diff --git a/hardening/README.md b/hardening/README.md
index 09dda2d0..9122269e 100644
--- a/hardening/README.md
+++ b/hardening/README.md
@@ -108,13 +108,6 @@ provide a much higher level of security.
 - [Paranoid NixOS Setup - xeiaso](https://xeiaso.net/blog/paranoid-nixos-2021-07-18/)
 - [nix-mineral](https://github.com/cynicsketch/nix-mineral): NixOS module for convenient system hardening.
-- nixpak configs:
-  - https://github.com/pokon548/OysterOS/tree/b97604d89953373d6316286b96f6a964af2c398d/desktop/application
-  - https://github.com/segment-tree/my-nixos/tree/ceb6041f73bd9edcb78a8818b27a28f7c629193b/hm/me/apps/nixpak
-  - https://github.com/Keksgesicht/nixos-config/tree/91cc77d8d6b598da7c4dbed143e0009c2dea6940/packages/nixpak
-  - https://github.com/bluskript/nix-config/blob/7ecb6a7254c1ac4969072f4c4febdc19f8b83b30/pkgs/nixpak/default.nix
-- firejail configs:
-  - https://github.com/stelcodes/nixos-config/blob/f8967c82a5e5f3d128eb1aaf7498b5f918f719ec/packages/overlay.nix#L261
 - apparmor configs:
   - https://github.com/zramctl/dotfiles/blob/4fe177f6984154960942bb47d5a375098ec6ed6a/modules/nixos/security/apparmor.nix#L4
   - https://git.grimmauld.de/Grimmauld/grimm-nixos-laptop/src/branch/main/hardening
diff --git a/hardening/nixpaks/default.nix b/hardening/nixpaks/default.nix
index 06ffd623..633ce37a 100644
--- a/hardening/nixpaks/default.nix
+++ b/hardening/nixpaks/default.nix
@@ -23,9 +23,8 @@ in
 (_: super: {
   nixpaks = {
     qq = wrapper pkgs-patched ./qq.nix;
-    wechat = wrapper super ./wechat.nix;
-
+    telegram-desktop = wrapper super ./telegram-desktop.nix;
     firefox = wrapper super ./firefox.nix;
   };
 })
diff --git a/hardening/nixpaks/qq.nix b/hardening/nixpaks/qq.nix
index 77dc0be5..feaa1dde 100644
--- a/hardening/nixpaks/qq.nix
+++ b/hardening/nixpaks/qq.nix
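Review bot: Removing `wechat = wrapper super ./wechat.nix;` from the `nixpaks` set leaves `hardening/nixpaks/wechat.nix` unreferenced, since nothing in this chunk deletes it, while home/linux/gui/base/misc.nix in the same commit installs `pkgs.bwraps.wechat` instead. If the bwrap profile supersedes the nixpak one, deleting the file (or doing so in a follow-up) keeps the two sandbox-profile families from drifting apart; if it is kept on purpose, a one-line comment next to `qq` such as `# wechat is wrapped via pkgs.bwraps instead, see home/linux/gui/base/misc.nix` would explain the gap. The enclosing overlay function starts before this hunk.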
@@ -49,15 +49,6 @@ let
       # just trace-access qq
       # See the Justfile in the root of this repository for more information.
       bind.rw = [
-        # given the read write permission to the following directories.
-        # NOTE: sloth.mkdir is used to create the directory if it does not exist!
-        (sloth.mkdir (
-          sloth.concat [
-            sloth.xdgConfigHome
-            "/QQ"
-          ]
-        ))
-
         sloth.xdgDocumentsDir
         sloth.xdgDownloadDir
         sloth.xdgMusicDir
diff --git a/hardening/nixpaks/telegram-desktop.nix b/hardening/nixpaks/telegram-desktop.nix
new file mode 100644
index 00000000..52d3041a
--- /dev/null
+++ b/hardening/nixpaks/telegram-desktop.nix
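Review bot: Dropping the `sloth.mkdir (sloth.concat [ sloth.xdgConfigHome "/QQ" ])` bind means the sandboxed QQ no longer sees the host's `~/.config/QQ`, and hosts/idols-ai/preservation.nix in the same commit stops persisting `.config/QQ` and `.local/share/TelegramDesktop`; nothing in the diff migrates the existing contents, so whatever state is in those host directories is presumably lost at the next boot unless it is moved into the app data directory first (the updated preservation.nix comment suggests that now lives under `.var`). Narrowing the sandbox to its own data dir is the right direction, but the removal also takes the only comment that explained the bind, so a replacement such as `# QQ state lives in the nixpak app data dir under ~/.var; ~/.config/QQ is no longer bound into the sandbox` would record the decision for the next reader. The `bind.rw` list continues past the end of this hunk.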
@@ -0,0 +1,91 @@
+{
+  lib,
+  telegram-desktop,
+  buildEnv,
+  mkNixPak,
+  makeDesktopItem,
+  ...
+}:
+let
+  appId = "org.telegram.desktop";
+  wrapped = mkNixPak {
+    config =
+      { sloth, ... }:
+      {
+        imports = [
+          ./modules/gui-base.nix
+          ./modules/network.nix
+          ./modules/common.nix
+        ];
+        app.package = telegram-desktop;
+        flatpak = {
+          appId = appId;
+        };
+        dbus = {
+          enable = true;
+          policies = {
+            "org.gnome.Mutter.IdleMonitor" = "talk";
+            "org.freedesktop.Notifications" = "talk";
+            "org.kde.StatusNotifierWatcher" = "talk";
+            "com.canonical.AppMenu.Registrar" = "talk";
+            "com.canonical.indicator.application" = "talk";
+            "org.ayatana.indicator.application" = "talk";
+            "org.sigxcpu.Feedback" = "talk";
+          };
+        };
+
+        bubblewrap = {
+          bind.rw = [
+            sloth.xdgDocumentsDir
+            sloth.xdgDownloadDir
+            sloth.xdgMusicDir
+            sloth.xdgVideosDir
+          ];
+          sockets = {
+            x11 = false;
+            wayland = true;
+            pipewire = true;
+          };
+        };
+      };
+  };
+  exePath = lib.getExe wrapped.config.script;
+in
+buildEnv {
+  inherit (wrapped.config.script) name meta passthru;
+  paths = [
+    wrapped.config.script
+    (makeDesktopItem {
+      name = appId;
+      desktopName = "Telegram";
+      comment = "New era of messaging";
+      tryExec = "${exePath}";
+      exec = "${exePath} -- %u";
+      icon = appId;
+      terminal = false;
+      type = "Application";
+      categories = [
+        "Chat"
+        "Network"
+        "InstantMessaging"
+        "Qt"
+      ];
+      mimeTypes = [
+        "x-scheme-handler/tg"
+        "x-scheme-handler/tonsite"
+      ];
+      keywords = [
+        "tg"
+        "chat"
+        "im"
+        "messaging"
+        "messenger"
+        "sms"
+        "tdesktop"
+      ];
+      extraConfig = {
+        X-Flatpak = appId;
+      };
+    })
+  ];
+}
diff --git a/home/linux/gui/base/misc.nix b/home/linux/gui/base/misc.nix
index 2368fc63..f0478d69 100644
--- a/home/linux/gui/base/misc.nix
+++ b/home/linux/gui/base/misc.nix
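Review bot: The `bind.rw` list in the new `bubblewrap` block gives the Telegram client write access to the whole Documents, Downloads, Music and Videos trees, which is more than a messaging client needs to attach files; only the place where received files land has to be writable. Mounting `sloth.xdgDocumentsDir`, `sloth.xdgMusicDir` and `sloth.xdgVideosDir` under `bind.ro` and keeping `sloth.xdgDownloadDir` under `bind.rw` limits what a compromised or misbehaving client can alter or delete, at the cost of "save as" into those folders, which should be an explicit choice rather than the default. The file also has no header comment; a line at the top such as `# Telegram Desktop sandboxed with nixpak: Wayland and PipeWire only (no X11 socket), D-Bus restricted to notifications, tray, app-menu and idle monitor` would tell the next reader what the profile intends. What `./modules/gui-base.nix`, `./modules/network.nix` and `./modules/common.nix` add on top (including where the app data directory ends up) cannot be checked from this hunk.

```nix
        bubblewrap = {
          # read-only: attachments can be picked from here, nothing written back
          bind.ro = [
            sloth.xdgDocumentsDir
            sloth.xdgMusicDir
            sloth.xdgVideosDir
          ];
          # read-write: only the directory that received files are saved to
          bind.rw = [
            sloth.xdgDownloadDir
          ];
          # … unchanged: sockets …
        };
```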
@@ -10,18 +10,16 @@ # do not support .pdf foliate - # instant messaging - telegram-desktop - # discord # update too frequently, use the web version instead - # remote desktop(rdp connect) remmina freerdp # required by remmina # my custom hardened packages pkgs.nixpaks.qq + pkgs.nixpaks.telegram-desktop # qqmusic pkgs.bwraps.wechat + # discord # update too frequently, use the web version instead ]; # allow fontconfig to discover fonts and configurations installed through home.packages diff --git a/hosts/idols-ai/preservation.nix b/hosts/idols-ai/preservation.nix index 9c78a32f..1b2681d9 100644 --- a/hosts/idols-ai/preservation.nix +++ b/hosts/idols-ai/preservation.nix @@ -248,13 +248,6 @@ in ".local/share/StardewValley" ".local/share/feral-interactive" - # ====================================== - # Instant Messaging - # ====================================== - ".config/QQ" - - ".local/share/TelegramDesktop" - # ====================================== # Meeting / Remote Desktop / Recording # ====================================== @@ -289,7 +282,7 @@ in # ====================================== ".local/share/containers" ".local/share/flatpak" - # flatpak app's data + # flatpak/nixpak app's data ".var" # ======================================