From 7217bbd0cbd515d91f0a2075e52eae8d8d1c720a Mon Sep 17 00:00:00 2001
From: surtur
Date: Mon, 11 Dec 2023 12:47:36 +0100
Subject: [PATCH] nix(t14): add some firejail programs
---
 nix/hosts/t14/configuration.nix | 1 +
 nix/modules/firejail.nix | 24 ++++++++++++++++++++++++
 2 files changed, 25 insertions(+)
 create mode 100644 nix/modules/firejail.nix
diff --git a/nix/hosts/t14/configuration.nix b/nix/hosts/t14/configuration.nix
index 45e7b36..842723e 100644
--- a/nix/hosts/t14/configuration.nix
+++ b/nix/hosts/t14/configuration.nix
@@ -13,6 +13,7 @@
 ../../modules/base.nix
 ../../modules/dnscrypt.nix
+ ../../modules/firejail.nix
 ../../modules/zram.nix
 ];
diff --git a/nix/modules/firejail.nix b/nix/modules/firejail.nix
new file mode 100644
index 0000000..cb2400a
--- /dev/null
+++ b/nix/modules/firejail.nix
@@ -0,0 +1,24 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ programs.firejail.enable = true;
+
+ # required to run chromium
+ security.chromiumSuidSandbox.enable = true;
+
+ # create system-wide executables firefox and chromium
+ # that will wrap the real binaries so everything
+ # work out of the box.
+ programs.firejail.wrappedBinaries = {
+ jailfirefox = {
+ executable = "${pkgs.lib.getBin pkgs.firefox}/bin/firefox";
+ profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
+ };
+ jailchromium = {
+ executable = "${pkgs.lib.getBin pkgs.chromium}/bin/chromium";
+ profile = "${pkgs.firejail}/etc/firejail/chromium.profile";
+ };
+ };
+}
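Review bot: The comment above `programs.firejail.wrappedBinaries` in the new firejail.nix says the module creates system-wide executables named `firefox` and `chromium` that wrap the real binaries "out of the box", but the attribute names actually used are `jailfirefox` and `jailchromium`, so the wrappers only take effect when a user deliberately invokes those names; any launcher that calls plain `firefox`/`chromium` (desktop entries, default-browser handlers) would still run the unsandboxed binaries if those packages are also installed. Either rename the attributes to `firefox = { ... };` and `chromium = { ... };` so the wrappers shadow the real binaries as the comment promises, or correct the comment, e.g. `# create system-wide executables jailfirefox and jailchromium that wrap the real binaries with firejail; plain firefox/chromium are not sandboxed`. The comment `# required to run chromium` on `security.chromiumSuidSandbox.enable = true` deserves a sentence noting that it installs a setuid-root helper, and that it is presumably only needed when unprivileged user namespaces are unavailable on this host — worth confirming before keeping a SUID binary on the system. The `config` module argument is unused in this file and could be dropped from the argument set; "everything work out of the box" should read "works".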