/mnt/servo/*: fix to not hang the mount when fs is offline

this is an unfortunate effect of the drop_privileges part of fuse3,
that the mount is active as soon as the fs implementation is launched,
instead of when it enters `fuse_main`.

hosts/common/fs.nix

@@ -121,6 +121,7 @@ let
       options = fsOpts.sshColin ++ fsOpts.lazyMount ++ [
         # drop_privileges: after `mount.fuse3` opens /dev/fuse, it will drop all capabilities before invoking sshfs
         "drop_privileges"
+        "auto_unmount"  #< ensures that when the fs exits, it releases its mountpoint. then systemd can recognize it as failed.
       ];
       noCheck = true;
     };
@@ -191,7 +192,8 @@ let
       dir.acl.group = "users";
       dir.acl.mode = "0750";
       wantedBy = [ "default.target" ];
-      mount.depends = [ "network-online.target" ];
+      mount.depends = [ "network-online.target" "${systemdName}-reachable.service" ];
+      # mount.unitConfig.Conflicts = [ "${systemdName}-reachable.service" ];  #< ensures that we *retry* reachability on every activation attempt
       #VVV patch so that when the mount fails, we start a timer to remount it.
       #    and for a disconnection after a good mount (onSuccess), restart the timer to be more aggressive
       mount.unitConfig.OnFailure = [ "${systemdName}.timer" ];
@@ -213,7 +215,6 @@ let
       #VVV this includes anything it reads from, e.g. /bin/sh; /nix/store/...
       # see `systemd-analyze filesystems` for a full list
       mount.mountConfig.RestrictFileSystems = "@common-block @basic-api fuse";
-      mount.mountConfig.RestrictNamespaces = true;
       mount.mountConfig.RestrictRealtime = true;
       mount.mountConfig.RestrictSUIDSGID = true;
       mount.mountConfig.SystemCallArchitectures = "native";
@@ -230,6 +231,22 @@ let
       mount.mountConfig.IPAddressAllow = "10.0.10.5";
       mount.mountConfig.DevicePolicy = "closed";  # only allow /dev/{null,zero,full,random,urandom}
       mount.mountConfig.DeviceAllow = "/dev/fuse";
+      # mount.mountConfig.RestrictNamespaces = true;
+    };
+
+    systemd.services."${systemdName}-reachable" = {
+      serviceConfig.ExecSearchPath = [ "/run/current-system/sw/bin" ];
+      serviceConfig.ExecStart = lib.escapeShellArgs [
+        "curlftpfs"
+        "ftp://servo-hn:/${subdir}"
+        "/dev/null"
+        "-o"
+        (lib.concatStringsSep "," ([ "exit_after_connect" ] ++ config.fileSystems."${localPath}".options))
+      ];
+      serviceConfig.RemainAfterExit = true;
+      serviceConfig.Type = "oneshot";
+      unitConfig.BindsTo = [ "${systemdName}.mount" ];
+      # unitConfig.PartOf = [ "${systemdName}.mount" ];
     };
 
     systemd.targets."${systemdName}-restart-timer" = {

hosts/common/programs/curlftpfs.nix

@@ -2,14 +2,7 @@
 {
   sane.programs.curlftpfs = {
     packageUnwrapped = pkgs.curlftpfs-sane;
-    # TODO: try to sandbox this better? maybe i can have fuse (unsandboxed) invoke curlftpfs (sandboxed)?
-    # traditional way is via `-o drop_privileges`, supported by fuse3 only.
-
-    # sandbox.method = "capshonly";
-    # sandbox.net = "all";
-    # sandbox.capabilities = [
-    #   "sys_admin"
-    #   "sys_module"
-    # ];
+    sandbox.method = "bwrap";
+    sandbox.net = "all";
   };
 }