Closed a12l closed 1 year ago
I have noticed this as well, but one case that is extra interesting as well as the root owned one is this line: https://github.com/etu/nixconfig/blob/main/hosts/eliaxe-A100514-NR/persistence.nix#L60
I expected ~/VirtualBox VMs to be created and mounted. It is created in the tmpfs space and mounted correctly, so far so good. But I also got ~/VirtualBox/VMs created, and that entire file tree is owned by root:root.
But that's a separate issue! What I really did was to confirm your issue as well.
Whoops, this was because of a stupid last-minute "optimization" I did. Sorry about that. Should now be fixed in master.
@etu I'm seeing that issue as well. Everything seems to be working correctly, except for the directory creation, so there's probably something strange happening in create-directories.bash. I'll have to investigate it further, though.
Oh yeah, it uses space as a separator, so that's why. I'll fix it.
@talyz I think that this problem disappeared after you pushed your fix [1] when I still had a basic configuration. But now that my configuration [2] is based on digga [3] (a configuration framework building upon flake-utils-plus [4]), the problem still occurs. Note that I'm not at all sure if the problem disappeared with your fix while still using the "basic" configuration, but I think so. Sadly I don't have my old configuration files.
Addendum: I'm using the latest commit of Impermanence, as you can see in my lock file [5].
[1] https://github.com/nix-community/impermanence/commit/65caf299a582ef7cd14b586e8ca0ffe42a363613
[2] https://github.com/a12l/nixosConfig
[3] https://github.com/divnix/digga
[4] https://github.com/gytis-ivaskevicius/flake-utils-plus
[5] https://github.com/a12l/nixosConfig/blob/trunk/flake.lock#L239
Note that it won't change the permission of any files that already exist in persistent storage. Can you provide an example where you add a new directory to the list and it ends up with incorrect permissions? Also look in the activate script for your current generation and search for the createPersistentStorageDirs snippet. Are the correct permissions provided to the create-directories script for each directory?
The problem is that ~/.config, ~/.local and ~/.local/share are owned by root:root, and not a12l:users. The files that I've listed for persistent storage are located inside ~/.config and in ~/.local/share, but I haven't listed ~/.config nor ~/.local/share for persistent storage.
You can see below that the ~/.config, ~/.local and ~/.local/share directories located inside the persistent storage have correct ownership. (I've removed files and directories that aren't handled by Impermanence for clarity.)
$ ls -la /persistent/home/a12l/
total 175
drwxr-xr-x 10 a12l users 13 Feb 6 12:55 .
drwxr-xr-x 3 root root 3 Dec 16 10:49 ..
drwxr-xr-x 12 a12l users 14 Feb 6 12:53 .config
drwxr-xr-x 4 a12l users 4 Jan 25 22:59 .local
drwxr-xr-x 2 a12l users 2 Dec 23 00:35 .minisign
drwxr-xr-x 5 a12l users 5 Jan 16 20:10 .mozilla
drwxr-xr-x 2 a12l users 2 Dec 23 02:17 .scribus
drwxr-xr-x 2 a12l users 6 Feb 5 15:38 .ssh
drwxr-xr-x 3 a12l users 4 Dec 25 00:35 .thunderbird
drwxr-xr-x 3 a12l users 3 Jan 26 14:45 .zotero
$ ls -la /persistent/home/a12l/.config/
total 215
drwxr-xr-x 12 a12l users 14 Feb 6 12:53 .
drwxr-xr-x 10 a12l users 13 Feb 6 12:55 ..
drwxr-xr-x 2 a12l users 3 Dec 23 10:41 autostart
drwxr-xr-x 7 a12l users 14 Jan 10 14:42 calibre
drwxr-xr-x 30 a12l users 36 Feb 3 02:25 chromium
drwxr-xr-x 8 a12l users 14 Feb 6 13:42 emacs
drwxr-xr-x 3 a12l users 3 Jan 18 16:14 fontconfig
drwxr-xr-x 3 a12l users 3 Jan 10 18:38 JetBrains
-rw-r--r-- 1 a12l users 459 Jan 20 15:20 KeePassXCrc
drwxr-xr-x 10 a12l users 13 Feb 1 22:47 'Mullvad VPN'
drwxr-xr-x 3 a12l users 5 Jan 29 22:31 pijul
drwxr-xr-x 3 a12l users 6 Jan 31 12:40 qBittorrent
-rw-r--r-- 1 a12l users 636 Dec 30 17:59 user-dirs.dirs
drwxr-xr-x 8 a12l users 15 Feb 1 15:09 zotero
$ ls -la /persistent/home/a12l/.local/
total 50
drwxr-xr-x 3 a12l users 3 Feb 6 14:00 .
drwxr-xr-x 10 a12l users 13 Feb 6 12:55 ..
drwxr-xr-x 3 a12l users 3 Feb 6 12:55 share
$ ls -la /persistent/home/a12l/.local/share/
total 50
drwxr-xr-x 3 a12l users 3 Feb 6 12:55 .
drwxr-xr-x 3 a12l users 3 Feb 6 14:00 ..
drwxr-xr-x 3 a12l users 9 Jan 18 15:39 fonts
But as you can see below, ~/.config, ~/.local and ~/.local/share have different ownership (root:root) in my $HOME. No problems with the directories and files that I directly list to be handled by Impermanence.
$ ls -la ~/
total 574
drwxr-xr-x 25 a12l users 28 Feb 6 13:44 .
drwxr-xr-x 3 root root 3 Dec 11 14:19 ..
drwxr-xr-x 11 root root 11 Feb 6 13:42 .config
drwxr-xr-x 3 root root 3 Feb 6 13:42 .local
drwxr-xr-x 32 a12l users 422 Feb 4 02:21 Long-Term
drwxr-xr-x 2 a12l users 2 Dec 23 00:35 .minisign
drwxr-xr-x 5 a12l users 5 Jan 16 20:10 .mozilla
drwxr-xr-x 2 a12l users 2 Dec 23 02:17 .scribus
drwxr-xr-x 2 a12l users 6 Feb 5 15:38 .ssh
drwxr-xr-x 18 a12l users 141 Feb 6 13:51 Temporary
drwxr-xr-x 3 a12l users 4 Dec 25 00:35 .thunderbird
drwxr-xr-x 4 a12l users 4 Jan 27 15:57 Zettelkasten
drwxr-xr-x 3 a12l users 3 Jan 26 14:45 .zotero
$ ls -l ~/.config/
total 149
drwxr-xr-x 2 a12l users 3 Dec 23 10:41 autostart
drwxr-xr-x 7 a12l users 14 Jan 10 14:42 calibre
drwxr-xr-x 30 a12l users 36 Feb 3 02:25 chromium
drwxr-xr-x 8 a12l users 14 Feb 6 13:42 emacs
drwxr-xr-x 3 a12l users 3 Jan 18 16:14 fontconfig
drwxr-xr-x 3 a12l users 3 Jan 10 18:38 JetBrains
drwxr-xr-x 3 a12l users 5 Jan 29 22:31 pijul
drwxr-xr-x 3 a12l users 6 Jan 31 12:40 qBittorrent
drwxr-xr-x 8 a12l users 15 Feb 1 15:09 zotero
$ ls -l ~/.local/
total 17
drwxr-xr-x 3 root root 3 Feb 6 13:42 share
$ ls -l ~/.local/share/
total 17
drwxr-xr-x 3 a12l users 9 Jan 18 15:39 fonts
These are the relevant bind mounts:
$ findmnt
[...]
├─/home zroot/USERDATA/home zfs rw,relatime,xattr,posixacl
│ └─/home/a12l zroot/USERDATA/home/A12L/root zfs rw,relatime,xattr,posixacl
│ ├─/home/a12l/.config/JetBrains zroot/HOST/persistent[/home/a12l/.config/JetBrains]
│ │ zfs rw,relatime,xattr,posixacl
│ ├─/home/a12l/.config/autostart zroot/HOST/persistent[/home/a12l/.config/autostart]
│ │ zfs rw,relatime,xattr,posixacl
│ ├─/home/a12l/.config/calibre zroot/HOST/persistent[/home/a12l/.config/calibre]
│ │ zfs rw,relatime,xattr,posixacl
│ ├─/home/a12l/.config/chromium zroot/HOST/persistent[/home/a12l/.config/chromium]
│ │ zfs rw,relatime,xattr,posixacl
│ ├─/home/a12l/.config/fontconfig zroot/HOST/persistent[/home/a12l/.config/fontconfig]
│ │ zfs rw,relatime,xattr,posixacl
│ ├─/home/a12l/.config/emacs zroot/HOST/persistent[/home/a12l/.config/emacs]
│ │ zfs rw,relatime,xattr,posixacl
│ ├─/home/a12l/.config/pijul zroot/HOST/persistent[/home/a12l/.config/pijul]
│ │ zfs rw,relatime,xattr,posixacl
│ ├─/home/a12l/.config/qBittorrent zroot/HOST/persistent[/home/a12l/.config/qBittorrent]
│ │ zfs rw,relatime,xattr,posixacl
│ ├─/home/a12l/.config/zotero zroot/HOST/persistent[/home/a12l/.config/zotero]
│ │ zfs rw,relatime,xattr,posixacl
│ ├─/home/a12l/.local/share/fonts zroot/HOST/persistent[/home/a12l/.local/share/fonts]
│ │ zfs rw,relatime,xattr,posixacl
│ ├─/home/a12l/.mozilla zroot/HOST/persistent[/home/a12l/.mozilla] zfs rw,relatime,xattr,posixacl
│ ├─/home/a12l/.minisign zroot/HOST/persistent[/home/a12l/.minisign] zfs rw,relatime,xattr,posixacl
│ ├─/home/a12l/.scribus zroot/HOST/persistent[/home/a12l/.scribus] zfs rw,relatime,xattr,posixacl
│ ├─/home/a12l/.ssh zroot/HOST/persistent[/home/a12l/.ssh] zfs rw,relatime,xattr,posixacl
│ ├─/home/a12l/.zotero zroot/HOST/persistent[/home/a12l/.zotero] zfs rw,relatime,xattr,posixacl
│ ├─/home/a12l/.thunderbird zroot/HOST/persistent[/home/a12l/.thunderbird] zfs rw,relatime,xattr,posixacl
│ ├─/home/a12l/Temporary zroot/USERDATA/home/A12L/temporary zfs rw,relatime,xattr,posixacl
│ ├─/home/a12l/Long-Term zroot/USERDATA/home/A12L/long-term zfs rw,relatime,xattr,posixacl
│ └─/home/a12l/Zettelkasten zroot/USERDATA/home/A12L/zettelkasten zfs rw,relatime,xattr,posixacl
And when I look at /run/current-system/activate it seems that the correct arguments are sent to the script :-/
#### Activation script snippet createPersistentStorageDirs:
_localstatus=0
/nix/store/hkr3fdalaa1pp2rrswrmpqx3dpm2y9c5-impermanence-create-directories '/persistent' '/home/a12l/.config/autostart' 'a12l' 'users' '0755'
/nix/store/hkr3fdalaa1pp2rrswrmpqx3dpm2y9c5-impermanence-create-directories '/persistent' '/home/a12l/.config/calibre' 'a12l' 'users' '0755'
/nix/store/hkr3fdalaa1pp2rrswrmpqx3dpm2y9c5-impermanence-create-directories '/persistent' '/home/a12l/.config/chromium' 'a12l' 'users' '0755'
/nix/store/hkr3fdalaa1pp2rrswrmpqx3dpm2y9c5-impermanence-create-directories '/persistent' '/home/a12l/.config/emacs' 'a12l' 'users' '0755'
/nix/store/hkr3fdalaa1pp2rrswrmpqx3dpm2y9c5-impermanence-create-directories '/persistent' '/home/a12l/.config/fontconfig' 'a12l' 'users' '0755'
/nix/store/hkr3fdalaa1pp2rrswrmpqx3dpm2y9c5-impermanence-create-directories '/persistent' '/home/a12l/.config/JetBrains' 'a12l' 'users' '0755'
/nix/store/hkr3fdalaa1pp2rrswrmpqx3dpm2y9c5-impermanence-create-directories '/persistent' '/home/a12l/.local/share/fonts' 'a12l' 'users' '0755'
/nix/store/hkr3fdalaa1pp2rrswrmpqx3dpm2y9c5-impermanence-create-directories '/persistent' '/home/a12l/.config/qBittorrent' 'a12l' 'users' '0755'
/nix/store/hkr3fdalaa1pp2rrswrmpqx3dpm2y9c5-impermanence-create-directories '/persistent' '/home/a12l/.scribus' 'a12l' 'users' '0755'
/nix/store/hkr3fdalaa1pp2rrswrmpqx3dpm2y9c5-impermanence-create-directories '/persistent' '/home/a12l/.zotero' 'a12l' 'users' '0755'
/nix/store/hkr3fdalaa1pp2rrswrmpqx3dpm2y9c5-impermanence-create-directories '/persistent' '/home/a12l/.config/zotero' 'a12l' 'users' '0755'
/nix/store/hkr3fdalaa1pp2rrswrmpqx3dpm2y9c5-impermanence-create-directories '/persistent' '/home/a12l/.mozilla' 'a12l' 'users' '0700'
/nix/store/hkr3fdalaa1pp2rrswrmpqx3dpm2y9c5-impermanence-create-directories '/persistent' '/home/a12l/.minisign' 'a12l' 'users' '0700'
/nix/store/hkr3fdalaa1pp2rrswrmpqx3dpm2y9c5-impermanence-create-directories '/persistent' '/home/a12l/.config/pijul' 'a12l' 'users' '0700'
/nix/store/hkr3fdalaa1pp2rrswrmpqx3dpm2y9c5-impermanence-create-directories '/persistent' '/home/a12l/.ssh' 'a12l' 'users' '0700'
/nix/store/hkr3fdalaa1pp2rrswrmpqx3dpm2y9c5-impermanence-create-directories '/persistent' '/home/a12l/.thunderbird' 'a12l' 'users' '0700'
/nix/store/hkr3fdalaa1pp2rrswrmpqx3dpm2y9c5-impermanence-create-directories '/persistent' '/var/log' 'root' 'root' '0755'
/nix/store/hkr3fdalaa1pp2rrswrmpqx3dpm2y9c5-impermanence-create-directories '/persistent' '/var/lib/systemd/coredump' 'root' 'root' '0755'
/nix/store/hkr3fdalaa1pp2rrswrmpqx3dpm2y9c5-impermanence-create-directories '/persistent' '/etc/NetworkManager/system-connections' 'root' 'root' '0755'
/nix/store/hkr3fdalaa1pp2rrswrmpqx3dpm2y9c5-impermanence-create-directories '/persistent' '/etc/ssh' 'root' 'root' '0755'
/nix/store/hkr3fdalaa1pp2rrswrmpqx3dpm2y9c5-impermanence-create-directories '/persistent' '/home/a12l/.config' 'a12l' 'users' '0755'
/nix/store/hkr3fdalaa1pp2rrswrmpqx3dpm2y9c5-impermanence-create-directories '/persistent' '/home/a12l/.config/Mullvad VPN' 'a12l' 'users' '0755'
/nix/store/hkr3fdalaa1pp2rrswrmpqx3dpm2y9c5-impermanence-create-directories '/persistent' '/etc' 'root' 'root' '0755'
/nix/store/hkr3fdalaa1pp2rrswrmpqx3dpm2y9c5-impermanence-create-directories '/persistent' '/etc/mullvad-vpn' 'root' 'root' '0755'
/nix/store/hkr3fdalaa1pp2rrswrmpqx3dpm2y9c5-impermanence-create-directories '/persistent' '/etc/nix' 'root' 'root' 'u=rwx,g=,o='
if (( _localstatus > 0 )); then
printf "Activation script snippet '%s' failed (%s)\n" "createPersistentStorageDirs" "$_localstatus"
fi
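A post-boot ownership audit for the situation described in this comment, added here as an example (it is not impermanence's own code): for every persisted target it walks each ancestor of the live path and compares its owner with the mirror under the persistent root, which is the reference the create-directories script's chown --reference uses. The stat table is a constructed stand-in for the listings above (uid 1000 / gid 100 play the role of a12l:users); on a real system drop the stat_fn argument and os.stat is used.

```python
import os
from pathlib import PurePosixPath
from types import SimpleNamespace


def component_paths(path):
    """'/home/a12l/.config/autostart' -> ['/home', '/home/a12l',
    '/home/a12l/.config', '/home/a12l/.config/autostart']"""
    parts = PurePosixPath(path).parts[1:]  # drop the leading '/'
    return [str(PurePosixPath("/", *parts[: i + 1])) for i in range(len(parts))]


def audit_ownership(persist_root, targets, stat_fn=os.stat):
    """Compare the owner of every target and each of its ancestors with the
    owner of the mirror path under persist_root. Returns a sorted list of
    (live_path, live_owner, persistent_owner) for every mismatch; paths that
    are missing on either side are skipped."""
    checked = {}  # live path -> mismatch tuple or None, so shared ancestors are checked once
    for target in targets:
        for live in component_paths(target):
            if live in checked:
                continue
            mirror = persist_root.rstrip("/") + live
            try:
                live_st, mirror_st = stat_fn(live), stat_fn(mirror)
            except FileNotFoundError:
                continue
            live_owner = (live_st.st_uid, live_st.st_gid)
            mirror_owner = (mirror_st.st_uid, mirror_st.st_gid)
            checked[live] = None if live_owner == mirror_owner else (live, live_owner, mirror_owner)
    return sorted(m for m in checked.values() if m is not None)


# Constructed sample modelled on the ls output in this thread, not real stat data:
# (1000, 100) stands for a12l:users, (0, 0) for root:root.
SAMPLE_OWNERS = {
    "/home": (0, 0),
    "/home/a12l": (1000, 100),
    "/home/a12l/.config": (0, 0),                 # root-owned parent in $HOME
    "/home/a12l/.config/autostart": (1000, 100),
    "/home/a12l/.local": (0, 0),                  # root-owned parent in $HOME
    "/home/a12l/.local/share": (0, 0),            # root-owned parent in $HOME
    "/home/a12l/.local/share/fonts": (1000, 100),
    "/home/a12l/.ssh": (1000, 100),
    "/persistent/home": (0, 0),
    "/persistent/home/a12l": (1000, 100),
    "/persistent/home/a12l/.config": (1000, 100),
    "/persistent/home/a12l/.config/autostart": (1000, 100),
    "/persistent/home/a12l/.local": (1000, 100),
    "/persistent/home/a12l/.local/share": (1000, 100),
    "/persistent/home/a12l/.local/share/fonts": (1000, 100),
    "/persistent/home/a12l/.ssh": (1000, 100),
}
SAMPLE_TARGETS = [
    "/home/a12l/.config/autostart",
    "/home/a12l/.local/share/fonts",
    "/home/a12l/.ssh",
]


def fake_stat(table):
    """Build a stat-like function over a {path: (uid, gid)} table for offline use."""
    def _stat(path):
        if path not in table:
            raise FileNotFoundError(path)
        uid, gid = table[path]
        return SimpleNamespace(st_uid=uid, st_gid=gid)
    return _stat


def sample_mismatches():
    """Run the audit over the constructed sample; expect the three root-owned parents."""
    return audit_ownership("/persistent", SAMPLE_TARGETS, stat_fn=fake_stat(SAMPLE_OWNERS))


if __name__ == "__main__":
    for live, got, want in sample_mismatches():
        print(f"{live}: owned by {got[0]}:{got[1]}, persistent copy is {want[0]}:{want[1]}")
```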
That's really odd. I can't see why this would happen based on the data you've provided. Is this after a reboot, not just a nixos-rebuild switch?
To get more info on what's happening, I'll have to add some debug printouts in create-directories.
Can you try #85, set enableDebugging = true and report back with the trace from a reboot?
I've done some reorganizing of my filesystem setup. Moved from ZFS to tmpfs, etc. And I no longer experience this problem. I could try to reproduce the problem, or we can close this issue and reopen it again if someone else experiences the same problem?
It would be interesting if you could switch back to ZFS to see if that's what causes the issue. It seems to work just fine with Btrfs and tmpfs, at least.
Okay! I believe I can help with this one; I'm on a ZFS root as well, and am being affected by this issue. Anything I can do to help?
Yes! If you can set enableDebugging and report back with a trace from a boot which was affected by this, that would help. This makes it sound more likely to be a ZFS bug, but it would be nice to confirm that the script is doing the right thing.
Where do I set enableDebugging, again?
It's available at the top level of the submodule, so
{
environment.persistence."/persistent" = {
enableDebugging = true;
directories = [
# ...
];
files = [
# ...
];
};
}
Right; but how do I trace the reboot too? 😅
Actually, I used journalctl -b, and got a wall of text; do I give you everything, or just until it sets up /etc?
Actually, here's the entire log: https://github.com/shadowrylander/shadowrylander/blob/main/tmp
Yeah, the journalctl -b output is what I want - thanks! Which directories have incorrect ownership for you?
No problem! And same as OP: my user directory. Can't even install anything! 😹
Well, @a12l's issue was that the ownership of ~/.config and some other directories didn't propagate from persistent storage. If that's what you're seeing, but for the root of your home directory, then it doesn't seem to be our bug: from your log I can see that chown --reference=/persist/home/shadowrylander /home/shadowrylander/ is run many times (should be once for every directory listed under it).
I believe it is; I've got a lot of directories listed there. The issue is that both /home and /home/shadowrylander itself are owned by root, while only the former is meant to be. I don't know how to fix this short of doing it manually with a systemd service.
Who's the owner of /persist/home/shadowrylander?
Another user, curtis; but the owner of /persist/home itself is shadowrylander.
No, wait; switch them around: shadowrylander owns /persist/home/shadowrylander, while curtis owns /persist/home.
In that case, running chown --reference=/persist/home/shadowrylander /home/shadowrylander/ should make /home/shadowrylander owned by shadowrylander, and that command is run many times on boot according to the log you linked. Could you try switching your / to tmpfs and see if that solves this issue for you, too? If it does, I think we can pretty confidently say that ZFS is to blame.
Hmm... I'll have to figure out the partitioning for that... Be back in a bit.
If you're using the "rollback to empty" trick, it should be as easy as commenting out your normal / filesystem definition and adding
{
fileSystems."/" = {
device = "none";
fsType = "tmpfs";
};
}
Got it; should I also link another boot trace?
Update: still happening; /etc/fstab shows root on tmpfs, with everything else the same.
Note, however, that my home directories are ZFS datasets as well; should I change them over to tmpfs as well?
Yes, exactly - all relevant storage should be switched to tmpfs.
Alright, so everything applicable has been changed to tmpfs, which includes my home directories and root, but not my persist directories or anything else not connected to /home. However, still no dice; /home/shadowrylander is still owned by root.
Hm, okay, strange. Can you provide the output to the following commands (and any others you find relevant)?
mount
ls -lah /persist/home
ls -lah /home
journalctl -b
Also, after recording the output, can you try running sudo chown --reference=/persist/home/shadowrylander /home/shadowrylander/ and see if that corrects the ownership?
Will do. Note that curtis owns /persist/home; should anything be done about that, or is it not as important considering impermanence controls the subdirectories in /persist/home?
It shouldn't be important. Normally, it would be owned by root, but it can be owned by any user and that ownership should then automatically be applied to /home. Impermanence doesn't really control the contents of /persist/home, other than creating directories which don't exist yet - it will not change permissions or fix ownership of existing items there.
Ah; got it. Thanks for the clarification! I'll apply the fix and report back.
This one's a doozy: https://github.com/shadowrylander/shadowrylander/blob/main/tmp
Also, the last chown fixed the permissions!
Okay, I think I see what's happening - all the directory creation and permissions/ownership fixes are run before your home directories are mounted, so all the work it's done is essentially overridden. The create-directories script runs as part of the activation script, which runs in the stage-2-init, and unless filesystems are marked as neededForBoot, they're mounted later than that.
The easiest solution, in your case, would be to just skip defining home directory mounts. The home directories will simply be handled as part of the root directory and if all are rolled back the same way, it shouldn't matter. If you have a specific need to handle them separately, mark all of them neededForBoot instead.
Hmm... I may have to mark them as neededForBoot, though, as I snapshot frequently, so that if I make a careless mistake that I can't recover from with git or similar, like something from Downloads, I can always recover them from the snapshot. I'll try it out and report back!
Okay, so slight issue: the directories all have the correct user shadowrylander now, after setting neededForBoot on the appropriate datasets, but the files linked from /persist/home/shadowrylander are all owned by root.
Do you mean that the symlinks in /home/shadowrylander are owned by root? This shouldn't matter much, since the uses for symlink ownership are very limited and symlink permissions aren't used. You should be able to write to, read from and even delete the symlink even if it's owned by root. It would still be nice to correct this, though.
You're right; it doesn't seem to matter. As bind-mounts, the links can be easily modified. Either way, it works! Does neededForBoot therefore solve the original problem, or was my issue different?
I suppose it could! @a12l do you remember if you had datasets mounted at the problematic directories?
I'm running into this problem too (and I happen to be using ZFS with rollback).
Specifically, my problem is that ~/.config is being created with root:root ownership.
When I peek inside ~/ I notice that nothing has been symlinked; the only thing that exists is ~/.config/syncthing, which is created by my syncthing config.
I suspect that this syncthing service is being started before $USER-home-manager.service runs.
Is there any way to control the order of these?
Yes! Figured it out using good ol' systemd overrides:
https://github.com/Ramblurr/nixcfg/commit/8d8d64202492e818978c2b1dac79022f037e57fd
...
# FIX: home-manager impermanence
# when using with home-manager impermanence we need to ensure that home-manager actives before
# syncthing. otherwise the syncthing init will create ~/.config/syncthing, but ~/.config will be created
# with root:root ownership.
systemd.services."syncthing" = {
enable = true;
overrideStrategy = "asDropin";
requires = [ "home-manager-ramblurr.service" ];
after = [ "home-manager-ramblurr.service" ];
};
systemd.services."syncthing-init" = {
enable = true;
overrideStrategy = "asDropin";
requires = [ "home-manager-ramblurr.service" ];
after = [ "home-manager-ramblurr.service" ];
};
# END FIX: home-manager impermanence
services.syncthing = {
enable = true;
...
This is seemingly resolved.
I am not sure if this is the right place. All my files/directories have the right permission set to the user, however my home is still owned by root, which leads to issues with Plasma as it can't create the files it needs. I would like that $HOME to be writable but rolled back on reboot.
In short:
- zfs. Not doing tmpfs because I want to spare my RAM if I can.
- / per boot
- I do not have a separate dataset for /home/bphenriques as I only persist what is relevant within the home. Everything will be gone or will persist under /persist/config/bphenriques or /persist/cache/bphenriques.
{ lib, ... }:
{
disko.devices = {
disk = {
vda = {
type = "disk";
device = "/dev/nvme0n1";
content = {
type = "gpt";
# Both order and keys are important
partitions = {
boot = {
size = "1M";
type = "EF02"; # for grub MBR
};
ESP = {
type = "EF00";
size = "512M";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot"; # TODO: See people setting up options = [ "umask=0077" ]; # Limit access to random seed
};
};
swap = {
size = "6G";
content = {
type = "swap";
resumeDevice = false; # I really don't care about hibernation.
randomEncryption = true;
};
};
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "zroot";
};
};
};
};
};
};
zpool = {
zroot = {
type = "zpool";
# https://www.high-availability.com/docs/ZFS-Tuning-Guide/#general-recommendations
rootFsOptions = {
compression = "lz4";
xattr = "sa";
atime = "off";
};
options = {
ashift = "12";
};
datasets =
let
persistConfigLocation = "/persist/config";
persistCacheLocation = "/persist/cache";
systemDatasets = {
system = {
type = "zfs_fs";
options.mountpoint = "none";
};
"system/root" = {
type = "zfs_fs";
# options.mountpoint = "legacy";
mountpoint = "/";
postCreateHook = ''zfs snapshot zroot/system/root@blank'';
};
"system/nix" = {
type = "zfs_fs";
mountpoint = "/nix";
};
"system/persist" = {
type = "zfs_fs";
mountpoint = "${persistConfigLocation}/system";
};
"system/cache" = {
type = "zfs_fs";
mountpoint = "${persistCacheLocation}/system";
};
};
homeDatasets = {
home = {
type = "zfs_fs";
options.mountpoint = "none";
};
"home/bphenriques" = {
type = "zfs_fs";
options.mountpoint = "none";
};
"home/bphenriques/documents" = {
type = "zfs_fs";
mountpoint = "/home/bphenriques/documents";
};
"home/bphenriques/persist" = {
type = "zfs_fs";
mountpoint = "${persistConfigLocation}/bphenriques";
};
"home/bphenriques/cache" = {
type = "zfs_fs";
mountpoint = "${persistCacheLocation}/bphenriques";
};
};
dataDatasets = {
"data" = {
type = "zfs_fs";
mountpoint = "/mnt/data";
};
};
in systemDatasets // homeDatasets // dataDatasets;
};
};
};
fileSystems = {
"/".neededForBoot = true;
"/nix".neededForBoot = true;
"/boot".neededForBoot = true;
"/persist/config/system".neededForBoot = true;
"/persist/config/bphenriques".neededForBoot = true;
"/persist/cache/system".neededForBoot = true;
"/persist/cache/bphenriques".neededForBoot = true;
};
systemd.tmpfiles.settings = {
# Only accessible by the bphenriques
"grant-bphenriques-permissions" = {
"/home/bphenriques/documents" = {
e = {
user = "bphenriques";
group = "users";
mode = "0700";
};
};
};
# Accessible by everyone
"grant-users-permissions-data" = {
"/mnt/data" = {
e = {
user = "bphenriques";
group = "users";
mode = "775"; # Accessible by everyone.
};
};
};
};
}
And my impermanence:
{ lib, ... }:
{
environment.persistence = {
"/persist/config/system" = {
hideMounts = true;
directories = [
"/var/log"
# Docker
"/var/lib/docker"
# Connectivity
"/var/lib/bluetooth"
"/var/lib/nixos" # https://github.com/nix-community/impermanence/issues/178
"/etc/NetworkManager"
];
files = [
"/etc/machine-id"
];
};
"/persist/cache/system" = {
hideMounts = true;
files = [ ];
directories = [ ];
};
"/persist/config/bphenriques" = {
hideMounts = true;
users.bphenriques = {
directories = [
"Downloads"
"Music"
"Pictures"
"Videos"
".config/systemd" # git maintenance systemd timers
".config/vlc"
".mozilla" # Firefox
".config/sops"
".dotfiles"
# SSH
{ directory = ".ssh"; mode = "0700"; }
# Steam
".local/share/Steam"
".config/lutris"
".local/share/nix" # trusted settings and repl history
];
files = [ ];
};
};
"/persist/cache/bphenriques" = {
hideMounts = true;
users.bphenriques = {
directories = [
".cache/dconf"
".config/dconf"
".cache/nix"
".cache/mozilla" # Firefox
".local/share/lutris"
".config/sunshine"
# Shell
".local/share/fish"
".local/share/zoxide"
".bash_history"
];
files = [ ];
};
};
};
boot.initrd.postDeviceCommands = lib.mkAfter ''zfs rollback -r zroot/system/root@blank'';
}
The above should resemble my setup (middle of debugging). My question is, what should I expect of the /home/bphenriques folder regarding permissions?
Happy to create a separate ticket focused on zfs and this setup without mounting the /home/bphenriques if sensible.
Edit: removed the abstractions to ease discussions. I had abstractions in place to modularize the files and directories but it is not easy because I want to keep the option of specifying { directory = ".ssh"; mode = "0700"; }
Solved my issue by moving my home impermanence to home-manager. $HOME now has the right permissions.
My $HOME is rolled back to a blank ZFS snapshot at every startup. The dotfiles that I want to keep between reboots are listed in Impermanence's directory and file lists, and the other files that I want to keep are located inside ZFS datasets that get mounted in $HOME.
My problem using the new way to list users' directories and files is that the parent directories are created and owned by root. This causes a lot of problems. For example, if I have this in my NixOS configuration then I get this when I log in
Note that ~/.local and ~/.local/share are owned by root:root, while ~/.local/share/fonts and below are owned by a12l:users. I expected that all directories that are automatically created by Impermanence should be owned by the user with the username listed in environment.persistence."/persistent".users.<user>, i.e. a12l in my case.