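{ config, lib, pkgs, sane-lib, utils, ... }:

# `cryptClearOnBoot` persist store: a gocryptfs filesystem whose encrypted
# backing directory lives on plaintext persistent storage, but whose key is
# regenerated (and the store re-initialized) on every boot. After power-off
# nothing written to this store can be decrypted anymore.
let
  # plaintext persistent store that holds the encrypted backing directory
  persist-base = config.sane.persist.stores."plaintext".origin;
  # mount point of the decrypted view
  device = config.sane.persist.stores."cryptClearOnBoot".origin;
  # gocryptfs passfile; regenerated on every boot by `sane.fs."${key}".generated` below
  key = "${device}.key";
  # encrypted backing directory (what gocryptfs actually stores on disk)
  underlying = sane-lib.path.concat [ persist-base "crypt/clearedonboot" ];
in
lib.mkIf config.sane.persist.enable
{
  sane.persist.stores."cryptClearOnBoot" = {
    storeDescription = ''
      stored to disk, but encrypted to an in-memory key and cleared on every boot
      so that it's unreadable after power-off
    '';
    origin = lib.mkDefault "/mnt/persist/crypt/clearedonboot";
  };

  fileSystems."${device}" = {
    device = underlying;
    fsType = "fuse.gocryptfs";
    options = [
      "nodev"
      "nosuid"
      "allow_other"
      "passfile=${key}"
      "defaults"
    ];
    noCheck = true;
  };

  # let sane.fs know about our fileSystem and automatically add the appropriate dependencies
  sane.fs."${device}".mount = {
    # technically the dependency on the keyfile is extraneous because that *happens* to
    # be needed to init the store.
    depends = let
      cryptfile = config.sane.fs."${underlying}/gocryptfs.conf";
      keyfile = config.sane.fs."${key}";
    in [ keyfile.unit cryptfile.unit ];
  };

  # let sane.fs know how to initialize the gocryptfs store,
  # and that it MUST do so
  sane.fs."${underlying}/gocryptfs.conf".generated = {
    # args: $1 = backing directory, $2 = passfile (see scriptArgs below)
    script.script = ''
      backing="$1"
      passfile="$2"
      # clear the backing store (the old contents are unreadable anyway: their key is gone)
      # TODO: we should verify that it's not mounted anywhere...
      rm -rf "''${backing:?}"/*
      ${pkgs.gocryptfs}/bin/gocryptfs -quiet -passfile "$passfile" -init "$backing"
    '';
    script.scriptArgs = [ underlying key ];
    # we need the key in order to initialize the store
    depends = [ config.sane.fs."${key}".unit ];
  };

  # let sane.fs know how to generate the key for gocryptfs
  sane.fs."${key}".generated = {
    # args: $1 = path of the key file to create
    script.script = ''
      # the key is secret: create the file with a restrictive mode from the start,
      # rather than relying on the acl (presumably applied after this script has run)
      # to fix up a file that was briefly readable under the default umask
      umask 077
      # iflag=fullblock: a short read from /dev/random would otherwise silently
      # produce a shorter key than the 128 bytes intended
      dd if=/dev/random bs=128 count=1 iflag=fullblock status=none | base64 --wrap=0 > "$1"
      # without pipefail a failed dd still leaves an (empty) key file behind;
      # refuse to report success in that case so the store is never initialized with it
      if ! test -s "$1"; then
        rm -f "$1"
        exit 1
      fi
    '';
    script.scriptArgs = [ key ];
    # no need for anyone else to be able to read the key
    acl.mode = "0400";
  };

  # TODO: could add this *specifically* to the .mount file for the encrypted fs?
  system.fsPackages = [ pkgs.gocryptfs ]; # fuse needs to find gocryptfs
}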