starred/nix-config
1
0
Fork 0
mirror of https://github.com/ryan4yin/nix-config.git synced 2026-03-18 23:44:16 +01:00
Code Issues Packages Projects Releases 10 Wiki Activity

feat: hosts/k8s - replace impermanence with preservation (#199)

Browse Source
This commit is contained in:
Ryan Yin
2025-06-29 14:56:08 +08:00
committed by GitHub
parent dd008c3363
commit aaabb5ed76
6 changed files with 114 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
hosts/k8s/disko-config/kubevirt-disko-fs.nix
View File

@@ -53,7 +53,7 @@
# type `cryptsetup --help` to see the compiled-in key and passphrase maximum sizes
keyFileSize = 512 * 64; # match the `bs * count` of the `dd` command
keyFileOffset = 512 * 128; # match the `bs * skip` of the `dd` command
fallbackToPassword = true;
# fallbackToPassword = true;
allowDiscards = true;
};
# Whether to add a boot.initrd.luks.devices entry for the specified disk.

2
hosts/k8s/kubevirt-shoryu/default.nix
View File

@@ -51,7 +51,7 @@ in {
disko.nixosModules.default
../disko-config/kubevirt-disko-fs.nix
./hardware-configuration.nix
./impermanence.nix
./preservation.nix
coreModule
k3sModule
];

58
hosts/k8s/kubevirt-shoryu/impermanence.nix
View File

@@ -1,58 +0,0 @@
{
impermanence,
pkgs,
...
}: {
# TODO: migrate from impermanence to preservation.
# Currently initrd do not support read password from devices:
# boot.initrd.luks.devices.<name>.fallbackToPassword is implied by systemd stage 1.
#
# https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix
imports = [
impermanence.nixosModules.impermanence
];
environment.systemPackages = [
# `sudo ncdu -x /`
pkgs.ncdu
];
# NOTE: impermanence only mounts the directory/file list below to /persistent
# If the directory/file already exists in the root filesystem, you should
# move those files/directories to /persistent first!
environment.persistence."/persistent" = {
# sets the mount option x-gvfs-hide on all the bind mounts
# to hide them from the file manager
hideMounts = true;
directories = [
"/etc/NetworkManager/system-connections"
"/etc/ssh"
"/etc/nix/inputs"
"/etc/secureboot" # lanzaboote - secure boot
# my secrets
"/etc/agenix/"
"/var/log"
"/var/lib"
# k3s related
"/etc/iscsi"
"/etc/rancher"
];
files = [
"/etc/machine-id"
];
# the following directories will be passed to /persistent/home/$USER
users.ryan = {
directories = [
"codes"
"nix-config"
"tmp"
];
files = [
".config/nushell/history.txt"
];
};
};
}

110
hosts/k8s/kubevirt-shoryu/preservation.nix Normal file
View File

@@ -0,0 +1,110 @@
{
preservation,
pkgs,
myvars,
...
}: let
inherit (myvars) username;
in {
imports = [
preservation.nixosModules.default
];
preservation.enable = true;
boot.initrd.systemd.enable = true;
environment.systemPackages = [
# `sudo ncdu -x /`
pkgs.ncdu
];
# NOTE: `preservation` only mounts the directory/file list below to /persistent
# If the directory/file already exists in the root filesystem you should
# move those files/directories to /persistent first!
preservation.preserveAt."/persistent" = {
directories = [
"/etc/NetworkManager/system-connections"
"/etc/ssh"
"/etc/nix/inputs"
"/etc/secureboot" # lanzaboote - secure boot
# my secrets
"/etc/agenix/"
"/var/log"
"/var/lib"
# k3s related
"/etc/iscsi"
"/etc/rancher"
];
files = [
# auto-generated machine ID
{
file = "/etc/machine-id";
inInitrd = true;
}
];
# the following directories will be passed to /persistent/home/$USER
users.${username} = {
directories = [
"codes"
"nix-config"
"tmp"
];
files = [
{
file = ".config/nushell/history.txt";
how = "symlink";
# create parent directory automatically
configureParent = true;
}
];
};
};
# Create some directories with custom permissions.
#
# In this configuration the path `/home/butz/.local` is not an immediate parent
# of any persisted file so it would be created with the systemd-tmpfiles default
# ownership `root:root` and mode `0755`. This would mean that the user `butz`
# could not create other files or directories inside `/home/butz/.local`.
#
# Therefore systemd-tmpfiles is used to prepare such directories with
# appropriate permissions.
#
# Note that immediate parent directories of persisted files can also be
# configured with ownership and permissions from the `parent` settings if
# `configureParent = true` is set for the file.
systemd.tmpfiles.settings.preservation = let
permission = {
user = username;
group = "users";
mode = "0755";
};
in {
"/home/${username}/.config".d = permission;
"/home/${username}/.local".d = permission;
"/home/${username}/.local/share".d = permission;
"/home/${username}/.local/state".d = permission;
"/home/${username}/.terraform.d".d = permission;
};
# systemd-machine-id-commit.service would fail but it is not relevant
# in this specific setup for a persistent machine-id so we disable it
#
# see the firstboot example below for an alternative approach
systemd.suppressedSystemUnits = ["systemd-machine-id-commit.service"];
# let the service commit the transient ID to the persistent volume
systemd.services.systemd-machine-id-commit = {
unitConfig.ConditionPathIsMountPoint = [
""
"/persistent/etc/machine-id"
];
serviceConfig.ExecStart = [
""
"systemd-machine-id-setup --commit --root /persistent"
];
};
}

2
hosts/k8s/kubevirt-shushou/default.nix
View File

@@ -45,7 +45,7 @@ in {
disko.nixosModules.default
../disko-config/kubevirt-disko-fs.nix
../kubevirt-shoryu/hardware-configuration.nix
../kubevirt-shoryu/impermanence.nix
../kubevirt-shoryu/preservation.nix
coreModule
k3sModule
];

2
hosts/k8s/kubevirt-youko/default.nix
View File

@@ -45,7 +45,7 @@ in {
disko.nixosModules.default
../disko-config/kubevirt-disko-fs.nix
../kubevirt-shoryu/hardware-configuration.nix
../kubevirt-shoryu/impermanence.nix
../kubevirt-shoryu/preservation.nix
coreModule
k3sModule
];