From 1464d9efd3930dafecb45668e6c58349041ea830 Mon Sep 17 00:00:00 2001
From: Daiderd Jordan
Date: Sat, 16 Feb 2019 17:47:29 +0100
Subject: lnl: sandbox fetch-nixpkgs-updates service

---
 modules/examples/lnl.nix | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'modules/examples')

diff --git a/modules/examples/lnl.nix b/modules/examples/lnl.nix
index ba80e68..ebfbafb 100644
--- a/modules/examples/lnl.nix
+++ b/modules/examples/lnl.nix
@@ -60,8 +60,13 @@
   services.chunkwm.enable = true;
   services.skhd.enable = true;
 
-  launchd.user.agents.fetch-nixpkgs = {
-    command = "${pkgs.git}/bin/git -C /src/nixpkgs fetch origin master";
+  security.sandbox.profiles.fetch-nixpkgs-updates.closure = [ pkgs.cacert pkgs.git ];
+  security.sandbox.profiles.fetch-nixpkgs-updates.writablePaths = [ "/src/nixpkgs" ];
+  security.sandbox.profiles.fetch-nixpkgs-updates.allowNetworking = true;
+
+  launchd.user.agents.fetch-nixpkgs-updates = {
+    command = "/usr/bin/sandbox-exec -f ${config.security.sandbox.profiles.fetch-nixpkgs-updates.profile} ${pkgs.git}/bin/git -C /src/nixpkgs fetch origin master";
+    environment.HOME = "";
     environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
     serviceConfig.KeepAlive = false;
     serviceConfig.ProcessType = "Background";
--
cgit v1.2.3
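Review bot: The new `environment.HOME = "";` line on the fetch-nixpkgs-updates agent carries no comment, and its purpose is not obvious from the code — presumably it keeps git from reading the user's `~/.gitconfig`, credential helpers and `~/.ssh` while it runs inside the sandbox (with an empty HOME git would look for `/.gitconfig` and `/.config/git/config` instead, which should not exist), so I would annotate it: `# Empty HOME so git ignores ~/.gitconfig, credential helpers and ~/.ssh; the sandbox only exposes the git/cacert closure plus /src/nixpkgs.` The `allowNetworking = true` profile setting reads as unrestricted outbound access, while the job only needs HTTPS to the `origin` remote; whether the `security.sandbox.profiles` module (defined outside this hunk) can scope that to TCP 443 is worth checking, and if it cannot, a comment stating that the broad network rule is intentional would help the next reader. `/usr/bin/sandbox-exec` is a deprecated Apple interface that still ships with macOS; a short comment noting that dependency would make clear why the job hard-codes a system binary rather than something from the Nix closure. The enclosing module attrset starts and ends outside the hunk.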