impermanence: defer to fs.nix module for permissions & dir creation

modules/default.nix

@@ -3,6 +3,7 @@
 {
   imports = [
     ./allocations.nix
+    ./fs.nix
     ./gui
     ./home-manager
     ./packages.nix
@@ -10,5 +11,6 @@
     ./impermanence
     ./nixcache.nix
     ./services
+    ./sops.nix
   ];
 }

modules/fs.nix

@@ -0,0 +1,155 @@
+{ config, lib, pkgs, utils, ... }:
+with lib;
+let
+  cfg = config.sane.fs;
+
+  # sane.fs."<path>" top-level options
+  fsEntry = types.submodule ({ name, ...}: let
+    parent = parentDir name;
+    has-parent = hasParent name;
+    parent-cfg = if has-parent then cfg."${parent}" else {};
+  in {
+    options = {
+      dir = mkOption {
+        type = mkDirEntryType (parent-cfg.dir or {
+          user = "root";
+          group = "root";
+          mode = "0755";
+        });
+      };
+      depends = mkOption {
+        type = types.listOf types.str;
+        description = "list of systemd services needed to be run before this service";
+        default = [];
+      };
+      service = mkOption {
+        type = types.str;
+        description = "name of the systemd service which ensures this entry";
+        default = "ensure-${utils.escapeSystemdPath name}";
+      };
+    };
+    config = {
+      # we put this here instead of as a `default` to ensure that users who specify additional
+      # dependencies still get a dep on the parent (unless they assign with `mkForce`).
+      depends = if has-parent then [ "${parent-cfg.service}.service" ] else [];
+    };
+  });
+  # sane.fs."<path>".dir sub-options
+  mkDirEntryType = defaults: types.submodule {
+    options = {
+      user = mkOption {
+        type = types.str;  # TODO: use uid?
+      };
+      group = mkOption {
+        type = types.str;
+      };
+      mode = mkOption {
+        type = types.str;
+      };
+    };
+    config = lib.mkDefault defaults;
+  };
+
+  # given a fsEntry definition, output the `config` attrs it generates.
+  mkFsConfig = path: opt: {
+    systemd.services."${opt.service}" = {
+      description = "prepare ${path}";
+      script = ensure-dir-script;
+      scriptArgs = "${path} ${opt.dir.user} ${opt.dir.group} ${opt.dir.mode}";
+      serviceConfig.Type = "oneshot";
+      after = opt.depends;
+      wants = opt.depends;
+      # prevent systemd making this unit implicitly dependent on sysinit.target.
+      # see: <https://www.freedesktop.org/software/systemd/man/systemd.special.html>
+      unitConfig.DefaultDependencies = "no";
+    };
+  };
+
+  # systemd/shell script used to create and set perms for a specific dir
+  ensure-dir-script = ''
+    path="$1"
+    user="$2"
+    group="$3"
+    mode="$4"
+
+    if ! test -d "$path"
+    then
+      # if the directory *doesn't* exist, try creating it
+      # if we fail to create it, ensure we raced with something else and that it's actually a directory
+      mkdir "$path" || test -d "$path"
+    fi
+    chmod "$mode" "$path"
+    chown "$user:$group" "$path"
+  '';
+
+  # split the string path into a list of string components.
+  # root directory "/" becomes the empty list [].
+  # implicitly performs normalization so that:
+  # splitPath "a//b/" => ["a" "b"]
+  # splitPath "/a/b" =>  ["a" "b"]
+  splitPath = str: builtins.filter (seg: (builtins.isString seg) && seg != "" ) (builtins.split "/" str);
+  # return a string path, with leading slash but no trailing slash
+  joinPathAbs = comps: "/" + (builtins.concatStringsSep "/" comps);
+  concatPaths = paths: joinPathAbs (builtins.concatLists (builtins.map (p: splitPath p) paths));
+  # normalize the given path
+  normPath = str: joinPathAbs (splitPath str);
+  # return the parent directory. doesn't care about leading/trailing slashes.
+  # the parent of "/" is "/".
+  parentDir = str: normPath (builtins.dirOf (normPath str));
+  hasParent = str: (parentDir str) != (normPath str);
+
+  # return all ancestors of this path.
+  # e.g. ancestorsOf "/foo/bar/baz" => [ "/" "/foo" "/foo/bar" ]
+  ancestorsOf = path: if hasParent path then
+    ancestorsOf (parentDir path) ++ [ (parentDir path) ]
+  else
+    [ ]
+  ;
+
+  # attrsOf fsEntry type which for every entry ensures that all ancestor entries are created.
+  # we do this with a custom type to ensure that users can access `config.sane.fs."/parent/path"`
+  # when inferred.
+  fsTree = let
+    baseType = types.attrsOf fsEntry;
+    # merge is called once, with all collected `sane.fs` definitions passed and we coalesce those
+    # into a single value `x` as if the user had wrote simply `sane.fs = x` in a single location.
+    # so option defaulting and such happens *after* `merge` is called.
+    merge = loc: defs: let
+      # loc is the location of the option holding this type, e.g. ["sane" "fs"].
+      # each def is an { value = attrsOf fsEntry instance; file = "..."; }
+      pathsForDef = def: attrNames def.value;
+      origPaths = concatLists (builtins.map pathsForDef defs);
+      extraPaths = concatLists (builtins.map ancestorsOf origPaths);
+      extraDefs = builtins.map (p: {
+        file = ./.;
+        value = {
+          "${p}".dir = {};
+        };
+      }) extraPaths;
+    in
+      baseType.merge loc (defs ++ extraDefs);
+  in
+    lib.mkOptionType {
+      inherit merge;
+      name = "fsTree";
+      description = "attrset representation of a file-system tree";
+      # ensure that every path is in canonical form, else we might get duplicates and subtle errors
+      check = tree: builtins.all (p: p == normPath p) (builtins.attrNames tree);
+    };
+
+in {
+  options = {
+    sane.fs = mkOption {
+      # type = types.attrsOf fsEntry;
+      type = fsTree;
+      default = {};
+    };
+  };
+
+  config = let
+    cfgs = builtins.attrValues (builtins.mapAttrs mkFsConfig cfg);
+  in {
+    # we can't lib.mkMerge at the top-level, so do it per-attribute
+    systemd = lib.mkMerge (catAttrs "systemd" cfgs);
+  };
+}

modules/impermanence/default.nix

@@ -7,8 +7,6 @@
 with lib;
 let
   cfg = config.sane.impermanence;
-  # taken from sops-nix code: checks if any secrets are needed to create /etc/shadow
-  secrets-for-users = (lib.filterAttrs (_: v: v.neededForUsers) config.sops.secrets) != {};
   getStore = { encryptedClearOnBoot, ... }: (
     if encryptedClearOnBoot then {
       device = "/mnt/impermanence/crypt/clearedonboot";
@@ -52,10 +50,6 @@ let
   # return a string path, with leading slash but no trailing slash
   joinPathAbs = comps: "/" + (builtins.concatStringsSep "/" comps);
   concatPaths = paths: joinPathAbs (builtins.concatLists (builtins.map (p: splitPath p) paths));
-  # normalize the given path
-  normPath = str: joinPathAbs (splitPath str);
-  # return the parent directory. doesn't care about leading/trailing slashes.
-  parentDir = str: normPath (builtins.dirOf (normPath str));
 
   dirOptions = defaults: types.submodule {
     options = {
@@ -100,41 +94,6 @@ let
   ingested-home-dirs = ingestDirOptions home-dir-defaults cfg.home-dirs;
   ingested-sys-dirs = ingestDirOptions sys-dir-defaults cfg.dirs;
   ingested-dirs = ingested-home-dirs ++ ingested-sys-dirs;
-
-  # include these anchor points as "virtual" nodes in below fs tree.
-  home-dir = {
-    inherit (home-dir-defaults) user group mode;
-    directory = normPath home-dir-defaults.relativeTo;
-  };
-  root-dir = {
-    inherit (sys-dir-defaults) user group mode;
-    directory = normPath sys-dir-defaults.relativeTo;
-  };
-
-  unexpanded-tree = builtins.listToAttrs (builtins.map
-    (dir: {
-      name = dir.directory;
-      value = dir;
-    })
-    (ingested-dirs ++ [ home-dir root-dir ])
-  );
-
-  # ensures the provided node and all parent nodes exist
-  ensureNode = tree: path: (
-    let
-      parent-path = parentDir path;
-      tree-with-parent = if parent-path == "/"
-        then tree
-        else ensureNode tree parent-path;
-      parent = tree-with-parent."${parent-path}";
-      # how to initialize this node if it doesn't exist explicitly.
-      default-node = parent // { directory = path; };
-    in
-      { "${path}" = default-node; } // tree-with-parent
-  );
-
-  # finally, this tree has no orphan nodes
-  expanded-tree = foldl' ensureNode unexpanded-tree (builtins.attrNames unexpanded-tree);
 in
 {
   options = {
@@ -151,20 +110,19 @@ in
     sane.impermanence.dirs = mkDirsOption sys-dir-defaults;
   };
 
-  config = mkIf cfg.enable (lib.mkMerge [
-    (lib.mkIf cfg.root-on-tmpfs {
-      fileSystems."/" = {
-        device = "none";
-        fsType = "tmpfs";
-        options = [
-          "mode=755"
-          "size=1G"
-          "defaults"
-        ];
-      };
-    })
+  imports = [
+    ./root-on-tmpfs.nix
+  ];
 
+  config = mkIf cfg.enable (lib.mkMerge [
     {
+      # TODO: move to sane.fs, to auto-ensure all user dirs?
+      sane.fs."/home/colin".dir = {
+        user = "colin";
+        group = config.users.users.colin.group;
+        mode = config.users.users.colin.homeMode;
+      };
+
       # without this, we get `fusermount: fuse device not found, try 'modprobe fuse' first`.
       # - that only happens after a activation-via-boot -- not activation-after-rebuild-switch.
       # it seems likely that systemd loads `fuse` by default. see:
@@ -228,99 +186,47 @@ in
         let
           # systemd creates <path>.mount services for every fileSystems entry.
           # <path> gets escaped as part of that: this code tries to guess that escaped name here.
-          backing-mount = cleanName opt.store.device;
+          # backing-mount = cleanName opt.store.device;
           mount-service = cleanName opt.directory;
-          perms-service = "impermanence-perms-${mount-service}";
-          parent-mount-service = cleanName (parentDir opt.directory);
-          parent-perms-service = "impermanence-perms-${parent-mount-service}";
-          is-mount = opt ? store;
-          backing-path = if is-mount then
-            concatPaths [ opt.store.device opt.directory ]
-          else
-            opt.directory;
+          backing-path = concatPaths [ opt.store.device opt.directory ];
+
+          dir-service = config.sane.fs."${opt.directory}".service;
+          backing-service = config.sane.fs."${backing-path}".service;
         in {
-          fileSystems."${opt.directory}" = lib.mkIf is-mount {
-            device = concatPaths [ opt.store.device opt.directory ];
+          # create destination and backing directory, with correct perms
+          sane.fs."${opt.directory}".dir = {
+            inherit (opt) user group mode;
+          };
+          sane.fs."${backing-path}".dir = {
+            inherit (opt) user group mode;
+          };
+          # define the mountpoint.
+          fileSystems."${opt.directory}" = {
+            device = backing-path;
             options = [
               "bind"
               # "x-systemd.requires=${backing-mount}.mount"  # this should be implicit
-              "x-systemd.after=${perms-service}.service"
+              "x-systemd.after=${backing-service}"
+              "x-systemd.after=${dir-service}"
               # `wants` doesn't seem to make it to the service file here :-(
-              "x-systemd.wants=${perms-service}.service"
+              # "x-systemd.wants=${backing-service}"
+              # "x-systemd.wants=${dir-service}"
             ];
             # fsType = "bind";
             noCheck = true;
           };
+          systemd.services."${backing-service}".wantedBy = [ "${mount-service}.mount" ];
+          systemd.services."${dir-service}".wantedBy = [ "${mount-service}.mount" ];
 
-          # create services which ensure the source directories exist and have correct ownership/perms before mounting
-          systemd.services."${perms-service}" = let
-            perms-script = pkgs.writeShellScript "impermanence-prepare-perms" ''
-              backing="$1"
-              path="$2"
-              user="$3"
-              group="$4"
-              mode="$5"
-              mkdir "$path" || test -d "$path"
-              chmod "$mode" "$path"
-              chown "$user:$group" "$path"
-
-              # XXX: fix up the permissions of the origin, otherwise it overwrites the mountpoint with defaults.
-              # TODO: apply to the full $backing path? like, construct it entirely in parallel?
-              if [ "$backing" != "$path" ]
-              then
-                mkdir -p "$backing"
-                chmod "$mode" "$backing"
-                chown "$user:$group" "$backing"
-              fi
-            '';
-          in {
-            description = "prepare permissions for ${opt.directory}";
-            serviceConfig = {
-              ExecStart = ''${perms-script} ${backing-path} ${opt.directory} ${opt.user} ${opt.group} ${opt.mode}'';
-              Type = "oneshot";
-            };
-            unitConfig = {
-              # prevent systemd making this unit implicitly dependent on sysinit.target.
-              # see: <https://www.freedesktop.org/software/systemd/man/systemd.special.html>
-              DefaultDependencies = "no";
-            };
-            wantedBy = lib.mkIf is-mount [ "${mount-service}.mount" ];
-            after = lib.mkIf (opt.directory != "/") [ "${parent-perms-service}.service" ];
-            wants = lib.mkIf (opt.directory != "/") [ "${parent-perms-service}.service" ];
-          };
         };
-        cfgs = builtins.map cfgFor (builtins.attrValues expanded-tree);
-        # cfgs = builtins.map cfgFor ingested-dirs;
-        # cfgs = [ (cfgFor (ingestDirOption home-dir-defaults ".cache")) ];
-        # myMerge = items: builtins.foldl' (acc: new: acc // new) {} items;
+        cfgs = builtins.map cfgFor ingested-dirs;
       in {
-        # fileSystems = myMerge (catAttrs "fileSystems" cfgs);
-        fileSystems = lib.mkMerge (builtins.catAttrs "fileSystems" cfgs);
+        fileSystems = lib.mkMerge (catAttrs "fileSystems" cfgs);
+        sane.fs = lib.mkMerge (catAttrs "fs" (catAttrs "sane" cfgs));
         systemd = lib.mkMerge (catAttrs "systemd" cfgs);
       }
     )
 
-    (lib.mkIf secrets-for-users {
-      # secret decoding depends on /etc/ssh keys, so make sure those are present.
-      system.activationScripts.setupSecretsForUsers = lib.mkIf secrets-for-users {
-        deps = [ "etc" ];
-      };
-      system.activationScripts.etc.deps = lib.mkForce [];
-      assertions = builtins.concatLists (builtins.attrValues (
-        builtins.mapAttrs
-          (path: value: [
-            {
-              assertion = (builtins.substring 0 1 value.user) == "+";
-              message = "non-numeric user for /etc/${path}: ${value.user} prevents early /etc linking";
-            }
-            {
-              assertion = (builtins.substring 0 1 value.group) == "+";
-              message = "non-numeric group for /etc/${path}: ${value.group} prevents early /etc linking";
-            }
-          ])
-          config.environment.etc
-      ));
-    })
   ]);
 }
 

modules/impermanence/root-on-tmpfs.nix

@@ -0,0 +1,16 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.sane.impermanence;
+in
+{
+  fileSystems."/" = lib.mkIf (cfg.enable && cfg.root-on-tmpfs) {
+    device = "none";
+    fsType = "tmpfs";
+    options = [
+      "mode=755"
+      "size=1G"
+      "defaults"
+    ];
+  };
+}

modules/sops.nix

@@ -0,0 +1,32 @@
+{ config, lib, ... }:
+
+let
+  # taken from sops-nix code: checks if any secrets are needed to create /etc/shadow
+  secrets-for-users = (lib.filterAttrs (_: v: v.neededForUsers) config.sops.secrets) != {};
+  sops-files = config.sops.age.sshKeyPaths ++ config.sops.gnupg.sshKeyPaths ++ [ config.sops.age.keyFile ];
+  keys-in-etc = builtins.any (p: builtins.substring 0 5 p == "/etc/") sops-files;
+in
+{
+  config = lib.mkIf (secrets-for-users && keys-in-etc) {
+    # secret decoding depends on keys in /etc/ (like the ssh host key), so make sure those are present.
+    system.activationScripts.setupSecretsForUsers = lib.mkIf secrets-for-users {
+      deps = [ "etc" ];
+    };
+    # TODO: we should selectively remove "users" and "groups", but keep manually specified deps?
+    system.activationScripts.etc.deps = lib.mkForce [];
+    assertions = builtins.concatLists (builtins.attrValues (
+      builtins.mapAttrs
+        (path: value: [
+          {
+            assertion = (builtins.substring 0 1 value.user) == "+";
+            message = "non-numeric user for /etc/${path}: ${value.user} prevents early /etc linking";
+          }
+          {
+            assertion = (builtins.substring 0 1 value.group) == "+";
+            message = "non-numeric group for /etc/${path}: ${value.group} prevents early /etc linking";
+          }
+        ])
+        config.environment.etc
+    ));
+  };
+}