feat: replace impermanence with preservation (#198)

* feat: replace impermanence with preservation

* fix: This module cannot be used with scripted initrd.

* fix: permission for /var/lib/private

* chore: boot.initrd.systemd.enable

* docs: boot.initrd.luks.devices.<name>.fallbackToPassword is implied by systemd stage 1

* fix: typo
Ryan Yin
2025-06-29 13:02:36 +08:00
committed by GitHub
parent 763167ce0d
commit 8690978d7e
15 changed files with 382 additions and 219 deletions


@@ -45,7 +45,7 @@ in {
server.webserver.enable = mkEnableOption "NixOS Secrets for Web Servers(contains tls cert keys)";
server.storage.enable = mkEnableOption "NixOS Secrets for HDD Data's LUKS Encryption";
impermanence.enable = mkEnableOption "whether use impermanence and ephemeral root file system";
preservation.enable = mkEnableOption "whether use impermanence and ephemeral root file system";
};
config = mkIf (cfg.desktop.enable || enabledServerSecrets) (mkMerge [
@@ -56,7 +56,7 @@ in {
# if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
age.identityPaths =
if cfg.impermanence.enable
if cfg.preservation.enable
then [
# To decrypt secrets on boot, this key should exists when the system is booting,
# so we should use the real key file path(prefixed by `/persistent/`) here, instead of the path mounted by impermanence.