From acb4dd1dfc20df79777edcd4c3eeefe2e1d78c8a Mon Sep 17 00:00:00 2001
From: sefidel
Date: Wed, 15 Feb 2023 00:39:38 +0900
Subject: feat(nixos/kompakt): activate volatile root
---
 nixos/kompakt/configuration.nix | 32 ++++++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 8 deletions(-)
(limited to 'nixos/kompakt/configuration.nix')
diff --git a/nixos/kompakt/configuration.nix b/nixos/kompakt/configuration.nix
index 581af1f..7202a03 100644
--- a/nixos/kompakt/configuration.nix
+++ b/nixos/kompakt/configuration.nix
@@ -26,6 +26,9 @@
 networking.hostName = "kompakt"; # Define your hostname.
 networking.hostId = "9c8c0140";
+ boot.initrd.postDeviceCommands = lib.mkAfter ''
+ zfs rollback -r rpool/local/root@blank
+ '';
 # Pick only one of the below networking options.
 networking.wireless.iwd.enable = true;
@@ -69,14 +72,22 @@
 # Enable touchpad support (enabled default in most desktopManager).
 # services.xserver.libinput.enable = true;
+ sops.defaultSopsFile = ./secrets/secrets.yaml;
+ sops.secrets.root-password.neededForUsers = true;
+ sops.secrets.sefidel-password.neededForUsers = true;
+
+ users.mutableUsers = false;
+
 # Define a user account. Don't forget to set a password with ‘passwd’.
- users.users.sefidel = {
- isNormalUser = true;
- shell = pkgs.zsh;
- extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
- initialPassword = "cube";
- packages = with pkgs; [
- ];
+ users.users = {
+ root.passwordFile = config.sops.secrets.root-password.path;
+ sefidel = {
+ isNormalUser = true;
+ shell = pkgs.zsh;
+ passwordFile = config.sops.secrets.sefidel-password.path;
+
+ extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+ };
 };
 # List packages installed in system profile. To search, run:
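Review bot: `zfs rollback -r rpool/local/root@blank` in `boot.initrd.postDeviceCommands` runs on every boot with no guard, and the `-r` flag also destroys any snapshot of `rpool/local/root` taken after `@blank`, so nothing written to the root dataset outside the persisted paths survives a reboot. Nothing in the hunk records that intent, so add a comment above the option: `# Volatile root: reset rpool/local/root to its empty @blank snapshot on every boot; only paths listed under environment.persistence survive.` The `lib.mkAfter` presumably orders the rollback after the pool import the initrd performs earlier; worth confirming against the NixOS release in use. The enclosing module attribute set starts and ends outside the hunk.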
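Review bot: With `users.mutableUsers = false;` and both accounts taking `passwordFile` from sops, a failed early decryption leaves the machine with no usable password at all, and the hunk does not say where the decryption key lives; presumably sops-nix reads the host SSH key under `/etc/ssh`, which the third hunk persists, so that dependency deserves a comment on the `sops.secrets` lines: `# neededForUsers: decrypted before users are created; relies on the persisted host key in /etc/ssh`. The secrets referenced by `passwordFile` must hold the hashed password (mkpasswd-style output), not plaintext, which the replaced `initialPassword = "cube"` did not make obvious; a one-line note such as `# secret contents: password hash, not plaintext` avoids that mistake. Dropping the hard-coded `initialPassword` is the right move. The enclosing attribute set starts and ends outside the hunk.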
@@ -97,7 +108,12 @@
 # List services that you want to enable:
 # Enable the OpenSSH daemon.
- # services.openssh.enable = true;
+ services.openssh.enable = true;
+
+ environment.persistence."/persist".directories = [
+ "/etc/ssh"
+ "/etc/nixos"
+ ];
 # Open ports in the firewall.
 # networking.firewall.allowedTCPPorts = [ ... ];
-- 
cgit 1.4.1
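Review bot: `services.openssh.enable = true;` turns on remote login on a host that now has a root password hash configured, and nothing in the hunk disables password authentication; the NixOS default at the time presumably leaves it on, so consider `services.openssh.passwordAuthentication = false;` (the `settings.PasswordAuthentication` form on newer releases) and rely on key-based access. Persisting `/etc/ssh` keeps the host key stable across the rollback from the first hunk, which key-based clients and the sops decryption both depend on; a comment on that entry should spell out both roles: `# host keys: stable SSH identity and the sops decryption key`. The persistence list has no entry for `/var/lib/nixos`, where NixOS presumably records uid/gid allocations, nor for `/var/log`, so those reset on every boot; confirm that is intended. Whether the impermanence module that provides `environment.persistence` is imported is not visible in this diff.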