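{
  pkgs,
  config,
  lib,
  ...
}:
let
  # Only the helpers actually used below are pulled in (the original also
  # inherited `last` and `path`, which nothing referenced).
  inherit (lib) mkIf mkOption mkEnableOption mergeAttrsList types;

  cfg = config.security.apparmor_d;

  apparmor-d = pkgs.callPackage ./apparmor-d-package.nix { };

  # Bring both accepted list-entry forms to one shape. A bare profile name
  # means "enabled and enforced" (matching the submodule defaults); a
  # submodule entry carries its own flags.
  normalize = p:
    if builtins.isString p then
      { name = p; enable = true; enforce = true; }
    else
      { inherit (p) name enable enforce; };

  # Build the `security.apparmor.policies` entry for one normalized profile.
  # The policy body only pulls in the matching file shipped by apparmor.d;
  # `enforce = false` leaves that profile in complain mode.
  mkPolicy = p: {
    ${p.name} = {
      inherit (p) enable enforce;
      profile = ''
        include "${apparmor-d}/etc/apparmor.d/${p.name}"
      '';
    };
  };
in
{
  options.security.apparmor_d = let
    profile = types.submodule {
      options = {
        enable = mkOption {
          type = types.bool;
          default = true;
          description = "whether to enable this profile";
        };

        enforce = mkOption {
          type = types.bool;
          default = true;
          description = "whether to enforce this profile";
        };

        name = mkOption {
          type = types.nonEmptyStr;
          description = "name of the apparmor profile within apparmor.d";
          example = "vesktop";
        };
      };
    };
  in {
    enable = mkEnableOption "enable apparmor.d support";

    profiles = mkOption {
      type = types.listOf (types.either types.nonEmptyStr profile);
      default = [ ];
      description = "set of apparmor profiles to include from apparmor.d";
    };
  };

  # NOTE(review): untyped option with no consumer in this file; looks like a
  # debugging leftover. Kept so configurations that already set it still
  # evaluate — confirm before removing.
  options.test = mkOption { default = null; };

  config = mkIf cfg.enable {
    # Put apparmor.d on AppArmor's include path.
    security.apparmor.packages = [ apparmor-d ];

    # One policy per requested profile. Entries sharing a name collapse into
    # one attribute; presumably the later list entry wins, as with `//` —
    # confirm against lib.mergeAttrsList if duplicates are expected.
    security.apparmor.policies = mergeAttrsList (map (p: mkPolicy (normalize p)) cfg.profiles);

    environment.systemPackages = [ apparmor-d ];
  };
}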