From 737b74c58de0712973f81c91aa07748c02deef70 Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Sat, 24 Jan 2026 10:55:16 -0800
Subject: adding a new VM for testing

Re-key all the secrets.
---
 profiles/state.nix | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 profiles/state.nix
(limited to 'profiles/state.nix')

diff --git a/profiles/state.nix b/profiles/state.nix
new file mode 100644
index 0000000..0869d11
--- /dev/null
+++ b/profiles/state.nix
@@ -0,0 +1,59 @@
+{
+ adminUser,
+ config,
+ lib,
+ ...
+}:
+{
+ system.activationScripts = lib.mkIf config.ephemeralRoot {
+ "createPersistentStorageDirs".deps = [
+ "var-lib-private-permissions"
+ "home-user-permissions"
+ "users"
+ "groups"
+ ];
+ "var-lib-private-permissions" = {
+ deps = [ "specialfs" ];
+ text = ''
+ mkdir -p /persist/var/lib/private
+ chmod 0700 /persist/var/lib/private
+ '';
+ };
+ "home-user-permissions" = {
+ deps = [ "specialfs" ];
+ text = ''
+ mkdir -p /persist/save/home/${adminUser.name}
+ chown -R ${toString adminUser.uid}:${toString adminUser.gid} /persist/save/home/${adminUser.name}
+ chmod 0700 /persist/save/home/${adminUser.name}
+ '';
+ };
+ };
+
+ environment.persistence."/persist" = {
+ enable = config.ephemeralRoot;
+ hideMounts = true;
+ directories = [
+ "/root"
+ "/var/lib/containers"
+ "/var/lib/nixos"
+ "/var/lib/systemd"
+ "/var/log"
+ ];
+ files = [
+ "/etc/machine-id"
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ ];
+ };
+
+ environment.persistence."/persist/save" = {
+ enable = config.ephemeralRoot;
+ hideMounts = true;
+ users.${adminUser.name} = {
+ directories = [ ];
+ files = [
+ ".ssh/known_hosts"
+ ];
+ };
+ };
+}
-- 
cgit v1.2.3
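Review bot: The `chown -R` in the `home-user-permissions` activation script re-owns the whole `/persist/save/home/${adminUser.name}` tree to the admin user, and because it lives in `system.activationScripts` it presumably runs on every activation, so anything that ends up under that path owned by another user or service is silently reassigned each time. The neighbouring `mkdir -p` and `chmod 0700` only touch the directory itself, so the ownership step should match that scope: `chown ${toString adminUser.uid}:${toString adminUser.gid} /persist/save/home/${adminUser.name}`. A one-line comment above the script, such as `# Only the directory itself is created and owned here; impermanence binds the user's files beneath it`, would make the intended scope explicit for the next reader.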