From 084541da4c702fe5545ee5c17178e2d139cd116f Mon Sep 17 00:00:00 2001
From: Colin
Date: Wed, 28 Feb 2024 13:19:39 +0000
Subject: [PATCH] modules/programs: require manual definition; don't auto-populate attrset

this greatly decreases nix eval time
---
 hosts/common/programs/assorted.nix | 35 +++++++++++++++++++++++---
 hosts/common/programs/default.nix | 1 +
 hosts/common/programs/firejail.nix | 8 ++++++
 hosts/common/programs/fwupd.nix | 1 +
 hosts/common/programs/sane-scripts.nix | 10 ++++++++
 modules/programs/default.nix | 18 -------------
 6 files changed, 51 insertions(+), 22 deletions(-)
 create mode 100644 hosts/common/programs/firejail.nix

diff --git a/hosts/common/programs/assorted.nix b/hosts/common/programs/assorted.nix
index cc43e8d8..11ada034 100644
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -206,6 +206,8 @@ in
 alsaUtils.sandbox.wrapperType = "wrappedDerivation";
 alsaUtils.sandbox.whitelistAudio = true; #< not strictly necessary?
+ backblaze-b2 = {};
+
 blanket.sandbox.method = "bwrap";
 blanket.sandbox.wrapperType = "wrappedDerivation";
 blanket.sandbox.whitelistAudio = true;
@@ -243,6 +245,8 @@ in
 cargo.persist.byStore.plaintext = [ ".cargo" ];
+ clang = {};
+
 # cryptsetup: typical use is `cryptsetup open /dev/loopxyz mappedName`, and creates `/dev/mapper/mappedName`
 cryptsetup.sandbox.method = "landlock";
 cryptsetup.sandbox.wrapperType = "wrappedDerivation";
@@ -293,6 +297,8 @@ in
 dtrx.sandbox.whitelistPwd = true;
 dtrx.sandbox.autodetectCliPaths = "existing"; #< for the archive
+ duplicity = {};
+
 e2fsprogs.sandbox.method = "landlock";
 e2fsprogs.sandbox.wrapperType = "wrappedDerivation";
 e2fsprogs.sandbox.autodetectCliPaths = "existing";
@@ -303,6 +309,8 @@ in
 "/sys/firmware/efi"
 ];
+ eg25-control = {};
+
 electrum.sandbox.method = "bwrap"; # TODO:sandbox: untested
 electrum.sandbox.wrapperType = "wrappedDerivation";
 electrum.sandbox.net = "all"; # TODO: probably want to make this run behind a VPN, always
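Review bot: `backblaze-b2 = {};` declares the program with no `sandbox` settings at all, unlike every neighbouring entry in this hunk, so a reader cannot tell whether it is meant to run with whatever the module's default sandbox is or has simply not been triaged yet; the same applies to `clang`, `duplicity` and `eg25-control` in the later hunks on this line, to the remaining `= {};` entries added to assorted.nix (`geoclue2-with-demo-agent` through `zfs`), and to the six `"sane-scripts.*" = {};` entries added in sane-scripts.nix. The file already has a convention for both cases — a reason on deliberately unsandboxed programs (`screen.sandbox.enable = false; #< tty; needs to run anything`) and a `# TODO:sandbox: untested` tag on unreviewed ones — so each new entry should carry one of them, e.g. `backblaze-b2 = {}; # TODO:sandbox: not yet configured`. What `{}` actually resolves to depends on the sane.programs option defaults, which are not part of this diff. The enclosing attrset starts before the hunk.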
@@ -409,6 +417,8 @@ in gdb.sandbox.wrapperType = "wrappedDerivation"; gdb.sandbox.autodetectCliPaths = true; + geoclue2-with-demo-agent = {}; + # MS GitHub stores auth token in .config # TODO: we can populate gh's stuff statically; it even lets us use the same oauth across machines gh.persist.byStore.private = [ ".config/gh" ]; @@ -505,6 +515,9 @@ in ".persist/plaintext" ]; + gnused = {}; + gpsd = {}; + gptfdisk.sandbox.method = "landlock"; gptfdisk.sandbox.wrapperType = "wrappedDerivation"; gptfdisk.sandbox.extraPaths = [ @@ -512,6 +525,8 @@ in ]; gptfdisk.sandbox.autodetectCliPaths = "existing"; #< sometimes you'll use gdisk on a device file. + grim = {}; + hase.sandbox.method = "bwrap"; hase.sandbox.wrapperType = "wrappedDerivation"; hase.sandbox.net = "clearnet"; @@ -643,6 +658,8 @@ in lsof.sandbox.method = "capshonly"; # lsof doesn't sandbox under bwrap or even landlock w/ full access to / lsof.sandbox.wrapperType = "wrappedDerivation"; + lua = {}; + "mate.engrampa".sandbox.method = "bwrap"; # TODO:sandbox: untested "mate.engrampa".sandbox.wrapperType = "inplace"; "mate.engrampa".sandbox.whitelistWayland = true; @@ -717,6 +734,8 @@ in "/proc" ]; + nodejs = {}; + # `nvme list` only shows results when run as root. nvme-cli.sandbox.method = "landlock"; nvme-cli.sandbox.wrapperType = "wrappedDerivation"; @@ -743,6 +762,8 @@ in ]; parted.sandbox.autodetectCliPaths = "existing"; #< sometimes you'll use parted on a device file. + patchelf = {}; + pavucontrol.sandbox.method = "bwrap"; pavucontrol.sandbox.wrapperType = "wrappedDerivation"; pavucontrol.sandbox.whitelistAudio = true; @@ -801,6 +822,8 @@ in rsync.sandbox.net = "clearnet"; rsync.sandbox.autodetectCliPaths = "existingOrParent"; + rustc = {}; + screen.sandbox.enable = false; #< tty; needs to run anything sequoia.sandbox.method = "bwrap"; # TODO:sandbox: untested 
@@ -818,6 +841,8 @@ in
 # printer/filament settings
 slic3r.persist.byStore.plaintext = [ ".Slic3r" ];
+ slurp = {};
+
 # use like `sudo smartctl /dev/sda -a`
 smartmontools.sandbox.method = "landlock";
 smartmontools.sandbox.wrapperType = "inplace"; # ships a script in /etc that calls into its bin
@@ -864,6 +889,8 @@ in
 speedtest-cli.sandbox.wrapperType = "wrappedDerivation";
 speedtest-cli.sandbox.net = "all";
+ sqlite = {};
+
 strace.sandbox.enable = false; #< needs to `exec` its args, and therefore support *anything*
 subversion.sandbox.method = "bwrap";
@@ -963,6 +990,8 @@ in
 wl-clipboard.sandbox.wrapperType = "wrappedDerivation";
 wl-clipboard.sandbox.whitelistWayland = true;
+ wtype = {};
+
 xwayland.sandbox.method = "bwrap";
 xwayland.sandbox.wrapperType = "inplace"; #< consumers use it as a library (e.g. wlroots)
 xwayland.sandbox.whitelistWayland = true; #< just assuming this is needed
@@ -978,13 +1007,11 @@ in
 yt-dlp.sandbox.wrapperType = "wrappedDerivation";
 yt-dlp.sandbox.net = "all";
 yt-dlp.sandbox.whitelistPwd = true; # saves to pwd by default
+
+ zfs = {};
 };
 programs.feedbackd = lib.mkIf config.sane.programs.feedbackd.enabled {
 enable = true;
 };
-
- programs.firejail = lib.mkIf config.sane.programs.firejail.enabled {
- enable = true; #< install the suid binary
- };
 }
diff --git a/hosts/common/programs/default.nix b/hosts/common/programs/default.nix
index 802f3dc6..b4f7da99 100644
--- a/hosts/common/programs/default.nix
+++ b/hosts/common/programs/default.nix
@@ -26,6 +26,7 @@
 ./evince.nix
 ./feedbackd.nix
 ./firefox.nix
+ ./firejail.nix
 ./flare-signal.nix
 ./fontconfig.nix
 ./fractal.nix
diff --git a/hosts/common/programs/firejail.nix b/hosts/common/programs/firejail.nix
new file mode 100644
index 00000000..3c74e825
--- /dev/null
+++ b/hosts/common/programs/firejail.nix
@@ -0,0 +1,8 @@
+{ lib, config, ... }:
+{
+ sane.programs.firejail = {};
+
+ programs.firejail = lib.mkIf config.sane.programs.firejail.enabled {
+ enable = true; #< install the suid binary
+ };
+}
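Review bot: The new firejail.nix keeps the only documentation of `programs.firejail` at `#< install the suid binary`, and now that the rest of this diff sandboxes programs through the `sandbox.method = "bwrap"` / `"landlock"` wrappers, nothing records which consumer still needs a setuid-root firejail on the system. A comment above the `programs.firejail` line such as `# firejail is kept for <consumer>; it ships a setuid-root helper, so drop this once that consumer no longer needs it` (with the consumer filled in) would let a later reader remove it safely instead of keeping it by inertia. Note also that `sane.programs.firejail = {}` carries no sandbox settings of its own; presumably the wrappers are not meant to be applied to firejail's setuid binary, but that depends on the module defaults, which are outside this diff.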
diff --git a/hosts/common/programs/fwupd.nix b/hosts/common/programs/fwupd.nix
index 6bfb7669..3849210e 100644
--- a/hosts/common/programs/fwupd.nix
+++ b/hosts/common/programs/fwupd.nix
@@ -1,5 +1,6 @@
 { config, lib, ... }:
 {
+ sane.programs.fwupd = {};
 services.fwupd = lib.mkIf config.sane.programs.fwupd.enabled {
 # enables the dbus service, which i think the frontend speaks to.
 enable = true;
diff --git a/hosts/common/programs/sane-scripts.nix b/hosts/common/programs/sane-scripts.nix
index 565f1cb0..9b2bcfd0 100644
--- a/hosts/common/programs/sane-scripts.nix
+++ b/hosts/common/programs/sane-scripts.nix
@@ -49,6 +49,9 @@ in
 "sane-scripts.sync-music"
 ];
+ "sane-scripts.backup-ls" = {};
+ "sane-scripts.backup-restore" = {};
+
 "sane-scripts.bt-add".sandbox = {
 method = "bwrap";
 wrapperType = "wrappedDerivation";
@@ -121,6 +124,8 @@ in
 net = "all";
 };
+ "sane-scripts.ip-port-forward" = {};
+
 "sane-scripts.private-change-passwd".sandbox = {
 method = "bwrap";
 wrapperType = "wrappedDerivation";
@@ -216,9 +221,14 @@ in
 ];
 };
+ "sane-scripts.stop-all-servo" = {};
+
 # if `tee` isn't trustworthy we have bigger problems
 "sane-scripts.sudo-redirect".sandbox.enable = false;
+ "sane-scripts.sync-music" = {};
+ "sane-scripts.sync-from-iphone" = {};
+
 "sane-scripts.tag-music".sandbox = {
 method = "bwrap";
 wrapperType = "wrappedDerivation";
diff --git a/modules/programs/default.nix b/modules/programs/default.nix
index d69d99b8..b0e03ebc 100644
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@@ -652,26 +652,8 @@ in { environment.pathsToLink = [ "/share/sane-sandboxed" ]; environment.systemPackages = [ config.sane.sandboxHelper ]; - } - { # expose the pkgs -- as available to the system -- as a build target. system.build.pkgs = pkgs; - - sane.programs = lib.mkMerge [ - # make a program for every (toplevel) package - (lib.mapAttrs (_pkgName: _pkg: {}) pkgs) - - # do the same for programs in known groups - (lib.mapAttrs' (pkgName: _pkg: { name = "cacert.${pkgName}"; value = {}; }) pkgs.cacert) - (lib.mapAttrs' (pkgName: _pkg: { name = "gnome.${pkgName}"; value = {}; }) pkgs.gnome) - (lib.mapAttrs' (pkgName: _pkg: { name = "libsForQt5.${pkgName}"; value = {}; }) pkgs.libsForQt5) - (lib.mapAttrs' (pkgName: _pkg: { name = "mate.${pkgName}"; value = {}; }) pkgs.mate) - (lib.mapAttrs' (pkgName: _pkg: { name = "perlPackages.${pkgName}"; value = {}; }) pkgs.perlPackages) - (lib.mapAttrs' (pkgName: _pkg: { name = "plasma5Packages.${pkgName}"; value = {}; }) pkgs.plasma5Packages) - (lib.mapAttrs' (pkgName: _pkg: { name = "python3Packages.${pkgName}"; value = {}; }) pkgs.python3Packages) - (lib.mapAttrs' (pkgName: _pkg: { name = "sane-scripts.${pkgName}"; value = {}; }) pkgs.sane-scripts) - (lib.mapAttrs' (pkgName: _pkg: { name = "sway-contrib.${pkgName}"; value = {}; }) pkgs.sway-contrib) - ]; } ]; }
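Review bot: With the `lib.mapAttrs` / `lib.mapAttrs'` auto-population removed, any `config.sane.programs.<name>` reference whose entry was only ever implicit — in particular the `cacert.*`, `gnome.*`, `libsForQt5.*`, `perlPackages.*`, `plasma5Packages.*`, `python3Packages.*` and `sway-contrib.*` groups, for which this diff adds no explicit entries — will presumably now fail at eval time with a missing-attribute error instead of silently receiving defaults; that is the safer failure mode, but nothing in the module states the new contract. A comment next to `system.build.pkgs = pkgs;`, e.g. `# sane.programs is NOT auto-populated from pkgs: every program must be declared explicitly (see hosts/common/programs/); this keeps eval fast and makes an undeclared program a hard error`, would record it for the next person who hits that error. The enclosing module body begins before the hunk.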