create/deply ~/private: an encrypted filesystem

it uses gocryptfs -- a newer alternative to EncFS -- to encrypt paths and data (but not metadata) onto an underlying backing filesystem
2022-10-18 05:29:36 -07:00
parent 98c2ac21fe
commit e11f903aec
8 changed files with 63 additions and 9 deletions
--- a/machines/lappy/default.nix
+++ b/machines/lappy/default.nix
@@ -11,6 +11,8 @@
  boot.loader.efi.canTouchEfiVariables = false;
  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];

+  users.users.colin.initialPassword = "147147";
+
  # default config: https://man.archlinux.org/man/snapper-configs.5
  # defaults to something like:
  #   - hourly snapshots
--- a/modules/universal/env/default.nix
+++ b/modules/universal/env/default.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ pkgs, ... }:

 {
  imports = [
@@ -21,5 +21,16 @@
  };
  # enable zsh completions
  environment.pathsToLink = [ "/share/zsh" ];
+  environment.systemPackages = with pkgs; [
+    # required for pam_mount
+    gocryptfs
+  ];
+
+  security.pam.mount.enable = true;
+  # security.pam.mount.debugLevel = 1;
+  # security.pam.enableSSHAgentAuth = true; # ??
+  # needed for `allow_other` in e.g. gocryptfs mounts
+  # or i guess going through mount.fuse sets suid so that's not necessary?
+  # programs.fuse.userAllowOther = true;
 }

--- a/modules/universal/env/home-packages.nix
+++ b/modules/universal/env/home-packages.nix
@@ -9,6 +9,7 @@ let
    cdrtools
    duplicity
    gnupg
+    gocryptfs
    ifuse
    ipfs
    libimobiledevice
--- a/modules/universal/users.nix
+++ b/modules/universal/users.nix
@@ -54,6 +54,17 @@ in
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX colin@servo"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU colin@moby"
      ];
+
+      pamMount = {
+        # mount encrypted stuff at login
+        # requires that login password == fs encryption password
+        # fstype = "fuse";
+        # path = "${pkgs.gocryptfs}/bin/gocryptfs#/nix/persist/home/colin/private";
+        fstype = "fuse.gocryptfs";
+        path = "/nix/persist/home/colin/private";
+        mountpoint = "/home/colin/private";
+        options="nodev,nosuid,quiet,allow_other";
+      };
    };

    sane.impermanence.service-dirs = mkIf cfg.guest.enable [
--- a/pkgs/gocryptfs/default.nix
+++ b/pkgs/gocryptfs/default.nix
@@ -0,0 +1,15 @@
+{ pkgs, lib, ... }:
+
+(pkgs.gocryptfs.overrideAttrs (upstream: {
+  # XXX `su colin` hangs when pam_mount tries to mount a gocryptfs system
+  # unless `logger` (util-linux) is accessible from gocryptfs.
+  # this is surprising: the code LOOKS like it's meant to handle logging failures.
+  # propagating util-linux through either `environment.systemPackages` or `security.pam.mount.additionalSearchPaths` DOES NOT WORK.
+  #
+  # TODO: see about upstreaming this
+  postInstall = ''
+    wrapProgram $out/bin/gocryptfs \
+      --suffix PATH : ${lib.makeBinPath [ pkgs.fuse pkgs.util-linux ]}
+    ln -s $out/bin/gocryptfs $out/bin/mount.fuse.gocryptfs
+  '';
+}))
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@@ -35,6 +35,8 @@
  # patch rpi uboot with something that fixes USB HDD boot
  ubootRaspberryPi4_64bit = prev.callPackage ./ubootRaspberryPi4_64bit { pkgs = prev; };

+  gocryptfs = prev.callPackage ./gocryptfs { pkgs = prev; };
+
  #### TEMPORARY: PACKAGES WAITING TO BE UPSTREAMED
  kaiteki = prev.callPackage ./kaiteki { };
  # kaiteki = prev.kaiteki;
--- a/pkgs/sane-scripts/default.nix
+++ b/pkgs/sane-scripts/default.nix
@@ -23,6 +23,7 @@ resholve.mkDerivation {
        file
        findutils
        gnugrep
+        gocryptfs
        ifuse
        inotify-tools
        ncurses
@@ -54,14 +55,15 @@ resholve.mkDerivation {
      };

      # list of programs which *can* or *cannot* exec their arguments
-      execer = [
-        "cannot:${pkgs.ifuse}/bin/ifuse"
-        "cannot:${pkgs.oath-toolkit}/bin/oathtool"
-        "cannot:${pkgs.openssh}/bin/ssh-keygen"
-        "cannot:${pkgs.rmlint}/bin/rmlint"
-        "cannot:${pkgs.rsync}/bin/rsync"
-        "cannot:${pkgs.ssh-to-age}/bin/ssh-to-age"
-        "cannot:${pkgs.sops}/bin/sops"
+      execer = with pkgs; [
+        "cannot:${gocryptfs}/bin/gocryptfs"
+        "cannot:${ifuse}/bin/ifuse"
+        "cannot:${oath-toolkit}/bin/oathtool"
+        "cannot:${openssh}/bin/ssh-keygen"
+        "cannot:${rmlint}/bin/rmlint"
+        "cannot:${rsync}/bin/rsync"
+        "cannot:${sops}/bin/sops"
+        "cannot:${ssh-to-age}/bin/ssh-to-age"
      ];
    };
  };
--- a/pkgs/sane-scripts/src/sane-private-init
+++ b/pkgs/sane-scripts/src/sane-private-init
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+set -ex
+
+# configure persistent, encrypted storage that is auto-mounted on login.
+# this is a one-time setup and user should log out/back in after running it.
+
+p=/nix/persist/home/colin/private
+mkdir -p $p
+gocryptfs -init $p