security/hakurei
6
3
Fork 0
Code Issues 11 Pull Requests Actions Packages Projects Releases 11 Wiki Activity

nix: configure sharefs via fileSystems
All checks were successful
Test / ShareFS (push) Successful in 41s
Details
Test / Sandbox (race detector) (push) Successful in 45s
Details
Test / Create distribution (push) Successful in 42s
Details
Test / Sandbox (push) Successful in 47s
Details
Test / Hpkg (push) Successful in 50s
Details
Test / Hakurei (push) Successful in 56s
Details
Test / Hakurei (race detector) (push) Successful in 56s
Details
Test / Flake checks (push) Successful in 1m35s
Details

Browse Source 
Turns out this did not work because in the vm test harness, virtualisation.fileSystems completely and silently overrides fileSystems, causing its contents to not even be evaluated anymore. This is not documented as far as I can tell, and is not obvious by any stretch of the imagination. The current hack is cargo culted from nix-community/impermanence and hopefully lasts until this project fully replaces nix.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2025-12-27 22:52:12 +09:00
parent e7982b4ee9
commit e42ea32dbe
6 changed files with 136 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
cmd/sharefs/test/configuration.nix
View File

@@ -1,4 +1,4 @@
{ pkgs, config, ... }: { pkgs, ... }:
{ {
users.users = { users.users = {
alice = { alice = {
@@ -17,9 +17,6 @@
environment = { environment = {
# For benchmarking sharefs: # For benchmarking sharefs:
systemPackages = [ pkgs.fsmark ]; systemPackages = [ pkgs.fsmark ];
# For sharefs option checks without adding to PATH:
etc.sharefs.source = "${config.environment.hakurei.package}/libexec/sharefs";
}; };
virtualisation = { virtualisation = {

10
cmd/sharefs/test/test.py
View File

@@ -2,14 +2,14 @@ start_all()
machine.wait_for_unit("multi-user.target") machine.wait_for_unit("multi-user.target")
# To check sharefs version: # To check sharefs version:
print(machine.succeed("/etc/sharefs -V")) print(machine.succeed("sharefs -V"))
# Make sure sharefs did not terminate: # Make sure sharefs started:
machine.wait_for_unit("sharefs.service") machine.wait_for_unit("sdcard.mount")
machine.succeed("mkdir /mnt") machine.succeed("mkdir /mnt")
def check_bad_opts_output(opts, want, source="/etc", privileged=False): def check_bad_opts_output(opts, want, source="/etc", privileged=False):
output = machine.fail(("" if privileged else "sudo -u alice -i ") + f"/etc/sharefs -f -o source={source},{opts} /mnt 2>&1") output = machine.fail(("" if privileged else "sudo -u alice -i ") + f"sharefs -f -o source={source},{opts} /mnt 2>&1")
if output != want: if output != want:
raise Exception(f"unexpected output: {output}") raise Exception(f"unexpected output: {output}")
@@ -40,7 +40,7 @@ machine.succeed("rmdir /mnt")
# Unprivileged mount/unmount: # Unprivileged mount/unmount:
machine.succeed("sudo -u alice -i mkdir /home/alice/{sdcard,persistent}") machine.succeed("sudo -u alice -i mkdir /home/alice/{sdcard,persistent}")
machine.succeed("sudo -u alice -i /etc/sharefs -o source=/home/alice/persistent /home/alice/sdcard") machine.succeed("sudo -u alice -i sharefs -o source=/home/alice/persistent /home/alice/sdcard")
machine.succeed("sudo -u alice -i touch /home/alice/sdcard/check") machine.succeed("sudo -u alice -i touch /home/alice/sdcard/check")
machine.succeed("sudo -u alice -i umount /home/alice/sdcard") machine.succeed("sudo -u alice -i umount /home/alice/sdcard")
machine.succeed("sudo -u alice -i rm /home/alice/persistent/check") machine.succeed("sudo -u alice -i rm /home/alice/persistent/check")

4
flake.nix
View File

@@ -138,6 +138,10 @@
; ;
}; };
hsu = pkgs.callPackage ./cmd/hsu/package.nix { inherit (self.packages.${system}) hakurei; }; hsu = pkgs.callPackage ./cmd/hsu/package.nix { inherit (self.packages.${system}) hakurei; };
sharefs = pkgs.linkFarm "sharefs" {
"bin/sharefs" = "${hakurei}/libexec/sharefs";
"bin/mount.fuse.sharefs" = "${hakurei}/libexec/sharefs";
};
dist = pkgs.runCommand "${hakurei.name}-dist" { buildInputs = hakurei.targetPkgs ++ [ pkgs.pkgsStatic.musl ]; } '' dist = pkgs.runCommand "${hakurei.name}-dist" { buildInputs = hakurei.targetPkgs ++ [ pkgs.pkgsStatic.musl ]; } ''
# go requires XDG_CACHE_HOME for the build cache # go requires XDG_CACHE_HOME for the build cache

62
nixos.nix
View File

@@ -24,11 +24,38 @@ let
getsubuid = userid: appid: userid * 100000 + 10000 + appid; getsubuid = userid: appid: userid * 100000 + 10000 + appid;
getsubname = userid: appid: "u${toString userid}_a${toString appid}"; getsubname = userid: appid: "u${toString userid}_a${toString appid}";
getsubhome = userid: appid: "${cfg.stateDir}/u${toString userid}/a${toString appid}"; getsubhome = userid: appid: "${cfg.stateDir}/u${toString userid}/a${toString appid}";
mountpoints = {
${cfg.sharefs.name} = mkIf (cfg.sharefs.source != null) {
depends = [ cfg.sharefs.source ];
device = "sharefs";
fsType = "fuse.sharefs";
noCheck = true;
options = [
"rw"
"noexec"
"nosuid"
"nodev"
"noatime"
"allow_other"
"mkdir"
"source=${cfg.sharefs.source}"
"setuid=${toString config.users.users.${cfg.sharefs.user}.uid}"
"setgid=${toString config.users.groups.${cfg.sharefs.group}.gid}"
];
};
};
in in
{ {
imports = [ (import ./options.nix packages) ]; imports = [ (import ./options.nix packages) ];
options = {
# Forward declare a dummy option for VM filesystems since the real one won't exist
# unless the VM module is actually imported.
virtualisation.fileSystems = lib.mkOption { };
};
config = mkIf cfg.enable { config = mkIf cfg.enable {
assertions = [ assertions = [
( (
@@ -66,38 +93,9 @@ in
) "" cfg.users; ) "" cfg.users;
}; };
systemd.services = { environment.systemPackages = optional (cfg.sharefs.source != null) cfg.sharefs.package;
sharefs = mkIf (cfg.sharefs.source != null) { fileSystems = mountpoints;
unitConfig.RequiresMountsFor = cfg.sharefs.source; virtualisation.fileSystems = mountpoints;
serviceConfig = {
NoNewPrivileges = true;
};
script = ''
${pkgs.coreutils}/bin/install -dm0 ${cfg.sharefs.name}
exec ${cfg.package}/libexec/sharefs -f \
-o ${
lib.join "," [
"noexec"
"nosuid"
"nodev"
"noatime"
"auto_unmount"
"allow_other"
"setuid=$(id -u ${cfg.sharefs.user})"
"setgid=$(id -g ${cfg.sharefs.group})"
"source=${cfg.sharefs.source}"
"mkdir"
]
} ${cfg.sharefs.name}
'';
# do not unmount on configuration changes
restartIfChanged = false;
wantedBy = [ "multi-user.target" ];
};
};
home-manager = home-manager =
let let

90
options.md
View File

@@ -809,6 +809,96 @@ package
## environment\.hakurei\.sharefs\.package
The sharefs package to use\.
*Type:*
package
*Default:*
` <derivation sharefs> `
## environment\.hakurei\.sharefs\.group
Name of the group to run the sharefs daemon as\.
*Type:*
string
*Default:*
` "sharefs" `
## environment\.hakurei\.sharefs\.name
Host path to mount sharefs on\.
*Type:*
string
*Default:*
` "/sdcard" `
## environment\.hakurei\.sharefs\.source
Writable backing directory\. Setting this to null disables sharefs\.
*Type:*
null or string
*Default:*
` null `
## environment\.hakurei\.sharefs\.user
Name of the user to run the sharefs daemon as\.
*Type:*
string
*Default:*
` "sharefs" `
## environment\.hakurei\.shell ## environment\.hakurei\.shell

6
options.nix
View File

@@ -41,6 +41,12 @@ in
}; };
sharefs = { sharefs = {
package = mkOption {
type = types.package;
default = packages.${pkgs.stdenv.hostPlatform.system}.sharefs;
description = "The sharefs package to use.";
};
user = mkOption { user = mkOption {
type = types.str; type = types.str;
default = "sharefs"; default = "sharefs";