modules/programs: require manual definition; don't auto-populate attrset
This greatly decreases Nix eval time.
This commit is contained in:
parent
f7a82a845c
commit
084541da4c
@ -206,6 +206,8 @@ in
|
||||||
alsaUtils.sandbox.wrapperType = "wrappedDerivation";
|
alsaUtils.sandbox.wrapperType = "wrappedDerivation";
|
||||||
alsaUtils.sandbox.whitelistAudio = true; #< not strictly necessary?
|
alsaUtils.sandbox.whitelistAudio = true; #< not strictly necessary?
|
||||||
|
|
||||||
|
backblaze-b2 = {};
|
||||||
|
|
||||||
blanket.sandbox.method = "bwrap";
|
blanket.sandbox.method = "bwrap";
|
||||||
blanket.sandbox.wrapperType = "wrappedDerivation";
|
blanket.sandbox.wrapperType = "wrappedDerivation";
|
||||||
blanket.sandbox.whitelistAudio = true;
|
blanket.sandbox.whitelistAudio = true;
|
||||||
|
@ -243,6 +245,8 @@ in
|
||||||
|
|
||||||
cargo.persist.byStore.plaintext = [ ".cargo" ];
|
cargo.persist.byStore.plaintext = [ ".cargo" ];
|
||||||
|
|
||||||
|
clang = {};
|
||||||
|
|
||||||
# cryptsetup: typical use is `cryptsetup open /dev/loopxyz mappedName`, and creates `/dev/mapper/mappedName`
|
# cryptsetup: typical use is `cryptsetup open /dev/loopxyz mappedName`, and creates `/dev/mapper/mappedName`
|
||||||
cryptsetup.sandbox.method = "landlock";
|
cryptsetup.sandbox.method = "landlock";
|
||||||
cryptsetup.sandbox.wrapperType = "wrappedDerivation";
|
cryptsetup.sandbox.wrapperType = "wrappedDerivation";
|
||||||
|
@ -293,6 +297,8 @@ in
|
||||||
dtrx.sandbox.whitelistPwd = true;
|
dtrx.sandbox.whitelistPwd = true;
|
||||||
dtrx.sandbox.autodetectCliPaths = "existing"; #< for the archive
|
dtrx.sandbox.autodetectCliPaths = "existing"; #< for the archive
|
||||||
|
|
||||||
|
duplicity = {};
|
||||||
|
|
||||||
e2fsprogs.sandbox.method = "landlock";
|
e2fsprogs.sandbox.method = "landlock";
|
||||||
e2fsprogs.sandbox.wrapperType = "wrappedDerivation";
|
e2fsprogs.sandbox.wrapperType = "wrappedDerivation";
|
||||||
e2fsprogs.sandbox.autodetectCliPaths = "existing";
|
e2fsprogs.sandbox.autodetectCliPaths = "existing";
|
||||||
|
@ -303,6 +309,8 @@ in
|
||||||
"/sys/firmware/efi"
|
"/sys/firmware/efi"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
eg25-control = {};
|
||||||
|
|
||||||
electrum.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
electrum.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||||
electrum.sandbox.wrapperType = "wrappedDerivation";
|
electrum.sandbox.wrapperType = "wrappedDerivation";
|
||||||
electrum.sandbox.net = "all"; # TODO: probably want to make this run behind a VPN, always
|
electrum.sandbox.net = "all"; # TODO: probably want to make this run behind a VPN, always
|
||||||
|
@ -409,6 +417,8 @@ in
|
||||||
gdb.sandbox.wrapperType = "wrappedDerivation";
|
gdb.sandbox.wrapperType = "wrappedDerivation";
|
||||||
gdb.sandbox.autodetectCliPaths = true;
|
gdb.sandbox.autodetectCliPaths = true;
|
||||||
|
|
||||||
|
geoclue2-with-demo-agent = {};
|
||||||
|
|
||||||
# MS GitHub stores auth token in .config
|
# MS GitHub stores auth token in .config
|
||||||
# TODO: we can populate gh's stuff statically; it even lets us use the same oauth across machines
|
# TODO: we can populate gh's stuff statically; it even lets us use the same oauth across machines
|
||||||
gh.persist.byStore.private = [ ".config/gh" ];
|
gh.persist.byStore.private = [ ".config/gh" ];
|
||||||
|
@ -505,6 +515,9 @@ in
|
||||||
".persist/plaintext"
|
".persist/plaintext"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
gnused = {};
|
||||||
|
gpsd = {};
|
||||||
|
|
||||||
gptfdisk.sandbox.method = "landlock";
|
gptfdisk.sandbox.method = "landlock";
|
||||||
gptfdisk.sandbox.wrapperType = "wrappedDerivation";
|
gptfdisk.sandbox.wrapperType = "wrappedDerivation";
|
||||||
gptfdisk.sandbox.extraPaths = [
|
gptfdisk.sandbox.extraPaths = [
|
||||||
|
@ -512,6 +525,8 @@ in
|
||||||
];
|
];
|
||||||
gptfdisk.sandbox.autodetectCliPaths = "existing"; #< sometimes you'll use gdisk on a device file.
|
gptfdisk.sandbox.autodetectCliPaths = "existing"; #< sometimes you'll use gdisk on a device file.
|
||||||
|
|
||||||
|
grim = {};
|
||||||
|
|
||||||
hase.sandbox.method = "bwrap";
|
hase.sandbox.method = "bwrap";
|
||||||
hase.sandbox.wrapperType = "wrappedDerivation";
|
hase.sandbox.wrapperType = "wrappedDerivation";
|
||||||
hase.sandbox.net = "clearnet";
|
hase.sandbox.net = "clearnet";
|
||||||
|
@ -643,6 +658,8 @@ in
|
||||||
lsof.sandbox.method = "capshonly"; # lsof doesn't sandbox under bwrap or even landlock w/ full access to /
|
lsof.sandbox.method = "capshonly"; # lsof doesn't sandbox under bwrap or even landlock w/ full access to /
|
||||||
lsof.sandbox.wrapperType = "wrappedDerivation";
|
lsof.sandbox.wrapperType = "wrappedDerivation";
|
||||||
|
|
||||||
|
lua = {};
|
||||||
|
|
||||||
"mate.engrampa".sandbox.method = "bwrap"; # TODO:sandbox: untested
|
"mate.engrampa".sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||||
"mate.engrampa".sandbox.wrapperType = "inplace";
|
"mate.engrampa".sandbox.wrapperType = "inplace";
|
||||||
"mate.engrampa".sandbox.whitelistWayland = true;
|
"mate.engrampa".sandbox.whitelistWayland = true;
|
||||||
|
@ -717,6 +734,8 @@ in
|
||||||
"/proc"
|
"/proc"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
nodejs = {};
|
||||||
|
|
||||||
# `nvme list` only shows results when run as root.
|
# `nvme list` only shows results when run as root.
|
||||||
nvme-cli.sandbox.method = "landlock";
|
nvme-cli.sandbox.method = "landlock";
|
||||||
nvme-cli.sandbox.wrapperType = "wrappedDerivation";
|
nvme-cli.sandbox.wrapperType = "wrappedDerivation";
|
||||||
|
@ -743,6 +762,8 @@ in
|
||||||
];
|
];
|
||||||
parted.sandbox.autodetectCliPaths = "existing"; #< sometimes you'll use parted on a device file.
|
parted.sandbox.autodetectCliPaths = "existing"; #< sometimes you'll use parted on a device file.
|
||||||
|
|
||||||
|
patchelf = {};
|
||||||
|
|
||||||
pavucontrol.sandbox.method = "bwrap";
|
pavucontrol.sandbox.method = "bwrap";
|
||||||
pavucontrol.sandbox.wrapperType = "wrappedDerivation";
|
pavucontrol.sandbox.wrapperType = "wrappedDerivation";
|
||||||
pavucontrol.sandbox.whitelistAudio = true;
|
pavucontrol.sandbox.whitelistAudio = true;
|
||||||
|
@ -801,6 +822,8 @@ in
|
||||||
rsync.sandbox.net = "clearnet";
|
rsync.sandbox.net = "clearnet";
|
||||||
rsync.sandbox.autodetectCliPaths = "existingOrParent";
|
rsync.sandbox.autodetectCliPaths = "existingOrParent";
|
||||||
|
|
||||||
|
rustc = {};
|
||||||
|
|
||||||
screen.sandbox.enable = false; #< tty; needs to run anything
|
screen.sandbox.enable = false; #< tty; needs to run anything
|
||||||
|
|
||||||
sequoia.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
sequoia.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||||
|
@ -818,6 +841,8 @@ in
|
||||||
# printer/filament settings
|
# printer/filament settings
|
||||||
slic3r.persist.byStore.plaintext = [ ".Slic3r" ];
|
slic3r.persist.byStore.plaintext = [ ".Slic3r" ];
|
||||||
|
|
||||||
|
slurp = {};
|
||||||
|
|
||||||
# use like `sudo smartctl /dev/sda -a`
|
# use like `sudo smartctl /dev/sda -a`
|
||||||
smartmontools.sandbox.method = "landlock";
|
smartmontools.sandbox.method = "landlock";
|
||||||
smartmontools.sandbox.wrapperType = "inplace"; # ships a script in /etc that calls into its bin
|
smartmontools.sandbox.wrapperType = "inplace"; # ships a script in /etc that calls into its bin
|
||||||
|
@ -864,6 +889,8 @@ in
|
||||||
speedtest-cli.sandbox.wrapperType = "wrappedDerivation";
|
speedtest-cli.sandbox.wrapperType = "wrappedDerivation";
|
||||||
speedtest-cli.sandbox.net = "all";
|
speedtest-cli.sandbox.net = "all";
|
||||||
|
|
||||||
|
sqlite = {};
|
||||||
|
|
||||||
strace.sandbox.enable = false; #< needs to `exec` its args, and therefore support *anything*
|
strace.sandbox.enable = false; #< needs to `exec` its args, and therefore support *anything*
|
||||||
|
|
||||||
subversion.sandbox.method = "bwrap";
|
subversion.sandbox.method = "bwrap";
|
||||||
|
@ -963,6 +990,8 @@ in
|
||||||
wl-clipboard.sandbox.wrapperType = "wrappedDerivation";
|
wl-clipboard.sandbox.wrapperType = "wrappedDerivation";
|
||||||
wl-clipboard.sandbox.whitelistWayland = true;
|
wl-clipboard.sandbox.whitelistWayland = true;
|
||||||
|
|
||||||
|
wtype = {};
|
||||||
|
|
||||||
xwayland.sandbox.method = "bwrap";
|
xwayland.sandbox.method = "bwrap";
|
||||||
xwayland.sandbox.wrapperType = "inplace"; #< consumers use it as a library (e.g. wlroots)
|
xwayland.sandbox.wrapperType = "inplace"; #< consumers use it as a library (e.g. wlroots)
|
||||||
xwayland.sandbox.whitelistWayland = true; #< just assuming this is needed
|
xwayland.sandbox.whitelistWayland = true; #< just assuming this is needed
|
||||||
|
@ -978,13 +1007,11 @@ in
|
||||||
yt-dlp.sandbox.wrapperType = "wrappedDerivation";
|
yt-dlp.sandbox.wrapperType = "wrappedDerivation";
|
||||||
yt-dlp.sandbox.net = "all";
|
yt-dlp.sandbox.net = "all";
|
||||||
yt-dlp.sandbox.whitelistPwd = true; # saves to pwd by default
|
yt-dlp.sandbox.whitelistPwd = true; # saves to pwd by default
|
||||||
|
|
||||||
|
zfs = {};
|
||||||
};
|
};
|
||||||
|
|
||||||
programs.feedbackd = lib.mkIf config.sane.programs.feedbackd.enabled {
|
programs.feedbackd = lib.mkIf config.sane.programs.feedbackd.enabled {
|
||||||
enable = true;
|
enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
programs.firejail = lib.mkIf config.sane.programs.firejail.enabled {
|
|
||||||
enable = true; #< install the suid binary
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|
|
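Review bot: The new bare declarations such as `backblaze-b2 = {};`, `clang = {};` and `zfs = {};` carry no sandbox settings, so each one takes whatever the module's default sandbox policy is, and nothing in the list says so; a reader cannot tell an intentionally default entry from one that was never reviewed. Entries that must run unsandboxed already document the reason (`strace.sandbox.enable = false; #< needs to `exec` its args`), and the bare entries deserve the same explicitness. A short comment near the first new entry would do, e.g. `# a bare "name = {};" declares the package as a program with the module defaults (including its default sandbox policy)`. The attrset these hunks extend opens before the first hunk, so a single comment at its head, outside the hunk, would be the alternative place for it.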
@ -26,6 +26,7 @@
|
||||||
./evince.nix
|
./evince.nix
|
||||||
./feedbackd.nix
|
./feedbackd.nix
|
||||||
./firefox.nix
|
./firefox.nix
|
||||||
|
./firejail.nix
|
||||||
./flare-signal.nix
|
./flare-signal.nix
|
||||||
./fontconfig.nix
|
./fontconfig.nix
|
||||||
./fractal.nix
|
./fractal.nix
|
||||||
|
|
|
@ -0,0 +1,8 @@
|
||||||
|
{ lib, config, ... }:
|
||||||
|
{
|
||||||
|
sane.programs.firejail = {};
|
||||||
|
|
||||||
|
programs.firejail = lib.mkIf config.sane.programs.firejail.enabled {
|
||||||
|
enable = true; #< install the suid binary
|
||||||
|
};
|
||||||
|
}
|
|
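Review bot: `sane.programs.firejail = {};` declares firejail with the module's default sandbox settings, yet firejail's purpose is to exec arbitrary other programs through a setuid binary, which is the same reason `strace` and `screen` in the program list carry `sandbox.enable = false` with a comment. If the module default is to sandbox declared programs, this entry presumably needs the same explicit opt-out; if the default is off, a comment saying so would save the next reader the lookup. The comment on `enable = true; #< install the suid binary` could also state that the setuid binary is only installed when `config.sane.programs.firejail.enabled` is set, e.g. `#< installs the setuid firejail binary system-wide; only when the program is enabled`.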
@ -1,5 +1,6 @@
|
||||||
{ config, lib, ... }:
|
{ config, lib, ... }:
|
||||||
{
|
{
|
||||||
|
sane.programs.fwupd = {};
|
||||||
services.fwupd = lib.mkIf config.sane.programs.fwupd.enabled {
|
services.fwupd = lib.mkIf config.sane.programs.fwupd.enabled {
|
||||||
# enables the dbus service, which i think the frontend speaks to.
|
# enables the dbus service, which i think the frontend speaks to.
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
|
@ -49,6 +49,9 @@ in
|
||||||
"sane-scripts.sync-music"
|
"sane-scripts.sync-music"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
"sane-scripts.backup-ls" = {};
|
||||||
|
"sane-scripts.backup-restore" = {};
|
||||||
|
|
||||||
"sane-scripts.bt-add".sandbox = {
|
"sane-scripts.bt-add".sandbox = {
|
||||||
method = "bwrap";
|
method = "bwrap";
|
||||||
wrapperType = "wrappedDerivation";
|
wrapperType = "wrappedDerivation";
|
||||||
|
@ -121,6 +124,8 @@ in
|
||||||
net = "all";
|
net = "all";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
"sane-scripts.ip-port-forward" = {};
|
||||||
|
|
||||||
"sane-scripts.private-change-passwd".sandbox = {
|
"sane-scripts.private-change-passwd".sandbox = {
|
||||||
method = "bwrap";
|
method = "bwrap";
|
||||||
wrapperType = "wrappedDerivation";
|
wrapperType = "wrappedDerivation";
|
||||||
|
@ -216,9 +221,14 @@ in
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
"sane-scripts.stop-all-servo" = {};
|
||||||
|
|
||||||
# if `tee` isn't trustworthy we have bigger problems
|
# if `tee` isn't trustworthy we have bigger problems
|
||||||
"sane-scripts.sudo-redirect".sandbox.enable = false;
|
"sane-scripts.sudo-redirect".sandbox.enable = false;
|
||||||
|
|
||||||
|
"sane-scripts.sync-music" = {};
|
||||||
|
"sane-scripts.sync-from-iphone" = {};
|
||||||
|
|
||||||
"sane-scripts.tag-music".sandbox = {
|
"sane-scripts.tag-music".sandbox = {
|
||||||
method = "bwrap";
|
method = "bwrap";
|
||||||
wrapperType = "wrappedDerivation";
|
wrapperType = "wrappedDerivation";
|
||||||
|
|
|
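Review bot: The two new entries `"sane-scripts.sync-music" = {};` and `"sane-scripts.sync-from-iphone" = {};` break the alphabetical order the rest of the list keeps (`backup-ls` before `backup-restore`, `stop-all-servo` before `sudo-redirect` before `tag-music`); `sync-from-iphone` sorts before `sync-music`, so the two lines should be swapped. Order matters more now that every program must be declared by hand and a missing or duplicated entry is found by eye. The bare entries such as `"sane-scripts.backup-restore" = {};` and `"sane-scripts.ip-port-forward" = {};` also take the module's default sandbox policy; the sibling `"sane-scripts.sudo-redirect".sandbox.enable = false;` shows the file's convention of commenting a deliberate choice, so a one-line comment on any entry that is intentionally left at the default would help.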
@ -652,26 +652,8 @@ in
|
||||||
{
|
{
|
||||||
environment.pathsToLink = [ "/share/sane-sandboxed" ];
|
environment.pathsToLink = [ "/share/sane-sandboxed" ];
|
||||||
environment.systemPackages = [ config.sane.sandboxHelper ];
|
environment.systemPackages = [ config.sane.sandboxHelper ];
|
||||||
}
|
|
||||||
{
|
|
||||||
# expose the pkgs -- as available to the system -- as a build target.
|
# expose the pkgs -- as available to the system -- as a build target.
|
||||||
system.build.pkgs = pkgs;
|
system.build.pkgs = pkgs;
|
||||||
|
|
||||||
sane.programs = lib.mkMerge [
|
|
||||||
# make a program for every (toplevel) package
|
|
||||||
(lib.mapAttrs (_pkgName: _pkg: {}) pkgs)
|
|
||||||
|
|
||||||
# do the same for programs in known groups
|
|
||||||
(lib.mapAttrs' (pkgName: _pkg: { name = "cacert.${pkgName}"; value = {}; }) pkgs.cacert)
|
|
||||||
(lib.mapAttrs' (pkgName: _pkg: { name = "gnome.${pkgName}"; value = {}; }) pkgs.gnome)
|
|
||||||
(lib.mapAttrs' (pkgName: _pkg: { name = "libsForQt5.${pkgName}"; value = {}; }) pkgs.libsForQt5)
|
|
||||||
(lib.mapAttrs' (pkgName: _pkg: { name = "mate.${pkgName}"; value = {}; }) pkgs.mate)
|
|
||||||
(lib.mapAttrs' (pkgName: _pkg: { name = "perlPackages.${pkgName}"; value = {}; }) pkgs.perlPackages)
|
|
||||||
(lib.mapAttrs' (pkgName: _pkg: { name = "plasma5Packages.${pkgName}"; value = {}; }) pkgs.plasma5Packages)
|
|
||||||
(lib.mapAttrs' (pkgName: _pkg: { name = "python3Packages.${pkgName}"; value = {}; }) pkgs.python3Packages)
|
|
||||||
(lib.mapAttrs' (pkgName: _pkg: { name = "sane-scripts.${pkgName}"; value = {}; }) pkgs.sane-scripts)
|
|
||||||
(lib.mapAttrs' (pkgName: _pkg: { name = "sway-contrib.${pkgName}"; value = {}; }) pkgs.sway-contrib)
|
|
||||||
];
|
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|