Commit Graph

1445 Commits

Author SHA1 Message Date
044bf8b783 refactor: remove dead modules/lib/fs.nix file 2024-10-01 03:55:29 +00:00
61df81291b refactor: optimize eval time
lifting `let` bindings up where possible helps reduce the number of thunks nix has to allocate. this patch only does that by 0.3%-ish, though
2024-10-01 03:54:44 +00:00
80c67caf19 modules/fs: remove unused symlink.targetName option 2024-09-30 15:18:32 +00:00
1eea81c4ff refactor: sane.fs: lift acl up to the toplevel; drop generated options 2024-09-30 15:15:30 +00:00
97d38aecab feeds: subscribe to timclicks.dev 2024-09-30 15:00:45 +00:00
e29842aa9d sane.fs: simplify 2024-09-30 10:19:39 +00:00
50c52683ff sane.fs: remove unused mount.mountConfig, mount.unitConfig options 2024-09-30 10:19:39 +00:00
ca85dac4ac sane.fs: make bind a required sub-option of mount 2024-09-30 10:19:39 +00:00
e52f57f5a2 sane.fs: remove unused mount.depends 2024-09-30 10:19:39 +00:00
49b5da6385 sane.fs: dont generate systemd services for every file/dir/symlink
that's handled by systemd-tmpfiles now
2024-09-30 10:19:39 +00:00
572dd5854d WIP: sane.fs: remove wantedBy/wantedBeforeBy options 2024-09-30 10:19:39 +00:00
0c270fe4a3 WIP: sane.fs consumers: avoid wantedBy/wantedBeforeBy 2024-09-30 10:19:39 +00:00
48c81610a5 sane.fs: remove public access to the "unit" fields
fs entries soon won't correspond to systemd units, and hence that option's a bit nonsensical
2024-09-30 09:10:40 +00:00
6983dbe8c4 sane.fs: fix so my tmpfiles.d always runs before anything else (like e.g. /var/lib stuff) 2024-09-30 05:44:42 +00:00
c71d2c846c sane.fs: symlink files into place using systemd.tmpfiles 2024-09-30 05:43:51 +00:00
c9d5d3eeca refactor: modules/users: dont hardcode $HOME 2024-09-29 07:17:00 +00:00
5857bdcc81 persist: remove the unused "initrd" store 2024-09-28 14:25:40 +00:00
d7c26b736c remove all users of sane.fs.*.generated (except derived-secrets, that comes later)
this will allow me to reduce the scope of sane.fs, and then optimize it to not create a systemd service per each entry
2024-09-28 14:25:40 +00:00
aa7e1dfd33 refactor: modules/data/feeds: fewer file-level inherits 2024-09-28 09:55:12 +00:00
d073250032 users: switch to systemd services by default 2024-09-28 03:38:46 +00:00
edb665abd0 users: add a systemd backend for managing services 2024-09-28 03:38:46 +00:00
3bbec161bf servo: fix clightning service 2024-09-27 15:50:53 +00:00
6d0a2d63fc users: make the service manager partly configurable 2024-09-25 15:39:57 +00:00
31615340a7 programs/assorted: remove explicit (and extraneous) sandbox.method = "bunpen" declarations 2024-09-21 23:35:06 +00:00
ea3eaf048e programs: sandbox with bunpen *by default*; manually opt out or opt to a different sandboxer where required 2024-09-21 23:00:49 +00:00
208b634040 programs/sandboxing: add required args to use pasta 2024-09-21 12:21:11 +00:00
8979ff0eec bunpen: plumb pasta related arguments into make-sandboxed
for testing only: these options don't yet have the intended effect
2024-09-19 23:54:43 +00:00
034c3f987e programs/make-sandboxed: fix for apps which ship thumbnailers (i.e. gnome papers) 2024-09-17 02:33:51 +00:00
e9decbbf40 sandboxing: add a global toggle to disable sandboxing 2024-09-16 00:38:02 +00:00
b5f9ba62d0 camera: fix sandboxing for pipewire (so snapshot can open the camera), and share that with megapixels (which opens it directly)
N.B. snapshot (pipewire) doesn't work with the current kernel deployment; it requires linux-postmarketos-allwinner and even then only the front camera works (at about 1 fps)

this wasn't always the case: i believe that once, the rear camera worked as well. although now i think about it, i'm not positive of that
2024-09-15 11:14:23 +00:00
6e0c83b4f3 modules/programs: don't install bunpen/sanebox unless some program actually requires it 2024-09-14 23:10:19 +00:00
b43ee23459 firefox: allow webcam access 2024-09-13 00:02:48 +00:00
e7f54cda6b feeds: subscribe to Marijn Braam's blog 2024-09-10 19:54:46 +00:00
ae5bad1514 feeds: subscribe to mii beta / Baby Wogue 2024-09-10 18:16:45 +00:00
1599df26e7 /mnt/persist/private: remove unneeded "sandbox.keepPids" 2024-09-10 01:09:21 +00:00
0b39f18faa /mnt/persist/ephemeral: dont even try to delete the backing directory -- just everything contained in it 2024-09-10 00:45:07 +00:00
8ae7e255e5 gocryptfs: sandbox with bunpen 2024-09-10 00:02:03 +00:00
95994de1ad provision-private-key (/run/gocryptfs/private.key): sandbox with bunpen 2024-09-09 03:56:55 +00:00
3ef98a5ab3 modules/programs: support "sandbox.keepIpc = true" 2024-09-07 22:10:11 +00:00
8255e419be modules/programs: rename "keepUsers" -> "tryKeepUsers" 2024-09-06 06:32:49 +00:00
6e30527688 modules/programs: simplfiy the common combination of keeping pids AND /proc by introducing "keepPidsAndProc" 2024-09-06 04:18:46 +00:00
9340f52df1 modules/programs: rename isolatePids -> keepPids, isolateUsers -> keepUsers
this follows my explicit whitelisting elsewhere
2024-09-06 04:06:42 +00:00
850c975321 modules/programs: when sandboxing, use makeBinaryWrapper if supported 2024-09-06 01:17:21 +00:00
8d87a15e60 modules/image: be verbose when we flash the bootloader 2024-09-04 13:50:22 +00:00
9a7fca267e modules/image: bump /boot space from 1 GiB to 2 GiB 2024-09-04 13:49:40 +00:00
3e182b2a06 modules/persist: lint 2024-09-04 13:13:14 +00:00
6ff35b4366 dbus: place the bus in a subdirectory for better sandboxing 2024-09-04 13:04:20 +00:00
35a41be824 modules/*: lint (esp: modules/vpn.nix -- removed unused priorityWgTable) 2024-09-03 20:24:36 +00:00
50d443ad46 make-sandboxed: fix quoting error 2024-09-03 14:10:06 +00:00
ce7a082447 modules/programs: plum sandbox.keepPids and whitelistPwd into bunpen 2024-09-03 02:25:28 +00:00