From 875e923197169da33339083f698ba1616b04ef04 Mon Sep 17 00:00:00 2001
From: colin
Date: Mon, 2 Jan 2023 11:34:02 +0000
Subject: [PATCH] declare ~/private in fileSystems and reuse for pamMount

---
 hosts/common/users.nix | 27 +++++++----------------
 modules/impermanence/crypt.nix | 38 +++++++++++++++++++++++++++++++++-
 2 files changed, 45 insertions(+), 20 deletions(-)

diff --git a/hosts/common/users.nix b/hosts/common/users.nix
index bdf76ea7..8195f4e7 100644
--- a/hosts/common/users.nix
+++ b/hosts/common/users.nix
@@ -54,33 +54,22 @@ in
 shell = pkgs.zsh;
 openssh.authorizedKeys.keys = builtins.attrValues (import ../../modules/pubkeys.nix).users;
+# mount encrypted stuff at login
 # some other nix pam users:
 # -
 # -
 # -
-pamMount = {
-# mount encrypted stuff at login
-# requires that login password == fs encryption password
-fstype = "fuse";
-path = "gocryptfs#/nix/persist/home/colin/private";
-# path = "${pkgs.gocryptfs}/bin/gocryptfs#/nix/persist/home/colin/private";
-# fstype = "fuse.gocryptfs";
-# path = "/nix/persist/home/colin/private";
-mountpoint = "/home/colin/private";
-# without allow_other, *root* isn't allowed to list anything in ~/private.
-# which is weird (root can just `su colin`), but probably doesn't *hurt* anything -- right?
-options="nodev,nosuid,quiet"; # allow_other
+pamMount = let
+priv = config.fileSystems."/home/colin/private";
+in {
+fstype = priv.fsType;
+path = priv.device;
+mountpoint = priv.mountPoint;
+options = builtins.concatStringsSep "," priv.options;
 };
 };
-# required for PAM to find gocryptfs
-security.pam.mount.additionalSearchPaths = [ pkgs.gocryptfs ];
 security.pam.mount.enable = true;
-# security.pam.mount.debugLevel = 1;
-# security.pam.enableSSHAgentAuth = true; # ??
-# needed for `allow_other` in e.g. gocryptfs mounts
-# or i guess going through mount.fuse sets suid so that's not necessary?
-# programs.fuse.userAllowOther = true;
 sane.impermanence.home-dirs = [
 # cache is probably too big to fit on the tmpfs
diff --git a/modules/impermanence/crypt.nix b/modules/impermanence/crypt.nix
index 424241a3..c2ffae1c 100644
--- a/modules/impermanence/crypt.nix
+++ b/modules/impermanence/crypt.nix
@@ -29,6 +29,7 @@ let
 fi
 '';
 };
+private-mount-unit = ''${utils.escapeSystemdPath "/home/colin/private"}.mount'';
 in lib.mkIf config.sane.impermanence.enable
 {
 systemd.services."prepareEncryptedClearedOnBoot" = rec {
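Review bot: `options = builtins.concatStringsSep "," priv.options;` hands pam_mount the whole `fileSystems` option list, which now carries the fstab-only words `noauto` and `defaults` next to `allow_other`; mount.fuse forwards `-o` options to the gocryptfs binary, so confirm it tolerates those two rather than refusing the mount at login. The removed line `# requires that login password == fs encryption password` documented a real coupling (changing either password alone breaks login-time mounting) that the rewritten `pamMount` no longer mentions; it belongs back above `pamMount = let`. The commit also drops `security.pam.mount.additionalSearchPaths = [ pkgs.gocryptfs ];` and appears to rely on `environment.systemPackages` in crypt.nix instead; whether the PATH pam_mount sees during login includes that is not visible here, so a one-line comment on `security.pam.mount.enable = true;` saying where gocryptfs is expected to be found would save the next reader a debugging session.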
@@ -69,14 +70,49 @@ in lib.mkIf config.sane.impermanence.enable
 sane.fs."${store.device}" = {
 # ensure the fs is mounted only after the mountpoint directory is created
 dir.reverseDepends = [ store.mount-unit ];
-# HACK: this fs entry is provided by our mount service.
+# HACK: this fs entry is provided by our mount unit.
 unit = store.mount-unit;
 };
 sane.fs."${store.underlying.path}" = {
 # don't mount until after the backing dir is setup correctly.
+# TODO: this isn't necessary? the mount-unit already depends on prepareEncryptedClearOnBoot
+# which depends on the underlying path?
 dir.reverseDepends = [ store.mount-unit ];
 };
+fileSystems."/home/colin/private" = {
+device = "/nix/persist/home/colin/private";
+fsType = "fuse.gocryptfs";
+options = [
+"noauto" # don't try to mount, until the user logs in!
+"allow_other" # root ends up being the user that mounts this, so need to make it visible to `colin`.
+"nodev"
+"nosuid"
+"quiet"
+"defaults"
+];
+noCheck = true;
+};
+sane.fs."/home/colin/private" = {
+dir.reverseDepends = [
+# mounting relies on the mountpoint first being created.
+private-mount-unit
+# ensure the directory is created during boot, and before user logs in.
+"multi-user.target"
+];
+# HACK: this fs entry is provided by the mount unit.
+unit = private-mount-unit;
+};
+sane.fs."/nix/persist/home/colin/private" = {
+dir.reverseDepends = [
+# the mount unit relies on the source having first been created.
+# (it also relies on the cryptfs having been seeded -- which we can't verify here).
+private-mount-unit
+# ensure the directory is created during boot, and before user logs in.
+"multi-user.target"
+];
+};
+# TODO: could add this *specifically* to the .mount file for the encrypted fs?
 environment.systemPackages = [ pkgs.gocryptfs ]; # fuse needs to find gocryptfs
 }
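Review bot: The comment on `"allow_other"` understates the option: it makes the decrypted view reachable by every local user, not only `colin`, so access then rests on the permission bits gocryptfs reports for the decrypted files; suggest `# root mounts this via pam_mount, so allow_other is needed for colin to see it; it also exposes the mount to all users, gated only by the files' own modes`. Because `"noauto"` defers mounting to login while `sane.fs."/home/colin/private"` pre-creates the mountpoint at boot, a pam_mount failure (wrong password, or the unseeded backing dir that the comment in the `/nix/persist` entry already admits cannot be checked) presumably leaves an ordinary writable directory at the same path, and anything written there is stored in plaintext and silently lost when the mount later succeeds; consider creating the mountpoint with a mode `colin` cannot write to, if `sane.fs` exposes one, so a missing mount fails closed, or at least state this risk in the comment on that entry. `"defaults"` listed after `"nodev"`/`"nosuid"` adds nothing useful and reads as if it might re-enable them; drop it or comment why it is there, and `noexec` is worth weighing for a data-only store.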