From 8ebc88bbfe0ee3f3d3ad5e482b80a40f98e82d9b Mon Sep 17 00:00:00 2001
From: "RingOfStorms (Joshua Bell)"
Date: Wed, 16 Jul 2025 15:05:50 -0500
Subject: [PATCH] learning about firejail

---
 hosts/lio/flake.nix | 1 +
 hosts/lio/jails_text.nix | 70 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+)
 create mode 100644 hosts/lio/jails_text.nix

diff --git a/hosts/lio/flake.nix b/hosts/lio/flake.nix
index c1065ad..dfbf212 100644
--- a/hosts/lio/flake.nix
+++ b/hosts/lio/flake.nix
@@ -31,6 +31,7 @@
 ./configuration.nix
 ./hardware-configuration.nix
 (import ./containers.nix { inherit inputs; })
+ ./jails_text.nix
 (
 {
 config,
diff --git a/hosts/lio/jails_text.nix b/hosts/lio/jails_text.nix
new file mode 100644
index 0000000..b3ffab9
--- /dev/null
+++ b/hosts/lio/jails_text.nix
@@ -0,0 +1,70 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
+  options = { };
+
+  imports = [
+  ];
+
+  config = {
+    environment.systemPackages = with pkgs; [
+      firejail
+    ];
+
+    boot.kernelModules = [ "dummy" ];
+    networking.interfaces.sandbox0 = {
+      ipv4.addresses = [
+        {
+          address = "10.10.10.2";
+          prefixLength = 24;
+        }
+      ];
+    };
+    networking.nftables.ruleset = ''
+      table inet filter {
+        chain input {
+          type filter hook input priority 0;
+          iifname "lo" accept
+          iifname "sandbox0" ip saddr 93.184.216.34 accept
+          drop
+        }
+        chain output {
+          type filter hook output priority 0;
+          oifname "lo" accept
+          oifname "sandbox0" ip daddr 93.184.216.34 accept
+          drop
+        }
+      }
+    '';
+
+    programs.firejail = {
+      enable = true;
+      wrappedBinaries = {
+        jcurl = {
+          executable = lib.getExe pkgs.curl;
+          extraArgs = [
+            "--quiet"
+            "--noprofile"
+            "--private"
+            "--net=none"
+            "--seccomp"
+          ];
+        };
+        jbat = {
+          executable = lib.getExe pkgs.bat;
+          extraArgs = [
+            "--quiet"
+            "--noprofile"
+            "--private"
+            "--net=none"
+            "--seccomp"
+          ];
+        };
+      };
+    };
+  };
+}
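Review bot: The bare `drop` closing both chains in `networking.nftables.ruleset` sits on the host's own input/output hooks, not on anything jail-specific, so once this ruleset is loaded every host flow other than loopback and the single address on sandbox0 is discarded, including DNS and remote access. Today it is inert, because `networking.nftables.ruleset` only takes effect together with `networking.nftables.enable = true;`, which this file does not set; enabling it later without first scoping those rules (for instance `iifname "sandbox0" drop` / `oifname "sandbox0" drop` instead of the unqualified `drop`) would lock the machine out. The ruleset also has no effect on the two wrappers: `--net=none` gives jcurl and jbat no network at all, so the sandbox0 address, the `dummy` module and the 93.184.216.34 allow rules are unused by them, and a curl restricted to one destination would need its filtering attached to the jail's network rather than the host hooks. Nothing visible creates the sandbox0 device either — loading `dummy` alone does not add an interface — so the `ipv4.addresses` assignment may not apply; worth confirming, and a short header comment stating whether this file is an experiment (as the commit title suggests) or meant to be enabled would help the next reader.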