{ config, lib, pkgs, sane-lib, utils, ... }:

# The "private" persist store: a gocryptfs-encrypted directory whose ciphertext
# lives inside the plaintext persist store and whose decrypted view is mounted
# at `origin` (default /mnt/private). Everything below is gated on
# `sane.persist.enable`; with it off this module contributes nothing.
let
  cfg = config.sane.persist;

  # Mountpoint of the decrypted view (its default is set further down).
  mountpoint = cfg.stores."private".origin;

  # Ciphertext directory: the mountpoint path re-rooted inside the plaintext
  # store, so the encrypted blobs (and gocryptfs's own config file) persist.
  cipherdir = sane-lib.path.concat [ cfg.stores."plaintext".origin mountpoint ];
in
lib.mkIf cfg.enable {
  sane.persist.stores."private" = {
    storeDescription = ''
      encrypted store which persists across boots.
      typical use case is for the user to encrypt this store using their login password so that it
      can be auto-unlocked at login.
    '';
    origin = lib.mkDefault "/mnt/private";
    defaultMethod = "symlink";
    defaultOrdering = {
      # auto create only after the store is mounted
      wantedBy = [ config.sane.fs."${mountpoint}".unit ];
      # we can't create things in private before local-fs.target
      wantedBeforeBy = [ ];
    };
  };

  fileSystems."${mountpoint}" = {
    device = cipherdir;
    fsType = "fuse.gocryptfs";
    # NOTE(review): security-relevant mount options, for whoever touches this list:
    # - allow_other: the mount is performed by root, so without it the decrypted
    #   view would be invisible to the login user. gocryptfs's own mount code
    #   pairs allow_other with default_permissions so the kernel still enforces
    #   per-file mode bits -- confirm against the pinned gocryptfs version. Either
    #   way, once unlocked the plaintext is reachable by every local user, subject
    #   only to those mode bits.
    # - nodev/nosuid are set; noexec is not. Add "noexec" here if nothing kept in
    #   this store needs to be executable.
    # - noauto/nofail: nothing at boot can supply the passphrase, so the mount is
    #   deferred to login and its absence must not fail boot.
    options = [
      "noauto" # don't try to mount, until the user logs in!
      "nofail"
      "allow_other" # root ends up being the user that mounts this, so need to make it visible to other users.
      "nodev"
      "nosuid"
      "quiet"
      "defaults"
    ];
    # Skip the boot-time fsck (NixOS `noCheck`); there is none for this FUSE fs.
    noCheck = true;
  };

  # let sane.fs know about the mount
  sane.fs."${mountpoint}".mount = {};
  # it also needs to know that the underlying device is an ordinary folder
  sane.fs."${cipherdir}".dir = {};

  # TODO: could add this *specifically* to the .mount file for the encrypted fs?
  system.fsPackages = [ pkgs.gocryptfs ]; # fuse needs to find gocryptfs
}