modules/programs: simplify how sandbox profiles make it into system packages
parent
c424f7ac3b
commit
93012664e5
|
@ -430,20 +430,21 @@ let
|
|||
system.checks = lib.optionals (p.enabled && p.sandbox.enable && p.sandbox.method != null && p.package != null) [
|
||||
p.package.passthru.checkSandboxed
|
||||
];
|
||||
sane.sandboxProfiles = lib.optionals (p.enabled && p.sandbox.enable && p.sandbox.method != null && p.package != null) [
|
||||
p.package.passthru.sandboxProfiles
|
||||
];
|
||||
|
||||
# conditionally add to system PATH and env
|
||||
environment = lib.optionalAttrs (p.enabled && p.enableFor.system) {
|
||||
systemPackages = lib.optional (p.package != null) p.package;
|
||||
systemPackages = lib.optionals (p.package != null) (
|
||||
[ p.package ] ++ lib.optional (p.sandbox.enable && p.sandbox.method != null) p.package.passthru.sandboxProfiles
|
||||
);
|
||||
# sessionVariables are set by PAM, as opposed to environment.variables which goes in /etc/profile
|
||||
sessionVariables = p.env;
|
||||
};
|
||||
|
||||
# conditionally add to user(s) PATH
|
||||
users.users = lib.mapAttrs (user: en: {
|
||||
packages = lib.optional (p.package != null && en && p.enabled) p.package;
|
||||
packages = lib.optionals (p.package != null && en && p.enabled) (
|
||||
[ p.package ] ++ lib.optional (p.sandbox.enable && p.sandbox.method != null) p.package.passthru.sandboxProfiles
|
||||
);
|
||||
}) p.enableFor.user;
|
||||
|
||||
# conditionally persist relevant user dirs and create files
|
||||
|
@ -529,14 +530,6 @@ in
|
|||
exposed to facilitate debugging, e.g. `nix build '.#hostConfigs.desko.sane.sandboxHelper'`
|
||||
'';
|
||||
};
|
||||
sane.sandboxProfiles = mkOption {
|
||||
type = types.listOf types.package;
|
||||
default = [];
|
||||
description = ''
|
||||
packages with /share/sane-sandbox profiles indicating how to sandbox their associated package.
|
||||
this is mostly an internal implementation detail.
|
||||
'';
|
||||
};
|
||||
sane.strictSandboxing = mkOption {
|
||||
type = types.enum [ false "warn" "assert" ];
|
||||
default = "warn";
|
||||
|
@ -553,7 +546,6 @@ in
|
|||
environment.systemPackages = f.environment.systemPackages;
|
||||
environment.sessionVariables = f.environment.sessionVariables;
|
||||
users.users = f.users.users;
|
||||
sane.sandboxProfiles = f.sane.sandboxProfiles;
|
||||
sane.users = f.sane.users;
|
||||
sops.secrets = f.sops.secrets;
|
||||
system.checks = f.system.checks;
|
||||
|
@ -563,13 +555,7 @@ in
|
|||
(take (sane-lib.mkTypedMerge take configs))
|
||||
{
|
||||
environment.pathsToLink = [ "/share/sane-sandboxed" ];
|
||||
environment.systemPackages = [(
|
||||
config.sane.sandboxHelper.withProfiles
|
||||
(pkgs.symlinkJoin {
|
||||
name = "sane-sandbox-profiles";
|
||||
paths = config.sane.sandboxProfiles;
|
||||
})
|
||||
)];
|
||||
environment.systemPackages = [ config.sane.sandboxHelper ];
|
||||
}
|
||||
{
|
||||
# expose the pkgs -- as available to the system -- as a build target.
|
||||
|
|
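Review bot: Replacing `config.sane.sandboxHelper.withProfiles (pkgs.symlinkJoin …)` with the bare `config.sane.sandboxHelper` in the last hunk moves profile lookup from a store path fixed at build time to whatever the helper discovers in the running profile, and nothing in this diff says where it looks. Please add a comment beside `environment.systemPackages = [ config.sane.sandboxHelper ];`, e.g. `# profiles are no longer bound into the helper; it discovers them at runtime under <profile>/share/sane-sandboxed (linked via pathsToLink above)`, and confirm that the search is limited to the system and per-user profile directories rather than anything the caller can redirect, since a redirectable lookup would let a weaker profile stand in for the intended one. The per-user `packages` branch in the first hunk now places a program's profiles only in that user's profile, so for `enableFor.user`-only programs the helper must consult the per-user profile as well as the system one — I cannot tell from this diff whether it does. Separately, `lib.optional (p.sandbox.enable && p.sandbox.method != null) p.package.passthru.sandboxProfiles` is repeated verbatim under both `systemPackages` and `packages`, and the same predicate appears on the `system.checks` line; hoisting it into one `let` binding would keep the three from drifting.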