foodogsquared/nixos-config
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/nixos-config.git synced 2025-01-31 16:57:55 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
bf51e0dcde
nixos-config/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix

105 lines
3.4 KiB
Nix
Raw Blame History

# Essentially a poor man's version of NixOS filesystem module except that is
# made for Bubblewrap environment. Everything here should only make use of
# Bubblewrap's filesystem options from the command-line application.
{ config, lib, ... }:
let
cfg = config.sandboxing.bubblewrap;
bubblewrapModuleFactory = { isGlobal ? false }: let
filesystemSubmodule = { config, lib, name, ... }: {
options = {
source = lib.mkOption {
type = lib.types.path;
description = ''
The source of the path to be copied from.
'';
example = lib.literalExpression "./files/example.file";
};
perms = lib.mkOption {
type = with lib.types; nullOr (strMatch "[0-7]{0,4}");
description = ''
The permissions of the node in octal.
'';
default = null;
example = "0755";
};
symlink = lib.mkEnableOption "create the file as a symlink";
createDir = lib.mkEnableOption "create the directory in the Bubblewrap environment";
bindMount = lib.mkEnableOption "bind-mount the given source to the Bubblewrap environment";
bindMountReadOnly = lib.mkEnableOption "bind-mount read-only the given source to the Bubblewrap environment";
};
};
in {
options.filesystem = lib.mkOption {
type = with lib.types; attrsOf (submodule filesystemSubmodule);
description =
if isGlobal then ''
Set of filesystem configurations to be copied to per-wrapper.
'' else ''
Set of wrapper-specific filesystem configurations in the Bubblewrap
environment.
'';
default = if isGlobal then { } else cfg.filesystem;
example = lib.literalExpression ''
{
"/etc/hello" = {
source = ./files/hello;
perms = "0700";
};
"/etc/xdg" = {
source = ./configs;
perms = "0700";
};
"/srv/data" = {
source = "/srv/data";
symlink = true;
};
"/srv/logs".createDir = true;
}
'';
};
};
in
{
options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = true; };
options.wrappers =
let
bubblewrapModule = { config, lib, name, ... }: let
submoduleCfg = config;
in {
options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = false; };
config = lib.mkIf (config.sandboxing.variant == "bubblewrap") {
bubblewrap.extraArgs =
lib.lists.flatten
(lib.mapAttrsToList
(dst: metadata:
lib.optionals (metadata.perms != null) [ "--perms ${metadata.perms}" ]
++ (let
inherit (metadata) source;
in
if metadata.createDir
then [ "--dir ${dst}"]
else if metadata.symlink
then [ "--symlink ${source} ${dst}"]
else if metadata.bindMount
then [ "--bind-data ${source} ${dst}" ]
else if metadata.bindMountReadOnly
then [ "--ro-bind-data ${source} ${dst}" ]
else [ "--file ${source} ${dst}"]))
submoduleCfg.filesystem);
};
};
in
lib.mkOption {
type = with lib.types; attrsOf (submodule bubblewrapModule);
};
}
Reference in New Issue View Git Blame Copy Permalink