modules/persist: change default mounting method to symlink

this changes the plaintext and cryptClearOnBoot stores: private was already symlink-based.
this isn't strictly necessary; the rationale is:
1. `mount` syscall *requires* CAP_SYS_ADMIN (i.e. superuser/suid).
   that's causing problems with sandboxing, particularly ~/private.
   that doesn't affect other stores *yet*, but it may in the future.
2. visibility. i.e. it makes *clear* where anything is persisted.
   if `realpath` doesn't evaluate to `/nix/persist`, then it's not
   persisted.
This commit is contained in:
Colin 2024-02-23 03:36:31 +00:00
parent 771dc2e1ce
commit 478747a96e
2 changed files with 2 additions and 1 deletions


@ -50,6 +50,7 @@
sane.persist.stores."ext" = {
origin = "/mnt/pool/persist";
storeDescription = "external HDD storage";
defaultMethod = "bind"; #< TODO: change to "symlink"?
};
# increase /tmp space (defaults to 50% of RAM) for building large nix things.
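Review bot: The `#< TODO: change to "symlink"?` on the `ext` store's `defaultMethod` line records no reason for pinning `"bind"` now that the module default flips to `"symlink"`, so a later reader cannot tell which of the two rationales in the commit message (the `mount` syscall needing CAP_SYS_ADMIN, or `realpath` visibility) is the one that does not yet hold for this store. Presumably the concern is that the external pool at `/mnt/pool/persist` may be absent when the link would be created, but that is an inference from the `storeDescription` only; the comment should state the actual constraint, e.g. `defaultMethod = "bind"; #< TODO: switch to "symlink" once <reason bind is still required> is resolved`. The hunk's new-side count is 7 while only 6 lines are shown, so one context line of this attribute set is not visible here.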


@ -36,7 +36,7 @@ let
};
defaultMethod = mkOption {
type = types.enum [ "bind" "symlink" ];
default = "bind";
default = "symlink";
description = ''
preferred way to link items from the store into the fs
'';
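Review bot: The option description `preferred way to link items from the store into the fs` is left unchanged although the default it documents now becomes `"symlink"`, and it says nothing about what distinguishes the two enum values or why the default moved. The commit message already has the material: a bind mount needs the `mount` syscall and therefore CAP_SYS_ADMIN, and it hides the persisted origin from `realpath`, whereas a symlink needs no privilege and makes the origin visible. Suggest expanding the description to roughly `preferred way to link items from the store into the fs; "symlink" needs no privilege and shows the persisted origin via realpath, "bind" requires the mount syscall (CAP_SYS_ADMIN) and hides it`. Since any store that does not set `defaultMethod` explicitly switches method silently with this default change, naming the trade-off in the option description is the one place users will look. The enclosing `let` block and the rest of this option definition lie outside the hunk.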