864e75afce
sanebox: purge
2024-10-29 05:59:01 +00:00
2edce8e6c8
refactor: use mkEnableOption,mkPackageOption where applicable
2024-10-12 19:36:50 +00:00
440db76ddc
fix sane-private-unlock sandboxing
2024-10-06 07:50:21 +00:00
61df81291b
refactor: optimize eval time
...
lifting `let` bindings up where possible helps reduce the number of thunks nix has to allocate. this patch only does that by 0.3%-ish, though
2024-10-01 03:54:44 +00:00
1eea81c4ff
refactor: sane.fs: lift acl up to the toplevel; drop generated options
2024-09-30 15:15:30 +00:00
572dd5854d
WIP: sane.fs: remove wantedBy/wantedBeforeBy options
2024-09-30 10:19:39 +00:00
48c81610a5
sane.fs: remove public access to the "unit" fields
...
fs entries soon won't correspond to systemd units, and hence that option's a bit nonsensical
2024-09-30 09:10:40 +00:00
5857bdcc81
persist: remove the unused "initrd" store
2024-09-28 14:25:40 +00:00
d7c26b736c
remove all users of sane.fs.*.generated (except derived-secrets, that comes later)
...
this will allow me to reduce the scope of sane.fs, and then optimize it to not create a systemd service per each entry
2024-09-28 14:25:40 +00:00
31615340a7
programs/assorted: remove explicit (and extraneous) sandbox.method = "bunpen" declarations
2024-09-21 23:35:06 +00:00
1599df26e7
/mnt/persist/private: remove unneeded "sandbox.keepPids"
2024-09-10 01:09:21 +00:00
0b39f18faa
/mnt/persist/ephemeral: dont even try to delete the backing directory -- just everything contained in it
2024-09-10 00:45:07 +00:00
8ae7e255e5
gocryptfs: sandbox with bunpen
2024-09-10 00:02:03 +00:00
95994de1ad
provision-private-key (/run/gocryptfs/private.key): sandbox with bunpen
2024-09-09 03:56:55 +00:00
3e182b2a06
modules/persist: lint
2024-09-04 13:13:14 +00:00
020e5f8c6e
/mnt/persist/private: split waiting on the keyfile out of the mount process
2024-08-06 02:03:55 +00:00
809c3af7fa
/mnt/persist/private: minor improvements to file permissions
2024-08-06 01:26:53 +00:00
93cb1bc546
/mnt/persist/private: sandbox in a way that the actual gocryptfs instance doesn't get CAP_SYS_ADMIN
2024-08-06 00:52:48 +00:00
53acab834c
refactor: persist/stores/ephemeral: move to its own source directory
2024-08-05 23:05:02 +00:00
3a0610b029
/mnt/persist/ephemeral: sandbox in a way that the actual gocryptfs instance doesn't get CAP_SYS_ADMIN
...
instead, only fuse does, and the capability is lost during the handoff between fuse and gocryptfs
2024-08-05 23:04:14 +00:00
74662df720
persist/{private,ephemeral}: mount via fuse
...
gocryptfs is compatible with --drop-permissions style of mount.fuse3. only, i can't actually use that today because i need to keep permissions :o
but maybe i'll enable that in the future
2024-08-03 18:51:58 +00:00
eaeb8380dc
fs: enable @basic-api everywhere, since its required by systemd restart logic
2024-08-02 09:13:55 +00:00
9dbb2a6266
sane.fs: take in the role of generating systemd.mounts files
2024-08-02 07:33:21 +00:00
113b107d73
persist: fix ordering so stores arent required by local-fs.target
...
maybe they should be, but then there's weird stuff about getty depending on sysinit.target, and that being blocked by the private store...
2024-08-02 06:20:39 +00:00
96dfe79a8c
fs: persist/private: harden systemd mount file
2024-08-02 05:17:44 +00:00
6e5bde17aa
cleanup: persist/private: simplify
2024-08-02 05:00:55 +00:00
515aab5370
cleanup: persist/private: encode the dependencies more precisely, rather than just having it all depend on default.target
2024-08-02 04:50:33 +00:00
f925dd9a20
fs: isolate /mnt/servo/* and /mnt/persist/ephemeral a bit more
2024-08-02 04:45:14 +00:00
efc16a9e80
persist: harden the "ephemeral" store mount environment
...
there's only so much this can actually achieve. it's still quite possible for someone who knows what they're doing to do large amounts of damage
2024-08-01 22:40:55 +00:00
ace03bb0e9
persist/private: actually do enable "auto", for servo where i dont auto-tty-login as colin
...
this doesn't seem to block the boot
2024-07-26 22:02:57 +00:00
f4df121e3d
persist/private: s6: use systemd to explicitly start the mount, rather than assume it's already been initiated
2024-07-26 14:01:31 +00:00
96f786de20
persist/private: fix so systemd actually knows when the mount has completed
2024-07-26 12:44:32 +00:00
fcbbfc4a65
fix s6 service ordering: unl0kr -> (wait for mount) -> sway
...
note that the systemd-aware mount never completes -- it's stuck in 'activating' forever. that's the next challenge
2024-07-26 12:18:14 +00:00
af905a2f58
unl0kr: split the gocryptfs unlocking into its own separate service
...
/mnt/persist/private can be depended on by both s6 user services and systemd system services (which will become useful for servo)
/mnt/persist/private can be unlocked by dropping the key in remotely, however that won't kill unl0kr
TODO: fix unl0kr to not also output text to the tty
TODO: ensure gocryptfs mount can handle being fed a wrong password
2024-07-26 08:08:21 +00:00
b554d32133
fix permissions of /nix/persist/private, to be user-writable
...
this is important for my rsync-net backup scripts, which need to record timestamps in there
2024-07-25 18:42:45 +00:00
874b7aecfa
persist: rename "cryptClearOnBoot" to "ephemeral"
2024-07-25 12:11:46 +00:00
cf8e9f798d
persist/crypt: simplify the fileSystems definitions
...
turns out you can just declare your own fs type, that's cool
2024-07-25 12:11:46 +00:00
6ab5dd8a8f
modules/persist: ensure that the mountpoint for the private store is created at boot
2024-02-25 07:51:24 +00:00
4023960dc0
README: MANUAL MIGRATION: move "plaintext" store to /nix/persist/plaintext
...
to migrate the data:
```sh
$ sudo mkdir /nix/persist/plaintext
$ sudo mv /nix/persist/{etc,home,var} /nix/persist/plaintext
$ sudo ln -s plaintext/etc /nix/persist/etc #< temporarily; if deploying over ssh
$ switch
$ reboot
$ sudo rm /nix/persist/etc #< if you did the symlink earlier
```
2024-02-23 18:02:17 +00:00
fff9f9d49a
README: MANUAL MIGRATION: move "private" store to /nix/persist/private
...
to migrate the data, first unmount `~/private` (`sane-private-lock`), then:
```sh
$ sudo mv /nix/persist/home/colin/private /nix/persist
$ switch
$ reboot
```
2024-02-23 16:01:09 +00:00
d7402ae170
persist: stores: make naming more consistent
2024-02-23 14:57:20 +00:00
6267e7f966
tidy up small persist/private nitpicks
2024-02-23 14:44:38 +00:00
120a41b169
persistence: split /var/log persistence into dedicated "initrd" store
2024-02-23 14:42:47 +00:00
aa0991bd6c
persistence: cleanup so it all works well with symlink-based stores
2024-02-23 13:09:44 +00:00
057b9e3fed
replace links/references to ~/private/FOO with just ~/FOO
2024-02-23 07:06:29 +00:00
a402822084
move "private" store to /mnt/persist/private instead of ~/private
...
this will allow me to add all of ~ to a sandbox without giving all of ~/private
2024-02-23 07:06:29 +00:00
80ecdcc4f9
persist: plaintext: consider "/mnt/persist/plaintext" as the logical root, and abstract away "/nix/persist"
2024-02-23 07:06:29 +00:00
0864790bb7
docs: modules/persist: document the "origin" store parameter
2024-02-23 07:06:29 +00:00
478747a96e
modules/persist: change default mounting method to symlink
...
this changes the plaintext and cryptClearOnBoot stores: private was already symlink-based.
this isn't strictly necessary: the rationale is:
1. `mount` syscall *requires* CAP_SYS_ADMIN (i.e. superuser/suid).
that's causing problems with sandboxing, particularly ~/private.
that doesn't affect other stores *yet*, but it may in the future.
2. visibility. i.e. it makes *clear* where anything is persisted.
if `realpath` doesn't evaluate to `/nix/persist`, then it's not
persisted.
2024-02-23 07:06:29 +00:00
6acd363f55
sane.persist.root-on-tmpfs -> sane.root-on-tmpfs
2023-11-09 00:15:04 +00:00
