Diffstat (limited to '')
-rw-r--r--sys/boot/detached-luks.nix15
-rw-r--r--sys/boot/impermanence.nix16
-rw-r--r--sys/boot/stack/luks-ext4-fscrypt-impermanence.nix47
3 files changed, 49 insertions, 29 deletions
diff --git a/sys/boot/detached-luks.nix b/sys/boot/detached-luks.nix
index d3e7c29..79241f6 100644
--- a/sys/boot/detached-luks.nix
+++ b/sys/boot/detached-luks.nix
@@ -58,6 +58,14 @@ in {
sleep 2
'';
+ postMountCommands =
+ ''
+ umount /initrd-boot
+ ''
+ + optionalString tpmInitrd ''
+ rm -r /tpm
+ '';
+
luks.devices.${cfg.target} = {
device = cfg.crypt;
header = headerPath;
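Review bot: Moving `rm -r /tpm` from postOpenCommands into postMountCommands keeps the unsealed TPM key material resident in the initrd ramfs through the whole root-mount phase instead of dropping it as soon as the LUKS device is open; if nothing after the open step reads /tpm, leave the removal in postOpenCommands and move only `umount /initrd-boot`. Since `rm -r` on a ramfs is not a secure wipe either way, the shorter the window the better. A one-line comment stating why the cleanup now has to wait until after mount, e.g. `# cleanup deferred to postMountCommands: <reason>`, would record the intent for the next reader. The enclosing attrset `in {` starts and ends outside this hunk, and the same commands are deleted from postOpenCommands in the following hunk.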
@@ -96,13 +104,6 @@ in {
unseal_tpm_key
'';
-
- postOpenCommands = mkBefore (''
- umount /initrd-boot
- ''
- + optionalString tpmInitrd ''
- rm -r /tpm
- '');
};
};
diff --git a/sys/boot/impermanence.nix b/sys/boot/impermanence.nix
index 09aee09..5c7e46b 100644
--- a/sys/boot/impermanence.nix
+++ b/sys/boot/impermanence.nix
@@ -33,10 +33,18 @@ in {
"/var/log"
];
- files = [
- "/etc/machine-id"
- "/var/lib/logrotate.status"
- ];
+ files =
+ [
+ "/etc/machine-id"
+ "/var/lib/logrotate.status"
+ ]
+ ++ optionals config.users.mutableUsers [
+ "/etc/group"
+ "/etc/passwd"
+ "/etc/shadow"
+ "/etc/subuid"
+ "/etc/subgid"
+ ];
};
}
(mkIf cfg.enable {
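Review bot: Persisting `/etc/shadow`, `/etc/passwd`, `/etc/group`, `/etc/subuid` and `/etc/subgid` via the impermanence `files` list makes the copies under the persist root authoritative, so the persisted `shadow` must keep root-only mode and ownership there; verify the backing store's permissions rather than relying on the bind mount to carry them. With `mutableUsers = true` the NixOS activation script rewrites these files on every switch, and I believe it does so by writing a temporary file and renaming it over the target, which fails on a bind-mounted file — confirm with a rebuild after a reboot, since a failure there would leave the account database stale. A short comment above the list, `# mutable users: the account database is edited at runtime, so it must survive the root wipe`, would explain the conditional. The enclosing attribute set starts before and ends after this hunk.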
diff --git a/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix b/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix
index 4a3e51e..a057aa0 100644
--- a/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix
+++ b/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix
@@ -13,6 +13,11 @@ in {
target = mkOption {
type = types.str;
};
+
+ persistInToplevel = mkOption {
+ type = types.bool;
+ default = true;
+ };
};
# - boot device
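Review bot: `persistInToplevel` is declared without a `description`, so it is missing from generated option docs and the effect of `false` is only recoverable by reading the fileSystems block later in this file; add `description = "Keep /persist on the toplevel device and bind /nix from /persist/nix; when false, /nix is bound directly from /toplevel/nix and no /persist mount is created.";` to the option. The enclosing options set starts before this hunk.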
@@ -22,8 +27,9 @@ in {
# - toplevel device
# - headerless luks
# - /toplevel (ext4)
- # - /toplevel/nix
- # - /toplevel/persist
+ # - /toplevel/nix (if !cfg.persistInToplevel)
+ # - /toplevel/persist (if cfg.persistInToplevel)
+ # - /toplevel/persist/nix
# - /toplevel/boot-archive.pub
# - /toplevel/boot-keys
# - /toplevel/boot-keys/2000-01-01T00:00:00-06:00.key.age (encrypted for /toplevel/boot-archive.pub)
@@ -72,24 +78,29 @@ in {
umount /mnt-toplevel
'';
- fileSystems = {
- "/" = {
- device = "none";
- fsType = "ext4";
- options = ["remount"];
- };
-
- "/nix" = {
- device = "/persist/nix";
- options = ["bind"];
- };
+ fileSystems =
+ {
+ "/" = {
+ device = "none";
+ fsType = "ext4";
+ options = ["remount"];
+ };
- "/persist" = {
- device = "/toplevel/persist";
- options = ["bind"];
- neededForBoot = true;
+ "/nix" = {
+ device =
+ if cfg.persistInToplevel
+ then "/persist/nix"
+ else "/toplevel/nix";
+ options = ["bind"];
+ };
+ }
+ // optionalAttrs cfg.persistInToplevel {
+ "/persist" = {
+ device = "/toplevel/persist";
+ options = ["bind"];
+ neededForBoot = true;
+ };
};
- };
local.boot = {
fscrypt.enable = true;
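Review bot: With `persistInToplevel = false` the `"/nix"` entry now binds from `/toplevel/nix`, but the `neededForBoot = true` that previously sat on `"/persist"` is dropped along with that entry, and nothing in this hunk guarantees `/toplevel` is mounted in the initrd before the `/nix` bind is attempted; unless the `"/toplevel"` fileSystems entry (outside this hunk) sets `neededForBoot` itself, consider adding `neededForBoot = true;` to the `"/nix"` entry or an assertion on the toplevel mount. It is also worth asserting that `persistInToplevel` is not disabled while the impermanence module still expects a `/persist` root, because nothing here mounts one in that case. The enclosing attrset `in {` continues outside this hunk.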