drafted out impermanence for defiant

README.md

@@ -60,4 +60,4 @@ to update passwords run: `nix shell nixpkgs#sops -c sops secrets/user-passwords.
 - mastodon server
 - tail scale clients
 - wake on LAN
-- ISO target that contains authorized keys for nixos-anywhere
+- ISO target that contains authorized keys for nixos-anywhere https://github.com/diegofariasm/yggdrasil/blob/4acc43ebc7bcbf2e41376d14268e382007e94d78/hosts/bootstrap/default.nix

flake.lock

@@ -74,6 +74,21 @@
         "type": "github"
       }
     },
+    "impermanence": {
+      "locked": {
+        "lastModified": 1730403150,
+        "narHash": "sha256-W1FH5aJ/GpRCOA7DXT/sJHFpa5r8sq2qAUncWwRZ3Gg=",
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "rev": "0d09341beeaa2367bac5d718df1404bf2ce45e6f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "type": "github"
+      }
+    },
     "nix-vscode-extensions": {
       "inputs": {
         "flake-compat": "flake-compat",
@@ -146,6 +161,7 @@
       "inputs": {
         "disko": "disko",
         "home-manager": "home-manager",
+        "impermanence": "impermanence",
         "nix-vscode-extensions": "nix-vscode-extensions",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs",

flake.nix

@@ -23,6 +23,10 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    impermanence = {
+      url = "github:nix-community/impermanence";
+    };
+
     # users home directories
     home-manager = {
       url = "github:nix-community/home-manager";
@@ -49,6 +53,7 @@
   outputs = {
     nixpkgs,
     disko,
+    impermanence,
     nixos-hardware,
     home-manager,
     ...
@@ -102,6 +107,7 @@
         specialArgs = {inherit inputs lib;};
         modules = [
           ./overlays
+          impermanence.nixosModules.impermanence
           disko.nixosModules.disko
           home-manager.nixosModules.home-manager
           home-manager-config

hosts/defiant/disko-config.nix

@@ -1,10 +1,9 @@
-{lib, ...}: let
+{...}: let
   bootDisk = devicePath: {
     type = "disk";
     device = devicePath;
     content = {
       type = "gpt";
-
       partitions = {
         boot = {
           size = "1M";
@@ -32,37 +31,37 @@
           size = "100%";
           content = {
             type = "zfs";
-            pool = "zroot";
+            pool = "rpool";
-          };
-        };
-      };
-    };
-  };
-  cacheDisk = devicePath: swapSize: {
-    type = "disk";
-    device = devicePath;
-    content = {
-      type = "gpt";
-      partitions = {
-        encryptedSwap = {
-          size = swapSize;
-          content = {
-            type = "swap";
-            randomEncryption = true;
-            discardPolicy = "both";
-            resumeDevice = true;
-          };
-        };
-        zfs = {
-          size = "100%";
-          content = {
-            type = "zfs";
-            pool = "zroot";
           };
         };
       };
     };
   };
+  # cacheDisk = devicePath: swapSize: {
+  #   type = "disk";
+  #   device = devicePath;
+  #   content = {
+  #     type = "gpt";
+  #     partitions = {
+  #       encryptedSwap = {
+  #         size = swapSize;
+  #         content = {
+  #           type = "swap";
+  #           randomEncryption = true;
+  #           discardPolicy = "both";
+  #           resumeDevice = true;
+  #         };
+  #       };
+  #       zfs = {
+  #         size = "100%";
+  #         content = {
+  #           type = "zfs";
+  #           pool = "rpool";
+  #         };
+  #       };
+  #     };
+  #   };
+  # };
 in {
   disko.devices = {
     disk = {
@@ -75,7 +74,7 @@ in {
       # ssd_2_tb_a = cacheDisk "64G" "/dev/disk/by-id/XXX";
     };
     zpool = {
-      zroot = {
+      rpool = {
         type = "zpool";
         mode = {
           topology = {
@@ -92,7 +91,7 @@ in {
               }
             ];
             cache = [];
-            # cache = [ "ssd_2_tb_a" ];
+            # cache = [ "ssd_2_tb_a" ];z
           };
         };
 
@@ -101,34 +100,40 @@ in {
         };
 
         rootFsOptions = {
-          encryption = "on";
+          # encryption = "on";
-          keyformat = "hex";
+          # keyformat = "hex";
-          keylocation = "prompt";
+          # keylocation = "prompt";
           compression = "lz4";
           xattr = "sa";
           acltype = "posixacl";
+          canmount = "off";
           "com.sun:auto-snapshot" = "false";
         };
 
-        mountpoint = "/";
-        postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot@blank$' || zfs snapshot zroot@blank";
-
         datasets = {
-          "nix" = {
+          root = {
+            type = "zfs_fs";
+            mountpoint = "/";
+            options.mountpoint = "legacy";
+            postCreateHook = "zfs snapshot rpool/root@blank";
+          };
+          home = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/home";
+            postCreateHook = "zfs snapshot rpool/home@blank";
+          };
+          nix = {
             type = "zfs_fs";
             mountpoint = "/nix";
           };
-          "home" = {
+          persistent = {
             type = "zfs_fs";
-            mountpoint = "/mnt/home";
+            mountpoint = "/persistent";
             options = {
               "com.sun:auto-snapshot" = "true";
             };
           };
-          "var" = {
-            type = "zfs_fs";
-            mountpoint = "/var";
-          };
         };
       };
     };

hosts/defiant/hardware-configuration.nix

@@ -2,9 +2,9 @@
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
+  pkgs,
   config,
   lib,
-  pkgs,
   modulesPath,
   ...
 }: {
@@ -13,27 +13,136 @@
     ../hardware-common.nix
   ];
 
+  security.sudo.extraConfig = "Defaults lecture=never";
+
   boot = {
     initrd = {
       availableKernelModules = ["xhci_pci" "aacraid" "ahci" "usbhid" "usb_storage" "sd_mod"];
       kernelModules = [];
+      # TODO: figure out some kind of snapshotting before rolebacks
+      # postDeviceCommands = lib.mkAfter ''
+      #   zfs rollback -r rpool/root@blank
+      #   zfs rollback -r rpool/home@blank
+      # '';
+      systemd = {
+        enable = lib.mkDefault true;
+        services.rollback = {
+          description = "Rollback root filesystem to a pristine state on boot";
+          wantedBy = [
+            "zfs.target"
+            "initrd.target"
+          ];
+          after = [
+            "zfs-import-rpool.service"
+          ];
+          before = [
+            "sysroot.mount"
+            "fs.target"
+          ];
+          path = with pkgs; [
+            zfs
+          ];
+          unitConfig.DefaultDependencies = "no";
+          # serviceConfig = {
+          #   Type = "oneshot";
+          #   ExecStart =
+          #     "${config.boot.zfs.package}/sbin/zfs rollback -r rpool/home@blank";
+          # };
+          serviceConfig.Type = "oneshot";
+          script = ''
+            zfs list -t snapshot || echo
+            zfs rollback -r rpool/root@blank
+            zfs rollback -r rpool/home@blank
+          '';
+        };
+      };
     };
     kernelModules = ["kvm-amd"];
+    kernelParams = ["quiet"];
     extraModulePackages = [];
 
     supportedFilesystems = ["zfs"];
 
-    zfs.extraPools = ["zroot"];
+    zfs.extraPools = ["rpool"];
   };
 
   swapDevices = [];
 
+  fileSystems = {
+    "/" = {
+      neededForBoot = true;
+    };
+
+    "/home" = {
+      neededForBoot = true;
+    };
+
+    "/persistent" = {
+      neededForBoot = true;
+    };
+  };
+
   networking = {
     hostId = "c51763d6";
     hostName = "defiant"; # Define your hostname.
     useNetworkd = true;
   };
 
+  environment.persistence."/persistent" = {
+    enable = true;
+    hideMounts = true;
+    directories = [
+      # "/run/secrets"
+
+      "/etc/ssh"
+
+      "/var/log"
+      "/var/lib/nixos"
+      "/var/lib/systemd/coredump"
+
+      # config.apps.pihole.directory.root
+
+      # config.apps.jellyfin.mediaDirectory
+      # config.services.jellyfin.configDir
+      # config.services.jellyfin.cacheDir
+      # config.services.jellyfin.dataDir
+
+      # "/var/hass" # config.users.users.hass.home
+      # "/var/postgresql" # config.users.users.postgresql.home
+      # "/var/forgejo" # config.users.users.forgejo.home
+      # "/var/nextcloud" # config.users.users.nextcloud.home
+      # "/var/headscale" # config.users.users.headscale.home
+    ];
+    files = [
+      "/etc/machine-id"
+      # config.environment.sessionVariables.SOPS_AGE_KEY_FILE
+    ];
+    users.leyla = {
+      directories = [
+        "documents"
+        ".ssh"
+      ];
+      files = [];
+    };
+  };
+
+  # systemd.services = {
+  #   # https://github.com/openzfs/zfs/issues/10891
+  #   systemd-udev-settle.enable = false;
+  #   # Snapshots are not accessable on boot for some reason this should fix it
+  #   # https://github.com/NixOS/nixpkgs/issues/257505
+  #   zfs-mount = {
+  #     serviceConfig = {
+  #       # ExecStart = [ "${lib.getExe' pkgs.util-linux "mount"} -a -t zfs -o remount" ];
+  #       ExecStart = [
+  #         "${lib.getExe' pkgs.util-linux "mount"} -t zfs rpool/root -o remount"
+  #         "${lib.getExe' pkgs.util-linux "mount"} -t zfs rpool/home -o remount"
+  #         "${lib.getExe' pkgs.util-linux "mount"} -t zfs rpool/persistent -o remount"
+  #       ];
+  #     };
+  #   };
+  # };
+
   systemd.network = {
     enable = true;