misc: initial commit

2024-12-28 19:33:49 -05:00 · 2024-12-28 19:33:49 -05:00 · 964b99b28d
commit 964b99b28d
32 changed files with 1675 additions and 0 deletions
--- a/nixos/impermanence.nix
+++ b/nixos/impermanence.nix
@ -0,0 +1,52 @@
+{
+  inputs,
+  options,
+  ...
+}: {
+  imports = [inputs.impermanence.nixosModules.impermanence];
+
+  # There are bind mounts into here that are important for boot.
+  fileSystems."/persist".neededForBoot = true;
+
+  environment.persistence."/persist" = {
+    hideMounts = true;
+    directories = [
+      "/var/lib/nixos"
+      "/var/lib/bluetooth"
+      "/var/lib/fprint"
+      "/var/lib/upower"
+      "/var/lib/tailscale"
+      "/var/lib/systemd/coredump"
+      "/etc/NetworkManager/system-connections"
+      "/var/lib/iwd" # Known networks and keys
+      {
+        directory = "/var/lib/colord";
+        user = "colord";
+        group = "colord";
+        mode = "u=rwx,g=rx,o=";
+      }
+      # TODO: cups?
+    ];
+    files = [
+      "/etc/machine-id"
+      #{ file = "/var/keys/secret_file"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
+      "/var/lib/NetworkManager/secret_key"
+      "/var/lib/NetworkManager/seen-bssids"
+      "/var/lib/NetworkManager/timestamps"
+    ];
+  };
+
+  # /etc/{passwd,shadow} are not persisted
+  users.mutableUsers = false;
+
+  # Some report issues with impermanence file config for host keys, so just change their location
+  services.openssh.hostKeys =
+    builtins.map
+    (x: x // {path = "/persist" + x.path;})
+    options.services.openssh.hostKeys.default;
+
+  # sudo lecture db is not persisted, turn it off
+  security.sudo.extraConfig = ''
+    Defaults lecture = never
+  '';
+}