authorAlejandro Soto <alejandro@34project.org>2026-04-02 23:32:28 -0600
committerAlejandro Soto <alejandro@34project.org>2026-04-02 23:33:02 -0600
commitee0b5f7edfe9fba65f9749f65377c4f519c7fc0a (patch)
tree5531ffd8445c642e41f49bbc6333adbf252c1baf /sys/boot
parent399da96059c2b7a8a3ca66896d069d1234f80294 (diff)
sys: prepare impermanence declarations in advance of [lustrated]'s transition
Diffstat (limited to '')
-rw-r--r--sys/boot/firmware.nix9
-rw-r--r--sys/boot/impermanence.nix2
-rw-r--r--sys/boot/stack/luks-ext4-fscrypt-impermanence.nix8
3 files changed, 15 insertions, 4 deletions
diff --git a/sys/boot/firmware.nix b/sys/boot/firmware.nix
index b3598a7..0e024f1 100644
--- a/sys/boot/firmware.nix
+++ b/sys/boot/firmware.nix
@@ -28,6 +28,15 @@ in {
enableRedistributableFirmware = true;
};
+ local.boot.impermanence.directories = [
+ {
+ directory = "/var/lib/fwupd";
+ user = "fwupd-refresh";
+ group = "fwupd-refresh";
+ mode = "u=rwx,g=rx,o=rx";
+ }
+ ];
+
services.fwupd.enable = true;
};
}
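Review bot: The persisted `/var/lib/fwupd` is handed to `fwupd-refresh`, which is the unprivileged account used only by the periodic `fwupdmgr refresh` job, while the process that actually writes this state directory is the daemon (`fwupd.service`, `StateDirectory=fwupd` in the upstream unit) running as root; giving the refresh account ownership means the network-facing refresh job, if compromised, can rewrite the daemon's pending-update database and cached metadata/firmware that root later trusts. I would persist it as `user = "root"; group = "root";` with the existing `mode = "u=rwx,g=rx,o=rx";`, or simply use a plain `"/var/lib/fwupd"` entry and let the daemon's own StateDirectory handling manage it. If `fwupd-refresh` is a `DynamicUser=` account on this system (as in upstream's `fwupd-refresh.service`), the name may also not resolve when impermanence applies ownership during early boot, so this is worth checking against the module's actual unit definitions. The enclosing module attrset starts before the hunk.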
diff --git a/sys/boot/impermanence.nix b/sys/boot/impermanence.nix
index 632094b..09aee09 100644
--- a/sys/boot/impermanence.nix
+++ b/sys/boot/impermanence.nix
@@ -27,7 +27,9 @@ in {
local.boot.impermanence = {
directories = [
"/etc/lvm"
+ "/var/lib/lastlog"
"/var/lib/nixos"
+ "/var/lib/systemd"
"/var/log"
];
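Review bot: Persisting all of `/var/lib/systemd` also pins `coredump/` to the persistent volume, so process memory dumps — which can hold plaintext secrets such as passphrases held by the crashed process — now survive reboots instead of disappearing with the ephemeral root; the encrypted persist volume protects them at rest, but if that retention is not intended, `systemd.coredump.extraConfig = "Storage=none";` or an explicit tmpfiles age for that directory would close it. The bare path also deserves a comment naming the state it is there for, e.g. `# /var/lib/systemd: random-seed, Persistent= timer stamps and linger state must outlive the tmpfs root`, because a future reader cannot otherwise judge whether a narrower set of subdirectories would do. The `local.boot.impermanence` attrset continues past the end of the hunk.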
diff --git a/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix b/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix
index 7905da3..4a3e51e 100644
--- a/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix
+++ b/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix
@@ -26,11 +26,11 @@ in {
# - /toplevel/persist
# - /toplevel/boot-archive.pub
# - /toplevel/boot-keys
- # - /toplevel/boot-keys/2000-01-01T00:00:00-06:00.key.crypt (encrypted for /toplevel/boot-archive.pub)
+ # - /toplevel/boot-keys/2000-01-01T00:00:00-06:00.key.age (encrypted for /toplevel/boot-archive.pub)
# - /toplevel/boot-keys/...
- # - /toplevel/boot-keys/last.key.crypt -> 2000-01-01T00:00:00-06:00.key.crypt
+ # - /toplevel/boot-keys/last.key.age -> 2000-01-01T00:00:00-06:00.key.age
# - /toplevel/boots
- # - /toplevel/boots/2000-01-01T00:00:00-06:00 (raw protector in last.key.crypt)
+ # - /toplevel/boots/2000-01-01T00:00:00-06:00 (raw protector in last.key.age)
# - /toplevel/boots/...
# - /toplevel/boots/last -> 2000-01-01T00:00:00-06:00 (mounted as /)
config = mkIf cfg.enable {
@@ -59,7 +59,7 @@ in {
rm -f /boot-key
ln -Tsf "$boot_stamp" /mnt-toplevel/boots/last
- ln -Tsf "$boot_stamp.key.crypt" /mnt-toplevel/boot-keys/last.key.crypt
+ ln -Tsf "$boot_stamp.key.age" /mnt-toplevel/boot-keys/last.key.age
mount --bind "$root_from_toplevel" /mnt-root
mount --make-shared /mnt-root