persist/{private,ephemeral}: mount via fuse

gocryptfs is compatible with --drop-permissions style of mount.fuse3. only, i can't actually use that today because i need to keep permissions :o

but maybe i'll enable that in the future
2024-08-03 18:51:58 +00:00
parent 2b3278eb7f
commit 74662df720
2 changed files with 13 additions and 11 deletions


@@ -6,10 +6,11 @@ let
backing = sane-lib.path.concat [ persist-base "ephemeral" ];
gocryptfs-ephemeral = pkgs.writeShellApplication {
name = "mount.fuse.gocryptfs-ephemeral";
name = "gocryptfs-ephemeral";
runtimeInputs = with pkgs; [
coreutils-full
gocryptfs
util-linux #< gocryptfs complains that it can't exec `logger`, otherwise
];
text = ''
# mount invokes us like this. not sure if that's a guarantee or not:
@@ -25,7 +26,7 @@ let
# that's inconsequential: we just care that it's not *persisted*.
pw=$(dd if=/dev/random bs=128 count=1 | base64 --wrap=0)
echo "$pw" | gocryptfs -quiet -passfile /dev/stdin -init "$backing"
echo "$pw" | gocryptfs -quiet -passfile /dev/stdin "$@"
echo "$pw" | exec gocryptfs -quiet -passfile /dev/stdin "$@"
'';
};
in
@@ -40,11 +41,11 @@ lib.mkIf config.sane.persist.enable
};
fileSystems."${origin}" = {
device = backing;
fsType = "fuse.gocryptfs-ephemeral";
device = "${lib.getExe gocryptfs-ephemeral}#${backing}";
fsType = "fuse3";
options = [
# "nodev" # "Unknown parameter 'nodev'". gocryptfs requires this be passed as `-ko nodev`
# "nosuid" # "Unknown parameter 'nosuid'". gocryptfs requires this be passed as `-ko nosuid` (also, nosuid is default)
"nodev" # only works via mount.fuse; gocryptfs requires this be passed as `-ko nodev`
"nosuid" # only works via mount.fuse; gocryptfs requires this be passed as `-ko nosuid` (also, nosuid is default)
"allow_other" # root ends up being the user that mounts this, so need to make it visible to other users.
# "defaults" # "unknown flag: --defaults. Try 'gocryptfs -help'"
];
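Review bot: `"allow_other"` in the options list is now a generic FUSE option handed to mount.fuse3 rather than gocryptfs's own `-allow_other` switch, and nothing in this hunk pins `default_permissions`, the option that makes the kernel enforce mode bits on an allow_other mount. gocryptfs may well map `-o allow_other` onto its own flag and add default_permissions itself, but since the commit message says permissions must be kept and the comment notes that root does the mounting, I would make it explicit rather than rely on that: add `"default_permissions" # kernel enforces mode bits; allow_other alone does not` beside `"allow_other"`. The same applies to the options list in the gocryptfs-private file section below. One smaller point in the second hunk of this file: `echo "$pw" | exec gocryptfs …` only replaces bash's pipeline subshell, not the script process, so if the intent was to hand the process over to mount.fuse3 it probably does not achieve that; `exec gocryptfs -quiet -passfile /dev/stdin "$@" <<<"$pw"` would keep the password off the command line and still replace the script.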


@@ -6,11 +6,12 @@ let
backing = sane-lib.path.concat [ persist-base "private" ];
gocryptfs-private = pkgs.writeShellApplication {
name = "mount.fuse.gocryptfs-private";
name = "gocryptfs-private";
runtimeInputs = with pkgs; [
coreutils-full
gocryptfs
inotify-tools
util-linux #< gocryptfs complains that it can't exec `logger`, otherwise
];
text = ''
# backing=$1
@@ -89,14 +90,14 @@ lib.mkIf config.sane.persist.enable
};
fileSystems."${origin}" = {
device = backing;
fsType = "fuse.gocryptfs-private";
device = "${lib.getExe gocryptfs-private}#${backing}";
fsType = "fuse3";
options = [
# "auto"
"nofail"
# "nodev" # "Unknown parameter 'nodev'". gocryptfs requires this be passed as `-ko nodev`
# "noexec" # handful of scripts in ~/knowledge that are executable
# "nosuid" # "Unknown parameter 'nosuid'". gocryptfs requires this be passed as `-ko nosuid` (also nosuid is default)
"nodev" # only works via mount.fuse; gocryptfs requires this be passed as `-ko nodev`
"nosuid" # only works via mount.fuse; gocryptfs requires this be passed as `-ko nosuid` (also, nosuid is default)
"allow_other" # root ends up being the user that mounts this, so need to make it visible to other users.
# "quiet"
# "defaults" # "unknown flag: --defaults. Try 'gocryptfs -help'"