README: document the sandboxing feature of my "programs" module
This commit is contained in:
@@ -99,6 +99,11 @@ i.e. you might find value in using these in your own config:
|
|||||||
- allows `fs` and `persist` config values to be gated behind program deployment:
|
- allows `fs` and `persist` config values to be gated behind program deployment:
|
||||||
- e.g. `/home/<user>/.mozilla/firefox` is persisted only for users who
|
- e.g. `/home/<user>/.mozilla/firefox` is persisted only for users who
|
||||||
`sane.programs.firefox.enableFor.user."<user>" = true;`
|
`sane.programs.firefox.enableFor.user."<user>" = true;`
|
||||||
|
- allows aggressive sandboxing any program:
|
||||||
|
- `sane.programs.firefox.sandbox.method = "bwrap"; # sandbox with bubblewrap`
|
||||||
|
- `sane.programs.firefox.sandbox.whitelistWayland = true; # allow it to render a wayland window`
|
||||||
|
- `sane.programs.firefox.sandbox.extraHomePaths = [ "Downloads" ]; # allow it read/write access to ~/Downloads`
|
||||||
|
- integrated with `fs` and `persist` modules so that programs' config files and persisted data stores are linked into the sandbox w/o any extra involvement.
|
||||||
- `modules/users.nix`
|
- `modules/users.nix`
|
||||||
- convenience layer atop the above modules so that you can just write
|
- convenience layer atop the above modules so that you can just write
|
||||||
`fs.".config/git"` instead of `fs."/home/colin/.config/git"`
|
`fs.".config/git"` instead of `fs."/home/colin/.config/git"`
|
||||||
|
|||||||
Reference in New Issue
Block a user