nix(t14): add some firejail programs

2023-12-11 12:47:36 +01:00 · 2023-12-11 12:47:36 +01:00 · 7217bbd0cb
commit 7217bbd0cb
parent 5e74b57b7b
2 changed files with 25 additions and 0 deletions
--- a/nix/hosts/t14/configuration.nix
+++ b/nix/hosts/t14/configuration.nix
@ -13,6 +13,7 @@

    ../../modules/base.nix
    ../../modules/dnscrypt.nix
+    ../../modules/firejail.nix
    ../../modules/zram.nix
  ];

--- a/nix/modules/firejail.nix
+++ b/nix/modules/firejail.nix
@ -0,0 +1,24 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  programs.firejail.enable = true;
+
+  # required to run chromium
+  security.chromiumSuidSandbox.enable = true;
+
+  # create system-wide executables firefox and chromium
+  # that will wrap the real binaries so everything
+  # work out of the box.
+  programs.firejail.wrappedBinaries = {
+    jailfirefox = {
+      executable = "${pkgs.lib.getBin pkgs.firefox}/bin/firefox";
+      profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
+    };
+    jailchromium = {
+      executable = "${pkgs.lib.getBin pkgs.chromium}/bin/chromium";
+      profile = "${pkgs.firejail}/etc/firejail/chromium.profile";
+    };
+  };
+}