From 72d6d73e3750b6ec4dfffeb05eb0688d6358aeab Mon Sep 17 00:00:00 2001 From: Max Date: Wed, 30 Mar 2022 01:42:00 +0200 Subject: [PATCH 1/3] nixos/ipfs: Only set ReadWritePaths when hardened Co-authored-by: Luflosi --- nixos/modules/services/network-filesystems/ipfs.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/services/network-filesystems/ipfs.nix b/nixos/modules/services/network-filesystems/ipfs.nix index 7e96179b3cab..f63debe13acd 100644 --- a/nixos/modules/services/network-filesystems/ipfs.nix +++ b/nixos/modules/services/network-filesystems/ipfs.nix @@ -280,7 +280,7 @@ in User = cfg.user; Group = cfg.group; StateDirectory = ""; - ReadWritePaths = [ "" cfg.dataDir ]; + ReadWritePaths = optionals (!cfg.autoMount) [ "" cfg.dataDir ]; } // optionalAttrs (cfg.serviceFdlimit != null) { LimitNOFILE = cfg.serviceFdlimit; }; } // optionalAttrs (!cfg.startWhenNeeded) { wantedBy = [ "default.target" ]; From 699e389f8343fb14f7ca3bda09e8871c705c9dde Mon Sep 17 00:00:00 2001 From: Max Date: Sat, 16 Apr 2022 21:14:26 +0200 Subject: [PATCH 2/3] nixos/ipfs: test FUSE mount --- nixos/tests/ipfs.nix | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/nixos/tests/ipfs.nix b/nixos/tests/ipfs.nix index 5e7c967028e4..1fd0ef9d8bda 100644 --- a/nixos/tests/ipfs.nix +++ b/nixos/tests/ipfs.nix @@ -14,6 +14,14 @@ import ./make-test-python.nix ({ pkgs, ...} : { }; }; + nodes.fuse = { ... }: { + services.ipfs = { + enable = true; + apiAddress = "/ip4/127.0.0.1/tcp/2324"; + autoMount = true; + }; + }; + testScript = '' start_all() 
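Review bot: The condition added to `ReadWritePaths` in PATCH 1/3 tests `cfg.autoMount`, but the subject line says "when hardened", and nothing in the hunk shows how the two are linked, so a reader cannot tell why a FUSE option switches a sandboxing directive. A why-comment above the line would close that gap, for example `# The hardened unit is only used without autoMount; ReadWritePaths belongs to that sandbox and is left unset otherwise.` (wording to be checked against the unit selection, which is outside the hunk). With `autoMount = true` the list is now empty, so the daemon presumably runs without the filesystem confinement that the hardened setup provides; the `autoMount` option description is where operators should be told about that trade-off. The enclosing attribute set starts before the hunk.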
@@ -40,5 +48,12 @@ import ./make-test-python.nix ({ pkgs, ...} : { # Test if setting dataDir works properly with the hardened systemd unit machine.succeed("test -e /mnt/ipfs/config") machine.succeed("test ! -e /var/lib/ipfs/") + + # Test FUSE mountpoint + ipfs_hash = fuse.succeed( + "echo fnord3 | ipfs --api /ip4/127.0.0.1/tcp/2324 add | awk '{ print $2 }'" + ) + + fuse.succeed(f"cat /ipfs/{ipfs_hash.strip()} | grep fnord3") ''; }) From 664dab95743b9e11402d41dbedb1c8da6af163f6 Mon Sep 17 00:00:00 2001 From: Max Date: Mon, 13 Jun 2022 21:01:32 +0200 Subject: [PATCH 3/3] nixos/tests/ipfs: Simplify FUSE test Co-authored-by: Luflosi --- nixos/tests/ipfs.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/tests/ipfs.nix b/nixos/tests/ipfs.nix index 1fd0ef9d8bda..295a7b9c7273 100644 --- a/nixos/tests/ipfs.nix +++ b/nixos/tests/ipfs.nix @@ -51,7 +51,7 @@ import ./make-test-python.nix ({ pkgs, ...} : { # Test FUSE mountpoint ipfs_hash = fuse.succeed( - "echo fnord3 | ipfs --api /ip4/127.0.0.1/tcp/2324 add | awk '{ print $2 }'" + "echo fnord3 | ipfs --api /ip4/127.0.0.1/tcp/2324 add --quieter" ) fuse.succeed(f"cat /ipfs/{ipfs_hash.strip()} | grep fnord3")
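Review bot: The FUSE check added in PATCH 2/3 runs `ipfs ... add` on the `fuse` node without first waiting for its daemon, so the test relies on the service and the `/ipfs` mount already being up by the time the earlier `machine` checks have finished. Unless a wait on `fuse` happens in the part of the test script outside this hunk, I would put `fuse.wait_for_unit("ipfs")` directly before the `ipfs_hash = fuse.succeed(` line. The same applies to the reworked command in PATCH 3/3, which changes only the `add` invocation. The new lines also prove only that the mount works with `autoMount = true`; a check on `machine` such as `machine.succeed("systemctl show -p ReadWritePaths ipfs | grep /mnt/ipfs")` would pin the hardened side of PATCH 1/3, so a later change cannot drop the directive there unnoticed.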