diff --git a/nix/hosts/t14/configuration.nix b/nix/hosts/t14/configuration.nix
index 45e7b36..842723e 100644
--- a/nix/hosts/t14/configuration.nix
+++ b/nix/hosts/t14/configuration.nix
@@ -13,6 +13,7 @@
     ../../modules/base.nix
     ../../modules/dnscrypt.nix
+    ../../modules/firejail.nix
     ../../modules/zram.nix
   ];
diff --git a/nix/modules/firejail.nix b/nix/modules/firejail.nix
new file mode 100644
index 0000000..cb2400a
--- /dev/null
+++ b/nix/modules/firejail.nix
@@ -0,0 +1,24 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  programs.firejail.enable = true;
+
+  # required to run chromium
+  security.chromiumSuidSandbox.enable = true;
+
+  # create system-wide executables firefox and chromium
+  # that will wrap the real binaries so everything
+  # work out of the box.
+  programs.firejail.wrappedBinaries = {
+    jailfirefox = {
+      executable = "${pkgs.lib.getBin pkgs.firefox}/bin/firefox";
+      profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
+    };
+    jailchromium = {
+      executable = "${pkgs.lib.getBin pkgs.chromium}/bin/chromium";
+      profile = "${pkgs.firejail}/etc/firejail/chromium.profile";
+    };
+  };
+}
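Review bot: The comment above `programs.firejail.wrappedBinaries` says it creates system-wide executables `firefox` and `chromium`, but the attributes are named `jailfirefox` and `jailchromium`, so the plain names are not shadowed and anything that launches `firefox`/`chromium` by name (desktop entries, xdg-open, a `pkgs.firefox` or `pkgs.chromium` installed elsewhere in this config) still runs the unsandboxed binary. If shadowing is intended, rename the attributes to `firefox` and `chromium`; otherwise correct the comment, e.g. `# jailfirefox/jailchromium wrap the real binaries; the unwrapped firefox/chromium stay reachable if installed elsewhere`. `security.chromiumSuidSandbox.enable = true` installs a second setuid-root helper next to the already-setuid firejail, and `# required to run chromium` does not say why — presumably Chromium's unprivileged user-namespace sandbox is not usable inside the jail; record the actual reason so the extra privileged surface can be reconsidered rather than cargo-culted. The `config` argument in the module header is unused and can be dropped.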