From 1aff8b0da7fc04e48aa43b15da971399bc9265d4 Mon Sep 17 00:00:00 2001
From: caem
Date: Fri, 24 Jan 2025 20:17:36 +0100
Subject: [PATCH] huge if it works

---
 overlays/nixpkgs/firefox.nix | 68 ++++++++++--------------------------
 1 file changed, 18 insertions(+), 50 deletions(-)

diff --git a/overlays/nixpkgs/firefox.nix b/overlays/nixpkgs/firefox.nix
index 6a61ba3..c02b59e 100644
--- a/overlays/nixpkgs/firefox.nix
+++ b/overlays/nixpkgs/firefox.nix
@@ -1,4 +1,5 @@
-# Shamelessly stolen most parts from https://github.com/schizofox/schizofox
+# Shamelessly stolen most parts from here:
+# https://github.com/ryan4yin/nix-config/blob/7deed26cc5a3af2072b8c89a688f265607babc80/hardening/nixpaks/firefox.nix
 { ... }: final: prev: {
   firefox-esr = let
@@ -7,68 +8,35 @@
     app.package = prev.firefox-esr;
     app.binPath = "bin/firefox-esr";
     flatpak.appId = "org.mozilla.firefox";
+
     dbus.policies = {
-      "org.mozilla.Firefox" = "own";
-      "org.mozilla.Firefox.*" = "own";
-      "org.a11y.Bus" = "talk";
-      "org.gnome.SessionManager" = "talk";
-      "org.freedesktop.ScreenSaver" = "talk";
-      "org.gtk.vfs.*" = "talk";
-      "org.gtk.vfs" = "talk";
-      "org.freedesktop.Notifications" = "talk";
-      "org.freedesktop.portal.FileChooser" = "talk";
-      "org.freedesktop.portal.Settings" = "talk";
-      "org.mpris.MediaPlayer2.firefox.*" = "own";
       "org.mozilla.firefox.*" = "own";
+      "org.mozilla.firefox_esr.*" = "own";
       "org.mozilla.firefox_beta.*" = "own";
-      "org.freedesktop.DBus" = "talk";
-      "org.freedesktop.DBus.*" = "talk";
-      "ca.desrt.dconf" = "talk";
-      "org.freedesktop.portal.*" = "talk";
+      "org.mpris.MediaPlayer2.firefox.*" = "own";
       "org.freedesktop.NetworkManager" = "talk";
-      "org.freedesktop.FileManager1" = "talk";
     };
-    gpu.enable = true;
-    gpu.provider = "bundle";
-    fonts.enable = true;
-    locale.enable = true;
-    etc.sslCertificates.enable = true;
-
-    bubblewrap = let
-      envSuffix = envKey: sloth.concat' (sloth.env envKey);
-    in {
-      network = true;
+    bubblewrap = {
+      bind.dev = [ "/dev/shm" ];
+      tmpfs = [ "/tmp" ];
       bind.rw = [
-        (sloth.concat' sloth.xdgCacheHome "/fontconfig")
-        (sloth.concat' sloth.xdgCacheHome "/mesa_shader_cache")
-        (sloth.concat [
-          (sloth.env "XDG_RUNTIME_DIR")
-          "/"
-          (sloth.envOr "WAYLAND_DISPLAY" "no")
-        ])
-        "/tmp/.X11-unix"
-        (sloth.envOr "XAUTHORITY" "/no-xauth")
-
-        (envSuffix "XDG_RUNTIME_DIR" "/at-spi/bus")
-        (envSuffix "XDG_RUNTIME_DIR" "/gvfsd")
-        (envSuffix "XDG_RUNTIME_DIR" "/pulse")
-        (envSuffix "XDG_RUNTIME_DIR" "/doc")
-        (envSuffix "XDG_RUNTIME_DIR" "/dconf")
-
-        (sloth.concat' sloth.xdgConfigHome "/.mozilla")
+        [ (sloth.mkdir (sloth.concat' sloth.xdgConfigHome "/mozilla")) (sloth.concat' sloth.homeDir "/.mozilla")]
+        sloth.xdgDownloadDir
       ];
       bind.ro = [
-        "/etc/resolv.conf"
-        (sloth.concat' sloth.xdgConfigHome "/gtk-2.0")
-        (sloth.concat' sloth.xdgConfigHome "/gtk-3.0")
-        (sloth.concat' sloth.xdgConfigHome "/gtk-4.0")
-        (sloth.concat' sloth.xdgConfigHome "/dconf")
-        "/etc/localtime"
         "/sys/bus/pci"
+        ["${prev.firefox-esr}/lib/firefox" "/app/etc/firefox"]
+        (sloth.concat' sloth.xdgConfigHome "/dconf")
       ];
+
+      sockets = {
+        x11 = false;
+        wayland = true;
+        pipewire = true;
+      };
     };
   };
 };
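Review bot: `"org.freedesktop.NetworkManager" = "talk"` is the one non-Firefox-owned D-Bus name that survives the trim of `dbus.policies`, with no note on why a browser sandbox should be able to talk to the service that reconfigures the host's network; every other name left in the list is a session-bus name, and if this proxy fronts only the session bus the entry may do nothing at all, so it deserves either a justification comment such as `# NetworkManager kept for: <reason> — confirm the proxy reaches the system bus` or removal. The same hunk drops `etc.sslCertificates.enable = true;` and the `"/etc/resolv.conf"` read-only bind while the commit message does not say whether name resolution and TLS verification were checked inside the sandbox afterwards; a one-line comment stating how DNS and CA trust now reach Firefox (or that its bundled root store is relied upon) would save the next reader that investigation. `bind.dev = [ "/dev/shm" ];` shares the host's `/dev/shm` with the sandbox rather than giving it a private one like the `tmpfs = [ "/tmp" ];` line does for `/tmp`, which is worth a comment stating that it is intentional. The `firefox-esr = let … in` attrset this hunk edits begins before the hunk.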