colin
/
nix-files
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
6,209 Commits 119 Branches 0 Tags 14 MiB
Commit Graph

1247 Commits

Author SHA1 Message Date
Colin 74e994598e feeds: add David Revoy 2024-03-31 20:28:41 +00:00
Colin 856b6fcd7a feeds: add Willow 2024-03-31 18:20:49 +00:00
Colin 89d4b0ae0b s6-rc: don't tee to /dev/stderr, as i don't want any logs going to the console and interfering with text entry 2024-03-31 05:20:33 +00:00
Colin eff37765ae sane.image: fix so `imgs.moby` includes a working bootloader 2024-03-31 03:24:33 +00:00
Colin 32e691b85b feeds: add Hardcore Software by Steven Sinofsky 2024-03-26 14:08:13 +00:00
Colin 6c5b32aac2 s6-rc: fix so the service manager knows about readiness notifications again 2024-03-26 13:34:38 +00:00
Colin f59dd99470 s6-rc: init services in the "down" state 2024-03-26 12:55:40 +00:00
Colin 55c8a98c33 s6-rc: pre-compute more stuff as nix exprs; don't even run s6-rc-init 2024-03-26 12:36:46 +00:00
Colin 5cd9f34884 s6-rc: remove more unnecessarily files from live dir 2024-03-26 00:45:24 +00:00
Colin 2cabe51956 s6-rc: remove a couple more unused files from the live dir 2024-03-26 00:22:14 +00:00
Colin cb8e9b7a23 s6-rc: make it so, once started, other programs can start/stop services but NOT edit/create them 2024-03-26 00:11:02 +00:00
Colin 4eb6b5735e users/s6-rc: allow `startS6 ""` 2024-03-25 16:46:51 +00:00
Colin 5d3899959b users/s6-rc: split out `compiled` var 2024-03-25 14:56:41 +00:00
Colin ad951ad919 users/s6-rc: add symlink capabilities to my fs abstraction 2024-03-25 14:46:43 +00:00
Colin 48a4c1bd26 feeds: add nixpkgs.news 2024-03-25 13:13:03 +00:00
Colin febedb9323 nits: update `--replace` uses to `--replace-{fail,quiet}` as appropriate 2024-03-24 12:49:18 +00:00
Colin 03fbb780b2 sane.programs: sandbox: refactor extraRuntimePaths computation 2024-03-24 12:03:38 +00:00
Colin 9c0b175260 swaync: allow toggling of s6 services 2024-03-24 11:54:12 +00:00
Colin e62be121e2 users/services: s6: fix so `s6-rc stop` can actually kill processes 2024-03-24 11:48:41 +00:00
Colin 7f8cae42ff s6: migrate to /run/user/$id/s6 2024-03-23 21:33:08 +00:00
Colin 2e58353b0e refactor: users/services: have `waitExists` support waiting on multiple paths 2024-03-23 17:28:29 +00:00
Colin 6102a0301d sway: move $WAYLAND_DISPLAY into a subdir to make it easier to sandbox 2024-03-23 16:37:22 +00:00
Colin 39de5b84c2 sway: fix readiness check 2024-03-23 15:54:20 +00:00
Colin 5205251f6f programs: xwayland: sandbox it without exposing net access 2024-03-23 15:33:23 +00:00
Colin 8c48adefa5 pipewire: move sockets into a subdirectory for easier sandboxing 2024-03-23 13:34:13 +00:00
Colin 4418c16967 users/services: s6: push bundle dependencies down onto the actual atomic services 2024-03-23 13:04:12 +00:00
Colin 8008fd35cb modules/users: allow `readiness.pathExists` 2024-03-23 13:03:11 +00:00
Colin e6c00e6215 users/services: implement dbus readiness checks for s6-rc 2024-03-21 17:16:11 +00:00
Colin fff9d69e3e users/services: s6-rc: implement readiness polling 2024-03-21 17:16:11 +00:00
Colin 4fa7e6113d users/services: s6: `exec` into the run/finish commands 2024-03-21 17:16:11 +00:00
Colin 16ca71188f users/services: simplify the before/after/wantedBy criteria, to match s6 concepts 2024-03-21 17:16:11 +00:00
Colin c5c37e79ac users/services: actually remove the systemd backend 2024-03-21 17:16:11 +00:00
Colin d2f6648bce users/services: refactor: replace ExecStart/ExecStopPost with command/cleanupCommand 
note that this completely breaks the systemd backend (though easily fixable if wanted)
 2024-03-21 17:16:11 +00:00
Colin 5c9c7f8073 modules/users/s6-rc: add per-service logging 2024-03-21 17:16:11 +00:00
Colin 218072b2fe refactor: modules/users/s6-rc.nix 2024-03-21 17:16:11 +00:00
Colin d4f217a4f5 refactor: modules/users/s6-rc.nix 2024-03-21 17:16:11 +00:00
Colin 40f6f88a64 users/services: s6: remove broken `log` stuff 
apparently the /log shorthand is only applicable to base `s6-supervise`,
and not `s6-rc`. "pipeline"s are the s6-rc equivalent:
<https://wiki.gentoo.org/wiki/S6-rc#Longrun_pipelining>
 2024-03-21 17:16:11 +00:00
Colin fbbb09322a users/services: s6-rc: support ExecStopPost option 2024-03-21 17:16:11 +00:00
Colin e7153ce4a1 users/services: remove ExecStartPre option 2024-03-21 17:16:11 +00:00
Colin b13e7c38c7 users/services: remove `script` option 2024-03-21 17:16:11 +00:00
Colin 1417497001 users/services: remove serviceConfig.Type option 2024-03-21 17:16:11 +00:00
Colin db12e03f64 users/services: remove `oneshot` service type 2024-03-21 17:16:11 +00:00
Colin dee4866737 users/services: remove `ConditionEnvironment` option 2024-03-21 17:16:11 +00:00
Colin 81a6c53c26 users/services: remove RemainAfterExit option 2024-03-21 17:16:11 +00:00
Colin 9afd9725d1 users: services: remove no-longer-needed `Restart` and `RestartSec` options 2024-03-21 17:16:11 +00:00
Colin 452619dbfc s6: log when a service starts up 
it still seems to be all logging into a single file though?
 2024-03-21 17:16:11 +00:00
Colin 8bedc860ae s6: add some minimal logging 
the root s6 call seems to be doing some logging, notably feedbackd; still don't know where the other logs are going
 2024-03-21 17:16:11 +00:00
Colin cbecdc4a95 s6: use `exec` in the `run` trampoline, to forward file descriptors and keep a cleaner process tree 2024-03-21 17:16:11 +00:00
Colin e1001f57c5 modules/users: remove no-longer-need `environment` option 2024-03-21 17:16:11 +00:00
Colin 2336767059 port service manager to s6 
still a lot of cleanup to do (e.g. support dbus service types), but it boots to a usable desktop
 2024-03-21 17:16:11 +00:00
Colin 05b37669e3 s6-rc: fix service `run` file to have expected format 2024-03-21 17:16:11 +00:00
Colin ea9768c6ab modules/users: prototype s6 integration: ~/.config/s6/{sources,compiled} 2024-03-21 17:16:11 +00:00
Colin 38353dbc29 modules/users: remove unused `requiredBy` service option 2024-03-21 17:16:11 +00:00
Colin ef4a8e1989 modules: users: split services -> fs mapping into own `systemd.nix` file 2024-03-21 17:16:11 +00:00
Colin acc9a9cb48 modules/users: make it a directory 2024-03-21 17:16:11 +00:00
Colin 70b5c57b50 modules/programs: enforce (or rather document) a stricter schema 
this should make it easier to switch to a different service manager
 2024-03-21 17:16:01 +00:00
Colin c28ac38652 modules/users: refactor to remove `inherit`s 2024-03-21 17:16:01 +00:00
Colin 3c43fba878 feeds: add NativLang per Ben's rec 2024-03-14 07:53:19 +00:00
Colin b25df1d997 sane-sandboxed: fix capabilities example 2024-03-14 01:36:46 +00:00
Colin 288d57e5d5 feeds: subscribe to pmOS blog 2024-03-13 23:20:45 +00:00
Colin 4510352c07 sane-sandboxed: implement --sane-sandbox-no-portal flag 2024-03-13 04:49:48 +00:00
Colin 430592632c sane-sandboxed: add a help message 2024-03-13 04:49:48 +00:00
Colin 56aca78d84 make-sandboxed: also sandbox the `.lib` output of a package 2024-03-13 04:49:48 +00:00
Colin 30d49dc3c3 feeds: update Anish's URL 2024-03-09 20:51:15 +00:00
Colin 8e0031e770 feeds: update Byrne Hobart's feed URL 2024-03-09 20:49:01 +00:00
Colin c453dbac8e lwn.net: update feed URL 2024-03-09 20:42:03 +00:00
Colin 90e3c33536 feeds: subscribe to slatecave.net 2024-03-06 22:40:57 +00:00
Colin 8029744c90 modules/programs: don't expose *all* of /run/secrets/home to every program 
this was actually causing a lot of bwrap errors because that directory's not user-readable

turns out any program which already uses programs.xyz.secrets gets the /run/secrets mounts for free via symlink following
 2024-03-02 18:51:39 +00:00
Colin a45e42910d make-sandboxed: generalize runCommand patch to handle any derivation, called with or without callPackage 2024-03-02 07:11:45 +00:00
Colin db89ac88f0 sane-sandboxed: add new `--sane-sandbox-keep-namespace all` option 2024-03-01 20:48:56 +00:00
Colin 40e30cf2f8 programs: make sandbox.wrapperType default to "wrappedDerivation" and remove everywhere i manually set that 2024-02-28 17:39:00 +00:00
Colin 812c0c8029 packages: reduce the number of packages which are using inplace sandbox wrapping 2024-02-28 17:35:40 +00:00
Colin a4248fd5cc make-sandboxed: don't try to wrap directories 
whoops. test -x is true for directories
 2024-02-28 16:28:25 +00:00
Colin c380f61bea fix "rescue" host to eval again 2024-02-28 14:19:45 +00:00
Colin b302113fc0 modules/programs: require manual definition; don't auto-populate attrset 
this greatly decreases nix eval time
 2024-02-28 13:35:09 +00:00
Colin 6ef729bbaf assorted: prefer runCommandLocal over runCommand where it makes sense 2024-02-27 22:26:56 +00:00
Colin 8f424dcd5a programs: sandboxing: link /etc into sandboxed programs 
this is crucial for e.g. swaync, to find its resource files.
maybe a good idea to link *every* package directory which i also link
into /run/current-system.
 2024-02-27 22:25:17 +00:00
Colin d5643a6a5d assorted static-nix-shell packages: use `srcRoot` 2024-02-25 17:37:38 +00:00
Colin d2df668c9e modules/programs: sane-sandboxed: replace --sane-sandbox-keep-pidspace with --sane-sandbox-keep-namespace <pid|cgroup|ipc|uts> 2024-02-25 12:00:00 +00:00
Colin f807d7c0a2 modules/programs: sane-sandboxed: bwrap: don't virtualize {/dev,/proc,/tmp} if explicitly asked to bind them instead 
this is necessary for some programs which want a near-maximial sandbox, like
launchers or shells, or more specifically, `sane-private-do`.
 2024-02-25 08:15:39 +00:00
Colin 6ab5dd8a8f modules/persist: ensure that the mountpoint for the private store is created at boot 2024-02-25 07:51:24 +00:00
Colin 52b8cd0209 modules/persist: ensure backing directory is created *before* we mount 2024-02-25 07:22:50 +00:00
Colin 00bf2f79cc ssh: clean up /etc/ssh/host_keys persistence 2024-02-25 05:19:44 +00:00
Colin 73b2594d9b programs: sandboxing: distinguish between "existingFileOrParent" and "existingOrParent" 2024-02-25 01:59:01 +00:00
Colin a55dc5332d modules/programs: sane-sandboxed: introduce "existingOrParent" autodetect-cli option 
some programs will want this, to create directories by name; e.g. archive managers
 2024-02-25 01:48:10 +00:00
Colin 86108518da modules/programs: sane-sandboxed: add a new "existingFile" option for the cli autodetect 2024-02-25 01:43:39 +00:00
Colin 879d01ac2e modules/ssh: note that theres a better store to place the ssh host_keys in 2024-02-24 12:14:14 +00:00
Colin 0448df51e3 modules/programs: sane-sandboxed: add a --sane-sandbox-dry-run flag 2024-02-24 12:00:58 +00:00
Colin 8e3eed7d51 modules/programs: sane-sandboxed: factor out the actual execution of the sandbox/program into the toplevel 
this will make it easier to intercept
 2024-02-24 11:57:42 +00:00
Colin 88a70b41f1 modules/programs: handle more symlink forms when calculating a program's sandbox closure 2024-02-24 11:47:39 +00:00
Colin 6f59254a22 modules/programs: fix symlink following 2024-02-24 05:36:44 +00:00
Colin 4023960dc0 README: MANUAL MIGRATION: move "plaintext" store to /nix/persist/plaintext 
to migrate the data:
```sh
$ sudo mkdir /nix/persist/plaintext
$ sudo mv /nix/persist/{etc,home,var} /nix/persist/plaintext
$ sudo ln -s plaintext/etc /nix/persist/etc  #< temporarily; if deploying over ssh
$ switch
$ reboot
$ sudo rm /nix/persist/etc  #< if you did the symlink earlier
```
 2024-02-23 18:02:17 +00:00
Colin fff9f9d49a README: MANUAL MIGRATION: move "private" store to /nix/persist/private 
to migrate the data, first unmount `~/private` (`sane-private-lock`), then:
```sh
$ sudo mv /nix/persist/home/colin/private /nix/persist
$ switch
$ reboot
```
 2024-02-23 16:01:09 +00:00
Colin d7402ae170 persist: stores: make naming more consistent 2024-02-23 14:57:20 +00:00
Colin 6267e7f966 tidy up small persist/private nitpicks 2024-02-23 14:44:38 +00:00
Colin 120a41b169 persistence: split /var/log persistence into dedicated "initrd" store 2024-02-23 14:42:47 +00:00
Colin aa0991bd6c persistence: cleanup so it all works well with symlink-based stores 2024-02-23 13:09:44 +00:00
Colin af2f97d61e fs: ensure-file: don't error if the file already exists 2024-02-23 11:29:14 +00:00
Colin 5b8f13d9cc fs: notice when a fs entry is set to two incompatible types (e.g. symlink + dir) and error 2024-02-23 11:24:32 +00:00
Colin c2696c1cd9 gnome-keyring: use sane.fs abstractions to write out the keyrings 2024-02-23 08:57:41 +00:00