services.yggdrasil doesn't play nice with Impermanence

[MostAwesomeDude]

I have machines with something like:

services.yggdrasil.enable = true;
services.yggdrasil.persistentKeys = true;

The NixOS module wants to do the following:

• Before yggdrasil.service starts, run yggdrasil-persistent-keys.service, a one-shot which generates /var/lib/yggdrasil/keys.json
• Generate /run/yggdrasil/yggdrasil.conf which includes that file
• Run with systemd Dynamic Users, which means...
• /var/lib/yggdrasil/ is moved to /var/lib/private/yggdrasil/ and permissions are changed

Adding insult to injury, there's nothing inside that directory. This is purely systemd making our lives harder. I'd normally just override the persistent-key path, but this NixOS module doesn't really support any customization.

I can work around this somewhat with:

environment.persistence."/persistent".files = [ "/var/lib/yggdrasil/keys.json" ];

But this doesn't work if I want to switch NixOS configurations after boot:

$ sudo nixos-rebuild switch --flake .
building the system configuration...
activating the configuration...
setting up /etc...
A file already exists at /var/lib/yggdrasil/keys.json!
Activation script snippet 'persist-files' failed (1)

Any thoughts? If this can't be fixed here, then just say so and I'll raise the issue to nixpkgs.

[Kezerber]

Have you tried persisting the whole directory (/var/lib/yggdrasil) instead of just the file as a workaround?

[MostAwesomeDude]

Yes; persisting the directory caused systemd to fail to start yggdrasil.service. Does that pattern work for other services?

[Kezerber]

Yes; persisting the directory caused systemd to fail to start yggdrasil.service. Does that pattern work for other services?

Not other services specifically, but I ran across many situations where simply persisting a file would cause rebuild failures and persisting the directory wouldn't. It's disheartening to hear that it fails in this case regardless of the method.