common/fs: mount /mnt/servo/media/* directories more granularly
this benefits sandboxing
This commit is contained in:
parent
bbb93600b7
commit
331e673589
|
@ -2,7 +2,7 @@
|
||||||
# - x-systemd options: <https://www.freedesktop.org/software/systemd/man/systemd.mount.html>
|
# - x-systemd options: <https://www.freedesktop.org/software/systemd/man/systemd.mount.html>
|
||||||
# - fuse options: `man mount.fuse`
|
# - fuse options: `man mount.fuse`
|
||||||
|
|
||||||
{ config, lib, pkgs, sane-lib, ... }:
|
{ config, lib, pkgs, sane-lib, utils, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
fsOpts = rec {
|
fsOpts = rec {
|
||||||
|
@ -132,14 +132,14 @@ let
|
||||||
dir.acl.mode = "0750";
|
dir.acl.mode = "0750";
|
||||||
};
|
};
|
||||||
fileSystems."/mnt/servo/${subdir}" = {
|
fileSystems."/mnt/servo/${subdir}" = {
|
||||||
device = "servo-hn:/${subdir}";
|
device = "ftp://servo-hn:/${subdir}";
|
||||||
noCheck = true;
|
noCheck = true;
|
||||||
fsType = "fuse.curlftpfs";
|
fsType = "fuse.curlftpfs";
|
||||||
options = fsOpts.ftp ++ fsOpts.noauto ++ fsOpts.wg;
|
options = fsOpts.ftp ++ fsOpts.noauto ++ fsOpts.wg;
|
||||||
# fsType = "nfs";
|
# fsType = "nfs";
|
||||||
# options = fsOpts.nfs ++ fsOpts.lazyMount ++ fsOpts.wg;
|
# options = fsOpts.nfs ++ fsOpts.lazyMount ++ fsOpts.wg;
|
||||||
};
|
};
|
||||||
systemd.services."automount-servo-${subdir}" = let
|
systemd.services."automount-servo-${utils.escapeSystemdPath subdir}" = let
|
||||||
fs = config.fileSystems."/mnt/servo/${subdir}";
|
fs = config.fileSystems."/mnt/servo/${subdir}";
|
||||||
in {
|
in {
|
||||||
# this is a *flaky* network mount, especially on moby.
|
# this is a *flaky* network mount, especially on moby.
|
||||||
|
@ -161,7 +161,7 @@ let
|
||||||
"-s" # single-threaded (TODO: it's probably ok to disable this?)
|
"-s" # single-threaded (TODO: it's probably ok to disable this?)
|
||||||
"-o"
|
"-o"
|
||||||
(lib.concatStringsSep "," (lib.filter (o: !lib.hasPrefix "x-systemd." o) fs.options))
|
(lib.concatStringsSep "," (lib.filter (o: !lib.hasPrefix "x-systemd." o) fs.options))
|
||||||
"ftp://${fs.device}"
|
fs.device
|
||||||
"/mnt/servo/${subdir}"
|
"/mnt/servo/${subdir}"
|
||||||
];
|
];
|
||||||
# not sure if this configures a linear, or exponential backoff.
|
# not sure if this configures a linear, or exponential backoff.
|
||||||
|
@ -218,7 +218,18 @@ lib.mkMerge [
|
||||||
(remoteHome "desko")
|
(remoteHome "desko")
|
||||||
(remoteHome "lappy")
|
(remoteHome "lappy")
|
||||||
(remoteHome "moby")
|
(remoteHome "moby")
|
||||||
(remoteServo "media")
|
# this granularity of servo media mounts is necessary to support sandboxing:
|
||||||
|
# for flaky mounts, we can only bind the mountpoint itself into the sandbox,
|
||||||
|
# so it's either this or unconditionally bind all of media/.
|
||||||
|
(remoteServo "media/archive")
|
||||||
|
(remoteServo "media/Books")
|
||||||
|
(remoteServo "media/collections")
|
||||||
|
# (remoteServo "media/datasets")
|
||||||
|
(remoteServo "media/freeleech")
|
||||||
|
(remoteServo "media/games")
|
||||||
|
(remoteServo "media/Music")
|
||||||
|
(remoteServo "media/Pictures/macros")
|
||||||
|
(remoteServo "media/Videos")
|
||||||
(remoteServo "playground")
|
(remoteServo "playground")
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
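Review bot: The commented-out NFS fallback in the `@ -132,14 +132,14 @@` hunk (`# fsType = "nfs";` and `# options = fsOpts.nfs ++ fsOpts.lazyMount ++ fsOpts.wg;`) is now stale, because `device` became `ftp://servo-hn:/${subdir}` and a `ftp://` URL is not a usable NFS device; if the fallback is meant to stay, give it its own commented device line next to the other two, e.g. `# device = "servo-hn:/${subdir}";`. The enclosing `remoteServo` definition starts before and ends after that hunk. A related point for the `@ -218,7 +218,18 @@` hunk: with per-subdirectory mounts, `/mnt/servo/media` and `/mnt/servo/media/Pictures` are no longer mountpoints but plain parent directories that nothing visible here sets an ACL on, whereas every mounted subdir gets `dir.acl.mode = "0750"`; presumably the `sane.fs` defaults apply, which is worth confirming so the parent directories are not more permissive than the mounts beneath them. A short comment at the mount list stating that unlisted `media/*` directories (including the disabled `# (remoteServo "media/datasets")`) are intentionally unreachable from clients would make the allow-list intent explicit for the next reader.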