|
dae7785ee2
|
wireshark: remove dead code
|
2024-01-27 09:04:08 +00:00 |
|
|
27f3b2bd76
|
firefox: allow ~/tmp and ~/Pictures access
|
2024-01-27 06:00:46 +00:00 |
|
|
3e6278fa21
|
wireshark: sandbox with landlock instead of firejail
and remove the SUID wrapper, yay!
|
2024-01-27 04:44:21 +00:00 |
|
|
8ecb17ed3e
|
programs: enable libcap_ng/netcap
|
2024-01-26 09:13:20 +00:00 |
|
|
c4874c85b1
|
bubblewrap: debugging
|
2024-01-26 09:13:00 +00:00 |
|
|
563a75e9b2
|
users: launch entire systemd --user namespace with cap_net_admin, cap_net_raw
this should make sandboxing wireshark *much* easier, and same with things which require net namespaces, in the future
|
2024-01-25 15:05:35 +00:00 |
|
|
79e2bd2913
|
epiphany: sandbox with bwrap
this is the first app which *requires* DRI/DRM to function correctly. maybe this affects anything webkitgtk (like wike)?
|
2024-01-24 06:25:20 +00:00 |
|
|
95161b55cd
|
spot: sandbox with bwrap
|
2024-01-24 05:47:04 +00:00 |
|
|
d91759068c
|
element-desktop: sandbox with bwrap
|
2024-01-24 05:37:46 +00:00 |
|
|
c23c496066
|
programs: tuba: sandbox with bwrap
it complains "Fontconfig error: No writable cache directories"
seeeeeveral times. not sure if that's new or not. no obvious
consequences.
|
2024-01-24 05:34:10 +00:00 |
|
|
f8e8d23857
|
vlc: sandbox with bwrap instead of firejail
|
2024-01-24 05:19:20 +00:00 |
|
|
8484bb7978
|
docs: mime: document how to show the nix mime associations
|
2024-01-24 05:00:35 +00:00 |
|
|
0e99b296bc
|
animatch: remove the (unused) .config directory
|
2024-01-24 02:18:58 +00:00 |
|
|
d0e1241bd1
|
animatch: fix to run on wayland w/o Xwayland, and enable bwrap sandbox
|
2024-01-24 01:43:33 +00:00 |
|
|
c1a0a08b76
|
gtkcord4: sandbox with bwrap
|
2024-01-24 00:12:12 +00:00 |
|
|
7cf9b342cc
|
gpodder: fixup GPODDER_DOWNLOAD_DIR to be more friendly to sandboxing
|
2024-01-23 16:44:47 +00:00 |
|
|
8739851f48
|
evince: port sandbox from firejail to bwrap
|
2024-01-23 16:44:13 +00:00 |
|
|
d945b43f6b
|
signal-desktop: switch sandbox from firejail -> bwrap
|
2024-01-23 16:42:48 +00:00 |
|
|
ccf4f66dd9
|
programs: dialect: sandbox with bubblewrap
|
2024-01-23 16:23:14 +00:00 |
|
|
b38e5403a5
|
splatmoji: sandbox
|
2024-01-23 16:01:27 +00:00 |
|
|
09af041745
|
g4music: ensure it can access the Music dir in its sandbox
|
2024-01-23 16:00:21 +00:00 |
|
|
cb5131746f
|
programs: audacity: sandbox with bubblewrap
|
2024-01-23 15:59:50 +00:00 |
|
|
bfd5630e21
|
programs: sandbox: omit media dirs by default, and implement --sane-sandbox-autodetect for programs which are liable to load data from paths
|
2024-01-23 15:48:12 +00:00 |
|
|
026f5dee4d
|
programs: g4music: sandbox with bwrap
|
2024-01-23 15:06:45 +00:00 |
|
|
b59be8338a
|
firefox: fix up sandboxing of ssh/sops
|
2024-01-23 14:57:57 +00:00 |
|
|
ab4bbc2224
|
programs: remove explicit firejail installation; let sane.programs decide when to install it sys-wide
|
2024-01-23 14:57:33 +00:00 |
|
|
156fcd1bf2
|
aerc: enable bwrap sandbox
|
2024-01-23 14:57:33 +00:00 |
|
|
bb63a594ab
|
conky: fixup needed paths for bwrap
|
2024-01-23 14:57:33 +00:00 |
|
|
f148334b58
|
programs: port extraFirejailConfig to extraConfig
|
2024-01-23 14:57:33 +00:00 |
|
|
da537ea8ea
|
fractal: switch from firejail -> bwrap
|
2024-01-23 14:13:09 +00:00 |
|
|
18d224dc34
|
dino: switch from firejail to bwrap
|
2024-01-23 14:12:52 +00:00 |
|
|
38fd171713
|
spotify: sandbox with bwrap instead of firejail
|
2024-01-23 12:12:56 +00:00 |
|
|
84c78d9256
|
conky: sandbox with bwrap instead of firejail
|
2024-01-23 12:11:22 +00:00 |
|
|
973203d85e
|
programs: mpv: sandbox with bwrap instead of firejail
|
2024-01-23 11:37:37 +00:00 |
|
|
f9174dd2aa
|
programs: firefox: sandbox with bwrap instead of firejail
|
2024-01-23 11:37:19 +00:00 |
|
|
0bed4d0ada
|
mpv: disable firejail sandboxing (it fails on moby)
|
2024-01-23 01:01:21 +00:00 |
|
|
f3e8af3fdb
|
doc: libreoffice: mention "still" v.s. "fresh" variants
|
2024-01-23 01:00:34 +00:00 |
|
|
af542ec05f
|
docs: gnome-keyring: point out that system gnome-keyring doesn't inherit my sandboxing
|
2024-01-23 01:00:06 +00:00 |
|
|
399a1d2052
|
steam: use wrapped package as system steam
|
2024-01-23 00:59:23 +00:00 |
|
|
bb6e5611d4
|
docs: conky: point out that un-sandboxed conky is used by sxmo-utils
|
2024-01-23 00:58:56 +00:00 |
|
|
c11f5a1401
|
wireshark: fix security.wrappers when wireshark is disabled
|
2024-01-22 23:58:04 +00:00 |
|
|
5b220f3fec
|
wireshark: enable firejail isolation
|
2024-01-22 13:12:10 +00:00 |
|
|
df861a3ef0
|
programs: firejail: inject custom firejail config through /etc/firejail
this improves rebuild times, and makes it easier for packages to inject their own free-form config
|
2024-01-22 11:12:18 +00:00 |
|
|
d6754b6cac
|
evince: sandbox with firejail
|
2024-01-22 10:20:29 +00:00 |
|
|
b03d7f7fb0
|
geary: test the firejail profile; it's not ready
|
2024-01-22 10:04:18 +00:00 |
|
|
008b186479
|
audacity: test the firejail profile; it's not ready
|
2024-01-22 10:04:03 +00:00 |
|
|
914f9b3703
|
vlc: sandbox with firejail
|
2024-01-22 09:47:24 +00:00 |
|
|
ed7ec4a371
|
conky: sandbox with firejail
|
2024-01-22 09:31:00 +00:00 |
|
|
2d338201a5
|
signal-desktop: sandbox with firejail
TODO: fix URL opening / xdg-open
|
2024-01-22 09:30:34 +00:00 |
|
|
a8aad1f98f
|
dino: sandbox with firejail
TODO: fix URL opening / xdg-open
|
2024-01-22 09:30:13 +00:00 |
|
|
2d06b93118
|
fractal: sandbox with firejail
TODO: seems this broke link opening? (xdg-open?)
|
2024-01-22 09:28:50 +00:00 |
|
|
60547204a8
|
sane.programs: firejail: support wrapping "runCommand" packages
|
2024-01-22 09:16:25 +00:00 |
|
|
3d763a0021
|
tor-browser-bundle-bin -> tor-browser
upstream nixpkgs just has tor-browser-bundle-bin as an alias for tor-browser
|
2024-01-22 08:13:37 +00:00 |
|
|
0f3f0933b1
|
mpv: sandbox with firejail
|
2024-01-22 03:50:28 +00:00 |
|
|
f8440e3811
|
go2tv: allow more ports through the firewall
|
2024-01-22 03:50:04 +00:00 |
|
|
9ecd0adcbe
|
firefox: sandbox with firejail
TODO: get it so open-in-mpv launches an mpv that has access to ~/.config/mpv
i guess this is the 'firejail url problem'
|
2024-01-21 23:59:15 +00:00 |
|
|
cf475c4696
|
nicotine-plus: remove distro-specific symlink
|
2024-01-21 03:56:33 +00:00 |
|
|
ce35330923
|
vpn.nix: factor into a proper module
this will allow for better integration with 'sane.programs'
|
2024-01-21 00:49:34 +00:00 |
|
|
59187a0ec0
|
programs: allow running binaries in a netns-style firejail
|
2024-01-20 11:11:12 +00:00 |
|
|
7d670facd4
|
feeds: sort
|
2024-01-19 21:38:45 +00:00 |
|
|
61e5704fd6
|
feeds: unsub LW
too verbose, and too many of y'all turned into authoritarians
|
2024-01-19 21:38:14 +00:00 |
|
|
fd0723169f
|
nix-serve: fix coredump loop
|
2024-01-19 21:34:45 +00:00 |
|
|
a725d42bf5
|
ip_forward: consolidate the options to fix servo build
|
2024-01-19 21:34:18 +00:00 |
|
|
c03cea2d4e
|
net/vpn.nix: cleanup dead code
|
2024-01-19 09:58:13 +00:00 |
|
|
f43d6bff92
|
route VPN traffic such that i can configure any app to selectively use the VPN
e.g. firejail --net=br-ovpnd-us-mi --noprofile --dns=46.227.67.134 getent ahostsv4 uninsane.org
|
2024-01-19 09:54:01 +00:00 |
|
|
43a8ca90a7
|
feeds: add Cat and Girl
|
2024-01-16 19:12:25 +00:00 |
|
|
851c15aa6d
|
vpn: port ovpnd connections to use systemd-network
this should allow better integration with e.g. systemd-run, in future
|
2024-01-16 03:20:40 +00:00 |
|
|
c45898f903
|
WIP: wg-dev
|
2024-01-15 04:15:17 +00:00 |
|
|
0efec20904
|
hosts/common/net/vpn: remove unused "extraOptions" argument
|
2024-01-15 03:52:31 +00:00 |
|
|
5b9c58dbc6
|
hosts/common: use servo-style dns on all machines
it'll be handy as i want to place individual applications inside VPNs/namespaces
|
2024-01-15 01:16:22 +00:00 |
|
|
a7964c4f0c
|
hosts/common: net: split upnp config into own file
|
2024-01-15 01:12:09 +00:00 |
|
|
006a7e9f72
|
consolidate net-related stuff into hosts/common/net/ directory
|
2024-01-15 01:11:13 +00:00 |
|
|
3856710faf
|
net: annotate the UPNP rule
|
2024-01-15 01:08:10 +00:00 |
|
|
34bcdb5128
|
firefox: disable kinetic scrolling
|
2024-01-14 20:34:14 +00:00 |
|
|
a5c6e41622
|
feeds: subscribe to POD OF JAKE
|
2024-01-14 05:20:28 +00:00 |
|
|
812a02bc6b
|
feeds: add The Dollop podcast
|
2024-01-14 00:49:29 +00:00 |
|
|
27898ecdc8
|
feeds: unsubscribe from Louis Rossman
his channel is kinda just the same idea played over and over
|
2024-01-14 00:36:52 +00:00 |
|
|
70f059eaac
|
feeds: subscribe to Jack Stauber
|
2024-01-13 16:43:41 +00:00 |
|
|
aebd11ea82
|
alacritty: port config: yaml to toml
|
2024-01-12 03:24:55 +00:00 |
|
|
e2a43ddfa0
|
servo: clightning: allow group members to run lightning-cli
|
2024-01-11 15:59:32 +00:00 |
|
|
e63438bedf
|
feeds: disable The Linux Experience
|
2024-01-09 00:45:18 +00:00 |
|
|
4ce93f74c6
|
wob: add debug logging
|
2024-01-04 17:07:47 +00:00 |
|
|
09b806d7a7
|
go2tv: document youtube workarounds
|
2024-01-04 16:26:25 +00:00 |
|
|
ca3f97ec51
|
docs: go2tv: elaborate seeking limitations
|
2024-01-04 16:25:49 +00:00 |
|
|
daf046861c
|
wob: implement as part of sway instead of exclusive to sxmo
|
2024-01-04 13:08:20 +00:00 |
|
|
22f5853741
|
firefox: remove unused functions
|
2024-01-03 14:59:59 +00:00 |
|
|
fe217f6667
|
firefox: disable ctrl+shift+c shortcut more broadly
|
2024-01-03 14:59:27 +00:00 |
|
|
41ae86f40f
|
servo: enable clightning
|
2024-01-03 13:56:42 +00:00 |
|
|
75b649543a
|
firefox: enable ctrl-shift-c-should-copy extension
|
2024-01-03 13:42:58 +00:00 |
|
|
041855dbc7
|
zsh: fix broken <del> and <ctrl>+<arrow> keybindings
|
2024-01-03 13:07:29 +00:00 |
|
|
6471524f4a
|
programs: zecwallet-lite: move to own file
|
2024-01-01 15:17:51 +00:00 |
|
|
8d0707699c
|
mpv/vlc: associate with flv video type
|
2024-01-01 11:48:18 +00:00 |
|
|
6d8b6c61a2
|
feeds: sort
|
2024-01-01 03:56:25 +00:00 |
|
|
822653ec10
|
feeds: vitalik.ca -> vitalik.eth.limo
|
2024-01-01 03:48:06 +00:00 |
|
|
68502ca944
|
feeds: add webcurious.co.uk link aggregator
|
2024-01-01 03:46:52 +00:00 |
|
|
103d11a87c
|
net: fix broken firewall/ipset setup
|
2023-12-31 14:25:36 +00:00 |
|
|
f9361af41c
|
go2tv: remove firewall fix and allow SSDP at the iptables layer
|
2023-12-30 06:16:17 +00:00 |
|
|
b0ddb1b31c
|
conky: use the same percent symbol even in battery_estimate
|
2023-12-28 17:43:34 +00:00 |
|
|
70ee98736a
|
conky/battery_estimate: handle the static state better
|
2023-12-28 17:35:33 +00:00 |
|
|
5de06cef35
|
conky: fix text substitutions
|
2023-12-28 17:07:29 +00:00 |
|