Diffstat (limited to 'lib')
-rw-r--r--lib/mk-sandbox-system.nix17
1 files changed, 3 insertions, 14 deletions
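--- a/lib/mk-sandbox-system.nix
+++ b/lib/mk-sandbox-system.nix
@@ -5,7 +5,6 @@ flake:
 , config ? { }
 , tools ? []
 , envVars ? { }
-, restrictNetwork ? true # to be replaced with virtualisation.restrictNetwork
 }@params:
 
 let
@@ -98,7 +97,7 @@ in rec {
 print.printSharedDirs}
 ${shellLib.ifSomeList config.virtualisation.forwardPorts
 print.printForwardedPorts}
-${print.printRestrictedNetwork restrictNetwork}
+${print.printRestrictedNetwork config.virtualisation.restrictNetwork}
 '';
 };
 
@@ -111,10 +110,7 @@ in rec {
 target = "/mnt";
 };
 
-# Uncomment when this is merged:
-# https://github.com/NixOS/nixpkgs/pull/200225
-#restrictNetwork = lib.mkDefault true;
-
+restrictNetwork = lib.mkDefault true;
 };
 });
 
@@ -122,14 +118,7 @@ in rec {
 
 apps.${name} = {
 type = "app";
-program = toString (pkgs.writeShellScript "sandbox-vm" (
-(pkgs.lib.optionalString restrictNetwork ''
-# Isolate from network
-# Stopgap solution until this is merged:
-# https://github.com/NixOS/nixpkgs/pull/200225
-QEMU_NET_OPTS="restrict=yes,''${QEMU_NET_OPTS:+,$QEMU_NET_OPTS}"
-export QEMU_NET_OPTS
-'') + ''
+program = toString (pkgs.writeShellScript "sandbox-vm" (''
 # Save current directory for mounting in VM
 SHARED_CWD=$PWD
 export SHARED_CWD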
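Review bot: Nothing on the new side records that `virtualisation.restrictNetwork` only exists in nixpkgs revisions that include the pull request the removed comments pointed at, so with an older pin the sandbox module now fails at evaluation with an undefined-option error instead of falling back to the old QEMU_NET_OPTS stopgap; a one-line comment beside `restrictNetwork = lib.mkDefault true;` in the third hunk, such as `# requires a nixpkgs that provides virtualisation.restrictNetwork (NixOS/nixpkgs#200225)`, would keep that minimum-version dependency visible to whoever bumps the flake input. Because the value is set with `lib.mkDefault`, any module in the caller-supplied config can switch isolation off, and the summary line in the second hunk now prints the effective option rather than the old function argument, which is the right place for a user to notice that. Dropping the `restrictNetwork ? true` argument in the first hunk also means a caller that still passes it will get an unexpected-argument error unless the pattern carries `...`, which is not visible in this hunk; the enclosing function header and the `in rec` body both extend outside the shown lines.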