sane-private-unlock: init

this presents a simpler unlock mechanism than my previous unl0kr script

hosts/common/programs/sane-scripts.nix

@@ -21,6 +21,7 @@ in
       "sane-scripts.find-dotfiles"
       "sane-scripts.ip-check"
       "sane-scripts.private-do"
+      "sane-scripts.private-unlock"
       "sane-scripts.rcp"
       "sane-scripts.reboot"
       "sane-scripts.reclaim-boot-space"
@@ -115,6 +116,15 @@ in
       extraPaths = [ "/" ];
     };
 
+    "sane-scripts.private-unlock" = {
+      suggestedPrograms = [ "systemctl" ];
+      sandbox.extraPaths = [ "/run/gocryptfs" ];
+      sandbox.whitelistSystemctl = true;
+      fs.".profile".symlink.text = ''
+        sane-private-unlock
+      '';
+    };
+
     "sane-scripts.reclaim-boot-space".sandbox = {
       method = "bunpen";
       extraPaths = [ "/boot" ];

pkgs/by-name/sane-scripts/package.nix

@@ -113,6 +113,11 @@ let
       srcRoot = ./src;
       pkgs = [ "util-linux" ];
     };
+    private-unlock = static-nix-shell.mkBash {
+      pname = "sane-private-unlock";
+      srcRoot = ./src;
+      pkgs = [ "coreutils" "systemdMinimal" ];
+    };
     private-unlock-remote = static-nix-shell.mkBash {
       pname = "sane-private-unlock-remote";
       srcRoot = ./src;

pkgs/by-name/sane-scripts/src/sane-private-unlock

@@ -0,0 +1,19 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p bash -p coreutils -p systemdMinimal
+
+if ! systemctl is-active private-storage.target > /dev/null; then
+  echo "unable to access encrypted data store."
+  echo "unlock it now or cancel with Ctrl+C."
+fi
+
+while ! systemctl is-active private-storage.target > /dev/null; do
+  # see: <https://stackoverflow.com/a/2654096>
+  IFS= read -s -r -p "password: " line
+  echo
+  if [[ "$?" -eq 0 ]]; then
+    echo -n "$line" > /run/gocryptfs/private.key
+    # give time for the store to be unlocked
+    timeout 3s systemctl start private-storage.target
+  fi
+done
+