persist/{private,ephemeral}: mount via fuse

gocryptfs is compatible with --drop-permissions style of mount.fuse3. only, i can't actually use that today because i need to keep permissions :o but maybe i'll enable that in the future
2024-08-03 18:51:58 +00:00
parent 2b3278eb7f
commit 74662df720
2 changed files with 13 additions and 11 deletions
--- a/modules/persist/stores/ephemeral.nix
+++ b/modules/persist/stores/ephemeral.nix
@@ -6,10 +6,11 @@ let
  backing = sane-lib.path.concat [ persist-base "ephemeral" ];
  gocryptfs-ephemeral = pkgs.writeShellApplication {
-    name = "mount.fuse.gocryptfs-ephemeral";
+    name = "gocryptfs-ephemeral";
    runtimeInputs = with pkgs; [
      coreutils-full
      gocryptfs
      util-linux  #< gocryptfs complains that it can't exec `logger`, otherwise
    ];
    text = ''
      # mount invokes us like this. not sure if that's a guarantee or not:
@@ -25,7 +26,7 @@ let
      # that's inconsequential: we just care that it's not *persisted*.
      pw=$(dd if=/dev/random bs=128 count=1 | base64 --wrap=0)
      echo "$pw" | gocryptfs -quiet -passfile /dev/stdin -init "$backing"
-      echo "$pw" | gocryptfs -quiet -passfile /dev/stdin "$@"
+      echo "$pw" | exec gocryptfs -quiet -passfile /dev/stdin "$@"
    '';
  };
 in
@@ -40,11 +41,11 @@ lib.mkIf config.sane.persist.enable
  };
  fileSystems."${origin}" = {
-    device = backing;
+    device = "${lib.getExe gocryptfs-ephemeral}#${backing}";
-    fsType = "fuse.gocryptfs-ephemeral";
+    fsType = "fuse3";
    options = [
-      # "nodev"   # "Unknown parameter 'nodev'". gocryptfs requires this be passed as `-ko nodev`
+      "nodev"   # only works via mount.fuse; gocryptfs requires this be passed as `-ko nodev`
-      # "nosuid"  # "Unknown parameter 'nosuid'". gocryptfs requires this be passed as `-ko nosuid` (also, nosuid is default)
+      "nosuid"  # only works via mount.fuse; gocryptfs requires this be passed as `-ko nosuid` (also, nosuid is default)
      "allow_other"  # root ends up being the user that mounts this, so need to make it visible to other users.
      # "defaults"  # "unknown flag: --defaults. Try 'gocryptfs -help'"
    ];
--- a/modules/persist/stores/private.nix
+++ b/modules/persist/stores/private.nix
@@ -6,11 +6,12 @@ let
  backing = sane-lib.path.concat [ persist-base "private" ];
  gocryptfs-private = pkgs.writeShellApplication {
-    name = "mount.fuse.gocryptfs-private";
+    name = "gocryptfs-private";
    runtimeInputs = with pkgs; [
      coreutils-full
      gocryptfs
      inotify-tools
      util-linux  #< gocryptfs complains that it can't exec `logger`, otherwise
    ];
    text = ''
      # backing=$1
@@ -89,14 +90,14 @@ lib.mkIf config.sane.persist.enable
  };
  fileSystems."${origin}" = {
-    device = backing;
+    device = "${lib.getExe gocryptfs-private}#${backing}";
-    fsType = "fuse.gocryptfs-private";
+    fsType = "fuse3";
    options = [
      # "auto"
      "nofail"
      # "nodev"   # "Unknown parameter 'nodev'". gocryptfs requires this be passed as `-ko nodev`
      # "noexec"  # handful of scripts in ~/knowledge that are executable
-      # "nosuid"  # "Unknown parameter 'nosuid'". gocryptfs requires this be passed as `-ko nosuid` (also nosuid is default)
+      "nodev"   # only works via mount.fuse; gocryptfs requires this be passed as `-ko nodev`
      "nosuid"  # only works via mount.fuse; gocryptfs requires this be passed as `-ko nosuid` (also, nosuid is default)
      "allow_other"  # root ends up being the user that mounts this, so need to make it visible to other users.
      # "quiet"
      # "defaults"  # "unknown flag: --defaults. Try 'gocryptfs -help'"