nixdots/system/shared/impermanence/root.nix

77 lines
2.7 KiB
Nix
Raw Permalink Normal View History

2024-07-26 23:07:07 +00:00
{
config,
lib,
...
}: let
2024-04-07 22:36:02 +00:00
inherit (lib) mkIf mkForce;
2024-04-07 16:28:15 +00:00
cfgSystem = config.myOptions.system;
cfg = config.myOptions.system.impermanence.root;
2024-07-26 23:07:07 +00:00
in {
2024-04-07 16:28:15 +00:00
config = mkIf cfg.enable {
users = {
# This option makes it that users are not mutable outside of our configuration.
# If you're using root impermanence, this will actually be the case regardless
# of this setting, however, setting this explicitly is a good idea, because nix
# will warn us if our users don't have passwords set, preventing lock outs.
mutableUsers = false;
# Each existing user needs to have a password file defined here, otherwise
# they will not be available to login. These password files can be generated with:
# mkpasswd -m sha-512 > /persist/passwords/myuser
users = {
root = {
hashedPasswordFile = "${cfg.persistentMountPoint}/passwords/root";
};
${cfgSystem.username} = {
hashedPasswordFile = "${cfg.persistentMountPoint}/passwords/${cfgSystem.username}";
};
};
};
environment.persistence."${cfg.persistentMountPoint}/system" = {
hideMounts = true;
2024-07-26 23:07:07 +00:00
directories =
[
"/etc/nixos" # NixOS configuration source
"/etc/NetworkManager/system-connections" # saved network connections
"/var/db/sudo" # keeps track of who got the sudo lecture already
# "/var/log" # I sometimes use a subvolume for this, added manually if not
"/var/lib/nixos"
"/var/lib/bluetooth"
"/var/lib/systemd/coredump" # captured coredumps
]
++ cfg.extraDirectories;
2024-04-07 16:28:15 +00:00
2024-07-26 23:07:07 +00:00
files =
[
"/etc/machine-id"
]
++ cfg.extraFiles;
2024-04-07 16:28:15 +00:00
};
# For some reason, NetworkManager needs this instead of the impermanence mode
# to not get screwed up
systemd.tmpfiles.rules = [
"L /var/lib/NetworkManager/secret_key - - - - ${cfg.persistentMountPoint}/system/var/lib/NetworkManager/secret_key"
"L /var/lib/NetworkManager/seen-bssids - - - - ${cfg.persistentMountPoint}/system/var/lib/NetworkManager/seen-bssids"
"L /var/lib/NetworkManager/timestamps - - - - ${cfg.persistentMountPoint}/system/var/lib/NetworkManager/timestamps"
];
# Define host key paths in the persistent mount point instead of using impermanence for these.
# This works better, because these keys also get auto-created if they don't already exist.
services.openssh.hostKeys = mkForce [
{
bits = 4096;
path = "${cfg.persistentMountPoint}/system/etc/ssh/ssh_host_rsa_key";
type = "rsa";
}
{
bits = 4096;
path = "${cfg.persistentMountPoint}/system/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
};
}