Diffstat (limited to '')
-rw-r--r--profiles/state.nix59
1 files changed, 59 insertions, 0 deletions
diff --git a/profiles/state.nix b/profiles/state.nix
new file mode 100644
index 0000000..0869d11
--- /dev/null
+++ b/profiles/state.nix
@@ -0,0 +1,59 @@
+{
+ adminUser,
+ config,
+ lib,
+ ...
+}:
+{
+ system.activationScripts = lib.mkIf config.ephemeralRoot {
+ "createPersistentStorageDirs".deps = [
+ "var-lib-private-permissions"
+ "home-user-permissions"
+ "users"
+ "groups"
+ ];
+ "var-lib-private-permissions" = {
+ deps = [ "specialfs" ];
+ text = ''
+ mkdir -p /persist/var/lib/private
+ chmod 0700 /persist/var/lib/private
+ '';
+ };
+ "home-user-permissions" = {
+ deps = [ "specialfs" ];
+ text = ''
+ mkdir -p /persist/save/home/${adminUser.name}
+ chown -R ${toString adminUser.uid}:${toString adminUser.gid} /persist/save/home/${adminUser.name}
+ chmod 0700 /persist/save/home/${adminUser.name}
+ '';
+ };
+ };
+
+ environment.persistence."/persist" = {
+ enable = config.ephemeralRoot;
+ hideMounts = true;
+ directories = [
+ "/root"
+ "/var/lib/containers"
+ "/var/lib/nixos"
+ "/var/lib/systemd"
+ "/var/log"
+ ];
+ files = [
+ "/etc/machine-id"
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ ];
+ };
+
+ environment.persistence."/persist/save" = {
+ enable = config.ephemeralRoot;
+ hideMounts = true;
+ users.${adminUser.name} = {
+ directories = [ ];
+ files = [
+ ".ssh/known_hosts"
+ ];
+ };
+ };
+}
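Review bot: In the `home-user-permissions` script, `chown -R` runs as root on every activation over a tree the admin user can write to, so whatever is found inside it is handed to that user each time; whether that can reach files outside the tree depends on kernel link protections that are not visible in this commit. Only the top-level directory needs its owner and mode set here, and `install -d -m 0700 -o ${toString adminUser.uid} -g ${toString adminUser.gid} /persist/save/home/${adminUser.name}` does that in one step, without the short window between `mkdir -p` and `chmod 0700` in which the directory has umask-default permissions. The same `install -d -m 0700` form would fit `var-lib-private-permissions`. Wrapping the interpolated path in `lib.escapeShellArg` would keep the script well-formed if the user name ever contains shell metacharacters.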