76 lines
2.8 KiB
Nix
76 lines
2.8 KiB
Nix
{ config, lib, pkgs, sane-lib, utils, ... }:
|
|
|
|
let
|
|
persist-base = "/nix/persist";
|
|
origin = config.sane.persist.stores."cryptClearOnBoot".origin;
|
|
key = "${origin}.key";
|
|
backing = sane-lib.path.concat [ persist-base "crypt/clearedonboot" ];
|
|
in
|
|
lib.mkIf config.sane.persist.enable
|
|
{
|
|
sane.persist.stores."cryptClearOnBoot" = {
|
|
storeDescription = ''
|
|
stored to disk, but encrypted to an in-memory key and cleared on every boot
|
|
so that it's unreadable after power-off
|
|
'';
|
|
origin = lib.mkDefault "/mnt/persist/crypt/clearedonboot";
|
|
};
|
|
|
|
|
|
fileSystems."${origin}" = {
|
|
device = backing;
|
|
fsType = "fuse.gocryptfs";
|
|
options = [
|
|
# "nodev" # "Unknown parameter 'nodev'". gocryptfs requires this be passed as `-ko nodev`
|
|
# "nosuid" # "Unknown parameter 'nosuid'". gocryptfs requires this be passed as `-ko nosuid` (also, nosuid is default)
|
|
"allow_other" # root ends up being the user that mounts this, so need to make it visible to other users.
|
|
"passfile=${key}"
|
|
# "defaults" # "unknown flag: --defaults. Try 'gocryptfs -help'"
|
|
];
|
|
noCheck = true;
|
|
};
|
|
# let sane.fs know about our fileSystem and automatically add the appropriate dependencies
|
|
sane.fs."${origin}".mount = {
|
|
# technically the dependency on the keyfile is extraneous because that *happens* to
|
|
# be needed to init the store.
|
|
depends = let
|
|
cryptfile = config.sane.fs."${backing}/gocryptfs.conf";
|
|
keyfile = config.sane.fs."${key}";
|
|
in [ keyfile.unit cryptfile.unit ];
|
|
};
|
|
|
|
# let sane.fs know how to initialize the gocryptfs store,
|
|
# and that it MUST do so
|
|
sane.fs."${backing}/gocryptfs.conf".generated = let
|
|
script = pkgs.writeShellScript "init-gocryptfs-store" ''
|
|
backing="$1"
|
|
passfile="$2"
|
|
# clear the backing store
|
|
# TODO: we should verify that it's not mounted anywhere...
|
|
# - specifically, there's a bug here right now where if the `sane.fs`
|
|
# details change, a deploy onto a live system will restart this service,
|
|
# corrupting all of this store.
|
|
rm -rf "''${backing:?}"/*
|
|
${pkgs.gocryptfs}/bin/gocryptfs -quiet -passfile "$passfile" -init "$backing"
|
|
'';
|
|
in {
|
|
command = [ "${script}" backing key ];
|
|
# we need the key in order to initialize the store
|
|
depends = [ config.sane.fs."${key}".unit ];
|
|
};
|
|
|
|
# let sane.fs know how to generate the key for gocryptfs
|
|
sane.fs."${key}".generated = let
|
|
script = pkgs.writeShellScript "gen-random-gocryptfs-key" ''
|
|
dd if=/dev/random bs=128 count=1 | base64 --wrap=0 > "$1"
|
|
'';
|
|
in {
|
|
command = [ "${script}" key ];
|
|
# no need for anyone else to be able to read the key
|
|
acl.mode = "0400";
|
|
};
|
|
|
|
# TODO: could add this *specifically* to the .mount file for the encrypted fs?
|
|
system.fsPackages = [ pkgs.gocryptfs ]; # fuse needs to find gocryptfs
|
|
}
|