diff --git a/modules/model.nix b/modules/model.nix
index 4f6f4781..2bff7dc0 100644
--- a/modules/model.nix
+++ b/modules/model.nix
@@ -21,12 +21,5 @@ inputs:
 { networking.hostName = model.hostname; } (inputs.lib.mkIf (model.cluster != null) { nixos.model.hostname = "${model.cluster.clusterName}-${model.cluster.nodeName}"; })
- # TODO: remove it
- {
- systemd.services = inputs.lib.mkIf (model.cluster.nodeType or null == "worker") (builtins.listToAttrs
- (builtins.map
- (user: { name = "home-manager-${inputs.utils.escapeSystemdPath user}"; value.enable = false; })
- inputs.config.nixos.user.users));
- }
 ];
 }
diff --git a/modules/system/impermanence.nix b/modules/system/impermanence.nix
index 18655a14..a2651623 100644
--- a/modules/system/impermanence.nix
+++ b/modules/system/impermanence.nix
@@ -1,54 +1,87 @@ inputs: { - config = - { - environment.persistence = + config = inputs.lib.mkMerge + [ + # generic settings { - "/nix/persistent" = + environment.persistence = { - hideMounts = true; - directories = - [ - "/var/db" - "/var/lib" - "/var/log" - "/var/spool" - "/var/backup" - { directory = "/var/lib/docker/volumes"; mode = "0710"; } - "/srv" - ]; - files = - [ - "/etc/machine-id" - "/etc/ssh/ssh_host_ed25519_key.pub" - "/etc/ssh/ssh_host_ed25519_key" - "/etc/ssh/ssh_host_rsa_key.pub" - "/etc/ssh/ssh_host_rsa_key" - ]; + "/nix/persistent" = + { + hideMounts = true; + directories = + [ + "/var/db" + "/var/lib" + "/var/log" + "/var/spool" + "/var/backup" + { directory = "/var/lib/docker/volumes"; mode = "0710"; } + "/srv" + ]; + files = + [ + "/etc/machine-id" + "/etc/ssh/ssh_host_ed25519_key.pub" + "/etc/ssh/ssh_host_ed25519_key" + "/etc/ssh/ssh_host_rsa_key.pub" + "/etc/ssh/ssh_host_rsa_key" + ]; + }; + "/nix/rootfs/current" = + { + hideMounts = true; + directories = + [ + "/var/lib/systemd/linger" + "/var/lib/systemd/coredump" + "/var/lib/systemd/backlight" + { directory = "/var/lib/docker"; mode = "0710"; } + "/var/lib/flatpak" + ]; + }; + "/nix/nodatacow" = + { + hideMounts = true; + directories = + [{ directory = "/var/log/journal"; user = "root"; group = "systemd-journal"; mode = "u=rwx,g=rx+s,o=rx"; }] + ++ ( + if inputs.config.nixos.virtualization.kvmHost.enable then + [{ directory = "/var/lib/libvirt/images"; mode = "0711"; }] + else [] + ); + }; }; - "/nix/rootfs/current" = + } + # /home/user and /home/user/.cache + { + environment.persistence = { - hideMounts = true; - directories = - [ - "/var/lib/systemd/linger" - "/var/lib/systemd/coredump" - "/var/lib/systemd/backlight" - { directory = "/var/lib/docker"; mode = "0710"; } - "/var/lib/flatpak" - ]; + "/nix/persistent".directories = + # mount user directory if not a cluster worker + inputs.lib.mkIf (inputs.config.nixos.model.cluster.nodeType or null != "worker") (builtins.map + (user: { 
directory = "/home/${user}"; inherit user; group = user; mode = "0700"; }) + (builtins.filter + (user: !(user == "chn" && inputs.config.nixos.model.type == "desktop")) + inputs.config.nixos.user.users)); + "/nix/rootfs/current".directories = builtins.map + (user: { directory = "/home/${user}/.cache"; inherit user; group = user; mode = "0700"; }) + inputs.config.nixos.user.users; }; - "/nix/nodatacow" = + } + # on cluster worker, dirs like /home/user/.config should always be separately mounted + { + environment.persistence = inputs.lib.mkIf (inputs.config.nixos.model.cluster.nodeType or null == "worker") { - hideMounts = true; - directories = - [{ directory = "/var/log/journal"; user = "root"; group = "systemd-journal"; mode = "u=rwx,g=rx+s,o=rx"; }] - ++ ( - if inputs.config.nixos.virtualization.kvmHost.enable then - [{ directory = "/var/lib/libvirt/images"; mode = "0711"; }] - else [] - ); + "/nix/persistent".directories = builtins.filter + # these dirs have been specified elsewhere + (dir: !(builtins.elem dir.directory [ "/home/chn/.config" "/home/chn/.ssh" ])) + (builtins.concatLists (builtins.map + (user: builtins.map + (dir: { directory = "/home/${user}/${dir}"; inherit user; group = user; mode = "0700"; }) + [ ".config" ".local" ".ssh" ".mozilla" ".zsh" ]) + inputs.config.nixos.user.users)); }; - }; - }; + } + ]; } diff --git a/modules/user/default.nix b/modules/user/default.nix index b0b5fcc1..6e9119f1 100644 --- a/modules/user/default.nix +++ b/modules/user/default.nix 
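Review bot: The worker-branch filter that drops `/home/chn/.config` and `/home/chn/.ssh` relies on a definition that is not part of this commit, while the hunk removed from modules/user/default.nix used to bind-mount `.ssh` for every user on a worker unconditionally; if that other definition does not apply to worker nodes, chn's `.ssh` (including authorized_keys) ends up on the tmpfs root and is gone after a reboot. Name the module in the comment so the two lists stay in sync, e.g. `# /home/chn/.config and /home/chn/.ssh are persisted by <module path> — keep this list in sync`. Separately, the non-worker branch now persists `/home/chn` as a whole on every non-desktop node, whereas the removed code skipped chn on all nodes; if the other module also persists subdirectories of `/home/chn` there, impermanence will set up nested bind mounts for the same path. Please confirm that broadening is intended.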
@@ -91,10 +91,6 @@ inputs: home-manager.users = builtins.listToAttrs (builtins.map (name: { inherit name; value.imports = user.sharedModules; }) user.users); - environment.persistence."/nix/persistent".directories = - inputs.lib.mkIf (inputs.config.nixos.model.cluster.nodeType or null != "worker") (builtins.map - (user: { directory = "/home/${user}"; inherit user; group = user; mode = "0700"; }) - (builtins.filter (user: user != "chn") user.users)); } # set hashedPassword if it exist in secrets ( @@ -149,32 +145,14 @@ inputs: [ ".zshrc" ".zshenv" ".profile" ".bashrc" ".bash_profile" ]) user.users)) ++ (builtins.map - (user: + (user: let inherit (inputs.config.home-manager.users.${user}.home.file.".zlogin") text; in { - what = builtins.toString - (inputs.pkgs.writeText ".zlogin" inputs.config.home-manager.users.${user}.home.file.".zlogin".text); + what = builtins.toString (inputs.pkgs.writeText ".zlogin" (if text == null then "" else text)); where = "/home/${user}/.zlogin"; options = "bind"; wantedBy = [ "multi-user.target" ]; }) user.users); } - # if cluster worker, mount .config .local .cache .ssh - (inputs.lib.mkIf (inputs.config.nixos.model.cluster.nodeType or null == "worker") - { - systemd.mounts = builtins.concatLists (builtins.map - (user: builtins.map - (dir: - { - what = "/nix/persistent/home/${user}/${dir}"; - where = "/home/${user}/${dir}"; - options = "bind"; - wantedBy = [ "multi-user.target" ]; - }) - [ ".config" ".local" ".ssh" ".mozilla" ".zsh" ]) - user.users); - }) - # TODO: 都使用 impermanence 挂载。impermanence 似乎会在 switch root 之后、其它服务启动之前挂载,这是最好的时机。 - # 同时 impermanence 会正确设置权限。 ]; }
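Review bot: The `if text == null then "" else text` fallback in the `.zlogin` mount bind-mounts an empty file over `/home/${user}/.zlogin` whenever `home.file.".zlogin".text` is unset, and in home-manager that is also the state of a `.zlogin` declared through `source` rather than `text`, so such a file would be silently shadowed instead of mounted. If every user's `.zlogin` is guaranteed to come from `text`, state that next to the let-binding, e.g. `# .zlogin is always declared via home.file.".zlogin".text; null means the user has no zlogin`; otherwise using the entry's `source` attribute (which home-manager derives from `text` when that is set) would mount the declared file in both cases. The `systemd.mounts` list this entry belongs to starts before the hunk.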