nix(t14): add some firejail programs

nix/hosts/t14/configuration.nix

@@ -13,6 +13,7 @@
 
     ../../modules/base.nix
     ../../modules/dnscrypt.nix
+    ../../modules/firejail.nix
     ../../modules/zram.nix
   ];
 

nix/modules/firejail.nix

@@ -0,0 +1,24 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  programs.firejail.enable = true;
+
+  # required to run chromium
+  security.chromiumSuidSandbox.enable = true;
+
+  # create system-wide executables firefox and chromium
+  # that will wrap the real binaries so everything
+  # work out of the box.
+  programs.firejail.wrappedBinaries = {
+    jailfirefox = {
+      executable = "${pkgs.lib.getBin pkgs.firefox}/bin/firefox";
+      profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
+    };
+    jailchromium = {
+      executable = "${pkgs.lib.getBin pkgs.chromium}/bin/chromium";
+      profile = "${pkgs.firejail}/etc/firejail/chromium.profile";
+    };
+  };
+}