persist: crypt store: make paths overridable

Colin 2023-01-31 03:36:15 +00:00
parent 70b62e9f76
commit 98b542332b


@ -1,14 +1,9 @@
{ config, lib, pkgs, utils, ... }: { config, lib, pkgs, utils, ... }:
let let
store = rec { device = config.sane.persist.stores."cryptClearOnBoot".origin;
device = "/mnt/persist/crypt/clearedonboot"; key = "${device}.key";
underlying = { underlying = "/nix/persist/crypt/clearedonboot";
path = "/nix/persist/crypt/clearedonboot";
# TODO: consider moving this to /tmp, but that requires tmp be mounted first?
key = "/mnt/persist/crypt/clearedonboot.key";
};
};
in in
lib.mkIf config.sane.persist.enable lib.mkIf config.sane.persist.enable
{ {
@ -17,35 +12,35 @@ lib.mkIf config.sane.persist.enable
stored to disk, but encrypted to an in-memory key and cleared on every boot stored to disk, but encrypted to an in-memory key and cleared on every boot
so that it's unreadable after power-off so that it's unreadable after power-off
''; '';
origin = store.device; origin = lib.mkDefault "/mnt/persist/crypt/clearedonboot";
}; };
fileSystems."${store.device}" = { fileSystems."${device}" = {
device = store.underlying.path; device = underlying;
fsType = "fuse.gocryptfs"; fsType = "fuse.gocryptfs";
options = [ options = [
"nodev" "nodev"
"nosuid" "nosuid"
"allow_other" "allow_other"
"passfile=${store.underlying.key}" "passfile=${key}"
"defaults" "defaults"
]; ];
noCheck = true; noCheck = true;
}; };
# let sane.fs know about our fileSystem and automatically add the appropriate dependencies # let sane.fs know about our fileSystem and automatically add the appropriate dependencies
sane.fs."${store.device}".mount = { sane.fs."${device}".mount = {
# technically the dependency on the keyfile is extraneous because that *happens* to # technically the dependency on the keyfile is extraneous because that *happens* to
# be needed to init the store. # be needed to init the store.
depends = let depends = let
cryptfile = config.sane.fs."${store.underlying.path}/gocryptfs.conf"; cryptfile = config.sane.fs."${underlying}/gocryptfs.conf";
keyfile = config.sane.fs."${store.underlying.key}"; keyfile = config.sane.fs."${key}";
in [ keyfile.unit cryptfile.unit ]; in [ keyfile.unit cryptfile.unit ];
}; };
# let sane.fs know how to initialize the gocryptfs store, # let sane.fs know how to initialize the gocryptfs store,
# and that it MUST do so # and that it MUST do so
sane.fs."${store.underlying.path}/gocryptfs.conf".generated = { sane.fs."${underlying}/gocryptfs.conf".generated = {
script.script = '' script.script = ''
backing="$1" backing="$1"
passfile="$2" passfile="$2"
@ -54,17 +49,17 @@ lib.mkIf config.sane.persist.enable
rm -rf "''${backing:?}"/* rm -rf "''${backing:?}"/*
${pkgs.gocryptfs}/bin/gocryptfs -quiet -passfile "$passfile" -init "$backing" ${pkgs.gocryptfs}/bin/gocryptfs -quiet -passfile "$passfile" -init "$backing"
''; '';
script.scriptArgs = [ store.underlying.path store.underlying.key ]; script.scriptArgs = [ underlying key ];
# we need the key in order to initialize the store # we need the key in order to initialize the store
depends = [ config.sane.fs."${store.underlying.key}".unit ]; depends = [ config.sane.fs."${key}".unit ];
}; };
# let sane.fs know how to generate the key for gocryptfs # let sane.fs know how to generate the key for gocryptfs
sane.fs."${store.underlying.key}".generated = { sane.fs."${key}".generated = {
script.script = '' script.script = ''
dd if=/dev/random bs=128 count=1 | base64 --wrap=0 > "$1" dd if=/dev/random bs=128 count=1 | base64 --wrap=0 > "$1"
''; '';
script.scriptArgs = [ store.underlying.key ]; script.scriptArgs = [ key ];
# no need for anyone else to be able to read the key # no need for anyone else to be able to read the key
acl.mode = "0400"; acl.mode = "0400";
}; };
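Review bot: `key = "${device}.key"` in the first hunk now derives the keyfile location from the user-overridable `origin`, so an override that points the store at a persistent directory would also place the key on persistent storage, undermining the "in-memory key ... cleared on every boot" guarantee stated in the option description. Nothing in the hunk checks or documents that `origin` (and therefore the key) must live on volatile storage. Consider decoupling the key path from `origin` (its own `mkDefault` option, or a fixed tmpfs location as the surviving TODO suggests) or at least adding a comment beside the definition: `# key sits next to the mount point; origin overrides must stay on volatile storage or the key survives reboot`. Note also that `underlying` remains hard-coded, so only the mount point is actually overridable despite the commit title.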