From f54bcb2020d360c6f139c8fa6ad065a71fab4a49 Mon Sep 17 00:00:00 2001 From: Jonas Heinrich <onny@project-insanity.org> Date: Wed, 5 Jan 2022 13:00:31 +0100 Subject: [PATCH] update to flake and nixos 21.11 --- configuration.nix | 79 ++++----- flake.lock | 65 ++++++++ flake.nix | 48 ++++++ home.nix | 396 +++++++++++++++++++++++----------------------- security.nix | 13 ++ 5 files changed, 351 insertions(+), 250 deletions(-) create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 security.nix diff --git a/configuration.nix b/configuration.nix index ac2bdd2..25d8bd2 100644 --- a/configuration.nix +++ b/configuration.nix @@ -11,14 +11,11 @@ let "Qcb0vISeK5W" ]; - # FIXME - unstableTarball = - fetchTarball - https://github.com/NixOS/nixpkgs/archive/nixos-unstable.tar.gz; - in { + nixpkgs.config.allowUnfree = true; + # FIXME nixpkgs = { overlays = [ @@ -28,20 +25,13 @@ in "https://github.com/onny/nixpkgs/archive/4d6cb6b4c8ebc35d848fe0ef5cda1ce5fcd6e072.tar.gz"; sha256 = "1ymfdil2z2q3sbdfgqhqn4wyz0p53q2ypj1bss8qgbmkilq1lxn4"; }) {}).opensnitch; + #cups = (import (builtins.fetchTarball { + # url = + # "https://github.com/onny/nixpkgs/archive/cups.tar.gz"; + # sha256 = "06zh26jw8vbhahcapj7c47mswnrl4vzdzyxldgv1x4xzv7mnvr6h"; + #}) {}).cups; }) ]; - config = { - packageOverrides = pkgs: rec { - nur = import (builtins.fetchTarball "https://github.com/nix-community/NUR/archive/master.tar.gz") { - inherit pkgs; - }; - unstable = import unstableTarball { - config = config.nixpkgs.config; - }; - }; - allowUnfree = true; # FIXME - allowBroken = true; # FIXME For linux-libre - }; }; imports = 
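Review bot: The opensnitch override kept in the overlay still imports a whole nixpkgs fork through `builtins.fetchTarball`, so that source stays outside flake.lock while the rest of the system moves to locked flake inputs in this commit. It is pinned by commit and sha256, so integrity is covered, but it will not appear in lock-file review or `nix flake update`. Declaring it as an input, e.g. `nixpkgs-onny.url = "github:onny/nixpkgs/4d6cb6b4c8ebc35d848fe0ef5cda1ce5fcd6e072";`, would put every source under one lock. The commented-out `cups` block added here and the commented `py-iwd-autocaptiveauth` import in the next hunk both pair a fixed sha256 with a branch archive (`cups.tar.gz`, `master`), which stops evaluating as soon as the branch moves; pin a commit archive before re-enabling them. The `let`/`in` body this hunk edits starts and ends outside the hunk.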
@@ -51,7 +41,10 @@ in ./security.nix ./sway.nix ./home.nix - "${fetchTarball "https://git.project-insanity.org/onny/py-iwd-autocaptiveauth/-/archive/master/py-iwd-autocaptiveauth-master.tar.gz"}/nixos" # FIXME + #"${fetchTarball { + # url = "https://git.project-insanity.org/onny/py-iwd-autocaptiveauth/-/archive/master/py-iwd-autocaptiveauth-master.tar.gz"; + # sha256 = "0sg3syb2b0f2nbyy55a6f50hfzb5cm7yqf12yrgi9j43niyryvvl"; + #}}/nixos" # FIXME ]; # FIXME: Setup for non-uefi @@ -63,9 +56,6 @@ in enableCryptodisk = true; }; #kernelPackages = pkgs.linuxPackages_latest-libre; # FIXME - extraModulePackages = [ - config.boot.kernelPackages.v4l2loopback - ]; cleanTmpDir = true; }; @@ -91,7 +81,7 @@ in nix-index # core - nload nox wget fwup wirelesstools p7zip fd bat ripgrep unrar file acpid + nload nox wget fwup wirelesstools p7zip fd bat ripgrep file acpid unrar tmux mosh wipe rsync openssl calc bc ethtool sshfs nfs-utils gnome-firmware-updater bluez aria2 sd jq wdisplays lrzip appimage-run exfatprogs exfat killall pwgen ntfs3g unzip @@ -113,7 +103,6 @@ in # security gnome-passwordsafe lynis gnupg - opensnitch-ui # FIXME # networking soulseekqt openvpn fragments @@ -137,24 +126,16 @@ in pygobject3 urwid pdfkit libvirt pyusb gobject-introspection ])) unstable.nixopsUnstable # FIXME: Waiting for version 2.0 in stable - unstable.ventoy-bin # FIXME + ventoy-bin # FIXME # device support libimobiledevice libirecovery idevicerestore # temp - xwayland - xorg.xhost - #iptables-nftables-compat - iptables - nur.repos.onny.librewolf-bin # FIXME - nur.repos.onny.snipping_tool # FIXME convert to flake - gnome3.adwaita-icon-theme # should be added as a dependency - # for example for: foliate, fragments - breeze-icons - libsForQt5.kwayland - qt5.qtwayland + #nur.repos.onny.librewolf-bin # FIXME + #nur.repos.onny.snipping_tool # FIXME convert to flake # FIXME missing: vlc-bittorrent, popcorntime + ]; virtualisation = { 
@@ -166,23 +147,15 @@ in enableOnBoot = false; }; - }; + spiceUSBRedirection.enable = true; - # polkit and wrapper required to make usb redirection work in - # gnome-boxes / libvirt - # bug https://github.com/NixOS/nixpkgs/issues/60594 - # rtkit required for pipewire - security = { - polkit.enable = true; - rtkit.enable = true; - #wrappers.spice-client-glib-usb-acl-helper.source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper"; # FIXME, failed with 21.11 }; - fonts = { - fonts = with pkgs; [ + security.rtkit.enable = true; # required for pipewire + + fonts.fonts = with pkgs; [ font-awesome-ttf - ]; - }; + ]; hardware = { @@ -243,7 +216,7 @@ in davfs2.enable = true; - iwd-autocaptiveauth.enable = true; + #iwd-autocaptiveauth.enable = true; usbmuxd = { enable = true; @@ -262,15 +235,21 @@ in ]; }; - devmon.enable = true; + devmon.enable = true; + logind.lidSwitch = "ignore"; + blueman.enable = true; + tor = { enable = true; client.enable = true; }; + gvfs.enable = true; + fwupd.enable = true; + zerotierone = { enable = false; port = 9993; diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..ae62e08 --- /dev/null +++ b/flake.lock 
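Review bot: `spiceUSBRedirection.enable = true;` replaces the removed polkit/wrapper block without any comment on what it grants. As far as I know this NixOS option installs the SPICE USB ACL helper setuid, which lets any local user pass arbitrary USB devices to a VM, so it deserves a line such as `# setuid spice-client-glib-usb-acl-helper: local users get raw USB device access (needed for gnome-boxes / libvirt)`. The hunk also drops `security.polkit.enable = true` along with the comment saying polkit was required for redirection; presumably another module still enables it, but that is worth confirming on 21.11. The `virtualisation` block starts outside the hunk.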
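Review bot: `logind.lidSwitch = "ignore";` in the last configuration.nix hunk means closing the lid neither suspends nor locks the machine, and the only lock path visible in this patch is the `XF86WebCam` swaylock binding in home.nix. With `enableCryptodisk = true` in the boot section, that leaves an unlocked session on an unlocked encrypted disk behind a closed lid. If the aim is only to avoid suspend, `logind.lidSwitch = "lock";` (with something in the sway session, e.g. swayidle, reacting to the lock signal) would keep that behaviour without leaving the session open. Otherwise a comment stating why `ignore` is wanted would make the choice explicit. The surrounding `services` block starts and ends outside the hunk.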
@@ -0,0 +1,65 @@ +{ + "nodes": { + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs-unstable" + ] + }, + "locked": { + "lastModified": 1640417317, + "narHash": "sha256-jT2uMARXs0Xm65ccroFsKyr4LTHSecw+9HAnmBdJO8U=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "48f2b381dd397ec88040d3354ac9c036739ba139", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "home-manager", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1640264129, + "narHash": "sha256-gfTFmZhnHE9G+Tr0fdMmo6p/FHi5QpkO9oPPYSu6JO0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "1158f3463912d54cc981d61213839ec6c02570d3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-21.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1640328990, + "narHash": "sha256-KQbvJx4qO9bo04tfTZuISyY4vRC5k3ZB3lyLS21XWIw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ab93217a2b74a1c36bc892c14f44ee5959c33f12", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixpkgs-unstable", + "type": "indirect" + } + }, + "root": { + "inputs": { + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "nixpkgs-unstable": "nixpkgs-unstable" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..002d930 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,48 @@
+{
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.11";
+ nixpkgs-unstable.url = "nixpkgs/nixpkgs-unstable"; # FIXME
+ home-manager = {
+ # url = "github:rycee/home-manager/release-21.11";
+ url = "github:nix-community/home-manager/master";
+ inputs.nixpkgs.follows = "nixpkgs-unstable"; # FIXME
+ };
+ };
+
+ outputs = inputs: {
+
+ nixosConfigurations.tuxzentrale = inputs.nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ inputs.home-manager.nixosModules.home-manager
+
+ ({ pkgs, ... }:
+
+ # FIXME
+ let
+ overlay-unstable = final: prev: {
+ unstable = inputs.nixpkgs-unstable.legacyPackages.${prev.system};
+ };
+
+ in {
+
+ # FIXME
+ nix = {
+ extraOptions = "experimental-features = nix-command flakes";
+ package = pkgs.nixFlakes;
+ registry.nixpkgs.flake = inputs.nixpkgs;
+ };
+
+ home-manager.useGlobalPkgs = true;
+
+ # FIXME
+ nixpkgs.overlays = [ overlay-unstable ];
+
+ })
+
+ ./configuration.nix
+
+ ];
+ };
+ };
+}
diff --git a/home.nix b/home.nix
index d639d74..50776e3 100644
--- a/home.nix
+++ b/home.nix
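Review bot: `nixpkgs-unstable.url = "nixpkgs/nixpkgs-unstable";` is an indirect reference (flake.lock records it as `"type": "indirect"`), so what it resolves to on the next `nix flake update` depends on the flake registry of the machine running the update, and this same module repoints `registry.nixpkgs` at the 21.11 input. Spelling the source out, `nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";`, keeps input resolution independent of local registry state. Separately, home-manager tracks `master` and follows `nixpkgs-unstable` while the system is built from `nixos-21.11` with `useGlobalPkgs = true`. The commented `release-21.11` line looks like the matching branch, and the bare `# FIXME` markers would be more useful if they said which of these mismatches they refer to.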
@@ -5,233 +5,229 @@ let in { - imports = - [ - /home/onny/projects/home-manager/nixos # FIXME - #"${builtins.fetchTarball https://github.com/rycee/home-manager/archive/release-21.11.tar.gz}/nixos" - ]; + home-manager.users.onny = { - home-manager = { - users.onny = { + services.opensnitch-ui.enable = true; - services.opensnitch-ui.enable = true; + programs = { - programs = { - - git = { - enable = true; - userName = "Jonas Heinrich"; - userEmail = "onny@project-insanity.org"; - }; + git = { + enable = true; + userName = "Jonas Heinrich"; + userEmail = "onny@project-insanity.org"; + }; - termite = { - enable = true; - backgroundColor = "rgba(35, 35, 35, 1)"; - }; + termite = { + enable = true; + backgroundColor = "rgba(35, 35, 35, 1)"; + }; - mako = { - enable = true; - defaultTimeout = 3500; - }; + mako = { + enable = true; + defaultTimeout = 3500; + }; - fish = { - enable = true; - loginShellInit = '' - if test -z "$DISPLAY" -a $XDG_VTNR -eq 1 - exec ${pkgs.dbus}/bin/dbus-run-session ${pkgs.sway}/bin/sway - end - ''; - interactiveShellInit = '' - alias codium='codium --enable-features=UseOzonePlatform·--ozone-platform=wayland' - alias signal-desktop='signal-desktop --enable-features=UseOzonePlatform·--ozone-platform=wayland' - ''; - }; + fish = { + enable = true; + loginShellInit = '' + if test -z "$DISPLAY" -a $XDG_VTNR -eq 1 + exec ${pkgs.dbus}/bin/dbus-run-session ${pkgs.sway}/bin/sway + end + ''; + interactiveShellInit = '' + alias codium='codium --enable-features=UseOzonePlatform·--ozone-platform=wayland' + alias signal-desktop='signal-desktop --enable-features=UseOzonePlatform·--ozone-platform=wayland' + alias snipping_tool='grim -g (slurp)' + ''; + }; - waybar = { - enable = true; - package = (pkgs.waybar.override (oldAttrs: { pulseSupport = true;} )); - settings = [{ - layer = "top"; - position = "top"; - height = 24; - modules-left = ["sway/workspaces" "sway/mode"]; - modules-center = ["sway/window"]; - modules-right = ["custom/stopwatch" "network" 
"pulseaudio" "battery" "clock" "tray"]; - modules = { - "sway/workspaces" = { - format = "{icon}"; - format-icons = { - "urgent" = "ïª"; - "focused" = ""; - "default" = "ï„‘"; - }; - }; - "custom/stopwatch" = { - format = "  {} "; - exec = "~/.config/waybar/sw"; - on-click = "~/.config/waybar/sw"; - on-click-right = "~/.config/waybar/sw --stop"; - return-type = "json"; - }; - "network" = { - format-wifi = " {essid} ({signalStrength}%)"; - format-ethernet = "ïƒ {ifname}: {ipaddr}/{cidr}"; - format-disconnected = "Disconnected âš "; - }; - "pulseaudio" = { - format = "{icon} {volume}%"; - format-bluetooth = "{icon} {volume}%"; - format-muted = " 0%"; - format-icons = { - "headphones" = ""; - "handsfree" = "ï–"; - "headset" = "ï–"; - "phone" = "ï‚•"; - "portable" = "ï‚•"; - "car" = ""; - "default" = ["" ""]; - }; + waybar = { + enable = true; + package = (pkgs.waybar.override (oldAttrs: { pulseSupport = true;} )); + settings = [{ + layer = "top"; + position = "top"; + height = 24; + modules-left = ["sway/workspaces" "sway/mode"]; + modules-center = ["sway/window"]; + modules-right = ["custom/stopwatch" "network" "pulseaudio" "battery" "clock" "tray"]; + modules = { + "sway/workspaces" = { + format = "{icon}"; + format-icons = { + "urgent" = "ïª"; + "focused" = ""; + "default" = "ï„‘"; }; - "battery" = { - bat = "BAT0"; - states = { - "warning" = 30; - "critical" = 15; - }; - format = "{icon} {capacity}%"; - format-icons = ["" "" "" "ï‰" ""]; + }; + "custom/stopwatch" = { + format = "  {} "; + exec = "~/.config/waybar/sw"; + on-click = "~/.config/waybar/sw"; + on-click-right = "~/.config/waybar/sw --stop"; + return-type = "json"; + }; + "network" = { + format-wifi = " {essid} ({signalStrength}%)"; + format-ethernet = "ïƒ {ifname}: {ipaddr}/{cidr}"; + format-disconnected = "Disconnected âš "; + }; + "pulseaudio" = { + format = "{icon} {volume}%"; + format-bluetooth = "{icon} {volume}%"; + format-muted = " 0%"; + format-icons = { + "headphones" = ""; + 
"handsfree" = "ï–"; + "headset" = "ï–"; + "phone" = "ï‚•"; + "portable" = "ï‚•"; + "car" = ""; + "default" = ["" ""]; }; - "clock" = { - format = "{:%a %d %b %H:%M}"; + }; + "battery" = { + bat = "BAT0"; + states = { + "warning" = 30; + "critical" = 15; }; + format = "{icon} {capacity}%"; + format-icons = ["" "" "" "ï‰" ""]; + }; + "clock" = { + format = "{:%a %d %b %H:%M}"; }; - }]; - style = (builtins.readFile ./configs/waybar/style.css); - }; - - }; - - # Stopwatch script file - xdg.configFile."waybar/sw".source = ./configs/waybar/sw; - - wayland.windowManager.sway = { - enable = true; - config = { - terminal = "${pkgs.termite}/bin/termite"; - input = { "*" = { xkb_layout = "de"; } ; }; - menu = "${pkgs.bemenu}/bin/bemenu-run -b"; - modifier = "Mod4"; - startup = [ - { command = "firefox"; } - { command = "signal-desktop --enable-features=UseOzonePlatform·--ozone-platform=wayland"; } - { command = "waybar"; } - { command = "mako"; } - ]; - bars = []; - assigns = { - "1" = [{ app_id = "firefox"; }]; - "2" = [{ app_id = "Signal"; }]; - }; - workspaceAutoBackAndForth = true; - keybindings = lib.mkOptionDefault{ - "XF86AudioRaiseVolume" = "exec ${pkgs.pulseaudioFull}/bin/pactl set-sink-volume 0 +5%"; - "XF86AudioLowerVolume" = "exec ${pkgs.pulseaudioFull}/bin/pactl set-sink-volume 0 -5%"; - "XF86AudioMute" = "exec ${pkgs.pulseaudioFull}/bin/pactl set-sink-mute 0 toggle"; - "XF86WebCam" = "exec ${pkgs.swaylock}/bin/swaylock -i /home/onny/pictures/catalina.jpg --scaling fill"; - "XF86MonBrightnessUp" = "exec ${pkgs.brightnessctl}/bin/brightnessctl s 5%+"; - "XF86MonBrightnessDown" = "exec ${pkgs.brightnessctl}/bin/brightnessctl s 5%-"; }; - floating.criteria = [ - { "title" = "^OpenSnitch v.*"; } - ]; - }; + }]; + style = (builtins.readFile ./configs/waybar/style.css); }; - gtk = { - enable = true; - iconTheme = { - name = "Adwaita-dark"; - package = pkgs.gnome3.adwaita-icon-theme; + }; + + # Stopwatch script file + xdg.configFile."waybar/sw".source = 
./configs/waybar/sw; + + wayland.windowManager.sway = { + enable = true; + config = { + terminal = "${pkgs.termite}/bin/termite"; + input = { "*" = { xkb_layout = "de"; } ; }; + menu = "${pkgs.bemenu}/bin/bemenu-run -b"; + modifier = "Mod4"; + startup = [ + { command = "firefox"; } + { command = "signal-desktop --enable-features=UseOzonePlatform·--ozone-platform=wayland"; } + { command = "waybar"; } + { command = "mako"; } + ]; + bars = []; + assigns = { + "1" = [{ app_id = "firefox"; }]; + "2" = [{ app_id = "Signal"; }]; }; - theme = { - name = "Adwaita-dark"; - package = pkgs.gnome3.gnome_themes_standard; + workspaceAutoBackAndForth = true; + keybindings = lib.mkOptionDefault{ + "XF86AudioRaiseVolume" = "exec ${pkgs.pulseaudioFull}/bin/pactl set-sink-volume 0 +5%"; + "XF86AudioLowerVolume" = "exec ${pkgs.pulseaudioFull}/bin/pactl set-sink-volume 0 -5%"; + "XF86AudioMute" = "exec ${pkgs.pulseaudioFull}/bin/pactl set-sink-mute 0 toggle"; + "XF86WebCam" = "exec ${pkgs.swaylock}/bin/swaylock -i /home/onny/pictures/catalina.jpg --scaling fill"; + "XF86MonBrightnessUp" = "exec ${pkgs.brightnessctl}/bin/brightnessctl s 5%+"; + "XF86MonBrightnessDown" = "exec ${pkgs.brightnessctl}/bin/brightnessctl s 5%-"; }; + floating.criteria = [ + { "title" = "^OpenSnitch v.*"; } + ]; }; + }; - home = { - file = { - ".ssh/id_rsa".text = "${secrets.ssh-privkey}"; - ".ssh/id_rsa.pub".text = "${secrets.ssh-pubkey}"; - ".netrc".text = ''default - login ${secrets.nextcloud-user} - password ${secrets.nextcloud-password}''; - ".nextcloud/sync-exclude.lst".text = ''projects - .cache - .config - .local - .cargo - .nvm - .mozilla - .purple - .jd - .conan - .tor-browser-en - downloads - picloud''; - }; + gtk = { + enable = true; + iconTheme = { + name = "Adwaita"; + package = pkgs.gnome3.adwaita-icon-theme; + }; + theme = { + name = "Adwaita-dark"; + package = pkgs.gnome3.gnome_themes_standard; + }; + gtk4.extraConfig = { + gtk-application-prefer-dark-theme = true; + }; + }; - sessionVariables 
= { - GDK_BACKEND = "wayland,x11"; # FIXME: wayland only. electron patches! - BROWSER = "librewolf-bin"; - TERMINAL = "termite"; - EDITOR = "nvim"; - QT_QPA_PLATFORM = "wayland-egl"; - XDG_DESKTOP_DIR = "/home/onny/downloads"; - XDG_DOWNLOAD_DIR = "/home/onny/downloads"; - XDG_PICTURES_DIR = "/home/onny/pictures"; - XDG_SESSION_TYPE = "wayland"; - XDG_RUNTIME_DIR = "/run/user/1000"; - }; + home = { + file = { + ".ssh/id_rsa".text = "${secrets.ssh-privkey}"; + ".ssh/id_rsa.pub".text = "${secrets.ssh-pubkey}"; + ".netrc".text = ''default + login ${secrets.nextcloud-user} + password ${secrets.nextcloud-password}''; + ".nextcloud/sync-exclude.lst".text = ''projects + .cache + .config + .local + .cargo + .nvm + .mozilla + .purple + .jd + .conan + .tor-browser-en + downloads + picloud''; + }; + sessionVariables = { + GDK_BACKEND = "wayland,x11"; # FIXME: wayland only. electron patches! + BROWSER = "librewolf-bin"; + TERMINAL = "termite"; + EDITOR = "nvim"; + QT_QPA_PLATFORM = "wayland-egl"; + XDG_DESKTOP_DIR = "/home/onny/downloads"; + XDG_DOWNLOAD_DIR = "/home/onny/downloads"; + XDG_PICTURES_DIR = "/home/onny/pictures"; + XDG_SESSION_TYPE = "wayland"; + XDG_RUNTIME_DIR = "/run/user/1000"; }; - systemd.user = { - services = { - nextcloud-autosync = { - Unit = { - Description = "Auto sync Nextcloud"; - After = "network-online.target"; - }; - Service = { - Type = "simple"; - ExecStart= "${pkgs.nextcloud-client}/bin/nextcloudcmd -h -n --exclude /home/onny/.nextcloud/sync-exclude.lst /home/onny/. 
https://nextcloud.project-insanity.org/remote.php/webdav/"; - TimeoutStopSec = "180"; - KillMode = "process"; - KillSignal = "SIGINT"; - }; - Install = { - WantedBy = ["multi-user.target"]; - }; + }; + + systemd.user = { + services = { + nextcloud-autosync = { + Unit = { + Description = "Auto sync Nextcloud"; + After = "network-online.target"; + }; + Service = { + Type = "simple"; + ExecStart= "${pkgs.nextcloud-client}/bin/nextcloudcmd -h -n --exclude /home/onny/.nextcloud/sync-exclude.lst /home/onny/. https://nextcloud.project-insanity.org/remote.php/webdav/"; + TimeoutStopSec = "180"; + KillMode = "process"; + KillSignal = "SIGINT"; + }; + Install = { + WantedBy = ["multi-user.target"]; }; }; - timers = { - nextcloud-autosync = { - Unit = { - Description = "Automatic sync files with Nextcloud when booted up after 5 minutes then rerun every 60 minutes"; - }; - Timer = { - OnBootSec = "5min"; - OnUnitActiveSec = "60min"; - Unit = "nextcloud-autosync.service"; - }; - Install = { - WantedBy = ["multi-user.target" "timers.target"]; - }; + }; + timers = { + nextcloud-autosync = { + Unit = { + Description = "Automatic sync files with Nextcloud when booted up after 5 minutes then rerun every 60 minutes"; + }; + Timer = { + OnBootSec = "5min"; + OnUnitActiveSec = "60min"; + Unit = "nextcloud-autosync.service"; + }; + Install = { + WantedBy = ["multi-user.target" "timers.target"]; }; }; - startServices = true; }; + startServices = true; }; }; diff --git a/security.nix b/security.nix new file mode 100644 index 0000000..e8ccb14 --- /dev/null +++ b/security.nix @@ -0,0 +1,13 @@ +{ config, pkgs, lib, ... }:{ + + services.opensnitch.enable = true; # FIXME, currently unstable + + programs.firejail = { + enable = true; + wrappedBinaries = { + firefox = "${pkgs.firefox}/bin/firefox"; + signal-desktop = "${pkgs.signal-desktop}/bin/signal-desktop"; + }; + }; + +} -- GitLab
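Review bot: `".ssh/id_rsa".text = "${secrets.ssh-privkey}"` and the `.netrc` entry carried over in this hunk put the SSH private key and the Nextcloud password into `home.file` text, which home-manager materialises as files in the Nix store. Store paths are readable by every local user and travel with any copied closure. `secrets` is presumably bound in the `let` above the hunk, so its origin is not visible here; under a flake, a secrets file imported from the repository would also have to be tracked in git for the evaluator to see it. Keeping these values out of the store means leaving the files unmanaged by Nix or provisioning them at activation time from an encrypted source (sops-nix and agenix are the usual choices). At minimum, a comment on those lines should state the exposure.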
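Review bot: The firejail wrappers in security.nix cover `firefox` and `signal-desktop`, but `BROWSER = "librewolf-bin"` in home.nix still names a package that this commit comments out of `systemPackages`. Programs that open links through `$BROWSER` will therefore either find nothing to launch or bypass the sandboxed wrapper; `BROWSER = "firefox";` would line the two up. The `# FIXME, currently unstable` comment on `services.opensnitch.enable` would read better if it said what is unstable, presumably the module or the package taken from the pinned fork overlay.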