From aaabb5ed76ba27e0de71c16ff58f14de62a5432d Mon Sep 17 00:00:00 2001
From: Ryan Yin
Date: Sun, 29 Jun 2025 14:56:08 +0800
Subject: [PATCH] feat: hosts/k8s - replace impermanence with preservation (#199)
---
hosts/k8s/disko-config/kubevirt-disko-fs.nix | 2 +-
hosts/k8s/kubevirt-shoryu/default.nix | 2 +-
hosts/k8s/kubevirt-shoryu/impermanence.nix | 58 ----------
hosts/k8s/kubevirt-shoryu/preservation.nix | 110 +++++++++++++++++++
hosts/k8s/kubevirt-shushou/default.nix | 2 +-
hosts/k8s/kubevirt-youko/default.nix | 2 +-
6 files changed, 114 insertions(+), 62 deletions(-)
delete mode 100644 hosts/k8s/kubevirt-shoryu/impermanence.nix
create mode 100644 hosts/k8s/kubevirt-shoryu/preservation.nix
diff --git a/hosts/k8s/disko-config/kubevirt-disko-fs.nix b/hosts/k8s/disko-config/kubevirt-disko-fs.nix
index e3d8a707..24c7d5b3 100644
--- a/hosts/k8s/disko-config/kubevirt-disko-fs.nix
+++ b/hosts/k8s/disko-config/kubevirt-disko-fs.nix
@@ -53,7 +53,7 @@
 # type `cryptsetup --help` to see the compiled-in key and passphrase maximum sizes
 keyFileSize = 512 * 64; # match the `bs * count` of the `dd` command
 keyFileOffset = 512 * 128; # match the `bs * skip` of the `dd` command
- fallbackToPassword = true;
+ # fallbackToPassword = true;
 allowDiscards = true;
 };
 # Whether to add a boot.initrd.luks.devices entry for the specified disk.
diff --git a/hosts/k8s/kubevirt-shoryu/default.nix b/hosts/k8s/kubevirt-shoryu/default.nix
index 328ea1da..b580c331 100644
--- a/hosts/k8s/kubevirt-shoryu/default.nix
+++ b/hosts/k8s/kubevirt-shoryu/default.nix
@@ -51,7 +51,7 @@ in {
 disko.nixosModules.default
 ../disko-config/kubevirt-disko-fs.nix
 ./hardware-configuration.nix
- ./impermanence.nix
+ ./preservation.nix
 coreModule
 k3sModule
 ];
diff --git a/hosts/k8s/kubevirt-shoryu/impermanence.nix b/hosts/k8s/kubevirt-shoryu/impermanence.nix
deleted file mode 100644
index be9a04c3..00000000
--- a/hosts/k8s/kubevirt-shoryu/impermanence.nix
+++ /dev/null
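Review bot: `+ # fallbackToPassword = true;` leaves a commented-out option with no explanation in a disko config that three hosts import, while the reason is only recorded in the impermanence.nix this commit deletes (the option is implied by systemd stage 1 once `boot.initrd.systemd.enable = true`, and the message quoted there reads like an assertion that rejects setting it explicitly). Replace the dead line with a comment that states this, e.g. `# fallbackToPassword is implied by systemd stage 1 (boot.initrd.systemd.enable = true in preservation.nix); do not set it here — see nixos/modules/system/boot/luksroot.nix`. Worth adding to the same comment that a host importing this file with the scripted initrd would presumably get the option's default instead, i.e. no interactive passphrase fallback if the key device is missing at boot. The enclosing attribute set starts and ends outside the hunk.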
@@ -1,58 +0,0 @@
-{
- impermanence,
- pkgs,
- ...
-}: {
- # TODO: migrate from impermanence to preservation.
- # Currently initrd do not support read password from devices:
- # boot.initrd.luks.devices..fallbackToPassword is implied by systemd stage 1.
- #
- # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix
- imports = [
- impermanence.nixosModules.impermanence
- ];
-
- environment.systemPackages = [
- # `sudo ncdu -x /`
- pkgs.ncdu
- ];
-
- # NOTE: impermanence only mounts the directory/file list below to /persistent
- # If the directory/file already exists in the root filesystem, you should
- # move those files/directories to /persistent first!
- environment.persistence."/persistent" = {
- # sets the mount option x-gvfs-hide on all the bind mounts
- # to hide them from the file manager
- hideMounts = true;
- directories = [
- "/etc/NetworkManager/system-connections"
- "/etc/ssh"
- "/etc/nix/inputs"
- "/etc/secureboot" # lanzaboote - secure boot
- # my secrets
- "/etc/agenix/"
-
- "/var/log"
- "/var/lib"
-
- # k3s related
- "/etc/iscsi"
- "/etc/rancher"
- ];
- files = [
- "/etc/machine-id"
- ];
-
- # the following directories will be passed to /persistent/home/$USER
- users.ryan = {
- directories = [
- "codes"
- "nix-config"
- "tmp"
- ];
- files = [
- ".config/nushell/history.txt"
- ];
- };
- };
-}
diff --git a/hosts/k8s/kubevirt-shoryu/preservation.nix b/hosts/k8s/kubevirt-shoryu/preservation.nix
new file mode 100644
index 00000000..7a80759a
--- /dev/null
+++ b/hosts/k8s/kubevirt-shoryu/preservation.nix
@@ -0,0 +1,110 @@
+{
+ preservation,
+ pkgs,
+ myvars,
+ ...
+}: let
+ inherit (myvars) username;
+in {
+ imports = [
+ preservation.nixosModules.default
+ ];
+
+ preservation.enable = true;
+ boot.initrd.systemd.enable = true;
+
+ environment.systemPackages = [
+ # `sudo ncdu -x /`
+ pkgs.ncdu
+ ];
+
+ # NOTE: `preservation` only mounts the directory/file list below to /persistent
+ # If the directory/file already exists in the root filesystem you should
+ # move those files/directories to /persistent first!
+ preservation.preserveAt."/persistent" = {
+ directories = [
+ "/etc/NetworkManager/system-connections"
+ "/etc/ssh"
+ "/etc/nix/inputs"
+ "/etc/secureboot" # lanzaboote - secure boot
+ # my secrets
+ "/etc/agenix/"
+
+ "/var/log"
+ "/var/lib"
+
+ # k3s related
+ "/etc/iscsi"
+ "/etc/rancher"
+ ];
+ files = [
+ # auto-generated machine ID
+ {
+ file = "/etc/machine-id";
+ inInitrd = true;
+ }
+ ];
+
+ # the following directories will be passed to /persistent/home/$USER
+ users.${username} = {
+ directories = [
+ "codes"
+ "nix-config"
+ "tmp"
+ ];
+ files = [
+ {
+ file = ".config/nushell/history.txt";
+ how = "symlink";
+ # create parent directory automatically
+ configureParent = true;
+ }
+ ];
+ };
+ };
+
+ # Create some directories with custom permissions.
+ #
+ # In this configuration the path `/home/butz/.local` is not an immediate parent
+ # of any persisted file so it would be created with the systemd-tmpfiles default
+ # ownership `root:root` and mode `0755`. This would mean that the user `butz`
+ # could not create other files or directories inside `/home/butz/.local`.
+ #
+ # Therefore systemd-tmpfiles is used to prepare such directories with
+ # appropriate permissions.
+ #
+ # Note that immediate parent directories of persisted files can also be
+ # configured with ownership and permissions from the `parent` settings if
+ # `configureParent = true` is set for the file.
+ systemd.tmpfiles.settings.preservation = let
+ permission = {
+ user = username;
+ group = "users";
+ mode = "0755";
+ };
+ in {
+ "/home/${username}/.config".d = permission;
+ "/home/${username}/.local".d = permission;
+ "/home/${username}/.local/share".d = permission;
+ "/home/${username}/.local/state".d = permission;
+ "/home/${username}/.terraform.d".d = permission;
+ };
+
+ # systemd-machine-id-commit.service would fail but it is not relevant
+ # in this specific setup for a persistent machine-id so we disable it
+ #
+ # see the firstboot example below for an alternative approach
+ systemd.suppressedSystemUnits = ["systemd-machine-id-commit.service"];
+
+ # let the service commit the transient ID to the persistent volume
+ systemd.services.systemd-machine-id-commit = {
+ unitConfig.ConditionPathIsMountPoint = [
+ ""
+ "/persistent/etc/machine-id"
+ ];
+ serviceConfig.ExecStart = [
+ ""
+ "systemd-machine-id-setup --commit --root /persistent"
+ ];
+ };
+}
diff --git a/hosts/k8s/kubevirt-shushou/default.nix b/hosts/k8s/kubevirt-shushou/default.nix
index 67c23625..84da6742 100644
--- a/hosts/k8s/kubevirt-shushou/default.nix
+++ b/hosts/k8s/kubevirt-shushou/default.nix
@@ -45,7 +45,7 @@ in {
 disko.nixosModules.default
 ../disko-config/kubevirt-disko-fs.nix
 ../kubevirt-shoryu/hardware-configuration.nix
- ../kubevirt-shoryu/impermanence.nix
+ ../kubevirt-shoryu/preservation.nix
 coreModule
 k3sModule
 ];
diff --git a/hosts/k8s/kubevirt-youko/default.nix b/hosts/k8s/kubevirt-youko/default.nix
index 405f881a..501081f9 100644
--- a/hosts/k8s/kubevirt-youko/default.nix
+++ b/hosts/k8s/kubevirt-youko/default.nix
@@ -45,7 +45,7 @@ in {
 disko.nixosModules.default
 ../disko-config/kubevirt-disko-fs.nix
 ../kubevirt-shoryu/hardware-configuration.nix
- ../kubevirt-shoryu/impermanence.nix
+ ../kubevirt-shoryu/preservation.nix
 coreModule
 k3sModule
 ];
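Review bot: `systemd.suppressedSystemUnits = ["systemd-machine-id-commit.service"];` and the `systemd.services.systemd-machine-id-commit` override right below it are two alternative approaches applied together; suppressing the unit drops it from the generated systemd configuration, so the ConditionPathIsMountPoint/ExecStart override appears to be dead config, and the `# see the firstboot example below for an alternative approach` comment refers to text that is not in this file. Keep one of the two (the override that commits the ID to /persistent, or the suppression) and rewrite the comment to say which one is in effect and why. The comment block above `systemd.tmpfiles.settings.preservation` still describes `/home/butz/.local` and "the user `butz`" while the code uses `${username}`; change those to `/home/${username}/.local` and "the user" so the explanation matches the configuration. Also consider `mode = "0700";` (or `0750`) instead of `0755` for these user-owned directories, since `.terraform.d` and `.config` commonly hold credentials and a world-readable mode only stays harmless if the home directory itself denies traversal to other users.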