hosts/common/fs: remoteHome: remove use of sane.fs.*.mount
part of an effort to simplify sane.fs
@@ -77,48 +77,58 @@ let
|
|||||||
|
|
||||||
ifSshAuthorized = lib.mkIf config.sane.hosts.by-name."${config.networking.hostName}".ssh.authorized;
|
ifSshAuthorized = lib.mkIf config.sane.hosts.by-name."${config.networking.hostName}".ssh.authorized;
|
||||||
|
|
||||||
remoteHome = name: { host ? name }: {
|
remoteHome = name: { host ? name }: let
|
||||||
sane.programs.sshfs-fuse.enableFor.system = true;
|
mountpoint = "/mnt/${name}/home";
|
||||||
system.fsPackages = [
|
|
||||||
config.sane.programs.sshfs-fuse.package
|
|
||||||
];
|
|
||||||
fileSystems."/mnt/${name}/home" = {
|
|
||||||
device = "sshfs#colin@${host}:/home/colin";
|
device = "sshfs#colin@${host}:/home/colin";
|
||||||
fsType = "fuse3";
|
fsType = "fuse3";
|
||||||
options = fsOpts.sshColin ++ fsOpts.lazyMount ++ [
|
options = fsOpts.sshColin ++ fsOpts.lazyMount ++ [
|
||||||
# drop_privileges: after `mount.fuse3` opens /dev/fuse, it will drop all capabilities before invoking sshfs
|
# drop_privileges: after `mount.fuse3` opens /dev/fuse, it will drop all capabilities before invoking sshfs
|
||||||
"drop_privileges"
|
"drop_privileges"
|
||||||
"auto_unmount" #< ensures that when the fs exits, it releases its mountpoint. then systemd can recognize it as failed.
|
"auto_unmount" #< ensures that when the fs exits, it releases its mountpoint. then systemd can recognize it as failed.
|
||||||
|
# disable defaults: don't require this to be mount as part of local-fs.target
|
||||||
|
"noauto"
|
||||||
|
"nofail"
|
||||||
];
|
];
|
||||||
|
in {
|
||||||
|
sane.programs.sshfs-fuse.enableFor.system = true;
|
||||||
|
system.fsPackages = [
|
||||||
|
config.sane.programs.sshfs-fuse.package
|
||||||
|
];
|
||||||
|
fileSystems."${mountpoint}" = {
|
||||||
|
inherit device fsType options;
|
||||||
noCheck = true;
|
noCheck = true;
|
||||||
};
|
};
|
||||||
sane.fs."/mnt/${name}/home" = {
|
# tell systemd about the mount so that i can sandbox it
|
||||||
dir.acl.user = "colin";
|
systemd.mounts = [{
|
||||||
dir.acl.group = "users";
|
where = mountpoint;
|
||||||
dir.acl.mode = "0700";
|
what = device;
|
||||||
|
type = fsType;
|
||||||
|
options = lib.concatStringsSep "," options;
|
||||||
wantedBy = [ "default.target" ];
|
wantedBy = [ "default.target" ];
|
||||||
mount.depends = [ "network-online.target" ];
|
after = [ "network-online.target" ];
|
||||||
mount.mountConfig.ExecSearchPath = [ "/run/current-system/sw/bin" ];
|
requires = [ "network-online.target" ];
|
||||||
mount.mountConfig.User = "colin";
|
|
||||||
mount.mountConfig.AmbientCapabilities = "CAP_SETPCAP CAP_SYS_ADMIN";
|
mountConfig.ExecSearchPath = [ "/run/current-system/sw/bin" ];
|
||||||
|
mountConfig.User = "colin";
|
||||||
|
mountConfig.AmbientCapabilities = "CAP_SETPCAP CAP_SYS_ADMIN";
|
||||||
# hardening (systemd-analyze security mnt-desko-home.mount):
|
# hardening (systemd-analyze security mnt-desko-home.mount):
|
||||||
# TODO: i can't use ProtectSystem=full here, because i can't create a new mount space; but...
|
# TODO: i can't use ProtectSystem=full here, because i can't create a new mount space; but...
|
||||||
# with drop_privileges, i *could* sandbox the actual `sshfs` program using e.g. bwrap
|
# with drop_privileges, i *could* sandbox the actual `sshfs` program using e.g. bwrap
|
||||||
mount.mountConfig.CapabilityBoundingSet = "CAP_SETPCAP CAP_SYS_ADMIN";
|
mountConfig.CapabilityBoundingSet = "CAP_SETPCAP CAP_SYS_ADMIN";
|
||||||
mount.mountConfig.LockPersonality = true;
|
mountConfig.LockPersonality = true;
|
||||||
mount.mountConfig.MemoryDenyWriteExecute = true;
|
mountConfig.MemoryDenyWriteExecute = true;
|
||||||
mount.mountConfig.NoNewPrivileges = true;
|
mountConfig.NoNewPrivileges = true;
|
||||||
mount.mountConfig.ProtectClock = true;
|
mountConfig.ProtectClock = true;
|
||||||
mount.mountConfig.ProtectHostname = true;
|
mountConfig.ProtectHostname = true;
|
||||||
mount.mountConfig.RemoveIPC = true;
|
mountConfig.RemoveIPC = true;
|
||||||
mount.mountConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
|
mountConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
|
||||||
#VVV this includes anything it reads from, e.g. /bin/sh; /nix/store/...
|
#VVV this includes anything it reads from, e.g. /bin/sh; /nix/store/...
|
||||||
# see `systemd-analyze filesystems` for a full list
|
# see `systemd-analyze filesystems` for a full list
|
||||||
mount.mountConfig.RestrictFileSystems = "@common-block @basic-api fuse";
|
mountConfig.RestrictFileSystems = "@common-block @basic-api fuse";
|
||||||
mount.mountConfig.RestrictRealtime = true;
|
mountConfig.RestrictRealtime = true;
|
||||||
mount.mountConfig.RestrictSUIDSGID = true;
|
mountConfig.RestrictSUIDSGID = true;
|
||||||
mount.mountConfig.SystemCallArchitectures = "native";
|
mountConfig.SystemCallArchitectures = "native";
|
||||||
mount.mountConfig.SystemCallFilter = [
|
mountConfig.SystemCallFilter = [
|
||||||
"@system-service"
|
"@system-service"
|
||||||
"@mount"
|
"@mount"
|
||||||
"~@chown"
|
"~@chown"
|
||||||
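Review bot: The mountpoint directory's owner and mode are no longer declared anywhere in this hunk: the removed `sane.fs."/mnt/${name}/home"` block carried `dir.acl.user = "colin"`, `dir.acl.group = "users"` and `dir.acl.mode = "0700"`, and the new `systemd.mounts` entry has no equivalent, so unless sane.fs still creates the directory elsewhere, systemd will create `${mountpoint}` itself, root-owned with default permissions. That matters because the unit now runs with `mountConfig.User = "colin"` and `drop_privileges`: a mount helper running as that user may refuse a mountpoint it does not own, and while unmounted the path is no longer 0700. If the directory is not provided elsewhere, a one-line declaration such as `systemd.tmpfiles.rules = [ "d ${mountpoint} 0700 colin users - -" ];` next to the mount would restore the old guarantee. Separately, `options = lib.concatStringsSep "," options;` forwards the full fileSystems option list, including the newly added `noauto`/`nofail`, into the unit's Options=; those are fstab-only flags, so it is worth confirming they are dropped rather than handed to mount.fuse3. The `remoteHome` binding's body continues into the next hunk.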
@@ -127,12 +137,12 @@ let
|
|||||||
# could remove almost all io calls, however one has to keep `open`, and `write`, to communicate with the fuse device.
|
# could remove almost all io calls, however one has to keep `open`, and `write`, to communicate with the fuse device.
|
||||||
# so that's pretty useless as a way to prevent write access
|
# so that's pretty useless as a way to prevent write access
|
||||||
];
|
];
|
||||||
mount.mountConfig.IPAddressDeny = "any";
|
mountConfig.IPAddressDeny = "any";
|
||||||
mount.mountConfig.IPAddressAllow = "10.0.0.0/8";
|
mountConfig.IPAddressAllow = "10.0.0.0/8";
|
||||||
mount.mountConfig.DevicePolicy = "closed"; # only allow /dev/{null,zero,full,random,urandom}
|
mountConfig.DevicePolicy = "closed"; # only allow /dev/{null,zero,full,random,urandom}
|
||||||
mount.mountConfig.DeviceAllow = "/dev/fuse";
|
mountConfig.DeviceAllow = "/dev/fuse";
|
||||||
# mount.mountConfig.RestrictNamespaces = true; #< my sshfs sandboxing uses bwrap
|
# mount.mountConfig.RestrictNamespaces = true; #< my sshfs sandboxing uses bwrap
|
||||||
};
|
}];
|
||||||
};
|
};
|
||||||
remoteServo = subdir: let
|
remoteServo = subdir: let
|
||||||
localPath = "/mnt/servo/${subdir}";
|
localPath = "/mnt/servo/${subdir}";
|
||||||
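Review bot: The commented-out line `# mount.mountConfig.RestrictNamespaces = true; #< my sshfs sandboxing uses bwrap` still uses the old `mount.mountConfig.` prefix even though every sibling in this `systemd.mounts` entry was renamed to `mountConfig.`, so uncommenting it later would not address the path this unit actually uses. Rename it in the same commit: `# mountConfig.RestrictNamespaces = true; #< my sshfs sandboxing uses bwrap`. The enclosing `remoteHome` body starts in the previous hunk.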
|