colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

declare ~/private in fileSystems and reuse for pamMount

Browse Source
This commit is contained in:
colin 2023-01-02 11:34:02 +00:00
parent 54dd643cf0
commit 875e923197
2 changed files with 45 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
hosts/common/users.nix
View File

@ -54,33 +54,22 @@ in
shell = pkgs.zsh;
openssh.authorizedKeys.keys = builtins.attrValues (import ../../modules/pubkeys.nix).users;
# mount encrypted stuff at login
# some other nix pam users:
# - <https://github.com/g00pix/nixconf/blob/32c04f6fa843fed97639dd3f09e157668d3eea1f/profiles/sshfs.nix>
# - <https://github.com/lourkeur/distro/blob/11173454c6bb50f7ccab28cc2c757dca21446d1d/nixos/profiles/users/louis-full.nix>
# - <https://github.com/dnr/sample-nix-code/blob/03494480c1fae550c033aa54fd96aeb3827761c5/nixos/laptop.nix>
pamMount = {
# mount encrypted stuff at login
# requires that login password == fs encryption password
fstype = "fuse";
path = "gocryptfs#/nix/persist/home/colin/private";
# path = "${pkgs.gocryptfs}/bin/gocryptfs#/nix/persist/home/colin/private";
# fstype = "fuse.gocryptfs";
# path = "/nix/persist/home/colin/private";
mountpoint = "/home/colin/private";
# without allow_other, *root* isn't allowed to list anything in ~/private.
# which is weird (root can just `su colin`), but probably doesn't *hurt* anything -- right?
options="nodev,nosuid,quiet"; # allow_other
pamMount = let
priv = config.fileSystems."/home/colin/private";
in {
fstype = priv.fsType;
path = priv.device;
mountpoint = priv.mountPoint;
options = builtins.concatStringsSep "," priv.options;
};
};
# required for PAM to find gocryptfs
security.pam.mount.additionalSearchPaths = [ pkgs.gocryptfs ];
security.pam.mount.enable = true;
# security.pam.mount.debugLevel = 1;
# security.pam.enableSSHAgentAuth = true; # ??
# needed for `allow_other` in e.g. gocryptfs mounts
# or i guess going through mount.fuse sets suid so that's not necessary?
# programs.fuse.userAllowOther = true;
sane.impermanence.home-dirs = [
# cache is probably too big to fit on the tmpfs

38
modules/impermanence/crypt.nix
View File

@ -29,6 +29,7 @@ let
fi
'';
};
private-mount-unit = ''${utils.escapeSystemdPath "/home/colin/private"}.mount'';
in lib.mkIf config.sane.impermanence.enable
{
systemd.services."prepareEncryptedClearedOnBoot" = rec {
@ -69,14 +70,49 @@ in lib.mkIf config.sane.impermanence.enable
sane.fs."${store.device}" = {
# ensure the fs is mounted only after the mountpoint directory is created
dir.reverseDepends = [ store.mount-unit ];
# HACK: this fs entry is provided by our mount service.
# HACK: this fs entry is provided by our mount unit.
unit = store.mount-unit;
};
sane.fs."${store.underlying.path}" = {
# don't mount until after the backing dir is setup correctly.
# TODO: this isn't necessary? the mount-unit already depends on prepareEncryptedClearOnBoot
# which depends on the underlying path?
dir.reverseDepends = [ store.mount-unit ];
};
fileSystems."/home/colin/private" = {
device = "/nix/persist/home/colin/private";
fsType = "fuse.gocryptfs";
options = [
"noauto" # don't try to mount, until the user logs in!
"allow_other" # root ends up being the user that mounts this, so need to make it visible to `colin`.
"nodev"
"nosuid"
"quiet"
"defaults"
];
noCheck = true;
};
sane.fs."/home/colin/private" = {
dir.reverseDepends = [
# mounting relies on the mountpoint first being created.
private-mount-unit
# ensure the directory is created during boot, and before user logs in.
"multi-user.target"
];
# HACK: this fs entry is provided by the mount unit.
unit = private-mount-unit;
};
sane.fs."/nix/persist/home/colin/private" = {
dir.reverseDepends = [
# the mount unit relies on the source having first been created.
# (it also relies on the cryptfs having been seeded -- which we can't verify here).
private-mount-unit
# ensure the directory is created during boot, and before user logs in.
"multi-user.target"
];
};
# TODO: could add this *specifically* to the .mount file for the encrypted fs?
environment.systemPackages = [ pkgs.gocryptfs ]; # fuse needs to find gocryptfs
}