security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 37 Wiki Activity
fortify/options.md
Ophestra 6c1205106d
All checks were successful
Release / Create release (push) Successful in 59s
Details
Test / Sandbox (push) Successful in 1m2s
Details
Test / Sandbox (race detector) (push) Successful in 5m25s
Details
Test / Create distribution (push) Successful in 28s
Details
Test / Fpkg (push) Successful in 8m35s
Details
Test / Fortify (push) Successful in 8m57s
Details
Test / Fortify (race detector) (push) Successful in 10m5s
Details
Test / Flake checks (push) Successful in 1m45s
Details
release: 0.4.1 
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-05-26 02:55:19 +09:00

7.9 KiB
Raw Blame History

environment.fortify.enable

Whether to enable fortify.

Type: boolean

Default: false

Example: true

environment.fortify.package

The fortify package to use.

Type: package

Default: <derivation fortify-static-x86_64-unknown-linux-musl-0.4.1>

environment.fortify.apps

Declaratively configured fortify apps.

Type: attribute set of (submodule)

Default: { }

environment.fortify.apps.<name>.packages

List of extra packages to install via home-manager.

Type: list of package

Default: [ ]

environment.fortify.apps.<name>.args

Custom args. Setting this to null will default to script name.

Type: null or (list of string)

Default: null

environment.fortify.apps.<name>.capability.dbus

Whether to proxy D-Bus.

Type: boolean

Default: true

environment.fortify.apps.<name>.capability.pulse

Whether to share the PulseAudio socket and cookie.

Type: boolean

Default: true

environment.fortify.apps.<name>.capability.wayland

Whether to share the Wayland socket.

Type: boolean

Default: true

environment.fortify.apps.<name>.capability.x11

Whether to share the X11 socket and allow connection.

Type: boolean

Default: false

environment.fortify.apps.<name>.command

Command to run as the target user. Setting this to null will default command to launcher name. Has no effect when script is set.

Type: null or string

Default: null

environment.fortify.apps.<name>.dbus.session

D-Bus session bus custom configuration. Setting this to null will enable built-in defaults.

Type: null or (function that evaluates to a(n) anything)

Default: null

environment.fortify.apps.<name>.dbus.system

D-Bus system bus custom configuration. Setting this to null will disable the system bus proxy.

Type: null or anything

Default: null

environment.fortify.apps.<name>.devel

Whether to enable debugging-related kernel interfaces.

Type: boolean

Default: false

Example: true

environment.fortify.apps.<name>.device

Whether to enable access to all devices.

Type: boolean

Default: false

Example: true

environment.fortify.apps.<name>.env

Environment variables to set for the initial process in the sandbox.

Type: null or (attribute set of string)

Default: null

environment.fortify.apps.<name>.extraConfig

Extra home-manager configuration.

Type: anything

Default: { }

environment.fortify.apps.<name>.extraPaths

Extra paths to make available to the container.

Type: list of (submodule)

Default: [ ]

environment.fortify.apps.<name>.extraPaths.*.dev

Whether to enable use of device files.

Type: boolean

Default: false

Example: true

environment.fortify.apps.<name>.extraPaths.*.dst

Mount point in container, same as src if null.

Type: null or string

Default: null

environment.fortify.apps.<name>.extraPaths.*.require

Whether to enable start failure if the bind mount cannot be established for any reason.

Type: boolean

Default: false

Example: true

environment.fortify.apps.<name>.extraPaths.*.src

Host filesystem path to make available to the container.

Type: string

environment.fortify.apps.<name>.extraPaths.*.write

Whether to enable mounting path as writable.

Type: boolean

Default: false

Example: true

environment.fortify.apps.<name>.gpu

Target process GPU and driver access. Setting this to null will enable GPU whenever X or Wayland is enabled.

Type: null or boolean

Default: null

environment.fortify.apps.<name>.groups

List of groups to inherit from the privileged user.

Type: list of string

Default: [ ]

environment.fortify.apps.<name>.identity

Application identity. Identity 0 is reserved for system services.

Type: integer between 1 and 9999 (both inclusive)

environment.fortify.apps.<name>.insecureWayland

Whether to enable direct access to the Wayland socket.

Type: boolean

Default: false

Example: true

environment.fortify.apps.<name>.mapRealUid

Whether to enable mapping to priv-user uid.

Type: boolean

Default: false

Example: true

environment.fortify.apps.<name>.multiarch

Whether to enable multiarch kernel-level support.

Type: boolean

Default: false

Example: true

environment.fortify.apps.<name>.name

Name of the apps launcher script.

Type: string

environment.fortify.apps.<name>.net

Whether to enable network access.

Type: boolean

Default: true

Example: true

environment.fortify.apps.<name>.nix

Whether to enable nix daemon access.

Type: boolean

Default: false

Example: true

environment.fortify.apps.<name>.path

Custom executable path. Setting this to null will default to the start script.

Type: null or string

Default: null

environment.fortify.apps.<name>.script

Application launch script.

Type: null or string

Default: null

environment.fortify.apps.<name>.share

Package containing share files. Setting this to null will default package name to wrapper name.

Type: null or package

Default: null

environment.fortify.apps.<name>.shareUid

Whether to enable sharing identity with another application.

Type: boolean

Default: false

Example: true

environment.fortify.apps.<name>.tty

Whether to enable access to the controlling terminal.

Type: boolean

Default: false

Example: true

environment.fortify.apps.<name>.useCommonPaths

Whether to enable common extra paths.

Type: boolean

Default: true

Example: true

environment.fortify.apps.<name>.userns

Whether to enable user namespace creation.

Type: boolean

Default: false

Example: true

environment.fortify.apps.<name>.verbose

Whether to enable launchers with verbose output.

Type: boolean

Default: false

Example: true

environment.fortify.commonPaths

Common extra paths to make available to the container.

Type: list of (submodule)

Default: [ ]

environment.fortify.commonPaths.*.dev

Whether to enable use of device files.

Type: boolean

Default: false

Example: true

environment.fortify.commonPaths.*.dst

Mount point in container, same as src if null.

Type: null or string

Default: null

environment.fortify.commonPaths.*.require

Whether to enable start failure if the bind mount cannot be established for any reason.

Type: boolean

Default: false

Example: true

environment.fortify.commonPaths.*.src

Host filesystem path to make available to the container.

Type: string

environment.fortify.commonPaths.*.write

Whether to enable mounting path as writable.

Type: boolean

Default: false

Example: true

environment.fortify.extraHomeConfig

Extra home-manager configuration to merge with all target users.

Type: anything

environment.fortify.fsuPackage

The fsu package to use.

Type: package

Default: <derivation fortify-fsu-0.4.1>

environment.fortify.stateDir

The state directory where app home directories are stored.

Type: string

environment.fortify.users

Users allowed to spawn fortify apps and their corresponding fortify fid.

Type: attribute set of integer between 0 and 99 (both inclusive)