feat(wealthfolio): add gocryptfs wrapper with vault mount/unmount

workflow · workflow · commit d641562d4014 · 2026-03-15T01:11:22.000+01:00
Restructure wealthfolio module to directory with wrapper script that
prompts for password via zenity, mounts gocryptfs vault, creates
symlinks from XDG paths, and unmounts on exit. Remove impermanence
dirs (now handled by nixos-secrets vault persistence). Add desktop
entry pointing to the wrapper.
diff --git a/flake.lock b/flake.lock
diff --git a/parts/features/apps/wealthfolio/default.nix b/parts/features/apps/wealthfolio/default.nix
@@ -1,7 +1,5 @@
 {...}: {
   flake.modules.homeManager.wealthfolio = {
-    lib,
-    osConfig,
     pkgs,
     ...
   }: let
@@ -42,15 +40,22 @@
           | sponge apps/tauri/tauri.conf.json
       '';
     });
-  in {
-    home.persistence."/persist" = lib.mkIf osConfig.dendrix.isImpermanent {
-      directories = [
-        ".local/share/com.teymz.wealthfolio"
-        ".local/share/Wealthfolio"
-        ".config/com.teymz.wealthfolio"
-      ];
+
+    wealthfolio-wrapper = pkgs.writeShellApplication {
+      name = "wealthfolio-wrapper";
+      runtimeInputs = [wealthfolio pkgs.gocryptfs pkgs.zenity pkgs.util-linux pkgs.coreutils pkgs.procps];
+      text = builtins.readFile ./wealthfolio-wrapper.sh;
     };
+  in {
+    home.packages = [wealthfolio wealthfolio-wrapper];
 
-    home.packages = [wealthfolio];
+    xdg.desktopEntries.Wealthfolio = {
+      name = "Wealthfolio";
+      exec = "wealthfolio-wrapper";
+      terminal = false;
+      type = "Application";
+      categories = ["Office" "Finance"];
+      icon = "com.teymz.wealthfolio";
+    };
   };
 }
diff --git a/parts/features/apps/wealthfolio/wealthfolio-wrapper.sh b/parts/features/apps/wealthfolio/wealthfolio-wrapper.sh
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+# Wrapper that mounts a gocryptfs vault before launching Wealthfolio
+# and unmounts it on exit. Provides encryption-at-rest for financial data.
+#
+# Mounts the vault directly at the XDG data path so Wealthfolio
+# reads/writes through the FUSE mount transparently.
+
+VAULT_DIR="$HOME/.wealthfolio-vault"
+MOUNT_DIR="$HOME/.local/share/com.teymz.wealthfolio"
+
+cleanup() {
+    if mountpoint -q "$MOUNT_DIR"; then
+        /run/wrappers/bin/fusermount -u "$MOUNT_DIR"
+    fi
+    # Remove plaintext leftovers from the underlying directory
+    rm -rf "${MOUNT_DIR:?}"/*
+}
+
+trap cleanup EXIT INT TERM
+
+if mountpoint -q "$MOUNT_DIR"; then
+    if pgrep -x Wealthfolio > /dev/null; then
+        exec Wealthfolio
+    fi
+    # Stale mount from a crashed session — clean it up
+    /run/wrappers/bin/fusermount -u "$MOUNT_DIR"
+fi
+
+password=$(zenity --password --title="Wealthfolio Vault") || exit 0
+
+mkdir -p "$VAULT_DIR" "$MOUNT_DIR"
+
+# First-run: initialize the vault
+if [ ! -f "$VAULT_DIR/gocryptfs.conf" ]; then
+    echo "$password" | gocryptfs -init -q "$VAULT_DIR"
+fi
+
+echo "$password" | gocryptfs -q -nonempty "$VAULT_DIR" "$MOUNT_DIR"
+unset password
+
+Wealthfolio &
+WEALTHFOLIO_PID=$!
+wait "$WEALTHFOLIO_PID" || true
+
+# Also wait for any forked children
+while pgrep -x Wealthfolio > /dev/null; do
+    sleep 1
+done
