colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity
5,087 Commits 125 Branches 1 Tag 13 MiB
3fd89ec91b
Commit Graph

1279 Commits

Author SHA1 Message Date
Colin
e5e79a6b60 programs: FileMimeInfo: disable sandbox 2024-02-14 13:54:21 +00:00
Colin
95f7eeeb5c programs: libnotify: sandbox with bwrap 2024-02-14 13:49:48 +00:00
Colin
29d638c68b programs: dig: sandbox with bwrap 2024-02-14 13:47:44 +00:00
Colin
7d22a5466f programs: zsh: fix "switch" function to be friendly to sandboxing 2024-02-14 13:45:56 +00:00
Colin
5907d9fa42 Revert "xdg-desktop-portal-gtk: build without support for notifications" 
This reverts commit c9e02bfd8a.

disable notifications at this level did not cause fractal (gtk app) to
send its notifications to swaync. instead, it still tried to deliver to
the Portal, where the Portal wasn't expecting anything and just returned
an error to fractal.

setting `GNOTIFICATION_BACKEND = "freedesktop"` seems to be the correct
way to get gtk apps to behave as desired with their notifications.
 2024-02-14 11:09:37 +00:00
Colin
67fe8d4666 swaync: propagate GNOTIFICATION_BACKEND = "freedesktop" to all users 2024-02-14 11:09:20 +00:00
Colin
c9e02bfd8a xdg-desktop-portal-gtk: build without support for notifications 2024-02-14 10:51:18 +00:00
Colin
03b58b3cab programs: vim: support system copy/paste inside of sandbox 2024-02-14 09:11:31 +00:00
Colin
ae01c17c05 programs: splatmoji: fix to work inside a sandbox again 2024-02-14 09:11:12 +00:00
Colin
677e6e679b programs: sandbox {s,}waylock lockscreen 2024-02-14 08:48:03 +00:00
Colin
3eb47a9a8d programs: swaylock: *partially* sandbox with capsh 2024-02-14 05:46:36 +00:00
Colin
f11e443678 programs: waylock: *partially* sandbox with capsh 2024-02-14 05:46:28 +00:00
Colin
8f8ec090c4 programs: add "waylock" 2024-02-14 05:01:33 +00:00
Colin
e174eaeff0 programs: loupe: fix sandboxing 2024-02-14 04:32:10 +00:00
Colin
f12b7afa1e programs: mimeo: dont sandbox 2024-02-14 01:51:26 +00:00
Colin
080bd856ec programs: sandboxing: only permit wayland socket access to those specific apps which require it 2024-02-14 01:49:49 +00:00
Colin
2d7c5b9fa5 programs: mpv: explicitly add Videos/servo, Books/servo to sandbox 2024-02-13 15:38:57 +00:00
Colin
83cb29aeeb xdg-utils: re-add mimetype package 2024-02-13 12:31:04 +00:00
Colin
1a18ed533b programs: don't include dbus in the sandbox by default 2024-02-13 11:58:33 +00:00
Colin
18eec98cae programs: brightnessctl: switch to landlock 2024-02-13 11:58:33 +00:00
Colin
82c386a6a4 programs: tor-browser-bundle-bin -> tor-browser 
they're the same (aliased), only my programs API expects 'tor-browser' specifically
 2024-02-13 11:58:33 +00:00
Colin
634dc318cd programs: spotify: remove old/unused firejail config 2024-02-13 11:15:30 +00:00
Colin
6eaaeeb91a programs: remove audio from the sandbox by default 2024-02-13 11:14:38 +00:00
Colin
94be4a7551 programs: wob: fix service definition (Exec -> ExecStart) 2024-02-13 11:03:18 +00:00
Colin
b4a20da78a programs: brightnessctl: sandbox 2024-02-13 10:55:44 +00:00
Colin
bb68506839 modules/programs: add separate "user" v.s. "system" options for whitelistDbus 2024-02-13 10:55:10 +00:00
Colin
77e2af0ed9 programs: krita: enable sandbox 2024-02-13 10:36:42 +00:00
Colin
126f3e4922 programs: sandboxing: restrict /run/user dir to just dbus/pipewire/pulse/wayland, by default 2024-02-13 10:28:30 +00:00
Colin
371af5939e programs: mpv: tighten the /run/user portion of the sandbox 2024-02-12 15:24:07 +00:00
Colin
e94e338040 programs: handbrake: remove unneeded Pictures/servo-macros from sandbox 2024-02-12 12:54:41 +00:00
Colin
354ce378f6 programs: assorted: convert /mnt/servo "extraPaths" into "extraHomePaths" where possible 2024-02-12 12:54:16 +00:00
Colin
f9a998eb92 programs: koreader: remove "sandbox.embedProfile = true" 
i guess this was set while i was debugging
 2024-02-12 11:33:55 +00:00
Colin
1e05119adc mpv: fix loading of album art within sandbox 2024-02-12 08:59:46 +00:00
Colin
e81df0ac86 modules/programs: enforce that user services don't accidentally override PATH 2024-02-12 08:44:55 +00:00
Colin
b19492ba23 programs: mpv: add .config/mpv to sandbox paths 2024-02-12 08:26:51 +00:00
Colin
8b26fa1303 programs: wob: split the script into an actual package 2024-02-12 08:26:51 +00:00
Colin
6b3a71aadf programs: xdg-desktop-portal: dont show app chooser for apps which are the default association 2024-02-12 07:12:04 +00:00
Colin
66ca822ac1 remove xdg-desktop-portal-gtk service; xdg-desktop-portal knows how to start that itself 2024-02-12 01:33:34 +00:00
Colin
db7a414030 xdg-desktop-portal(s): dont install globally 2024-02-12 01:16:17 +00:00
Colin
87050a0500 feeds: add "FullTimeNix" podcast :) 2024-02-12 00:09:49 +00:00
Colin
bf53e3628a xdg-utils: cleanup 2024-02-11 23:57:50 +00:00
Colin
d35f938806 mime.nix: fix cross build 2024-02-11 23:44:55 +00:00
Colin
d719eb0f11 programs: gPodder: enable Videos/gPodder in sandbox 2024-02-11 23:37:16 +00:00
Colin
0fbc10fce3 mime: store mime associations in ~/.local/share/applications instead of /run/current-system/sw/share/applications to facilitate sandboxing 2024-02-11 23:31:43 +00:00
Colin
772f1070e7 xdg-desktop-portal: configure myself, to unblock future portal-related work 2024-02-11 23:29:07 +00:00
Colin
590a239f7d programs: gpodder: sandbox with bwrap 
which we can do, now that xdg-open works correctly within sandboxes
 2024-02-09 10:31:42 +00:00
Colin
bcbc57f5ef programs: get xdg-open to work from within sandboxes 
note that implementation may have a quirk that applications launched via the portal cannot themselves "xdg-open" through the portal, because of the environment variable manipulation.

not sure how best to address that.
 2024-02-09 10:27:30 +00:00
Colin
c9af5bf9b4 programs: sandboxing: enable net isolation for most sandboxed programs 2024-02-08 21:51:32 +00:00
Colin
f6ca6210f9 feeds: link to podcastindex.org 2024-02-07 21:47:19 +00:00
Colin
0c050d1953 programs: fuzzel: fix overly-aggressive sandboxing 2024-02-06 20:10:29 +00:00
Colin
2fc1fe7510 modules/programs: make-sandboxed: fix that /share/* was being linked into top-level /; better way to enforce sandboxing of /share entries 2024-02-06 19:55:55 +00:00
Colin
5fbf66fb15 programs: loupe: sandbox with bwrap 2024-02-06 06:05:32 +00:00
Colin
97d50629e9 programs: handbrake: sandbox with landlock 2024-02-06 05:48:54 +00:00
Colin
5f8699fcef rearrange /mnt structure for host-based subdirs 
e.g. /mnt/servo/media, /mnt/desko/home, etc
 2024-02-06 05:48:11 +00:00
Colin
5ff7bf0c69 programs: fuzzel: sandbox 2024-02-06 02:34:46 +00:00
Colin
2495200b67 tidy: programs: wget: remove warning about the sandbox being untested 2024-02-06 01:34:40 +00:00
Colin
4c499629f5 programs: vvvvvv: sandbox with bwrap 2024-02-06 01:34:04 +00:00
Colin
7b9f54dd54 programs: superTux: sandbox with bwrap 2024-02-06 01:16:36 +00:00
Colin
bda932c3df programs: supertuxkart: sandbox with bwrap 2024-02-06 01:10:39 +00:00
Colin
1c4e2f97fe swaylock: mark sandboxing as unsupported 2024-02-05 23:36:35 +00:00
Colin
594a729968 feeds: remove balaji 2024-02-05 22:48:09 +00:00
Colin
6eb2a3d67f programs: handbrake: sandbox with bwrap 2024-02-05 22:28:15 +00:00
Colin
ddc41bc9d8 programs: pavucontrol/pwvucontrol: sandbox with bwrap 2024-02-05 22:15:48 +00:00
Colin
7d833ebf76 programs: kdenlive: sandbox with bwrap 2024-02-05 22:07:37 +00:00
Colin
bfc0eadfaa programs: hitori: sandbox with bwrap 2024-02-05 21:52:57 +00:00
Colin
ff1cbcc16b programs: gnome-clocks,gnome-calendar: sandbox with bwrap 2024-02-05 21:46:27 +00:00
Colin
9a8d8a20bd programs: frozen-bubble: persist data and sandbox with bwrap 2024-02-05 21:32:58 +00:00
Colin
cd1d22e7b9 programs: gnome-calculator: sandbox with bwrap 2024-02-05 20:58:38 +00:00
Colin
2c0e93826d programs: gimp: sandbox with bwrap 2024-02-05 20:53:05 +00:00
Colin
cab346f3ad programs: delfin: sandbox with bwrap 2024-02-05 20:44:47 +00:00
Colin
a2decaff9c programs: bemenu: sandbox with landlock 2024-02-05 18:41:52 +00:00
Colin
8ef9f7a485 epiphany: persist dconf settings; reduce sandboxer errors 2024-02-05 18:31:38 +00:00
Colin
12846732b9 programs: blanket: sandbox with bwrap 2024-02-05 18:26:21 +00:00
Colin
e84079e84c programs: firefox: allow sandbox access to ~/dev 2024-02-05 18:17:49 +00:00
Colin
45ffd9246d programs: brave: sandbox with bwrap 2024-02-05 18:17:28 +00:00
Colin
ed3935318d feeds: subscribe to non-paywalled Matt Levine 2024-02-05 16:41:38 +00:00
Colin
6d1eae2200 programs: gnome-2048: sandbox with bwrap 2024-02-05 08:26:06 +00:00
Colin
293eab8225 koreader: use modern openssl 2024-02-04 20:05:02 +00:00
Colin
abdbb83e10 koreader: replace vendored dependencies with their nixpkgs equivalents much more effectively 
the old method was still causing everything to be re-compiled within koreader, rather than linking against the nix store.

decreases build time to about 3m on a desktop
 2024-02-04 19:39:32 +00:00
Colin
dc74bca06a programs: vim: add private/knowledge to sandbox 2024-02-03 23:53:53 +00:00
Colin
42523b75a8 programs: gdb: disable sandboxing 2024-02-03 23:53:34 +00:00
Colin
111946eb1d programs: vim, imagemagick: fix sandboxing to consider uncreated files 2024-02-03 14:07:53 +00:00
Colin
14b20fd9c2 programs: komikku: fix sandboxing 2024-02-03 00:52:17 +00:00
Colin
2df1b20f02 programs: epiphany: simplify the sandboxing 2024-02-03 00:44:23 +00:00
Colin
2f9fad503c programs: fix sandboxing errors for programs which create files (notably: ffmpeg) 2024-02-03 00:17:54 +00:00
Colin
56734fe5da mpv: add /dev/dri to the sandbox 2024-02-02 19:18:30 +00:00
Colin
3c96f6d418 programs: koreader: enable DRI in the sandbox, and use wrappedDerivation 2024-02-02 17:22:57 +00:00
Colin
86b23e8183 programs: fractal: enable DRI in sandbox 2024-02-02 17:19:35 +00:00
Colin
6151eee8d5 programs (assorted): fix wantedBy = "default.target" to be more specific 
now GUI apps aren't stuck in a restart loop until sway starts

in particular, signal-desktop can actually be autostarted
 2024-02-02 14:21:57 +00:00
Colin
2824671bde tune nix deploy parameters (specifically for moby) 
this is experimental; hard to understand immediately how significant are the effects
 2024-02-02 00:50:25 +00:00
Colin
efcaef2c35 lappy/desko/servo: downgrade kernel 6.7 -> 6.6 (latest supported by zfs) 2024-02-01 16:21:46 +00:00
Colin
3100189172 purge supercap 
i no longer have access to dispatch build jobs to it :((((
 2024-02-01 15:36:37 +00:00
Colin
715ac42f13 remove samba from closure 
current samba hangs during configurePhase. this is not the first time samba has failed to build. nor the third. purge it.
 2024-02-01 15:28:40 +00:00
Colin
a9810e7343 re-ship linux 6.7 to lappy/desko/servo 
now that landlock-sandboxer builds against the correct linux headers,
this can actually work.
 2024-02-01 13:54:44 +00:00
Colin
00f995aec9 fixup landlock-sandboxer to work well for all systems 
downgrade lappy/desko/servo back to default linux; zfs doesn't support latest

build landlock-sandboxer against the specific kernel being deployed; it's less noisy that way
 2024-01-31 21:19:10 +00:00
Colin
368eb2c29b programs: git: whitelist more repo roots 2024-01-31 21:17:48 +00:00
Colin
5f793523d1 ship linux 6.7 to lappy/desko/servo 2024-01-31 20:33:15 +00:00
Colin
30288cd67f user: add CAP_NET_ADMIN,CAP_NET_RAW even outside of systemd session 
in fact, *only* outside of systemd session because they broke ambient caps in 255
 2024-01-31 15:42:43 +00:00
Colin
8736ca478b programs: firefox: allow access to servo image-macros 2024-01-31 15:36:09 +00:00
Colin
cb3960fb21 programs: git: fix access to ~/private/knowledge 2024-01-31 15:35:21 +00:00