From b344c38bfb95bbf155948b518e66fcbadbdd7c27 Mon Sep 17 00:00:00 2001
From: colin
Date: Mon, 24 Oct 2022 08:21:53 -0700
Subject: [PATCH] provide a script for changing the ~/private dir secrets gocryptfs doesn't (i think?) ship a tool for changing the password: you just create a new fs and rsync/mv the data
---
 pkgs/sane-scripts/default.nix | 3 +-
 .../src/sane-private-change-passwd | 32 +++++++++++++++++++
 pkgs/sane-scripts/src/sane-private-unlock | 5 ++-
 3 files changed, 38 insertions(+), 2 deletions(-)
 create mode 100755 pkgs/sane-scripts/src/sane-private-change-passwd
diff --git a/pkgs/sane-scripts/default.nix b/pkgs/sane-scripts/default.nix
index a1a5f35e..510458ad 100644
--- a/pkgs/sane-scripts/default.nix
+++ b/pkgs/sane-scripts/default.nix
@@ -49,8 +49,9 @@ resholve.mkDerivation {
 "umount"
 "sudo"
- # this is actually internal; probably a better fix
+ # these are used internally; probably a better fix
 "sane-mount-servo"
+ "sane-private-unlock"
 ];
 };
diff --git a/pkgs/sane-scripts/src/sane-private-change-passwd b/pkgs/sane-scripts/src/sane-private-change-passwd
new file mode 100755
index 00000000..2d64a083
--- /dev/null
+++ b/pkgs/sane-scripts/src/sane-private-change-passwd
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+set -ex
+
+new_plain=/home/colin/private-new
+new_cipher="/nix/persist${new_plain}"
+dest_plain=/home/colin/private
+dest_cipher="/nix/persist${dest_plain}"
+
+# initialize the new store
+sudo mkdir -p "${new_cipher}" && sudo chown colin:users "${new_cipher}"
+mkdir -p "${new_plain}"
+gocryptfs -init "${new_cipher}"
+
+# mount the new and old store
+gocryptfs "${new_cipher}" "${new_plain}"
+sane-private-unlock
+
+# transfer to the new store
+rsync -arv /home/colin/private/ "${new_plain}"/
+
+# unmount both stores
+sudo umount "${new_plain}"
+sudo umount /home/colin/private
+
+# swap the stores
+sudo mv "${dest_cipher}" "${dest_cipher}-old"
+sudo mv "${new_cipher}" "${dest_cipher}"
+
+sane-private-unlock
+
+echo "if things look well, rm ${dest_cipher}-old"
diff --git a/pkgs/sane-scripts/src/sane-private-unlock b/pkgs/sane-scripts/src/sane-private-unlock
index e7aad839..fb518bd3 100755
--- a/pkgs/sane-scripts/src/sane-private-unlock
+++ b/pkgs/sane-scripts/src/sane-private-unlock
@@ -8,4 +8,7 @@ set -ex
 mount=/home/colin/private
 cipher="/nix/persist$mount"
 mkdir -p "$mount"
-gocryptfs "$cipher" "$mount"
+if [ ! -f "$mount/init" ]
+then
+ gocryptfs "$cipher" "$mount"
+fi
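Review bot: The swap step `sudo mv "${dest_cipher}" "${dest_cipher}-old"` assumes no `-old` directory is left over from an earlier run. If one exists, `mv` places the current store inside it instead of renaming it, and the second `mv` still succeeds, so the layout silently differs from what the closing message describes. A guard before any work starts, such as `[ ! -e "${dest_cipher}-old" ] || { echo "${dest_cipher}-old already exists" >&2; exit 1; }`, would catch that. The retained `-old` store also stays decryptable with the previous password until it is removed, so the closing `echo` should say the password change is not complete before then. A header comment could note that gocryptfs does have `-passwd`, which only re-wraps the existing master key, whereas this script creates a new filesystem and so replaces the master key too.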
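Review bot: The mounted-check `[ ! -f "$mount/init" ]` tests for a file rather than for a mount, so it is only correct while the decrypted store contains a file named `init` and the bare mountpoint directory never does. If a plaintext `init` ever exists in the unmounted directory, the script exits 0 without mounting, and later writes to `$mount` would land unencrypted on the underlying filesystem. If the store has no `init`, a second call tries to mount over the live mount and presumably aborts under `set -e`. Checking the mount itself, `if ! mountpoint -q "$mount"; then`, avoids both cases; `mountpoint` would probably need adding to the resholve inputs in default.nix. The top of the script is outside this hunk.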