feat(nixos): add impermanence module for ephemeral roots

2025-07-07 12:16:14 +08:00 · 2025-07-07 12:16:14 +08:00 · 9abcb6c85b
commit 9abcb6c85b
parent 714c3b8940
4 changed files with 62 additions and 0 deletions
--- a/flake.lock
+++ b/flake.lock
@ -136,6 +136,21 @@
        "type": "github"
      }
    },
+    "impermanence": {
+      "locked": {
+        "lastModified": 1737831083,
+        "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "type": "github"
+      }
+    },
    "import-tree": {
      "locked": {
        "lastModified": 1751399845,
@ -196,6 +211,7 @@
        "flake-parts": "flake-parts",
        "git-hooks": "git-hooks",
        "home-manager": "home-manager",
+        "impermanence": "impermanence",
        "import-tree": "import-tree",
        "make-shell": "make-shell",
        "nixpkgs": "nixpkgs",
--- a/flake.nix
+++ b/flake.nix
@ -19,6 +19,8 @@
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+    # impermanence provides a nice abstraction over linking files from /persist
+    impermanence.url = "github:nix-community/impermanence";
    # import-tree imports all nix files in a given directory.
    import-tree.url = "github:vic/import-tree";
    # files lets us write text files and automatically add checks for them
--- a/nix/modules/machine/root/drive.nix
+++ b/nix/modules/machine/root/drive.nix
--- a/nix/modules/machine/root/ephemeral.nix
+++ b/nix/modules/machine/root/ephemeral.nix
@ -0,0 +1,44 @@
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
+let
+  inherit (lib) mkMerge mkIf mkAfter;
+in
+{
+  flake.modules.nixos.default =
+    { hostName, ... }:
+    let
+      inherit (config.flake.manifest.hosts.nixos.${hostName}.machine) root;
+    in
+    {
+      imports = [ inputs.impermanence.nixosModules.impermanence ];
+      config = mkMerge [
+        # Ephemeral by default - assumes btrfs
+        (mkIf (root.ephemeral or true) {
+          boot.initrd.postDeviceCommands = mkAfter ''
+            mkdir /btrfs_tmp
+            mount /dev/root_vg/root /btrfs_tmp
+
+            if [[ -e /btrfs_tmp/root ]]; then
+              btrfs subvolume delete "/btrfs_tmp/root"
+            fi
+          '';
+          programs.fuse.userAllowOther = true;
+          fileSystems."/persist".neededForBoot = true;
+          environment.persistence."/persist" = {
+            hideMounts = true;
+            files = [
+              "/etc/ssh/ssh_host_ed25519_key"
+              "/etc/ssh/ssh_host_ed25519_key.pub"
+              "/etc/ssh/ssh_host_rsa_key"
+              "/etc/ssh/ssh_host_rsa_key.pub"
+              "/etc/machine-id"
+            ];
+          };
+        })
+      ];
+    };
+}