15fd7bf4a5  2024-01-27 12:39:36 +00:00
    sane-sandboxed: implement a "capshonly" backend
a6b824d3c4  2024-01-27 12:23:25 +00:00
    modules/programs/sandbox: add an "embedProfile" option to source sandbox settings from the package instead of the system
3b4884fcf1  2024-01-27 11:26:10 +00:00
    sane-sandbox: fix secret binding
4319dc58eb  2024-01-27 09:49:51 +00:00
    programs: landlock: restrict the capabilities of sandboxed processes
3122434908  2024-01-27 09:11:32 +00:00
    programs: add an option to configure extra home paths to make accessible in the sandbox
d54f8b1e93  2024-01-27 09:02:55 +00:00
    programs: fix so environment variables make it onto user sessions
b417f60769  2024-01-27 05:59:40 +00:00
    sane-sandboxed: try binding /proc/self in landlock. still doesn't work well
df2d5b6d01  2024-01-27 05:12:43 +00:00
    sane-sandboxed: fixup /dev/std* for wireshark
a66b257644  2024-01-27 04:43:42 +00:00
    sane-sandboxed: better support for landlock and SANE_SANDBOX_PREPEND/APPEND
ef66d2ec72  2024-01-27 03:39:26 +00:00
    sane-sandboxed: add support for landlock backend
64878bee67  2024-01-26 09:14:18 +00:00
    sane-sandboxed: add SANE_SANDBOX_PREPEND, SANE_SANDBOX_APPEND env vars
c4874c85b1  2024-01-26 09:13:00 +00:00
    bubblewrap: debugging
7f002b8718  2024-01-24 06:34:11 +00:00
    programs: sane-sandboxed: implement --sane-sandbox-cap for capabilities setting
824630f7d1  2024-01-24 05:28:27 +00:00
    programs: sandboxing: document /dev/dri a bit more
57105c6861  2024-01-24 05:00:08 +00:00
    sane-sandboxed: autodetect: handle file:/// URIs
3758044e7b  2024-01-24 04:59:24 +00:00
    sane-sandboxed: better handle "--"
bfaf098c31  2024-01-24 02:52:01 +00:00
    sane-sandboxed: fix handling of -- (which previously smushed arguments)
089f86d5e4  2024-01-24 01:48:02 +00:00
    programs: make /usr/bin/env available in the sandbox
    enables KOReader to run
bdd70f8fa2  2024-01-23 16:32:06 +00:00
    sane-sandboxed: ignore the executable path when autodetecting media
bfd5630e21  2024-01-23 15:48:12 +00:00
    programs: sandbox: omit media dirs by default, and implement --sane-sandbox-autodetect for programs which are liable to load data from paths
576d2c32f0  2024-01-23 14:57:33 +00:00
    programs: support secrets even when sandboxed
25739ec2ba  2024-01-23 14:57:33 +00:00
    programs: sane-sandboxed: avoid reading firejail profiles when the backend isn't firejail
    this should provide a marginal perf gain
f148334b58  2024-01-23 14:57:33 +00:00
    programs: port extraFirejailConfig to extraConfig
3a6ee8708e  2024-01-23 13:13:31 +00:00
    programs: sane-sandboxed: don't error if network mountpoints are offline
983bf93d8f  2024-01-23 12:47:25 +00:00
    programs: sane-sandboxed: make the profile handle arguments with spaces
40cc8f5d1c  2024-01-23 12:27:23 +00:00
    programs: sane-sandboxed: make more debuggable
cce03a5dc8  2024-01-23 12:18:32 +00:00
    programs: sandbox: use --dev-bind-try for root paths; fixes mpv on moby
98dfc3aa5a  2024-01-23 11:36:58 +00:00
    programs: sandbox: allow all programs to access media
    hopefully this is just a stopgap
27b56b1a12  2024-01-23 11:19:52 +00:00
    programs: sane-sandbox: implement a cleaner debugshell and test API
6e9220d2bb  2024-01-23 10:44:13 +00:00
    programs: allow programs to specify "sandbox.method = "bwrap"" for bubblewrap sandboxing
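
The bubblewrap-backed wrapper that the commits above are about (the "--" handling and the "smushed arguments" fix, arguments with spaces, --dev-bind-try for paths that may be absent, --sane-sandbox-cap, and --sane-sandbox-autodetect with file:/// URIs), as an added example that is not the project's own sane-sandboxed script. --sane-sandbox-cap, --sane-sandbox-autodetect and --dev-bind-try are taken from the log; the --sane-sandbox-path and --sane-sandbox-net option names, the base set of bwrap mounts and the /nix/store bind are assumptions. The point of the example is the one the fix commits make: the command line is built as an array with one element per argument, never as a whitespace-joined string, and the wrapper stops parsing its own options at "--".

```bash
#!/usr/bin/env bash
# Added example in the spirit of sane-sandboxed (not the project's own script).
# It builds the bubblewrap command line into SANDBOX_ARGV without running it,
# so the argument-handling rules can be checked; run_sandboxed executes it.
# The --sane-sandbox-path / --sane-sandbox-net option names and the base
# mounts below are assumptions, not the real CLI.

SANDBOX_ARGV=()   # result of the last build_sandbox_argv call, one element per argument

# Strip a file:///path URI to /path; anything else is returned unchanged
# (percent-encoding is deliberately not decoded here).
uri_to_path() {
  case "$1" in
    file://*) printf '%s\n' "${1#file://}" ;;
    *)        printf '%s\n' "$1" ;;
  esac
}

# Wrapper options are parsed only up to "--" (or the first non-option word).
# Everything after that is the program and its arguments, passed through as-is,
# so a file named "--sane-sandbox-path" cannot widen the sandbox.
#   --sane-sandbox-path PATH   bind PATH into the sandbox (assumed option)
#   --sane-sandbox-cap CAP     keep Linux capability CAP, e.g. net_admin
#   --sane-sandbox-net         keep network access (assumed option)
#   --sane-sandbox-autodetect  also bind any program argument naming an existing regular file
build_sandbox_argv() {
  local net=0 autodetect=0 arg path
  local -a paths=() caps=() argv=()
  while [ $# -gt 0 ]; do
    case "$1" in
      --sane-sandbox-path)       paths+=("$2"); shift 2 ;;
      --sane-sandbox-cap)        caps+=("$2"); shift 2 ;;
      --sane-sandbox-net)        net=1; shift ;;
      --sane-sandbox-autodetect) autodetect=1; shift ;;
      --)                        shift; break ;;
      --sane-sandbox-*)          echo "unknown option: $1" >&2; return 2 ;;
      *)                         break ;;
    esac
  done
  if [ $# -eq 0 ]; then echo "no program given" >&2; return 2; fi

  if [ "$autodetect" = 1 ]; then
    # Skip $1, the executable itself: its path is already reachable via the store.
    # Only regular files are bound, so a stray "/" argument does not expose the root.
    for arg in "${@:2}"; do
      path=$(uri_to_path "$arg")
      if [ -f "$path" ]; then paths+=("$path"); fi
    done
  fi

  argv=(bwrap --unshare-all --die-with-parent --new-session
        --ro-bind /nix/store /nix/store --proc /proc --dev /dev --tmpfs /tmp)
  if [ "$net" = 1 ]; then argv+=(--share-net); fi
  # --dev-bind-try skips a source that does not exist (e.g. an offline network
  # mount) instead of aborting the launch.
  for path in "${paths[@]}"; do argv+=(--dev-bind-try "$path" "$path"); done
  # Start from no capabilities and add back only what was explicitly requested.
  argv+=(--cap-drop ALL)
  for arg in "${caps[@]}"; do argv+=(--cap-add "cap_$arg"); done
  # bwrap's own "--" ends its option parsing, so program arguments that start
  # with "--" reach the program rather than bwrap.
  SANDBOX_ARGV=("${argv[@]}" -- "$@")
}

run_sandboxed() {
  build_sandbox_argv "$@" || return $?
  exec "${SANDBOX_ARGV[@]}"
}
```

Typical call: `run_sandboxed --sane-sandbox-autodetect -- mpv "file:///home/me/my movie.mkv"`; the filename stays one argument and is bound read-write into the jail, while `mpv` itself is not treated as a path. Two caveats a practitioner should keep in mind: autodetect binds whatever argument names an existing regular file, so it is only appropriate for programs that are meant to open user-supplied files (which is why the log makes it opt-in and omits media directories by default), and `--cap-add` only matters for what the program can do inside its user namespace, it does not grant anything the wrapper itself lacks.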
0ddcfcaa23  2024-01-23 08:01:23 +00:00
    sane-sandboxed: retrieve profiles from /share/sane-sandboxed/profiles so they can be customized without mass rebuilds
a4cb6645b4  2024-01-23 04:02:31 +00:00
    programs: indirect firejail access through sane-sandboxed
2492ed2ca7  2024-01-23 02:29:33 +00:00
    programs: introduce a sane-sandboxed helper
    not yet used, but will be soon
f49d2a1e0e  2024-01-23 01:23:14 +00:00
    programs: split "makeSandboxed" into its own file
0dc3f4f7f2  2024-01-23 01:02:04 +00:00
    modules/programs: move to subdir
    this will help me factor out helpers
d5901afb8e  2024-01-22 23:58:54 +00:00
    programs: firejail: specify profile via : (clarifies to firejail that it's an identifier and not a path); invoke firejail via name instead of absolute path
8bf41ea858  2024-01-22 13:11:47 +00:00
    programs: fix missing newline in firejail config concatenation
df861a3ef0  2024-01-22 11:12:18 +00:00
    programs: firejail: inject custom firejail config through /etc/firejail
    this improves rebuild times, and makes it easier for packages to inject their own free-form config
60547204a8  2024-01-22 09:16:25 +00:00
    sane.programs: firejail: support wrapping "runCommand" packages
dd35136ac0  2024-01-22 07:18:50 +00:00
    firejail: fix so /run/wrappers are available inside a jail
0f3f0933b1  2024-01-22 03:50:28 +00:00
    mpv: sandbox with firejail
9ecd0adcbe  2024-01-21 23:59:15 +00:00
    firefox: sandbox with firejail
    TODO: get it so open-in-mpv launches an mpv that has access to ~/.config/mpv
    i guess this is the 'firejail url problem'
ad92a2e158  2024-01-21 04:32:49 +00:00
    programs: abort when no firejail profile is found for a program.
    in the future, i can whitelist specific binaries to omit their firejail
    profiles.
5f5891d241  2024-01-21 04:28:48 +00:00
    programs: apply firejail profile to programs which are net isolated
992194a1f0  2024-01-21 03:51:12 +00:00
    programs: achieve network sandboxing without "sane-vpn do"
bad6a7bfee  2024-01-21 01:04:31 +00:00
    programs: implement "default vpn" with native nix code instead of sane-vpn
66d5e204be  2024-01-21 00:57:46 +00:00
    vpn: enforce "id" restrictions
ce35330923  2024-01-21 00:49:34 +00:00
    vpn.nix: factor into a proper module
    this will allow for better integration with 'sane.programs'
59187a0ec0  2024-01-20 11:11:12 +00:00
    programs: allow running binaries in a netns-style firejail
fd0723169f  2024-01-19 21:34:45 +00:00
    nix-serve: fix coredump loop
43a8ca90a7  2024-01-16 19:12:25 +00:00
    feeds: add Cat and Girl
a5c6e41622  2024-01-14 05:20:28 +00:00
    feeds: subscribe to POD OF JAKE
812a02bc6b  2024-01-14 00:49:29 +00:00
    feeds: add The Dollop podcast
70f059eaac  2024-01-13 16:43:41 +00:00
    feeds: subscribe to Jack Stauber
e2a43ddfa0  2024-01-11 15:59:32 +00:00
    servo: clightning: allow group members to run lightning-cli
cecb114810  2024-01-04 18:47:40 +00:00
    clightning: harden
7378d6c5b2  2024-01-04 16:25:49 +00:00
    bitcoind: host behind tor
43498c62f9  2024-01-03 18:29:16 +00:00
    clightning: integrate with tor
41ae86f40f  2024-01-03 13:56:42 +00:00
    servo: enable clightning
3e52956a3a  2024-01-02 18:32:34 +00:00
    servo: clightning: integrate, but do not enable
28d0a72c62  2024-01-02 14:29:52 +00:00
    define (but don't activate) a clightning bitcoin service
822653ec10  2024-01-01 03:48:06 +00:00
    feeds: vitalik.ca -> vitalik.eth.limo
68502ca944  2024-01-01 03:46:52 +00:00
    feeds: add webcurious.co.uk link aggregator
d18e94ea87  2023-12-14 22:20:30 +00:00
    feeds: subscribe to linmob.net
3467a5df48  2023-12-13 22:31:58 +00:00
    feeds: subscribe to Origin Stories
694dd59e27  2023-12-13 22:29:22 +00:00
    feeds: subscribe to bitsaboutmoney
69bc219efa  2023-12-12 02:14:27 +00:00
    ports: fix systemd RandomizedDelaySec typo
4c5fb74c7d  2023-12-11 04:55:47 +00:00
    feeds: subscribe to kosmosghost
008a6192d4  2023-12-11 04:52:49 +00:00
    mpv: associate with https://youtube.com/...
f7a318c937  2023-12-10 15:18:26 +00:00
    modules/users: fix services to specify PATH with correct precedence
01de6f84cf  2023-12-09 08:14:16 +00:00
    feeds: subscribe to Louis Rossmann
2d06401f3c  2023-12-06 16:19:37 +00:00
    feeds: subscribe to Tom Scott
2db56f2499  2023-12-06 16:18:03 +00:00
    feeds: subscribe to TheB1M
63ea6d7002  2023-12-06 16:16:29 +00:00
    feeds: subscribe to Exurb1a
3e2523cc2c  2023-12-06 16:15:25 +00:00
    feeds: subscribe to Cold Fusion
ad3f5e305e  2023-12-06 16:13:08 +00:00
    feeds: subscribe to Vox
    don't @ me
aa5b9e3db3  2023-12-06 16:09:07 +00:00
    user services: wrap with user PATH
    notably, this allows Fractal to open links with the preferred browser
46123719e9  2023-12-06 16:09:07 +00:00
    feeds: subscribe to Vihart
16bce990c6  2023-12-06 16:09:07 +00:00
    feeds: subscribe to PolyMatter
d55e387187  2023-12-06 16:09:06 +00:00
    feeds: subscribe to Vsauce
e75c3375dc  2023-12-06 16:08:50 +00:00
    feeds: subscribe to Channel5 News
b1c7cb367a  2023-12-06 15:47:39 +00:00
    feeds: subscribe to hbomberguy
d63d660ec2  2023-12-06 15:45:43 +00:00
    feeds: subscribe to ContraPoints
9704dcc997  2023-12-06 15:36:05 +00:00
    feeds: add support for video; subscribe to videos in gpodder
80875d6312  2023-12-06 15:35:38 +00:00
    feeds: subscribe to Technology Connections
4cc5eed884  2023-12-05 04:25:25 +00:00
    feeds: subscribe to srslywrong.com
8f9c9efca1  2023-11-26 02:17:36 +00:00
    feeds: econlib: update feed URL
1cb83032a1  2023-11-26 02:17:23 +00:00
    feeds: postmarketOS: update feed URL
121e86013e  2023-11-23 05:57:23 +00:00
    feeds: add Hard Fork podcast
e0a1dcd51f  2023-11-23 03:56:00 +00:00
    refactor: remove modules/data/keys.nix
758281f772  2023-11-23 03:37:18 +00:00
    modules/feeds: remove unused parameter
23f4b2e2e4  2023-11-23 02:14:18 +00:00
    nixserve: dependency-inject the pubkey
    this is in modules/ dir; shouldn't have that kind of data in it
2d65282643  2023-11-23 02:08:45 +00:00
    nixremote: define the user as part of the nixserve module
77a0a36bb8  2023-11-23 01:59:37 +00:00
    enable remote-building for lappy/moby
3ff9c0ad0c  2023-11-23 01:27:28 +00:00
    add a "nixremote" user for remote building (experimental; builds aren't actually enabled yet)
52b59bcde8  2023-11-19 10:55:51 +00:00
    feeds: add Mic92 (nix dev)
91c2f6fc95  2023-11-18 22:06:42 +00:00
    implement sane.programs.slowToBuild and {moby,desko,lappy}-light targets
    i'm not sure this is the exact right abstraction, but it's a starting point
ad495301c0  2023-11-18 00:23:58 +00:00
    feeds: add Jeff Geerling
cd79be5414  2023-11-10 17:27:51 +00:00
    feeds: remove unused fields
6acd363f55  2023-11-09 00:15:04 +00:00
    sane.persist.root-on-tmpfs -> sane.root-on-tmpfs
23c46079a9  2023-11-08 16:42:25 +00:00
    image: allow configuring the sector size
28d4a4b065  2023-11-08 15:33:15 +00:00
    persistence: move stores behind a byStore attr to support disabling persistence altogether (for e.g. rescue image)
25e314c02e  2023-11-01 04:38:04 +00:00
    blogs: follow artemis.sh
6191542805  2023-10-20 04:48:30 +00:00
    nix-serve: port 5000 -> 5001; prosody: enable proxy65 on port 5000
3942ae0f1b  2023-10-18 21:57:56 +00:00
    feeds: subscribe to Benjamin Mako
fa65b0b92e  2023-10-18 21:53:51 +00:00
    feeds: add Samana Harihareswara
697ae02797  2023-10-18 21:37:12 +00:00
    podcasts: The Daily: port to db
ab35a46e5f  2023-10-18 21:35:36 +00:00
    podcasts: sub Tech Wont Save Us, Trash Future
90b1215a89  2023-10-17 22:46:02 +00:00
    s/types.string/types.str/
827d9626d6  2023-10-17 09:42:13 +00:00
    ports: actually forward ovpns ports into the root namespace
5cfde63d5d  2023-10-11 10:01:15 +00:00
    wowlan: document theory on wake failure
6dd1d5759b  2023-10-10 21:33:34 +00:00
    wowlan: document a new failure mode/workaround
2de947d96e  2023-10-10 09:26:48 +00:00
    wowlan: move the implementation into sxmo_suspend.sh instead of a systemd service
85e5d30b0f  2023-10-10 08:34:02 +00:00
    wowlan module: port to rtl8723cs-wowlan python script
114df5efab  2023-10-10 05:24:57 +00:00
    wowlan: enable CONFIG_ARP_KEEP_ALIVE (experimental)
a9ddfb2752  2023-10-09 00:25:03 +00:00
    WIP: sxmo: port to systemd
4682ca32e2  2023-10-09 00:25:03 +00:00
    wowlan: document another failure
cf553b1386  2023-10-08 00:00:26 +00:00
    wowlan: more documentation
e40cbaf1cf  2023-10-07 21:51:33 +00:00
    wowlan: document more about disconnection detection
19b8c0c923  2023-10-07 21:29:55 +00:00
    wowlan: document known issues
e5125065d6  2023-10-07 04:27:14 +00:00
    eg25-control: add a timeout to how long a power-on can take
6c6e1ee84b  2023-10-03 01:01:06 +00:00
    moby: add gps-related services to the "dialout" group
43fc050eed  2023-09-29 18:23:14 +00:00
    feeds: subscribe to FasterThanLime
bdf049d9e4  2023-09-28 20:55:18 +00:00
    moby: wowlan: also wake on ARP requests (experimental)
9205e076c5  2023-09-28 20:09:04 +00:00
    modules/wowlan: move options to "ipv4" attrset for future protocol expansion
ebbef901c1  2023-09-27 01:32:50 +00:00
    wowlan: document VPN shortcomings
1ef203ee07  2023-09-27 01:30:06 +00:00
    wowlan: docs: caveats
ca645ed23d  2023-09-27 01:26:51 +00:00
    wowlan: remove the version/ip header length match
742ed50960  2023-09-27 01:04:53 +00:00
    moby: configure wake-on-lan
21838afc0d  2023-09-25 23:09:56 +00:00
    feeds: subscribe to turnoff.us
de12a2200e  2023-09-25 12:09:38 +00:00
    feeds: add amosbbatto
083bdad88f  2023-09-24 12:25:04 +00:00
    feeds: update metadata for all
    this should fix a couple of broken feeds whose URL changed, but most changes here are inconsequential
2f7655e1c1  2023-09-15 16:55:27 +00:00
    eg25-control: don't auto-start GPS on boot
    this also means we don't power the modem on boot
    this is OK to do now that i have a toggle in swaync for GPS
71c01795f4  2023-09-15 07:35:05 +00:00
    moby: eg25-control-freshen-agps: fix to actually run hourly
2291c89dbc  2023-09-15 04:47:12 +00:00
    moby: eg25-control: fixup perms & add service that DLs new agps data when stale
1546304b4e  2023-09-15 03:54:01 +00:00
    eg25-control: run as own user
    its perms might still need adjustment so that it can control modem power and write to mmcli
a0c2ed38e6  2023-09-15 01:38:50 +00:00
    eg25-control: allow finer-grained service control
9ad1be40b2  2023-09-13 06:07:04 +00:00
    persist: stores: crypt: remove unrecognized nodev flag
910d0fa59e  2023-09-13 05:13:43 +00:00
    persist: remove the nosuid flag since gocryptfs can't parse it here
7bef6b4089  2023-09-12 05:44:53 +00:00
    modules: users/programs: cleaner option passthrough
8011e78e21  2023-09-12 04:58:56 +00:00
    persist: cryptClearOnBoot: note rare (but predictable) bug during redeploy
3e33313bf0  2023-09-12 04:44:07 +00:00
    programs: add a "services" option which forwards into the user config
6138291a8d  2023-09-12 04:43:23 +00:00
    users: add a "services" option via which to configure per-user systemd services
6addf5a3b2  2023-09-12 04:41:32 +00:00
    fs: symlink: add an option by which to control the symlink target name
0da8d282fe  2023-09-09 02:33:48 +00:00
    feeds: add Andrew Heaton - Political Orphanage
51ecf1b54b  2023-09-05 17:31:33 +00:00
    sxmo: fix sxmo_hook_init.sh -> sxmo_hook_start.sh
f62c844aaf  2023-09-05 17:21:02 +00:00
    modules: fs: allow symlink target to be a path
68bce9c8b7  2023-09-01 00:30:32 +00:00
    ports: if they fail to forward, retry after some interval
ded5d94d69  2023-08-31 12:56:30 +00:00
    modules: fs: add a "text" type to populate static text files when symlinks won't do
ff39fc5d95  2023-08-31 01:02:48 +00:00
    ports: make upnp service files more human-readable