Landrun-Nix: Nix flake-parts module for landrun



A Nix flake-parts module for wrapping programs in a landrun (Landlock) sandbox, so that each wrapped program runs with only the filesystem paths, environment variables and network access you declare for it.

In your flake.nix:

```nix
{
  inputs.landrun-nix.url = "github:srid/landrun-nix";
  inputs.flake-parts.url = "github:hercules-ci/flake-parts";

  # `inputs@` binds the whole attribute set so that `inherit inputs` below works.
  outputs = inputs@{ flake-parts, landrun-nix, ... }:
    flake-parts.lib.mkFlake { inherit inputs; } {
      imports = [ landrun-nix.flakeModule ];

      perSystem = { pkgs, ... }: {
        landrunApps.my-app-sandboxed = {
          program = "${pkgs.my-app}/bin/my-app";

          features = {
            tty = true;      # Terminal support
            nix = true;      # Nix store access (default)
            network = true;  # Network access
            tmp = true;      # /tmp access (default)
          };

          # Raw arguments to pass to the `landrun` CLI
          cli = {
            rw = [ "$HOME/.config/my-app" ];
            rox = [ "/etc/hosts" ];
          };
        };
      };
    };
}
```

Run with:

```sh
nix run .#my-app-sandboxed
```

landrun-nix provides reusable modules for common applications via landrunModules.*. These can be imported into your app configurations:

```nix
{
  inputs.landrun-nix.url = "github:srid/landrun-nix";
  inputs.flake-parts.url = "github:hercules-ci/flake-parts";

  outputs = inputs@{ flake-parts, landrun-nix, ... }:
    flake-parts.lib.mkFlake { inherit inputs; } {
      imports = [ landrun-nix.flakeModule ];

      perSystem = { pkgs, ... }: {
        landrunApps.my-app = {
          imports = [
            landrun-nix.landrunModules.gh  # Import the GitHub CLI module
          ];
          program = "${pkgs.my-app}/bin/my-app";
          features.network = true;
        };
      };
    };
}
```
| Module | Description |
|---|---|
| `landrunModules.gh` | GitHub CLI (`gh`) configuration with D-Bus keyring support |

Example: Claude Code. The `examples/claude-sandboxed` example sandboxes Claude Code with access to the project directory, its config files, and the network; see that directory for a complete working example.

Try it:

```sh
nix run github:srid/landrun-nix?dir=examples/claude-sandboxed
```

High-level feature flags automatically configure common sandboxing patterns:

| Feature | Default | Description |
|---|---|---|
| `features.tty` | `false` | TTY devices, terminfo, locale env vars |
| `features.nix` | `true` | Nix store, system paths, `PATH` env var |
| `features.network` | `false` | DNS resolution, SSL certificates, unrestricted network |
| `features.tmp` | `true` | Read-write access to `/tmp` |
| `features.dbus` | `false` | D-Bus session bus, keyring access for the Secret Service API |

Note that `features.network` is all-or-nothing: it enables DNS, CA certificates and unrestricted network access together, not a per-host allowlist.

Fine-grained control via `cli.*`, which are passed through as raw arguments to the `landrun` CLI:

| Option | Description |
|---|---|
| `rox` | Read-only + execute paths |
| `ro` | Read-only paths |
| `rwx` | Read-write-execute paths |
| `rw` | Read-write paths |
| `env` | Environment variables to pass through |
| `unrestrictedNetwork` | Allow all network access |
| `addExec` | Automatically add the executable (`program`) to `rox` (default: `true`) |

Landlock rules apply to the whole subtree beneath the path they are attached to, so prefer the narrowest directory that the program actually needs over a broad parent such as `$HOME`.
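As an added example (this is not code from landrun-nix or its README), the following flake-parts module defines a `landrunApps.sandbox-probe` app whose `program` is a small shell script that, from inside the sandbox, tries reads, directory listings and writes at paths inside and outside the granted set, so you can confirm what the generated Landlock policy actually permits before trusting it with a real application. The app name and the `$HOME/projects/demo` directory are placeholders, using `pkgs.writeShellScript` as the `program` path is an assumption, and the expectation that `$HOME` in `cli.rw` is expanded when the wrapper runs is inferred from the README's own `"$HOME/.config/my-app"` example.

```nix
# Added example, not part of landrun-nix: a flake-parts module that defines a
# "sandbox-probe" app to check which paths the generated Landlock policy
# really allows. `sandbox-probe` and `$HOME/projects/demo` are placeholders.
{ inputs, ... }:
{
  imports = [ inputs.landrun-nix.flakeModule ];

  perSystem = { pkgs, ... }: {
    landrunApps.sandbox-probe = {
      # pkgs.writeShellScript evaluates to the store path of the script, so it
      # can be used directly as `program` (assumption: any executable path works).
      program = "${pkgs.writeShellScript "sandbox-probe" ''
        # Try to create and remove a file inside a directory; report the outcome.
        probe_write() {
          if : 2>/dev/null > "$1/.landrun-probe"; then
            rm -f "$1/.landrun-probe"; echo "write $1: allowed"
          else
            echo "write $1: denied"
          fi
        }
        # Try to read a file's contents (a real read, not just a stat).
        probe_read() {
          if cat "$1" >/dev/null 2>&1; then
            echo "read  $1: allowed"
          else
            echo "read  $1: denied"
          fi
        }
        # Try to list a directory (Landlock treats readdir as its own access).
        probe_list() {
          if ls "$1" >/dev/null 2>&1; then
            echo "list  $1: allowed"
          else
            echo "list  $1: denied"
          fi
        }
        probe_write "$HOME/projects/demo"  # granted by cli.rw below
        probe_write /tmp                   # granted by features.tmp (default)
        probe_write "$HOME"                # no rule below covers it
        probe_read  /etc/hosts             # granted by cli.ro below
        probe_list  "$HOME"                # no rule below covers it
      ''}";

      features = {
        tty = true;       # the script prints to the terminal
        network = false;  # the probe needs no network, so leave it off
        # nix = true (store access and PATH, which is how `cat`, `rm` and `ls`
        # are found) and tmp = true are the module defaults and stay in effect.
      };

      cli = {
        # Grant the narrowest paths the task needs. `$HOME` is assumed to be
        # expanded when the wrapper runs, as in the README's own example.
        rw = [ "$HOME/projects/demo" ];
        ro = [ "/etc/hosts" ];
        # The tempting shortcut `rw = [ "$HOME" ];` would also let the
        # "$HOME" write and list probes succeed, because a Landlock rule on a
        # directory applies to everything beneath it (including ~/.ssh).
      };
    };
  };
}
```

Add the file to the `imports` list of your `mkFlake` call, create `$HOME/projects/demo` (the probe assumes it exists), and run `nix run .#sandbox-probe`. Any probe reported as allowed against a path you did not grant means the policy is wider than intended, usually because a feature flag or a rule on a parent directory covers it; `features.nix` in particular exposes the whole Nix store read-only, which is what this module relies on to find its tools.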

Discussions: https://github.com/srid/landrun-nix/discussions

License: GPL-3.0

Related projects, from the original announcement post:

  • nixpak: a fancy declarative wrapper around bubblewrap.
  • jail.nix: a helper that makes it easy and ergonomic to wrap your derivations in bubblewrap.