From 7341044060e395e63225e5393b2f6a1d1ef38cbc Mon Sep 17 00:00:00 2001
From: Ivan Nikolaenko
Date: Tue, 20 Aug 2024 17:47:46 +0300
Subject: [PATCH] Fix ownership and permissions for chromium data

Also save SSH host keys for VMs that are using storage services

Signed-off-by: Ivan Nikolaenko
---
 .../microvm/common/storagevm.nix | 41 ++++++++++++++++---
 modules/reference/appvms/business.nix | 7 ++--
 modules/reference/appvms/chromium.nix | 7 ++--
 3 files changed, 44 insertions(+), 11 deletions(-)

diff --git a/modules/microvm/virtualization/microvm/common/storagevm.nix b/modules/microvm/virtualization/microvm/common/storagevm.nix
index e07b647d3..16d0cb732 100644
--- a/modules/microvm/virtualization/microvm/common/storagevm.nix
+++ b/modules/microvm/virtualization/microvm/common/storagevm.nix
@@ -36,6 +36,32 @@ in
 Directories to bind mount to persistent storage.
 '';
 };
+ users = mkOption {
+ type = types.anything;
+ default = { };
+ example = {
+ "user".directories = [
+ "Downloads"
+ "Music"
+ "Pictures"
+ "Documents"
+ "Videos"
+ ];
+ };
+ description = ''
+ User-specific directories to bind mount to persistent storage.
+ '';
+ };
+ files = mkOption {
+ type = types.anything;
+ default = [ ];
+ example = [ "/etc/machine-id" ];
+ description = ''
+ Files to bind mount to persistent storage.
+ '';
+ };
 };
 config = lib.mkIf cfg.enable {
@@ -51,10 +77,15 @@ in
 }
 ];
- environment.persistence.${mountPath} = {
- hideMounts = true;
- inherit (cfg) directories;
- # inherit (cfg) directories;
- };
+ environment.persistence.${mountPath} = lib.mkMerge [
+ {
+ hideMounts = true;
+ files = [
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ "/etc/ssh/ssh_host_ed25519_key"
+ ];
+ }
+ { inherit (cfg) directories users files; }
+ ];
 };
}
diff --git a/modules/reference/appvms/business.nix b/modules/reference/appvms/business.nix
index d1f95c077..4acf441e9 100644
--- a/modules/reference/appvms/business.nix
+++ b/modules/reference/appvms/business.nix
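Review bot: Both new options are declared with `type = types.anything`, so a malformed value (a plain string where a list of paths is expected, or a typo in a user attribute name) is accepted at the `ghaf.storagevm` boundary and only fails, if at all, deep inside the persistence module's evaluation. Narrower types would reject it where the user wrote it, e.g. `type = types.attrsOf types.anything;` for `users` and `type = types.listOf (types.either types.str types.attrs);` for `files`. The `users` description mentions only directories; if per-user `files` are meant to pass through as well, the description should say so, otherwise it should state that only `directories` is supported so callers do not rely on it silently.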
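Review bot: The private host key `/etc/ssh/ssh_host_ed25519_key` is now bind-mounted from persistent storage for every VM that enables storagevm, unconditionally and in a merge element a VM cannot override through the new `files` option, so a VM that does not run sshd still gets the path persisted and the key's confidentiality now rests on the persistent volume's access controls. Gating the two entries on the SSH service, e.g. `files = lib.optionals config.services.openssh.enable [ "/etc/ssh/ssh_host_ed25519_key.pub" "/etc/ssh/ssh_host_ed25519_key" ];` (assuming `config` is a module argument here), or making them the default of the new `files` option, would let a VM opt out. A short comment above the list stating why the key is persisted (a stable host identity across reboots, presumably the intent of the commit message) would also help, since nothing in the module explains it. The key's on-disk mode once it lives on the persistent volume is not visible in this hunk; worth confirming it stays 0600 after the bind mount.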
@@ -10,9 +10,10 @@ let
 #TODO: Move this to a common place
 xdgPdfPort = 1200;
+ name = "business";
 in
 {
- name = "business";
+ name = "${name}";
 packages =
 let
 # PDF XDG handler is executed when the user opens a PDF file in the browser
@@ -78,8 +79,8 @@ in
 ghaf.reference.programs.chromium.enable = true;
 ghaf.storagevm = {
 enable = true;
- name = "business";
- directories = [ "/home/${config.ghaf.users.accounts.user}/.config" ];
+ name = "${name}";
+ users.${config.ghaf.users.accounts.user}.directories = [ ".config" ];
 };
 # Set default PDF XDG handler
diff --git a/modules/reference/appvms/chromium.nix b/modules/reference/appvms/chromium.nix
index d529d2cd5..f432a555f 100644
--- a/modules/reference/appvms/chromium.nix
+++ b/modules/reference/appvms/chromium.nix
@@ -10,9 +10,10 @@ let
 inherit (lib) hasAttr optionals;
 xdgPdfPort = 1200;
+ name = "chromium";
 in
 {
- name = "chromium";
+ name = "${name}";
 packages =
 let
 # PDF XDG handler is executed when the user opens a PDF file in the browser
@@ -73,8 +74,8 @@ in
 ghaf.reference.programs.chromium.enable = true;
 ghaf.storagevm = {
 enable = true;
- name = "business";
- directories = [ "/home/${config.ghaf.users.accounts.user}/.config" ];
+ name = "${name}";
+ users.${config.ghaf.users.accounts.user}.directories = [ ".config" ];
 };
 # Set default PDF XDG handler
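Review bot: `name = "${name}";` interpolates the `name` binding into an otherwise empty string, which is just `name` with extra quoting; `inherit name;` says the same thing without the indirection, both here and in the matching first hunk of chromium.nix. The `#TODO: Move this to a common place` context line now applies to the new `name` binding too, since the same three-line pattern is duplicated across the two appvm files; a note on that TODO naming `name` alongside `xdgPdfPort` would keep the intent visible.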
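Review bot: `users.${config.ghaf.users.accounts.user}.directories = [ ".config" ];` persists the user's entire XDG config directory, not only the Chromium profile the commit subject names, so any other application state written under `.config` in this VM also survives reboots and widens what is retained on the persistent volume. If only browser data is meant to persist, narrowing the entry to `".config/chromium"` keeps the persisted set minimal; the same applies to the corresponding second hunk in chromium.nix. A one-line comment above the `users` line stating what is persisted and that ownership now follows the user entry (presumably the mechanism behind the "ownership and permissions" fix in the subject) would help the next reader, since the commit message is the only place that explains it.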