nixos-config/nixos/profiles/system/preservation.nix

{ config, lib, ... }:
{
  assertions = [
    {
      assertion = config.fileSystems ? "/persist";
      message = ''
        `config.fileSystems."/persist"` must be set.
      '';
    }
  ];

  preservation = {
    enable = true;
    preserveAt = lib.mkMerge (
      lib.mapAttrsToList (
        name: hmCfg:
        lib.mapAttrs (_: preserve: {
          users.${name} = {
            home = hmCfg.home.homeDirectory;
            inherit (preserve) directories files;
          };
        }) hmCfg.preservation.preserveAt
      ) (lib.filterAttrs (_: hmCfg: hmCfg.preservation.enable) config.home-manager.users)
      ++ lib.singleton {
        "/persist" = {
          directories = [
            {
              directory = "/var/lib/machines";
              mode = "-";
              user = "-";
              group = "-";
            }
            {
              directory = "/var/lib/nixos";
              inInitrd = !(config.systemd.sysusers.enable || config.services.userborn.enable);
              mode = "0755";
              user = "root";
              group = "root";
            }
            {
              directory = "/var/lib/portables";
              mode = "-";
              user = "-";
              group = "-";
            }
            {
              directory = "/var/lib/systemd";
              mode = "-";
              user = "-";
              group = "-";
            }
            {
              directory = "/var/tmp";
              mode = "-";
              user = "-";
              group = "-";
            }
          ];
          files = [
            {
              file = config.sops.age.keyFile;
              inInitrd = true;
              mode = "0600";
              user = "root";
              group = "root";
            }
          ];
        };
      }
    );
  };

  environment.etc."machine-id" = {
    source = "/persist/etc/machine-id";
    mode = "direct-symlink";
  };

  # https://github.com/NixOS/nixpkgs/pull/351151#issuecomment-2549025171
  systemd.services.systemd-machine-id-commit = {
    unitConfig.ConditionPathIsMountPoint = [
      ""
      "/persist/etc/machine-id"
    ];
    serviceConfig.ExecStart = [
      ""
      "systemd-machine-id-setup --commit --root /persist"
    ];
  };

  # https://willibutz.github.io/preservation/examples.html
  systemd.tmpfiles.settings.preservation = lib.mkMerge (
    lib.mapAttrsToList (name: hmCfg: {
      "${hmCfg.home.homeDirectory}/.cache".d = {
        user = name;
        group = config.users.users.${name}.group;
        mode = "0755";
      };
      "${hmCfg.home.homeDirectory}/.config".d = {
        user = name;
        group = config.users.users.${name}.group;
        mode = "0755";
      };
      "${hmCfg.home.homeDirectory}/.local".d = {
        user = name;
        group = config.users.users.${name}.group;
        mode = "0755";
      };
      "${hmCfg.home.homeDirectory}/.local/share".d = {
        user = name;
        group = config.users.users.${name}.group;
        mode = "0755";
      };
      "${hmCfg.home.homeDirectory}/.local/state".d = {
        user = name;
        group = config.users.users.${name}.group;
        mode = "0755";
      };
    }) (lib.filterAttrs (_: hmCfg: hmCfg.preservation.enable) config.home-manager.users)
  );
}
treewide: drop impermanence in favor of preservation 2024-12-26 13:35:29 +08:00			`{ config, lib, ... }:`
			`{`
			`assertions = [`
			`{`
			`assertion = config.fileSystems ? "/persist";`
			`message = ''`
			`config.fileSystems."/persist"` must be set.
			`'';`
			`}`
			`];`

			`preservation = {`
			`enable = true;`
			`preserveAt = lib.mkMerge (`
			`lib.mapAttrsToList (`
			`name: hmCfg:`
			`lib.mapAttrs (_: preserve: {`
			`users.${name} = {`
			`home = hmCfg.home.homeDirectory;`
			`inherit (preserve) directories files;`
			`};`
			`}) hmCfg.preservation.preserveAt`
			`) (lib.filterAttrs (_: hmCfg: hmCfg.preservation.enable) config.home-manager.users)`
			`++ lib.singleton {`
			`"/persist" = {`
			`directories = [`
			`{`
treewide: refine the granularity of preservation 2024-12-27 01:50:09 +08:00			`directory = "/var/lib/machines";`
system/preservation: drop permission config for certain directories 2024-12-30 04:31:37 +08:00			`mode = "-";`
			`user = "-";`
			`group = "-";`
treewide: drop impermanence in favor of preservation 2024-12-26 13:35:29 +08:00			`}`
			`{`
treewide: refine the granularity of preservation 2024-12-27 01:50:09 +08:00			`directory = "/var/lib/nixos";`
system/perlless: init 2025-01-11 19:20:33 +08:00			`inInitrd = !(config.systemd.sysusers.enable \|\| config.services.userborn.enable);`
treewide: avoid unnecessary permission management with preservation 2024-12-27 16:46:04 +08:00			`mode = "0755";`
			`user = "root";`
			`group = "root";`
treewide: drop impermanence in favor of preservation 2024-12-26 13:35:29 +08:00			`}`
			`{`
treewide: refine the granularity of preservation 2024-12-27 01:50:09 +08:00			`directory = "/var/lib/portables";`
system/preservation: drop permission config for certain directories 2024-12-30 04:31:37 +08:00			`mode = "-";`
			`user = "-";`
			`group = "-";`
treewide: avoid unnecessary permission management with preservation 2024-12-27 16:46:04 +08:00			`}`
			`{`
			`directory = "/var/lib/systemd";`
system/preservation: drop permission config for certain directories 2024-12-30 04:31:37 +08:00			`mode = "-";`
			`user = "-";`
			`group = "-";`
treewide: drop impermanence in favor of preservation 2024-12-26 13:35:29 +08:00			`}`
			`{`
			`directory = "/var/tmp";`
system/preservation: drop permission config for certain directories 2024-12-30 04:31:37 +08:00			`mode = "-";`
			`user = "-";`
			`group = "-";`
treewide: drop impermanence in favor of preservation 2024-12-26 13:35:29 +08:00			`}`
			`];`
			`files = [`
treewide: refine the granularity of preservation 2024-12-27 01:50:09 +08:00			`{`
			`file = config.sops.age.keyFile;`
			`inInitrd = true;`
			`mode = "0600";`
treewide: avoid unnecessary permission management with preservation 2024-12-27 16:46:04 +08:00			`user = "root";`
			`group = "root";`
treewide: refine the granularity of preservation 2024-12-27 01:50:09 +08:00			`}`
treewide: drop impermanence in favor of preservation 2024-12-26 13:35:29 +08:00			`];`
			`};`
			`}`
			`);`
			`};`

system/preservation: use static symlink for files in `/etc` 2025-01-13 13:17:05 +08:00			`environment.etc."machine-id" = {`
			`source = "/persist/etc/machine-id";`
			`mode = "direct-symlink";`
			`};`

treewide: drop impermanence in favor of preservation 2024-12-26 13:35:29 +08:00			`# https://github.com/NixOS/nixpkgs/pull/351151#issuecomment-2549025171`
			`systemd.services.systemd-machine-id-commit = {`
			`unitConfig.ConditionPathIsMountPoint = [`
			`""`
			`"/persist/etc/machine-id"`
			`];`
			`serviceConfig.ExecStart = [`
			`""`
			`"systemd-machine-id-setup --commit --root /persist"`
			`];`
			`};`

			`# https://willibutz.github.io/preservation/examples.html`
			`systemd.tmpfiles.settings.preservation = lib.mkMerge (`
			`lib.mapAttrsToList (name: hmCfg: {`
treewide: refine the granularity of preservation 2024-12-27 01:50:09 +08:00			`"${hmCfg.home.homeDirectory}/.cache".d = {`
			`user = name;`
			`group = config.users.users.${name}.group;`
			`mode = "0755";`
			`};`
treewide: drop impermanence in favor of preservation 2024-12-26 13:35:29 +08:00			`"${hmCfg.home.homeDirectory}/.config".d = {`
			`user = name;`
			`group = config.users.users.${name}.group;`
			`mode = "0755";`
			`};`
			`"${hmCfg.home.homeDirectory}/.local".d = {`
			`user = name;`
			`group = config.users.users.${name}.group;`
			`mode = "0755";`
			`};`
			`"${hmCfg.home.homeDirectory}/.local/share".d = {`
			`user = name;`
			`group = config.users.users.${name}.group;`
			`mode = "0755";`
			`};`
			`"${hmCfg.home.homeDirectory}/.local/state".d = {`
			`user = name;`
			`group = config.users.users.${name}.group;`
			`mode = "0755";`
			`};`
			`}) (lib.filterAttrs (_: hmCfg: hmCfg.preservation.enable) config.home-manager.users)`
			`);`
			`}`