colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

programs: sandbox sane-shutdown, sane-reboot

Browse Source
This commit is contained in:
Colin
2024-02-20 13:43:05 +00:00
parent 58db553c84
commit 8beac8df2f
4 changed files with 34 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
hosts/common/programs/sane-scripts.nix
View File

@@ -121,12 +121,35 @@ in
# extraPaths = [ "/boot" ]; # extraPaths = [ "/boot" ];
# }; # };
# it's just a thin wrapper around rsync, which is already sandboxed
"sane-scripts.rcp".sandbox.enable = false;
# but make sure rsync is always on PATH, so that we actually do get sandboxing :)
"sane-scripts.rcp".suggestedPrograms = [ "rsync" ];
"sane-scripts.reboot".sandbox = {
method = "bwrap";
wrapperType = "wrappedDerivation";
extraPaths = [
"/run/dbus"
"/run/systemd"
];
};
"sane-scripts.reclaim-disk-space".sandbox = { "sane-scripts.reclaim-disk-space".sandbox = {
method = "bwrap"; method = "bwrap";
wrapperType = "wrappedDerivation"; wrapperType = "wrappedDerivation";
extraPaths = [ "/nix/var/nix" ]; extraPaths = [ "/nix/var/nix" ];
}; };
"sane-scripts.shutdown".sandbox = {
method = "bwrap";
wrapperType = "wrappedDerivation";
extraPaths = [
"/run/dbus"
"/run/systemd"
];
};
# if `tee` isn't trustworthy we have bigger problems # if `tee` isn't trustworthy we have bigger problems
"sane-scripts.sudo-redirect".sandbox.enable = false; "sane-scripts.sudo-redirect".sandbox.enable = false;

4
pkgs/additional/sane-scripts/default.nix
View File

@@ -130,7 +130,7 @@ let
reboot = static-nix-shell.mkBash { reboot = static-nix-shell.mkBash {
pname = "sane-reboot"; pname = "sane-reboot";
src = ./src; src = ./src;
pkgs = [ "systemd" ]; pkgs = [ "nettools" "systemd" ];
}; };
reclaim-boot-space = static-nix-shell.mkPython3Bin { reclaim-boot-space = static-nix-shell.mkPython3Bin {
pname = "sane-reclaim-boot-space"; pname = "sane-reclaim-boot-space";
@@ -159,7 +159,7 @@ let
shutdown = static-nix-shell.mkBash { shutdown = static-nix-shell.mkBash {
pname = "sane-shutdown"; pname = "sane-shutdown";
src = ./src; src = ./src;
pkgs = [ "inetutils" "systemd" ]; pkgs = [ "nettools" "systemd" ];
}; };
stop-all-servo = static-nix-shell.mkBash { stop-all-servo = static-nix-shell.mkBash {
pname = "sane-stop-all-servo"; pname = "sane-stop-all-servo";

7
pkgs/additional/sane-scripts/src/sane-reboot
View File

@@ -1,11 +1,14 @@
#!/usr/bin/env nix-shell #!/usr/bin/env nix-shell
#!nix-shell -i bash -p systemd #!nix-shell -i bash -p nettools -p systemd
target="$1" target="$1"
shift
host="$(hostname)" host="$(hostname)"
if [ "$host" = "$target" ] if [ "$host" = "$target" ]
then then
sudo reboot now # N.B.: anything other than just `reboot` with no args requires `sudo` privilegs (to write to /run/systemd/)
reboot "$@"
else else
echo "WRONG MACHINE. you're on $host." echo "WRONG MACHINE. you're on $host."
exit 1 exit 1

6
pkgs/additional/sane-scripts/src/sane-shutdown
View File

@@ -1,11 +1,13 @@
#!/usr/bin/env nix-shell #!/usr/bin/env nix-shell
#!nix-shell -i bash -p inetutils -p systemd #!nix-shell -i bash -p nettools -p systemd
target="$1" target="$1"
shift
host="$(hostname)" host="$(hostname)"
if [ "$host" = "$target" ] if [ "$host" = "$target" ]
then then
sudo shutdown now shutdown now "$@"
else else
echo "WRONG MACHINE. you're on $host." echo "WRONG MACHINE. you're on $host."
exit 1 exit 1