sane-private-do: run a command with the private store unlocked; then re-lock it

pkgs/sane-scripts/default.nix

@@ -56,6 +56,7 @@ resholve.mkDerivation {
 
           # these are used internally; probably a better fix
           "sane-mount-servo"
+          "sane-private-lock"
           "sane-private-unlock"
         ];
       };

pkgs/sane-scripts/src/sane-private-do

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+# unlock the ~/private store, run some command, and then re-lock the store
+
+set -x
+
+external_cmd=$@
+
+sane-private-unlock
+$external_cmd
+exec sane-private-lock

pkgs/sane-scripts/src/sane-private-unlock

@@ -2,8 +2,7 @@
 
 set -ex
 
-# configure persistent, encrypted storage that is auto-mounted on login.
-# this is a one-time setup and user should log out/back in after running it.
+# mounts ~/private
 
 mount=/home/colin/private
 cipher="/nix/persist$mount"