sandboxed qutebrowser

Author: functora

nix/configuration.nix

@@ -776,6 +776,7 @@ in {
         (import ./vidmaker.nix)
         (import ./clipmaker.nix)
         (import ./bar.nix {inherit pkgs;})
+        (import ./qute.nix {inherit pkgs;})
         (import ./bip39-wordlist.nix)
       ];
       programs.git = {

nix/qute.nix

@@ -0,0 +1,48 @@
+{pkgs}: let
+  nixpak = import ./nixpak.nix;
+  mkNixPak = nixpak.lib.nixpak {
+    inherit (pkgs) lib;
+    inherit pkgs;
+  };
+  app = pkgs.writeShellApplication {
+    name = "qute";
+    text = ''
+      ${pkgs.qutebrowser}/bin/qutebrowser "$@"
+    '';
+  };
+  sandbox = mkNixPak {
+    config = {sloth, ...}: {
+      app.package = app;
+      gpu.enable = true;
+      gpu.provider = "bundle";
+      fonts.enable = true;
+      locale.enable = true;
+      etc.sslCertificates.enable = true;
+      bubblewrap = {
+        network = true;
+        sockets.pulse = true;
+        sockets.wayland = true;
+        bind.ro = [
+          [
+            (toString ../cfg/qutebrowser.py)
+            (
+              sloth.concat'
+              sloth.homeDir
+              ".config/qutebrowser/config.py"
+            )
+          ]
+        ];
+        bind.rw = [
+          [
+            (sloth.mkdir (sloth.concat' sloth.homeDir "/qute"))
+            sloth.homeDir
+          ]
+        ];
+        tmpfs = [
+          "/tmp"
+        ];
+      };
+    };
+  };
+in
+  sandbox.config.env