# Vesktop Sandboxed with nix-bwrapper
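{
  config,
  lib,
  pkgs,
  inputs,
  ...
}:

# NixOS module: exposes `pkgs.vesktop-sandboxed`, the upstream Vesktop release
# binary run inside a bubblewrap sandbox built by nix-bwrapper, with a filtered
# session D-Bus proxy and an explicit (mkForce'd) list of host paths.
let
  # nixpkgs extended with the nix-bwrapper overlay; this is where mkBwrapper comes from.
  bwrapperPkgs = pkgs.extend inputs.nix-bwrapper.overlays.default;

  # Vesktop repackaged from the upstream release .deb instead of being built
  # from source (avoids source build errors).  The download is pinned by
  # sha256, so a replaced or tampered release asset fails the build instead of
  # being accepted silently; bump `version` and `sha256` together.
  vesktop-bin = pkgs.stdenv.mkDerivation rec {
    pname = "vesktop";
    version = "1.6.3";

    src = pkgs.fetchurl {
      url = "https://github.com/Vencord/Vesktop/releases/download/v${version}/vesktop_${version}_amd64.deb";
      sha256 = "0c6k82rb21p0xi6c3xm5zrzbrph1v6x9qg0kmy9zxwv0z9lq47la";
    };

    # Only dpkg is needed to unpack the .deb; makeWrapper was listed before
    # but nothing in this derivation calls wrapProgram.
    nativeBuildInputs = [ pkgs.dpkg ];

    # Binary repackaging: there is nothing to configure or compile.
    dontConfigure = true;
    dontBuild = true;

    unpackPhase = ''
      dpkg-deb -x $src .
    '';

    # Only the package's usr/ tree is installed.
    # NOTE(review): if the .deb also ships files outside usr/ (e.g. under /opt),
    # any symlink under usr/ that points at them will dangle in $out -- verify
    # against the package contents when bumping the version.
    installPhase = ''
      runHook preInstall
      mkdir -p $out
      cp -r usr/* $out/
      runHook postInstall
    '';

    meta.mainProgram = "vesktop";
  };
in
{
  nixpkgs.overlays = [
    (final: prev: {
      vesktop-sandboxed = bwrapperPkgs.mkBwrapper {
        app = {
          package = vesktop-bin;
          id = "dev.vencord.Vesktop";
          env = {
            # Propagate the host's XDG_DATA_DIRS so themes and icons resolve
            # inside the sandbox (only paths that are also mounted below are
            # actually reachable).
            XDG_DATA_DIRS = "$XDG_DATA_DIRS";
            # Force the Wayland (Ozone) backend.
            NIXOS_OZONE_WL = "1";
          };
        };

        # Display sockets.
        # NOTE(review): Wayland is forced via NIXOS_OZONE_WL above, and X11 has
        # no client isolation (any client on the display can read input and
        # screen contents of every other client), so x11 = true weakens the
        # sandbox.  Set it to false -- and consider unshareIpc = true -- if the
        # app works on Wayland alone.
        sockets.x11 = true;
        sockets.wayland = true;

        # Disable flatpak emulation (no .flatpak-info is presented to portals).
        flatpak.enable = false;

        fhsenv.opts = {
          # Separate user namespace: host uid/gid mapping is not inherited.
          unshareUser = true;
          unshareUts = false;
          unshareCgroup = false;
          # Host PIDs stay visible to the sandboxed process.
          unsharePid = false;
          unshareNet = false; # Need network for Discord
          # IPC namespace shared with the host; X11 MIT-SHM commonly relies on it.
          unshareIpc = false;
        };

        # Full replacement (mkForce) of the module's default bwrap arguments:
        # everything the app can see on the host is listed here explicitly.
        fhsenv.bwrap.baseArgs = lib.mkForce [
          # New session: blocks TIOCSTI-style keystroke injection into the
          # controlling terminal.
          "--new-session"
          "--proc /proc"
          "--dev /dev"
          "--dev-bind /dev/dri /dev/dri" # GPU acceleration
          # Host $HOME, /tmp and /run are hidden; only the paths mounted via
          # `mounts` / additionalArgs below are reachable.
          "--tmpfs /home"
          "--tmpfs /tmp"
          "--tmpfs /run"
          "--dir /run/user"
          # Assumes XDG_RUNTIME_DIR is /run/user/<uid> for this hard-coded user;
          # the socket binds further down use $XDG_RUNTIME_DIR and must agree.
          "--dir /run/user/${toString config.users.users.ashie.uid}"
          # System paths (read-only).  All of /sys is exposed, not just the
          # subtrees needed for GPU enumeration.
          "--ro-bind /sys /sys"
          "--ro-bind-try /run/current-system /run/current-system"
          "--ro-bind-try /run/opengl-driver /run/opengl-driver"
          "--ro-bind-try /run/opengl-driver-32 /run/opengl-driver-32"
          "--dir /run/systemd/resolve"
          "--ro-bind-try /run/systemd/resolve /run/systemd/resolve"
          # Audio
          "--ro-bind-try /etc/asound.conf /etc/asound.conf"
        ];

        mounts = {
          # Theming inputs only, read-only.
          read = [
            "$HOME/.config/fontconfig"
            "$HOME/.local/share/fonts"
            "$HOME/.icons"
            "$HOME/.themes"
            "$HOME/.local/share/themes"
            "$HOME/.config/kdedefaults"
            "$HOME/.local/share/color-schemes"
          ];
          # Writable: the app's own state directory (this is where the logged-in
          # session lives, so it is the sensitive one) and Downloads.
          readWrite = [
            "$HOME/.config/vesktop"
            "$HOME/Downloads"
          ];
        };

        # Disable built-in DBus module (invokes bwrap without --unshare-user)
        dbus.enable = false;

        # Manually set up DBus proxy with --unshare-user (session bus only).
        # With --filter, only the names listed here are reachable; the system
        # bus is not exposed at all.
        script.preCmds.stage2 = (import ./sandbox-utils.nix { inherit pkgs lib; }).mkDbusProxyScript {
          appId = "dev.vencord.Vesktop";
          enableSystemBus = false;
          proxyArgs = [
            "--filter"
            # NOTE(review): this wildcard covers every portal name, including
            # org.freedesktop.portal.Flatpak; narrow it to the portals the app
            # actually uses (e.g. org.freedesktop.portal.Desktop) if possible.
            ''--talk="org.freedesktop.portal.*"''
            # Already implied by the --talk wildcard above; kept for clarity.
            ''--call="org.freedesktop.portal.*=*@/org/freedesktop/portal/desktop"''
            ''--talk="org.freedesktop.Notifications"''
            ''--talk="org.freedesktop.ScreenSaver"''
            ''--talk="org.kde.StatusNotifierWatcher"''
            ''--talk="org.gnome.Mutter.DisplayConfig"''
            ''--talk="com.canonical.AppMenu.Registrar"''
            ''--own="dev.vencord.Vesktop"''
            ''--own="dev.vencord.Vesktop.*"''
          ];
        };

        fhsenv.bwrap.additionalArgs = [
          # D-Bus: only the filtered session-bus proxy socket, mounted where the
          # default session bus address points.  Read-only binds are enough to
          # connect() to a unix socket (Flatpak exposes its sockets the same
          # way), so nothing here needs to be writable.
          ''--ro-bind "$XDG_RUNTIME_DIR/app/dev.vencord.Vesktop/bus" "$XDG_RUNTIME_DIR/bus"''

          # Wayland socket.  Assumes WAYLAND_DISPLAY is a name relative to
          # XDG_RUNTIME_DIR, not an absolute path.
          ''--ro-bind "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY"''

          # PipeWire + Pulse.  -try so a session that lacks one of the two
          # daemons still starts instead of bwrap failing on the missing path.
          ''--ro-bind-try "$XDG_RUNTIME_DIR/pipewire-0" "$XDG_RUNTIME_DIR/pipewire-0"''
          ''--ro-bind-try "$XDG_RUNTIME_DIR/pulse" "$XDG_RUNTIME_DIR/pulse"''
        ];
      };
    })
  ];
}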