feat: nixpak package sandboxing

2025-02-09 00:16:27 -03:00
parent 0a425f0252
commit 5e9284c874
4 changed files with 159 additions and 1 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -284,6 +284,27 @@
      }
    },
    "flake-parts_3": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "nixpak",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1738453229,
+        "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_4": {
      "inputs": {
        "nixpkgs-lib": "nixpkgs-lib"
      },
@@ -561,6 +582,31 @@
        "type": "github"
      }
    },
+    "hercules-ci-effects_2": {
+      "inputs": {
+        "flake-parts": [
+          "nixpak",
+          "flake-parts"
+        ],
+        "nixpkgs": [
+          "nixpak",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1738237977,
+        "narHash": "sha256-oJN/yvRL7G0WlR/hTkQIjFbPkzCV+sFnNB/38Tb9RL4=",
+        "owner": "hercules-ci",
+        "repo": "hercules-ci-effects",
+        "rev": "6d1b6d5d59758b4f5f05745f774fc13cdc59da43",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "hercules-ci-effects",
+        "type": "github"
+      }
+    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@@ -921,6 +967,28 @@
        "type": "github"
      }
    },
+    "nixpak": {
+      "inputs": {
+        "flake-parts": "flake-parts_3",
+        "hercules-ci-effects": "hercules-ci-effects_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1738808839,
+        "narHash": "sha256-/Y0RSTyDOA7m3p9hXz4oFzHE34eaJ5Ffbwuq0qA2YZI=",
+        "owner": "nixpak",
+        "repo": "nixpak",
+        "rev": "8766590d404bb6864fa26f86c1fbb36901b982cb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixpak",
+        "repo": "nixpak",
+        "type": "github"
+      }
+    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1728241625,
@@ -1105,6 +1173,7 @@
      "inputs": {
        "dot013-nvim": "dot013-nvim",
        "home-manager": "home-manager",
+        "nixpak": "nixpak",
        "nixpkgs": "nixpkgs_4",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "sops-nix": "sops-nix",
@@ -1392,7 +1461,7 @@
      "inputs": {
        "crane": "crane",
        "devshell": "devshell",
-        "flake-parts": "flake-parts_3",
+        "flake-parts": "flake-parts_4",
        "home-manager": "home-manager_2",
        "hyprland": "hyprland",
        "nixpkgs": [
--- a/flake.nix
+++ b/flake.nix
@@ -24,6 +24,11 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

+    nixpak = {
+      url = "github:nixpak/nixpak";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
    # Dependecy of the Neovim configuration at ./modules/home-manager/devenv.nix
    dot013-nvim = {
      url = "github:dot013/nvim";
@@ -110,6 +115,10 @@

    packages = forAllSystems (pkgs: {
      zen-browser = pkgs.callPackage ./packages/zen-browser {};
+      nixpak = import ./packages/nixpak {
+        inherit (pkgs) lib;
+        inherit pkgs inputs;
+      };
    });
  };
 }
--- a/packages/nixpak/default.nix
+++ b/packages/nixpak/default.nix
@@ -0,0 +1,10 @@
+{
+  inputs,
+  pkgs,
+  lib,
+}: let
+  mkNixPak = inputs.nixpak.lib.nixpak {
+    inherit lib pkgs;
+  };
+in {
+}
--- a/packages/nixpak/modules/gui-base.nix
+++ b/packages/nixpak/modules/gui-base.nix
@@ -0,0 +1,70 @@
+{
+  config,
+  lib,
+  pkgs,
+  sloth,
+  ...
+}: {
+  config = {
+    dbus.policies = {
+      "${config.flatpak.appId}" = "own";
+      "org.freedesktop.DBus" = "talk";
+      "org.gtk.vfs.*" = "talk";
+      "org.gtk.vfs" = "talk";
+      "ca.desrt.dconf" = "talk";
+      "org.freedesktop.portal" = "talk";
+      "org.a11y.Bus" = "talk";
+    };
+
+    gpu.enable = lib.mkDefault true;
+    gpu.provider = "bundle";
+
+    fonts.enable = true;
+
+    locale.enable = true;
+
+    bubblewrap = {
+      network = lib.mkDefault false;
+
+      sockets = {
+        wayland = true;
+        pulse = true;
+      };
+
+      bind.rw = [
+        [sloth.appCacheDir sloth.xdgCacheHome]
+        (sloth.concat' sloth.xdgCacheHome "/fontconfig")
+        (sloth.concat' sloth.xdgCacheHome "/mesa_shader_cache")
+
+        (sloth.concat' sloth.runtimeDir "/at-spi/bus")
+        (sloth.concat' sloth.runtimeDir "/gvfsd")
+      ];
+      bind.ro = [
+        (sloth.concat' sloth.runtimeDir "/doc")
+
+        # Follow user theme
+
+        ## Access to user theme config
+        (sloth.concat' sloth.xdgConfigHome "/gtk-2.0")
+        (sloth.concat' sloth.xdgConfigHome "/gtk-3.0")
+        (sloth.concat' sloth.xdgConfigHome "/gtk-4.0")
+        (sloth.concat' sloth.xdgConfigHome "/fontconfig")
+
+        ## Access to user themes
+        (sloth.concat' sloth.homeDir "/.themes")
+        (sloth.concat' sloth.homeDir "/.icons")
+      ];
+
+      env = {
+        "XDG_DATA_DIRS" = lib.makeSearchPath "share" (with pkgs; [
+          adwaita-icon-theme
+          shared-mime-info
+        ]);
+        "XCURSOR_PATH" = lib.concatStringsSep ":" (with pkgs; [
+          "${adwaita-icon-theme}/share/icons"
+          "${adwaita-icon-theme}/share/pixmaps"
+        ]);
+      };
+    };
+  };
+}