From e9b76d519eb55a586d6e42a3a02307eac427998a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cyryl=20P=C5=82otnicki?=
Date: Sat, 15 Jan 2022 23:43:25 +0000
Subject: [PATCH] wip on firejail for firefox
---
 nixos/gui/default.nix | 172 ++++++++++++++++++++--------------------
 nixos/gui/firejail.nix | 8 ++
 2 files changed, 94 insertions(+), 86 deletions(-)
 create mode 100644 nixos/gui/firejail.nix
diff --git a/nixos/gui/default.nix b/nixos/gui/default.nix
index af5b5883..4c0a494d 100644
--- a/nixos/gui/default.nix
+++ b/nixos/gui/default.nix
@@ -2,92 +2,92 @@
 let
 unstable = inputs.nixpkgs-nixos-unstable.legacyPackages.${pkgs.system};
 in
-{
- programs.firejail.enable = true;
-
- programs.firejail.wrappedBinaries = {
- firefox = {
- executable = "${pkgs.lib.getBin pkgs.firefox}/bin/firefox";
- profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
- };
- chromium = {
- executable = "${pkgs.lib.getBin pkgs.chromium}/bin/chromium";
- profile = "${pkgs.firejail}/etc/firejail/chromium.profile";
- };
- };
-
- home-manager.users.cyryl = { ... }: {
- gtk = {
- enable = true;
- iconTheme = {
- name = "Adwaita";
- package = pkgs.gnome3.adwaita-icon-theme;
+ {
+ programs.firejail.enable = true;
+ programs.firejail.wrappedBinaries = {
+ firefox = {
+ executable = "${pkgs.lib.getBin pkgs.firefox}/bin/firefox";
+ profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
+ };
+ chromium = {
+ executable = "${pkgs.lib.getBin pkgs.chromium}/bin/chromium";
+ profile = "${pkgs.firejail}/etc/firejail/chromium.profile";
 };
 };
- qt = {
- enable = true;
- platformTheme = "gnome";
- style.name = "adwaita-dark";
- style.package = pkgs.adwaita-qt;
+
+ home-manager.users.cyryl = { ... }: {
+ gtk = {
+ enable = true;
+ iconTheme = {
+ name = "Adwaita";
+ package = pkgs.gnome3.adwaita-icon-theme;
+ };
+ };
+ qt = {
+ enable = true;
+ platformTheme = "gnome";
+ style.name = "adwaita-dark";
+ style.package = pkgs.adwaita-qt;
+ };
+
+ imports = [
+ ./vscode.nix
+ ./firejail.nix
+ ];
+
+ home.packages = with pkgs; with pkgs.gnome3; with pkgs.python38Packages; [
+ anarchism
+ apvlv
+ binwalk-full
+ brave
+ cheese
+ digikam
+ discord
+ electrum
+ element-desktop
+ eog
+ evince
+ fontconfig
+ freecad
+ ghidra-bin
+ gimp
+ glxinfo
+ gnome-screenshot
+ gsettings-desktop-schemas
+ hopper
+ inkscape
+ keybase-gui
+ libreoffice
+ mindforger
+ modem-manager-gui
+ nautilus
+ nyxt
+ obs-studio
+ openscad
+ passff-host
+ pdfarranger
+ qcad
+ qemu
+ remmina
+ shotwell
+ signal-desktop
+ simple-scan
+ slack
+ spotify
+ ssb-patchwork
+ tlaplusToolbox
+ tlaps
+ vlc
+ wineFull
+ wireshark
+ wsjtx
+ xclip
+ xidlehook
+ yubico-piv-tool
+ yubikey-manager-qt
+ yubikey-personalization
+ yubikey-personalization-gui
+ zoom-us
+ ];
 };
-
- imports = [
- ./vscode.nix
- ];
-
- home.packages = with pkgs; with pkgs.gnome3; with pkgs.python38Packages; [
- anarchism
- apvlv
- binwalk-full
- brave
- cheese
- digikam
- discord
- electrum
- element-desktop
- eog
- evince
- fontconfig
- freecad
- ghidra-bin
- gimp
- glxinfo
- gnome-screenshot
- gsettings-desktop-schemas
- hopper
- inkscape
- keybase-gui
- libreoffice
- mindforger
- modem-manager-gui
- nautilus
- nyxt
- obs-studio
- openscad
- passff-host
- pdfarranger
- qcad
- qemu
- remmina
- shotwell
- signal-desktop
- simple-scan
- slack
- spotify
- ssb-patchwork
- tlaplusToolbox
- tlaps
- vlc
- wineFull
- wireshark
- wsjtx
- xclip
- xidlehook
- yubico-piv-tool
- yubikey-manager-qt
- yubikey-personalization
- yubikey-personalization-gui
- zoom-us
- ];
- };
-}
+ }
diff --git a/nixos/gui/firejail.nix b/nixos/gui/firejail.nix
new file mode 100644
index 00000000..1525ae19
--- /dev/null
+++ b/nixos/gui/firejail.nix
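Review bot: Almost every line of this hunk is a two-space re-indent of the module body (the new side also nests the attribute set under `in` as `  {`), so the one functional change, the added `./firejail.nix` import, is buried among 90 whitespace-only line pairs; splitting the reformat into its own commit, or not re-indenting, would keep the review to that single line. The blank line between `programs.firejail.enable = true;` and `programs.firejail.wrappedBinaries = {` is dropped on the new side while the rest of the module keeps a blank line between top-level options. The enclosing module function header lies before the `let … in` context that opens this hunk.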
@@ -0,0 +1,8 @@
+{ config, pkgs, lib, ... }:
+{
+ home.file.".config/firejail/firefox.profile".text = ''
+ include ${pkgs.firejail}/etc/firejail/firefox.profile
+
+ ignore apparmor
+ ignore noexec '' + "$" + "{HOME}";
+ }
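Review bot: The two `ignore` directives come after the `include` line, and as far as I recall firejail applies `ignore` only to directives parsed after it (which is why the stock profiles pull in `firefox.local` first), so in this order the included profile's `apparmor` and `noexec ${HOME}` lines most likely stay in force; placing `ignore apparmor` and `ignore noexec ''${HOME}` above `include ${pkgs.firejail}/etc/firejail/firefox.profile` would make them effective, and `''${HOME}` inside the indented string also removes the need for the `'' + "$" + "{HOME}"` concatenation. Separately, the wrapper in the default.nix hunk still passes the store profile explicitly via `profile = "${pkgs.firejail}/etc/firejail/firefox.profile"`, and with an explicit profile firejail does not, to my knowledge, look in `~/.config/firejail/`, so this file may never be read unless that `profile` is pointed at it or dropped. Since both directives widen what the sandbox permits (AppArmor confinement and the execute restriction on the home directory), a short comment above them stating the reason for relaxing each would help the next reader, e.g. `# relaxed because <reason>: apparmor and noexec on $HOME`.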