sandbox: add nix read-only mount if found

ahayzen · Dec 1, 2024 · e0e7603 · e0e7603
1 parent 4b03bb9
commit e0e7603
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 0 deletions.
diff --git a/build.sh b/build.sh
@@ -34,6 +34,7 @@ PROJECT_FILES=(
     "src/sandbox/input.sh"
     "src/sandbox/kvm.sh"
     "src/sandbox/name.sh"
+    "src/sandbox/nix.sh"
     "src/sandbox/pipewire.sh"
     "src/sandbox/pulseaudio.sh"
     "src/sandbox/selinux.sh"

diff --git a/src/sandbox/main.sh b/src/sandbox/main.sh
@@ -17,6 +17,8 @@ function sandbox_setup() {
     sandbox_setup_input
     printf "\r(%s) Finding KVM ... " "$TAG_NAME"
     sandbox_setup_kvm
+    printf "\r(%s) Finding Nix ..." "$TAG_NAME"
+    sandbox_setup_nix
     printf "\r(%s) Finding pipewire ... " "$TAG_NAME"
     sandbox_setup_pipewire
     printf "\r(%s) Finding pulseaudio ... " "$TAG_NAME"

diff --git a/src/sandbox/nix.sh b/src/sandbox/nix.sh
@@ -0,0 +1,13 @@
+# SPDX-FileCopyrightText: Andrew Hayzen <ahayzen@gmail.com>
+#
+# SPDX-License-Identifier: MPL-2.0
+
+function sandbox_setup_nix() {
+    # If /nix exists then mount it in as our /home config could have symlinks
+    # into /nix folders and would fail otherwise
+    #
+    # We do not source any folders so the container environment is isolated
+    if [ -d /nix ]; then
+      CONTAINER_RUN_ARGS+=(--volume=/nix:/nix:ro)
+    fi
+}