From 165a600f9acde441938c1cbc7041ae27813db928 Mon Sep 17 00:00:00 2001
From: tdro
Date: Sat, 7 Oct 2023 17:13:38 -0400
Subject: .config/nixpkgs/jails -> .config/nixpkgs/shells

---
 .config/nixpkgs/jails/bubblewrap/jail.nix | 36 --------------------
 .config/nixpkgs/jails/firejail/jail.nix | 48 --------------------------
 .config/nixpkgs/jails/nsjail/jail.nix | 52 -----------------------------
 .config/nixpkgs/jails/proot/jail.nix | 52 -----------------------------
 .config/nixpkgs/shells/bubblewrap/shell.nix | 36 ++++++++++++++++++++
 .config/nixpkgs/shells/firejail/shell.nix | 48 ++++++++++++++++++++++++++
 .config/nixpkgs/shells/nsjail/shell.nix | 52 +++++++++++++++++++++++++++++
 .config/nixpkgs/shells/proot/shell.nix | 52 +++++++++++++++++++++++++++++
 8 files changed, 188 insertions(+), 188 deletions(-)
 delete mode 100644 .config/nixpkgs/jails/bubblewrap/jail.nix
 delete mode 100644 .config/nixpkgs/jails/firejail/jail.nix
 delete mode 100644 .config/nixpkgs/jails/nsjail/jail.nix
 delete mode 100644 .config/nixpkgs/jails/proot/jail.nix
 create mode 100644 .config/nixpkgs/shells/bubblewrap/shell.nix
 create mode 100644 .config/nixpkgs/shells/firejail/shell.nix
 create mode 100644 .config/nixpkgs/shells/nsjail/shell.nix
 create mode 100644 .config/nixpkgs/shells/proot/shell.nix
(limited to '.config/nixpkgs')

diff --git a/.config/nixpkgs/jails/bubblewrap/jail.nix b/.config/nixpkgs/jails/bubblewrap/jail.nix
deleted file mode 100644
index aee8a8b..0000000
--- a/.config/nixpkgs/jails/bubblewrap/jail.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-let
-
- # nix-shell -E 'import (builtins.fetchurl "$url")'
- # https://github.com/containers/bubblewrap/blob/main/demos/bubblewrap-shell.sh
- # https://manpages.debian.org/testing/bubblewrap/bwrap.1.en.html
-
- name = "nix-shell.bubblewrap";
-
- pkgs = import (builtins.fetchTarball {
- url = "https://releases.nixos.org/nixos/22.11/nixos-22.11.466.596a8e828c5/nixexprs.tar.xz";
- sha256 = "1367bad5zz0mfm4czb6p0s0ni38f0x1ffh02z76rx4nranipqbgg";
- }) { };
-
- bubblewrap = arguments@{ ... }: pkgs.writeShellApplication {
- inherit name;
- text = ''
- PATH=${pkgs.lib.strings.makeBinPath [ pkgs.bubblewrap ]}
- bwrap \
- '' + pkgs.lib.strings.concatStringsSep " \\\n"
- (pkgs.lib.attrsets.mapAttrsToList (argument: value: "--${argument} ${value} ")
- arguments) + "/bin/sh\n";
- };
-
- jail = bubblewrap {
- clearenv = "";
- setenv = "PATH ${pkgs.lib.strings.makeBinPath [ pkgs.busybox ]}";
- ro-bind = "/nix /nix" + " --ro-bind /bin /bin";
- };
-
-in pkgs.mkShell {
- inherit name;
- shellHook = ''
- printf '%s\n' "${jail}/bin/${jail.name}"
- exec "${jail}/bin/${jail.name}"
- '';
-}
diff --git a/.config/nixpkgs/jails/firejail/jail.nix b/.config/nixpkgs/jails/firejail/jail.nix
deleted file mode 100644
index 4f5e5e1..0000000
--- a/.config/nixpkgs/jails/firejail/jail.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-let
-
- # nix-shell -E 'import (builtins.fetchurl "$url")'
- # https://www.man7.org/linux/man-pages/man1/Firejail.1.html
-
- name = "nix-shell.firejail";
-
- pkgs = import (builtins.fetchTarball {
- url = "https://releases.nixos.org/nixos/22.11/nixos-22.11.466.596a8e828c5/nixexprs.tar.xz";
- sha256 = "1367bad5zz0mfm4czb6p0s0ni38f0x1ffh02z76rx4nranipqbgg";
- }) { };
-
- firejail = {
- rootfs ? "rootfs",
- options ? [ ],
- path ? [ pkgs.busybox ],
- entrypoint ? "/bin/sh"
- }:
- pkgs.writeShellApplication {
- inherit name;
- text = ''
- set -euxo pipefail
- PATH=${pkgs.lib.strings.makeBinPath [ pkgs.firejail pkgs.coreutils ]}
- mkdir --parents '${rootfs}'
- firejail \
- --chroot '${rootfs}' \
- ${pkgs.lib.strings.concatMapStringsSep " " (value: value) options} \
- -- /usr/bin/env --ignore-environment ${
- pkgs.writeScript "entrypoint-${name}" ''
- set -eu
- export PATH=${pkgs.lib.strings.makeBinPath path}
- ${entrypoint}
- ''
- };
- '';
- };
-
- jail = firejail {
- options = [ ];
- };
-
-in pkgs.mkShell {
- inherit name;
- shellHook = ''
- printf '%s\n' "${jail}/bin/${jail.name}"
- exec "${jail}/bin/${jail.name}"
- '';
-}
diff --git a/.config/nixpkgs/jails/nsjail/jail.nix b/.config/nixpkgs/jails/nsjail/jail.nix
deleted file mode 100644
index d954588..0000000
--- a/.config/nixpkgs/jails/nsjail/jail.nix
+++ /dev/null
@@ -1,52 +0,0 @@
-let
-
- # nix-shell -E 'import (builtins.fetchurl "$url")'
- # https://nsjail.dev/
-
- name = "nix-shell.nsjail";
-
- pkgs = import (builtins.fetchTarball {
- url = "https://releases.nixos.org/nixos/22.11/nixos-22.11.466.596a8e828c5/nixexprs.tar.xz";
- sha256 = "1367bad5zz0mfm4czb6p0s0ni38f0x1ffh02z76rx4nranipqbgg";
- }) { };
-
- nsjail = {
- rootfs ? "rootfs",
- options ? [ ],
- path ? [ pkgs.busybox ],
- entrypoint ? "/bin/sh"
- }:
- pkgs.writeShellApplication {
- inherit name;
- text = ''
- set -euxo pipefail
- PATH=${pkgs.lib.strings.makeBinPath [ pkgs.nsjail pkgs.coreutils ]}
- mkdir --parents '${rootfs}'
- nsjail \
- --chroot "$(pwd)"/'${rootfs}' \
- ${pkgs.lib.strings.concatMapStringsSep " " (value: value) options} \
- -- /usr/bin/env --ignore-environment ${
- pkgs.writeScript "entrypoint-${name}" ''
- set -eu
- export PATH=${pkgs.lib.strings.makeBinPath path}
- ${entrypoint}
- ''
- };
- '';
- };
-
- jail = nsjail {
- options = [
- "--bindmount_ro /nix"
- "--bindmount_ro /usr"
- "--bindmount_ro /bin"
- ];
- };
-
-in pkgs.mkShell {
- inherit name;
- shellHook = ''
- printf '%s\n' "${jail}/bin/${jail.name}"
- exec "${jail}/bin/${jail.name}"
- '';
-}
diff --git a/.config/nixpkgs/jails/proot/jail.nix b/.config/nixpkgs/jails/proot/jail.nix
deleted file mode 100644
index 46ed76f..0000000
--- a/.config/nixpkgs/jails/proot/jail.nix
+++ /dev/null
@@ -1,52 +0,0 @@
-let
-
- # nix-shell -E 'import (builtins.fetchurl "$url")'
- # https://manpages.ubuntu.com/manpages/trusty/man1/proot.1.html
-
- name = "nix-shell.proot";
-
- pkgs = import (builtins.fetchTarball {
- url = "https://releases.nixos.org/nixos/22.11/nixos-22.11.466.596a8e828c5/nixexprs.tar.xz";
- sha256 = "1367bad5zz0mfm4czb6p0s0ni38f0x1ffh02z76rx4nranipqbgg";
- }) { };
-
- proot = {
- rootfs ? "rootfs",
- binds ? [ ],
- options ? [ ],
- path ? [ pkgs.busybox ],
- entrypoint ? "/bin/sh"
- }:
- pkgs.writeShellApplication {
- inherit name;
- text = ''
- set -euxo pipefail
- PATH=${pkgs.lib.strings.makeBinPath [ pkgs.proot pkgs.coreutils ]}
- mkdir --parents '${rootfs}'
- proot \
- --rootfs='${rootfs}' \
- ${pkgs.lib.strings.concatMapStringsSep " " (option: "--bind=${option}") binds} \
- ${pkgs.lib.strings.concatMapStringsSep " " (value: value) options} \
- /usr/bin/env --ignore-environment ${
- pkgs.writeScript "entrypoint-${name}" ''
- set -eu
- export HISTFILE=/dev/null
- export PATH=${pkgs.lib.strings.makeBinPath path}
- ${entrypoint}
- ''
- };
- '';
- };
-
- jail = proot {
- binds = [ "/nix" "/usr" "/bin" ];
- options = [ "--cwd=/" "--verbose=0" ];
- };
-
-in pkgs.mkShell {
- inherit name;
- shellHook = ''
- printf '%s\n' "${jail}/bin/${jail.name}"
- exec "${jail}/bin/${jail.name}"
- '';
-}
diff --git a/.config/nixpkgs/shells/bubblewrap/shell.nix b/.config/nixpkgs/shells/bubblewrap/shell.nix
new file mode 100644
index 0000000..aee8a8b
--- /dev/null
+++ b/.config/nixpkgs/shells/bubblewrap/shell.nix
@@ -0,0 +1,36 @@
+let
+
+ # nix-shell -E 'import (builtins.fetchurl "$url")'
+ # https://github.com/containers/bubblewrap/blob/main/demos/bubblewrap-shell.sh
+ # https://manpages.debian.org/testing/bubblewrap/bwrap.1.en.html
+
+ name = "nix-shell.bubblewrap";
+
+ pkgs = import (builtins.fetchTarball {
+ url = "https://releases.nixos.org/nixos/22.11/nixos-22.11.466.596a8e828c5/nixexprs.tar.xz";
+ sha256 = "1367bad5zz0mfm4czb6p0s0ni38f0x1ffh02z76rx4nranipqbgg";
+ }) { };
+
+ bubblewrap = arguments@{ ... }: pkgs.writeShellApplication {
+ inherit name;
+ text = ''
+ PATH=${pkgs.lib.strings.makeBinPath [ pkgs.bubblewrap ]}
+ bwrap \
+ '' + pkgs.lib.strings.concatStringsSep " \\\n"
+ (pkgs.lib.attrsets.mapAttrsToList (argument: value: "--${argument} ${value} ")
+ arguments) + "/bin/sh\n";
+ };
+
+ jail = bubblewrap {
+ clearenv = "";
+ setenv = "PATH ${pkgs.lib.strings.makeBinPath [ pkgs.busybox ]}";
+ ro-bind = "/nix /nix" + " --ro-bind /bin /bin";
+ };
+
+in pkgs.mkShell {
+ inherit name;
+ shellHook = ''
+ printf '%s\n' "${jail}/bin/${jail.name}"
+ exec "${jail}/bin/${jail.name}"
+ '';
+}
diff --git a/.config/nixpkgs/shells/firejail/shell.nix b/.config/nixpkgs/shells/firejail/shell.nix
new file mode 100644
index 0000000..4f5e5e1
--- /dev/null
+++ b/.config/nixpkgs/shells/firejail/shell.nix
@@ -0,0 +1,48 @@
+let
+
+ # nix-shell -E 'import (builtins.fetchurl "$url")'
+ # https://www.man7.org/linux/man-pages/man1/Firejail.1.html
+
+ name = "nix-shell.firejail";
+
+ pkgs = import (builtins.fetchTarball {
+ url = "https://releases.nixos.org/nixos/22.11/nixos-22.11.466.596a8e828c5/nixexprs.tar.xz";
+ sha256 = "1367bad5zz0mfm4czb6p0s0ni38f0x1ffh02z76rx4nranipqbgg";
+ }) { };
+
+ firejail = {
+ rootfs ? "rootfs",
+ options ? [ ],
+ path ? [ pkgs.busybox ],
+ entrypoint ? "/bin/sh"
+ }:
+ pkgs.writeShellApplication {
+ inherit name;
+ text = ''
+ set -euxo pipefail
+ PATH=${pkgs.lib.strings.makeBinPath [ pkgs.firejail pkgs.coreutils ]}
+ mkdir --parents '${rootfs}'
+ firejail \
+ --chroot '${rootfs}' \
+ ${pkgs.lib.strings.concatMapStringsSep " " (value: value) options} \
+ -- /usr/bin/env --ignore-environment ${
+ pkgs.writeScript "entrypoint-${name}" ''
+ set -eu
+ export PATH=${pkgs.lib.strings.makeBinPath path}
+ ${entrypoint}
+ ''
+ };
+ '';
+ };
+
+ jail = firejail {
+ options = [ ];
+ };
+
+in pkgs.mkShell {
+ inherit name;
+ shellHook = ''
+ printf '%s\n' "${jail}/bin/${jail.name}"
+ exec "${jail}/bin/${jail.name}"
+ '';
+}
diff --git a/.config/nixpkgs/shells/nsjail/shell.nix b/.config/nixpkgs/shells/nsjail/shell.nix
new file mode 100644
index 0000000..d954588
--- /dev/null
+++ b/.config/nixpkgs/shells/nsjail/shell.nix
@@ -0,0 +1,52 @@
+let
+
+ # nix-shell -E 'import (builtins.fetchurl "$url")'
+ # https://nsjail.dev/
+
+ name = "nix-shell.nsjail";
+
+ pkgs = import (builtins.fetchTarball {
+ url = "https://releases.nixos.org/nixos/22.11/nixos-22.11.466.596a8e828c5/nixexprs.tar.xz";
+ sha256 = "1367bad5zz0mfm4czb6p0s0ni38f0x1ffh02z76rx4nranipqbgg";
+ }) { };
+
+ nsjail = {
+ rootfs ? "rootfs",
+ options ? [ ],
+ path ? [ pkgs.busybox ],
+ entrypoint ? "/bin/sh"
+ }:
+ pkgs.writeShellApplication {
+ inherit name;
+ text = ''
+ set -euxo pipefail
+ PATH=${pkgs.lib.strings.makeBinPath [ pkgs.nsjail pkgs.coreutils ]}
+ mkdir --parents '${rootfs}'
+ nsjail \
+ --chroot "$(pwd)"/'${rootfs}' \
+ ${pkgs.lib.strings.concatMapStringsSep " " (value: value) options} \
+ -- /usr/bin/env --ignore-environment ${
+ pkgs.writeScript "entrypoint-${name}" ''
+ set -eu
+ export PATH=${pkgs.lib.strings.makeBinPath path}
+ ${entrypoint}
+ ''
+ };
+ '';
+ };
+
+ jail = nsjail {
+ options = [
+ "--bindmount_ro /nix"
+ "--bindmount_ro /usr"
+ "--bindmount_ro /bin"
+ ];
+ };
+
+in pkgs.mkShell {
+ inherit name;
+ shellHook = ''
+ printf '%s\n' "${jail}/bin/${jail.name}"
+ exec "${jail}/bin/${jail.name}"
+ '';
+}
diff --git a/.config/nixpkgs/shells/proot/shell.nix b/.config/nixpkgs/shells/proot/shell.nix
new file mode 100644
index 0000000..46ed76f
--- /dev/null
+++ b/.config/nixpkgs/shells/proot/shell.nix
@@ -0,0 +1,52 @@
+let
+
+ # nix-shell -E 'import (builtins.fetchurl "$url")'
+ # https://manpages.ubuntu.com/manpages/trusty/man1/proot.1.html
+
+ name = "nix-shell.proot";
+
+ pkgs = import (builtins.fetchTarball {
+ url = "https://releases.nixos.org/nixos/22.11/nixos-22.11.466.596a8e828c5/nixexprs.tar.xz";
+ sha256 = "1367bad5zz0mfm4czb6p0s0ni38f0x1ffh02z76rx4nranipqbgg";
+ }) { };
+
+ proot = {
+ rootfs ? "rootfs",
+ binds ? [ ],
+ options ? [ ],
+ path ? [ pkgs.busybox ],
+ entrypoint ? "/bin/sh"
+ }:
+ pkgs.writeShellApplication {
+ inherit name;
+ text = ''
+ set -euxo pipefail
+ PATH=${pkgs.lib.strings.makeBinPath [ pkgs.proot pkgs.coreutils ]}
+ mkdir --parents '${rootfs}'
+ proot \
+ --rootfs='${rootfs}' \
+ ${pkgs.lib.strings.concatMapStringsSep " " (option: "--bind=${option}") binds} \
+ ${pkgs.lib.strings.concatMapStringsSep " " (value: value) options} \
+ /usr/bin/env --ignore-environment ${
+ pkgs.writeScript "entrypoint-${name}" ''
+ set -eu
+ export HISTFILE=/dev/null
+ export PATH=${pkgs.lib.strings.makeBinPath path}
+ ${entrypoint}
+ ''
+ };
+ '';
+ };
+
+ jail = proot {
+ binds = [ "/nix" "/usr" "/bin" ];
+ options = [ "--cwd=/" "--verbose=0" ];
+ };
+
+in pkgs.mkShell {
+ inherit name;
+ shellHook = ''
+ printf '%s\n' "${jail}/bin/${jail.name}"
+ exec "${jail}/bin/${jail.name}"
+ '';
+}
-- 
cgit v1.2.3