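{ ... }:
let
  # Permissions for directories under lillian's home that are only
  # ancestors of persisted paths (never the immediate parent of a persisted
  # file). They are prepared by systemd-tmpfiles so the user can create
  # entries inside them; see the comment on `systemd.tmpfiles` below.
  lillianOwnedDir = {
    user = "lillian";
    group = "users";
    mode = "0755";
  };
in
{
  preservation = {
    # The module does nothing unless it is enabled.
    enable = true;

    preserveAt."/persistent" = {
      # System directories that must survive a volatile root.
      #
      # NOTE(review): several of these hold key material or credentials
      # (sbctl, secrets, dkim, vmail, sops-related state). Entries given as
      # plain strings presumably receive the module's default ownership and
      # mode if the module has to create them on the persistent volume —
      # confirm that matches what each owning service expects, or give them
      # an explicit `mode` as is done for `.ssh` in the user section below.
      directories = [
        # Shared
        "/var/lib/sbctl"
        "/var/lib/bluetooth"
        "/var/lib/fprint"
        "/var/lib/fwupd"
        "/var/lib/libvirt"
        "/var/lib/tpm2-tss"
        "/var/lib/tpm2-udev-trigger"
        "/var/lib/power-profiles-daemon"
        "/var/lib/systemd/coredump"
        "/var/lib/systemd/rfkill"
        "/var/lib/systemd/timers"
        "/var/log"

        # Desktop
        "/var/lib/decky-loader"
        "/var/lib/flatpak"

        # Server
        "/var/lib/continuwuity"
        "/var/lib/dhcpcd"
        "/var/lib/docker"
        "/var/lib/dovecot"
        "/var/lib/forgejo"
        "/var/lib/gotosocial"
        "/var/lib/grafana"
        "/var/lib/jellyfin"
        "/var/lib/media"
        "/var/lib/mollysocket"
        "/var/lib/private"
        "/var/lib/mysql"
        "/var/lib/nextcloud"
        "/var/lib/onlyoffice"
        "/var/lib/postfix"
        "/var/lib/postgresql"
        "/var/lib/prometheus2"
        "/var/lib/rabbitmq"
        "/var/lib/redis-nextcloud"
        "/var/lib/redis-rspamd"
        "/var/lib/secrets"
        "/var/lib/writefreely"
        "/var/db"
        "/var/dkim"
        "/var/secrets"
        "/var/sieve"
        "/var/vmail"
        "/var/mysql"

        # Needed before the root filesystem is set up, hence `inInitrd`.
        {
          directory = "/var/lib/nixos";
          inInitrd = true;
        }
      ];

      # System files that must survive a volatile root.
      files = [
        {
          file = "/etc/machine-id";
          inInitrd = true;
        }

        # SSH host keys: a symlink on the volatile root points at the file on
        # the persistent volume; `configureParent` lets the module manage the
        # link's parent directory. The private keys' permissions are therefore
        # those of the persisted targets.
        {
          file = "/etc/ssh/ssh_host_rsa_key";
          how = "symlink";
          configureParent = true;
        }
        {
          file = "/etc/ssh/ssh_host_ed25519_key";
          how = "symlink";
          configureParent = true;
        }

        "/var/lib/usbguard/rules.conf"

        # creates a symlink on the volatile root
        # creates an empty directory on the persistent volume, i.e. /persistent/var/lib/systemd
        # does not create an empty file at the symlink's target (would require `createLinkTarget = true`)
        {
          file = "/var/lib/systemd/random-seed";
          how = "symlink";
          inInitrd = true;
          configureParent = true;
        }

        "/var/lib/systemd/tpm2-srk-public-key.pem"
        "/var/lib/systemd/tpm2-srk-public-key.tpm2b_public"
      ];

      # User-specific paths; entries here imply ownership by that user.
      users = {
        lillian = {
          commonMountOptions = [ "x-gvfs-hide" ];

          directories = [
            # Private key material: keep it inaccessible to other users.
            {
              directory = ".ssh";
              mode = "0700";
            }

            # Desktop
            ".local/state/wireplumber"
            ".local/share/direnv"
            ".local/state/nix"
            ".local/state/comma"
            ".local/state/home-manager"
            ".local/share/PrismLauncher"
            ".local/share/qBittorrent"
            ".local/share/kwalletd"
            ".local/share/kwin" # TODO: add the window script via nix instead of saving it imperatively and keeping it
            ".local/share/lutris"
            ".local/share/Nextcloud"
            ".local/share/Steam"
            ".local/share/zoxide"
            ".local/share/flatpak"
            ".local/share/applications"
            ".local/share/firefoxpwa/"
            ".local/share/com.nonpolynomial.intiface_central"
            ".mozilla"
            ".steam"
            ".zsh"
            ".pki"
            ".tldrc"
            ".thunderbird"
            "Code"
            "Writing"
            ".config/kdeconnect"
            ".config/Nextcloud"
            ".config/noisetorch"
            ".config/qBittorrent"
            ".config/r2modman"
            ".config/r2modmanPlus-local"
            ".config/Ryujinx"
            ".config/Signal"
            ".config/sops"
            ".config/vesktop"
          ];

          # Shared
          files = [
            ".z"
            ".zsh_history"
          ];
        };

        root = {
          # Specify the user's home when it is not `/home/${user}`.
          home = "/root";
          directories = [
            {
              directory = ".ssh";
              mode = "0700";
            }
          ];
        };
      };
    };
  };

  # Create some directories with custom permissions.
  #
  # In this configuration paths such as `/home/lillian/.local` are not an
  # immediate parent of any persisted file, so they would be created with the
  # systemd-tmpfiles default ownership `root:root` and mode `0755`. This would
  # mean that the user `lillian` could not create other files or directories
  # inside them.
  #
  # Therefore systemd-tmpfiles is used to prepare such directories with
  # appropriate permissions.
  #
  # Note that immediate parent directories of persisted files can also be
  # configured with ownership and permissions from the `parent` settings if
  # `configureParent = true` is set for the file.
  systemd.tmpfiles.settings.preservation = {
    "/home/lillian/.config".d = lillianOwnedDir;
    "/home/lillian/.local".d = lillianOwnedDir;
    "/home/lillian/.local/share".d = lillianOwnedDir;
    "/home/lillian/.local/state".d = lillianOwnedDir;
  };
}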