57 lines
1.4 KiB
Nix
57 lines
1.4 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
username,
|
|
...
|
|
}:
|
|
{
|
|
environment.persistence."/persistent" = {
|
|
hideMounts = true;
|
|
directories = [
|
|
"/var/log"
|
|
"/var/lib/systemd/coredump"
|
|
"/var/lib/nixos"
|
|
"/var/lib/systemd/timers"
|
|
"/var/lib/bluetooth"
|
|
];
|
|
|
|
files = [
|
|
"/etc/ssh/ssh_host_ed25519_key"
|
|
"/etc/ssh/ssh_host_ed25519_key.pub"
|
|
"/etc/ssh/ssh_host_rsa_key"
|
|
"/etc/ssh/ssh_host_rsa_key.pub"
|
|
"/etc/machine-id"
|
|
];
|
|
|
|
users.root = {
|
|
files = [
|
|
".local/share/fish/fish_history"
|
|
];
|
|
};
|
|
};
|
|
|
|
# Bind mount entire home directory from persistent storage
|
|
# (impermanence doesn't support "." so we do this directly)
|
|
fileSystems."/home/${username}" = {
|
|
device = "/persistent/home/${username}";
|
|
fsType = "none";
|
|
options = [ "bind" ];
|
|
neededForBoot = true;
|
|
};
|
|
# /var/lib/agenix holds the TPM-sealed age identity. agenix decrypts secrets
|
|
# from initrd-nixos-activation-start, which runs *before* impermanence's
|
|
# stage-2 bind mounts. Mount it explicitly with neededForBoot so the
|
|
# identity is in place when activation reads it. (NixOS auto-marks /var/log
|
|
# and /var/lib/nixos as neededForBoot; /var/lib/agenix is not in that set.)
|
|
fileSystems."/var/lib/agenix" = {
|
|
device = "/persistent/var/lib/agenix";
|
|
fsType = "none";
|
|
options = [ "bind" ];
|
|
neededForBoot = true;
|
|
};
|
|
|
|
systemd.tmpfiles.rules = [
|
|
"d /etc 755 root"
|
|
];
|
|
}
|