linux-builder: Add option to delete the builder's disk image at servi…

…ce start time

modules/nix/linux-builder.nix

@@ -11,8 +11,6 @@ let
     modules = [ cfg.config ];
   };
 
-  WorkingDirectory = "/var/lib/darwin-builder";
-
   # create-builder uses TMPDIR to share files with the builder, notably certs.
   # macOS will clean up files in /tmp automatically that haven't been accessed in 3+ days.
   # If we let it use /tmp, leaving the computer asleep for 3 days makes the certs vanish.
@@ -22,6 +20,7 @@ let
     rm -rf $TMPDIR
     mkdir -p $TMPDIR
     trap "rm -rf $TMPDIR" EXIT
+    ${lib.optionalString cfg.ephemeral "rm -f ${cfg.workingDirectory}/nixos.qcow2"}
     ${builderWithOverrides}/bin/create-builder
   '';
 in
@@ -79,6 +78,22 @@ in
         This sets the corresponding `nix.buildMachines.*.supportedFeatures` option.
       '';
     };
+
+    workingDirectory = mkOption {
+       type = types.str;
+       default = "/var/lib/darwin-builder";
+       description = ''
+         The working directory of the Linux builder daemon process.
+       '';
+    };
+
+    ephemeral = mkEnableOption (lib.mdDoc ''
+      delete the builder's disk image on ever service restart.
+
+      This is useful whenever you change the builder's system configuration or
+      simply don't want it to accumulate state. Leave it disabled if you need to
+      rely on secrets or other information in the builder's file system.
+    '');
   };
 
   config = mkIf cfg.enable {
@@ -91,7 +106,7 @@ in
     } ];
 
     system.activationScripts.preActivation.text = ''
-      mkdir -p ${WorkingDirectory}
+      mkdir -p ${cfg.workingDirectory}
     '';
 
     launchd.daemons.linux-builder = {
@@ -105,7 +120,7 @@ in
         ];
         KeepAlive = true;
         RunAtLoad = true;
-        inherit WorkingDirectory;
+        WorkingDirectory = cfg.workingDirectory;
       };
     };