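--- a/modules/graphical/apps/browsers.nix
+++ b/modules/graphical/apps/browsers.nix
@@ -66,16 +66,17 @@ in
 OfferToSaveLoginsDefault = false;
 HttpsOnlyMode = "enabled";
 
-SanitizeOnShutdown = {
-Cache = true;
-Cookies = true;
-Downloads = true;
-FormData = true;
-History = true;
-Sessions = true;
-SiteSettings = true;
-OfflineApps = true;
-};
+# not needed since home directories are on tmpfs
+#SanitizeOnShutdown = {
+# Cache = true;
+# Cookies = true;
+# Downloads = true;
+# FormData = true;
+# History = true;
+# Sessions = true;
+# SiteSettings = true;
+# OfflineApps = true;
+#};
 
 DontCheckDefaultBrowser = true;
 DisableBuiltinPDFViewer = true;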
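Review bot: The comment replacing the SanitizeOnShutdown block ties browser-data cleanup to an assumption this module never checks: the policy is now silently off on any host that imports browsers.nix without `ocf.home.tmpfs`, and even where the tmpfs home is on, sanitizing is a cheap second line of defence if the unmount at logout ever fails. Rather than commenting the block out, keep it and gate it on the option, e.g. `SanitizeOnShutdown = lib.mkIf (!config.ocf.home.tmpfs) {` with the body unchanged (or `lib.optionalAttrs` if this attrset is not evaluated by the module system), assuming `config` and `lib` are among the module's arguments, which sit above this hunk. The comment could then read `# redundant when the home directory is a tmpfs that is unmounted at logout`.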
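--- a/modules/home/home.nix
+++ b/modules/home/home.nix
@@ -0,0 +1,64 @@
+{ lib, config, pkgs, ... }:
+
+let
+cfg = config.ocf.home;
+homeSetupScript = pkgs.writeShellScript "ocf_setup_home" (builtins.readFile ./ocf_setup_home.sh);
+remoteHost = "tsunami";
+
+# Default openssh doesn't include GSSAPI support, so we need to override sshfs
+# to use the openssh_gssapi package instead. This is annoying because the
+# sshfs package's openssh argument is nested in another layer of callPackage,
+# so we override callPackage instead to override openssh.
+sshfs = pkgs.sshfs.override {
+callPackage = fn: args: (pkgs.callPackage fn args).override {
+openssh = pkgs.openssh_gssapi;
+};
+};
+in
+{
+options.ocf.home = {
+tmpfs = lib.mkEnableOption "mount tmpfs on /home and each user's home directory (unmounted on logout)";
+#TODO mountRemote = lib.mkEnableOption "sshfs mount ${remoteHost}:~ on ~/remote";
+};
+
+config = lib.mkIf cfg.tmpfs {
+fileSystems."/home" = {
+device = "tmpfs";
+fsType = "tmpfs";
+options = [ "size=16G" "mode=755" ];
+};
+
+security.pam = {
+# Trim spaces from username
+services.login.rules.auth.trimspaces = {
+control = "requisite";
+modulePath = "${pkgs.ocf-pam_trimspaces}/lib/security/pam_trimspaces.so";
+order = 0;
+};
+
+services.login.pamMount = true;
+
+# needed to mount ~/remote with kerberos ssh auth
+services.login.rules.session.mount.order = config.security.pam.services.login.rules.session.krb5.order + 50;
+
+# mount ~ and ~/remote
+mount.extraVolumes = [
+''<volume fstype="tmpfs" path="tmpfs" mountpoint="~" options="uid=%(USERUID),gid=%(USERGID),mode=0700"/>''
+# TODO: enable StrictHostKeyChecking and UserKnownHostsFile because these should not be disabled!
+''<volume fstype="fuse" path="${lib.getExe sshfs}#%(USER)@${remoteHost}:" mountpoint="~/remote/" options="follow_symlinks,UserKnownHostsFile=/dev/null,StrictHostKeyChecking=no" pgrp="ocf" />''
+];
+
+# because mount now creates the home dir and mounts tmpfs on it, mkhomedir wont copy the skel because the dir exists
+# we can do copy skel as part of a home setup script, and do other stuff as well
+#services.login.rules.session.mkhomedir.order = config.security.pam.services.login.rules.session.mount.order + 50;
+#makeHomeDir.skelDirectory = "/etc/skel";
+
+services.login.rules.session.ocf_home_setup = {
+order = config.security.pam.services.login.rules.session.mount.order + 50;
+control = "optional";
+modulePath = "pam_exec.so";
+args = [ "${homeSetupScript}" ];
+};
+};
+};
+}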
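Review bot: The sshfs volume on the `~/remote/` line lands with `UserKnownHostsFile=/dev/null,StrictHostKeyChecking=no`, so at every login the mount accepts whatever host answers as tsunami and the user's remote home is read and written through an unverified peer; the TODO above it acknowledges the problem but the commit still ships it, and nothing here shows GSSAPI key exchange taking over host authentication. Pin the host key at the system level instead, e.g. `programs.ssh.knownHosts.${remoteHost}.publicKey = "...";` (or `publicKeyFile`), and shrink the options to `options="follow_symlinks,StrictHostKeyChecking=yes"`, which lets ssh fall back to the global known_hosts file it consults by default. The `ocf_home_setup` rule also deserves a one-line comment such as `# runs the setup script with the PAM application's privileges (root for login) after the home mounts are in place`, since nothing in this file says the script is privileged code.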
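--- a/modules/home/ocf_setup_home.sh
+++ b/modules/home/ocf_setup_home.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+user_home="$(getent passwd "$PAM_USER" | cut -d: -f6)"
+user_gid="$(getent passwd "$PAM_USER" | cut -d: -f4)"
+
+umask 0077
+
+case "$PAM_TYPE" in
+open_session)
+# populate users tmpfs home with skel
+# check to make sure that the directory is actually empty
+# FIXME: expects findutils to exist
+if [ -d "$user_home" ] && [ -z "$(find "$user_home" -maxdepth 0 -empty)" ]; then
+# /etc/skel is read only because its in the nix store.
+# we should follow umask like how pam_mkhomedir does
+cp -rT --no-preserve=mode /etc/skel/ "$user_home/"
+chown -R "$PAM_USER:$user_gid" "$user_home/"
+fi
+
+# TODO: run desktoprc here
+;;
+close_session)
+# unmount everything under the users home dir
+umount --recursive "$USER_HOME"
+;;
+esac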
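Review bot: The close_session branch unmounts `"$USER_HOME"`, but the variable set at the top of the script is `user_home`, so this expands to an empty string and `umount --recursive ""` fails; the tmpfs home and the sshfs mount beneath it are then left in place after logout, which defeats the stated purpose of the tmpfs home on a shared machine unless pam_mount's own unmount happens to cover both. The fix is `umount --recursive "$user_home"`, and `set -u` near the top would have turned the typo into a loud failure. The emptiness check in the open_session branch also looks inverted: `find "$user_home" -maxdepth 0 -empty` prints the path only when the directory is empty, so `-z` is true for a non-empty home and skel would be copied over existing dotfiles (with `chown -R` rerun) on every later login while a fresh tmpfs home gets nothing; `[ -d "$user_home" ] && [ -n "$(find "$user_home" -maxdepth 0 -empty)" ]` matches the comment above it.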
21 changes: 0 additions & 21 deletions modules/tmpfs-home.nix

This file was deleted.

2 changes: 1 addition & 1 deletion profiles/desktop.nix
Expand Up @@ -32,7 +32,7 @@ in
acme.enable = false;

etc.enable = true;
tmpfsHome.enable = true;
home.tmpfs = true;
network.wakeOnLan.enable = true;
logged-in-users-exporter.enable = true;
