declare ~/private in fileSystems and reuse for pamMount
This commit is contained in:
parent
54dd643cf0
commit
875e923197
@ -54,33 +54,22 @@ in
|
|||
shell = pkgs.zsh;
|
||||
openssh.authorizedKeys.keys = builtins.attrValues (import ../../modules/pubkeys.nix).users;
|
||||
|
||||
# mount encrypted stuff at login
|
||||
# some other nix pam users:
|
||||
# - <https://github.com/g00pix/nixconf/blob/32c04f6fa843fed97639dd3f09e157668d3eea1f/profiles/sshfs.nix>
|
||||
# - <https://github.com/lourkeur/distro/blob/11173454c6bb50f7ccab28cc2c757dca21446d1d/nixos/profiles/users/louis-full.nix>
|
||||
# - <https://github.com/dnr/sample-nix-code/blob/03494480c1fae550c033aa54fd96aeb3827761c5/nixos/laptop.nix>
|
||||
pamMount = {
|
||||
# mount encrypted stuff at login
|
||||
# requires that login password == fs encryption password
|
||||
fstype = "fuse";
|
||||
path = "gocryptfs#/nix/persist/home/colin/private";
|
||||
# path = "${pkgs.gocryptfs}/bin/gocryptfs#/nix/persist/home/colin/private";
|
||||
# fstype = "fuse.gocryptfs";
|
||||
# path = "/nix/persist/home/colin/private";
|
||||
mountpoint = "/home/colin/private";
|
||||
# without allow_other, *root* isn't allowed to list anything in ~/private.
|
||||
# which is weird (root can just `su colin`), but probably doesn't *hurt* anything -- right?
|
||||
options="nodev,nosuid,quiet"; # allow_other
|
||||
pamMount = let
|
||||
priv = config.fileSystems."/home/colin/private";
|
||||
in {
|
||||
fstype = priv.fsType;
|
||||
path = priv.device;
|
||||
mountpoint = priv.mountPoint;
|
||||
options = builtins.concatStringsSep "," priv.options;
|
||||
};
|
||||
};
|
||||
|
||||
# required for PAM to find gocryptfs
|
||||
security.pam.mount.additionalSearchPaths = [ pkgs.gocryptfs ];
|
||||
security.pam.mount.enable = true;
|
||||
# security.pam.mount.debugLevel = 1;
|
||||
# security.pam.enableSSHAgentAuth = true; # ??
|
||||
# needed for `allow_other` in e.g. gocryptfs mounts
|
||||
# or i guess going through mount.fuse sets suid so that's not necessary?
|
||||
# programs.fuse.userAllowOther = true;
|
||||
|
||||
sane.impermanence.home-dirs = [
|
||||
# cache is probably too big to fit on the tmpfs
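Review bot: The rewritten `pamMount = let … in { … }` block drops the one comment that states the setup's real operational constraint, `# requires that login password == fs encryption password`, and carries no explanation of its own, so the next reader has to rediscover why pam_mount can unlock this volume at all. Suggest restoring that line above `pamMount = let`. Since `options = builtins.concatStringsSep "," priv.options` now forwards the whole `fileSystems` option list, fstab-oriented flags such as `noauto`/`defaults` also reach mount.fuse and gocryptfs, which the old hand-written `nodev,nosuid,quiet` string did not; worth a comment like `# options are shared with fileSystems; fstab-only flags (noauto, defaults) are forwarded to the mount helper -- verify gocryptfs tolerates them` and a quick check that a login still mounts. The enclosing user attribute set starts before this hunk.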
|
||||
@ -29,6 +29,7 @@ let
|
|||
fi
|
||||
'';
|
||||
};
|
||||
private-mount-unit = ''${utils.escapeSystemdPath "/home/colin/private"}.mount'';
|
||||
in lib.mkIf config.sane.impermanence.enable
|
||||
{
|
||||
systemd.services."prepareEncryptedClearedOnBoot" = rec {
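Review bot: The literal `"/home/colin/private"` inside the new `private-mount-unit` binding is the same path that is spelled out again as the `fileSystems`, `sane.fs` and pam_mount keys elsewhere in this commit, so the unit name and the mount it is meant to order against can silently drift apart on a rename. A small style fix is to bind the path once in this `let` and derive the unit from it, e.g. `private-path = "/home/colin/private";` and `private-mount-unit = ''${utils.escapeSystemdPath private-path}.mount'';`, then use `private-path` for the attribute keys. The `let` block this binding lives in starts before the hunk.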
|
||||
@ -69,14 +70,49 @@ in lib.mkIf config.sane.impermanence.enable
|
|||
sane.fs."${store.device}" = {
|
||||
# ensure the fs is mounted only after the mountpoint directory is created
|
||||
dir.reverseDepends = [ store.mount-unit ];
|
||||
# HACK: this fs entry is provided by our mount service.
|
||||
# HACK: this fs entry is provided by our mount unit.
|
||||
unit = store.mount-unit;
|
||||
};
|
||||
sane.fs."${store.underlying.path}" = {
|
||||
# don't mount until after the backing dir is setup correctly.
|
||||
# TODO: this isn't necessary? the mount-unit already depends on prepareEncryptedClearOnBoot
|
||||
# which depends on the underlying path?
|
||||
dir.reverseDepends = [ store.mount-unit ];
|
||||
};
|
||||
|
||||
fileSystems."/home/colin/private" = {
|
||||
device = "/nix/persist/home/colin/private";
|
||||
fsType = "fuse.gocryptfs";
|
||||
options = [
|
||||
"noauto" # don't try to mount, until the user logs in!
|
||||
"allow_other" # root ends up being the user that mounts this, so need to make it visible to `colin`.
|
||||
"nodev"
|
||||
"nosuid"
|
||||
"quiet"
|
||||
"defaults"
|
||||
];
|
||||
noCheck = true;
|
||||
};
|
||||
sane.fs."/home/colin/private" = {
|
||||
dir.reverseDepends = [
|
||||
# mounting relies on the mountpoint first being created.
|
||||
private-mount-unit
|
||||
# ensure the directory is created during boot, and before user logs in.
|
||||
"multi-user.target"
|
||||
];
|
||||
# HACK: this fs entry is provided by the mount unit.
|
||||
unit = private-mount-unit;
|
||||
};
|
||||
sane.fs."/nix/persist/home/colin/private" = {
|
||||
dir.reverseDepends = [
|
||||
# the mount unit relies on the source having first been created.
|
||||
# (it also relies on the cryptfs having been seeded -- which we can't verify here).
|
||||
private-mount-unit
|
||||
# ensure the directory is created during boot, and before user logs in.
|
||||
"multi-user.target"
|
||||
];
|
||||
};
|
||||
|
||||
# TODO: could add this *specifically* to the .mount file for the encrypted fs?
|
||||
environment.systemPackages = [ pkgs.gocryptfs ]; # fuse needs to find gocryptfs
|
||||
}
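Review bot: `"allow_other"` in the option list of `fileSystems."/home/colin/private"` makes the decrypted tree reachable by every local user, not only `colin`, yet the comment next to it only says it is needed "to make it visible to `colin`". Whether other users are then actually refused depends on the kernel enforcing the permission bits of the plaintext directories (FUSE `default_permissions`; gocryptfs adds this itself as far as I recall, but nothing in this hunk shows it) and on the mountpoint and the persisted ciphertext dir `/nix/persist/home/colin/private` being mode 0700 -- and the `sane.fs` entries added here declare only ordering (`dir.reverseDepends`), not a mode. Suggest either setting `default_permissions` explicitly in the option list or documenting the dependency, and extending the comment to `# allow_other: pam_mount mounts as root, so colin needs this to see the tree -- but it also lets every other user traverse it; access then rests on 0700 dir perms + kernel permission checks`. The comment at `# (it also relies on the cryptfs having been seeded -- which we can't verify here)` is also worth a sentence on what a login looks like when the seed is missing, since the `quiet` flag may hide the mount failure.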
|
||||