Colin
478747a96e
this changes the plaintext and cryptClearOnBoot stores: private was already symlink-based. this isn't strictly necessary: the rationale is: 1. `mount` syscall *requires* CAP_SYS_ADMIN (i.e. superuser/suid). that's causing problems with sandboxing, particularly ~/private. that doesn't affect other stores *yet*, but it may in the future. 2. visibility. i.e. it makes *clear* where anything is persisted. if `realpath` doesn't evaluate to `/nix/persist`, then it's not persisted. |
||
---|---|---|
.. | ||
services | ||
default.nix | ||
fs.nix | ||
net.nix |