Commit Graph

3193 Commits

Author SHA1 Message Date
82133a8f16 refactor: move logind config into systemd.nix 2024-06-04 14:09:58 +00:00
43a63d4f6e hosts/modules: remove unused yggdrasil 2024-06-04 13:58:49 +00:00
394259fe21 modemmanager: harden systemd service 2024-06-03 16:41:51 +00:00
8c256c629b networkmanager: harden further with NoNewPrivileges and PrivateTmp 2024-06-03 16:23:22 +00:00
0e2d86ac96 NetworkManager-dispatcher: note why we can't use DynamicUser 2024-06-03 15:57:41 +00:00
e2a1e6730d NetworkManager-dispatcher: harden systemd service 2024-06-03 15:44:22 +00:00
a1e923f999 networkmanager: tighten ProtectSystem to "strict" 2024-06-03 15:10:14 +00:00
09333c992c wpa_supplicant: harden systemd service 2024-06-03 15:09:32 +00:00
80eb385c64 networkmanager: restrict service (using systemd options) 2024-06-03 14:27:00 +00:00
f6725f60b9 networkmanager: re-introduce my polkit patches 2024-06-03 13:04:48 +00:00
42fed64b75 NetworkManager: split specific config options out of my main net/default.nix file 2024-06-03 11:24:38 +00:00
682143d47f NetworkManager: 1.46.0 -> 1.48.0
mostly so i can review the PR and get this update mainlined sooner :)
2024-06-03 11:23:33 +00:00
9d109644b7 nixpkgs: 2024-06-01 -> 2024-06-03; sops-nix -> 2024-06-02
```
• Updated input 'nixpkgs-next-unpatched':
    'github:nixos/nixpkgs/f7de25c01e4c073c06e0525226a0c2311d530cee' (2024-06-01)
  → 'github:nixos/nixpkgs/c987c730bbf2121264ebd68921b443db5bb28543' (2024-06-03)
• Updated input 'nixpkgs-unpatched':
    'github:nixos/nixpkgs/61c1d282153dbfcb5fe413c228d172d0fe7c2a7e' (2024-06-01)
  → 'github:nixos/nixpkgs/77a51024c0f953d503eb3ed364aa4bff378649f8' (2024-06-03)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/962797a8d7f15ed7033031731d0bb77244839960' (2024-05-26)
  → 'github:Mic92/sops-nix/ab2a43b0d21d1d37d4d5726a892f714eaeb4b075' (2024-06-02)
• Updated input 'sops-nix/nixpkgs-stable':
    'github:NixOS/nixpkgs/59a450646ec8ee0397f5fa54a08573e8240eb91f' (2024-05-25)
  → 'github:NixOS/nixpkgs/3b1b4895b2c5f9f5544d02132896aeb9ceea77bc' (2024-06-01)
```
2024-06-03 05:31:28 +00:00
e4bcbab224 hosts: networking: switch to using nixos NetworkManager/ModemManager/etc, just patched for hardening 2024-06-02 11:22:03 +00:00
1b85aa0441 networkmanager/modemmanager: get closer to nixpkgs upstream
i've seen enough, that there's a path toward getting nixos proper to sandbox this in a way i'm happy with -- in time
2024-06-02 08:56:38 +00:00
f5e5d1bcc4 networkmanager: fix polkit integrations when running not as root
now nmcli/etc work
2024-06-02 05:10:11 +00:00
30d41f82f2 refactor: networkmanager: use substitute instead of sed when patching 2024-06-01 22:16:18 +00:00
62dbad3486 polyunfill: remove a few more default systemPackages 2024-06-01 21:06:40 +00:00
4287ecf0ed polyfill: don't ship unused mtools package 2024-06-01 20:15:04 +00:00
b13ca92b72 polyfill: remove boot.{enableContainers,bcache} 2024-06-01 20:14:49 +00:00
53bbd611da nixpkgs-review: persist the ~/.cache/nixpkgs-review directory 2024-06-01 17:15:54 +00:00
cb1d5d53c6 feeds: add mintcast podcast 2024-06-01 16:28:42 +00:00
a5a635f00b sftpgo: simplify my package override now that sftpgo 2.6.0 is merged 2024-06-01 16:22:22 +00:00
6fe3d26b30 modemmanager: fix missing mmcli binary in service definition 2024-06-01 15:41:14 +00:00
8340cf059f nixpkgs-review: fix sandboxing 2024-06-01 15:26:23 +00:00
e0da3ece60 errno: simplify 2024-06-01 14:48:55 +00:00
8ea379d53b errno: ship on all platforms 2024-06-01 14:04:45 +00:00
c7dd49af91 errno: fix cross compilation by not building *all* of moreutils 2024-06-01 14:03:59 +00:00
d8d11de9bc sftpgo: replace deprecated "crypt" with "passlib" 2024-06-01 13:01:19 +00:00
07194d062a servo: nfs: disable 2024-06-01 12:45:10 +00:00
8657cf1fcf ship ausyscall binary 2024-06-01 12:17:08 +00:00
e3e86a43a9 brightnessctl: disable unused dbus access 2024-06-01 12:09:51 +00:00
05986d363d brightnessctl: fix udev rules so i can run it again 2024-06-01 12:02:24 +00:00
539d9e45a2 networkmanager/modemmanager: ship separate packages for the daemon and CLI tools
they require fundamentally different sandboxing approaches. the daemon *can't* always use bwrap if it wants to run as non-root. meanwhile the CLI tools would mostly *prefer* to run under bwrap.

in the long term i'll maybe upstream the systemd sandboxing into nixpkgs, where there looks to be desire for it
2024-05-31 23:26:16 +00:00
326bf045b0 networkmanager/wpa_supplicant: switch user back to "networkmanager"
root gives too much power, even with bwrap/namespaces
2024-05-31 23:26:16 +00:00
a1181a10ea networkmanager: install parallel dbus .conf files to allow the services to be run as *either* networkmanager or root user (hopefully!) 2024-05-31 23:26:16 +00:00
9bb6a903bb wpa_supplicant: get it to run under bwrap 2024-05-31 23:26:16 +00:00
214f963d89 networkmanager: run all services as root instead of networkmanager user
i believe this may allow using bwrap instead of landlock
2024-05-31 23:26:16 +00:00
c7eb4b66a5 polyunfill: remove unused su and sg security wrappers 2024-05-31 14:59:23 +00:00
452543e6f3 fix rescue host build 2024-05-31 10:37:03 +00:00
07aec3ca3c apps: explain why i ship both engrampa and xarchiver archive managers 2024-05-31 08:39:23 +00:00
c7fd3d2217 nixpkgs: 2024-05-26 -> 2024-05-31, nixpkgs-wayland -> 2024-05-31
```
• Updated input 'nixpkgs-next-unpatched':
    'github:nixos/nixpkgs/2baa940f86e1fc54757fd7d1ed551c0a38904bf2' (2024-05-26)
  → 'github:nixos/nixpkgs/d3d81af60c22e9e93a3930a9630b210362341ab9' (2024-05-31)
• Updated input 'nixpkgs-unpatched':
    'github:nixos/nixpkgs/7780e5160e011b39019797a4c4b1a4babc80d1bf' (2024-05-26)
  → 'github:nixos/nixpkgs/4e60a4d94bdc1abafeefc1928aa3cda6ce6c4210' (2024-05-31)
• Updated input 'nixpkgs-wayland':
    'github:nix-community/nixpkgs-wayland/397c85d463aef789a8dd24c4db467e9ad787907b' (2024-05-26)
  → 'github:nix-community/nixpkgs-wayland/1db9b79a45c8e346e03480767e6d9749fabfaf10' (2024-05-31)
```
2024-05-31 06:09:03 +00:00
0fcc3f8d5d ModemManager: make the sandbox more strict 2024-05-30 21:32:35 +00:00
0bb887158b implement a dropbear SSH module 2024-05-30 20:58:01 +00:00
6570c5ed84 modemmanager: sandbox with bwrap instead of landlock 2024-05-30 18:47:09 +00:00
820fdecfd5 modemmanager: minimal (working) sandbox 2024-05-30 18:27:34 +00:00
8d43565f31 sane-theme: disable sandbox 2024-05-30 16:54:10 +00:00
18364761dd wireplumber: undo the enableSystemd=false patch 2024-05-30 16:50:53 +00:00
d3937487e6 moby: cleanup bonsai <-> sway circular dependency (slightly) 2024-05-30 12:43:09 +00:00
3fdeacc336 sane-input-handler: add a --help command 2024-05-30 12:30:41 +00:00
84f2006115 servo: fix gitea 2024-05-30 12:12:06 +00:00
7f5e12da8d dbus: don't consider the service "up" until the unix pipe actually appears 2024-05-30 11:04:02 +00:00
afa8a3c52e activationScripts.notifyActive: future-proof for if ever DBUS_SESSION_BUS_ADDRESS changes 2024-05-30 11:03:35 +00:00
bfbcb4789b activationScripts.notifyActive: fix for renamed XDG_RUNTIME_DIR 2024-05-30 10:56:17 +00:00
2531cc1cf6 bonsai: place the socket in a subdirectory to improve sandboxing 2024-05-30 09:54:28 +00:00
e55b75c333 wireplumber: build without systemd 2024-05-30 09:46:29 +00:00
adb54657d4 sway: fix bonsai to be visible in the sandbox 2024-05-30 09:46:04 +00:00
6eefb9ce20 wireplumber: build against the same pipewire i deploy 2024-05-30 09:06:41 +00:00
274a7821a7 wireplumber: remove no-longer-needed /run/systemd directory
not necessary when using seatd/when a member of the 'audio' group
2024-05-30 08:54:41 +00:00
175acf6442 pipewire: build without systemd 2024-05-30 08:44:11 +00:00
0761b6135a users/colin: add myself to "audio" group so that wireplumber can access audio devices w/o systemd/logind 2024-05-30 08:44:11 +00:00
66c899d099 callaudiod: fix to not start before dbus/pipewire are up (avoids coredump on boot) 2024-05-30 06:07:08 +00:00
4aeb3360d3 cleanup: programs: don't assume sway is always the wayland/x11 provider 2024-05-30 06:00:32 +00:00
0c456d11d8 programs: ensure things which depend on sound or wayland are ordered after it 2024-05-30 04:55:05 +00:00
f1d397940f seatd: patch sandboxing for desko 2024-05-29 19:42:45 +00:00
fa94fa8e6c seatd: sandbox with bwrap
it always surprises me that you can sandbox something with cap_sys_admin like this...

i think this works *only* because the user is root
2024-05-29 19:09:57 +00:00
4b9c125c8c seatd: sandbox 2024-05-29 18:58:38 +00:00
0f7d25d8a5 doc: sway: say why i wrapperType = "inplace" 2024-05-29 18:58:05 +00:00
140641729e gvfs: disable (it was broken) 2024-05-29 18:39:31 +00:00
32124d76bf cups: disable (not currently used, and not sandboxed) 2024-05-29 18:33:17 +00:00
c5c174f988 sway: patch to use a narrower sandbox 2024-05-29 18:24:59 +00:00
29bc1608aa sway: remove sandbox inputs which are no longer necessary 2024-05-29 17:07:18 +00:00
635ca1e5d8 seatd: pull the service definition into my own repo
this will allow me to configure the package
2024-05-29 16:34:32 +00:00
2789868703 seatd: split out of sway conf 2024-05-29 16:22:52 +00:00
c40ec1990a sshd: disable systemd integration 2024-05-29 15:57:19 +00:00
d4dfcd6510 login: remove systemd pam integration (so it doesn't try, and fail, to start the user manager) 2024-05-29 15:42:39 +00:00
d865be952a refactor: sandboxing: replace manual --sanebox-keep-namespace pid config with isolatePids = false 2024-05-29 12:56:46 +00:00
7c8a18ecbd systemd: remove no-longer-used user@1000 override 2024-05-29 12:56:19 +00:00
35ff7de06e dbus: manage it ourselves instead of having systemd do it 2024-05-29 12:55:51 +00:00
c570b7bf5d dbus: manage it ourselves instead of having systemd do it 2024-05-29 11:30:33 +00:00
770fc2e574 systemd: fix typo'd IgnoreOnIsolate option 2024-05-29 11:30:33 +00:00
0ed7eb24fb programs: assorted: remove legacy programs.feedback setting 2024-05-29 11:30:33 +00:00
ad8e75b6a3 programs: assorted: remove /var/lib/alsa persistence; doesn't seem to be needed 2024-05-29 11:30:33 +00:00
e8dbe0750d networkmanager: fix sandbox to actually work with systemd-resolved 2024-05-29 10:34:24 +00:00
1378988f21 desko: *really* disable wpa_supplicant 2024-05-29 10:34:03 +00:00
4309d887da wpa_supplicant: remove unused services 2024-05-29 09:33:25 +00:00
1ee21c4795 NetworkManager: run as user instead of root 2024-05-29 09:16:30 +00:00
fb7bcbb5f5 NetworkManager-wait-online: fix missing sanebox path 2024-05-29 01:37:15 +00:00
0013e8305e networkmanager: cleanup 2024-05-29 01:35:38 +00:00
7dedfcebb9 networkmanager: sandbox 2024-05-29 01:33:15 +00:00
247fc1f887 hosts/modules/gui: fold into hosts/common/programs 2024-05-28 16:51:02 +00:00
3c2ca46ef9 hosts/modules/gui/gtk: hoist to sane.programs.sane-theme 2024-05-28 16:44:27 +00:00
95dc395925 hosts/modules/gui/theme: lift my sway background up into its own package 2024-05-28 15:48:37 +00:00
cefd6c0534 documentation improvements 2024-05-28 13:36:01 +00:00
05efec8fd7 wg-home: decrease the refresh timeout 2024-05-28 13:36:01 +00:00
e8846b2d6b wpa_supplicant: sandbox 2024-05-28 13:36:01 +00:00
7d242ab02c sane-battery-estimate: sandbox 2024-05-28 09:41:04 +00:00
47611eaa26 sane-weather: sandbox 2024-05-28 09:38:04 +00:00
9719f0f785 mpv: relax sandboxing for the sake of subtitle downloading 2024-05-28 09:37:57 +00:00
8042ea76e6 assorted programs: specify sandbox.autodetectCliPaths variant more precisely than just true 2024-05-28 07:14:27 +00:00
c59236509b sane-cast: sandbox 2024-05-28 07:07:11 +00:00
4ba0343315 networkmanager: hoist some lib.mkIfs up a few levels
would you believe one of these attributes was being set without a mkIf cfg.enabled guard :)
2024-05-28 05:27:23 +00:00
cbe6072c03 polyunfill: remove policykit suid wrappers 2024-05-28 05:24:37 +00:00
bea1fd95e5 polyunfill: disable dbus-daemon-launch-helper suid wrapper 2024-05-28 05:14:06 +00:00
ae544c0649 polyunfill: disable mount/umount suid wrappers 2024-05-28 05:02:26 +00:00
b571f70988 polyunfill: remove fusermount suid wrapper 2024-05-28 04:56:14 +00:00
e6498ad152 notejot: fix sandboxing 2024-05-28 03:59:31 +00:00
976b8ae45e rofi-snippets: make the filtering case insensitive, and improve ellipsis placement come 1.7.6 2024-05-28 03:38:36 +00:00
ab7c4d7410 rofi-snippets: remove the subshell and just use a pipe
i expect that this is faster, particularly because bash should stand up each section of the pipeline in parallel, right?
2024-05-28 03:23:04 +00:00
d2c3bec98e rofi-snippets: remove an extraneous layer of sandbox 2024-05-28 03:04:57 +00:00
3c5e5632ee wtype: sandbox 2024-05-28 03:04:26 +00:00
dcedb8d3f0 sanebox: handle --flag=path style of autodetected paths 2024-05-28 03:04:02 +00:00
f38d2d52d2 alsa-ucm-pinephone-pmos: prefer the earpiece over the "internal speaker" 2024-05-27 14:13:56 +00:00
04bbf54385 alsa-ucm-conf: switch to postmarketos version 2024-05-27 13:41:03 +00:00
f2271180dd alsa-ucm-conf: split the patched alsa confs out into their own package 2024-05-27 12:53:33 +00:00
60b1ab1429 conky: split sane-battery-estimate out into its own program 2024-05-27 11:33:40 +00:00
a024f685c3 firefox: replace i-still-dont-care-about-cookies extension with a uBlock filter list
simpler that way; fewer extensions to trust
2024-05-27 07:43:55 +00:00
9c20cef6ea firefox: ublacklist: disable (i wasn't using any rules; it wasn't blocking anything from google search results) 2024-05-27 07:22:47 +00:00
f6f1a6e136 firefox: uBlock Origin: ship filter lists statically 2024-05-27 06:54:52 +00:00
7941a8b1ed refactor: firefox: fix uBlock json indentation 2024-05-27 04:46:38 +00:00
063b0be5b6 hosts/modules/gui/greetd: remove 2024-05-27 00:44:01 +00:00
7e490f5c07 remove lingering references to sxmo 2024-05-27 00:38:30 +00:00
10a985e7f9 hosts/modules/gui/sxmo: remove 2024-05-27 00:27:53 +00:00
f3c3df2ca7 sxmo_suspend.sh: lift out of hosts/modules/gui/sxmo/hooks
i want to preserve this script for the future, while deleting the rest of my (unused) SXMO config
2024-05-27 00:23:50 +00:00
f477604063 hosts/modules/gui: remove gnome 2024-05-27 00:13:19 +00:00
d46fa8a242 swaync-fbcli: sandbox (experimental) 2024-05-27 00:11:20 +00:00
62b2eb874c swaync-service-dispatcher: sandbox 2024-05-27 00:07:30 +00:00
133c1b3699 swaync: remove unused systemd integrations
it's all s6 now
2024-05-27 00:06:03 +00:00
1b4300dbeb swaync: remove unused vpn button 2024-05-27 00:00:44 +00:00
b159240b7f servo: import ovpn privkey 2024-05-26 14:37:33 +00:00
8a9f96eefc moby: import own OVPN privkey 2024-05-26 14:31:08 +00:00
b1c7061b21 vpn: fix typos from previous 2 commits 2024-05-26 14:26:47 +00:00
c528bb3ec9 desko: add to OVPN 2024-05-26 14:07:32 +00:00
002639cc76 ovpn: use a single key per-device
this should fix the traffic collisions i'm seeing with the existing setup
2024-05-26 14:04:52 +00:00
45967fde7b brave: fix sandboxing under pasta/netns 2024-05-26 13:05:44 +00:00
3a045f4d88 doc: polyunfill: point to https://github.com/NixOS/nixpkgs/pull/314791 2024-05-26 08:00:18 +00:00
57d6a9a4c3 polyunfill: simplify pam hacks 2024-05-26 07:04:12 +00:00
2ee39ca0cc poly_unfill: remove /run/wrappers/bin/unix_chkpwd
non-privileged users don't need to check passwords

well, maybe they do (for desktop unlockers), but i've already solved that :)
2024-05-26 06:37:59 +00:00
9d9211c5fa polyunfill: distribute /run/wrappers/bin/unix_chkpwd without suid bit 2024-05-26 01:18:30 +00:00
9ce7dcd57a /run/wrappers: remove unused newgidmap,newuidmap,newgrp binaries 2024-05-26 01:18:30 +00:00
efa1ee6c69 iproute2: disable sandbox and fix ip commands 2024-05-26 01:18:30 +00:00
6a15434cc6 net/vpn: remove the bridge devices from my VPN setup 2024-05-26 01:18:30 +00:00
6365bb7594 desko: disable wpa_supplicant/wireless networking again 2024-05-26 01:18:17 +00:00
8cb73687ce unl0kr: don't add extra deps to user's PATH 2024-05-26 01:17:42 +00:00
73f5c9608e sanebox: tighter dependency handling, to not rely on @BACKEND_FALLBACK@ 2024-05-25 10:26:36 +00:00
b035d312aa firejail: purge 2024-05-25 10:21:31 +00:00
a5e1a804c9 sane-vpn: port to sanebox/pasta (no more firejail) 2024-05-25 10:09:10 +00:00
7b1bc210fd sanebox: integrate with pasta (passt) for better net sandboxing 2024-05-25 09:39:18 +00:00
842651efd5 mpv: tune webm.conf 2024-05-25 02:05:18 +00:00
27b4d4da16 mpv: ship a music visualizer
note that it doesn't show in `webm` exports
2024-05-25 02:05:09 +00:00