# Declares the "private" persistence store: a gocryptfs (FUSE) view mounted at
# ~/private, backed by an ordinary directory under /nix/persist.
# Only active when `sane.persist.enable` is set.
#
# Security notes for reviewers:
# - Per the store description, the store is encrypted to the user's password and
#   unlocked at login. That protects the data at rest only: while the mount is
#   up, the plaintext view is readable through the mount point.
# - The mount carries `allow_other` (see below), so the plaintext view is not
#   restricted to the mounting user.
{ config, lib, pkgs, utils, ... }:

let
  home = "/home/colin";
  # where the decrypted view appears
  plainDir = "${home}/private";
  # where the ciphertext lives on disk
  cipherDir = "/nix/persist${plainDir}";
in
lib.mkIf config.sane.persist.enable {
  sane = {
    persist.stores.private = {
      storeDescription = ''
        encrypted to the user's password and auto-unlocked at login
      '';
      origin = plainDir;
      # Every path placed in this store *must* begin with the home prefix.
      # The prefix is stripped internally, so /home/colin/foo/bar stored in
      # `private` shows up at /home/colin/private/foo/bar.
      prefix = home;
      defaultOrdering =
        let
          mountUnit = config.sane.fs.${plainDir}.unit;
        in
        {
          # only auto-create entries once ~/private has been mounted
          wantedBy = [ mountUnit ];
          # nothing inside private can be created before local-fs.target
          wantedBeforeBy = [ ];
        };
    };

    fs = {
      # tell sane.fs that the mount exists
      ${plainDir}.mount = { };
      # ...and that the backing "device" is just a plain directory
      ${cipherDir}.dir = { };
    };
  };

  fileSystems.${plainDir} = {
    device = cipherDir;
    fsType = "fuse.gocryptfs";
    options = [
      # do not attempt the mount until the user logs in
      "noauto"
      "nofail"
      # root ends up performing the mount, so the view must be made visible to `colin`.
      # NOTE(review): this opens the decrypted view to every local account while
      # it is mounted, presumably still subject to ordinary file permission
      # checks. Confirm the mode/ownership of the mount point and its contents
      # keep other users out.
      "allow_other"
      # no device nodes or setuid binaries are honoured from inside the store
      "nodev"
      "nosuid"
      "quiet"
      "defaults"
    ];
    # the backing store is a directory, not a block device
    noCheck = true;
  };

  # TODO: could add this *specifically* to the .mount file for the encrypted fs?
  # fuse has to be able to locate the gocryptfs binary
  system.fsPackages = [ pkgs.gocryptfs ];
}