firejail: remove chat apps

2024-04-01 17:17:36 +02:00 · 2024-04-01 17:17:36 +02:00 · 5ee63e7e1c
parent e127ae6062
commit 5ee63e7e1c
4 changed files with 27 additions and 19 deletions
--- a/modules/core/hardening.nix
+++ b/modules/core/hardening.nix
@ -34,22 +34,10 @@ in {
  # required to run chromium
  security.chromiumSuidSandbox.enable = true;

-  # enable firejail
-  programs.firejail.enable = true;
-
  # create system-wide executables firefox and chromium
  # that will wrap the real binaries so everything
  # work out of the box.
-  programs.firejail.wrappedBinaries = {
-    firefox = {
-      executable = "${pkgs.lib.getBin pkgs.firefox}/bin/firefox";
-      profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
-    };
-    ungoogled-chromium = {
-      executable = "${pkgs.lib.getBin pkgs.ungoogled-chromium}/bin/chromium";
-      profile = "${pkgs.firejail}/etc/firejail/chromium.profile";
-    };
-  };
+  programs.firejail.enable = true;

  # enable antivirus clamav and
  # keep the signatures' database updated
--- a/modules/desktop-extended/default.nix
+++ b/modules/desktop-extended/default.nix
@ -11,14 +11,12 @@ in {
  hardware.logitech.wireless.enable = true;

  users.users."${psCfg.user.name}".packages = with pkgs; [
-    ungoogled-chromium
    wine

    gimp
    present-md
    inkscape
    gpxsee
-    digikam
    nix-output-monitor
    tigervnc
    nodejs
@ -28,8 +26,6 @@ in {
    signal-desktop
    tdesktop
    element-desktop
-    cinny-desktop
-    irssi

    # Nix specific utilities
    alejandra
@ -39,6 +35,25 @@ in {
    nvd
  ];

+  programs.firejail.wrappedBinaries = {
+    chromium = {
+      executable = "${pkgs.lib.getBin pkgs.ungoogled-chromium}/bin/chromium";
+      profile = "${pkgs.firejail}/etc/firejail/chromium.profile";
+    };
+    # signal-desktop = {
+    #   executable = "${pkgs.lib.getBin pkgs.signal-desktop}/bin/signal-desktop";
+    #   profile = "${pkgs.firejail}/etc/firejail/signal-desktop.profile";
+    # };
+    # telegram-desktop = {
+    #   executable = "${pkgs.lib.getBin pkgs.tdesktop}/bin/telegram-desktop";
+    #   profile = "${pkgs.firejail}/etc/firejail/telegram-desktop.profile";
+    # };
+    # element-desktop = {
+    #   executable = "${pkgs.lib.getBin pkgs.element-desktop}/bin/element-desktop";
+    #   profile = "${pkgs.firejail}/etc/firejail/element-desktop.profile";
+    # };
+  };
+
  fonts = {
    packages = with pkgs; [
      dejavu_fonts
--- a/modules/graphical/default.nix
+++ b/modules/graphical/default.nix
@ -88,7 +88,6 @@ in {

    users.users."${psCfg.user.name}".packages = with pkgs; [
      alacritty
-      firefox-wayland
      flameshot
      gnome.adwaita-icon-theme
      gnome.eog
@ -103,6 +102,13 @@ in {
      wcwd
    ];

+    programs.firejail.wrappedBinaries = {
+      firefox = {
+        executable = "${pkgs.lib.getBin pkgs.firefox-wayland}/bin/firefox";
+        profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
+      };
+    };
+
    home-manager.users."${psCfg.user.name}" = {
      home.file."xinitrc".source = ./.xinitrc;
      xdg.configFile."alacritty/alacritty.yml".source = yamlFormat.generate "alacritty.yml" (import ./alacritty.nix);
--- a/modules/persistence/default.nix
+++ b/modules/persistence/default.nix
@ -8,7 +8,6 @@
      "/var/lib/nixos"
      "/var/lib/systemd/coredump"
      "/etc/NetworkManager/system-connections"
-      "/etc/firejail"
    ];

    files = [