colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

programs: fix most service invokers (sway, nwg-panel, etc) to use systemd

Browse Source
This commit is contained in:
Colin
2024-10-03 03:20:05 +00:00
parent 9991518a64
commit 0744237c13
10 changed files with 35 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
hosts/common/programs/assorted.nix
View File

@@ -1071,6 +1071,9 @@ in
swappy.sandbox.autodetectCliPaths = "existingFileOrParent"; swappy.sandbox.autodetectCliPaths = "existingFileOrParent";
swappy.sandbox.whitelistWayland = true; swappy.sandbox.whitelistWayland = true;
systemctl.packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.systemdMinimal "systemctl";
systemctl.sandbox.whitelistSystemctl = true;
tcpdump.sandbox.net = "all"; tcpdump.sandbox.net = "all";
tcpdump.sandbox.autodetectCliPaths = "existingFileOrParent"; tcpdump.sandbox.autodetectCliPaths = "existingFileOrParent";
tcpdump.sandbox.capabilities = [ "net_admin" "net_raw" ]; tcpdump.sandbox.capabilities = [ "net_admin" "net_raw" ];

2
hosts/common/programs/nwg-panel/config.nix
View File

@@ -93,7 +93,7 @@
menu.items = [ menu.items = [
{ {
name = "Lock"; name = "Lock";
cmd = "s6-rc start ${locker}"; cmd = "systemctl start ${locker}";
} }
# { # {
# name = "Logout"; # name = "Logout";

6
hosts/common/programs/nwg-panel/default.nix
View File

@@ -69,7 +69,7 @@ in
type = types.str; type = types.str;
default = config.sane.programs.swayidle.config.actions.lock.service; default = config.sane.programs.swayidle.config.actions.lock.service;
description = '' description = ''
s6 service to start which can lock the screen service to start which can lock the screen
''; '';
}; };
torch = mkOption { torch = mkOption {
@@ -197,14 +197,12 @@ in
sandbox.whitelistAudio = true; sandbox.whitelistAudio = true;
sandbox.whitelistDri = true; sandbox.whitelistDri = true;
sandbox.whitelistS6 = true; sandbox.whitelistSystemctl = true;
sandbox.whitelistWayland = true; sandbox.whitelistWayland = true;
sandbox.whitelistDbus = [ sandbox.whitelistDbus = [
"user" # playerctl, swaync, ... "user" # playerctl, swaync, ...
"system" # for "shutdown" option to speak to systemd
]; ];
sandbox.extraPaths = [ sandbox.extraPaths = [
"/run/systemd" #< for "shutdown" option
"/sys/class/backlight" "/sys/class/backlight"
"/sys/class/leds" #< for torch/flashlight on moby "/sys/class/leds" #< for torch/flashlight on moby
"/sys/class/power_supply" #< for the battery indicator "/sys/class/power_supply" #< for the battery indicator

27
hosts/common/programs/sane-scripts.nix
View File

@@ -138,12 +138,7 @@ in
"sane-scripts.reboot".sandbox = { "sane-scripts.reboot".sandbox = {
method = "bunpen"; method = "bunpen";
whitelistDbus = [ whitelistSystemctl = true;
"system"
];
extraPaths = [
"/run/systemd"
];
}; };
"sane-scripts.reclaim-disk-space".sandbox = { "sane-scripts.reclaim-disk-space".sandbox = {
@@ -172,22 +167,12 @@ in
"sane-scripts.shutdown".sandbox = { "sane-scripts.shutdown".sandbox = {
method = "bunpen"; method = "bunpen";
whitelistDbus = [ whitelistSystemctl = true;
"system"
];
extraPaths = [
"/run/systemd"
];
}; };
"sane-scripts.stop-all-servo".sandbox = { "sane-scripts.stop-all-servo".sandbox = {
method = "bwrap"; method = "bwrap";
whitelistDbus = [ whitelistSystemctl = true;
"system"
];
extraPaths = [
"/run/systemd"
];
}; };
# if `tee` isn't trustworthy we have bigger problems # if `tee` isn't trustworthy we have bigger problems
@@ -244,8 +229,10 @@ in
"sane-scripts.wipe".sandbox = { "sane-scripts.wipe".sandbox = {
method = "bunpen"; method = "bunpen";
whitelistDbus = [ "user" ]; #< for `secret-tool` whitelistDbus = [
whitelistS6 = true; #< for stopping services before wiping "user" #< for `secret-tool`
];
whitelistSystemctl = true;
extraHomePaths = [ extraHomePaths = [
# could be more specific, but at a maintenance cost. # could be more specific, but at a maintenance cost.
# TODO: needs updating, now that persisted data lives behind symlinks! # TODO: needs updating, now that persisted data lives behind symlinks!

2
hosts/common/programs/sway/config
View File

@@ -81,7 +81,7 @@ bindsym --locked XF86MonBrightnessDown exec brightnessctl set 5%-
bindsym Print exec sane-open --application sane-screenshot.desktop bindsym Print exec sane-open --application sane-screenshot.desktop
bindsym $mod+Print exec sane-open --application sane-screenshot.desktop bindsym $mod+Print exec sane-open --application sane-screenshot.desktop
bindsym $mod+p exec sane-open --application sane-screenshot.desktop bindsym $mod+p exec sane-open --application sane-screenshot.desktop
bindsym $mod+l exec s6-rc -b start $locker bindsym $mod+l exec systemctl start $locker
bindsym $mod+s exec sane-open --application rofi-snippets.desktop bindsym $mod+s exec sane-open --application rofi-snippets.desktop
# bindsym $mod+slash exec sane-open splatmoji.desktop # bindsym $mod+slash exec sane-open splatmoji.desktop
bindsym $mod+d exec sane-open --application rofi.desktop bindsym $mod+d exec sane-open --application rofi.desktop

4
hosts/common/programs/sway/default.nix
View File

@@ -158,7 +158,6 @@ in
"playerctl" # for waybar & particularly to have playerctld running "playerctl" # for waybar & particularly to have playerctld running
"rofi" # menu/launcher "rofi" # menu/launcher
"rofi-snippets" "rofi-snippets"
"s6-rc" # used by sway config
"sane-screenshot" "sane-screenshot"
"sane-open" "sane-open"
"sane-theme" "sane-theme"
@@ -169,6 +168,7 @@ in
"swaynotificationcenter" # notification daemon "swaynotificationcenter" # notification daemon
"switchboard" # network/bluetooth/sound control panel "switchboard" # network/bluetooth/sound control panel
"syshud" # volume notifier "syshud" # volume notifier
"systemctl" # used by sway config
"unl0kr" # greeter "unl0kr" # greeter
# "waybar" # "waybar"
"wdisplays" # like xrandr "wdisplays" # like xrandr
@@ -202,7 +202,7 @@ in
sandbox.whitelistAudio = true; # it runs playerctl directly sandbox.whitelistAudio = true; # it runs playerctl directly
sandbox.whitelistDbus = [ "system" "user" ]; # to e.g. launch apps sandbox.whitelistDbus = [ "system" "user" ]; # to e.g. launch apps
sandbox.whitelistDri = true; sandbox.whitelistDri = true;
sandbox.whitelistS6 = true; #< for Super+L to start the screen locker service sandbox.whitelistSystemctl = true; #< for Super+L to start the screen locker service
sandbox.whitelistX = true; # sway invokes xwayland itself sandbox.whitelistX = true; # sway invokes xwayland itself
sandbox.whitelistWayland = true; sandbox.whitelistWayland = true;
sandbox.extraRuntimePaths = [ sandbox.extraRuntimePaths = [

8
hosts/common/programs/swayidle.nix
View File

@@ -38,7 +38,7 @@ let
lib.escapeShellArgs [ "sane-open" "--application" "${config.desktop}" ]) lib.escapeShellArgs [ "sane-open" "--application" "${config.desktop}" ])
) )
(lib.mkIf (config.service != null) ( (lib.mkIf (config.service != null) (
lib.escapeShellArgs [ "s6-rc" "start" "${config.service}" ]) lib.escapeShellArgs [ "systemctl" "start" "${config.service}" ])
) )
]; ];
}); });
@@ -85,8 +85,10 @@ in
# "sway" #< required, but circular dep # "sway" #< required, but circular dep
]; ];
sandbox.whitelistDbus = [ "user" ]; #< might need system too, for inhibitors sandbox.whitelistDbus = [
sandbox.whitelistS6 = true; "user" #< ??
];
sandbox.whitelistSystemctl = true;
sandbox.whitelistWayland = true; sandbox.whitelistWayland = true;
sandbox.extraRuntimePaths = [ "sway" ]; sandbox.extraRuntimePaths = [ "sway" ];

11
modules/programs/default.nix
View File

@@ -434,6 +434,13 @@ let
allow the program to start/stop s6 services. allow the program to start/stop s6 services.
''; '';
}; };
sandbox.whitelistSystemctl = mkOption {
type = types.bool;
default = false;
description = ''
allow the program to start/stop systemd system services.
'';
};
sandbox.whitelistWayland = mkOption { sandbox.whitelistWayland = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
@@ -530,6 +537,8 @@ let
sandbox.keepPids = lib.mkIf config.sandbox.keepPidsAndProc true; sandbox.keepPids = lib.mkIf config.sandbox.keepPidsAndProc true;
sandbox.whitelistDbus = lib.mkIf config.sandbox.whitelistSystemctl [ "system" ];
sandbox.extraPaths = sandbox.extraPaths =
lib.optionals config.sandbox.whitelistDri [ lib.optionals config.sandbox.whitelistDri [
# /dev/dri/renderD128: requested by wayland-egl (e.g. KOreader, animatch, geary) # /dev/dri/renderD128: requested by wayland-egl (e.g. KOreader, animatch, geary)
@@ -563,6 +572,8 @@ let
"/sys/devices" "/sys/devices"
"/sys/firmware" #< for moby camera, to parse its devicetree "/sys/firmware" #< for moby camera, to parse its devicetree
# "/dev" # "/dev"
] ++ lib.optionals config.sandbox.whitelistSystemctl [
"/run/systemd/system"
] ]
; ;
sandbox.extraRuntimePaths = sandbox.extraRuntimePaths =

2
pkgs/additional/sane-scripts/default.nix
View File

@@ -216,7 +216,7 @@ let
wipe = static-nix-shell.mkBash { wipe = static-nix-shell.mkBash {
pname = "sane-wipe"; pname = "sane-wipe";
srcRoot = ./src; srcRoot = ./src;
pkgs = [ "dconf" "libsecret" "procps" "s6-rc" ]; pkgs = [ "dconf" "libsecret" "procps" "systemdMinimal" ];
}; };
}; };
in sane-bin // { in sane-bin // {

4
pkgs/additional/sane-scripts/src/sane-wipe
View File

@@ -1,5 +1,5 @@
#!/usr/bin/env nix-shell #!/usr/bin/env nix-shell
#!nix-shell -i bash -p bash -p dconf -p libsecret -p procps -p s6-rc #!nix-shell -i bash -p bash -p dconf -p libsecret -p procps -p systemdMinimal
help() { help() {
echo "usage: sane-wipe <resource>" echo "usage: sane-wipe <resource>"
@@ -52,7 +52,7 @@ wipe_flare() {
} }
wipe_fractal() { wipe_fractal() {
s6-rc stop fractal systemctl stop fractal
# first, ensure the relevant secrets are unlocked # first, ensure the relevant secrets are unlocked
secret-tool search --all --unlock 'xdg:schema' 'org.gnome.Fractal' secret-tool search --all --unlock 'xdg:schema' 'org.gnome.Fractal'