Merge branch 'tmpfs-home-per-login' into nfs-on-desktops

24apricots · 24apricots · commit 210f71df663d · 2026-04-12T06:38:01.000-07:00
branch 'tmpfs-home-per-login' (config to mount a tmpfs for each users'
home directory on login) contains a script that copies /etc/skel to a
newly mounted tmpfs home on login via pam_exec. this script will be
modified to also set up ~/remote when remote home directories are
mounted at /remote with nfs.
diff --git a/modules/graphical/apps/browsers.nix b/modules/graphical/apps/browsers.nix
@@ -66,16 +66,17 @@ in
         OfferToSaveLoginsDefault = false;
         HttpsOnlyMode = "enabled";
 
-        SanitizeOnShutdown = {
-          Cache = true;
-          Cookies = true;
-          Downloads = true;
-          FormData = true;
-          History = true;
-          Sessions = true;
-          SiteSettings = true;
-          OfflineApps = true;
-        };
+        # not needed since home directories are on tmpfs
+        #SanitizeOnShutdown = {
+        #  Cache = true;
+        #  Cookies = true;
+        #  Downloads = true;
+        #  FormData = true;
+        #  History = true;
+        #  Sessions = true;
+        #  SiteSettings = true;
+        #  OfflineApps = true;
+        #};
 
         DontCheckDefaultBrowser = true;
         DisableBuiltinPDFViewer = true;
diff --git a/modules/home/home.nix b/modules/home/home.nix
@@ -0,0 +1,75 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.ocf.home;
+  homeSetupScript = pkgs.writeShellScript "ocf_setup_home" (builtins.readFile ./ocf_setup_home.sh);
+  remoteHost = "tsunami";
+
+  # Default openssh doesn't include GSSAPI support, so we need to override sshfs
+  # to use the openssh_gssapi package instead. This is annoying because the
+  # sshfs package's openssh argument is nested in another layer of callPackage,
+  # so we override callPackage instead to override openssh.
+  sshfs = pkgs.sshfs.override {
+    callPackage =
+      fn: args:
+      (pkgs.callPackage fn args).override {
+        openssh = pkgs.openssh_gssapi;
+      };
+  };
+in
+{
+  options.ocf.home = {
+    tmpfs = lib.mkEnableOption "mount tmpfs on /home and each user's home directory (unmounted on logout)";
+    #TODO mountRemote = lib.mkEnableOption "sshfs mount ${remoteHost}:~ on ~/remote";
+  };
+
+  config = lib.mkIf cfg.tmpfs {
+    fileSystems."/home" = {
+      device = "tmpfs";
+      fsType = "tmpfs";
+      options = [
+        "size=16G"
+        "mode=755"
+      ];
+    };
+
+    security.pam = {
+      # Trim spaces from username
+      services.login.rules.auth.trimspaces = {
+        control = "requisite";
+        modulePath = "${pkgs.ocf-pam_trimspaces}/lib/security/pam_trimspaces.so";
+        order = 0;
+      };
+
+      services.login.pamMount = true;
+
+      # needed to mount ~/remote with kerberos ssh auth
+      services.login.rules.session.mount.order =
+        config.security.pam.services.login.rules.session.krb5.order + 50;
+
+      # mount ~ and ~/remote
+      mount.extraVolumes = [
+        ''<volume fstype="tmpfs" path="tmpfs" mountpoint="~" options="uid=%(USERUID),gid=%(USERGID),mode=0700"/>''
+        # TODO: enable StrictHostKeyChecking and UserKnownHostsFile because these should not be disabled!
+        ''<volume fstype="fuse" path="${lib.getExe sshfs}#%(USER)@${remoteHost}:" mountpoint="~/remote/" options="follow_symlinks,UserKnownHostsFile=/dev/null,StrictHostKeyChecking=no" pgrp="ocf" />''
+      ];
+
+      # because mount now creates the home dir and mounts tmpfs on it, mkhomedir wont copy the skel because the dir exists
+      # we can do copy skel as part of a home setup script, and do other stuff as well
+      #services.login.rules.session.mkhomedir.order = config.security.pam.services.login.rules.session.mount.order + 50;
+      #makeHomeDir.skelDirectory = "/etc/skel";
+
+      services.login.rules.session.ocf_home_setup = {
+        order = config.security.pam.services.login.rules.session.mount.order + 50;
+        control = "optional";
+        modulePath = "pam_exec.so";
+        args = [ "${homeSetupScript}" ];
+      };
+    };
+  };
+}
diff --git a/modules/home/ocf_setup_home.sh b/modules/home/ocf_setup_home.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+user_home="$(getent passwd "$PAM_USER" | cut -d: -f6)"
+user_gid="$(getent passwd "$PAM_USER" | cut -d: -f4)"
+
+umask 0077
+
+case "$PAM_TYPE" in
+	open_session)
+		# populate users tmpfs home with skel
+		# check to make sure that the directory is actually empty
+		# FIXME: expects findutils to exist
+		if [ -d "$user_home" ] && [ -z "$(find "$user_home" -maxdepth 0 -empty)" ]; then
+			# /etc/skel is read only because its in the nix store.
+			# we should follow umask like how pam_mkhomedir does
+			cp -rT --no-preserve=mode /etc/skel/ "$user_home/"
+			chown -R "$PAM_USER:$user_gid" "$user_home/"
+		fi
+
+		# TODO: run desktoprc here
+		;;
+	close_session)
+		# unmount everything under the users home dir
+		umount --recursive "$USER_HOME"
+		;;
+esac
diff --git a/modules/tmpfs-home.nix b/modules/tmpfs-home.nix
diff --git a/profiles/desktop.nix b/profiles/desktop.nix
@@ -32,7 +32,7 @@ in
     acme.enable = false;
 
     etc.enable = true;
-    tmpfsHome.enable = true;
+    home.tmpfs = true;
     network.wakeOnLan.enable = true;
     logged-in-users-exporter.enable = true;
 
