impermanence

impermanence registers persistent storage for when root gets wiped on reboot (e.g. tmpfs on /).

See

configuration

Example configurations

Configuration is relatively simple: change something like

  fileSystems."/" = {
    device = "/dev/VolumeGroup/root";
    fsType = "ext4";
  };

to

  fileSystems."/" = {
    fsType = "tmpfs";
    options = [ "defaults" "size=2G" "mode=755" ];
  };
  fileSystems."/keep" = {
    device = "/dev/VolumeGroup/root";
    fsType = "ext4";
    neededForBoot = true;
  };
  # https://nixos.wiki/wiki/Filesystems
  fileSystems."/nix" = {
    device = "/keep/nix";
    options = [ "bind" ];
  };

Here the name /keep is arbitrary.

important state

  • /etc/machine-id: if not stored, new id (re-)generated on every boot
    • used by systemd/journalctl in /var/log/journal/<machine-id>

persisting passwords

Can use

  • users.users.<name>.password: (plaintext) password
  • users.users.<name>.hashedPassword: hashed password from mkpasswd
  • users.users.<name>.hashedPasswordFile: path to hashed password

hashedPasswordFile is a file whose only line is a hashed password as generated by mkpasswd. Unfortunately hashedPassword and password override hashedPasswordFile, so if the file is deleted, one can get locked out of their account. The configuration will warn on rebuild, however:

warning: password file ‘’ does not exist

Generate the password hash with the yescrypt hash function, now the default on Arch Linux (and for mkpasswd).

# pass the password on stdin so it does not show up in the process list
pass encryption/tuxedo/password | mkpasswd --method=yescrypt --stdin > root.yescrypt

See also reddit, impermanence issue #120.
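
A pre-rebuild check for the lockout case described above, as an added example that is not part of the original notes: it verifies that a hashedPasswordFile exists, sits under the persistent mount, holds a single yescrypt hash, and is readable by its owner only. The function name check_hash_file and the path in the usage comment are assumptions; /keep is the mount name used on this page.

```shell
#!/bin/sh
# Added example: sanity-check a hashedPasswordFile before nixos-rebuild.
# Usage (hypothetical path): check_hash_file /keep/passwords/root.yescrypt /keep

check_hash_file() {
    file=$1
    keep=${2:-/keep}   # persistent mount point; /keep as on this page

    # Missing or empty file: the account would have no usable password.
    [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 1; }

    # The file must live under the persistent mount, otherwise it is
    # wiped together with the tmpfs root on the next boot.
    real=$(realpath "$file")
    root=$(realpath "$keep")
    case $real in
        "$root"/*) ;;
        *) echo "not under $keep: $file" >&2; return 2 ;;
    esac

    # mkpasswd writes exactly one newline-terminated line.
    [ "$(wc -l < "$file")" -eq 1 ] || { echo "expected one line: $file" >&2; return 3; }

    # yescrypt hashes start with the $y$ prefix.
    IFS= read -r hash < "$file"
    case $hash in
        '$y$'*) ;;
        *) echo "not a yescrypt hash: $file" >&2; return 4 ;;
    esac

    # Only the owner should be able to read the hash (GNU stat).
    mode=$(stat -c %a "$file")
    case $mode in
        600|400) ;;
        *) echo "mode $mode is too open: $file" >&2; return 5 ;;
    esac
    return 0
}
```

A non-zero return identifies the failed check: 1 missing, 2 not persistent, 3 wrong line count, 4 wrong hash type, 5 permissions.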

memory used

Can use df to measure tmpfs memory usage.

df -h
Filesystem             Size  Used Avail Use% Mounted on
devtmpfs               1.6G     0  1.6G   0% /dev
tmpfs                   16G  8.0K   16G   1% /dev/shm
tmpfs                  7.7G  6.3M  7.7G   1% /run
tmpfs                   16G  1.2M   16G   1% /run/wrappers
tmpfs                  2.0G  1.6M  2.0G   1% /
/dev/VolumeGroup/root  883G  447G  392G  54% /keep
tmpfs                  3.1G   32K  3.1G   1% /run/user/1000

The relevant line is

tmpfs                  2.0G  1.6M  2.0G   1% /

Can check what's about to be cleared with

ncdu -x /

(-x means to not cross filesystem boundaries)

sudo ncdu -x /

will show the contents of /root, which may not be accessible normally.

running out of memory

Nix builds work in /tmp (see boot.tmp.useTmpfs), which can cause memory issues for large builds.

One can make a shell script called mktmp

#!/run/current-system/sw/bin/sh
# make a persistent /tmp

sudo mkdir -p /keep/tmp
sudo chmod 1777 /keep/tmp
sudo mount --onlyonce --bind /keep/tmp/ /tmp || true

and rmtmp

#!/run/current-system/sw/bin/sh
# remove a persistent /tmp

sudo umount /tmp
sudo chmod --silent -t /keep/tmp
sudo rm -rf /keep/tmp

to make and remove a temporary persisted /tmp, respectively.

These shell scripts are designed to be idempotent and inverses of each other.