feat: impermanence

hosts/idols/ai/default.nix

@@ -1,4 +1,4 @@
-{config, ...} @ args:
+{ pkgs, ...} @ args:
 #############################################################
 #
 #  Ai - my main computer, with NixOS + I5-13600KF + RTX 4090 GPU, for gaming & daily use.
@@ -10,7 +10,9 @@
     # Include the results of the hardware scan.
     ./hardware-configuration.nix
 
-    ../../../modules/nixos/fhs-fonts.nix
+    ./impermanence.nix
+
+    # ../../../modules/nixos/fhs-fonts.nix
     ../../../modules/nixos/libvirt.nix
     ../../../modules/nixos/core-desktop.nix
     ../../../modules/nixos/remote-building.nix
@@ -21,23 +23,6 @@
 
   nixpkgs.overlays = import ../../../overlays args;
 
-  # Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
-  boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
-  # supported fil systems, so we can mount any removable disks with these filesystems
-  boot.supportedFilesystems = [
-    "ext4"
-    "btrfs"
-    "xfs"
-    #"zfs"
-    "ntfs"
-    "fat"
-    "vfat"
-    "exfat"
-    "cifs" # mount windows share
-  ];
-
-  boot.kernelParams = [ "nvidia.NVreg_PreserveVideoMemoryAllocations=1" ];
-
   networking = {
     hostName = "ai";
     wireless.enable = false; # Enables wireless support via wpa_supplicant.
@@ -65,7 +50,7 @@
     ];
   };
 
-  virtualisation.docker.storageDriver = "btrfs";
+  # virtualisation.docker.storageDriver = "btrfs";
 
   # for Nvidia GPU
   services.xserver.videoDrivers = ["nvidia"]; # will install nvidia-vaapi-driver by default

hosts/idols/ai/hardware-configuration.nix

@@ -1,32 +1,42 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
 {
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
 
   # Use the EFI boot loader.
   boot.loader.efi.canTouchEfiVariables = true;
   # depending on how you configured your disk mounts, change this to /boot or /boot/efi.
-  boot.loader.efi.efiSysMountPoint = "/boot/efi";
-  boot.loader.grub = {
-    enable = true;
-    device = "nodev";
-    efiSupport = true;
-    useOSProber = true; # automatically add other OSs into grub menu
-    # if you use an encrypted /boot partition, you should enable this option.
-    # grub 2.12-rc1 support only luks1 and luks2+pbkdf2,
-    # so the /boot partition can only use those two luks encrypt format.
-    enableCryptodisk = true;
-  };
+  boot.loader.efi.efiSysMountPoint = "/boot";
+  boot.loader.systemd-boot.enable = true;
+
+  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = ["kvm-intel"];
+  boot.kernelParams = [ "nvidia.NVreg_PreserveVideoMemoryAllocations=1" ];
+  boot.extraModulePackages = [];
+
+  # Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
+  boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
+  # supported fil systems, so we can mount any removable disks with these filesystems
+  boot.supportedFilesystems = [
+    "ext4"
+    "btrfs"
+    "xfs"
+    "ntfs"
+    "fat"
+    "vfat"
+    "cifs" # mount windows share
+  ];
 
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
 
   boot.initrd = {
     # unlocked luks devices via a keyfile or prompt a passphrase.
@@ -40,74 +50,60 @@
       # it's less secure, but faster.
       allowDiscards = true;
     };
-
-    luks.devices."crypted-boot" = {
-      device = "/dev/nvme0n1p3";
-      #keyFile = "/boot-part.key";
-
-      # boot partition do not require fast speed, so we disable it.
-      allowDiscards = false;
-    };
-
-    # secrets to append to the initrd.
-    # the initrd is located in /boot partition, so only enabled this options when you encryped /boot partition!
-    secrets = {
-      # Format:
-      #   file-path inside initrd  =  the source path it should be copied from.
-      # "/boot-part.key" = "/etc/secrets/initrd/boot-part.key";
-    };
   };
 
+  # equal to `mount -t tmpfs tmpfs /`
+  fileSystems."/" = {
+    device = "tmpfs";
+    fsType = "tmpfs";
+    # set mode to 755, otherwise systemd will set it to 777, which cause problems.
+    options = ["relatime" "mode=755"];
+  };
 
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/836b93a9-324f-45e6-ac1d-964becd7520c";
-      fsType = "btrfs";
-      options = [ "subvol=@root" "compress-force=zstd:1" ];
-    };
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-uuid/1167076c-dee1-486c-83c1-4b1af37555cd";
+    fsType = "btrfs";
+    options = ["subvol=@nix" "noatime" "compress-force=zstd:1"];
+  };
 
-  fileSystems."/nix" =
-    { device = "/dev/disk/by-uuid/836b93a9-324f-45e6-ac1d-964becd7520c";
-      fsType = "btrfs";
-      options = [ "subvol=@nix" "noatime" "compress-force=zstd:1" ];
-    };
+  fileSystems."/persistent" = {
+    device = "/dev/disk/by-uuid/1167076c-dee1-486c-83c1-4b1af37555cd";
+    fsType = "btrfs";
+    options = ["subvol=@persistent" "compress-force=zstd:1"];
+    neededForBoot = true;
+  };
 
-  fileSystems."/home" =
-    { device = "/dev/disk/by-uuid/836b93a9-324f-45e6-ac1d-964becd7520c";
-      fsType = "btrfs";
-      options = [ "subvol=@home" "compress-force=zstd:1" ];
-    };
+  fileSystems."/snapshots" = {
+    device = "/dev/disk/by-uuid/1167076c-dee1-486c-83c1-4b1af37555cd";
+    fsType = "btrfs";
+    options = ["subvol=@snapshots" "compress-force=zstd:1"];
+  };
 
   # mount swap subvolume in readonly mode.
-  fileSystems."/swap" =
-    { device = "/dev/disk/by-uuid/836b93a9-324f-45e6-ac1d-964becd7520c";
-      fsType = "btrfs";
-      options = [ "subvol=@swap" "ro" ];
-    };
+  fileSystems."/swap" = {
+    device = "/dev/disk/by-uuid/1167076c-dee1-486c-83c1-4b1af37555cd";
+    fsType = "btrfs";
+    options = ["subvol=@swap" "ro"];
+  };
 
   # remount swapfile in read-write mode
-  fileSystems."/swap/swapfile" =
-    { 
-      # the swapfile is located in /swap subvolume, so we need to mount /swap first.
-      depends = [ "/swap"];
-      
-      device = "/swap/swapfile";
-      fsType = "none";
-      options = [ "bind" "rw" ];
-    };
+  fileSystems."/swap/swapfile" = {
+    # the swapfile is located in /swap subvolume, so we need to mount /swap first.
+    depends = ["/swap"];
 
-  fileSystems."/boot" =
-    { device = "/dev/mapper/crypted-boot";
-      fsType = "ext4";
-    };
+    device = "/swap/swapfile";
+    fsType = "none";
+    options = ["bind" "rw"];
+  };
 
-  fileSystems."/boot/efi" =
-    { device = "/dev/nvme0n1p1";
-      fsType = "vfat";
-    };
+  fileSystems."/boot" = {
+    device = "/dev/nvme0n1p1";
+    fsType = "vfat";
+  };
 
-  swapDevices =
-    [ { device = "/swap/swapfile"; }
-    ];
+  swapDevices = [
+    {device = "/swap/swapfile";}
+  ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's

hosts/idols/ai/impermanence.nix

@@ -0,0 +1,93 @@
+{impermanence, pkgs, ...}: {
+  imports = [
+    impermanence.nixosModules.impermanence
+  ];
+
+
+  environment.systemPackages = [
+    # `sudo ncdu -x /`
+    pkgs.ncdu
+  ];
+
+  # There are two ways to clear the root filesystem on every boot:
+  ##  1. use tmpfs for /
+  ##  2. (btrfs/zfs only)take a blank snapshot of the root filesystem and revert to it on every boot via:
+  ##  3. boot.initrd.postDeviceCommands = ''
+  ##       mkdir -p /run/mymount
+  ##       mount -o subvol=/ /dev/disk/by-uuid/UUID /run/mymount
+  ##       btrfs subvolume delete /run/mymount
+  ##       btrfs subvolume snapshot / /run/mymount
+  ##     '';
+  #
+  #  See also https://grahamc.com/blog/erase-your-darlings/
+  environment.persistence."/persistent" = {
+    # sets the mount option x-gvfs-hide on all the bind mounts
+    # to hide them from the file manager
+    hideMounts = true;
+    directories = [
+      "/etc/NetworkManager/system-connections"
+      "/etc/ssh"
+      "/etc/nix/inputs"
+
+      # my files
+      "/etc/agenix/"
+
+      "/var/log"
+      "/var/lib"
+
+      # created by modules/nixos/fhs-fonts.nix
+      # for flatpak apps
+      # "/usr/share/fonts"
+      # "/usr/share/icons"
+    ];
+    files = [
+      "/etc/machine-id"
+    ];
+    users.ryan = {
+      directories = [
+        "codes"
+        "nix-config"
+        "tmp"
+
+        "Downloads"
+        "Music"
+        "Pictures"
+        "Documents"
+        "Videos"
+
+        {
+          directory = ".gnupg";
+          mode = "0700";
+        }
+        {
+          directory = ".ssh";
+          mode = "0700";
+        }
+        {
+          directory = ".aws";
+          mode = "0700";
+        }
+        {
+          directory = ".docker";
+          mode = "0700";
+        }
+        {
+          directory = ".kube";
+          mode = "0700";
+        }
+
+        ".bash_history"
+        ".cache"
+        ".config"
+        ".local"
+        ".mozilla"
+        ".npm"
+        ".wakatime"
+      ];
+      files = [
+        ".wakatime.cfg"
+        ".wakatime.bdb"
+      ];
+    };
+  };
+}