programs: support secrets even when sandboxed

This commit is contained in:
Colin 2024-01-23 14:45:34 +00:00
parent bb63a594ab
commit 576d2c32f0


@ -70,6 +70,7 @@ let
"/run/opengl-driver"
"/run/opengl-driver-32" #< XXX: doesn't exist on aarch64?
"/run/user" #< particularly /run/user/$id/wayland-1, pulse, etc.
"/run/secrets/home"
# "/dev/dri" #< fix non-fatal "libEGL warning: wayland-egl: could not open /dev/dri/renderD128" (geary)
] ++ mediaRootPaths ++ sandbox.extraPaths;
}
@ -284,6 +285,10 @@ let
;
suggestedPrograms = lib.optionals (config.sandbox.method == "bwrap") [ "bubblewrap" ]
++ lib.optionals (config.sandbox.method == "firejail") [ "firejail" ];
# declare a fs dependency for each secret, but don't specify how to populate it yet.
# can't populate it here because it varies per-user.
# this gets the symlink into the sandbox, but not the actual secret.
fs = lib.mapAttrs (_homePath: _secretSrc: {}) config.secrets;
};
});
toPkgSpec = with lib; types.coercedTo types.package (p: { package = p; }) pkgSpec;
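Review bot: The `"/run/secrets/home"` entry added in the first hunk (`@ -70,6 +70,7`) lands in the shared sandbox path list that ends with `] ++ mediaRootPaths ++ sandbox.extraPaths;`, so every sandboxed program is granted the whole secrets directory, while the per-program `fs = lib.mapAttrs (_homePath: _secretSrc: {}) config.secrets;` in the second hunk only declares which secrets a program wants and, per its own comment, only gets the symlink into the sandbox. If least privilege is the goal, the mounted path should be derived per program from `config.secrets` rather than the directory root — presumably a `lib.mapAttrsToList` or `lib.attrValues` over it, depending on what `_secretSrc` holds, which is not visible here. If the broad mount is intentional for now, record the trade-off next to the entry, e.g. `"/run/secrets/home" #< XXX: exposes every secret to every sandboxed program; narrow per-program via config.secrets`. Both hunks are inside `let` bindings whose definitions begin and end outside the hunks.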