runner: overlay-root appliance mode

2026-02-17 02:26:09 -08:00 · 2026-02-17 02:26:09 -08:00 · ce8c1319f4
commit ce8c1319f4
parent 49b969e081
5 changed files with 79 additions and 1 deletions
--- a/nix/modules/ec-runner.nix
+++ b/nix/modules/ec-runner.nix
@ -6,6 +6,21 @@ in
 {
  options.services.every-channel.runner = {
    enable = lib.mkEnableOption "every.channel runner base system profile";
+
+    overlayRoot = {
+      enable = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = ''
+          If enabled, mount the real root filesystem read-only and layer a tmpfs-backed
+          overlayfs upperdir on top. This makes runtime mutations non-persistent while
+          still allowing normal operation.
+
+          Note: for reliable in-place upgrades, mount `/boot` and `/nix` as separate
+          persistent filesystems outside the overlay.
+        '';
+      };
+    };
  };

  config = lib.mkIf cfg.enable {
@ -24,5 +39,42 @@ in
      jq
      curl
    ];
+
+    # Appliance defaults: avoid persistence-by-accident in logs.
+    services.journald.storage = lib.mkDefault "volatile";
+
+    # GC defaults to keep store growth bounded on unattended boxes.
+    nix.gc.automatic = lib.mkDefault true;
+    nix.gc.dates = lib.mkDefault "weekly";
+    nix.gc.options = lib.mkDefault "--delete-older-than 14d";
+    boot.loader.systemd-boot.configurationLimit = lib.mkDefault 10;
+
+    boot.initrd.kernelModules = lib.mkIf cfg.overlayRoot.enable [ "overlay" ];
+
+    # Make the on-disk root read-only and provide a tmpfs-backed writable layer.
+    # This runs after the real root has been mounted at /mnt-root by stage-1.
+    boot.initrd.postMountCommands = lib.mkIf cfg.overlayRoot.enable ''
+      set -euo pipefail
+
+      # If something else already overlaid the root (e.g. installer media), do nothing.
+      if mountpoint -q /mnt-root; then
+        if grep -q " /mnt-root overlay " /proc/mounts; then
+          exit 0
+        fi
+      fi
+
+      mkdir -p /mnt-root/.ec-overlay/ro /mnt-root/.ec-overlay/rw
+
+      # Move the real root mount out of the way, then remount it read-only.
+      mount --move /mnt-root /mnt-root/.ec-overlay/ro
+      mount -o remount,ro /mnt-root/.ec-overlay/ro
+
+      # Upper/work go on tmpfs so mutations disappear on reboot.
+      mount -t tmpfs tmpfs /mnt-root/.ec-overlay/rw -o mode=0755
+      mkdir -p /mnt-root/.ec-overlay/rw/upper /mnt-root/.ec-overlay/rw/work
+
+      mount -t overlay overlay /mnt-root \
+        -o lowerdir=/mnt-root/.ec-overlay/ro,upperdir=/mnt-root/.ec-overlay/rw/upper,workdir=/mnt-root/.ec-overlay/rw/work
+    '';
  };
 }
--- a/nix/nixos/ec-runner.nix
+++ b/nix/nixos/ec-runner.nix
@ -7,6 +7,7 @@
  ];

  services.every-channel.runner.enable = true;
+  services.every-channel.runner.overlayRoot.enable = lib.mkDefault true;

  # This is a role image; avoid baking per-host secrets/keys. SSH host keys will be
  # generated at first boot by NixOS defaults.
@ -26,4 +27,3 @@
  # Required by NixOS.
  system.stateVersion = "24.11";
 }
-