NixOS-Config/nixos/shared/preservation.nix

{...}: {
  preservation = {
    # the module doesn't do anything unless it is enabled
    enable = true;

    preserveAt."/persistent" = {
      # preserve system directories
      directories = [
        #Shared
        "/var/lib/sbctl"
        "/var/lib/bluetooth"
        "/var/lib/fprint"
        "/var/lib/fwupd"
        "/var/lib/libvirt"
        "/var/lib/tpm2-tss"
        "/var/lib/tpm2-udev-trigger"
        "/var/lib/power-profiles-daemon"
        "/var/lib/systemd/coredump"
        "/var/lib/systemd/rfkill"
        "/var/lib/systemd/timers"
        "/var/log"
        #Desktop
        "/var/lib/decky-loader"
        "/var/lib/flatpak"
        #Server
        "/var/lib/continuwuity"
        "/var/lib/dhcpcd"
        "/var/lib/docker"
        "/var/lib/dovecot"
        "/var/lib/forgejo"
        "/var/lib/gotosocial"
        "/var/lib/grafana"
        "/var/lib/jellyfin"
        "/var/lib/media"
        "/var/lib/mollysocket"
        "/var/lib/private"
        "/var/lib/mysql"
        "/var/lib/nextcloud"
        "/var/lib/onlyoffice"
        "/var/lib/postfix"
        "/var/lib/postgresql"
        "/var/lib/prometheus2"
        "/var/lib/rabbitmq"
        "/var/lib/redis-nextcloud"
        "/var/lib/redis-rspamd"
        "/var/lib/secrets"
        "/var/lib/writefreely"
        "/var/db"
        "/var/dkim"
        "/var/secrets"
        "/var/sieve"
        "/var/vmail"
        "/var/mysql"
        {
          directory = "/var/lib/nixos";
          inInitrd = true;
        }
      ];

      # preserve system files
      files = [
        {
          file = "/etc/machine-id";
          inInitrd = true;
        }
        {
          file = "/etc/ssh/ssh_host_rsa_key";
          how = "symlink";
          configureParent = true;
        }
        {
          file = "/etc/ssh/ssh_host_ed25519_key";
          how = "symlink";
          configureParent = true;
        }
        "/var/lib/usbguard/rules.conf"

        # creates a symlink on the volatile root
        # creates an empty directory on the persistent volume, i.e. /persistent/var/lib/systemd
        # does not create an empty file at the symlink's target (would require `createLinkTarget = true`)
        {
          file = "/var/lib/systemd/random-seed";
          how = "symlink";
          inInitrd = true;
          configureParent = true;
        }
        "/var/lib/systemd/tpm2-srk-public-key.pem"
        "/var/lib/systemd/tpm2-srk-public-key.tpm2b_public"
      ];

      # preserve user-specific files, implies ownership
      users = {
        lillian = {
          commonMountOptions = [
            "x-gvfs-hide"
          ];
          directories = [
            {
              directory = ".ssh";
              mode = "0700";
            }
            #Desktop
            ".local/state/wireplumber"
            ".local/share/direnv"
            ".local/state/nix"
            ".local/state/comma"
            ".local/state/home-manager"
            ".local/share/PrismLauncher"
            ".local/share/qBittorrent"
            ".local/share/kwalletd"
            ".local/share/kwin" #TODO: add the window script via nix instead of saving it imperatively and keeping it
            ".local/share/lutris"
            ".local/share/Nextcloud"
            ".local/share/Steam"
            ".local/share/zoxide"
            ".local/share/flatpak"
            ".local/share/applications"
            ".local/share/firefoxpwa/"
            ".local/share/com.nonpolynomial.intiface_central"
            ".mozilla"
            ".steam"
            ".zsh"
            ".pki"
            ".tldrc"
            ".thunderbird"
            "Code"
            "Writing"
            ".config/kdeconnect"
            ".config/Nextcloud"
            ".config/noisetorch"
            ".config/qBittorrent"
            ".config/r2modman"
            ".config/r2modmanPlus-local"
            ".config/Ryujinx"
            ".config/Signal"
            ".config/sops"
            ".config/vesktop"
          ];
          #Shared
          files = [
            ".z"
            ".zsh_history"
          ];
        };
        root = {
          # specify user home when it is not `/home/${user}`
          home = "/root";
          directories = [
            {
              directory = ".ssh";
              mode = "0700";
            }
          ];
        };
      };
    };
  };

  # Create some directories with custom permissions.
  #
  # In this configuration the path `/home/butz/.local` is not an immediate parent
  # of any persisted file, so it would be created with the systemd-tmpfiles default
  # ownership `root:root` and mode `0755`. This would mean that the user `butz`
  # could not create other files or directories inside `/home/butz/.local`.
  #
  # Therefore systemd-tmpfiles is used to prepare such directories with
  # appropriate permissions.
  #
  # Note that immediate parent directories of persisted files can also be
  # configured with ownership and permissions from the `parent` settings if
  # `configureParent = true` is set for the file.
  systemd.tmpfiles.settings.preservation = {
    "/home/lillian/.config".d = {
      user = "lillian";
      group = "users";
      mode = "0755";
    };
    "/home/lillian/.local".d = {
      user = "lillian";
      group = "users";
      mode = "0755";
    };
    "/home/lillian/.local/share".d = {
      user = "lillian";
      group = "users";
      mode = "0755";
    };
    "/home/lillian/.local/state".d = {
      user = "lillian";
      group = "users";
      mode = "0755";
    };
  };
}