cmd/sharefs: containerise filesystem daemon

This replaces the forking daemonise libfuse function which prevents Go callbacks from calling into the runtime. This also enforces least privilege on the daemon process.

Signed-off-by: Ophestra <cat@gensokyo.uk>

nixos.nix

@@ -88,7 +88,6 @@ in
                 "noatime"
                 "auto_unmount"
                 "allow_other"
-                "clone_fd"
                 "setuid=$(id -u ${cfg.sharefs.user})"
                 "setgid=$(id -g ${cfg.sharefs.group})"
                 "source=${cfg.sharefs.source}"