sandbox-system: use upstreamed restrictNetwork option

1 files changed, 3 insertions, 14 deletions

diff --git a/lib/mk-sandbox-system.nix b/lib/mk-sandbox-system.nix
index 1e1c596..9408be3 100644
--- a/lib/mk-sandbox-system.nix
+++ b/lib/mk-sandbox-system.nix
@@ -5,7 +5,6 @@ flake:
 , config ? { }
 , tools ? []
 , envVars ? { }
-, restrictNetwork ? true  # to be replaced with virtualisation.restrictNetwork
 }@params:
 
 let
@@ -98,7 +97,7 @@ in rec {
           print.printSharedDirs}
         ${shellLib.ifSomeList config.virtualisation.forwardPorts
           print.printForwardedPorts}
-        ${print.printRestrictedNetwork restrictNetwork}
+        ${print.printRestrictedNetwork config.virtualisation.restrictNetwork}
       '';
     };
 
@@ -111,10 +110,7 @@ in rec {
         target = "/mnt";
       };
 
-      # Uncomment when this is merged:
-      # https://github.com/NixOS/nixpkgs/pull/200225
-      #restrictNetwork = lib.mkDefault true;
-
+      restrictNetwork = lib.mkDefault true;
     };
   });
 
@@ -122,14 +118,7 @@ in rec {
 
   apps.${name} = {
     type = "app";
-    program = toString (pkgs.writeShellScript "sandbox-vm" (
-    (pkgs.lib.optionalString restrictNetwork ''
-      # Isolate from network
-      # Stopgap solution until this is merged:
-      # https://github.com/NixOS/nixpkgs/pull/200225
-      QEMU_NET_OPTS="restrict=yes,''${QEMU_NET_OPTS:+,$QEMU_NET_OPTS}"
-      export QEMU_NET_OPTS
-    '') + ''
+    program = toString (pkgs.writeShellScript "sandbox-vm" (''
       # Save current directory for mounting in VM
       SHARED_CWD=$PWD
       export SHARED_CWD