create/deploy ~/private: an encrypted filesystem

it uses gocryptfs -- a newer alternative to EncFS -- to encrypt
paths and data (but not metadata) onto an underlying backing filesystem.
This commit is contained in:
2022-10-18 05:29:36 -07:00
parent 98c2ac21fe
commit e11f903aec
8 changed files with 63 additions and 9 deletions


@@ -11,6 +11,8 @@
boot.loader.efi.canTouchEfiVariables = false; boot.loader.efi.canTouchEfiVariables = false;
sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ]; sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
users.users.colin.initialPassword = "147147";
# default config: https://man.archlinux.org/man/snapper-configs.5 # default config: https://man.archlinux.org/man/snapper-configs.5
# defaults to something like: # defaults to something like:
# - hourly snapshots # - hourly snapshots
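Review bot: `users.users.colin.initialPassword = "147147";` commits a cleartext credential to the repository, and NixOS additionally writes `initialPassword` values in plaintext into the world-readable Nix store. The pamMount block added elsewhere in this commit requires the login password to equal the ~/private encryption password, so if this literal was ever used as the login password it may also be the passphrase guarding the encrypted filesystem; it should be rotated in that case. Prefer a secret kept outside the store, e.g. `users.users.colin.passwordFile = "<path-to-hashed-password-file>";`, or at least `initialHashedPassword` with a hash rather than the cleartext. `initialPassword` only takes effect when the account is first created, so the impact on an existing installation depends on how it was deployed — confirm.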


@@ -1,4 +1,4 @@
{ ... }: { pkgs, ... }:
{ {
imports = [ imports = [
@@ -21,5 +21,16 @@
}; };
# enable zsh completions # enable zsh completions
environment.pathsToLink = [ "/share/zsh" ]; environment.pathsToLink = [ "/share/zsh" ];
environment.systemPackages = with pkgs; [
# required for pam_mount
gocryptfs
];
security.pam.mount.enable = true;
# security.pam.mount.debugLevel = 1;
# security.pam.enableSSHAgentAuth = true; # ??
# needed for `allow_other` in e.g. gocryptfs mounts
# or i guess going through mount.fuse sets suid so that's not necessary?
# programs.fuse.userAllowOther = true;
} }
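Review bot: The comment `# or i guess going through mount.fuse sets suid so that's not necessary?` above `# programs.fuse.userAllowOther = true;` leaves a security-relevant question unresolved in the shipped config. The `user_allow_other` setting in /etc/fuse.conf only restricts unprivileged callers of fusermount; if pam_mount performs the `allow_other` mount as root (as the pamMount block elsewhere in this commit appears to rely on), the option is indeed not needed, so the comment should state that conclusion and the dead line can go. Likewise `# security.pam.enableSSHAgentAuth = true; # ??` should either be removed or carry a note on why it is being considered, since enabling it widens how PAM authenticates. Proposed replacement: `# allow_other is fine without programs.fuse.userAllowOther: pam_mount runs the mount as root, and fuse.conf's user_allow_other only gates unprivileged mounts.`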


@@ -9,6 +9,7 @@ let
cdrtools cdrtools
duplicity duplicity
gnupg gnupg
gocryptfs
ifuse ifuse
ipfs ipfs
libimobiledevice libimobiledevice


@@ -54,6 +54,17 @@ in
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX colin@servo" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX colin@servo"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU colin@moby" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU colin@moby"
]; ];
pamMount = {
# mount encrypted stuff at login
# requires that login password == fs encryption password
# fstype = "fuse";
# path = "${pkgs.gocryptfs}/bin/gocryptfs#/nix/persist/home/colin/private";
fstype = "fuse.gocryptfs";
path = "/nix/persist/home/colin/private";
mountpoint = "/home/colin/private";
options="nodev,nosuid,quiet,allow_other";
};
}; };
sane.impermanence.service-dirs = mkIf cfg.guest.enable [ sane.impermanence.service-dirs = mkIf cfg.guest.enable [
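Review bot: The new `pamMount` block can only mount ~/private when the authenticating PAM service hands pam_mount the user's password; the key-based SSH logins enabled by the `authorizedKeys` entries directly above it will likely leave `/home/colin/private` unmounted, and anything a process writes there then lands in plaintext on the underlying filesystem rather than in the encrypted backing store. Worth documenting next to `# requires that login password == fs encryption password`, e.g. `# NOTE: only password-based logins trigger the mount; key-based ssh sessions see the bare mountpoint`, and mitigating by keeping the unmounted mountpoint non-writable (mode 0000 or immutable) so a missed mount fails loudly instead of leaking data. The commented-out `# fstype = "fuse";` / `# path = "${pkgs.gocryptfs}/bin/gocryptfs#..."` alternative is dead config and can be dropped. The enclosing attribute set for this user starts outside the hunk.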


@@ -0,0 +1,15 @@
{ pkgs, lib, ... }:
(pkgs.gocryptfs.overrideAttrs (upstream: {
# XXX `su colin` hangs when pam_mount tries to mount a gocryptfs system
# unless `logger` (util-linux) is accessible from gocryptfs.
# this is surprising: the code LOOKS like it's meant to handle logging failures.
# propagating util-linux through either `environment.systemPackages` or `security.pam.mount.additionalSearchPaths` DOES NOT WORK.
#
# TODO: see about upstreaming this
postInstall = ''
wrapProgram $out/bin/gocryptfs \
--suffix PATH : ${lib.makeBinPath [ pkgs.fuse pkgs.util-linux ]}
ln -s $out/bin/gocryptfs $out/bin/mount.fuse.gocryptfs
'';
}))
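Review bot: `postInstall = ''…''` inside `overrideAttrs` replaces any `postInstall` the upstream gocryptfs derivation defines instead of extending it, and `wrapProgram` is only available in the build if upstream already pulls in `makeWrapper`, which this override does not add. Safer form: `postInstall = (upstream.postInstall or "") + ''…'';` together with `nativeBuildInputs = (upstream.nativeBuildInputs or []) ++ [ pkgs.makeWrapper ];` (redundant but harmless if upstream already has it). Whether upstream currently sets either cannot be determined from this hunk — check the nixpkgs expression. A one-line comment on the `ln -s` would also help: `# mount.fuse.gocryptfs is what fstype = "fuse.gocryptfs" in the pam_mount config resolves to`.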


@@ -35,6 +35,8 @@
# patch rpi uboot with something that fixes USB HDD boot # patch rpi uboot with something that fixes USB HDD boot
ubootRaspberryPi4_64bit = prev.callPackage ./ubootRaspberryPi4_64bit { pkgs = prev; }; ubootRaspberryPi4_64bit = prev.callPackage ./ubootRaspberryPi4_64bit { pkgs = prev; };
gocryptfs = prev.callPackage ./gocryptfs { pkgs = prev; };
#### TEMPORARY: PACKAGES WAITING TO BE UPSTREAMED #### TEMPORARY: PACKAGES WAITING TO BE UPSTREAMED
kaiteki = prev.callPackage ./kaiteki { }; kaiteki = prev.callPackage ./kaiteki { };
# kaiteki = prev.kaiteki; # kaiteki = prev.kaiteki;


@@ -23,6 +23,7 @@ resholve.mkDerivation {
file file
findutils findutils
gnugrep gnugrep
gocryptfs
ifuse ifuse
inotify-tools inotify-tools
ncurses ncurses
@@ -54,14 +55,15 @@ resholve.mkDerivation {
}; };
# list of programs which *can* or *cannot* exec their arguments # list of programs which *can* or *cannot* exec their arguments
execer = [ execer = with pkgs; [
"cannot:${pkgs.ifuse}/bin/ifuse" "cannot:${gocryptfs}/bin/gocryptfs"
"cannot:${pkgs.oath-toolkit}/bin/oathtool" "cannot:${ifuse}/bin/ifuse"
"cannot:${pkgs.openssh}/bin/ssh-keygen" "cannot:${oath-toolkit}/bin/oathtool"
"cannot:${pkgs.rmlint}/bin/rmlint" "cannot:${openssh}/bin/ssh-keygen"
"cannot:${pkgs.rsync}/bin/rsync" "cannot:${rmlint}/bin/rmlint"
"cannot:${pkgs.ssh-to-age}/bin/ssh-to-age" "cannot:${rsync}/bin/rsync"
"cannot:${pkgs.sops}/bin/sops" "cannot:${sops}/bin/sops"
"cannot:${ssh-to-age}/bin/ssh-to-age"
]; ];
}; };
}; };


@@ -0,0 +1,10 @@
#!/usr/bin/env bash
set -ex
# configure persistent, encrypted storage that is auto-mounted on login.
# this is a one-time setup and user should log out/back in after running it.
p=/nix/persist/home/colin/private
mkdir -p $p
gocryptfs -init $p
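Review bot: `mkdir -p $p` creates the backing directory with the caller's default umask, so the encrypted tree and gocryptfs's own configuration under `/nix/persist/home/colin/private` may be readable by other local users; the commit message notes that gocryptfs leaves metadata unencrypted, so a restrictive mode is the only thing hiding file counts and sizes and protecting the config from tampering. Use `mkdir -p -m 0700 "$p"` (quoted, in case the path ever changes). The script also never tells the user that the passphrase entered at `gocryptfs -init` must equal the login password, which the pamMount comment elsewhere in this commit depends on — a line such as `# the passphrase you choose here MUST match your login password, or pam_mount cannot unlock it at login` belongs next to the init call. If the script is meant to be run as root because of the /nix/persist location, ownership of `$p` should be handed to the user afterwards — cannot tell from here.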