73afceb8c6
modules/programs: sandbox: add whitelistWayland option
2024-02-13 10:24:35 +00:00
371af5939e
programs: mpv: tighten the /run/user portion of the sandbox
2024-02-12 15:24:07 +00:00
27fd81ad80
modules/programs: add new options for whitelisting audio/dbus
2024-02-12 15:23:35 +00:00
d82b4b0f62
modules/programs: sane-sandboxed: reorder the --sane-sandbox-profile-dir arg so it takes precedence
2024-02-12 14:56:48 +00:00
7b28023e08
modules/programs: re-introduce the "withEmbeddedSandboxer" passthru attr
2024-02-12 14:27:48 +00:00
2b9db897a1
implement sane.defaultUser attr
2024-02-12 14:27:32 +00:00
6124cb9b36
modules/programs: sane-sandboxed: search for profiles in XDG_DATA_DIRS, not NIX_PROFILES
2024-02-12 13:16:48 +00:00
b0394d877d
modules/programs: rename allowedRootPaths -> allowedPaths
now that allowedHomePaths doesn't exist
2024-02-12 13:00:10 +00:00
14d8230821
modules/programs: sane-sandboxed: remove --sane-sandbox-home-path argument and plumbing
no longer needed, and mixing this with root paths is liable to cause troubles at this point, around symlink dereferencing/canonicalization/etc
2024-02-12 12:57:54 +00:00
e94e338040
programs: handbrake: remove unneeded Pictures/servo-macros from sandbox
2024-02-12 12:54:41 +00:00
354ce378f6
programs: assorted: convert /mnt/servo "extraPaths" into "extraHomePaths" where possible
2024-02-12 12:54:16 +00:00
a90b5b53db
modules/programs: sandboxing: dereference symlinks and also include those in the sandbox
2024-02-12 12:48:02 +00:00
eee3e138ff
modules/programs: sandboxing: allow specifying individual /run/user/$uid paths to expose to the sandbox
2024-02-12 12:18:59 +00:00
f61cd17e99
modules/programs: sandboxing: specialize profiles per-user by expanding $HOME
2024-02-12 12:08:58 +00:00
3e0b0a0f02
modules/programs: make-sandboxed: lift profile creation logic out to the toplevel
2024-02-12 11:52:33 +00:00
2ee34e9af3
modules/profiles: remove sandbox.embedProfile option
with upcoming refactors, this setting would force a different package to be installed per user, which doesn't mesh with the existing sane.programs infra
2024-02-12 11:35:59 +00:00
f9a998eb92
programs: koreader: remove "sandbox.embedProfile = true"
I guess this was set while I was debugging
2024-02-12 11:33:55 +00:00
7c05d221d6
modules/programs: split "make-sandbox-profile" out of "make-sandboxed"
2024-02-12 11:20:40 +00:00
93012664e5
modules/programs: simplify how sandbox profiles make it into system packages
2024-02-12 10:52:44 +00:00
c424f7ac3b
sane-sandboxed: load all profiles, not just the first one we find
this allows some amount of overriding, or splitting profiles between system and user dirs
2024-02-12 10:40:15 +00:00
088b6f1b9a
sane-sandboxed: load profiles via $NIX_PROFILES env var
2024-02-12 10:37:26 +00:00
96575acf3a
programs: sane-sandboxed: move parseArgsExtra to outer scope; improve docs
2024-02-12 10:28:14 +00:00
1e05119adc
mpv: fix loading of album art within sandbox
2024-02-12 08:59:46 +00:00
e81df0ac86
modules/programs: enforce that user services don't accidentally override PATH
2024-02-12 08:44:55 +00:00
b19492ba23
programs: mpv: add .config/mpv to sandbox paths
2024-02-12 08:26:51 +00:00
8b26fa1303
programs: wob: split the script into an actual package
2024-02-12 08:26:51 +00:00
c0883dc777
sway: refactor: store sway-portals.conf in the user dir instead of system-wide
it's a user service, so prefer to configure it via user/home conf dirs
2024-02-12 07:13:39 +00:00
6b3a71aadf
programs: xdg-desktop-portal: don't show app chooser for apps which are the default association
2024-02-12 07:12:04 +00:00
8d0d20757e
gui: fold xdg-desktop-portal.nix back into sway config
2024-02-12 01:38:05 +00:00
66ca822ac1
remove xdg-desktop-portal-gtk service; xdg-desktop-portal knows how to start that itself
2024-02-12 01:33:34 +00:00
db7a414030
xdg-desktop-portal(s): don't install globally
2024-02-12 01:16:17 +00:00
87050a0500
feeds: add "FullTimeNix" podcast :)
2024-02-12 00:09:49 +00:00
bf53e3628a
xdg-utils: cleanup
2024-02-11 23:57:50 +00:00
d35f938806
mime.nix: fix cross build
2024-02-11 23:44:55 +00:00
d719eb0f11
programs: gPodder: enable Videos/gPodder in sandbox
2024-02-11 23:37:16 +00:00
0861edd7f9
modules/programs: remove ~/.config/mimeo from sandbox defaults
2024-02-11 23:35:27 +00:00
b6bf8720c9
modules/programs: implement --sane-sandbox-portal flag for apps which want to use the portal to open other apps
2024-02-11 23:32:24 +00:00
0fbc10fce3
mime: store mime associations in ~/.local/share/applications instead of /run/current-system/sw/share/applications to facilitate sandboxing
2024-02-11 23:31:43 +00:00
772f1070e7
xdg-desktop-portal: configure myself, to unblock future portal-related work
2024-02-11 23:29:07 +00:00
50c6e406bc
programs: disable zecwallet-lite
2024-02-09 20:23:56 +00:00
41020b2c0d
nixpkgs: 2024-02-08 -> 2024-02-09
```
• Updated input 'nixpkgs-next-unpatched':
'github:nixos/nixpkgs/74098fff8838394e2cdf78012bbc7f5bf835197e' (2024-02-08)
→ 'github:nixos/nixpkgs/b38903da74d4fa07bd7045e89bb31e6d4cc13548' (2024-02-09)
• Updated input 'nixpkgs-unpatched':
'github:nixos/nixpkgs/075bf9cffe5b04d39874747239022de9aec5cdcd' (2024-02-08)
→ 'github:nixos/nixpkgs/410b90f31644cc71ffc145261d76a351012aac66' (2024-02-09)
• Updated input 'sops-nix':
'github:Mic92/sops-nix/23f61b897c00b66855074db471ba016e0cda20dd' (2024-02-04)
→ 'github:Mic92/sops-nix/2168851d58595431ee11ebfc3a49d60d318b7312' (2024-02-08)
• Updated input 'sops-nix/nixpkgs-stable':
'github:NixOS/nixpkgs/9a333eaa80901efe01df07eade2c16d183761fa3' (2024-01-22)
→ 'github:NixOS/nixpkgs/bc6cb3d59b7aab88e967264254f8c1aa4c0284e9' (2024-02-08)
```
2024-02-09 10:39:27 +00:00
590a239f7d
programs: gpodder: sandbox with bwrap
which we can do, now that xdg-open works correctly within sandboxes
2024-02-09 10:31:42 +00:00
bcbc57f5ef
programs: get xdg-open to work from within sandboxes
note that the implementation may have a quirk: applications launched via the portal cannot themselves "xdg-open" through the portal, because of the environment variable manipulation.
not sure how best to address that.
2024-02-09 10:27:30 +00:00
0d3adcdc5c
modules: users: have user services inherit PATH from environment rather than forcibly overwriting it
2024-02-09 09:50:26 +00:00
d19907a38d
sway: enable OpenURI interface in xdg-desktop-portal
2024-02-09 05:57:02 +00:00
9ac0e0e4fc
modules/programs: put things in a pid namespace by default
2024-02-08 23:36:59 +00:00
c9af5bf9b4
programs: sandboxing: enable net isolation for most sandboxed programs
2024-02-08 21:51:32 +00:00
bc85169e3d
programs: sandboxer: allow disable net access
2024-02-08 21:07:34 +00:00
7b9b3344a0
nixpkgs: 2024-02-07 -> 2024-02-08
```
• Updated input 'nixpkgs-next-unpatched':
'github:nixos/nixpkgs/966fd30804ad0e400fa3502e9f848bfad63b1852' (2024-02-07)
→ 'github:nixos/nixpkgs/74098fff8838394e2cdf78012bbc7f5bf835197e' (2024-02-08)
• Updated input 'nixpkgs-unpatched':
'github:nixos/nixpkgs/be4596f17b30403478c629b27d87fd914a2b9f8a' (2024-02-07)
→ 'github:nixos/nixpkgs/075bf9cffe5b04d39874747239022de9aec5cdcd' (2024-02-08)
```
2024-02-08 11:09:25 +00:00
f6ca6210f9
feeds: link to podcastindex.org
2024-02-07 21:47:19 +00:00