# Most of this is adapted from ryan4yin's nixpak Firefox wrapper:
# https://github.com/ryan4yin/nix-config/blob/7deed26cc5a3af2072b8c89a688f265607babc80/hardening/nixpaks/firefox.nix
#
# Overlay that replaces `firefox-esr` with a nixpak (bubblewrap) sandboxed
# build. The sandbox is built from `prev.firefox-esr`, not `final.firefox-esr`,
# so the overlay does not recurse into itself.
{ ... }:
final: prev: {
  firefox-esr =
    let
      # nixpak sandbox description. `sloth` yields host paths that are only
      # resolved when the app is launched (home dir, XDG dirs).
      sandbox = prev.mkNixPak {
        config = { sloth, ... }: {
          app = {
            package = prev.firefox-esr;
            binPath = "bin/firefox-esr";
          };

          flatpak = {
            appId = "org.mozilla.firefox";
          };

          # D-Bus policy: Firefox may own its own well-known names (plus the
          # MPRIS media-control name) and may only *talk* to NetworkManager.
          # Any name not listed here is not reachable through nixpak's bus proxy.
          dbus = {
            policies = {
              "org.mozilla.firefox.*" = "own";
              "org.mozilla.firefox_esr.*" = "own";
              "org.mozilla.firefox_beta.*" = "own";
              "org.mpris.MediaPlayer2.firefox.*" = "own";
              "org.freedesktop.NetworkManager" = "talk";
            };
          };

          bubblewrap = {
            # Private /tmp inside the sandbox; the host's /dev/shm is bound in.
            tmpfs = [ "/tmp" ];

            bind = {
              dev = [ "/dev/shm" ];

              # Writable host paths. A two-element entry is [ host-path sandbox-path ]:
              # the profile is kept under $XDG_CONFIG_HOME/mozilla on the host
              # (created there if missing via sloth.mkdir) and appears as
              # ~/.mozilla inside the sandbox. The download directory is the only
              # other host location Firefox can write to.
              rw = [
                [
                  (sloth.mkdir (sloth.concat' sloth.xdgConfigHome "/mozilla"))
                  (sloth.concat' sloth.homeDir "/.mozilla")
                ]
                sloth.xdgDownloadDir
              ];

              # Read-only host paths: PCI info for hardware detection, the
              # package's own lib dir mounted at the Flatpak-style location,
              # and the user's dconf settings.
              ro = [
                "/sys/bus/pci"
                [ "${prev.firefox-esr}/lib/firefox" "/app/etc/firefox" ]
                (sloth.concat' sloth.xdgConfigHome "/dconf")
              ];
            };

            # Wayland and PipeWire sockets only; the X11 socket is deliberately
            # left out since X11 gives no isolation between clients.
            sockets = {
              x11 = false;
              wayland = true;
              pipewire = true;
            };
          };
        };
      };
    in
    # `config.env` is the wrapped, runnable package produced by nixpak.
    sandbox.config.env;
}