Flake for my NixOS devices

Better lanzaboote control, better ssh host keys

bwc9876.dev e281bd0e 3b93c447

+49 -34
+48 -29
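--- a/nixosModules/imperm.nix
+++ b/nixosModules/imperm.nix
@@ -1,12 +1,10 @@
-{ ... }:
-{
+{...}: {
   config,
   lib,
   inputs,
   ...
-}:
-{
-  imports = [ inputs.imperm.nixosModules.default ];
+}: {
+  imports = [inputs.imperm.nixosModules.default];
 
   options.cow.imperm = {
     enable = lib.mkEnableOption "Impermanence, turns off mutable users and expects you to define their password hashes";
@@ -23,49 +21,70 @@
     keep = lib.mkOption {
       type = lib.types.listOf lib.types.str;
       description = "Paths to keep that should be backed up";
-      default = [ ];
+      default = [];
     };
     keepCache = lib.mkOption {
       type = lib.types.listOf lib.types.str;
       description = "Paths to keep that shouldn't be backed up";
-      default = [ ];
+      default = [];
     };
   };
 
-  config =
-    let
-      users = if config.cow.hm.enable then config.home-manager.users else { };
-      persistRoot = config.cow.imperm.persistRoot; # Anything important we want backed up
-      cacheRoot = config.cow.imperm.cacheRoot; # Anything not as important that we can stand losing
-    in
+  config = let
+    users =
+      if config.cow.hm.enable
+      then config.home-manager.users
+      else {};
+    persistRoot = config.cow.imperm.persistRoot; # Anything important we want backed up
+    cacheRoot = config.cow.imperm.cacheRoot; # Anything not as important that we can stand losing
+  in
     lib.mkIf config.cow.imperm.enable {
       users.mutableUsers = false;
 
+      boot.lanzaboote.pkiBundle = lib.mkIf config.cow.lanzaboote.enable "${persistRoot}/secure/secureboot";
+
+      services.openssh.hostKeys = lib.mkIf config.cow.ssh-server.enable [
+        {
+          bits = 4096;
+          path = "${persistRoot}/secure/ssh_host_rsa_key";
+          type = "rsa";
+        }
+        {
+          path = "${persistRoot}/secure/ssh_host_ed25519_key";
+          type = "ed25519";
+        }
+      ];
+
       environment.persistence = {
         "${cacheRoot}" = {
           enable = true;
           hideMounts = true;
-          directories = [
-            "/var/log"
-            "/var/lib/nixos"
-            "/var/lib/systemd/coredump"
-            "/var/lib/systemd/timers"
-            "/var/lib/systemd/rfkill"
-            "/var/lib/systemd/backlight"
-          ]
-          ++ config.cow.imperm.keepCache;
-          users = builtins.mapAttrs (_: v: {
-            directories = v.cow.imperm.keepCache or [ ];
-          }) users;
+          directories =
+            [
+              "/var/log"
+              "/var/lib/nixos"
+              "/var/lib/systemd/coredump"
+              "/var/lib/systemd/timers"
+              "/var/lib/systemd/rfkill"
+              "/var/lib/systemd/backlight"
+            ]
+            ++ config.cow.imperm.keepCache;
+          users =
+            builtins.mapAttrs (_: v: {
+              directories = v.cow.imperm.keepCache or [];
+            })
+            users;
         };
         "${persistRoot}" = {
           enable = true;
           hideMounts = true;
           directories = config.cow.imperm.keep;
-          users = builtins.mapAttrs (_: v: {
-            directories = v.cow.imperm.keep or [ ];
-            files = v.cow.imperm.keepFiles or [ ];
-          }) users;
+          users =
+            builtins.mapAttrs (_: v: {
+              directories = v.cow.imperm.keep or [];
+              files = v.cow.imperm.keepFiles or [];
+            })
+            users;
         };
       };
     };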
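Review bot: New lines 44–56 place the lanzaboote PKI bundle and both sshd host private keys under `${persistRoot}/secure`, and the comment on line 38 defines persistRoot as the tree that gets backed up, so every backup of this host now carries its Secure Boot signing keys and its SSH host identity. That is a sensible place for them to survive reboots, but the backup target must then be handled as secret material (encrypted, access restricted) or `secure/` must be excluded from the backup job; I would record that decision directly above line 44, e.g. `# secure/ holds private keys (sshd host keys, lanzaboote PKI); backups of persistRoot contain them`. The host-key entries set no ownership or mode, so safe permissions depend on the openssh service's key-generation step creating the parent directory and key files, which is worth confirming on a fresh install (`${persistRoot}/secure` root-owned, key files mode 0600) before the first backup runs. Both `lib.mkIf` guards reference `config.cow.lanzaboote.enable` and `config.cow.ssh-server.enable`, which are not declared in this file, so presumably sibling modules define them.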
+1 -5
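--- a/nixosModules/lanzaboote.nix
+++ b/nixosModules/lanzaboote.nix
@@ -14,11 +14,7 @@
 
     lanzaboote = {
       enable = true;
-      pkiBundle = lib.mkDefault (
-        if config.cow.imperm.enable
-        then "/nix/persist/secure/secureboot"
-        else "/etc/secureboot"
-      );
+      pkiBundle = lib.mkDefault "/var/lib/sbctl";
     };
   };
 }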
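Review bot: The new default `pkiBundle = lib.mkDefault "/var/lib/sbctl";` on line 17 no longer accounts for impermanence, so on a host with an ephemeral root this path is only safe because imperm.nix in the same commit overrides it with a persisted location when `config.cow.lanzaboote.enable` is set, and nothing in this file documents that coupling. If that override is ever removed or the two enable flags diverge, the Secure Boot signing keys would be created on the wiped root and vanish at reboot, which would presumably leave later generations unsignable. I would add above line 17: `# Ephemeral under impermanence: imperm.nix overrides this with a persisted path; do not rely on /var/lib/sbctl surviving a reboot there.` The attribute set that `lanzaboote = {` is nested in starts above this hunk.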