improve nixos wrapper module
This commit is contained in:
atagen
parent
c53377a504
commit
af4d99518c
2 changed files with 32 additions and 13 deletions
|
|
@ -46,11 +46,9 @@
|
|||
sys = pkgs.stdenv.hostPlatform.system;
|
||||
in
|
||||
{
|
||||
config = {
|
||||
imports = [ ./nix/module.nix ];
|
||||
wrapperPkg = self.packages.${sys}.yoke-lite;
|
||||
environment.systemPackages = [ self.packages.${sys}.yoke ];
|
||||
};
|
||||
imports = [ ./nix/module.nix ];
|
||||
security.wrapperPkg = self.packages.${sys}.yoke-lite;
|
||||
environment.systemPackages = [ self.packages.${sys}.yoke ];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -32,19 +32,35 @@ let
|
|||
type = types.bool;
|
||||
default = false;
|
||||
};
|
||||
additionalPaths = mkOption {
|
||||
pathRules = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ ];
|
||||
};
|
||||
tcpRules = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ ];
|
||||
};
|
||||
unrestrictTcp = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
};
|
||||
unrestrictSockets = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
};
|
||||
unrestrictSignals = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
};
|
||||
};
|
||||
};
|
||||
in
|
||||
{
|
||||
options = {
|
||||
wrappers = mkOption {
|
||||
security.wrappers = mkOption {
|
||||
type = types.attrsOf wrapperType;
|
||||
};
|
||||
wrapperPkg = mkPackageOption "wrapper" { } { nullable = false; };
|
||||
security.wrapperPkg = mkPackageOption "wrapper" { } { nullable = false; };
|
||||
};
|
||||
config =
|
||||
let
|
||||
|
|
@ -54,7 +70,8 @@ in
|
|||
envs = lib.concatStringsSep " " (
|
||||
lib.mapAttrsToList (n: v: "${n}=${lib.concatStringsSep ":" v}") opts.env
|
||||
);
|
||||
extra = lib.concatStringsSep " " opts.additionalPaths;
|
||||
extraPaths = lib.concatStringsSep " " opts.pathRules;
|
||||
tcpRules = lib.concatStringsSep " " opts.tcpRules;
|
||||
sandboxArgs = pkgs.stdenvNoCC.mkDerivation {
|
||||
name = "${name}-opts";
|
||||
__structuredAttrs = true;
|
||||
|
|
@ -68,8 +85,9 @@ in
|
|||
echo -n "--fs rx=" > $out
|
||||
jq -r '.closure[].path' < "$NIX_ATTRS_JSON_FILE" \
|
||||
| tr '\n' ':' | sed 's/:$//' >> $out
|
||||
${if (lib.length opts.additionalPaths != 0) then "echo -n ' ${extra}' >> $out" else ""}
|
||||
${if (strNotEmpty envs) then "echo -n ' --env ${envs}' >> $out" else ""}
|
||||
${lib.optionalString (lib.length opts.pathRules != 0) "echo -n ' ${extraPaths}' >> $out"}
|
||||
${lib.optionalString (lib.length opts.tcpRules != 0) "echo -n ' --tcp ${tcpRules}' >> $out"}
|
||||
${lib.optionalString (strNotEmpty envs) "echo -n ' --env ${envs}' >> $out"}
|
||||
'';
|
||||
};
|
||||
command = lib.getExe' opts.package (
|
||||
|
|
@ -79,8 +97,11 @@ in
|
|||
script = ''
|
||||
#! /usr/bin/env bash
|
||||
${lib.getExe' config.wrapperPkg "yoke"} \
|
||||
${if opts.addPwd then "--fs rwx=$PWD" else ""} \
|
||||
${if opts.retainEnv then "--retain-env" else ""} \
|
||||
${lib.optionalString opts.addPwd "--fs rwx=$PWD"} \
|
||||
${lib.optionalString opts.retainEnv "--retain-env"} \
|
||||
${lib.optionalString opts.unrestrictTCP "--no-tcp"} \
|
||||
${lib.optionalString opts.unrestrictSockets "--sockets"} \
|
||||
${lib.optionalString opts.unrestrictSignals "--signals"} \
|
||||
--fd-args -- \
|
||||
${command} \
|
||||
${wrappedArgs} $@ \
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue