From 260a9175581a3dfc06e576fd22d9743f5553d481 Mon Sep 17 00:00:00 2001
From: MagicRB
Date: Tue, 3 Oct 2023 16:55:14 +0200
Subject: [PATCH] Add omen impermenance

Signed-off-by: MagicRB
---
 flake.nix | 2 +
 nixos/systems/omen/default.nix | 2 +
 nixos/systems/omen/filesystems.nix | 28 +++-
 nixos/systems/omen/hardware.nix | 1 +
 nixos/systems/omen/impermenance.nix | 108 ++++++++++++++++++++++++++++
 5 files changed, 139 insertions(+), 2 deletions(-)
 create mode 100644 nixos/systems/omen/impermenance.nix

diff --git a/flake.nix b/flake.nix
index b2dbf98..74e59b4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -18,6 +18,7 @@
 website.url = "sourcehut:~magic_rb/website";
 microvm.url = "github:astro/microvm.nix";
 notnft.url = "github:chayleaf/notnft";
+ impermenance.url = "path:///nix/persist/home/main/repos/impermanence";
 disko.url = "github:nix-community/disko";
 nixos-anywhere.url = "github:numtide/nixos-anywhere";
@@ -99,6 +100,7 @@
 overlays/terraform-provider-influxdb-v2.nix
 overlays/bootloadHID.nix
 overlays/itp
+ overlays/show-files-to-be-deleted
 inputs.uterranix.flakeModule
 ];
diff --git a/nixos/systems/omen/default.nix b/nixos/systems/omen/default.nix
index 4c45d81..75336b2 100644
--- a/nixos/systems/omen/default.nix
+++ b/nixos/systems/omen/default.nix
@@ -36,6 +36,7 @@ in
 ./users.nix
 ./nixpkgs.nix
 ../../common/sound.nix
+ ./impermenance.nix
 # ./test-vm.nix
 inputs.dwarffs.nixosModules.dwarffs
@@ -43,6 +44,7 @@ in
 inputs.notnft.nixosModules.default
 inputs.self.nixosModules.notnft
 inputs.self.nixosModules.microvm-extras-host
+ inputs.impermenance.nixosModules.impermanence
 ];
 _module.args.nixinate = {
diff --git a/nixos/systems/omen/filesystems.nix b/nixos/systems/omen/filesystems.nix
index 3a6019b..3bdb29f 100644
--- a/nixos/systems/omen/filesystems.nix
+++ b/nixos/systems/omen/filesystems.nix
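Review bot: The new `impermenance` input points at `path:///nix/persist/home/main/repos/impermanence`, an absolute path on this one machine, so the flake only evaluates where that checkout exists and the lock records whatever state that working tree happens to be in rather than an auditable upstream revision; the module code pulled in by `inputs.impermenance.nixosModules.impermanence` in the default.nix hunk therefore cannot be reviewed from this repository. Pin the upstream instead, `impermenance.url = "github:nix-community/impermanence";`, or, if a local fork is really needed, reference a pushed fork by URL and revision. The input is also spelled `impermenance` while the attribute it exposes is `impermanence`; aligning the two spellings avoids a confusing pair of names in every consumer.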
@@ -14,18 +14,42 @@ let
 blowholeAddress = secret.network.ips.blowhole.dns or "";
 in
 {
+ boot.zfs.requestEncryptionCredentials = [];
+
 fileSystems = {
 "/" = {
+ device = "none";
+ fsType = "tmpfs";
+ options = [ "defaults" "size=512M" "mode=755" "noexec" ];
+ };
+ "/tmp" = {
+ device = "none";
+ fsType = "tmpfs";
+ options = [ "defaults" "size=512M" "mode=755" ];
+ };
+ "/nix/persist" = {
+ device = "omen-ssd/persist";
+ fsType = "zfs";
+ neededForBoot = true;
+ };
+ "/old/root" = {
 device = "omen-ssd/local/root";
 fsType = "zfs";
+ neededForBoot = true;
+ };
+ "/old/home" = {
+ device = "omen-ssd/safe/home";
+ fsType = "zfs";
+ neededForBoot = true;
 };
 "/nix" = {
 device = "omen-ssd/local/nix";
 fsType = "zfs";
 };
 "/home" = {
- device = "omen-ssd/safe/home";
+ device = "omen-ssd/ephemeral/home";
 fsType = "zfs";
+ neededForBoot = true;
 };
 "/boot/1" = {
@@ -37,7 +61,7 @@ in
 fsType = "vfat";
 };
- "/var/lib/secrets" = {
+ "/var/secrets" = {
 device = "omen-ssd/local/secrets";
 fsType = "zfs";
 };
diff --git a/nixos/systems/omen/hardware.nix b/nixos/systems/omen/hardware.nix
index c1ed32c..670e085 100644
--- a/nixos/systems/omen/hardware.nix
+++ b/nixos/systems/omen/hardware.nix
@@ -17,6 +17,7 @@ in
 hardware.cpu.intel.updateMicrocode = true;
 boot = {
+ initrd.systemd.enable = true;
 initrd.availableKernelModules = [
 "xhci_pci"
 "ahci"
diff --git a/nixos/systems/omen/impermenance.nix b/nixos/systems/omen/impermenance.nix
new file mode 100644
index 0000000..3e7d32d
--- /dev/null
+++ b/nixos/systems/omen/impermenance.nix
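Review bot: The new `"/tmp"` entry mounts a tmpfs with `mode=755`, which leaves /tmp writable only by root unless a tmpfiles rule later resets it, and unlike the root entry it carries neither `noexec` nor `nosuid`/`nodev`; the stock option `boot.tmp.useTmpfs = true;` mounts /tmp as tmpfs with `mode=1777` plus `nosuid,nodev` and can replace the whole block. `boot.zfs.requestEncryptionCredentials = [];` turns off key prompting for every dataset at import, so if any of the `omen-ssd` datasets listed here is encrypted its key now has to be loaded by something not visible in this commit; a comment naming that mechanism next to the option would help the next reader. In the second hunk `"/var/lib/secrets"` becomes `"/var/secrets"`, but nothing in this commit updates whatever reads or writes that path; a stale reference to `/var/lib/secrets` would now land on the tmpfs root and vanish at reboot.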
@@ -0,0 +1,108 @@
+{ inputs', pkgs, ... }:
+{
+ nixpkgs.overlays = [
+ inputs'.self.overlays.show-files-to-be-deleted
+ ];
+
+ environment.systemPackages = [
+ pkgs.show-files-to-be-deleted
+ ];
+
+ environment.persistence."/nix/persist" = {
+ hideMounts = true;
+ directories = [
+ "/var/log"
+ "/var/lib/bluetooth"
+ "/var/lib/nixos"
+ "/var/lib/systemd/coredump"
+ "/var/lib/iwd"
+ "/var/lib/syncthing"
+ ];
+ files = [
+ "/etc/machine-id"
+ "/etc/ssh/ssh_host_rsa_key"
+ "/etc/ssh/ssh_host_rsa_key.pub"
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ ];
+ users.main = {
+ directories = [
+ "sync"
+ ".steam"
+ ".local/share/Steam"
+ ".emacs.d"
+ "roam"
+ "dotfiles"
+ "Documents"
+ { directory = ".gnupg"; mode = "0700"; }
+ { directory = ".ssh"; mode = "0700"; }
+ ".local/share/direnv"
+ "repos"
+ ];
+ files = [
+ { file = ".config/wallpaper"; method = "symlink"; }
+ ];
+ };
+ };
+
+ boot.initrd.systemd.storePaths = with pkgs; [
+ zfs
+ busybox
+ ];
+ boot.initrd.systemd.services.rollback = {
+ description = "Rollback ZFS datasets to a pristine state";
+ wantedBy = [
+ "initrd.target"
+ ];
+ after = [
+ "zfs-import-omen-ssd.service"
+ ];
+ before = [
+ "sysroot.mount"
+ ];
+ path = with pkgs; [
+ zfs
+ busybox
+ ];
+ unitConfig.DefaultDependencies = "no";
+ serviceConfig.Type = "oneshot";
+ script = ''
+ generation="$(zfs get :generation omen-ssd/ephemeral/home -H -o value)"
+ dataset="omen-ssd/ephemeral/home"
+ generation="$(("$generation" + 1))"
+ zfs set ":generation=$generation" "$dataset"
+ zfs send "$dataset" | zfs recv "$dataset/$generation"
+ zfs rollback "$dataset@blank" && echo "rollback complete"
+
+
+ while IFS="\n" read gen
+ do
+ echo "$gen < $(("$generation" - 10))"
+ if [ "$gen" -lt "$(("$generation" - 10))" ]; then
+ zfs destroy -r "$dataset/$gen"
+ echo "destroyed "
+ fi
+ done <<< "$(zfs list "omen-ssd/ephemeral/home" -t filesystem -r -H -o name | xargs -I {} ${pkgs.runtimeShell} -c 'echo "$1" | rev | cut -f 1 -d "/" | rev' sh {} | grep -v home)"
+ '';
+ };
+
+
+ systemd.services."home-manager-main-pre.service" = {
+ description = "Home Manager environment prestart for main";
+
+ wantedBy = [ "multi-user.target" ];
+ before = [ "home-manager-main.service" ];
+
+ script = ''
+ set -e
+ mkdir -p /home/main
+ chown 1000:1000 /home/main
+ '';
+
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = "yes";
+ TimeoutStartSec = "5m";
+ };
+ };
+}
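Review bot: In the rollback script, `zfs rollback "$dataset@blank" && echo "rollback complete"` masks a failed rollback, because a non-zero status inside an `&&` list does not stop the script with or without `-e`, so the previous boot's home survives while the unit still reports success; put `zfs rollback "$dataset@blank"` and `echo "rollback complete"` on separate lines so a failed wipe fails the unit. The generation bookkeeping three lines earlier also breaks on a dataset that has never had `:generation` set, where `zfs get` prints `-` and `$(("$generation" + 1))` is not a valid expression; add `[ "$generation" != "-" ] || generation=0` before the increment. `IFS="\n"` sets IFS to the two characters `\` and `n` rather than a newline, which is not what the `read` loop intends; `IFS=` is the usual form for line-at-a-time reads. Finally, `systemd.services."home-manager-main-pre.service"` already includes the suffix NixOS appends to every key of `systemd.services`, so the generated unit is `home-manager-main-pre.service.service`; name it `systemd.services."home-manager-main-pre"`.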