persist stores: define the path for private
at the host level
This commit is contained in:
parent
7c81df00df
commit
70b62e9f76
|
@ -10,6 +10,7 @@
|
|||
./ids.nix
|
||||
./machine-id.nix
|
||||
./net.nix
|
||||
./persist.nix
|
||||
./secrets.nix
|
||||
./ssh.nix
|
||||
./users.nix
|
||||
|
|
7
hosts/common/persist.nix
Normal file
7
hosts/common/persist.nix
Normal file
|
@ -0,0 +1,7 @@
|
|||
{ ... }:
|
||||
|
||||
{
|
||||
sane.persist.stores.private.origin = "/home/colin/private";
|
||||
# store /home/colin/a/b in /home/private/a/b instead of /home/private/home/colin/a/b
|
||||
sane.persist.stores.private.prefix = "/home/colin";
|
||||
}
|
|
@ -3,7 +3,7 @@
|
|||
let
|
||||
cfg = config.sane.persist;
|
||||
in lib.mkIf cfg.enable {
|
||||
sane.persist.stores."plaintext" = {
|
||||
sane.persist.stores."plaintext" = lib.mkDefault {
|
||||
origin = "/nix/persist";
|
||||
};
|
||||
# TODO: needed?
|
||||
|
|
|
@ -1,21 +1,22 @@
|
|||
{ config, lib, pkgs, utils, ... }:
|
||||
{ config, lib, pkgs, sane-lib, utils, ... }:
|
||||
|
||||
let
|
||||
private-dir = config.sane.persist.stores."private".origin;
|
||||
private-backing-dir = sane-lib.path.concat [ "/nix/persist" private-dir ];
|
||||
in
|
||||
lib.mkIf config.sane.persist.enable
|
||||
{
|
||||
sane.persist.stores."private" = {
|
||||
storeDescription = ''
|
||||
encrypted to the user's password and auto-unlocked at login
|
||||
encrypted store which persists across boots.
|
||||
typical use case is for the user to encrypt this store using their login password so that it
|
||||
can be auto-unlocked at login.
|
||||
'';
|
||||
origin = "/home/colin/private";
|
||||
# files stored under here *must* have the /home/colin prefix.
|
||||
# internally, this prefix is removed so that e.g.
|
||||
# /home/colin/foo/bar when stored in `private` is visible at
|
||||
# /home/colin/private/foo/bar
|
||||
prefix = "/home/colin";
|
||||
origin = lib.mkDefault "/mnt/private";
|
||||
defaultOrdering = let
|
||||
private-unit = config.sane.fs."/home/colin/private".unit;
|
||||
private-unit = config.sane.fs."${private-dir}".unit;
|
||||
in {
|
||||
# auto create only after ~/private is mounted
|
||||
# auto create only after the store is mounted
|
||||
wantedBy = [ private-unit ];
|
||||
# we can't create things in private before local-fs.target
|
||||
wantedBeforeBy = [ ];
|
||||
|
@ -23,13 +24,13 @@ lib.mkIf config.sane.persist.enable
|
|||
defaultMethod = "symlink";
|
||||
};
|
||||
|
||||
fileSystems."/home/colin/private" = {
|
||||
device = "/nix/persist/home/colin/private";
|
||||
fileSystems."${private-dir}" = {
|
||||
device = private-backing-dir;
|
||||
fsType = "fuse.gocryptfs";
|
||||
options = [
|
||||
"noauto" # don't try to mount, until the user logs in!
|
||||
"nofail"
|
||||
"allow_other" # root ends up being the user that mounts this, so need to make it visible to `colin`.
|
||||
"allow_other" # root ends up being the user that mounts this, so need to make it visible to other users.
|
||||
"nodev"
|
||||
"nosuid"
|
||||
"quiet"
|
||||
|
@ -39,9 +40,9 @@ lib.mkIf config.sane.persist.enable
|
|||
};
|
||||
|
||||
# let sane.fs know about the mount
|
||||
sane.fs."/home/colin/private".mount = {};
|
||||
sane.fs."${private-dir}".mount = {};
|
||||
# it also needs to know that the underlying device is an ordinary folder
|
||||
sane.fs."/nix/persist/home/colin/private".dir = {};
|
||||
sane.fs."${private-backing-dir}".dir = {};
|
||||
|
||||
# TODO: could add this *specifically* to the .mount file for the encrypted fs?
|
||||
system.fsPackages = [ pkgs.gocryptfs ]; # fuse needs to find gocryptfs
|
||||
|
|
Loading…
Reference in New Issue
Block a user