Flake for my NixOS devices
# NixOS module: imports the module from `inputs.imperm` and feeds it through
# `environment.persistence`, driven by the `cow.imperm.*` options declared below.
{...}: {
  config,
  lib,
  inputs,
  ...
}: {
  imports = [inputs.imperm.nixosModules.default];

  options.cow.imperm = {
    enable = lib.mkEnableOption "Impermanence, turns off mutable users and expects you to define their password hashes";

    # Root of the tree that is meant to be backed up.
    persistRoot = lib.mkOption {
      description = "Path to store persisted data";
      type = lib.types.str;
      default = "/nix/persist";
    };

    # Root of the tree that is kept across reboots but not backed up.
    # NOTE(review): "perist" looks like a typo for "persist". It is left as-is
    # here because changing the default would change where already-deployed
    # machines look for their cache data.
    cacheRoot = lib.mkOption {
      description = "Path to store cache data";
      type = lib.types.str;
      default = "/nix/perist-cache";
    };

    # Extra system-level directories for the backed-up tree.
    keep = lib.mkOption {
      description = "Paths to keep that should be backed up";
      type = lib.types.listOf lib.types.str;
      default = [];
    };

    # Extra system-level directories for the non-backed-up tree.
    keepCache = lib.mkOption {
      description = "Paths to keep that shouldn't be backed up";
      type = lib.types.listOf lib.types.str;
      default = [];
    };
  };

  config = let
    cfg = config.cow.imperm;

    # persistRoot: anything important we want backed up.
    # cacheRoot: anything not as important that we can stand losing.
    inherit (cfg) persistRoot cacheRoot;

    # Home-manager user configs, or an empty set when cow.hm is disabled, so
    # the per-user sections below collapse to {}.
    hmUsers = lib.optionalAttrs config.cow.hm.enable config.home-manager.users;

    # Build one persistence entry per home-manager user from that user's config.
    perUser = mkEntry: builtins.mapAttrs (_name: mkEntry) hmUsers;
  in
    lib.mkIf cfg.enable {
      # Accounts and passwords now come only from the declared configuration;
      # the option description above expects password hashes to be defined.
      # NOTE(review): a hash written inline (`hashedPassword`) is copied into
      # the world-readable Nix store; `hashedPasswordFile` pointing at a
      # root-only file on a persisted path avoids that. How hashes are supplied
      # is not visible in this file.
      users.mutableUsers = false;

      # Secure Boot key material and SSH host private keys all live under
      # ${persistRoot}/secure.
      # NOTE(review): persistRoot is the backed-up tree, so these private keys
      # end up in every backup unless secure/ is excluded or the backups are
      # encrypted and access-controlled. Nothing here sets the ownership or
      # mode of the directory; confirm it is root-only.
      boot.lanzaboote.pkiBundle = lib.mkIf config.cow.lanzaboote.enable "${persistRoot}/secure/secureboot";

      # Pin host key locations to the persisted tree so the host identity
      # survives reboots. An RSA-4096 and an Ed25519 key are both configured.
      services.openssh.hostKeys = lib.mkIf config.cow.ssh-server.enable [
        {
          type = "rsa";
          bits = 4096;
          path = "${persistRoot}/secure/ssh_host_rsa_key";
        }
        {
          type = "ed25519";
          path = "${persistRoot}/secure/ssh_host_ed25519_key";
        }
      ];

      environment.persistence = {
        # Kept across reboots, not backed up.
        # NOTE(review): /var/log is in this tree, so logs survive a reboot but
        # not loss of the disk; forward them off-host if they are needed for
        # incident response. Core dumps can hold secrets from process memory,
        # so the coredump directory should stay readable by root only.
        "${cacheRoot}" = {
          enable = true;
          hideMounts = true;
          directories =
            [
              "/var/log"
              "/var/lib/nixos"
              "/var/lib/systemd/coredump"
              "/var/lib/systemd/timers"
              "/var/lib/systemd/rfkill"
              "/var/lib/systemd/backlight"
            ]
            ++ cfg.keepCache;
          # `or []` covers users whose home-manager config lacks the attribute.
          users = perUser (userCfg: {
            directories = userCfg.cow.imperm.keepCache or [];
          });
        };

        # Kept across reboots and backed up. Only explicitly listed paths are
        # persisted here; there is no built-in directory list.
        "${persistRoot}" = {
          enable = true;
          hideMounts = true;
          directories = cfg.keep;
          # Per-user directories and files; both fall back to [] when unset.
          users = perUser (userCfg: {
            directories = userCfg.cow.imperm.keep or [];
            files = userCfg.cow.imperm.keepFiles or [];
          });
        };
      };
    };
}