security: firejail firefox

micartey · micartey · commit 9a4b8a633bc4 · 2025-12-30T18:33:00.000+01:00
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -3,6 +3,7 @@
 
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
+    nixpkgs-legacy.url = "github:nixos/nixpkgs/nixos-25.05";
     nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
     nixpkgs-edge.url = "github:nixos/nixpkgs/nixos-unstable";
 
@@ -28,6 +29,7 @@
     {
       nixpkgs,
       nixpkgs-unstable,
+      nixpkgs-legacy,
       nixpkgs-edge,
       ...
     }@inputs:
@@ -48,6 +50,11 @@
         config.allowUnfree = true;
       };
 
+      pkgs-legacy = import nixpkgs-legacy {
+        inherit system;
+        config.allowUnfree = true;
+      };
+
       meta = {
         user = {
           description = "default non-root user";
@@ -70,6 +77,7 @@
             inherit
               inputs
               pkgs-unstable
+              pkgs-legacy
               pkgs-edge
               stateVersion
               meta
@@ -85,6 +93,7 @@
             inherit
               inputs
               pkgs-unstable
+              pkgs-legacy
               pkgs-edge
               system
               stateVersion
diff --git a/home-manager/apps/firefox.nix b/home-manager/apps/firefox.nix
@@ -1,6 +1,47 @@
-{ pkgs-unstable, ... }:
+{ pkgs, pkgs-unstable, ... }:
 
+let
+  firefox-wrapper = pkgs.writeShellScriptBin "firefox-firejail" ''
+    exec firejail --ignore=private-bin \
+      --env=XDG_DATA_DIRS="$XDG_DATA_DIRS" \
+      --env=GTK_THEME=Adwaita:dark \
+      --env=XCURSOR_PATH="$XCURSOR_PATH" \
+      --env=NIXOS_OZONE_WL=1 \
+      --noblacklist=/nix/store \
+      --read-only=/nix/store \
+      "$(readlink -f $(which firefox))" \
+      --no-remote "$@"
+  '';
+in
 {
+  home.packages = [ firefox-wrapper ];
+
+  # Override Firefox desktop entry to use firejail
+  xdg.desktopEntries.firefox = {
+    name = "Firefox";
+    genericName = "Web Browser";
+    exec = "firefox-firejail %U";
+    terminal = false;
+    categories = [
+      "Network"
+      "WebBrowser"
+    ];
+    mimeType = [
+      "text/html"
+      "text/xml"
+      "application/xhtml+xml"
+      "application/vnd.mozilla.xul+xml"
+      "application/rss+xml"
+      "application/rdf+xml"
+      "image/svg+xml"
+      "image/png"
+      "image/ico"
+      "image/gif"
+      "text/plain"
+    ];
+    icon = "firefox";
+  };
+
   programs.firefox = {
     enable = true;
     package = pkgs-unstable.firefox;
diff --git a/hosts/desktop/default.nix b/hosts/desktop/default.nix
@@ -3,6 +3,7 @@
   lib,
   pkgs,
   pkgs-edge,
+  pkgs-legacy,
   pkgs-unstable,
   stateVersion,
   meta,
@@ -21,6 +22,7 @@
       inherit
         inputs
         pkgs-edge
+        pkgs-legacy
         pkgs-unstable
         stateVersion
         meta
@@ -37,6 +39,7 @@
         lib
         pkgs
         pkgs-edge
+        pkgs-legacy
         pkgs-unstable
         stateVersion
         meta
diff --git a/modules/applications/sunshine.nix b/modules/applications/sunshine.nix
@@ -1,10 +1,11 @@
-{ ... }:
+{ pkgs-legacy, ... }:
 
 {
   # I don't need moonlight here on my main desktop as this is often the host
   # environment.systemPackages = with pkgs; [ moonlight-qt ];
 
   services.sunshine = {
+    package = pkgs-legacy.sunshine;
     enable = true;
     autoStart = false;
     capSysAdmin = true;
diff --git a/modules/security/firejail.nix b/modules/security/firejail.nix
@@ -0,0 +1,5 @@
+{ ... }:
+
+{
+  programs.firejail.enable = true;
+}

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +{ ... }:
++
 +{
 +  programs.firejail.enable = true;
 +}