From 3a441fceafe9e823a19224782fc5675e980fbe23 Mon Sep 17 00:00:00 2001 From: Guanran Wang Date: Sun, 12 Nov 2023 13:38:43 +0800 Subject: [PATCH] nixos,home: sandbox {firefox,librewolf} with nixpak --- flake.lock | 78 +++++++++++++++++++ flake.nix | 22 +++++- .../resources/browser/firefox.nix | 64 +++++++++++++-- .../resources/browser/librewolf.nix | 52 ++++++++++++- 4 files changed, 206 insertions(+), 10 deletions(-) diff --git a/flake.lock b/flake.lock index e2d0798..3678e57 100755 --- a/flake.lock +++ b/flake.lock @@ -139,6 +139,29 @@ "type": "github" } }, + "hercules-ci-effects": { + "inputs": { + "flake-parts": [ + "flake-parts" + ], + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1699381651, + "narHash": "sha256-mZlQ54xJs3j5+SJrLhzePPMXzS+Czbx7gNyOnOAQrHA=", + "owner": "hercules-ci", + "repo": "hercules-ci-effects", + "rev": "0bd99f5ab7ec7a74c11238bd02bb29e709c14328", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "hercules-ci-effects", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ 
@@ -344,6 +367,58 @@ "type": "github" } }, + "nixpak": { + "inputs": { + "flake-parts": [ + "flake-parts" + ], + "hercules-ci-effects": [ + "hercules-ci-effects" + ], + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1699560481, + "narHash": "sha256-JwmozcjXfwo8HaAR5LBKS6+MJbfzHHE+phtFMJRmyik=", + "owner": "nixpak", + "repo": "nixpak", + "rev": "755ea83c7835d17975d151e326bf21987dd2ce57", + "type": "github" + }, + "original": { + "owner": "nixpak", + "repo": "nixpak", + "type": "github" + } + }, + "nixpak-pkgs": { + "inputs": { + "flake-parts": [ + "flake-parts" + ], + "hercules-ci-effects": [ + "hercules-ci-effects" + ], + "nixpak": [ + "nixpak" + ] + }, + "locked": { + "lastModified": 1699512458, + "narHash": "sha256-PzQp4qsphDYTXdDDdrSKq5HJak6DnlziupeYG9Q99To=", + "owner": "nixpak", + "repo": "pkgs", + "rev": "65a857c8bcae181c5b8198dc44d2ed8d81a77a49", + "type": "github" + }, + "original": { + "owner": "nixpak", + "repo": "pkgs", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1699099776, @@ -443,6 +518,7 @@ "flake-parts": "flake-parts", "flake-utils": "flake-utils", "gitignore": "gitignore", + "hercules-ci-effects": "hercules-ci-effects", "home-manager": "home-manager", "hosts": "hosts", "hyprland": "hyprland", @@ -452,6 +528,8 @@ "lanzaboote": "lanzaboote", "metacubexd": "metacubexd", "nix-darwin": "nix-darwin", + "nixpak": "nixpak", + "nixpak-pkgs": "nixpak-pkgs", "nixpkgs": "nixpkgs", "nixpkgs-stable": "nixpkgs-stable", "nvfetcher": "nvfetcher", diff --git a/flake.nix b/flake.nix index fa61f1b..0fdc1ff 100755 --- a/flake.nix +++ b/flake.nix 
@@ -52,6 +52,18 @@ url = "github:LnL7/nix-darwin"; inputs.nixpkgs.follows = "nixpkgs"; }; + nixpak = { + url = "github:nixpak/nixpak"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.flake-parts.follows = "flake-parts"; + inputs.hercules-ci-effects.follows = "hercules-ci-effects"; + }; + nixpak-pkgs = { + url = "github:nixpak/pkgs"; + inputs.nixpak.follows = "nixpak"; + inputs.flake-parts.follows = "flake-parts"; + inputs.hercules-ci-effects.follows = "hercules-ci-effects"; + }; sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; @@ -84,6 +96,11 @@ url = "github:hercules-ci/gitignore.nix"; inputs.nixpkgs.follows = "nixpkgs"; }; + hercules-ci-effects = { + url = "github:hercules-ci/hercules-ci-effects"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.flake-parts.follows = "flake-parts"; + }; hyprland-protocols = { url = "github:hyprwm/hyprland-protocols"; inputs.nixpkgs.follows = "nixpkgs"; @@ -129,10 +146,6 @@ # url = "github:NixOS/nixos-hardware/master"; # #inputs.nixpkgs.follows = "nixpkgs"; #}; - #nixpak = { - # url = "github:nixpak/nixpak"; - # inputs.nixpkgs.follows = "nixpkgs"; - #}; ## Non-Flake ### Color scheme files @@ -163,6 +176,7 @@ impermanence, tokyonight, metacubexd, + nixpak, ... } @ inputs: { formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.alejandra; diff --git a/users/guanranwang/home-manager/resources/browser/firefox.nix b/users/guanranwang/home-manager/resources/browser/firefox.nix index 596beda..0fd2d48 100644 --- a/users/guanranwang/home-manager/resources/browser/firefox.nix +++ b/users/guanranwang/home-manager/resources/browser/firefox.nix 
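Review bot: The `nixpak,` added to the destructuring pattern in the last hunk is not referenced by anything in this hunk; the browser modules reach the input as `inputs.nixpak`, which the existing `@ inputs` binding already provides, so unless the remainder of flake.nix (outside this hunk) uses `nixpak` directly the new name is dead and can be dropped. The three new inputs carry no `ref`, so they follow the upstream default branches; the accompanying flake.lock entries are what pin them, and since the sandbox policy for the browsers is imported by path from `nixpak/pkgs`, keep that lock entry under review when updating it rather than bumping it blindly.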
@@ -1,7 +1,61 @@
-{...}: {
- programs = {
- enable = true;
- # TODO
- profiles."default" = {};
+{
+ inputs,
+ pkgs,
+ ...
+}: let
+ mkNixPak = inputs.nixpak.lib.nixpak {
+ inherit (pkgs) lib;
+ inherit pkgs;
 };
+
+ firefox = mkNixPak {
+ config = {
+ config,
+ sloth,
+ ...
+ }: {
+ app.package = pkgs.firefox;
+ flatpak.appId = "org.mozilla.firefox";
+
+ imports = [
+ (inputs.nixpak-pkgs + "/pkgs/modules/gui-base.nix")
+ (inputs.nixpak-pkgs + "/pkgs/modules/network.nix")
+ ];
+
+ # Specified in https://github.com/schizofox/schizofox/blob/main/modules/hm/default.nix
+ # I really don't have any idea what am I doing, it just works™
+ bubblewrap = let
+ envSuffix = envKey: sloth.concat' (sloth.env envKey);
+ in {
+ bind.rw = [
+ "/tmp/.X11-unix"
+ (sloth.envOr "XAUTHORITY" "/no-xauth")
+ (envSuffix "XDG_RUNTIME_DIR" "/dconf")
+ (sloth.concat' sloth.homeDir "/.mozilla")
+ (sloth.concat' sloth.homeDir "/Downloads")
+ ];
+ bind.ro = [
+ "/etc/localtime"
+ "/sys/bus/pci"
+
+ ["${pkgs.firefox}/lib/firefox" "/app/etc/firefox"]
+ (sloth.concat' sloth.xdgConfigHome "/dconf")
+
+ # https://github.com/nixpak/pkgs/pull/22
+ (sloth.concat' sloth.xdgConfigHome "/fontconfig")
+ ];
+ };
+ };
+ };
+in {
+ home.packages = [firefox.config.env];
+
+ # TODO: does not seem to work
+ #programs.firefox = {
+ # enable = true;
+ # package = firefox.config.env;
+ #
+ # # TODO
+ # profiles."default" = {};
+ #};
 }
diff --git a/users/guanranwang/home-manager/resources/browser/librewolf.nix b/users/guanranwang/home-manager/resources/browser/librewolf.nix
index 1ce7c4f..1c5ee9a 100644
--- a/users/guanranwang/home-manager/resources/browser/librewolf.nix
+++ b/users/guanranwang/home-manager/resources/browser/librewolf.nix
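Review bot: `bind.rw` mounts `/tmp/.X11-unix` and `$XAUTHORITY` into the sandbox, and X11 has no client isolation, so a compromised browser process inside bubblewrap can still read keystrokes and window contents of every other client on that display — the mount namespace does nothing against that, and the Xauthority cookie file only ever needs to be read, so at minimum it belongs in `bind.ro`. If the session is Wayland-only (the flake already carries hyprland, and the `gui-base.nix` imported from nixpak/pkgs — not visible here — may bind the Wayland socket itself), both X11 entries can be dropped; if XWayland is still required, keep them behind a comment that states the trade-off, e.g. `# X11 socket + xauth: X clients are not isolated from each other, so this weakens the sandbox; needed only for XWayland`. The `config` argument destructured in `config = { config, sloth, ... }:` is unused in this hunk and can go. The same `bubblewrap` block is duplicated verbatim in librewolf.nix; pulling it into one shared module would stop the two policies from drifting apart.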
@@ -1,6 +1,56 @@
-{...}: {
+{
+ inputs,
+ pkgs,
+ ...
+}: let
+ mkNixPak = inputs.nixpak.lib.nixpak {
+ inherit (pkgs) lib;
+ inherit pkgs;
+ };
+
+ librewolf = mkNixPak {
+ config = {
+ config,
+ sloth,
+ ...
+ }: {
+ app.package = pkgs.librewolf;
+ flatpak.appId = "io.gitlab.librewolf-community";
+
+ imports = [
+ (inputs.nixpak-pkgs + "/pkgs/modules/gui-base.nix")
+ (inputs.nixpak-pkgs + "/pkgs/modules/network.nix")
+ ];
+
+ # Specified in https://github.com/schizofox/schizofox/blob/main/modules/hm/default.nix
+ # I really don't have any idea what am I doing, it just works™
+ bubblewrap = let
+ envSuffix = envKey: sloth.concat' (sloth.env envKey);
+ in {
+ bind.rw = [
+ "/tmp/.X11-unix"
+ (sloth.envOr "XAUTHORITY" "/no-xauth")
+ (envSuffix "XDG_RUNTIME_DIR" "/dconf")
+ (sloth.concat' sloth.homeDir "/.librewolf")
+ (sloth.concat' sloth.homeDir "/Downloads")
+ ];
+ bind.ro = [
+ "/etc/localtime"
+ "/sys/bus/pci"
+
+ ["${pkgs.firefox}/lib/firefox" "/app/etc/firefox"]
+ (sloth.concat' sloth.xdgConfigHome "/dconf")
+
+ # https://github.com/nixpak/pkgs/pull/22
+ (sloth.concat' sloth.xdgConfigHome "/fontconfig")
+ ];
+ };
+ };
+ };
+in {
 programs.librewolf = {
 enable = true;
+ package = librewolf.config.env;
 settings = {
 "identity.fxaccounts.enabled" = true;