
feat: make import encryted cache permanent across reboots (and make permissions more strict)

This commit is contained in:
oddlama 2023-09-29 15:28:56 +02:00
parent 7d7f259fa0
commit 69e2574886
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
2 changed files with 3 additions and 1 deletions


@ -91,6 +91,7 @@ in {
directories =
[
"/var/tmp/agenix-rekey"
"/var/tmp/nix-import-encrypted" # Decrypted repo-secrets can be kept
"/var/lib/systemd"
"/var/log"
#{ directory = "/tmp"; mode = "1777"; }
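Review bot: The persisted path `"/var/tmp/nix-import-encrypted"` added here does not match the path the script in the second file now writes to, `/var/tmp/nix-import-encrypted.$UID/...`, so the decrypted cache is still not carried across reboots and the persisted directory stays unused. Either the persistence entry has to cover each per-UID directory the script creates (for root that would be `"/var/tmp/nix-import-encrypted.0"`), or the script should drop the `.$UID` suffix and use the persisted path directly. Since this directory holds decrypted repo-secrets, it is also worth pinning its mode on the entry itself in the form the commented-out `/tmp` line shows, e.g. `{ directory = "/var/tmp/nix-import-encrypted"; mode = "0700"; }`, rather than relying on the script's `umask 077`, which only affects directories the script creates and not one the persistence module sets up first; what default mode the plain-string form gets is not visible here and should be confirmed. The `directories` list begins at the top of the hunk and continues past its end.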


@ -23,7 +23,8 @@ new_name="$(sha512sum "$file")"
new_name="${new_name:0:32}-${basename//"/"/"%"}"
# Derive the path where the decrypted file will be stored
out="/tmp/nix-import-encrypted/$new_name"
out="/var/tmp/nix-import-encrypted.$UID/$new_name"
umask 077
mkdir -p "$(dirname "$out")"
# Decrypt only if necessary