colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity
5,408 Commits 125 Branches 1 Tag 12 MiB
084541da4c
Commit Graph

1123 Commits

Author SHA1 Message Date
Colin
084541da4c modules/programs: require manual definition; don't auto-populate attrset 
this greatly decreases nix eval time
 2024-02-28 13:32:52 +00:00
Colin
6ef729bbaf assorted: prefer runCommandLocal over runCommand where it makes sense 2024-02-27 22:26:56 +00:00
Colin
8f424dcd5a programs: sandboxing: link /etc into sandboxed programs 
this is crucial for e.g. swaync, to find its resource files.
maybe a good idea to link *every* package directory which i also link
into /run/current-system.
 2024-02-27 22:25:17 +00:00
Colin
d5643a6a5d assorted static-nix-shell packages: use srcRoot 2024-02-25 17:37:38 +00:00
Colin
d2df668c9e modules/programs: sane-sandboxed: replace --sane-sandbox-keep-pidspace with --sane-sandbox-keep-namespace <pid|cgroup|ipc|uts> 2024-02-25 12:00:00 +00:00
Colin
f807d7c0a2 modules/programs: sane-sandboxed: bwrap: don't virtualize {/dev,/proc,/tmp} if explicitly asked to bind them instead 
this is necessary for some programs which want a near-maximial sandbox, like
launchers or shells, or more specifically, `sane-private-do`.
 2024-02-25 08:15:39 +00:00
Colin
6ab5dd8a8f modules/persist: ensure that the mountpoint for the private store is created at boot 2024-02-25 07:51:24 +00:00
Colin
52b8cd0209 modules/persist: ensure backing directory is created *before* we mount 2024-02-25 07:22:50 +00:00
Colin
00bf2f79cc ssh: clean up /etc/ssh/host_keys persistence 2024-02-25 05:19:44 +00:00
Colin
73b2594d9b programs: sandboxing: distinguish between "existingFileOrParent" and "existingOrParent" 2024-02-25 01:59:01 +00:00
Colin
a55dc5332d modules/programs: sane-sandboxed: introduce "existingOrParent" autodetect-cli option 
some programs will want this, to create directories by name; e.g. archive managers
 2024-02-25 01:48:10 +00:00
Colin
86108518da modules/programs: sane-sandboxed: add a new "existingFile" option for the cli autodetect 2024-02-25 01:43:39 +00:00
Colin
879d01ac2e modules/ssh: note that theres a better store to place the ssh host_keys in 2024-02-24 12:14:14 +00:00
Colin
0448df51e3 modules/programs: sane-sandboxed: add a --sane-sandbox-dry-run flag 2024-02-24 12:00:58 +00:00
Colin
8e3eed7d51 modules/programs: sane-sandboxed: factor out the actual execution of the sandbox/program into the toplevel 
this will make it easier to intercept
 2024-02-24 11:57:42 +00:00
Colin
88a70b41f1 modules/programs: handle more symlink forms when calculating a program's sandbox closure 2024-02-24 11:47:39 +00:00
Colin
6f59254a22 modules/programs: fix symlink following 2024-02-24 05:36:44 +00:00
Colin
4023960dc0 README: MANUAL MIGRATION: move "plaintext" store to /nix/persist/plaintext 
to migrate the data:
```sh
$ sudo mkdir /nix/persist/plaintext
$ sudo mv /nix/persist/{etc,home,var} /nix/persist/plaintext
$ sudo ln -s plaintext/etc /nix/persist/etc  #< temporarily; if deploying over ssh
$ switch
$ reboot
$ sudo rm /nix/persist/etc  #< if you did the symlink earlier
```
 2024-02-23 18:02:17 +00:00
Colin
fff9f9d49a README: MANUAL MIGRATION: move "private" store to /nix/persist/private 
to migrate the data, first unmount `~/private` (`sane-private-lock`), then:
```sh
$ sudo mv /nix/persist/home/colin/private /nix/persist
$ switch
$ reboot
```
 2024-02-23 16:01:09 +00:00
Colin
d7402ae170 persist: stores: make naming more consistent 2024-02-23 14:57:20 +00:00
Colin
6267e7f966 tidy up small persist/private nitpicks 2024-02-23 14:44:38 +00:00
Colin
120a41b169 persistence: split /var/log persistence into dedicated "initrd" store 2024-02-23 14:42:47 +00:00
Colin
aa0991bd6c persistence: cleanup so it all works well with symlink-based stores 2024-02-23 13:09:44 +00:00
Colin
af2f97d61e fs: ensure-file: don't error if the file already exists 2024-02-23 11:29:14 +00:00
Colin
5b8f13d9cc fs: notice when a fs entry is set to two incompatible types (e.g. symlink + dir) and error 2024-02-23 11:24:32 +00:00
Colin
c2696c1cd9 gnome-keyring: use sane.fs abstractions to write out the keyrings 2024-02-23 08:57:41 +00:00
Colin
057b9e3fed replace links/references to ~/private/FOO with just ~/FOO 2024-02-23 07:06:29 +00:00
Colin
170eeeacc4 programs: dereference not just the leaf, but any part of the path, when determining a program's sandbox closure 2024-02-23 07:06:29 +00:00
Colin
a402822084 move "private" store to /mnt/persist/private instead of ~/private 
this will allow me to add all of ~ to a sandbox without giving all of ~/private
 2024-02-23 07:06:29 +00:00
Colin
80ecdcc4f9 persist: plaintext: consider "/mnt/persist/plaintext" as the logical root, and abstract away "/nix/persist" 2024-02-23 07:06:29 +00:00
Colin
0864790bb7 docs: modules/persist: document the "origin" store parameter 2024-02-23 07:06:29 +00:00
Colin
478747a96e modules/persist: change default mounting method to symlink 
this changes the plaintext and cryptClearOnBoot stores: private was already symlink-based.
this isn't strictly necessary: the rationale is:
1. `mount` syscall *requires* CAP_SYS_ADMIN (i.e. superuser/suid).
   that's causing problems with sandboxing, particularly ~/private.
   that doesn't affect other stores *yet*, but it may in the future.
2. visibility. i.e. it makes *clear* where anything is persisted.
   if `realpath` doesn't evaluate to `/nix/persist`, then it's not
   persisted.
 2024-02-23 07:06:29 +00:00
Colin
2a528a5d8e sane-sandboxed: leave a note about future mount work 2024-02-21 16:08:42 +00:00
Colin
c6470918de types.string -> types.str 2024-02-21 00:25:44 +00:00
Colin
bb569b1668 sane-vpn: port away from systemd so that i can use it as an ordinary user (no sudo) 2024-02-20 22:21:02 +00:00
Colin
34524ea3e4 modules/vpn: fix the vpn-* systemd services 2024-02-20 20:40:46 +00:00
Colin
d7be5da483 warnings.nix: port to a proper module 2024-02-20 11:19:12 +00:00
Colin
34dedcff57 modules/programs: sane-sandboxed: fix normPath handling of paths containing special characters like [ 2024-02-19 15:32:23 +00:00
Colin
95cb5624ca modules/programs: sane-sandboxed: fix but that --sane-sandbox-path / wasnt being canonicalized 2024-02-18 13:53:53 +00:00
Colin
600f6eb56c modules/programs: sane-sandboxed: remove all remaining forks/subshells 
launchtime for firefox in bwrap is about 65ms; 35ms for --sane-sandbox-method none
 2024-02-18 13:15:04 +00:00
Colin
fd6f8493a7 modules/programs: sane-sandboxed: remove all forking from normPath 
reduces time for librewolf benchmark from 90ms -> 65ms. there's still _some_ forking in this script, but it's constant now.
 2024-02-18 12:25:03 +00:00
Colin
f10f1ee7b1 modules/programs: sane-sandboxed: optimize "normPath" to not invoke subshells 
each subshell causes like 5ms just on my laptop, which really adds up.
this implementation still forks internally, but doesn't exec.
runtime decreases from 150ms -> 90ms for
`time librewolf --sane-sandbox-replace-cli true`
 2024-02-18 12:08:23 +00:00
Colin
cef2591425 modules/programs: sane-sandboxed: capshonly/landlock: don't request capabilities we know won't be granted 2024-02-17 16:30:18 +00:00
Colin
4ced02b0b2 modules/programs: make-sandboxed: fix incorrect "priority" attribute 2024-02-17 03:32:49 +00:00
Colin
029ba43bd6 modules/programs: sane-sandboxed: invoke "capsh" with the --no-new-privs argument 2024-02-16 05:48:50 +00:00
Colin
8c9c6ec979 modules/programs: make-sandboxed: support /libexec binaries 2024-02-16 03:15:45 +00:00
Colin
1edb1fc8b6 modules/programs: sane-sandboxed: avoid adding the sandbox implementation to $PATH 2024-02-15 17:58:22 +00:00
Colin
8d20dcadd1 modules/programs: sane-sandboxed: add --sane-sandbox-keep-pidspace flag 2024-02-15 15:05:28 +00:00
Colin
c943442c94 modules/programs: sane-sandboxed: add --sane-sandbox-method none for benchmarking 2024-02-15 13:13:39 +00:00
Colin
02dd629616 modules/programs: sane-sandboxed: rework so portal env vars arent set when sandbox is disabled 
and by setting them only at launch time we aid introspectability/debugging
 2024-02-15 11:57:36 +00:00