persist stores: define the path for private at the host level

hosts/common/default.nix

@@ -10,6 +10,7 @@
     ./ids.nix
     ./machine-id.nix
     ./net.nix
+    ./persist.nix
     ./secrets.nix
     ./ssh.nix
     ./users.nix

hosts/common/persist.nix

@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  sane.persist.stores.private.origin = "/home/colin/private";
+  # store /home/colin/a/b in /home/private/a/b instead of /home/private/home/colin/a/b
+  sane.persist.stores.private.prefix = "/home/colin";
+}

modules/persist/stores/plaintext.nix

@@ -3,7 +3,7 @@
 let
   cfg = config.sane.persist;
 in lib.mkIf cfg.enable {
-  sane.persist.stores."plaintext" = {
+  sane.persist.stores."plaintext" = lib.mkDefault {
     origin = "/nix/persist";
   };
   # TODO: needed?

modules/persist/stores/private.nix

@@ -1,21 +1,22 @@
-{ config, lib, pkgs, utils, ... }:
+{ config, lib, pkgs, sane-lib, utils, ... }:
 
+let
+  private-dir = config.sane.persist.stores."private".origin;
+  private-backing-dir = sane-lib.path.concat [ "/nix/persist" private-dir ];
+in
 lib.mkIf config.sane.persist.enable
 {
   sane.persist.stores."private" = {
     storeDescription = ''
-      encrypted to the user's password and auto-unlocked at login
+      encrypted store which persists across boots.
+      typical use case is for the user to encrypt this store using their login password so that it
+      can be auto-unlocked at login.
     '';
-    origin = "/home/colin/private";
-    # files stored under here *must* have the /home/colin prefix.
-    # internally, this prefix is removed so that e.g.
-    # /home/colin/foo/bar when stored in `private` is visible at
-    # /home/colin/private/foo/bar
-    prefix = "/home/colin";
+    origin = lib.mkDefault "/mnt/private";
     defaultOrdering = let
-      private-unit = config.sane.fs."/home/colin/private".unit;
+      private-unit = config.sane.fs."${private-dir}".unit;
     in {
-      # auto create only after ~/private is mounted
+      # auto create only after the store is mounted
       wantedBy = [ private-unit ];
       # we can't create things in private before local-fs.target
       wantedBeforeBy = [ ];
@@ -23,13 +24,13 @@ lib.mkIf config.sane.persist.enable
     defaultMethod = "symlink";
   };
 
-  fileSystems."/home/colin/private" = {
-    device = "/nix/persist/home/colin/private";
+  fileSystems."${private-dir}" = {
+    device = private-backing-dir;
     fsType = "fuse.gocryptfs";
     options = [
       "noauto"  # don't try to mount, until the user logs in!
       "nofail"
-      "allow_other"  # root ends up being the user that mounts this, so need to make it visible to `colin`.
+      "allow_other"  # root ends up being the user that mounts this, so need to make it visible to other users.
       "nodev"
       "nosuid"
       "quiet"
@@ -39,9 +40,9 @@ lib.mkIf config.sane.persist.enable
   };
 
   # let sane.fs know about the mount
-  sane.fs."/home/colin/private".mount = {};
+  sane.fs."${private-dir}".mount = {};
   # it also needs to know that the underlying device is an ordinary folder
-  sane.fs."/nix/persist/home/colin/private".dir = {};
+  sane.fs."${private-backing-dir}".dir = {};
 
   # TODO: could add this *specifically* to the .mount file for the encrypted fs?
   system.fsPackages = [ pkgs.gocryptfs ];  # fuse needs to find gocryptfs