From b40505f93c154f86940b23030503b926799b1347 Mon Sep 17 00:00:00 2001
From: oddlama <oddlama@oddlama.org>
Date: Wed, 4 Oct 2023 17:42:13 +0200
Subject: [PATCH] fix: cache nix-import-encrypted only on dev machines

---
 modules/optional/dev/default.nix | 5 ++++-
 nix/rage-decrypt-and-cache.sh    | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/modules/optional/dev/default.nix b/modules/optional/dev/default.nix
index 3723176..cdc1f68 100644
--- a/modules/optional/dev/default.nix
+++ b/modules/optional/dev/default.nix
@@ -23,7 +23,10 @@ lib.optionalAttrs (!minimal) {
       directory = "/var/tmp/agenix-rekey";
       mode = "1777";
     }
-    "/var/tmp/nix-import-encrypted" # Decrypted repo-secrets can be kept
+    {
+      directory = "/var/tmp/nix-import-encrypted"; # Decrypted repo-secrets can be kept
+      mode = "1777";
+    }
   ];
 
   services.nixseparatedebuginfod = {
diff --git a/nix/rage-decrypt-and-cache.sh b/nix/rage-decrypt-and-cache.sh
index 62b3eaa..b812ab7 100755
--- a/nix/rage-decrypt-and-cache.sh
+++ b/nix/rage-decrypt-and-cache.sh
@@ -23,7 +23,7 @@ new_name="$(sha512sum "$file")"
 new_name="${new_name:0:32}-${basename//"/"/"%"}"
 
 # Derive the path where the decrypted file will be stored
-out="/var/tmp/nix-import-encrypted.$UID/$new_name"
+out="/var/tmp/nix-import-encrypted/$UID/$new_name"
 umask 077
 mkdir -p "$(dirname "$out")"