Adjust impermanence only for required /etc files

Signed-off-by: Manuel Bluhm <[email protected]>
tiiuae · Oct 7, 2024 · ce5c3e7 · ce5c3e7
1 parent 66911fb
commit ce5c3e7
Showing 1 changed file with 62 additions and 10 deletions.
diff --git a/modules/microvm/virtualization/microvm/common/storagevm.nix b/modules/microvm/virtualization/microvm/common/storagevm.nix
@@ -1,6 +1,11 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{ lib, config, ... }:
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
 let
   cfg = config.ghaf.storagevm;
   inherit (lib)
@@ -11,6 +16,7 @@ let
     mkForce
     types
     optionals
+    optionalAttrs
     ;
   mountPath = "/guestStorage";
 in
@@ -93,21 +99,67 @@ in
     environment.persistence.${mountPath} = lib.mkMerge [
       {
         hideMounts = true;
-        directories =
+        directories = [
+          "/var/lib/nixos"
+        ];
+
+        files =
           [
-            "/var/lib/nixos"
+            "/etc/ssh/ssh_host_ed25519_key.pub"
+            "/etc/ssh/ssh_host_ed25519_key"
           ]
+          # TODO Remove with userborn
           ++ optionals config.ghaf.users.accounts.enableLoginUser [
-            # TODO Replace with userborn setup
-            "/etc"
+            "/etc/passwd"
+            "/etc/shadow.backup"
+            "/etc/group"
+            "/etc/etc.lock"
           ];
-
-        files = [
-          "/etc/ssh/ssh_host_ed25519_key.pub"
-          "/etc/ssh/ssh_host_ed25519_key"
-        ];
       }
       { inherit (cfg) directories users files; }
     ];
+
+    # TODO Remove with userborn. Fixes impermanence problems with /etc
+    system.activationScripts = optionalAttrs config.ghaf.users.accounts.enableLoginUser {
+      "_adjust_before_persist_files" = {
+        deps = [
+          "createPersistentStorageDirs"
+        ];
+        text = ''
+          if [[ ! -f /guestStorage/etc/etc.lock ]]; then
+            cp /etc/passwd /guestStorage/etc && rm /etc/passwd
+            cp /etc/group /guestStorage/etc && rm /etc/group
+            cp /etc/shadow /guestStorage/etc/shadow.backup
+            touch /guestStorage/etc/etc.lock
+            echo "copied and removed passwd, shadow, group"
+          else
+            [[ -f /etc/passwd ]] && rm /etc/passwd
+            [[ -f /etc/group ]] && rm /etc/group
+            rm /etc/shadow
+            cp /guestStorage/etc/shadow.backup /etc/shadow
+          fi
+        '';
+      };
+    };
+
+    systemd = optionalAttrs config.ghaf.users.accounts.enableLoginUser {
+      paths.etc-shadow = {
+        wantedBy = [ "local-fs.target" ];
+        after = [ "local-fs.target" ];
+        pathConfig = {
+          PathChanged = [ "/etc/shadow" ];
+          Unit = "etc-shadow.service";
+        };
+      };
+      services.etc-shadow = {
+        enable = true;
+        wantedBy = [ "local-fs.target" ];
+        after = [ "local-fs.target" ];
+        script = ''
+          ${pkgs.coreutils}/bin/cp /etc/shadow /etc/shadow.backup
+          ${pkgs.coreutils}/bin/chown root:shadow /etc/shadow
+        '';
+      };
+    };
   };
 }