diff --git a/hosts/common/programs/default.nix b/hosts/common/programs/default.nix index fa9358924..1f59f8dfe 100644 --- a/hosts/common/programs/default.nix +++ b/hosts/common/programs/default.nix @@ -95,6 +95,7 @@ ./rofi ./s6-rc.nix ./sane-input-handler + ./sane-sandboxed.nix ./sane-screenshot.nix ./sane-scripts.nix ./schlock.nix diff --git a/hosts/common/programs/sane-sandboxed.nix b/hosts/common/programs/sane-sandboxed.nix new file mode 100644 index 000000000..d894f83f8 --- /dev/null +++ b/hosts/common/programs/sane-sandboxed.nix @@ -0,0 +1,19 @@ +{ config, pkgs, ... }: +let + cfg = config.sane.programs; +in +{ + sane.programs.sane-sandboxed = { + packageUnwrapped = pkgs.sane-sandboxed.override { + bubblewrap = cfg.bubblewrap.package; + firejail = cfg.firejail.package; + landlock-sandboxer = pkgs.landlock-sandboxer.override { + # not strictly necessary (landlock ABI is versioned), however when sandboxer version != kernel version, + # the sandboxer may nag about one or the other wanting to be updated. + linux = config.boot.kernelPackages.kernel; + }; + }; + + sandbox.enable = false; + }; +} diff --git a/modules/programs/default.nix b/modules/programs/default.nix index 050aa7cd7..dd0996145 100644 --- a/modules/programs/default.nix +++ b/modules/programs/default.nix @@ -41,7 +41,7 @@ let else let makeProfile = pkgs.callPackage ./make-sandbox-profile.nix { }; - makeSandboxed = pkgs.callPackage ./make-sandboxed.nix { sane-sandboxed = config.sane.sandboxHelper; }; + makeSandboxed = pkgs.callPackage ./make-sandboxed.nix { sane-sandboxed = config.sane.programs.sane-sandboxed.package; }; # removeStorePaths: [ str ] -> [ str ], but remove store paths, because nix evals aren't allowed to contain any (for purity reasons?) removeStorePaths = paths: lib.filter (p: !(lib.hasPrefix "/nix/store" p)) paths; @@ -610,22 +610,6 @@ in set to 0 to get the fastest, but most restrictive build. ''; }; - sane.sandboxHelper = mkOption { - type = types.package; - default = pkgs.callPackage ./sane-sandboxed.nix { - bubblewrap = cfg.bubblewrap.package; - firejail = cfg.firejail.package; - landlock-sandboxer = pkgs.landlock-sandboxer.override { - # not strictly necessary (landlock ABI is versioned), however when sandboxer version != kernel version, - # the sandboxer may nag about one or the other wanting to be updated. - linux = config.boot.kernelPackages.kernel; - }; - }; - description = '' - `sane-sandbox` package. - exposed to facilitate debugging, e.g. `nix build '.#hostConfigs.desko.sane.sandboxHelper'` - ''; - }; sane.strictSandboxing = mkOption { type = types.enum [ false "warn" "assert" ]; default = "warn"; @@ -651,7 +635,7 @@ in (take (sane-lib.mkTypedMerge take configs)) { environment.pathsToLink = [ "/share/sane-sandboxed" ]; - environment.systemPackages = [ config.sane.sandboxHelper ]; + sane.programs.sane-sandboxed.enableFor.system = true; # expose the pkgs -- as available to the system -- as a build target. system.build.pkgs = pkgs; } diff --git a/modules/programs/sane-sandboxed.nix b/pkgs/additional/sane-sandboxed/default.nix similarity index 100% rename from modules/programs/sane-sandboxed.nix rename to pkgs/additional/sane-sandboxed/default.nix diff --git a/modules/programs/sane-sandboxed b/pkgs/additional/sane-sandboxed/sane-sandboxed similarity index 100% rename from modules/programs/sane-sandboxed rename to pkgs/additional/sane-sandboxed/sane-sandboxed diff --git a/pkgs/default.nix b/pkgs/default.nix index 658b872c9..7cf9aed92 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -58,6 +58,7 @@ let rtl8723cs-firmware = callPackage ./additional/rtl8723cs-firmware { }; rtl8723cs-wowlan = callPackage ./additional/rtl8723cs-wowlan { }; sane-open-desktop = callPackage ./additional/sane-open-desktop { }; + sane-sandboxed = callPackage ./additional/sane-sandboxed { }; sane-screenshot = callPackage ./additional/sane-screenshot { }; sane-scripts = lib.recurseIntoAttrs (callPackage ./additional/sane-scripts { }); sane-weather = callPackage ./additional/sane-weather { };