persist: rename "cryptClearOnBoot" to "ephemeral"

2024-07-24 15:13:48 +00:00
parent cf8e9f798d
commit 874b7aecfa
14 changed files with 21 additions and 21 deletions


@@ -36,7 +36,7 @@
in { in {
".persist/private" = lib.mkIf persistEnabled { symlink.target = config.sane.persist.stores.private.origin; }; ".persist/private" = lib.mkIf persistEnabled { symlink.target = config.sane.persist.stores.private.origin; };
".persist/plaintext" = lib.mkIf persistEnabled { symlink.target = config.sane.persist.stores.plaintext.origin; }; ".persist/plaintext" = lib.mkIf persistEnabled { symlink.target = config.sane.persist.stores.plaintext.origin; };
".persist/ephemeral" = lib.mkIf persistEnabled { symlink.target = config.sane.persist.stores.cryptClearOnBoot.origin; }; ".persist/ephemeral" = lib.mkIf persistEnabled { symlink.target = config.sane.persist.stores.ephemeral.origin; };
"nixos".symlink.target = "dev/nixos"; "nixos".symlink.target = "dev/nixos";


@@ -11,7 +11,7 @@
# TODO: these should be private.. somehow # TODO: these should be private.. somehow
"/var/backup" # for e.g. postgres dumps "/var/backup" # for e.g. postgres dumps
]; ];
sane.persist.sys.byStore.cryptClearOnBoot = [ sane.persist.sys.byStore.ephemeral = [
"/var/lib/systemd/coredump" "/var/lib/systemd/coredump"
]; ];
} }


@@ -519,7 +519,7 @@ in
electrum.sandbox.method = "bwrap"; # TODO:sandbox: untested electrum.sandbox.method = "bwrap"; # TODO:sandbox: untested
electrum.sandbox.net = "all"; # TODO: probably want to make this run behind a VPN, always electrum.sandbox.net = "all"; # TODO: probably want to make this run behind a VPN, always
electrum.sandbox.whitelistWayland = true; electrum.sandbox.whitelistWayland = true;
electrum.persist.byStore.cryptClearOnBoot = [ ".electrum" ]; #< TODO: use XDG dirs! electrum.persist.byStore.ephemeral = [ ".electrum" ]; #< TODO: use XDG dirs!
endless-sky.buildCost = 1; endless-sky.buildCost = 1;
endless-sky.persist.byStore.plaintext = [ ".local/share/endless-sky" ]; endless-sky.persist.byStore.plaintext = [ ".local/share/endless-sky" ];
@@ -685,7 +685,7 @@ in
"Pictures/Screenshots" "Pictures/Screenshots"
"Pictures/servo-macros" "Pictures/servo-macros"
]; ];
gnome-frog.persist.byStore.cryptClearOnBoot = [ gnome-frog.persist.byStore.ephemeral = [
".local/share/tessdata" # 15M; dunno what all it is. ".local/share/tessdata" # 15M; dunno what all it is.
]; ];
@@ -899,7 +899,7 @@ in
nixpkgs-review.sandbox.extraPaths = [ nixpkgs-review.sandbox.extraPaths = [
"/nix" "/nix"
]; ];
nixpkgs-review.persist.byStore.cryptClearOnBoot = [ nixpkgs-review.persist.byStore.ephemeral = [
".cache/nixpkgs-review" #< help it not exhaust / tmpfs ".cache/nixpkgs-review" #< help it not exhaust / tmpfs
]; ];


@@ -21,7 +21,7 @@
sandbox.whitelistDri = true; sandbox.whitelistDri = true;
sandbox.whitelistWayland = true; sandbox.whitelistWayland = true;
persist.byStore.cryptClearOnBoot = [ persist.byStore.ephemeral = [
".cache/BraveSoftware" ".cache/BraveSoftware"
".config/BraveSoftware" ".config/BraveSoftware"
]; ];


@@ -160,7 +160,7 @@ let
persistCache = mkOption { persistCache = mkOption {
description = "optional store name to which persist browser cache"; description = "optional store name to which persist browser cache";
type = types.nullOr types.str; type = types.nullOr types.str;
default = "cryptClearOnBoot"; default = "ephemeral";
}; };
addons = mkOption { addons = mkOption {
type = types.attrsOf addonOpts; type = types.attrsOf addonOpts;
@@ -372,14 +372,14 @@ in
if (cfg.persistData != null) then if (cfg.persistData != null) then
cfg.persistData cfg.persistData
else else
"cryptClearOnBoot" "ephemeral"
; ;
persist.byPath."${cfg.browser.dotDir}/default".store = persist.byPath."${cfg.browser.dotDir}/default".store =
if (cfg.persistData != null) then if (cfg.persistData != null) then
cfg.persistData cfg.persistData
else else
"cryptClearOnBoot" "ephemeral"
; ;
}; };
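Review bot: A configuration that sets `persistCache` or `persistData` explicitly to the old string `"cryptClearOnBoot"` now names a store this commit no longer defines, and neither hunk maps the old value onto `"ephemeral"` — only the defaults at the `default = "ephemeral";` line and the two `else "ephemeral"` fallbacks were updated. Whether an unknown store name fails evaluation or quietly leaves the browser profile and cache unpersisted is not visible here; if it is the latter, data the user meant to keep in the encrypted, cleared-on-boot store would silently end up nowhere. An assertion in the module's config block would make the rename fail loudly, e.g. `assertion = cfg.persistCache == null || builtins.hasAttr cfg.persistCache config.sane.persist.stores;` with a matching check for `cfg.persistData`. The enclosing `config` attrset of the second hunk starts before the hunk.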


@@ -24,7 +24,7 @@
# also writes to ~/.cache/komikku # also writes to ~/.cache/komikku
".local/share/komikku" ".local/share/komikku"
]; ];
persist.byStore.cryptClearOnBoot = [ persist.byStore.ephemeral = [
".cache/komikku" ".cache/komikku"
]; ];
}; };


@@ -125,7 +125,7 @@ in
fs."Apps".symlink.target = ".local/share/applications/rofi-applications.desktop"; fs."Apps".symlink.target = ".local/share/applications/rofi-applications.desktop";
fs."WiFi".symlink.target = ".local/share/applications/networkmanager_dmenu.desktop"; fs."WiFi".symlink.target = ".local/share/applications/networkmanager_dmenu.desktop";
fs."close".symlink.target = ".local/share/applications/close.desktop"; #< provide an escape from the file browser fs."close".symlink.target = ".local/share/applications/close.desktop"; #< provide an escape from the file browser
persist.byStore.cryptClearOnBoot = [ persist.byStore.ephemeral = [
# this gets us a few things: # this gets us a few things:
# - file browser remembers its last directory # - file browser remembers its last directory
# - caching of .desktop files (perf) # - caching of .desktop files (perf)


@@ -12,7 +12,7 @@
sandbox.net = "clearnet"; # tor over VPN wouldn't make sense sandbox.net = "clearnet"; # tor over VPN wouldn't make sense
sandbox.whitelistAudio = true; sandbox.whitelistAudio = true;
sandbox.whitelistWayland = true; sandbox.whitelistWayland = true;
persist.byStore.cryptClearOnBoot = [ persist.byStore.ephemeral = [
".local/share/tor-browser" ".local/share/tor-browser"
]; ];
}; };


@@ -24,7 +24,7 @@
# wike probably meant to put everything here in a subdir, but didn't. # wike probably meant to put everything here in a subdir, but didn't.
# see: <https://github.com/hugolabe/Wike/issues/176> # see: <https://github.com/hugolabe/Wike/issues/176>
persist.byStore.cryptClearOnBoot = [ persist.byStore.ephemeral = [
".cache/webkitgtk" ".cache/webkitgtk"
".local/share/webkitgtk" ".local/share/webkitgtk"
]; ];


@@ -6,7 +6,7 @@
# could build with `supportFlags.netapiSupport = false` to use `full` but without samba. # could build with `supportFlags.netapiSupport = false` to use `full` but without samba.
packageUnwrapped = pkgs.winePackages.base; packageUnwrapped = pkgs.winePackages.base;
# no need for the cryptographic nature, just needs to not use loads of / tmpfs. # no need for the cryptographic nature, just needs to not use loads of / tmpfs.
persist.byStore.cryptClearOnBoot = [ ".wine" ]; persist.byStore.ephemeral = [ ".wine" ];
persist.byStore.plaintext = [ persist.byStore.plaintext = [
# Power Bomberman: <https://www.bombermanboard.com/viewtopic.php?t=1925> # Power Bomberman: <https://www.bombermanboard.com/viewtopic.php?t=1925>
".wine/drive_c/users/colin/AppData/pb" ".wine/drive_c/users/colin/AppData/pb"


@@ -1,6 +1,6 @@
{ config, ... }: { config, ... }:
{ {
sane.persist.sys.byStore.cryptClearOnBoot = [ sane.persist.sys.byStore.ephemeral = [
# when running commands as root, some things may create ~/.cache entries. # when running commands as root, some things may create ~/.cache entries.
# notably: # notably:
# - `/root/.cache/nix/` takes up ~10 MB on lappy/desko/servo # - `/root/.cache/nix/` takes up ~10 MB on lappy/desko/servo


@@ -15,7 +15,7 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
# we need this mostly because of the size of duplicity's cache # we need this mostly because of the size of duplicity's cache
sane.persist.sys.byStore.cryptClearOnBoot = [{ sane.persist.sys.byStore.ephemeral = [{
path = "/var/lib/duplicity"; path = "/var/lib/duplicity";
user = "root"; user = "root";
group = "root"; group = "root";


@@ -2,7 +2,7 @@
{ {
imports = [ imports = [
./crypt.nix ./ephemeral.nix
./initrd.nix ./initrd.nix
./plaintext.nix ./plaintext.nix
./private.nix ./private.nix


@@ -2,8 +2,8 @@
let let
persist-base = "/nix/persist"; persist-base = "/nix/persist";
origin = config.sane.persist.stores."cryptClearOnBoot".origin; origin = config.sane.persist.stores."ephemeral".origin;
backing = sane-lib.path.concat [ persist-base "crypt/clearedonboot" ]; backing = sane-lib.path.concat [ persist-base "ephemeral" ];
gocryptfs-ephemeral = pkgs.writeShellApplication { gocryptfs-ephemeral = pkgs.writeShellApplication {
name = "mount.fuse.gocryptfs-ephemeral"; name = "mount.fuse.gocryptfs-ephemeral";
@@ -31,12 +31,12 @@ let
in in
lib.mkIf config.sane.persist.enable lib.mkIf config.sane.persist.enable
{ {
sane.persist.stores."cryptClearOnBoot" = { sane.persist.stores."ephemeral" = {
storeDescription = '' storeDescription = ''
stored to disk, but encrypted to an in-memory key and cleared on every boot stored to disk, but encrypted to an in-memory key and cleared on every boot
so that it's unreadable after power-off so that it's unreadable after power-off
''; '';
origin = lib.mkDefault "/mnt/persist/crypt/clearedonboot"; origin = lib.mkDefault "/mnt/persist/ephemeral";
}; };
fileSystems."${origin}" = { fileSystems."${origin}" = {