From 3c7b5ac006c39d0091e16e1059455aa357443372 Mon Sep 17 00:00:00 2001
From: Patrick
Date: Fri, 12 Apr 2024 12:19:47 +0200
Subject: [PATCH] fix: dont redecrypt secrets every time
---
 config/basic/impermanence.nix | 4 ++++
 nix/rage-decrypt-and-cache.sh | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/config/basic/impermanence.nix b/config/basic/impermanence.nix
index b69d367..a6fac1e 100644
--- a/config/basic/impermanence.nix
+++ b/config/basic/impermanence.nix
@@ -31,6 +31,10 @@ in {
 "/var/log"
 "/var/lib/systemd"
 "/var/lib/nixos"
+ {
+ directory = "/var/tmp/nix-import-encrypted/";
+ mode = "0777";
+ }
 {
 directory = "/var/tmp/agenix-rekey";
 mode = "0777";
diff --git a/nix/rage-decrypt-and-cache.sh b/nix/rage-decrypt-and-cache.sh
index 8ee9f52..3291530 100755
--- a/nix/rage-decrypt-and-cache.sh
+++ b/nix/rage-decrypt-and-cache.sh
@@ -23,7 +23,7 @@ new_name="$(sha512sum "$file")"
 new_name="${new_name:0:32}-${basename//"/"/"%"}"
 # Derive the path where the decrypted file will be stored
-out="/tmp/nix-import-encrypted/$new_name"
+out="/var/tmp/nix-import-encrypted/$new_name"
 mkdir -p "$(dirname "$out")"
 # Decrypt only if necessary
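Review bot: The added entry persists `/var/tmp/nix-import-encrypted/` with `mode = "0777"`, which has no sticky bit, so any local account can rename or delete files that another user cached there. The script in this same commit stores decrypted secrets in that directory. Persisting it also means the plaintext cache now survives reboots, presumably until some cleanup job removes it. If several users must write here, `mode = "1777";` is the minimum. If only one account evaluates the configuration, `mode = "0700";` with `user` set to that account is the safer choice. The neighbouring `/var/tmp/agenix-rekey` entry uses the same mode and deserves the same look; the directory list starts and ends outside the hunk.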
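Review bot: `out` now points at a predictable name (a hash prefix of the encrypted file plus its basename) inside a directory that this commit makes world-writable and persistent, and nothing in the hunk restricts who may create or read the cached plaintext. If the "Decrypt only if necessary" step (outside the hunk) only tests that `$out` exists, a file put there by another local account would be reused as the decrypted content. The reuse condition should therefore also require ownership, e.g. `[[ -f "$out" && -O "$out" ]]`. Adding `umask 077` before the `mkdir -p` keeps the directory and the decrypted file private to the invoking user whenever the script is the one creating them.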