nixos/fuse: add enable option

Fuse is stil enabled by default so the default behaviour of NixOS doesn't change. However, now it's possible to actively exclude fuse when you don't need it.
2025-07-27 21:19:00 +02:00 · 2025-07-27 21:19:00 +02:00 · 0d9a5c2059
commit 0d9a5c2059
parent 9e0ac0c7e6
3 changed files with 32 additions and 11 deletions
--- a/nixos/modules/programs/fuse.nix
+++ b/nixos/modules/programs/fuse.nix
@ -1,4 +1,9 @@
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:

 let
  cfg = config.programs.fuse;
@ -7,6 +12,10 @@ in
  meta.maintainers = with lib.maintainers; [ ];

  options.programs.fuse = {
+    enable = lib.mkEnableOption "fuse" // {
+      default = true;
+    };
+
    mountMax = lib.mkOption {
      # In the C code it's an "int" (i.e. signed and at least 16 bit), but
      # negative numbers obviously make no sense:
@ -27,10 +36,30 @@ in
    };
  };

-  config = {
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = [
+      pkgs.fuse
+      pkgs.fuse3
+    ];
+
+    security.wrappers =
+      let
+        mkSetuidRoot = source: {
+          setuid = true;
+          owner = "root";
+          group = "root";
+          inherit source;
+        };
+      in
+      {
+        fusermount = mkSetuidRoot "${lib.getBin pkgs.fuse}/bin/fusermount";
+        fusermount3 = mkSetuidRoot "${lib.getBin pkgs.fuse3}/bin/fusermount3";
+      };
+
    environment.etc."fuse.conf".text = ''
      ${lib.optionalString (!cfg.userAllowOther) "#"}user_allow_other
      mount_max = ${builtins.toString cfg.mountMax}
    '';
+
  };
 }
--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@ -266,8 +266,6 @@ in
      in
      {
        # These are mount related wrappers that require the +s permission.
-        fusermount = mkSetuidRoot "${lib.getBin pkgs.fuse}/bin/fusermount";
-        fusermount3 = mkSetuidRoot "${lib.getBin pkgs.fuse3}/bin/fusermount3";
        mount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/mount";
        umount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/umount";
      };
--- a/nixos/modules/tasks/filesystems.nix
+++ b/nixos/modules/tasks/filesystems.nix
@ -461,13 +461,7 @@ in
    # Add the mount helpers to the system path so that `mount' can find them.
    system.fsPackages = [ pkgs.dosfstools ];

-    environment.systemPackages =
-      with pkgs;
-      [
-        fuse3
-        fuse
-      ]
-      ++ config.system.fsPackages;
+    environment.systemPackages = config.system.fsPackages;

    environment.etc.fstab.text =
      let