common/fs: only desclare /mnt/$host mounts for hosts this machine is authorized to access
This commit is contained in:
@@ -107,6 +107,9 @@ let
|
|||||||
"connect_timeout=20"
|
"connect_timeout=20"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
ifSshAuthorized = lib.mkIf config.sane.hosts.by-name."${config.networking.hostName}".ssh.authorized;
|
||||||
|
|
||||||
remoteHome = host: {
|
remoteHome = host: {
|
||||||
sane.programs.sshfs-fuse.enableFor.system = true;
|
sane.programs.sshfs-fuse.enableFor.system = true;
|
||||||
fileSystems."/mnt/${host}/home" = {
|
fileSystems."/mnt/${host}/home" = {
|
||||||
@@ -245,10 +248,10 @@ lib.mkMerge [
|
|||||||
programs.fuse.userAllowOther = true; #< necessary for `allow_other` or `allow_root` options.
|
programs.fuse.userAllowOther = true; #< necessary for `allow_other` or `allow_root` options.
|
||||||
}
|
}
|
||||||
|
|
||||||
(remoteHome "crappy")
|
(ifSshAuthorized (remoteHome "crappy"))
|
||||||
(remoteHome "desko")
|
(ifSshAuthorized (remoteHome "desko"))
|
||||||
(remoteHome "lappy")
|
(ifSshAuthorized (remoteHome "lappy"))
|
||||||
(remoteHome "moby")
|
(ifSshAuthorized (remoteHome "moby"))
|
||||||
# this granularity of servo media mounts is necessary to support sandboxing:
|
# this granularity of servo media mounts is necessary to support sandboxing:
|
||||||
# for flaky mounts, we can only bind the mountpoint itself into the sandbox,
|
# for flaky mounts, we can only bind the mountpoint itself into the sandbox,
|
||||||
# so it's either this or unconditionally bind all of media/.
|
# so it's either this or unconditionally bind all of media/.
|
||||||
|
Reference in New Issue
Block a user