colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

common/fs: mount /mnt/servo/media/* directories more granularly

Browse Source 
this benefits sandboxing
This commit is contained in:
Colin 2024-04-01 07:31:25 +00:00
parent bbb93600b7
commit 331e673589
1 changed files with 16 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
hosts/common/fs.nix
View File

@ -2,7 +2,7 @@
# - x-systemd options: <https://www.freedesktop.org/software/systemd/man/systemd.mount.html>
# - fuse options: `man mount.fuse`
{ config, lib, pkgs, sane-lib, ... }:
{ config, lib, pkgs, sane-lib, utils, ... }:
let
fsOpts = rec {
@ -132,14 +132,14 @@ let
dir.acl.mode = "0750";
};
fileSystems."/mnt/servo/${subdir}" = {
device = "servo-hn:/${subdir}";
device = "ftp://servo-hn:/${subdir}";
noCheck = true;
fsType = "fuse.curlftpfs";
options = fsOpts.ftp ++ fsOpts.noauto ++ fsOpts.wg;
# fsType = "nfs";
# options = fsOpts.nfs ++ fsOpts.lazyMount ++ fsOpts.wg;
};
systemd.services."automount-servo-${subdir}" = let
systemd.services."automount-servo-${utils.escapeSystemdPath subdir}" = let
fs = config.fileSystems."/mnt/servo/${subdir}";
in {
# this is a *flaky* network mount, especially on moby.
@ -161,7 +161,7 @@ let
"-s" # single-threaded (TODO: it's probably ok to disable this?)
"-o"
(lib.concatStringsSep "," (lib.filter (o: !lib.hasPrefix "x-systemd." o) fs.options))
"ftp://${fs.device}"
fs.device
"/mnt/servo/${subdir}"
];
# not sure if this configures a linear, or exponential backoff.
@ -218,7 +218,18 @@ lib.mkMerge [
(remoteHome "desko")
(remoteHome "lappy")
(remoteHome "moby")
(remoteServo "media")
# this granularity of servo media mounts is necessary to support sandboxing:
# for flaky mounts, we can only bind the mountpoint itself into the sandbox,
# so it's either this or unconditionally bind all of media/.
(remoteServo "media/archive")
(remoteServo "media/Books")
(remoteServo "media/collections")
# (remoteServo "media/datasets")
(remoteServo "media/freeleech")
(remoteServo "media/games")
(remoteServo "media/Music")
(remoteServo "media/Pictures/macros")
(remoteServo "media/Videos")
(remoteServo "playground")
]