{ config, lib, pkgs, ... }:
let
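# Declare a "package set": a program entry that installs nothing of its own
# (`packageUnwrapped = null`) and only lists other `sane.programs` entries as
# `suggestedPrograms` (presumably enabled alongside it; the sane.programs
# module defines the exact semantics).
#   programs: list of program names (keys of `sane.programs`).
# The parameter is deliberately not called `pkgs`: the previous name shadowed
# the nixpkgs `pkgs` argument this module receives, which is easy to misread.
declPackageSet = programs: {
  packageUnwrapped = null;
  suggestedPrograms = programs;
};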
in
{
# Per-program declarations for the `sane.programs` module. Two kinds of entry:
#   - package sets (declared with `declPackageSet`): install nothing themselves,
#     they only pull in the programs they list;
#   - individual programs: how they are sandboxed (`sandbox.method`,
#     `sandbox.wrapperType`, whitelists) and which $HOME paths to persist.
# Persistence has two stores, `persist.byStore.plaintext` and `.private`; the
# entries below consistently put credentials and session tokens in `private`,
# so treat anything holding auth material as belonging there.
sane.programs = {
  # PACKAGE SETS
  "sane-scripts.backup" = declPackageSet [
    "sane-scripts.backup-ls"
    "sane-scripts.backup-restore"
  ];
  "sane-scripts.bittorrent" = declPackageSet [
    "sane-scripts.bt-add"
    "sane-scripts.bt-rm"
    "sane-scripts.bt-search"
    "sane-scripts.bt-show"
  ];
  "sane-scripts.dev" = declPackageSet [
    "sane-scripts.clone"
    "sane-scripts.dev-cargo-loop"
    "sane-scripts.git-init"
  ];
  "sane-scripts.cli" = declPackageSet [
    "sane-scripts.deadlines"
    "sane-scripts.find-dotfiles"
    "sane-scripts.ip-check"
    "sane-scripts.ip-reconnect"
    "sane-scripts.private-change-passwd"
    "sane-scripts.private-do"
    "sane-scripts.private-init"
    "sane-scripts.private-lock"
    "sane-scripts.private-unlock"
    "sane-scripts.rcp"
    "sane-scripts.reboot"
    "sane-scripts.reclaim-boot-space"
    "sane-scripts.reclaim-disk-space"
    "sane-scripts.secrets-dump"
    "sane-scripts.secrets-unlock"
    "sane-scripts.secrets-update-keys"
    "sane-scripts.shutdown"
    "sane-scripts.sudo-redirect"
    "sane-scripts.sync-from-servo"
    "sane-scripts.tag-music"
    "sane-scripts.vpn"
    "sane-scripts.which"
    "sane-scripts.wipe"
  ];
  "sane-scripts.sys-utils" = declPackageSet [
    "sane-scripts.ip-port-forward"
    "sane-scripts.sync-music"
  ];

  # system administration / diagnostics toolbox; commented-out entries are
  # packages deliberately left out (reason given inline where known).
  sysadminUtils = declPackageSet [
    "bridge-utils" # for brctl; debug linux "bridge" inet devices
    "btrfs-progs"
    "cacert.unbundled" # some services require unbundled /etc/ssl/certs
    "cryptsetup"
    "ddrescue"
    "dig"
    "dtc" # device tree [de]compiler
    "e2fsprogs" # resize2fs
    "efibootmgr"
    "ethtool"
    "fatresize"
    "fd"
    "file"
    # "fwupd"
    "gawk"
    "gdb" # to debug segfaults
    "git"
    "gptfdisk" # gdisk
    "hdparm"
    "htop"
    "iftop"
    "inetutils" # for telnet
    "iotop"
    "iptables"
    # "iw"
    "jq"
    "killall"
    "libcap_ng" # for `netcap`
    "lsof"
    # "miniupnpc"
    "nano"
    # "ncdu" # ncurses disk usage. doesn't cross compile (zig)
    "neovim"
    "netcat"
    "nethogs"
    "nmap"
    "nvme-cli" # nvme
    # "openssl"
    "parted"
    "pciutils"
    "powertop"
    "pstree"
    "ripgrep"
    "screen"
    "smartmontools" # smartctl
    "socat"
    "strace"
    "subversion"
    "tcpdump"
    "tree"
    "usbutils" # lsusb
    "util-linux" # lsblk, lscpu, etc
    "wget"
    "wirelesstools" # iwlist
    "xq" # jq for XML
    # "zfs" # doesn't cross-compile (requires samba)
  ];

  # backup tooling that not every host needs
  sysadminExtraUtils = declPackageSet [
    "backblaze-b2"
    "duplicity"
    "sane-scripts.backup"
    "sqlite" # to debug sqlite3 databases
  ];

  # TODO: split these into smaller groups.
  # - moby doesn't want a lot of these.
  # - categories like
  #   - dev?
  #   - debugging?
  consoleUtils = declPackageSet [
    "alsaUtils" # for aplay, speaker-test
    "binutils-unwrapped" # for strings; though this brings 80MB of unrelated baggage too
    # "cdrtools"
    # "clinfo"
    # "dmidecode"
    "dtrx" # `unar` alternative, "Do The Right eXtraction"
    # "efivar"
    "eza" # a better 'ls'
    # "flashrom"
    "git" # needed as a user package, for config.
    # "gnupg"
    # "gocryptfs"
    # "gopass"
    # "gopass-jsonapi"
    # "helix" # text editor
    # "libsecret" # for managing user keyrings (secret-tool)
    # "lm_sensors" # for sensors-detect
    # "lshw"
    # "memtester"
    "mercurial" # hg
    "mimeo" # like xdg-open
    "neovim" # needed as a user package, for swap persistence
    # "nettools"
    # "networkmanager"
    # "nixos-generators"
    "nmon"
    # "node2nix"
    # "oathToolkit" # for oathtool
    # "ponymix"
    "pulsemixer"
    "python3-repl"
    # "python3Packages.eyeD3" # music tagging
    "ripgrep" # needed as a user package so that its user-level config file can be installed
    "rsync"
    "sane-scripts.bittorrent"
    "sane-scripts.cli"
    # "snapper"
    "sops" # for manually viewing secrets; outside `sane-secrets` (TODO: improve sane-secrets!)
    "speedtest-cli"
    # "ssh-to-age"
    "sudo"
    # "tageditor" # music tagging
    # "unar"
    "unzip"
    "wireguard-tools" # for `wg`
    "xdg-utils" # for xdg-open
    # "yarn"
    "zsh"
  ];

  # console tools only wanted on a PC (not the phone)
  pcConsoleUtils = declPackageSet [
    # "gh" # MS GitHub cli
    "nix-index"
    "nixpkgs-review"
    "sane-scripts.dev"
    "sequoia"
  ];

  consoleMediaUtils = declPackageSet [
    # "catt" # cast videos to chromecast
    "ffmpeg"
    "go2tv" # cast videos to UPNP/DLNA device (i.e. tv).
    "imagemagick"
    "sox"
    "yt-dlp"
  ];

  pcTuiApps = declPackageSet [
    "aerc" # email client
    # "msmtp" # sendmail
    # "offlineimap" # email mailbox sync
    # "sfeed" # RSS fetcher
    "visidata" # TUI spreadsheet viewer/editor
    "w3m" # web browser
  ];

  iphoneUtils = declPackageSet [
    # "ifuse"
    # "ipfs"
    # "libimobiledevice"
    "sane-scripts.sync-from-iphone"
  ];

  devPkgs = declPackageSet [
    "cargo"
    "clang"
    "lua"
    "nodejs"
    "patchelf"
    "rustc"
    # "tree-sitter"
  ];

  # INDIVIDUAL PACKAGE DEFINITIONS
  blanket.sandbox.method = "bwrap";
  blanket.sandbox.wrapperType = "wrappedDerivation";
  blanket.sandbox.whitelistAudio = true;

  brightnessctl.sandbox.method = "bwrap";
  brightnessctl.sandbox.wrapperType = "wrappedDerivation";
  brightnessctl.sandbox.extraPaths = [
    # /sys/class/backlight entries are symlinks into /sys/devices, hence both.
    # NOTE(review): /sys/devices is the whole device tree, far wider than the
    # backlight node alone; narrow it if the module supports a deeper path.
    "/sys/class/backlight"
    "/sys/devices"
  ];
  # system bus access, presumably for logind's SetBrightness call — confirm
  brightnessctl.sandbox.whitelistDbus = [ "system" ];

  "cacert.unbundled".sandbox.enable = false; # certificate data only; nothing to execute

  # NOTE(review): ~/.cargo is also where `cargo login` writes credentials.toml
  # (the registry token). If that is ever used on these hosts, the `private`
  # store is the safer choice — confirm before keeping this in plaintext.
  cargo.persist.byStore.plaintext = [ ".cargo" ];

  # auth token, preferences
  delfin.sandbox.method = "bwrap";
  delfin.sandbox.wrapperType = "wrappedDerivation";
  delfin.sandbox.whitelistAudio = true;
  delfin.sandbox.whitelistDri = true;
  delfin.sandbox.net = "clearnet";
  delfin.persist.byStore.private = [ ".config/delfin" ];

  # creds, but also 200 MB of node modules, etc
  discord.sandbox.method = "bwrap";
  discord.sandbox.wrapperType = "inplace"; #< /opt-style packaging
  discord.sandbox.whitelistAudio = true;
  discord.sandbox.net = "clearnet";
  discord.persist.byStore.private = [ ".config/discord" ];

  # NOTE(review): no `sandbox.wrapperType` here, unlike every other bwrap entry
  # in this file; it relies on the option's default — confirm that is intended.
  dtc.sandbox.method = "bwrap";
  dtc.sandbox.autodetectCliPaths = true; # TODO:sandbox: untested

  endless-sky.persist.byStore.plaintext = [ ".local/share/endless-sky" ];

  # `emote` will show a first-run dialog based on what's in this directory.
  # mostly, it just keeps a LRU of previously-used emotes to optimize display order.
  # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
  emote.persist.byStore.plaintext = [ ".local/share/Emote" ];

  eza.sandbox.method = "landlock"; # ls replacement
  eza.sandbox.wrapperType = "wrappedDerivation"; # slow to build
  eza.sandbox.autodetectCliPaths = true;
  eza.sandbox.whitelistPwd = true;

  fd.sandbox.method = "landlock";
  fd.sandbox.wrapperType = "wrappedDerivation"; # slow to build
  fd.sandbox.autodetectCliPaths = true;
  fd.sandbox.whitelistPwd = true;

  ffmpeg.sandbox.method = "bwrap";
  ffmpeg.sandbox.wrapperType = "wrappedDerivation"; # slow to build
  ffmpeg.sandbox.autodetectCliPaths = "existingFileOrParent"; # it outputs uncreated files -> parent dir needs mounting

  file.sandbox.method = "bwrap";
  file.sandbox.wrapperType = "wrappedDerivation";
  file.sandbox.autodetectCliPaths = true;

  # NOTE(review): a Matrix client's data dir normally holds the session access
  # token (and E2EE keys); if that is the case here, this belongs in `private`
  # like the other chat clients in this file (discord, tdesktop, whalebird).
  fluffychat-moby.persist.byStore.plaintext = [ ".local/share/chat.fluffy.fluffychat" ];

  font-manager.sandbox.method = "bwrap";
  font-manager.sandbox.wrapperType = "inplace"; # .desktop and dbus .service file refer to /libexec
  font-manager.packageUnwrapped = pkgs.font-manager.override {
    # build without the "Google Fonts" integration feature, to save closure / avoid webkitgtk_4_0
    withWebkit = false;
  };

  # fuzzel: TODO: re-enable sandbox. i use fuzzel both as an entry system (snippets) AND an app-launcher.
  # as an app-launcher, it cannot be sandboxed without over-restricting the app it launches.
  # should probably make it not be an app-launcher
  fuzzel.sandbox.enable = false;
  fuzzel.sandbox.method = "bwrap"; #< landlock nearly works, but unable to open ~/.cache
  fuzzel.sandbox.wrapperType = "wrappedDerivation";
  fuzzel.persist.byStore.private = [ ".cache/fuzzel" ]; #< this is a file of recent selections

  gawk.sandbox.method = "bwrap"; # TODO:sandbox: untested
  gawk.sandbox.wrapperType = "inplace"; # share/gawk libraries refer to /libexec
  gawk.sandbox.autodetectCliPaths = true;

  gdb.sandbox.enable = false; # gdb doesn't sandbox well. i don't know how you could.
  # gdb.sandbox.method = "landlock"; # permission denied when trying to attach, even as root
  # NOTE(review): the attach failure is expected under Landlock: a landlocked
  # process may only ptrace processes inside its own (or a nested) domain, so
  # any target started outside the sandbox is off-limits regardless of uid.
  gdb.sandbox.wrapperType = "wrappedDerivation";
  gdb.sandbox.autodetectCliPaths = true;

  # MS GitHub stores auth token in .config
  # TODO: we can populate gh's stuff statically; it even lets us use the same oauth across machines
  gh.persist.byStore.private = [ ".config/gh" ];

  gimp.sandbox.method = "bwrap";
  gimp.sandbox.wrapperType = "wrappedDerivation";
  gimp.sandbox.extraHomePaths = [
    "Pictures"
    "Pictures/servo-macros"
    "dev"
    "ref"
    "tmp"
  ];
  gimp.sandbox.autodetectCliPaths = true;

  "gnome.gnome-calculator".sandbox.method = "bwrap";
  "gnome.gnome-calculator".sandbox.wrapperType = "inplace"; # /libexec/gnome-calculator-search-provider

  # gnome-calendar surely has data to persist, but i use it strictly to do date math, not track events.
  "gnome.gnome-calendar".sandbox.method = "bwrap";
  "gnome.gnome-calendar".sandbox.wrapperType = "wrappedDerivation";

  "gnome.gnome-clocks".sandbox.method = "bwrap";
  "gnome.gnome-clocks".sandbox.wrapperType = "wrappedDerivation";
  "gnome.gnome-clocks".persist.byStore.private = [
    # NOTE(review): ~/.config/dconf/user is the single GSettings database shared
    # by every dconf-using app, so this persists much more than clocks' own
    # settings; fine in `private`, but the scope is worth knowing about.
    ".config/dconf"
  ];

  gnome-2048.sandbox.method = "bwrap";
  gnome-2048.sandbox.wrapperType = "wrappedDerivation";
  gnome-2048.persist.byStore.plaintext = [ ".local/share/gnome-2048/scores" ];

  # TODO: gnome-maps: move to own file
  "gnome.gnome-maps".persist.byStore.plaintext = [ ".cache/shumate" ];
  "gnome.gnome-maps".persist.byStore.private = [ ".local/share/maps-places.json" ];

  # hitori rules:
  # - click to shade a tile
  # 1. no number may appear unshaded more than once in the same row/column
  # 2. no two shaded tiles can be direct N/S/E/W neighbors
  # - win once (1) and (2) are satisfied
  "gnome.hitori".sandbox.method = "bwrap";
  "gnome.hitori".sandbox.wrapperType = "wrappedDerivation";

  # jq.sandbox.autodetectCliPaths = true; # liable to over-detect

  krita.sandbox.method = "bwrap";
  krita.sandbox.wrapperType = "wrappedDerivation";
  krita.sandbox.autodetectCliPaths = "existing";
  krita.sandbox.extraHomePaths = [
    "dev"
    "Pictures"
    "Pictures/servo-macros"
    "ref"
    "tmp"
  ];

  mercurial.sandbox.method = "bwrap"; # TODO:sandbox: untested
  mercurial.sandbox.wrapperType = "wrappedDerivation";
  mercurial.sandbox.net = "clearnet";
  mercurial.sandbox.whitelistPwd = true;
  mimeo.sandbox.method = "capshonly"; # xdg-open replacement

  # actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
  # XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
  # NOTE(review): the chain data itself is public; what decides the XXX is
  # whether the daemon writes anything else beside it (peer state, logs) —
  # check the directory's contents before settling on the plaintext store.
  monero-gui.persist.byStore.plaintext = [ ".bitmonero" ];

  mumble.persist.byStore.private = [ ".local/share/Mumble" ];

  nano.sandbox.method = "bwrap";
  nano.sandbox.wrapperType = "wrappedDerivation";
  nano.sandbox.autodetectCliPaths = "existingFileOrParent";

  # settings (electron app)
  # NOTE(review): settings-only is fine in plaintext; verify nothing account
  # related (e.g. a sync session) is written under this dir as well.
  obsidian.persist.byStore.plaintext = [ ".config/obsidian" ];

  pavucontrol.sandbox.method = "bwrap";
  pavucontrol.sandbox.wrapperType = "wrappedDerivation";

  pwvucontrol.sandbox.method = "bwrap";
  pwvucontrol.sandbox.wrapperType = "wrappedDerivation";

  python3-repl.packageUnwrapped = pkgs.python3.withPackages (ps: with ps; [
    requests
  ]);

  rsync.sandbox.method = "bwrap"; # TODO:sandbox: untested
  rsync.sandbox.wrapperType = "wrappedDerivation";
  rsync.sandbox.net = "clearnet";
  # NOTE(review): rsync over ssh needs the ssh client and ~/.ssh reachable from
  # inside the sandbox; neither is whitelisted here (consistent with "untested").
  rsync.sandbox.autodetectCliPaths = "existingFileOrParent";

  sequoia.sandbox.method = "bwrap"; # TODO:sandbox: untested
  sequoia.sandbox.wrapperType = "wrappedDerivation"; # slow to build
  sequoia.sandbox.whitelistPwd = true;
  sequoia.sandbox.autodetectCliPaths = true;

  shattered-pixel-dungeon.persist.byStore.plaintext = [ ".local/share/.shatteredpixel/shattered-pixel-dungeon" ];

  # printer/filament settings
  slic3r.persist.byStore.plaintext = [ ".Slic3r" ];

  sops.sandbox.method = "bwrap"; # TODO:sandbox: untested
  sops.sandbox.wrapperType = "wrappedDerivation";
  sops.sandbox.extraHomePaths = [
    ".config/sops"
    "dev/nixos"
    # TODO: sops should only need access to knowledge/secrets,
    # except that i currently put its .sops.yaml config in the root of ~/knowledge
    # (so every file under ~/knowledge is readable inside the sandbox, not just the secrets)
    "knowledge"
  ];

  space-cadet-pinball.persist.byStore.plaintext = [ ".local/share/SpaceCadetPinball" ];

  subversion.sandbox.method = "bwrap";
  subversion.sandbox.wrapperType = "wrappedDerivation";
  subversion.sandbox.net = "clearnet";
  subversion.sandbox.whitelistPwd = true;
  # setuid-root binary: it cannot elevate under no_new_privs, which both sandbox
  # methods in this file rely on, so it must stay unsandboxed.
  sudo.sandbox.enable = false;

  superTux.sandbox.method = "bwrap";
  superTux.sandbox.wrapperType = "wrappedDerivation";
  superTux.sandbox.whitelistAudio = true;
  superTux.sandbox.whitelistDri = true;
  superTux.persist.byStore.plaintext = [ ".local/share/supertux2" ];

  swaylock.sandbox.enable = false; #< neither landlock nor bwrap works. pam_authenticate failed: invalid credentials. does it rely on SUID?
  # NOTE(review): likely yes, indirectly — pam_unix checks passwords through the
  # setuid unix_chkpwd helper, and no_new_privs (set by both sandbox methods)
  # stops that helper from gaining privilege, which surfaces as "invalid
  # credentials". Confirm by checking the PAM stack used for swaylock.

  tdesktop.persist.byStore.private = [ ".local/share/TelegramDesktop" ];

  tokodon.persist.byStore.private = [ ".cache/KDE/tokodon" ];

  tcpdump.sandbox.method = "landlock";
  tcpdump.sandbox.wrapperType = "wrappedDerivation";
  # "all" rather than "clearnet": capture presumably has to see every interface — confirm option semantics
  tcpdump.sandbox.net = "all";
  tcpdump.sandbox.autodetectCliPaths = "existingFileOrParent";
  # net_raw: packet sockets for capture; net_admin: promiscuous mode.
  # both stay granted inside the sandbox, so this remains a privileged tool.
  tcpdump.sandbox.capabilities = [ "net_admin" "net_raw" ];
  tree.sandbox.method = "landlock";
  tree.sandbox.wrapperType = "wrappedDerivation";
  tree.sandbox.autodetectCliPaths = true;
  tree.sandbox.whitelistPwd = true;

  unzip.sandbox.method = "bwrap";
  unzip.sandbox.wrapperType = "wrappedDerivation";
  unzip.sandbox.autodetectCliPaths = "existingFileOrParent";
  unzip.sandbox.whitelistPwd = true;

  visidata.sandbox.method = "bwrap"; # TODO:sandbox: untested
  visidata.sandbox.wrapperType = "wrappedDerivation";
  visidata.sandbox.autodetectCliPaths = true;

  vvvvvv.sandbox.method = "bwrap";
  vvvvvv.sandbox.wrapperType = "wrappedDerivation";
  vvvvvv.sandbox.whitelistAudio = true;
  vvvvvv.sandbox.whitelistDri = true; #< playable without, but burns noticably more CPU
  vvvvvv.persist.byStore.plaintext = [ ".local/share/VVVVVV" ];

  wget.sandbox.method = "bwrap";
  wget.sandbox.wrapperType = "wrappedDerivation";
  # NOTE(review): "all" rather than the "clearnet" given to mercurial/rsync/
  # subversion above (yt-dlp below does the same). Whatever "all" adds beyond
  # clearnet in this module, confirm a plain downloader should have it.
  wget.sandbox.net = "all";
  wget.sandbox.whitelistPwd = true; # saves to pwd by default

  whalebird.persist.byStore.private = [ ".config/Whalebird" ];

  yarn.persist.byStore.plaintext = [ ".cache/yarn" ];

  yt-dlp.sandbox.method = "bwrap"; # TODO:sandbox: untested
  yt-dlp.sandbox.wrapperType = "wrappedDerivation";
  yt-dlp.sandbox.net = "all";
  yt-dlp.sandbox.whitelistPwd = true; # saves to pwd by default
};
# Turn the NixOS feedbackd service on only when the matching sane program is
# enabled, so hosts that do not declare it get no extra daemon.
programs.feedbackd = lib.mkIf config.sane.programs.feedbackd.enabled {
  enable = true;
};
# Enable the NixOS firejail module only when the matching sane program is
# enabled. Its main effect is installing firejail's setuid-root launcher, which
# is usable by every local user once present — hence gating it rather than
# enabling it unconditionally.
programs.firejail = lib.mkIf config.sane.programs.firejail.enabled {
  enable = true; #< install the suid binary
};
}