Firejail: Difference between revisions

← Older edit

Firejail (view source)

Revision as of 21:01, 25 June 2024

1,010 bytes added , Tuesday at 21:01

m

→‎Torify application traffic

VisualWikitext

Klinger

trusted

602

edits

@@ Line 44: / Line 44: @@
      };
      signal-desktop = {
-       executable = "${pkgs.signal-desktop}/bin/signal-desktop --enable-features=UseOzonePlatform --ozone-platform=wayland";
+      # Enable tray icon otherwise Signal window might be hidden
+       executable = "${pkgs.signal-desktop}/bin/signal-desktop --use-tray-icon";
        profile = "${pkgs.firejail}/etc/firejail/signal-desktop.profile";
-       extraArgs = [ "--env=LC_ALL=C" "--env=GTK_THEME=Adwaita:dark" ];
+       extraArgs = [
+        # Enforce dark mode
+        "--env=GTK_THEME=Adwaita:dark"
+        # Enable Wayland mode
+        "--env=NIXOS_OZONE_WL=1"
+        # Allow tray icon (should be upstreamed into signal-desktop.profile)
+        "--dbus-user.talk=org.kde.StatusNotifierWatcher"
+      ];
      };
    };
@@ Line 55: / Line 63: @@
 === Torify application traffic ===
-{{Note|Parts of this instruction are not yet stable and will be available in the upcoming NixOS 23.05 release.}}
 The following example configuration creates a virtual network bridge which can be used in Firejail as an isolated network namespace. All traffic originating from this interface will be routed through a local [[Tor]] service which will therefore anonymize your internet traffic.
@@ Line 131: / Line 137: @@
 You can use a custom DNS server if you don't want to use the one of your system. In this example, it's a server by the German privacy NGO [https://digitalcourage.de/support/zensurfreier-dns-server Digitalcourage].
-Using [[networkd-dispatcher]] it is possible to restart the Tor daemon every time network reconnect is performaed. This avoids having to wait for Tor network timeouts and reastablishes a new connection faster.
+Using [[Systemd/networkd/dispatcher]] it is possible to restart the Tor daemon every time network reconnect is performaed. This avoids having to wait for Tor network timeouts and reastablishes a new connection faster.
 For a detailed explanation on this setup refer the [https://www.void.gr/kargig/blog/2016/12/12/firejail-with-tor-howto original guide]. Please note that this is a experimental setup which doesn't guarantee anonymity or security in any circumstances.
 === Add Desktop Icons to Firejailed Apps ===
@@ Line 162: / Line 168: @@
 home.file.".local/share/icons/hicolor/128x128/apps/google-chrome.png".source = "${pkgs.google-chrome}/share/icons/hicolor/128x128/apps/google-chrome.png";
 home.file.".local/share/icons/hicolor/256x256/apps/google-chrome.png".source = "${pkgs.google-chrome}/share/icons/hicolor/256x256/apps/google-chrome.png";
+</syntaxhighlight>
+Another way to do this is to create a package with the firejailed application icons. This way, it can be done without home manager, and thus have the icons for all users.
+<syntaxhighlight lang="nix">
+environment.systemPackages = [
+  (
+    let
+      packages = with pkgs; [
+        electrum
+        firefox
+        mpv
+        gajim
+        tor-browser
+        vlc
+      ];
+    in
+    pkgs.runCommand "firejail-icons"
+      {
+        preferLocalBuild = true;
+        allowSubstitutes = false;
+        meta.priority = -1;
+      }
+      ''
+        mkdir -p "$out/share/icons"
+        ${lib.concatLines (map (pkg: ''
+          tar -C "${pkg}" -c share/icons -h --mode 0755 -f - | tar -C "$out" -xf -
+        '') packages)}
+        find "$out/" -type f -print0 | xargs -0 chmod 0444
+        find "$out/" -type d -print0 | xargs -0 chmod 0555
+      ''
+  )
+];
 </syntaxhighlight>
 [[Category:Applications]]
 [[Category:Security]]