wireguard-tools: sandbox with bunpen

2024-09-07 20:33:54 +00:00
parent 823ec0e6f4
commit 8eadede76d
1 changed files with 2 additions and 1 deletions
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -1238,9 +1238,10 @@ in
    whalebird.persist.byStore.private = [ ".config/Whalebird" ];

    # `wg`, `wg-quick`
-    wireguard-tools.sandbox.method = "landlock";
+    wireguard-tools.sandbox.method = "bunpen";
    wireguard-tools.sandbox.net = "all";
    wireguard-tools.sandbox.capabilities = [ "net_admin" ];
+    wireguard-tools.sandbox.tryKeepUsers = true;

    # provides `iwconfig`, `iwlist`, `iwpriv`, ...
    wirelesstools.sandbox.method = "landlock";