From a591be98d48ee5f9f9f54ece9644746b2109d356 Mon Sep 17 00:00:00 2001
From: Colin
Date: Sun, 18 Feb 2024 06:32:20 +0000
Subject: [PATCH] programs: portfolio-filemanager: sandbox
---
 hosts/common/programs/default.nix | 1 +
 .../common/programs/portfolio-filemanager.nix | 47 +++++++++++++++++++
 2 files changed, 48 insertions(+)
 create mode 100644 hosts/common/programs/portfolio-filemanager.nix
diff --git a/hosts/common/programs/default.nix b/hosts/common/programs/default.nix
index 0cb919fd..fff7994d 100644
--- a/hosts/common/programs/default.nix
+++ b/hosts/common/programs/default.nix
@@ -68,6 +68,7 @@
 ./offlineimap.nix
 ./open-in-mpv.nix
 ./planify.nix
+ ./portfolio-filemanager.nix
 ./playerctl.nix
 ./rhythmbox.nix
 ./ripgrep.nix
diff --git a/hosts/common/programs/portfolio-filemanager.nix b/hosts/common/programs/portfolio-filemanager.nix
new file mode 100644
index 00000000..07bae107
--- /dev/null
+++ b/hosts/common/programs/portfolio-filemanager.nix
@@ -0,0 +1,47 @@
+{ ... }:
+{
+ sane.programs.portfolio-filemanager = {
+ # this is all taken pretty directly from nautilus config
+ sandbox.method = "bwrap";
+ sandbox.wrapperType = "inplace";
+ sandbox.whitelistDbus = [ "user" ]; # for portals launching apps
+ sandbox.whitelistWayland = true;
+ sandbox.extraHomePaths = [
+ # grant access to pretty much everything, except for secret keys.
+ # ".cache"
+ # ".config"
+ # ".local"
+ "archive"
+ "Books"
+ "dev"
+ "knowledge"
+ "Music"
+ "nixos"
+ "Pictures"
+ # "private" #< explicitly NOT
+ "records"
+ "ref"
+ "tmp"
+ "use"
+ "Videos"
+ ];
+ sandbox.extraPaths = [
+ "/boot"
+ "/mnt"
+ # "nix"
+ "/run/media" # for mounted devices
+ "/tmp"
+ "/var"
+ ];
+ sandbox.extraRuntimePaths = [
+ # not sure if these are actually necessary
+ "gvfs"
+ "gvfsd"
+ ];
+
+ mime.priority = 160; #< default is 100, so higher means we fall-back to other apps that might be more specialized
+ mime.associations = {
+ "inode/directory" = "dev.tchx84.Portfolio.desktop";
+ };
+ };
+}
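Review bot: In `hosts/common/programs/default.nix` the new `./portfolio-filemanager.nix` entry is placed before `./playerctl.nix`, although the visible neighbours (`./offlineimap.nix` through `./ripgrep.nix`) are in alphabetical order. Moving it to sit after `./playerctl.nix` would keep the list sorted; the rest of the list lies outside the hunk, so the ordering convention is inferred from these six lines only.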
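Review bot: The intent stated in `sandbox.extraHomePaths` ("pretty much everything, except for secret keys") is only enforced by the path lists, while `sandbox.whitelistDbus = [ "user" ]` and the `"/var"` and `"/tmp"` entries in `sandbox.extraPaths` widen the sandbox in ways the comments do not account for. If the `user` bus is exposed unfiltered (how the sandbox module handles it is not visible in this patch), services reachable on it run outside the bwrap mount namespace and are not bound by the omission of `private`; that is worth recording beside the line, e.g. `# NOTE: bus peers are not confined by the path lists below; narrow to the portal if the wrapper supports filtering`. `"/var"` is broader than a file manager usually needs and `"/tmp"` is shared with other programs, so consider narrowing both or adding a comment on why each is required. The `gvfs`/`gvfsd` runtime paths are marked "not sure if these are actually necessary"; under least privilege they should be confirmed by testing and dropped if unused, not granted speculatively.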