persistence: cleanup so it all works well with symlink-based stores

hosts/common/programs/assorted.nix

@@ -395,7 +395,10 @@ in
     fuzzel.sandbox.method = "bwrap";  #< landlock nearly works, but unable to open ~/.cache
     fuzzel.sandbox.wrapperType = "wrappedDerivation";
     fuzzel.sandbox.whitelistWayland = true;
-    fuzzel.persist.byStore.private = [ ".cache/fuzzel" ];  #< this is a file of recent selections
+    fuzzel.persist.byStore.private = [
+      # this is a file of recent selections
+      { path=".cache/fuzzel"; type="file"; }
+    ];
 
     gawk.sandbox.method = "bwrap";  # TODO:sandbox: untested
     gawk.sandbox.wrapperType = "inplace";  # share/gawk libraries refer to /libexec
@@ -494,7 +497,9 @@ in
 
     # TODO: gnome-maps: move to own file
     "gnome.gnome-maps".persist.byStore.plaintext = [ ".cache/shumate" ];
-    "gnome.gnome-maps".persist.byStore.private = [ ".local/share/maps-places.json" ];
+    "gnome.gnome-maps".persist.byStore.private = [
+      ({ path = ".local/share/maps-places.json"; type = "file"; })
+    ];
 
     # hitori rules:
     # - click to shade a tile

hosts/common/programs/audacity.nix

@@ -18,6 +18,8 @@
       # support media imports via file->open dir to some common media directories
       "tmp"
       "Music"
+      # audacity needs the entire config dir mounted if running in a sandbox
+      ".config/audacity"
     ];
 
     # disable first-run splash screen
@@ -29,7 +31,5 @@
       Major=3
       Minor=4
     '';
-    # audacity needs the entire config dir mounted if running in a sandbox
-    fs.".config/audacity".dir = {};
   };
 }

hosts/common/programs/mpv.nix

@@ -80,7 +80,10 @@ in
       "Videos/servo"
     ];
 
-    persist.byStore.plaintext = [ ".local/state/mpv/watch_later" ];
+    persist.byStore.plaintext = [
+      # for `watch_later`
+      ".local/state/mpv"
+    ];
     fs.".config/mpv/input.conf".symlink.text = let
       execInTerm = "${pkgs.xdg-terminal-exec}/bin/xdg-terminal-exec";
     in ''

hosts/common/programs/vlc.nix

@@ -24,7 +24,7 @@ in
     persist.byStore.private = [
       # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
       # filenames are stored in plaintext (unlike mpv, which i think hashes them)
-      ".config/vlc"
+      ({ path = ".config/vlc/vlc-qt-interface.conf"; type = "file"; })
       # vlc caches artwork. i'm not sure where it gets the artwork (internet? embedded metadata?)
       ".cache/vlc"
     ];

hosts/common/programs/wike.nix

@@ -22,7 +22,7 @@
       ".local/share/webkitgtk"
     ];
     persist.byStore.private = [
-      ".local/share/historic.json"  # history
+      ({ path=".local/share/historic.json"; type="file"; })  # history
       # .local/share/cookies (probably not necessary to persist?)
 
       # .local/share/booklists.json (empty; not sure if wike's)

hosts/common/users/root.nix

@@ -5,6 +5,7 @@
     # notably:
     # - `/root/.cache/nix/` takes up ~10 MB on lappy/desko/servo
     # - `/root/.cache/mesa_shader_cache` takes up 1-2 MB on moby
-    { path = "/root"; user = "root"; group = "root"; mode = "0700"; }
+    # /root gets created earlier during boot, so safer to specify only subdirs here
+    { path = "/root/.cache"; user = "root"; group = "root"; mode = "0700"; }
   ];
 }

modules/persist/default.nix

@@ -236,23 +236,25 @@ in
           };
         })
         (lib.optionalAttrs (opt.type == "file") {
-          # ensure the backing path of this file's parent exists.
+          # create the backing file, as an empty file.
-          # XXX: this forces the backing parent to be a directory
+          # the old way was to create the parent directory and leave the file empty, expecting the program to create it.
-          # this is almost always what is wanted, but it's sometimes an arbitrary constraint
+          # that doesn't work well with sandboxing, where the fs handles we want to give the program have to exist before launch.
-          sane.fs."${path.parent (fsPathToBackingPath fspath)}" = {
+          sane.fs."${fsPathToBackingPath fspath}" = {
             wantedBeforeBy = [ config.sane.fs."${fspath}".unit ];
-            dir = {};
+            file.acl = config.sane.fs."${fspath}".generated.acl;
+            file.text = lib.mkDefault "";
           };
         })
         {
           # default each item along the backing path to have the same acl as the location it would be mounted.
+          # also, default each parent to being a directory.
           sane.fs = lib.mkMerge (builtins.map
             (fsSubpath: {
               "${fsPathToBackingPath fsSubpath}" = {
-                generated.acl = config.sane.fs."${fsSubpath}".generated.acl;
+                dir.acl = config.sane.fs."${fsSubpath}".generated.acl;
               };
             })
-            (path.walk store.prefix (path.parent fspath))
+            (lib.init (path.walk store.prefix fspath))
           );
         }
       ];