colin
/
nix-files
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
6,209 Commits 119 Branches 0 Tags 14 MiB
Commit Graph

1247 Commits

Author SHA1 Message Date
Colin 05b37669e3 s6-rc: fix service `run` file to have expected format 2024-03-21 17:16:11 +00:00
Colin ea9768c6ab modules/users: prototype s6 integration: ~/.config/s6/{sources,compiled} 2024-03-21 17:16:11 +00:00
Colin 38353dbc29 modules/users: remove unused `requiredBy` service option 2024-03-21 17:16:11 +00:00
Colin ef4a8e1989 modules: users: split services -> fs mapping into own `systemd.nix` file 2024-03-21 17:16:11 +00:00
Colin acc9a9cb48 modules/users: make it a directory 2024-03-21 17:16:11 +00:00
Colin 70b5c57b50 modules/programs: enforce (or rather document) a stricter schema 
this should make it easier to switch to a different service manager
 2024-03-21 17:16:01 +00:00
Colin c28ac38652 modules/users: refactor to remove `inherit`s 2024-03-21 17:16:01 +00:00
Colin 3c43fba878 feeds: add NativLang per Ben's rec 2024-03-14 07:53:19 +00:00
Colin b25df1d997 sane-sandboxed: fix capabilities example 2024-03-14 01:36:46 +00:00
Colin 288d57e5d5 feeds: subscribe to pmOS blog 2024-03-13 23:20:45 +00:00
Colin 4510352c07 sane-sandboxed: implement --sane-sandbox-no-portal flag 2024-03-13 04:49:48 +00:00
Colin 430592632c sane-sandboxed: add a help message 2024-03-13 04:49:48 +00:00
Colin 56aca78d84 make-sandboxed: also sandbox the `.lib` output of a package 2024-03-13 04:49:48 +00:00
Colin 30d49dc3c3 feeds: update Anish's URL 2024-03-09 20:51:15 +00:00
Colin 8e0031e770 feeds: update Byrne Hobart's feed URL 2024-03-09 20:49:01 +00:00
Colin c453dbac8e lwn.net: update feed URL 2024-03-09 20:42:03 +00:00
Colin 90e3c33536 feeds: subscribe to slatecave.net 2024-03-06 22:40:57 +00:00
Colin 8029744c90 modules/programs: don't expose *all* of /run/secrets/home to every program 
this was actually causing a lot of bwrap errors because that directory's not user-readable

turns out any program which already uses programs.xyz.secrets gets the /run/secrets mounts for free via symlink following
 2024-03-02 18:51:39 +00:00
Colin a45e42910d make-sandboxed: generalize runCommand patch to handle any derivation, called with or without callPackage 2024-03-02 07:11:45 +00:00
Colin db89ac88f0 sane-sandboxed: add new `--sane-sandbox-keep-namespace all` option 2024-03-01 20:48:56 +00:00
Colin 40e30cf2f8 programs: make sandbox.wrapperType default to "wrappedDerivation" and remove everywhere i manually set that 2024-02-28 17:39:00 +00:00
Colin 812c0c8029 packages: reduce the number of packages which are using inplace sandbox wrapping 2024-02-28 17:35:40 +00:00
Colin a4248fd5cc make-sandboxed: don't try to wrap directories 
whoops. test -x is true for directories
 2024-02-28 16:28:25 +00:00
Colin c380f61bea fix "rescue" host to eval again 2024-02-28 14:19:45 +00:00
Colin b302113fc0 modules/programs: require manual definition; don't auto-populate attrset 
this greatly decreases nix eval time
 2024-02-28 13:35:09 +00:00
Colin 6ef729bbaf assorted: prefer runCommandLocal over runCommand where it makes sense 2024-02-27 22:26:56 +00:00
Colin 8f424dcd5a programs: sandboxing: link /etc into sandboxed programs 
this is crucial for e.g. swaync, to find its resource files.
maybe a good idea to link *every* package directory which i also link
into /run/current-system.
 2024-02-27 22:25:17 +00:00
Colin d5643a6a5d assorted static-nix-shell packages: use `srcRoot` 2024-02-25 17:37:38 +00:00
Colin d2df668c9e modules/programs: sane-sandboxed: replace --sane-sandbox-keep-pidspace with --sane-sandbox-keep-namespace <pid|cgroup|ipc|uts> 2024-02-25 12:00:00 +00:00
Colin f807d7c0a2 modules/programs: sane-sandboxed: bwrap: don't virtualize {/dev,/proc,/tmp} if explicitly asked to bind them instead 
this is necessary for some programs which want a near-maximial sandbox, like
launchers or shells, or more specifically, `sane-private-do`.
 2024-02-25 08:15:39 +00:00
Colin 6ab5dd8a8f modules/persist: ensure that the mountpoint for the private store is created at boot 2024-02-25 07:51:24 +00:00
Colin 52b8cd0209 modules/persist: ensure backing directory is created *before* we mount 2024-02-25 07:22:50 +00:00
Colin 00bf2f79cc ssh: clean up /etc/ssh/host_keys persistence 2024-02-25 05:19:44 +00:00
Colin 73b2594d9b programs: sandboxing: distinguish between "existingFileOrParent" and "existingOrParent" 2024-02-25 01:59:01 +00:00
Colin a55dc5332d modules/programs: sane-sandboxed: introduce "existingOrParent" autodetect-cli option 
some programs will want this, to create directories by name; e.g. archive managers
 2024-02-25 01:48:10 +00:00
Colin 86108518da modules/programs: sane-sandboxed: add a new "existingFile" option for the cli autodetect 2024-02-25 01:43:39 +00:00
Colin 879d01ac2e modules/ssh: note that theres a better store to place the ssh host_keys in 2024-02-24 12:14:14 +00:00
Colin 0448df51e3 modules/programs: sane-sandboxed: add a --sane-sandbox-dry-run flag 2024-02-24 12:00:58 +00:00
Colin 8e3eed7d51 modules/programs: sane-sandboxed: factor out the actual execution of the sandbox/program into the toplevel 
this will make it easier to intercept
 2024-02-24 11:57:42 +00:00
Colin 88a70b41f1 modules/programs: handle more symlink forms when calculating a program's sandbox closure 2024-02-24 11:47:39 +00:00
Colin 6f59254a22 modules/programs: fix symlink following 2024-02-24 05:36:44 +00:00
Colin 4023960dc0 README: MANUAL MIGRATION: move "plaintext" store to /nix/persist/plaintext 
to migrate the data:
```sh
$ sudo mkdir /nix/persist/plaintext
$ sudo mv /nix/persist/{etc,home,var} /nix/persist/plaintext
$ sudo ln -s plaintext/etc /nix/persist/etc  #< temporarily; if deploying over ssh
$ switch
$ reboot
$ sudo rm /nix/persist/etc  #< if you did the symlink earlier
```
 2024-02-23 18:02:17 +00:00
Colin fff9f9d49a README: MANUAL MIGRATION: move "private" store to /nix/persist/private 
to migrate the data, first unmount `~/private` (`sane-private-lock`), then:
```sh
$ sudo mv /nix/persist/home/colin/private /nix/persist
$ switch
$ reboot
```
 2024-02-23 16:01:09 +00:00
Colin d7402ae170 persist: stores: make naming more consistent 2024-02-23 14:57:20 +00:00
Colin 6267e7f966 tidy up small persist/private nitpicks 2024-02-23 14:44:38 +00:00
Colin 120a41b169 persistence: split /var/log persistence into dedicated "initrd" store 2024-02-23 14:42:47 +00:00
Colin aa0991bd6c persistence: cleanup so it all works well with symlink-based stores 2024-02-23 13:09:44 +00:00
Colin af2f97d61e fs: ensure-file: don't error if the file already exists 2024-02-23 11:29:14 +00:00
Colin 5b8f13d9cc fs: notice when a fs entry is set to two incompatible types (e.g. symlink + dir) and error 2024-02-23 11:24:32 +00:00
Colin c2696c1cd9 gnome-keyring: use sane.fs abstractions to write out the keyrings 2024-02-23 08:57:41 +00:00
Colin 057b9e3fed replace links/references to ~/private/FOO with just ~/FOO 2024-02-23 07:06:29 +00:00
Colin 170eeeacc4 programs: dereference not just the leaf, but any part of the path, when determining a program's sandbox closure 2024-02-23 07:06:29 +00:00
Colin a402822084 move "private" store to /mnt/persist/private instead of ~/private 
this will allow me to add all of ~ to a sandbox without giving all of ~/private
 2024-02-23 07:06:29 +00:00
Colin 80ecdcc4f9 persist: plaintext: consider "/mnt/persist/plaintext" as the logical root, and abstract away "/nix/persist" 2024-02-23 07:06:29 +00:00
Colin 0864790bb7 docs: modules/persist: document the "origin" store parameter 2024-02-23 07:06:29 +00:00
Colin 478747a96e modules/persist: change default mounting method to symlink 
this changes the plaintext and cryptClearOnBoot stores: private was already symlink-based.
this isn't strictly necessary: the rationale is:
1. `mount` syscall *requires* CAP_SYS_ADMIN (i.e. superuser/suid).
   that's causing problems with sandboxing, particularly ~/private.
   that doesn't affect other stores *yet*, but it may in the future.
2. visibility. i.e. it makes *clear* where anything is persisted.
   if `realpath` doesn't evaluate to `/nix/persist`, then it's not
   persisted.
 2024-02-23 07:06:29 +00:00
Colin 2a528a5d8e sane-sandboxed: leave a note about future mount work 2024-02-21 16:08:42 +00:00
Colin c6470918de types.string -> types.str 2024-02-21 00:25:44 +00:00
Colin bb569b1668 sane-vpn: port away from systemd so that i can use it as an ordinary user (no sudo) 2024-02-20 22:21:02 +00:00
Colin 34524ea3e4 modules/vpn: fix the vpn-* systemd services 2024-02-20 20:40:46 +00:00
Colin d7be5da483 warnings.nix: port to a proper module 2024-02-20 11:19:12 +00:00
Colin 34dedcff57 modules/programs: sane-sandboxed: fix normPath handling of paths containing special characters like [ 2024-02-19 15:32:23 +00:00
Colin 95cb5624ca modules/programs: sane-sandboxed: fix but that --sane-sandbox-path / wasnt being canonicalized 2024-02-18 13:53:53 +00:00
Colin 600f6eb56c modules/programs: sane-sandboxed: remove all remaining forks/subshells 
launchtime for firefox in bwrap is about 65ms; 35ms for --sane-sandbox-method none
 2024-02-18 13:15:04 +00:00
Colin fd6f8493a7 modules/programs: sane-sandboxed: remove all forking from normPath 
reduces time for librewolf benchmark from 90ms -> 65ms. there's still _some_ forking in this script, but it's constant now.
 2024-02-18 12:25:03 +00:00
Colin f10f1ee7b1 modules/programs: sane-sandboxed: optimize "normPath" to not invoke subshells 
each subshell causes like 5ms just on my laptop, which really adds up.
this implementation still forks internally, but doesn't exec.
runtime decreases from 150ms -> 90ms for
`time librewolf --sane-sandbox-replace-cli true`
 2024-02-18 12:08:23 +00:00
Colin cef2591425 modules/programs: sane-sandboxed: capshonly/landlock: don't request capabilities we know won't be granted 2024-02-17 16:30:18 +00:00
Colin 4ced02b0b2 modules/programs: make-sandboxed: fix incorrect "priority" attribute 2024-02-17 03:32:49 +00:00
Colin 029ba43bd6 modules/programs: sane-sandboxed: invoke "capsh" with the --no-new-privs argument 2024-02-16 05:48:50 +00:00
Colin 8c9c6ec979 modules/programs: make-sandboxed: support /libexec binaries 2024-02-16 03:15:45 +00:00
Colin 1edb1fc8b6 modules/programs: sane-sandboxed: avoid adding the sandbox implementation to $PATH 2024-02-15 17:58:22 +00:00
Colin 8d20dcadd1 modules/programs: sane-sandboxed: add --sane-sandbox-keep-pidspace flag 2024-02-15 15:05:28 +00:00
Colin c943442c94 modules/programs: sane-sandboxed: add --sane-sandbox-method none for benchmarking 2024-02-15 13:13:39 +00:00
Colin 02dd629616 modules/programs: sane-sandboxed: rework so portal env vars arent set when sandbox is disabled 
and by setting them only at launch time we aid introspectability/debugging
 2024-02-15 11:57:36 +00:00
Colin 5f1036118f modules/programs: sandboxing: add a "whitelistX" option 2024-02-15 00:09:16 +00:00
Colin 22ca253ae0 modules/programs: better document the `env` option 2024-02-14 11:08:43 +00:00
Colin 8b32f2f231 modules/programs: add support for 'autodetectCliPaths = parent' 2024-02-14 04:31:59 +00:00
Colin 080bd856ec programs: sandboxing: only permit wayland socket access to those specific apps which require it 2024-02-14 01:49:49 +00:00
Colin 548a95a7e1 modules/programs: sandboxing: unshare ipc/cgroup/uts by default 2024-02-14 01:48:59 +00:00
Colin 34b148f6cc modules/programs: allow specifying perlPackages members as programs, as i do with python3Packages, etc 2024-02-13 12:31:04 +00:00
Colin 1a18ed533b programs: don't include dbus in the sandbox by default 2024-02-13 11:58:33 +00:00
Colin 6eaaeeb91a programs: remove audio from the sandbox by default 2024-02-13 11:14:38 +00:00
Colin bb68506839 modules/programs: add separate "user" v.s. "system" options for whitelistDbus 2024-02-13 10:55:10 +00:00
Colin 126f3e4922 programs: sandboxing: restrict /run/user dir to just dbus/pipewire/pulse/wayland, by default 2024-02-13 10:28:30 +00:00
Colin 73afceb8c6 modules/programs: sandbox: add `whitelistWayland` option 2024-02-13 10:24:35 +00:00
Colin 27fd81ad80 modules/programs: add new options for whitelisting audio/dbus 2024-02-12 15:23:35 +00:00
Colin d82b4b0f62 modules/programs: sane-sandboxed: reorder the --sane-sandbox-profile-dir arg so it takes precedence 2024-02-12 14:56:48 +00:00
Colin 7b28023e08 modules/programs: re-introduce the "withEmbeddedSandboxer" passthru attr 2024-02-12 14:27:48 +00:00
Colin 2b9db897a1 implement `sane.defaultUser` attr 2024-02-12 14:27:32 +00:00
Colin 6124cb9b36 modules/programs: sane-sandboxed: search for profiles in XDG_DATA_DIRS, not NIX_PROFILES 2024-02-12 13:16:48 +00:00
Colin b0394d877d modules/programs: rename allowedRootPaths -> allowedPaths 
now that allowedHomePaths doesn't exist
 2024-02-12 13:00:10 +00:00
Colin 14d8230821 modules/programs: sane-sandboxed: remove --sane-sandbox-home-path argument and plumbing 
no longer needed, and mixing this with root paths is liable to cause troubles at this point, around symlink dereferencing/canonicalization/etc
 2024-02-12 12:57:54 +00:00
Colin a90b5b53db modules/programs: sandboxing: dereference symlinks and also include those in the sandbox 2024-02-12 12:48:02 +00:00
Colin eee3e138ff modules/programs: sandboxing: allow specifying individual /run/user/$uid paths to expose to the sandbox 2024-02-12 12:18:59 +00:00
Colin f61cd17e99 modules/programs: sandboxing: specialize profiles per-user by expanding $HOME 2024-02-12 12:08:58 +00:00
Colin 3e0b0a0f02 modules/programs: make-sandboxed: lift profile creation logic out to the toplevel 2024-02-12 11:52:33 +00:00
Colin 2ee34e9af3 modules/profiles: remove sandbox.embedProfile option 
with upcoming refactors, this setting would force a different package to be installed per user, which doesn't mesh with the existing sane.programs infra
 2024-02-12 11:35:59 +00:00
Colin 7c05d221d6 modules/programs: split "make-sandbox-profile" out of "make-sandboxed" 2024-02-12 11:20:40 +00:00
Colin 93012664e5 modules/programs: simplify how sandbox profiles make it into system packages 2024-02-12 10:52:44 +00:00
Colin c424f7ac3b sane-sandboxed: load all profiles, not just the first one we find 
this allows some amount of overriding, or splitting profiles between system and user dirs
 2024-02-12 10:40:15 +00:00
Colin 088b6f1b9a sane-sandboxed: load profiles via $NIX_PROFILES env var 2024-02-12 10:37:26 +00:00
Colin 96575acf3a programs: sane-sandboxed: move parseArgsExtra to outer scope; improve docs 2024-02-12 10:28:14 +00:00
Colin e81df0ac86 modules/programs: enforce that user services don't accidentally override PATH 2024-02-12 08:44:55 +00:00
Colin 87050a0500 feeds: add "FullTimeNix" podcast :) 2024-02-12 00:09:49 +00:00
Colin 0861edd7f9 modules/programs: remove ~/.config/mimeo from sandbox defaults 2024-02-11 23:35:27 +00:00
Colin b6bf8720c9 modules/programs: implement --sane-sandbox-portal flag for apps which want to use the portal to open other apps 2024-02-11 23:32:24 +00:00
Colin 0d3adcdc5c modules: users: have user services inherit PATH from environment rather than forcibly overwriting it 2024-02-09 09:50:26 +00:00
Colin 9ac0e0e4fc modules/programs: put things in a pid namespace by default 2024-02-08 23:36:59 +00:00
Colin c9af5bf9b4 programs: sandboxing: enable net isolation for most sandboxed programs 2024-02-08 21:51:32 +00:00
Colin bc85169e3d programs: sandboxer: allow disable net access 2024-02-08 21:07:34 +00:00
Colin 0c050d1953 programs: fuzzel: fix overly-aggressive sandboxing 2024-02-06 20:10:29 +00:00
Colin 2fc1fe7510 modules/programs: make-sandboxed: fix that /share/* was being linked into top-level /; better way to enforce sandboxing of /share entries 2024-02-06 19:55:55 +00:00
Colin 5f8699fcef rearrange /mnt structure for host-based subdirs 
e.g. /mnt/servo/media, /mnt/desko/home, etc
 2024-02-06 05:48:11 +00:00
Colin d7612d5034 modules/programs: make-sandboxed: avoid deep-copying all of /share when sandboxing 
saves like 1 GiB of closure. but i haven't thoroughly tested this
 2024-02-06 05:02:02 +00:00
Colin ed3935318d feeds: subscribe to non-paywalled Matt Levine 2024-02-05 16:41:38 +00:00
Colin 413903d03c make-sandboxed: also embed profiles for the withEmbeddedSandboxer passthru pkg 2024-02-05 08:26:40 +00:00
Colin 4d51c34ad2 programs: allow `sane.strictSandboxing = "warn"` 2024-02-05 05:28:02 +00:00
Colin 3439ca34b8 sane-sandboxed: add more autodetect options, and a "withEmbeddedSandboxer" package output (for dev) 2024-02-03 00:17:24 +00:00
Colin 0ee9f2026c sane-sandboxed: hopefully fix a problem with path normalization for paths with spaces 2024-02-02 22:56:43 +00:00
Colin 5e3c2636db programs: make-sandboxed: handle packages which use relative links in bin (like spotify) 2024-02-02 22:38:36 +00:00
Colin 2bb9115f35 modules/programs: sandboxing: add "whitelistDri" option for gfx-intensive apps 2024-02-02 17:18:51 +00:00
Colin 065d045640 fix so sway inherits program env vars 2024-02-02 15:36:06 +00:00
Colin 567c7993b6 modules/programs: sandbox: allow mimeo config in any sandbox 2024-02-02 12:52:36 +00:00
Colin 00f995aec9 fixup landlock-sandboxer to work well for all systems 
downgrade lappy/desko/servo back to default linux; zfs doesn't support latest

build landlock-sandboxer against the specific kernel being deployed; it's less noisy that way
 2024-01-31 21:19:10 +00:00
Colin 881d2f79ed modules/programs: add "unchecked" passthru to aid debugging 2024-01-29 13:36:01 +00:00
Colin 47abdfb831 modules/programs: patch dbus-1 files to use sandboxed binaries 2024-01-29 13:09:43 +00:00
Colin 3831c6f087 TODO: fold 2024-01-29 13:07:44 +00:00
Colin 4f8d476ebf modules/programs: patch old /nix/store paths in .desktop files 2024-01-29 12:56:08 +00:00
Colin 7af970f38c modules/programs: extend wrapperType="wrappedDerivation" to handle common share/ items 2024-01-29 11:59:38 +00:00
Colin 32824cfade modules/programs: sandbox in a manner that's more compatible with link-heavy apps like busybox, git, etc 2024-01-29 09:56:30 +00:00
Colin 51fc61b211 sane-sandboxed: cleanup 2024-01-29 09:14:43 +00:00
Colin 7b9795ea3d modules/programs: implement `embedWrapper` option 2024-01-29 09:13:49 +00:00
Colin 5f3e481fe4 sane-sandboxed: refactor and avoid passing duplicate/subpaths into the sandbox 2024-01-29 07:15:02 +00:00
Colin 86219d7006 sane-sandboxed: simplify: consolidate homePaths and rootPaths into just "paths" 2024-01-29 05:43:10 +00:00
Colin 24c70c3683 feeds: switch acoup.blog to the database type feed 
at some point my feed script became capable of understanding his RSS :)
 2024-01-28 12:37:38 +00:00
Colin 294f167df0 sane-sandboxed: fix CLI escaping with capsh 2024-01-28 11:11:07 +00:00
Colin f100595257 modules/programs: properly forward autodetectCliPaths to the sandboxer 2024-01-28 10:31:07 +00:00
Colin e84da827c2 sane-sandboxed: fix typo in add-pwd flag 2024-01-28 09:17:12 +00:00
Colin 42f9fa029d modules/programs: fix that whitelistPwd wasnt passed into the sandbox profile 2024-01-28 09:04:27 +00:00
Colin 40fee97b06 modules/programs: make-sandboxed: disallowReferences to the fake sane-sandboxed used during checkPhase 2024-01-28 08:58:13 +00:00
Colin 3cc8292d8b modules/programs: make-sandboxed: support packages with checkPhase by bypassing the sandbox 2024-01-28 07:45:08 +00:00
Colin 9261d30a34 modules/programs: reformatting 2024-01-28 05:58:08 +00:00
Colin 3eb3a8db5a modules/programs: add a `whitelistPwd` option to grant the program access to the directory it was called from 2024-01-28 05:57:30 +00:00
Colin 97129268f0 modules/programs: sandbox: add "capshonly" as a valid sandbox.method 2024-01-28 05:57:11 +00:00
Colin 4d7414c941 programs: introduce and use "autodetectCliPaths" nix config 2024-01-27 17:19:48 +00:00
Colin a7d081bfcb modules/programs: add a sane.strictSandboxing option 2024-01-27 17:11:07 +00:00
Colin 5ca208d07f modules/programs: sandbox: add enable flag and capabilities structured config 2024-01-27 17:08:27 +00:00
Colin 26b978dcf2 modules/programs: sandbox: fix "inline" -> "inplace" typo 2024-01-27 14:42:25 +00:00
Colin d8b6d419b6 modules/programs: sandboxing: add `wrapperType = "wrappedDerivation"` to wrap without rebuilding the whole package 2024-01-27 14:26:41 +00:00
Colin a06c81643c sane-sandboxed: don't error if ~ files aren't available to be bound 2024-01-27 12:48:58 +00:00