Diffstat (limited to 'profiles')
-rw-r--r--profiles/defaults.nix15
-rw-r--r--profiles/disk/btrfs-on-luks.nix102
-rw-r--r--profiles/hardware/synology-vm.nix4
-rw-r--r--profiles/remote-unlock.nix2
-rw-r--r--profiles/state.nix59
-rw-r--r--profiles/users/admin-user.nix2
-rw-r--r--profiles/wireguard.nix4
7 files changed, 137 insertions, 51 deletions
diff --git a/profiles/defaults.nix b/profiles/defaults.nix
index 2683c5a..834c28d 100644
--- a/profiles/defaults.nix
+++ b/profiles/defaults.nix
@@ -5,6 +5,17 @@
adminUser,
...
}:
+let
+ inherit (lib // builtins)
+ attrNames
+ hasAttr
+ mkIf
+ length
+ ;
+ hasState =
+ hasAttr "persistence" config.environment && (length (attrNames config.environment.persistence)) > 0;
+ hasSecrets = config.age.secrets != { };
+in
{
imports = [
./cgroups.nix
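Review bot: `hasSecrets` on the `config.age.secrets != { }` line dereferences `config.age` unguarded, so evaluation fails on any host that imports this profile without the agenix module, whereas `hasState` two lines above guards `config.environment.persistence` with `hasAttr`. Guard both the same way: `hasSecrets = hasAttr "age" config && config.age.secrets != { };`. The `lib // builtins` merge is also unnecessary, since `lib` already re-exports `attrNames`, `hasAttr` and `length`; `inherit (lib) attrNames hasAttr mkIf length;` reads cleaner and avoids a reader wondering which side wins. The enclosing module attrset continues outside the hunk.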
@@ -145,4 +156,8 @@
vim
wireguard-tools
];
+
+ system.activationScripts.agenixNewGeneration = mkIf (
+ hasSecrets && hasState && config.ephemeralRoot
+ ) { deps = [ "persist-files" ]; };
}
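Review bot: The `deps = [ "persist-files" ]` ordering on `agenixNewGeneration` carries no comment saying why it exists, and the dependency name is an impermanence activation script that a reader of this file cannot see. Presumably the intent is that agenix decrypts with the host SSH key that impermanence bind-mounts into `/etc/ssh` from `/persist`, so decryption must wait for that mount; if so, record it: `# agenix decrypts with the host SSH key, which impermanence restores from /persist; run after its files are bound`. If the intent is different, the comment should state which persisted state agenix actually depends on. The `environment.systemPackages` list closed by the `];` context line starts outside the hunk.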
diff --git a/profiles/disk/btrfs-on-luks.nix b/profiles/disk/btrfs-on-luks.nix
index 3fe57f7..aea2c0c 100644
--- a/profiles/disk/btrfs-on-luks.nix
+++ b/profiles/disk/btrfs-on-luks.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ lib, config, ... }:
let
btrfsopt = [
"compress=zstd"
@@ -13,55 +13,52 @@ in
];
disko.devices = {
- disk = {
- main = {
- type = "disk";
- device = "/dev/nvme0n1";
- content = {
- type = "gpt";
- partitions = {
- ESP = {
- size = "2G";
- type = "EF00";
- content = {
- type = "filesystem";
- format = "vfat";
- mountpoint = "/boot";
- mountOptions = [
- "fmask=0022"
- "dmask=0022"
- ];
- };
+ disk.disk1 = {
+ type = "disk";
+ device = lib.mkDefault "/dev/nvme0n1";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ };
+ esp = {
+ size = "2G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
};
- luks = {
- size = "100%";
+ };
+ luks = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "nixos";
+ passwordFile = "/tmp/disk.key";
+ settings.allowDiscards = true;
content = {
- type = "luks";
- name = "nixos";
- passwordFile = "/tmp/pass";
- settings = {
- allowDiscards = true;
- };
- content = {
- type = "btrfs";
- extraArgs = [ "-f" ];
- subvolumes = {
- "@root" = {
- mountpoint = "/";
- mountOptions = btrfsopt;
- };
- "@home" = {
- mountpoint = "/home";
- mountOptions = btrfsopt;
- };
- "@nix" = {
- mountpoint = "/nix";
- mountOptions = btrfsopt;
- };
- "@data" = {
- mountpoint = "/data";
- mountOptions = btrfsopt;
- };
+ type = "btrfs";
+ extraArgs = [ "-f" ];
+ subvolumes = {
+ "/root" = lib.mkIf (!config.ephemeralRoot) {
+ mountpoint = "/";
+ mountOptions = btrfsopt;
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = btrfsopt;
+ };
+ "/data" = {
+ mountpoint = "/data";
+ mountOptions = btrfsopt;
+ };
+ "/persist" = {
+ mountpoint = "/persist";
+ mountOptions = btrfsopt;
};
};
};
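Review bot: The rewritten `esp` partition drops the `fmask=0022`/`dmask=0022` mount options the old `ESP` block had, so `/boot` falls back to the vfat default umask and its kernels, initrds and any initrd secrets appended to them become accessible to every local user; recent NixOS releases warn about a world-accessible boot loader mount for this reason. Set restrictive options on the new `esp.content`: `mountOptions = [ "umask=0077" ];` (or `fmask=0077` and `dmask=0077`). `passwordFile = "/tmp/disk.key"` is read by disko only at format time, so whatever installer step writes it should create it 0600 and remove it afterwards — a comment on that line would make that expectation explicit. `settings.allowDiscards = true` is a deliberate trade-off (TRIM reveals which LUKS blocks are unused) and also deserves a one-line comment. The `luks` partition attrset is closed outside the hunk.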
@@ -70,5 +67,14 @@ in
};
};
};
+ nodev."/" = lib.mkIf config.ephemeralRoot {
+ fsType = "tmpfs";
+ mountOptions = [
+ "size=16G"
+ "defaults"
+ "mode=755"
+ ];
+ };
};
+ fileSystems."/persist".neededForBoot = true;
}
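Review bot: `size=16G` on the tmpfs root is a fixed ceiling while the disk device earlier in this same file is made overridable with `lib.mkDefault`; on a host with less memory the root tmpfs can eat most of RAM before reaching it, and on a larger host it is an arbitrary cap. Consider `mountOptions = lib.mkDefault [ "size=25%" "defaults" "mode=755" ];` or another per-host override, and add a comment noting that `/nix` is its own subvolume so the store does not count against this size. `fileSystems."/persist".neededForBoot = true` is what impermanence needs because its bind mounts happen in stage 1; a short comment saying so would help the next reader.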
diff --git a/profiles/hardware/synology-vm.nix b/profiles/hardware/synology-vm.nix
index 053cf41..970a23c 100644
--- a/profiles/hardware/synology-vm.nix
+++ b/profiles/hardware/synology-vm.nix
@@ -15,7 +15,9 @@
"sd_mod"
"sr_mod"
];
- boot.initrd.kernelModules = [ ];
+ boot.initrd.kernelModules = [
+ "virtio_net"
+ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
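Review bot: `virtio_net` is added to `boot.initrd.kernelModules` with no comment on why a NIC driver must be force-loaded in stage 1. Presumably this is what the initrd SSH unlock configured in `remote-unlock.nix` needs on a virtio guest; if so, say it inline: `"virtio_net" # initrd networking for remote LUKS unlock`. The module list closed by the `];` context line above starts outside the hunk.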
diff --git a/profiles/remote-unlock.nix b/profiles/remote-unlock.nix
index 9812ce8..0e2cb1b 100644
--- a/profiles/remote-unlock.nix
+++ b/profiles/remote-unlock.nix
@@ -12,7 +12,7 @@
enable = true;
port = 911;
hostKeys = [
- "/etc/initrd/ssh_host_ed25519_key"
+ "/persist/secrets/ssh_host_ed25519_key"
];
authorizedKeys = with adminUser.userinfo.sshPublicKeys; [
onepassword
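Review bot: The initrd SSH host key is appended to the initrd when the boot loader is installed, so the key at `/persist/secrets/ssh_host_ed25519_key` ends up in plaintext on the ESP regardless of where it lives on disk; it must therefore stay distinct from the system host key (`/etc/ssh/ssh_host_ed25519_key`, which state.nix persists separately), and that distinction deserves a comment on the `hostKeys` line, e.g. `# initrd-only key: it is copied into the initrd on the ESP, never reuse the system host key`. Nothing in this change creates `/persist/secrets` or sets its mode — the activation scripts in state.nix only prepare `/persist/var/lib/private` and the admin home — so confirm that whatever provisions the key creates the directory 0700. The path is read on the target host at boot loader installation, so the file must exist there before the first `nixos-rebuild boot`/`switch`. The `boot.initrd.network.ssh` attrset enclosing this hunk starts and ends outside it.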
diff --git a/profiles/state.nix b/profiles/state.nix
new file mode 100644
index 0000000..0869d11
--- /dev/null
+++ b/profiles/state.nix
@@ -0,0 +1,59 @@
+{
+ adminUser,
+ config,
+ lib,
+ ...
+}:
+{
+ system.activationScripts = lib.mkIf config.ephemeralRoot {
+ "createPersistentStorageDirs".deps = [
+ "var-lib-private-permissions"
+ "home-user-permissions"
+ "users"
+ "groups"
+ ];
+ "var-lib-private-permissions" = {
+ deps = [ "specialfs" ];
+ text = ''
+ mkdir -p /persist/var/lib/private
+ chmod 0700 /persist/var/lib/private
+ '';
+ };
+ "home-user-permissions" = {
+ deps = [ "specialfs" ];
+ text = ''
+ mkdir -p /persist/save/home/${adminUser.name}
+ chown -R ${toString adminUser.uid}:${toString adminUser.gid} /persist/save/home/${adminUser.name}
+ chmod 0700 /persist/save/home/${adminUser.name}
+ '';
+ };
+ };
+
+ environment.persistence."/persist" = {
+ enable = config.ephemeralRoot;
+ hideMounts = true;
+ directories = [
+ "/root"
+ "/var/lib/containers"
+ "/var/lib/nixos"
+ "/var/lib/systemd"
+ "/var/log"
+ ];
+ files = [
+ "/etc/machine-id"
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ ];
+ };
+
+ environment.persistence."/persist/save" = {
+ enable = config.ephemeralRoot;
+ hideMounts = true;
+ users.${adminUser.name} = {
+ directories = [ ];
+ files = [
+ ".ssh/known_hosts"
+ ];
+ };
+ };
+}
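Review bot: `chown -R` in `home-user-permissions` re-walks the whole persisted admin home on every activation and resets ownership of anything root may have placed there, when impermanence only needs the top-level directory owned by the user; `chown ${toString adminUser.uid}:${toString adminUser.gid} /persist/save/home/${adminUser.name}` without `-R` does that. `var-lib-private-permissions` creates `/persist/var/lib/private` with 0700, but no `directories` entry in `environment.persistence."/persist"` maps `/var/lib/private`, so unless another profile persists it the directory is prepared and never bound — worth confirming or documenting. The `/etc/machine-id`, `/var/lib/nixos` and SSH host key entries are what keep host identity and uid/gid allocation stable across the tmpfs root; a one-line comment per group (`# host identity`, `# state systemd and nixos need across reboots`) would explain the list to the next reader.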
diff --git a/profiles/users/admin-user.nix b/profiles/users/admin-user.nix
index 2e33603..8624fb4 100644
--- a/profiles/users/admin-user.nix
+++ b/profiles/users/admin-user.nix
@@ -10,7 +10,7 @@
inherit (adminUser) uid;
shell = pkgs.fish;
isNormalUser = true;
- hashedPassword = "$y$j9T$U3mXpCzXC1VUp8wV5snJz/$32vTk0KwVXvP/jLO13nMlGPHy0nCe4ZtebdvqU4hwmD";
+ hashedPassword = "$y$j9T$TbnCB1V7n6W9C32LEroix1$P.OvRgLlhSbwFvR6ADE43Gc5Hc0ezxXMETS/DjIeXC8";
openssh.authorizedKeys.keys = pkgs.lib.attrValues adminUser.userinfo.sshPublicKeys;
extraGroups = [
"wheel"
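Review bot: The new `hashedPassword` is a credential hash committed to the repository, readable by anyone with the repo and subject to offline cracking; the rotation also leaves the previous hash in git history, so the old password must not be reused anywhere. Since `defaults.nix` in this same change already relies on `config.age.secrets`, move the hash into an agenix secret and reference it with `hashedPasswordFile = config.age.secrets.<name>.path;` instead. Note that with `users.mutableUsers = true` either form is only applied when the user is created, so check that setting if the intent is a declaratively enforced password. The `users.users.<name>` attrset enclosing this line starts and ends outside the hunk.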
diff --git a/profiles/wireguard.nix b/profiles/wireguard.nix
index 76586ba..5620699 100644
--- a/profiles/wireguard.nix
+++ b/profiles/wireguard.nix
@@ -22,6 +22,10 @@ let
publicKey = hostConfigurations.rivendell.wgPublicKey;
endpoint = "192.168.1.114";
};
+ test = {
+ ip = 41;
+ publicKey = hostConfigurations.rivendell.wgPublicKey;
+ };
};
wgPort = 51820;
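Review bot: The new `test` peer reuses `hostConfigurations.rivendell.wgPublicKey`, but WireGuard identifies a peer by its public key, so a second entry with the same key updates the existing rivendell peer instead of adding a new one — depending on how this attrset is rendered into the interface configuration, rivendell's allowed IP is replaced by or merged with `ip = 41` and its endpoint may be dropped. If `test` is a placeholder, either give it the test host's own key or leave the entry out until one exists, and if it must stay, mark it `# TODO: placeholder, shares rivendell's key` so nobody deploys it as-is. The `peers` attrset enclosing this hunk starts outside it.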