modules/persist: change default mounting method to symlink
this changes the plaintext and cryptClearOnBoot stores: private was already symlink-based.

this isn't strictly necessary: the rationale is:
1. `mount` syscall *requires* CAP_SYS_ADMIN (i.e. superuser/suid). that's causing problems with sandboxing, particularly ~/private. that doesn't affect other stores *yet*, but it may in the future.
2. visibility. i.e. it makes *clear* where anything is persisted. if `realpath` doesn't evaluate to `/nix/persist`, then it's not persisted.
parent
771dc2e1ce
commit
478747a96e
|
@ -50,6 +50,7 @@
|
|||
sane.persist.stores."ext" = {
|
||||
origin = "/mnt/pool/persist";
|
||||
storeDescription = "external HDD storage";
|
||||
defaultMethod = "bind"; #< TODO: change to "symlink"?
|
||||
};
|
||||
|
||||
# increase /tmp space (defaults to 50% of RAM) for building large nix things.
|
||||
|
|
|
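Review bot: the `defaultMethod = "bind";` line on `sane.persist.stores."ext"` pins this store to the bind-mount path, and its trailing `#< TODO: change to "symlink"?` does not say why ext is exempt or what has to be true before it can switch. The commit message names only the plaintext and cryptClearOnBoot stores as changed, so say here (or in the message) that ext is deliberately kept on "bind" and why, since bind mounts keep the CAP_SYS_ADMIN requirement that the change is meant to move away from.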
@ -36,7 +36,7 @@ let
|
|||
};
|
||||
defaultMethod = mkOption {
|
||||
type = types.enum [ "bind" "symlink" ];
|
||||
default = "bind";
|
||||
default = "symlink";
|
||||
description = ''
|
||||
preferred way to link items from the store into the fs
|
||||
'';
|
||||
|
|
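Review bot: the `description` under `defaultMethod` still reads only "preferred way to link items from the store into the fs" and does not explain what "bind" and "symlink" each imply, even though the default is now "symlink". Suggest documenting the difference in that string (bind needs the `mount` syscall and therefore CAP_SYS_ADMIN; symlink makes the persisted location visible through `realpath`) and noting that any store which does not set `defaultMethod` explicitly changes behaviour with this default.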