Hi,
As one of my machines is a bit more security-sensitive, I’ve been looking into securing neovim a bit more and not having Lua code “free running” on my machine. This is mostly an experiment.
I’ve been happy with the (somewhat) sense of security that firejail and the neovim profile with the no-network option give, but then this all goes away once I need to run neovim with network access to update packages et al.
So my question is: is it possible to package all that I need to run neovim (Lua code, mason-installed binaries, etc.) into an AppImage or some other format to then run under firejail? Which folders would I need besides the usual ones (.config/neovim)?
As for package updates, I was thinking about doing it on my personal machine, where I would then package everything and install it on the sensitive machine.
If you want to go the “packaging way”, you could use nix’s nixCats-nvim to make a fully hermetic nvim installation where you track the origin of all the dependencies (LSPs too) and plugins, all with receipts and hashes and all the good stuff of a reproducible build system. The security industry likes reproducible build systems because there’s only one way you can go from source to the artifact.
Then, you package that in e.g. a docker container (which nix can build for you, too) and ship where you need it.
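As an added illustration of the "packaging way" described in this reply (this is not code from the original thread, from nixCats-nvim, or from any project; it uses plain nixpkgs rather than nixCats, and the plugin and LSP choices are assumptions for the sake of the example): a single Nix expression that pins neovim, its plugins and the language-server binaries from one nixpkgs revision, and then turns that closure into a container image with `dockerTools.buildImage`. Everything in the image comes from the store paths listed here, so there is nothing left for a plugin manager or mason to fetch at runtime.

```nix
# nvim-hermetic.nix (added example, not from the original post or any project).
# Build with:   nix-build nvim-hermetic.nix
# Load with:    docker load < result
# The image can then be copied to the sensitive machine and run with no network,
# e.g. `docker run --rm -it --network none nvim-hermetic:latest`.
{ pkgs ? import <nixpkgs> { } }:

let
  # Every binary neovim will call lives in the closure of this list.
  # Assumption: these two language servers are what the user actually wants;
  # swap in whatever mason would otherwise have downloaded.
  lspServers = with pkgs; [
    lua-language-server
    nodePackages.bash-language-server
  ];

  # Plugins come from nixpkgs' vimPlugins set, so each one is a fixed-output
  # derivation with a recorded hash instead of a `git clone` at first launch.
  nvim = pkgs.neovim.override {
    configure = {
      # Minimal init; the real config would be read from ~/.config/nvim, which
      # stays outside the image and is mounted read-only at run time.
      customRC = ''
        set nocompatible
        lua << EOF
        -- Assumption: lspconfig is the chosen way to wire the servers above.
        local lspconfig = require("lspconfig")
        lspconfig.lua_ls.setup {}
        lspconfig.bashls.setup {}
        EOF
      '';
      packages.hermetic = with pkgs.vimPlugins; {
        start = [ nvim-lspconfig nvim-treesitter plenary-nvim ];
        opt = [ ];
      };
    };
  };

  # One root filesystem containing nvim, the LSPs, and the tools they shell out to.
  rootfs = pkgs.buildEnv {
    name = "nvim-hermetic-root";
    paths = lspServers ++ [
      nvim
      pkgs.coreutils
      pkgs.git # nvim-treesitter and several plugins call git
      pkgs.bashInteractive
      pkgs.cacert
    ];
    pathsToLink = [ "/bin" "/share" "/etc" ];
  };
in
pkgs.dockerTools.buildImage {
  name = "nvim-hermetic";
  tag = "latest";
  copyToRoot = rootfs;
  config = {
    Cmd = [ "/bin/nvim" ];
    WorkingDir = "/work";
    Env = [
      "HOME=/home/nvim"
      # Point neovim's XDG dirs at the mounted volumes rather than the image.
      "XDG_CONFIG_HOME=/home/nvim/.config"
      "XDG_DATA_HOME=/home/nvim/.local/share"
      "XDG_STATE_HOME=/home/nvim/.local/state"
    ];
  };
}
```

Because every input is a Nix store path, `nix-store -qR result` lists the exact closure that ends up in the image, and rebuilding from the same nixpkgs revision yields the same store paths; that is the "one way from source to artifact" property the reply refers to. Updates are done on the build machine by bumping the pinned nixpkgs and rebuilding, then only the resulting image is transferred. On the sensitive machine the image is still wrapped in the same firejail or `--network none` policy as before; packaging removes the need for network at run time, it does not replace the sandbox.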