grimm-nixos-laptop/common/tooling/apparmor/apparmor-d-module.nix

{
  pkgs,
  config,
  lib,
  ...
}:
let
  inherit (lib) mkIf mergeAttrsList last path;

  cfg = config.security.apparmor_d;
  apparmor-d = pkgs.callPackage ./apparmor-d-package.nix {};
  in
{
  options.security.apparmor_d = with lib; let 
    profile = types.submodule ({ config, ... }: {
      options = {
      enable = mkOption {
        type = types.bool;
        default = true;
        description = "whether to enable this profile";
      };

      enforce = mkOption {
        type = types.bool;
        default = true;
        description = "whether to enforce this profile";
      };

      name = mkOption {
        type = types.nonEmptyStr;
        description = "name of the apparmor profile within apparmor.d";
        example = "vesktop";
      };
      };
    });
  in {
    enable = mkEnableOption "enable apparmor.d support";

    profiles = mkOption {
      type = types.listOf (types.either types.nonEmptyStr profile);
      default = [];
      description = "set of apparmor profiles to include from apparmor.d";
    };
  };

  options.test = lib.mkOption { default = null; };
  
  config = mkIf (cfg.enable) {
    security.apparmor.packages = [ apparmor-d ];
    security.apparmor.policies = mergeAttrsList (map (p: if (builtins.isString p) then {
      "${p}" = {
        enable = true;
        enforce = true;
        profile = ''
          include "${apparmor-d}/etc/apparmor.d/${p}"
        '';
      };
    } else {
      ${p.name} = {
        inherit (p) enable enforce;
        profile = ''
          include "${apparmor-d}/etc/apparmor.d/${p.name}"
        '';
      };
    }) cfg.profiles );

    environment.systemPackages = [ apparmor-d ];
  };
}
a little more useable apparmor.d profile integration 2024-10-15 21:35:53 +02:00			`{`
			`pkgs,`
			`config,`
			`lib,`
			`...`
			`}:`
			`let`
			`inherit (lib) mkIf mergeAttrsList last path;`

			`cfg = config.security.apparmor_d;`
			`apparmor-d = pkgs.callPackage ./apparmor-d-package.nix {};`
			`in`
			`{`
			`options.security.apparmor_d = with lib; let`
			`profile = types.submodule ({ config, ... }: {`
			`options = {`
			`enable = mkOption {`
			`type = types.bool;`
			`default = true;`
			`description = "whether to enable this profile";`
			`};`

			`enforce = mkOption {`
			`type = types.bool;`
			`default = true;`
			`description = "whether to enforce this profile";`
			`};`

			`name = mkOption {`
			`type = types.nonEmptyStr;`
use intended tooling: allows nixos-specific support in apparmor.d 2024-10-15 23:31:58 +02:00			`description = "name of the apparmor profile within apparmor.d";`
a little more useable apparmor.d profile integration 2024-10-15 21:35:53 +02:00			`example = "vesktop";`
			`};`
			`};`
			`});`
			`in {`
			`enable = mkEnableOption "enable apparmor.d support";`

			`profiles = mkOption {`
			`type = types.listOf (types.either types.nonEmptyStr profile);`
			`default = [];`
			`description = "set of apparmor profiles to include from apparmor.d";`
			`};`
			`};`

			`options.test = lib.mkOption { default = null; };`

			`config = mkIf (cfg.enable) {`
			`security.apparmor.packages = [ apparmor-d ];`
use intended tooling: allows nixos-specific support in apparmor.d 2024-10-15 23:31:58 +02:00			`security.apparmor.policies = mergeAttrsList (map (p: if (builtins.isString p) then {`
			`"${p}" = {`
a little more useable apparmor.d profile integration 2024-10-15 21:35:53 +02:00			`enable = true;`
			`enforce = true;`
			`profile = ''`
use intended tooling: allows nixos-specific support in apparmor.d 2024-10-15 23:31:58 +02:00			`include "${apparmor-d}/etc/apparmor.d/${p}"`
a little more useable apparmor.d profile integration 2024-10-15 21:35:53 +02:00			`'';`
			`};`
use intended tooling: allows nixos-specific support in apparmor.d 2024-10-15 23:31:58 +02:00			`} else {`
a little more useable apparmor.d profile integration 2024-10-15 21:35:53 +02:00			`${p.name} = {`
			`inherit (p) enable enforce;`
			`profile = ''`
use intended tooling: allows nixos-specific support in apparmor.d 2024-10-15 23:31:58 +02:00			`include "${apparmor-d}/etc/apparmor.d/${p.name}"`
a little more useable apparmor.d profile integration 2024-10-15 21:35:53 +02:00			`'';`
			`};`
			`}) cfg.profiles );`
use intended tooling: allows nixos-specific support in apparmor.d 2024-10-15 23:31:58 +02:00
			`environment.systemPackages = [ apparmor-d ];`
a little more useable apparmor.d profile integration 2024-10-15 21:35:53 +02:00			`};`
			`}`