impermanence: split the /home/colin perms fix into more appropriate places

hosts/common/users.nix

@@ -71,6 +71,14 @@ in
 
     security.pam.mount.enable = true;
 
+    # ensure ~ perms are known to sane.fs module.
+    # TODO: this is generic enough to be lifted up into sane.fs itself.
+    sane.fs."/home/colin".dir.acl = {
+      user = "colin";
+      group = config.users.users.colin.group;
+      mode = config.users.users.colin.homeMode;
+    };
+
     sane.impermanence.dirs.home.plaintext = [
       "archive"
       "dev"

modules/impermanence/default.nix

@@ -181,27 +181,8 @@ in
     ./stores
   ];
 
-  config = mkIf cfg.enable (lib.mkMerge [
+  config = let
-    {
+    cfgFor = opt:
-      # TODO: move to sane.fs, to auto-ensure all user dirs?
-      sane.fs."/home/colin".dir.acl = {
-        user = "colin";
-        group = config.users.users.colin.group;
-        mode = config.users.users.colin.homeMode;
-      };
-
-      # N.B.: we have a similar problem with all mounts:
-      # <crypt>/.cache/mozilla won't inherit <plain>/.cache perms.
-      # this is less of a problem though, since we don't really support overlapping mounts like that in the first place.
-      # what is a problem is if the user specified some other dir we don't know about here.
-      # like "/var", and then "/nix/persist/var" has different perms and something mounts funny.
-      # TODO: just add assertions that sane.fs."${backing}/${dest}".dir == sane.fs."${dest}" for each mount point?
-      sane.fs."/nix/persist/home/colin".dir.acl = config.sane.fs."/home/colin".dir.acl;
-      sane.fs."/mnt/impermanence/crypt/clearedonboot/home/colin".dir.acl = config.sane.fs."/home/colin".dir.acl;
-    }
-
-    (
-      let cfgFor = opt:
       let
         store = opt.store;
         store-rel-path = pathFrom store.prefix opt.directory;
@@ -222,16 +203,14 @@ in
           mount.extraOptions = store.extraOptions;
         };
         sane.fs."${backing-path}" = {
-            # ensure the backing path has same perms as the mount point
+          # ensure the backing path has same perms as the mount point.
+          # TODO: maybe we want to do this, crawling all the way up to the store base?
+          # that would simplify (remove) the code in stores/default.nix
           dir.acl = config.sane.fs."${opt.directory}".dir.acl;
         };
       };
-        cfgs = builtins.map cfgFor cfg.dirs.all;
+  in mkIf cfg.enable {
-      in {
+    sane.fs = lib.mkMerge (map (d: (cfgFor d).sane.fs) cfg.dirs.all);
-        sane.fs = lib.mkMerge (catAttrs "fs" (catAttrs "sane" cfgs));
+  };
-      }
-    )
-
-  ]);
 }
 

modules/impermanence/stores/default.nix

@@ -11,5 +11,18 @@ in
   ];
 
   config = lib.mkIf cfg.enable {
+    # make sure that the store has the same acl as the main filesystem,
+    # particularly for /home/colin.
+    #
+    # N.B.: we have a similar problem with all mounts:
+    # <crypt>/.cache/mozilla won't inherit <plain>/.cache perms.
+    # this is less of a problem though, since we don't really support overlapping mounts like that in the first place.
+    # what is a problem is if the user specified some other dir we don't know about here.
+    # like "/var", and then "/nix/persist/var" has different perms and something mounts funny.
+    # TODO: just add assertions that sane.fs."${backing}/${dest}".dir == sane.fs."${dest}" for each mount point?
+    sane.fs = lib.mapAttrs' (_name: store: {
+      name = "${store.mountpt}/home/colin";
+      value.dir.acl = config.sane.fs."/home/colin".dir.acl;
+    }) cfg.stores;
   };
 }