Add omen impermenance

Signed-off-by: MagicRB <richard@brezak.sk>
2024-11-22 08:04:20 +01:00 · 2023-10-03 16:55:14 +02:00 · 2023-10-03 16:55:14 +02:00 · 260a917558
parent 05d186d304
commit 260a917558
5 changed files with 139 additions and 2 deletions
--- a/flake.nix
+++ b/flake.nix
@ -18,6 +18,7 @@
    website.url = "sourcehut:~magic_rb/website";
    microvm.url = "github:astro/microvm.nix";
    notnft.url = "github:chayleaf/notnft";
+    impermenance.url = "path:///nix/persist/home/main/repos/impermanence";

    disko.url = "github:nix-community/disko";
    nixos-anywhere.url = "github:numtide/nixos-anywhere";
@ -99,6 +100,7 @@
        overlays/terraform-provider-influxdb-v2.nix
        overlays/bootloadHID.nix
        overlays/itp
+        overlays/show-files-to-be-deleted

        inputs.uterranix.flakeModule
      ];
--- a/nixos/systems/omen/default.nix
+++ b/nixos/systems/omen/default.nix
@ -36,6 +36,7 @@ in
            ./users.nix
            ./nixpkgs.nix
            ../../common/sound.nix
+            ./impermenance.nix
            # ./test-vm.nix

            inputs.dwarffs.nixosModules.dwarffs
@ -43,6 +44,7 @@ in
            inputs.notnft.nixosModules.default
            inputs.self.nixosModules.notnft
            inputs.self.nixosModules.microvm-extras-host
+            inputs.impermenance.nixosModules.impermanence
          ];

          _module.args.nixinate = {
--- a/nixos/systems/omen/filesystems.nix
+++ b/nixos/systems/omen/filesystems.nix
@ -14,18 +14,42 @@ let
  blowholeAddress = secret.network.ips.blowhole.dns or "";
 in
 {
+  boot.zfs.requestEncryptionCredentials = [];
+
  fileSystems = {
    "/" = {
+      device = "none";
+      fsType = "tmpfs";
+      options = [ "defaults" "size=512M" "mode=755" "noexec" ];
+    };
+    "/tmp" = {
+      device = "none";
+      fsType = "tmpfs";
+      options = [ "defaults" "size=512M" "mode=755" ];
+    };
+    "/nix/persist" = {
+      device = "omen-ssd/persist";
+      fsType = "zfs";
+      neededForBoot = true;
+    };
+    "/old/root" = {
      device = "omen-ssd/local/root";
      fsType = "zfs";
+      neededForBoot = true;
+    };
+    "/old/home" = {
+      device = "omen-ssd/safe/home";
+      fsType = "zfs";
+      neededForBoot = true;
    };
    "/nix" = {
      device = "omen-ssd/local/nix";
      fsType = "zfs";
    };
    "/home" = {
-      device = "omen-ssd/safe/home";
+      device = "omen-ssd/ephemeral/home";
      fsType = "zfs";
+      neededForBoot = true;
    };

    "/boot/1" = {
@ -37,7 +61,7 @@ in
      fsType = "vfat";
    };

-    "/var/lib/secrets" = {
+    "/var/secrets" = {
      device = "omen-ssd/local/secrets";
      fsType = "zfs";
    };
--- a/nixos/systems/omen/hardware.nix
+++ b/nixos/systems/omen/hardware.nix
@ -17,6 +17,7 @@ in
  hardware.cpu.intel.updateMicrocode = true;

  boot = {
+    initrd.systemd.enable = true;
    initrd.availableKernelModules = [
      "xhci_pci"
      "ahci"
--- a/nixos/systems/omen/impermenance.nix
+++ b/nixos/systems/omen/impermenance.nix
@ -0,0 +1,108 @@
+{ inputs', pkgs, ... }:
+{
+  nixpkgs.overlays = [
+    inputs'.self.overlays.show-files-to-be-deleted
+  ];
+
+  environment.systemPackages = [
+    pkgs.show-files-to-be-deleted
+  ];
+
+  environment.persistence."/nix/persist" = {
+    hideMounts = true;
+    directories = [
+      "/var/log"
+      "/var/lib/bluetooth"
+      "/var/lib/nixos"
+      "/var/lib/systemd/coredump"
+      "/var/lib/iwd"
+      "/var/lib/syncthing"
+    ];
+    files = [
+      "/etc/machine-id"
+      "/etc/ssh/ssh_host_rsa_key"
+      "/etc/ssh/ssh_host_rsa_key.pub"
+      "/etc/ssh/ssh_host_ed25519_key"
+      "/etc/ssh/ssh_host_ed25519_key.pub"
+    ];
+    users.main = {
+      directories = [
+        "sync"
+        ".steam"
+        ".local/share/Steam"
+        ".emacs.d"
+        "roam"
+        "dotfiles"
+        "Documents"
+        { directory = ".gnupg"; mode = "0700"; }
+        { directory = ".ssh"; mode = "0700"; }
+        ".local/share/direnv"
+        "repos"
+      ];
+      files = [
+        { file = ".config/wallpaper"; method = "symlink"; }
+      ];
+    };
+  };
+
+  boot.initrd.systemd.storePaths = with pkgs; [
+    zfs
+    busybox
+  ];
+  boot.initrd.systemd.services.rollback = {
+    description = "Rollback ZFS datasets to a pristine state";
+    wantedBy = [
+      "initrd.target"
+    ];
+    after = [
+      "zfs-import-omen-ssd.service"
+    ];
+    before = [
+      "sysroot.mount"
+    ];
+    path = with pkgs; [
+      zfs
+      busybox
+    ];
+    unitConfig.DefaultDependencies = "no";
+    serviceConfig.Type = "oneshot";
+    script = ''
+      generation="$(zfs get :generation omen-ssd/ephemeral/home -H -o value)"
+      dataset="omen-ssd/ephemeral/home"
+      generation="$(("$generation" + 1))"
+      zfs set ":generation=$generation" "$dataset"
+      zfs send "$dataset" | zfs recv "$dataset/$generation"
+      zfs rollback "$dataset@blank" && echo "rollback complete"
+
+
+      while IFS="\n" read gen
+      do
+        echo "$gen < $(("$generation" - 10))"
+        if [ "$gen" -lt "$(("$generation" - 10))" ]; then
+          zfs destroy -r "$dataset/$gen"
+          echo "destroyed "
+        fi
+      done <<< "$(zfs list "omen-ssd/ephemeral/home" -t filesystem -r -H -o name | xargs -I {} ${pkgs.runtimeShell} -c 'echo "$1" | rev | cut -f 1 -d "/" | rev' sh {} | grep -v home)"
+    '';
+  };
+
+
+  systemd.services."home-manager-main-pre.service" = {
+    description = "Home Manager environment prestart for main";
+
+    wantedBy = [ "multi-user.target" ];
+    before = [ "home-manager-main.service" ];
+
+    script = ''
+      set -e
+      mkdir -p /home/main
+      chown 1000:1000 /home/main
+    '';
+
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = "yes";
+      TimeoutStartSec = "5m";
+    };
+  };
+}