feat(impermanence): wipe root on reboot

99linesofcode · 99linesofcode · commit 64e670c985bc · 2025-11-06T02:03:47.000+01:00
In addition, all the files that should be saved across reboots (i.e.
known networks, SSH keys, printers, bluetooth devices) are being written
to /persist and managed through the nix-community impermanence module
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -19,10 +19,7 @@
   # NOTE: nix version is manually kept in sync with home-manager
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-    home-manager = {
-      url = "github:nix-community/home-manager";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
+    impermanence.url = "github:nix-community/impermanence";
     sops-nix = {
       url = "github:Mic92/sops-nix";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -31,14 +28,19 @@
       url = "github:nix-community/disko";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    home-manager = {
+      url = "github:nix-community/home-manager";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
   outputs =
     {
       nixpkgs,
       self,
-      disko,
       sops-nix,
+      disko,
+      impermanence,
       ...
     }@inputs:
     let
@@ -65,6 +67,7 @@
         nixpkgs.lib.nixosSystem {
           modules = [
             disko.nixosModules.disko
+            impermanence.nixosModules.impermanence
             (import ./modules)
             (import ./users)
           ]
diff --git a/hosts/luna/default.nix b/hosts/luna/default.nix
@@ -39,6 +39,7 @@ in
     efi.enable = true;
     encryption.enable = true;
     btrfs.enable = true;
+    impermanence.enable = true;
     swap.enable = true;
 
     network = {
diff --git a/modules/bluetooth.nix b/modules/bluetooth.nix
@@ -32,5 +32,9 @@ with lib;
         deps = [ ];
       };
     };
+
+    host.impermanence.directories = mkIf config.host.impermanence.enable [
+      "/var/lib/bluetooth"
+    ];
   };
 }
diff --git a/modules/impermanence.nix b/modules/impermanence.nix
@@ -0,0 +1,55 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.host.impermanence;
+in
+with lib;
+{
+  options.host.impermanence = {
+    enable = mkEnableOption "impermanence";
+    directories = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      description = "folders that should be stored in /persist";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.persistence."/persist" = {
+      directories = [
+        "/root"
+        "/var/lib/nixos"
+      ]
+      ++ config.host.impermanence.directories;
+      hideMounts = true;
+    };
+
+    boot.initrd.systemd = {
+      services.rollback = {
+        description = "Rollback BTRFS root subvolume to a pristine state";
+        wantedBy = [ "initrd.target" ];
+        after = [ "systemd-cryptsetup@pool0_0.service" ];
+        before = [ "sysroot.mount" ];
+        unitConfig.DefaultDependencies = "no";
+        serviceConfig.Type = "oneshot";
+        script = # sh
+          ''
+            mkdir -p /mnt
+            mount -o subvol=/ /dev/mapper/pool0_0 /mnt
+
+            btrfs subvolume list -o /mnt/root | cut -f9 -d ' ' | while read subvolume; do
+              echo "deleting /$subvolume subvolume..."
+              btrfs subvolume delete "/mnt/$subvolume"
+            done
+
+            echo "deleting /root subvolume..."
+            btrfs subvolume delete /mnt/root
+
+            echo "restoring blank /root subvolume..."
+            btrfs subvolume snapshot /mnt/root-blank /mnt/root
+
+            umount /mnt
+          '';
+      };
+    };
+  };
+}
diff --git a/modules/network/manager.nix b/modules/network/manager.nix
@@ -33,5 +33,9 @@ with lib;
         iwd.enable = true;
       };
     };
+
+    host.impermanence.directories = mkIf config.host.impermanence.enable [
+      "/var/lib/iwd"
+    ];
   };
 }
diff --git a/modules/openssh.nix b/modules/openssh.nix
@@ -19,17 +19,21 @@ with lib;
   config = mkIf cfg.enable {
     services.openssh = {
       enable = true;
-      hostKeys = [
-        # TODO: impermanence baby
-        # {
-        #   path = "/persist/etc/ssh/ssh_host_ed25519_key";
-        #   type = "ed25519";
-        # }
-        {
-          path = "/etc/ssh/ssh_host_ed25519_key";
-          type = "ed25519";
-        }
-      ];
+      hostKeys =
+        if config.host.impermanence.enable then
+          [
+            {
+              path = "/persist/etc/ssh/ssh_host_ed25519_key";
+              type = "ed25519";
+            }
+          ]
+        else
+          [
+            {
+              path = "/etc/ssh/ssh_host_ed25519_key";
+              type = "ed25519";
+            }
+          ];
       settings = {
         AllowUsers = users;
         KbdInteractiveAuthentication = mkDefault false;
diff --git a/modules/printing.nix b/modules/printing.nix
@@ -23,5 +23,9 @@ with lib;
         brlaser
       ];
     };
+
+    host.impermanence.directories = mkIf config.host.impermanence.enable [
+      "/var/lib/cups"
+    ];
   };
 }
diff --git a/modules/sops.nix b/modules/sops.nix
@@ -29,7 +29,11 @@ with lib;
     sops = {
       defaultSopsFile = ../.sops.yaml;
       age = {
-        sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+        sshKeyPaths =
+          if config.host.impermanence.enable then
+            [ "/persist/etc/ssh/ssh_host_ed25519_key" ]
+          else
+            [ "/etc/ssh/ssh_host_ed25519_key" ];
       };
     };
   };
