nerf/impermanence #13

Merged
nerf merged 6 commits from nerf/nixConfig:nerf/impermanence into main 2023-10-06 08:08:50 +00:00
6 changed files with 113 additions and 0 deletions


@ -235,3 +235,46 @@ Afterwards the secret should be available in `/run/secrets/example-key`.
If the accessing process is not root it must be member of the group `config.users.groups.keys` If the accessing process is not root it must be member of the group `config.users.groups.keys`
for systemd services this can be archived by setting `serviceConfig.SupplementaryGroups = [ config.users.groups.keys.name ];` for systemd services this can be archived by setting `serviceConfig.SupplementaryGroups = [ config.users.groups.keys.name ];`
it the service configuration. it the service configuration.
## impermanence
These machines are setup with `"/"` as a tmpfs. This is there to keep the machines clean. So no clutter in home
directories, no weird ad-hoc solutions of botching something into `/opt/` or something like this. All will be
gone at reboot.
But there are some files that we want to survive reboots, for example logs or ssh keys. The solution to this is
to have a persistent storage mounted at `/persist` and automatically bind mount the paths of persistent things
to the right places. To set this up we are using the impermanence module. In our configuration this is loaded with
some default files to bind mount (ssh keys, machine-id some nixos specific things). That we have on all machines.
If you keep your application data (like recommended) on a separate partition, the chances are you don't need
to interact with this, as most configuration files will be in the nix store anyway. If the application wants these nix
store files in certain directories, you should use `environment.etc` family of options (consult the nixos documentation
for this). This is for mutable files that are not core application data. (Like ssh keys, for a mailserver one could
think about the hash files (not the db files) of an alias map (if one doesn't want to manage that with
the nix store), things like that).
This should not be (but could be) used for large application databases. It would be more appropriate to mount
its own filesystem for things like that. For small configuration files that are not in the nix-store,
that might be the appropriate solution.
By default the storage is called `persist` and the default path for it is `/persist`. These can be changed
with the `impermanence.name` and `impermanence.storagePath` options. To add paths to this storage you do the
following.
```
environment.persistence.${config.impermanence.name} = {
directories = [
"<your path to a directory to persist>"
];
files = [
"<your path to a file to persist>"
];
};
```
For this to work `config` must be binded by the function arguments of you module. So the start of your module looks
something like this:
```
{lib, pkgs, config, ...} :
<module code >
```


@ -33,6 +33,21 @@
"type": "indirect" "type": "indirect"
} }
}, },
"impermanence": {
"locked": {
"lastModified": 1694622745,
"narHash": "sha256-z397+eDhKx9c2qNafL1xv75lC0Q4nOaFlhaU1TINqb8=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "e9643d08d0d193a2e074a19d4d90c67a874d932e",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "impermanence",
"type": "github"
}
},
"nixos-mailserver": { "nixos-mailserver": {
"inputs": { "inputs": {
"blobs": "blobs", "blobs": "blobs",
@ -123,6 +138,7 @@
"root": { "root": {
"inputs": { "inputs": {
"flake-parts": "flake-parts", "flake-parts": "flake-parts",
"impermanence": "impermanence",
"nixos-mailserver": "nixos-mailserver", "nixos-mailserver": "nixos-mailserver",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"sops-nix": "sops-nix" "sops-nix": "sops-nix"


@ -14,6 +14,9 @@
url = "github:Mic92/sops-nix"; url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
impermanence = {
url = "github:nix-community/impermanence";
};
}; };
outputs = inputs@{ flake-parts, ... }: outputs = inputs@{ flake-parts, ... }:


@ -12,6 +12,7 @@
imports = [ imports = [
(import (./. + "/machines/${name}/configuration.nix") inputs) (import (./. + "/machines/${name}/configuration.nix") inputs)
inputs.sops-nix.nixosModules.sops inputs.sops-nix.nixosModules.sops
inputs.impermanence.nixosModules.impermanence
]; ];
}; };
in lib.genAttrs machines makeSystem); in lib.genAttrs machines makeSystem);


@ -0,0 +1,47 @@
{lib, config, ...} :
let
inherit (lib)
mkEnableOption
mkIf
mkOption
types
;
cfg = config.impermanence;
in
{
imports = [ ];
options.impermanence = {
enable = mkEnableOption "impermanence";
storagePath = mkOption {
type = types.path;
default = "/persist";
description = "The path where persistent data is stored";
};
name = mkOption {
type = types.str;
default = "persist";
description = "the name of the persistent data store";
};
};
config = mkIf cfg.enable {
environment.persistence.${cfg.name} = {
persistentStoragePath = cfg.storagePath;
directories = [
"/var/log"
"/var/lib/nixos"
];
files = [
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
];
};
environment.etc.machine-id.source = "${cfg.storagePath}/machine-id";
};
}
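Review bot: The module's `imports = [ ];` near the top is empty, yet the body sets `environment.persistence.${cfg.name}`, an option that only exists once the upstream impermanence NixOS module is imported (in this PR that happens in the flake's `makeSystem`, not in this file), so a machine config that enables `impermanence.enable` but is built another way fails with an undefined-option error that gives no hint of the cause. Replace the empty list with a comment such as `# environment.persistence is declared by inputs.impermanence.nixosModules.impermanence, imported in makeSystem in flake.nix; this module only wraps it.` The `environment.etc.machine-id.source = "${cfg.storagePath}/machine-id";` line presumably needs that file to already exist on the storage at first boot or the symlink dangles; a comment stating who seeds it would help, and note it sits at the storage root while the bind-mounted ssh keys are, as I read impermanence, mirrored under `${cfg.storagePath}/etc/ssh/`. Minor: the `name` option's description starts lowercase while `storagePath`'s is capitalised; `description = "The name of the persistent data store";` keeps them consistent.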


@ -4,6 +4,7 @@ imports = [
./admins.nix ./admins.nix
./nix_keys.nix ./nix_keys.nix
(modulesPath + "/virtualisation/xen-domU.nix") (modulesPath + "/virtualisation/xen-domU.nix")
../modules/impermanence.nix
]; ];
nix = { nix = {
extraOptions = '' extraOptions = ''
@ -27,6 +28,8 @@ users = {
users.root.hashedPassword = "!"; users.root.hashedPassword = "!";
}; };
impermanence.enable = true;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
environment = { environment = {
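Review bot: `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` is kept directly under the new `impermanence.enable = true;`, but with impermanence enabled that path is a bind mount from the persistent storage, and I believe sops-nix installs secrets in an activation step that can run before the file bind mounts are in place; if so, at boot the key is absent (or an empty placeholder) when decryption runs and every sops secret silently fails to appear under `/run/secrets`. Consider pointing at the persisted copy directly, `sops.age.sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];` (or `"${config.impermanence.storagePath}/etc/ssh/ssh_host_ed25519_key"` if `config` is among this module's arguments), and make sure the filesystem backing `/persist` carries `neededForBoot = true;` so it is mounted before activation; the `fileSystems` entry is not part of this change, so I cannot confirm that here. The attribute set containing these lines starts and ends outside the hunk.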