sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: make import encryted cache permanent across reboots (and make permissions more strict)

Browse source
This commit is contained in:
oddlama 2023-09-29 15:28:56 +02:00
parent 7d7f259fa0
commit 69e2574886
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
2 changed files with 3 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

1
modules/config/impermanence.nix
View file

@ -91,6 +91,7 @@ in {
directories = directories =
[ [
"/var/tmp/agenix-rekey" "/var/tmp/agenix-rekey"
"/var/tmp/nix-import-encrypted" # Decrypted repo-secrets can be kept
"/var/lib/systemd" "/var/lib/systemd"
"/var/log" "/var/log"
#{ directory = "/tmp"; mode = "1777"; } #{ directory = "/tmp"; mode = "1777"; }

3
nix/rage-decrypt-and-cache.sh
View file

@ -23,7 +23,8 @@ new_name="$(sha512sum "$file")"
new_name="${new_name:0:32}-${basename//"/"/"%"}" new_name="${new_name:0:32}-${basename//"/"/"%"}"
# Derive the path where the decrypted file will be stored # Derive the path where the decrypted file will be stored
out="/tmp/nix-import-encrypted/$new_name" out="/var/tmp/nix-import-encrypted.$UID/$new_name"
umask 077
mkdir -p "$(dirname "$out")" mkdir -p "$(dirname "$out")"
# Decrypt only if necessary # Decrypt only if necessary