improve nixos wrapper module

This commit is contained in:
atagen 2026-02-26 15:20:32 +11:00
parent cb9cdc8501
commit bf06ab5fe8
3 changed files with 51 additions and 17 deletions

TODO Normal file

@ -0,0 +1,2 @@
fix tcp rules ?!
namespaces


@ -46,11 +46,9 @@
sys = pkgs.stdenv.hostPlatform.system;
in
{
config = {
imports = [ ./nix/module.nix ];
wrapperPkg = self.packages.${sys}.yoke-lite;
environment.systemPackages = [ self.packages.${sys}.yoke ];
};
imports = [ ./nix/module.nix ];
security.yoke.wrapperPkg = self.packages.${sys}.yoke-lite;
environment.systemPackages = [ self.packages.${sys}.yoke ];
};
};
}


@ -16,6 +16,10 @@ let
type = types.str;
default = "";
};
extraPackages = mkOption {
type = types.listOf types.package;
default = [ ];
};
args = mkOption {
type = types.listOf types.str;
default = [ ];
@ -32,29 +36,54 @@ let
type = types.bool;
default = false;
};
additionalPaths = mkOption {
pathRules = mkOption {
type = types.listOf types.str;
default = [ ];
};
tcpRules = mkOption {
type = types.listOf types.str;
default = [ ];
};
unrestrictTcp = mkOption {
type = types.bool;
default = false;
};
unrestrictSockets = mkOption {
type = types.bool;
default = false;
};
unrestrictSignals = mkOption {
type = types.bool;
default = false;
};
};
};
in
{
options = {
wrappers = mkOption {
type = types.attrsOf wrapperType;
security.yoke = {
wrappers = mkOption {
type = types.attrsOf wrapperType;
default = { };
};
wrapperPkg = mkPackageOption "wrapper" { } { nullable = false; };
};
wrapperPkg = mkPackageOption "wrapper" { } { nullable = false; };
};
config =
let
wrap =
name: opts:
let
extraPkgsBins = config.extraPackages |> lib.makeBinPath;
extraPkgsAllow = config.extraPackages |> map (f: toString f) |> lib.concatStringsSep ":";
envPlus = opts.env // {
PATH = opts.env.PATH ++ extraPkgsBins;
};
envs = lib.concatStringsSep " " (
lib.mapAttrsToList (n: v: "${n}=${lib.concatStringsSep ":" v}") opts.env
lib.mapAttrsToList (n: v: "${n}=${lib.concatStringsSep ":" v}") envPlus
);
extra = lib.concatStringsSep " " opts.additionalPaths;
extraPaths = lib.concatStringsSep " " opts.pathRules;
tcpRules = lib.concatStringsSep " " opts.tcpRules;
sandboxArgs = pkgs.stdenvNoCC.mkDerivation {
name = "${name}-opts";
__structuredAttrs = true;
@ -68,8 +97,10 @@ in
echo -n "--fs rx=" > $out
jq -r '.closure[].path' < "$NIX_ATTRS_JSON_FILE" \
| tr '\n' ':' | sed 's/:$//' >> $out
${if (lib.length opts.additionalPaths != 0) then "echo -n ' ${extra}' >> $out" else ""}
${if (strNotEmpty envs) then "echo -n ' --env ${envs}' >> $out" else ""}
${lib.optionalString (lib.length opts.extraPackages != 0) "echo -n '${extraPkgsAllow}' >> $out"}
${lib.optionalString (lib.length opts.pathRules != 0) "echo -n ' ${extraPaths}' >> $out"}
${lib.optionalString (lib.length opts.tcpRules != 0) "echo -n ' --tcp ${tcpRules}' >> $out"}
${lib.optionalString (strNotEmpty envs) "echo -n ' --env ${envs}' >> $out"}
'';
};
command = lib.getExe' opts.package (
@ -78,9 +109,12 @@ in
wrappedArgs = lib.concatStringsSep " " opts.args;
script = ''
#! /usr/bin/env bash
${lib.getExe' config.wrapperPkg "yoke"} \
${if opts.addPwd then "--fs rwx=$PWD" else ""} \
${if opts.retainEnv then "--retain-env" else ""} \
${lib.getExe' config.security.yoke.wrapperPkg "yoke"} \
${lib.optionalString opts.addPwd "--fs rwx=$PWD"} \
${lib.optionalString opts.retainEnv "--retain-env"} \
${lib.optionalString opts.unrestrictTcp "--no-tcp"} \
${lib.optionalString opts.unrestrictSockets "--sockets"} \
${lib.optionalString opts.unrestrictSignals "--signals"} \
--fd-args -- \
${command} \
${wrappedArgs} $@ \
@ -90,6 +124,6 @@ in
pkgs.writeScriptBin "${name}" script;
in
{
environment.systemPackages = lib.mapAttrsToList wrap config.wrappers;
environment.systemPackages = lib.mapAttrsToList wrap config.security.yoke.wrappers;
};
}
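Review bot: `extraPkgsBins` and `extraPkgsAllow` in the `wrap` let-block read `config.extraPackages`, but `extraPackages` is declared per wrapper inside `wrapperType` (and the module's own options now live under `security.yoke`), so any wrapper that sets it hits a missing-attribute error at evaluation — the guard on the same value in the sandbox-args hunk already reads `opts.extraPackages`. `PATH = opts.env.PATH ++ extraPkgsBins` then concatenates a list with the string that `lib.makeBinPath` returns, and fails outright when `env` has no `PATH` key; since every env value is later joined with `:`, `PATH = (opts.env.PATH or [ ]) ++ [ (lib.makeBinPath opts.extraPackages) ]` keeps the existing format. In the sandbox-args hunk the `--fs rx=` allow-list has its trailing `:` stripped by `sed` and the extra packages are appended with no separator, which fuses the last closure path and the first extra package into one malformed path rule — it should be `echo -n ':${extraPkgsAllow}' >> $out`. Only the top-level store paths of `extraPackages` are added to the allow-list, not their runtime closures, which may be intended but deserves a `description` on the option, as do the new `tcpRules`/`unrestrict*` options that currently have none.
```nix
extraPkgsAllow = opts.extraPackages |> map toString |> lib.concatStringsSep ":";
envPlus = opts.env // {
  PATH = (opts.env.PATH or [ ]) ++ [ (lib.makeBinPath opts.extraPackages) ];
};
# … unchanged: envs, extraPaths, tcpRules, sandboxArgs header, jq closure dump …
${lib.optionalString (lib.length opts.extraPackages != 0) "echo -n ':${extraPkgsAllow}' >> $out"}
```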