b4b95be588
make-sandboxed: fix to preserve the specified output, for packages like dig
2024-08-21 04:00:45 +00:00
ae0d6cb8e8
make-sandboxed: preserve outputs of multiple-output packages
...
especially, this fixes the dconf service, since we keep '/libexec'
2024-08-21 03:28:02 +00:00
4055c6d3e9
podcasts: subscribe to C-Span's _The Weekly_
2024-08-20 02:23:41 +00:00
1b4266f8a7
hickory-dns: fix compilation error with newer rustc
2024-08-19 13:29:09 +00:00
ca793af819
make-sandboxed: fix double-wrapping when two symlinks point to the same binary by non-canonical paths (e.g. mount.sshfs -> ../bin/sshfs)
2024-08-16 10:50:20 +00:00
e846a5046a
feeds: subscribe to 404 media
2024-08-16 02:41:17 +00:00
a552ed625b
make-sandboxed: fix several edge-cases for e.g. brave, firefox, especially around handling of wrapped binaries
2024-08-16 02:15:46 +00:00
fd6959230f
make-sandboxed: handle /opt-style packaging, with toplevels linked into /bin, a bit better
2024-08-15 10:32:18 +00:00
87e9856497
sanebox: forward argv0
2024-08-15 10:31:21 +00:00
e7d5a61014
libcap: split into separate capsh and captree programs, and sandbox the latter
2024-08-12 10:13:50 +00:00
d4290588bf
rename: trust-dns -> hickory-dns
2024-08-12 01:23:39 +00:00
bfe278c17a
feeds: subscribe to Weird Little Guys
2024-08-12 00:35:34 +00:00
8aebc1fe87
feeds: subscribe to Oyez supreme court oral arguments
2024-08-10 11:16:54 +00:00
f986936bbd
wg-home-refresh: use the sandboxed wireguard-tools
2024-08-09 23:52:31 +00:00
055ad222e3
wg-home-refresh: harden systemd service
2024-08-09 23:05:58 +00:00
f8aea34e96
sanebox: bwrap: make user namespace unsharing more obvious
2024-08-07 21:23:21 +00:00
020e5f8c6e
/mnt/persist/private: split waiting on the keyfile out of the mount process
2024-08-06 02:03:55 +00:00
809c3af7fa
/mnt/persist/private: minor improvements to file permissions
2024-08-06 01:26:53 +00:00
93cb1bc546
/mnt/persist/private: sandbox in a way that the actual gocryptfs instance doesn't get CAP_SYS_ADMIN
2024-08-06 00:52:48 +00:00
53acab834c
refactor: persist/stores/ephemeral: move to its own source directory
2024-08-05 23:05:02 +00:00
3a0610b029
/mnt/persist/ephemeral: sandbox in a way that the actual gocryptfs instance doesn't get CAP_SYS_ADMIN
...
instead, only fuse does, and the capability is lost during the handoff between fuse and gocryptfs
2024-08-05 23:04:14 +00:00
c706a19836
landlock-sandboxer: rename the binary, so that it can be included on PATH without collisions
2024-08-05 22:59:14 +00:00
74662df720
persist/{private,ephemeral}: mount via fuse
...
gocryptfs is compatible with --drop-permissions style of mount.fuse3. only, i can't actually use that today because i need to keep permissions :o
but maybe i'll enable that in the future
2024-08-03 18:51:58 +00:00
3adbbe5fa7
/mnt/$host/home: run as user instead of as root
2024-08-03 15:13:04 +00:00
eaeb8380dc
fs: enable @basic-api everywhere, since its required by systemd restart logic
2024-08-02 09:13:55 +00:00
cf20230d96
sane.fs: cleanup
...
plumb systemd.{mounts,services} instead of the less detailed 'systemd'
2024-08-02 08:01:38 +00:00
9dbb2a6266
sane.fs: take in the role of generating systemd.mounts files
2024-08-02 07:33:21 +00:00
113b107d73
persist: fix ordering so stores arent required by local-fs.target
...
maybe they should be, but then there's weird stuff about getty depending on sysinit.target, and that being blocked by the private store...
2024-08-02 06:20:39 +00:00
96dfe79a8c
fs: persist/private: harden systemd mount file
2024-08-02 05:17:44 +00:00
6e5bde17aa
cleanup: persist/private: simplify
2024-08-02 05:00:55 +00:00
3eb66c098b
trust-dns: make it a dependency of "network-online.target"
2024-08-02 04:54:58 +00:00
515aab5370
cleanup: persist/private: encode the dependencies more precisely, rather than just having it all depend on default.target
2024-08-02 04:50:33 +00:00
f925dd9a20
fs: isolate /mnt/servo/* and /mnt/persist/ephemeral a bit more
2024-08-02 04:45:14 +00:00
6a7dd31755
vpn: fix warning about missing /32 syntax
2024-08-02 00:37:58 +00:00
2197951e12
NetworkManager-dispatcher: cleanup an ordering cycle between it and trust-dns-localhost
2024-08-02 00:36:54 +00:00
efc16a9e80
persist: harden the "ephemeral" store mount environment
...
there's only so much this can actually achieve. it's still quite possible for someone who knows what they're doing to do large amounts of damage
2024-08-01 22:40:55 +00:00
6aa6c0020c
lightning-cli: fix sandboxing
2024-08-01 19:59:23 +00:00
acd46940e4
clightning: lift the build fix into pkgs/default.nix
...
this lets me apply it outside the context of a nixos module
2024-08-01 19:53:05 +00:00
00a25f1533
feeds: fix complex systems URL
2024-08-01 19:52:22 +00:00
bc0a1eb1b3
feeds: sub to Complex Systems Podcast
2024-08-01 18:58:39 +00:00
33efbeda8a
link manpages into all linkIntoOwnPackage users
2024-08-01 17:43:58 +00:00
b53f376d70
servo: clightning: tighten sandboxing for bitcoin-cli interaction
2024-07-30 12:41:33 +00:00
621c147483
clightning: remove /var/lib/bitcond-mainnet from the service paths -- again
2024-07-30 11:17:10 +00:00
841076fd9e
clightning: move /var/lib/bitcoind-mainnet from ReadWritePaths -> ReadOnlyPaths
...
i think i can go further, remote it altogether
2024-07-29 23:19:26 +00:00
43232ff569
kiwix-serve: harden
2024-07-29 03:42:52 +00:00
dc2d46b9c0
servo: cryptocurrencies: get clightning back into a state where i can see its working
2024-07-29 03:42:52 +00:00
666744bda3
bitcoin-cli,lightning-cli: ship as own package instead of shipping the whole daemon
2024-07-29 03:42:52 +00:00
eb3651ce59
refactor: assorted: python: logger.warn -> logger.warning
...
the former is deprecated
2024-07-28 03:41:30 +00:00
ace03bb0e9
persist/private: actually do enable "auto", for servo where i dont auto-tty-login as colin
...
this doesn't seem to block the boot
2024-07-26 22:02:57 +00:00
8819142128
modules/users: use = instead of -eq for comparison to fix warning which XDG_VTNR is unset
2024-07-26 20:57:23 +00:00
