programs: don't persist mesaCacheDir by default
and explicitly add it to every program that uses mesa. wow, that's a *lot*
@@ -531,10 +531,10 @@ in
|
|||||||
|
|
||||||
endless-sky.buildCost = 1;
|
endless-sky.buildCost = 1;
|
||||||
endless-sky.persist.byStore.plaintext = [ ".local/share/endless-sky" ];
|
endless-sky.persist.byStore.plaintext = [ ".local/share/endless-sky" ];
|
||||||
|
endless-sky.sandbox.mesaCacheDir = ".cache/endless-sky/mesa";
|
||||||
endless-sky.sandbox.whitelistAudio = true;
|
endless-sky.sandbox.whitelistAudio = true;
|
||||||
endless-sky.sandbox.whitelistDri = true;
|
endless-sky.sandbox.whitelistDri = true;
|
||||||
endless-sky.sandbox.whitelistWayland = true;
|
endless-sky.sandbox.whitelistWayland = true;
|
||||||
# endless-sky.sandbox.whitelistX = true;
|
|
||||||
endless-sky.packageUnwrapped = pkgs.endless-sky.overrideAttrs (base: {
|
endless-sky.packageUnwrapped = pkgs.endless-sky.overrideAttrs (base: {
|
||||||
nativeBuildInputs = (base.nativeBuildInputs or []) ++ [
|
nativeBuildInputs = (base.nativeBuildInputs or []) ++ [
|
||||||
pkgs.makeWrapper
|
pkgs.makeWrapper
|
||||||
@@ -596,6 +596,7 @@ in
|
|||||||
# ];
|
# ];
|
||||||
|
|
||||||
font-manager.buildCost = 1;
|
font-manager.buildCost = 1;
|
||||||
|
font-manager.sandbox.mesaCacheDir = ".cache/font-manager/mesa";
|
||||||
font-manager.sandbox.whitelistWayland = true;
|
font-manager.sandbox.whitelistWayland = true;
|
||||||
font-manager.packageUnwrapped = pkgs.rmDbusServicesInPlace (pkgs.font-manager.override {
|
font-manager.packageUnwrapped = pkgs.rmDbusServicesInPlace (pkgs.font-manager.override {
|
||||||
# build without the "Google Fonts" integration feature, to save closure / avoid webkitgtk_4_0
|
# build without the "Google Fonts" integration feature, to save closure / avoid webkitgtk_4_0
|
||||||
@@ -646,9 +647,11 @@ in
|
|||||||
gitea = {};
|
gitea = {};
|
||||||
|
|
||||||
gnome-calculator.buildCost = 1;
|
gnome-calculator.buildCost = 1;
|
||||||
|
gnome-calculator.sandbox.mesaCacheDir = ".cache/gnome-calculator/mesa"; # TODO: is this the correct app-id?
|
||||||
gnome-calculator.sandbox.whitelistWayland = true;
|
gnome-calculator.sandbox.whitelistWayland = true;
|
||||||
|
|
||||||
gnome-calendar.buildCost = 2; # depends on webkitgtk_6_0 via evolution-data-server
|
gnome-calendar.buildCost = 2; # depends on webkitgtk_6_0 via evolution-data-server
|
||||||
|
gnome-calendar.sandbox.mesaCacheDir = ".cache/gnome-calendar/mesa"; # TODO: is this the correct app-id?
|
||||||
# gnome-calendar surely has data to persist, but i use it strictly to do date math, not track events.
|
# gnome-calendar surely has data to persist, but i use it strictly to do date math, not track events.
|
||||||
gnome-calendar.sandbox.whitelistWayland = true;
|
gnome-calendar.sandbox.whitelistWayland = true;
|
||||||
gnome-calendar.sandbox.whitelistDbus = [ "user" ];
|
gnome-calendar.sandbox.whitelistDbus = [ "user" ];
|
||||||
@@ -697,13 +700,14 @@ in
|
|||||||
|
|
||||||
gnome-2048.buildCost = 1;
|
gnome-2048.buildCost = 1;
|
||||||
gnome-2048.sandbox.whitelistWayland = true;
|
gnome-2048.sandbox.whitelistWayland = true;
|
||||||
|
gnome-2048.sandbox.mesaCacheDir = ".cache/gnome-2048/mesa";
|
||||||
gnome-2048.persist.byStore.plaintext = [ ".local/share/gnome-2048/scores" ];
|
gnome-2048.persist.byStore.plaintext = [ ".local/share/gnome-2048/scores" ];
|
||||||
|
|
||||||
gnome-frog.buildCost = 1;
|
gnome-frog.buildCost = 1;
|
||||||
gnome-frog.sandbox.whitelistWayland = true;
|
gnome-frog.sandbox.whitelistWayland = true;
|
||||||
gnome-frog.sandbox.whitelistDbus = [ "user" ];
|
gnome-frog.sandbox.whitelistDbus = [ "user" ];
|
||||||
gnome-frog.sandbox.extraPaths = [
|
gnome-frog.sandbox.extraPaths = [
|
||||||
# needed when processing screenshots
|
# needed when processing screenshots (TODO: can i have it use a custom TMPDIR?)
|
||||||
"/tmp"
|
"/tmp"
|
||||||
];
|
];
|
||||||
gnome-frog.sandbox.extraHomePaths = [
|
gnome-frog.sandbox.extraHomePaths = [
|
||||||
@@ -719,6 +723,7 @@ in
|
|||||||
gnome-frog.persist.byStore.ephemeral = [
|
gnome-frog.persist.byStore.ephemeral = [
|
||||||
".local/share/tessdata" # 15M; dunno what all it is.
|
".local/share/tessdata" # 15M; dunno what all it is.
|
||||||
];
|
];
|
||||||
|
gnome-frog.sandbox.mesaCacheDir = ".cache/gnome-frog/mesa"; # TODO: is this the correct app-id?
|
||||||
|
|
||||||
gnugrep.sandbox.autodetectCliPaths = "existing";
|
gnugrep.sandbox.autodetectCliPaths = "existing";
|
||||||
gnugrep.sandbox.whitelistPwd = true;
|
gnugrep.sandbox.whitelistPwd = true;
|
||||||
@@ -741,7 +746,6 @@ in
|
|||||||
# N.B.: if the user doesn't specify an output path, `grim` will output to ~/Pictures (which isn't included in this sandbox)
|
# N.B.: if the user doesn't specify an output path, `grim` will output to ~/Pictures (which isn't included in this sandbox)
|
||||||
grim.sandbox.autodetectCliPaths = "existingOrParent";
|
grim.sandbox.autodetectCliPaths = "existingOrParent";
|
||||||
grim.sandbox.whitelistWayland = true;
|
grim.sandbox.whitelistWayland = true;
|
||||||
grim.sandbox.mesaCacheDir = null; # not a GUI even though it uses wayland
|
|
||||||
|
|
||||||
hase.buildCost = 1;
|
hase.buildCost = 1;
|
||||||
hase.sandbox.net = "clearnet";
|
hase.sandbox.net = "clearnet";
|
||||||
@@ -839,6 +843,7 @@ in
|
|||||||
losslesscut-bin.sandbox.whitelistDri = true;
|
losslesscut-bin.sandbox.whitelistDri = true;
|
||||||
losslesscut-bin.sandbox.whitelistWayland = true;
|
losslesscut-bin.sandbox.whitelistWayland = true;
|
||||||
# losslesscut-bin.sandbox.whitelistX = true;
|
# losslesscut-bin.sandbox.whitelistX = true;
|
||||||
|
losslesscut-bin.sandbox.mesaCacheDir = ".cache/losslesscut/mesa"; # TODO: is this the correct app-id?
|
||||||
losslesscut-bin.packageUnwrapped = pkgs.losslesscut-bin.overrideAttrs (base: {
|
losslesscut-bin.packageUnwrapped = pkgs.losslesscut-bin.overrideAttrs (base: {
|
||||||
extraMakeWrapperArgs = (base.extraMakeWrapperArgs or []) ++ [
|
extraMakeWrapperArgs = (base.extraMakeWrapperArgs or []) ++ [
|
||||||
"--append-flags '--ozone-platform-hint=auto --ozone-platform=wayland --enable-features=WaylandWindowDecorations'"
|
"--append-flags '--ozone-platform-hint=auto --ozone-platform=wayland --enable-features=WaylandWindowDecorations'"
|
||||||
@@ -965,6 +970,7 @@ in
|
|||||||
pavucontrol.sandbox.whitelistAudio = true;
|
pavucontrol.sandbox.whitelistAudio = true;
|
||||||
pavucontrol.sandbox.whitelistDri = true; #< to be a little more responsive
|
pavucontrol.sandbox.whitelistDri = true; #< to be a little more responsive
|
||||||
pavucontrol.sandbox.whitelistWayland = true;
|
pavucontrol.sandbox.whitelistWayland = true;
|
||||||
|
pavucontrol.sandbox.mesaCacheDir = ".cache/pavucontrol/mesa";
|
||||||
|
|
||||||
pciutils.sandbox.extraPaths = [
|
pciutils.sandbox.extraPaths = [
|
||||||
"/sys/bus/pci"
|
"/sys/bus/pci"
|
||||||
@@ -1006,6 +1012,7 @@ in
|
|||||||
pwvucontrol.sandbox.whitelistAudio = true;
|
pwvucontrol.sandbox.whitelistAudio = true;
|
||||||
pwvucontrol.sandbox.whitelistDri = true; # else perf on moby is unusable
|
pwvucontrol.sandbox.whitelistDri = true; # else perf on moby is unusable
|
||||||
pwvucontrol.sandbox.whitelistWayland = true;
|
pwvucontrol.sandbox.whitelistWayland = true;
|
||||||
|
pwvucontrol.sandbox.mesaCacheDir = ".cache/pwvucontrol/mesa"; # TODO: is this the correct app-id?
|
||||||
|
|
||||||
pyright.sandbox.whitelistPwd = true;
|
pyright.sandbox.whitelistPwd = true;
|
||||||
|
|
||||||
@@ -1053,6 +1060,7 @@ in
|
|||||||
"wl-clipboard"
|
"wl-clipboard"
|
||||||
# "zenity"
|
# "zenity"
|
||||||
];
|
];
|
||||||
|
sane-color-picker.sandbox.mesaCacheDir = ".cache/sane-color-picker/mesa"; # TODO: is this the correct app-id?
|
||||||
|
|
||||||
sane-die-with-parent.sandbox.enable = false; #< it's a launcher; can't sandbox
|
sane-die-with-parent.sandbox.enable = false; #< it's a launcher; can't sandbox
|
||||||
|
|
||||||
@@ -1075,6 +1083,7 @@ in
|
|||||||
shattered-pixel-dungeon.sandbox.whitelistAudio = true;
|
shattered-pixel-dungeon.sandbox.whitelistAudio = true;
|
||||||
shattered-pixel-dungeon.sandbox.whitelistDri = true;
|
shattered-pixel-dungeon.sandbox.whitelistDri = true;
|
||||||
shattered-pixel-dungeon.sandbox.whitelistWayland = true;
|
shattered-pixel-dungeon.sandbox.whitelistWayland = true;
|
||||||
|
shattered-pixel-dungeon.sandbox.mesaCacheDir = ".cache/.shatteredpixel/mesa";
|
||||||
|
|
||||||
# printer/filament settings
|
# printer/filament settings
|
||||||
slic3r.buildCost = 1;
|
slic3r.buildCost = 1;
|
||||||
@@ -1084,7 +1093,6 @@ in
|
|||||||
slic3r.sandbox.autodetectCliPaths = "existingFileOrParent"; # slic3r <my-file>.stl -o <out>.gcode
|
slic3r.sandbox.autodetectCliPaths = "existingFileOrParent"; # slic3r <my-file>.stl -o <out>.gcode
|
||||||
|
|
||||||
slurp.sandbox.whitelistWayland = true;
|
slurp.sandbox.whitelistWayland = true;
|
||||||
slurp.sandbox.mesaCacheDir = null; # not a GUI even though it uses wayland
|
|
||||||
|
|
||||||
# snapshot camera, based on libcamera
|
# snapshot camera, based on libcamera
|
||||||
# TODO: enable dma heaps for more efficient buffer sharing: <https://gitlab.com/postmarketOS/pmaports/-/issues/2789>
|
# TODO: enable dma heaps for more efficient buffer sharing: <https://gitlab.com/postmarketOS/pmaports/-/issues/2789>
|
||||||
@@ -1103,6 +1111,7 @@ in
|
|||||||
|
|
||||||
space-cadet-pinball.buildCost = 1;
|
space-cadet-pinball.buildCost = 1;
|
||||||
space-cadet-pinball.persist.byStore.plaintext = [ ".local/share/SpaceCadetPinball" ];
|
space-cadet-pinball.persist.byStore.plaintext = [ ".local/share/SpaceCadetPinball" ];
|
||||||
|
space-cadet-pinball.sandbox.mesaCacheDir = ".cache/SpaceCadetPinball/mesa"; # TODO: is this the correct app-id?
|
||||||
space-cadet-pinball.sandbox.whitelistAudio = true;
|
space-cadet-pinball.sandbox.whitelistAudio = true;
|
||||||
space-cadet-pinball.sandbox.whitelistDri = true;
|
space-cadet-pinball.sandbox.whitelistDri = true;
|
||||||
space-cadet-pinball.sandbox.whitelistWayland = true;
|
space-cadet-pinball.sandbox.whitelistWayland = true;
|
||||||
@@ -1134,6 +1143,7 @@ in
|
|||||||
superTux.sandbox.whitelistDri = true;
|
superTux.sandbox.whitelistDri = true;
|
||||||
superTux.sandbox.whitelistWayland = true;
|
superTux.sandbox.whitelistWayland = true;
|
||||||
# superTux.sandbox.whitelistX = true;
|
# superTux.sandbox.whitelistX = true;
|
||||||
|
superTux.sandbox.mesaCacheDir = ".cache/supertux2/mesa"; # TODO: is this the correct app-id?
|
||||||
superTux.persist.byStore.plaintext = [ ".local/share/supertux2" ];
|
superTux.persist.byStore.plaintext = [ ".local/share/supertux2" ];
|
||||||
superTux.packageUnwrapped = pkgs.superTux.overrideAttrs (base: {
|
superTux.packageUnwrapped = pkgs.superTux.overrideAttrs (base: {
|
||||||
nativeBuildInputs = (base.nativeBuildInputs or []) ++ [
|
nativeBuildInputs = (base.nativeBuildInputs or []) ++ [
|
||||||
@@ -1175,6 +1185,7 @@ in
|
|||||||
tumiki-fighters.sandbox.whitelistDri = true; #< not strictly necessary, but triples CPU perf
|
tumiki-fighters.sandbox.whitelistDri = true; #< not strictly necessary, but triples CPU perf
|
||||||
tumiki-fighters.sandbox.whitelistWayland = true;
|
tumiki-fighters.sandbox.whitelistWayland = true;
|
||||||
tumiki-fighters.sandbox.whitelistX = true;
|
tumiki-fighters.sandbox.whitelistX = true;
|
||||||
|
tumiki-fighters.sandbox.mesaCacheDir = ".cache/tumiki-fighters/mesa"; # TODO: is this the correct app-id?
|
||||||
tumiki-fighters.suggestedPrograms = [
|
tumiki-fighters.suggestedPrograms = [
|
||||||
"xwayland" #< XXX(2024-11-10): does not start without X(wayland), not even with SDL_VIDEDRIVER=wayland
|
"xwayland" #< XXX(2024-11-10): does not start without X(wayland), not even with SDL_VIDEDRIVER=wayland
|
||||||
];
|
];
|
||||||
@@ -1205,7 +1216,6 @@ in
|
|||||||
# `vulkaninfo`, `vkcube`
|
# `vulkaninfo`, `vkcube`
|
||||||
vulkan-tools.sandbox.whitelistDri = true;
|
vulkan-tools.sandbox.whitelistDri = true;
|
||||||
vulkan-tools.sandbox.whitelistWayland = true;
|
vulkan-tools.sandbox.whitelistWayland = true;
|
||||||
vulkan-tools.sandbox.mesaCacheDir = null; # doesn't use mesa even though it uses wayland
|
|
||||||
vulkan-tools.sandbox.whitelistX = true;
|
vulkan-tools.sandbox.whitelistX = true;
|
||||||
vulkan-tools.sandbox.extraPaths = [
|
vulkan-tools.sandbox.extraPaths = [
|
||||||
"/sys/dev/char"
|
"/sys/dev/char"
|
||||||
@@ -1216,6 +1226,7 @@ in
|
|||||||
vvvvvv.sandbox.whitelistAudio = true;
|
vvvvvv.sandbox.whitelistAudio = true;
|
||||||
vvvvvv.sandbox.whitelistDri = true; #< playable without, but burns noticably more CPU
|
vvvvvv.sandbox.whitelistDri = true; #< playable without, but burns noticably more CPU
|
||||||
vvvvvv.sandbox.whitelistWayland = true;
|
vvvvvv.sandbox.whitelistWayland = true;
|
||||||
|
vvvvvv.sandbox.mesaCacheDir = ".cache/VVVVVV/mesa";
|
||||||
vvvvvv.persist.byStore.plaintext = [ ".local/share/VVVVVV" ];
|
vvvvvv.persist.byStore.plaintext = [ ".local/share/VVVVVV" ];
|
||||||
|
|
||||||
w3m.sandbox.net = "all";
|
w3m.sandbox.net = "all";
|
||||||
@@ -1226,6 +1237,7 @@ in
|
|||||||
|
|
||||||
watch.sandbox.enable = false; #< it executes the command it's given
|
watch.sandbox.enable = false; #< it executes the command it's given
|
||||||
|
|
||||||
|
wdisplays.sandbox.mesaCacheDir = ".cache/wdisplays/mesa"; # TODO: is this the correct app-id?
|
||||||
wdisplays.sandbox.whitelistWayland = true;
|
wdisplays.sandbox.whitelistWayland = true;
|
||||||
|
|
||||||
wget.sandbox.net = "all";
|
wget.sandbox.net = "all";
|
||||||
@@ -1246,16 +1258,15 @@ in
|
|||||||
|
|
||||||
wl-clipboard.sandbox.whitelistWayland = true;
|
wl-clipboard.sandbox.whitelistWayland = true;
|
||||||
wl-clipboard.sandbox.keepPids = true; #< this is needed, but not sure why?
|
wl-clipboard.sandbox.keepPids = true; #< this is needed, but not sure why?
|
||||||
wl-clipboard.sandbox.mesaCacheDir = null; # not a GUI even though it uses wayland
|
|
||||||
|
|
||||||
wtype = {};
|
wtype = {};
|
||||||
wtype.sandbox.whitelistWayland = true;
|
wtype.sandbox.whitelistWayland = true;
|
||||||
wtype.sandbox.mesaCacheDir = null; # not a GUI even though it uses wayland
|
|
||||||
|
|
||||||
xwayland.sandbox.wrapperType = "inplace"; #< consumers use it as a library (e.g. wlroots)
|
xwayland.sandbox.wrapperType = "inplace"; #< consumers use it as a library (e.g. wlroots)
|
||||||
xwayland.sandbox.whitelistWayland = true; #< just assuming this is needed
|
xwayland.sandbox.whitelistWayland = true; #< just assuming this is needed
|
||||||
xwayland.sandbox.whitelistX = true;
|
xwayland.sandbox.whitelistX = true;
|
||||||
xwayland.sandbox.whitelistDri = true; #< would assume this gives better gfx perf
|
xwayland.sandbox.whitelistDri = true; #< would assume this gives better gfx perf
|
||||||
|
xwayland.sandbox.mesaCacheDir = ".cache/xwayland/mesa"; # TODO: is this the correct app-id?
|
||||||
|
|
||||||
xterm.sandbox.enable = false; # need to be able to do everything
|
xterm.sandbox.enable = false; # need to be able to do everything
|
||||||
|
|
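Review bot: Eleven of the `mesaCacheDir` values added in this file are marked `# TODO: is this the correct app-id?`, so the directory each sandbox gets for its shader cache is an unverified guess, and the TODO does not say what breaks if the guess is wrong. The commit makes persisting this cache an explicit per-program decision, so the requirement should be stated once near the first entry instead of repeated as a question, for example `# mesaCacheDir: must be unique per program so sandboxes never share a writable cache dir`, if that is the intent. The hand-typed `.cache/<name>/mesa` literal repeated per program also makes a misspelled or duplicated path easy to miss; deriving the value from the program name would avoid that, if the option definition (not shown here) allows it.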
||||||
|
@@ -22,6 +22,7 @@
|
|||||||
sandbox.extraPaths = [
|
sandbox.extraPaths = [
|
||||||
"/tmp" # needed particularly if run from `sane-vpn do`
|
"/tmp" # needed particularly if run from `sane-vpn do`
|
||||||
];
|
];
|
||||||
|
sandbox.mesaCacheDir = ".cache/BraveSoftware/mesa";
|
||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
sandbox.whitelistDri = true;
|
sandbox.whitelistDri = true;
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
|
@@ -102,6 +102,7 @@ in
|
|||||||
];
|
];
|
||||||
}));
|
}));
|
||||||
|
|
||||||
|
sandbox.mesaCacheDir = ".cache/calls/mesa";
|
||||||
sandbox.net = "vpn.wg-home"; #< XXX(2024/07/05): my cell carrier seems to block RTP, so tunnel it.
|
sandbox.net = "vpn.wg-home"; #< XXX(2024/07/05): my cell carrier seems to block RTP, so tunnel it.
|
||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
sandbox.whitelistDbus = [ "user" ]; # necessary for secrets, at the minimum
|
sandbox.whitelistDbus = [ "user" ]; # necessary for secrets, at the minimum
|
||||||
|
@@ -14,5 +14,6 @@
|
|||||||
# save data, controls map
|
# save data, controls map
|
||||||
".local/share/Celeste64"
|
".local/share/Celeste64"
|
||||||
];
|
];
|
||||||
|
sandbox.mesaCacheDir = ".cache/Celeste64/mesa";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@@ -9,7 +9,6 @@
|
|||||||
# "/sys/devices/system"
|
# "/sys/devices/system"
|
||||||
];
|
];
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
sandbox.mesaCacheDir = null; # doesn't use mesa even though it uses wayland
|
|
||||||
|
|
||||||
suggestedPrograms = [
|
suggestedPrograms = [
|
||||||
"sane-sysload"
|
"sane-sysload"
|
||||||
|
@@ -16,5 +16,7 @@
|
|||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
# gsettingsPersist = [ "app/drey/Dialect" ];
|
# gsettingsPersist = [ "app/drey/Dialect" ];
|
||||||
|
|
||||||
|
sandbox.mesaCacheDir = ".cache/dialect/mesa"; # TODO: is this the correct app-dir?
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@@ -84,6 +84,7 @@ in
|
|||||||
# ".cache/gstreamer-1.0" # 1.3 MB #< TODO: place the gst cache in ~/.cache/dino/gstreamer-1.0
|
# ".cache/gstreamer-1.0" # 1.3 MB #< TODO: place the gst cache in ~/.cache/dino/gstreamer-1.0
|
||||||
# ];
|
# ];
|
||||||
persist.byStore.private = [ ".local/share/dino" ];
|
persist.byStore.private = [ ".local/share/dino" ];
|
||||||
|
sandbox.mesaCacheDir = ".cache/dino/mesa";
|
||||||
|
|
||||||
services.dino = {
|
services.dino = {
|
||||||
description = "dino XMPP client";
|
description = "dino XMPP client";
|
||||||
|
@@ -6,6 +6,7 @@
|
|||||||
installPhase = lib.replaceStrings [ "NIXOS_OZONE_WL" ] [ "WAYLAND_DISPLAY" ] base.installPhase;
|
installPhase = lib.replaceStrings [ "NIXOS_OZONE_WL" ] [ "WAYLAND_DISPLAY" ] base.installPhase;
|
||||||
});
|
});
|
||||||
|
|
||||||
|
sandbox.mesaCacheDir = ".cache/discord/mesa";
|
||||||
# creds, but also 200 MB of node modules, etc
|
# creds, but also 200 MB of node modules, etc
|
||||||
persist.byStore.private = [ ".config/discord" ];
|
persist.byStore.private = [ ".config/discord" ];
|
||||||
sandbox.wrapperType = "inplace"; #< package contains broken symlinks that my wrapper can't handle
|
sandbox.wrapperType = "inplace"; #< package contains broken symlinks that my wrapper can't handle
|
||||||
|
@@ -49,6 +49,7 @@
|
|||||||
"/dev/snd" #< needed only when playing embedded audio (not embedded video!)
|
"/dev/snd" #< needed only when playing embedded audio (not embedded video!)
|
||||||
];
|
];
|
||||||
|
|
||||||
|
sandbox.mesaCacheDir = ".cache/Element/mesa";
|
||||||
# creds/session keys, etc
|
# creds/session keys, etc
|
||||||
persist.byStore.private = [ ".config/Element" ];
|
persist.byStore.private = [ ".config/Element" ];
|
||||||
};
|
};
|
||||||
|
@@ -230,6 +230,7 @@ in
|
|||||||
] ++ addonHomePaths;
|
] ++ addonHomePaths;
|
||||||
|
|
||||||
sandbox.tmpDir = ".cache/mozilla/tmp";
|
sandbox.tmpDir = ".cache/mozilla/tmp";
|
||||||
|
sandbox.mesaCacheDir = ".cache/mozilla/mesa";
|
||||||
|
|
||||||
mime.associations = let
|
mime.associations = let
|
||||||
desktop = "firefox.desktop";
|
desktop = "firefox.desktop";
|
||||||
|
@@ -23,6 +23,8 @@
|
|||||||
];
|
];
|
||||||
sandbox.autodetectCliPaths = "existing";
|
sandbox.autodetectCliPaths = "existing";
|
||||||
|
|
||||||
|
sandbox.mesaCacheDir = ".cache/com.github.johnfactotum.Foliate/mesa";
|
||||||
|
|
||||||
persist.byStore.plaintext = [
|
persist.byStore.plaintext = [
|
||||||
".local/share/com.github.johnfactotum.Foliate" #< books added, reading position
|
".local/share/com.github.johnfactotum.Foliate" #< books added, reading position
|
||||||
".cache/com.github.johnfactotum.Foliate" #< webkit cache
|
".cache/com.github.johnfactotum.Foliate" #< webkit cache
|
||||||
|
@@ -17,6 +17,7 @@
|
|||||||
"Music"
|
"Music"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
sandbox.mesaCacheDir = ".cache/com.github.neithern.g4music/mesa";
|
||||||
persist.byStore.plaintext = [
|
persist.byStore.plaintext = [
|
||||||
# index?
|
# index?
|
||||||
".cache/com.github.neithern.g4music"
|
".cache/com.github.neithern.g4music"
|
||||||
|
@@ -49,6 +49,7 @@ in
|
|||||||
# fs.".local/share/folks".dir = {};
|
# fs.".local/share/folks".dir = {};
|
||||||
|
|
||||||
buildCost = 3; # uses webkitgtk 4.1
|
buildCost = 3; # uses webkitgtk 4.1
|
||||||
|
sandbox.mesaCacheDir = ".cache/geary/mesa";
|
||||||
persist.byStore.private = [
|
persist.byStore.private = [
|
||||||
# attachments, and email -- contained in a sqlite db
|
# attachments, and email -- contained in a sqlite db
|
||||||
".local/share/geary"
|
".local/share/geary"
|
||||||
|
@@ -4,6 +4,7 @@
|
|||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
sandbox.whitelistDbus = [ "user" ]; #< required for DE notification when alarm rings
|
sandbox.whitelistDbus = [ "user" ]; #< required for DE notification when alarm rings
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
|
sandbox.mesaCacheDir = ".cache/gnome-clocks/mesa"; # TODO: is this the correct app-id?
|
||||||
gsettingsPersist = [ "org/gnome/clocks" ];
|
gsettingsPersist = [ "org/gnome/clocks" ];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@@ -33,6 +33,8 @@
|
|||||||
sandbox.whitelistDri = true; #< speculative, but i'd like it to be responsive on mobile
|
sandbox.whitelistDri = true; #< speculative, but i'd like it to be responsive on mobile
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
|
|
||||||
|
sandbox.mesaCacheDir = ".cache/gnome-calendar/mesa"; # TODO: is this the correct app-id?
|
||||||
|
|
||||||
suggestedPrograms = [
|
suggestedPrograms = [
|
||||||
"evolution-data-server" #< REQUIRED for saving/loading of any contacts
|
"evolution-data-server" #< REQUIRED for saving/loading of any contacts
|
||||||
];
|
];
|
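Review bot: `sandbox.mesaCacheDir = ".cache/gnome-calendar/mesa";` repeats the exact path this commit already assigns to `gnome-calendar`, yet this section appears to configure a different program (the `evolution-data-server` comment speaks of contacts). Two separately sandboxed programs would then read and write the same persisted shader-cache directory, which weakens the per-program isolation the sandbox options are meant to give. Use a directory named after this program, e.g. `sandbox.mesaCacheDir = ".cache/gnome-contacts/mesa";` if this is gnome-contacts (the file name is not visible on this page). The two megapixels sections later in the commit likewise both use `".cache/megapixels/mesa"`; confirm that sharing is intended there.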
||||||
|
@@ -41,6 +41,7 @@
|
|||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
|
|
||||||
|
sandbox.mesaCacheDir = ".cache/gnome-maps/mesa";
|
||||||
persist.byStore.plaintext = [ ".cache/shumate" ];
|
persist.byStore.plaintext = [ ".cache/shumate" ];
|
||||||
# ~/.local/share/gnome-maps/places.json (previously: ../maps-places.json); to persist starred locations, recent locations+routes
|
# ~/.local/share/gnome-maps/places.json (previously: ../maps-places.json); to persist starred locations, recent locations+routes
|
||||||
# TODO: building in "developer mode" causes gnome-maps to pretty-print the .json instead of minifying it
|
# TODO: building in "developer mode" causes gnome-maps to pretty-print the .json instead of minifying it
|
||||||
|
@@ -15,6 +15,8 @@
|
|||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
|
|
||||||
|
sandbox.mesaCacheDir = ".cache/gnome-weather/mesa"; # TODO: is this the correct app-id?
|
||||||
|
|
||||||
persist.byStore.plaintext = [
|
persist.byStore.plaintext = [
|
||||||
".cache/libgweather" # weather data (or maybe a http cache)
|
".cache/libgweather" # weather data (or maybe a http cache)
|
||||||
];
|
];
|
||||||
|
@@ -17,7 +17,6 @@
|
|||||||
sandbox.keepPids = true; #< needed by wl-clipboard
|
sandbox.keepPids = true; #< needed by wl-clipboard
|
||||||
sandbox.whitelistDbus = [ "user" ];
|
sandbox.whitelistDbus = [ "user" ];
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
sandbox.mesaCacheDir = null; # not a GUI even though it uses wayland
|
|
||||||
sandbox.extraRuntimePaths = [
|
sandbox.extraRuntimePaths = [
|
||||||
"sway"
|
"sway"
|
||||||
];
|
];
|
||||||
|
@@ -3,6 +3,8 @@
|
|||||||
sane.programs.handbrake = {
|
sane.programs.handbrake = {
|
||||||
buildCost = 1;
|
buildCost = 1;
|
||||||
|
|
||||||
|
sandbox.mesaCacheDir = ".cache/handbrake/mesa"; # TODO: is this the correct app-id?
|
||||||
|
|
||||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
sandbox.extraHomePaths = [
|
sandbox.extraHomePaths = [
|
||||||
|
@@ -17,6 +17,7 @@
|
|||||||
"tmp"
|
"tmp"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
sandbox.mesaCacheDir = ".cache/krita/mesa"; # TODO: is this the correct app-id?
|
||||||
suggestedPrograms = [
|
suggestedPrograms = [
|
||||||
"xwayland" #< XXX(2024-11-10): does not start without X(wayland); not even with QT_QPA_PLATFORM=wayland. see e.g. <https://discuss.kde.org/t/is-there-any-plans-to-add-wayland-support-to-krita/18153>
|
"xwayland" #< XXX(2024-11-10): does not start without X(wayland); not even with QT_QPA_PLATFORM=wayland. see e.g. <https://discuss.kde.org/t/is-there-any-plans-to-add-wayland-support-to-krita/18153>
|
||||||
];
|
];
|
||||||
|
@@ -21,6 +21,8 @@
|
|||||||
"tmp"
|
"tmp"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
sandbox.mesaCacheDir = ".cache/loupe/mesa"; # TODO: is this the correct app-id?
|
||||||
|
|
||||||
mime.associations = {
|
mime.associations = {
|
||||||
"image/avif" = "org.gnome.Loupe.desktop";
|
"image/avif" = "org.gnome.Loupe.desktop";
|
||||||
"image/gif" = "org.gnome.Loupe.desktop";
|
"image/gif" = "org.gnome.Loupe.desktop";
|
||||||
|
@@ -55,6 +55,7 @@ in
|
|||||||
"/sys/class/leds" #< for flash, presumably
|
"/sys/class/leds" #< for flash, presumably
|
||||||
];
|
];
|
||||||
sandbox.whitelistAvDev = true;
|
sandbox.whitelistAvDev = true;
|
||||||
|
sandbox.mesaCacheDir = ".cache/megapixels/mesa"; # TODO: is this the correct app-id?
|
||||||
gsettings."me/gapixels/megapixels" = {
|
gsettings."me/gapixels/megapixels" = {
|
||||||
# **required** for it to find its postprocess script
|
# **required** for it to find its postprocess script
|
||||||
postprocessor = "${cfg.package}/share/megapixels/postprocess.sh";
|
postprocessor = "${cfg.package}/share/megapixels/postprocess.sh";
|
||||||
|
@@ -40,6 +40,7 @@
|
|||||||
"/sys/class/leds" #< for flash, presumably
|
"/sys/class/leds" #< for flash, presumably
|
||||||
];
|
];
|
||||||
sandbox.whitelistAvDev = true;
|
sandbox.whitelistAvDev = true;
|
||||||
|
sandbox.mesaCacheDir = ".cache/megapixels/mesa"; # TODO: is this the correct app-id?
|
||||||
gsettingsPersist = [
|
gsettingsPersist = [
|
||||||
"org/postmarketos/megapixels" #< needs to set `postprocessor` else it will segfault during post-process
|
"org/postmarketos/megapixels" #< needs to set `postprocessor` else it will segfault during post-process
|
||||||
];
|
];
|
||||||
|
@@ -19,6 +19,7 @@
|
|||||||
"system" # system is required for non-portal location services
|
"system" # system is required for non-portal location services
|
||||||
"user" #< not sure if "user" is necessary?
|
"user" #< not sure if "user" is necessary?
|
||||||
];
|
];
|
||||||
|
sandbox.mesaCacheDir = ".cache/mepo/mesa";
|
||||||
|
|
||||||
persist.byStore.plaintext = [ ".cache/mepo/tiles" ];
|
persist.byStore.plaintext = [ ".cache/mepo/tiles" ];
|
||||||
# ~/.cache/mepo/savestate has precise coordinates and pins: keep those private
|
# ~/.cache/mepo/savestate has precise coordinates and pins: keep those private
|
||||||
|
@@ -208,6 +208,7 @@ in
|
|||||||
"Videos/local"
|
"Videos/local"
|
||||||
"Videos/servo"
|
"Videos/servo"
|
||||||
];
|
];
|
||||||
|
sandbox.mesaCacheDir = ".cache/mpv/mesa";
|
||||||
|
|
||||||
persist.byStore.plaintext = [
|
persist.byStore.plaintext = [
|
||||||
# for `watch_later`
|
# for `watch_later`
|
||||||
|
@@ -43,7 +43,6 @@ in
|
|||||||
|
|
||||||
sandbox.autodetectCliPaths = "existingOrParent";
|
sandbox.autodetectCliPaths = "existingOrParent";
|
||||||
sandbox.whitelistWayland = true; # for system clipboard integration
|
sandbox.whitelistWayland = true; # for system clipboard integration
|
||||||
sandbox.mesaCacheDir = null; # not a GUI even though it uses wayland
|
|
||||||
# sandbox.whitelistPwd = true;
|
# sandbox.whitelistPwd = true;
|
||||||
sandbox.extraHomePaths = [
|
sandbox.extraHomePaths = [
|
||||||
".local/share/dasht/docsets"
|
".local/share/dasht/docsets"
|
||||||
|
@@ -15,6 +15,8 @@ let
|
|||||||
wanted-feeds = feeds.filterByFormat [ "text" "image" "podcast" "video" ] all-feeds;
|
wanted-feeds = feeds.filterByFormat [ "text" "image" "podcast" "video" ] all-feeds;
|
||||||
in {
|
in {
|
||||||
sane.programs.newsflash = {
|
sane.programs.newsflash = {
|
||||||
|
buildCost = 2; # mainly for desktop: webkitgtk-6.0
|
||||||
|
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
sandbox.whitelistAudio = true; #< for embedded videos
|
sandbox.whitelistAudio = true; #< for embedded videos
|
||||||
sandbox.whitelistDbus = [ "user" ];
|
sandbox.whitelistDbus = [ "user" ];
|
||||||
@@ -29,7 +31,7 @@ in {
|
|||||||
"/sys/class/block/loop7"
|
"/sys/class/block/loop7"
|
||||||
];
|
];
|
||||||
|
|
||||||
buildCost = 2; # mainly for desktop: webkitgtk-6.0
|
sandbox.mesaCacheDir = ".cache/nesh_flash/mesa";
|
||||||
persist.byStore.plaintext = [
|
persist.byStore.plaintext = [
|
||||||
".local/share/news-flash" #< sqlite database, the actually important stuff
|
".local/share/news-flash" #< sqlite database, the actually important stuff
|
||||||
# ".local/share/news_flash" #< device IDs (?)
|
# ".local/share/news_flash" #< device IDs (?)
|
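Review bot: `sandbox.mesaCacheDir = ".cache/nesh_flash/mesa";` looks like a misspelling of the program's name, since the data paths in the same hunk are `.local/share/news-flash` and `.local/share/news_flash`. The sandbox would still get a writable cache directory, but under a name nobody will associate with newsflash when auditing what is persisted. Suggested: `sandbox.mesaCacheDir = ".cache/news_flash/mesa";`.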
||||||
|
@@ -22,6 +22,7 @@
|
|||||||
# and then update the config on disk. it errors if it can't `mv` it like that.
|
# and then update the config on disk. it errors if it can't `mv` it like that.
|
||||||
".config/nicotine"
|
".config/nicotine"
|
||||||
];
|
];
|
||||||
|
# sandbox.mesaCacheDir = ".cache/nicotine/mesa"; # don't persist (privacy); (might want to apply that to downloads too)
|
||||||
|
|
||||||
# the config has loooads of options, but the only critical one is auth/creds.
|
# the config has loooads of options, but the only critical one is auth/creds.
|
||||||
# run with ~/.config/nicotine in the sandbox and nicotine will derive the whole config
|
# run with ~/.config/nicotine in the sandbox and nicotine will derive the whole config
|
||||||
|
@@ -5,6 +5,7 @@
|
|||||||
sandbox.whitelistDri = true; #< otherwise intolerably slow on moby
|
sandbox.whitelistDri = true; #< otherwise intolerably slow on moby
|
||||||
gsettingsPersist = [ "io/github/lainsce/Notejot" ]; #< TODO: probably not needed
|
gsettingsPersist = [ "io/github/lainsce/Notejot" ]; #< TODO: probably not needed
|
||||||
|
|
||||||
|
sandbox.mesaCacheDir = ".cache/io.github.lainsce.Notejot/mesa";
|
||||||
persist.byStore.private = [
|
persist.byStore.private = [
|
||||||
".local/share/io.github.lainsce.Notejot"
|
".local/share/io.github.lainsce.Notejot"
|
||||||
];
|
];
|
||||||
|
@@ -11,6 +11,7 @@
|
|||||||
sandbox.whitelistDri = true; #< speedier
|
sandbox.whitelistDri = true; #< speedier
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
sandbox.autodetectCliPaths = "existingFile";
|
sandbox.autodetectCliPaths = "existingFile";
|
||||||
|
sandbox.mesaCacheDir = ".cache/papers/mesa"; # TODO: is this the correct app-id?
|
||||||
|
|
||||||
mime.associations."application/pdf" = "org.gnome.Papers.desktop";
|
mime.associations."application/pdf" = "org.gnome.Papers.desktop";
|
||||||
# XXX(2024-10-06): even with `sandbox.net = "all"` and glib-networking, papers can only open *http* URLs and not https
|
# XXX(2024-10-06): even with `sandbox.net = "all"` and glib-networking, papers can only open *http* URLs and not https
|
||||||
|
@@ -3,8 +3,9 @@
|
|||||||
sane.programs.planify = {
|
sane.programs.planify = {
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
|
|
||||||
|
sandbox.mesaCacheDir = ".cache/io.github.alainm23/mesa";
|
||||||
persist.byStore.private = [
|
persist.byStore.private = [
|
||||||
# TODO items as a sqlite database
|
# todo items as a sqlite database
|
||||||
".local/share/io.github.alainm23.planify"
|
".local/share/io.github.alainm23.planify"
|
||||||
];
|
];
|
||||||
# TODO: can probably configure gsettings statically?
|
# TODO: can probably configure gsettings statically?
|
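Review bot: `sandbox.mesaCacheDir = ".cache/io.github.alainm23/mesa";` drops the `.planify` suffix that the persisted data path in the same hunk carries (`.local/share/io.github.alainm23.planify`). What remains is the author's namespace rather than the application id, so another sandboxed program from the same namespace could end up sharing this writable cache directory. Suggested: `sandbox.mesaCacheDir = ".cache/io.github.alainm23.planify/mesa";`.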
||||||
|
@@ -37,6 +37,7 @@
|
|||||||
# "gvfs"
|
# "gvfs"
|
||||||
# "gvfsd"
|
# "gvfsd"
|
||||||
# ];
|
# ];
|
||||||
|
sandbox.mesaCacheDir = ".cache/portfolio/mesa"; # TODO: is this the correct app-id?
|
||||||
|
|
||||||
# suggestedPrograms = [ "gvfs" ]; #< TODO: fix (ftp:// share, USB drive browsing)
|
# suggestedPrograms = [ "gvfs" ]; #< TODO: fix (ftp:// share, USB drive browsing)
|
||||||
|
|
||||||
|
@@ -26,7 +26,6 @@
|
|||||||
# so doesn't need all sandboxing.
|
# so doesn't need all sandboxing.
|
||||||
# that might hint that the packages should be split/restructured...
|
# that might hint that the packages should be split/restructured...
|
||||||
sandbox.whitelistWayland = true; #< to access clipboard
|
sandbox.whitelistWayland = true; #< to access clipboard
|
||||||
sandbox.mesaCacheDir = null; # not a GUI even though it uses wayland
|
|
||||||
sandbox.whitelistDbus = [ "user" ];
|
sandbox.whitelistDbus = [ "user" ];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@@ -3,7 +3,6 @@
|
|||||||
sane.programs.sane-screenshot = {
|
sane.programs.sane-screenshot = {
|
||||||
sandbox.whitelistDbus = [ "user" ]; #< to send notifications
|
sandbox.whitelistDbus = [ "user" ]; #< to send notifications
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
sandbox.mesaCacheDir = null; # doesn't use mesa even though it uses wayland
|
|
||||||
sandbox.extraHomePaths = [
|
sandbox.extraHomePaths = [
|
||||||
"Pictures/Screenshots"
|
"Pictures/Screenshots"
|
||||||
];
|
];
|
||||||
|
@@ -54,5 +54,6 @@
|
|||||||
"system" #< reads NMEA data via ModemManager
|
"system" #< reads NMEA data via ModemManager
|
||||||
];
|
];
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
|
sandbox.mesaCacheDir = ".cache/satellite/mesa"; # TODO: is this the correct app-id?
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@@ -25,6 +25,7 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
|
sandbox.mesaCacheDir = ".cache/schlock/mesa";
|
||||||
|
|
||||||
secrets.".config/schlock/schlock.pin" = ../../../secrets/common/schlock.pin.bin;
|
secrets.".config/schlock/schlock.pin" = ../../../secrets/common/schlock.pin.bin;
|
||||||
|
|
||||||
|
@@ -37,8 +37,6 @@ in
|
|||||||
# ;
|
# ;
|
||||||
# });
|
# });
|
||||||
|
|
||||||
name = "Signal"; #< it places its files in ~/.config/Signal, etc
|
|
||||||
|
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
sandbox.whitelistDbus = [
|
sandbox.whitelistDbus = [
|
||||||
@@ -58,6 +56,7 @@ in
|
|||||||
"Videos/servo"
|
"Videos/servo"
|
||||||
"tmp"
|
"tmp"
|
||||||
];
|
];
|
||||||
|
sandbox.mesaCacheDir = ".cache/Signal/mesa";
|
||||||
sandbox.tmpDir = ".cache/Signal/tmp"; # 60MB+ sqlite database(s)
|
sandbox.tmpDir = ".cache/Signal/tmp"; # 60MB+ sqlite database(s)
|
||||||
|
|
||||||
# creds, media
|
# creds, media
|
||||||
|
@@ -13,6 +13,7 @@ in
|
|||||||
"/dev/input" #< for controllers
|
"/dev/input" #< for controllers
|
||||||
];
|
];
|
||||||
|
|
||||||
|
sandbox.mesaCacheDir = ".cache/sm64ex-coop/mesa";
|
||||||
persist.byStore.plaintext = [
|
persist.byStore.plaintext = [
|
||||||
".local/share/sm64ex-coop"
|
".local/share/sm64ex-coop"
|
||||||
];
|
];
|
||||||
|
@@ -7,6 +7,7 @@
|
|||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
sandbox.whitelistDri = true;
|
sandbox.whitelistDri = true;
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
|
sandbox.mesaCacheDir = ".cache/supertuxkart/mesa";
|
||||||
|
|
||||||
persist.byStore.plaintext = [
|
persist.byStore.plaintext = [
|
||||||
".cache/supertuxkart"
|
".cache/supertuxkart"
|
||||||
|
@@ -248,6 +248,7 @@ in
|
|||||||
".config/sway"
|
".config/sway"
|
||||||
# it (may) launch xwayland, in which case xwayland needs access to its stuff too
|
# it (may) launch xwayland, in which case xwayland needs access to its stuff too
|
||||||
] ++ config.sane.programs.xwayland.sandbox.extraHomePaths;
|
] ++ config.sane.programs.xwayland.sandbox.extraHomePaths;
|
||||||
|
sandbox.mesaCacheDir = ".cache/sway/mesa";
|
||||||
|
|
||||||
fs.".config/xdg-desktop-portal/sway-portals.conf".symlink.text = ''
|
fs.".config/xdg-desktop-portal/sway-portals.conf".symlink.text = ''
|
||||||
# portals.conf docs: <https://flatpak.github.io/xdg-desktop-portal/docs/portals.conf.html>
|
# portals.conf docs: <https://flatpak.github.io/xdg-desktop-portal/docs/portals.conf.html>
|
||||||
|
@@ -87,7 +87,6 @@ in
|
|||||||
];
|
];
|
||||||
sandbox.whitelistSystemctl = true;
|
sandbox.whitelistSystemctl = true;
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
sandbox.mesaCacheDir = null; # not a GUI even though it uses wayland
|
|
||||||
sandbox.extraRuntimePaths = [ "sway" ];
|
sandbox.extraRuntimePaths = [ "sway" ];
|
||||||
|
|
||||||
services.swayidle = {
|
services.swayidle = {
|
||||||
|
@@ -38,7 +38,6 @@ in
|
|||||||
"/etc/shadow"
|
"/etc/shadow"
|
||||||
];
|
];
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
sandbox.mesaCacheDir = null; # doesn't use mesa even though it uses wayland
|
|
||||||
|
|
||||||
services.swaylock = {
|
services.swaylock = {
|
||||||
description = "swaylock screen locker";
|
description = "swaylock screen locker";
|
||||||
|
@@ -113,7 +113,6 @@ in
|
|||||||
];
|
];
|
||||||
sandbox.whitelistSystemctl = true;
|
sandbox.whitelistSystemctl = true;
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
sandbox.mesaCacheDir = null; # doesn't use mesa even though it uses wayland
|
|
||||||
sandbox.extraPaths = [
|
sandbox.extraPaths = [
|
||||||
"/sys/class/backlight"
|
"/sys/class/backlight"
|
||||||
"/sys/devices"
|
"/sys/devices"
|
||||||
|
@@ -30,5 +30,6 @@
|
|||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
sandbox.whitelistDbus = [ "system" ]; #< to speak with NetworkManager
|
sandbox.whitelistDbus = [ "system" ]; #< to speak with NetworkManager
|
||||||
sandbox.whitelistAudio = true; #< even with this, the sound plugin doesn't seem to work...
|
sandbox.whitelistAudio = true; #< even with this, the sound plugin doesn't seem to work...
|
||||||
|
sandbox.mesaCacheDir = ".cache/switchboard/mesa"; # TODO: is this the correct app-id?
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@@ -7,6 +7,7 @@
|
|||||||
"/sys/class/backlight" #< crashes if unable to access this directory
|
"/sys/class/backlight" #< crashes if unable to access this directory
|
||||||
# "/sys/devices" #< only if you want it to actually show when the backlight changes
|
# "/sys/devices" #< only if you want it to actually show when the backlight changes
|
||||||
];
|
];
|
||||||
|
sandbox.mesaCacheDir = ".cache/sys64/hud/mesa";
|
||||||
|
|
||||||
fs.".config/sys64/hud/config.conf".symlink.text = ''
|
fs.".config/sys64/hud/config.conf".symlink.text = ''
|
||||||
[main]
|
[main]
|
||||||
|
@@ -13,8 +13,9 @@
|
|||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
sandbox.whitelistDbus = [ "user" ]; #< so `tor-browser http://...` can open using an existing instance
|
sandbox.whitelistDbus = [ "user" ]; #< so `tor-browser http://...` can open using an existing instance
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
|
# sandbox.mesaCacheDir = ".cache/tor-browser/mesa"; # don't persist mesa dir (privacy)
|
||||||
persist.byStore.ephemeral = [
|
persist.byStore.ephemeral = [
|
||||||
".local/share/tor-browser"
|
".local/share/tor-browser" # persisted because of downloads, i think??
|
||||||
];
|
];
|
||||||
mime.urlAssociations."^https?://.+\.onion$" = "torbrowser.desktop";
|
mime.urlAssociations."^https?://.+\.onion$" = "torbrowser.desktop";
|
||||||
};
|
};
|
||||||
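Review bot: The privacy decision here is carried only by a commented-out line, `# sandbox.mesaCacheDir = ".cache/tor-browser/mesa"; # don't persist mesa dir (privacy)`, so it holds only while the option default stays `null`. This commit itself changes that default. Under the previous default, derived from `whitelistWayland`, this entry would apparently have received `.cache/tor-browser/mesa`, since the old side of the hunk shows no opt-out. Writing it as `sandbox.mesaCacheDir = null; # never persist the shader cache (privacy)` makes the opt-out explicit and lets it survive a later change of default. The attribute set starts outside the hunk.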
|
@@ -19,6 +19,7 @@
|
|||||||
"Videos/servo"
|
"Videos/servo"
|
||||||
"tmp"
|
"tmp"
|
||||||
];
|
];
|
||||||
|
sandbox.mesaCacheDir = ".cache/tuba/mesa"; # TODO: is this the correct app-id?
|
||||||
|
|
||||||
suggestedPrograms = [ "gnome-keyring" ];
|
suggestedPrograms = [ "gnome-keyring" ];
|
||||||
};
|
};
|
||||||
|
@@ -12,5 +12,6 @@
|
|||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
sandbox.whitelistDri = true;
|
sandbox.whitelistDri = true;
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
|
sandbox.mesaCacheDir = ".cache/video-trimmer/mesa"; # TODO: is this the correct app-id?
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@@ -1,6 +1,8 @@
|
|||||||
{ ... }:
|
{ ... }:
|
||||||
{
|
{
|
||||||
sane.programs.wike = {
|
sane.programs.wike = {
|
||||||
|
buildCost = 2;
|
||||||
|
|
||||||
sandbox.wrapperType = "inplace"; # share/wike/wike-sp refers back to the binaries and share
|
sandbox.wrapperType = "inplace"; # share/wike/wike-sp refers back to the binaries and share
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
@@ -18,8 +20,7 @@
|
|||||||
"/sys/dev"
|
"/sys/dev"
|
||||||
"/sys/devices"
|
"/sys/devices"
|
||||||
];
|
];
|
||||||
|
sandbox.mesaCacheDir = ".cache/wike/mesa"; # TODO: is this the correct app-id?
|
||||||
buildCost = 2;
|
|
||||||
|
|
||||||
# wike probably meant to put everything here in a subdir, but didn't.
|
# wike probably meant to put everything here in a subdir, but didn't.
|
||||||
# see: <https://github.com/hugolabe/Wike/issues/176>
|
# see: <https://github.com/hugolabe/Wike/issues/176>
|
||||||
|
@@ -9,6 +9,7 @@
|
|||||||
});
|
});
|
||||||
|
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
|
sandbox.mesaCacheDir = ".cache/wvkbd/mesa"; # TODO: is this the correct app-id?
|
||||||
|
|
||||||
env.KEYBOARD = "wvkbd-mobintl";
|
env.KEYBOARD = "wvkbd-mobintl";
|
||||||
|
|
||||||
|
@@ -16,5 +16,6 @@
|
|||||||
];
|
];
|
||||||
# allow extracting an archive in the rare case it's outside the common directories
|
# allow extracting an archive in the rare case it's outside the common directories
|
||||||
sandbox.autodetectCliPaths = "existing";
|
sandbox.autodetectCliPaths = "existing";
|
||||||
|
sandbox.mesaCacheDir = ".cache/xarchiver/mesa"; # TODO: is this the correct app-id?
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@@ -59,6 +59,7 @@
|
|||||||
"/tmp"
|
"/tmp"
|
||||||
"/var"
|
"/var"
|
||||||
];
|
];
|
||||||
|
sandbox.mesaCacheDir = ".cache/xdg-desktop-portal-nautilus/mesa"; # TODO: is this the correct app-id?
|
||||||
|
|
||||||
services.xdg-desktop-portal-nautilus = {
|
services.xdg-desktop-portal-nautilus = {
|
||||||
description = "xdg-desktop-portal-nautilus backend (provides file chooser for xdg-desktop-portal)";
|
description = "xdg-desktop-portal-nautilus backend (provides file chooser for xdg-desktop-portal)";
|
||||||
|
@@ -16,6 +16,7 @@ in
|
|||||||
"/sys/dev/char"
|
"/sys/dev/char"
|
||||||
"/sys/devices"
|
"/sys/devices"
|
||||||
];
|
];
|
||||||
|
sandbox.mesaCacheDir = ".cache/xdg-desktop-portal-wlr/mesa"; # TODO: is this the correct app-id?
|
||||||
|
|
||||||
services.xdg-desktop-portal-wlr = {
|
services.xdg-desktop-portal-wlr = {
|
||||||
description = "xdg-desktop-portal-wlr backend (provides screenshot functionality for xdg-desktop-portal)";
|
description = "xdg-desktop-portal-wlr backend (provides screenshot functionality for xdg-desktop-portal)";
|
||||||
|
@@ -10,6 +10,7 @@
|
|||||||
# history, bookmarks
|
# history, bookmarks
|
||||||
".local/share/zathura"
|
".local/share/zathura"
|
||||||
];
|
];
|
||||||
|
sandbox.mesaCacheDir = ".cache/zathura/mesa";
|
||||||
|
|
||||||
mime.priority = 150; #< default is 100; fallback to more specialized cbz handlers, e.g.
|
mime.priority = 150; #< default is 100; fallback to more specialized cbz handlers, e.g.
|
||||||
mime.associations."application/pdf" = "org.pwmt.zathura.desktop";
|
mime.associations."application/pdf" = "org.pwmt.zathura.desktop";
|
||||||
|
@@ -543,18 +543,15 @@ let
|
|||||||
};
|
};
|
||||||
sandbox.mesaCacheDir = mkOption {
|
sandbox.mesaCacheDir = mkOption {
|
||||||
type = types.nullOr types.str;
|
type = types.nullOr types.str;
|
||||||
default = if config.sandbox.whitelistWayland then
|
default = null;
|
||||||
# XXX: mesa will create its *own* directory under here (or file, based on how it's been configured).
|
|
||||||
# to locate empty mesa shader cache dirs (and identify apps that aren't using it):
|
|
||||||
# - `fd mesa ~/.cache | xargs -n 1 sh -c 'test -d $1/mesa_shader_cache_db || echo $1' -- | sort`
|
|
||||||
".cache/${config.name}/mesa"
|
|
||||||
else
|
|
||||||
null
|
|
||||||
;
|
|
||||||
description = ''
|
description = ''
|
||||||
place the mesa cache in a custom directory.
|
place the mesa cache in a custom directory.
|
||||||
generally, most GUI applications should have their mesa cache directory
|
generally, most GUI applications should have their mesa cache directory
|
||||||
persisted to disk to (1) reduce ram consumption and (2) massively improve loading speed.
|
persisted to disk to (1) reduce ram consumption and (2) massively improve loading speed.
|
||||||
|
mesa will create its *own* directory under here.
|
||||||
|
|
||||||
|
to locate empty mesa shader cache dirs (and identify apps that aren't using it):
|
||||||
|
- `fd mesa ~/.cache | xargs -n 1 sh -c 'test -d $1/mesa_shader_cache_db || echo $1' -- | sort`
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
sandbox.tmpDir = mkOption {
|
sandbox.tmpDir = mkOption {
|
||||||
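Review bot: With `default = null;` the description still only says that most GUI applications should have the cache persisted. It never states what `null` does, and nothing flags a wayland program that forgot to set the option. I would add a sentence to the description such as `null (the default) leaves the mesa cache unpersisted; set this explicitly for every program that renders with mesa.` That wording assumes `null` is consumed the way the commit title describes, which this hunk does not show. The enclosing `let` block continues outside the hunk.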
|