|
bb569b1668
|
sane-vpn: port away from systemd so that i can use it as an ordinary user (no sudo)
|
2024-02-20 22:21:02 +00:00 |
|
|
71025329e7
|
programs: sane-dev-cargo-loop: sandbox
|
2024-02-20 19:26:38 +00:00 |
|
|
ca4d1e3b9d
|
programs: sane-tag-music: sandbox
|
2024-02-20 19:26:18 +00:00 |
|
|
284b698015
|
sane-reclaim-boot-space: fix, and sandbox
well i didn't get to test this thoroughly: might still have problems
|
2024-02-20 19:16:36 +00:00 |
|
|
bc50daf685
|
nix.settings: port to structured attrs
|
2024-02-20 18:35:03 +00:00 |
|
|
47dcfb9cba
|
fix nix.settings.nix-path to actually take effect
now i can `nix-shell` again! nix-path takes precedence over `NIX_PATH`
env var.
|
2024-02-20 17:54:25 +00:00 |
|
|
2bd99f6e51
|
remove no-longer-needed nix trusted-users setting
well, it *seems* to work, at least!
|
2024-02-20 13:43:41 +00:00 |
|
|
8beac8df2f
|
programs: sandbox sane-shutdown, sane-reboot
|
2024-02-20 13:43:05 +00:00 |
|
|
58db553c84
|
programs: unl0kr: sandbox
|
2024-02-20 13:29:56 +00:00 |
|
|
2ea3776d84
|
programs: sane-sync-from-servo: remove
this was obsoleted by the top-level flake `sync` scripts
|
2024-02-20 13:16:21 +00:00 |
|
|
d596d005ca
|
systemd: configure a 25s stop timeout for the user manager too (hopefully)
|
2024-02-20 13:11:47 +00:00 |
|
|
e92db138ef
|
systemd: allow ordinary users to invoke shutdown/reboot
|
2024-02-20 12:25:04 +00:00 |
|
|
5fed127c23
|
refactor: split systemd config into own file
|
2024-02-20 12:18:28 +00:00 |
|
|
db49f0461c
|
refactor: move nix stuff out of common/default.nix -> common/nix/default.nix
|
2024-02-20 12:16:00 +00:00 |
|
|
73bb7827c0
|
refactor: nix-path/ -> nix/
|
2024-02-20 12:13:52 +00:00 |
|
|
a624571b22
|
move glib program recommendation into programs/assorted.nix
|
2024-02-20 12:11:26 +00:00 |
|
|
53cbe5c8da
|
dconf: split into own sane.programs definition
|
2024-02-20 12:09:52 +00:00 |
|
|
46de7b7e0d
|
move environment.defaultPackages clearing into polyunfill.nix
|
2024-02-20 11:54:39 +00:00 |
|
|
d7be5da483
|
warnings.nix: port to a proper module
|
2024-02-20 11:19:12 +00:00 |
|
|
902e351085
|
hack: silence the warning about using hashedPasswordFile *and* initialPassword
see: <https://github.com/NixOS/nixpkgs/pull/287506>
i'll factor this into something more general, later
|
2024-02-20 11:11:07 +00:00 |
|
|
a05184f956
|
programs: neovim: fix nvim-treesitter typo
|
2024-02-20 10:23:52 +00:00 |
|
|
36ad2d5421
|
programs: unl0kr: auto-derive the user option
|
2024-02-20 07:21:22 +00:00 |
|
|
b0f62830a5
|
unl0kr: port to sane.programs
|
2024-02-20 07:14:30 +00:00 |
|
|
f970679266
|
sxmo: remove symlinks for legacy sxmo_hook_{poweroff,reboot}.sh
|
2024-02-20 06:49:42 +00:00 |
|
|
c7f4661c1c
|
programs: htop: persist config
|
2024-02-20 05:38:45 +00:00 |
|
|
e8306831c5
|
programs: qemu: mark as slowToBuild
|
2024-02-20 05:34:47 +00:00 |
|
|
41b1a013d7
|
programs: sane-sudo-redirect: disable sandbox
|
2024-02-19 17:09:27 +00:00 |
|
|
f785ccd351
|
programs: sane-reclaim-disk-space: sandbox
|
2024-02-19 17:06:22 +00:00 |
|
|
48744dcaaa
|
programs: sane-ip-reconnect: remove (unused)
|
2024-02-19 17:05:27 +00:00 |
|
|
9373864b60
|
programs: sane-git-init: remove (unused)
|
2024-02-19 16:53:59 +00:00 |
|
|
c16c9dfe0b
|
programs: sandbox a bunch of sane scripts
|
2024-02-19 16:51:53 +00:00 |
|
|
2d17826731
|
programs: eza: sandbox with bwrap instead of landlock
|
2024-02-19 15:32:40 +00:00 |
|
|
de297f22be
|
programs: split sane-scripts out of assorted.nix
|
2024-02-19 14:19:10 +00:00 |
|
|
4b47b76461
|
programs: sfeed: sandbox
|
2024-02-19 14:14:59 +00:00 |
|
|
3effd59c9b
|
xdg-desktop-portal-{gtk,wlr}: start via service manager, with ordered deps, instead of letting dbus activate it for us
that gets more reliable environment importing, etc
|
2024-02-19 13:44:23 +00:00 |
|
|
44647e0d36
|
programs: forkstat: sandbox
|
2024-02-19 13:15:15 +00:00 |
|
|
da1053d635
|
programs: configure auto-launching programs to only start *after* graphical-session.target
this ensures they really have their environment
|
2024-02-19 12:58:08 +00:00 |
|
|
273b1b84e3
|
systemd: reduce the stop job timeout
|
2024-02-19 12:58:08 +00:00 |
|
|
0b6b98bba6
|
sway: add a safeguard to catch if the systemd environ race condition is re-introduced
|
2024-02-19 12:58:08 +00:00 |
|
|
8886177c23
|
xdg-desktop-portal: fix it to find all the portal configs again
maybe i broke this when i simplified XDG_CONFIG_DIRS? not sure
|
2024-02-19 12:58:08 +00:00 |
|
|
7e343bfc05
|
sway: fix race condition around dbus/systemd environment importing
|
2024-02-19 10:52:51 +00:00 |
|
|
f72bdb6f3a
|
activationScripts: notify on deploy: fix to work with new SWAYSOCK name
|
2024-02-19 08:21:23 +00:00 |
|
|
5666a05ef0
|
strip out a bunch of unused nixpkgs defaults
|
2024-02-19 06:20:13 +00:00 |
|
|
35b4cc779f
|
megapixels: switch to bwrap, to support Loupe image viewer
|
2024-02-18 18:46:37 +00:00 |
|
|
c7d111a318
|
megapixels: 1.7.0 -> 1.8.0
|
2024-02-18 18:27:47 +00:00 |
|
|
7e5eb6324d
|
megapixels: sandbox
it's iffy... 1.8.0 is released, which can be sandboxed w/o sys/dev/char or ~/.local/share/applications, but seems to be even flakier
|
2024-02-18 17:44:49 +00:00 |
|
|
55c305812d
|
WIP: megapixels: sandbox
|
2024-02-18 13:53:18 +00:00 |
|
|
67395bdcd3
|
programs: ship forkstat
|
2024-02-18 11:58:30 +00:00 |
|
|
90ceeede74
|
programs: flare-signal: disable (unused)
|
2024-02-18 07:07:29 +00:00 |
|
|
32a704b1b8
|
moby: disable unused "calls" program
i may have future use for it, but as-is currently it's not worth the difficulty of sandboxing
|
2024-02-18 07:07:29 +00:00 |
|
|
a591be98d4
|
programs: portfolio-filemanager: sandbox
|
2024-02-18 07:07:29 +00:00 |
|
|
82e028e37d
|
programs: nautilus: assign a mime priority
|
2024-02-18 07:07:29 +00:00 |
|
|
a531676d0d
|
mime: include an error message when two file associations have identical mime priority
|
2024-02-18 07:07:29 +00:00 |
|
|
7f7543ee78
|
programs: planify: sandbox
|
2024-02-18 07:07:29 +00:00 |
|
|
8d0e3e0db3
|
programs: notejot: sandbox
|
2024-02-18 07:07:29 +00:00 |
|
|
bf352d184c
|
programs: tangram: sandbox
|
2024-02-18 07:07:29 +00:00 |
|
|
81a6600f54
|
programs: xarchiver: sandbox
|
2024-02-18 07:07:29 +00:00 |
|
|
536f0aedc3
|
open-in-mpv: remove my patch which has been upstreamed, previously required to use xdg-open
|
2024-02-18 04:52:27 +00:00 |
|
|
408059420d
|
snippets: prefer the repology link which specifically shows my outdated packages
|
2024-02-18 04:15:05 +00:00 |
|
|
6760fcf1f4
|
snippets: remove home-manager; add repology
|
2024-02-18 03:43:32 +00:00 |
|
|
98aafead94
|
programs: wob: add missing "coreutils" dep
it *should* be acquired via user's PATH, but wob-pulse can start before sway imports PATH to systemd
|
2024-02-17 16:38:22 +00:00 |
|
|
f8663cd827
|
programs: monero-gui: sandbox
|
2024-02-17 16:06:58 +00:00 |
|
|
af1ee1734d
|
programs: wireguard-tools: sandbox
|
2024-02-17 15:54:16 +00:00 |
|
|
5375cab716
|
programs: ntfy-sh: sandbox
|
2024-02-17 15:47:47 +00:00 |
|
|
162b3f5674
|
imagemagick: don't add 'ghostscript' package to path
|
2024-02-17 15:45:50 +00:00 |
|
|
a729f91d21
|
programs: jq: add working sandbox criteria, but don't enable yet
i need to handle the extremely common `cat foo | jq .` without adding
`.` to the sandbox
|
2024-02-17 15:36:41 +00:00 |
|
|
a273b559e2
|
programs: gnome-disk-utility: sandbox
|
2024-02-17 15:36:28 +00:00 |
|
|
785b375671
|
programs: smartmontools (smartctl): sandbox
|
2024-02-17 15:36:13 +00:00 |
|
|
24cba0c856
|
programs: xq: remove
|
2024-02-17 15:30:23 +00:00 |
|
|
df1db5d01c
|
programs: sox: sandbox
|
2024-02-17 15:27:22 +00:00 |
|
|
6749b64bca
|
programs: nautilus: add mounted media to the sandbox
|
2024-02-17 15:26:49 +00:00 |
|
|
d3e4bdfcd5
|
programs: gdisk: fix sandboxing
|
2024-02-17 15:26:16 +00:00 |
|
|
799cd4373f
|
programs: socat: disable
|
2024-02-17 15:11:12 +00:00 |
|
|
2efa6d1e27
|
programs: mepo: sandbox
|
2024-02-17 15:08:21 +00:00 |
|
|
a1470956a5
|
programs: gdisk: sandbox
|
2024-02-17 14:57:33 +00:00 |
|
|
556c20bc04
|
programs: vulkan-tools: sandbox
|
2024-02-17 14:53:22 +00:00 |
|
|
cf5f58dda6
|
programs: nmap: sandbox
|
2024-02-17 14:51:26 +00:00 |
|
|
fd30f7abbc
|
dev-machines: disable broken ldd-aarch64 program
|
2024-02-17 14:47:28 +00:00 |
|
|
6f8c299c69
|
programs: xdg-desktop-portal: log more
|
2024-02-17 14:40:56 +00:00 |
|
|
bbf7aac062
|
programs: gnome-frog: sandbox
|
2024-02-17 14:40:42 +00:00 |
|
|
7d1fd2f30a
|
programs: nvme-cli: sandbox
|
2024-02-17 14:40:29 +00:00 |
|
|
472987f164
|
programs: gimp: fix sandboxing failure
|
2024-02-17 13:43:35 +00:00 |
|
|
784c2145f3
|
programs: iputils: sandbox
|
2024-02-17 03:33:05 +00:00 |
|
|
0000afb315
|
programs: make nixosBuiltins package set more precise
|
2024-02-17 03:08:14 +00:00 |
|
|
31fa21bd20
|
programs: host/iproute2/iw/nettools/wirelesstools: sandbox
|
2024-02-17 03:05:58 +00:00 |
|
|
9510817604
|
programs: document nixosBuiltins programs
|
2024-02-17 02:40:28 +00:00 |
|
|
4a84de3ee4
|
programs: inetutils/iptables: sandbox
|
2024-02-17 02:32:57 +00:00 |
|
|
ab42a4cc5a
|
programs: qemu: disable sandbox
|
2024-02-17 01:43:58 +00:00 |
|
|
f6537b083a
|
programs: discord: add dbus to sandbox
|
2024-02-17 01:42:22 +00:00 |
|
|
5ff1d014b8
|
servo: transmission: fix user agent
|
2024-02-17 01:35:40 +00:00 |
|
|
1b4306e649
|
programs: switch bridge-utils, btrfs-progs from landlock -> bwrap
landlock can't isolate net yet, so bwrap gives better sandboxing
|
2024-02-16 15:32:41 +00:00 |
|
|
af8a8358bd
|
programs: hdparm: sandbox
|
2024-02-16 15:32:41 +00:00 |
|
|
464c6c56c5
|
programs: btrfs-progs: sandbox
|
2024-02-16 15:32:41 +00:00 |
|
|
8e314e8b73
|
programs: bridge-utils: sandbox
|
2024-02-16 15:32:41 +00:00 |
|
|
198029f95f
|
programs: netcat: sandbox
|
2024-02-16 15:32:41 +00:00 |
|
|
1d646459ab
|
programs: pulsemixer: sandbox
|
2024-02-16 15:32:41 +00:00 |
|
|
8f3bab3636
|
programs: sort
|
2024-02-16 15:32:41 +00:00 |
|
|
a909a93c29
|
programs: strings: fix sandboxing
|
2024-02-16 15:32:41 +00:00 |
|
|
6aaa724abf
|
programs: strings: sandbox
|
2024-02-16 14:57:25 +00:00 |
|
|
a1c721d5b4
|
programs: binutils-unwrapped -> strings: distribute just the binary i care about
|
2024-02-16 14:57:25 +00:00 |
|
|
4002a57e03
|
servo: transmission: advertise as 3.00 to deal with old trackers
|
2024-02-16 12:58:08 +00:00 |
|
|
74a0b0d125
|
gitea: serve phone-case-cq/ build files as proper html/js content type
|
2024-02-16 12:07:28 +00:00 |
|
|
cd3b4dde7b
|
programs: nix-index: sandbox
|
2024-02-16 11:39:05 +00:00 |
|
|
a9d384688a
|
programs: alsaUtils: sandbox
|
2024-02-16 11:28:43 +00:00 |
|
|
fffd6f4204
|
programs: pciutils: sandbox
|
2024-02-16 11:12:47 +00:00 |
|
|
324485d105
|
programs: networkmanagerapplet: sandbox
|
2024-02-16 11:07:24 +00:00 |
|
|
7cb8b144b2
|
programs: sandbox fatresize
|
2024-02-16 10:45:56 +00:00 |
|
|
c2bb97e7e6
|
programs: ethtool: sandbox
|
2024-02-16 10:38:39 +00:00 |
|
|
3cbdc03369
|
programs: zeal: disable sandboxing
|
2024-02-16 10:32:49 +00:00 |
|
|
5c7fa591a0
|
programs: sandbox: dtrx/e2fsprogs/efibootmgr/electrum
|
2024-02-16 10:32:18 +00:00 |
|
|
18c54e8b04
|
programs: sandbox cryptsetup and ddrescue (latter is untested, probably lacking!)
|
2024-02-16 10:05:24 +00:00 |
|
|
1416856fb6
|
programs: blueberry: sandbox
|
2024-02-16 07:58:00 +00:00 |
|
|
2a5bc6f612
|
programs: util-linux: disable sandbox
|
2024-02-16 07:37:59 +00:00 |
|
|
c56a6a8c24
|
programs: disable libcap_ng since it can't sandbox
|
2024-02-16 07:32:34 +00:00 |
|
|
f5a4bdedaf
|
programs: libcap_ng (netcap): disable sandbox
|
2024-02-16 07:32:05 +00:00 |
|
|
114a45f347
|
programs: pstree: sandbox
|
2024-02-16 06:57:45 +00:00 |
|
|
d53344d527
|
programs: killall: sandbox
|
2024-02-16 06:57:32 +00:00 |
|
|
561447de70
|
programs: shattered-pixel-dungeon: sandbox
|
2024-02-16 06:57:03 +00:00 |
|
|
9cc12fab5d
|
programs: gpodder: fix to work in sandbox (add dbus)
|
2024-02-16 06:07:46 +00:00 |
|
|
5cda3b2805
|
programs: firefox/fractal: document portal filechooser limitations
|
2024-02-16 05:49:56 +00:00 |
|
|
4afd56ff4c
|
programs: powertop: fix capabilities typo in sandbox definition
|
2024-02-16 05:49:13 +00:00 |
|
|
00e4078300
|
programs: disable lemoa. it's broken and development doesn't seem to be progressing
|
2024-02-16 05:34:24 +00:00 |
|
|
94b4f78e39
|
programs: lemoa: sandbox
|
2024-02-16 05:32:22 +00:00 |
|
|
3fd89ec91b
|
programs: sandbox powertop
|
2024-02-16 05:28:17 +00:00 |
|
|
4085828575
|
programs: sandbox parted
|
2024-02-16 05:28:07 +00:00 |
|
|
1a972927b6
|
programs: sandbox nethogs, nmon, nixpkgs-review
|
2024-02-16 05:27:50 +00:00 |
|
|
5f3ec42f57
|
programs: sandbox lsof with capsh only
can't get it to sandbox any more aggressively with either landlock or
bwrap
|
2024-02-16 04:55:18 +00:00 |
|
|
28aaeb051f
|
programs: disable sandboxing for strace and screen
|
2024-02-16 04:51:52 +00:00 |
|
|
9d252d095e
|
programs: htop/iotop/iftop: sandbox
|
2024-02-16 04:51:18 +00:00 |
|
|
4e5e4219ec
|
programs: usbutils: sandbox
|
2024-02-16 04:03:47 +00:00 |
|
|
824dd7c1f5
|
programs: endless-sky: sandbox with bwrap
|
2024-02-16 04:00:27 +00:00 |
|
|
b840a0d61c
|
programs: space-cadet-pinball: sandbox w/ bwrap
|
2024-02-16 03:58:09 +00:00 |
|
|
36bcecfd68
|
programs: sort
|
2024-02-16 03:53:53 +00:00 |
|
|
c3a5fb9394
|
programs: wdisplays: sandbox with bwrap
|
2024-02-16 03:53:27 +00:00 |
|
|
30507c3564
|
programs: soundconverter: sandbox with bwrap
|
2024-02-16 03:51:23 +00:00 |
|
|
2b66ffc58a
|
programs: feedbackd: sandbox w/ bwrap
|
2024-02-16 03:49:59 +00:00 |
|
|
48d96c1f36
|
programs: hase: sandbox with bwrap
couldn't test the net feature, because hase servers have since gone
offline :((
|
2024-02-16 03:48:59 +00:00 |
|
|
cdf61755a3
|
programs: splatmoji: document the sandboxing approach
|
2024-02-16 03:46:48 +00:00 |
|
|
dd1dc69530
|
packages: remove unused kid3
|
2024-02-16 03:39:45 +00:00 |
|
|
481f54ea2f
|
packages: disable unused packages: makemkv, mumble, openscad
|
2024-02-16 03:20:17 +00:00 |
|
|
511752fab5
|
programs: xdg-desktop-portal{-gtk,-wlr}: enable sandbox
|
2024-02-16 03:17:19 +00:00 |
|
|
40ed7cff1b
|
programs: git: fix failing sandbox build
|
2024-02-16 03:16:46 +00:00 |
|
|
5e7f914354
|
programs: superTux: fix failing sandbox build
|
2024-02-16 03:16:28 +00:00 |
|
|
0dec8b6d5b
|
programs: fontconfig: sandbox
|
2024-02-15 18:26:45 +00:00 |
|
|
7eaffc9fa0
|
programs: w3m: enable sandbox
|
2024-02-15 18:25:48 +00:00 |
|
|
b7c1a6331d
|
programs: mate.engrampa: enable sandbox
|
2024-02-15 18:24:27 +00:00 |
|
|
d6868d58e6
|
xdg-desktop-portal: disable sandbox
|
2024-02-15 18:23:40 +00:00 |
|
|
52d768a162
|
programs: xterm: mark as not needing a sandbox
|
2024-02-15 17:26:55 +00:00 |
|
|
7a685d8de9
|
programs: inkscape: sandbox with bwrap
|
2024-02-15 17:26:37 +00:00 |
|
|
838c6d7dc8
|
programs: swaync: sandbox
|
2024-02-15 16:38:38 +00:00 |
|