learning about firejail

This commit is contained in:
RingOfStorms (Joshua Bell) 2025-07-16 15:05:50 -05:00
parent 8f3ad07c18
commit 8ebc88bbfe
2 changed files with 71 additions and 0 deletions


@ -31,6 +31,7 @@
./configuration.nix ./configuration.nix
./hardware-configuration.nix ./hardware-configuration.nix
(import ./containers.nix { inherit inputs; }) (import ./containers.nix { inherit inputs; })
./jails_text.nix
( (
{ {
config, config,

70
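--- /dev/null
+++ b/hosts/lio/jails_text.nix
@@ -0,0 +1,70 @@
+{
+config,
+pkgs,
+lib,
+...
+}:
+{
+options = { };
+imports = [
+];
+config = {
+environment.systemPackages = with pkgs; [
+firejail
+];
+boot.kernelModules = [ "dummy" ];
+networking.interfaces.sandbox0 = {
+ipv4.addresses = [
+{
+address = "10.10.10.2";
+prefixLength = 24;
+}
+];
+};
+networking.nftables.ruleset = ''
+table inet filter {
+chain input {
+type filter hook input priority 0;
+iifname "lo" accept
+iifname "sandbox0" ip saddr 93.184.216.34 accept
+drop
+}
+chain output {
+type filter hook output priority 0;
+oifname "lo" accept
+oifname "sandbox0" ip daddr 93.184.216.34 accept
+drop
+}
+}
+'';
+programs.firejail = {
+enable = true;
+wrappedBinaries = {
+jcurl = {
+executable = lib.getExe pkgs.curl;
+extraArgs = [
+"--quiet"
+"--noprofile"
+"--private"
+"--net=none"
+"--seccomp"
+];
+};
+jbat = {
+executable = lib.getExe pkgs.bat;
+extraArgs = [
+"--quiet"
+"--noprofile"
+"--private"
+"--net=none"
+"--seccomp"
+];
+};
+};
+};
+};
+}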
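Review bot: The `networking.nftables.ruleset` in this file ends both the input and output chains with an unconditional `drop` after accepting only `lo` and a single address on `sandbox0`, so if nftables is enabled for this host (this file sets the ruleset but not `networking.nftables.enable = true;`, so it may be inert or be enabled elsewhere) every other flow on the host's real interfaces — SSH, DNS, replies to outbound connections — would be dropped, which is a lockout risk rather than a sandbox restriction. If the intent is to confine only the jail traffic, scope the rules to `sandbox0` and add `ct state established,related accept` before the final `drop` in each chain, or use the chain policy instead of a trailing verdict. Note also that both wrapped binaries pass `--net=none`, so `jcurl` and `jbat` have no network namespace at all and never touch `sandbox0`; the interface, the `dummy` module and the ruleset do not constrain them as written, and a wrapper that is meant to use the sandbox interface would need `--net=sandbox0` (with `--netfilter`/`--ip` as appropriate) instead. Whether `networking.interfaces.sandbox0` alone creates a dummy device on this host is not visible from this file and is worth confirming, since addresses on a non-existent interface will fail at activation.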