fs: allow common /mnt points to be mounted by me without sudo

2024-02-23 02:29:12 +00:00 · 2024-02-23 02:29:12 +00:00 · 771dc2e1ce
commit 771dc2e1ce
parent 4a316d4b91
1 changed files with 22 additions and 3 deletions
--- a/hosts/common/fs.nix
+++ b/hosts/common/fs.nix
@ -1,5 +1,6 @@
 # docs
 # - x-systemd options: <https://www.freedesktop.org/software/systemd/man/systemd.mount.html>
+# - fuse options: `man mount.fuse`

 { lib, pkgs, sane-lib, ... }:

@ -8,7 +9,9 @@ let
    common = [
      "_netdev"
      "noatime"
-      "user"  # allow any user with access to the device to mount the fs
+      # user: allow any user with access to the device to mount the fs.
+      #       note that this requires a suid `mount` binary; see: <https://zameermanji.com/blog/2022/8/5/using-fuse-without-root-on-linux/>
+      "user"
      "x-systemd.requires=network-online.target"
      "x-systemd.after=network-online.target"
      "x-systemd.mount-timeout=10s"  # how long to wait for mount **and** how long to wait for unmount
@ -22,7 +25,8 @@ let

    ssh = common ++ [
      "identityfile=/home/colin/.ssh/id_ed25519"
-      "allow_other"
+      # "allow_other"  # allow users other than the one who mounts it to access it
+      "allow_root"  # allow root to access files on this fs
      "default_permissions"
    ];
    sshColin = ssh ++ [
@ -63,7 +67,11 @@ let
      options = fsOpts.sshColin ++ fsOpts.noauto;
      noCheck = true;
    };
-    sane.fs."/mnt/${host}/home" = sane-lib.fs.wantedDir;
+    sane.fs."/mnt/${host}/home" = sane-lib.fs.wanted {
+      dir.acl.user = "colin";
+      dir.acl.group = "users";
+      dir.acl.mode = "0700";
+    };
  };
 in
 lib.mkMerge [
@ -111,12 +119,22 @@ lib.mkMerge [
      fsType = "nfs";
      options = fsOpts.nfs ++ fsOpts.auto ++ fsOpts.wg;
    };
+    sane.fs."/mnt/servo/media" = sane-lib.fs.wanted {
+      dir.acl.user = "colin";
+      dir.acl.group = "users";
+      dir.acl.mode = "0750";
+    };
    fileSystems."/mnt/servo/playground" = {
      device = "servo-hn:/playground";
      noCheck = true;
      fsType = "nfs";
      options = fsOpts.nfs ++ fsOpts.auto ++ fsOpts.wg;
    };
+    sane.fs."/mnt/servo/playground" = sane-lib.fs.wanted {
+      dir.acl.user = "colin";
+      dir.acl.group = "users";
+      dir.acl.mode = "0750";
+    };
    # fileSystems."/mnt/servo-media-nfs" = {
    #   device = "servo-hn:/media";
    #   noCheck = true;
@ -131,6 +149,7 @@ lib.mkMerge [
      "/libexec"
    ];

+    programs.fuse.userAllowOther = true;  #< necessary for `allow_other` or `allow_root` options.
    environment.systemPackages = [
      pkgs.sshfs-fuse
    ];