nixfiles/services/gocryptfs.nix

{ config, lib, pkgs, ... }:

{
  # todo: ideally we should support multiple encrypted directories
  options.services.gocryptfs = with lib; {
    enable = mkEnableOption "gocryptfs";
    package = mkOption {
      type = types.package;
      default = pkgs.gocryptfs;
      defaultText = "pkgs.gocryptfs";
      description = "gocryptfs package";
    };
    serviceName = mkOption {
      type = types.str;
      default = "gocryptfs";
      description = "gocryptfs service name";
    };

    passwordFile = mkOption {
      type = types.str;
      description = "path to the file containing the password";
    };

    cipherDir = mkOption {
      type = types.str;
      description = "path to the directory used as the underlying encrypted storage";
    };

    mountPoint = mkOption {
      type = types.str;
      description = "gocryptfs mount point";
    };

    extraInitOptions = mkOption {
      type = types.listOf types.str;
      default = [ ];
      description = "additional options to pass to gocryptfs -init";
    };
    
    extraOptions = mkOption {
      type = types.listOf types.str;
      default = [ ];
      description = "additional options to pass to gocryptfs mount";
    };
  };

  config = let 
    cfg = config.services.gocryptfs;
  in {
    systemd.services.${cfg.serviceName} = {
      description = "${cfg.serviceName} daemon";
      wantedBy = [ "multi-user.target" ];
      path = [ cfg.package ];
      serviceConfig = {
        User = "root";
        Group = "root";
      };
      script = ''
        set -euo pipefail

        if [ ! -d ${lib.escapeShellArg cfg.cipherDir} ]; then
          echo "gocryptfs: directory ${lib.escapeShellArg cfg.cipherDir} does not exist"
          exit 1
        fi

        if [ ! -f ${lib.escapeShellArg cfg.cipherDir}/gocryptfs.conf ]; then
          echo "gocryptfs: running gocryptfs -init"
          gocryptfs -init \
            -passfile ${lib.escapeShellArg cfg.passwordFile} \
            ${builtins.concatStringsSep " " (map lib.escapeShellArg cfg.extraInitOptions)} \
            ${lib.escapeShellArg cfg.cipherDir}
        fi

        if [ ! -d ${lib.escapeShellArg cfg.mountPoint} ]; then
          mkdir -p ${lib.escapeShellArg cfg.mountPoint}
        fi

        gocryptfs -fg -passfile ${lib.escapeShellArg cfg.passwordFile} \
          ${builtins.concatStringsSep " " (map lib.escapeShellArg cfg.extraOptions)} \
          ${lib.escapeShellArg cfg.cipherDir} ${lib.escapeShellArg cfg.mountPoint}
      '';
    };
  };
}
chore(koi): ecryptfs -> gocryptfs 2024-12-07 06:52:47 +03:00			`{ config, lib, pkgs, ... }:`

			`{`
			`# todo: ideally we should support multiple encrypted directories`
			`options.services.gocryptfs = with lib; {`
			`enable = mkEnableOption "gocryptfs";`
			`package = mkOption {`
			`type = types.package;`
			`default = pkgs.gocryptfs;`
			`defaultText = "pkgs.gocryptfs";`
			`description = "gocryptfs package";`
			`};`
			`serviceName = mkOption {`
			`type = types.str;`
			`default = "gocryptfs";`
			`description = "gocryptfs service name";`
			`};`

			`passwordFile = mkOption {`
			`type = types.str;`
			`description = "path to the file containing the password";`
			`};`

			`cipherDir = mkOption {`
			`type = types.str;`
			`description = "path to the directory used as the underlying encrypted storage";`
			`};`

			`mountPoint = mkOption {`
			`type = types.str;`
			`description = "gocryptfs mount point";`
			`};`

			`extraInitOptions = mkOption {`
			`type = types.listOf types.str;`
			`default = [ ];`
			`description = "additional options to pass to gocryptfs -init";`
			`};`

			`extraOptions = mkOption {`
			`type = types.listOf types.str;`
			`default = [ ];`
			`description = "additional options to pass to gocryptfs mount";`
			`};`
			`};`

			`config = let`
			`cfg = config.services.gocryptfs;`
			`in {`
			`systemd.services.${cfg.serviceName} = {`
			`description = "${cfg.serviceName} daemon";`
			`wantedBy = [ "multi-user.target" ];`
			`path = [ cfg.package ];`
			`serviceConfig = {`
			`User = "root";`
			`Group = "root";`
			`};`
			`script = ''`
			`set -euo pipefail`

			`if [ ! -d ${lib.escapeShellArg cfg.cipherDir} ]; then`
			`echo "gocryptfs: directory ${lib.escapeShellArg cfg.cipherDir} does not exist"`
			`exit 1`
			`fi`

			`if [ ! -f ${lib.escapeShellArg cfg.cipherDir}/gocryptfs.conf ]; then`
			`echo "gocryptfs: running gocryptfs -init"`
			`gocryptfs -init \`
			`-passfile ${lib.escapeShellArg cfg.passwordFile} \`
			`${builtins.concatStringsSep " " (map lib.escapeShellArg cfg.extraInitOptions)} \`
			`${lib.escapeShellArg cfg.cipherDir}`
			`fi`

			`if [ ! -d ${lib.escapeShellArg cfg.mountPoint} ]; then`
			`mkdir -p ${lib.escapeShellArg cfg.mountPoint}`
			`fi`

			`gocryptfs -fg -passfile ${lib.escapeShellArg cfg.passwordFile} \`
			`${builtins.concatStringsSep " " (map lib.escapeShellArg cfg.extraOptions)} \`
			`${lib.escapeShellArg cfg.cipherDir} ${lib.escapeShellArg cfg.mountPoint}`
			`'';`
			`};`
			`};`
			`}`