nix/hosts/common/configs/system/impermanence/default.nix

{ config, pkgs, ... }:
{
  imports = [ ./options.nix ];

  boot.initrd.systemd = {
    enable = true;

    initrdBin = with pkgs; [
      coreutils
      util-linux
      findutils
      btrfs-progs
    ];

    services.impermanence = {
      description = "Rollback BTRFS subvolumes to a pristine state";
      wantedBy = [ "initrd.target" ];
      before = [ "sysroot.mount" ];
      after = [
        "cryptsetup.target"
        "local-fs-pre.target"
      ];
      unitConfig.DefaultDependencies = false;
      serviceConfig.Type = "oneshot";
      environment.DEVICE = config.environment.impermanence.device;
      script = builtins.readFile ./scripts/wipe.sh;
    };
  };

  # uuidgen -r | tr -d -
  # https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/administration/systemd-state.section.md
  # https://github.com/NixOS/nixpkgs/pull/286140/files
  # https://git.eisfunke.com/config/nixos/-/blob/e65e1dc21d06d07b454005762b177ef151f8bfb6/nixos/machine-id.nix
  sops.secrets."machineId".mode = "0444";

  fileSystems."/persist".neededForBoot = true;

  environment = {
    etc."machine-id".source = pkgs.runCommandLocal "machine-id-link" { } ''
      ln -s ${config.sops.secrets."machineId".path} $out
    '';

    persistence = {
      "/persist/user"."/etc/nixos" = { };
      "/persist/state" = {
        "/var/lib/nixos" = { };
        "/var/lib/systemd" = { };
        "/var/log" = { };
      };
    };
  };
}