sys: prepare impermanence declarations in advance of [lustrated]'s transition

author: Alejandro Soto <alejandro@34project.org> 2026-04-02 23:32:28 -0600
committer: Alejandro Soto <alejandro@34project.org> 2026-04-02 23:33:02 -0600
commit: ee0b5f7edfe9fba65f9749f65377c4f519c7fc0a (patch)
tree: 5531ffd8445c642e41f49bbc6333adbf252c1baf /sys
parent: 399da96059c2b7a8a3ca66896d069d1234f80294 (diff)
7 files changed, 47 insertions, 5 deletions
diff --git a/sys/boot/firmware.nix b/sys/boot/firmware.nix
index b3598a7..0e024f1 100644
--- a/sys/boot/firmware.nix
+++ b/sys/boot/firmware.nix
@@ -28,6 +28,15 @@ in {
       enableRedistributableFirmware = true;
     };
 
+    local.boot.impermanence.directories = [
+      {
+        directory = "/var/lib/fwupd";
+        user = "fwupd-refresh";
+        group = "fwupd-refresh";
+        mode = "u=rwx,g=rx,o=rx";
+      }
+    ];
+
     services.fwupd.enable = true;
   };
 }
diff --git a/sys/boot/impermanence.nix b/sys/boot/impermanence.nix
index 632094b..09aee09 100644
--- a/sys/boot/impermanence.nix
+++ b/sys/boot/impermanence.nix
@@ -27,7 +27,9 @@ in {
       local.boot.impermanence = {
         directories = [
           "/etc/lvm"
+          "/var/lib/lastlog"
           "/var/lib/nixos"
+          "/var/lib/systemd"
           "/var/log"
         ];
 
diff --git a/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix b/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix
index 7905da3..4a3e51e 100644
--- a/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix
+++ b/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix
@@ -26,11 +26,11 @@ in {
   #       - /toplevel/persist
   #       - /toplevel/boot-archive.pub
   #       - /toplevel/boot-keys
-  #         - /toplevel/boot-keys/2000-01-01T00:00:00-06:00.key.crypt (encrypted for /toplevel/boot-archive.pub)
+  #         - /toplevel/boot-keys/2000-01-01T00:00:00-06:00.key.age (encrypted for /toplevel/boot-archive.pub)
   #         - /toplevel/boot-keys/...
-  #         - /toplevel/boot-keys/last.key.crypt -> 2000-01-01T00:00:00-06:00.key.crypt
+  #         - /toplevel/boot-keys/last.key.age -> 2000-01-01T00:00:00-06:00.key.age
   #       - /toplevel/boots
-  #         - /toplevel/boots/2000-01-01T00:00:00-06:00 (raw protector in last.key.crypt)
+  #         - /toplevel/boots/2000-01-01T00:00:00-06:00 (raw protector in last.key.age)
   #         - /toplevel/boots/...
   #         - /toplevel/boots/last -> 2000-01-01T00:00:00-06:00 (mounted as /)
   config = mkIf cfg.enable {
@@ -59,7 +59,7 @@ in {
       rm -f /boot-key
 
       ln -Tsf "$boot_stamp" /mnt-toplevel/boots/last
-      ln -Tsf "$boot_stamp.key.crypt" /mnt-toplevel/boot-keys/last.key.crypt
+      ln -Tsf "$boot_stamp.key.age" /mnt-toplevel/boot-keys/last.key.age
 
       mount --bind "$root_from_toplevel" /mnt-root
       mount --make-shared /mnt-root
diff --git a/sys/hardware/bluetooth.nix b/sys/hardware/bluetooth.nix
index 63e3f0c..30d286f 100644
--- a/sys/hardware/bluetooth.nix
+++ b/sys/hardware/bluetooth.nix
@@ -15,5 +15,14 @@ in {
       enable = true;
       powerOnBoot = mkDefault false;
     };
+
+    local.boot.impermanence.directories = [
+      {
+        directory = "/var/lib/bluetooth";
+        user = "root";
+        group = "root";
+        mode = "u=rwx,g=,o=";
+      }
+    ];
   };
 }
diff --git a/sys/hardware/laptop.nix b/sys/hardware/laptop.nix
index 3b5b772..3123960 100644
--- a/sys/hardware/laptop.nix
+++ b/sys/hardware/laptop.nix
@@ -11,6 +11,10 @@ in {
   };
 
   config = mkIf cfg.enable {
+    local.boot.impermanence.directories = [
+      "/var/lib/upower"
+    ];
+
     services = {
       tlp.enable = true;
       upower.enable = true;
diff --git a/sys/hardware/thinkpad.nix b/sys/hardware/thinkpad.nix
index ab18694..72296ed 100644
--- a/sys/hardware/thinkpad.nix
+++ b/sys/hardware/thinkpad.nix
@@ -30,7 +30,18 @@ in {
 
     hardware.firmware = [pkgs.sof-firmware];
 
-    local.hardware.laptop.enable = true;
+    local = {
+      boot.impermanence.directories = [
+        {
+          directory = "/var/lib/fprint";
+          user = "root";
+          group = "root";
+          mode = "u=rwx,g=,o=";
+        }
+      ];
+
+      hardware.laptop.enable = true;
+    };
 
     services = {
       fprintd.enable = true;
diff --git a/sys/net/interfaces.nix b/sys/net/interfaces.nix
index 764973c..7d45ced 100644
--- a/sys/net/interfaces.nix
+++ b/sys/net/interfaces.nix
@@ -102,6 +102,13 @@ in {
       wireguard.enable = true;
     };
 
+    local.boot.impermanence.directories = optional config.networking.wireless.iwd.enable {
+      directory = "/var/lib/iwd";
+      user = "root";
+      group = "root";
+      mode = "u=rwx,g=,o=";
+    };
+
     systemd.network.networks = mkIf (cfg.dhcpInterface != null) {
       ${cfg.dhcpInterface} = {
         matchConfig.Name = cfg.dhcpInterface;
author	Alejandro Soto <alejandro@34project.org>	2026-04-02 23:32:28 -0600
committer	Alejandro Soto <alejandro@34project.org>	2026-04-02 23:33:02 -0600
commit	ee0b5f7edfe9fba65f9749f65377c4f519c7fc0a (patch)
tree	5531ffd8445c642e41f49bbc6333adbf252c1baf /sys
parent	399da96059c2b7a8a3ca66896d069d1234f80294 (diff)