| author | Alejandro Soto <alejandro@34project.org> | 2026-04-02 19:07:17 -0600 |
|---|---|---|
| committer | Alejandro Soto <alejandro@34project.org> | 2026-04-02 23:33:02 -0600 |
| commit | 94ffaabeb9602e689e55fdd21b9beb2d9c552901 (patch) | |
| tree | 72c4d82ed2afc2386e7462c727d213f11d249cd3 /sys/boot/stack | |
| parent | ee0b5f7edfe9fba65f9749f65377c4f519c7fc0a (diff) | |
sys/platform: [lustrated]: switch to luks-ext4-fscrypt-impermanence boot stack
Diffstat (limited to 'sys/boot/stack')
| -rw-r--r-- | sys/boot/stack/luks-ext4-fscrypt-impermanence.nix | 47 |
1 files changed, 29 insertions, 18 deletions
diff --git a/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix b/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix
index 4a3e51e..a057aa0 100644
--- a/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix
+++ b/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix
@@ -13,6 +13,11 @@ in {
 target = mkOption {
 type = types.str;
 };
+
+ persistInToplevel = mkOption {
+ type = types.bool;
+ default = true;
+ };
 };
 
 # - boot device
@@ -22,8 +27,9 @@ in {
 # - toplevel device
 # - headerless luks
 # - /toplevel (ext4)
- # - /toplevel/nix
- # - /toplevel/persist
+ # - /toplevel/nix (if !cfg.persistInToplevel)
+ # - /toplevel/persist (if cfg.persistInToplevel)
+ # - /toplevel/persist/nix
 # - /toplevel/boot-archive.pub
 # - /toplevel/boot-keys
 # - /toplevel/boot-keys/2000-01-01T00:00:00-06:00.key.age (encrypted for /toplevel/boot-archive.pub)
@@ -72,24 +78,29 @@ in {
 umount /mnt-toplevel
 '';
 
- fileSystems = {
- "/" = {
- device = "none";
- fsType = "ext4";
- options = ["remount"];
- };
-
- "/nix" = {
- device = "/persist/nix";
- options = ["bind"];
- };
+ fileSystems =
+ {
+ "/" = {
+ device = "none";
+ fsType = "ext4";
+ options = ["remount"];
+ };
 
- "/persist" = {
- device = "/toplevel/persist";
- options = ["bind"];
- neededForBoot = true;
+ "/nix" = {
+ device =
+ if cfg.persistInToplevel
+ then "/persist/nix"
+ else "/toplevel/nix";
+ options = ["bind"];
+ };
+ }
+ // optionalAttrs cfg.persistInToplevel {
+ "/persist" = {
+ device = "/toplevel/persist";
+ options = ["bind"];
+ neededForBoot = true;
+ };
 };
- };
 
 local.boot = {
 fscrypt.enable = true;
|
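Review bot: The new `persistInToplevel` option in the first hunk is declared without a `description`, so its meaning has to be pieced together from the layout comment and the `fileSystems` change further down. Going by the third hunk, `true` keeps the `/persist` bind from `/toplevel/persist` with `/nix` taken from `/persist/nix`, while `false` binds `/nix` straight from `/toplevel/nix` and defines no `/persist` mount. I would add, next to `default = true;`, something like `description = "Keep /nix under /toplevel/persist and bind-mount /persist; when false, bind /nix from /toplevel/nix and define no /persist mount.";`. The enclosing options block starts above the hunk.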
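Review bot: With `cfg.persistInToplevel = false` the third hunk declares no `/persist` mount at all, and the only explicit `neededForBoot = true` in this attrset disappears with it. The file name suggests an impermanence setup, so if anything outside this hunk still places state under `/persist`, it would presumably land on the root filesystem rather than on the persistent tree; the rest of the module is not visible here, so this needs confirming. At minimum I would document the constraint above the `optionalAttrs` line, e.g. `# persistInToplevel = false: no /persist mount exists, so nothing in this stack may keep state under /persist`, and consider an `assertions` entry if other parts of the module do reference `/persist`. The layout comment in the second hunk also lists `/toplevel/persist/nix` with no condition, although it only exists in the `persistInToplevel` case.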
