feat: hardening nixos desktops (#160)

* feat: hardening nixos desktops * refactor: move hardening to the root folder * feat: add nixpaks into nixpkgs via overlays * feat: nixpak - add netease music * docs: hardening * fix: nvidia * fix: disable apparmor & hardening profile to avoid neovim being killed * fix: firefox cursor & fonts
2026-05-19 14:17:26 +02:00 · 2024-09-05 23:59:39 +08:00
parent 773688a9e5
commit df9ca7aefa
21 changed files with 626 additions and 13 deletions
@@ -0,0 +1,35 @@
+# https://www.reddit.com/r/NixOS/comments/1b56jdx/simple_nix_function_for_wrapping_executables_with/
+pkgs: {
+  name ? "firejail-wrapper",
+  executable,
+  desktop ? null,
+  profile ? null,
+  extraArgs ? [],
+}:
+pkgs.runCommand name
+{
+  preferLocalBuild = true;
+  allowSubstitutes = false;
+  meta.priority = -1; # take precedence over non-firejailed versions
+}
+(
+  let
+    firejailArgs = pkgs.lib.concatStringsSep " " (
+      extraArgs ++ (pkgs.lib.optional (profile != null) "--profile=${toString profile}")
+    );
+  in
+    ''
+      command_path="$out/bin/$(basename ${executable})-jailed"
+      mkdir -p $out/bin
+      mkdir -p $out/share/applications
+      cat <<'_EOF' >"$command_path"
+      #! ${pkgs.runtimeShell} -e
+      exec /run/wrappers/bin/firejail ${firejailArgs} -- ${toString executable} "\$@"
+      _EOF
+      chmod 0755 "$command_path"
+    ''
+    + pkgs.lib.optionalString (desktop != null) ''
+      substitute ${desktop} $out/share/applications/$(basename ${desktop}) \
+        --replace ${executable} "$command_path"
+    ''
+)