I am using NixOS 22.11 with thunderbird in a firejail wrapper.
In configuration.nix I have the following:
environment.sessionVariables = {
# TERM = "kitty";
DOWNLOADS = "\${HOME}/Downloads";
DOCUMENTS = "\${HOME}/Dokumente";
MUSIC = "\${HOME}/Speicher/Audio/Musik";
PICTURES = "\${HOME}/Speicher/Bilder";
VIDEOS = "\${HOME}/Speicher/Video";
EMAILS = "\${HOME}/Dokumente/Unterlagen/Emails";
EDITOR = "emacsclient -nw";
};
and regarding firejail:
programs.firejail.enable = true;
programs.firejail.wrappedBinaries = {
thunderbird = {
executable = "${pkgs.lib.getBin pkgs.thunderbird}/bin/thunderbird";
profile = pkgs.writeText "thunderbird.local" ''
noblacklist ''${DOWNLOADS}
whitelist ''${DOWNLOADS}
noblacklist ''${EMAILS}
whitelist ''${EMAILS}
# noblacklist ''${DOCUMENTS}
# whitelist ''${DOCUMENTS}
# mkdir ''${HOME}/Dokumente/Unterlagen/Emails
# noblacklist ''${HOME}/Dokumente/Unterlagen/Emails
# whitelist ''${HOME}/Dokumente/Unterlagen/Emails
include thunderbird.profile
'';
};
};
My other firejailed programs work as expected, but thunderbird is special:
If I whitelist the exact directory of the offline emails, it can't access them (the last 3 lines, currently commented out).
If I whitelist DOCUMENTS (presently commented out) it works fine, but this gives thunderbird access to more directories than I want.
If I define EMAILS as a sessionVariable and then whitelist it for thunderbird, as in the code I posted, I get
~ ❯ thunderbird
Reading profile /nix/store/hkpvjp170mvxh6rp8zi9snc891w9zdfg-thunderbird.local
Error: "${EMAILS}" is an invalid filename: rejected character: "{"
Why is that? If I run printenv, EMAILS has the correct value, and working with DOWNLOADS and DOCUMENTS works fine. So why is it handled differently?
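As an added example (not code from the post or from firejail/NixOS), a small Python check that walks a profile fragment like the one above, flags `${VAR}` references that firejail's profile parser does not expand itself, and shows the workaround of substituting the session-variable values before the profile file is written. The set of variables firejail expands is an assumption taken from my reading of the firejail-profile man page; the sample paths are constructed.

```python
import re

# Assumption: the variables firejail's profile parser expands on its own
# (from the firejail-profile man page as I recall it). Anything else, such as
# a custom ${EMAILS}, is left untouched and then rejected because of the "{".
FIREJAIL_VARS = {"HOME", "CFG", "RUNUSER", "PATH", "DESKTOP", "DOCUMENTS",
                 "DOWNLOADS", "MUSIC", "PICTURES", "VIDEOS"}
PATH_DIRECTIVES = {"whitelist", "noblacklist"}
VAR_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def lint_profile(text):
    """Return (directive, argument, problem-or-None) for every whitelist /
    noblacklist line; comments and other directives (e.g. include) are skipped."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0] not in PATH_DIRECTIVES or len(parts) != 2:
            continue
        arg = parts[1]
        unknown = [v for v in VAR_RE.findall(arg) if v not in FIREJAIL_VARS]
        problem = f"${{{unknown[0]}}} is not a variable firejail expands" if unknown else None
        results.append((parts[0], arg, problem))
    return results


def resolve_profile(text, session_vars):
    """Workaround: expand ${VAR} from the session-variable mapping when the
    profile is generated, so firejail only sees literal paths (or its own vars)."""
    def sub(match):
        name = match.group(1)
        if name in session_vars:
            return session_vars[name]
        if name in FIREJAIL_VARS:
            return match.group(0)  # firejail expands this one itself
        raise KeyError(f"no value known for ${{{name}}}")
    return VAR_RE.sub(sub, text)


# Constructed sample input mirroring the post's fragment and a sample HOME.
SESSION = {"HOME": "/home/user"}
SESSION["DOWNLOADS"] = SESSION["HOME"] + "/Downloads"
SESSION["EMAILS"] = SESSION["HOME"] + "/Dokumente/Unterlagen/Emails"
PROFILE = "noblacklist ${DOWNLOADS}\nwhitelist ${DOWNLOADS}\n" \
          "noblacklist ${EMAILS}\nwhitelist ${EMAILS}\ninclude thunderbird.profile\n"
```

Running `lint_profile(PROFILE)` reports the two `${EMAILS}` lines and nothing else, and `resolve_profile(PROFILE, SESSION)` yields a fragment with literal paths that lints clean.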