authorAlejandro Soto <alejandro@34project.org>2026-04-03 19:31:34 -0600
committerAlejandro Soto <alejandro@34project.org>2026-04-03 19:37:30 -0600
commit11bc7eb4378a8672861a5deec97826ba3294af59 (patch)
treec5a1d71d2ca0fb6490a93252c26bcf0e86216f93
parent0b64cdb680f8f8418f1faf7258e1c5c497069e1a (diff)
sys/boot: impermanence: add support for an independent 'trust' persistent storage
-rw-r--r--sys/baseline/default.nix13
-rw-r--r--sys/boot/impermanence.nix56
-rw-r--r--sys/boot/secure-boot.nix9
-rw-r--r--sys/boot/stack/luks-ext4-fscrypt-impermanence.nix5
4 files changed, 62 insertions, 21 deletions
diff --git a/sys/baseline/default.nix b/sys/baseline/default.nix
index 1a0ed14..f8ae5d9 100644
--- a/sys/baseline/default.nix
+++ b/sys/baseline/default.nix
@@ -44,10 +44,15 @@ with lib; {
lib.local = pkgs.local.lib;
- local.boot.impermanence.directories = [
- "/var/lib/dhparams"
- "/var/trust"
- ];
+ local.boot.impermanence = {
+ directories = [
+ "/var/lib/dhparams"
+ ];
+
+ trust.directories = [
+ "/var/trust"
+ ];
+ };
nix = {
package = pkgs.nix;
diff --git a/sys/boot/impermanence.nix b/sys/boot/impermanence.nix
index 5c7e46b..bdf6a90 100644
--- a/sys/boot/impermanence.nix
+++ b/sys/boot/impermanence.nix
@@ -5,20 +5,34 @@
}:
with lib; let
cfg = config.local.boot.impermanence;
+
+ #TODO: type correcto de files, directories?
+ entryOption = mkOption {
+ type = with lib.types; listOf (either str attrs);
+ default = [];
+ };
+
+ persistPath = "/persist";
+
+ trustPath =
+ if cfg.trust.path != null
+ then cfg.trust.path
+ else persistPath;
in {
options.local.boot.impermanence = {
enable = mkEnableOption "root fs impermanence";
- #TODO: type correcto de files, directories?
+ files = entryOption;
+ directories = entryOption;
- directories = mkOption {
- type = with lib.types; listOf (either str attrs);
- default = [];
- };
+ trust = {
+ path = mkOption {
+ type = with lib.types; nullOr path;
+ default = null;
+ };
- files = mkOption {
- type = with lib.types; listOf (either str attrs);
- default = [];
+ files = entryOption;
+ directories = entryOption;
};
};
@@ -50,17 +64,29 @@ in {
(mkIf cfg.enable {
assertions = [
{
- assertion = (config.fileSystems ? "/persist") && config.fileSystems."/persist".neededForBoot;
- message = "Impermanence requires /persist to be a neededForBoot mountpoint";
+ assertion = (config.fileSystems ? ${persistPath}) && config.fileSystems.${persistPath}.neededForBoot;
+ message = "Impermanence requires ${persistPath} to be a neededForBoot mountpoint";
}
];
- environment.persistence."/persist" = {
- hideMounts = true;
+ environment.persistence = mkMerge [
+ {
+ ${persistPath} = {
+ hideMounts = true;
- files = cfg.files;
- directories = cfg.directories;
- };
+ files = cfg.files;
+ directories = cfg.directories;
+ };
+ }
+ {
+ ${trustPath} = {
+ hideMounts = true;
+
+ files = cfg.trust.files;
+ directories = cfg.trust.directories;
+ };
+ }
+ ];
})
];
}
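Review bot: The assertion at the top of the second hunk only checks `persistPath`, so a non-default `cfg.trust.path` (set to "/toplevel/trust" in the luks-ext4-fscrypt-impermanence.nix hunk) is never verified to be a neededForBoot mountpoint; if that path is not mounted in early boot, the trust entries — including the Secure Boot pkiBundle from secure-boot.nix — would be served from a directory on the impermanent root and silently fail to persist. A parallel assertion guarded by `cfg.trust.path != null` closes that gap. Separately, when `trust.path` is null both `mkMerge` entries define the same `${persistPath}` attribute, including `hideMounts = true` twice; that presumably relies on the module system merging the two submodule definitions, which deserves a one-line comment or a `mkIf (cfg.trust.path != null)` on the second entry. The TODO moved onto `entryOption` would read better in English, e.g. `# TODO: proper option type for files/directories entries?`.
```nix
assertions = [
  {
    assertion = (config.fileSystems ? ${persistPath}) && config.fileSystems.${persistPath}.neededForBoot;
    message = "Impermanence requires ${persistPath} to be a neededForBoot mountpoint";
  }
  {
    assertion = cfg.trust.path == null || ((config.fileSystems ? ${trustPath}) && config.fileSystems.${trustPath}.neededForBoot);
    message = "Impermanence requires the trust path ${trustPath} to be a neededForBoot mountpoint";
  }
];
# … unchanged: environment.persistence mkMerge …
```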
diff --git a/sys/boot/secure-boot.nix b/sys/boot/secure-boot.nix
index b13ab7c..150ff92 100644
--- a/sys/boot/secure-boot.nix
+++ b/sys/boot/secure-boot.nix
@@ -46,6 +46,13 @@ in {
pkgs.sbctl
];
- local.boot.impermanence.directories = [pkiBundle];
+ local.boot.impermanence.trust.directories = [
+ {
+ directory = pkiBundle;
+ user = "root";
+ group = "root";
+ mode = "u=rwx,g=,o=";
+ }
+ ];
};
}
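Review bot: The new pkiBundle entry carries no comment saying why it is root-only and why it moved to the trust store rather than the general persist set, so a reader of secure-boot.nix alone cannot see that distinction. Suggest `# Secure Boot signing keys: root-only, kept in the independent trust store so they persist separately from /persist` directly above the entry. The explicit user/group/mode presumably only take effect when impermanence creates the directory; if the bundle already exists under the previous /persist layout with different ownership it may need a one-time fix-up — worth confirming against the impermanence module's directory-creation behaviour. The enclosing config attrset starts outside the hunk.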
diff --git a/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix b/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix
index a057aa0..5b19242 100644
--- a/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix
+++ b/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix
@@ -104,7 +104,10 @@ in {
local.boot = {
fscrypt.enable = true;
- impermanence.enable = true;
+ impermanence = {
+ enable = true;
+ trust.path = "/toplevel/trust";
+ };
};
};
}