From 9849923180e01cfb281eb9ce8e77a99818933fe2 Mon Sep 17 00:00:00 2001
From: Ryan Yin
Date: Thu, 19 Jun 2025 00:13:49 +0800
Subject: [PATCH] refactor: nixpak apps

---
 hardening/nixpaks/firefox.nix | 6 ------
 hardening/nixpaks/modules/gui-base.nix | 6 ++++++
 hardening/nixpaks/qq.nix | 6 ------
 hardening/nixpaks/wechat-uos.nix | 12 ++++--------
 4 files changed, 10 insertions(+), 20 deletions(-)

diff --git a/hardening/nixpaks/firefox.nix b/hardening/nixpaks/firefox.nix
index 7379dd50..c541ef74 100644
--- a/hardening/nixpaks/firefox.nix
+++ b/hardening/nixpaks/firefox.nix
@@ -79,12 +79,6 @@ mkNixPak {
 wayland = true;
 pipewire = true;
 };
- bind.dev = [
- "/dev/shm" # Shared Memory
- ];
- tmpfs = [
- "/tmp"
- ];
 };
 };
 }
diff --git a/hardening/nixpaks/modules/gui-base.nix b/hardening/nixpaks/modules/gui-base.nix
index 2d786981..44e7e5e4 100644
--- a/hardening/nixpaks/modules/gui-base.nix
+++ b/hardening/nixpaks/modules/gui-base.nix
@@ -72,6 +72,8 @@ in {
 "/etc/static/egl"
 ];
 bind.dev = [
+ "/dev/shm" # Shared Memory
+
 # seems required when using nvidia as primary gpu
 "/dev/nvidia0"
 "/dev/nvidiactl"
@@ -79,6 +81,10 @@ in {
 "/dev/nvidia-uvm"
 ];
 
+ tmpfs = [
+ "/tmp"
+ ];
+
 env = {
 XDG_DATA_DIRS = lib.mkForce (lib.makeSearchPath "share" [
 iconTheme
diff --git a/hardening/nixpaks/qq.nix b/hardening/nixpaks/qq.nix
index 7190dba9..4f5003cb 100644
--- a/hardening/nixpaks/qq.nix
+++ b/hardening/nixpaks/qq.nix
@@ -57,12 +57,6 @@ mkNixPak {
 wayland = true;
 pipewire = true;
 };
- bind.dev = [
- "/dev/shm" # Shared Memory
- ];
- tmpfs = [
- "/tmp"
- ];
 };
 };
 }
diff --git a/hardening/nixpaks/wechat-uos.nix b/hardening/nixpaks/wechat-uos.nix
index 032cebc2..2bfb0523 100644
--- a/hardening/nixpaks/wechat-uos.nix
+++ b/hardening/nixpaks/wechat-uos.nix
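Review bot: Binding the host `/dev/shm` into every sandbox built on this module (the first added line of the `bind.dev` list in gui-base.nix) puts all GUI apps into one host-wide POSIX shared-memory namespace, so a segment one sandboxed app creates there is reachable by name from every other gui-base consumer and from the host; before this refactor each app opted into that individually, now it is the default for all of them. A private tmpfs, as the second hunk already does for `/tmp`, gives an app working shared memory without the cross-sandbox visibility: `tmpfs = [ "/tmp" "/dev/shm" ];` and drop the `/dev/shm` entry from `bind.dev`. If some consumer genuinely needs the host's segments (typically X11 MIT-SHM with `x11 = true`), that app can keep a per-app `bind.dev` override, and the `# Shared Memory` comment should then say why the host path rather than a tmpfs is bound. The enclosing `in { ... }` attrset starts and ends outside the hunk.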
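Review bot: The new `tmpfs = [ "/tmp" ];` in the second gui-base.nix hunk carries no comment, yet because this module is shared it silently changes what every GUI sandbox sees under /tmp: an empty, per-sandbox tmpfs instead of the host directory. A one-line comment such as `# private per-sandbox /tmp: keeps temp files out of the host /tmp and out of sight of other sandboxes` would record the intent for the next person who removes it to "fix" a missing file. If any consumer relied on host /tmp for files handed to other programs, that app now needs an explicit bind in its own config; the per-app files in this patch do not show such a case. The enclosing attrset continues outside the hunk.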
@@ -46,21 +46,17 @@ mkNixPak {
 # given the read write permission to the following directories.
 # NOTE: sloth.mkdir is used to create the directory if it does not exist!
 (sloth.mkdir (sloth.concat [sloth.homeDir "/.xwechat"]))
- (sloth.mkdir (sloth.concat [sloth.xdgDocumentsDir "/xwechat_files"]))
- (sloth.mkdir (sloth.concat [sloth.xdgDocumentsDir "/WeChat_Data/"]))
+
+ sloth.xdgDocumentsDir
 sloth.xdgDownloadDir
+ sloth.xdgMusicDir
+ sloth.xdgVideosDir
 ];
 sockets = {
 x11 = false;
 wayland = true;
 pipewire = true;
 };
- bind.dev = [
- "/dev/shm" # Shared Memory
- ];
- tmpfs = [
- "/tmp"
- ];
 env = {
 # Hidpi scale