From 69e25748867e30c967d5cb8d849531dbe823dde5 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Fri, 29 Sep 2023 15:28:56 +0200
Subject: [PATCH] feat: make import encryted cache permanent across reboots (and make permissions more strict)

---
 modules/config/impermanence.nix | 1 +
 nix/rage-decrypt-and-cache.sh | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/modules/config/impermanence.nix b/modules/config/impermanence.nix
index 6493119..04f0b40 100644
--- a/modules/config/impermanence.nix
+++ b/modules/config/impermanence.nix
@@ -91,6 +91,7 @@ in {
       directories = [
         "/var/tmp/agenix-rekey"
+        "/var/tmp/nix-import-encrypted" # Decrypted repo-secrets can be kept
         "/var/lib/systemd"
         "/var/log"
         #{ directory = "/tmp"; mode = "1777"; }
diff --git a/nix/rage-decrypt-and-cache.sh b/nix/rage-decrypt-and-cache.sh
index 8ee9f52..62b3eaa 100755
--- a/nix/rage-decrypt-and-cache.sh
+++ b/nix/rage-decrypt-and-cache.sh
@@ -23,7 +23,8 @@ new_name="$(sha512sum "$file")"
 new_name="${new_name:0:32}-${basename//"/"/"%"}"

 # Derive the path where the decrypted file will be stored
-out="/tmp/nix-import-encrypted/$new_name"
+out="/var/tmp/nix-import-encrypted.$UID/$new_name"
+umask 077
 mkdir -p "$(dirname "$out")"

 # Decrypt only if necessary
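Review bot: The persisted directory `"/var/tmp/nix-import-encrypted"` does not match the path the script now writes to, which is `/var/tmp/nix-import-encrypted.$UID/…` in the rage-decrypt-and-cache.sh hunk, so the cache still lives outside the persisted set and is lost on reboot, while an empty directory is persisted instead. Either drop the `.$UID` suffix in the script or persist the per-user directory the script actually uses; a glob is not available here, so the fixed form is probably a per-user entry such as `"/var/tmp/nix-import-encrypted.<uid>"` for each user that runs the importer (uid is a placeholder). Note also that this moves decrypted secrets from a reboot-volatile location onto persistent storage; the inline comment acknowledges this, but it would help to state that the script sets `umask 077` so the persisted files are 0600 and rely on that for confidentiality.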
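Review bot: `mkdir -p "$(dirname "$out")"` silently succeeds when `/var/tmp/nix-import-encrypted.$UID` already exists, and since `/var/tmp` is a shared sticky directory that pre-existing entry may have been created by a different user or with a looser mode than the new `umask 077` would give, so the decrypted file ends up inside a directory the script never verified. Verify the cache directory after creating it and abort otherwise: `cache_dir="$(dirname "$out")"`, `mkdir -p "$cache_dir"`, `[[ -O "$cache_dir" && ! -L "$cache_dir" ]] || { printf 'refusing to use %s: not owned by uid %s\n' "$cache_dir" "$UID" >&2; exit 1; }` (optionally also `chmod 700 "$cache_dir"`). `$UID` is a bash-only variable; the shebang is outside the hunk, so if this script can run under `sh` it may be empty and the path would collapse to `nix-import-encrypted./…`, in which case `"$(id -u)"` is the portable choice. The enclosing script continues outside the hunk on both sides.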