colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity
4,990 Commits 125 Branches 1 Tag 12 MiB
82c386a6a4
Commit Graph

4990 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Colin
82c386a6a4 programs: tor-browser-bundle-bin -> tor-browser 
they're the same (aliased), only my programs API expects 'tor-browser' specifically
 2024-02-13 11:58:33 +00:00
Colin
634dc318cd programs: spotify: remove old/unused firejail config 2024-02-13 11:15:30 +00:00
Colin
6eaaeeb91a programs: remove audio from the sandbox by default 2024-02-13 11:14:38 +00:00
Colin
94be4a7551 programs: wob: fix service definition (Exec -> ExecStart) 2024-02-13 11:03:18 +00:00
Colin
b4a20da78a programs: brightnessctl: sandbox 2024-02-13 10:55:44 +00:00
Colin
bb68506839 modules/programs: add separate "user" v.s. "system" options for whitelistDbus 2024-02-13 10:55:10 +00:00
Colin
77e2af0ed9 programs: krita: enable sandbox 2024-02-13 10:36:42 +00:00
Colin
126f3e4922 programs: sandboxing: restrict /run/user dir to just dbus/pipewire/pulse/wayland, by default 2024-02-13 10:28:30 +00:00
Colin
73afceb8c6 modules/programs: sandbox: add whitelistWayland option 2024-02-13 10:24:35 +00:00
Colin
371af5939e programs: mpv: tighten the /run/user portion of the sandbox 2024-02-12 15:24:07 +00:00
Colin
27fd81ad80 modules/programs: add new options for whitelisting audio/dbus 2024-02-12 15:23:35 +00:00
Colin
d82b4b0f62 modules/programs: sane-sandboxed: reorder the --sane-sandbox-profile-dir arg so it takes precedence 2024-02-12 14:56:48 +00:00
Colin
7b28023e08 modules/programs: re-introduce the "withEmbeddedSandboxer" passthru attr 2024-02-12 14:27:48 +00:00
Colin
2b9db897a1 implement sane.defaultUser attr 2024-02-12 14:27:32 +00:00
Colin
6124cb9b36 modules/programs: sane-sandboxed: search for profiles in XDG_DATA_DIRS, not NIX_PROFILES 2024-02-12 13:16:48 +00:00
Colin
b0394d877d modules/programs: rename allowedRootPaths -> allowedPaths 
now that allowedHomePaths doesn't exist
 2024-02-12 13:00:10 +00:00
Colin
14d8230821 modules/programs: sane-sandboxed: remove --sane-sandbox-home-path argument and plumbing 
no longer needed, and mixing this with root paths is liable to cause troubles at this point, around symlink dereferencing/canonicalization/etc
 2024-02-12 12:57:54 +00:00
Colin
e94e338040 programs: handbrake: remove unneeded Pictures/servo-macros from sandbox 2024-02-12 12:54:41 +00:00
Colin
354ce378f6 programs: assorted: convert /mnt/servo "extraPaths" into "extraHomePaths" where possible 2024-02-12 12:54:16 +00:00
Colin
a90b5b53db modules/programs: sandboxing: dereference symlinks and also include those in the sandbox 2024-02-12 12:48:02 +00:00
Colin
eee3e138ff modules/programs: sandboxing: allow specifying individual /run/user/$uid paths to expose to the sandbox 2024-02-12 12:18:59 +00:00
Colin
f61cd17e99 modules/programs: sandboxing: specialize profiles per-user by expanding $HOME 2024-02-12 12:08:58 +00:00
Colin
3e0b0a0f02 modules/programs: make-sandboxed: lift profile creation logic out to the toplevel 2024-02-12 11:52:33 +00:00
Colin
2ee34e9af3 modules/profiles: remove sandbox.embedProfile option 
with upcoming refactors, this setting would force a different package to be installed per user, which doesn't mesh with the existing sane.programs infra
 2024-02-12 11:35:59 +00:00
Colin
f9a998eb92 programs: koreader: remove "sandbox.embedProfile = true" 
i guess this was set while i was debugging
 2024-02-12 11:33:55 +00:00
Colin
7c05d221d6 modules/programs: split "make-sandbox-profile" out of "make-sandboxed" 2024-02-12 11:20:40 +00:00
Colin
93012664e5 modules/programs: simplify how sandbox profiles make it into system packages 2024-02-12 10:52:44 +00:00
Colin
c424f7ac3b sane-sandboxed: load all profiles, not just the first one we find 
this allows some amount of overriding, or splitting profiles between system and user dirs
 2024-02-12 10:40:15 +00:00
Colin
088b6f1b9a sane-sandboxed: load profiles via $NIX_PROFILES env var 2024-02-12 10:37:26 +00:00
Colin
96575acf3a programs: sane-sandboxed: move parseArgsExtra to outer scope; improve docs 2024-02-12 10:28:14 +00:00
Colin
1e05119adc mpv: fix loading of album art within sandbox 2024-02-12 08:59:46 +00:00
Colin
e81df0ac86 modules/programs: enforce that user services don't accidentally override PATH 2024-02-12 08:44:55 +00:00
Colin
b19492ba23 programs: mpv: add .config/mpv to sandbox paths 2024-02-12 08:26:51 +00:00
Colin
8b26fa1303 programs: wob: split the script into an actual package 2024-02-12 08:26:51 +00:00
Colin
c0883dc777 sway: refactor: store sway-portals.conf in the user dir instead of system-wide 
it's a user service, so prefer to configure it via user/home conf dirs
 2024-02-12 07:13:39 +00:00
Colin
6b3a71aadf programs: xdg-desktop-portal: dont show app chooser for apps which are the default association 2024-02-12 07:12:04 +00:00
Colin
8d0d20757e gui: fold xdg-desktop-portal.nix back into sway config 2024-02-12 01:38:05 +00:00
Colin
66ca822ac1 remove xdg-desktop-portal-gtk service; xdg-desktop-portal knows how to start that itself 2024-02-12 01:33:34 +00:00
Colin
db7a414030 xdg-desktop-portal(s): dont install globally 2024-02-12 01:16:17 +00:00
Colin
87050a0500 feeds: add "FullTimeNix" podcast :) 2024-02-12 00:09:49 +00:00
Colin
bf53e3628a xdg-utils: cleanup 2024-02-11 23:57:50 +00:00
Colin
d35f938806 mime.nix: fix cross build 2024-02-11 23:44:55 +00:00
Colin
d719eb0f11 programs: gPodder: enable Videos/gPodder in sandbox 2024-02-11 23:37:16 +00:00
Colin
0861edd7f9 modules/programs: remove ~/.config/mimeo from sandbox defaults 2024-02-11 23:35:27 +00:00
Colin
b6bf8720c9 modules/programs: implement --sane-sandbox-portal flag for apps which want to use the portal to open other apps 2024-02-11 23:32:24 +00:00
Colin
0fbc10fce3 mime: store mime associations in ~/.local/share/applications instead of /run/current-system/sw/share/applications to facilitate sandboxing 2024-02-11 23:31:43 +00:00
Colin
772f1070e7 xdg-desktop-portal: configure myself, to unblock future portal-related work 2024-02-11 23:29:07 +00:00
Colin
50c6e406bc programs: disable zecwallet-lite 2024-02-09 20:23:56 +00:00
Colin
41020b2c0d nixpkgs: 2024-02-08 -> 2024-02-09 
```
• Updated input 'nixpkgs-next-unpatched':
    'github:nixos/nixpkgs/74098fff8838394e2cdf78012bbc7f5bf835197e' (2024-02-08)
  → 'github:nixos/nixpkgs/b38903da74d4fa07bd7045e89bb31e6d4cc13548' (2024-02-09)
• Updated input 'nixpkgs-unpatched':
    'github:nixos/nixpkgs/075bf9cffe5b04d39874747239022de9aec5cdcd' (2024-02-08)
  → 'github:nixos/nixpkgs/410b90f31644cc71ffc145261d76a351012aac66' (2024-02-09)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/23f61b897c00b66855074db471ba016e0cda20dd' (2024-02-04)
  → 'github:Mic92/sops-nix/2168851d58595431ee11ebfc3a49d60d318b7312' (2024-02-08)
• Updated input 'sops-nix/nixpkgs-stable':
    'github:NixOS/nixpkgs/9a333eaa80901efe01df07eade2c16d183761fa3' (2024-01-22)
  → 'github:NixOS/nixpkgs/bc6cb3d59b7aab88e967264254f8c1aa4c0284e9' (2024-02-08)
```
 2024-02-09 10:39:27 +00:00
Colin
590a239f7d programs: gpodder: sandbox with bwrap 
which we can do, now that xdg-open works correctly within sandboxes
 2024-02-09 10:31:42 +00:00