modules/programs: simplify how sandbox profiles make it into system packages

2024-02-12 10:52:44 +00:00 · 2024-02-12 10:52:44 +00:00 · 93012664e5
commit 93012664e5
parent c424f7ac3b
1 changed files with 7 additions and 21 deletions
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@ -430,20 +430,21 @@ let
    system.checks = lib.optionals (p.enabled && p.sandbox.enable && p.sandbox.method != null && p.package != null) [
      p.package.passthru.checkSandboxed
    ];
-    sane.sandboxProfiles = lib.optionals (p.enabled && p.sandbox.enable && p.sandbox.method != null && p.package != null) [
-      p.package.passthru.sandboxProfiles
-    ];

    # conditionally add to system PATH and env
    environment = lib.optionalAttrs (p.enabled && p.enableFor.system) {
-      systemPackages = lib.optional (p.package != null) p.package;
+      systemPackages = lib.optionals (p.package != null) (
+        [ p.package ] ++ lib.optional (p.sandbox.enable && p.sandbox.method != null) p.package.passthru.sandboxProfiles
+      );
      # sessionVariables are set by PAM, as opposed to environment.variables which goes in /etc/profile
      sessionVariables = p.env;
    };

    # conditionally add to user(s) PATH
    users.users = lib.mapAttrs (user: en: {
-      packages = lib.optional (p.package != null && en && p.enabled) p.package;
+      packages = lib.optionals (p.package != null && en && p.enabled) (
+        [ p.package ] ++ lib.optional (p.sandbox.enable && p.sandbox.method != null) p.package.passthru.sandboxProfiles
+      );
    }) p.enableFor.user;

    # conditionally persist relevant user dirs and create files
@ -529,14 +530,6 @@ in
        exposed to facilitate debugging, e.g. `nix build '.#hostConfigs.desko.sane.sandboxHelper'`
      '';
    };
-    sane.sandboxProfiles = mkOption {
-      type = types.listOf types.package;
-      default = [];
-      description = ''
-        packages with /share/sane-sandbox profiles indicating how to sandbox their associated package.
-        this is mostly an internal implementation detail.
-      '';
-    };
    sane.strictSandboxing = mkOption {
      type = types.enum [ false "warn" "assert" ];
      default = "warn";
@ -553,7 +546,6 @@ in
        environment.systemPackages = f.environment.systemPackages;
        environment.sessionVariables = f.environment.sessionVariables;
        users.users = f.users.users;
-        sane.sandboxProfiles = f.sane.sandboxProfiles;
        sane.users = f.sane.users;
        sops.secrets = f.sops.secrets;
        system.checks = f.system.checks;
@ -563,13 +555,7 @@ in
      (take (sane-lib.mkTypedMerge take configs))
      {
        environment.pathsToLink = [ "/share/sane-sandboxed" ];
-        environment.systemPackages = [(
-          config.sane.sandboxHelper.withProfiles
-            (pkgs.symlinkJoin {
-              name = "sane-sandbox-profiles";
-              paths = config.sane.sandboxProfiles;
-            })
-        )];
+        environment.systemPackages = [ config.sane.sandboxHelper ];
      }
      {
        # expose the pkgs -- as available to the system -- as a build target.