|
530664294a
|
programs: sandbox: always specify --sanebox-profile-dir instead of loading from XDG_DATA_DIRS
|
2024-05-15 08:54:16 +00:00 |
|
|
b649071d98
|
programs: sandboxing: make the profiles be generic across users
this is a step toward making the profile not even be dynamically loaded, since its content is no longer dynamic :)
|
2024-05-15 08:48:09 +00:00 |
|
|
ea2653b7ce
|
programs: sandboxing: pass home- and runtime-relative paths to the sandboxer, instead of making absolute first
|
2024-05-15 08:20:09 +00:00 |
|
|
4c1b1282d6
|
modules/programs: sandbox: be compatible with systemd resolved again
|
2024-05-15 02:57:40 +00:00 |
|
|
adfaa7f9c1
|
sane-sandboxed -> sanebox
|
2024-05-15 01:41:40 +00:00 |
|
|
66f73c92bd
|
trust-dns: asSystemResolver: listen also on ipv6 address
|
2024-05-14 23:38:01 +00:00 |
|
|
d5e8974a4a
|
refactor: trust-dns: listenAddrs -> listenAddrsIpv4
|
2024-05-14 23:22:50 +00:00 |
|
|
f3cf9e0bed
|
trust-dns: set it to NOT be the system resolver for servo
trust-dns recursor is too beta for servo
|
2024-05-14 09:03:10 +00:00 |
|
|
3a7c9022af
|
trust-dns: bump StartLimitBurst so systemd doesnt abort the service too early
|
2024-05-14 08:50:37 +00:00 |
|
|
2a199bf373
|
trust-dns: recursor: merge DHCP DNS servers from all non-downed connections
otherwise overwriting the toml configs gets messy, when interfaces come up in unpredictable order
|
2024-05-14 08:25:59 +00:00 |
|
|
53198128e8
|
trust-dns: hook NetworkManager for state changes
there may be some edgecases to sort out around e.g. first-run,
but so far it seems to be importing the DHCP search zones :)
|
2024-05-14 07:42:41 +00:00 |
|
|
bee3eea040
|
modules/programs: sandbox: remove no-longer-needed /run/systemd/resolve from sandbox
|
2024-05-14 04:18:29 +00:00 |
|
|
39eb1d150a
|
dns: deploy trust-dns as the default recursive resolver
outstanding issues: native.uninsane.org doesn't resolve. appears possibly to be an issue with following CNAMEs
|
2024-05-14 04:18:29 +00:00 |
|
|
f3106ee316
|
programs: maxBuildCost: fix to actually build everything by default
|
2024-05-13 22:57:40 +00:00 |
|
|
43d32641f3
|
programs: buildCost: introduce a new level between min and light
|
2024-05-13 22:45:33 +00:00 |
|
|
2ae286ff75
|
nixpkgs: 2024-05-08 -> 2024-05-13, nixpkgs-wayland, sops-nix
```
• Updated input 'nixpkgs-next-unpatched':
'github:nixos/nixpkgs/c8e3f684443d7c2875ff169f6ef2533534105e7b' (2024-05-08)
→ 'github:nixos/nixpkgs/6a217e9b1d39415076c7a6cfc44be5e935e7a839' (2024-05-13)
• Updated input 'nixpkgs-unpatched':
'github:nixos/nixpkgs/a751e2faa2fc94c1337c32aaf6a6e417afe90be9' (2024-05-08)
→ 'github:nixos/nixpkgs/6bc8c8a7ac13182ee24a5e2caab7ad739f1c55c5' (2024-05-13)
• Updated input 'nixpkgs-wayland':
'github:nix-community/nixpkgs-wayland/7dc8fb2aa7db995ac1ce2a8f2f8d8784b2af591c' (2024-05-08)
→ 'github:nix-community/nixpkgs-wayland/5f7272dff81558143f93e2cb32189a52ef965892' (2024-05-13)
• Updated input 'nixpkgs-wayland/lib-aggregate':
'github:nix-community/lib-aggregate/26fabca301e1133abd3d9192b1bcb6fb45b30f1d' (2024-05-05)
→ 'github:nix-community/lib-aggregate/09883ca828e8cfaacdb09e29190a7b84ad1d9925' (2024-05-12)
• Updated input 'nixpkgs-wayland/lib-aggregate/nixpkgs-lib':
'github:nix-community/nixpkgs.lib/4b620020fd73bdd5104e32c702e65b60b6869426' (2024-05-05)
→ 'github:nix-community/nixpkgs.lib/58e03b95f65dfdca21979a081aa62db0eed6b1d8' (2024-05-12)
• Updated input 'nixpkgs-wayland/nix-eval-jobs':
'github:nix-community/nix-eval-jobs/7b6640f2a10701bf0db16aff048070f400e8ea7c' (2024-04-23)
→ 'github:nix-community/nix-eval-jobs/63154bdfb22091041b307d17863bdc0e01a32a00' (2024-05-09)
• Updated input 'nixpkgs-wayland/nix-eval-jobs/nixpkgs':
'github:NixOS/nixpkgs/1e1dc66fe68972a76679644a5577828b6a7e8be4' (2024-04-22)
→ 'github:NixOS/nixpkgs/ad7efee13e0d216bf29992311536fce1d3eefbef' (2024-05-06)
• Updated input 'sops-nix':
'github:Mic92/sops-nix/893e3df091f6838f4f9d71c61ab079d5c5dedbd1' (2024-05-06)
→ 'github:Mic92/sops-nix/b6cb5de2ce57acb10ecdaaf9bbd62a5ff24fa02e' (2024-05-12)
• Updated input 'sops-nix/nixpkgs-stable':
'github:NixOS/nixpkgs/b980b91038fc4b09067ef97bbe5ad07eecca1e76' (2024-05-04)
→ 'github:NixOS/nixpkgs/8e47858badee5594292921c2668c11004c3b0142' (2024-05-11)
```
|
2024-05-13 22:45:33 +00:00 |
|
|
46d95805e9
|
programs: simplify sandbox symlink closure code
|
2024-05-13 07:49:00 +00:00 |
|
|
bd3e06982b
|
sane-sandboxed: tweak symlink caching to allow /run/current-system to be bind-mounted instead of symlinked
|
2024-05-13 02:11:47 +00:00 |
|
|
660ba94c7c
|
sane-sandboxed: introduce a symlink cache to reduce readlink calls even more
it's all a bit silly. i still do a bunch of -L tests: i just avoid the costly readlink fork :|
|
2024-05-13 01:31:30 +00:00 |
|
|
954c5c8344
|
trust-dns: fix so it starts as part of boot
|
2024-05-09 07:19:17 +00:00 |
|
|
8d8bf00a34
|
s6-rc: use s6-rc stop instead of exiting 125 in the no-restart branch of "restartCondition = on-failure"
exiting 125 stops the service, but does NOT put it in the down state, preventing it from being re-started
|
2024-05-07 15:24:14 +00:00 |
|
|
4f56acc316
|
s6-rc: implement restartCondition to allow restarting of the service only on failure
|
2024-05-07 15:01:40 +00:00 |
|
|
fdf1b20368
|
s6-rc: propagate service status out of run script
|
2024-05-07 12:50:09 +00:00 |
|
|
889b332ade
|
trust-dns: split the parts which are generalizable into their own file
i can try to build this into a recursive resolver for *all* my hosts
|
2024-04-30 14:35:56 +00:00 |
|
|
9021ab9f05
|
s6: fix oneshot service runner
the runner previously couldn't find the 'live' directory, where the service state lives. now it can
|
2024-04-27 08:05:54 +00:00 |
|
|
79bba42768
|
s6-rc: fix oneshot services to generate up , not run
|
2024-04-27 06:33:24 +00:00 |
|
|
8dd4fe06f3
|
s6: longshot -> longrun (typo)
|
2024-04-27 05:22:35 +00:00 |
|
|
19115dfb65
|
eg25-control: port to s6 (hopefully)
|
2024-04-26 21:44:13 +00:00 |
|
|
46a513b263
|
feeds: subscribe to SamuelDR
|
2024-04-26 17:19:38 +00:00 |
|
|
7843f9650a
|
feeds: subscribe to The Amp Hour (podcast)
|
2024-04-25 05:54:10 +00:00 |
|
|
82dce71b9c
|
feeds: add microarch.club podcast
|
2024-04-25 05:51:52 +00:00 |
|
|
a59a7b5346
|
feeds: podcasts: add Tech Tales
|
2024-04-19 21:46:03 +00:00 |
|
|
40af93a7fb
|
feeds: add apenwarr
|
2024-04-18 17:29:50 +00:00 |
|
|
2eea562d1f
|
sandbox: remove unused "binMap" option
|
2024-04-15 19:56:33 +00:00 |
|
|
0385c09f23
|
sane-sandboxed: split out into an actual package
|
2024-04-15 18:57:22 +00:00 |
|
|
2d74d0725d
|
feeds: podcasts: add Money Stuff
|
2024-04-14 20:39:53 +00:00 |
|
|
4b22fd95bf
|
introduce 'moby-min' host variant for the quickest deployment (no webkitgtk)
|
2024-04-13 20:29:24 +00:00 |
|
|
527a9e7612
|
feeds: add The Side View
|
2024-04-10 04:47:34 +00:00 |
|
|
3686e6e508
|
feeds: subscribe to Future of Coding
|
2024-04-10 03:06:30 +00:00 |
|
|
fe4b6c36c4
|
feeds: subscribe to jwz.org
|
2024-04-09 03:55:25 +00:00 |
|
|
a814832e48
|
feeds: add Hacker Public Radio podcast
|
2024-04-02 19:34:42 +00:00 |
|
|
74e994598e
|
feeds: add David Revoy
|
2024-03-31 20:28:41 +00:00 |
|
|
856b6fcd7a
|
feeds: add Willow
|
2024-03-31 18:20:49 +00:00 |
|
|
89d4b0ae0b
|
s6-rc: don't tee to /dev/stderr, as i don't want any logs going to the console and interfering with text entry
|
2024-03-31 05:20:33 +00:00 |
|
|
eff37765ae
|
sane.image: fix so imgs.moby includes a working bootloader
|
2024-03-31 03:24:33 +00:00 |
|
|
32e691b85b
|
feeds: add Hardcore Software by Steven Sinofsky
|
2024-03-26 14:08:13 +00:00 |
|
|
6c5b32aac2
|
s6-rc: fix so the service manager knows about readiness notifications again
|
2024-03-26 13:34:38 +00:00 |
|
|
f59dd99470
|
s6-rc: init services in the "down" state
|
2024-03-26 12:55:40 +00:00 |
|
|
55c8a98c33
|
s6-rc: pre-compute more stuff as nix exprs; don't even run s6-rc-init
|
2024-03-26 12:36:46 +00:00 |
|
|
5cd9f34884
|
s6-rc: remove more unnecessarily files from live dir
|
2024-03-26 00:45:24 +00:00 |
|
|
2cabe51956
|
s6-rc: remove a couple more unused files from the live dir
|
2024-03-26 00:22:14 +00:00 |
|
|
cb8e9b7a23
|
s6-rc: make it so, once started, other programs can start/stop services but NOT edit/create them
|
2024-03-26 00:11:02 +00:00 |
|
|
4eb6b5735e
|
users/s6-rc: allow startS6 ""
|
2024-03-25 16:46:51 +00:00 |
|
|
5d3899959b
|
users/s6-rc: split out compiled var
|
2024-03-25 14:56:41 +00:00 |
|
|
ad951ad919
|
users/s6-rc: add symlink capabilities to my fs abstraction
|
2024-03-25 14:46:43 +00:00 |
|
|
48a4c1bd26
|
feeds: add nixpkgs.news
|
2024-03-25 13:13:03 +00:00 |
|
|
febedb9323
|
nits: update --replace uses to --replace-{fail,quiet} as appropriate
|
2024-03-24 12:49:18 +00:00 |
|
|
03fbb780b2
|
sane.programs: sandbox: refactor extraRuntimePaths computation
|
2024-03-24 12:03:38 +00:00 |
|
|
9c0b175260
|
swaync: allow toggling of s6 services
|
2024-03-24 11:54:12 +00:00 |
|
|
e62be121e2
|
users/services: s6: fix so s6-rc stop can actually kill processes
|
2024-03-24 11:48:41 +00:00 |
|
|
7f8cae42ff
|
s6: migrate to /run/user/$id/s6
|
2024-03-23 21:33:08 +00:00 |
|
|
2e58353b0e
|
refactor: users/services: have waitExists support waiting on multiple paths
|
2024-03-23 17:28:29 +00:00 |
|
|
6102a0301d
|
sway: move $WAYLAND_DISPLAY into a subdir to make it easier to sandbox
|
2024-03-23 16:37:22 +00:00 |
|
|
39de5b84c2
|
sway: fix readiness check
|
2024-03-23 15:54:20 +00:00 |
|
|
5205251f6f
|
programs: xwayland: sandbox it without exposing net access
|
2024-03-23 15:33:23 +00:00 |
|
|
8c48adefa5
|
pipewire: move sockets into a subdirectory for easier sandboxing
|
2024-03-23 13:34:13 +00:00 |
|
|
4418c16967
|
users/services: s6: push bundle dependencies down onto the actual atomic services
|
2024-03-23 13:04:12 +00:00 |
|
|
8008fd35cb
|
modules/users: allow readiness.pathExists
|
2024-03-23 13:03:11 +00:00 |
|
|
e6c00e6215
|
users/services: implement dbus readiness checks for s6-rc
|
2024-03-21 17:16:11 +00:00 |
|
|
fff9d69e3e
|
users/services: s6-rc: implement readiness polling
|
2024-03-21 17:16:11 +00:00 |
|
|
4fa7e6113d
|
users/services: s6: exec into the run/finish commands
|
2024-03-21 17:16:11 +00:00 |
|
|
16ca71188f
|
users/services: simplify the before/after/wantedBy criteria, to match s6 concepts
|
2024-03-21 17:16:11 +00:00 |
|
|
c5c37e79ac
|
users/services: actually remove the systemd backend
|
2024-03-21 17:16:11 +00:00 |
|
|
d2f6648bce
|
users/services: refactor: replace ExecStart/ExecStopPost with command/cleanupCommand
note that this completely breaks the systemd backend (though easily fixable if wanted)
|
2024-03-21 17:16:11 +00:00 |
|
|
5c9c7f8073
|
modules/users/s6-rc: add per-service logging
|
2024-03-21 17:16:11 +00:00 |
|
|
218072b2fe
|
refactor: modules/users/s6-rc.nix
|
2024-03-21 17:16:11 +00:00 |
|
|
d4f217a4f5
|
refactor: modules/users/s6-rc.nix
|
2024-03-21 17:16:11 +00:00 |
|
|
40f6f88a64
|
users/services: s6: remove broken log stuff
apparently the /log shorthand is only applicable to base `s6-supervise`,
and not `s6-rc`. "pipeline"s are the s6-rc equivalent:
<https://wiki.gentoo.org/wiki/S6-rc#Longrun_pipelining>
|
2024-03-21 17:16:11 +00:00 |
|
|
fbbb09322a
|
users/services: s6-rc: support ExecStopPost option
|
2024-03-21 17:16:11 +00:00 |
|
|
e7153ce4a1
|
users/services: remove ExecStartPre option
|
2024-03-21 17:16:11 +00:00 |
|
|
b13e7c38c7
|
users/services: remove script option
|
2024-03-21 17:16:11 +00:00 |
|
|
1417497001
|
users/services: remove serviceConfig.Type option
|
2024-03-21 17:16:11 +00:00 |
|
|
db12e03f64
|
users/services: remove oneshot service type
|
2024-03-21 17:16:11 +00:00 |
|
|
dee4866737
|
users/services: remove ConditionEnvironment option
|
2024-03-21 17:16:11 +00:00 |
|
|
81a6c53c26
|
users/services: remove RemainAfterExit option
|
2024-03-21 17:16:11 +00:00 |
|
|
9afd9725d1
|
users: services: remove no-longer-needed Restart and RestartSec options
|
2024-03-21 17:16:11 +00:00 |
|
|
452619dbfc
|
s6: log when a service starts up
it still seems to be all logging into a single file though?
|
2024-03-21 17:16:11 +00:00 |
|
|
8bedc860ae
|
s6: add some minimal logging
the root s6 call seems to be doing some logging, notably feedbackd; still don't know where the other logs are going
|
2024-03-21 17:16:11 +00:00 |
|
|
cbecdc4a95
|
s6: use exec in the run trampoline, to forward file descriptors and keep a cleaner process tree
|
2024-03-21 17:16:11 +00:00 |
|
|
e1001f57c5
|
modules/users: remove no-longer-need environment option
|
2024-03-21 17:16:11 +00:00 |
|
|
2336767059
|
port service manager to s6
still a lot of cleanup to do (e.g. support dbus service types), but it boots to a usable desktop
|
2024-03-21 17:16:11 +00:00 |
|
|
05b37669e3
|
s6-rc: fix service run file to have expected format
|
2024-03-21 17:16:11 +00:00 |
|
|
ea9768c6ab
|
modules/users: prototype s6 integration: ~/.config/s6/{sources,compiled}
|
2024-03-21 17:16:11 +00:00 |
|
|
38353dbc29
|
modules/users: remove unused requiredBy service option
|
2024-03-21 17:16:11 +00:00 |
|
|
ef4a8e1989
|
modules: users: split services -> fs mapping into own systemd.nix file
|
2024-03-21 17:16:11 +00:00 |
|
|
acc9a9cb48
|
modules/users: make it a directory
|
2024-03-21 17:16:11 +00:00 |
|
|
70b5c57b50
|
modules/programs: enforce (or rather document) a stricter schema
this should make it easier to switch to a different service manager
|
2024-03-21 17:16:01 +00:00 |
|
|
c28ac38652
|
modules/users: refactor to remove inherit s
|
2024-03-21 17:16:01 +00:00 |
|
|
3c43fba878
|
feeds: add NativLang per Ben's rec
|
2024-03-14 07:53:19 +00:00 |
|
|
b25df1d997
|
sane-sandboxed: fix capabilities example
|
2024-03-14 01:36:46 +00:00 |
|