From dc84fe5065544941d7c773aa4faf65a83e16ed48 Mon Sep 17 00:00:00 2001
From: Xory
Date: Mon, 27 Oct 2025 14:09:51 +0200
Subject: [PATCH 1/3] feat: basic firejail & wrappers
---
 hosts/voidspear/configuration.nix | 43 +++++++++++++++++++++++++++++++
 hosts/voidspear/home.nix | 5 ----
 2 files changed, 43 insertions(+), 5 deletions(-)
diff --git a/hosts/voidspear/configuration.nix b/hosts/voidspear/configuration.nix
index c18b301..5aeead9 100644
--- a/hosts/voidspear/configuration.nix
+++ b/hosts/voidspear/configuration.nix
@@ -77,12 +77,55 @@
 services.zerotierone.enable = true;
 services.zerotierone.joinNetworks = [ "b3ce837c63" "363c67c55a726a89" ];
+ # nix-ld
 programs.nix-ld.enable = true;
 programs.nix-ld.libraries = with pkgs; [ libGL SDL2 ];
+ # Firejail
+ programs.firejail = {
+ enable = true;
+ wrappedBinaries = {
+ firefox = {
+ executable = "${pkgs.firefox}/bin/firefox";
+ profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
+ extraArgs = [
+ "--env=GTK_THEME=Adwaita:dark"
+ ];
+ };
+ signal-desktop-bin = {
+ executable = "${pkgs.signal-desktop-bin}/bin/signal-desktop";
+ profile = "${pkgs.firejail}/etc/firejail/signal-desktop.profile";
+ extraArgs = [
+ "--env=GTK_THEME=Adwaita:dark"
+ ];
+ };
+ vesktop = {
+ executable = "${pkgs.vesktop}/bin/vesktop";
+ profile = "${pkgs.firejail}/etc/firejail/vesktop.profile";
+ extraArgs = [
+ "--env=GTK_THEME=Adwaita:dark"
+ ];
+ };
+ spotify = {
+ executable = "${pkgs.spotify}/bin/spotify";
+ profile = "${pkgs.firejail}/etc/firejail/spotify.profile";
+ extraArgs = [
+ "--env=GTK_THEME=Adwaita:dark"
+ ];
+ };
+ obsidian = {
+ executable = "${pkgs.vesktop}/bin/obsidian";
+ profile = "${pkgs.firejail}/etc/firejail/obsidian.profile";
+ extraArgs = [
+ "--env=GTK_THEME=Adwaita:dark"
+ "--net=none" # I don't use community plugins... yet.
+ ];
+ };
+ };
+ };
 # Enable the X11 windowing system.
 # You can disable this if you're only using the Wayland session.
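Review bot: The obsidian wrapper points its executable at the wrong package: `executable = "${pkgs.vesktop}/bin/obsidian";` builds a path inside the vesktop store path, which has no `bin/obsidian`, so the `obsidian` wrapper this patch produces cannot launch anything. It should read `executable = "${pkgs.obsidian}/bin/obsidian";`. The interpolated path is only a string, so as far as I can tell neither this nor a mistyped profile basename under `${pkgs.firejail}/etc/firejail/` is caught at evaluation time; it surfaces when the wrapper is run. The third patch in this series derives the path from the attribute name and happens to correct it, but since the first two patches stand on their own the fix deserves a mention in that commit's message.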
diff --git a/hosts/voidspear/home.nix b/hosts/voidspear/home.nix
index e7110b9..60ad87e 100644
--- a/hosts/voidspear/home.nix
+++ b/hosts/voidspear/home.nix
@@ -6,7 +6,6 @@
 home.packages = with pkgs; [
 neovim
 fastfetch
- firefox
 git
 cava
 kdePackages.qtwebsockets
@@ -14,13 +13,11 @@
 python313Packages.websockets
 python313Packages.requests # basic python test env
 ]))
- signal-desktop-bin
 simplex-chat-desktop
 qbittorrent
 ffmpeg
 yt-dlp
 prismlauncher
- vesktop
 keepassxc
 obs-studio
 mpv
@@ -38,8 +35,6 @@
 })
 woeusb-ng
 ntfs3g
- obsidian
- spotify
 ];
 home.file = {
-- 
2.49.1
From 461b145575e8f6c12ca77fd39eaeff91b1d3949f Mon Sep 17 00:00:00 2001
From: Xory
Date: Mon, 27 Oct 2025 14:14:16 +0200
Subject: [PATCH 2/3] fix: apparently obsidian updates its base plugins separately or smth(?)
---
 hosts/voidspear/configuration.nix | 1 -
 1 file changed, 1 deletion(-)
diff --git a/hosts/voidspear/configuration.nix b/hosts/voidspear/configuration.nix
index 5aeead9..af4779f 100644
--- a/hosts/voidspear/configuration.nix
+++ b/hosts/voidspear/configuration.nix
@@ -121,7 +121,6 @@
 profile = "${pkgs.firejail}/etc/firejail/obsidian.profile";
 extraArgs = [
 "--env=GTK_THEME=Adwaita:dark"
- "--net=none" # I don't use community plugins... yet.
 ];
 };
 };
-- 
2.49.1
From ea0019478cf1be50994f2f71043dade02829dde3 Mon Sep 17 00:00:00 2001
From: Xory
Date: Mon, 27 Oct 2025 14:17:40 +0200
Subject: [PATCH 3/3] opt: use mapAttr for firejail profiles
---
 hosts/voidspear/configuration.nix | 60 ++++++++++++------------------
 1 file changed, 22 insertions(+), 38 deletions(-)
diff --git a/hosts/voidspear/configuration.nix b/hosts/voidspear/configuration.nix
index af4779f..babbd03 100644
--- a/hosts/voidspear/configuration.nix
+++ b/hosts/voidspear/configuration.nix
@@ -2,7 +2,7 @@
 # your system. Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 {
 imports =
@@ -87,43 +87,27 @@
 # Firejail
 programs.firejail = {
 enable = true;
- wrappedBinaries = {
- firefox = {
- executable = "${pkgs.firefox}/bin/firefox";
- profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
- extraArgs = [
- "--env=GTK_THEME=Adwaita:dark"
- ];
- };
- signal-desktop-bin = {
- executable = "${pkgs.signal-desktop-bin}/bin/signal-desktop";
- profile = "${pkgs.firejail}/etc/firejail/signal-desktop.profile";
- extraArgs = [
- "--env=GTK_THEME=Adwaita:dark"
- ];
- };
- vesktop = {
- executable = "${pkgs.vesktop}/bin/vesktop";
- profile = "${pkgs.firejail}/etc/firejail/vesktop.profile";
- extraArgs = [
- "--env=GTK_THEME=Adwaita:dark"
- ];
- };
- spotify = {
- executable = "${pkgs.spotify}/bin/spotify";
- profile = "${pkgs.firejail}/etc/firejail/spotify.profile";
- extraArgs = [
- "--env=GTK_THEME=Adwaita:dark"
- ];
- };
- obsidian = {
- executable = "${pkgs.vesktop}/bin/obsidian";
- profile = "${pkgs.firejail}/etc/firejail/obsidian.profile";
- extraArgs = [
- "--env=GTK_THEME=Adwaita:dark"
- ];
- };
- };
+ wrappedBinaries =
+ let
+ apps = {
+ firefox = {};
+ "signal-desktop-bin" = { name = "signal-desktop"; };
+ vesktop = {};
+ spotify = {};
+ obsidian = {};
+ };
+ in
+ lib.mapAttrs (pkg: conf:
+ let
+ binName = conf.name or pkg;
+ in
+ {
+ executable = "${pkgs.${pkg}}/bin/${binName}";
+ profile = "${pkgs.firejail}/etc/firejail/${binName}.profile";
+ extraArgs = [
+ "--env=GTK_THEME=Adwaita:dark"
+ ];
+ }) apps;
 };
 # Enable the X11 windowing system.
-- 
2.49.1
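Review bot: The generated wrapper entries no longer have a place for per-application sandbox flags: `extraArgs` is the same fixed list for every app, so a per-app tightening like the `--net=none` the first patch had for obsidian cannot be expressed without breaking out of the `apps` table again. A one-line change keeps the table form while allowing it, `extraArgs = [ "--env=GTK_THEME=Adwaita:dark" ] ++ (conf.extraArgs or []);`. The `apps` table would also benefit from a comment stating that each key is both the nixpkgs attribute looked up via `pkgs.${pkg}` and, unless `name` overrides it, the basename of the binary and of the firejail profile, since a mistyped `name` only yields a profile path that does not exist and would presumably surface only when the wrapper is run. The enclosing `programs.firejail` set closes inside the hunk, so nothing is cut off.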