nix: provide options for capability flags

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-08 02:45:00 +09:00 · 2024-09-08 02:45:00 +09:00 · 60e4846542
parent 1906853382
commit 60e4846542
2 changed files with 48 additions and 11 deletions
--- a/README.md
+++ b/README.md
@ -75,7 +75,7 @@ This adds the `environment.fortify` option:
      chronos = {
        launchers = {
          weechat.method = "sudo";
-          claws-mail.pulse = false;
+          claws-mail.capability.pulse = false;
          discord = {
            command = "vesktop --ozone-platform-hint=wayland";
            share = pkgs.vesktop;
@ -125,7 +125,13 @@ This adds the `environment.fortify` option:

        * `command`, the command to run as the target user. Defaults to launcher name.

-        * `pulse`, whether to share the PulseAudio socket and cookie.
+        * `capability.wayland`, whether to share the Wayland socket.
+
+        * `capability.x11`, whether to share the X11 socket and allow connection.
+
+        * `capability.dbus`, whether to proxy D-Bus. NOTE: this option is subject to change and should not be used
+
+        * `capability.pulse`, whether to share the PulseAudio socket and cookie.

        * `share`, package containing desktop/icon files. Defaults to launcher name.

--- a/nixos.nix
+++ b/nixos.nix
@ -63,6 +63,31 @@ in
                      '';
                    };

+                    capability = {
+                      wayland = mkOption {
+                        type = bool;
+                        default = true;
+                        description = ''
+                          Whether to share the Wayland socket.
+                        '';
+                      };
+
+                      x11 = mkOption {
+                        type = bool;
+                        default = false;
+                        description = ''
+                          Whether to share the X11 socket and allow connection.
+                        '';
+                      };
+
+                      dbus = mkOption {
+                        type = bool;
+                        default = false;
+                        description = ''
+                          Whether to proxy D-Bus.
+                        '';
+                      };
+
                      pulse = mkOption {
                        type = bool;
                        default = true;
@ -70,6 +95,7 @@ in
                          Whether to share the PulseAudio socket and cookie.
                        '';
                      };
+                    };

                    share = mkOption {
                      type = nullOr package;
@ -164,8 +190,15 @@ in
              user: launchers:
              mapAttrsToList (
                name: launcher:
+                with launcher.capability;
                let
                  command = if launcher.command == null then name else launcher.command;
+                  capArgs =
+                    (if wayland then " -wayland" else "")
+                    + (if x11 then " -X" else "")
+                    + (if dbus then " -dbus" else "")
+                    + (if pulse then " -pulse" else "")
+                    + (if launcher.method == "fortify-sudo" then " -sudo" else "");
                in
                pkgs.writeShellScriptBin name (
                  if launcher.method == "sudo" then
@ -174,9 +207,7 @@ in
                    ''
                  else
                    ''
-                      exec fortify${if launcher.pulse then " -pulse" else ""} -u ${user}${
-                        if launcher.method == "fortify-sudo" then " -sudo" else ""
-                      } ${cfg.shell} -c "exec ${command} $@"
+                      exec fortify${capArgs} -u ${user} ${cfg.shell} -c "exec ${command} $@"
                    ''
                )
              ) launchers;