Impermanence

flake.lock

@@ -75,6 +75,21 @@
         "type": "github"
       }
     },
+    "impermanence": {
+      "locked": {
+        "lastModified": 1708968331,
+        "narHash": "sha256-VUXLaPusCBvwM3zhGbRIJVeYluh2uWuqtj4WirQ1L9Y=",
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "rev": "a33ef102a02ce77d3e39c25197664b7a636f9c30",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1702272962,
@@ -127,6 +142,7 @@
         "deploy-rs": "deploy-rs",
         "flake-utils": "flake-utils",
         "home-manager": "home-manager",
+        "impermanence": "impermanence",
         "nixpkgs": "nixpkgs_2",
         "sops-nix": "sops-nix"
       }

flake.nix

@@ -12,8 +12,9 @@
       url = "github:Mic92/sops-nix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    impermanence.url = "github:nix-community/impermanence";
   };
-  outputs = inputs@{ self, nixpkgs, flake-utils, home-manager, deploy-rs, sops-nix, ... }:
+  outputs = inputs@{ self, nixpkgs, flake-utils, home-manager, deploy-rs, sops-nix, impermanence, ... }:
   let
     pkgs = import nixpkgs { system = "x86_64-linux"; };
     aarch64Pkgs = import nixpkgs { system = "aarch64-linux"; };
@@ -38,6 +39,7 @@
         system = "x86_64-linux";
         specialArgs = { inherit inputs; };
         modules = [
+          impermanence.nixosModules.impermanence
           ./systems/smolboi/configuration.nix
           home-manager.nixosModules.home-manager
           {

systems/smolboi/configuration.nix

@@ -23,8 +23,10 @@
       mask = ''\xff\xff\xff\xff\x00\x00\x00\x00\xff\xff\xff'';
       magicOrExtension = ''\x7fELF....AI\x02'';
     };
+    tmp.cleanOnBoot = true;
   };
   powerManagement.cpuFreqGovernor = "schedutil";
+  sops.age.sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];
   sops.secrets."cdombroski/password" = {
     neededForUsers = true;
     sopsFile = ../../secrets/smolboi/users.yaml;
@@ -103,6 +105,7 @@
   };
 
   security = {
+    sudo.extraConfig = "Defaults lecture = never";
     rtkit.enable = true;
   };
   users.users = {
@@ -128,6 +131,27 @@
       tio
     ];
     pathsToLink = [ "/share/bash-completion" ];
+    persistence."/persist" = {
+      hideMounts = true;
+      directories = [
+        "/etc/NetworkManager/system-connections"
+        "/var/lib/bluetooth"
+        "/var/lib/nixos"
+        "/var/log"
+        "/var/lib/systemd"
+        "/tmp"
+        "/var/lib/cups"
+      ];
+      files = [
+        "/etc/machine-id"
+        "/var/lib/NetworkManager/secret_key"
+        "/etc/adjtime"
+        "/etc/ssh/ssh_host_rsa_key"
+        "/etc/ssh/ssh_host_rsa_key.pub"
+        "/etc/ssh/ssh_host_ed25519_key"
+        "/etc/ssh/ssh_host_ed25519_key.pub"
+      ];
+    };
   };
 
   programs = {
@@ -165,7 +189,7 @@
   };
 
   fileSystems = {
-    "/".options = [ "compress=lzo" "autodefrag" "discard=async" "defaults" ];
+    "/persist".options = [ "compress=lzo" "autodefrag" "discard=async" "defaults" ];
     "/nix".options = [ "compress=lzo" "autodefrag" "discard=async" "noatime" "defaults" ];
     "/steam-library".options = [ "compress=lzo" "autodefrag" "discard=async" "defaults" ];
     "/home".options = [ "compress=lzo" "autodefrag" "discard=async" "defaults" ];

systems/smolboi/hardware-configuration.nix

@@ -13,8 +13,15 @@
   boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" =
+  fileSystems."/" = {
+    device = "none";
+    fsType = "tmpfs";
+    options = [ "defaults" "size=2g" "mode=755" ];
+  };
+  
+  fileSystems."/persist" =
     { device = "/dev/disk/by-uuid/d0eb1b09-7fba-49e3-b802-d6fdd9073516";
+      neededForBoot = true;
       fsType = "btrfs";
       options = [ "subvol=@nixos/root" ];
     };