modules/programs: require manual definition; don't auto-populate attrset

this greatly decreases nix eval time
This commit is contained in:
Colin 2024-02-28 13:19:39 +00:00
parent f7a82a845c
commit 084541da4c
6 changed files with 51 additions and 22 deletions


@ -206,6 +206,8 @@ in
alsaUtils.sandbox.wrapperType = "wrappedDerivation";
alsaUtils.sandbox.whitelistAudio = true; #< not strictly necessary?
backblaze-b2 = {};
blanket.sandbox.method = "bwrap";
blanket.sandbox.wrapperType = "wrappedDerivation";
blanket.sandbox.whitelistAudio = true;
@ -243,6 +245,8 @@ in
cargo.persist.byStore.plaintext = [ ".cargo" ];
clang = {};
# cryptsetup: typical use is `cryptsetup open /dev/loopxyz mappedName`, and creates `/dev/mapper/mappedName`
cryptsetup.sandbox.method = "landlock";
cryptsetup.sandbox.wrapperType = "wrappedDerivation";
@ -293,6 +297,8 @@ in
dtrx.sandbox.whitelistPwd = true;
dtrx.sandbox.autodetectCliPaths = "existing"; #< for the archive
duplicity = {};
e2fsprogs.sandbox.method = "landlock";
e2fsprogs.sandbox.wrapperType = "wrappedDerivation";
e2fsprogs.sandbox.autodetectCliPaths = "existing";
@ -303,6 +309,8 @@ in
"/sys/firmware/efi"
];
eg25-control = {};
electrum.sandbox.method = "bwrap"; # TODO:sandbox: untested
electrum.sandbox.wrapperType = "wrappedDerivation";
electrum.sandbox.net = "all"; # TODO: probably want to make this run behind a VPN, always
@ -409,6 +417,8 @@ in
gdb.sandbox.wrapperType = "wrappedDerivation";
gdb.sandbox.autodetectCliPaths = true;
geoclue2-with-demo-agent = {};
# MS GitHub stores auth token in .config
# TODO: we can populate gh's stuff statically; it even lets us use the same oauth across machines
gh.persist.byStore.private = [ ".config/gh" ];
@ -505,6 +515,9 @@ in
".persist/plaintext"
];
gnused = {};
gpsd = {};
gptfdisk.sandbox.method = "landlock";
gptfdisk.sandbox.wrapperType = "wrappedDerivation";
gptfdisk.sandbox.extraPaths = [
@ -512,6 +525,8 @@ in
];
gptfdisk.sandbox.autodetectCliPaths = "existing"; #< sometimes you'll use gdisk on a device file.
grim = {};
hase.sandbox.method = "bwrap";
hase.sandbox.wrapperType = "wrappedDerivation";
hase.sandbox.net = "clearnet";
@ -643,6 +658,8 @@ in
lsof.sandbox.method = "capshonly"; # lsof doesn't sandbox under bwrap or even landlock w/ full access to /
lsof.sandbox.wrapperType = "wrappedDerivation";
lua = {};
"mate.engrampa".sandbox.method = "bwrap"; # TODO:sandbox: untested
"mate.engrampa".sandbox.wrapperType = "inplace";
"mate.engrampa".sandbox.whitelistWayland = true;
@ -717,6 +734,8 @@ in
"/proc"
];
nodejs = {};
# `nvme list` only shows results when run as root.
nvme-cli.sandbox.method = "landlock";
nvme-cli.sandbox.wrapperType = "wrappedDerivation";
@ -743,6 +762,8 @@ in
];
parted.sandbox.autodetectCliPaths = "existing"; #< sometimes you'll use parted on a device file.
patchelf = {};
pavucontrol.sandbox.method = "bwrap";
pavucontrol.sandbox.wrapperType = "wrappedDerivation";
pavucontrol.sandbox.whitelistAudio = true;
@ -801,6 +822,8 @@ in
rsync.sandbox.net = "clearnet";
rsync.sandbox.autodetectCliPaths = "existingOrParent";
rustc = {};
screen.sandbox.enable = false; #< tty; needs to run anything
sequoia.sandbox.method = "bwrap"; # TODO:sandbox: untested
@ -818,6 +841,8 @@ in
# printer/filament settings
slic3r.persist.byStore.plaintext = [ ".Slic3r" ];
slurp = {};
# use like `sudo smartctl /dev/sda -a`
smartmontools.sandbox.method = "landlock";
smartmontools.sandbox.wrapperType = "inplace"; # ships a script in /etc that calls into its bin
@ -864,6 +889,8 @@ in
speedtest-cli.sandbox.wrapperType = "wrappedDerivation";
speedtest-cli.sandbox.net = "all";
sqlite = {};
strace.sandbox.enable = false; #< needs to `exec` its args, and therefore support *anything*
subversion.sandbox.method = "bwrap";
@ -963,6 +990,8 @@ in
wl-clipboard.sandbox.wrapperType = "wrappedDerivation";
wl-clipboard.sandbox.whitelistWayland = true;
wtype = {};
xwayland.sandbox.method = "bwrap";
xwayland.sandbox.wrapperType = "inplace"; #< consumers use it as a library (e.g. wlroots)
xwayland.sandbox.whitelistWayland = true; #< just assuming this is needed
@ -978,13 +1007,11 @@ in
yt-dlp.sandbox.wrapperType = "wrappedDerivation";
yt-dlp.sandbox.net = "all";
yt-dlp.sandbox.whitelistPwd = true; # saves to pwd by default
zfs = {};
};
programs.feedbackd = lib.mkIf config.sane.programs.feedbackd.enabled {
enable = true;
};
programs.firejail = lib.mkIf config.sane.programs.firejail.enabled {
enable = true; #< install the suid binary
};
}
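Review bot: The newly declared entries such as `backblaze-b2 = {};` (and the matching empty-attrset lines in the later hunks of this file) carry no comment explaining why an empty declaration is now required, while the same commit removes the auto-population that used to supply these names; a reader of this file alone cannot tell that leaving a name out will presumably now fail evaluation wherever `config.sane.programs.<name>.enabled` is read. The attrset's opening line is outside these hunks; I would add a comment there: `# every program must be declared here, at least as 'name = {};' -- sane.programs is no longer auto-populated from pkgs, to keep eval time down`. Whether `name = {};` means "sandboxed with defaults" or "unsandboxed" is also not visible from this file, so the same comment should state which it is.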


@ -26,6 +26,7 @@
./evince.nix
./feedbackd.nix
./firefox.nix
./firejail.nix
./flare-signal.nix
./fontconfig.nix
./fractal.nix


@ -0,0 +1,8 @@
{ lib, config, ... }:
{
sane.programs.firejail = {};
programs.firejail = lib.mkIf config.sane.programs.firejail.enabled {
enable = true; #< install the suid binary
};
}
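Review bot: `sane.programs.firejail = {};` declares the package with no `sandbox` settings, yet the binary that matters here is the setuid copy that `programs.firejail.enable` installs (per the `#< install the suid binary` comment), not whatever this module's sandbox wrapper would produce; if the module's default is to wrap declared packages (this page only shows explicit opt-outs such as `screen.sandbox.enable = false`), it is not clear from the file whether the wrapped derivation or the setuid wrapper is the `firejail` that ends up on PATH. I would make the intent explicit: `sane.programs.firejail.sandbox.enable = false; #< the setuid wrapper installed by programs.firejail is the one that must run; a wrapped copy would not be setuid` — or, if the default already leaves it unwrapped, a comment saying so. The same question applies to `sane.programs.fwupd = {};` in fwupd.nix, where the real entry point is the `services.fwupd` daemon rather than a user-facing wrapper.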


@ -1,5 +1,6 @@
{ config, lib, ... }:
{
sane.programs.fwupd = {};
services.fwupd = lib.mkIf config.sane.programs.fwupd.enabled {
# enables the dbus service, which i think the frontend speaks to.
enable = true;


@ -49,6 +49,9 @@ in
"sane-scripts.sync-music"
];
"sane-scripts.backup-ls" = {};
"sane-scripts.backup-restore" = {};
"sane-scripts.bt-add".sandbox = {
method = "bwrap";
wrapperType = "wrappedDerivation";
@ -121,6 +124,8 @@ in
net = "all";
};
"sane-scripts.ip-port-forward" = {};
"sane-scripts.private-change-passwd".sandbox = {
method = "bwrap";
wrapperType = "wrappedDerivation";
@ -216,9 +221,14 @@ in
];
};
"sane-scripts.stop-all-servo" = {};
# if `tee` isn't trustworthy we have bigger problems
"sane-scripts.sudo-redirect".sandbox.enable = false;
"sane-scripts.sync-music" = {};
"sane-scripts.sync-from-iphone" = {};
"sane-scripts.tag-music".sandbox = {
method = "bwrap";
wrapperType = "wrappedDerivation";


@ -652,26 +652,8 @@ in
{
environment.pathsToLink = [ "/share/sane-sandboxed" ];
environment.systemPackages = [ config.sane.sandboxHelper ];
}
{
# expose the pkgs -- as available to the system -- as a build target.
system.build.pkgs = pkgs;
sane.programs = lib.mkMerge [
# make a program for every (toplevel) package
(lib.mapAttrs (_pkgName: _pkg: {}) pkgs)
# do the same for programs in known groups
(lib.mapAttrs' (pkgName: _pkg: { name = "cacert.${pkgName}"; value = {}; }) pkgs.cacert)
(lib.mapAttrs' (pkgName: _pkg: { name = "gnome.${pkgName}"; value = {}; }) pkgs.gnome)
(lib.mapAttrs' (pkgName: _pkg: { name = "libsForQt5.${pkgName}"; value = {}; }) pkgs.libsForQt5)
(lib.mapAttrs' (pkgName: _pkg: { name = "mate.${pkgName}"; value = {}; }) pkgs.mate)
(lib.mapAttrs' (pkgName: _pkg: { name = "perlPackages.${pkgName}"; value = {}; }) pkgs.perlPackages)
(lib.mapAttrs' (pkgName: _pkg: { name = "plasma5Packages.${pkgName}"; value = {}; }) pkgs.plasma5Packages)
(lib.mapAttrs' (pkgName: _pkg: { name = "python3Packages.${pkgName}"; value = {}; }) pkgs.python3Packages)
(lib.mapAttrs' (pkgName: _pkg: { name = "sane-scripts.${pkgName}"; value = {}; }) pkgs.sane-scripts)
(lib.mapAttrs' (pkgName: _pkg: { name = "sway-contrib.${pkgName}"; value = {}; }) pkgs.sway-contrib)
];
}
];
}
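Review bot: Nothing in the remaining block records that `sane.programs` is now populated only by explicit declarations; the comment `# make a program for every (toplevel) package` leaves with the deleted `lib.mkMerge` code, and the `sane.programs` option definition, which is outside this hunk, is where the next reader will look for that rule. I would add there: `# not auto-populated from pkgs (that cost a lot of eval time); each program must be declared as 'sane.programs.<name> = { ... };' before anything reads 'config.sane.programs.<name>.enabled'`. With the wildcard fallback gone, a mistyped program name should presumably surface as an evaluation error at the reference site rather than as a silently undeclared (and so never enabled or sandboxed) program, which is the safer failure mode; stating that in the comment helps keep someone from re-adding the wildcard to make such an error go away.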