkForce false;
diff --git a/hosts/router.home.ts.hillion.co.uk/hardware-configuration.nix b/hosts/router.home.ts.hillion.co.uk/hardware-configuration.nix
index 6b1a767..af4ff7b 100644
--- a/hosts/router.home.ts.hillion.co.uk/hardware-configuration.nix
+++ b/hosts/router.home.ts.hillion.co.uk/hardware-configuration.nix
@@ -18,6 +18,7 @@
 {
 device = "tmpfs";
 fsType = "tmpfs";
+ options = [ "mode=0755" "size=4G" ];
 };
 fileSystems."/boot" =
diff --git a/hosts/router.home.ts.hillion.co.uk/persist.nix b/hosts/router.home.ts.hillion.co.uk/persist.nix
deleted file mode 100644
index 11da51d..0000000
--- a/hosts/router.home.ts.hillion.co.uk/persist.nix
+++ /dev/null
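Review bot: Enabling `custom.impermanence.enable = true;` in the second hunk of `hosts/router.home.ts.hillion.co.uk/default.nix` replaces the deleted `persist.nix`, but two of its entries do not carry over unchanged. `/var/lib/tailscale` is now persisted only when `config.custom.tailscale.enable` is set, which is not visible in this diff for the router; if that option is off, the node state under `/var/lib/tailscale` (including the node key) lands on the tmpfs root and is lost at every reboot, forcing re-authentication. `/etc/nixos` was bind-mounted from `/data/users/root/repos/nixos` and is now persisted from `/data/system/etc/nixos` (with the default `base`), a different source directory, so the existing checkout would need to be moved or the host boots with an empty `/etc/nixos`. Worth confirming both for this host before the switch.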
@@ -1,52 +0,0 @@
-{ config, lib, ... }:
-
-{
- config = {
- # Persist files (due to tmpfs root)
- ## Set root tmpfs to 0755
- fileSystems."/".options = [
- "mode=0755"
- "size=4G"
- ];
-
- ## Require data at boot (to have access to host keys for agenix)
- fileSystems."/data".neededForBoot = true;
-
- ## OpenSSH Host Keys (SSH + agenix secrets)
- services.openssh = {
- hostKeys = [
- {
- path = "/data/system/etc/ssh/ssh_host_ed25519_key";
- type = "ed25519";
- }
- {
- path = "/data/system/etc/ssh/ssh_host_rsa_key";
- type = "rsa";
- bits = 4096;
- }
- ];
- };
-
- ## Persistent directories and symlinks
- systemd.tmpfiles.rules = [
- ### Persistent home subdirectories
- "L /root/local - - - - /data/users/root"
- "L /home/jake/local - - - - /data/users/jake"
- ];
-
- ## Persistent /etc/nixos
- fileSystems."/etc/nixos" = {
- device = "/data/users/root/repos/nixos";
- options = [ "bind" ];
- };
-
- ## Persistent zsh history
- programs.zsh.histFile = lib.mkForce "$HOME/local/.zsh_history";
-
- ## Tailscale
- fileSystems."/var/lib/tailscale" = {
- device = "/data/system/var/lib/tailscale";
- options = [ "bind" ];
- };
- };
-}
diff --git a/modules/default.nix b/modules/default.nix
index 7ec228e..a6f0e13 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -6,6 +6,7 @@
 ./chia.nix
 ./common/hostinfo.nix
 ./desktop/awesome/default.nix
+ ./impermanence.nix
 ./locations.nix
 ./resilio.nix
 ./services/downloads.nix
diff --git a/modules/impermanence.nix b/modules/impermanence.nix
new file mode 100644
index 0000000..6e92acc
--- /dev/null
+++ b/modules/impermanence.nix
@@ -0,0 +1,55 @@
+{ config, lib, ... }:
+
+let
+ cfg = config.custom.impermanence;
+ listIf = (enable: x: if enable then x else [ ]);
+in
+{
+ options.custom.impermanence = {
+ enable = lib.mkEnableOption "impermanence";
+
+ base = lib.mkOption {
+ type = lib.types.str;
+ default = "/data";
+ };
+
+ users = lib.mkOption {
+ type = with lib.types; listOf str;
+ default = [ "root" config.custom.user ];
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ fileSystems.${cfg.base}.neededForBoot = true;
+
+ services.openssh.hostKeys = [
+ { path = "/data/system/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
+ { path = "/data/system/etc/ssh/ssh_host_rsa_key"; type = "rsa"; bits = 4096; }
+ ];
+
+ environment.persistence."${cfg.base}/system" = {
+ hideMounts = true;
+
+ directories = [
+ "/etc/nixos"
+ ] ++ (listIf config.custom.tailscale.enable [ "/var/lib/tailscale" ]);
+ };
+
+ home-manager.users =
+ let
+ mkUser = (x: {
+ name = x;
+ value = {
+ home.persistence."/data/users/${x}" = {
+ files = [
+ ".zsh_history"
+ ];
+ };
+ };
+ });
+ in
+ builtins.listToAttrs (builtins.map mkUser cfg.users);
+
+ systemd.tmpfiles.rules = builtins.map (x: "L ${config.users.users.${x}.home}/local - - - - /data/users/${x}") cfg.users;
+ };
+}
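Review bot: The `base` option defaults to `/data` and is user-settable, but the two `services.openssh.hostKeys` paths, `home.persistence."/data/users/${x}"` and the tmpfiles symlink target still hardcode `/data`, so overriding `base` only moves `neededForBoot` and the system persistence root. On a host with a different `base`, sshd finds no key at the hardcoded path and generates a fresh host key on the tmpfs root at every boot, which also breaks agenix secrets encrypted to the host key, and the directory holding the real keys is no longer marked `neededForBoot`. Deriving all four paths from `cfg.base` keeps the option consistent; the changed lines are below. `config.custom.tailscale.enable` is referenced but not declared in this diff, so I assume another module defines it.
```nix
    services.openssh.hostKeys = [
      { path = "${cfg.base}/system/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
      { path = "${cfg.base}/system/etc/ssh/ssh_host_rsa_key"; type = "rsa"; bits = 4096; }
    ];
    # … unchanged: environment.persistence, home-manager.users let/mkUser header …
            home.persistence."${cfg.base}/users/${x}" = {
    # … unchanged: files list, listToAttrs …
    systemd.tmpfiles.rules = builtins.map (x: "L ${config.users.users.${x}.home}/local - - - - ${cfg.base}/users/${x}") cfg.users;
```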