| author | nikstur <nikstur@outlook.com> | 2025-07-27 21:19:00 +0200 |
|---|---|---|
| committer | nikstur <nikstur@outlook.com> | 2025-08-10 22:43:39 +0200 |
| commit | 0d9a5c2059c2d05267cd3895cfccea7feb2fb319 (patch) | |
| tree | 74d813ecd3a49dc404a10f8ca7a239c4f4665541 | |
| parent | nixos/kexec: add enable option (diff) | |
| download | nixpkgs-0d9a5c2059c2d05267cd3895cfccea7feb2fb319.tar.gz | |
nixos/fuse: add enable option
Fuse is still enabled by default so the default behaviour of NixOS
doesn't change. However, now it's possible to actively exclude fuse when
you don't need it.
| -rw-r--r-- | nixos/modules/programs/fuse.nix | 33 | ||||
| -rw-r--r-- | nixos/modules/security/wrappers/default.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/tasks/filesystems.nix | 8 |
3 files changed, 32 insertions, 11 deletions
diff --git a/nixos/modules/programs/fuse.nix b/nixos/modules/programs/fuse.nix
index 6d225089f33d..9096ce7812b4 100644
--- a/nixos/modules/programs/fuse.nix
+++ b/nixos/modules/programs/fuse.nix
@@ -1,4 +1,9 @@
-{ config, lib, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:

 let
 cfg = config.programs.fuse;
@@ -7,6 +12,10 @@ in
 meta.maintainers = with lib.maintainers; [ ];

 options.programs.fuse = {
+ enable = lib.mkEnableOption "fuse" // {
+ default = true;
+ };
+
 mountMax = lib.mkOption {
 # In the C code it's an "int" (i.e. signed and at least 16 bit), but
 # negative numbers obviously make no sense:
@@ -27,10 +36,30 @@ in
 };
 };

- config = {
+ config = lib.mkIf cfg.enable {
+ environment.systemPackages = [
+ pkgs.fuse
+ pkgs.fuse3
+ ];
+
+ security.wrappers =
+ let
+ mkSetuidRoot = source: {
+ setuid = true;
+ owner = "root";
+ group = "root";
+ inherit source;
+ };
+ in
+ {
+ fusermount = mkSetuidRoot "${lib.getBin pkgs.fuse}/bin/fusermount";
+ fusermount3 = mkSetuidRoot "${lib.getBin pkgs.fuse3}/bin/fusermount3";
+ };
+
 environment.etc."fuse.conf".text = ''
 ${lib.optionalString (!cfg.userAllowOther) "#"}user_allow_other
 mount_max = ${builtins.toString cfg.mountMax}
 '';
+
 };
 }
diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix
index cc1810c534bc..edbed8120e24 100644
--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@@ -266,8 +266,6 @@ in
 in
 {
 # These are mount related wrappers that require the +s permission.
- fusermount = mkSetuidRoot "${lib.getBin pkgs.fuse}/bin/fusermount";
- fusermount3 = mkSetuidRoot "${lib.getBin pkgs.fuse3}/bin/fusermount3";
 mount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/mount";
 umount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/umount";
 };
diff --git a/nixos/modules/tasks/filesystems.nix b/nixos/modules/tasks/filesystems.nix
index 5e52591a560b..ad27284d6991 100644
--- a/nixos/modules/tasks/filesystems.nix
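Review bot: In `nixos/modules/programs/fuse.nix`, the description of the new `enable` option is just `mkEnableOption "fuse"`, which does not say what switching it off removes. The `config` hunk of the same file ties both fuse packages, the setuid-root `fusermount` and `fusermount3` wrappers and `/etc/fuse.conf` to this option, so I would name them in the text: `enable = lib.mkEnableOption "the FUSE userspace tools, the setuid-root fusermount wrappers and /etc/fuse.conf" // {`. Nothing in the visible hunks touches the kernel module, so presumably the description should also state that disabling the option does not by itself prevent the fuse module from being loaded. The `options.programs.fuse` block starts and ends outside this hunk.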
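Review bot: In `nixos/modules/programs/fuse.nix`, the new `security.wrappers` block creates two setuid-root binaries without any comment, while the explanation ("These are mount related wrappers that require the +s permission.") stays behind in `security/wrappers/default.nix`. I would add a comment above `security.wrappers =`, for example `# fusermount and fusermount3 are setuid root so that unprivileged users can mount FUSE filesystems; they are only installed while programs.fuse.enable is set.` The local `mkSetuidRoot` also appears to duplicate the helper of the same name that `default.nix` still uses for `mount` and `umount`; that definition is outside the visible hunks, so it is worth checking that the two agree and mentioning the duplication in the comment.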
+++ b/nixos/modules/tasks/filesystems.nix
@@ -461,13 +461,7 @@ in
 # Add the mount helpers to the system path so that `mount' can find them.
 system.fsPackages = [ pkgs.dosfstools ];

- environment.systemPackages =
- with pkgs;
- [
- fuse3
- fuse
- ]
- ++ config.system.fsPackages;
+ environment.systemPackages = config.system.fsPackages;

 environment.etc.fstab.text =
 let |
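Review bot: With `fuse3` and `fuse` dropped from `environment.systemPackages` in `nixos/modules/tasks/filesystems.nix`, the comment "Add the mount helpers to the system path so that `mount' can find them" no longer covers the FUSE helpers, and nothing in this hunk says where they now come from. A configuration that sets `programs.fuse.enable = false` but still declares a FUSE-backed `fileSystems` entry would presumably evaluate fine and only fail when the mount is attempted. Whether such entries add the fuse packages to `system.fsPackages` elsewhere in this file is not visible here. I would at least extend the comment with `# The FUSE helpers (mount.fuse, mount.fuse3) come from programs.fuse and are absent when it is disabled.` and consider an assertion for that combination. The enclosing `config` block starts and ends outside the hunk.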
