diff --git a/hosts/common/programs/default.nix b/hosts/common/programs/default.nix
index 0cb919fd..fff7994d 100644
--- a/hosts/common/programs/default.nix
+++ b/hosts/common/programs/default.nix
@@ -68,6 +68,7 @@
     ./offlineimap.nix
     ./open-in-mpv.nix
     ./planify.nix
+    ./portfolio-filemanager.nix
     ./playerctl.nix
     ./rhythmbox.nix
     ./ripgrep.nix
diff --git a/hosts/common/programs/portfolio-filemanager.nix b/hosts/common/programs/portfolio-filemanager.nix
new file mode 100644
index 00000000..07bae107
--- /dev/null
+++ b/hosts/common/programs/portfolio-filemanager.nix
@@ -0,0 +1,47 @@
+{ ... }:
+{
+  sane.programs.portfolio-filemanager = {
+    # this is all taken pretty directly from nautilus config
+    sandbox.method = "bwrap";
+    sandbox.wrapperType = "inplace";
+    sandbox.whitelistDbus = [ "user" ];  # for portals launching apps
+    sandbox.whitelistWayland = true;
+    sandbox.extraHomePaths = [
+      # grant access to pretty much everything, except for secret keys.
+      # ".cache"
+      # ".config"
+      # ".local"
+      "archive"
+      "Books"
+      "dev"
+      "knowledge"
+      "Music"
+      "nixos"
+      "Pictures"
+      # "private"  #< explicitly NOT
+      "records"
+      "ref"
+      "tmp"
+      "use"
+      "Videos"
+    ];
+    sandbox.extraPaths = [
+      "/boot"
+      "/mnt"
+      # "nix"
+      "/run/media"  # for mounted devices
+      "/tmp"
+      "/var"
+    ];
+    sandbox.extraRuntimePaths = [
+      # not sure if these are actually necessary
+      "gvfs"
+      "gvfsd"
+    ];
+
+    mime.priority = 160;  #< default is 100, so higher means we fall-back to other apps that might be more specialized
+    mime.associations = {
+      "inode/directory" = "dev.tchx84.Portfolio.desktop";
+    };
+  };
+}