From 523297f96d6ce358bd50588e0d8f6816e9f0a8a1 Mon Sep 17 00:00:00 2001
From: Shahab Dogar
Date: Sat, 8 Feb 2025 13:48:14 +0500
Subject: [PATCH] feat: NixOS | add impermanence

---
 flake.lock | 16 ++++++++++++
 flake.nix | 4 +++
 nixos/configuration.nix | 54 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 74 insertions(+)

diff --git a/flake.lock b/flake.lock
index b929dae..725ab44 100644
--- a/flake.lock
+++ b/flake.lock
@@ -444,6 +444,21 @@
 "type": "github"
 }
 },
+ "impermanence": {
+ "locked": {
+ "lastModified": 1737831083,
+ "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
+ "owner": "nix-community",
+ "repo": "impermanence",
+ "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "impermanence",
+ "type": "github"
+ }
+ },
 "lanzaboote": {
 "inputs": {
 "crane": "crane",
@@ -607,6 +622,7 @@
 "disko": "disko",
 "home-manager": "home-manager",
 "hyprland": "hyprland",
+ "impermanence": "impermanence",
 "lanzaboote": "lanzaboote",
 "nix-secrets": "nix-secrets",
 "nixos-hardware": "nixos-hardware",
diff --git a/flake.nix b/flake.nix
index d649e16..2e943b0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -33,6 +33,9 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 
+ # Impermanence
+ impermanence.url = "github:nix-community/impermanence";
+
 # Secrets
 nix-secrets = {
 url = "git+ssh://git@git.dogar.dev/shahab/nix-secrets?shallow=1&ref=main";
@@ -54,6 +57,7 @@
 inputs.disko.nixosModules.disko
 inputs.nixos-hardware.nixosModules.framework-13-7040-amd
 inputs.sops-nix.nixosModules.sops
+ inputs.impermanence.nixosModules.impermanence
 ./nixos/configuration.nix
 ./nixos/disko-config.nix
 ./nixos/hardware-configuration.nix
diff --git a/nixos/configuration.nix b/nixos/configuration.nix
index 0708dfa..271f1f9 100644
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@@ -19,6 +19,31 @@ in {
 efi.canTouchEfiVariables = true;
 };
 
+ initrd.postResumeCommands = lib.mkAfter ''
+ mkdir /btrfs_tmp
+ mount /dev/luks_vg/root /btrfs_tmp
+ if [[ -e /btrfs_tmp/root ]]; then
+ mkdir -p /btrfs_tmp/old_roots
+ timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
+ mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
+ fi
+
+ delete_subvolume_recursively() {
+ IFS=$'\n'
+ for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
+ delete_subvolume_recursively "/btrfs_tmp/$i"
+ done
+ btrfs subvolume delete "$1"
+ }
+
+ for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
+ delete_subvolume_recursively "$i"
+ done
+
+ btrfs subvolume create /btrfs_tmp/root
+ umount /btrfs_tmp
+ '';
+
 lanzaboote = {
 enable = true;
 pkiBundle = "/var/lib/sbctl";
@@ -176,6 +201,35 @@ in {
 protonup-qt
 ];
 
+ environment.persistence."/persistant" = {
+ hideMounts = true;
+ directories = [
+ "/var/log"
+ "/var/lib/bluetooth"
+ "/var/lib/nixos"
+ "/var/lib/sbctl"
+ "/var/lib/systemd/coredump"
+ "/etc/NetworkManager/system-connections"
+ ];
+ files = [
+ "/etc/machine-id"
+ ];
+ users.shahab = {
+ directories = [
+ "Downloads"
+ "nix-config"
+ "nix-secrets"
+ ".config"
+ { directory = ".ssh"; mode = "0700"; }
+ { directory = ".steam"; mode = "0700"; }
+ { directory = ".local/share/Steam"; mode = "0700"; }
+ { directory = ".local/share/nvim"; mode = "0700"; }
+ { directory = ".local/share/direnv"; mode = "0700"; }
+ { directory = ".1Password"; mode = "0700"; }
+ ];
+ };
+ };
+
 # Enable steam for gaming
 programs.steam = {
 enable = true;
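Review bot: The `mount /dev/luks_vg/root /btrfs_tmp` line and the later `btrfs subvolume create /btrfs_tmp/root` are not checked, so if the mount fails (LV not yet active, device path changed) the rest of the script runs against the initrd's tmpfs and the machine boots with the previous root fully intact — the wipe silently does not happen rather than failing visibly, which is the wrong failure mode for a setup whose purpose is to discard state. Unless stage-1 already runs this under `set -e` (not visible here), guard the mount, e.g. `mount /dev/luks_vg/root /btrfs_tmp || fail` using the scripted stage-1 `fail` helper, and treat a failed `subvolume create` the same way. Note also that the retired root is kept under `old_roots/<timestamp>` for 30 days, so anything written outside the persisted paths (/tmp, /root, a `passwd` change in /etc/shadow) remains recoverable on the (LUKS-backed) disk for a month; a comment such as `# previous roots are retained for 30 days so state lost to the wipe can be recovered` would make that retention explicit as a deliberate choice. Hooking `postResumeCommands` rather than `postDeviceCommands` is the right call because it only runs when no hibernation image was resumed, and that deserves a one-line comment too. The enclosing `boot` attribute set begins before this hunk and continues after it.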
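Review bot: `/var/lib/sbctl` (the Secure Boot signing keys lanzaboote uses) and `/etc/NetworkManager/system-connections` (Wi-Fi/VPN credentials) are listed as bare strings while the comparable user-level entries get `mode = "0700"`; impermanence's `directories` default is a root-owned 0755 for a bind-mount source it has to create, so use `{ directory = "/var/lib/sbctl"; mode = "0700"; }` and `{ directory = "/etc/NetworkManager/system-connections"; mode = "0700"; }` so those directories are never world-listable if they are recreated. Separately, `/etc/ssh` is not persisted, so host keys are regenerated on every boot: if sops-nix takes its age identity from the host ed25519 key (its default when openssh is enabled, not visible in this hunk) secrets stop decrypting after the first reboot, and any SSH client will see host-key-changed warnings — add `"/etc/ssh"` unless the key comes from elsewhere. `/var/lib/systemd/coredump` keeps core dumps, which can embed process secrets, across boots; if that is intentional for debugging, a short comment saying so would help. The `/persistant` spelling must match the mount point defined in disko-config.nix, which is outside this diff, and the enclosing module attribute set starts and ends outside the hunk.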