ashisgreat22 2026-01-14 21:24:19 +01:00
commit 2be8de47fa
87 changed files with 11501 additions and 0 deletions


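--- /dev/null
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,145 @@
+# Vesktop Sandboxed with nix-bwrapper
+{
+config,
+lib,
+pkgs,
+inputs,
+...
+}:
+let
+bwrapperPkgs = pkgs.extend inputs.nix-bwrapper.overlays.default;
+# Define specific Vesktop version to avoid build errors from source
+vesktop-bin = pkgs.stdenv.mkDerivation rec {
+pname = "vesktop";
+version = "1.6.3";
+src = pkgs.fetchurl {
+url = "https://github.com/Vencord/Vesktop/releases/download/v${version}/vesktop_${version}_amd64.deb";
+sha256 = "0c6k82rb21p0xi6c3xm5zrzbrph1v6x9qg0kmy9zxwv0z9lq47la";
+};
+nativeBuildInputs = [
+pkgs.dpkg
+pkgs.makeWrapper
+];
+unpackPhase = ''
+dpkg-deb -x $src .
+'';
+installPhase = ''
+runHook preInstall
+mkdir -p $out
+cp -r usr/* $out/
+runHook postInstall
+'';
+meta.mainProgram = "vesktop";
+};
+in
+{
+nixpkgs.overlays = [
+(final: prev: {
+vesktop-sandboxed = bwrapperPkgs.mkBwrapper {
+app = {
+package = vesktop-bin;
+id = "dev.vencord.Vesktop";
+env = {
+# Propagate XDG_DATA_DIRS for theming
+XDG_DATA_DIRS = "$XDG_DATA_DIRS";
+# Force Wayland
+NIXOS_OZONE_WL = "1";
+};
+};
+# Enable X11 and Wayland
+sockets.x11 = true;
+sockets.wayland = true;
+# Disable flatpak emulation
+flatpak.enable = false;
+fhsenv.opts = {
+unshareUser = true;
+unshareUts = false;
+unshareCgroup = false;
+unsharePid = false;
+unshareNet = false; # Need network for Discord
+unshareIpc = false;
+};
+fhsenv.bwrap.baseArgs = lib.mkForce [
+"--new-session"
+"--proc /proc"
+"--dev /dev"
+"--dev-bind /dev/dri /dev/dri" # GPU acceleration
+"--tmpfs /home"
+"--tmpfs /tmp"
+"--tmpfs /run"
+"--dir /run/user"
+"--dir /run/user/${toString config.users.users.ashie.uid}"
+# System paths
+"--ro-bind /sys /sys"
+"--ro-bind-try /run/current-system /run/current-system"
+"--ro-bind-try /run/opengl-driver /run/opengl-driver"
+"--ro-bind-try /run/opengl-driver-32 /run/opengl-driver-32"
+"--dir /run/systemd/resolve"
+"--ro-bind-try /run/systemd/resolve /run/systemd/resolve"
+# Audio
+"--ro-bind-try /etc/asound.conf /etc/asound.conf"
+];
+mounts = {
+read = [
+"$HOME/.config/fontconfig"
+"$HOME/.local/share/fonts"
+"$HOME/.icons"
+"$HOME/.themes"
+"$HOME/.local/share/themes"
+"$HOME/.config/kdedefaults"
+"$HOME/.local/share/color-schemes"
+];
+readWrite = [
+"$HOME/.config/vesktop"
+"$HOME/Downloads"
+];
+};
+# Disable built-in DBus module (invokes bwrap without --unshare-user)
+dbus.enable = false;
+# Manually set up DBus proxy with --unshare-user (session bus only)
+script.preCmds.stage2 = (import ./sandbox-utils.nix { inherit pkgs lib; }).mkDbusProxyScript {
+appId = "dev.vencord.Vesktop";
+enableSystemBus = false;
+proxyArgs = [
+"--filter"
+''--talk="org.freedesktop.portal.*"''
+''--call="org.freedesktop.portal.*=*@/org/freedesktop/portal/desktop"''
+''--talk="org.freedesktop.Notifications"''
+''--talk="org.freedesktop.ScreenSaver"''
+''--talk="org.kde.StatusNotifierWatcher"''
+''--talk="org.gnome.Mutter.DisplayConfig"''
+''--talk="com.canonical.AppMenu.Registrar"''
+''--own="dev.vencord.Vesktop"''
+''--own="dev.vencord.Vesktop.*"''
+];
+};
+fhsenv.bwrap.additionalArgs = [
+# D-Bus session proxy only
+''--bind "$XDG_RUNTIME_DIR/app/dev.vencord.Vesktop/bus" "$XDG_RUNTIME_DIR/bus"''
+# Wayland socket
+''--bind "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY"''
+# PipeWire + Pulse
+''--bind "$XDG_RUNTIME_DIR/pipewire-0" "$XDG_RUNTIME_DIR/pipewire-0"''
+''--bind "$XDG_RUNTIME_DIR/pulse" "$XDG_RUNTIME_DIR/pulse"''
+];
+};
+})
+];
+}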
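Review bot: The Wayland entry in `fhsenv.bwrap.additionalArgs` expands `$WAYLAND_DISPLAY` unguarded, so when the variable is unset or empty the source path collapses to `$XDG_RUNTIME_DIR/` and bwrap would bind the entire host runtime directory — including the unfiltered session-bus socket — into the sandbox; because that mount comes after the proxy bind on the `.../app/dev.vencord.Vesktop/bus` line, it likely shadows the filtered bus the stage2 script sets up. Failing closed is the safer default here: `''--bind "$XDG_RUNTIME_DIR/''${WAYLAND_DISPLAY:?WAYLAND_DISPLAY unset}" "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY"''` (the `''$` escape keeps Nix from interpolating it), or drop the line entirely if `sockets.wayland = true` already binds the socket, which I cannot confirm from this file. The `pipewire-0` and `pulse` binds have no such expansion and at least fail hard when the path is absent. Separately, the `fhsenv.opts` block justifies only `unshareNet`; a one-line comment on why pid and ipc stay shared, e.g. `# host pid/ipc namespaces kept: <reason to be filled in>`, would document that `--proc /proc` exposes host processes to the app.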