mirror of
https://github.com/ItsDrike/nixdots
synced 2024-09-19 20:39:42 +00:00
77 lines
2.7 KiB
Nix
77 lines
2.7 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
...
|
|
}: let
|
|
inherit (lib) mkIf mkForce;
|
|
|
|
cfgSystem = config.myOptions.system;
|
|
cfg = config.myOptions.system.impermanence.root;
|
|
in {
|
|
config = mkIf cfg.enable {
|
|
users = {
|
|
# This option makes it that users are not mutable outside of our configuration.
|
|
# If you're using root impermanence, this will actually be the case regardless
|
|
# of this setting, however, setting this explicitly is a good idea, because nix
|
|
# will warn us if our users don't have passwords set, preventing lock outs.
|
|
mutableUsers = false;
|
|
|
|
# Each existing user needs to have a password file defined here, otherwise
|
|
# they will not be available to login. These password files can be generated with:
|
|
# mkpasswd -m sha-512 > /persist/passwords/myuser
|
|
users = {
|
|
root = {
|
|
hashedPasswordFile = "${cfg.persistentMountPoint}/passwords/root";
|
|
};
|
|
${cfgSystem.username} = {
|
|
hashedPasswordFile = "${cfg.persistentMountPoint}/passwords/${cfgSystem.username}";
|
|
};
|
|
};
|
|
};
|
|
|
|
environment.persistence."${cfg.persistentMountPoint}/system" = {
|
|
hideMounts = true;
|
|
directories =
|
|
[
|
|
"/etc/nixos" # NixOS configuration source
|
|
"/etc/NetworkManager/system-connections" # saved network connections
|
|
"/var/db/sudo" # keeps track of who got the sudo lecture already
|
|
# "/var/log" # I sometimes use a subvolume for this, added manually if not
|
|
"/var/lib/nixos"
|
|
"/var/lib/bluetooth"
|
|
"/var/lib/systemd/coredump" # captured coredumps
|
|
]
|
|
++ cfg.extraDirectories;
|
|
|
|
files =
|
|
[
|
|
"/etc/machine-id"
|
|
]
|
|
++ cfg.extraFiles;
|
|
};
|
|
|
|
# For some reason, NetworkManager needs this instead of the impermanence mode
|
|
# to not get screwed up
|
|
systemd.tmpfiles.rules = [
|
|
"L /var/lib/NetworkManager/secret_key - - - - ${cfg.persistentMountPoint}/system/var/lib/NetworkManager/secret_key"
|
|
"L /var/lib/NetworkManager/seen-bssids - - - - ${cfg.persistentMountPoint}/system/var/lib/NetworkManager/seen-bssids"
|
|
"L /var/lib/NetworkManager/timestamps - - - - ${cfg.persistentMountPoint}/system/var/lib/NetworkManager/timestamps"
|
|
];
|
|
|
|
# Define host key paths in the persistent mount point instead of using impermanence for these.
|
|
# This works better, because these keys also get auto-created if they don't already exist.
|
|
services.openssh.hostKeys = mkForce [
|
|
{
|
|
bits = 4096;
|
|
path = "${cfg.persistentMountPoint}/system/etc/ssh/ssh_host_rsa_key";
|
|
type = "rsa";
|
|
}
|
|
{
|
|
bits = 4096;
|
|
path = "${cfg.persistentMountPoint}/system/etc/ssh/ssh_host_ed25519_key";
|
|
type = "ed25519";
|
|
}
|
|
];
|
|
};
|
|
}
|