programs: sane-secrets-*: sandbox

hosts/common/programs/sane-scripts.nix

@@ -128,6 +128,15 @@ in
       net = "all";
     };
 
+    # TODO: gocryptfs/fuse requires /run/wrappers/bin/fusermount3 SUID
+    # "sane-scripts.private-unlock".sandbox = {
+    #   method = "landlock";
+    #   wrapperType = "wrappedDerivation";
+    #   extraHomePaths = [ "private" ];
+    #   # TODO: don't hardcode the username here.
+    #   extraPaths = [ "/nix/persist/home/colin/private" ];
+    # };
+
     "sane-scripts.reclaim-boot-space".sandbox = {
       method = "bwrap";
       wrapperType = "wrappedDerivation";
@@ -154,6 +163,32 @@ in
       extraPaths = [ "/nix/var/nix" ];
     };
 
+    "sane-scripts.secrets-unlock".sandbox = {
+      method = "bwrap";
+      wrapperType = "wrappedDerivation";
+      extraHomePaths = [
+        ".ssh/id_ed25519"
+        ".ssh/id_ed25519.pub"
+        ".config/sops"
+      ];
+    };
+
+    # sane-secrets-dump is a thin wrapper around sops + some utilities.
+    # really i should sandbox just the utilities
+    "sane-scripts.secrets-dump".sandbox.enable = false;
+    "sane-scripts.secrets-dump".suggestedPrograms = [
+      "gnugrep"
+      "oath-toolkit"
+      "sops"
+    ];
+    # sane-secrets-update-keys is a thin wrapper around sops + some utilities.
+    # really i should sandbox just the utilities
+    "sane-scripts.secrets-update-keys".sandbox.enable = false;
+    "sane-scripts.secrets-update-keys".suggestedPrograms = [
+      "findutils"
+      "sops"
+    ];
+
     "sane-scripts.shutdown".sandbox = {
       method = "bwrap";
       wrapperType = "wrappedDerivation";