diff --git a/README.md b/README.md index eb9fd20..9f16102 100644 --- a/README.md +++ b/README.md @@ -62,16 +62,27 @@ This adds the `environment.fortify` option: { environment.fortify = { enable = true; - stateDir = "/var/lib/persist/module/fortify"; + stateDir = "/var/lib/fortify"; users = { alice = 0; nixos = 10; }; - apps = [ + commonPaths = [ { + src = "/sdcard"; + write = true; + } + ]; + + extraHomeConfig = { + home.stateVersion = "23.05"; + }; + + apps = { + "org.chromium.Chromium" = { name = "chromium"; - id = "org.chromium.Chromium"; + identity = 1; packages = [ pkgs.chromium ]; userns = true; mapRealUid = true; @@ -104,16 +115,20 @@ This adds the `environment.fortify` option: broadcast = { }; }; }; - } - { + }; + + "org.claws_mail.Claws-Mail" = { name = "claws-mail"; - id = "org.claws_mail.Claws-Mail"; + identity = 2; packages = [ pkgs.claws-mail ]; gpu = false; capability.pulse = false; - } - { + }; + + "org.weechat" = { name = "weechat"; + identity = 3; + shareUid = true; packages = [ pkgs.weechat ]; capability = { wayland = false; @@ -121,10 +136,12 @@ This adds the `environment.fortify` option: dbus = true; pulse = false; }; - } - { + }; + + "dev.vencord.Vesktop" = { name = "discord"; - id = "dev.vencord.Vesktop"; + identity = 3; + shareUid = true; packages = [ pkgs.vesktop ]; share = pkgs.vesktop; command = "vesktop --ozone-platform-hint=wayland"; @@ -142,9 +159,12 @@ This adds the `environment.fortify` option: }; system.filter = true; }; - } - { + }; + + "io.looking-glass" = { name = "looking-glass-client"; + identity = 4; + useCommonPaths = false; groups = [ "plugdev" ]; extraPaths = [ { @@ -155,8 +175,8 @@ This adds the `environment.fortify` option: extraConfig = { programs.looking-glass-client.enable = true; }; - } - ]; + }; + }; }; } ``` diff --git a/options.md b/options.md index 5780093..cc2cf3f 100644 --- a/options.md +++ b/options.md 
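Review bot: The example now gives `weechat` and `discord` the same `identity = 3` with `shareUid = true` in the `@@ -104` and `@@ -121` hunks, but nothing in the README says what that trades away: if identity maps to the sandbox uid, as the option name suggests, the two containers run as one uid and are no longer separated from each other by the kernel (signals, ptrace, `/proc`, and any per-identity state under `stateDir`). A one-line comment on the discord entry, `# same identity as weechat: both run as one uid and are not isolated from each other`, would keep readers from copying this as the default pattern. The `commonPaths` entry in the first hunk also mounts `/sdcard` writable into every app that keeps `useCommonPaths = true`, which gives chromium, claws-mail, weechat and discord one shared writable directory; a comment such as `# writable in every app unless useCommonPaths = false` would make that visible too. Whether identity is literally the host uid is inferred from the option names and is not shown in this diff.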
@@ -35,27 +35,27 @@ package *Default:* -` ` +` ` ## environment\.fortify\.apps -Declarative fortify apps\. +Declaratively configured fortify apps\. *Type:* -list of (submodule) +attribute set of (submodule) *Default:* -` [ ] ` +` { } ` -## environment\.fortify\.apps\.\*\.packages +## environment\.fortify\.apps\.\\.packages @@ -73,7 +73,7 @@ list of package -## environment\.fortify\.apps\.\*\.args +## environment\.fortify\.apps\.\\.args @@ -92,7 +92,7 @@ null or (list of string) -## environment\.fortify\.apps\.\*\.capability\.dbus +## environment\.fortify\.apps\.\\.capability\.dbus @@ -110,7 +110,7 @@ boolean -## environment\.fortify\.apps\.\*\.capability\.pulse +## environment\.fortify\.apps\.\\.capability\.pulse @@ -128,7 +128,7 @@ boolean -## environment\.fortify\.apps\.\*\.capability\.wayland +## environment\.fortify\.apps\.\\.capability\.wayland @@ -146,7 +146,7 @@ boolean -## environment\.fortify\.apps\.\*\.capability\.x11 +## environment\.fortify\.apps\.\\.capability\.x11 @@ -164,7 +164,7 @@ boolean -## environment\.fortify\.apps\.\*\.command +## environment\.fortify\.apps\.\\.command @@ -184,7 +184,7 @@ null or string -## environment\.fortify\.apps\.\*\.dbus\.session +## environment\.fortify\.apps\.\\.dbus\.session @@ -203,7 +203,7 @@ null or (function that evaluates to a(n) anything) -## environment\.fortify\.apps\.\*\.dbus\.system +## environment\.fortify\.apps\.\\.dbus\.system @@ -222,7 +222,7 @@ null or anything -## environment\.fortify\.apps\.\*\.devel +## environment\.fortify\.apps\.\\.devel @@ -245,7 +245,7 @@ boolean -## environment\.fortify\.apps\.\*\.device +## environment\.fortify\.apps\.\\.device @@ -268,7 +268,7 @@ boolean -## environment\.fortify\.apps\.\*\.env +## environment\.fortify\.apps\.\\.env @@ -286,7 +286,7 @@ null or (attribute set of string) -## environment\.fortify\.apps\.\*\.extraConfig +## environment\.fortify\.apps\.\\.extraConfig 
@@ -304,16 +304,16 @@ anything -## environment\.fortify\.apps\.\*\.extraPaths +## environment\.fortify\.apps\.\\.extraPaths -Extra paths to make available to the sandbox\. +Extra paths to make available to the container\. *Type:* -list of anything +list of (submodule) @@ -322,7 +322,107 @@ list of anything -## environment\.fortify\.apps\.\*\.gpu +## environment\.fortify\.apps\.\\.extraPaths\.\*\.dev + + + +Whether to enable use of device files\. + + + +*Type:* +boolean + + + +*Default:* +` false ` + + + +*Example:* +` true ` + + + +## environment\.fortify\.apps\.\\.extraPaths\.\*\.dst + + + +Mount point in container, same as src if null\. + + + +*Type:* +null or string + + + +*Default:* +` null ` + + + +## environment\.fortify\.apps\.\\.extraPaths\.\*\.require + + + +Whether to enable start failure if the bind mount cannot be established for any reason\. + + + +*Type:* +boolean + + + +*Default:* +` false ` + + + +*Example:* +` true ` + + + +## environment\.fortify\.apps\.\\.extraPaths\.\*\.src + + + +Host filesystem path to make available to the container\. + + + +*Type:* +string + + + +## environment\.fortify\.apps\.\\.extraPaths\.\*\.write + + + +Whether to enable mounting path as writable\. + + + +*Type:* +boolean + + + +*Default:* +` false ` + + + +*Example:* +` true ` + + + +## environment\.fortify\.apps\.\\.gpu @@ -341,7 +441,7 @@ null or boolean -## environment\.fortify\.apps\.\*\.groups +## environment\.fortify\.apps\.\\.groups @@ -359,25 +459,20 @@ list of string -## environment\.fortify\.apps\.\*\.id +## environment\.fortify\.apps\.\\.identity -Freedesktop application ID\. +Application identity\. Identity 0 is reserved for system services\. *Type:* -null or string +integer between 1 and 9999 (both inclusive) -*Default:* -` null ` - - - -## environment\.fortify\.apps\.\*\.insecureWayland +## environment\.fortify\.apps\.\\.insecureWayland @@ -400,7 +495,7 @@ boolean -## environment\.fortify\.apps\.\*\.mapRealUid +## environment\.fortify\.apps\.\\.mapRealUid 
@@ -423,7 +518,7 @@ boolean -## environment\.fortify\.apps\.\*\.multiarch +## environment\.fortify\.apps\.\\.multiarch @@ -446,7 +541,7 @@ boolean -## environment\.fortify\.apps\.\*\.name +## environment\.fortify\.apps\.\\.name @@ -459,7 +554,7 @@ string -## environment\.fortify\.apps\.\*\.net +## environment\.fortify\.apps\.\\.net @@ -482,7 +577,7 @@ boolean -## environment\.fortify\.apps\.\*\.nix +## environment\.fortify\.apps\.\\.nix @@ -505,7 +600,7 @@ boolean -## environment\.fortify\.apps\.\*\.path +## environment\.fortify\.apps\.\\.path @@ -524,7 +619,7 @@ null or string -## environment\.fortify\.apps\.\*\.script +## environment\.fortify\.apps\.\\.script @@ -542,7 +637,7 @@ null or string -## environment\.fortify\.apps\.\*\.share +## environment\.fortify\.apps\.\\.share @@ -561,7 +656,30 @@ null or package -## environment\.fortify\.apps\.\*\.tty +## environment\.fortify\.apps\.\\.shareUid + + + +Whether to enable sharing identity with another application\. + + + +*Type:* +boolean + + + +*Default:* +` false ` + + + +*Example:* +` true ` + + + +## environment\.fortify\.apps\.\\.tty @@ -584,7 +702,30 @@ boolean -## environment\.fortify\.apps\.\*\.userns +## environment\.fortify\.apps\.\\.useCommonPaths + + + +Whether to enable common extra paths\. + + + +*Type:* +boolean + + + +*Default:* +` true ` + + + +*Example:* +` true ` + + + +## environment\.fortify\.apps\.\\.userns @@ -607,7 +748,7 @@ boolean -## environment\.fortify\.apps\.\*\.verbose +## environment\.fortify\.apps\.\\.verbose 
@@ -630,6 +771,137 @@ boolean +## environment\.fortify\.commonPaths + + + +Common extra paths to make available to the container\. + + + +*Type:* +list of (submodule) + + + +*Default:* +` [ ] ` + + + +## environment\.fortify\.commonPaths\.\*\.dev + + + +Whether to enable use of device files\. + + + +*Type:* +boolean + + + +*Default:* +` false ` + + + +*Example:* +` true ` + + + +## environment\.fortify\.commonPaths\.\*\.dst + + + +Mount point in container, same as src if null\. + + + +*Type:* +null or string + + + +*Default:* +` null ` + + + +## environment\.fortify\.commonPaths\.\*\.require + + + +Whether to enable start failure if the bind mount cannot be established for any reason\. + + + +*Type:* +boolean + + + +*Default:* +` false ` + + + +*Example:* +` true ` + + + +## environment\.fortify\.commonPaths\.\*\.src + + + +Host filesystem path to make available to the container\. + + + +*Type:* +string + + + +## environment\.fortify\.commonPaths\.\*\.write + + + +Whether to enable mounting path as writable\. + + + +*Type:* +boolean + + + +*Default:* +` false ` + + + +*Example:* +` true ` + + + +## environment\.fortify\.extraHomeConfig + + + +Extra home-manager configuration to merge with all target users\. + + + +*Type:* +anything + + + ## environment\.fortify\.fsuPackage @@ -644,20 +916,7 @@ package *Default:* -` ` - - - -## environment\.fortify\.home-manager - - - -Target user shared home-manager configuration\. - - - -*Type:* -function that evaluates to a(n) function that evaluates to a(n) attribute set of anything +` ` diff --git a/package.nix b/package.nix index 6900aa3..e0f01c6 100644 --- a/package.nix +++ b/package.nix @@ -31,7 +31,7 @@ buildGoModule rec { pname = "fortify"; - version = "0.4.0"; + version = "0.4.1"; src = builtins.path { name = "${pname}-src";