nix-community / impermanence

Modules to help you handle persistent state on systems with ephemeral root storage [maintainer=@talyz]
MIT License

nixos: Improve directory creation and permission and ownership assignment #109

Closed talyz closed 1 year ago

talyz commented 1 year ago

Construct directory items for all parent directories of the user specified files and directories, assigning better default permissions and ownership to each and removing this responsibility from the create-directories script.

This means that all parent directories of root directories will now have the default permissions and ownership, not inherit them from the child. User directories are assigned default user ownership. The home directory itself is handled specially to make sure it is owned by the user, not readable by anyone else and its parent gets default root ownership.

To illustrate this with an example, here is a directory specification and the ownership and permissions that could potentially be assigned to the parent directories, given none of them yet exist in persistent storage:

{
  environment.persistence."/persistent" = {
    users.talyz = {
      directories = [
        { directory = ".local/share/secret"; mode = "0500"; }
      ];
    };
  };
}

Before

/home                            talyz:talyz   0500
/home/talyz                      talyz:talyz   0500
/home/talyz/.local               talyz:talyz   0500
/home/talyz/.local/share         talyz:talyz   0500
/home/talyz/.local/share/secret  talyz:talyz   0500

After

/home                            root:root     0755
/home/talyz                      talyz:talyz   0700
/home/talyz/.local               talyz:talyz   0755
/home/talyz/.local/share         talyz:talyz   0755
/home/talyz/.local/share/secret  talyz:talyz   0500

Also:

cc @tomeon
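The rule described in this comment, as an added Python sketch (not the module's code and not part of the PR): it models the expected ownership and mode of each parent directory and reports directories in a persistent store that deviate, such as ones still carrying the "Before" pattern. The 0755 and 0700 defaults are read off the "After" table; the function names and the `ids` mapping are assumptions.

```python
import os
import stat
from pathlib import PurePosixPath

# Assumptions read off the "After" table in the PR description.
DEFAULT_MODE = 0o755  # parents that get default permissions
HOME_MODE = 0o700     # home: owned by the user, not readable by anyone else

def expected_entries(user, group, home, rel_dir, mode):
    """Model of the described rule: [(path, owner, mode)], outermost first."""
    home = PurePosixPath(home)
    leaf = home / rel_dir
    owner = f"{user}:{group}"
    entries = []
    # Parents of the home directory get default root ownership.
    for p in list(home.parents)[::-1]:
        if p != PurePosixPath("/"):
            entries.append((str(p), "root:root", DEFAULT_MODE))
    entries.append((str(home), owner, HOME_MODE))
    # Directories between home and the leaf: user-owned, default mode,
    # no longer inherited from the child.
    for p in list(leaf.parents)[::-1]:
        if home in p.parents:
            entries.append((str(p), owner, DEFAULT_MODE))
    entries.append((str(leaf), owner, mode))
    return entries

def audit(persist_root, entries, ids):
    """Return (path, actual, expected) for existing directories that deviate.

    ids maps "user:group" to a (uid, gid) tuple (hypothetical helper input).
    """
    findings = []
    for path, owner, mode in entries:
        real = os.path.join(persist_root, path.lstrip("/"))
        try:
            st = os.lstat(real)
        except FileNotFoundError:
            continue  # not created in persistent storage yet
        actual = stat.S_IMODE(st.st_mode)
        if actual != mode or (st.st_uid, st.st_gid) != ids[owner]:
            findings.append((real, f"{actual:04o}", f"{mode:04o}"))
    return findings

if __name__ == "__main__":
    # Constructed input: the specification from the PR description.
    spec = expected_entries("talyz", "talyz", "/home/talyz", ".local/share/secret", 0o500)
    for path, owner, mode in spec:
        print(f"{path:<33}{owner:<14}{mode:04o}")
```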

dschrempf commented 1 year ago

This seems to be necessary. At the moment, Home Manager activation fails when using the impermanence system module and, e.g., { directory = ".local/share/mpd"; mode = "0700"; }. The error is:

Apr 13 10:05:19 blaubaer hm-activate-dominik[1181]: mkdir: cannot create directory ‘/home/dominik/.local/share/applications’: Permission denied
Apr 13 10:05:19 blaubaer hm-activate-dominik[1182]: ln: failed to create symbolic link '/home/dominik/.local/share/applications/mimeapps.list': No such file or directory

EDIT: It turns out the mounts were faulty because there was a race condition between mounting /home/ as tmpfs and bind mounting the persistent directories. That is, I had to set neededForBoot = true; not only for the persistent volume, but also for the temporary volume which I use as /home/. I think this should be stated in the README.

m-bdf commented 1 year ago

I've been using this branch for a bit and it works like a charm, avoiding the need to rely on systemd-tmpfiles to set correct parent permissions and ownership in most cases. Any chance of this PR being merged soon?

talyz commented 1 year ago

Great! Yeah, I've been using this for a few months at this point without any issues, so I think it's safe to merge.