From cbf87fe8cf8c35b914b948820ef74d82848ae46b Mon Sep 17 00:00:00 2001
From: niten
Date: Mon, 18 Oct 2021 07:03:01 -0700
Subject: [PATCH] Ensure mountpoints exist
---
 lib/fudo/host-filesystems.nix | 23 +++++++++++++++++--
 lib/fudo/hosts.nix | 42 ----------------------------------
 2 files changed, 21 insertions(+), 44 deletions(-)
diff --git a/lib/fudo/host-filesystems.nix b/lib/fudo/host-filesystems.nix
index 4e98fe2..7fe6902 100644
--- a/lib/fudo/host-filesystems.nix
+++ b/lib/fudo/host-filesystems.nix
@@ -4,9 +4,24 @@ with lib;
 let
 hostname = config.instance.hostname;
 host-filesystems = config.fudo.hosts.${hostname}.encrypted-filesystems;
+
+ optionalOrDefault = tst: str: default: if tst then str else default;
+
 in {
 config = {
 systemd = {
+
+ # Ensure the mountpoints exist tmpfiles = let mountpointToPath = mp: mpOpts: "d '${mp}' - root ${optionalOrDefault mpOpts.group "-"} - -"; filesystemsToMountpointLists = mapAttrsToList (fs: fsOpts: fsOpts.mountpoints); mountpointListsToPaths = mapConcat (mps: mapAttrsToList mountpointToPath mps); in mountpointListsToPaths (filesystemsToMountpointLists host-filesystems);
+
+ # Actual mounts of decrypted filesystems
 mounts = let
 filesystems = mapAttrsToList (fs: opts: { filesystem = fs; opts = opts; })
@@ -26,8 +41,9 @@ in {
 }) fs.opts.mountpoints) filesystems;
- in builtins.trace mounts mounts;
+ in mounts;
+ # Jobs to decrypt the encrypted devices
 services = mapAttrs' (filesystem-name: opts: nameValuePair "${filesystem-name}-decrypt" {
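Review bot: `optionalOrDefault mpOpts.group "-"` on the new `mountpointToPath` line passes only two of the three arguments `optionalOrDefault` is declared with (`tst: str: default:`), so the interpolation receives a partially applied function and the tmpfiles string cannot be built; even with a third argument, `tst` is used as the `if` condition, which only works if `mpOpts.group` is a boolean rather than a group name. If the intent is "the group when set, otherwise `-`", the helper is not needed: `"d '${mp}' - root ${if mpOpts.group != null then mpOpts.group else "-"} - -"`. `mapConcat` is not defined anywhere visible in this hunk and nixpkgs `lib` provides `concatMap`, so confirm it exists in the file's scope before this evaluates. Note also that tmpfiles creates every mountpoint on each boot with the default mode whether or not the matching decrypt and mount jobs succeed, so anything that writes to the path before the mount is active lands on the unencrypted root filesystem; consumers should order after the mount (`RequiresMountsFor=`) or the directory should be created with a restrictive mode.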
@@ -35,8 +51,10 @@ in {
 description = "Decrypt the ${filesystem-name} filesystem when the key is available at ${opts.key-path}";
 path = with pkgs; [ cryptsetup ];
 serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
 ExecStart = pkgs.writeShellScript "decrypt-${filesystem-name}.sh" ''
- cryptsetup open --type luks --key-file ${opts.key-path} ${opts.encrypted-device} ${filesystem-name}
+ [ ! -d /dev/mapper/${filesystem-name} ] || cryptsetup open --type luks --key-file ${opts.key-path} ${opts.encrypted-device} ${filesystem-name}
 '';
 ExecStop = pkgs.writeShellScript "close-${filesystem-name}.sh" ''
 cryptsetup close /dev/mapper/${filesystem-name}
@@ -45,6 +63,7 @@ in {
 }) host-filesystems;
+ # Watch the path of the key, trigger decrypt when it's available
 paths = mapAttrs' (filesystem-name: opts: nameValuePair "${filesystem-name}-decrypt" {
diff --git a/lib/fudo/hosts.nix b/lib/fudo/hosts.nix
index a5c9c59..a21b4ae 100644
--- a/lib/fudo/hosts.nix
+++ b/lib/fudo/hosts.nix
@@ -74,23 +74,6 @@ in {
 in concatStringsSep "\n" sorted-unique;
 };
- # fudo.hosts.${hostname}.build-pubkeys =
- # map builtins.readFile
- # (map (build-key-path: "${build-key-path}/${hostname}.key.pub")
- # (optional (site.build-key-path != null) site.build-key-path));
-
- # nix = mkIf
- # (has-build-servers && has-build-keys && site.enable-distributed-builds) {
- # buildMachines = mapAttrsToList (hostname: buildOpts: {
- # hostName = "${hostname}.${domain-name}";
- # maxJobs = buildOpts.max-jobs;
- # speedFactor = buildOpts.speed-factor;
- # supportedFeatures = buildOpts.supported-features;
- # sshKey = config.fudo.secrets.host-secrets.${hostname}.build-private-key.target-file;
- # }) site.build-servers;
- # distributedBuilds = true;
- # };
-
 time.timeZone = site.timezone;
 krb5.libdefaults.default_realm = domain.gssapi-realm;
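Review bot: The guard `[ ! -d /dev/mapper/${filesystem-name} ]` on the new ExecStart line tests for a directory, but an open dm-crypt mapping shows up under /dev/mapper as a block device node (typically a symlink to `/dev/dm-N`), so the test is always true and `cryptsetup open` still runs unconditionally — on a restart it fails because the mapping name is already in use, which defeats the idempotence the new `Type = "oneshot"` / `RemainAfterExit = true` pair is meant to provide. An existence test gives the intended skip: `[ -e /dev/mapper/${filesystem-name} ] || cryptsetup open --type luks --key-file ${opts.key-path} ${opts.encrypted-device} ${filesystem-name}`. The enclosing `services` attribute begins and ends outside this hunk.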
@@ -152,30 +135,5 @@ in {
 };
 boot.tmpOnTmpfs = host-cfg.tmp-on-tmpfs;
-
- # programs.ssh.knownHosts = let
- # keyed-hosts =
- # filterAttrs (host: opts: opts.ssh-pubkeys != []) config.fudo.hosts;
-
- # crossProduct = f: list0: list1:
- # concatMap (el0: map (el1: f el0 el1) list1) list0;
-
- # getHostnames = hostOpts:
- # [ hostOpts.hostname ]
- # ++ (crossProduct (host: domain: "${host}.${domain}")
- # ([ hostOpts.hostname ] ++ hostOpts.aliases)
- # ([ hostOpts.domain ] ++ hostOpts.extra-domains));
-
- # getHostEntryPairs = host:
- # map (hostname: nameValuePair hostname { publicKey = host.ssh-pubkey; })
- # (getHostnames host);
-
- # hostAttrsToList = hostAttrs:
- # mapAttrsToList (hostname: opts: { hostname = hostname; } // opts)
- # hostAttrs;
-
- # getKnownHosts = hosts:
- # concatMap getHostEntryPairs (hostAttrsToList hosts);
- # in listToAttrs (getKnownHosts keyed-hosts);
 };
 }