nix-files/modules/persist/stores/private.nix


{ config, lib, pkgs, sane-lib, utils, ... }:
# The "private" persist store: a gocryptfs-encrypted FUSE mount whose ciphertext
# lives inside the plaintext store, so its contents survive reboots.
let
  cfg = config.sane.persist;
  # on-disk location of the plaintext store
  plaintextOrigin = cfg.stores."plaintext".origin;
  # mountpoint of the decrypted view (defaults to /mnt/private below)
  mountPoint = cfg.stores."private".origin;
  # encrypted backing directory, nested inside the plaintext store
  backingDir = sane-lib.path.concat [ plaintextOrigin mountPoint ];
  # systemd unit that performs the mount; entries auto-created in this store are ordered after it
  mountUnit = config.sane.fs."${mountPoint}".unit;

  mountOptions = [
    "noauto" # don't try to mount, until the user logs in!
    "nofail"
    # "nodev" # "Unknown parameter 'nodev'". gocryptfs requires this be passed as `-ko nodev`
    # "noexec" # handful of scripts in ~/private/knowledge that are executable
    # "nosuid" # "Unknown parameter 'nosuid'". gocryptfs requires this be passed as `-ko nosuid` (also nosuid is default)
    # root ends up being the user that mounts this, so need to make it visible to other users.
    # NOTE(review): with allow_other, access checks on the decrypted view rely on the FUSE
    # daemon (gocryptfs) enforcing them — confirm it mounts with default_permissions.
    "allow_other"
    # "quiet"
    # "defaults" # "unknown flag: --defaults. Try 'gocryptfs -help'"
  ];
in
lib.mkIf cfg.enable {
  sane.persist.stores."private" = {
    storeDescription = ''
      encrypted store which persists across boots.
      typical use case is for the user to encrypt this store using their login password so that it
      can be auto-unlocked at login.
    '';
    origin = lib.mkDefault "/mnt/private";
    defaultOrdering = {
      # auto create only after the store is mounted
      wantedBy = [ mountUnit ];
      # we can't create things in private before local-fs.target
      wantedBeforeBy = [ ];
    };
    defaultMethod = "symlink";
  };

  fileSystems."${mountPoint}" = {
    device = backingDir;
    fsType = "fuse.gocryptfs";
    options = mountOptions;
    # skip fsck: there is no checker for a FUSE filesystem
    noCheck = true;
  };

  sane.fs = {
    # let sane.fs know about the mount
    "${mountPoint}".mount = {};
    # it also needs to know that the underlying device is an ordinary folder
    "${backingDir}".dir = {};
  };

  # TODO: could add this *specifically* to the .mount file for the encrypted fs?
  system.fsPackages = [ pkgs.gocryptfs ]; # fuse needs to find gocryptfs
}