`services.yggdrasil` doesn't play nice with Impermanence
I have machines with something like:
services.yggdrasil.enable = true;
services.yggdrasil.persistentKeys = true;
The NixOS module wants to do the following:
- Before `yggdrasil.service` starts, run `yggdrasil-persistent-keys.service`, a one-shot which generates `/var/lib/yggdrasil/keys.json`
- Generate `/run/yggdrasil/yggdrasil.conf`, which includes that file
- Run with systemd Dynamic Users, which means...
  - `/var/lib/yggdrasil/` is moved to `/var/lib/private/yggdrasil/` and permissions are changed
Adding insult to injury, there's nothing inside that directory. This is purely systemd making our lives harder. I'd normally just override the persistent-key path, but this NixOS module doesn't really support any customization.
I can work around this somewhat with:
environment.persistence."/persistent".files = [ "/var/lib/yggdrasil/keys.json" ];
But this doesn't work if I want to switch NixOS configurations after boot:
$ sudo nixos-rebuild switch --flake .
building the system configuration...
activating the configuration...
setting up /etc...
A file already exists at /var/lib/yggdrasil/keys.json!
Activation script snippet 'persist-files' failed (1)
Any thoughts? If this can't be fixed here, then just say so and I'll raise the issue to nixpkgs.
Have you tried persisting the whole directory (/var/lib/yggdrasil) instead of just the file as a workaround?
Yes; persisting the directory caused systemd to fail to start yggdrasil.service. Does that pattern work for other services?
Not other services specifically, but I ran across many situations where simply persisting a file would cause rebuild failures and persisting the directory wouldn't. It's disheartening to hear that it fails in this case regardless of the method.