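# NixOS module that wires the apparmor.d profile collection into the system
# AppArmor policy.  Each entry of `security.apparmor_d.profiles` names one
# profile shipped by the apparmor.d package and the mode it is loaded in
# ("disable", "complain" or "enforce").
{
  pkgs,
  config,
  lib,
  ...
}:
let
  inherit (lib)
    mkIf
    mkEnableOption
    mkOption
    types
    mapAttrs
    ;

  cfg = config.security.apparmor_d;

  # The packaged profile tree.  The include path built below assumes the
  # package installs profiles as $out/etc/apparmor.d/<name> — confirm against
  # ./apparmor-d-package.nix (profiles kept in sub-directories would need the
  # relative path as the attribute name).
  apparmor-d = pkgs.callPackage ./apparmor-d-package.nix { };
in
{
  options.security.apparmor_d = {
    # mkEnableOption already prefixes "Whether to enable ", so the text must
    # not repeat the verb (the original rendered as "Whether to enable enable
    # apparmor.d support").
    enable = mkEnableOption "apparmor.d support";

    profiles = mkOption {
      type = types.attrsOf (types.enum [ "disable" "complain" "enforce" ]);
      default = { };
      description = "set of apparmor profiles to include from apparmor.d";
    };
  };

  config = mkIf cfg.enable {
    # Registers the package with the NixOS AppArmor module so the parser can
    # resolve the include below and the abstractions/tunables it refers to.
    security.apparmor.packages = [ apparmor-d ];

    # One NixOS policy per requested profile.  "disable" keeps the profile
    # out of the loaded policy set entirely; "complain" loads it with
    # enforce = false; "enforce" loads it enforcing.
    #
    # `name` is interpolated verbatim into the profile text; it comes from
    # this host's own configuration, not from external input.
    security.apparmor.policies = mapAttrs (name: mode: {
      enable = mode != "disable";
      enforce = mode == "enforce";
      profile = ''include "${apparmor-d}/etc/apparmor.d/${name}"'';
    }) cfg.profiles;

    # Also expose the package on the system path so its files can be
    # inspected directly.
    environment.systemPackages = [ apparmor-d ];
  };
}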