modules/programs: require manual definition; don't auto-populate attrset
this greatly decreases nix eval time
This commit is contained in:
parent
f7a82a845c
commit
084541da4c
|
@ -206,6 +206,8 @@ in
|
|||
alsaUtils.sandbox.wrapperType = "wrappedDerivation";
|
||||
alsaUtils.sandbox.whitelistAudio = true; #< not strictly necessary?
|
||||
|
||||
backblaze-b2 = {};
|
||||
|
||||
blanket.sandbox.method = "bwrap";
|
||||
blanket.sandbox.wrapperType = "wrappedDerivation";
|
||||
blanket.sandbox.whitelistAudio = true;
|
||||
|
@ -243,6 +245,8 @@ in
|
|||
|
||||
cargo.persist.byStore.plaintext = [ ".cargo" ];
|
||||
|
||||
clang = {};
|
||||
|
||||
# cryptsetup: typical use is `cryptsetup open /dev/loopxyz mappedName`, and creates `/dev/mapper/mappedName`
|
||||
cryptsetup.sandbox.method = "landlock";
|
||||
cryptsetup.sandbox.wrapperType = "wrappedDerivation";
|
||||
|
@ -293,6 +297,8 @@ in
|
|||
dtrx.sandbox.whitelistPwd = true;
|
||||
dtrx.sandbox.autodetectCliPaths = "existing"; #< for the archive
|
||||
|
||||
duplicity = {};
|
||||
|
||||
e2fsprogs.sandbox.method = "landlock";
|
||||
e2fsprogs.sandbox.wrapperType = "wrappedDerivation";
|
||||
e2fsprogs.sandbox.autodetectCliPaths = "existing";
|
||||
|
@ -303,6 +309,8 @@ in
|
|||
"/sys/firmware/efi"
|
||||
];
|
||||
|
||||
eg25-control = {};
|
||||
|
||||
electrum.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||
electrum.sandbox.wrapperType = "wrappedDerivation";
|
||||
electrum.sandbox.net = "all"; # TODO: probably want to make this run behind a VPN, always
|
||||
|
@ -409,6 +417,8 @@ in
|
|||
gdb.sandbox.wrapperType = "wrappedDerivation";
|
||||
gdb.sandbox.autodetectCliPaths = true;
|
||||
|
||||
geoclue2-with-demo-agent = {};
|
||||
|
||||
# MS GitHub stores auth token in .config
|
||||
# TODO: we can populate gh's stuff statically; it even lets us use the same oauth across machines
|
||||
gh.persist.byStore.private = [ ".config/gh" ];
|
||||
|
@ -505,6 +515,9 @@ in
|
|||
".persist/plaintext"
|
||||
];
|
||||
|
||||
gnused = {};
|
||||
gpsd = {};
|
||||
|
||||
gptfdisk.sandbox.method = "landlock";
|
||||
gptfdisk.sandbox.wrapperType = "wrappedDerivation";
|
||||
gptfdisk.sandbox.extraPaths = [
|
||||
|
@ -512,6 +525,8 @@ in
|
|||
];
|
||||
gptfdisk.sandbox.autodetectCliPaths = "existing"; #< sometimes you'll use gdisk on a device file.
|
||||
|
||||
grim = {};
|
||||
|
||||
hase.sandbox.method = "bwrap";
|
||||
hase.sandbox.wrapperType = "wrappedDerivation";
|
||||
hase.sandbox.net = "clearnet";
|
||||
|
@ -643,6 +658,8 @@ in
|
|||
lsof.sandbox.method = "capshonly"; # lsof doesn't sandbox under bwrap or even landlock w/ full access to /
|
||||
lsof.sandbox.wrapperType = "wrappedDerivation";
|
||||
|
||||
lua = {};
|
||||
|
||||
"mate.engrampa".sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||
"mate.engrampa".sandbox.wrapperType = "inplace";
|
||||
"mate.engrampa".sandbox.whitelistWayland = true;
|
||||
|
@ -717,6 +734,8 @@ in
|
|||
"/proc"
|
||||
];
|
||||
|
||||
nodejs = {};
|
||||
|
||||
# `nvme list` only shows results when run as root.
|
||||
nvme-cli.sandbox.method = "landlock";
|
||||
nvme-cli.sandbox.wrapperType = "wrappedDerivation";
|
||||
|
@ -743,6 +762,8 @@ in
|
|||
];
|
||||
parted.sandbox.autodetectCliPaths = "existing"; #< sometimes you'll use parted on a device file.
|
||||
|
||||
patchelf = {};
|
||||
|
||||
pavucontrol.sandbox.method = "bwrap";
|
||||
pavucontrol.sandbox.wrapperType = "wrappedDerivation";
|
||||
pavucontrol.sandbox.whitelistAudio = true;
|
||||
|
@ -801,6 +822,8 @@ in
|
|||
rsync.sandbox.net = "clearnet";
|
||||
rsync.sandbox.autodetectCliPaths = "existingOrParent";
|
||||
|
||||
rustc = {};
|
||||
|
||||
screen.sandbox.enable = false; #< tty; needs to run anything
|
||||
|
||||
sequoia.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||
|
@ -818,6 +841,8 @@ in
|
|||
# printer/filament settings
|
||||
slic3r.persist.byStore.plaintext = [ ".Slic3r" ];
|
||||
|
||||
slurp = {};
|
||||
|
||||
# use like `sudo smartctl /dev/sda -a`
|
||||
smartmontools.sandbox.method = "landlock";
|
||||
smartmontools.sandbox.wrapperType = "inplace"; # ships a script in /etc that calls into its bin
|
||||
|
@ -864,6 +889,8 @@ in
|
|||
speedtest-cli.sandbox.wrapperType = "wrappedDerivation";
|
||||
speedtest-cli.sandbox.net = "all";
|
||||
|
||||
sqlite = {};
|
||||
|
||||
strace.sandbox.enable = false; #< needs to `exec` its args, and therefore support *anything*
|
||||
|
||||
subversion.sandbox.method = "bwrap";
|
||||
|
@ -963,6 +990,8 @@ in
|
|||
wl-clipboard.sandbox.wrapperType = "wrappedDerivation";
|
||||
wl-clipboard.sandbox.whitelistWayland = true;
|
||||
|
||||
wtype = {};
|
||||
|
||||
xwayland.sandbox.method = "bwrap";
|
||||
xwayland.sandbox.wrapperType = "inplace"; #< consumers use it as a library (e.g. wlroots)
|
||||
xwayland.sandbox.whitelistWayland = true; #< just assuming this is needed
|
||||
|
@ -978,13 +1007,11 @@ in
|
|||
yt-dlp.sandbox.wrapperType = "wrappedDerivation";
|
||||
yt-dlp.sandbox.net = "all";
|
||||
yt-dlp.sandbox.whitelistPwd = true; # saves to pwd by default
|
||||
|
||||
zfs = {};
|
||||
};
|
||||
|
||||
programs.feedbackd = lib.mkIf config.sane.programs.feedbackd.enabled {
|
||||
enable = true;
|
||||
};
|
||||
|
||||
programs.firejail = lib.mkIf config.sane.programs.firejail.enabled {
|
||||
enable = true; #< install the suid binary
|
||||
};
|
||||
}
|
||||
|
|
|
@ -26,6 +26,7 @@
|
|||
./evince.nix
|
||||
./feedbackd.nix
|
||||
./firefox.nix
|
||||
./firejail.nix
|
||||
./flare-signal.nix
|
||||
./fontconfig.nix
|
||||
./fractal.nix
|
||||
|
|
|
@ -0,0 +1,8 @@
|
|||
{ lib, config, ... }:
|
||||
{
|
||||
sane.programs.firejail = {};
|
||||
|
||||
programs.firejail = lib.mkIf config.sane.programs.firejail.enabled {
|
||||
enable = true; #< install the suid binary
|
||||
};
|
||||
}
|
|
@ -1,5 +1,6 @@
|
|||
{ config, lib, ... }:
|
||||
{
|
||||
sane.programs.fwupd = {};
|
||||
services.fwupd = lib.mkIf config.sane.programs.fwupd.enabled {
|
||||
# enables the dbus service, which i think the frontend speaks to.
|
||||
enable = true;
|
||||
|
|
|
@ -49,6 +49,9 @@ in
|
|||
"sane-scripts.sync-music"
|
||||
];
|
||||
|
||||
"sane-scripts.backup-ls" = {};
|
||||
"sane-scripts.backup-restore" = {};
|
||||
|
||||
"sane-scripts.bt-add".sandbox = {
|
||||
method = "bwrap";
|
||||
wrapperType = "wrappedDerivation";
|
||||
|
@ -121,6 +124,8 @@ in
|
|||
net = "all";
|
||||
};
|
||||
|
||||
"sane-scripts.ip-port-forward" = {};
|
||||
|
||||
"sane-scripts.private-change-passwd".sandbox = {
|
||||
method = "bwrap";
|
||||
wrapperType = "wrappedDerivation";
|
||||
|
@ -216,9 +221,14 @@ in
|
|||
];
|
||||
};
|
||||
|
||||
"sane-scripts.stop-all-servo" = {};
|
||||
|
||||
# if `tee` isn't trustworthy we have bigger problems
|
||||
"sane-scripts.sudo-redirect".sandbox.enable = false;
|
||||
|
||||
"sane-scripts.sync-music" = {};
|
||||
"sane-scripts.sync-from-iphone" = {};
|
||||
|
||||
"sane-scripts.tag-music".sandbox = {
|
||||
method = "bwrap";
|
||||
wrapperType = "wrappedDerivation";
|
||||
|
|
|
@ -652,26 +652,8 @@ in
|
|||
{
|
||||
environment.pathsToLink = [ "/share/sane-sandboxed" ];
|
||||
environment.systemPackages = [ config.sane.sandboxHelper ];
|
||||
}
|
||||
{
|
||||
# expose the pkgs -- as available to the system -- as a build target.
|
||||
system.build.pkgs = pkgs;
|
||||
|
||||
sane.programs = lib.mkMerge [
|
||||
# make a program for every (toplevel) package
|
||||
(lib.mapAttrs (_pkgName: _pkg: {}) pkgs)
|
||||
|
||||
# do the same for programs in known groups
|
||||
(lib.mapAttrs' (pkgName: _pkg: { name = "cacert.${pkgName}"; value = {}; }) pkgs.cacert)
|
||||
(lib.mapAttrs' (pkgName: _pkg: { name = "gnome.${pkgName}"; value = {}; }) pkgs.gnome)
|
||||
(lib.mapAttrs' (pkgName: _pkg: { name = "libsForQt5.${pkgName}"; value = {}; }) pkgs.libsForQt5)
|
||||
(lib.mapAttrs' (pkgName: _pkg: { name = "mate.${pkgName}"; value = {}; }) pkgs.mate)
|
||||
(lib.mapAttrs' (pkgName: _pkg: { name = "perlPackages.${pkgName}"; value = {}; }) pkgs.perlPackages)
|
||||
(lib.mapAttrs' (pkgName: _pkg: { name = "plasma5Packages.${pkgName}"; value = {}; }) pkgs.plasma5Packages)
|
||||
(lib.mapAttrs' (pkgName: _pkg: { name = "python3Packages.${pkgName}"; value = {}; }) pkgs.python3Packages)
|
||||
(lib.mapAttrs' (pkgName: _pkg: { name = "sane-scripts.${pkgName}"; value = {}; }) pkgs.sane-scripts)
|
||||
(lib.mapAttrs' (pkgName: _pkg: { name = "sway-contrib.${pkgName}"; value = {}; }) pkgs.sway-contrib)
|
||||
];
|
||||
}
|
||||
];
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue