persist: rename "cryptClearOnBoot" to "ephemeral"

2024-07-24 15:13:48 +00:00
parent cf8e9f798d
commit 874b7aecfa
14 changed files with 21 additions and 21 deletions
--- a/hosts/common/home/fs.nix
+++ b/hosts/common/home/fs.nix
@@ -36,7 +36,7 @@
  in {
    ".persist/private" = lib.mkIf persistEnabled { symlink.target = config.sane.persist.stores.private.origin; };
    ".persist/plaintext" = lib.mkIf persistEnabled { symlink.target = config.sane.persist.stores.plaintext.origin; };
-    ".persist/ephemeral" = lib.mkIf persistEnabled { symlink.target = config.sane.persist.stores.cryptClearOnBoot.origin; };
+    ".persist/ephemeral" = lib.mkIf persistEnabled { symlink.target = config.sane.persist.stores.ephemeral.origin; };

    "nixos".symlink.target = "dev/nixos";

--- a/hosts/common/persist.nix
+++ b/hosts/common/persist.nix
@@ -11,7 +11,7 @@
    # TODO: these should be private.. somehow
    "/var/backup"  # for e.g. postgres dumps
  ];
-  sane.persist.sys.byStore.cryptClearOnBoot = [
+  sane.persist.sys.byStore.ephemeral = [
    "/var/lib/systemd/coredump"
  ];
 }
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -519,7 +519,7 @@ in
    electrum.sandbox.method = "bwrap";  # TODO:sandbox: untested
    electrum.sandbox.net = "all";  # TODO: probably want to make this run behind a VPN, always
    electrum.sandbox.whitelistWayland = true;
-    electrum.persist.byStore.cryptClearOnBoot = [ ".electrum" ];  #< TODO: use XDG dirs!
+    electrum.persist.byStore.ephemeral = [ ".electrum" ];  #< TODO: use XDG dirs!

    endless-sky.buildCost = 1;
    endless-sky.persist.byStore.plaintext = [ ".local/share/endless-sky" ];
@@ -685,7 +685,7 @@ in
      "Pictures/Screenshots"
      "Pictures/servo-macros"
    ];
-    gnome-frog.persist.byStore.cryptClearOnBoot = [
+    gnome-frog.persist.byStore.ephemeral = [
      ".local/share/tessdata"  # 15M; dunno what all it is.
    ];

@@ -899,7 +899,7 @@ in
    nixpkgs-review.sandbox.extraPaths = [
      "/nix"
    ];
-    nixpkgs-review.persist.byStore.cryptClearOnBoot = [
+    nixpkgs-review.persist.byStore.ephemeral = [
      ".cache/nixpkgs-review"  #< help it not exhaust / tmpfs
    ];

--- a/hosts/common/programs/brave.nix
+++ b/hosts/common/programs/brave.nix
@@ -21,7 +21,7 @@
    sandbox.whitelistDri = true;
    sandbox.whitelistWayland = true;

-    persist.byStore.cryptClearOnBoot = [
+    persist.byStore.ephemeral = [
      ".cache/BraveSoftware"
      ".config/BraveSoftware"
    ];
--- a/hosts/common/programs/firefox.nix
+++ b/hosts/common/programs/firefox.nix
@@ -160,7 +160,7 @@ let
      persistCache = mkOption {
        description = "optional store name to which persist browser cache";
        type = types.nullOr types.str;
-        default = "cryptClearOnBoot";
+        default = "ephemeral";
      };
      addons = mkOption {
        type = types.attrsOf addonOpts;
@@ -372,14 +372,14 @@ in
          if (cfg.persistData != null) then
            cfg.persistData
          else
-            "cryptClearOnBoot"
+            "ephemeral"
        ;

        persist.byPath."${cfg.browser.dotDir}/default".store =
          if (cfg.persistData != null) then
            cfg.persistData
          else
-            "cryptClearOnBoot"
+            "ephemeral"
        ;
      };

--- a/hosts/common/programs/komikku.nix
+++ b/hosts/common/programs/komikku.nix
@@ -24,7 +24,7 @@
      # also writes to ~/.cache/komikku
      ".local/share/komikku"
    ];
-    persist.byStore.cryptClearOnBoot = [
+    persist.byStore.ephemeral = [
      ".cache/komikku"
    ];
  };
--- a/hosts/common/programs/rofi/default.nix
+++ b/hosts/common/programs/rofi/default.nix
@@ -125,7 +125,7 @@ in
    fs."Apps".symlink.target = ".local/share/applications/rofi-applications.desktop";
    fs."WiFi".symlink.target = ".local/share/applications/networkmanager_dmenu.desktop";
    fs."close".symlink.target = ".local/share/applications/close.desktop";  #< provide an escape from the file browser
-    persist.byStore.cryptClearOnBoot = [
+    persist.byStore.ephemeral = [
      # this gets us a few things:
      # - file browser remembers its last directory
      # - caching of .desktop files (perf)
--- a/hosts/common/programs/tor-browser.nix
+++ b/hosts/common/programs/tor-browser.nix
@@ -12,7 +12,7 @@
    sandbox.net = "clearnet";  # tor over VPN wouldn't make sense
    sandbox.whitelistAudio = true;
    sandbox.whitelistWayland = true;
-    persist.byStore.cryptClearOnBoot = [
+    persist.byStore.ephemeral = [
      ".local/share/tor-browser"
    ];
  };
--- a/hosts/common/programs/wike.nix
+++ b/hosts/common/programs/wike.nix
@@ -24,7 +24,7 @@

    # wike probably meant to put everything here in a subdir, but didn't.
    # see: <https://github.com/hugolabe/Wike/issues/176>
-    persist.byStore.cryptClearOnBoot = [
+    persist.byStore.ephemeral = [
      ".cache/webkitgtk"
      ".local/share/webkitgtk"
    ];
--- a/hosts/common/programs/wine.nix
+++ b/hosts/common/programs/wine.nix
@@ -6,7 +6,7 @@
    # could build with `supportFlags.netapiSupport = false` to use `full` but without samba.
    packageUnwrapped = pkgs.winePackages.base;
    # no need for the cryptographic nature, just needs to not use loads of / tmpfs.
-    persist.byStore.cryptClearOnBoot = [ ".wine" ];
+    persist.byStore.ephemeral = [ ".wine" ];
    persist.byStore.plaintext = [
      # Power Bomberman: <https://www.bombermanboard.com/viewtopic.php?t=1925>
      ".wine/drive_c/users/colin/AppData/pb"
--- a/hosts/common/users/root.nix
+++ b/hosts/common/users/root.nix
@@ -1,6 +1,6 @@
 { config, ... }:
 {
-  sane.persist.sys.byStore.cryptClearOnBoot = [
+  sane.persist.sys.byStore.ephemeral = [
    # when running commands as root, some things may create ~/.cache entries.
    # notably:
    # - `/root/.cache/nix/` takes up ~10 MB on lappy/desko/servo
--- a/hosts/modules/services/duplicity.nix
+++ b/hosts/modules/services/duplicity.nix
@@ -15,7 +15,7 @@ in

  config = mkIf cfg.enable {
    # we need this mostly because of the size of duplicity's cache
-    sane.persist.sys.byStore.cryptClearOnBoot = [{
+    sane.persist.sys.byStore.ephemeral = [{
      path = "/var/lib/duplicity";
      user = "root";
      group = "root";
--- a/modules/persist/stores/default.nix
+++ b/modules/persist/stores/default.nix
@@ -2,7 +2,7 @@

 {
  imports = [
-    ./crypt.nix
+    ./ephemeral.nix
    ./initrd.nix
    ./plaintext.nix
    ./private.nix
--- a/modules/persist/stores/ephemeral.nix
+++ b/modules/persist/stores/ephemeral.nix
@@ -2,8 +2,8 @@

 let
  persist-base = "/nix/persist";
-  origin = config.sane.persist.stores."cryptClearOnBoot".origin;
-  backing = sane-lib.path.concat [ persist-base "crypt/clearedonboot" ];
+  origin = config.sane.persist.stores."ephemeral".origin;
+  backing = sane-lib.path.concat [ persist-base "ephemeral" ];

  gocryptfs-ephemeral = pkgs.writeShellApplication {
    name = "mount.fuse.gocryptfs-ephemeral";
@@ -31,12 +31,12 @@ let
 in
 lib.mkIf config.sane.persist.enable
 {
-  sane.persist.stores."cryptClearOnBoot" = {
+  sane.persist.stores."ephemeral" = {
    storeDescription = ''
      stored to disk, but encrypted to an in-memory key and cleared on every boot
      so that it's unreadable after power-off
    '';
-    origin = lib.mkDefault "/mnt/persist/crypt/clearedonboot";
+    origin = lib.mkDefault "/mnt/persist/ephemeral";
  };

  fileSystems."${origin}" = {