Merge pull request #166 from ryan4yin/nixpaks

feat: nixpakd-firefox
2026-04-24 01:38:28 +02:00 · 2024-09-25 19:54:43 +08:00
parent 9197bc7f0d 4236df4281
commit fed81fad1c
5 changed files with 18 additions and 14 deletions
--- a/hardening/README.md
+++ b/hardening/README.md
@@ -1,5 +1,7 @@
 # Linux Hardening
 > Work in progress.
 ## Goal
 - **System Level**: Protect critical files from being accessed by untrusted applications.
--- a/hardening/nixpaks/firefox.nix
+++ b/hardening/nixpaks/firefox.nix
@@ -61,11 +61,6 @@ mkNixPak {
      };
      bind.dev = [
        "/dev/shm" # Shared Memory
        # seems required when using nvidia as primary gpu
        "/dev/nvidia0"
        "/dev/nvidia-uvm"
        "/dev/nvidia-modeset"
      ];
      tmpfs = [
        "/tmp"
--- a/hardening/nixpaks/modules/gui-base.nix
+++ b/hardening/nixpaks/modules/gui-base.nix
@@ -31,7 +31,7 @@ in {
    };
    # https://github.com/nixpak/nixpak/blob/master/modules/gui/fonts.nix
    # it works not well, bind system's /etc/fonts directly instead
-    fonts.enable = true;
+    fonts.enable = false;
    # https://github.com/nixpak/nixpak/blob/master/modules/locale.nix
    locale.enable = true;
    bubblewrap = {
@@ -66,7 +66,19 @@ in {
        "/etc/fonts" # for fontconfig
        "/etc/machine-id"
        "/etc/localtime"
        # Fix: libEGL warning: egl: failed to create dri2 screen
        "/etc/egl"
        "/etc/static/egl"
      ];
      bind.dev = [
        # seems required when using nvidia as primary gpu
        "/dev/nvidia0"
        "/dev/nvidiactl"
        "/dev/nvidia-modeset"
        "/dev/nvidia-uvm"
      ];
      env = {
        XDG_DATA_DIRS = lib.mkForce (lib.makeSearchPath "share" [
          iconTheme
--- a/hardening/nixpaks/qq.nix
+++ b/hardening/nixpaks/qq.nix
@@ -45,11 +45,6 @@ mkNixPak {
      };
      bind.dev = [
        "/dev/shm" # Shared Memory
        # seems required when using nvidia as primary gpu
        "/dev/nvidia0"
        "/dev/nvidia-uvm"
        "/dev/nvidia-modeset"
      ];
      tmpfs = [
        "/tmp"
--- a/home/linux/gui/hyprland/values/wayland-apps.nix
+++ b/home/linux/gui/hyprland/values/wayland-apps.nix
@@ -22,9 +22,9 @@
    + (builtins.readFile "${nur-ryan4yin.packages.${pkgs.system}.catppuccin-foot}/catppuccin-mocha.conf");
  home.packages = [
-    pkgs.firefox-wayland
+    # pkgs.firefox-wayland
-    # pkgs.nixpaks.firefox
+    pkgs.nixpaks.firefox
-    # pkgs.nixpaks.firefox-desktop-item
+    pkgs.nixpaks.firefox-desktop-item
  ];
  programs = {