Create groups for encrypted filesystems

lib/fudo/host-filesystems.nix

@@ -7,17 +7,31 @@ let
 
   optionalOrDefault = tst: str: default: if tst then str else default;
 
+  filesystemsToMountpointLists = mapAttrsToList
+    (fs: fsOpts: fsOpts.mountpoints);
+
 in {
   config = {
-    systemd = {
+    users.groups = let
+      mountpointToGroups = mp: mpOpts:
+        optional (mpOpts.group != null)
+          (nameValuePair mpOpts.group {
+            members = mpOpts.users;
+          });
+      mountpointListsToGroups = mapConcat
+        (mps: mapAttrsToList mountpointToGroups mps);
+    in listToAttrs
+      (mountpointListsToGroups
+        (filesystemsToMountpointLists host-filesystems));
 
+    systemd = {
       # Ensure the mountpoints exist
-      tmpfiles = let
+      tmpfiles.rules = let
         mountpointToPath = mp: mpOpts:
           "d '${mp}' - root ${optionalOrDefault mpOpts.group "-"} - -";
         filesystemsToMountpointLists = mapAttrsToList
           (fs: fsOpts: fsOpts.mountpoints);
-        mountpointListsToPaths = mapConcat
+        mountpointListsToPaths = concatMap
           (mps: mapAttrsToList mountpointToPath mps);
       in mountpointListsToPaths (filesystemsToMountpointLists host-filesystems);
 

lib/types/host.nix

@@ -16,7 +16,21 @@ rec {
           description = "List of filesystem options specific to this mountpoint (eg: subvol).";
         };
 
-        # TODO: Access control. Group? List of users?
+        group = mkOption {
+          type = nullOr str;
+          description = "Group to which the mountpoint should belong.";
+          default = null;
+        };
+
+        users = mkOption {
+          type = listOf str;
+          description = ''
+            List of users who should have access to the filesystem.
+
+            Requires a group to be set.
+          '';
+          default = [ ];
+        };
       };
     };
   in {