Firejail: Difference between revisions
imported>Onny Remove unneeded workaround in Signal-Desktop example |
(5 intermediate revisions by 2 users not shown) | |||
Line 44: | Line 44: | ||
}; | }; | ||
signal-desktop = { | signal-desktop = { | ||
executable = "${pkgs.signal-desktop}/bin/signal-desktop -- | # Enable tray icon otherwise Signal window might be hidden | ||
executable = "${pkgs.signal-desktop}/bin/signal-desktop --use-tray-icon"; | |||
profile = "${pkgs.firejail}/etc/firejail/signal-desktop.profile"; | profile = "${pkgs.firejail}/etc/firejail/signal-desktop.profile"; | ||
extraArgs = [ "--env=GTK_THEME=Adwaita:dark" ]; | extraArgs = [ | ||
# Enforce dark mode | |||
"--env=GTK_THEME=Adwaita:dark" | |||
# Enable Wayland mode | |||
"--env=NIXOS_OZONE_WL=1" | |||
# Allow tray icon (should be upstreamed into signal-desktop.profile) | |||
"--dbus-user.talk=org.kde.StatusNotifierWatcher" | |||
]; | |||
}; | }; | ||
}; | }; | ||
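Review bot: The new extraArgs entry --dbus-user.talk=org.kde.StatusNotifierWatcher widens what the sandboxed Signal process may reach on the session bus, and its comment only says it should be upstreamed. Tie it explicitly to the --use-tray-icon flag added on the executable line, so a reader who drops the tray icon also drops the D-Bus permission. The "Enable Wayland mode" entry would likewise benefit from a note that it can be omitted on X11 sessions, since the example otherwise reads as if all three arguments are required.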
Line 129: | Line 137: | ||
You can use a custom DNS server if you don't want to use the one of your system. In this example, it's a server by the German privacy NGO [https://digitalcourage.de/support/zensurfreier-dns-server Digitalcourage]. | You can use a custom DNS server if you don't want to use the one of your system. In this example, it's a server by the German privacy NGO [https://digitalcourage.de/support/zensurfreier-dns-server Digitalcourage]. | ||
Using [[networkd | Using [[Systemd/networkd/dispatcher]] it is possible to restart the Tor daemon every time network reconnect is performaed. This avoids having to wait for Tor network timeouts and reastablishes a new connection faster. | ||
For a detailed explanation on this setup refer the [https://www.void.gr/kargig/blog/2016/12/12/firejail-with-tor-howto original guide]. Please note that this is a experimental setup which doesn't guarantee anonymity or security in any circumstances. | For a detailed explanation on this setup refer the [https://www.void.gr/kargig/blog/2016/12/12/firejail-with-tor-howto original guide]. Please note that this is a experimental setup which doesn't guarantee anonymity or security in any circumstances. | ||
=== Add Desktop Icons to Firejailed Apps === | === Add Desktop Icons to Firejailed Apps === | ||
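Review bot: The rewritten sentence on the new side contains two typos, "performaed" and "reastablishes"; they should read "performed" and "re-establishes". While this paragraph is being touched, the unchanged line after it could be fixed too: "refer the" should be "refer to the" and "a experimental" should be "an experimental", since that sentence carries the caveat that the setup does not guarantee anonymity or security.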
Line 160: | Line 168: | ||
home.file.".local/share/icons/hicolor/128x128/apps/google-chrome.png".source = "${pkgs.google-chrome}/share/icons/hicolor/128x128/apps/google-chrome.png"; | home.file.".local/share/icons/hicolor/128x128/apps/google-chrome.png".source = "${pkgs.google-chrome}/share/icons/hicolor/128x128/apps/google-chrome.png"; | ||
home.file.".local/share/icons/hicolor/256x256/apps/google-chrome.png".source = "${pkgs.google-chrome}/share/icons/hicolor/256x256/apps/google-chrome.png"; | home.file.".local/share/icons/hicolor/256x256/apps/google-chrome.png".source = "${pkgs.google-chrome}/share/icons/hicolor/256x256/apps/google-chrome.png"; | ||
</syntaxhighlight> | |||
Another way to do this is to create a package with the firejailed application icons. This way, it can be done without home manager, and thus have the icons for all users. | |||
<syntaxhighlight lang="nix"> | |||
environment.systemPackages = [ | |||
( | |||
let | |||
packages = with pkgs; [ | |||
electrum | |||
firefox | |||
mpv | |||
gajim | |||
tor-browser | |||
vlc | |||
]; | |||
in | |||
pkgs.runCommand "firejail-icons" | |||
{ | |||
preferLocalBuild = true; | |||
allowSubstitutes = false; | |||
meta.priority = -1; | |||
} | |||
'' | |||
mkdir -p "$out/share/icons" | |||
${lib.concatLines (map (pkg: '' | |||
tar -C "${pkg}" -c share/icons -h --mode 0755 -f - | tar -C "$out" -xf - | |||
'') packages)} | |||
find "$out/" -type f -print0 | xargs -0 chmod 0444 | |||
find "$out/" -type d -print0 | xargs -0 chmod 0555 | |||
'' | |||
) | |||
]; | |||
</syntaxhighlight> | </syntaxhighlight> | ||
[[Category:Applications]] | [[Category:Applications]] | ||
[[Category:Security]] | [[Category:Security]] |
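Review bot: The added runCommand example leaves meta.priority = -1 and the tar -h flag unexplained, and it uses lib.concatLines without saying that lib has to be in scope alongside pkgs. Add a short comment for each, in particular that the priority setting decides which copy wins when this package's share/icons collides with another package's in the system profile. The left-hand tar in the pipeline also reports an error for any listed package that has no share/icons directory, so either state that the list must only contain packages shipping icons or guard the copy with a check such as [ -d "${pkg}/share/icons" ] before running tar.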