Commit Graph

5284 Commits

Author SHA1 Message Date
687db545b4 gnome-keyring: move persistence and init script to sane.programs 2024-02-23 07:22:07 +00:00
24d1d13d0a programs: simplify sandboxing of file browsers/etc now that private data lives on a different mount 2024-02-23 07:06:29 +00:00
2ada436634 home: remove ~/private symlink; move to .persist/private and add related aliases 2024-02-23 07:06:29 +00:00
e5ad0862fb refactor: move ~/ fs definitions into hosts/common/home, not users/ 2024-02-23 07:06:29 +00:00
057b9e3fed replace links/references to ~/private/FOO with just ~/FOO 2024-02-23 07:06:29 +00:00
1bcfccf7e3 refactor: persist ~/knowledge formally instead of relying on the symlink 2024-02-23 07:06:29 +00:00
170eeeacc4 programs: dereference not just the leaf, but any part of the path, when determining a program's sandbox closure 2024-02-23 07:06:29 +00:00
a402822084 move "private" store to /mnt/persist/private instead of ~/private
this will allow me to add all of ~ to a sandbox without giving all of ~/private
2024-02-23 07:06:29 +00:00
80ecdcc4f9 persist: plaintext: consider "/mnt/persist/plaintext" as the logical root, and abstract away "/nix/persist" 2024-02-23 07:06:29 +00:00
0864790bb7 docs: modules/persist: document the "origin" store parameter 2024-02-23 07:06:29 +00:00
478747a96e modules/persist: change default mounting method to symlink
this changes the plaintext and cryptClearOnBoot stores: private was already symlink-based.
this isn't strictly necessary: the rationale is:
1. `mount` syscall *requires* CAP_SYS_ADMIN (i.e. superuser/suid).
   that's causing problems with sandboxing, particularly ~/private.
   that doesn't affect other stores *yet*, but it may in the future.
2. visibility. i.e. it makes *clear* where anything is persisted.
   if `realpath` doesn't evaluate to `/nix/persist`, then it's not
   persisted.
2024-02-23 07:06:29 +00:00
771dc2e1ce fs: allow common /mnt points to be mounted by me without sudo 2024-02-23 07:06:29 +00:00
4a316d4b91 bonsai: lift out of sxmo 2024-02-23 07:06:29 +00:00
0ff8154e96 icu: fix cross compilation 2024-02-23 07:04:39 +00:00
af03b3f6e8 xwayland: sandbox 2024-02-23 01:05:24 +00:00
5819f07181 programs: xwayland: sandbox 2024-02-22 22:12:03 +00:00
122f3fa5cc sway: remove xwayland-specific placement of Signal
it breaks non-xwayland sway config parsing, and Signal is native Wayland now anyway even with Xwayland running
2024-02-22 22:01:48 +00:00
ece612ea70 nixpkgs: 2024-02-21 -> 2024-02-22
```
• Updated input 'nixpkgs-next-unpatched':
    'github:nixos/nixpkgs/97c19bdc7ecbe44755084a52acf38e17bdf2bc71' (2024-02-21)
  → 'github:nixos/nixpkgs/024149d718e25378f4decfeeb614b88208c2f700' (2024-02-22)
• Updated input 'nixpkgs-unpatched':
    'github:nixos/nixpkgs/0e74ca98a74bc7270d28838369593635a5db3260' (2024-02-21)
  → 'github:nixos/nixpkgs/a7fa133a1e973c127e9c83e2c8e3407ae3797099' (2024-02-22)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/acfcce2a36da17ebb724d2e100d47881880c2e48' (2024-02-20)
  → 'github:Mic92/sops-nix/f6b80ab6cd25e57f297fe466ad689d8a77057c11' (2024-02-21)
```
2024-02-22 07:07:29 +00:00
f27f994090 systemd: fix the timeout for the user service manager 2024-02-22 00:24:05 +00:00
473999c001 sway: re-enable networkmanager 2024-02-21 23:46:25 +00:00
d1de9efde1 sway: port xwayland use to sane.programs API 2024-02-21 23:32:10 +00:00
50c3f04714 pipewire: remove dead alsa comments 2024-02-21 23:26:40 +00:00
49bad8f186 sway: split pipewire persisted file into pipewire.nix 2024-02-21 23:26:25 +00:00
fd9f500e97 sway: split pipewire config into separate sane.programs.pipewire 2024-02-21 23:23:52 +00:00
386651044e sway: port to sane.programs API 2024-02-21 23:18:57 +00:00
55a6c828f2 sway: lift portal/menu reset into polyunfill.nix 2024-02-21 22:09:53 +00:00
7ecebd7521 sway: treat fontconfig as an ordinary sane.programs 2024-02-21 22:08:45 +00:00
7b299176e3 sway: simplify the wrapper 2024-02-21 22:06:10 +00:00
4da9cb5ac8 sway: simplify the wrapper... slightly 2024-02-21 21:42:48 +00:00
f068da709f sway: compile with xwayland only if we plan to use it at runtime
else it's just extra weight
2024-02-21 21:05:41 +00:00
5b21257e4f gui: sway: remove useGreeter option (provide a greeter always, via suggestedPrograms) 2024-02-21 20:59:34 +00:00
d77a12ce7b unl0kr: remove the "afterLogin" option and choose automatically which desktop to launch 2024-02-21 20:47:48 +00:00
153d2a1047 GSK_RENDERER: don't set globally, but just for the apps which _actually_ require it
this way i can avoid conflicts around apps which don't expect this to be set (e.g. delfin)
2024-02-21 16:56:56 +00:00
2a528a5d8e sane-sandboxed: leave a note about future mount work 2024-02-21 16:08:42 +00:00
b8f090be93 programs: delfin: add required mpris permissions 2024-02-21 13:27:19 +00:00
b16902bec1 delfin: downgrade 0.4.1 -> 0.4.0
0.4.1 doesn't cross compile because of rust requirement. 0.4.0 does
2024-02-21 13:26:54 +00:00
c919372324 delfin: add option to build in debug mode, and with debug patches 2024-02-21 12:09:48 +00:00
60371585e4 delfin: 0.4.0 -> 0.4.1 2024-02-21 09:04:49 +00:00
20cb850fb5 nixpkgs: 2024-02-18 -> 2024-02-21
```
• Updated input 'nixpkgs-next-unpatched':
    'github:nixos/nixpkgs/d076cde70cbceca9315a11bdc609ddfcec9dfbca' (2024-02-18)
  → 'github:nixos/nixpkgs/97c19bdc7ecbe44755084a52acf38e17bdf2bc71' (2024-02-21)
• Updated input 'nixpkgs-unpatched':
    'github:nixos/nixpkgs/9511a7b219df1f8d8f5c2a58c4870fde169fe397' (2024-02-18)
  → 'github:nixos/nixpkgs/0e74ca98a74bc7270d28838369593635a5db3260' (2024-02-21)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/ffed177a9d2c685901781c3c6c9024ae0ffc252b' (2024-02-18)
  → 'github:Mic92/sops-nix/acfcce2a36da17ebb724d2e100d47881880c2e48' (2024-02-20)
```
2024-02-21 00:35:14 +00:00
c6470918de types.string -> types.str 2024-02-21 00:25:44 +00:00
c0f374bd80 programs: sane-secrets-dump: don't leak secrets onto proc/cmdline 2024-02-21 00:24:31 +00:00
5a0760a571 programs: sandbox oathtools 2024-02-21 00:03:48 +00:00
757ab79724 programs: dconf: sandbox 2024-02-20 23:43:25 +00:00
81148b7b42 programs: explicitly depend on dconf instead of manually persisting dconf's dirs 2024-02-20 23:39:27 +00:00
429d0c53e7 programs: ripgrep: sandbox with bwrap instead of landlock
this provides network isolation
2024-02-20 23:32:54 +00:00
6cf1bc5a28 programs: grep: sandbox 2024-02-20 23:32:28 +00:00
768b340c93 findutils: sandbox
use bwrap instead of landlock for the dumb preference that i can disable
net
2024-02-20 23:31:58 +00:00
d9901aa161 programs: sane-secrets-*: sandbox 2024-02-20 23:31:39 +00:00
be2098c18a programs: sane-vpn: sandbox 2024-02-20 23:05:24 +00:00
ee7d99289a sane-vpn: allow shorthands like "sane-vpn up us" instead of full ovpnd-us 2024-02-20 23:01:53 +00:00