50 lines
1.6 KiB
Nix
50 lines
1.6 KiB
Nix
{ config, lib, pkgs, utils, ... }:
|
|
|
|
lib.mkIf config.sane.persist.enable
|
|
{
|
|
sane.persist.stores."private" = {
|
|
storeDescription = ''
|
|
encrypted to the user's password and auto-unlocked at login
|
|
'';
|
|
origin = "/home/colin/private";
|
|
# files stored under here *must* have the /home/colin prefix.
|
|
# internally, this prefix is removed so that e.g.
|
|
# /home/colin/foo/bar when stored in `private` is visible at
|
|
# /home/colin/private/foo/bar
|
|
prefix = "/home/colin";
|
|
defaultOrdering = let
|
|
private-unit = config.sane.fs."/home/colin/private".unit;
|
|
in {
|
|
# auto create only after ~/private is mounted
|
|
wantedBy = [ private-unit ];
|
|
# we can't create things in private before local-fs.target
|
|
wantedBeforeBy = [ ];
|
|
};
|
|
defaultMethod = "symlink";
|
|
};
|
|
|
|
fileSystems."/home/colin/private" = {
|
|
device = "/nix/persist/home/colin/private";
|
|
fsType = "fuse.gocryptfs";
|
|
options = [
|
|
"noauto" # don't try to mount, until the user logs in!
|
|
"nofail"
|
|
"allow_other" # root ends up being the user that mounts this, so need to make it visible to `colin`.
|
|
"nodev"
|
|
"nosuid"
|
|
"quiet"
|
|
"defaults"
|
|
];
|
|
noCheck = true;
|
|
};
|
|
|
|
# let sane.fs know about the mount
|
|
sane.fs."/home/colin/private".mount = {};
|
|
# it also needs to know that the underlying device is an ordinary folder
|
|
sane.fs."/nix/persist/home/colin/private".dir = {};
|
|
|
|
# TODO: could add this *specifically* to the .mount file for the encrypted fs?
|
|
system.fsPackages = [ pkgs.gocryptfs ]; # fuse needs to find gocryptfs
|
|
}
|
|
|