provide a script for changing the ~/private dir secrets

gocryptfs doesn't (i think?) ship a tool for changing the password: you
just create a new fs and rsync/mv the data

pkgs/sane-scripts/default.nix

@@ -49,8 +49,9 @@ resholve.mkDerivation {
           "umount"
           "sudo"
 
-          # this is actually internal; probably a better fix
+          # these are used internally; probably a better fix
           "sane-mount-servo"
+          "sane-private-unlock"
         ];
       };
 

pkgs/sane-scripts/src/sane-private-change-passwd

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+set -ex
+
+new_plain=/home/colin/private-new
+new_cipher="/nix/persist${new_plain}"
+dest_plain=/home/colin/private
+dest_cipher="/nix/persist${dest_plain}"
+
+# initialize the new store
+sudo mkdir -p "${new_cipher}" && sudo chown colin:users "${new_cipher}"
+mkdir -p "${new_plain}"
+gocryptfs -init "${new_cipher}"
+
+# mount the new and old store
+gocryptfs "${new_cipher}" "${new_plain}"
+sane-private-unlock
+
+# transfer to the new store
+rsync -arv /home/colin/private/ "${new_plain}"/
+
+# unmount both stores
+sudo umount "${new_plain}"
+sudo umount /home/colin/private
+
+# swap the stores
+sudo mv "${dest_cipher}" "${dest_cipher}-old"
+sudo mv "${new_cipher}" "${dest_cipher}"
+
+sane-private-unlock
+
+echo "if things look well, rm ${dest_cipher}-old"

pkgs/sane-scripts/src/sane-private-unlock

@@ -8,4 +8,7 @@ set -ex
 mount=/home/colin/private
 cipher="/nix/persist$mount"
 mkdir -p "$mount"
-gocryptfs "$cipher" "$mount"
+if [ ! -f "$mount/init" ]
+then
+  gocryptfs "$cipher" "$mount"
+fi