machines/shiki: add zoomboxed

Filesystem sandbox around zoom-us.

3 files changed, 17 insertions, 5 deletions

diff --git a/machines/profpatsch/pkgs.nix b/machines/profpatsch/pkgs.nix
index 98a7988c..4afe40c1 100644
--- a/machines/profpatsch/pkgs.nix
+++ b/machines/profpatsch/pkgs.nix
@@ -1,4 +1,8 @@
-{ pkgs, lib, myLib }:
+{ pkgs, lib, myLib
+, withUnfree ? false, unfreeAndNonDistributablePkgs ? null
+}:
+
+assert withUnfree -> unfreeAndNonDistributablePkgs != null;
 
 let
 
@@ -33,6 +37,14 @@ let
         --replace 'notify-send' '${notify-send}'
     '';
 
+  zoomboxed = pkgs.vuizvui.buildSandbox unfreeAndNonDistributablePkgs.zoom-us {
+    paths.required = [
+      "$XDG_CONFIG_HOME/zoomus.conf"
+      "$XDG_CONFIG_HOME/.zoom"
+    ];
+    allowBinSh = true;
+  };
+
 in
 { inherit
     mpv
@@ -40,5 +52,6 @@ in
     vim
     # fast-init
     pyrnotify
+    zoomboxed
     ;
 }
diff --git a/machines/profpatsch/shiki.nix b/machines/profpatsch/shiki.nix
index 3e08f774..ad7c75bd 100644
--- a/machines/profpatsch/shiki.nix
+++ b/machines/profpatsch/shiki.nix
@@ -2,7 +2,7 @@
 let
 
   myLib  = import ./lib.nix  { inherit pkgs lib; };
-  myPkgs = import ./pkgs.nix { inherit pkgs lib myLib; };
+  myPkgs = import ./pkgs.nix { inherit pkgs lib myLib unfreeAndNonDistributablePkgs; };
 
 in {
 
@@ -243,6 +243,7 @@ in {
         # move script/nix-cache-binary to here
         cdb
         taskwarrior tasksh
+        myPkgs.zoomboxed
       ];
     in systemPkgs ++ xPkgs ++ guiPkgs
     ++ programmingTools ++ documentation
diff --git a/pkgs/profpatsch/default.nix b/pkgs/profpatsch/default.nix
index 1bc29d57..86eb15db 100644
--- a/pkgs/profpatsch/default.nix
+++ b/pkgs/profpatsch/default.nix
@@ -83,9 +83,7 @@ let
         testing.drvSeqL tests (itLocal name args execline);
     };
 
-  writeExeclineFns = import ./execline/write-execline.nix {
-    inherit pkgs;
-  };
+  writeExeclineFns = callPackage ./execline/write-execline.nix {};
 
 
 in rec {