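{
  config,
  lib,
  ...
}: {
  # Impermanence wiring for this host. When enabled, only the paths declared
  # below survive a reboot: everything under persistRoot is treated as
  # important (expected to be backed up), everything under cacheRoot as
  # state we can afford to lose.
  options.cow.imperm = {
    enable = lib.mkEnableOption "Impermanence, turns off mutable users and expects you to define their password hashes";
    persistRoot = lib.mkOption {
      type = lib.types.str;
      default = "/nix/persist";
      description = "Path to store persisted data";
    };
    cacheRoot = lib.mkOption {
      type = lib.types.str;
      # NOTE(review): "perist" is a typo for "persist". Kept as-is because it is
      # the on-disk location of existing deployments; correcting the default
      # means moving the cache directory on every host that relies on it.
      default = "/nix/perist-cache";
      description = "Path to store cache data";
    };
    # System-wide paths (absolute) to persist; see `users` below for per-user paths.
    keep = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      description = "Paths to keep that should be backed up";
      default = [];
    };
    keepCache = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      description = "Paths to keep that shouldn't be backed up";
      default = [];
    };
  };

  config = let
    # Per-user persistence is only wired when home-manager is in use; each
    # user's own `cow.imperm.keep*` settings are read from its HM config.
    users =
      if config.cow.hm.enable
      then config.home-manager.users
      else {};
    persistRoot = config.cow.imperm.persistRoot; # Anything important we want backed up
    cacheRoot = config.cow.imperm.cacheRoot; # Anything not as important that we can stand losing
  in
    lib.mkIf config.cow.imperm.enable {
      # /etc/shadow is not persisted, so user accounts must be fully declared
      # (hashed passwords in the configuration); mutable users would be lost on reboot.
      users.mutableUsers = false;

      # Secure Boot signing material must outlive the ephemeral root, otherwise
      # every reboot would require re-enrolling keys.
      boot.lanzaboote.pkiBundle = lib.mkIf config.cow.lanzaboote.enable "${persistRoot}/secure/secureboot";

      # Host keys are kept under persistRoot/secure so the SSH host identity is
      # stable across reboots (a regenerated key would trip every client's
      # known_hosts check). Only the persisted root holds them; nothing here
      # changes the permissions sshd expects on the key files.
      services.openssh.hostKeys = lib.mkIf config.cow.ssh-server.enable [
        {
          bits = 4096;
          path = "${persistRoot}/secure/ssh_host_rsa_key";
          type = "rsa";
        }
        {
          path = "${persistRoot}/secure/ssh_host_ed25519_key";
          type = "ed25519";
        }
      ];

      environment.persistence = {
        "${cacheRoot}" = {
          enable = true;
          hideMounts = true;
          # State that is convenient to keep but not worth backing up. Note that
          # /var/log lives here: journal/auth history is kept across reboots but
          # is NOT in the backed-up root, so if log retention matters for
          # incident response, forward logs off-host or move /var/log to `keep`.
          directories =
            [
              "/var/log"
              "/var/lib/systemd/coredump"
              "/var/lib/systemd/timers"
              "/var/lib/systemd/rfkill"
              "/var/lib/systemd/backlight"
              "/var/tmp"
            ]
            ++ config.cow.imperm.keepCache;
          users =
            builtins.mapAttrs (_: v: {
              directories = v.cow.imperm.keepCache or [];
            })
            users;
        };
        "${persistRoot}" = {
          enable = true;
          hideMounts = true;
          # /var/lib/nixos holds the uid/gid maps NixOS uses to keep dynamically
          # assigned ids stable. It was previously under cacheRoot; losing it
          # lets ids be reassigned on the next boot, which silently changes the
          # ownership of everything persisted here, so it belongs with the
          # backed-up data.
          directories =
            [
              "/var/lib/nixos"
            ]
            ++ config.cow.imperm.keep;
          # Per-user entries are resolved by impermanence relative to each
          # user's home directory, so these lists hold home-relative paths.
          users =
            builtins.mapAttrs (_: v: {
              directories = v.cow.imperm.keep or [];
              files = v.cow.imperm.keepFiles or [];
            })
            users;
        };
      };
    };
}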