Modetc: move your dotfiles from kernel space

In the past I have been using rewritefs to move my dotfiles away from ~ and organise them exactly how I want, but I have never been happy with the performance penalty. So, I made my own thing.

This is a kernel module that uses hooks to rewrite paths in file system operations to essentially achieve what a symlink does, but without any file in the home directory. It’s pretty similar to rewritefs (sans regex support) but about 2-4 times faster.

I wasn’t sure whether to share this because it’s an even crazier solution than rewritefs, but what the hell, here it is anyway.

42 Likes

This is completely insane, and I love it.

10 Likes

Very cool. Add in the ability for this to be run dynamically by processes for themselves (and children) and this would be very similar to a feature from plan9.

1 Like

would be very similar to a feature from plan9.

Ah, I didn’t know plan9 had something like this, what is it called?

I’m not sure, something like “mount namespaces”. I haven’t used plan9 stuff myself, I’ve just read/watched various things out of curiosity.

Linux does have mount namespaces, which I believe were indeed taken from plan9. However, to create the equivalent of a symlink you still need to make an empty file and use it as the target of a bind mount. For example:

$ unshare -rm
$ cat a
ciao!
$ mount --bind a b
mount: b: mount point does not exist.
       dmesg(1) may have more information after failed mount system call.
$ touch b
$ mount --bind a b
$ cat b
ciao!
2 Likes

Amazing

Now I have to find someone who creates a sops-age-modetc-nix(OS) module :imp:
But for security reasons I think we need different groups of users to have different views of that file :thinking:

1 Like

sops-age-modetc-nix(OS) module

I’m not familiar with sops, what is this supposed to do?

1 Like

Encrypt/Decrypt one field in your JSON/YAML/INI file using (Age, KMS, GPG, Vault)
i.e.

    db:
        user: ENC[AES256_GCM,data:CwE4O1s=,iv:2k=,aad:o=,tag:w==]
        password: ENC[AES256_GCM,data:p673w==,iv:YY=,aad:UQ=,tag:A=]

And decrypt as:

    db:
        user: foo
        password: bar

Meaning that with modetc we could store A in /nix/store/HASH-app/cfg.yml, configure the app to run reading /nix/store/HASH-app/cfg.yml, but when the app reads it, it actually reads from /run/secrets/decrypted/app/cfg.yml

5 Likes

In the past week I managed to work a bit on modetc and fix the last remaining bugs (unwanted references keeping mountpoints busy, handling paths starting with ../).

I have also added some sanitisation to the parameters, so modetc will no longer crash your kernel if you forget to set them. The latest version should be pretty safe to use, now.

Finally, the default rule (e.g. ~/.random_dotfile → ~/.config/random_dotfile) can now be disabled, so modetc can be used for more general purposes.
For example, you should be able to rewrite Nix store paths and apply a security patch without recompiling all the packages (very expensive) or using system.replaceDependencies (still quite slow).

6 Likes
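As an added illustration (not modetc's own code, which does this inside the kernel), here is a small user-space Python model of the rewriting described in this thread: the default ~/.name → ~/.config/name rule, an explicit prefix rule like the Nix-store/sops example, and the lexical normalisation of `..` without which a path such as `~/.config/../.bashrc` would slip past the rule. The home directory, the rule table and the `/nix/store/HASH-app` path are constructed placeholders.

```python
"""User-space model of modetc-style path rewriting (constructed example)."""
from __future__ import annotations
import posixpath

HOME = "/home/alice"  # assumed home directory of the user whose files are rewritten

# Explicit prefix rules, like the Nix-store example in the thread.
# HASH-app is a placeholder, not a real store path.
RULES = {
    "/nix/store/HASH-app/cfg.yml": "/run/secrets/decrypted/app/cfg.yml",
}

# Entries the default dotfile rule must leave alone, or it would rewrite itself.
KEEP_IN_HOME = {".config"}


def normalize(cwd: str, path: str) -> str:
    """Make `path` absolute and collapse '.' and '..' lexically.

    The rewrite has to run on this canonical form: '../.bashrc' opened from
    ~/.config (or '~/.config/../.bashrc') would otherwise bypass the rule.
    """
    if not path.startswith("/"):
        path = posixpath.join(cwd, path)
    return posixpath.normpath(path)


def rewrite(cwd: str, path: str, home: str = HOME,
            rules: dict[str, str] = RULES, default_rule: bool = True) -> str:
    """Return the path that should actually be opened instead of `path`."""
    p = normalize(cwd, path)
    # 1. explicit rules: longest matching prefix wins, whole components only
    for src in sorted(rules, key=len, reverse=True):
        if p == src or p.startswith(src + "/"):
            return rules[src] + p[len(src):]
    # 2. default rule: ~/.name/... -> ~/.config/name/...
    if default_rule:
        first, _, rest = posixpath.relpath(p, home).partition("/")
        if first in (".", "..") or first in KEEP_IN_HOME or not first.startswith("."):
            return p  # home itself, outside home, ~/.config, or not a dotfile
        target = posixpath.join(home, ".config", first[1:])
        return posixpath.join(target, rest) if rest else target
    return p


if __name__ == "__main__":
    for cwd, path in [("/home/alice", ".bashrc"), ("/home/alice/.config", "../.bashrc"),
                      ("/", "/nix/store/HASH-app/cfg.yml")]:
        print(f"{path!r} from {cwd} -> {rewrite(cwd, path)}")
```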