pkg(termius): nixpak sandboxed

2026-03-22 18:52:43 +00:00 · 2026-03-21 23:33:17 +00:00 · 2026-03-21 23:33:17 +00:00 · fc0f5a83e1
commit fc0f5a83e1
parent ef66bb76c4
3 changed files with 97 additions and 7 deletions
--- a/nixcfgs/hardening/nixpaks/default.nix
+++ b/nixcfgs/hardening/nixpaks/default.nix
@ -2,19 +2,22 @@
  pkgs,
  inputs,
  ...
-}:
+}: let
 let
  mkNixPak = inputs.nixpak.lib.nixpak {
    inherit (pkgs) lib;
    inherit pkgs;
  };
-in
+
-{
+  callNixPak = path:
-  # Expose sandboxed app(s) through nixpkgs overlay.
+    pkgs.callPackage path {
      inherit mkNixPak;
    };
 in {
  nixpkgs.overlays = [
    (_: prev: {
-      nixpaks.qq = prev.callPackage ./qq.nix {
+      nixpaks = {
-        inherit mkNixPak;
+        qq = callNixPak ./qq.nix;
        termius = callNixPak ./termius.nix;
      };
    })
  ];
--- a/nixcfgs/hardening/nixpaks/termius.nix
+++ b/nixcfgs/hardening/nixpaks/termius.nix
@ -0,0 +1,86 @@
 {
  lib,
  pkgs,
  mkNixPak,
  buildEnv,
  makeDesktopItem,
  ...
 }: let
  appId = "com.terminus.Termius";
  wrapped = mkNixPak {
    config = {sloth, ...}: {
      app = {
        package = buildEnv {
          name = "nixpak-termius";
          paths = with pkgs; [
            termius
            libglvnd
            mesa.drivers
            stdenv.cc.cc.lib
          ];
        };
        binPath = "bin/termius-app";
      };
      flatpak.appId = appId;
      imports = [
        ./modules/gui-base.nix
        ./modules/network.nix
        ./modules/common.nix
      ];
      bubblewrap = {
        bind.rw = [
          sloth.xdgDocumentsDir
          sloth.xdgDownloadDir
          sloth.xdgMusicDir
          sloth.xdgVideosDir
          sloth.xdgPicturesDir
        ];
        bind.ro = [
          "${pkgs.libglvnd}/lib"
          "${pkgs.mesa.drivers}/lib"
          "${pkgs.stdenv.cc.cc.lib}/lib"
          "/etc/passwd"
          "/etc/group"
          "/etc/nsswitch.conf"
        ];
        sockets = {
          x11 = false;
          wayland = true;
          pipewire = true;
        };
        env = {
          LD_LIBRARY_PATH = "${pkgs.libglvnd}/lib:${pkgs.mesa.drivers}/lib:${pkgs.stdenv.cc.cc.lib}/lib";
          LIBGL_DRIVERS_PATH = "${pkgs.mesa.drivers}/lib/dri";
        };
      };
    };
  };
  exePath = lib.getExe wrapped.config.script;
 in
  buildEnv {
    inherit (wrapped.config.script) name meta passthru;
    paths = [
      wrapped.config.script
      (makeDesktopItem {
        name = appId;
        desktopName = "Termius";
        genericName = "Cross-platform SSH client";
        comment = "The SSH client that works on Desktop and Mobile";
        exec = "${exePath} --ozone-platform-hint=auto %U";
        terminal = false;
        icon = "${pkgs.termius}/share/icons/hicolor/1024x1024/termius-app.png";
        startupNotify = true;
        startupWMClass = "Termius";
        type = "Application";
        categories = [
          "Network"
        ];
        extraConfig = {
          X-Flatpak = appId;
        };
      })
    ];
  }
--- a/nixcfgs/users/js0ny/packages/gui.nix
+++ b/nixcfgs/users/js0ny/packages/gui.nix
@ -85,6 +85,7 @@ in {
      pcloud
      nixpaks.qq
      nixpaks.termius
      signal-desktop
      siyuan
      localsend