persist: crypt store: make paths overridable
This commit is contained in:
parent
70b62e9f76
commit
98b542332b
|
@ -1,14 +1,9 @@
|
|||
{ config, lib, pkgs, utils, ... }:
|
||||
|
||||
let
|
||||
store = rec {
|
||||
device = "/mnt/persist/crypt/clearedonboot";
|
||||
underlying = {
|
||||
path = "/nix/persist/crypt/clearedonboot";
|
||||
# TODO: consider moving this to /tmp, but that requires tmp be mounted first?
|
||||
key = "/mnt/persist/crypt/clearedonboot.key";
|
||||
};
|
||||
};
|
||||
device = config.sane.persist.stores."cryptClearOnBoot".origin;
|
||||
key = "${device}.key";
|
||||
underlying = "/nix/persist/crypt/clearedonboot";
|
||||
in
|
||||
lib.mkIf config.sane.persist.enable
|
||||
{
|
||||
|
@ -17,35 +12,35 @@ lib.mkIf config.sane.persist.enable
|
|||
stored to disk, but encrypted to an in-memory key and cleared on every boot
|
||||
so that it's unreadable after power-off
|
||||
'';
|
||||
origin = store.device;
|
||||
origin = lib.mkDefault "/mnt/persist/crypt/clearedonboot";
|
||||
};
|
||||
|
||||
|
||||
fileSystems."${store.device}" = {
|
||||
device = store.underlying.path;
|
||||
fileSystems."${device}" = {
|
||||
device = underlying;
|
||||
fsType = "fuse.gocryptfs";
|
||||
options = [
|
||||
"nodev"
|
||||
"nosuid"
|
||||
"allow_other"
|
||||
"passfile=${store.underlying.key}"
|
||||
"passfile=${key}"
|
||||
"defaults"
|
||||
];
|
||||
noCheck = true;
|
||||
};
|
||||
# let sane.fs know about our fileSystem and automatically add the appropriate dependencies
|
||||
sane.fs."${store.device}".mount = {
|
||||
sane.fs."${device}".mount = {
|
||||
# technically the dependency on the keyfile is extraneous because that *happens* to
|
||||
# be needed to init the store.
|
||||
depends = let
|
||||
cryptfile = config.sane.fs."${store.underlying.path}/gocryptfs.conf";
|
||||
keyfile = config.sane.fs."${store.underlying.key}";
|
||||
cryptfile = config.sane.fs."${underlying}/gocryptfs.conf";
|
||||
keyfile = config.sane.fs."${key}";
|
||||
in [ keyfile.unit cryptfile.unit ];
|
||||
};
|
||||
|
||||
# let sane.fs know how to initialize the gocryptfs store,
|
||||
# and that it MUST do so
|
||||
sane.fs."${store.underlying.path}/gocryptfs.conf".generated = {
|
||||
sane.fs."${underlying}/gocryptfs.conf".generated = {
|
||||
script.script = ''
|
||||
backing="$1"
|
||||
passfile="$2"
|
||||
|
@ -54,17 +49,17 @@ lib.mkIf config.sane.persist.enable
|
|||
rm -rf "''${backing:?}"/*
|
||||
${pkgs.gocryptfs}/bin/gocryptfs -quiet -passfile "$passfile" -init "$backing"
|
||||
'';
|
||||
script.scriptArgs = [ store.underlying.path store.underlying.key ];
|
||||
script.scriptArgs = [ underlying key ];
|
||||
# we need the key in order to initialize the store
|
||||
depends = [ config.sane.fs."${store.underlying.key}".unit ];
|
||||
depends = [ config.sane.fs."${key}".unit ];
|
||||
};
|
||||
|
||||
# let sane.fs know how to generate the key for gocryptfs
|
||||
sane.fs."${store.underlying.key}".generated = {
|
||||
sane.fs."${key}".generated = {
|
||||
script.script = ''
|
||||
dd if=/dev/random bs=128 count=1 | base64 --wrap=0 > "$1"
|
||||
'';
|
||||
script.scriptArgs = [ store.underlying.key ];
|
||||
script.scriptArgs = [ key ];
|
||||
# no need for anyone else to be able to read the key
|
||||
acl.mode = "0400";
|
||||
};
|
||||
|
|
Loading…
Reference in New Issue
Block a user