From 98b542332b2f90af8560a20da097c92f1b5baced Mon Sep 17 00:00:00 2001
From: Colin
Date: Tue, 31 Jan 2023 03:36:15 +0000
Subject: [PATCH] persist: crypt store: make paths overridable
---
 modules/persist/stores/crypt.nix | 35 ++++++++++++++------------------
 1 file changed, 15 insertions(+), 20 deletions(-)
diff --git a/modules/persist/stores/crypt.nix b/modules/persist/stores/crypt.nix
index fac7876e..64b05fb3 100644
--- a/modules/persist/stores/crypt.nix
+++ b/modules/persist/stores/crypt.nix
@@ -1,14 +1,9 @@
 { config, lib, pkgs, utils, ... }:
 let
-  store = rec {
-    device = "/mnt/persist/crypt/clearedonboot";
-    underlying = {
-      path = "/nix/persist/crypt/clearedonboot";
-      # TODO: consider moving this to /tmp, but that requires tmp be mounted first?
-      key = "/mnt/persist/crypt/clearedonboot.key";
-    };
-  };
+  device = config.sane.persist.stores."cryptClearOnBoot".origin;
+  key = "${device}.key";
+  underlying = "/nix/persist/crypt/clearedonboot";
 in
 lib.mkIf config.sane.persist.enable {
@@ -17,35 +12,35 @@ lib.mkIf config.sane.persist.enable
       stored to disk, but encrypted to an in-memory key and cleared on every boot so that it's unreadable after power-off
     '';
-    origin = store.device;
+    origin = lib.mkDefault "/mnt/persist/crypt/clearedonboot";
   };
-  fileSystems."${store.device}" = {
-    device = store.underlying.path;
+  fileSystems."${device}" = {
+    device = underlying;
     fsType = "fuse.gocryptfs";
     options = [
       "nodev"
       "nosuid"
       "allow_other"
-      "passfile=${store.underlying.key}"
+      "passfile=${key}"
       "defaults"
     ];
     noCheck = true;
   };
   # let sane.fs know about our fileSystem and automatically add the appropriate dependencies
-  sane.fs."${store.device}".mount = {
+  sane.fs."${device}".mount = {
     # technically the dependency on the keyfile is extraneous because that *happens* to
     # be needed to init the store.
     depends = let
-      cryptfile = config.sane.fs."${store.underlying.path}/gocryptfs.conf";
-      keyfile = config.sane.fs."${store.underlying.key}";
+      cryptfile = config.sane.fs."${underlying}/gocryptfs.conf";
+      keyfile = config.sane.fs."${key}";
     in [ keyfile.unit cryptfile.unit ];
   };
   # let sane.fs know how to initialize the gocryptfs store,
   # and that it MUST do so
-  sane.fs."${store.underlying.path}/gocryptfs.conf".generated = {
+  sane.fs."${underlying}/gocryptfs.conf".generated = {
     script.script = ''
       backing="$1"
       passfile="$2"
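Review bot: Making `origin` overridable with `lib.mkDefault` also moves the gocryptfs passphrase, because the first hunk defines `key = "${device}.key"` from that same origin, so a user who points the mount at persistent storage silently puts the key on persistent storage too and the `encrypted to an in-memory key and cleared on every boot` description kept as context in this hunk stops being true. The `# TODO: consider moving this to /tmp` remark that the first hunk deletes was the only place that caveat lived, and nothing replaces it. I would give the key its own fixed location (or its own option) instead of deriving it from the mount point, or at minimum keep the caveat next to the option: `# NOTE: the passphrase is written to "${origin}.key"; an override must keep that path on tmpfs, or the store is no longer cleared on boot`. The `sane.persist.stores."cryptClearOnBoot"` attribute set this `origin` belongs to starts above the hunk, and the generated-script body the hunk ends in continues below it.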
@@ -54,17 +49,17 @@ lib.mkIf config.sane.persist.enable
       rm -rf "''${backing:?}"/*
       ${pkgs.gocryptfs}/bin/gocryptfs -quiet -passfile "$passfile" -init "$backing"
     '';
-    script.scriptArgs = [ store.underlying.path store.underlying.key ];
+    script.scriptArgs = [ underlying key ];
     # we need the key in order to initialize the store
-    depends = [ config.sane.fs."${store.underlying.key}".unit ];
+    depends = [ config.sane.fs."${key}".unit ];
   };
   # let sane.fs know how to generate the key for gocryptfs
-  sane.fs."${store.underlying.key}".generated = {
+  sane.fs."${key}".generated = {
     script.script = ''
       dd if=/dev/random bs=128 count=1 | base64 --wrap=0 > "$1"
     '';
-    script.scriptArgs = [ store.underlying.key ];
+    script.scriptArgs = [ key ];
     # no need for anyone else to be able to read the key
     acl.mode = "0400";
   };
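Review bot: The key generator that this hunk now wires in as `sane.fs."${key}".generated` uses `dd if=/dev/random bs=128 count=1`, which can return fewer than 128 bytes on a short read() (older kernels, or an interrupted read), and no pipefail is visible in the hunk, so the unit can succeed with a short or empty passphrase that `passfile=${key}` will then use unquestioningly. `head -c 128 /dev/random | base64 --wrap=0 > "$1"` (or `dd if=/dev/random bs=128 count=1 iflag=fullblock`) removes the short-read case, and a `umask 077` before the redirection keeps the file from being created world-readable in the window before `acl.mode = "0400"` is applied — when that mode is applied relative to the script is not visible here. The `sane.fs."${underlying}/gocryptfs.conf".generated` block the hunk opens in starts above the hunk.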