539d9e45a2
networkmanager/modemmanager: ship separate packages for the daemon and CLI tools
...
they require fundamentally different sandboxing approaches. the daemon *can't* always use bwrap if it wants to run as non-root. meanwhile the CLI tools would mostly *prefer* to run under bwrap.
in the long term i'll maybe upstream the systemd sandboxing into nixpkgs, where there looks to be desire for it
2024-05-31 23:26:16 +00:00
326bf045b0
networkmanager/wpa_supplicant: switch user back to "networkmanager"
...
root gives too much power, even with bwrap/namespaces
2024-05-31 23:26:16 +00:00
a1181a10ea
networkmanager: install parallel dbus .conf files to allow the services to be run as *either* networkmanager or root user (hopefully!)
2024-05-31 23:26:16 +00:00
9bb6a903bb
wpa_supplicant: get it to run under bwrap
2024-05-31 23:26:16 +00:00
214f963d89
networkmanager: run all services as root instead of networkmanager user
...
i believe this may allow using bwrap instead of landlock
2024-05-31 23:26:16 +00:00
c7eb4b66a5
polyunfill: remove unused su and sg security wrappers
2024-05-31 14:59:23 +00:00
452543e6f3
fix rescue host build
2024-05-31 10:37:03 +00:00
07aec3ca3c
apps: explain why i ship both engrampa and xarchiver archive managers
2024-05-31 08:39:23 +00:00
c7fd3d2217
nixpkgs: 2024-05-26 -> 2024-05-31, nixpkgs-wayland -> 2024-05-31
...
```
• Updated input 'nixpkgs-next-unpatched':
'github:nixos/nixpkgs/2baa940f86e1fc54757fd7d1ed551c0a38904bf2' (2024-05-26)
→ 'github:nixos/nixpkgs/d3d81af60c22e9e93a3930a9630b210362341ab9' (2024-05-31)
• Updated input 'nixpkgs-unpatched':
'github:nixos/nixpkgs/7780e5160e011b39019797a4c4b1a4babc80d1bf' (2024-05-26)
→ 'github:nixos/nixpkgs/4e60a4d94bdc1abafeefc1928aa3cda6ce6c4210' (2024-05-31)
• Updated input 'nixpkgs-wayland':
'github:nix-community/nixpkgs-wayland/397c85d463aef789a8dd24c4db467e9ad787907b' (2024-05-26)
→ 'github:nix-community/nixpkgs-wayland/1db9b79a45c8e346e03480767e6d9749fabfaf10' (2024-05-31)
```
2024-05-31 06:09:03 +00:00
0fcc3f8d5d
ModemManager: make the sandbox more strict
2024-05-30 21:32:35 +00:00
0bb887158b
implement a dropbear SSH module
2024-05-30 20:58:01 +00:00
6570c5ed84
modemmanager: sandbox with bwrap instead of landlock
2024-05-30 18:47:09 +00:00
820fdecfd5
modemmanager: minimal (working) sandbox
2024-05-30 18:27:34 +00:00
8d43565f31
sane-theme: disable sandbox
2024-05-30 16:54:10 +00:00
18364761dd
wireplumber: undo the enableSystemd=false patch
2024-05-30 16:50:53 +00:00
d3937487e6
moby: cleanup bonsai <-> sway circular dependency (slightly)
2024-05-30 12:43:09 +00:00
3fdeacc336
sane-input-handler: add a --help command
2024-05-30 12:30:41 +00:00
84f2006115
servo: fix gitea
2024-05-30 12:12:06 +00:00
7f5e12da8d
dbus: don't consider the service "up" until the unix pipe actually appears
2024-05-30 11:04:02 +00:00
afa8a3c52e
activationScripts.notifyActive: future-proof for if ever DBUS_SESSION_BUS_ADDRESS changes
2024-05-30 11:03:35 +00:00
bfbcb4789b
activationScripts.notifyActive: fix for renamed XDG_RUNTIME_DIR
2024-05-30 10:56:17 +00:00
2531cc1cf6
bonsai: place the socket in a subdirectory to improve sandboxing
2024-05-30 09:54:28 +00:00
e55b75c333
wireplumber: build without systemd
2024-05-30 09:46:29 +00:00
adb54657d4
sway: fix bonsai to be visible in the sandbox
2024-05-30 09:46:04 +00:00
6eefb9ce20
wireplumber: build against the same pipewire i deploy
2024-05-30 09:06:41 +00:00
274a7821a7
wireplumber: remove no-longer-needed /run/systemd directory
...
not necessary when using seatd/when a member of the 'audio' group
2024-05-30 08:54:41 +00:00
175acf6442
pipewire: build without systemd
2024-05-30 08:44:11 +00:00
0761b6135a
users/colin: add myself to "audio" group so that wireplumber can access audio devices w/o systemd/logind
2024-05-30 08:44:11 +00:00
66c899d099
callaudiod: fix to not start before dbus/pipewire are up (avoids coredump on boot)
2024-05-30 06:07:08 +00:00
4aeb3360d3
cleanup: programs: don't assume sway is always the wayland/x11 provider
2024-05-30 06:00:32 +00:00
0c456d11d8
programs: ensure things which depend on sound or wayland are ordered after it
2024-05-30 04:55:05 +00:00
f1d397940f
seatd: patch sandboxing for desko
2024-05-29 19:42:45 +00:00
fa94fa8e6c
seatd: sandbox with bwrap
...
it always surprises me that you can sandbox something with cap_sys_admin like this...
i think this works *only* because the user is root
2024-05-29 19:09:57 +00:00
4b9c125c8c
seatd: sandbox
2024-05-29 18:58:38 +00:00
0f7d25d8a5
doc: sway: say why i wrapperType = "inplace"
2024-05-29 18:58:05 +00:00
140641729e
gvfs: disable (it was broken)
2024-05-29 18:39:31 +00:00
32124d76bf
cups: disable (not currently used, and not sandboxed)
2024-05-29 18:33:17 +00:00
c5c174f988
sway: patch to use a narrower sandbox
2024-05-29 18:24:59 +00:00
29bc1608aa
sway: remove sandbox inputs which are no longer necessary
2024-05-29 17:07:18 +00:00
635ca1e5d8
seatd: pull the service definition into my own repo
...
this will allow me to configure the package
2024-05-29 16:34:32 +00:00
2789868703
seatd: split out of sway conf
2024-05-29 16:22:52 +00:00
c40ec1990a
sshd: disable systemd integration
2024-05-29 15:57:19 +00:00
d4dfcd6510
login: remove systemd pam integration (so it doesn't try, and fail, to start the user manager)
2024-05-29 15:42:39 +00:00
d865be952a
refactor: sandboxing: replace manual --sanebox-keep-namespace pid config with isolatePids = false
2024-05-29 12:56:46 +00:00
7c8a18ecbd
systemd: remove no-longer-used user@1000 override
2024-05-29 12:56:19 +00:00
35ff7de06e
dbus: manage it ourselves instead of having systemd do it
2024-05-29 12:55:51 +00:00
c570b7bf5d
dbus: manage it ourselves instead of having systemd do it
2024-05-29 11:30:33 +00:00
770fc2e574
systemd: fix typo'd IgnoreOnIsolate option
2024-05-29 11:30:33 +00:00
0ed7eb24fb
programs: assorted: remove legacy programs.feedback setting
2024-05-29 11:30:33 +00:00
ad8e75b6a3
programs: assorted: remove /var/lib/alsa persistence; doesn't seem to be needed
2024-05-29 11:30:33 +00:00
e8dbe0750d
networkmanager: fix sandbox to actually work with systemd-resolved
2024-05-29 10:34:24 +00:00
4309d887da
wpa_supplicant: remove unused services
2024-05-29 09:33:25 +00:00
1ee21c4795
NetworkManager: run as user instead of root
2024-05-29 09:16:30 +00:00
fb7bcbb5f5
NetworkManager-wait-online: fix missing sanebox path
2024-05-29 01:37:15 +00:00
0013e8305e
networkmanager: cleanup
2024-05-29 01:35:38 +00:00
7dedfcebb9
networkmanager: sandbox
2024-05-29 01:33:15 +00:00
247fc1f887
hosts/modules/gui: fold into hosts/common/programs
2024-05-28 16:51:02 +00:00
3c2ca46ef9
hosts/modules/gui/gtk: hoist to sane.programs.sane-theme
2024-05-28 16:44:27 +00:00
95dc395925
hosts/modules/gui/theme: lift my sway background up into its own package
2024-05-28 15:48:37 +00:00
cefd6c0534
documentation improvements
2024-05-28 13:36:01 +00:00
e8846b2d6b
wpa_supplicant: sandbox
2024-05-28 13:36:01 +00:00
7d242ab02c
sane-battery-estimate: sandbox
2024-05-28 09:41:04 +00:00
47611eaa26
sane-weather: sandbox
2024-05-28 09:38:04 +00:00
9719f0f785
mpv: relax sandboxing for the sake of subtitle downloading
2024-05-28 09:37:57 +00:00
8042ea76e6
assorted programs: specify sandbox.autodetectCliPaths variant more precisely than just true
2024-05-28 07:14:27 +00:00
c59236509b
sane-cast: sandbox
2024-05-28 07:07:11 +00:00
4ba0343315
networkmanager: hoist some `lib.mkIf`s up a few levels
...
would you believe one of these attributes was being set without a mkIf cfg.enabled guard :)
2024-05-28 05:27:23 +00:00
cbe6072c03
polyunfill: remove policykit suid wrappers
2024-05-28 05:24:37 +00:00
bea1fd95e5
polyunfill: disable dbus-daemon-launch-helper suid wrapper
2024-05-28 05:14:06 +00:00
ae544c0649
polyunfill: disable mount/umount suid wrappers
2024-05-28 05:02:26 +00:00
b571f70988
polyunfill: remove fusermount suid wrapper
2024-05-28 04:56:14 +00:00
e6498ad152
notejot: fix sandboxing
2024-05-28 03:59:31 +00:00
976b8ae45e
rofi-snippets: make the filtering case insensitive, and improve ellipsis placement come 1.7.6
2024-05-28 03:38:36 +00:00
ab7c4d7410
rofi-snippets: remove the subshell and just use a pipe
...
i expect that this is faster, particularly because bash should stand up each section of the pipeline in parallel, right?
2024-05-28 03:23:04 +00:00
d2c3bec98e
rofi-snippets: remove an extraneous layer of sandbox
2024-05-28 03:04:57 +00:00
3c5e5632ee
wtype: sandbox
2024-05-28 03:04:26 +00:00
dcedb8d3f0
sanebox: handle --flag=path style of autodetected paths
2024-05-28 03:04:02 +00:00
f38d2d52d2
alsa-ucm-pinephone-pmos: prefer the earpiece over the "internal speaker"
2024-05-27 14:13:56 +00:00
04bbf54385
alsa-ucm-conf: switch to postmarketos version
2024-05-27 13:41:03 +00:00
f2271180dd
alsa-ucm-conf: split the patched alsa confs out into their own package
2024-05-27 12:53:33 +00:00
60b1ab1429
conky: split sane-battery-estimate out into its own program
2024-05-27 11:33:40 +00:00
a024f685c3
firefox: replace i-still-dont-care-about-cookies extension with a uBlock filter list
...
simpler that way; fewer extensions to trust
2024-05-27 07:43:55 +00:00
9c20cef6ea
firefox: ublacklist: disable (i wasn't using any rules; it wasn't blocking anything from google search results)
2024-05-27 07:22:47 +00:00
f6f1a6e136
firefox: uBlock Origin: ship filter lists statically
2024-05-27 06:54:52 +00:00
7941a8b1ed
refactor: firefox: fix uBlock json indentation
2024-05-27 04:46:38 +00:00
063b0be5b6
hosts/modules/gui/greetd: remove
2024-05-27 00:44:01 +00:00
7e490f5c07
remove lingering references to sxmo
2024-05-27 00:38:30 +00:00
d46fa8a242
swaync-fbcli: sandbox (experimental)
2024-05-27 00:11:20 +00:00
62b2eb874c
swaync-service-dispatcher: sandbox
2024-05-27 00:07:30 +00:00
133c1b3699
swaync: remove unused systemd integrations
...
it's all s6 now
2024-05-27 00:06:03 +00:00
1b4300dbeb
swaync: remove unused vpn button
2024-05-27 00:00:44 +00:00
b1c7061b21
vpn: fix typos from previous 2 commits
2024-05-26 14:26:47 +00:00
002639cc76
ovpn: use a single key per-device
...
this should fix the traffic collisions i'm seeing with the existing setup
2024-05-26 14:04:52 +00:00
45967fde7b
brave: fix sandboxing under pasta/netns
2024-05-26 13:05:44 +00:00
3a045f4d88
doc: polyunfill: point to https://github.com/NixOS/nixpkgs/pull/314791
2024-05-26 08:00:18 +00:00
57d6a9a4c3
polyunfill: simplify pam hacks
2024-05-26 07:04:12 +00:00
2ee39ca0cc
poly_unfill: remove /run/wrappers/bin/unix_chkpwd
...
non-privileged users don't need to check passwords
well, maybe they do (for desktop unlockers), but i've already solved that :)
2024-05-26 06:37:59 +00:00
9d9211c5fa
polyunfill: distribute /run/wrappers/bin/unix_chkpwd without suid bit
2024-05-26 01:18:30 +00:00
9ce7dcd57a
/run/wrappers: remove unused newgidmap,newuidmap,newgrp binaries
2024-05-26 01:18:30 +00:00
efa1ee6c69
iproute2: disable sandbox and fix ip commands
2024-05-26 01:18:30 +00:00
6a15434cc6
net/vpn: remove the bridge devices from my VPN setup
2024-05-26 01:18:30 +00:00
8cb73687ce
unl0kr: don't add extra deps to user's PATH
2024-05-26 01:17:42 +00:00
73f5c9608e
sanebox: tighter dependency handling, to not rely on @BACKEND_FALLBACK@
2024-05-25 10:26:36 +00:00
b035d312aa
firejail: purge
2024-05-25 10:21:31 +00:00
a5e1a804c9
sane-vpn: port to sanebox/pasta (no more firejail)
2024-05-25 10:09:10 +00:00
7b1bc210fd
sanebox: integrate with pasta (passt) for better net sandboxing
2024-05-25 09:39:18 +00:00
842651efd5
mpv: tune webm.conf
2024-05-25 02:05:18 +00:00
27b4d4da16
mpv: ship a music visualizer
...
note that it doesn't show in `webm` exports
2024-05-25 02:05:09 +00:00
e407467e55
mpv: ship mpv-webm tool for clipping videos
2024-05-25 00:55:40 +00:00
30c677fafc
feeds: subscribe to weekinethereumnews.com
2024-05-25 00:52:39 +00:00
49b48b24fc
ship linux/posix manpages
2024-05-24 06:57:20 +00:00
844a128d60
iproute2: fix sandboxing (hopefully)
2024-05-24 06:41:12 +00:00
309797fe23
sane-input-handler: fix unrecoverable terminal state
...
bonsai is prone to miss inputs during high CPU load.
2024-05-24 04:29:34 +00:00
a6b10244eb
sane-input-handler: set vim filetype hint
2024-05-24 04:06:53 +00:00
2ccb4d94c5
nixpkgs: 2024-05-16 -> 2024-05-23, nixpkgs-wayland, sops-nix, uninsane-dot-org
...
```
• Updated input 'nixpkgs-next-unpatched':
'github:nixos/nixpkgs/1887e39d7e68bb191eb804c0f976ad25b3980595' (2024-05-16)
→ 'github:nixos/nixpkgs/?' (2024-05-23)
• Updated input 'nixpkgs-unpatched':
'github:nixos/nixpkgs/977a49df312d89b7dfbb3579bf13b7dfe23e7878' (2024-05-16)
→ 'github:nixos/nixpkgs/?' (2024-05-23)
• Updated input 'nixpkgs-wayland':
'github:nix-community/nixpkgs-wayland/5e2c5345f3204c867c9d4183cbb68069d0f7a951' (2024-05-16)
→ 'github:nix-community/nixpkgs-wayland/?' (2024-05-23)
• Updated input 'nixpkgs-wayland/lib-aggregate':
'github:nix-community/lib-aggregate/09883ca828e8cfaacdb09e29190a7b84ad1d9925' (2024-05-12)
→ 'github:nix-community/lib-aggregate/5fa64b174daa22fe0d20ebbcc0ec2c7905b503f1' (2024-05-19)
• Updated input 'nixpkgs-wayland/lib-aggregate/nixpkgs-lib':
'github:nix-community/nixpkgs.lib/58e03b95f65dfdca21979a081aa62db0eed6b1d8' (2024-05-12)
→ 'github:nix-community/nixpkgs.lib/0df131b5ee4d928a4b664b6d0cd99cf134d6ab6b' (2024-05-19)
• Updated input 'sops-nix':
'github:Mic92/sops-nix/b6cb5de2ce57acb10ecdaaf9bbd62a5ff24fa02e' (2024-05-12)
→ 'github:Mic92/sops-nix/b549832718b8946e875c016a4785d204fcfc2e53' (2024-05-22)
• Updated input 'sops-nix/nixpkgs-stable':
'github:NixOS/nixpkgs/8e47858badee5594292921c2668c11004c3b0142' (2024-05-11)
→ 'github:NixOS/nixpkgs/e7cc61784ddf51c81487637b3031a6dd2d6673a2' (2024-05-18)
• Updated input 'uninsane-dot-org':
'git+https://git.uninsane.org/colin/uninsane?ref=refs/heads/master&rev=af8420d1c256d990b5e24de14ad8592a5d85bf77 ' (2024-04-15)
→ 'git+https://git.uninsane.org/colin/uninsane?ref=refs/heads/master&rev=e6f88f563bdd1700c04018951de4f69862646dd1 ' (2024-05-16)
```
2024-05-24 02:57:53 +00:00
ca57fd692f
sane-input-handler: simplify the volume button controls; reduce vol-hold repeat count to 3
2024-05-23 02:50:38 +00:00
e6a8f5bae8
eg25-control: fix --enable-gps and --ensure-agps commands
...
these were failing due to pathing changes from systemd -> s6
2024-05-23 02:50:38 +00:00
c5e7ef7b0c
polyunfill: don't ship x86-only kernel modules to moby's initrd
...
notably, this relaxes some constraints on the kernel so that e.g.
postmarketOS kernel actually passes eval checks (and boots to ssh!
no graphics yet)
2024-05-21 22:47:12 +00:00
d0734947bf
polyunfill: disable swraid
2024-05-21 22:47:12 +00:00
2e07797065
megapixels: document how to debug
2024-05-21 10:12:20 +00:00
3d295e8757
gst-device-monitor: bundle more gstreamer plugins to improve node detection
2024-05-20 09:59:08 +00:00
e3a20477f7
gst-device-monitor: wrap with required gst-plugins-base runtime dependency
2024-05-20 06:17:11 +00:00
cfedcc91bd
gst-device-monitor: fix so manpages are bundled
2024-05-20 03:00:23 +00:00
f20a0ac409
fractal-latest: purge (unused package)
2024-05-19 21:16:06 +00:00
87c84f0e2e
ship libcamera, snapshot
...
note that properly packaging these is still a WIP
2024-05-19 10:41:09 +00:00
c0a6313023
home/mime: micro-opt: use toString instead of string coercion
2024-05-19 10:40:15 +00:00
5619bb3334
pkgs: ship gst-device-monitor binary
2024-05-19 10:40:15 +00:00
0fc4f83fc9
sane-input-handler: bump volume hold time from 600ms -> 750ms
...
hopefully this decreases the number of volup inputs which are misread as volup-hold (which happens a lot when the screen is off...?)
2024-05-19 00:34:23 +00:00
1b24bd50f9
errno: ship
2024-05-19 00:21:30 +00:00
58ef2cf863
calls/callaudiod: update documentation
2024-05-18 20:55:16 +00:00
41bc4ac7b4
callaudiod: fix repo URL
2024-05-18 08:10:34 +00:00
3361f2bbe7
zsh: port to sane.programs
2024-05-18 08:10:34 +00:00
c987f13ef0
calls: split callaudiod out and run it manually
2024-05-18 07:14:42 +00:00
ee36f2f052
sway: fix display names
2024-05-18 06:57:24 +00:00
09457bee5a
sway: position gnome-calls on workspace 1
2024-05-18 06:55:39 +00:00
278631b59e
calls: sandbox
2024-05-18 06:52:53 +00:00
4d09cce1aa
calls: fix latency so moby doesn't underrun
2024-05-18 06:47:26 +00:00
b2f2f88dc6
calls: exit on UI close
2024-05-18 06:32:23 +00:00
9c27b8e864
swaync: sort icons
2024-05-17 08:42:35 +00:00
af34d395fc
swaync: fix Discord icon
2024-05-17 07:18:23 +00:00
008b659a10
swaync: reorder icons
2024-05-17 05:49:28 +00:00
1ce2839df9
swaync: clean up icons a bit more
2024-05-17 05:45:15 +00:00
022d15c2c7
swaync: increase font size of service icons
2024-05-17 03:42:32 +00:00
908a2ca6c3
swaync: fix a bug where i couldn't see all icons on the same row
2024-05-17 03:21:41 +00:00
42fb79b025
swaync: improve gnome-calls icon
2024-05-17 00:49:40 +00:00
4265ea9b99
calls: auto-start
2024-05-17 00:41:32 +00:00
a7d376778e
gnome-calls: re-enable
2024-05-17 00:36:56 +00:00
157af52112
feeds: add Grumpy.website
2024-05-16 19:25:22 +00:00
3bb5546aaf
systemd-logind: fix to not sleep when i close the lid (again)
2024-05-16 02:13:02 +00:00
b4229ecb1e
sanebox: load the link cache from a static /etc path instead of via CLI args
2024-05-15 23:55:15 +00:00