diff --git a/flake.lock b/flake.lock
index 91274d1..3deca02 100644
--- a/flake.lock
+++ b/flake.lock
@@ -75,6 +75,21 @@
 "type": "github"
 }
 },
+ "impermanence": {
+ "locked": {
+ "lastModified": 1708968331,
+ "narHash": "sha256-VUXLaPusCBvwM3zhGbRIJVeYluh2uWuqtj4WirQ1L9Y=",
+ "owner": "nix-community",
+ "repo": "impermanence",
+ "rev": "a33ef102a02ce77d3e39c25197664b7a636f9c30",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "impermanence",
+ "type": "github"
+ }
+ },
 "nixpkgs": {
 "locked": {
 "lastModified": 1702272962,
@@ -127,6 +142,7 @@
 "deploy-rs": "deploy-rs",
 "flake-utils": "flake-utils",
 "home-manager": "home-manager",
+ "impermanence": "impermanence",
 "nixpkgs": "nixpkgs_2",
 "sops-nix": "sops-nix"
 }
diff --git a/flake.nix b/flake.nix
index e620c0c..fd70fe5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -12,8 +12,9 @@
 url = "github:Mic92/sops-nix";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ impermanence.url = "github:nix-community/impermanence";
 };
- outputs = inputs@{ self, nixpkgs, flake-utils, home-manager, deploy-rs, sops-nix, ... }:
+ outputs = inputs@{ self, nixpkgs, flake-utils, home-manager, deploy-rs, sops-nix, impermanence, ... }:
 let
 pkgs = import nixpkgs { system = "x86_64-linux"; };
 aarch64Pkgs = import nixpkgs { system = "aarch64-linux"; };
@@ -38,6 +39,7 @@
 system = "x86_64-linux";
 specialArgs = { inherit inputs; };
 modules = [
+ impermanence.nixosModules.impermanence
 ./systems/smolboi/configuration.nix
 home-manager.nixosModules.home-manager
 {
diff --git a/systems/smolboi/configuration.nix b/systems/smolboi/configuration.nix
index 46c27ad..cc882b1 100644
--- a/systems/smolboi/configuration.nix
+++ b/systems/smolboi/configuration.nix
@@ -23,8 +23,10 @@
 mask = ''\xff\xff\xff\xff\x00\x00\x00\x00\xff\xff\xff'';
 magicOrExtension = ''\x7fELF....AI\x02'';
 };
+ tmp.cleanOnBoot = true;
 };
 powerManagement.cpuFreqGovernor = "schedutil";
+ sops.age.sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];
 sops.secrets."cdombroski/password" = {
 neededForUsers = true;
 sopsFile = ../../secrets/smolboi/users.yaml;
@@ -103,6 +105,7 @@
 };
 
 security = {
+ sudo.extraConfig = "Defaults lecture = never";
 rtkit.enable = true;
 };
 users.users = {
@@ -128,6 +131,27 @@
 tio
 ];
 pathsToLink = [ "/share/bash-completion" ];
+ persistence."/persist" = {
+ hideMounts = true;
+ directories = [
+ "/etc/NetworkManager/system-connections"
+ "/var/lib/bluetooth"
+ "/var/lib/nixos"
+ "/var/log"
+ "/var/lib/systemd"
+ "/tmp"
+ "/var/lib/cups"
+ ];
+ files = [
+ "/etc/machine-id"
+ "/var/lib/NetworkManager/secret_key"
+ "/etc/adjtime"
+ "/etc/ssh/ssh_host_rsa_key"
+ "/etc/ssh/ssh_host_rsa_key.pub"
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ ];
+ };
 };
 
 programs = {
@@ -165,7 +189,7 @@
 };
 
 fileSystems = {
- "/".options = [ "compress=lzo" "autodefrag" "discard=async" "defaults" ];
+ "/persist".options = [ "compress=lzo" "autodefrag" "discard=async" "defaults" ];
 "/nix".options = [ "compress=lzo" "autodefrag" "discard=async" "noatime" "defaults" ];
 "/steam-library".options = [ "compress=lzo" "autodefrag" "discard=async" "defaults" ];
 "/home".options = [ "compress=lzo" "autodefrag" "discard=async" "defaults" ];
diff --git a/systems/smolboi/hardware-configuration.nix b/systems/smolboi/hardware-configuration.nix
index 8fc8aa3..c12ef45 100644
--- a/systems/smolboi/hardware-configuration.nix
+++ b/systems/smolboi/hardware-configuration.nix
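Review bot: The new `sops.age.sshKeyPaths` line reads the age key straight from `/persist` instead of through the `/etc/ssh/ssh_host_ed25519_key` bind mount this same commit sets up, and nothing says why. The `cdombroski/password` secret just below is `neededForUsers`, so it is decrypted in early activation, presumably before impermanence's bind mounts exist — which makes the persisted path the right choice, but it should be stated: `# root is tmpfs: read the age key from /persist itself, not the /etc/ssh bind mount, since neededForUsers secrets are decrypted before impermanence mounts are up`. It also means the ed25519 host key must already exist under /persist/etc/ssh before the first boot of this configuration or the user password cannot be decrypted; worth a sentence in that comment. The enclosing `boot` attribute set and the top-level module start before this hunk.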
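Review bot: `"/tmp"` in `persistence."/persist".directories` is a bare path, so if `/persist/tmp` does not exist yet impermanence creates it with its default owner and mode, which as far as I recall is root:root 0755 rather than the 1777 sticky, world-writable mode /tmp needs; whether `boot.tmp.cleanOnBoot` later corrects that depends on how it is implemented in this nixpkgs revision. Make it explicit so it does not rely on either: `{ directory = "/tmp"; mode = "1777"; }`. Separately, `/etc/NetworkManager/system-connections` and `/var/lib/bluetooth` hold Wi-Fi PSKs and Bluetooth link keys in plaintext and now live on the /persist subvolume; the diff shows no at-rest encryption for that device (the old `/` was on the same device, so this is not a regression), but a comment such as `# contains Wi-Fi PSKs and BT link keys — relies on /persist being encrypted at rest` would make the dependency visible to whoever touches the disk layout. The enclosing `environment` attribute set starts before this hunk.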
@@ -13,8 +13,15 @@
 boot.kernelModules = [ "kvm-amd" ];
 boot.extraModulePackages = [ ];
 
- fileSystems."/" =
+ fileSystems."/" = {
+ device = "none";
+ fsType = "tmpfs";
+ options = [ "defaults" "size=2g" "mode=755" ];
+ };
+
+ fileSystems."/persist" =
 { device = "/dev/disk/by-uuid/d0eb1b09-7fba-49e3-b802-d6fdd9073516";
+ neededForBoot = true;
 fsType = "btrfs";
 options = [ "subvol=@nixos/root" ];
 };
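Review bot: The tmpfs root is mounted with only `defaults size=2g mode=755`, leaving a root-owned but writable tmpfs where suid binaries or device nodes could be staged. Everything that needs to execute or expose devices appears to live on other mounts (`/nix`, `/home`, `/persist`, devtmpfs on `/dev`, and NixOS keeps its setuid wrappers on their own mount), so `options = [ "defaults" "size=2g" "mode=755" "nosuid" "nodev" ];` looks free — but verify with a test boot rather than trusting my reading. `neededForBoot = true` on `/persist` is what lets `sops.age.sshKeyPaths` and `environment.persistence` in configuration.nix work and deserves a comment, e.g. `# mounted in initrd: sops-nix reads the host key from here and impermanence binds from it`. Note too that anything written under `/` outside the persisted paths — `/root`, including root's `~/.ssh/known_hosts` — now counts against the 2 GiB tmpfs and is gone at reboot; a one-line comment stating that intent is cheap.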