{ config, lib, pkgs, ... }:
let
# declPackageSet: declare a "package set". the result ships no package of its own
# (packageUnwrapped = null); it only pulls in the programs named in the list, via
# suggestedPrograms, and documents that grouping.
# N.B.: the `pkgs` parameter here is a list of program names and shadows the module's `pkgs` argument.
declPackageSet = pkgs: {
packageUnwrapped = null;
suggestedPrograms = pkgs;
};
in
{
sane.programs = {
# PACKAGE SETS
# packages which are unavoidably enabled system-wide by default nixos deployment
# the only real reason to make a proper package set out of these is for documentation
# and to allow them to be easily replaced by sandboxed versions.
nixosBuiltins = {
# mkDefault: enabled on every system unless a host config sets enableFor.system explicitly.
enableFor.system = lib.mkDefault true;
# no package of its own; this set only pulls in the two sets below.
packageUnwrapped = null;
# the wireless tools are only pulled in on hosts that enable networking.wireless.
suggestedPrograms = [ "nixosBuiltinsNet" ]
++ lib.optionals config.networking.wireless.enable [ "nixosBuiltinsWireless" ];
};
# network tools nixos places on every system; declaring them as programs here is what lets
# their per-program sandbox settings (e.g. `host.sandbox` below) replace the stock versions.
nixosBuiltinsNet = declPackageSet [
# from nixos/modules/tasks/network-interfaces.nix
"host"
"iproute2"
"iputils"
"nettools"
];
# wireless tools nixos adds when networking.wireless is enabled (see nixosBuiltins above).
nixosBuiltinsWireless = declPackageSet [
# from nixos/modules/tasks/network-interfaces.nix
# if config.networking.wireless.enable
"wirelesstools"
"iw"
];
# host administration and diagnostics. several entries are privileged or network-facing
# (cryptsetup, iptables, nmap, tcpdump, netcat, ...); their sandbox settings, where any,
# live under INDIVIDUAL PACKAGE DEFINITIONS below. gdb is deliberately left unsandboxed there.
sysadminUtils = declPackageSet [
"bridge-utils" # for brctl; debug linux "bridge" inet devices
"btrfs-progs"
"cacert.unbundled" # some services require unbundled /etc/ssl/certs
"cryptsetup"
"ddrescue"
"dig"
"dtc" # device tree [de]compiler
"e2fsprogs" # resize2fs
"efibootmgr"
"ethtool"
"fatresize"
"fd"
"file"
"forkstat" # monitor every spawned/forked process
# "fwupd"
"gawk"
"gdb" # to debug segfaults
"git"
"gptfdisk" # gdisk
"hdparm"
"htop"
"iftop"
"inetutils" # for telnet
"iotop"
"iptables"
# "iw"
"jq"
"killall"
"less"
"lftp"
# "libcap_ng" # for `netcap`
"lsof"
"man-pages"
"man-pages-posix"
# "miniupnpc"
"nano"
# "ncdu" # ncurses disk usage. doesn't cross compile (zig)
"neovim"
"netcat"
"nethogs"
"nmap"
"nvme-cli" # nvme
# "openssl"
"parted"
"pciutils"
"powertop"
"pstree"
"ripgrep"
"s6-rc" # service manager
"screen"
"smartmontools" # smartctl
# "socat"
"strace"
"subversion"
"tcpdump"
"tree"
"usbutils" # lsusb
"util-linux" # lsblk, lscpu, etc
"valgrind"
"wget"
"wirelesstools" # iwlist
# "xq" # jq for XML
# "zfs" # doesn't cross-compile (requires samba)
];
# backup tooling (backblaze-b2, duplicity, sane-scripts.backup) plus sqlite; kept separate
# from sysadminUtils so it need not ride along on every host.
sysadminExtraUtils = declPackageSet [
"backblaze-b2"
"duplicity"
"sane-scripts.backup"
"sqlite" # to debug sqlite3 databases
];
# TODO: split these into smaller groups.
# - moby doesn't want a lot of these.
# - categories like
# - dev?
# - debugging?
# per-user console tools. note this set carries `sudo`, `sops` (manual secret viewing) and
# `wireguard-tools`, which is another reason the split above matters.
consoleUtils = declPackageSet [
"alsaUtils" # for aplay, speaker-test
# "cdrtools"
# "clinfo"
# "dmidecode"
"dtrx" # `unar` alternative, "Do The Right eXtraction"
# "efivar"
"eza" # a better 'ls'
# "flashrom"
"git" # needed as a user package, for config.
# "glib" # for `gsettings`
# "gnupg"
# "gocryptfs"
# "gopass"
# "gopass-jsonapi"
# "helix" # text editor
"htop" # needed as a user package, for ~/.config/htop
# "libsecret" # for managing user keyrings (secret-tool)
# "lm_sensors" # for sensors-detect
# "lshw"
# "memtester"
"mercurial" # hg
"mimeo" # like xdg-open
"neovim" # needed as a user package, for swap persistence
# "nettools"
# "networkmanager"
# "nixos-generators"
"nmon"
# "node2nix"
# "oathToolkit" # for oathtool
"objdump"
# "ponymix"
"pulsemixer"
"python3-repl"
# "python3Packages.eyeD3" # music tagging
"ripgrep" # needed as a user package so that its user-level config file can be installed
"rsync"
"sane-scripts.bittorrent"
"sane-scripts.cli"
# "snapper"
"sops" # for manually viewing secrets; outside `sane-secrets` (TODO: improve sane-secrets!)
"speedtest-cli"
# "ssh-to-age"
"strings"
"sudo"
# "tageditor" # music tagging
# "unar"
"unzip"
"wireguard-tools" # for `wg`
"xdg-utils" # for xdg-open
# "yarn"
"zsh"
];
# console tools only wanted on PCs (nix dev/review helpers, sequoia).
pcConsoleUtils = declPackageSet [
"errno" # 2024/05/18: doesn't cross compile (perl File-ShareDir / Module-Build-Tiny)
# "gh" # MS GitHub cli
"nix-index"
"nixpkgs-review"
"sane-scripts.dev"
"sequoia"
];
# media conversion and UPNP/DLNA casting from the console.
consoleMediaUtils = declPackageSet [
"blast-ugjka" # cast audio to UPNP/DLNA devices (via pulseaudio sink)
# "catt" # cast videos to chromecast
"ffmpeg"
"go2tv" # cast videos to UPNP/DLNA device (i.e. tv).
"imagemagick"
"sane-cast" # cast videos to UPNP/DLNA, with compatibility
"sox"
"yt-dlp"
];
# terminal apps only wanted on PCs (mail, spreadsheet, text-mode web).
pcTuiApps = declPackageSet [
"aerc" # email client
# "msmtp" # sendmail
# "offlineimap" # email mailbox sync
# "sfeed" # RSS fetcher
"visidata" # TUI spreadsheet viewer/editor
"w3m" # web browser
];
# iphone interop. only the sync script is enabled; the libimobiledevice stack is commented out.
iphoneUtils = declPackageSet [
# "ifuse"
# "ipfs"
# "libimobiledevice"
"sane-scripts.sync-from-iphone"
];
# compilers and language toolchains.
devPkgs = declPackageSet [
"cargo"
"clang"
"lua"
"nodejs"
"patchelf"
"rustc"
# "tree-sitter"
];
# games for every GUI profile (pulled in by guiApps); PC-only games are in pcGameApps.
gameApps = declPackageSet [
"animatch"
"gnome-2048"
"gnome.hitori" # like sudoku
];
# games for the PC profile only (pulled in by pcGuiApps). the WAN/LAN ones need network access
# inside their sandbox; see e.g. `hase.sandbox.net` below.
pcGameApps = declPackageSet [
# "andyetitmoves" # TODO: fix build!
# "armagetronad" # tron/lightcycles; WAN and LAN multiplayer
"celeste64"
# "cutemaze" # meh: trivial maze game; qt6 and keyboard-only
# "cuyo" # trivial puyo-puyo clone
"endless-sky" # space mercantilism/exploration
# "factorio"
"frozen-bubble" # WAN + LAN + 1P/2P bubble bobble
"hase" # WAN worms game
# "hedgewars" # WAN + LAN worms game (5~10 people online at any moment; <https://hedgewars.org>)
# "libremines" # meh: trivial minesweeper; qt6
# "mario0" # SMB + portal
# "mindustry"
# "minesweep-rs" # CLI minesweeper
# "nethack"
# "osu-lazer"
# "pinball" # 3d pinball; kb/mouse. old sourceforge project
# "powermanga" # STYLISH space invaders derivative (keyboard-only)
"shattered-pixel-dungeon" # doesn't cross compile
"space-cadet-pinball" # LMB/RMB controls (bindable though. volume buttons?)
"superTux" # keyboard-only controls
"superTuxKart" # poor FPS on pinephone
"tumiki-fighters" # keyboard-only
"vvvvvv" # keyboard-only controls
# "wine"
];
# the GUI profile shared by every GUI device: it names only other package sets.
guiApps = declPackageSet [
# package sets
"gameApps"
"guiBaseApps"
];
# GUI apps for every GUI device. many are network clients that hold credentials (e.g. `tuba`
# keeps its password in the keyring, per its note); persistence and sandboxing for those are
# set per program under INDIVIDUAL PACKAGE DEFINITIONS.
guiBaseApps = declPackageSet [
# "abaddon" # discord client
"alacritty" # terminal emulator
"calls" # gnome calls (dialer/handler)
"dbus"
"dconf" # required by many packages, but not well-documented :(
# "delfin" # Jellyfin client
"dialect" # language translation
"dino" # XMPP client
"dissent" # Discord client (formerly known as: gtkcord4)
# "emote"
# "evince" # PDF viewer
# "flare-signal" # gtk4 signal client
# "foliate" # e-book reader
"fractal" # matrix client
"g4music" # local music player
# "gnome.cheese"
# "gnome-feeds" # RSS reader (with claimed mobile support)
# "gnome.file-roller"
"gnome.geary" # adaptive e-mail client; uses webkitgtk 4.1
"gnome.gnome-calculator"
"gnome.gnome-calendar"
"gnome.gnome-clocks"
"gnome.gnome-maps"
# "gnome-podcasts"
# "gnome.gnome-system-monitor"
# "gnome.gnome-terminal" # works on phosh
"gnome.gnome-weather"
# "gnome.seahorse" # keyring/secret manager
"gnome-frog" # OCR/QR decoder
"gpodder"
"gst-device-monitor" # for debugging audio/video
# "gthumb"
# "lemoa" # lemmy app
"libcamera" # for `cam` binary (useful for debugging cameras)
"libnotify" # for notify-send; debugging
# "lollypop"
"loupe" # image viewer
"mate.engrampa" # archive manager
"mepo" # maps viewer
"mpv"
"networkmanagerapplet" # for nm-connection-editor: it's better than not having any gui!
"ntfy-sh" # notification service
# "newsflash" # RSS viewer
"pavucontrol"
"pwvucontrol" # pipewire version of pavu
# "picard" # music tagging
# "libsForQt5.plasmatube" # Youtube player
"signal-desktop"
"snapshot" # camera app
"spot" # Gnome Spotify client
# "sublime-music"
# "tdesktop" # broken on phosh
# "tokodon"
"tuba" # mastodon/pleroma client (stores pw in keyring)
"vulkan-tools" # vulkaninfo
# "whalebird" # pleroma client (Electron). input is broken on phosh.
"xdg-terminal-exec"
"zathura" # PDF/CBZ/ePUB viewer
];
# GUI apps wanted on the handheld profile specifically.
handheldGuiApps = declPackageSet [
# "celluloid" # mpv frontend
# "chatty" # matrix/xmpp/irc client (2023/12/29: disabled because broken cross build)
"cozy" # audiobook player
"epiphany" # gnome's web browser
# "iotas" # note taking app
"komikku"
"koreader"
"megapixels" # camera app
"notejot" # note taking, e.g. shopping list
"planify" # todo-tracker/planner
"portfolio-filemanager"
"tangram" # web browser
"wike" # Wikipedia Reader
"xarchiver"
];
# GUI apps for PCs only. this includes wallets (brave's integrated wallet, electrum) and
# tor-browser, and several x86-only binary packages; nicotine-plus stays disabled until it is
# properly sandboxed (see its note).
pcGuiApps = declPackageSet [
# package sets
"pcGameApps"
"pcTuiApps"
####
"audacity"
# "blanket" # ambient noise generator
"brave" # for the integrated wallet -- as a backup
# "cantata" # music player (mpd frontend)
# "chromium" # chromium takes hours to build. brave is chromium-based, distributed in binary form, so prefer it.
# "cups"
"discord" # x86-only
"electrum"
"element-desktop"
"firefox"
"font-manager"
# "gajim" # XMPP client. cross build tries to import host gobject-introspection types (2023/09/01)
"gimp" # broken on phosh
# "gnome.dconf-editor"
# "gnome.file-roller"
"gnome.gnome-disk-utility"
"gnome.nautilus" # file browser
# "gnome.totem" # video player, supposedly supports UPnP
"handbrake"
"inkscape"
# "jellyfin-media-player"
"kdenlive"
# "kid3" # audio tagging
"krita"
"libreoffice" # TODO: replace with an office suite that uses saner packaging?
"losslesscut-bin" # x86-only
# "makemkv" # x86-only
# "monero-gui" # x86-only
# "mumble"
# "nheko" # Matrix chat client
# "nicotine-plus" # soulseek client. before re-enabling this make sure it's properly sandboxed!
# "obsidian"
# "openscad" # 3d modeling
# "rhythmbox" # local music player
# "slic3r"
"soundconverter"
"spotify" # x86-only
"steam"
"tor-browser" # x86-only
# "vlc"
"wireshark" # could maybe ship the cli as sysadmin pkg
# "xterm" # requires Xwayland
# "zecwallet-lite" # x86-only
# "zulip"
];
# INDIVIDUAL PACKAGE DEFINITIONS
# per-program settings. `sandbox.method` picks the isolation mechanism (bwrap or landlock) and the
# other `sandbox.*` keys widen what the program may reach (audio, wayland, dbus, net, capabilities,
# extra paths, ...). `persist.byStore.<store>` lists home paths kept in that store (plaintext,
# private, cryptClearOnBoot -- the names suggest increasing confidentiality; confirm against the
# module). `buildCost` presumably flags expensive builds.
alsaUtils.sandbox.method = "landlock";
alsaUtils.sandbox.whitelistAudio = true; #< not strictly necessary?

# declared with module defaults only (sandbox included) -- NOTE(review): confirm what those defaults are.
backblaze-b2 = {};

blanket.buildCost = 1;
blanket.sandbox.method = "bwrap";
blanket.sandbox.whitelistAudio = true;
# blanket.sandbox.whitelistDbus = [ "user" ]; # TODO: untested
blanket.sandbox.whitelistWayland = true;

blueberry.sandbox.method = "bwrap";
blueberry.sandbox.wrapperType = "inplace"; #< various /lib scripts refer to the bins by full path
blueberry.sandbox.whitelistWayland = true;
# rfkill plus the system bus socket (/run/dbus) -- presumably for bluetooth management; verify the
# list against what it actually opens rather than widening it further.
blueberry.sandbox.extraPaths = [
"/dev/rfkill"
"/run/dbus"
"/sys/class/rfkill"
"/sys/devices"
];
bridge-utils.sandbox.method = "bwrap"; #< bwrap, landlock: both work
bridge-utils.sandbox.net = "all"; # presumably needs the host's netns to see the bridge devices

brightnessctl.sandbox.method = "landlock"; # also bwrap, but landlock is more responsive
brightnessctl.sandbox.extraPaths = [
"/sys/class/backlight"
"/sys/class/leds"
"/sys/devices"
];
# system bus, not the user bus: it talks to a system service for the actual brightness writes.
brightnessctl.sandbox.whitelistDbus = [ "system" ];

btrfs-progs.sandbox.method = "bwrap"; #< bwrap, landlock: both work
btrfs-progs.sandbox.autodetectCliPaths = "existing"; # e.g. `btrfs filesystem df /my/fs`

# only here to ship /etc/ssl/certs (see the note in sysadminUtils); there is no binary to sandbox.
"cacert.unbundled".sandbox.enable = false;

# NOTE(review): ~/.cargo can also hold `credentials.toml` if `cargo login` is ever used; if so,
# the private store would fit better than plaintext.
cargo.persist.byStore.plaintext = [ ".cargo" ];

# declared with module defaults only.
clang = {};
# cryptsetup: typical use is `cryptsetup open /dev/loopxyz mappedName`, and creates `/dev/mapper/mappedName`
cryptsetup.sandbox.method = "landlock";
cryptsetup.sandbox.extraPaths = [
"/dev/mapper"
"/dev/random"
"/dev/urandom"
"/run" #< it needs the whole directory, at least if using landlock
"/proc"
"/sys/dev/block"
"/sys/devices"
];
# CAP_SYS_ADMIN is the broadest capability (device-mapper ioctls require it), so this sandbox
# limits filesystem reach rather than privilege.
cryptsetup.sandbox.capabilities = [ "sys_admin" ];
# presumably mounts whatever existing device/file is named on the command line into the sandbox.
cryptsetup.sandbox.autodetectCliPaths = "existing";

ddrescue.sandbox.method = "landlock"; # TODO:sandbox: untested
ddrescue.sandbox.autodetectCliPaths = "existingOrParent";

delfin.buildCost = 1;
delfin.sandbox.method = "bwrap";
delfin.sandbox.whitelistAudio = true;
delfin.sandbox.whitelistDbus = [ "user" ]; # else `mpris` plugin crashes the player
delfin.sandbox.whitelistDri = true;
delfin.sandbox.whitelistWayland = true;
delfin.sandbox.net = "clearnet";
# auth token, preferences
delfin.persist.byStore.private = [ ".config/delfin" ];

dig.sandbox.method = "bwrap";
dig.sandbox.net = "all"; # DNS lookups; like `host` below, it only really needs to reach the resolver
# creds, but also 200 MB of node modules, etc
discord.persist.byStore.private = [ ".config/discord" ];
discord.suggestedPrograms = [ "xwayland" ];
discord.sandbox.method = "bwrap";
discord.sandbox.wrapperType = "inplace"; #< /opt-style packaging
discord.sandbox.whitelistAudio = true;
discord.sandbox.whitelistDbus = [ "user" ]; # needed for xdg-open
discord.sandbox.whitelistWayland = true;
# X11 is whitelisted alongside wayland (hence the xwayland suggestion above); an X socket gives a
# client more reach into the session than wayland does, so this is the weakest part of the sandbox.
discord.sandbox.whitelistX = true;
discord.sandbox.net = "clearnet";
# a binary-only network client (x86-only, per pcGuiApps): keep this list to the few dirs actually
# shared in chat rather than widening it toward all of ~.
discord.sandbox.extraHomePaths = [
# still needs these paths despite it using the portal's file-chooser :?
"Pictures/cat"
"Pictures/Screenshots"
"Pictures/servo-macros"
"Videos/local"
"Videos/servo"
"tmp"
];

dtc.sandbox.method = "bwrap";
dtc.sandbox.autodetectCliPaths = "existingFile"; # TODO:sandbox: untested

# declared with module defaults only.
duplicity = {};

e2fsprogs.sandbox.method = "landlock";
e2fsprogs.sandbox.autodetectCliPaths = "existing";

efibootmgr.sandbox.method = "landlock";
# the EFI variable tree is the only path added beyond the sandbox defaults.
efibootmgr.sandbox.extraPaths = [
"/sys/firmware/efi"
];

# declared with module defaults only.
eg25-control = {};
electrum.buildCost = 1;
electrum.sandbox.method = "bwrap"; # TODO:sandbox: untested
electrum.sandbox.net = "all"; # TODO: probably want to make this run behind a VPN, always
electrum.sandbox.whitelistWayland = true;
# wallet files and config. NOTE(review): the store name suggests this is wiped on boot -- confirm
# that is intended for wallet data, vs. the private store used for other credentials here.
electrum.persist.byStore.cryptClearOnBoot = [ ".electrum" ]; #< TODO: use XDG dirs!

endless-sky.buildCost = 1;
# save games
endless-sky.persist.byStore.plaintext = [ ".local/share/endless-sky" ];
endless-sky.sandbox.method = "bwrap";
endless-sky.sandbox.whitelistAudio = true;
endless-sky.sandbox.whitelistDri = true;
endless-sky.sandbox.whitelistWayland = true;

# `emote` will show a first-run dialog based on what's in this directory.
# mostly, it just keeps a LRU of previously-used emotes to optimize display order.
# TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
emote.persist.byStore.plaintext = [ ".local/share/Emote" ];

ethtool.sandbox.method = "landlock";
# CAP_NET_ADMIN: required to change interface settings.
ethtool.sandbox.capabilities = [ "net_admin" ];
# eza `ls` replacement
# eza.sandbox.method = "landlock";
eza.sandbox.method = "bwrap"; #< note that bwrap causes `/proc` files to be listed differently (e.g. `eza /proc/sys/net/ipv6/conf/`)
eza.sandbox.autodetectCliPaths = "existing";
eza.sandbox.whitelistPwd = true;
# only the non-sensitive persist stores are exposed; .persist/private is deliberately not.
eza.sandbox.extraHomePaths = [
# so that e.g. `eza -l ~` can show which symlink exist
".persist/ephemeral"
".persist/plaintext"
];

fatresize.sandbox.method = "landlock";
fatresize.sandbox.autodetectCliPaths = "parent"; # /dev/sda1 -> needs /dev/sda

fd.sandbox.method = "landlock";
fd.sandbox.autodetectCliPaths = "existing";
fd.sandbox.whitelistPwd = true;
# same exposure as eza above: the non-sensitive stores only.
fd.sandbox.extraHomePaths = [
# let it follow symlinks to non-sensitive data
".persist/ephemeral"
".persist/plaintext"
];

ffmpeg.buildCost = 1;
ffmpeg.sandbox.method = "bwrap";
ffmpeg.sandbox.autodetectCliPaths = "existingFileOrParent"; # it outputs uncreated files -> parent dir needs mounting
file.sandbox.method = "bwrap";
file.sandbox.autodetectCliPaths = "existing"; #< file OR directory, yes

findutils.sandbox.method = "bwrap";
findutils.sandbox.autodetectCliPaths = "existing";
findutils.sandbox.whitelistPwd = true;
# same exposure as eza/fd: the non-sensitive stores only.
findutils.sandbox.extraHomePaths = [
# let it follow symlinks to non-sensitive data
".persist/ephemeral"
".persist/plaintext"
];

# NOTE(review): if this directory holds the matrix session token, the private store would match
# how delfin/gh/discord credentials are treated here.
fluffychat-moby.persist.byStore.plaintext = [ ".local/share/chat.fluffy.fluffychat" ];

font-manager.buildCost = 1;
font-manager.sandbox.method = "bwrap";
font-manager.sandbox.whitelistWayland = true;
# rmDbusServicesInPlace presumably drops the package's dbus service files, so the app can only be
# started through the sandboxed wrapper and not via dbus activation -- confirm.
font-manager.packageUnwrapped = pkgs.rmDbusServicesInPlace (pkgs.font-manager.override {
# build without the "Google Fonts" integration feature, to save closure / avoid webkitgtk_4_0
withWebkit = false;
});

# forkstat exists to watch other processes (see sysadminUtils), so pid isolation is switched off
# and /proc is exposed: this sandbox is necessarily weaker than the others.
forkstat.sandbox.method = "landlock"; #< doesn't seem to support bwrap
forkstat.sandbox.isolatePids = false;
forkstat.sandbox.extraPaths = [
"/proc"
];
fuzzel.sandbox.method = "bwrap"; #< landlock nearly works, but unable to open ~/.cache
fuzzel.sandbox.whitelistWayland = true;
fuzzel.persist.byStore.private = [
# this is a file of recent selections
{ path=".cache/fuzzel"; type="file"; }
];

gawk.sandbox.method = "bwrap"; # TODO:sandbox: untested
gawk.sandbox.wrapperType = "inplace"; # /share/gawk libraries refer to /libexec
gawk.sandbox.autodetectCliPaths = "existingFile";

# gdb runs unsandboxed: ptrace-attaching to arbitrary processes is the whole point.
gdb.sandbox.enable = false; # gdb doesn't sandbox well. i don't know how you could.
# gdb.sandbox.method = "landlock"; # permission denied when trying to attach, even as root
# presumably a no-op while sandbox.enable is false; kept for when a method is found.
gdb.sandbox.autodetectCliPaths = true;

# declared with module defaults only.
geoclue2-with-demo-agent = {};

# MS GitHub stores auth token in .config
# TODO: we can populate gh's stuff statically; it even lets us use the same oauth across machines
gh.persist.byStore.private = [ ".config/gh" ];
gimp.buildCost = 1;
gimp.sandbox.method = "bwrap";
gimp.sandbox.whitelistX = true;
gimp.sandbox.whitelistWayland = true;
# the image directories plus dev/ref/tmp are the only parts of ~ the sandbox sees.
gimp.sandbox.extraHomePaths = [
"Pictures/albums"
"Pictures/cat"
"Pictures/from"
"Pictures/Photos"
"Pictures/Screenshots"
"Pictures/servo-macros"
"dev"
"ref"
"tmp"
];
# NOTE(review): other entries use a string mode ("existing", "existingFile", ...); confirm `true`
# is an accepted value for this option and which mode it maps to.
gimp.sandbox.autodetectCliPaths = true;
gimp.sandbox.extraPaths = [
"/tmp" # "Cannot open display:" if it can't mount /tmp 👀
];
"gnome.gnome-calculator".buildCost = 1;
"gnome.gnome-calculator".sandbox.method = "bwrap";
"gnome.gnome-calculator".sandbox.whitelistWayland = true;

"gnome.gnome-calendar".buildCost = 1;
# gnome-calendar surely has data to persist, but i use it strictly to do date math, not track events.
"gnome.gnome-calendar".sandbox.method = "bwrap";
"gnome.gnome-calendar".sandbox.whitelistWayland = true;

# gnome-disks
"gnome.gnome-disk-utility".buildCost = 1;
"gnome.gnome-disk-utility".sandbox.method = "bwrap";
# system bus: the disk operations themselves go through a system service, not direct /dev access.
"gnome.gnome-disk-utility".sandbox.whitelistDbus = [ "system" ];
"gnome.gnome-disk-utility".sandbox.whitelistWayland = true;
"gnome.gnome-disk-utility".sandbox.extraHomePaths = [
"tmp"
"use/iso"
# TODO: probably need /dev and such
];

# seahorse: dump gnome-keyring secrets.
"gnome.seahorse".buildCost = 1;
# N.B.: it can also manage ~/.ssh keys, but i explicitly don't add those to the sandbox for now.
# the user bus is what gives it the keyring (every secret in it), so it gets nothing else: no
# extra paths, and ~/.ssh stays out per the note above.
"gnome.seahorse".sandbox.method = "bwrap";
"gnome.seahorse".sandbox.whitelistDbus = [ "user" ];
"gnome.seahorse".sandbox.whitelistWayland = true;
gnome-2048.buildCost = 1;
gnome-2048.sandbox.method = "bwrap";
gnome-2048.sandbox.whitelistWayland = true;
# high scores only.
gnome-2048.persist.byStore.plaintext = [ ".local/share/gnome-2048/scores" ];

gnome-frog.buildCost = 1;
gnome-frog.sandbox.method = "bwrap";
gnome-frog.sandbox.whitelistWayland = true;
gnome-frog.sandbox.whitelistDbus = [ "user" ];
gnome-frog.sandbox.extraPaths = [
# needed when processing screenshots
"/tmp"
];
# only the image directories plus tmp; nothing else of ~.
gnome-frog.sandbox.extraHomePaths = [
# for OCR'ing photos from disk
"tmp"
"Pictures/albums"
"Pictures/cat"
"Pictures/from"
"Pictures/Photos"
"Pictures/Screenshots"
"Pictures/servo-macros"
];
gnome-frog.persist.byStore.cryptClearOnBoot = [
# presumably the OCR language models (gnome-frog is the OCR/QR decoder in guiBaseApps); a cache,
# so losing it on boot costs only a re-download.
".local/share/tessdata" # 15M; dunno what all it is.
];
# hitori rules:
# - click to shade a tile
# 1. no number may appear unshaded more than once in the same row/column
# 2. no two shaded tiles can be direct N/S/E/W neighbors
# - win once (1) and (2) are satisfied
"gnome.hitori".buildCost = 1;
"gnome.hitori".sandbox.method = "bwrap";
"gnome.hitori".sandbox.whitelistWayland = true;

gnugrep.sandbox.method = "bwrap";
gnugrep.sandbox.autodetectCliPaths = "existing";
gnugrep.sandbox.whitelistPwd = true;
# same exposure as eza/fd/findutils: the non-sensitive stores only.
gnugrep.sandbox.extraHomePaths = [
# let it follow symlinks to non-sensitive data
".persist/ephemeral"
".persist/plaintext"
];

gnused.sandbox.method = "bwrap";
gnused.sandbox.autodetectCliPaths = "existingFile";
gnused.sandbox.whitelistPwd = true; #< `-i` flag creates a temporary file in pwd (?) and then moves it.
gpsd = {};
|
|
|
|
|
2024-02-25 11:53:49 +00:00
|
|
|
gptfdisk.sandbox.method = "landlock";
|
|
|
|
gptfdisk.sandbox.extraPaths = [
|
|
|
|
"/dev"
|
|
|
|
];
|
|
|
|
gptfdisk.sandbox.autodetectCliPaths = "existing"; #< sometimes you'll use gdisk on a device file.
|
|
|
|
|
2024-03-02 06:22:28 +00:00
|
|
|
grim.sandbox.method = "bwrap";
|
|
|
|
grim.sandbox.autodetectCliPaths = "existingOrParent";
|
|
|
|
grim.sandbox.whitelistWayland = true;
|
2024-02-28 13:19:39 +00:00
|
|
|
|
2024-05-13 19:59:03 +00:00
|
|
|
hase.buildCost = 1;
|
2024-02-16 03:48:59 +00:00
|
|
|
hase.sandbox.method = "bwrap";
|
|
|
|
hase.sandbox.net = "clearnet";
|
|
|
|
hase.sandbox.whitelistAudio = true;
|
|
|
|
hase.sandbox.whitelistDri = true;
|
|
|
|
hase.sandbox.whitelistWayland = true;
|
|
|
|
|
2024-02-16 15:19:33 +00:00
|
|
|
# hdparm: has to be run as sudo. e.g. `sudo hdparm -i /dev/sda`
|
|
|
|
hdparm.sandbox.method = "bwrap";
|
2024-05-28 07:14:27 +00:00
|
|
|
hdparm.sandbox.autodetectCliPaths = "existingFile";
|
2024-02-16 15:19:33 +00:00
|
|
|
|
2024-02-17 03:05:58 +00:00
|
|
|
host.sandbox.method = "landlock";
|
|
|
|
host.sandbox.net = "all"; #< technically, only needs to contact localhost's DNS server
|
|
|
|
|
2024-02-16 04:51:18 +00:00
|
|
|
iftop.sandbox.method = "landlock";
|
|
|
|
iftop.sandbox.capabilities = [ "net_raw" ];
|
|
|
|
|
2024-02-16 15:29:25 +00:00
|
|
|
# inetutils: ping, ifconfig, hostname, traceroute, whois, ....
|
2024-02-17 02:32:57 +00:00
|
|
|
# N.B.: inetutils' `ping` is shadowed by iputils' ping (by nixos, intentionally).
|
|
|
|
inetutils.sandbox.method = "landlock"; # want to keep the same netns, at least.
|
2024-02-16 04:51:18 +00:00
|
|
|
|
2024-05-13 19:59:03 +00:00
|
|
|
inkscape.buildCost = 1;
|
2024-02-15 17:26:37 +00:00
|
|
|
inkscape.sandbox.method = "bwrap";
|
|
|
|
inkscape.sandbox.whitelistWayland = true;
|
|
|
|
inkscape.sandbox.extraHomePaths = [
|
2024-02-27 21:36:18 +00:00
|
|
|
"Pictures/albums"
|
|
|
|
"Pictures/cat"
|
|
|
|
"Pictures/from"
|
|
|
|
"Pictures/Photos"
|
|
|
|
"Pictures/Screenshots"
|
2024-02-15 17:26:37 +00:00
|
|
|
"Pictures/servo-macros"
|
|
|
|
"dev"
|
|
|
|
"ref"
|
|
|
|
"tmp"
|
|
|
|
];
|
|
|
|
inkscape.sandbox.autodetectCliPaths = true;
|
|
|
|
|
2024-02-17 02:32:57 +00:00
|
|
|
iotop.sandbox.method = "landlock";
|
|
|
|
iotop.sandbox.extraPaths = [
|
|
|
|
"/proc"
|
|
|
|
];
|
|
|
|
iotop.sandbox.capabilities = [ "net_admin" ];
|
|
|
|
|
2024-05-24 06:41:01 +00:00
|
|
|
# provides `ip`, `routel`, `bridge`, others.
|
2024-05-25 10:49:19 +00:00
|
|
|
# landlock works fine for most of these, but `ip netns exec` wants to attach to an existing namespace
|
|
|
|
# and that means we can't use ANY sandboxer for it.
|
|
|
|
iproute2.sandbox.enable = false;
|
|
|
|
# iproute2.sandbox.net = "all";
|
|
|
|
# iproute2.sandbox.capabilities = [ "net_admin" ];
|
|
|
|
# iproute2.sandbox.extraPaths = [
|
|
|
|
# "/run/netns" # for `ip netns ...` to work, but maybe not needed anymore?
|
|
|
|
# "/sys/class/net" # for `ip netns ...` to work
|
|
|
|
# "/var/run/netns"
|
|
|
|
# ];
|
2024-02-17 03:05:58 +00:00
|
|
|
|
2024-02-17 02:32:57 +00:00
|
|
|
iptables.sandbox.method = "landlock";
|
|
|
|
iptables.sandbox.net = "all";
|
|
|
|
iptables.sandbox.capabilities = [ "net_admin" ];
|
|
|
|
|
2024-02-17 03:05:58 +00:00
|
|
|
# iputils provides `ping` (and arping, clockdiff, tracepath)
|
2024-02-17 03:33:05 +00:00
|
|
|
iputils.sandbox.method = "landlock";
|
|
|
|
iputils.sandbox.net = "all";
|
|
|
|
iputils.sandbox.capabilities = [ "net_raw" ];
|
2024-02-17 03:05:58 +00:00
|
|
|
|
|
|
|
iw.sandbox.method = "landlock";
|
|
|
|
iw.sandbox.net = "all";
|
|
|
|
iw.sandbox.capabilities = [ "net_admin" ];
|
|
|
|
|
2024-02-25 01:56:30 +00:00
|
|
|
jq.sandbox.method = "bwrap";
|
|
|
|
jq.sandbox.autodetectCliPaths = "existingFile";
|
2024-01-28 11:43:05 +00:00
|
|
|
|
2024-02-16 06:57:32 +00:00
|
|
|
killall.sandbox.method = "landlock";
|
|
|
|
killall.sandbox.extraPaths = [
|
|
|
|
"/proc"
|
|
|
|
];
|
|
|
|
|
2024-05-13 19:59:03 +00:00
|
|
|
krita.buildCost = 1;
|
2024-02-13 10:32:02 +00:00
|
|
|
krita.sandbox.method = "bwrap";
|
2024-02-14 01:49:49 +00:00
|
|
|
krita.sandbox.whitelistWayland = true;
|
2024-02-13 10:32:02 +00:00
|
|
|
krita.sandbox.autodetectCliPaths = "existing";
|
|
|
|
krita.sandbox.extraHomePaths = [
|
|
|
|
"dev"
|
2024-02-27 21:36:18 +00:00
|
|
|
"Pictures/albums"
|
|
|
|
"Pictures/cat"
|
|
|
|
"Pictures/from"
|
|
|
|
"Pictures/Photos"
|
|
|
|
"Pictures/Screenshots"
|
2024-02-13 10:32:02 +00:00
|
|
|
"Pictures/servo-macros"
|
|
|
|
"ref"
|
|
|
|
"tmp"
|
|
|
|
];
|
|
|
|
|
2024-05-19 10:41:09 +00:00
|
|
|
libcamera = {};
|
|
|
|
|
2024-05-25 10:26:36 +00:00
|
|
|
libcap.sandbox.enable = false; #< for `capsh`, which i use as a sandboxer
|
2024-02-16 07:32:05 +00:00
|
|
|
libcap_ng.sandbox.enable = false; # there's something about /proc/$pid/fd which breaks `readlink`/stat with every sandbox technique (except capsh-only)
|
|
|
|
|
2024-02-14 13:49:48 +00:00
|
|
|
libnotify.sandbox.method = "bwrap";
|
|
|
|
libnotify.sandbox.whitelistDbus = [ "user" ]; # notify-send
|
|
|
|
|
2024-05-13 19:59:03 +00:00
|
|
|
losslesscut-bin.buildCost = 1;
|
2024-02-15 00:09:40 +00:00
|
|
|
losslesscut-bin.sandbox.method = "bwrap";
|
|
|
|
losslesscut-bin.sandbox.extraHomePaths = [
|
|
|
|
"Music"
|
2024-02-27 21:36:18 +00:00
|
|
|
"Pictures/from" # videos from e.g. mobile phone
|
2024-02-15 00:09:40 +00:00
|
|
|
"Pictures/servo-macros"
|
2024-02-27 21:36:18 +00:00
|
|
|
"Videos/local"
|
2024-02-15 00:09:40 +00:00
|
|
|
"Videos/servo"
|
|
|
|
"tmp"
|
|
|
|
];
|
|
|
|
losslesscut-bin.sandbox.whitelistAudio = true;
|
|
|
|
losslesscut-bin.sandbox.whitelistDri = true;
|
|
|
|
losslesscut-bin.sandbox.whitelistWayland = true;
|
|
|
|
losslesscut-bin.sandbox.whitelistX = true;
|
2024-02-14 14:26:13 +00:00
|
|
|
|
2024-02-16 04:53:18 +00:00
|
|
|
lsof.sandbox.method = "capshonly"; # lsof doesn't sandbox under bwrap or even landlock w/ full access to /
|
2024-04-17 23:29:59 +00:00
|
|
|
lsof.sandbox.capabilities = [ "dac_override" "sys_ptrace" ];
|
2024-02-16 04:53:18 +00:00
|
|
|
|
2024-02-28 13:19:39 +00:00
|
|
|
lua = {};
|
|
|
|
|
2024-05-24 06:57:20 +00:00
|
|
|
man-pages.sandbox.enable = false;
|
|
|
|
man-pages-posix.sandbox.enable = false;
|
|
|
|
|
2024-01-28 11:43:05 +00:00
|
|
|
mercurial.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
2024-02-08 21:51:32 +00:00
|
|
|
mercurial.sandbox.net = "clearnet";
|
2024-01-28 11:43:05 +00:00
|
|
|
mercurial.sandbox.whitelistPwd = true;
|
|
|
|
|
2023-07-03 07:49:44 +00:00
|
|
|
# actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
|
2024-05-13 19:59:03 +00:00
|
|
|
monero-gui.buildCost = 1;
|
2023-07-03 07:49:44 +00:00
|
|
|
# XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
|
2023-11-08 15:32:50 +00:00
|
|
|
monero-gui.persist.byStore.plaintext = [ ".bitmonero" ];
|
2024-02-17 16:06:58 +00:00
|
|
|
monero-gui.sandbox.method = "bwrap";
|
|
|
|
monero-gui.sandbox.net = "all";
|
|
|
|
monero-gui.sandbox.extraHomePaths = [
|
|
|
|
"records/finance/cryptocurrencies/monero"
|
|
|
|
];
|
2023-06-09 00:36:47 +00:00
|
|
|
|
2024-05-13 19:59:03 +00:00
|
|
|
mumble.buildCost = 1;
|
2023-11-08 15:32:50 +00:00
|
|
|
mumble.persist.byStore.private = [ ".local/share/Mumble" ];
|
2023-06-09 00:36:47 +00:00
|
|
|
|
2024-01-28 11:43:05 +00:00
|
|
|
nano.sandbox.method = "bwrap";
|
2024-02-03 00:17:54 +00:00
|
|
|
nano.sandbox.autodetectCliPaths = "existingFileOrParent";
|
2024-01-28 11:43:05 +00:00
|
|
|
|
2024-02-16 15:08:42 +00:00
|
|
|
netcat.sandbox.method = "landlock";
|
|
|
|
netcat.sandbox.net = "all";
|
|
|
|
|
2024-02-16 05:27:50 +00:00
|
|
|
nethogs.sandbox.method = "capshonly"; # *partially* works under landlock w/ full access to /
|
|
|
|
nethogs.sandbox.capabilities = [ "net_admin" "net_raw" ];
|
|
|
|
|
2024-02-17 03:05:58 +00:00
|
|
|
# provides `arp`, `hostname`, `route`, `ifconfig`
|
|
|
|
nettools.sandbox.method = "landlock";
|
|
|
|
nettools.sandbox.net = "all";
|
|
|
|
nettools.sandbox.capabilities = [ "net_admin" "net_raw" ];
|
|
|
|
nettools.sandbox.extraPaths = [
|
|
|
|
"/proc"
|
|
|
|
];
|
|
|
|
|
2024-02-16 11:07:24 +00:00
|
|
|
networkmanagerapplet.sandbox.method = "bwrap";
|
|
|
|
networkmanagerapplet.sandbox.whitelistWayland = true;
|
|
|
|
networkmanagerapplet.sandbox.whitelistDbus = [ "system" ];
|
|
|
|
|
2024-02-16 05:27:50 +00:00
|
|
|
nixpkgs-review.sandbox.method = "bwrap";
|
|
|
|
nixpkgs-review.sandbox.wrapperType = "inplace"; #< shell completions use full paths
|
|
|
|
nixpkgs-review.sandbox.net = "clearnet";
|
|
|
|
nixpkgs-review.sandbox.whitelistPwd = true;
|
|
|
|
nixpkgs-review.sandbox.extraPaths = [
|
|
|
|
"/nix"
|
|
|
|
];
|
|
|
|
|
2024-02-17 14:51:26 +00:00
|
|
|
nmap.sandbox.method = "bwrap";
|
|
|
|
nmap.sandbox.net = "all"; # clearnet and lan
|
|
|
|
|
2024-02-16 15:01:28 +00:00
|
|
|
nmon.sandbox.method = "landlock";
|
|
|
|
nmon.sandbox.extraPaths = [
|
|
|
|
"/proc"
|
|
|
|
];
|
|
|
|
|
2024-02-28 13:19:39 +00:00
|
|
|
nodejs = {};
|
|
|
|
|
2024-02-17 14:40:29 +00:00
|
|
|
# `nvme list` only shows results when run as root.
|
|
|
|
nvme-cli.sandbox.method = "landlock";
|
|
|
|
nvme-cli.sandbox.extraPaths = [
|
|
|
|
"/sys/devices"
|
|
|
|
"/sys/class/nvme"
|
|
|
|
"/sys/class/nvme-subsystem"
|
|
|
|
"/sys/class/nvme-generic"
|
|
|
|
"/dev"
|
|
|
|
];
|
|
|
|
nvme-cli.sandbox.capabilities = [ "sys_rawio" ];
|
|
|
|
|
2024-02-21 00:02:40 +00:00
|
|
|
# contains only `oathtool`, which i only use for evaluating TOTP codes from CLI/stdin
|
|
|
|
oath-toolkit.sandbox.method = "bwrap";
|
|
|
|
|
2023-07-03 07:49:44 +00:00
|
|
|
# settings (electron app)
|
2023-11-08 15:32:50 +00:00
|
|
|
obsidian.persist.byStore.plaintext = [ ".config/obsidian" ];
|
2023-06-09 00:36:47 +00:00
|
|
|
|
2024-05-25 09:39:18 +00:00
|
|
|
passt.sandbox.enable = false; #< sandbox helper (netns specifically)
|
|
|
|
|
2024-02-16 05:28:07 +00:00
|
|
|
parted.sandbox.method = "landlock";
|
|
|
|
parted.sandbox.extraPaths = [
|
|
|
|
"/dev"
|
|
|
|
];
|
|
|
|
parted.sandbox.autodetectCliPaths = "existing"; #< sometimes you'll use parted on a device file.
|
|
|
|
|
2024-02-28 13:19:39 +00:00
|
|
|
patchelf = {};
|
|
|
|
|
2024-02-05 22:15:48 +00:00
|
|
|
pavucontrol.sandbox.method = "bwrap";
|
2024-02-14 14:21:03 +00:00
|
|
|
pavucontrol.sandbox.whitelistAudio = true;
|
2024-02-14 01:49:49 +00:00
|
|
|
pavucontrol.sandbox.whitelistWayland = true;
|
2024-02-05 22:15:48 +00:00
|
|
|
|
2024-02-16 11:07:38 +00:00
|
|
|
pciutils.sandbox.method = "landlock";
|
|
|
|
pciutils.sandbox.extraPaths = [
|
|
|
|
"/sys/bus/pci"
|
|
|
|
"/sys/devices"
|
|
|
|
];
|
|
|
|
|
2024-02-14 13:54:21 +00:00
|
|
|
"perlPackages.FileMimeInfo".sandbox.enable = false; #< TODO: sandbox `mimetype` but not `mimeopen`.
|
|
|
|
|
2024-02-16 05:28:17 +00:00
|
|
|
powertop.sandbox.method = "landlock";
|
2024-02-16 05:49:13 +00:00
|
|
|
powertop.sandbox.capabilities = [ "ipc_lock" "sys_admin" ];
|
2024-02-16 05:28:17 +00:00
|
|
|
powertop.sandbox.extraPaths = [
|
|
|
|
"/proc"
|
|
|
|
"/sys/class"
|
|
|
|
"/sys/devices"
|
|
|
|
"/sys/kernel"
|
|
|
|
];
|
|
|
|
|
2024-03-03 06:55:17 +00:00
|
|
|
# procps: free, pgrep, pidof, pkill, ps, pwait, top, uptime, couple others
|
|
|
|
procps.sandbox.method = "bwrap";
|
2024-05-29 12:33:18 +00:00
|
|
|
procps.sandbox.isolatePids = false;
|
2024-02-29 01:26:38 +00:00
|
|
|
|
2024-02-16 06:57:45 +00:00
|
|
|
pstree.sandbox.method = "landlock";
|
|
|
|
pstree.sandbox.extraPaths = [
|
|
|
|
"/proc"
|
|
|
|
];
|
|
|
|
|
2024-02-29 01:26:38 +00:00
|
|
|
pulseaudio = {};
|
|
|
|
|
2024-02-16 15:01:42 +00:00
|
|
|
pulsemixer.sandbox.method = "landlock";
|
|
|
|
pulsemixer.sandbox.whitelistAudio = true;
|
|
|
|
|
2024-05-13 19:59:03 +00:00
|
|
|
pwvucontrol.buildCost = 1;
|
2024-02-05 22:15:48 +00:00
|
|
|
pwvucontrol.sandbox.method = "bwrap";
|
2024-02-14 14:21:03 +00:00
|
|
|
pwvucontrol.sandbox.whitelistAudio = true;
|
2024-04-16 20:49:33 +00:00
|
|
|
pwvucontrol.sandbox.whitelistDri = true; # else perf on moby is unusable
|
2024-02-14 01:49:49 +00:00
|
|
|
pwvucontrol.sandbox.whitelistWayland = true;
|
2024-02-05 22:15:48 +00:00
|
|
|
|
2024-01-20 11:11:12 +00:00
|
|
|
python3-repl.packageUnwrapped = pkgs.python3.withPackages (ps: with ps; [
|
2024-04-21 10:08:46 +00:00
|
|
|
psutil
|
2023-11-05 20:02:40 +00:00
|
|
|
requests
|
|
|
|
]);
|
2024-02-25 18:43:52 +00:00
|
|
|
python3-repl.sandbox.method = "bwrap";
|
|
|
|
python3-repl.sandbox.net = "clearnet";
|
|
|
|
python3-repl.sandbox.extraHomePaths = [
|
|
|
|
"/"
|
|
|
|
".persist/plaintext"
|
|
|
|
];
|
2023-11-05 20:02:40 +00:00
|
|
|
|
2024-02-17 01:43:58 +00:00
|
|
|
qemu.sandbox.enable = false; #< it's a launcher
|
2024-05-13 19:45:34 +00:00
|
|
|
qemu.buildCost = 2;
|
2024-02-17 01:43:58 +00:00
|
|
|
|
2024-02-23 06:43:27 +00:00
|
|
|
rsync.sandbox.method = "bwrap";
|
2024-02-08 21:51:32 +00:00
|
|
|
rsync.sandbox.net = "clearnet";
|
2024-02-25 01:55:46 +00:00
|
|
|
rsync.sandbox.autodetectCliPaths = "existingOrParent";
|
2024-01-28 11:43:05 +00:00
|
|
|
|
2024-02-28 13:19:39 +00:00
|
|
|
rustc = {};
|
|
|
|
|
2024-05-28 07:07:11 +00:00
|
|
|
sane-cast.sandbox.method = "bwrap";
|
|
|
|
sane-cast.sandbox.net = "clearnet";
|
|
|
|
sane-cast.sandbox.autodetectCliPaths = "existingFile";
|
|
|
|
sane-cast.suggestedPrograms = [ "go2tv" ];
|
2024-04-23 07:49:05 +00:00
|
|
|
|
2024-04-21 10:08:46 +00:00
|
|
|
sane-die-with-parent.sandbox.enable = false; #< it's a launcher; can't sandbox
|
|
|
|
|
2024-05-28 09:38:04 +00:00
|
|
|
sane-weather.sandbox.method = "bwrap";
|
|
|
|
sane-weather.sandbox.net = "clearnet";
|
2024-05-27 11:33:40 +00:00
|
|
|
|
2024-02-16 04:51:52 +00:00
|
|
|
screen.sandbox.enable = false; #< tty; needs to run anything
|
|
|
|
|
2024-01-28 11:43:05 +00:00
|
|
|
sequoia.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
|
|
|
sequoia.sandbox.whitelistPwd = true;
|
2024-05-28 07:14:27 +00:00
|
|
|
sequoia.sandbox.autodetectCliPaths = "existingFileOrParent"; # supports `-o <file-to-create>`
|
2024-01-28 11:43:05 +00:00
|
|
|
|
2024-05-13 19:59:03 +00:00
|
|
|
shattered-pixel-dungeon.buildCost = 1;
|
2023-11-15 05:53:14 +00:00
|
|
|
shattered-pixel-dungeon.persist.byStore.plaintext = [ ".local/share/.shatteredpixel/shattered-pixel-dungeon" ];
|
2024-02-16 06:57:03 +00:00
|
|
|
shattered-pixel-dungeon.sandbox.method = "bwrap";
|
|
|
|
shattered-pixel-dungeon.sandbox.whitelistAudio = true;
|
|
|
|
shattered-pixel-dungeon.sandbox.whitelistDri = true;
|
|
|
|
shattered-pixel-dungeon.sandbox.whitelistWayland = true;
|
2023-11-15 05:53:14 +00:00
|
|
|
|
2023-07-03 07:49:44 +00:00
|
|
|
# printer/filament settings
|
2024-05-13 19:59:03 +00:00
|
|
|
slic3r.buildCost = 1;
|
2023-11-08 15:32:50 +00:00
|
|
|
slic3r.persist.byStore.plaintext = [ ".Slic3r" ];
|
2023-06-09 00:36:47 +00:00
|
|
|
|
2024-03-02 06:19:25 +00:00
|
|
|
slurp.sandbox.method = "bwrap";
|
|
|
|
slurp.sandbox.whitelistWayland = true;
|
2024-02-28 13:19:39 +00:00
|
|
|
|
2024-02-17 15:36:13 +00:00
|
|
|
# use like `sudo smartctl /dev/sda -a`
|
|
|
|
smartmontools.sandbox.method = "landlock";
|
2024-02-27 22:25:17 +00:00
|
|
|
smartmontools.sandbox.wrapperType = "inplace"; # ships a script in /etc that calls into its bin
|
2024-02-17 15:36:13 +00:00
|
|
|
smartmontools.sandbox.autodetectCliPaths = "existing";
|
|
|
|
smartmontools.sandbox.capabilities = [ "sys_rawio" ];
|
|
|
|
|
2024-05-27 12:53:06 +00:00
|
|
|
# snapshot camera, based on libcamera
|
|
|
|
# TODO: enable dma heaps for more efficient buffer sharing: <https://gitlab.com/postmarketOS/pmaports/-/issues/2789>
|
2024-05-19 10:41:09 +00:00
|
|
|
snapshot = {};
|
|
|
|
|
2024-01-31 15:30:15 +00:00
|
|
|
sops.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
|
|
|
sops.sandbox.extraHomePaths = [
|
|
|
|
".config/sops"
|
2024-04-20 21:43:13 +00:00
|
|
|
"nixos"
|
2024-01-31 15:30:15 +00:00
|
|
|
# TODO: sops should only need access to knowledge/secrets,
|
|
|
|
# except that i currently put its .sops.yaml config in the root of ~/knowledge
|
|
|
|
"knowledge"
|
|
|
|
];
|
|
|
|
|
2024-05-13 19:59:03 +00:00
|
|
|
soundconverter.buildCost = 1;
|
2024-02-16 03:51:23 +00:00
|
|
|
soundconverter.sandbox.method = "bwrap";
|
|
|
|
soundconverter.sandbox.whitelistWayland = true;
|
|
|
|
soundconverter.sandbox.extraHomePaths = [
|
|
|
|
"Music"
|
|
|
|
"tmp"
|
|
|
|
"use"
|
|
|
|
];
|
|
|
|
soundconverter.sandbox.extraPaths = [
|
|
|
|
"/mnt/servo/media/Music"
|
|
|
|
"/mnt/servo/media/games"
|
|
|
|
];
|
2024-02-25 01:55:46 +00:00
|
|
|
soundconverter.sandbox.autodetectCliPaths = "existingOrParent";
|
2024-02-16 03:51:23 +00:00
|
|
|
|
2024-02-17 15:27:22 +00:00
|
|
|
sox.sandbox.method = "bwrap";
|
|
|
|
sox.sandbox.autodetectCliPaths = "existingFileOrParent";
|
|
|
|
sox.sandbox.whitelistAudio = true;
|
|
|
|
|
2024-05-13 19:59:03 +00:00
|
|
|
space-cadet-pinball.buildCost = 1;
|
2023-11-17 00:13:34 +00:00
|
|
|
space-cadet-pinball.persist.byStore.plaintext = [ ".local/share/SpaceCadetPinball" ];
|
2024-02-16 03:58:09 +00:00
|
|
|
space-cadet-pinball.sandbox.method = "bwrap";
|
|
|
|
space-cadet-pinball.sandbox.whitelistAudio = true;
|
|
|
|
space-cadet-pinball.sandbox.whitelistDri = true;
|
|
|
|
space-cadet-pinball.sandbox.whitelistWayland = true;
|
2023-11-17 00:13:34 +00:00
|
|
|
|
2024-02-14 14:16:59 +00:00
|
|
|
speedtest-cli.sandbox.method = "bwrap";
|
|
|
|
speedtest-cli.sandbox.net = "all";
|
|
|
|
|
2024-02-28 13:19:39 +00:00
|
|
|
sqlite = {};
|
|
|
|
|
2024-04-01 00:50:14 +00:00
|
|
|
sshfs-fuse = {}; # used by fs.nix
|
|
|
|
|
2024-02-16 04:51:52 +00:00
|
|
|
strace.sandbox.enable = false; #< needs to `exec` its args, and therefore support *anything*
|
|
|
|
|
2024-01-28 11:43:05 +00:00
|
|
|
subversion.sandbox.method = "bwrap";
|
2024-02-08 21:51:32 +00:00
|
|
|
subversion.sandbox.net = "clearnet";
|
2024-01-28 11:43:05 +00:00
|
|
|
subversion.sandbox.whitelistPwd = true;
|
|
|
|
sudo.sandbox.enable = false;
|
|
|
|
|
2024-05-13 19:59:03 +00:00
|
|
|
superTux.buildCost = 1;
|
2024-02-06 01:16:36 +00:00
|
|
|
superTux.sandbox.method = "bwrap";
|
2024-02-16 03:16:28 +00:00
|
|
|
superTux.sandbox.wrapperType = "inplace"; # package Makefile incorrectly installs to $out/games/superTux instead of $out/share/games
|
2024-02-13 11:14:38 +00:00
|
|
|
superTux.sandbox.whitelistAudio = true;
|
2024-02-06 01:16:36 +00:00
|
|
|
superTux.sandbox.whitelistDri = true;
|
2024-02-14 01:49:49 +00:00
|
|
|
superTux.sandbox.whitelistWayland = true;
|
2023-11-13 22:16:56 +00:00
|
|
|
superTux.persist.byStore.plaintext = [ ".local/share/supertux2" ];
|
|
|
|
|
2024-03-02 06:17:56 +00:00
|
|
|
swappy.sandbox.method = "bwrap";
|
|
|
|
swappy.sandbox.autodetectCliPaths = "existingFileOrParent";
|
|
|
|
swappy.sandbox.whitelistWayland = true;
|
2024-03-02 05:53:05 +00:00
|
|
|
|
2024-01-28 11:43:05 +00:00
|
|
|
tcpdump.sandbox.method = "landlock";
|
2024-02-08 21:51:32 +00:00
|
|
|
tcpdump.sandbox.net = "all";
|
2024-02-03 00:17:54 +00:00
|
|
|
tcpdump.sandbox.autodetectCliPaths = "existingFileOrParent";
|
2024-01-28 11:43:05 +00:00
|
|
|
tcpdump.sandbox.capabilities = [ "net_admin" "net_raw" ];
|
2024-02-14 14:28:22 +00:00
|
|
|
|
|
|
|
tdesktop.persist.byStore.private = [ ".local/share/TelegramDesktop" ];
|
|
|
|
|
2024-05-13 19:59:03 +00:00
|
|
|
tokodon.buildCost = 1;
|
2024-02-14 14:28:22 +00:00
|
|
|
tokodon.persist.byStore.private = [ ".cache/KDE/tokodon" ];
|
|
|
|
|
2024-01-28 11:43:05 +00:00
|
|
|
tree.sandbox.method = "landlock";
|
2024-05-28 07:14:27 +00:00
|
|
|
tree.sandbox.autodetectCliPaths = "existing";
|
2024-01-28 11:43:05 +00:00
|
|
|
tree.sandbox.whitelistPwd = true;
|
|
|
|
|
2024-05-13 19:59:03 +00:00
|
|
|
tumiki-fighters.buildCost = 1;
|
2024-02-15 00:09:40 +00:00
|
|
|
tumiki-fighters.sandbox.method = "bwrap";
|
|
|
|
tumiki-fighters.sandbox.whitelistAudio = true;
|
|
|
|
tumiki-fighters.sandbox.whitelistDri = true; #< not strictly necessary, but triples CPU perf
|
|
|
|
tumiki-fighters.sandbox.whitelistWayland = true;
|
|
|
|
tumiki-fighters.sandbox.whitelistX = true;
|
2024-02-14 14:37:59 +00:00
|
|
|
|
2024-02-16 07:37:59 +00:00
|
|
|
util-linux.sandbox.enable = false; #< TODO: possible to sandbox if i specific a different profile for each of its ~50 binaries
|
|
|
|
|
2024-01-28 11:43:05 +00:00
|
|
|
unzip.sandbox.method = "bwrap";
|
2024-02-25 01:55:46 +00:00
|
|
|
unzip.sandbox.autodetectCliPaths = "existingOrParent";
|
2024-01-28 11:43:05 +00:00
|
|
|
unzip.sandbox.whitelistPwd = true;
|
|
|
|
|
2024-02-16 04:03:47 +00:00
|
|
|
usbutils.sandbox.method = "bwrap"; # breaks `usbhid-dump`, but `lsusb`, `usb-devices` work
|
|
|
|
usbutils.sandbox.extraPaths = [
|
|
|
|
"/sys/devices"
|
|
|
|
"/sys/bus/usb"
|
|
|
|
];
|
|
|
|
|
2024-05-13 19:59:03 +00:00
|
|
|
valgrind.buildCost = 1;
|
2024-04-23 04:17:02 +00:00
|
|
|
valgrind.sandbox.enable = false; #< it's a launcher: can't sandbox
|
2024-04-12 23:49:20 +00:00
|
|
|
|
2024-01-28 11:43:05 +00:00
|
|
|
visidata.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
|
|
|
visidata.sandbox.autodetectCliPaths = true;
|
|
|
|
|
2024-02-17 14:53:22 +00:00
|
|
|
# `vulkaninfo`, `vkcube`
|
|
|
|
vulkan-tools.sandbox.method = "landlock";
|
|
|
|
|
2024-05-13 19:59:03 +00:00
|
|
|
vvvvvv.buildCost = 1;
|
2024-02-06 01:34:04 +00:00
|
|
|
vvvvvv.sandbox.method = "bwrap";
|
2024-02-13 11:14:38 +00:00
|
|
|
vvvvvv.sandbox.whitelistAudio = true;
|
2024-02-06 01:34:04 +00:00
|
|
|
vvvvvv.sandbox.whitelistDri = true; #< playable without, but burns noticably more CPU
|
2024-02-14 01:49:49 +00:00
|
|
|
vvvvvv.sandbox.whitelistWayland = true;
|
2023-11-16 20:50:40 +00:00
|
|
|
vvvvvv.persist.byStore.plaintext = [ ".local/share/VVVVVV" ];
|
|
|
|
|
2024-02-15 18:24:37 +00:00
|
|
|
w3m.sandbox.method = "bwrap";
|
|
|
|
w3m.sandbox.net = "all";
|
|
|
|
w3m.sandbox.extraHomePaths = [
|
|
|
|
# little-used feature, but you can save web pages :)
|
|
|
|
"tmp"
|
|
|
|
];
|
|
|
|
|
2024-02-16 03:53:27 +00:00
|
|
|
wdisplays.sandbox.method = "bwrap";
|
|
|
|
wdisplays.sandbox.whitelistWayland = true;
|
|
|
|
|
2024-02-16 03:53:53 +00:00
|
|
|
wget.sandbox.method = "bwrap";
|
|
|
|
wget.sandbox.net = "all";
|
|
|
|
wget.sandbox.whitelistPwd = true; # saves to pwd by default
|
|
|
|
|
2024-05-13 19:59:03 +00:00
|
|
|
whalebird.buildCost = 1;
|
2023-11-08 15:32:50 +00:00
|
|
|
whalebird.persist.byStore.private = [ ".config/Whalebird" ];
|
2023-06-09 00:36:47 +00:00
|
|
|
|
2024-02-17 15:54:16 +00:00
|
|
|
# `wg`, `wg-quick`
|
|
|
|
wireguard-tools.sandbox.method = "landlock";
|
|
|
|
wireguard-tools.sandbox.capabilities = [ "net_admin" ];
|
|
|
|
|
2024-02-17 03:05:58 +00:00
|
|
|
# provides `iwconfig`, `iwlist`, `iwpriv`, ...
|
|
|
|
wirelesstools.sandbox.method = "landlock";
|
|
|
|
wirelesstools.sandbox.capabilities = [ "net_admin" ];
|
|
|
|
|
2024-02-16 03:53:27 +00:00
|
|
|
wl-clipboard.sandbox.method = "bwrap";
|
|
|
|
wl-clipboard.sandbox.whitelistWayland = true;
|
|
|
|
|
2024-02-28 13:19:39 +00:00
|
|
|
wtype = {};
|
2024-05-28 03:04:26 +00:00
|
|
|
wtype.sandbox.method = "bwrap";
|
|
|
|
wtype.sandbox.whitelistWayland = true;
|
2024-02-28 13:19:39 +00:00
|
|
|
|
2024-02-22 22:11:24 +00:00
|
|
|
xwayland.sandbox.method = "bwrap";
|
2024-02-23 01:05:24 +00:00
|
|
|
xwayland.sandbox.wrapperType = "inplace"; #< consumers use it as a library (e.g. wlroots)
|
2024-02-22 22:11:24 +00:00
|
|
|
xwayland.sandbox.whitelistWayland = true; #< just assuming this is needed
|
2024-03-23 15:33:23 +00:00
|
|
|
xwayland.sandbox.whitelistX = true;
|
2024-02-22 22:11:24 +00:00
|
|
|
xwayland.sandbox.whitelistDri = true; #< would assume this gives better gfx perf
|
|
|
|
|
2024-02-15 17:26:55 +00:00
|
|
|
xterm.sandbox.enable = false; # need to be able to do everything
|
2024-02-14 14:11:35 +00:00
|
|
|
|
2023-11-08 15:32:50 +00:00
|
|
|
yarn.persist.byStore.plaintext = [ ".cache/yarn" ];
|
2024-01-28 11:43:05 +00:00
|
|
|
|
|
|
|
yt-dlp.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
2024-02-08 21:51:32 +00:00
|
|
|
yt-dlp.sandbox.net = "all";
|
2024-01-28 11:43:05 +00:00
|
|
|
yt-dlp.sandbox.whitelistPwd = true; # saves to pwd by default
|
2024-02-28 13:19:39 +00:00
|
|
|
|
|
|
|
zfs = {};
|
2023-07-03 07:49:44 +00:00
|
|
|
};
# System-level state persisted (plaintext store) only when the guiApps set is enabled.
sane.persist.sys.byStore.plaintext = lib.mkIf config.sane.programs.guiApps.enabled [
  # "/var/lib/alsa" # preserve output levels, default devices
  { path = "/var/lib/systemd/backlight"; method = "bind"; } # backlight brightness; bind because systemd T_T
];

# Order the per-device backlight restore after the unit that prepares /var/lib/systemd/backlight
# (the bind-persisted path above). `ensure-var-lib-systemd-backlight.service` is not defined in this file.
systemd.services."systemd-backlight@" = lib.mkIf config.sane.programs.guiApps.enabled {
  after = [
    "ensure-var-lib-systemd-backlight.service"
  ];
  wants = [
    "ensure-var-lib-systemd-backlight.service"
  ];
};

# GPU support is only pulled in when the guiApps set is enabled; both flags are mkDefault so a host can override them.
hardware.opengl = lib.mkIf config.sane.programs.guiApps.enabled ({
  enable = true;
  driSupport = lib.mkDefault true;
} // (lib.optionalAttrs pkgs.stdenv.isx86_64 {
  # for 32 bit applications
  # upstream nixpkgs forbids setting driSupport32Bit unless specifically x86_64 (so aarch64 isn't allowed)
  driSupport32Bit = lib.mkDefault true;
}));

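# Post-activation desktop notification: for every user that guiApps is enabled for,
# switch to that user with `sudo -u` and, if their session bus socket exists, send
# "nixos activated <version>" via notify-send. Users without a running session
# (no $XDG_RUNTIME_DIR/bus) are silently skipped by the `[ -e ... ]` test.
system.activationScripts.notifyActive = lib.mkIf config.sane.programs.guiApps.enabled {
  text = lib.concatStringsSep "\n" ([
    ''
      tryNotifyUser() {
        local user="$1"
        # sudo and notify-send are resolved from explicit store paths so the script
        # does not depend on whatever PATH the activation environment happens to have.
        local new_path="$PATH:${pkgs.sudo}/bin:${pkgs.libnotify}/bin"
        # $systemConfig is supplied by the NixOS activation environment; quoted so the
        # argument cannot be word-split or glob-expanded.
        local version="$(cat "$systemConfig/nixos-version")"
        PATH="$new_path" sudo -u "$user" \
          env PATH="$new_path" NIXOS_VERSION="$version" /bin/sh -c \
          '. $HOME/.profile; dbus_file="$XDG_RUNTIME_DIR/bus"; if [ -e "$dbus_file" ]; then DBUS_SESSION_BUS_ADDRESS="unix:path=$dbus_file" notify-send "nixos activated" "version: $NIXOS_VERSION" ; fi'
      }
    ''
  ] ++ lib.mapAttrsToList
    # each username is shell-quoted before being spliced into the generated script,
    # so an unusual username cannot change the command line
    (user: en: lib.optionalString en "tryNotifyUser ${lib.escapeShellArg user}")
    config.sane.programs.guiApps.enableFor.user
  );
};
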
}