diff --git a/nixos.nix b/nixos.nix index 85c27da..7e5e48e 100644 --- a/nixos.nix +++ b/nixos.nix @@ -7,9 +7,6 @@ let inherit (lib) - types - mkOption - mkEnableOption mkIf mkDefault mapAttrs @@ -26,225 +23,7 @@ let in { - options = { - environment.fortify = { - enable = mkEnableOption "fortify"; - - package = mkOption { - type = types.package; - default = pkgs.callPackage ./package.nix { }; - description = "Package providing fortify."; - }; - - users = mkOption { - type = - let - inherit (types) attrsOf ints; - in - attrsOf (ints.between 0 99); - description = '' - Users allowed to spawn fortify apps, as well as their fortify ID value. - ''; - }; - - apps = mkOption { - type = - let - inherit (types) - str - enum - bool - package - anything - submodule - listOf - attrsOf - nullOr - functionTo - ; - in - listOf (submodule { - options = { - name = mkOption { - type = str; - description = '' - App name, typically command. - ''; - }; - - id = mkOption { - type = nullOr str; - default = null; - description = '' - Freedesktop application ID. - ''; - }; - - packages = mkOption { - type = listOf package; - default = [ ]; - description = '' - List of extra packages to install via home-manager. - ''; - }; - - extraConfig = mkOption { - type = anything; - default = { }; - description = "Extra home-manager configuration."; - }; - - script = mkOption { - type = nullOr str; - default = null; - description = '' - Application launch script. - ''; - }; - - command = mkOption { - type = nullOr str; - default = null; - description = '' - Command to run as the target user. - Setting this to null will default command to wrapper name. - Has no effect when script is set. - ''; - }; - - groups = mkOption { - type = listOf str; - default = [ ]; - description = '' - List of groups to inherit from the privileged user. - ''; - }; - - dbus = { - session = mkOption { - type = nullOr (functionTo anything); - default = null; - description = '' - D-Bus session bus custom configuration. - Setting this to null will enable built-in defaults. - ''; - }; - - system = mkOption { - type = nullOr anything; - default = null; - description = '' - D-Bus system bus custom configuration. - Setting this to null will disable the system bus proxy. - ''; - }; - }; - - env = mkOption { - type = nullOr (attrsOf str); - default = null; - description = '' - Environment variables to set for the initial process in the sandbox. - ''; - }; - - nix = mkEnableOption '' - Whether to allow nix daemon connections from within sandbox. - ''; - - userns = mkEnableOption '' - Whether to allow userns within sandbox. - ''; - - mapRealUid = mkEnableOption '' - Whether to map to fortify's real UID within the sandbox. - ''; - - net = - mkEnableOption '' - Whether to allow network access within sandbox. - '' - // { - default = true; - }; - - gpu = mkOption { - type = nullOr bool; - default = null; - description = '' - Target process GPU and driver access. - Setting this to null will enable GPU whenever X or Wayland is enabled. - ''; - }; - - dev = mkEnableOption '' - Whether to allow access to all devices within sandbox. - ''; - - extraPaths = mkOption { - type = listOf anything; - default = [ ]; - description = '' - Extra paths to make available inside the sandbox. - ''; - }; - - capability = { - wayland = mkOption { - type = bool; - default = true; - description = '' - Whether to share the Wayland socket. - ''; - }; - - x11 = mkOption { - type = bool; - default = false; - description = '' - Whether to share the X11 socket and allow connection. - ''; - }; - - dbus = mkOption { - type = bool; - default = true; - description = '' - Whether to proxy D-Bus. - ''; - }; - - pulse = mkOption { - type = bool; - default = true; - description = '' - Whether to share the PulseAudio socket and cookie. - ''; - }; - }; - - share = mkOption { - type = nullOr package; - default = null; - description = '' - Package containing share files. - Setting this to null will default package name to wrapper name. - ''; - }; - }; - }); - default = [ ]; - description = "Applications managed by fortify."; - }; - - stateDir = mkOption { - type = types.str; - description = '' - The path to persistent storage where per-user state should be stored. - ''; - }; - }; - }; + imports = [ ./options.nix ]; config = mkIf cfg.enable { security.wrappers.fsu = { diff --git a/options.nix b/options.nix new file mode 100644 index 0000000..93ea3b5 --- /dev/null +++ b/options.nix @@ -0,0 +1,227 @@ +{ lib, pkgs, ... }: + +let + inherit (lib) types mkOption mkEnableOption; +in + +{ + options = { + environment.fortify = { + enable = mkEnableOption "fortify"; + + package = mkOption { + type = types.package; + default = pkgs.callPackage ./package.nix { }; + description = "Package providing fortify."; + }; + + users = mkOption { + type = + let + inherit (types) attrsOf ints; + in + attrsOf (ints.between 0 99); + description = '' + Users allowed to spawn fortify apps, as well as their fortify ID value. + ''; + }; + + apps = mkOption { + type = + let + inherit (types) + str + enum + bool + package + anything + submodule + listOf + attrsOf + nullOr + functionTo + ; + in + listOf (submodule { + options = { + name = mkOption { + type = str; + description = '' + App name, typically command. + ''; + }; + + id = mkOption { + type = nullOr str; + default = null; + description = '' + Freedesktop application ID. + ''; + }; + + packages = mkOption { + type = listOf package; + default = [ ]; + description = '' + List of extra packages to install via home-manager. + ''; + }; + + extraConfig = mkOption { + type = anything; + default = { }; + description = "Extra home-manager configuration."; + }; + + script = mkOption { + type = nullOr str; + default = null; + description = '' + Application launch script. + ''; + }; + + command = mkOption { + type = nullOr str; + default = null; + description = '' + Command to run as the target user. + Setting this to null will default command to wrapper name. + Has no effect when script is set. + ''; + }; + + groups = mkOption { + type = listOf str; + default = [ ]; + description = '' + List of groups to inherit from the privileged user. + ''; + }; + + dbus = { + session = mkOption { + type = nullOr (functionTo anything); + default = null; + description = '' + D-Bus session bus custom configuration. + Setting this to null will enable built-in defaults. + ''; + }; + + system = mkOption { + type = nullOr anything; + default = null; + description = '' + D-Bus system bus custom configuration. + Setting this to null will disable the system bus proxy. + ''; + }; + }; + + env = mkOption { + type = nullOr (attrsOf str); + default = null; + description = '' + Environment variables to set for the initial process in the sandbox. + ''; + }; + + nix = mkEnableOption '' + Whether to allow nix daemon connections from within sandbox. + ''; + + userns = mkEnableOption '' + Whether to allow userns within sandbox. + ''; + + mapRealUid = mkEnableOption '' + Whether to map to fortify's real UID within the sandbox. + ''; + + net = + mkEnableOption '' + Whether to allow network access within sandbox. + '' + // { + default = true; + }; + + gpu = mkOption { + type = nullOr bool; + default = null; + description = '' + Target process GPU and driver access. + Setting this to null will enable GPU whenever X or Wayland is enabled. + ''; + }; + + dev = mkEnableOption '' + Whether to allow access to all devices within sandbox. + ''; + + extraPaths = mkOption { + type = listOf anything; + default = [ ]; + description = '' + Extra paths to make available inside the sandbox. + ''; + }; + + capability = { + wayland = mkOption { + type = bool; + default = true; + description = '' + Whether to share the Wayland socket. + ''; + }; + + x11 = mkOption { + type = bool; + default = false; + description = '' + Whether to share the X11 socket and allow connection. + ''; + }; + + dbus = mkOption { + type = bool; + default = true; + description = '' + Whether to proxy D-Bus. + ''; + }; + + pulse = mkOption { + type = bool; + default = true; + description = '' + Whether to share the PulseAudio socket and cookie. + ''; + }; + }; + + share = mkOption { + type = nullOr package; + default = null; + description = '' + Package containing share files. + Setting this to null will default package name to wrapper name. + ''; + }; + }; + }); + default = [ ]; + description = "Applications managed by fortify."; + }; + + stateDir = mkOption { + type = types.str; + description = '' + The path to persistent storage where per-user state should be stored. + ''; + }; + }; + }; +}