Restrict default mounts in lima

kachick · Dec 4, 2024 · 4b5be73 · 4b5be73
1 parent 0be8245
commit 4b5be73
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/config/lima/_config/default.yaml b/config/lima/_config/default.yaml
@@ -0,0 +1,7 @@
+# 🟢 Builtin default: [] (Mount nothing)
+mounts:
+  # TODO: Disable default mounting host home to keep secure even if it is not writable
+  # - location: '~' # Just comment out still respects template default. And setting mountPoint as false handles the false as string...
+  - location: '~/repos' # See git.nix in this repo
+    mountPoint: '{{.Home}}/repos' # Keep same behavior for ghq and the wrapped scripts
+    writable: true # For developing purpose, writable should be reasonable. And my system does not directly include these files
diff --git a/home-manager/lima-host.nix b/home-manager/lima-host.nix
@@ -17,6 +17,10 @@
       lima # includes qemu
     ];
 
+    # Lima and the yaml config does not have importing feature. However it prefers some files to realize overriding.
+    # See https://github.com/lima-vm/lima/blob/v1.0.1/templates/default.yaml#L536-L574 for detail
+    file.".lima/_config/default.yaml".source = ../config/lima/_config/default.yaml;
+
     activation = {
       # /tmp/lima will be writable shared by default of lima. However lima does not create the directory, and home-manager file module does not fit under /tmp.
       ensureLimaSharedTempdir = lib.hm.dag.entryAfter [ "writeBoundary" ] ''