fs: enable @basic-api everywhere, since its required by systemd restart logic

hosts/common/fs.nix

@@ -160,7 +160,7 @@ let
       mount.mountConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
       #VVV this includes anything it reads from, e.g. /bin/sh; /nix/store/...
       # see `systemd-analyze filesystems` for a full list
-      mount.mountConfig.RestrictFileSystems = "@common-block devtmpfs fuse";
+      mount.mountConfig.RestrictFileSystems = "@common-block @basic-api fuse";
       mount.mountConfig.RestrictNamespaces = true;
       mount.mountConfig.RestrictRealtime = true;
       mount.mountConfig.RestrictSUIDSGID = true;

modules/persist/stores/ephemeral.nix

@@ -69,7 +69,7 @@ lib.mkIf config.sane.persist.enable
     mount.mountConfig.RestrictAddressFamilies = "AF_UNIX";  # "none" works, but then it can't connect to the logger
     #VVV this includes anything it reads from, e.g. /bin/sh; /nix/store/...
     # see `systemd-analyze filesystems` for a full list
-    mount.mountConfig.RestrictFileSystems = "@common-block devtmpfs fuse pipefs";
+    mount.mountConfig.RestrictFileSystems = "@common-block @basic-api fuse pipefs";
     mount.mountConfig.RestrictNamespaces = true;
     mount.mountConfig.RestrictNetworkInterfaces = "";
     mount.mountConfig.RestrictRealtime = true;

modules/persist/stores/private.nix

@@ -131,7 +131,7 @@ lib.mkIf config.sane.persist.enable
     mount.mountConfig.ProtectHostname = true;
     mount.mountConfig.RemoveIPC = true;
     mount.mountConfig.RestrictAddressFamilies = "AF_UNIX";  # "none" works, but then it can't connect to the logger
-    mount.mountConfig.RestrictFileSystems = "@common-block devtmpfs fuse pipefs";
+    mount.mountConfig.RestrictFileSystems = "@common-block @basic-api fuse pipefs";
     mount.mountConfig.RestrictNamespaces = true;
     mount.mountConfig.RestrictNetworkInterfaces = "";
     mount.mountConfig.RestrictRealtime = true;