programs: sane-secrets-*: sandbox
This commit is contained in:
parent
be2098c18a
commit
d9901aa161
|
@ -128,6 +128,15 @@ in
|
|||
net = "all";
|
||||
};
|
||||
|
||||
# TODO: gocryptfs/fuse requires /run/wrappers/bin/fusermount3 SUID
|
||||
# "sane-scripts.private-unlock".sandbox = {
|
||||
# method = "landlock";
|
||||
# wrapperType = "wrappedDerivation";
|
||||
# extraHomePaths = [ "private" ];
|
||||
# # TODO: don't hardcode the username here.
|
||||
# extraPaths = [ "/nix/persist/home/colin/private" ];
|
||||
# };
|
||||
|
||||
"sane-scripts.reclaim-boot-space".sandbox = {
|
||||
method = "bwrap";
|
||||
wrapperType = "wrappedDerivation";
|
||||
|
@ -154,6 +163,32 @@ in
|
|||
extraPaths = [ "/nix/var/nix" ];
|
||||
};
|
||||
|
||||
"sane-scripts.secrets-unlock".sandbox = {
|
||||
method = "bwrap";
|
||||
wrapperType = "wrappedDerivation";
|
||||
extraHomePaths = [
|
||||
".ssh/id_ed25519"
|
||||
".ssh/id_ed25519.pub"
|
||||
".config/sops"
|
||||
];
|
||||
};
|
||||
|
||||
# sane-secrets-dump is a thin wrapper around sops + some utilities.
|
||||
# really i should sandbox just the utilities
|
||||
"sane-scripts.secrets-dump".sandbox.enable = false;
|
||||
"sane-scripts.secrets-dump".suggestedPrograms = [
|
||||
"gnugrep"
|
||||
"oath-toolkit"
|
||||
"sops"
|
||||
];
|
||||
# sane-secrets-update-keys is a thin wrapper around sops + some utilities.
|
||||
# really i should sandbox just the utilities
|
||||
"sane-scripts.secrets-update-keys".sandbox.enable = false;
|
||||
"sane-scripts.secrets-update-keys".suggestedPrograms = [
|
||||
"findutils"
|
||||
"sops"
|
||||
];
|
||||
|
||||
"sane-scripts.shutdown".sandbox = {
|
||||
method = "bwrap";
|
||||
wrapperType = "wrappedDerivation";
|
||||
|
|
Loading…
Reference in New Issue
Block a user