impermanence: crypt: more robust perms and ordering of backing device

2022-12-31 10:45:43 +00:00 · 2022-12-31 10:45:43 +00:00 · be19985440
commit be19985440
parent f7e3e7294a
2 changed files with 17 additions and 6 deletions
--- a/modules/impermanence/crypt.nix
+++ b/modules/impermanence/crypt.nix
@ -17,12 +17,12 @@ let
      passfile="$2"
      if ! test -e "$passfile"
      then
-        tmpdir=$(dirname "$passfile")
-        mkdir -p "$backing" "$tmpdir"
        # if the key doesn't exist, it's probably not mounted => delete the backing dir
        rm -rf "''${backing:?}"/*
        # generate key. we can "safely" keep it around for the lifetime of this boot
+        umask 266
        dd if=/dev/random bs=128 count=1 | base64 --wrap=0 > "$passfile"
+        umask 022
        # initialize the crypt store
        gocryptfs -quiet -passfile "$passfile" -init "$backing"
      fi
@ -35,10 +35,13 @@ in lib.mkIf config.sane.impermanence.enable
    "prepareEncryptedClearedOnBoot.service"
  ];

+  # declare our backing storage
+  sane.fs."${store.underlying.path}".dir = {};
+
  systemd.services."prepareEncryptedClearedOnBoot" =
  let
    mount-unit = "${utils.escapeSystemdPath store.device}.mount";
-  in {
+  in rec {
    description = "prepare keys for ${store.device}";
    serviceConfig.ExecStart = ''
      ${prepareEncryptedClearedOnBoot}/bin/prepareEncryptedClearedOnBoot ${store.underlying.path} ${store.underlying.key}
@ -47,9 +50,17 @@ in lib.mkIf config.sane.impermanence.enable
    # remove implicit dep on sysinit.target
    unitConfig.DefaultDependencies = "no";

+    # we need the key directory to be created, and the backing directory to exist
+    after = [
+      (config.sane.fs."${store.underlying.path}".service + ".service")
+      # TODO: "${parentDir store.device}"
+      (config.sane.fs."/mnt/impermanence/crypt".service + ".service")
+    ];
+    wants = after;
+
    # make sure the encrypted file system is mounted *after* its keys have been generated.
-    wantedBy = [ mount-unit ];
    before = [ mount-unit ];
+    wantedBy = before;
  };


--- a/modules/impermanence/default.nix
+++ b/modules/impermanence/default.nix
@ -145,8 +145,8 @@ in
            options = [
              "bind"
              # "x-systemd.requires=${backing-mount}.mount"  # this should be implicit
-              "x-systemd.after=${backing-service}"
-              "x-systemd.after=${dir-service}"
+              "x-systemd.after=${backing-service}.service"
+              "x-systemd.after=${dir-service}.service"
              # `wants` doesn't seem to make it to the service file here :-(
              # "x-systemd.wants=${backing-service}"
              # "x-systemd.wants=${dir-service}"