common/fs: only desclare /mnt/$host mounts for hosts this machine is authorized to access

2024-08-02 20:29:22 +00:00
parent e586b7b449
commit fbfd0afca4


@@ -107,6 +107,9 @@ let
"connect_timeout=20"
];
};
ifSshAuthorized = lib.mkIf config.sane.hosts.by-name."${config.networking.hostName}".ssh.authorized;
remoteHome = host: {
sane.programs.sshfs-fuse.enableFor.system = true;
fileSystems."/mnt/${host}/home" = {
@@ -245,10 +248,10 @@ lib.mkMerge [
programs.fuse.userAllowOther = true; #< necessary for `allow_other` or `allow_root` options.
}
(remoteHome "crappy")
(remoteHome "desko")
(remoteHome "lappy")
(remoteHome "moby")
(ifSshAuthorized (remoteHome "crappy"))
(ifSshAuthorized (remoteHome "desko"))
(ifSshAuthorized (remoteHome "lappy"))
(ifSshAuthorized (remoteHome "moby"))
# this granularity of servo media mounts is necessary to support sandboxing:
# for flaky mounts, we can only bind the mountpoint itself into the sandbox,
# so it's either this or unconditionally bind all of media/.
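Review bot: The `ifSshAuthorized` binding added in the first hunk selects `config.sane.hosts.by-name."${config.networking.hostName}"` unconditionally, so on a machine with no entry under `by-name` (or no `ssh.authorized` set, if the option has no default) evaluation would presumably abort with a missing-attribute error instead of just omitting the mounts. Failing closed costs one token, since `or` covers the whole attribute path: `ifSshAuthorized = lib.mkIf (config.sane.hosts.by-name."${config.networking.hostName}".ssh.authorized or false);`. Note also that the guard now wraps the `sane.programs.sshfs-fuse.enableFor.system = true;` line inside `remoteHome`, so if any mount outside these four relies on that line to pull in sshfs (the rest of the file is not visible here), it needs to enable it itself. A short comment above the binding would record the intent, e.g. `# skip /mnt/$host mounts on machines that aren't authorized to ssh into the other hosts`.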