migrate to impermanence?

machines/109-199-104-83/configuration.nix

@@ -4,6 +4,10 @@
   machine,
   ...
 }: {
+  imports = [
+    ./impermanence.nix
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
   # roundcube config
   services.roundcube = {
     enable = true;
@@ -25,7 +29,7 @@
     x509.useACMEHost = config.mailserver.fqdn;
     loginAccounts = {
       "test@${config.networking.domain}" = {
-        hashedPasswordFile = builtins.toString config.age.secrets.mailserver-acc-test-pw.path;
+        hashedPasswordFile = builtins.toString config.age.secrets.secret3.path;
       };
     };
   };
@@ -46,8 +50,12 @@
   # system config
   system.stateVersion = "25.11";
   nix.settings.experimental-features = ["flakes" "nix-command"];
-  imports = [(modulesPath + "/profiles/qemu-guest.nix")];
   fileSystems."/" = {
+    device = "none";
+    fsType = "tmpfs";
+    options = ["defaults" "size=60%" "mode=755"];
+  };
+  fileSystems."/nix" = {
     device = "/dev/sda1";
     fsType = "ext4";
   };

machines/109-199-104-83/impermanence.nix

@@ -0,0 +1,30 @@
+{
+  environment.persistence."/nix/persist" = {
+    enable = true;
+    hideMounts = true;
+    directories = [
+      # logs
+      "/var/log"
+      "/var/lib/systemd/coredump"
+
+      # users
+      "/var/lib/nixos"
+
+      # private ssh keys
+      "/etc/ssh"
+
+      # mailserver
+      "/var/vmail"
+      "/var/dkim"
+      "/var/lib/dovecot"
+      "/var/lib/postfix"
+      "/var/lib/postgresql"
+      "/var/lib/redis-rspamd"
+      "/var/lib/roundcube"
+      "/var/lib/secrets"
+    ];
+    files = [
+      "/etc/machine-id"
+    ];
+  };
+}

machines/lenovo/configuration.nix

@@ -9,6 +9,10 @@
     ./impermanence.nix
     (modulesPath + "/installer/scan/not-detected.nix")
   ];
+  age.secrets = {
+    secret0.file = ../../secrets/secret0.age;
+    secret1.file = ../../secrets/secret1.age;
+  };
   boot.loader = {
     efi.canTouchEfiVariables = true;
     systemd-boot.enable = true;

pub-keys.nix

@@ -1,8 +1,9 @@
 {
   age.secrets = {
-    andromeda-pw.file = ./secrets/andromeda-pw.age;
+    secret0.file = ./secrets/secret0.age;
-    mtgmonkey-pw.file = ./secrets/mtgmonkey-pw.age;
+    secret1.file = ./secrets/secret1.age;
-    mailserver-acc-test-pw.file = ./secrets/mailserver-acc-test-pw.age;
+    secret2.file = ./secrets/secret2.age;
+    secret3.file = ./secrets/secret3.age;
   };
   pub-keys = {
     ssh = {

secrets/secrets.nix

@@ -4,7 +4,8 @@ let
   lenovo = pub-keys.ssh.lenovo;
   _109-199-104-83 = pub-keys.ssh._109-199-104-83;
 in {
-  "andromeda-pw.age".publicKeys = [andromeda lenovo];
+  "secret0.age".publicKeys = [andromeda lenovo];
-  "mtgmonkey-pw.age".publicKeys = [andromeda lenovo];
+  "secret1.age".publicKeys = [andromeda lenovo];
-  "mailserver-acc-test-pw.age".publicKeys = [andromeda lenovo _109-199-104-83];
+  "secret2.age".publicKeys = [andromeda lenovo _109-199-104-83];
+  "secret3.age".publicKeys = [andromeda lenovo _109-199-104-83];
 }

users.nix

@@ -13,7 +13,7 @@ in {
       "andromeda" = {
         isNormalUser = true;
         description = "andromeda";
-        hashedPasswordFile = builtins.toString config.age.secrets.andromeda-pw.path;
+        hashedPasswordFile = builtins.toString config.age.secrets.secret0.path;
         extraGroups = [
           "networkmanager"
           "wheel"
@@ -22,7 +22,7 @@ in {
       "mtgmonkey" = {
         isNormalUser = true;
         description = "mtgmonkey";
-        hashedPasswordFile = builtins.toString config.age.secrets.mtgmonkey-pw.path;
+        hashedPasswordFile = builtins.toString config.age.secrets.secret1.path;
         extraGroups = [
           (lib.mkIf
             (machine == machines.lenovo)