persist stores: define the path for private
at the host level
@ -10,6 +10,7 @@
|
||||||
./ids.nix
|
./ids.nix
|
||||||
./machine-id.nix
|
./machine-id.nix
|
||||||
./net.nix
|
./net.nix
|
||||||
|
./persist.nix
|
||||||
./secrets.nix
|
./secrets.nix
|
||||||
./ssh.nix
|
./ssh.nix
|
||||||
./users.nix
|
./users.nix
|
||||||
|
|
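--- /dev/null
+++ b/hosts/common/persist.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+sane.persist.stores.private.origin = "/home/colin/private";
+# store /home/colin/a/b in /home/private/a/b instead of /home/private/home/colin/a/b
+sane.persist.stores.private.prefix = "/home/colin";
+}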
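Review bot: The comment on the prefix line gives example paths that do not match the `origin` set one line above it: with `origin = "/home/colin/private"` and `prefix = "/home/colin"`, the file `/home/colin/a/b` lands at `/home/colin/private/a/b` (not `/home/private/a/b`), and without the prefix it would land at `/home/colin/private/home/colin/a/b`. I'd rewrite it as `# store /home/colin/a/b at /home/colin/private/a/b instead of /home/colin/private/home/colin/a/b`. The module comment removed elsewhere in this commit, that every path persisted to this store *must* carry the `/home/colin` prefix, is not carried over anywhere visible; this host file is the natural place for it, e.g. `# every path persisted to `private` must start with this prefix`.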
|
@ -3,7 +3,7 @@
|
||||||
let
|
let
|
||||||
cfg = config.sane.persist;
|
cfg = config.sane.persist;
|
||||||
in lib.mkIf cfg.enable {
|
in lib.mkIf cfg.enable {
|
||||||
sane.persist.stores."plaintext" = {
|
sane.persist.stores."plaintext" = lib.mkDefault {
|
||||||
origin = "/nix/persist";
|
origin = "/nix/persist";
|
||||||
};
|
};
|
||||||
# TODO: needed?
|
# TODO: needed?
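Review bot: `lib.mkDefault` here wraps the whole `plaintext` store attrset rather than its `origin`, so a host that sets any other attribute of `sane.persist.stores.plaintext` at normal priority replaces the entire default definition and `origin` is lost, unless the store option declares its own default for `origin` (not visible here). The `private` store in this same commit takes the per-attribute route, `origin = lib.mkDefault "/mnt/private";`, which merges with host definitions; I'd make plaintext consistent: `sane.persist.stores."plaintext" = { origin = lib.mkDefault "/nix/persist"; };`. The `lib.mkIf cfg.enable {` attrset this sits in continues past the end of the hunk.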
|
||||||
|
|
|
@ -1,21 +1,22 @@
|
||||||
{ config, lib, pkgs, utils, ... }:
|
{ config, lib, pkgs, sane-lib, utils, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
private-dir = config.sane.persist.stores."private".origin;
|
||||||
|
private-backing-dir = sane-lib.path.concat [ "/nix/persist" private-dir ];
|
||||||
|
in
|
||||||
lib.mkIf config.sane.persist.enable
|
lib.mkIf config.sane.persist.enable
|
||||||
{
|
{
|
||||||
sane.persist.stores."private" = {
|
sane.persist.stores."private" = {
|
||||||
storeDescription = ''
|
storeDescription = ''
|
||||||
encrypted to the user's password and auto-unlocked at login
|
encrypted store which persists across boots.
|
||||||
|
typical use case is for the user to encrypt this store using their login password so that it
|
||||||
|
can be auto-unlocked at login.
|
||||||
'';
|
'';
|
||||||
origin = "/home/colin/private";
|
origin = lib.mkDefault "/mnt/private";
|
||||||
# files stored under here *must* have the /home/colin prefix.
|
|
||||||
# internally, this prefix is removed so that e.g.
|
|
||||||
# /home/colin/foo/bar when stored in `private` is visible at
|
|
||||||
# /home/colin/private/foo/bar
|
|
||||||
prefix = "/home/colin";
|
|
||||||
defaultOrdering = let
|
defaultOrdering = let
|
||||||
private-unit = config.sane.fs."/home/colin/private".unit;
|
private-unit = config.sane.fs."${private-dir}".unit;
|
||||||
in {
|
in {
|
||||||
# auto create only after ~/private is mounted
|
# auto create only after the store is mounted
|
||||||
wantedBy = [ private-unit ];
|
wantedBy = [ private-unit ];
|
||||||
# we can't create things in private before local-fs.target
|
# we can't create things in private before local-fs.target
|
||||||
wantedBeforeBy = [ ];
|
wantedBeforeBy = [ ];
|
||||||
|
@ -23,13 +24,13 @@ lib.mkIf config.sane.persist.enable
|
||||||
defaultMethod = "symlink";
|
defaultMethod = "symlink";
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/home/colin/private" = {
|
fileSystems."${private-dir}" = {
|
||||||
device = "/nix/persist/home/colin/private";
|
device = private-backing-dir;
|
||||||
fsType = "fuse.gocryptfs";
|
fsType = "fuse.gocryptfs";
|
||||||
options = [
|
options = [
|
||||||
"noauto" # don't try to mount, until the user logs in!
|
"noauto" # don't try to mount, until the user logs in!
|
||||||
"nofail"
|
"nofail"
|
||||||
"allow_other" # root ends up being the user that mounts this, so need to make it visible to `colin`.
|
"allow_other" # root ends up being the user that mounts this, so need to make it visible to other users.
|
||||||
"nodev"
|
"nodev"
|
||||||
"nosuid"
|
"nosuid"
|
||||||
"quiet"
|
"quiet"
|
||||||
|
@ -39,9 +40,9 @@ lib.mkIf config.sane.persist.enable
|
||||||
};
|
};
|
||||||
|
|
||||||
# let sane.fs know about the mount
|
# let sane.fs know about the mount
|
||||||
sane.fs."/home/colin/private".mount = {};
|
sane.fs."${private-dir}".mount = {};
|
||||||
# it also needs to know that the underlying device is an ordinary folder
|
# it also needs to know that the underlying device is an ordinary folder
|
||||||
sane.fs."/nix/persist/home/colin/private".dir = {};
|
sane.fs."${private-backing-dir}".dir = {};
|
||||||
|
|
||||||
# TODO: could add this *specifically* to the .mount file for the encrypted fs?
|
# TODO: could add this *specifically* to the .mount file for the encrypted fs?
|
||||||
system.fsPackages = [ pkgs.gocryptfs ]; # fuse needs to find gocryptfs
|
system.fsPackages = [ pkgs.gocryptfs ]; # fuse needs to find gocryptfs
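Review bot: `private-backing-dir` in the first hunk hard-codes `"/nix/persist"` as the plaintext root, while this same commit turns the plaintext store's `origin` into a host-overridable `lib.mkDefault`; a host that moves the plaintext store would leave the gocryptfs backing directory behind at `/nix/persist`. If that option is reachable from this module, `private-backing-dir = sane-lib.path.concat [ config.sane.persist.stores."plaintext".origin private-dir ];` keeps the two in step. Separately, the reworded `allow_other` comment now promises visibility to "other users": with `allow_other` every local uid can traverse the decrypted tree, so the only access boundary is the mode bits on the decrypted files plus FUSE `default_permissions` — gocryptfs' own docs say `-allow_other` implies `default_permissions`, but I have not confirmed the `-o allow_other` fstab path behaves the same, so I'd either list `default_permissions` explicitly in `options` or state that assumption in the comment. The `lib.mkIf config.sane.persist.enable {` attrset spans all three hunks and its closing brace is outside this view.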
|
||||||
|
|