6fe3d26b30
modemmanager: fix missing mmcli
binary in service definition
2024-06-01 15:41:14 +00:00
8340cf059f
nixpkgs-review: fix sandboxing
2024-06-01 15:26:23 +00:00
e0da3ece60
errno: simplify
2024-06-01 14:48:55 +00:00
8ea379d53b
errno: ship on all platforms
2024-06-01 14:04:45 +00:00
c7dd49af91
errno: fix cross compilation by not building *all* of moreutils
2024-06-01 14:03:59 +00:00
d8d11de9bc
sftpgo: replace deprecated "crypt" with "passlib"
2024-06-01 13:01:19 +00:00
07194d062a
servo: nfs: disable
2024-06-01 12:45:10 +00:00
8657cf1fcf
ship ausyscall
binary
2024-06-01 12:17:08 +00:00
e3e86a43a9
brightnessctl: disable unused dbus access
2024-06-01 12:09:51 +00:00
05986d363d
brightnessctl: fix udev rules so i can run it again
2024-06-01 12:02:24 +00:00
539d9e45a2
networkmanager/modemmanager: ship separate packages for the daemon and CLI tools
...
they require fundamentally different sandboxing approaches. the daemon *can't* always use bwrap if it wants to run as non-root. meanwhile the CLI tools would mostly *prefer* to run under bwrap.
in the long term i'll maybe upstream the systemd sandboxing into nixpkgs, where there looks to be desire for it
2024-05-31 23:26:16 +00:00
326bf045b0
networkmanager/wpa_supplicant: switch user back to "networkmanager"
...
root gives too much power, even with bwrap/namespaces
2024-05-31 23:26:16 +00:00
a1181a10ea
networkmanager: install parallel dbus .conf files to allow the services to be run as *either* networkmanager or root user (hopefully!)
2024-05-31 23:26:16 +00:00
9bb6a903bb
wpa_supplicant: get it to run under bwrap
2024-05-31 23:26:16 +00:00
214f963d89
networkmanager: run all services as root instead of networkmanager user
...
i believe this may allow using bwrap instead of landlock
2024-05-31 23:26:16 +00:00
c7eb4b66a5
polyunfill: remove unused su
and sg
security wrappers
2024-05-31 14:59:23 +00:00
452543e6f3
fix rescue
host build
2024-05-31 10:37:03 +00:00
07aec3ca3c
apps: explain why i ship both engrampa and xarchiver archive managers
2024-05-31 08:39:23 +00:00
c7fd3d2217
nixpkgs: 2024-05-26 -> 2024-05-31, nixpkgs-wayland -> 2024-05-31
...
```
• Updated input 'nixpkgs-next-unpatched':
'github:nixos/nixpkgs/2baa940f86e1fc54757fd7d1ed551c0a38904bf2' (2024-05-26)
→ 'github:nixos/nixpkgs/d3d81af60c22e9e93a3930a9630b210362341ab9' (2024-05-31)
• Updated input 'nixpkgs-unpatched':
'github:nixos/nixpkgs/7780e5160e011b39019797a4c4b1a4babc80d1bf' (2024-05-26)
→ 'github:nixos/nixpkgs/4e60a4d94bdc1abafeefc1928aa3cda6ce6c4210' (2024-05-31)
• Updated input 'nixpkgs-wayland':
'github:nix-community/nixpkgs-wayland/397c85d463aef789a8dd24c4db467e9ad787907b' (2024-05-26)
→ 'github:nix-community/nixpkgs-wayland/1db9b79a45c8e346e03480767e6d9749fabfaf10' (2024-05-31)
```
2024-05-31 06:09:03 +00:00
0fcc3f8d5d
ModemManager: make the sandbox more strict
2024-05-30 21:32:35 +00:00
0bb887158b
implement a dropbear SSH module
2024-05-30 20:58:01 +00:00
6570c5ed84
modemmanager: sandbox with bwrap instead of landlock
2024-05-30 18:47:09 +00:00
820fdecfd5
modemmanager: minimal (working) sandbox
2024-05-30 18:27:34 +00:00
8d43565f31
sane-theme: disable sandbox
2024-05-30 16:54:10 +00:00
18364761dd
wireplumber: undo the enableSystemd=false patch
2024-05-30 16:50:53 +00:00
d3937487e6
moby: cleanup bonsai <-> sway circular dependency (slightly)
2024-05-30 12:43:09 +00:00
3fdeacc336
sane-input-handler: add a --help command
2024-05-30 12:30:41 +00:00
84f2006115
servo: fix gitea
2024-05-30 12:12:06 +00:00
7f5e12da8d
dbus: dont consider the service "up" until the unix pipe actually appears
2024-05-30 11:04:02 +00:00
afa8a3c52e
activationScripts.notifyActive: future-proof for if ever DBUS_SESSION_BUS_ADDRESS changes
2024-05-30 11:03:35 +00:00
bfbcb4789b
activationScripts.notifyActive: fix forrenamed XDG_RUNTIME_DIR
2024-05-30 10:56:17 +00:00
2531cc1cf6
bonsai: place the socket in a subdirectory to improve sandboxing
2024-05-30 09:54:28 +00:00
e55b75c333
wireplumber: build without systemd
2024-05-30 09:46:29 +00:00
adb54657d4
sway: fix bonsai to be visible in the sandbox
2024-05-30 09:46:04 +00:00
6eefb9ce20
wireplumber: build against the same pipewire i deploy
2024-05-30 09:06:41 +00:00
274a7821a7
wireplumber: remove no-longer-needed /run/systemd directory
...
not necessary when using seatd/when a member of the 'audio' group
2024-05-30 08:54:41 +00:00
175acf6442
pipewire: build without systemd
2024-05-30 08:44:11 +00:00
0761b6135a
users/colin: add myself to "audio" group so that wireplumber can access audio devices w/o systemd/logind
2024-05-30 08:44:11 +00:00
66c899d099
callaudiod: fix to not start before dbus/pipewire are up (avoids coredump on boot)
2024-05-30 06:07:08 +00:00
4aeb3360d3
cleanup: programs: dont assume sway
is always the wayland/x11 provider
2024-05-30 06:00:32 +00:00
0c456d11d8
programs: ensure things which depend on sound or wayland are ordered after it
2024-05-30 04:55:05 +00:00
f1d397940f
seatd: patch sandboxing for desko
2024-05-29 19:42:45 +00:00
fa94fa8e6c
seatd: sandbox with bwrap
...
it always surprises my that you can sandbox something with cap_sys_admin like this...
i think this works *only* because the user is root
2024-05-29 19:09:57 +00:00
4b9c125c8c
seatd: sandbox
2024-05-29 18:58:38 +00:00
0f7d25d8a5
doc: sway: say why i wrapperType = "inplace"
2024-05-29 18:58:05 +00:00
140641729e
gvfs: disable (it was broken)
2024-05-29 18:39:31 +00:00
32124d76bf
cups: disable (not currently used, and not sandboxed)
2024-05-29 18:33:17 +00:00
c5c174f988
sway: patch to use a narrower sandbox
2024-05-29 18:24:59 +00:00
29bc1608aa
sway: remove sandbox input which are no longer necessary
2024-05-29 17:07:18 +00:00
635ca1e5d8
seatd: pull the service definition into my own repo
...
this will allow me to configure the package
2024-05-29 16:34:32 +00:00