From 5d80a9f7b0e40d814c9ae56a910d7cb053ea009b Mon Sep 17 00:00:00 2001
From: Nick
Date: Tue, 4 Nov 2025 14:57:25 -0600
Subject: [PATCH] feat: added impermanence to ceres
---
 flake.lock | 16 ++++++
 flake.nix | 5 ++
 secrets/secrets.yaml | 6 +--
 systems/ceres/config/filesystem.nix | 77 +++++++++++++++++++++++++++--
 4 files changed, 96 insertions(+), 8 deletions(-)
diff --git a/flake.lock b/flake.lock
index 70c65ad..ddb3f5a 100755
--- a/flake.lock
+++ b/flake.lock
@@ -798,6 +798,21 @@
 "type": "github"
 }
 },
+ "impermanence": {
+ "locked": {
+ "lastModified": 1737831083,
+ "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
+ "owner": "nix-community",
+ "repo": "impermanence",
+ "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "impermanence",
+ "type": "github"
+ }
+ },
 "linkpage": {
 "inputs": {
 "flake-parts": "flake-parts_3",
@@ -1363,6 +1378,7 @@
 "home-manager": "home-manager",
 "hyprland": "hyprland",
 "hyprland-portal": "hyprland-portal",
+ "impermanence": "impermanence",
 "linkpage": "linkpage",
 "lix": "lix",
 "lix-module": "lix-module",
diff --git a/flake.nix b/flake.nix
index 68ff16a..94ceaa0 100755
--- a/flake.nix
+++ b/flake.nix
@@ -22,6 +22,10 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 systems.url = "github:nix-systems/x86_64-linux";
+ impermanence = {
+ url = "github:nix-community/impermanence";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 home-manager = {
 url = "github:nix-community/home-manager";
 inputs.nixpkgs.follows = "nixpkgs";
@@ -147,6 +151,7 @@
 inputs.filesorter.nixosModules.default
 inputs.zookeeper.nixosModules.default
 inputs.home-manager.nixosModules.home-manager
+ inputs.impermanence.nixosModules.impermanence
 inputs.lix-module.nixosModules.default
 inputs.sops-nix.nixosModules.sops
 ];
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 4b03a5a..0113790 100755
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
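Review bot: In flake.nix (hunk at -22,6), the new `impermanence` input sets `inputs.nixpkgs.follows = "nixpkgs";`, but the `impermanence` node this same commit adds to flake.lock carries only `locked` and `original` and no `inputs` key, which suggests the pinned revision declares no `nixpkgs` input to follow. Nix typically warns about an override for a non-existent input in that case, and the line misleads a reader into thinking the module is pinned to the system nixpkgs. I would reduce the input to `impermanence.url = "github:nix-community/impermanence";`.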
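Review bot: In flake.nix (hunk at -147,6), `inputs.impermanence.nixosModules.impermanence` is enabled next to `inputs.sops-nix.nixosModules.sops`, and the filesystem.nix change in this commit turns `/etc/ssh` into a bind mount from `/persistent` on a root that is recreated every boot. If sops-nix on this host derives its age identity from the SSH host key (not visible in this diff), the key may not yet be in place when secrets are decrypted, and decryption would fail on boot. Because `/persistent` is marked `neededForBoot = true`, reading the key from the persistent copy removes that ordering dependency, e.g. `sops.age.sshKeyPaths = [ "/persistent/etc/ssh/ssh_host_ed25519_key" ];` (key file name assumed). The module list begins outside the hunk.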
@@ -1,7 +1,7 @@ ssh: private: ENC[AES256_GCM,data:XJk/gjPkFeSZtPkKYS2vRHqMY/X5zRaDlS4UwzUvjm9MvTgdhoXUlqvFC0Dl5SZhRlY+XXAuG7gIIUESzCFWQKdOoUcto3r0WSuIm9EwLKXnnaHemeFVHYgZU9Rz45PK6yFWUC06+n56b2A1dFXftjeXcCqaQrT/jk3RDSHmhW9u7QgDmhhaybxXOrzkup2U8kjhrMmRBcf4xP//nihuzHcyYX75ONr56bgkjl6gpZTfZrn2ad8b+4iGn+rElzf7RHAG0mwTeEX2kYRyafaanGuc2xTnZubBAYDnc1eM6T99PXC0iWh/lUKc1zG1l18UchWzgvl3sPK0Cb2/5aaFMUk2ET6kVOlpKyGc94MRpyv3iUi8soFjh34sWH3mFtec2OWfIxDhoVfZoc2hmP2Hflfjp7acwaMskFBHaCSO2DGtNmN3hSUhAAeLx8OZupSIJmDVpq00qKUbN+5z4K78AdGuUOP07cE889evNniCHLP6yPav7tIulnBS9lD2U+CbqF7vMtdZx/eYFwJjmMtE,iv:JxSytvXKWLHDedlE0Wq5YpPUnfb0HoQgKJ2bt1Z8yqk=,tag:MjOoUSWsHWHgxp0yu9YQFA==,type:str] public: ENC[AES256_GCM,data:Cn4hutHHeptbefHOKK7zv5TmveGOqfHAwGHogDq9sRmeb+b1lzHwj7qvg8lcnlJtIo4qS+TrKtSj5ZCsPNXOhWG1rkk97gTfPMbcxj5f1O3WJigL2wsrB2cQgc5UsA==,iv:ID4zRdr/efClOAHbXzxG1bNuJR0A2qbydzGlMhvEcRE=,tag:qbIoaGb+RXxRRkkQtuX7/A==,type:str] - hosts: ENC[AES256_GCM,data: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,iv:UIULO1YSKegqbvzJ5IS+d/+MWfu/e6mCCX36Hty0v6M=,tag:wqzHZa3l4RcyDczndFlcRg==,type:str] + hosts: ENC[AES256_GCM,data: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,iv:zlU2Q2Onx6Nsi3U1uCtOxeznV96D0fFfwpyz/ZrgXPU=,tag:eS+PAbm48nJsjvC80asiAA==,type:str] network: server: ENC[AES256_GCM,data:EFsmXNkuf5OAMh8hjfZTixmmdjqBNIME9JjQC8azeCwcMVInm8bWdxE4OqFmxOk9MAU=,iv:pI6WeM2aQC+7vx1Xmp5O2rikqNLgzuEOg+Lo7TqFQxU=,tag:ElcA8mn9dx+IjIf38nKT5A==,type:str] fallaryn: ENC[AES256_GCM,data:O77hH3STB6zpl0b9iXsVu9OOrlLKUwfs2qI9hdqX4kMuBs3XgT/xsQ==,iv:RDKsuJoy+LIyADMc3bgOEmLKdXtu6kad2aeVetuZdJI=,tag:MrpCZ+iJUnGIjeHMgcYG6Q==,type:str] 
@@ -59,7 +59,7 @@ sops: bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-04T11:01:52Z" - mac: ENC[AES256_GCM,data:g/wjdt10ly357yEtjeITpIpVih3QedPVp+ZywvX5fZc3OqiXmE3ubG0CLnOLrqql3Ek7ezw9I1xNtFoLH1eU87quaN/3MyenoOq2sw0tkyY4ciNFGLRST7n3rh+3yaYzh9c/FFb83iSv9T+9f0y7odkV/jAiGUk9HZYZi2a5FtE=,iv:J5m96w5emOtgg0wwjZOIFiUNPvxpnwsjQzSlQ7pxDXY=,tag:9w9d+Z9vbXE/cdU0XHenbg==,type:str] + lastmodified: "2025-11-04T20:22:31Z" + mac: ENC[AES256_GCM,data:mL+7OjHRuSpGFaBAyNA1VP5GtwaL97uGVZo6eMduPNSy2bAkE6PhFwzVKLUikKCjOdYut1xF9aVRa0Sj1CiOTHoJdRlzpF02XSeTGJ/uxYFap29F7PruGzv24Xy7zfHQQYDO/ypBUSDgS8yO73zjjqBqlIT5NQD9X1M0TDT/QUk=,iv:g8JAT9B+irTZiH7e7hlp6x+gjlDUztlSe7FUPKcJ2Fg=,tag:OSQlvguKpQmG1r90fDWemA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0
diff --git a/systems/ceres/config/filesystem.nix b/systems/ceres/config/filesystem.nix
index bb0d4e8..31b5a19 100755
--- a/systems/ceres/config/filesystem.nix
+++ b/systems/ceres/config/filesystem.nix
@@ -1,6 +1,7 @@
 {
 flake,
 config,
+ lib,
 ...
 }:
 let
@@ -9,16 +10,82 @@ in {
 fileSystems = {
 "/" = {
- device = "/dev/disk/by-uuid/4b740a8e-8123-4d29-8ec2-132aebb0583d";
- fsType = "ext4";
+ device = "/dev/disk/by-label/root";
+ fsType = "btrfs";
+ options = [
+ "subvol=@"
+ ];
 };
+
+ "/nix" = {
+ device = "/dev/disk/by-label/root";
+ fsType = "btrfs";
+ options = [
+ "subvol=@nix"
+ ];
+ };
+
+ "/persistent" = {
+ device = "/dev/disk/by-label/root";
+ fsType = "btrfs";
+ neededForBoot = true;
+ options = [
+ "subvol=@persistent"
+ ];
+ };
+
 "/boot" = {
- device = "/dev/disk/by-uuid/34BA-5602";
+ device = "/dev/disk/by-label/BOOT";
 fsType = "vfat";
 };
+
 "/mnt/storage" = {
- device = "dev/disk/by-label/storage";
- fsType = "xfs";
+ device = "/dev/disk/by-label/storage";
+ fsType = "ext4";
+ };
+ };
+
+ boot.initrd.postResumeCommands = lib.mkAfter ''
+ mkdir -p /mnt
+ mount -o subvol=/ /dev/disk/by-label/root /mnt
+
+ if [[ -e /mnt/@ ]]; then
+ mkdir -p /mnt/@old_roots
+ timestamp=$(date --date="@$(stat -c %Y /mnt/@)" "+%Y-%m-%d_%H:%M:%S")
+ mv /mnt/@ "/mnt/@old_roots/$timestamp"
+ fi
+
+ delete_subvolume_recursively() {
+ IFS=$'\n'
+ for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
+ delete_subvolume_recursively "/mnt/$i"
+ done
+ btrfs subvolume delete "$1"
+ }
+
+ for i in $(find /mnt/@old_roots/ -maxdepth 1 -mtime +30); do
+ delete_subvolume_recursively "$i"
+ done
+
+ btrfs subvolume create /mnt/@
+ umount /mnt
+ '';
+
+ environment.persistence."/persistent" = {
+ hideMounts = true;
+ directories = [
+ "/var/log"
+ "/var/lib"
+ "/var/cache"
+ "/etc/ssh"
+ ];
+ files = [
+ "/etc/machine-id"
+ ];
+ users.${user0} = {
+ directories = [
+ ".ssh"
+ ];
 };
 };