foodogsquared/nixos-config
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/nixos-config.git synced 2025-04-24 18:19:11 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

wrapper-manager/wraparound: migrate namespace from sandboxing

Browse Source 
This is in consideration for other wraparound modules in the future
which does not involve a sandboxing framework or something similar.
This commit is contained in:
Gabriel Arazas 2024-10-01 13:03:23 +08:00
parent dd0e007fc6
commit 9687b886a7
No known key found for this signature in database
GPG Key ID: 62104B43D00AA360
12 changed files with 64 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
modules/wrapper-manager/default.nix
View File

@ -6,6 +6,6 @@
./programs/jujutsu.nix ./programs/jujutsu.nix
./nixgl.nix ./nixgl.nix
./dconf.nix ./dconf.nix
./sandboxing ./wraparound
]; ];
} }

20
modules/wrapper-manager/sandboxing/boxxy.nix → modules/wrapper-manager/wraparound/boxxy.nix
View File

@ -1,7 +1,7 @@
{ lib, pkgs, config, ... }: { lib, pkgs, config, ... }:
let let
cfg = config.sandboxing.boxxy; cfg = config.wraparound.boxxy;
boxxyRuleModule = { name, lib, ... }: { boxxyRuleModule = { name, lib, ... }: {
options = { options = {
@ -75,25 +75,25 @@ let
}; };
in in
{ {
options.sandboxing.boxxy = boxxyModuleFactory { isGlobal = true; }; options.wraparound.boxxy = boxxyModuleFactory { isGlobal = true; };
options.wrappers = options.wrappers =
let let
boxxySandboxModule = { name, lib, config, pkgs, ... }: boxxySandboxModule = { name, lib, config, pkgs, ... }:
let let
submoduleCfg = config.sandboxing.boxxy; submoduleCfg = config.wraparound.boxxy;
in in
{ {
options.sandboxing.variant = lib.mkOption { options.wraparound.variant = lib.mkOption {
type = with lib.types; nullOr (enum [ "boxxy" ]); type = with lib.types; nullOr (enum [ "boxxy" ]);
}; };
options.sandboxing.boxxy = boxxyModuleFactory { isGlobal = false; }; options.wraparound.boxxy = boxxyModuleFactory { isGlobal = false; };
config = lib.mkIf (config.sandboxing.variant == "boxxy") { config = lib.mkIf (config.wraparound.variant == "boxxy") {
sandboxing.boxxy.rules = cfg.rules; wraparound.boxxy.rules = cfg.rules;
sandboxing.boxxy.extraArgs = wraparound.boxxy.extraArgs =
cfg.extraArgs cfg.extraArgs
++ (lib.mapAttrsToList ++ (lib.mapAttrsToList
(_: metadata: (_: metadata:
@ -110,8 +110,8 @@ in
arg0 = lib.getExe' submoduleCfg.package "boxxy"; arg0 = lib.getExe' submoduleCfg.package "boxxy";
prependArgs = lib.mkBefore prependArgs = lib.mkBefore
(submoduleCfg.extraArgs (submoduleCfg.extraArgs
++ [ "--" config.sandboxing.wraparound.arg0 ] ++ [ "--" config.wraparound.subwrapper.arg0 ]
++ config.sandboxing.wraparound.extraArgs); ++ config.wraparound.subwrapper.extraArgs);
}; };
}; };
in in

14
modules/wrapper-manager/sandboxing/bubblewrap/dbus-filter.nix → modules/wrapper-manager/wraparound/bubblewrap/dbus-filter.nix
View File

@ -4,7 +4,7 @@
{ config, lib, options, pkgs, ... }: { config, lib, options, pkgs, ... }:
let let
cfg = config.sandboxing.bubblewrap; cfg = config.wraparound.bubblewrap;
dbusFilterType = { lib, ... }: dbusFilterType = { lib, ... }:
let let
@ -56,7 +56,7 @@ let
}; };
in in
{ {
options.sandboxing.bubblewrap = options.wraparound.bubblewrap =
lib.recursiveUpdate lib.recursiveUpdate
(bubblewrapModuleFactory { isGlobal = true; }) (bubblewrapModuleFactory { isGlobal = true; })
{ {
@ -126,10 +126,10 @@ in
bubblewrapModule = { config, lib, pkgs, name, ... }: bubblewrapModule = { config, lib, pkgs, name, ... }:
let let
submoduleCfg = config.sandboxing.bubblewrap; submoduleCfg = config.wraparound.bubblewrap;
in in
{ {
options.sandboxing.bubblewrap = options.wraparound.bubblewrap =
lib.recursiveUpdate lib.recursiveUpdate
(bubblewrapModuleFactory { isGlobal = false; }) (bubblewrapModuleFactory { isGlobal = false; })
{ {
@ -168,15 +168,15 @@ in
}; };
}; };
config = lib.mkIf (config.sandboxing.variant == "bubblewrap") { config = lib.mkIf (config.wraparound.variant == "bubblewrap") {
sandboxing.bubblewrap.dbus.filter.extraArgs = wraparound.bubblewrap.dbus.filter.extraArgs =
let let
makeDbusProxyArgs = address: metadata: makeDbusProxyArgs = address: metadata:
[ address (builtins.toString metadata.path) ] ++ metadata.extraArgs; [ address (builtins.toString metadata.path) ] ++ metadata.extraArgs;
in in
lib.lists.flatten (lib.mapAttrsToList makeDbusProxyArgs submoduleCfg.dbus.filter.addresses); lib.lists.flatten (lib.mapAttrsToList makeDbusProxyArgs submoduleCfg.dbus.filter.addresses);
sandboxing.bubblewrap.sharedNixPaths = [ wraparound.bubblewrap.sharedNixPaths = [
submoduleCfg.dbus.filter.package submoduleCfg.dbus.filter.package
]; ];
}; };

26
modules/wrapper-manager/sandboxing/bubblewrap/default.nix → modules/wrapper-manager/wraparound/bubblewrap/default.nix
View File

@ -18,7 +18,7 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
cfg = config.sandboxing.bubblewrap; cfg = config.wraparound.bubblewrap;
bubblewrapModuleFactory = { isGlobal ? false }: { bubblewrapModuleFactory = { isGlobal ? false }: {
package = lib.mkPackageOption pkgs "bubblewrap" { } // lib.optionalAttrs isGlobal { package = lib.mkPackageOption pkgs "bubblewrap" { } // lib.optionalAttrs isGlobal {
@ -63,26 +63,26 @@ in
./filesystem.nix ./filesystem.nix
]; ];
options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = true; }; options.wraparound.bubblewrap = bubblewrapModuleFactory { isGlobal = true; };
options.wrappers = options.wrappers =
let let
bubblewrapModule = { name, config, lib, ... }: bubblewrapModule = { name, config, lib, ... }:
let let
submoduleCfg = config.sandboxing.bubblewrap; submoduleCfg = config.wraparound.bubblewrap;
env' = lib.filterAttrs (n: _: !(lib.strings.hasPrefix "WRAPPER_MANAGER_BWRAP_LAUNCHER" n)) config.env; env' = lib.filterAttrs (n: _: !(lib.strings.hasPrefix "WRAPPER_MANAGER_BWRAP_LAUNCHER" n)) config.env;
in in
{ {
options.sandboxing.variant = lib.mkOption { options.wraparound.variant = lib.mkOption {
type = with lib.types; nullOr (enum [ "bubblewrap" ]); type = with lib.types; nullOr (enum [ "bubblewrap" ]);
}; };
options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = false; }; options.wraparound.bubblewrap = bubblewrapModuleFactory { isGlobal = false; };
config = lib.mkIf (config.sandboxing.variant == "bubblewrap") (lib.mkMerge [ config = lib.mkIf (config.wraparound.variant == "bubblewrap") (lib.mkMerge [
{ {
# Ordering of the arguments here matter(?). # Ordering of the arguments here matter(?).
sandboxing.bubblewrap.extraArgs = wraparound.bubblewrap.extraArgs =
cfg.extraArgs cfg.extraArgs
++ lib.mapAttrsToList ++ lib.mapAttrsToList
(var: metadata: (var: metadata:
@ -98,12 +98,12 @@ in
(lib.mkIf submoduleCfg.enableNetwork { (lib.mkIf submoduleCfg.enableNetwork {
# In case isolation is also enabled, we'll have this still # In case isolation is also enabled, we'll have this still
# enabled at least. # enabled at least.
sandboxing.bubblewrap.extraArgs = lib.mkAfter [ "--share-net" ]; wraparound.bubblewrap.extraArgs = lib.mkAfter [ "--share-net" ];
# The most common network-related files found on most # The most common network-related files found on most
# distributions. This should be enough in most cases. If not, # distributions. This should be enough in most cases. If not,
# we'll probably let the launcher handle this. # we'll probably let the launcher handle this.
sandboxing.bubblewrap.binds.ro = [ wraparound.bubblewrap.binds.ro = [
"/etc/ssh" "/etc/ssh"
"/etc/ssl" "/etc/ssl"
"/etc/hosts" "/etc/hosts"
@ -112,19 +112,19 @@ in
}) })
(lib.mkIf submoduleCfg.enableBundledCertificates { (lib.mkIf submoduleCfg.enableBundledCertificates {
sandboxing.bubblewrap.sharedNixPaths = [ pkgs.cacert ]; wraparound.bubblewrap.sharedNixPaths = [ pkgs.cacert ];
}) })
(lib.mkIf config.locale.enable { (lib.mkIf config.locale.enable {
sandboxing.bubblewrap.sharedNixPaths = [ config.locale.package ]; wraparound.bubblewrap.sharedNixPaths = [ config.locale.package ];
}) })
(lib.mkIf submoduleCfg.enableIsolation { (lib.mkIf submoduleCfg.enableIsolation {
sandboxing.bubblewrap.extraArgs = lib.mkBefore [ "--unshare-all" ]; wraparound.bubblewrap.extraArgs = lib.mkBefore [ "--unshare-all" ];
}) })
(lib.mkIf submoduleCfg.enableEnsureChildDiesWithParent { (lib.mkIf submoduleCfg.enableEnsureChildDiesWithParent {
sandboxing.bubblewrap.extraArgs = lib.mkBefore [ "--die-with-parent" ]; wraparound.bubblewrap.extraArgs = lib.mkBefore [ "--die-with-parent" ];
}) })
]); ]);
}; };

28
modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix → modules/wrapper-manager/wraparound/bubblewrap/filesystem.nix
View File

@ -4,7 +4,7 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
cfg = config.sandboxing.bubblewrap; cfg = config.wraparound.bubblewrap;
fileOperationsWithPerms = [ fileOperationsWithPerms = [
"file" "dir" "remount-ro" "file" "dir" "remount-ro"
@ -53,7 +53,7 @@ let
description = '' description = ''
Specify what filesystem-related operations to be done for the given Specify what filesystem-related operations to be done for the given
filesystem object. Only certain operations accept permissions given filesystem object. Only certain operations accept permissions given
from {option}`sandboxing.bubblewrap.filesystem.<name>.permissions`. from {option}`wraparound.bubblewrap.filesystem.<name>.permissions`.
''; '';
default = "ro-bind-try"; default = "ro-bind-try";
example = "bind"; example = "bind";
@ -181,24 +181,24 @@ let
lib.lists.filter (p: p != "") (lib.splitString "\n" closurePaths); lib.lists.filter (p: p != "") (lib.splitString "\n" closurePaths);
in in
{ {
options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = true; }; options.wraparound.bubblewrap = bubblewrapModuleFactory { isGlobal = true; };
options.wrappers = options.wrappers =
let let
bubblewrapModule = { config, lib, name, ... }: let bubblewrapModule = { config, lib, name, ... }: let
submoduleCfg = config.sandboxing.bubblewrap; submoduleCfg = config.wraparound.bubblewrap;
in { in {
options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = false; }; options.wraparound.bubblewrap = bubblewrapModuleFactory { isGlobal = false; };
config = lib.mkIf (config.sandboxing.variant == "bubblewrap") (lib.mkMerge [ config = lib.mkIf (config.wraparound.variant == "bubblewrap") (lib.mkMerge [
{ {
sandboxing.bubblewrap.binds = cfg.binds; wraparound.bubblewrap.binds = cfg.binds;
sandboxing.bubblewrap.sharedNixPaths = cfg.sharedNixPaths; wraparound.bubblewrap.sharedNixPaths = cfg.sharedNixPaths;
sandboxing.bubblewrap.filesystem = cfg.filesystem; wraparound.bubblewrap.filesystem = cfg.filesystem;
} }
{ {
sandboxing.bubblewrap.filesystem = wraparound.bubblewrap.filesystem =
let let
renameNixStorePaths = path: renameNixStorePaths = path:
if lib.isDerivation path then path.pname else path; if lib.isDerivation path then path.pname else path;
@ -215,7 +215,7 @@ in
in in
builtins.listToAttrs filesystemMappings; builtins.listToAttrs filesystemMappings;
sandboxing.bubblewrap.extraArgs = wraparound.bubblewrap.extraArgs =
let let
makeFilesystemArgs = _: metadata: makeFilesystemArgs = _: metadata:
let let
@ -238,11 +238,11 @@ in
} }
(lib.mkIf submoduleCfg.enableSharedNixStore { (lib.mkIf submoduleCfg.enableSharedNixStore {
sandboxing.bubblewrap.binds.ro = [ builtins.storeDir ] ++ lib.optionals (builtins.storeDir != "/nix/store") [ "/nix/store" ]; wraparound.bubblewrap.binds.ro = [ builtins.storeDir ] ++ lib.optionals (builtins.storeDir != "/nix/store") [ "/nix/store" ];
}) })
(lib.mkIf (submoduleCfg.sharedNixPaths != [ ]) { (lib.mkIf (submoduleCfg.sharedNixPaths != [ ]) {
sandboxing.bubblewrap.extraArgs = wraparound.bubblewrap.extraArgs =
let let
closurePaths = getClosurePaths submoduleCfg.sharedNixPaths; closurePaths = getClosurePaths submoduleCfg.sharedNixPaths;
in in
@ -250,7 +250,7 @@ in
}) })
(lib.mkIf submoduleCfg.dbus.enable { (lib.mkIf submoduleCfg.dbus.enable {
sandboxing.bubblewrap.dbus.filter.bwrapArgs = wraparound.bubblewrap.dbus.filter.bwrapArgs =
let let
closurePaths = getClosurePaths submoduleCfg.sharedNixPaths; closurePaths = getClosurePaths submoduleCfg.sharedNixPaths;
in in

28
modules/wrapper-manager/sandboxing/bubblewrap/launcher.nix → modules/wrapper-manager/wraparound/bubblewrap/launcher.nix
View File

@ -6,7 +6,7 @@
{ config, lib, options, pkgs, ... }: { config, lib, options, pkgs, ... }:
let let
cfg = config.sandboxing.bubblewrap.launcher; cfg = config.wraparound.bubblewrap.launcher;
bubblewrapModuleFactory = { isGlobal ? false }: { bubblewrapModuleFactory = { isGlobal ? false }: {
package = lib.mkOption { package = lib.mkOption {
@ -31,36 +31,36 @@ let
}; };
in in
{ {
options.sandboxing.bubblewrap.launcher = bubblewrapModuleFactory { isGlobal = true; }; options.wraparound.bubblewrap.launcher = bubblewrapModuleFactory { isGlobal = true; };
options.wrappers = options.wrappers =
let let
bubblewrapLauncherSubmodule = { config, lib, name, ... }: let bubblewrapLauncherSubmodule = { config, lib, name, ... }: let
submoduleCfg = config.sandboxing.bubblewrap.launcher; submoduleCfg = config.wraparound.bubblewrap.launcher;
envSuffix = word: "WRAPPER_MANAGER_BWRAP_LAUNCHER_${word}"; envSuffix = word: "WRAPPER_MANAGER_BWRAP_LAUNCHER_${word}";
in { in {
options.sandboxing.bubblewrap.launcher = bubblewrapModuleFactory { isGlobal = false; }; options.wraparound.bubblewrap.launcher = bubblewrapModuleFactory { isGlobal = false; };
config = lib.mkIf (config.sandboxing.variant == "bubblewrap") (lib.mkMerge [ config = lib.mkIf (config.wraparound.variant == "bubblewrap") (lib.mkMerge [
{ {
arg0 = lib.getExe' submoduleCfg.package "wrapper-manager-bubblewrap-launcher"; arg0 = lib.getExe' submoduleCfg.package "wrapper-manager-bubblewrap-launcher";
prependArgs = lib.mkBefore prependArgs = lib.mkBefore
(config.sandboxing.bubblewrap.extraArgs (config.wraparound.bubblewrap.extraArgs
++ [ "--" config.sandboxing.wraparound.arg0 ] ++ [ "--" config.wraparound.subwrapper.arg0 ]
++ config.sandboxing.wraparound.extraArgs); ++ config.wraparound.subwrapper.extraArgs);
env = { env = {
"${envSuffix "BWRAP"}".value = lib.getExe' config.sandboxing.bubblewrap.package "bwrap"; "${envSuffix "BWRAP"}".value = lib.getExe' config.wraparound.bubblewrap.package "bwrap";
# We're just unsetting autoconfigure since we're configuring this # We're just unsetting autoconfigure since we're configuring this
# through the module system anyways and would allow the user to # through the module system anyways and would allow the user to
# have some more control over what can be enabled. # have some more control over what can be enabled.
"${envSuffix "AUTOCONFIGURE"}".value = "0"; "${envSuffix "AUTOCONFIGURE"}".value = lib.mkDefault "0";
}; };
} }
(lib.mkIf config.sandboxing.bubblewrap.dbus.enable { (lib.mkIf config.wraparound.bubblewrap.dbus.enable {
env.${envSuffix "DBUS_PROXY"}.value = lib.getExe' config.sandboxing.bubblewrap.dbus.filter.package "xdg-dbus-proxy"; env.${envSuffix "DBUS_PROXY"}.value = lib.getExe' config.wraparound.bubblewrap.dbus.filter.package "xdg-dbus-proxy";
env.${envSuffix "DBUS_PROXY_ARGS"}.value = lib.concatStringsSep " " config.sandboxing.bubblewrap.dbus.filter.extraArgs; env.${envSuffix "DBUS_PROXY_ARGS"}.value = lib.concatStringsSep " " config.wraparound.bubblewrap.dbus.filter.extraArgs;
env.${envSuffix "DBUS_PROXY_BWRAP_ARGS"}.value = lib.concatStringsSep " " config.sandboxing.bubblewrap.dbus.filter.bwrapArgs; env.${envSuffix "DBUS_PROXY_BWRAP_ARGS"}.value = lib.concatStringsSep " " config.wraparound.bubblewrap.dbus.filter.bwrapArgs;
}) })
(lib.mkIf submoduleCfg.integrations.pulseaudio.enable { (lib.mkIf submoduleCfg.integrations.pulseaudio.enable {

0
modules/wrapper-manager/sandboxing/bubblewrap/launcher/CHANGELOG.adoc → modules/wrapper-manager/wraparound/bubblewrap/launcher/CHANGELOG.adoc
View File

0
modules/wrapper-manager/sandboxing/bubblewrap/launcher/LICENSE → modules/wrapper-manager/wraparound/bubblewrap/launcher/LICENSE
View File

0
modules/wrapper-manager/sandboxing/bubblewrap/launcher/app.sh → modules/wrapper-manager/wraparound/bubblewrap/launcher/app.sh
View File

0
modules/wrapper-manager/sandboxing/bubblewrap/launcher/meson.build → modules/wrapper-manager/wraparound/bubblewrap/launcher/meson.build
View File

0
modules/wrapper-manager/sandboxing/bubblewrap/launcher/package.nix → modules/wrapper-manager/wraparound/bubblewrap/launcher/package.nix
View File

10
modules/wrapper-manager/sandboxing/default.nix → modules/wrapper-manager/wraparound/default.nix
View File

@ -8,19 +8,19 @@
options.wrappers = options.wrappers =
let let
sandboxingType = { name, lib, config, options, ... }: { wraparoundType = { name, lib, config, options, ... }: {
options.sandboxing = { options.wraparound = {
variant = lib.mkOption { variant = lib.mkOption {
type = with lib.types; nullOr (enum []); type = with lib.types; nullOr (enum []);
description = '' description = ''
The sandboxing framework to be applied to the wrapper. A value of The wraparound variant to be applied to the wrapper. A value of
`null` will essentially disable it. `null` will essentially disable it.
''; '';
default = null; default = null;
example = "bubblewrap"; example = "bubblewrap";
}; };
wraparound = { subwrapper = {
arg0 = options.arg0; arg0 = options.arg0;
extraArgs = options.appendArgs; extraArgs = options.appendArgs;
}; };
@ -28,6 +28,6 @@
}; };
in in
lib.mkOption { lib.mkOption {
type = with lib.types; attrsOf (submodule sandboxingType); type = with lib.types; attrsOf (submodule wraparoundType);
}; };
} }