Advanced configuration

All configuration options on this page can be passed into nono-nix.lib.extend.

additionalCombinators

additionalCombinators takes a function from builtin combinators to an attribute set of additional combinators, exposing them under nono.combinators and in sandbox definitions.

For example, this creates a nono function that exposes a my-permission combinator:

nono = nono-nix.lib.extend {
  inherit pkgs;
  additionalCombinators = builtinCombinators: with builtinCombinators; {
    my-permission = compose [
      (readonly "/foo")
      (readonly "/bar")
    ];
  };
};

# Now my-permission is available wherever builtin combinators are:

sandboxed-hello = nono "sandboxed-hello" pkgs.hello (c: with c; [
  my-permission
]);

# Or via nono.combinators:

sandboxed-hello = nono "sandboxed-hello" pkgs.hello [
  nono.combinators.my-permission
];

basePermissions

By default, nono.nix applies a base set of permissions to every sandbox. This option lets you replace them.

The defaults give most programs enough to run: coreutils on PATH, HOME/LANG/TERM forwarded, and read access to the program's Nix runtime closure.

nono = nono-nix.lib.extend {
  inherit pkgs;
  basePermissions = combinators: with combinators; [
    base
    bind-nix-store-runtime-closure
  ];
};

If you prefer to grant the entire Nix store rather than just the runtime closure, you can do:

nono = nono-nix.lib.extend {
  inherit pkgs;
  basePermissions = combinators: with combinators; [
    base
    (readonly "/nix/store")
  ];
};

nonoPackage

Override the nono binary that nono.nix uses. Defaults to pkgs.nono.

nono = nono-nix.lib.extend {
  inherit pkgs;
  nonoPackage = pkgs.nono.override { ... };
};