authorAzat Bahawi <azat@bahawi.net>2023-01-30 01:48:52 +0300
committerAzat Bahawi <azat@bahawi.net>2023-01-30 01:48:52 +0300
commite8dbb049452e014fe89df34cb8f29e7c21c37666 (patch)
tree8102c252877057fc5c1d5914b36cbb167927e153 /modules/nixos/common
parent5e81e4814d6da25ce8531baf0bc2d23da7fc26b3 (diff)
2023-01-30
Diffstat (limited to 'modules/nixos/common')
-rw-r--r--modules/nixos/common/ark.nix56
-rw-r--r--modules/nixos/common/default.nix1
-rw-r--r--modules/nixos/common/networking.nix8
-rw-r--r--modules/nixos/common/nix.nix4
-rw-r--r--modules/nixos/common/secrets.nix2
-rw-r--r--modules/nixos/common/security.nix12
-rw-r--r--modules/nixos/common/systemd.nix6
-rw-r--r--modules/nixos/common/users.nix3
8 files changed, 83 insertions, 9 deletions
diff --git a/modules/nixos/common/ark.nix b/modules/nixos/common/ark.nix
new file mode 100644
index 0000000..3a12050
--- /dev/null
+++ b/modules/nixos/common/ark.nix
@@ -0,0 +1,56 @@
+{
+ config,
+ inputs,
+ lib,
+ ...
+}:
+with lib; let
+ cfg = config.nixfiles.modules.ark;
+in {
+ imports = [
+ (mkAliasOptionModule ["ark"] ["nixfiles" "modules" "ark"])
+ inputs.impermanence.nixosModules.impermanence
+ ];
+
+ options.nixfiles.modules.ark = let
+ mkListOfAnythingOption = mkOption {
+ type = with types; listOf anything; # Assumed to be matching with the upstream type.
+ default = [];
+ };
+ in {
+ enable = mkEnableOption "persistent storage support via impermanence";
+
+ path = mkOption {
+ type = types.str;
+ default = "/ark";
+ };
+
+ directories = mkListOfAnythingOption;
+ files = mkListOfAnythingOption;
+ # hm = {
+ # directories = mkListOfAnythingOption;
+ # files = mkListOfAnythingOption;
+ # };
+ };
+
+ config = mkIf cfg.enable {
+ environment.persistence.${cfg.path} = {
+ hideMounts = true;
+ enableDebugging = false;
+ inherit (cfg) directories files;
+ };
+
+ # NOTE We can't reliably[1] use this, so for the time being, this will stay
+ # commented out. Probably forever.
+ #
+ # [1]: https://github.com/nix-community/impermanence/issues/18
+ #
+ # hm = {
+ # imports = [inputs.impermanence.nixosModules.home-manager.impermanence];
+ # home.persistence."${cfg.path}/${config.my.home}" = {
+ # allowOther = false;
+ # inherit (cfg.hm) directories files;
+ # };
+ # };
+ };
+}
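Review bot: The `path` option on the new ark.nix is `types.str`, so a relative or empty value is accepted at declaration and only fails later when impermanence consumes `environment.persistence.${cfg.path}`; since the value is used as a mount root, `type = types.path;` would reject anything not starting with `/` at evaluation time. None of the three options carries a `description`, and the `listOf anything` type deliberately forwards unvalidated entries to impermanence, so a `description` on `directories` and `files` saying that entries follow the impermanence `directories`/`files` format would let `nixos-option` users see the contract. A one-line `description = "Root of the persistent storage that survives reboots.";` on `path` would cover the remaining option.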
diff --git a/modules/nixos/common/default.nix b/modules/nixos/common/default.nix
index 8724c8b..54f8f51 100644
--- a/modules/nixos/common/default.nix
+++ b/modules/nixos/common/default.nix
@@ -1,5 +1,6 @@
_: {
imports = [
+ ./ark.nix
./console.nix
./documentation.nix
./home-manager.nix
diff --git a/modules/nixos/common/networking.nix b/modules/nixos/common/networking.nix
index 0c44159..8d94a4e 100644
--- a/modules/nixos/common/networking.nix
+++ b/modules/nixos/common/networking.nix
@@ -12,6 +12,10 @@ in {
mkEnableOption "custom networking settings";
config = mkIf (!cfg.onlyDefault) {
+ ark.directories = with config.networking;
+ optional networkmanager.enable "/etc/NetworkManager/system-connections"
+ ++ optional wireless.iwd.enable "/var/lib/iwd";
+
# TODO Support multiple interfaces and IP addresses.
networking = mkMerge [
{
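Review bot: `/etc/NetworkManager/system-connections` holds connection profiles whose keyfiles can carry Wi-Fi PSKs and VPN secrets in plaintext, so persisting it is the right call but the directory's permissions on the persistent store now matter; if impermanence creates it on first boot rather than NetworkManager, confirm the resulting mode is as restrictive as what NetworkManager itself would create. The attrset form `{ directory = "/etc/NetworkManager/system-connections"; mode = "0700"; }` would pin that instead of relying on the default. A short comment noting that the directory contains credentials and must stay root-only would help the next reader. The enclosing `config = mkIf (...)` block continues outside the hunk.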
@@ -20,8 +24,8 @@ in {
hostName = this.hostname;
hostId = substring 0 8 (builtins.hashString "md5" this.hostname);
- # Remove default hostname mappings. This is required at least by the current
- # implementation of the montoring module.
+ # Remove default hostname mappings. This is required at least by the
+ # current implementation of the monitoring module.
hosts = {
"127.0.0.2" = mkForce [];
"::1" = mkForce [];
diff --git a/modules/nixos/common/nix.nix b/modules/nixos/common/nix.nix
index 71f62fd..48c52b3 100644
--- a/modules/nixos/common/nix.nix
+++ b/modules/nixos/common/nix.nix
@@ -21,10 +21,10 @@ in {
config.allowUnfreePredicate = p: elem (getName p) cfg.allowedUnfreePackages;
overlays = with inputs; [
- agenix.overlay
+ agenix.overlays.default
+ nix-minecraft.overlay
pollymc.overlay
xmonad-ng.overlays.default
- # nix-minecraft-servers.overlays.default
];
};
diff --git a/modules/nixos/common/secrets.nix b/modules/nixos/common/secrets.nix
index 4fcdc61..c229882 100644
--- a/modules/nixos/common/secrets.nix
+++ b/modules/nixos/common/secrets.nix
@@ -8,7 +8,7 @@
}:
with lib; {
imports = [
- inputs.agenix.nixosModule
+ inputs.agenix.nixosModules.default
(mkAliasOptionModule ["secrets"] ["age" "secrets"])
];
diff --git a/modules/nixos/common/security.nix b/modules/nixos/common/security.nix
index 09c5da1..d146cee 100644
--- a/modules/nixos/common/security.nix
+++ b/modules/nixos/common/security.nix
@@ -9,17 +9,21 @@ with lib; {
enable = true;
execWheelOnly = true;
wheelNeedsPassword = false;
- # https://mwl.io/archives/1000
extraConfig = ''
- Defaults env_keep += "SSH_CLIENT SSH_CONNECTION SSH_TTY SSH_AUTH_SOCK"
+ Defaults lecture=never
'';
};
polkit = {
enable = true;
- # https://wiki.archlinux.org/title/Polkit#Bypass_password_prompt
extraConfig = ''
- polkit.addRule(function (action, subject) {
+ /*
+ * Allow members of the wheel group to execute any actions
+ * without password authentication, similar to "sudo NOPASSWD:".
+ *
+ * https://wiki.archlinux.org/title/Polkit#Bypass_password_prompt
+ */
+ polkit.addRule(function(action, subject) {
if (subject.isInGroup('wheel'))
return polkit.Result.YES;
});
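Review bot: The polkit rule at `polkit.addRule` grants `polkit.Result.YES` to any wheel member regardless of whether the subject is a local, active session, so the new comment documents the intent but the rule is broader than the "like sudo NOPASSWD" wording suggests; restricting it to `if (subject.isInGroup('wheel') && subject.local && subject.active)` would keep the no-prompt convenience for the console user while denying remote or background wheel sessions. Dropping the `env_keep += "SSH_CLIENT SSH_CONNECTION SSH_TTY SSH_AUTH_SOCK"` line also stops sudo from forwarding the agent socket into root shells, which is a security-positive change but one a future reader may not expect; a comment such as `# SSH_AUTH_SOCK is intentionally not forwarded to root.` next to `Defaults lecture=never` would record it. The sudo block's `wheelNeedsPassword = false` and the polkit rule together mean wheel is effectively root without authentication, which is worth stating once at the top of the file.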
diff --git a/modules/nixos/common/systemd.nix b/modules/nixos/common/systemd.nix
index 5c7282d..c1b2539 100644
--- a/modules/nixos/common/systemd.nix
+++ b/modules/nixos/common/systemd.nix
@@ -1,4 +1,10 @@
{pkgs, ...}: {
+ ark = {
+ # FIXME Enable on a fresh system!
+ # files = ["/etc/machine-id"];
+ directories = ["/var/lib/systemd/coredump"];
+ };
+
hm.systemd.user.startServices = "sd-switch";
services.journald.extraConfig = ''
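Review bot: Persisting `/var/lib/systemd/coredump` keeps crash dumps — which contain the full memory image of the crashed process, including any credentials or key material it held — across reboots, extending their lifetime beyond what the volatile root would otherwise give; a comment stating why they are kept and that retention relies on systemd's own cleanup would make the trade-off explicit, e.g. `# Keep crash dumps for post-mortem debugging; dumps hold process memory, so retention is left to systemd's periodic cleanup.`. The `FIXME` on `/etc/machine-id` could say what breaks on a fresh system (presumably the file must exist before impermanence can bind it — confirm) so the note is actionable rather than a bare reminder.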
diff --git a/modules/nixos/common/users.nix b/modules/nixos/common/users.nix
index 22e8023..400bf33 100644
--- a/modules/nixos/common/users.nix
+++ b/modules/nixos/common/users.nix
@@ -1,5 +1,8 @@
{lib, ...}:
with lib; {
+ # TODO Enable on a fresh system.
+ # ark.directories = [config.my.home];
+
users = {
mutableUsers = false;