efc16a9e80
persist: harden the "ephemeral" store mount environment
...
there's only so much this can actually achieve. it's still quite possible for someone who knows what they're doing to do large amounts of damage
2024-08-01 22:40:55 +00:00
6aa6c0020c
lightning-cli: fix sandboxing
2024-08-01 19:59:23 +00:00
acd46940e4
clightning: lift the build fix into pkgs/default.nix
...
this lets me apply it outside the context of a nixos module
2024-08-01 19:53:05 +00:00
00a25f1533
feeds: fix complex systems URL
2024-08-01 19:52:22 +00:00
bc0a1eb1b3
feeds: sub to Complex Systems Podcast
2024-08-01 18:58:39 +00:00
33efbeda8a
link manpages into all linkIntoOwnPackage users
2024-08-01 17:43:58 +00:00
b53f376d70
servo: clightning: tighten sandboxing for bitcoin-cli interaction
2024-07-30 12:41:33 +00:00
621c147483
clightning: remove /var/lib/bitcond-mainnet from the service paths -- again
2024-07-30 11:17:10 +00:00
841076fd9e
clightning: move /var/lib/bitcoind-mainnet from ReadWritePaths -> ReadOnlyPaths
...
i think i can go further, remove it altogether
2024-07-29 23:19:26 +00:00
43232ff569
kiwix-serve: harden
2024-07-29 03:42:52 +00:00
dc2d46b9c0
servo: cryptocurrencies: get clightning back into a state where i can see it's working
2024-07-29 03:42:52 +00:00
666744bda3
bitcoin-cli,lightning-cli: ship as own package instead of shipping the whole daemon
2024-07-29 03:42:52 +00:00
eb3651ce59
refactor: assorted: python: logger.warn -> logger.warning
...
the former is deprecated
2024-07-28 03:41:30 +00:00
ace03bb0e9
persist/private: actually do enable "auto", for servo where i dont auto-tty-login as colin
...
this doesn't seem to block the boot
2024-07-26 22:02:57 +00:00
8819142128
modules/users: use = instead of -eq for comparison to fix warning when XDG_VTNR is unset
2024-07-26 20:57:23 +00:00
3b8d6c8587
refactor: s6/unl0kr/profile: put more shell init stuff directly in modules/users/default.nix when it doesnt benefit from being pluggable
2024-07-26 15:58:59 +00:00
f4df121e3d
persist/private: s6: use systemd to explicitly start the mount, rather than assume it's already been initiated
2024-07-26 14:01:31 +00:00
96f786de20
persist/private: fix so systemd actually knows when the mount has completed
2024-07-26 12:44:32 +00:00
fcbbfc4a65
fix s6 service ordering: unl0kr -> (wait for mount) -> sway
...
note that the systemd-aware mount never completes -- it's stuck in 'activating' forever. that's the next challenge
2024-07-26 12:18:14 +00:00
4daf5452e8
unl0kr: dont echo password to terminal
2024-07-26 09:36:06 +00:00
af905a2f58
unl0kr: split the gocryptfs unlocking into its own separate service
...
/mnt/persist/private can be depended on by both s6 user services and systemd system services (which will become useful for servo)
/mnt/persist/private can be unlocked by dropping the key in remotely, however that won't kill unl0kr
TODO: fix unl0kr to not also output text to the tty
TODO: ensure gocryptfs mount can handle being fed a wrong password
2024-07-26 08:08:21 +00:00
8ef5920d84
unl0kr: port to an s6 service
...
this has some drawbacks in its current form and will be tidied
it also writes the password to the console. it requires 'sudo'.
2024-07-25 18:45:01 +00:00
b554d32133
fix permissions of /nix/persist/private, to be user-writable
...
this is important for my rsync-net backup scripts, which need to record timestamps in there
2024-07-25 18:42:45 +00:00
2203d6db59
cleanup: remove XDG_SESSION_TYPE, XDG_VTNR from global environment
2024-07-25 15:26:24 +00:00
874b7aecfa
persist: rename "cryptClearOnBoot" to "ephemeral"
2024-07-25 12:11:46 +00:00
cf8e9f798d
persist/crypt: simplify the fileSystems definitions
...
turns out you can just declare your own fs type, that's cool
2024-07-25 12:11:46 +00:00
70d4925483
gps-share: dont launch until after the modem is actually powered on
2024-07-24 11:15:44 +00:00
225c8de7a2
trust-dns: fix dyn-dns reactor (trust-dns-lan does not exist)
2024-07-24 07:18:29 +00:00
34e770c5f5
sanebox: fix missing dependency on iptables/iproute2
2024-07-24 03:32:12 +00:00
db292850b0
modules/programs: fix sandbox.net = "vpn" option
2024-07-19 12:44:09 +00:00
8e6272bafd
static-nix-shell: better enforce that all nix-shell deps are specified
2024-07-19 12:21:10 +00:00
a1de7a4afd
users: configure XDG_SESSION_TYPE during shell setup
2024-07-18 00:15:29 +00:00
0b7d8310df
trust-dns: patch resolver to handle more edge-case domains (api.mangadex.org., m.wikipedia.org., ...)
2024-07-17 15:28:41 +00:00
8472320629
sane-vpn: route DNS through the VPN's server
2024-07-17 02:00:05 +00:00
132798be23
sanebox: ensure sanebox is always on the PATH of sandboxed binaries
2024-07-16 07:24:42 +00:00
514cfe7b0b
feeds: subscribe to "Better Offline" podcast
2024-07-12 01:20:00 +00:00
46bf7c5ac9
nixpkgs: 2024-07-06 -> 2024-07-07
2024-07-08 05:38:44 +00:00
6824080f6b
avahi: fix broken sandboxing
2024-07-06 03:08:36 +00:00
3c53bca156
vpn: log a message whenever the endpoint is updated
...
only as i'm actively working in this area. hopefully this log message can be less noisy in the future
2024-07-06 03:03:38 +00:00
5048bd8d70
sanebox: fix that pasta-sandboxed programs would fail compile-time sandboxing test
2024-07-05 20:41:28 +00:00
a12aa02655
sane.programs: provide sandbox.net = "vpn.wg-home" to tunnel through my home ISP
2024-07-05 20:18:34 +00:00
6d66a5dbf8
vpn: add a service to auto-refresh wireguard endpoints
2024-07-05 20:06:16 +00:00
5d80e298b5
wg-home: deploy so as to be compatible with sane-vpn (e.g., route *WAN* traffic through it)
2024-07-05 18:45:26 +00:00
823f8f2be3
feeds: subscribe to FLOSS Weekly
2024-07-04 13:34:48 +00:00
e72f9be1bf
feeds: subscribe to Sharp Tech
2024-07-04 13:23:36 +00:00
24ed242bac
servo: fix warning for getExe and iptables
2024-07-04 12:43:02 +00:00
e82feb9f71
make-sandboxed: migrate to binary wrapper
2024-07-03 19:35:56 +00:00
4839a40205
make-sandboxed: use makeWrapper proper, rather than rolling my own
...
i can't use the _binary_ wrapper unless i use a fully-qualified path to 'sanebox' or hide it behind something like /usr/bin/env
2024-07-03 17:54:38 +00:00
e9c51eddb3
feeds: subscribe to Matt Stoller
2024-07-01 07:33:41 +00:00
9b8c461ce9
dont treat python packages specially: lift all python packages out of python-packages/ subdir; remove pyPkgs arg from static-nix-shell.mkPython3
2024-06-27 11:28:17 +00:00