Disable wheatley, update flake lock, set up preservation in preparation for using it (setup encryption on queen first)

2026-01-05 16:39:32 +01:00 · 2026-01-05 16:39:32 +01:00 · f95d8cdbcf
commit f95d8cdbcf
parent 31ace37709
12 changed files with 953 additions and 63 deletions
--- a/nixos/desktop/default.nix
+++ b/nixos/desktop/default.nix
@ -117,6 +117,16 @@
      owner = config.users.users.lillian.name;
      path = "/home/lillian/.netrc";
    };
+    secrets."prod.keys" = {
+      mode = "0600";
+      owner = config.users.users.lillian.name;
+      path = "/home/lillian/.config/Ryujinx/system/prod.keys";
+    };
+    secrets."title.keys" = {
+      mode = "0600";
+      owner = config.users.users.lillian.name;
+      path = "/home/lillian/.config/Ryujinx/system/title.keys";
+    };
  };

  programs = {
--- a/nixos/hosts/GLaDOS/configuration.nix
+++ b/nixos/hosts/GLaDOS/configuration.nix
@ -78,6 +78,7 @@

  boot = {
    loader.systemd-boot.enable = false;
+    initrd.systemd.enable = true;

    binfmt.emulatedSystems = ["aarch64-linux"];

--- a/nixos/hosts/GLaDOS/secrets/sops.yaml
+++ b/nixos/hosts/GLaDOS/secrets/sops.yaml
--- a/nixos/hosts/queen/configuration.nix
+++ b/nixos/hosts/queen/configuration.nix
@ -30,6 +30,8 @@
    # ../../../disko/queen
  ];

+  preservation.enable = lib.mkForce false;
+
  services.anubis.instances.default.settings.TARGET = "http://localhost:8123";

  # required due to unix socket permissions
--- a/nixos/shared/default.nix
+++ b/nixos/shared/default.nix
@ -5,12 +5,12 @@
  config,
  pkgs,
  pkgs-edge,
-  stdenv,
  ...
 }: {
  imports = [
    ./locale
    ./packages
+    ./preservation.nix
    inputs.home-manager.nixosModules.home-manager
    #../hosts/${config.networking.hostName}/hardware-configuration.nix
  ];
--- a/nixos/shared/packages/default.nix
+++ b/nixos/shared/packages/default.nix
@ -28,7 +28,7 @@
      age
      alejandra
      e2fsprogs
-      uutils-findutils
+      # uutils-findutils
      git
      git-filter-repo
      pre-commit
--- a/nixos/shared/preservation.nix
+++ b/nixos/shared/preservation.nix
@ -0,0 +1,195 @@
+{...}: {
+  preservation = {
+    # the module doesn't do anything unless it is enabled
+    enable = true;
+
+    preserveAt."/persistent" = {
+      # preserve system directories
+      directories = [
+        #Shared
+        "/var/lib/sbctl"
+        "/var/lib/bluetooth"
+        "/var/lib/fprint"
+        "/var/lib/fwupd"
+        "/var/lib/libvirt"
+        "/var/lib/tpm2-tss"
+        "/var/lib/tpm2-udev-trigger"
+        "/var/lib/power-profiles-daemon"
+        "/var/lib/systemd/coredump"
+        "/var/lib/systemd/rfkill"
+        "/var/lib/systemd/timers"
+        "/var/log"
+        #Desktop
+        "/var/lib/decky-loader"
+        "/var/lib/flatpak"
+        #Server
+        "/var/lib/continuwuity"
+        "/var/lib/dhcpcd"
+        "/var/lib/docker"
+        "/var/lib/dovecot"
+        "/var/lib/forgejo"
+        "/var/lib/gotosocial"
+        "/var/lib/grafana"
+        "/var/lib/jellyfin"
+        "/var/lib/media"
+        "/var/lib/mollysocket"
+        "/var/lib/private"
+        "/var/lib/mysql"
+        "/var/lib/nextcloud"
+        "/var/lib/onlyoffice"
+        "/var/lib/postfix"
+        "/var/lib/postgresql"
+        "/var/lib/prometheus2"
+        "/var/lib/rabbitmq"
+        "/var/lib/redis-nextcloud"
+        "/var/lib/redis-rspamd"
+        "/var/lib/secrets"
+        "/var/lib/writefreely"
+        "/var/db"
+        "/var/dkim"
+        "/var/secrets"
+        "/var/sieve"
+        "/var/vmail"
+        "/var/mysql"
+        {
+          directory = "/var/lib/nixos";
+          inInitrd = true;
+        }
+      ];
+
+      # preserve system files
+      files = [
+        {
+          file = "/etc/machine-id";
+          inInitrd = true;
+        }
+        {
+          file = "/etc/ssh/ssh_host_rsa_key";
+          how = "symlink";
+          configureParent = true;
+        }
+        {
+          file = "/etc/ssh/ssh_host_ed25519_key";
+          how = "symlink";
+          configureParent = true;
+        }
+        "/var/lib/usbguard/rules.conf"
+
+        # creates a symlink on the volatile root
+        # creates an empty directory on the persistent volume, i.e. /persistent/var/lib/systemd
+        # does not create an empty file at the symlink's target (would require `createLinkTarget = true`)
+        {
+          file = "/var/lib/systemd/random-seed";
+          how = "symlink";
+          inInitrd = true;
+          configureParent = true;
+        }
+        "/var/lib/systemd/tpm2-srk-public-key.pem"
+        "/var/lib/systemd/tpm2-srk-public-key.tpm2b_public"
+      ];
+
+      # preserve user-specific files, implies ownership
+      users = {
+        lillian = {
+          commonMountOptions = [
+            "x-gvfs-hide"
+          ];
+          directories = [
+            {
+              directory = ".ssh";
+              mode = "0700";
+            }
+            #Desktop
+            "gnupg"
+            ".local/state/wireplumber"
+            ".local/share/direnv"
+            ".local/state/nix"
+            ".local/state/comma"
+            ".local/state/home-manager"
+            ".local/share/PrismLauncher"
+            ".local/share/qBittorrent"
+            ".local/share/kwalletd"
+            ".local/share/kwin" #TODO: add the window script via nix instead of saving it imperatively and keeping it
+            ".local/share/lutris"
+            ".local/share/Nextcloud"
+            ".local/share/Steam"
+            ".local/share/zoxide"
+            ".local/share/flatpak"
+            ".local/share/applications"
+            ".local/share/firefoxpwa/"
+            ".local/share/com.nonpolynomial.intiface_central"
+            ".mozilla"
+            ".steam"
+            ".zsh"
+            ".pki"
+            ".tldrc"
+            ".thunderbird"
+            "Code"
+            "Writing"
+            ".config/kdeconnect"
+            ".config/Nextcloud"
+            ".config/noisetorch"
+            ".config/qBittorrent"
+            ".config/r2modman"
+            ".config/r2modmanPlus-local"
+            ".config/Ryujinx"
+            ".config/Signal"
+            ".config/sops"
+            ".config/vesktop"
+          ];
+          #Shared
+          files = [
+            ".z"
+            ".zsh_history"
+          ];
+        };
+        root = {
+          # specify user home when it is not `/home/${user}`
+          home = "/root";
+          directories = [
+            {
+              directory = ".ssh";
+              mode = "0700";
+            }
+          ];
+        };
+      };
+    };
+  };
+
+  # Create some directories with custom permissions.
+  #
+  # In this configuration the path `/home/butz/.local` is not an immediate parent
+  # of any persisted file, so it would be created with the systemd-tmpfiles default
+  # ownership `root:root` and mode `0755`. This would mean that the user `butz`
+  # could not create other files or directories inside `/home/butz/.local`.
+  #
+  # Therefore systemd-tmpfiles is used to prepare such directories with
+  # appropriate permissions.
+  #
+  # Note that immediate parent directories of persisted files can also be
+  # configured with ownership and permissions from the `parent` settings if
+  # `configureParent = true` is set for the file.
+  systemd.tmpfiles.settings.preservation = {
+    "/home/lillian/.config".d = {
+      user = "lillian";
+      group = "users";
+      mode = "0755";
+    };
+    "/home/lillian/.local".d = {
+      user = "lillian";
+      group = "users";
+      mode = "0755";
+    };
+    "/home/lillian/.local/share".d = {
+      user = "lillian";
+      group = "users";
+      mode = "0755";
+    };
+    "/home/lillian/.local/state".d = {
+      user = "lillian";
+      group = "users";
+      mode = "0755";
+    };
+  };
+}