nixos,home: sandbox {firefox,librewolf} with nixpak

2023-11-12 13:38:43 +08:00 · 2023-11-12 13:38:43 +08:00 · 3a441fceaf
commit 3a441fceaf
parent 934a0eeea5
4 changed files with 206 additions and 10 deletions
--- a/flake.lock
+++ b/flake.lock
@ -139,6 +139,29 @@
        "type": "github"
      }
    },
+    "hercules-ci-effects": {
+      "inputs": {
+        "flake-parts": [
+          "flake-parts"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1699381651,
+        "narHash": "sha256-mZlQ54xJs3j5+SJrLhzePPMXzS+Czbx7gNyOnOAQrHA=",
+        "owner": "hercules-ci",
+        "repo": "hercules-ci-effects",
+        "rev": "0bd99f5ab7ec7a74c11238bd02bb29e709c14328",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "hercules-ci-effects",
+        "type": "github"
+      }
+    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@ -344,6 +367,58 @@
        "type": "github"
      }
    },
+    "nixpak": {
+      "inputs": {
+        "flake-parts": [
+          "flake-parts"
+        ],
+        "hercules-ci-effects": [
+          "hercules-ci-effects"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1699560481,
+        "narHash": "sha256-JwmozcjXfwo8HaAR5LBKS6+MJbfzHHE+phtFMJRmyik=",
+        "owner": "nixpak",
+        "repo": "nixpak",
+        "rev": "755ea83c7835d17975d151e326bf21987dd2ce57",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixpak",
+        "repo": "nixpak",
+        "type": "github"
+      }
+    },
+    "nixpak-pkgs": {
+      "inputs": {
+        "flake-parts": [
+          "flake-parts"
+        ],
+        "hercules-ci-effects": [
+          "hercules-ci-effects"
+        ],
+        "nixpak": [
+          "nixpak"
+        ]
+      },
+      "locked": {
+        "lastModified": 1699512458,
+        "narHash": "sha256-PzQp4qsphDYTXdDDdrSKq5HJak6DnlziupeYG9Q99To=",
+        "owner": "nixpak",
+        "repo": "pkgs",
+        "rev": "65a857c8bcae181c5b8198dc44d2ed8d81a77a49",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixpak",
+        "repo": "pkgs",
+        "type": "github"
+      }
+    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1699099776,
@ -443,6 +518,7 @@
        "flake-parts": "flake-parts",
        "flake-utils": "flake-utils",
        "gitignore": "gitignore",
+        "hercules-ci-effects": "hercules-ci-effects",
        "home-manager": "home-manager",
        "hosts": "hosts",
        "hyprland": "hyprland",
@ -452,6 +528,8 @@
        "lanzaboote": "lanzaboote",
        "metacubexd": "metacubexd",
        "nix-darwin": "nix-darwin",
+        "nixpak": "nixpak",
+        "nixpak-pkgs": "nixpak-pkgs",
        "nixpkgs": "nixpkgs",
        "nixpkgs-stable": "nixpkgs-stable",
        "nvfetcher": "nvfetcher",
--- a/flake.nix
+++ b/flake.nix
@ -52,6 +52,18 @@
      url = "github:LnL7/nix-darwin";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+    nixpak = {
+      url = "github:nixpak/nixpak";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.flake-parts.follows = "flake-parts";
+      inputs.hercules-ci-effects.follows = "hercules-ci-effects";
+    };
+    nixpak-pkgs = {
+      url = "github:nixpak/pkgs";
+      inputs.nixpak.follows = "nixpak";
+      inputs.flake-parts.follows = "flake-parts";
+      inputs.hercules-ci-effects.follows = "hercules-ci-effects";
+    };
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
@ -84,6 +96,11 @@
      url = "github:hercules-ci/gitignore.nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+    hercules-ci-effects = {
+      url = "github:hercules-ci/hercules-ci-effects";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.flake-parts.follows = "flake-parts";
+    };
    hyprland-protocols = {
      url = "github:hyprwm/hyprland-protocols";
      inputs.nixpkgs.follows = "nixpkgs";
@ -129,10 +146,6 @@
    #  url = "github:NixOS/nixos-hardware/master";
    #  #inputs.nixpkgs.follows = "nixpkgs";
    #};
-    #nixpak = {
-    #  url = "github:nixpak/nixpak";
-    #  inputs.nixpkgs.follows = "nixpkgs";
-    #};

    ## Non-Flake
    ### Color scheme files
@ -163,6 +176,7 @@
    impermanence,
    tokyonight,
    metacubexd,
+    nixpak,
    ...
  } @ inputs: {
    formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.alejandra;
--- a/users/guanranwang/home-manager/resources/browser/firefox.nix
+++ b/users/guanranwang/home-manager/resources/browser/firefox.nix
@ -1,7 +1,61 @@
-{...}: {
-  programs = {
-    enable = true;
-    # TODO
-    profiles."default" = {};
+{
+  inputs,
+  pkgs,
+  ...
+}: let
+  mkNixPak = inputs.nixpak.lib.nixpak {
+    inherit (pkgs) lib;
+    inherit pkgs;
  };
+
+  firefox = mkNixPak {
+    config = {
+      config,
+      sloth,
+      ...
+    }: {
+      app.package = pkgs.firefox;
+      flatpak.appId = "org.mozilla.firefox";
+
+      imports = [
+        (inputs.nixpak-pkgs + "/pkgs/modules/gui-base.nix")
+        (inputs.nixpak-pkgs + "/pkgs/modules/network.nix")
+      ];
+
+      # Specified in https://github.com/schizofox/schizofox/blob/main/modules/hm/default.nix
+      # I really don't have any idea what am I doing, it just works™
+      bubblewrap = let
+        envSuffix = envKey: sloth.concat' (sloth.env envKey);
+      in {
+        bind.rw = [
+          "/tmp/.X11-unix"
+          (sloth.envOr "XAUTHORITY" "/no-xauth")
+          (envSuffix "XDG_RUNTIME_DIR" "/dconf")
+          (sloth.concat' sloth.homeDir "/.mozilla")
+          (sloth.concat' sloth.homeDir "/Downloads")
+        ];
+        bind.ro = [
+          "/etc/localtime"
+          "/sys/bus/pci"
+
+          ["${pkgs.firefox}/lib/firefox" "/app/etc/firefox"]
+          (sloth.concat' sloth.xdgConfigHome "/dconf")
+
+          # https://github.com/nixpak/pkgs/pull/22
+          (sloth.concat' sloth.xdgConfigHome "/fontconfig")
+        ];
+      };
+    };
+  };
+in {
+  home.packages = [firefox.config.env];
+
+  # TODO: does not seem to work
+  #programs.firefox = {
+  #  enable = true;
+  #  package = firefox.config.env;
+  #
+  #  # TODO
+  #  profiles."default" = {};
+  #};
 }
--- a/users/guanranwang/home-manager/resources/browser/librewolf.nix
+++ b/users/guanranwang/home-manager/resources/browser/librewolf.nix
@ -1,6 +1,56 @@
-{...}: {
+{
+  inputs,
+  pkgs,
+  ...
+}: let
+  mkNixPak = inputs.nixpak.lib.nixpak {
+    inherit (pkgs) lib;
+    inherit pkgs;
+  };
+
+  librewolf = mkNixPak {
+    config = {
+      config,
+      sloth,
+      ...
+    }: {
+      app.package = pkgs.librewolf;
+      flatpak.appId = "io.gitlab.librewolf-community";
+
+      imports = [
+        (inputs.nixpak-pkgs + "/pkgs/modules/gui-base.nix")
+        (inputs.nixpak-pkgs + "/pkgs/modules/network.nix")
+      ];
+
+      # Specified in https://github.com/schizofox/schizofox/blob/main/modules/hm/default.nix
+      # I really don't have any idea what am I doing, it just works™
+      bubblewrap = let
+        envSuffix = envKey: sloth.concat' (sloth.env envKey);
+      in {
+        bind.rw = [
+          "/tmp/.X11-unix"
+          (sloth.envOr "XAUTHORITY" "/no-xauth")
+          (envSuffix "XDG_RUNTIME_DIR" "/dconf")
+          (sloth.concat' sloth.homeDir "/.librewolf")
+          (sloth.concat' sloth.homeDir "/Downloads")
+        ];
+        bind.ro = [
+          "/etc/localtime"
+          "/sys/bus/pci"
+
+          ["${pkgs.firefox}/lib/firefox" "/app/etc/firefox"]
+          (sloth.concat' sloth.xdgConfigHome "/dconf")
+
+          # https://github.com/nixpak/pkgs/pull/22
+          (sloth.concat' sloth.xdgConfigHome "/fontconfig")
+        ];
+      };
+    };
+  };
+in {
  programs.librewolf = {
    enable = true;
+    package = librewolf.config.env;
    settings = {
      "identity.fxaccounts.enabled" = true;