diff --git a/profiles/personal/configuration.nix b/profiles/personal/configuration.nix
index fc5c95bc..60314faa 100644
--- a/profiles/personal/configuration.nix
+++ b/profiles/personal/configuration.nix
@@ -11,6 +11,7 @@
     ( import ../../system/app/docker.nix {storageDriver = "btrfs"; inherit username pkgs config lib;} )
     ../../system/app/gamemode.nix
     ../../system/app/steam.nix
+    ../../system/app/prismlauncher.nix
     ../../system/security/doas.nix
     ../../system/security/gpg.nix
     ../../system/security/blocklist.nix
diff --git a/profiles/work/configuration.nix b/profiles/work/configuration.nix
index 35fa0715..18a39d0e 100644
--- a/profiles/work/configuration.nix
+++ b/profiles/work/configuration.nix
@@ -16,6 +16,7 @@
     ../../system/security/gpg.nix
     ../../system/security/blocklist.nix
     ../../system/security/firewall.nix
+    ../../system/security/firejail.nix
     ../../system/security/openvpn.nix
     ../../system/style/stylix.nix
   ];
diff --git a/system/app/prismlauncher.nix b/system/app/prismlauncher.nix
new file mode 100644
index 00000000..0709ae1f
--- /dev/null
+++ b/system/app/prismlauncher.nix
@@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+  environment.systemPackages = [ pkgs.prismlauncher ];
+}
diff --git a/system/app/steam.nix b/system/app/steam.nix
index c0c1d36c..12267292 100644
--- a/system/app/steam.nix
+++ b/system/app/steam.nix
@@ -3,4 +3,5 @@
 {
   hardware.opengl.driSupport32Bit = true;
   programs.steam.enable = true;
+  environment.systemPackages = [ pkgs.steam ];
 }
diff --git a/system/security/firejail-profiles/prismlauncher.profile b/system/security/firejail-profiles/prismlauncher.profile
new file mode 100644
index 00000000..83c3f007
--- /dev/null
+++ b/system/security/firejail-profiles/prismlauncher.profile
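Review bot: The profile that installs the launchers is not the one that sandboxes them: this hunk gives profiles/personal both steam.nix and the new prismlauncher.nix, while the firejail.nix that wraps prismlauncher, steam and steam-run is imported only by profiles/work in the next hunk. Unless personal picks up firejail.nix somewhere outside this diff, prismlauncher and steam run unsandboxed there, and the new prismlauncher.profile is only applied on the work machine, which as far as this diff shows does not import prismlauncher.nix or steam.nix at all. If the intent is "sandbox wherever the launcher is installed", add `../../system/security/firejail.nix` next to the prismlauncher.nix line here as well, or move each wrappedBinaries entry into the steam.nix/prismlauncher.nix module that installs the package so the wrapper travels with it.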
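Review bot: `environment.systemPackages = [ pkgs.steam ];` in steam.nix duplicates what `programs.steam.enable = true;` on the line above already installs, and it puts a second `bin/steam` on the system path next to the firejail wrapper of the same name defined in system/security/firejail.nix. Which binary a plain `steam` resolves to then depends on buildEnv priority rather than on anything in this file; the NixOS firejail module is meant to give its wrappers precedence, but that is worth confirming on a built system with `readlink -f "$(command -v steam)"`, because a wrapper that loses the collision silently means no sandbox. If the extra package is needed for something `programs.steam` does not provide, a comment saying what would help the next reader; otherwise drop the added line.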
@@ -0,0 +1,51 @@
+# Firejail profile for prismlauncher
+# Description: An Open Source Minecraft launcher that can manage multiple instances
+# This file is overwritten after every install/update
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.local/share/PrismLauncher
+
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/PrismLauncher
+whitelist ${HOME}/.local/share/PrismLauncher
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+disable-mnt
+private-bin java,java-config,minecraft-launcher,prismlauncher
+private-cache
+private-dev
+# If multiplayer or realms break, add 'private-etc '
+# or 'ignore private-etc' to your minecraft-launcher.local.
+private-tmp
+
+dbus-system none
+
+restrict-namespaces
diff --git a/system/security/firejail.nix b/system/security/firejail.nix
new file mode 100644
index 00000000..382a3467
--- /dev/null
+++ b/system/security/firejail.nix
@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [ firejail ];
+  programs.firejail.enable = true;
+  programs.firejail.wrappedBinaries = {
+    prismlauncher = {
+      executable = "${pkgs.prismlauncher}/bin/prismlauncher";
+      profile = ./firejail-profiles/prismlauncher.profile;
+    };
+    steam = {
+      executable = "${pkgs.steam}/bin/steam";
+      profile = "${pkgs.firejail}/etc/firejail/steam.profile";
+    };
+    steam-run = {
+      executable = "${pkgs.steam}/bin/steam-run";
+      profile = "${pkgs.firejail}/etc/firejail/steam.profile";
+    };
+  };
+}
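Review bot: Two comments in prismlauncher.profile appear to be carried over from firejail's upstream minecraft-launcher profile and are now misleading for this file: `# This file is overwritten after every install/update` (this copy is managed in the repo and shipped through programs.firejail.wrappedBinaries, so editing it is the intended workflow), and the private-etc hint that tells the reader to edit `minecraft-launcher.local`, whereas the local override for a profile named prismlauncher is `prismlauncher.local`. Suggested edits: drop the overwrite line, and change the hint to `# or 'ignore private-etc' to your prismlauncher.local.`. Also worth checking on a built system: `private-bin java,java-config,minecraft-launcher,prismlauncher` names a minecraft-launcher binary this diff never installs, and private-bin resolves names from the conventional /bin and /usr/bin locations rather than from the store path the wrapper executes, so confirm that the launcher and the Java it downloads actually start under this profile, since a private-bin that finds nothing fails closed rather than falling back.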
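Review bot: `executable = "${pkgs.steam}/bin/steam-run";` in the steam-run entry of firejail.nix is likely to point at a path that does not exist: in nixpkgs the FHS runner is its own attribute, `pkgs.steam-run`, rather than a second binary inside `pkgs.steam`, and wrappedBinaries does not validate the path at build time, so the failure only shows up when the wrapper is invoked. If that holds, `executable = "${pkgs.steam-run}/bin/steam-run";` is the fix. Two smaller points: `environment.systemPackages = with pkgs; [ firejail ];` is redundant if `programs.firejail.enable` already installs the package, which I believe it does (verify against the module); and reusing `steam.profile` for steam-run applies Steam's whitelists to a tool whose job is running arbitrary non-Steam binaries, so expect those runs to break unless they live under the profile's whitelisted paths. If constraining steam-run that tightly is deliberate, a one-line comment above the steam-run entry saying so would keep the next reader from "fixing" it.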
diff --git a/user/app/games/games.nix b/user/app/games/games.nix index 4e89440d..431dcc88 100644 --- a/user/app/games/games.nix +++ b/user/app/games/games.nix @@ -14,13 +14,10 @@ in { home.packages = with pkgs; [ # Games - steam # also requires system-level steam.nix to run gamehub myRetroarch airshipper qjoypad - prismlauncher - #TODO need flatpak steam - I don't have this declaratively yet ]; # The following 2 declarations allow retroarch to be imported into gamehub # Set retroarch core directory to ~/.local/bin/libretro