colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

git: sandbox with bwrap

Browse Source
This commit is contained in:
Colin
2024-01-28 10:36:19 +00:00
parent f100595257
commit 3cd244be76
1 changed files with 38 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
hosts/common/programs/git.nix
View File

@@ -6,7 +6,17 @@ let
mkCfg = lib.generators.toINI { }; mkCfg = lib.generators.toINI { };
in in
{ {
sane.programs.git.fs.".config/git/config".symlink.text = mkCfg { sane.programs.git = {
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation"; # can't pass installCheckPhase :?
sandbox.whitelistPwd = true;
sandbox.extraHomePaths = [
# even with `whitelistPwd`, git has to crawl *up* the path -- which isn't necessarily in the sandbox -- to locate parent .git files
"dev"
"ref"
".ssh/id_ed25519"
];
fs.".config/git/config".symlink.text = mkCfg {
# top-level options documented: # top-level options documented:
# - <https://git-scm.com/docs/git-config#_variables> # - <https://git-scm.com/docs/git-config#_variables>
@@ -40,4 +50,5 @@ in
stash.showPatch = true; stash.showPatch = true;
}; };
};
} }