|
|
7904957544
|
give self cap_sys_nice
|
2024-03-14 07:02:57 +00:00 |
|
|
|
4d6d79cc81
|
servo: /var/lib/uninsane/media -> /var/media
|
2024-03-05 18:44:30 +00:00 |
|
|
|
c380f61bea
|
fix "rescue" host to eval again
|
2024-02-28 14:19:45 +00:00 |
|
|
|
6267e7f966
|
tidy up small persist/private nitpicks
|
2024-02-23 14:44:38 +00:00 |
|
|
|
aa0991bd6c
|
persistence: cleanup so it all works well with symlink-based stores
|
2024-02-23 13:09:44 +00:00 |
|
|
|
0d8307e877
|
programs: gnome-keyring: sandbox
and now secrets are readable again. they were broken for the last ~10 commits :)
|
2024-02-23 09:49:35 +00:00 |
|
|
|
e5ad0862fb
|
refactor: move ~/ fs definitions into hosts/common/home, not users/
|
2024-02-23 07:06:29 +00:00 |
|
|
|
1bcfccf7e3
|
refactor: persist ~/knowledge formally instead of relying on the symlink
|
2024-02-23 07:06:29 +00:00 |
|
|
|
a402822084
|
move "private" store to /mnt/persist/private instead of ~/private
this will allow me to add all of ~ to a sandbox without giving all of ~/private
|
2024-02-23 07:06:29 +00:00 |
|
|
|
d7be5da483
|
warnings.nix: port to a proper module
|
2024-02-20 11:19:12 +00:00 |
|
|
|
0dec8b6d5b
|
programs: fontconfig: sandbox
|
2024-02-15 18:26:45 +00:00 |
|
|
|
677e6e679b
|
programs: sandbox {s,}waylock lockscreen
|
2024-02-14 08:48:03 +00:00 |
|
|
|
5f8699fcef
|
rearrange /mnt structure for host-based subdirs
e.g. /mnt/servo/media, /mnt/desko/home, etc
|
2024-02-06 05:48:11 +00:00 |
|
|
|
30288cd67f
|
user: add CAP_NET_ADMIN,CAP_NET_RAW even outside of systemd session
in fact, *only* outside of systemd session because they broke ambient caps in 255
|
2024-01-31 15:42:43 +00:00 |
|
|
|
381da74e6c
|
users: enable pam_cap for "login" program
|
2024-01-28 17:55:19 +00:00 |
|
|
|
563a75e9b2
|
users: launch entire systemd --user namespace with cap_net_admin, cap_net_raw
this should make sandboxing wireshark *much* easier, and same with things which require net namespaces, in the future
|
2024-01-25 15:05:35 +00:00 |
|
|
|
9ecd0adcbe
|
firefox: sandbox with firejail
TODO: get it so open-in-mpv launches an mpv that has access to ~/.config/mpv
i guess this is the 'firejail url problem'
|
2024-01-21 23:59:15 +00:00 |
|
|
|
e2a43ddfa0
|
servo: clightning: allow group members to run lightning-cli
|
2024-01-11 15:59:32 +00:00 |
|
|
|
2d65282643
|
nixremote: define the user as part of the nixserve module
|
2023-11-23 02:08:45 +00:00 |
|
|
|
0bd9125484
|
remote builder: simplify auth
|
2023-11-23 02:06:54 +00:00 |
|
|
|
f26b64c660
|
nixremote: fix up perms
|
2023-11-23 01:44:27 +00:00 |
|
|
|
3ff9c0ad0c
|
add a "nixremote" user for remote bulding (experimental; builds arent actually enabled yet)
|
2023-11-23 01:27:28 +00:00 |
|
|
|
28d4a4b065
|
persistence: move stores behind a byStore attr to support disabling persistence altogether (for e.g. rescue image)
|
2023-11-08 15:33:15 +00:00 |
|
|
|
4c708baf63
|
remove Videos/servo-incomplete symlink
|
2023-10-02 03:23:44 +00:00 |
|
|
|
cb3cf57465
|
cargo: when enabled, persist ~/.cargo
|
2023-09-30 02:57:30 +00:00 |
|
|
|
321cc62ca0
|
passwordFile -> hashedPasswordFile to fix deprecation warning
|
2023-09-16 08:17:48 +00:00 |
|
|
|
d87015836e
|
swaync: integrate with feedbackd for notification sounds
|
2023-09-15 10:20:18 +00:00 |
|
|
|
56ad2370dc
|
colin: add to systemd-journal group
|
2023-09-12 00:06:00 +00:00 |
|
|
|
edf936820a
|
transmission: fix permission-related errors
|
2023-09-07 06:14:11 +00:00 |
|
|
|
4fdf74fdbe
|
export: enforce a quota
|
2023-09-01 03:37:33 +00:00 |
|
|
|
c824751682
|
~: don't symlink ~/Music/servo
it gets in the way for devices that have a full copy of their music
|
2023-08-14 08:10:06 +00:00 |
|
|
|
44b15ba8ed
|
users: apply default permissions to any user who goes through the sane.users module
|
2023-07-14 23:56:01 +00:00 |
|
|
|
8feafbb615
|
pinephone: fix flashlight permissions, the proper way (udev)
|
2023-07-14 05:55:44 +00:00 |
|
|
|
f2eba95dfc
|
users/colin: persist some notable cache directories
|
2023-07-13 07:17:27 +00:00 |
|
|
|
427e6bb696
|
/root: back by a physical store
|
2023-07-13 06:50:46 +00:00 |
|
|
|
0a519eddb4
|
persist: allow persisting of individual files, not just directories
i actually do already, with ~/.ssh/id_ed25519 -- it works only as a fluke
|
2023-07-08 01:31:14 +00:00 |
|
|
|
ebf6f46948
|
persist ~/Books
|
2023-07-03 22:38:30 +00:00 |
|
|
|
5db9c4f558
|
nix-index/nix-locate: re-enable
|
2023-06-29 21:24:32 +00:00 |
|
|
|
dbd312e9bd
|
guest: enable access to shelvacu
|
2023-06-29 09:11:22 +00:00 |
|
|
|
038d252f7d
|
guest: allow external configuration of authorized ssh keys
|
2023-06-28 03:53:19 +00:00 |
|
|
|
68cda2006b
|
cleanup/refactor users
|
2023-06-28 03:46:29 +00:00 |
|
|
|
ddf79e54e9
|
users: split colin and guest apart
|
2023-06-28 03:34:15 +00:00 |
|
|
|
ac5e2cc023
|
users.nix: move to subdir
|
2023-06-28 03:21:05 +00:00 |
|
