From eef580d596d3cba1aa903b546ec826f5bb169898 Mon Sep 17 00:00:00 2001
From: niten
Date: Mon, 18 Oct 2021 07:19:13 -0700
Subject: [PATCH] Create groups for encrypted filesystems

---
 lib/fudo/host-filesystems.nix | 20 +++++++++++++++++---
 lib/types/host.nix            | 16 +++++++++++++++-
 2 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/lib/fudo/host-filesystems.nix b/lib/fudo/host-filesystems.nix
index 7fe6902..8fa3a39 100644
--- a/lib/fudo/host-filesystems.nix
+++ b/lib/fudo/host-filesystems.nix
@@ -7,17 +7,31 @@ let
   optionalOrDefault = tst: str: default: if tst then str else default;
+  filesystemsToMountpointLists = mapAttrsToList
+    (fs: fsOpts: fsOpts.mountpoints);
+
 in {
   config = {
-    systemd = {
+    users.groups = let
+      mountpointToGroups = mp: mpOpts:
+        optional (mpOpts.group != null)
+        (nameValuePair mpOpts.group {
+          members = mpOpts.users;
+        });
+      mountpointListsToGroups = mapConcat
+        (mps: mapAttrsToList mountpointToGroups mps);
+    in listToAttrs
+      (mountpointListsToGroups
+        (filesystemsToMountpointLists host-filesystems));
+    systemd = {
       # Ensure the mountpoints exist
-      tmpfiles = let
+      tmpfiles.rules = let
         mountpointToPath = mp: mpOpts:
           "d '${mp}' - root ${optionalOrDefault mpOpts.group "-"} - -";
         filesystemsToMountpointLists = mapAttrsToList
           (fs: fsOpts: fsOpts.mountpoints);
-        mountpointListsToPaths = mapConcat
+        mountpointListsToPaths = concatMap
           (mps: mapAttrsToList mountpointToPath mps);
       in mountpointListsToPaths
         (filesystemsToMountpointLists host-filesystems);
diff --git a/lib/types/host.nix b/lib/types/host.nix
index 3ffd311..85681ab 100644
--- a/lib/types/host.nix
+++ b/lib/types/host.nix
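Review bot: `mountpointListsToGroups = mapConcat` in the new `users.groups` block of lib/fudo/host-filesystems.nix uses a name that this same hunk replaces with `concatMap` a few lines further down in the tmpfiles code, which suggests `mapConcat` is not in scope here either and evaluating `users.groups` will fail with an undefined-variable error; it should read `mountpointListsToGroups = concatMap`. A second problem is the final `listToAttrs`: it keeps one entry per name, so when two mountpoints name the same group only one of their `users` lists survives and the other users silently lose membership, which can be avoided by folding the pairs together, e.g. `lib.foldl' (acc: nv: acc // { ${nv.name}.members = (acc.${nv.name}.members or [ ]) ++ nv.value.members; }) { }` in place of `listToAttrs`. Note also that the unchanged tmpfiles rule still creates the mountpoint directory with mode `-` (the systemd-tmpfiles default, 0755), so group ownership alone does not keep non-members out of the directory before the filesystem is mounted; if the group is meant as an access boundary, `0750` there would be the matching setting. The `filesystemsToMountpointLists` binding added at the top duplicates the one still present inside `tmpfiles.rules`, so the inner copy can now be dropped.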
@@ -16,7 +16,21 @@ rec {
           description = "List of filesystem options specific to this mountpoint (eg: subvol).";
         };
-        # TODO: Access control. Group? List of users?
+        group = mkOption {
+          type = nullOr str;
+          description = "Group to which the mountpoint should belong.";
+          default = null;
+        };
+
+        users = mkOption {
+          type = listOf str;
+          description = ''
+            List of users who should have access to the filesystem.
+            Requires a group to be set.
+          '';
+          default = [ ];
+        };
       };
     };
 in {
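Review bot: The `users` option's description says "Requires a group to be set." but nothing enforces it; with `group = null` the consuming module in host-filesystems.nix guards with `optional (mpOpts.group != null)` and drops the users silently, so a misconfigured mountpoint evaluates cleanly while nobody is granted membership. An assertion where the options are consumed would surface this at build time, e.g. `assertion = mpOpts.users == [ ] || mpOpts.group != null;` with a message naming the mountpoint. The `group` description could also say what the host does with it, e.g. `description = "Group owning the mountpoint; created on the host with the listed users as members.";`. The enclosing submodule definition starts before this hunk.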