From ae289ab8690bef9d4cf8854806702e6c32910b23 Mon Sep 17 00:00:00 2001
From: Ryan Yin
Date: Wed, 25 Sep 2024 19:47:14 +0800
Subject: [PATCH 1/2] fix: libEGL warning: egl: failed to create dri2 screen
---
 hardening/README.md | 2 ++
 hardening/nixpaks/firefox.nix | 5 -----
 hardening/nixpaks/modules/gui-base.nix | 12 ++++++++++++
 hardening/nixpaks/qq.nix | 5 -----
 home/linux/gui/hyprland/values/wayland-apps.nix | 6 +++---
 5 files changed, 17 insertions(+), 13 deletions(-)
diff --git a/hardening/README.md b/hardening/README.md
index 9537f08a..9f4cd73a 100644
--- a/hardening/README.md
+++ b/hardening/README.md
@@ -1,5 +1,7 @@
 # Linux Hardening
+> Work in progress.
+
 ## Goal
 - **System Level**: Protect critical files from being accessed by untrusted applications.
diff --git a/hardening/nixpaks/firefox.nix b/hardening/nixpaks/firefox.nix
index 8da09fd6..5111f1dc 100644
--- a/hardening/nixpaks/firefox.nix
+++ b/hardening/nixpaks/firefox.nix
@@ -61,11 +61,6 @@ mkNixPak {
 };
 bind.dev = [
 "/dev/shm" # Shared Memory
-
- # seems required when using nvidia as primary gpu
- "/dev/nvidia0"
- "/dev/nvidia-uvm"
- "/dev/nvidia-modeset"
 ];
 tmpfs = [
 "/tmp"
diff --git a/hardening/nixpaks/modules/gui-base.nix b/hardening/nixpaks/modules/gui-base.nix
index 840a547e..197dbadb 100644
--- a/hardening/nixpaks/modules/gui-base.nix
+++ b/hardening/nixpaks/modules/gui-base.nix
@@ -66,7 +66,19 @@ in {
 "/etc/fonts" # for fontconfig
 "/etc/machine-id"
 "/etc/localtime"
+
+ # Fix: libEGL warning: egl: failed to create dri2 screen
+ "/etc/egl"
+ "/etc/static/egl"
+ ];
+ bind.dev = [
+ # seems required when using nvidia as primary gpu
+ "/dev/nvidia0"
+ "/dev/nvidiactl"
+ "/dev/nvidia-modeset"
+ "/dev/nvidia-uvm"
 ];
+
 env = {
 XDG_DATA_DIRS = lib.mkForce (lib.makeSearchPath "share" [
 iconTheme
diff --git a/hardening/nixpaks/qq.nix b/hardening/nixpaks/qq.nix
index cb6280b9..51ed7971 100644
--- a/hardening/nixpaks/qq.nix
+++ b/hardening/nixpaks/qq.nix
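Review bot: The `bind.dev` list added to gui-base.nix exposes `/dev/nvidia0`, `/dev/nvidiactl`, `/dev/nvidia-modeset` and `/dev/nvidia-uvm` to every sandbox built on this shared module, whereas the lists removed from firefox.nix and qq.nix in the same commit were per-app, and the new list also adds `/dev/nvidiactl` that those per-app lists did not have; each of these nodes is an ioctl interface into the proprietary driver, so apps that do not need GPU acceleration now get a larger kernel-facing surface from inside the sandbox. The comment itself is hedged ("seems required"), which argues for making the binds opt-in rather than a base default, e.g. `bind.dev = lib.optionals <nvidia-option> [ … ];` with the same four paths, where `<nvidia-option>` is a module option still to be defined. It is also worth confirming how nixpak treats a `bind.dev` entry that does not exist on a non-NVIDIA host; if it is a hard bind, sandboxes may fail to start there, and if it is a try-bind, a comment saying so would save the next reader the check. The enclosing attribute set starts before the hunk.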
@@ -45,11 +45,6 @@ mkNixPak {
 };
 bind.dev = [
 "/dev/shm" # Shared Memory
-
- # seems required when using nvidia as primary gpu
- "/dev/nvidia0"
- "/dev/nvidia-uvm"
- "/dev/nvidia-modeset"
 ];
 tmpfs = [
 "/tmp"
diff --git a/home/linux/gui/hyprland/values/wayland-apps.nix b/home/linux/gui/hyprland/values/wayland-apps.nix
index 717230fa..c358c96d 100644
--- a/home/linux/gui/hyprland/values/wayland-apps.nix
+++ b/home/linux/gui/hyprland/values/wayland-apps.nix
@@ -22,9 +22,9 @@
 + (builtins.readFile "${nur-ryan4yin.packages.${pkgs.system}.catppuccin-foot}/catppuccin-mocha.conf");
 home.packages = [
- pkgs.firefox-wayland
- # pkgs.nixpaks.firefox
- # pkgs.nixpaks.firefox-desktop-item
+ # pkgs.firefox-wayland
+ pkgs.nixpaks.firefox
+ pkgs.nixpaks.firefox-desktop-item
 ];
 programs = {
From 4236df4281f449badc11336bfdb61263b1cdd6cc Mon Sep 17 00:00:00 2001
From: Ryan Yin
Date: Wed, 25 Sep 2024 19:49:53 +0800
Subject: [PATCH 2/2] fix: nixpaks - font
---
 hardening/nixpaks/modules/gui-base.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hardening/nixpaks/modules/gui-base.nix b/hardening/nixpaks/modules/gui-base.nix
index 197dbadb..2d786981 100644
--- a/hardening/nixpaks/modules/gui-base.nix
+++ b/hardening/nixpaks/modules/gui-base.nix
@@ -31,7 +31,7 @@ in {
 };
 # https://github.com/nixpak/nixpak/blob/master/modules/gui/fonts.nix
 # it works not well, bind system's /etc/fonts directly instead
- fonts.enable = true;
+ fonts.enable = false;
 # https://github.com/nixpak/nixpak/blob/master/modules/locale.nix
 locale.enable = true;
 bubblewrap = {
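Review bot: With `fonts.enable = false` in the second patch's gui-base.nix hunk, sandboxed apps depend entirely on the host `/etc/fonts` bind that sits further down this module (visible as context in the first patch's hunk at line 66), and the hunk does not show that the font files referenced by that host fontconfig are themselves reachable inside the sandbox; if they are not, apps would presumably start with an empty font set rather than fail loudly. Worth confirming against one sandboxed app and recording the dependency next to the flag, e.g. `# relies on the host /etc/fonts bind below; the font files it references must also be visible inside the sandbox`. The enclosing attribute set starts before the hunk and continues after it.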