git: sandbox with bwrap

hosts/common/programs/git.nix

@@ -6,38 +6,49 @@ let
   mkCfg = lib.generators.toINI { };
 in
 {
-  sane.programs.git.fs.".config/git/config".symlink.text = mkCfg {
+  sane.programs.git = {
-    # top-level options documented:
+    sandbox.method = "bwrap";
-    # - <https://git-scm.com/docs/git-config#_variables>
+    sandbox.wrapperType = "wrappedDerivation";  # can't pass installCheckPhase :?
+    sandbox.whitelistPwd = true;
+    sandbox.extraHomePaths = [
+      # even with `whitelistPwd`, git has to crawl *up* the path -- which isn't necessarily in the sandbox -- to locate parent .git files
+      "dev"
+      "ref"
+      ".ssh/id_ed25519"
+    ];
+    fs.".config/git/config".symlink.text = mkCfg {
+      # top-level options documented:
+      # - <https://git-scm.com/docs/git-config#_variables>
 
-    user.name = "Colin";
+      user.name = "Colin";
-    user.email = "colin@uninsane.org";
+      user.email = "colin@uninsane.org";
 
-    alias.amend   = "commit --amend --no-edit";
+      alias.amend   = "commit --amend --no-edit";
-    alias.br      = "branch";
+      alias.br      = "branch";
-    alias.co      = "checkout";
+      alias.co      = "checkout";
-    alias.cp      = "cherry-pick";
+      alias.cp      = "cherry-pick";
-    alias.d       = "difftool";
+      alias.d       = "difftool";
-    alias.dif     = "diff";  # common typo
+      alias.dif     = "diff";  # common typo
-    alias.difsum  = "diff --compact-summary";  #< show only the list of files which changed, not contents
+      alias.difsum  = "diff --compact-summary";  #< show only the list of files which changed, not contents
-    alias.rb      = "rebase";
+      alias.rb      = "rebase";
-    alias.st      = "status";
+      alias.st      = "status";
-    alias.stat    = "status";
+      alias.stat    = "status";
 
-    diff.noprefix = true;  #< don't show a/ or b/ prefixes in diffs
+      diff.noprefix = true;  #< don't show a/ or b/ prefixes in diffs
-    # difftastic docs:
+      # difftastic docs:
-    # - <https://difftastic.wilfred.me.uk/git.html>
+      # - <https://difftastic.wilfred.me.uk/git.html>
-    diff.tool = "difftastic";
+      diff.tool = "difftastic";
-    difftool.prompt = false;
+      difftool.prompt = false;
-    "difftool \"difftastic\"".cmd = ''${pkgs.difftastic}/bin/difft "$LOCAL" "$REMOTE"'';
+      "difftool \"difftastic\"".cmd = ''${pkgs.difftastic}/bin/difft "$LOCAL" "$REMOTE"'';
-    # now run `git difftool` to use difftastic git
+      # now run `git difftool` to use difftastic git
 
-    # render dates as YYYY-MM-DD HH:MM:SS +TZ
+      # render dates as YYYY-MM-DD HH:MM:SS +TZ
-    log.date = "iso";
+      log.date = "iso";
 
-    sendemail.annotate = "yes";
+      sendemail.annotate = "yes";
-    sendemail.confirm = "always";
+      sendemail.confirm = "always";
 
-    stash.showPatch = true;
+      stash.showPatch = true;
+    };
   };
 }