From 1a972927b65d0500f968d33a1506dc7ca8f23c98 Mon Sep 17 00:00:00 2001
From: Colin
Date: Fri, 16 Feb 2024 05:27:50 +0000
Subject: [PATCH] programs: sandbox nethogs, nmon, nixpkgs-review
---
 hosts/common/programs/assorted.nix | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/hosts/common/programs/assorted.nix b/hosts/common/programs/assorted.nix
index dfb66e8f..d94306fc 100644
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -473,6 +473,24 @@ in
 nano.sandbox.wrapperType = "wrappedDerivation";
 nano.sandbox.autodetectCliPaths = "existingFileOrParent";
+ nethogs.sandbox.method = "capshonly"; # *partially* works under landlock w/ full access to /
+ nethogs.sandbox.wrapperType = "wrappedDerivation";
+ nethogs.sandbox.capabilities = [ "net_admin" "net_raw" ];
+
+ nmon.sandbox.method = "landlock";
+ nmon.sandbox.wrapperType = "wrappedDerivation";
+ nmon.sandbox.extraPaths = [
+ "/proc"
+ ];
+
+ nixpkgs-review.sandbox.method = "bwrap";
+ nixpkgs-review.sandbox.wrapperType = "inplace"; #< shell completions use full paths
+ nixpkgs-review.sandbox.net = "clearnet";
+ nixpkgs-review.sandbox.whitelistPwd = true;
+ nixpkgs-review.sandbox.extraPaths = [
+ "/nix"
+ ];
+ # settings (electron app) obsidian.persist.byStore.plaintext = [ ".config/obsidian" ];
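Review bot: The `nethogs` entry selects `capshonly`, which by its name and its trailing comment appears to leave the filesystem unconfined while granting `net_admin` and `net_raw`, and the comment does not say what breaks under landlock. I would record the trade-off explicitly, e.g. `# capshonly: capabilities are bounded but the filesystem is not confined; landlock only partially works even with full access to / (TODO: note what fails)`. On `nixpkgs-review`, `extraPaths = [ "/nix" ]` together with `net = "clearnet"` exposes the whole of `/nix`; on a daemon-based install that presumably includes the daemon socket, so builds requested from inside the bwrap sandbox would run outside it. If that is intended, a comment such as `# /nix: store + daemon socket; builds run in nix-daemon, not inside this sandbox` would make the boundary clear to the next reader. Whether `extraPaths` entries are bound read-only or read-write is not visible here, and the enclosing attribute set starts and ends outside the hunk, so confirm both against the sandbox module.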