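{ npins, config, lib, pkgs, ... }:
# Persistence glue for a btrfs root that is thrown away on every boot:
# state that must survive lives under /persist (home) and /persist/system
# (system) and is mapped back by the pinned `preservation` module.
let
  inherit (lib) types;
  cfg = config.common.configure.persist;

  # Ownership options shared by every directory/file entry below.
  # `mode = null` leaves the mode to the preservation module's default.
  perms = {
    user = lib.mkOption {
      type = types.str;
      default = "root";
    };
    group = lib.mkOption {
      type = types.str;
      default = "root";
    };
    mode = lib.mkOption {
      type = with types; nullOr str;
      default = null;
    };
  };

  # An entry is either a bare path or an attrset with the path plus `perms`.
  dirEntry = with types; oneOf [
    str
    (submodule {
      options = {
        directory = lib.mkOption { type = types.str; };
      } // perms;
    })
  ];

  fileEntry = with types; oneOf [
    str
    (submodule {
      options = {
        file = lib.mkOption { type = types.str; };
        # `perms` is a bare set of option declarations, so it has to be
        # wrapped as `{ options = perms; }` — passing it straight to
        # `submodule` makes the module system read it as *config* and any
        # non-null `parentDirectory` fails at evaluation time.
        parentDirectory = lib.mkOption {
          type = with types; nullOr (submodule { options = perms; });
          default = null;
        };
      } // perms;
    })
  ];

  btrfs = lib.getExe pkgs.btrfs-progs;
in
{
  options.common.configure.persist = {
    home.enable = lib.mkOption {
      type = types.bool;
      default = false;
    };
    system = {
      enable = lib.mkOption {
        type = types.bool;
        default = false;
      };
      # Extra paths to keep across boots, appended to the built-in list
      # under /persist/system. Entries are re-validated by the preservation
      # module, so only path + ownership can be expressed here.
      dirs = lib.mkOption {
        default = [ ];
        type = types.listOf dirEntry;
      };
      files = lib.mkOption {
        default = [ ];
        type = types.listOf fileEntry;
      };
    };
  };

  # `imports` cannot depend on `config` (it would recurse), and the previous
  # `(lib.mkIf cfg.enable [...]).content` never evaluated its condition —
  # there is no `persist.enable` option — so the module was always imported.
  # Say so plainly; everything it does is still gated by `preservation.enable`.
  imports = [ "${npins.preservation}/module.nix" ];

  config = lib.mkMerge [
    (lib.mkIf cfg.home.enable {
      common.configure.rootDisk.subVolumes.home = true;
      # NOTE(review): presumably needed for user-level bind/FUSE mounts of
      # home directories out of /persist — confirm against the home-side setup.
      programs.fuse.userAllowOther = lib.mkDefault true;
      preservation.enable = true;
      # Register the mount point; the per-user entries are added elsewhere.
      preservation.preserveAt."/persist" = { };
    })

    (lib.mkIf cfg.system.enable {
      common.configure.rootDisk.subVolumes.system = true;

      # Runs in the initrd after the LUKS volume is open and before the root
      # is mounted: keeps the last four roots (nixos-root-1..4), drops the
      # oldest, and boots into a freshly created empty subvolume.
      # Security note: the old roots are kept for four boots, so anything
      # written outside /persist is still recoverable from them for that
      # long — acceptable only because they sit on the encrypted device.
      boot.initrd.systemd.services.defenestrate = {
        description = "Defenestrate old btrfs-root";
        wantedBy = [ "initrd.target" ];
        after = [ "cryptsetup.target" ];
        before = [ "sysroot.mount" ];
        onFailure = [ "emergency.target" ];
        unitConfig.DefaultDependencies = "no";
        serviceConfig.Type = "oneshot";
        script = ''
          mkdir -p /btrfs_tmp
          mount -o "subvol=/" /dev/mapper/root /btrfs_tmp

          # Rotate 3->4, 2->3, 1->2 after dropping 4. Slots that do not
          # exist yet (first boot, manual cleanup) are skipped so the
          # script (which runs with -e) does not fall into emergency.target
          # for a non-error; mount/create/set-default still fail loudly.
          if [ -e /btrfs_tmp/nixos-root-4 ]; then
            ${btrfs} subvolume delete --recursive /btrfs_tmp/nixos-root-4
          fi
          for n in 3 2 1; do
            if [ -e "/btrfs_tmp/nixos-root-$n" ]; then
              mv "/btrfs_tmp/nixos-root-$n" "/btrfs_tmp/nixos-root-$((n + 1))"
            fi
          done

          ${btrfs} subvolume create /btrfs_tmp/nixos-root-1
          ${btrfs} subvolume set-default /btrfs_tmp/nixos-root-1
          umount /btrfs_tmp
        '';
      };

      # DynamicUser= state lives under /var/lib/private; systemd expects it
      # root-owned and 0700, so re-assert that on the fresh root every boot.
      systemd.tmpfiles.rules = [ "d /var/lib/private 0700 root root" ];

      # Secrets are decrypted with key material that lives under
      # /persist/system (presumably the host key) — never before it is mounted.
      systemd.services = lib.genAttrs [
        "sops-install-secrets"
        "sops-install-secrets-for-users"
      ] (_: {
        unitConfig.RequiresMountsFor = [ "/persist/system" ];
      });

      # Every preserved directory below /var/lib/private/ must stay 0700 as
      # well; force it on the tmpfiles entries the preservation module emits.
      systemd.tmpfiles.settings.preservation =
        let
          preserved = config.preservation.preserveAt."/persist/system".directories;
          pathOf = entry: if lib.isAttrs entry then entry.directory else entry;
          privatePaths = lib.filter (lib.hasPrefix "/var/lib/private/") (map pathOf preserved);
        in
        lib.genAttrs privatePaths (_: {
          "d" = {
            type = "!d";
            mode = lib.mkForce "0700";
          };
        });

      preservation.enable = true;
      preservation.preserveAt."/persist/system" = {
        directories = [
          "/var/log"
          "/var/lib/systemd/coredump"
          "/var/lib/systemd/rfkill"
          "/var/lib/systemd/timers"
          # Needed in the initrd already (uid/gid maps for the new root).
          {
            directory = "/var/lib/nixos";
            inInitrd = true;
          }
          # Kept for reference: the 0700 mode for /var/lib/private is
          # applied via tmpfiles above instead of preserving the whole tree.
          # {
          #   directory = "/var/lib/private";
          #   mode = "0700";
          # }
        ] ++ cfg.system.dirs;
        files = [
          # Seed must be reachable before the root is switched so the RNG
          # is not reseeded from nothing on every (wiped) boot.
          {
            file = "/var/lib/systemd/random-seed";
            how = "symlink";
            inInitrd = true;
            configureParent = true;
          }
        ] ++ cfg.system.files;
      };
    })
  ];
}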