sydnix/modules/nixos/impermanence.nix
Madeleine Sydney Ślaga 0ea963c879 chore: Fix tree-wide permissions
No idea why everything was executable, lol.
2025-09-08 06:08:20 -06:00


{ config, lib, pkgs, ... }:
let
  inherit (lib) mkEnableOption mkIf mkOption types;
  cfg = config.sydnix.impermanence;

  # Builds an untyped list option (`listOf anything`, empty by default).
  # `extra` is merged into the option attrs, e.g. to add a `description`.
  anyListOption = extra: mkOption ({
    type = types.listOf types.anything;
    default = [ ];
  } // extra);

  # A tmpfiles `z` entry that sets `group` and a setgid, group-writable mode.
  groupDir = group: {
    z = {
      inherit group;
      mode = "2775";
    };
  };
in
{
  imports = [ ./impermanence/rollback.nix ];

  options.sydnix.impermanence = {
    enable = mkEnableOption "Impermanence";
    directories = anyListOption { };
    files = anyListOption { };
    persistDirectory = mkOption {
      type = types.str;
      default = "/persist";
      description = ''
        The directory in which persistent files live.
      '';
    };
    persistGroupName = mkOption {
      type = types.str;
      default = "persist";
      description = ''
        Name of the group whose members have access to the persist directory.
      '';
    };
    cache = {
      directories = anyListOption {
        description = ''
          While functionally identical to `directories` (at the moment),
          `cache.directories` carries additional semantics: these directories
          /can/ be erased, but typically /shouldn't/ be.
        '';
      };
      files = anyListOption {
        description = ''
          While functionally identical to `files` (at the moment),
          `cache.files` carries additional semantics: these files /can/ be
          erased, but typically /shouldn't/ be.
        '';
      };
    };
  };

  config = mkIf cfg.enable {
    # Group whose members are granted access to the persist tree.
    users.groups.${cfg.persistGroupName}.name = cfg.persistGroupName;

    systemd.tmpfiles.settings = {
      "10-varlibprivate"."/var/lib/private".z = {
        user = "root";
        group = "root";
        mode = "2700";
      };

      # Grant members of `cfg.persistGroupName` read/write/execute on the
      # persist root, and members of `users` on the shared subtrees.
      # `z` entries only adjust paths that already exist; they do not create
      # them, so the persist directory is expected to be mounted beforehand.
      # NOTE(review): 2775 is group-writable without the sticky bit, so any
      # member of `users` can rename or unlink another user's entry directly
      # under `home`/`vault`; 3775 would limit that to each entry's owner.
      # Confirm nothing relies on the current mode before changing it.
      "10-persist" = {
        ${cfg.persistDirectory} = groupDir cfg.persistGroupName;
        "${cfg.persistDirectory}/home" = groupDir "users";
        "${cfg.persistDirectory}/vault" = groupDir "users";
        "${cfg.persistDirectory}/vault/root" = groupDir "root";
      };
    };

    # TODO: Move this somewhere else.
    programs.fuse.userAllowOther = true;

    # Both plain and cache lists are persisted identically for now; the
    # distinction is documented on the options, not enforced here.
    environment.persistence."${cfg.persistDirectory}/root" = {
      directories = cfg.directories ++ cfg.cache.directories;
      files = cfg.files ++ cfg.cache.files;
    };
  };
}