common/fs: mount curlftpfs using fuse3

hosts/common/fs.nix

@@ -171,11 +171,18 @@ let
     systemdName = utils.escapeSystemdPath localPath;
   in {
     sane.programs.curlftpfs.enableFor.system = true;
+    system.fsPackages = [
+      config.sane.programs.curlftpfs.package
+    ];
     fileSystems."${localPath}" = {
-      device = "ftp://servo-hn:/${subdir}";
+      device = "curlftpfs#ftp://servo-hn:/${subdir}";
       noCheck = true;
-      fsType = "fuse.curlftpfs";
+      fsType = "fuse3";
-      options = fsOpts.ftp ++ fsOpts.noauto;
+      options = fsOpts.ftp ++ fsOpts.noauto ++ [
+        # drop_privileges: after `mount.fuse3` opens /dev/fuse, it will drop all capabilities before invoking sshfs
+        "drop_privileges"
+        "auto_unmount"  #< ensures that when the fs exits, it releases its mountpoint. then systemd can recognize it as failed.
+      ];
       # fsType = "nfs";
       # options = fsOpts.nfs ++ fsOpts.lazyMount;
     };
@@ -191,10 +198,11 @@ let
       mount.unitConfig.OnSuccess = [ "${systemdName}-restart-timer.target" ];
 
       mount.mountConfig.TimeoutSec = "10s";
+      mount.mountConfig.ExecSearchPath = [ "/run/current-system/sw/bin" ];
       mount.mountConfig.User = "colin";
-      mount.mountConfig.AmbientCapabilities = "CAP_SYS_ADMIN";
+      mount.mountConfig.AmbientCapabilities = "CAP_SETPCAP CAP_SYS_ADMIN";
       # hardening (systemd-analyze security mnt-servo-playground.mount)
-      mount.mountConfig.CapabilityBoundingSet = "CAP_SYS_ADMIN";
+      mount.mountConfig.CapabilityBoundingSet = "CAP_SETPCAP CAP_SYS_ADMIN";
       mount.mountConfig.LockPersonality = true;
       mount.mountConfig.MemoryDenyWriteExecute = true;
       mount.mountConfig.NoNewPrivileges = true;