init

2026-01-14 21:24:19 +01:00 · 2026-01-14 21:24:19 +01:00 · 2be8de47fa
commit 2be8de47fa
87 changed files with 11501 additions and 0 deletions
--- a/modules/system/brave-sandboxed.nix
+++ b/modules/system/brave-sandboxed.nix
@ -0,0 +1,153 @@
+# Brave Sandboxed with nix-bwrapper
+{
+  config,
+  lib,
+  pkgs,
+  inputs,
+  ...
+}:
+
+let
+  bwrapperPkgs = pkgs.extend inputs.nix-bwrapper.overlays.default;
+
+  # create a custom settings.ini to force dark mode
+  darkSettingsIni = pkgs.writeText "settings.ini" ''
+    [Settings]
+    gtk-theme-name=catppuccin-mocha-mauve-standard
+    gtk-application-prefer-dark-theme=1
+    gtk-cursor-theme-name=Future-Cyan-Hyprcursor_Theme
+    gtk-xft-antialias=1
+    gtk-xft-hinting=1
+    gtk-xft-hintstyle=hintslight
+    gtk-xft-rgba=rgb
+  '';
+
+  # Define policies.json with Catppuccin Mocha Theme (Chrome Web Store)
+  bravePolicies = pkgs.writeText "policies.json" (
+    builtins.toJSON {
+      ExtensionInstallForcelist = [
+        "pgonbchglnnkjolggcdhphlbnjihfofh;https://clients2.google.com/service/update2/crx" # Catppuccin Mocha
+      ];
+    }
+  );
+in
+{
+  nixpkgs.overlays = [
+    (final: prev: {
+      brave-sandboxed = bwrapperPkgs.mkBwrapper {
+        app = {
+          package = pkgs.symlinkJoin {
+            name = "brave-single-desktop";
+            paths = [ prev.brave ];
+            inherit (prev.brave) pname version meta;
+            postBuild = ''
+              rm $out/share/applications/com.brave.Browser.desktop
+            '';
+          };
+          # id = "brave-browser"; # Omit app.id to avoid potential bind errors (like Firefox)
+          env = {
+            # Propagate XDG_DATA_DIRS so GTK can find themes in user profile/system
+            XDG_DATA_DIRS = "$XDG_DATA_DIRS";
+            GTK_THEME = "catppuccin-mocha-mauve-standard";
+            HYPRCURSOR_THEME = "Future-Cyan-Hyprcursor_Theme";
+            HYPRCURSOR_SIZE = "32";
+            # Force ozone/wayland usage for Brave/Chromium
+            NIXOS_OZONE_WL = "1";
+          };
+        };
+
+        flatpak.enable = false;
+        sockets.x11 = false;
+        sockets.wayland = true;
+        fhsenv.opts = {
+          unshareUser = true;
+          unshareUts = false;
+          unshareCgroup = false;
+          unsharePid = false;
+          unshareNet = false;
+          unshareIpc = false;
+        };
+
+        fhsenv.bwrap.baseArgs = lib.mkForce [
+          "--new-session"
+          "--proc /proc"
+          "--dev /dev"
+          "--dev-bind /dev/dri /dev/dri"
+          "--tmpfs /home"
+          "--tmpfs /mnt"
+          "--tmpfs /run"
+          "--ro-bind-try /run/current-system /run/current-system"
+          "--ro-bind-try /run/booted-system /run/booted-system"
+          "--ro-bind-try /run/opengl-driver /run/opengl-driver"
+          "--ro-bind-try /run/opengl-driver-32 /run/opengl-driver-32"
+          # Brave flags
+          "--setenv NIXOS_OZONE_WL \"1\""
+          "--setenv NOTIFY_IGNORE_PORTAL 1"
+          # Bind policies for Theme
+          "--dir /etc/brave/policies/managed"
+          "--ro-bind ${bravePolicies} /etc/brave/policies/managed/policies.json"
+          # Fallback paths for Chromium/Chrome base
+          "--dir /etc/chromium/policies/managed"
+          "--ro-bind ${bravePolicies} /etc/chromium/policies/managed/policies.json"
+          "--dir /etc/opt/chrome/policies/managed"
+          "--ro-bind ${bravePolicies} /etc/opt/chrome/policies/managed/policies.json"
+        ];
+
+        # Filesystem: Limited to Brave directories and Downloads
+        mounts = {
+          read = [
+            "$HOME/.config/kdedefaults"
+            "$HOME/.config/fontconfig"
+            "$HOME/.config/user-dirs.dirs"
+            "$HOME/.config/mimeapps.list"
+            "$HOME/.local/share/color-schemes"
+            "$HOME/.local/share/fonts"
+            "$HOME/.icons"
+            "$HOME/.themes"
+            "$HOME/.local/share/themes"
+            "$HOME/.config/gtk-3.0"
+          ];
+          readWrite = [
+            "$HOME/.config/BraveSoftware"
+            "$HOME/.cache/BraveSoftware"
+            "$HOME/Downloads"
+          ];
+        };
+
+        # Bind mount systemd-resolved socket for DNS and required system files
+        # Disable built-in DBus module because it invokes bwrap without --unshare-user
+        dbus.enable = false;
+
+        # Manually set up DBus proxy with --unshare-user
+        script.preCmds.stage2 = (import ./sandbox-utils.nix { inherit pkgs lib; }).mkDbusProxyScript {
+          appId = "nix.bwrapper.brave";
+          proxyArgs = [
+            "--filter"
+            ''--talk="org.freedesktop.portal.Desktop"''
+            ''--talk="org.freedesktop.portal.OpenURI"''
+            ''--talk="org.freedesktop.portal.FileChooser"''
+            ''--talk="org.freedesktop.secrets"''
+            ''--talk="org.kde.StatusNotifierWatcher"''
+            ''--call="org.freedesktop.portal.*=*@/org/freedesktop/portal/desktop"''
+            ''--own="org.chromium.LibCrosService"'' # Chromium/Brave specific
+            ''--own="org.mpris.MediaPlayer2.chromium.*"''
+            ''--own="org.mpris.MediaPlayer2.brave.*"''
+          ];
+          enableSystemBus = true;
+          systemProxyArgs = [
+            "--filter"
+            ''--talk="org.freedesktop.NetworkManager"''
+          ];
+        };
+
+        fhsenv.bwrap.additionalArgs = [
+          ''--bind "$XDG_RUNTIME_DIR/app/nix.bwrapper.brave/bus" "$XDG_RUNTIME_DIR/bus"''
+          ''--bind "$XDG_RUNTIME_DIR/app/nix.bwrapper.brave/bus_system" /run/dbus/system_bus_socket''
+          "--dir /run/systemd/resolve"
+          "--ro-bind-try /run/systemd/resolve /run/systemd/resolve"
+          "--bind-try /run/user/${toString config.users.users.ashie.uid}/dconf /run/user/${toString config.users.users.ashie.uid}/dconf"
+        ];
+      };
+    })
+  ];
+}