diff --git a/common/container-node.nix b/common/container-node.nix
index 8f75046..968b4a6 100644
--- a/common/container-node.nix
+++ b/common/container-node.nix
@@ -1,9 +1,11 @@
 { lib, ... }:
 {
 imports = [
+ ./impermanence.nix # TODO: find a way to avoid needing this here
 ];
 boot.isContainer = true;
+ custom.impermanence.enable = false;
 custom.tailscale.enable = false;
 networking.useDHCP = lib.mkForce false;
 }
diff --git a/common/impermanence.nix b/common/impermanence.nix
index eb043ee..10c973d 100644
--- a/common/impermanence.nix
+++ b/common/impermanence.nix
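Review bot: The added `custom.impermanence.enable = false;` only evaluates when `./impermanence.nix` is imported, which is the reason for the new import line and its TODO; declaring `options.custom.impermanence` in a module that every host already imports (the same place `custom.tailscale.enable` is presumably declared) would let this file keep just the `enable = false` line and drop both the import and the TODO. Until then, the TODO would read better if it said why the import is needed, e.g. `# TODO: option is declared in impermanence.nix, so it must be imported even when disabled`.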
@@ -1,71 +1,84 @@
-{ pkgs, inputs, ... }:
+{ pkgs, inputs, lib, config, ... }:
+let
+ cfg = config.custom.impermanence;
+in
 {
- environment.persistence = {
- "/persist" = {
- directories = [ "/var/lib/nixos" ];
- files = [
- "/etc/machine-id"
- "/etc/ssh/ssh_host_ed25519_key"
- "/etc/ssh/ssh_host_ed25519_key.pub"
- "/etc/ssh/ssh_host_rsa_key"
- "/etc/ssh/ssh_host_rsa_key.pub"
- ];
+ options.custom.impermanence = {
+ enable = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = "Enable impermanent root fs";
 };
 };
- fileSystems."/".options = [
- "compress=zstd"
- "noatime"
- ];
- fileSystems."/nix".options = [
- "compress=zstd"
- "noatime"
- ];
- fileSystems."/persist".options = [
- "compress=zstd"
- "noatime"
- ];
- fileSystems."/persist".neededForBoot = true;
- fileSystems."/var/log".options = [
- "compress=zstd"
- "noatime"
- ];
- fileSystems."/var/log".neededForBoot = true;
+ config = lib.mkIf cfg.enable {
+ environment.persistence = {
+ "/persist" = {
+ directories = [ "/var/lib/nixos" ];
+ files = [
+ "/etc/machine-id"
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ "/etc/ssh/ssh_host_rsa_key"
+ "/etc/ssh/ssh_host_rsa_key.pub"
+ ];
+ };
+ };
- users.mutableUsers = false;
+ fileSystems."/".options = [
+ "compress=zstd"
+ "noatime"
+ ];
+ fileSystems."/nix".options = [
+ "compress=zstd"
+ "noatime"
+ ];
+ fileSystems."/persist".options = [
+ "compress=zstd"
+ "noatime"
+ ];
+ fileSystems."/persist".neededForBoot = true;
+ fileSystems."/var/log".options = [
+ "compress=zstd"
+ "noatime"
+ ];
+ fileSystems."/var/log".neededForBoot = true;
- # rollback results in sudo lectures after each reboot
- security.sudo.extraConfig = ''
- Defaults lecture = never
- '';
+ users.mutableUsers = false;
- # needed for allowOther in the home-manager impermanence config
- programs.fuse.userAllowOther = true;
+ # rollback results in sudo lectures after each reboot
+ security.sudo.extraConfig = ''
+ Defaults lecture = never
+ '';
- # reset / at each boot
- # Note `lib.mkBefore` is used instead of `lib.mkAfter` here.
- boot.initrd.postDeviceCommands = pkgs.lib.mkBefore ''
- mkdir /mnt
- mount /dev/mapper/luksroot /mnt
- if [[ -e /mnt/root ]]; then
- mkdir -p /mnt/old_roots
- timestamp=$(date --date="@$(stat -c %Y /mnt/root)" "+%Y-%m-%-d_%H:%M:%S")
- mv /mnt/root "/mnt/old_roots/$timestamp"
- fi
+ # needed for allowOther in the home-manager impermanence config
+ programs.fuse.userAllowOther = true;
- delete_subvolume_recursively() {
- IFS=$'\n'
- for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
- delete_subvolume_recursively "/mnt/$i"
- done
- btrfs subvolume delete "$1"
- }
+ # reset / at each boot
+ # Note `lib.mkBefore` is used instead of `lib.mkAfter` here.
+ boot.initrd.postDeviceCommands = pkgs.lib.mkBefore ''
+ mkdir /mnt
+ mount /dev/mapper/luksroot /mnt
+ if [[ -e /mnt/root ]]; then
+ mkdir -p /mnt/old_roots
+ timestamp=$(date --date="@$(stat -c %Y /mnt/root)" "+%Y-%m-%-d_%H:%M:%S")
+ mv /mnt/root "/mnt/old_roots/$timestamp"
+ fi
- for i in $(find /mnt/old_roots/ -maxdepth 1 -mtime +30); do
- delete_subvolume_recursively "$i"
- done
+ delete_subvolume_recursively() {
+ IFS=$'\n'
+ for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
+ delete_subvolume_recursively "/mnt/$i"
+ done
+ btrfs subvolume delete "$1"
+ }
- btrfs subvolume create /mnt/root
- umount /mnt
- '';
+ for i in $(find /mnt/old_roots/ -maxdepth 1 -mtime +30); do
+ delete_subvolume_recursively "$i"
+ done
+
+ btrfs subvolume create /mnt/root
+ umount /mnt
+ '';
+ };
 }
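Review bot: `users.mutableUsers = false;` now sits inside `lib.mkIf cfg.enable`, so any host that sets `custom.impermanence.enable = false` (the container node in this same commit) silently falls back to NixOS's default of mutable users, a change in account-hardening posture that has nothing to do with whether the root filesystem is rolled back. The sudo-lecture setting and `programs.fuse.userAllowOther` are genuinely tied to the rollback per their comments, but this line is not. Keeping it unconditional, e.g. `config = lib.mkMerge [ { users.mutableUsers = false; } (lib.mkIf cfg.enable { … }) ];`, preserves the previous behaviour on every host that imports this module. If mutable users on non-impermanent hosts is actually intended, a comment on that line inside the `mkIf` saying so would stop the next reader from treating it as an oversight.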