pkg(termius): nixpak sandboxed

2026-03-22 18:52:43 +00:00 · 2026-03-21 23:33:17 +00:00 · 2026-03-21 23:33:17 +00:00 · fc0f5a83e1
commit fc0f5a83e1
parent ef66bb76c4
3 changed files with 97 additions and 7 deletions
--- a/nixcfgs/hardening/nixpaks/default.nix
+++ b/nixcfgs/hardening/nixpaks/default.nix
@ -2,19 +2,22 @@
  pkgs,
  inputs,
  ...
-}:
-let
+}: let
  mkNixPak = inputs.nixpak.lib.nixpak {
    inherit (pkgs) lib;
    inherit pkgs;
  };
-in
-{
-  # Expose sandboxed app(s) through nixpkgs overlay.
+
+  callNixPak = path:
+    pkgs.callPackage path {
+      inherit mkNixPak;
+    };
+in {
  nixpkgs.overlays = [
    (_: prev: {
-      nixpaks.qq = prev.callPackage ./qq.nix {
-        inherit mkNixPak;
+      nixpaks = {
+        qq = callNixPak ./qq.nix;
+        termius = callNixPak ./termius.nix;
      };
    })
  ];
--- a/nixcfgs/hardening/nixpaks/termius.nix
+++ b/nixcfgs/hardening/nixpaks/termius.nix
@ -0,0 +1,86 @@
+{
+  lib,
+  pkgs,
+  mkNixPak,
+  buildEnv,
+  makeDesktopItem,
+  ...
+}: let
+  appId = "com.terminus.Termius";
+
+  wrapped = mkNixPak {
+    config = {sloth, ...}: {
+      app = {
+        package = buildEnv {
+          name = "nixpak-termius";
+          paths = with pkgs; [
+            termius
+            libglvnd
+            mesa.drivers
+            stdenv.cc.cc.lib
+          ];
+        };
+        binPath = "bin/termius-app";
+      };
+      flatpak.appId = appId;
+
+      imports = [
+        ./modules/gui-base.nix
+        ./modules/network.nix
+        ./modules/common.nix
+      ];
+
+      bubblewrap = {
+        bind.rw = [
+          sloth.xdgDocumentsDir
+          sloth.xdgDownloadDir
+          sloth.xdgMusicDir
+          sloth.xdgVideosDir
+          sloth.xdgPicturesDir
+        ];
+        bind.ro = [
+          "${pkgs.libglvnd}/lib"
+          "${pkgs.mesa.drivers}/lib"
+          "${pkgs.stdenv.cc.cc.lib}/lib"
+          "/etc/passwd"
+          "/etc/group"
+          "/etc/nsswitch.conf"
+        ];
+        sockets = {
+          x11 = false;
+          wayland = true;
+          pipewire = true;
+        };
+        env = {
+          LD_LIBRARY_PATH = "${pkgs.libglvnd}/lib:${pkgs.mesa.drivers}/lib:${pkgs.stdenv.cc.cc.lib}/lib";
+          LIBGL_DRIVERS_PATH = "${pkgs.mesa.drivers}/lib/dri";
+        };
+      };
+    };
+  };
+  exePath = lib.getExe wrapped.config.script;
+in
+  buildEnv {
+    inherit (wrapped.config.script) name meta passthru;
+    paths = [
+      wrapped.config.script
+      (makeDesktopItem {
+        name = appId;
+        desktopName = "Termius";
+        genericName = "Cross-platform SSH client";
+        comment = "The SSH client that works on Desktop and Mobile";
+        exec = "${exePath} --ozone-platform-hint=auto %U";
+        terminal = false;
+        icon = "${pkgs.termius}/share/icons/hicolor/1024x1024/termius-app.png";
+        startupNotify = true;
+        startupWMClass = "Termius";
+        type = "Application";
+        categories = [
+          "Network"
+        ];
+        extraConfig = {
+          X-Flatpak = appId;
+        };
+      })
+    ];
+  }