hosts/common/fs: remoteHome: remove use of sane.fs.*.mount

part of an effort to simplify sane.fs
2024-09-29 01:52:34 +00:00
parent c44b5240d1
commit 3cbb45fa4c


@@ -77,48 +77,58 @@ let
ifSshAuthorized = lib.mkIf config.sane.hosts.by-name."${config.networking.hostName}".ssh.authorized; ifSshAuthorized = lib.mkIf config.sane.hosts.by-name."${config.networking.hostName}".ssh.authorized;
remoteHome = name: { host ? name }: { remoteHome = name: { host ? name }: let
sane.programs.sshfs-fuse.enableFor.system = true; mountpoint = "/mnt/${name}/home";
system.fsPackages = [
config.sane.programs.sshfs-fuse.package
];
fileSystems."/mnt/${name}/home" = {
device = "sshfs#colin@${host}:/home/colin"; device = "sshfs#colin@${host}:/home/colin";
fsType = "fuse3"; fsType = "fuse3";
options = fsOpts.sshColin ++ fsOpts.lazyMount ++ [ options = fsOpts.sshColin ++ fsOpts.lazyMount ++ [
# drop_privileges: after `mount.fuse3` opens /dev/fuse, it will drop all capabilities before invoking sshfs # drop_privileges: after `mount.fuse3` opens /dev/fuse, it will drop all capabilities before invoking sshfs
"drop_privileges" "drop_privileges"
"auto_unmount" #< ensures that when the fs exits, it releases its mountpoint. then systemd can recognize it as failed. "auto_unmount" #< ensures that when the fs exits, it releases its mountpoint. then systemd can recognize it as failed.
# disable defaults: don't require this to be mount as part of local-fs.target
"noauto"
"nofail"
]; ];
in {
sane.programs.sshfs-fuse.enableFor.system = true;
system.fsPackages = [
config.sane.programs.sshfs-fuse.package
];
fileSystems."${mountpoint}" = {
inherit device fsType options;
noCheck = true; noCheck = true;
}; };
sane.fs."/mnt/${name}/home" = { # tell systemd about the mount so that i can sandbox it
dir.acl.user = "colin"; systemd.mounts = [{
dir.acl.group = "users"; where = mountpoint;
dir.acl.mode = "0700"; what = device;
type = fsType;
options = lib.concatStringsSep "," options;
wantedBy = [ "default.target" ]; wantedBy = [ "default.target" ];
mount.depends = [ "network-online.target" ]; after = [ "network-online.target" ];
mount.mountConfig.ExecSearchPath = [ "/run/current-system/sw/bin" ]; requires = [ "network-online.target" ];
mount.mountConfig.User = "colin";
mount.mountConfig.AmbientCapabilities = "CAP_SETPCAP CAP_SYS_ADMIN"; mountConfig.ExecSearchPath = [ "/run/current-system/sw/bin" ];
mountConfig.User = "colin";
mountConfig.AmbientCapabilities = "CAP_SETPCAP CAP_SYS_ADMIN";
# hardening (systemd-analyze security mnt-desko-home.mount): # hardening (systemd-analyze security mnt-desko-home.mount):
# TODO: i can't use ProtectSystem=full here, because i can't create a new mount space; but... # TODO: i can't use ProtectSystem=full here, because i can't create a new mount space; but...
# with drop_privileges, i *could* sandbox the actual `sshfs` program using e.g. bwrap # with drop_privileges, i *could* sandbox the actual `sshfs` program using e.g. bwrap
mount.mountConfig.CapabilityBoundingSet = "CAP_SETPCAP CAP_SYS_ADMIN"; mountConfig.CapabilityBoundingSet = "CAP_SETPCAP CAP_SYS_ADMIN";
mount.mountConfig.LockPersonality = true; mountConfig.LockPersonality = true;
mount.mountConfig.MemoryDenyWriteExecute = true; mountConfig.MemoryDenyWriteExecute = true;
mount.mountConfig.NoNewPrivileges = true; mountConfig.NoNewPrivileges = true;
mount.mountConfig.ProtectClock = true; mountConfig.ProtectClock = true;
mount.mountConfig.ProtectHostname = true; mountConfig.ProtectHostname = true;
mount.mountConfig.RemoveIPC = true; mountConfig.RemoveIPC = true;
mount.mountConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; mountConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
#VVV this includes anything it reads from, e.g. /bin/sh; /nix/store/... #VVV this includes anything it reads from, e.g. /bin/sh; /nix/store/...
# see `systemd-analyze filesystems` for a full list # see `systemd-analyze filesystems` for a full list
mount.mountConfig.RestrictFileSystems = "@common-block @basic-api fuse"; mountConfig.RestrictFileSystems = "@common-block @basic-api fuse";
mount.mountConfig.RestrictRealtime = true; mountConfig.RestrictRealtime = true;
mount.mountConfig.RestrictSUIDSGID = true; mountConfig.RestrictSUIDSGID = true;
mount.mountConfig.SystemCallArchitectures = "native"; mountConfig.SystemCallArchitectures = "native";
mount.mountConfig.SystemCallFilter = [ mountConfig.SystemCallFilter = [
"@system-service" "@system-service"
"@mount" "@mount"
"~@chown" "~@chown"
@@ -127,12 +137,12 @@ let
# could remove almost all io calls, however one has to keep `open`, and `write`, to communicate with the fuse device. # could remove almost all io calls, however one has to keep `open`, and `write`, to communicate with the fuse device.
# so that's pretty useless as a way to prevent write access # so that's pretty useless as a way to prevent write access
]; ];
mount.mountConfig.IPAddressDeny = "any"; mountConfig.IPAddressDeny = "any";
mount.mountConfig.IPAddressAllow = "10.0.0.0/8"; mountConfig.IPAddressAllow = "10.0.0.0/8";
mount.mountConfig.DevicePolicy = "closed"; # only allow /dev/{null,zero,full,random,urandom} mountConfig.DevicePolicy = "closed"; # only allow /dev/{null,zero,full,random,urandom}
mount.mountConfig.DeviceAllow = "/dev/fuse"; mountConfig.DeviceAllow = "/dev/fuse";
# mount.mountConfig.RestrictNamespaces = true; #< my sshfs sandboxing uses bwrap # mount.mountConfig.RestrictNamespaces = true; #< my sshfs sandboxing uses bwrap
}; }];
}; };
remoteServo = subdir: let remoteServo = subdir: let
localPath = "/mnt/servo/${subdir}"; localPath = "/mnt/servo/${subdir}";
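Review bot: The removed `sane.fs."/mnt/${name}/home"` entry carried `dir.acl.user = "colin"`, `dir.acl.group = "users"` and `dir.acl.mode = "0700"`, and nothing on the new side of the first hunk reproduces that ownership or mode for `mountpoint`; unless another module outside this hunk creates the directory, the `.mount` unit will create it itself with systemd's default directory mode, owned by root. That is probably harmless while the sshfs mount is absent (an empty directory), and FUSE denies other local users by default once mounted, but the commit message does not say the ACL was dropped on purpose, so I would record it next to `fileSystems."${mountpoint}"`: `# mountpoint is created by the .mount unit (root-owned, default DirectoryMode); the 0700 colin ACL from sane.fs was dropped intentionally`. Separately, `fileSystems."${mountpoint}"` and `systemd.mounts` now visibly define the same unit twice (fstab generator plus an explicit unit file); the explicit unit wins, so any `x-systemd.*` entries that `fsOpts.lazyMount` may contain (not visible here) would only be seen by the generator copy and silently ignored by the winning unit — worth a one-line comment or a check that the two agree. The enclosing `let` block of which `remoteHome` is a member begins before the hunk.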