From 11bc7eb4378a8672861a5deec97826ba3294af59 Mon Sep 17 00:00:00 2001 From: Alejandro Soto Date: Fri, 3 Apr 2026 19:31:34 -0600 Subject: sys/boot: impermanence: add support for an independent 'trust' persistent storage --- sys/boot/impermanence.nix | 56 ++++++++++++++++++++++++++++++++++------------- 1 file changed, 41 insertions(+), 15 deletions(-) (limited to 'sys/boot/impermanence.nix') diff --git a/sys/boot/impermanence.nix b/sys/boot/impermanence.nix index 5c7e46b..bdf6a90 100644 --- a/sys/boot/impermanence.nix +++ b/sys/boot/impermanence.nix @@ -5,20 +5,34 @@ }: with lib; let cfg = config.local.boot.impermanence; + + #TODO: type correcto de files, directories? + entryOption = mkOption { + type = with lib.types; listOf (either str attrs); + default = []; + }; + + persistPath = "/persist"; + + trustPath = + if cfg.trust.path != null + then cfg.trust.path + else persistPath; in { options.local.boot.impermanence = { enable = mkEnableOption "root fs impermanence"; - #TODO: type correcto de files, directories? + files = entryOption; + directories = entryOption; - directories = mkOption { - type = with lib.types; listOf (either str attrs); - default = []; - }; + trust = { + path = mkOption { + type = with lib.types; nullOr path; + default = null; + }; - files = mkOption { - type = with lib.types; listOf (either str attrs); - default = []; + files = entryOption; + directories = entryOption; }; }; 
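Review bot: `trust.path` defaults to `null` and `trustPath` then falls back to `persistPath`, so on a host that never sets it every entry under `trust.files`/`trust.directories` is stored on the general `/persist` volume, with nothing to show that the separation is not in effect. None of the new options carries a `description` saying so; I would add one on `trust.path`, e.g. `description = "Mountpoint of the separate trust store; when null, trust entries are persisted under /persist.";`. Separately, `types.path` also accepts Nix path literals, and `trustPath` is later used as a dynamic attribute name, which presumably expects a string. `types.str` or `toString cfg.trust.path` would avoid that, and it is worth confirming with an eval test. The module's `in { … }` body continues past this hunk.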
@@ -50,17 +64,29 @@ in { (mkIf cfg.enable { assertions = [ { - assertion = (config.fileSystems ? "/persist") && config.fileSystems."/persist".neededForBoot; - message = "Impermanence requires /persist to be a neededForBoot mountpoint"; + assertion = (config.fileSystems ? ${persistPath}) && config.fileSystems.${persistPath}.neededForBoot; + message = "Impermanence requires ${persistPath} to be a neededForBoot mountpoint"; } ]; - environment.persistence."/persist" = { - hideMounts = true; + environment.persistence = mkMerge [ + { + ${persistPath} = { + hideMounts = true; - files = cfg.files; - directories = cfg.directories; - }; + files = cfg.files; + directories = cfg.directories; + }; + } + { + ${trustPath} = { + hideMounts = true; + + files = cfg.trust.files; + directories = cfg.trust.directories; + }; + } + ]; }) ]; } -- cgit v1.2.3
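Review bot: The `assertions` list still covers only `persistPath`, so when `cfg.trust.path` points at a different mountpoint nothing checks that it is declared in `fileSystems` with `neededForBoot`. If that filesystem is missing or mounted late, the trust entries would presumably be bound from a directory on the ephemeral root, and the trust material would be lost on reboot or written to storage it was not meant for. A second entry in `assertions` would close this: `assertion = (config.fileSystems ? ${trustPath}) && config.fileSystems.${trustPath}.neededForBoot;` with `message = "Impermanence requires ${trustPath} to be a neededForBoot mountpoint";`. When `trust.path` is null it simply repeats the existing check, which is harmless. The enclosing config list begins before this hunk.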