{ config, lib, pkgs, sane-lib, utils, ... }: let # TODO: parameterize! persist-base = "/nix/persist"; private-dir = config.sane.persist.stores."private".origin; # TODO: remove the `prefix` part of this (will require data migration) private-backing-dir = sane-lib.path.concat [ persist-base config.sane.persist.stores."private".prefix "private" ]; in lib.mkIf config.sane.persist.enable { sane.persist.stores."private" = { storeDescription = '' encrypted store which persists across boots. typical use case is for the user to encrypt this store using their login password so that it can be auto-unlocked at login. ''; origin = lib.mkDefault "/mnt/private"; defaultOrdering = let private-unit = config.sane.fs."${private-dir}".unit; in { # auto create only after the store is mounted wantedBy = [ private-unit ]; # we can't create things in private before local-fs.target wantedBeforeBy = [ ]; }; defaultMethod = "symlink"; }; fileSystems."${private-dir}" = { device = private-backing-dir; fsType = "fuse.gocryptfs"; options = [ "noauto" # don't try to mount, until the user logs in! "nofail" # "nodev" # "Unknown parameter 'nodev'". gocryptfs requires this be passed as `-ko nodev` # "noexec" # handful of scripts in ~/knowledge that are executable # "nosuid" # "Unknown parameter 'nosuid'". gocryptfs requires this be passed as `-ko nosuid` (also nosuid is default) "allow_other" # root ends up being the user that mounts this, so need to make it visible to other users. # "quiet" # "defaults" # "unknown flag: --defaults. Try 'gocryptfs -help'" ]; noCheck = true; }; # let sane.fs know about the mount sane.fs."${private-dir}".mount = {}; # it also needs to know that the underlying device is an ordinary folder sane.fs."${private-backing-dir}".dir = {}; # TODO: could add this *specifically* to the .mount file for the encrypted fs? system.fsPackages = [ pkgs.gocryptfs ]; # fuse needs to find gocryptfs }