artem/dotfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: artem:a2c2b2a2e5b64d5f7664c1067fbf05f9dffb7bd6
Branches Tags
artem:master artem:static
...
compare: artem:a37e25329ade48ca2d1401313bb8e86759e8a9ec
Branches Tags
artem:master artem:static

2 Commits
a2c2b2a2e5 ... a37e25329a

Author SHA1 Message Date
Artem Sheremet
a37e25329a Improve jailed-agy 
Add python, ruby, go, custom paths.
 2026-06-19 13:37:00 +00:00
Artem Sheremet
3975092d67 nix flake update 2026-06-19 12:03:08 +00:00
2 changed files with 159 additions and 73 deletions
Expand all files Collapse all files

52
flake.lock generated
View File

@@ -3,16 +3,16 @@
"brew-src": { "brew-src": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1779646357, "lastModified": 1781226006,
"narHash": "sha256-rnnAaESXxItX4D9xCMGvs3hfDBjbbTYht7OluRcvT8k=", "narHash": "sha256-w4ZTuOnhYiDxjaynrMTASzp802QblBWmo3wpB8wVN4Y=",
"owner": "Homebrew", "owner": "Homebrew",
"repo": "brew", "repo": "brew",
"rev": "10a163ac127624caa80cc5cc5a705e97f3615b0e", "rev": "109191be4988470b51a60a5ef1998520aa24c01b",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "Homebrew", "owner": "Homebrew",
"ref": "5.1.14", "ref": "6.0.1",
"repo": "brew", "repo": "brew",
"type": "github" "type": "github"
} }
@@ -24,11 +24,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1780795403, "lastModified": 1781761792,
"narHash": "sha256-AkWx4Zt9pQbD/f82Z8N57+d0HGLN/rV3gdMKJTpBPKs=", "narHash": "sha256-rCPytmKNjctLloB6UgK5CRrHSwV4b0ygxtJLPPp8R14=",
"owner": "nix-darwin", "owner": "nix-darwin",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "6a771120d607dcccb279a27d227650e324815c35", "rev": "a1fa429e945becaf60468600daf649be4ba0350c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -96,11 +96,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1780996927, "lastModified": 1781866110,
"narHash": "sha256-eHLRPZfoJqi65kmDmtH5WSrfB6rkmRNy9lg6r/mmmzM=", "narHash": "sha256-eysWGLqD/9ZshEAg1bj1O8QpJZ6UoDEpjWzBJaR6ono=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "06c21a86a1e097654e0657ebff648dbd47aeac6d", "rev": "7fdd373d58137cdcddd8ba6f00ee06186affe5a5",
"revCount": 35, "revCount": 36,
"type": "git", "type": "git",
"url": "https://github.com/futureware-tech/nix.git" "url": "https://github.com/futureware-tech/nix.git"
}, },
@@ -141,11 +141,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1778507602, "lastModified": 1781733627,
"narHash": "sha256-kTwur1wV+01SdqskVMSo6JMEpg71ps3HpbFY2GsflKs=", "narHash": "sha256-U3yTuGBnmXvXoQI3qkpfEDsn9RovQPAjN7ndRco+3u0=",
"owner": "cachix", "owner": "cachix",
"repo": "git-hooks.nix", "repo": "git-hooks.nix",
"rev": "61ab0e80d9c7ab14c256b5b453d8b3fb0189ba0a", "rev": "3bbec39bc90eadfa031e6f3b77272f3f60803e39",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -204,11 +204,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1781009359, "lastModified": 1781844424,
"narHash": "sha256-w/mZkRscTatf8NWyUstli8ROzM/eopxZzi0WRjoeYkU=", "narHash": "sha256-sWBr0D6eu6UhmtM87NOd4oOYilIclFXGDd/s7tVvO10=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "c58ead12efcac436afffa93a22099a5595eb4157", "rev": "c804fab681f03ec772390af4421bcc9bce80c1d9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -219,11 +219,11 @@
}, },
"jail-nix": { "jail-nix": {
"locked": { "locked": {
"lastModified": 1772137954, "lastModified": 1776230864,
"narHash": "sha256-h4MGNbOo7L3RHi4uNFmsg5g17/DHXEfnv/xiG6BrNFQ=", "narHash": "sha256-YsEjjdOsGEzTeD+iT7ONh071BqWAOQWpzYVei3okAXE=",
"owner": "~alexdavid", "owner": "~alexdavid",
"repo": "jail.nix", "repo": "jail.nix",
"rev": "42b355c38ca63dab4904acc5c0d95f17954a8c9b", "rev": "404e7da9da5ab9aa643666682b2ba1312fa5fbe8",
"type": "sourcehut" "type": "sourcehut"
}, },
"original": { "original": {
@@ -237,11 +237,11 @@
"brew-src": "brew-src" "brew-src": "brew-src"
}, },
"locked": { "locked": {
"lastModified": 1780492467, "lastModified": 1781389246,
"narHash": "sha256-zMEJwtQPmsPPgPczFkyjWHgd1z0HagOPS2Wt2WDYLJY=", "narHash": "sha256-ORqLAo/hoJdsZC7UPAuEHev6S0+XIqKEC7vjo5prz1k=",
"owner": "zhaofengli", "owner": "zhaofengli",
"repo": "nix-homebrew", "repo": "nix-homebrew",
"rev": "562332f97de9f5ba51aa647d70462e88222b2988", "rev": "de7953a08ed4bb9245be043e468561c17b89130d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -252,11 +252,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1780749050, "lastModified": 1781577229,
"narHash": "sha256-3av0pIjlOWQ6rDbNOmpUSvbNnJkGORQKKjb4LtCZsIY=", "narHash": "sha256-lrp67w8AulE9Ks53n27I45ADSzbOCn4H+CNW1Ck8B+8=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a799d3e3886da994fa307f817a6bc705ae538eeb", "rev": "567a49d1913ce81ac6e9582e3553dd90a955875f",
"type": "github" "type": "github"
}, },
"original": { "original": {

180
modules/nixos/jailed-agy.nix
View File

@@ -1,62 +1,148 @@
{ {
config,
lib,
pkgs, pkgs,
jail-nix, jail-nix,
primaryUser,
... ...
}: }:
let let
jail = jail-nix.lib.init pkgs; jail = jail-nix.lib.init pkgs;
allPackages =
with pkgs;
[
bashInteractive
curl
wget
jq
git
which
ripgrep
gnugrep
gnused
gawkInteractive
ps
findutils
gzip
unzip
gnutar
diffutils
coreutils
procps
python3
python3Packages.pip
esphome
ruby
go
gcc
gnumake
pkg-config
nix
]
++ config.programs.jailed-agy.extraPackages;
in in
{ {
environment.systemPackages = [ options.programs.jailed-agy = {
# Should be started as "jailed-agy --dangerously-skip-permissions" extraPackages = lib.mkOption {
(jail "jailed-agy" pkgs.antigravity-cli ( type = lib.types.listOf lib.types.package;
with jail.combinators; default = [ ];
[ description = "Extra packages to append to the jailed-agy environment.";
network };
time-zone };
no-new-session
mount-cwd
(readwrite (noescape "~/.gemini")) config = {
# The above is a stow-controlled symlink to the following. environment.systemPackages = [
(readwrite (noescape "~/dotfiles/legacy/.gemini")) (jail "jailed-agy" pkgs.antigravity-cli (
with jail.combinators;
[
network
time-zone
no-new-session
mount-cwd
# Enable easy installation of pip packages in the current directory. # Enforce that the wrapper is not run as root/privileged user
(set-env "PYTHONPATH" (noescape "\"$PWD/.pip-packages\"")) (add-runtime ''
(set-env "PIP_TARGET" (noescape "\"$PWD/.pip-packages\"")) if [ "$(id -u)" -eq 0 ]; then
(set-env "PIP_CACHE_DIR" (noescape "\"$PWD/.pip-cache\"")) echo "Error: jailed-agy must not be run as root/privileged user!" >&2
(set-env "PIP_BREAK_SYSTEM_PACKAGES" "1") exit 1
fi
'')
(add-pkg-deps ( # Automatically append --dangerously-skip-permissions to agy invocation
with pkgs; (set-argv [
[ "--dangerously-skip-permissions"
bashInteractive (noescape "\"$@\"")
curl ])
wget
jq
git
which
ripgrep
gnugrep
gnused
gawkInteractive
ps
findutils
gzip
unzip
gnutar
diffutils
coreutils
procps
python3 (readwrite (noescape "~/.gemini"))
python3Packages.pip # The above is a stow-controlled symlink to the following.
esphome (readwrite (noescape "~/dotfiles/legacy/.gemini"))
nix # Enable easy installation of pip packages in the current directory.
] (set-env "PYTHONPATH" (noescape "\"$PWD/.pip-packages\""))
)) (set-env "PIP_TARGET" (noescape "\"$PWD/.pip-packages\""))
] (set-env "PIP_CACHE_DIR" (noescape "\"$PWD/.pip-cache\""))
)) (set-env "PIP_BREAK_SYSTEM_PACKAGES" "1")
];
# Enable easy installation and persistence of RubyGems in the current directory.
(set-env "GEM_HOME" (noescape "\"$PWD/.gem\""))
# Enable easy installation and persistence of Go modules and caches in the current directory.
(set-env "GOPATH" (noescape "\"$PWD/.go\""))
(set-env "GOCACHE" (noescape "\"$PWD/.go-cache\""))
# Preconfigure compiler and linker flags dynamically for all jail packages.
# This allows compiling Ruby gems (e.g. ffi, which requires libffi) and Go packages
# (e.g. YubiKey plugins, which require pcsclite) out-of-the-box.
(set-env "PKG_CONFIG_PATH" (
lib.concatStringsSep ":" (map (pkg: "${pkg.dev or pkg}/lib/pkgconfig") allPackages)
))
(set-env "NIX_CFLAGS_COMPILE" (
lib.concatStringsSep " " (map (pkg: "-isystem ${pkg.dev or pkg}/include") allPackages)
))
(set-env "NIX_LDFLAGS" (
lib.concatStringsSep " " (map (pkg: "-L${pkg.out or pkg}/lib") allPackages)
))
# Mount system and user profiles so their packages are automatically available at runtime
(try-ro-bind "/run/current-system/sw" "/run/current-system/sw")
(try-ro-bind "/etc/profiles/per-user/${primaryUser}" "/etc/profiles/per-user/${primaryUser}")
# Mount Nix files and directories to support nix-shell and Nix operations in jail
(try-ro-bind "/nix/store" "/nix/store")
(try-ro-bind "/nix/var/nix/daemon-socket" "/nix/var/nix/daemon-socket")
(try-ro-bind "/nix/var/nix/profiles" "/nix/var/nix/profiles")
(try-ro-bind "/etc/nix" "/etc/nix")
(try-ro-bind "/etc/static" "/etc/static")
# Forward Nix environment variables
(try-fwd-env "NIX_REMOTE")
(try-fwd-env "NIX_PATH")
(try-fwd-env "NIX_SSL_CERT_FILE")
(add-pkg-deps allPackages)
# Prepend local project binary directories, system, and user bin paths to the jail's PATH.
# Note: We place this after `add-pkg-deps` so that local paths take highest precedence.
# We use explicit double quotes to allow bash to expand $PWD at runtime and handle spaces.
(
state:
state
// {
env = state.env // {
PATH =
if state.env ? PATH && state.env.PATH != "" then
"\"\$PWD/.gem/bin:\$PWD/.go/bin:\$PWD/.pip-packages/bin:/run/current-system/sw/bin:/etc/profiles/per-user/${primaryUser}/bin:${state.env.PATH}\""
else
"\"\$PWD/.gem/bin:\$PWD/.go/bin:\$PWD/.pip-packages/bin:/run/current-system/sw/bin:/etc/profiles/per-user/${primaryUser}/bin\"";
};
}
)
]
))
];
};
} }