common/fs: mount curlftpfs using fuse3
This commit is contained in:
@@ -171,11 +171,18 @@ let
|
||||
systemdName = utils.escapeSystemdPath localPath;
|
||||
in {
|
||||
sane.programs.curlftpfs.enableFor.system = true;
|
||||
system.fsPackages = [
|
||||
config.sane.programs.curlftpfs.package
|
||||
];
|
||||
fileSystems."${localPath}" = {
|
||||
device = "ftp://servo-hn:/${subdir}";
|
||||
device = "curlftpfs#ftp://servo-hn:/${subdir}";
|
||||
noCheck = true;
|
||||
fsType = "fuse.curlftpfs";
|
||||
options = fsOpts.ftp ++ fsOpts.noauto;
|
||||
fsType = "fuse3";
|
||||
options = fsOpts.ftp ++ fsOpts.noauto ++ [
|
||||
# drop_privileges: after `mount.fuse3` opens /dev/fuse, it will drop all capabilities before invoking sshfs
|
||||
"drop_privileges"
|
||||
"auto_unmount" #< ensures that when the fs exits, it releases its mountpoint. then systemd can recognize it as failed.
|
||||
];
|
||||
# fsType = "nfs";
|
||||
# options = fsOpts.nfs ++ fsOpts.lazyMount;
|
||||
};
|
||||
@@ -191,10 +198,11 @@ let
|
||||
mount.unitConfig.OnSuccess = [ "${systemdName}-restart-timer.target" ];
|
||||
|
||||
mount.mountConfig.TimeoutSec = "10s";
|
||||
mount.mountConfig.ExecSearchPath = [ "/run/current-system/sw/bin" ];
|
||||
mount.mountConfig.User = "colin";
|
||||
mount.mountConfig.AmbientCapabilities = "CAP_SYS_ADMIN";
|
||||
mount.mountConfig.AmbientCapabilities = "CAP_SETPCAP CAP_SYS_ADMIN";
|
||||
# hardening (systemd-analyze security mnt-servo-playground.mount)
|
||||
mount.mountConfig.CapabilityBoundingSet = "CAP_SYS_ADMIN";
|
||||
mount.mountConfig.CapabilityBoundingSet = "CAP_SETPCAP CAP_SYS_ADMIN";
|
||||
mount.mountConfig.LockPersonality = true;
|
||||
mount.mountConfig.MemoryDenyWriteExecute = true;
|
||||
mount.mountConfig.NoNewPrivileges = true;
|
||||
|
Reference in New Issue
Block a user