diff --git a/modules/programs/default.nix b/modules/programs/default.nix
index d44ec7d0a..ca2c63933 100644
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@@ -42,7 +42,13 @@ let
   # makeSandboxed = pkgs.callPackage ./make-sandboxed.nix { sanebox = config.sane.programs.sanebox.package; };
   makeSandboxed = pkgs.callPackage ./make-sandboxed.nix { };
-  vpn = lib.findSingle (v: v.default) null null (builtins.attrValues config.sane.vpn);
+  vpn = if sandbox.net == "vpn" then
+    lib.findSingle (v: v.default) null null (builtins.attrValues config.sane.vpn)
+  else if sandbox.net == "vpn.wg-home" then
+    config.sane.vpn.wg-home
+  else
+    null
+  ;
   allowedHomePaths = builtins.attrNames fs ++ builtins.attrNames persist.byPath ++ sandbox.extraHomePaths;
   allowedRunPaths = sandbox.extraRuntimePaths;
@@ -73,15 +79,15 @@ let
         method whitelistPwd
       ;
-      netDev = if sandbox.net == "vpn" then
+      netDev = if vpn != null then
         vpn.name
       else
         sandbox.net;
-      netGateway = if sandbox.net == "vpn" then
+      netGateway = if vpn != null then
         vpn.addrV4
       else
         null;
-      dns = if sandbox.net == "vpn" then
+      dns = if vpn != null then
         vpn.dns
       else
         null;
@@ -261,7 +267,7 @@ let
         type = types.coercedTo types.str
           (s: if s == "clearnet" || s == "localhost" then "all" else s)
-          (types.enum [ null "all" "vpn" ]);
+          (types.enum [ null "all" "vpn" "vpn.wg-home" ]);
         default = null;
         description = ''
           how this app should have its network traffic routed.
@@ -271,6 +277,7 @@ let
           - "localhost": only needs access to other services running on this host.
             currently, just an alias for "all".
           - "vpn": to route all traffic over the default VPN.
+          - "vpn.wg-home": to route all traffic over the wg-home VPN.
           - null: to maximally isolate from the network.
         '';
       };
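Review bot: The resolver's null fallbacks turn a misconfigured VPN request into a silently weaker sandbox: `lib.findSingle (v: v.default) null null ...` yields null when no `sane.vpn` entry has `default = true` (or more than one does), and hunk 2's `netDev = if vpn != null then vpn.name else sandbox.net` then hands the literal string "vpn" down as the device name with `netGateway` and `dns` null, whereas the previous `sandbox.net == "vpn"` test at least failed evaluation on `null.name`. Unless the sandbox wrapper rejects an unknown device name — not visible here — the program ends up attached to something other than the VPN it was configured for. Making the two fallbacks fail loudly keeps the intent explicit, e.g. `lib.findSingle (v: v.default) (throw "sane.programs: net = \"vpn\" but no sane.vpn entry has default = true") (throw "sane.programs: net = \"vpn\" but several sane.vpn entries have default = true") (builtins.attrValues config.sane.vpn)` (messages are constructed samples). The `"vpn.wg-home"` branch has the mirror-image problem: `config.sane.vpn.wg-home` fails with a bare missing-attribute error on a host that does not define that VPN, so a message naming the program and the missing entry would help there as well; the enclosing `let` starts and ends outside the hunk.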
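Review bot: The accepted values and the resolver now have to agree by hand: `"vpn.wg-home"` is spelled out in this enum and again in hunk 1's `else if sandbox.net == "vpn.wg-home"`, so each additional VPN means two edits and a mismatch between them only surfaces at evaluation time. If option types in this module may read `config.sane.vpn` without recursing through this option (not visible here), deriving the list would close that gap: `(types.enum ([ null "all" "vpn" ] ++ map (n: "vpn.${n}") (builtins.attrNames config.sane.vpn)));`, with the resolver looking the entry up via `lib.removePrefix "vpn."` instead of a per-name branch. Otherwise a comment next to the enum keeps the two places in step, e.g. `# keep in sync with the vpn resolver near the top of this file`.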
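Review bot: The new description line says where traffic goes but not what the value requires; a reader of the option docs cannot tell that `"vpn.wg-home"` depends on a matching `sane.vpn.wg-home` definition, and the existing `"vpn"` line likewise does not say that a `sane.vpn` entry with `default = true` has to exist. Suggest `- "vpn.wg-home": to route all traffic over the wg-home VPN (requires sane.vpn.wg-home to be defined).` and a matching parenthetical on the `"vpn"` line.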