rearrange /mnt structure for host-based subdirs

e.g. /mnt/servo/media, /mnt/desko/home, etc

TODO.md

@@ -55,11 +55,6 @@
     - <https://github.com/flatpak/xdg-dbus-proxy>
   - remove `.ssh` access from Firefox!
     - limit access to `~/private/knowledge/secrets` through an agent that requires GUI approval, so a firefox exploit can't steal all my logins
-  - make /mnt/servo-media more sandbox-friendly
-    - having the sandboxer detect ~/Videos and ~/Videos/servo, and derefrencing the symlink in the latter (rather than consolidating them), to add those paths, would go a long way.
-    - ~/Videos/servo would also need to link not to /mnt/servo-media/Videos, but to /mnt/servo-nfs/media/Videos
-      - maybe just kill /mnt/servo-nfs and /mnt/servo-media, consolidate to /mnt/servo/media/...
-      - and rework /mnt/desko-home -> /mnt/desko/home, ...
 - make dconf stuff less monolithic
   - i.e. per-app dconf profiles for those which need it. possible static config.
 - canaries for important services

flake.nix

@@ -439,8 +439,8 @@
             # can run this from any device that has ssh access to desko and servo
             type = "app";
             program = builtins.toString (pkgs.writeShellScript "sync-to-desko" ''
-              sudo mount /mnt/desko-home
-              ${pkgs.sane-scripts.sync-music}/bin/sane-sync-music --compat /mnt/servo-media/Music /mnt/desko-home/Music "$@"
+              sudo mount /mnt/desko/home
+              ${pkgs.sane-scripts.sync-music}/bin/sane-sync-music --compat /mnt/servo/media/Music /mnt/desko/home/Music "$@"
             '');
           };
 
@@ -449,8 +449,8 @@
             # can run this from any device that has ssh access to lappy and servo
             type = "app";
             program = builtins.toString (pkgs.writeShellScript "sync-to-lappy" ''
-              sudo mount /mnt/lappy-home
-              ${pkgs.sane-scripts.sync-music}/bin/sane-sync-music --compress --compat /mnt/servo-media/Music /mnt/lappy-home/Music "$@"
+              sudo mount /mnt/lappy/home
+              ${pkgs.sane-scripts.sync-music}/bin/sane-sync-music --compress --compat /mnt/servo/media/Music /mnt/lappy/home/Music "$@"
             '');
           };
 
@@ -459,11 +459,11 @@
             # can run this from any device that has ssh access to moby and servo
             type = "app";
             program = builtins.toString (pkgs.writeShellScript "sync-to-moby" ''
-              sudo mount /mnt/moby-home
-              sudo mount /mnt/desko-home
-              ${pkgs.rsync}/bin/rsync -arv --exclude servo-macros /mnt/moby-home/Pictures/ /mnt/desko-home/Pictures/moby/
+              sudo mount /mnt/moby/home
+              sudo mount /mnt/desko/home
+              ${pkgs.rsync}/bin/rsync -arv --exclude servo-macros /mnt/moby/home/Pictures/ /mnt/desko/home/Pictures/moby/
               # N.B.: limited by network/disk -> reduce job count to improve pause/resume behavior
-              ${pkgs.sane-scripts.sync-music}/bin/sane-sync-music --compress --compat --jobs 4 /mnt/servo-media/Music /mnt/moby-home/Music "$@"
+              ${pkgs.sane-scripts.sync-music}/bin/sane-sync-music --compress --compat --jobs 4 /mnt/servo/media/Music /mnt/moby/home/Music "$@"
             '');
           };
 

hosts/common/fs.nix

@@ -57,13 +57,13 @@ let
     ];
   };
   remoteHome = host: {
-    fileSystems."/mnt/${host}-home" = {
+    fileSystems."/mnt/${host}/home" = {
       device = "colin@${host}:/home/colin";
       fsType = "fuse.sshfs";
       options = fsOpts.sshColin ++ fsOpts.noauto;
       noCheck = true;
     };
-    sane.fs."/mnt/${host}-home" = sane-lib.fs.wantedDir;
+    sane.fs."/mnt/${host}/home" = sane-lib.fs.wantedDir;
   };
 in
 lib.mkMerge [
@@ -105,13 +105,13 @@ lib.mkMerge [
     #   fsType = "nfs";
     #   options = fsOpts.nfs ++ fsOpts.auto ++ fsOpts.wg;
     # };
-    fileSystems."/mnt/servo-nfs/media" = {
+    fileSystems."/mnt/servo/media" = {
       device = "servo-hn:/media";
       noCheck = true;
       fsType = "nfs";
       options = fsOpts.nfs ++ fsOpts.auto ++ fsOpts.wg;
     };
-    fileSystems."/mnt/servo-nfs/playground" = {
+    fileSystems."/mnt/servo/playground" = {
       device = "servo-hn:/playground";
       noCheck = true;
       fsType = "nfs";
@@ -123,7 +123,7 @@ lib.mkMerge [
     #   fsType = "nfs";
     #   options = fsOpts.common ++ fsOpts.auto;
     # };
-    sane.fs."/mnt/servo-media" = sane-lib.fs.wantedSymlinkTo "/mnt/servo-nfs/media";
+    # sane.fs."/mnt/servo-media" = sane-lib.fs.wantedSymlinkTo "/mnt/servo-nfs/media";
 
     environment.pathsToLink = [
       # needed to achieve superuser access for user-mounted filesystems (see optionsRoot above)

hosts/common/programs/assorted.nix

@@ -302,7 +302,7 @@ in
       "tmp"
     ];
     gimp.sandbox.extraPaths = [
-      "/mnt/servo-media/Pictures"
+      "/mnt/servo/media/Pictures"
     ];
     gimp.sandbox.autodetectCliPaths = true;
 

hosts/common/programs/cozy.nix

@@ -8,7 +8,7 @@
       "Books"
     ];
     sandbox.extraPaths = [
-      "/mnt/servo-media/Books"
+      "/mnt/servo/media/Books"
     ];
     # cozy uses a sqlite db for its config and exposes no CLI options other than --help and --debug
     persist.byStore.plaintext = [

hosts/common/programs/firefox.nix

@@ -254,7 +254,7 @@ in
         sandbox.extraPaths = [
           # ~/Pictures/servo-macros links to here.
           # TODO: consider a bind-mount, so that access to ~/Pictures also gives access to here.
-          "/mnt/servo-media/Pictures/macros"
+          "/mnt/servo/media/Pictures/macros"
         ];
         fs.".config/sops".dir = lib.mkIf cfg.addons.browserpass-extension.enable {};  #< needs to be created, not *just* added to the sandbox
 

hosts/common/programs/go2tv.nix

@@ -11,9 +11,9 @@
 #       - e.g. `go2tv -u 'https://inv.us.projectsegfau.lt/latest_version?id=qBzjHU_zEwM&itag=18'`
 #       - e.g. `go2tv -tc -u 'https://yt.artemislena.eu/latest_version?id=qBzjHU_zEwM&itag=22'`
 #       - sometimes transcoding is needed, sometimes not...
-# - `go2tv -v /mnt/servo-media/Videos/Shows/bebop/session1.mkv`
+# - `go2tv -v /mnt/servo/media/Videos/Shows/bebop/session1.mkv`
 #   - LGTV: works
-# - `go2tv -tc -v /mnt/servo-media/Videos/Shows/bebop/session1.mkv`
+# - `go2tv -tc -v /mnt/servo/media/Videos/Shows/bebop/session1.mkv`
 #   - LGTV: works
 #
 # WHEN TO TRANSCODE:
@@ -42,8 +42,8 @@ in
       "Videos"
     ];
     sandbox.extraPaths = [
-      "/mnt/servo-media/Music"
-      "/mnt/servo-media/Videos"
+      "/mnt/servo/media/Music"
+      "/mnt/servo/media/Videos"
     ];
   };
   # for serving local files

hosts/common/programs/handbrake.nix

@@ -10,8 +10,8 @@
       "tmp"
     ];
     sandbox.extraPaths = [
-      "/mnt/servo-media/Pictures"
-      "/mnt/servo-media/Videos"
+      "/mnt/servo/media/Pictures"
+      "/mnt/servo/media/Videos"
     ];
     sandbox.autodetectCliPaths = true;
 

hosts/common/programs/kdenlive.nix

@@ -10,8 +10,8 @@
       "tmp"
     ];
     sandbox.extraPaths = [
-      "/mnt/servo-media/Pictures"
-      "/mnt/servo-media/Videos"
+      "/mnt/servo/media/Pictures"
+      "/mnt/servo/media/Videos"
     ];
     sandbox.whitelistDri = true;
     packageUnwrapped = pkgs.kdenlive.override {

hosts/common/programs/koreader/default.nix

@@ -53,7 +53,7 @@ in {
       "Books"
     ];
     sandbox.extraPaths = [
-      "/mnt/servo-media/Books"
+      "/mnt/servo/media/Books"
     ];
     # koreader applies these lua "patches" at boot:
     # - <https://github.com/koreader/koreader/wiki/User-patches>

hosts/common/programs/stepmania.nix

@@ -20,8 +20,8 @@
       ".stepmania-5.1/Cache"  #< otherwise gotta index all the songs every launch
       ".stepmania-5.1/Save"
     ];
-    fs.".stepmania-5.1/Courses".symlink.target = "/mnt/servo-media/games/stepmania/Courses";
-    fs.".stepmania-5.1/Songs".symlink.target = "/mnt/servo-media/games/stepmania/Songs";
+    fs.".stepmania-5.1/Courses".symlink.target = "/mnt/servo/media/games/stepmania/Courses";
+    fs.".stepmania-5.1/Songs".symlink.target = "/mnt/servo/media/games/stepmania/Songs";
     fs.".stepmania-5.1/stepmania.nix".symlink.target = "../nixos/hosts/common/programs/stepmania.nix";
     # TODO: setup ~/.stepmania-5.1/Themes
   };

hosts/common/users/colin.nix

@@ -137,9 +137,9 @@
     # convenience
     fs."knowledge".symlink.target = "private/knowledge";
     fs."nixos".symlink.target = "dev/nixos";
-    fs."Books/servo".symlink.target = "/mnt/servo-media/Books";
-    fs."Videos/servo".symlink.target = "/mnt/servo-media/Videos";
-    # fs."Music/servo".symlink.target = "/mnt/servo-media/Music";
-    fs."Pictures/servo-macros".symlink.target = "/mnt/servo-media/Pictures/macros";
+    fs."Books/servo".symlink.target = "/mnt/servo/media/Books";
+    fs."Videos/servo".symlink.target = "/mnt/servo/media/Videos";
+    # fs."Music/servo".symlink.target = "/mnt/servo/media/Music";
+    fs."Pictures/servo-macros".symlink.target = "/mnt/servo/media/Pictures/macros";
   };
 }

modules/programs/sane-sandboxed

@@ -277,7 +277,7 @@ bwrapSetup() {
 bwrapIngestPath() {
   # N.B.: use --dev-bind-try instead of --dev-bind for platform-specific paths like /run/opengl-driver-32
   #   which don't exist on aarch64, as the -try variant will gracefully fail (i.e. not bind it).
-  # N.B.: `test -r` for paths like /mnt/servo-media, which may otherwise break bwrap when offline with
+  # N.B.: `test -r` for paths like /mnt/servo/media, which may otherwise break bwrap when offline with
   #   "bwrap: Can't get type of source /mnt/...: Input/output error"
   # HOWEVER, paths such as `/run/secrets` are not readable, so don't do that (or, try `test -e` if this becomes a problem again).
   # `-try` version of binding is still desireable for user files.

pkgs/additional/sane-scripts/src/sane-sync-from-servo

@@ -2,7 +2,7 @@
 #!nix-shell -i bash -p rsync
 set -ex
 
-REMOTE_MUSIC=/mnt/servo-media/Music
+REMOTE_MUSIC=/mnt/servo/media/Music
 
 test -d "$REMOTE_MUSIC" && \
   rsync -arv --delete --progress "$REMOTE_MUSIC/" ~/Music/