immich: +bind-paths

hosts/mtworx/configuration.nix

@@ -1,4 +1,5 @@
 {
+  lib,
   config,
   pkgs,
   myData,
@@ -176,6 +177,72 @@ in
     };
   };
 
+  users = {
+    users.mount-test = {
+      name = "mount-test";
+      group = "mount-test";
+      isSystemUser = true;
+    };
+    groups.mount-test = { };
+  };
+
+  systemd.services.mount-test = {
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      RuntimeDirectory = "mount-test";
+      BindPaths = [ "/home/motiejus/x:/var/run/mount-test/x" ];
+      PrivateDevices = false;
+
+      Type = "simple";
+      Restart = "on-failure";
+      RestartSec = 10;
+
+      # Hardening
+      NoNewPrivileges = true;
+      PrivateTmp = true;
+      PrivateMounts = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+        "AF_UNIX"
+      ];
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+
+      User = "mount-test";
+      Group = "mount-test";
+      ExecStart =
+        "!"
+        + (lib.getExe (
+          pkgs.writeShellApplication {
+            name = "mount-test";
+            runtimeInputs = with pkgs; [
+              bindfs
+              util-linux
+            ];
+            text = ''
+              set -x
+              mkdir -p /var/run/mount-test/inner
+              bindfs -u motiejus -g users /var/run/mount-test/x /var/run/mount-test/inner
+              exec setpriv \
+                --ruid mount-test \
+                --inh-caps -sys_admin,-setuid,-setgid \
+                touch /var/run/mount-test/inner/foo
+            '';
+          }
+        ));
+    };
+  };
+
   users.extraGroups.vboxusers.members = [ "motiejus" ];
 
   environment.systemPackages = with pkgs; [ dnsmasq ];

modules/services/immich/default.nix

@@ -19,6 +19,7 @@ let
     ];
     text = ''
       set -x
+      mkdir -p /var/run/immich/bind-paths
       ${lib.concatMapStringsSep "\n"
         (name: ''
           mkdir /data/${name}
@@ -53,10 +54,7 @@ in
     '';
 
     systemd = {
-      tmpfiles.rules = [
+      tmpfiles.rules = [ "d /data 0755 root root -" ];
-        "d /data 0755 root root -"
-        "d /var/run/immich/bind-paths 0755 ${immich-user} ${immich-group} -"
-      ];
       services.immich-server.serviceConfig = {
         RuntimeDirectory = "immich";
         TemporaryFileSystem = "/data";