persist module

2022-12-14 23:46:25 +03:00 · 2022-12-14 23:46:25 +03:00 · 167d11428c
commit 167d11428c
parent 346dfd683c
30 changed files with 284 additions and 15 deletions
--- a/flake.nix
+++ b/flake.nix
@ -23,6 +23,7 @@
      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+    impermanence.url = "github:nix-community/impermanence";
    arkenfox-userjs = {
      url = "github:arkenfox/user.js";
      flake = false;
--- a/modules/persist.nix
+++ b/modules/persist.nix
@ -0,0 +1,145 @@
+{ config, pkgs, lib, inputs, ... }:
+let
+  cfg = config.persist;
+
+  takeAll = what: concatMap (x: x.${what});
+
+  persists = with cfg; [ state derivative cache ];
+
+  absoluteHomeFiles = map (x: "${cfg.homeDir}/${x}");
+
+  allFiles = takeAll "files" persists;
+
+  allHomeFiles = takeAll "homeFiles" persists;
+
+  allDirectories = takeAll "directories" persists;
+
+  allHomeDirectories = takeAll "homeDirectories" persists;
+
+  inherit (builtins) concatMap;
+  inherit (lib) mkIf;
+
+  homeDirectory = config.home-manager.users.${config.mainuser}.home.homeDirectory;
+
+in {
+  options = let
+    inherit (lib) mkOption mkEnableOption;
+    inherit (lib.types) listOf path str;
+    common = {
+      directories = mkOption {
+        type = listOf path;
+        default = [ ];
+      };
+      files = mkOption {
+        type = listOf str;
+        default = [ ];
+      };
+      homeDirectories = mkOption {
+        type = listOf str;
+        default = [ ];
+      };
+      homeFiles = mkOption {
+        type = listOf str;
+        default = [ ];
+      };
+    };
+  in {
+    persist = {
+
+      enable = mkEnableOption "a tmpfs root with explicit opt-in state";
+
+      persistRoot = mkOption {
+        type = path;
+        default = "/persistent";
+      };
+
+      homeDir = mkOption {
+        type = path;
+        default = homeDirectory;
+      };
+
+      # Stuff that matters
+      # TODO backups of this stuff
+      state = {
+        # backup = {...};
+      } // common;
+
+      # Stuff that can be computed from declarative+state, but is never invalidated (so shouldn't be cleaned up)
+      derivative = common;
+
+      # Stuff that's just there to speed up the system
+      # It's cleaned up regularly, to solve the cache invalidation problem once and for all
+      cache = {
+        clean = {
+          enable = mkEnableOption "cleaning the cache files and directories";
+          dates = mkOption {
+            type = str;
+            default = "weekly";
+            description =
+              "A systemd.time calendar description of when to clean the cache files";
+          };
+        };
+      } // common;
+
+    };
+  };
+
+  imports = [ inputs.impermanence.nixosModules.impermanence ];
+
+  config = mkIf cfg.enable {
+
+
+    environment.persistence.${cfg.persistRoot} = {
+      directories = allDirectories;
+      files = allFiles;
+    };
+
+    home-manager.users.${config.mainuser} = {
+      imports = [ inputs.impermanence.nixosModules.home-manager.impermanence ];
+      home.persistence."${cfg.persistRoot}${homeDirectory}" = {
+        directories = allHomeDirectories;
+        files = allHomeFiles;
+        allowOther = false;
+        removePrefixDirectory = false;
+      };
+    };
+
+    fileSystems."/" = lib.mkIf (config.deviceSpecific.devInfo.fileSystem != "zfs") {
+      device = "none";
+      options = [ "defaults" "size=2G" "mode=755" ];
+      fsType = "tmpfs";
+    };
+
+    boot.initrd = lib.mkIf (config.deviceSpecific.devInfo.fileSystem != "zfs") {
+      postMountCommands =
+        assert config.fileSystems
+        ? ${cfg.persistRoot}
+        && config.fileSystems.${cfg.persistRoot}.neededForBoot; ''
+          mkdir -p /mnt-root/nix
+          mount --bind /mnt-root${cfg.persistRoot}/nix /mnt-root/nix
+          chmod 755 /mnt-root
+        '';
+    };
+
+    # Euuuugh
+    systemd.services.persist-cache-cleanup = lib.mkIf cfg.cache.clean.enable {
+      description = "Cleaning up cache files and directories";
+      script = ''
+        ${builtins.concatStringsSep "\n" (map (x: "rm ${lib.escapeShellArg x}")
+          (cfg.cache.files
+            ++ absoluteHomeFiles cfg.cache.homeFiles))}
+
+        ${builtins.concatStringsSep "\n" (map (x: "rm -rf ${lib.escapeShellArg x}")
+          (cfg.cache.directories ++ cfg.cache.homeDirectories))}
+      '';
+      startAt = cfg.cache.clean.dates;
+    };
+
+    # system.activationScripts = {
+    #   homedir.text = builtins.concatStringsSep "\n" (map (dir: ''
+    #     mkdir -p ${cfg.persistRoot}${dir}
+    #     chown ${config.mainuser}:users ${cfg.persistRoot}${dir}
+    #   '') (builtins.filter (lib.hasPrefix homeDirectory) allDirectories));
+    # };
+  };
+}
--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@ -61,7 +61,7 @@ let
        lib.escapeShellArg config.secretsConfig.repo
      } "${password-store}"
    fi
-    cat ${password-store}/spotify.gpg | ${pkgs.gnupg}/bin/gpg --decrypt > /dev/null
+    cat ${password-store}/ssh-builder.gpg | ${pkgs.gnupg}/bin/gpg --decrypt > /dev/null
    [ ! -z "${allServices}" ] && doas systemctl restart ${allServices}
  '';

@ -150,6 +150,9 @@ in {
    args = [ "restart" ] ++ allServicesMap;
  }];

+  config.persist.derivative.directories = [ "/var/secrets" ];
+  config.persist.derivative.homeDirectories = [ password-store ];
+
  config.home-manager.users.${config.mainuser} = {
    systemd.user.services.activate-secrets = {
      Service = {
--- a/profiles/applications/steam.nix
+++ b/profiles/applications/steam.nix
@ -2,9 +2,13 @@
  programs.steam.enable = true;
  hardware.steam-hardware.enable = true;

-  # startupApplications = [
-  #   "${pkgs.steam}/bin/steam"
-  # ];
+  startupApplications = [
+    "${pkgs.steam}/bin/steam"
+  ];
+
+  persist.state.homeDirectories = [
+    ".local/share/Steam"
+  ];

  # systemd.user.services.x11-ownership = rec {
  #   # serviceConfig.Type = "oneshot";
--- a/profiles/applications/tor-browser.nix
+++ b/profiles/applications/tor-browser.nix
@ -9,4 +9,6 @@ in {
  ] else [
    pkgs.tor-browser-bundle-bin
  ];
+
+  persist.state.homeDirectories = [ ".local/share/tor-browser" ];
 }
--- a/profiles/applications/waydroid.nix
+++ b/profiles/applications/waydroid.nix
@ -21,5 +21,8 @@ in {
    virtualisation.waydroid.enable = true;
    # virtualisation.lxd.enable = true;
    home-manager.users.${config.mainuser}.home.packages = [ pkgs.waydroid-script ];
+
+    persist.state.directories = [ "/var/lib/waydroid" ];
+    persist.state.homeDirectories = [ ".local/share/waydroid" ];
  };
 }
--- a/profiles/bluetooth.nix
+++ b/profiles/bluetooth.nix
@ -0,0 +1,20 @@
+{ config, pkgs, lib, ... }: {
+  hardware.bluetooth = {
+    enable = !isServer;
+    # package = pkgs.bluez;
+  };
+
+  # systemd.services.bluetooth.serviceConfig.ExecStart = lib.mkForce [
+  #   ""
+  #   "${pkgs.bluez}/libexec/bluetooth/bluetoothd -f /etc/bluetooth/main.conf -E"
+  # ];
+
+  persist.state.directories = [ "/var/lib/bluetooth" ];
+
+  home-manager.users.${config.mainuser}.programs.zsh.shellAliases = let
+    headphones = "D8:37:3B:60:5D:55";
+  in {
+    "hpc" = "bluetoothctl connect ${headphones}";
+    "hpd" = "bluetoothctl disconnect ${headphones}";
+  };
+}
--- a/profiles/boot.nix
+++ b/profiles/boot.nix
@ -7,6 +7,8 @@ with config.deviceSpecific; {
    numDevices = 1;
  };

+  persist.state.files = [ "/etc/machine-id" ];
+
  boot = if !isServer && !isISO then {
    loader = {
      timeout = lib.mkForce 4;
@ -36,6 +38,7 @@ with config.deviceSpecific; {
    };

    cleanTmpDir = true;
+    zfs.forceImportAll = false;
  } else if isServer then {
    kernelPackages = pkgs.linuxPackages_hardened;
    kernelModules = [ "tcp_bbr" ];
@ -64,9 +67,11 @@ with config.deviceSpecific; {
      "vm.swappiness" = if config.deviceSpecific.isSSD then 1 else 10;
    };
    cleanTmpDir = true;
+    zfs.forceImportAll = false;
  } else {
    kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
    kernelParams = lib.mkForce [ "zswap.enabled=0" ];
    supportedFilesystems = lib.mkForce [ "ext4" "vfat" "btrfs" "ntfs" ];
+    zfs.forceImportAll = false;
  };
 }
--- a/profiles/mullvad.nix
+++ b/profiles/mullvad.nix
@ -5,7 +5,11 @@ in {
  config = lib.mkIf vpn.enable {
    services.mullvad-vpn.enable = true;
    services.mullvad-vpn.enableExcludeWrapper = true;
-    home-manager.users.${config.mainuser}.home.packages = [ pkgs.mullvad-vpn ];
+    services.mullvad-vpn.package = pkgs.mullvad-vpn;
    startupApplications = [ "${pkgs.mullvad-vpn}/share/mullvad/mullvad-gui" ];
+
+    persist.state.homeDirectories = [
+      ".config/Mullvad VPN"
+    ];
  };
 }
--- a/profiles/network.nix
+++ b/profiles/network.nix
@ -53,4 +53,8 @@ with config.deviceSpecific;
      0.0.0.0 remote-config-proxy-prd.uca.cloud.unity3d.com
    '';
  };
+
+  persist.state.directories = lib.mkIf config.networkmanager.enable [
+    "/etc/NetworkManager/system-connections"
+  ];
 }
--- a/profiles/nix/default.nix
+++ b/profiles/nix/default.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, inputs, system,  ... }:
+{ config, lib, pkgs, inputs,  ... }:
 with config.deviceSpecific; {
  nix = rec {
    nixPath = lib.mkForce [ "self=/etc/self/compat" "nixpkgs=/etc/nixpkgs" ];
@ -53,4 +53,6 @@ with config.deviceSpecific; {

  environment.etc.nixpkgs.source = inputs.nixpkgs;
  environment.etc.self.source = inputs.self;
+
+  persist.state.homeDirectories = [ ".local/share/nix" ];
 }
--- a/profiles/servers/a2ln-server.nix
+++ b/profiles/servers/a2ln-server.nix
@ -14,4 +14,6 @@
    wantedBy = [ "multi-user.target" ];
  };
  networking.firewall.allowedTCPPorts = [ 23045 23046 ];
+
+  persist.state.homeDirectories = [ ".config/a2ln" ];
 }
--- a/profiles/servers/duplicacy.nix
+++ b/profiles/servers/duplicacy.nix
@ -72,4 +72,8 @@ in {
    partOf = [ "duplicacy-prune.service" ];
    timerConfig.OnCalendar = [ "*-*-* 01:00:00" ];
  };
+
+  # FIXME!
+  persist.state.directories = lib.mkIf config.deviceSpecific.devInfo.fileSystem != "zfs"
+    [ "/backup" ];
 }
--- a/profiles/servers/fail2ban.nix
+++ b/profiles/servers/fail2ban.nix
@ -56,4 +56,6 @@
      ignoreregex =
    '';
  };
+
+  persist.state.directories = [ "/var/lib/fail2ban" ];
 }
--- a/profiles/servers/gitea.nix
+++ b/profiles/servers/gitea.nix
@ -15,7 +15,7 @@
    httpPort = 6000;
    lfs.enable = true;
    rootUrl = "https://code.ataraxiadev.com";
-    stateDir = "/gitea/data";
+    stateDir = "/gitea/data"; # FIXME!
    settings = {
      attachment = {
        MAX_SIZE = 100;
--- a/profiles/servers/mailserver.nix
+++ b/profiles/servers/mailserver.nix
@ -146,4 +146,14 @@ in {
    enableSubmissionSsl = true;
    virusScanning = false;
  };
+
+  # FIXME: ownership of mail directory
+  persist.state.directories = [
+    "/var/lib/dovecot"
+    "/var/lib/postfix"
+    "/var/lib/dhparams"
+
+    "/var/dkim"
+    config.mailserver.mailDirectory
+  ];
 }
--- a/profiles/servers/microbin.nix
+++ b/profiles/servers/microbin.nix
@ -17,4 +17,6 @@
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
  };
+
+  persist.state.directories = [ "/var/microbin" ];
 }
--- a/profiles/servers/nginx.nix
+++ b/profiles/servers/nginx.nix
@ -234,4 +234,8 @@
  environment.systemPackages = with pkgs; [ python3 python3Packages.requests ];

  networking.firewall.allowedTCPPorts = [ 80 443 8448 ];
+
+  persist.state.directories = [
+    "/var/lib/acme"
+  ];
 }
--- a/profiles/servers/roundcube.nix
+++ b/profiles/servers/roundcube.nix
@ -29,4 +29,6 @@
    "listen.owner" = config.services.nginx.user;
    "listen.group" = config.services.nginx.group;
  };
+
+  persist.state.directories = [ "/var/lib/roundcube" ];
 }
--- a/profiles/servers/vaultwarden.nix
+++ b/profiles/servers/vaultwarden.nix
@ -32,4 +32,6 @@
    };
    environmentFile = config.secrets.vaultwarden.decrypted;
  };
+
+  persist.state.directories = [ "/var/lib/bitwarden_rs" ];
 }
--- a/profiles/servers/vscode-server.nix
+++ b/profiles/servers/vscode-server.nix
@ -6,4 +6,6 @@
  home-manager.users.${config.mainuser} = {
    services.vscode-server.enable = true;
  };
+
+  # persist.state.homeDirectories = [ ".vscode-server" ];
 }
--- a/profiles/services.nix
+++ b/profiles/services.nix
@ -4,7 +4,7 @@ with config.deviceSpecific; {
  services.acpid.enable = !isServer;
  services.acpid.logEvents = false;

-  hardware.bluetooth.enable = !isServer;
+
  services.blueman.enable = !isServer;

  services.btrbk.instances = lib.mkIf (devInfo.fileSystem == "btrfs") {
--- a/profiles/virtualisation.nix
+++ b/profiles/virtualisation.nix
@ -47,7 +47,7 @@ with config.deviceSpecific; {
      systemConfig = ''
        lxc.lxcpath = /var/lib/lxd/containers
        ${if devInfo.fileSystem == "zfs" then ''
-          lxc.bdev.zfs.root = rpool/lxd
+          lxc.bdev.zfs.root = rpool/nixos/lxd
        '' else ""}
      '';
      defaultConfig = ''
@ -64,5 +64,10 @@ with config.deviceSpecific; {
      internalInterfaces = [ "ve-+" ];
      # externalInterface = "enp8s0";
    };
+
+    persist.state.directories = lib.mkIf devInfo.fileSystem != "zfs" [
+      "/var/lib/docker"
+      "/var/lib/libvirt"
+    ];
  };
 }
--- a/profiles/workspace/direnv.nix
+++ b/profiles/workspace/direnv.nix
@ -6,4 +6,6 @@
      nix-direnv.enable = true;
    };
  };
+
+  persist.state.homeDirectories = [ ".local/share/direnv" ];
 }
--- a/profiles/workspace/gpg.nix
+++ b/profiles/workspace/gpg.nix
@ -25,4 +25,6 @@ with config.deviceSpecific; {
      };
    };
  };
+
+  persist.state.homeDirectories = [ ".local/share/gnupg" ];
 }
--- a/profiles/workspace/misc.nix
+++ b/profiles/workspace/misc.nix
@ -36,4 +36,26 @@

  systemd.services.systemd-timesyncd.wantedBy = [ "multi-user.target" ];
  systemd.timers.systemd-timesyncd = { timerConfig.OnCalendar = "hourly"; };
+
+  persist.state.files = lib.mkIf (config.deviceSpecific.devInfo.fileSystem == "zfs") [
+    "/etc/zfs/zpool.cache"
+  ];
+  persist.cache.homeDirectories = [
+    ".cache"
+    ".local/share/cargo"
+  ];
+  persist.cache.directories = [
+    "/var/cache"
+  ];
+  persist.state.directories = [
+    "/var/lib/nixos"
+    "/var/lib/systemd"
+  ];
+  persist.state.homeDirectories = [
+    "projects"
+    "nixos-config"
+  ] ++ lib.optionals (!config.deviceSpecific.isServer) [
+    "games"
+    # "persist"
+  ];
 }
--- a/profiles/workspace/nix-index.nix
+++ b/profiles/workspace/nix-index.nix
@ -5,4 +5,6 @@
      enableZshIntegration = true;
    };
  };
+
+  persist.derivative.homeDirectories = [ ".cache/nix-index" ];
 }
--- a/profiles/workspace/ssh.nix
+++ b/profiles/workspace/ssh.nix
@ -14,11 +14,7 @@ with config.deviceSpecific; {
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDP0/DReYSAfkucroMTdELzTORsGhhbEa+W0FDFBnwViHuoqoKvetCOkW657icexc5v/j6Ghy3+Li9twbHnEDzUJVtNtauhGMjOcUYt6pTbeJ09CGSAh+orxzeY4vXp7ANb91xW8yRn/EE4ALxqbLsc/D7TUMl11fmf0UW+kLgU5TcUYVSLMjQqBpD1Lo7lXLrImloDxe5fwoBDT09E59r9tq6+/3aHz8mpKRLsIQIV0Av00BRJ+/OVmZuBd9WS35rfkpUYmpEVInSJy3G4O6kCvY/zc9Bnh67l4kALZZ0+6W23kBGrzaRfaOtCEcscwfIu+6GXiHOL33rrMNNinF0T2942jGc18feL6P/LZCzqz8bGdFNxT43jAGPeDDcrJEWAJZFO3vVTP65dTRTHQG2KlQMzS7tcif6YUlY2JLJIb61ZfLoShH/ini/tqsGT0Be1f3ndOFt48h4XMW1oIF+EXaHYeO2UJ6855m8Wpxs4bP/jX6vMV38IvvnHy4tWD50= alukard@AMD-Workstation"
  ];

-  secrets.ssh-builder = {
-    permissions = "644";
-    decrypted = "/root/.ssh/ssh-builder";
-  };
-
+  secrets.ssh-builder = {};
  programs.ssh.extraConfig = ''
    Host nix-builder
      hostname 192.168.0.100
@ -60,4 +56,13 @@ with config.deviceSpecific; {
      '';
    };
  };
+
+  persist.state.files = [
+    "/etc/ssh/ssh_host_ed25519_key"
+    "/etc/ssh/ssh_host_ed25519_key.pub"
+    "/etc/ssh/ssh_host_rsa_key"
+    "/etc/ssh/ssh_host_rsa_key.pub"
+    "/root/.ssh/known_hosts"
+  ];
+  persist.state.homeDirectories = [ ".ssh" ];
 }
--- a/profiles/workspace/xdg.nix
+++ b/profiles/workspace/xdg.nix
@ -10,7 +10,14 @@
  };

  environment.sessionVariables = {
-    # XDG_CURRENT_DESKTOP = "X-Generic";
    DE = "generic";
  };
+
+  persist.state.homeDirectories = [
+    "Documents"
+    "Downloads"
+    "Music"
+    "Pictures"
+    "Videos"
+  ];
 }
--- a/roles/base.nix
+++ b/roles/base.nix
@ -15,6 +15,7 @@
    network
    nix
    overlay
+    persist
    secrets
    secrets-envsubst
    security