overthinkos/gocryptfs
infrastructure/skills/gocryptfs/SKILL.md
Encrypted filesystem (gocryptfs) for charly config encrypted volume operations. Use when working with encrypted volumes, charly config mount/unmount, or filesystem encryption.
development
Updated Jun 11, 2026
$ install --global
skillsauthnpx skillsauth add overthinkos/overthink-plugins gocryptfsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 11, 2026, 7:11 AM160.8s1 file scanned
SKILL.md
- name:
- gocryptfs
- description:
- |
gocryptfs -- Encrypted filesystem support
Candy Properties
| Property | Value |
|----------|-------|
| Install files | charly.yml (packages only) |
Packages
RPM: gocryptfs
Cross-distro coverage
rpm: (Fedora), pac: (Arch — community), deb: (Debian/Ubuntu — gocryptfs available in Debian main) — full parity.
Usage
# charly.yml
my-image:
candy:
- gocryptfs
Typically used as part of the charly candy (the full toolchain: charly binary + virtualization + gocryptfs + socat) rather than directly.
Runtime Behavior
When charly config mount or charly start mounts encrypted volumes, each gocryptfs daemon runs inside a systemd-run --scope --user --unit=charly-enc-<image>-<volume> scope unit. This decouples the FUSE mount lifecycle from the container service — mounts survive container stop/restart and remain browsable on the host.
The -allow_other flag is always passed to gocryptfs (required for rootless podman with --userns=keep-id). gocryptfs auto-enables default_permissions, so kernel UNIX permission checks still apply.
See /charly-automation:enc for full encrypted volume operations documentation.
Used In Boxes
- Part of the
charlycandy's full toolchain (used ingithubrunner)
Related Candies
/charly-infrastructure:virtualization-- part of thecharlycandy alongside gocryptfs/charly-infrastructure:socat-- part of thecharlycandy alongside gocryptfs
When to Use This Skill
Use when the user asks about:
- Encrypted volumes or filesystems
charly configencrypted volume operations (mount, unmount, status, passwd)- The
gocryptfscandy - systemd scope units for encrypted mounts (
charly-enc-*)
Author + Test References
/charly-image:layer— candy authoring reference (tasks, vars, env_provide, tests block syntax)/charly-eval:eval— declarative testing framework for theeval:block
Related Skills
overthinkos/charly
tools
VerifiedTrustedCommunity
OpenCharly CLI (charly) binary installed into container/VM images for in-container use. Use when working with charly binary deployment inside containers, native D-Bus support, or the full charly toolchain (charly binary + virtualization + gocryptfs + socat).
SKILL.mdUpdated Jun 10, 2026
overthinkos/charly-cachyos
development
VerifiedTrustedCommunity
Operator CachyOS workstation profile — a kind:local template + target:local deploy that installs the full dev stack (30 candies) onto a CachyOS host via ShellExecutor. Lives in the overthinkos/cachyos submodule. MUST be invoked before editing or applying the charly-cachyos workstation profile.
SKILL.mdUpdated Jun 10, 2026
overthinkos/charly-fedora
tools
VerifiedTrustedCommunity
Fedora box with the full charly toolchain using shared candies. Rootless-first — runs as uid=1000 with passwordless sudo (no root, no cap_add: ALL). Same candy list as charly-arch. Includes NVIDIA GPU runtime. MUST be invoked before building, deploying, configuring, or troubleshooting the charly-fedora box.
SKILL.mdUpdated Jun 10, 2026
overthinkos/charly-arch
tools
VerifiedTrustedCommunity
Arch Linux box with the full charly toolchain. Rootless-first — runs as uid=1000 with passwordless sudo (no root, no cap_add: ALL). Composes /charly-coder:charly-mcp so the box is reachable as an MCP gateway on port 18765. NVIDIA GPU runtime composed in. MUST be invoked before building, deploying, configuring, or troubleshooting the charly-arch box.
SKILL.mdUpdated Jun 10, 2026