sane.programs: provide sandbox.net = "vpn.wg-home"
to tunnel through my home ISP
@@ -42,7 +42,13 @@ let
|
||||
# makeSandboxed = pkgs.callPackage ./make-sandboxed.nix { sanebox = config.sane.programs.sanebox.package; };
|
||||
makeSandboxed = pkgs.callPackage ./make-sandboxed.nix { };
|
||||
|
||||
vpn = lib.findSingle (v: v.default) null null (builtins.attrValues config.sane.vpn);
|
||||
vpn = if sandbox.net == "vpn" then
|
||||
lib.findSingle (v: v.default) null null (builtins.attrValues config.sane.vpn)
|
||||
else if sandbox.net == "vpn.wg-home" then
|
||||
config.sane.vpn.wg-home
|
||||
else
|
||||
null
|
||||
;
|
||||
|
||||
allowedHomePaths = builtins.attrNames fs ++ builtins.attrNames persist.byPath ++ sandbox.extraHomePaths;
|
||||
allowedRunPaths = sandbox.extraRuntimePaths;
|
||||
@@ -73,15 +79,15 @@ let
|
||||
method
|
||||
whitelistPwd
|
||||
;
|
||||
netDev = if sandbox.net == "vpn" then
|
||||
netDev = if vpn != null then
|
||||
vpn.name
|
||||
else
|
||||
sandbox.net;
|
||||
netGateway = if sandbox.net == "vpn" then
|
||||
netGateway = if vpn != null then
|
||||
vpn.addrV4
|
||||
else
|
||||
null;
|
||||
dns = if sandbox.net == "vpn" then
|
||||
dns = if vpn != null then
|
||||
vpn.dns
|
||||
else
|
||||
null;
|
||||
@@ -261,7 +267,7 @@ let
|
||||
type = types.coercedTo
|
||||
types.str
|
||||
(s: if s == "clearnet" || s == "localhost" then "all" else s)
|
||||
(types.enum [ null "all" "vpn" ]);
|
||||
(types.enum [ null "all" "vpn" "vpn.wg-home" ]);
|
||||
default = null;
|
||||
description = ''
|
||||
how this app should have its network traffic routed.
|
||||
@@ -271,6 +277,7 @@ let
|
||||
- "localhost": only needs access to other services running on this host.
|
||||
currently, just an alias for "all".
|
||||
- "vpn": to route all traffic over the default VPN.
|
||||
- "vpn.wg-home": to route all traffic over the wg-home VPN.
|
||||
- null: to maximally isolate from the network.
|
||||
'';
|
||||
};
|
||||
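Review bot: With `vpn` now computed up front and `netDev = if vpn != null then vpn.name else sandbox.net;`, a program that asks for `sandbox.net = "vpn"` on a host with no (or more than one) `default = true` VPN no longer fails evaluation: `lib.findSingle (v: v.default) null null …` yields null, the new `else` branch falls through, and the sandbox is handed the literal string "vpn" as its network device, whereas the pre-commit `sandbox.net == "vpn" then vpn.name` would have errored on `null.name`. What make-sandboxed does with an unknown device name is not visible here, but a VPN-only program silently getting something other than the VPN is the failure mode to rule out. Nix arguments are lazy, so the "none" and "multiple" defaults of `findSingle` can carry the error and keep the fail-closed behaviour: `lib.findSingle (v: v.default) (throw "sane.programs: sandbox.net = \"vpn\" but no default VPN is configured") (throw "sane.programs: sandbox.net = \"vpn\" but more than one VPN has default = true") (builtins.attrValues config.sane.vpn)`. A one-line comment above the `vpn =` binding, `# resolved VPN for this sandbox; null means "not routed over a VPN", never "VPN requested but missing"`, would document the invariant the later `vpn != null` checks rely on. The enclosing `let` block starts before the first hunk and continues past the last.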
|