authorDaiderd Jordan <daiderd@gmail.com>2019-02-16 17:47:29 +0100
committerDaiderd Jordan <daiderd@gmail.com>2019-02-16 17:47:29 +0100
commit1464d9efd3930dafecb45668e6c58349041ea830 (patch)
treefedcf79359fabbfa105d90967e0d68e505d71fd7 /modules/examples/lnl.nix
parent1e67f6a2bc496cb5014915a71e323603e4b41662 (diff)
lnl: sandbox fetch-nixpkgs-updates service
Diffstat (limited to 'modules/examples/lnl.nix')
-rw-r--r--modules/examples/lnl.nix9
1 files changed, 7 insertions, 2 deletions
diff --git a/modules/examples/lnl.nix b/modules/examples/lnl.nix
index ba80e68..ebfbafb 100644
--- a/modules/examples/lnl.nix
+++ b/modules/examples/lnl.nix
@@ -60,8 +60,13 @@
services.chunkwm.enable = true;
services.skhd.enable = true;
- launchd.user.agents.fetch-nixpkgs = {
- command = "${pkgs.git}/bin/git -C /src/nixpkgs fetch origin master";
+ security.sandbox.profiles.fetch-nixpkgs-updates.closure = [ pkgs.cacert pkgs.git ];
+ security.sandbox.profiles.fetch-nixpkgs-updates.writablePaths = [ "/src/nixpkgs" ];
+ security.sandbox.profiles.fetch-nixpkgs-updates.allowNetworking = true;
+
+ launchd.user.agents.fetch-nixpkgs-updates = {
+ command = "/usr/bin/sandbox-exec -f ${config.security.sandbox.profiles.fetch-nixpkgs-updates.profile} ${pkgs.git}/bin/git -C /src/nixpkgs fetch origin master";
+ environment.HOME = "";
environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
serviceConfig.KeepAlive = false;
serviceConfig.ProcessType = "Background";
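Review bot: `writablePaths = [ "/src/nixpkgs" ]` gives the sandboxed git write access to the whole checkout, while `git fetch` should only need to write inside the repository's git directory. If `/src/nixpkgs` is an ordinary clone, narrowing it to `writablePaths = [ "/src/nixpkgs/.git" ];` keeps the working tree read-only to the service. Hooks and config under `.git` would still be writable and are later read by unsandboxed git invocations, so the profile limits what the fetch can touch rather than making its output trusted. `environment.HOME = "";` would benefit from a comment stating its intent, for example `# empty HOME: keep git away from user-level config the sandbox does not expose` (presumably the reason, to be confirmed). The agent's attribute set continues past the end of the hunk.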