179 lines
4.9 KiB
Nix
179 lines
4.9 KiB
Nix
{ ... }:
|
|
let
|
|
declPackageSet = pkgs: {
|
|
packageUnwrapped = null;
|
|
suggestedPrograms = pkgs;
|
|
};
|
|
in
|
|
{
|
|
sane.programs = {
|
|
"sane-scripts.backup" = declPackageSet [
|
|
"sane-scripts.backup-ls"
|
|
"sane-scripts.backup-restore"
|
|
];
|
|
"sane-scripts.bittorrent" = declPackageSet [
|
|
"sane-scripts.bt-add"
|
|
"sane-scripts.bt-rm"
|
|
"sane-scripts.bt-search"
|
|
"sane-scripts.bt-show"
|
|
];
|
|
"sane-scripts.dev" = declPackageSet [
|
|
"sane-scripts.clone"
|
|
"sane-scripts.dev-cargo-loop"
|
|
];
|
|
"sane-scripts.cli" = declPackageSet [
|
|
"sane-scripts.deadlines"
|
|
"sane-scripts.find-dotfiles"
|
|
"sane-scripts.ip-check"
|
|
"sane-scripts.private-change-passwd"
|
|
"sane-scripts.private-do"
|
|
"sane-scripts.private-init"
|
|
"sane-scripts.private-lock"
|
|
"sane-scripts.private-unlock"
|
|
"sane-scripts.rcp"
|
|
"sane-scripts.reboot"
|
|
"sane-scripts.reclaim-boot-space"
|
|
"sane-scripts.reclaim-disk-space"
|
|
"sane-scripts.secrets-dump"
|
|
"sane-scripts.secrets-unlock"
|
|
"sane-scripts.secrets-update-keys"
|
|
"sane-scripts.shutdown"
|
|
"sane-scripts.sudo-redirect"
|
|
"sane-scripts.tag-music"
|
|
"sane-scripts.vpn"
|
|
"sane-scripts.which"
|
|
"sane-scripts.wipe"
|
|
];
|
|
"sane-scripts.sys-utils" = declPackageSet [
|
|
"sane-scripts.ip-port-forward"
|
|
"sane-scripts.sync-music"
|
|
];
|
|
|
|
"sane-scripts.bt-add".sandbox = {
|
|
method = "bwrap";
|
|
wrapperType = "wrappedDerivation";
|
|
net = "clearnet";
|
|
# TODO: migrate `transmission_passwd` to `secrets` api
|
|
extraPaths = [ "/run/secrets/transmission_passwd" ];
|
|
};
|
|
|
|
"sane-scripts.bt-rm".sandbox = {
|
|
method = "bwrap";
|
|
wrapperType = "wrappedDerivation";
|
|
net = "clearnet";
|
|
# TODO: migrate `transmission_passwd` to `secrets` api
|
|
extraPaths = [ "/run/secrets/transmission_passwd" ];
|
|
};
|
|
|
|
"sane-scripts.bt-search".sandbox = {
|
|
method = "bwrap";
|
|
wrapperType = "wrappedDerivation";
|
|
net = "clearnet";
|
|
# TODO: migrate `jackett_apikey` to `secrets` api
|
|
extraPaths = [ "/run/secrets/jackett_apikey" ];
|
|
};
|
|
|
|
"sane-scripts.bt-show".sandbox = {
|
|
method = "bwrap";
|
|
wrapperType = "wrappedDerivation";
|
|
net = "clearnet";
|
|
# TODO: migrate `transmission_passwd` to `secrets` api
|
|
extraPaths = [ "/run/secrets/transmission_passwd" ];
|
|
};
|
|
|
|
# the idea of this script is to `cd` into a fresh clone...
|
|
# but that's an ephemeral operation that would be lost when the sandbox closes.
|
|
"sane-scripts.clone".sandbox.enable = false;
|
|
|
|
"sane-scripts.deadlines".sandbox = {
|
|
method = "bwrap";
|
|
wrapperType = "wrappedDerivation";
|
|
extraHomePaths = [ "knowledge/planner/deadlines.tsv" ];
|
|
};
|
|
|
|
"sane-scripts.find-dotfiles".sandbox = {
|
|
method = "bwrap";
|
|
wrapperType = "wrappedDerivation";
|
|
extraHomePaths = [
|
|
".cache"
|
|
".config"
|
|
".local"
|
|
# would be nice to give it everything *except* ~/private, but not currently possible
|
|
".bitmonero"
|
|
".electrum"
|
|
".librewolf"
|
|
".ssh"
|
|
".steam"
|
|
".wine"
|
|
];
|
|
};
|
|
|
|
"sane-scripts.ip-check".sandbox = {
|
|
method = "bwrap";
|
|
wrapperType = "wrappedDerivation";
|
|
net = "clearnet";
|
|
};
|
|
|
|
"sane-scripts.reclaim-boot-space".sandbox = {
|
|
method = "bwrap";
|
|
wrapperType = "wrappedDerivation";
|
|
extraPaths = [ "/boot" ];
|
|
};
|
|
|
|
# it's just a thin wrapper around rsync, which is already sandboxed
|
|
"sane-scripts.rcp".sandbox.enable = false;
|
|
# but make sure rsync is always on PATH, so that we actually do get sandboxing :)
|
|
"sane-scripts.rcp".suggestedPrograms = [ "rsync" ];
|
|
|
|
"sane-scripts.reboot".sandbox = {
|
|
method = "bwrap";
|
|
wrapperType = "wrappedDerivation";
|
|
extraPaths = [
|
|
"/run/dbus"
|
|
"/run/systemd"
|
|
];
|
|
};
|
|
|
|
"sane-scripts.reclaim-disk-space".sandbox = {
|
|
method = "bwrap";
|
|
wrapperType = "wrappedDerivation";
|
|
extraPaths = [ "/nix/var/nix" ];
|
|
};
|
|
|
|
"sane-scripts.shutdown".sandbox = {
|
|
method = "bwrap";
|
|
wrapperType = "wrappedDerivation";
|
|
extraPaths = [
|
|
"/run/dbus"
|
|
"/run/systemd"
|
|
];
|
|
};
|
|
|
|
# if `tee` isn't trustworthy we have bigger problems
|
|
"sane-scripts.sudo-redirect".sandbox.enable = false;
|
|
|
|
"sane-scripts.which".sandbox = {
|
|
method = "bwrap";
|
|
wrapperType = "wrappedDerivation";
|
|
extraHomePaths = [
|
|
# for SXMO
|
|
".config/sxmo/hooks"
|
|
];
|
|
};
|
|
|
|
"sane-scripts.wipe".sandbox = {
|
|
method = "bwrap";
|
|
wrapperType = "wrappedDerivation";
|
|
whitelistDbus = [ "user" ]; #< for `secret-tool` and `systemd --user stop <service>
|
|
extraHomePaths = [
|
|
# could be more specific, but at a maintenance cost.
|
|
".cache"
|
|
".config"
|
|
".local/share"
|
|
".librewolf"
|
|
".mozilla"
|
|
];
|
|
};
|
|
};
|
|
}
|