9749ff0442
sane.gui.phosh: remove
2024-02-28 13:35:05 +00:00
3816393e06
rofi: try integrating rofi-emoji (failed)
2024-02-28 01:28:05 +00:00
4c6c470c86
sway: snippets: port from fuzzel -> rofi
2024-02-28 01:26:22 +00:00
409a4db232
splatmoji: use rofi instead of fuzzel
...
will be best if i can port everything to one dmenu helper
2024-02-28 01:18:51 +00:00
8f424dcd5a
programs: sandboxing: link /etc into sandboxed programs
...
this is crucial for e.g. swaync, to find its resource files.
maybe a good idea to link *every* package directory which i also link
into /run/current-system.
2024-02-27 22:25:17 +00:00
67536e3c1f
programs: assorted: correct sandbox paths now that Pictures/Videos/Books are categorized
...
i don't like this Pictures/ approach though. i may reconsolidate some of those
2024-02-27 21:37:20 +00:00
715de37954
rofi: fix files to be opened with xdg-open
2024-02-27 21:20:12 +00:00
c8035abddf
fs: Books: persist subdirectories individually
...
TODO: KOReader will need to be updated for this
2024-02-27 20:48:38 +00:00
ef1cdac6b4
fs: split Pictures into separate persisted directory
...
TODO: update camera and screenshot apps to be aware of these directories
2024-02-27 20:46:25 +00:00
e37a7d85b3
~/Videos: don't persist ALL videos: just ~/Videos/local
...
otherwise, ~/Videos/servo is a symlink which the programs module doesn't know how to traverse (and hence, sandbox).
2024-02-27 20:45:56 +00:00
36f6c72183
rofi: sandbox, and launch apps via xdg-open or gdbus
2024-02-27 18:35:15 +00:00
20a1aeb5b3
programs: add gdbus as a standalone program, separate from the rest of glib
2024-02-27 18:28:24 +00:00
4379addf9e
plumb my configured sway through to everywhere that wants pkgs.sway
...
kinda ugly. this lets me avoid having multiple versions of sway on my
system.
2024-02-27 16:11:10 +00:00
5c7eceeb55
grimshot: move to own file
2024-02-27 14:54:53 +00:00
50aa16df81
cross compilation: remove unused patches; note upstreaming status
2024-02-27 14:53:26 +00:00
40e22533fb
swaynotificationcenter: update config/patches to be compatible with 0.10.0
2024-02-27 11:19:29 +00:00
92033c8414
rofi: place druncache into rofi cache dir
2024-02-27 01:21:27 +00:00
16f0424631
rofi: patch so that i can use -run-command "my-launcher {app_id}.desktop"
...
this plus xdg-desktop-portal's DynamicLauncher should provide a way to sandbox everything
2024-02-27 01:03:21 +00:00
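The `-run-command "my-launcher {app_id}.desktop"` hook above hands rofi nothing but a desktop-file id, so whatever sits behind `my-launcher` decides how the app actually starts. The script below is an added example, not the repository's launcher: it validates the id (no path components, no dotfiles, no shell metacharacters), resolves it along `XDG_DATA_HOME`/`XDG_DATA_DIRS` the way the desktop-entry spec lays out `applications/`, and then hands off to `gio launch` (the `gio launch DESKTOP-FILE` subcommand documented in the commit "docs: mime: document gio launch" below) so the app is started by host tooling rather than as a child of the menu process. The function names and the assumption that `gio` is on PATH are mine; the `foo-bar.desktop` to `foo/bar.desktop` subdirectory mapping of the spec is deliberately not handled.

```shell
#!/bin/sh
# Added example (not the repo's own launcher): minimal "my-launcher" suitable for
# rofi's -run-command "my-launcher {app_id}.desktop". Names are illustrative.

# valid_desktop_id ID -> 0 iff ID is a bare "name.desktop": restricted charset,
# no '/', not a dotfile, not empty. Anything else is refused before it touches
# the filesystem, so a menu entry cannot smuggle in a path.
valid_desktop_id() {
  case "$1" in
    *[!A-Za-z0-9._-]*) return 1 ;;   # '/', ';', spaces, etc. are all rejected here
  esac
  case "$1" in
    *.desktop) ;;
    *) return 1 ;;
  esac
  case "$1" in
    .*|"") return 1 ;;
  esac
  return 0
}

# find_desktop_file ID -> prints the first $dir/applications/ID found along
# XDG_DATA_HOME then XDG_DATA_DIRS (spec defaults assumed when unset).
# Returns 1 if not found, 2 if the id was refused.
find_desktop_file() {
  valid_desktop_id "$1" || { echo "my-launcher: refusing desktop id '$1'" >&2; return 2; }
  id=$1
  dirs="${XDG_DATA_HOME:-$HOME/.local/share}:${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"
  (
    set -f          # no globbing while we split on ':'
    IFS=:
    for d in $dirs; do
      f="$d/applications/$id"
      if [ -f "$f" ]; then printf '%s\n' "$f"; exit 0; fi
    done
    exit 1
  )
}

# launch ID -> resolve and start via `gio launch`, which reads Exec= and the
# DBusActivatable hints itself; the menu never builds a command line.
launch() {
  f=$(find_desktop_file "$1") || return $?
  if command -v gio >/dev/null 2>&1; then
    exec gio launch "$f"
  fi
  printf 'gio not found; would run: gio launch %s\n' "$f"
}

if [ "$#" -gt 0 ]; then
  launch "$1"
fi
```

Because the id is validated before any lookup, a crafted menu entry such as `../../etc/passwd` or `/tmp/evil.desktop` is rejected with exit status 2 rather than resolved; everything the launcher runs still comes from a desktop file found in the XDG data directories.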
6fd1ce1f61
rofi: port cache from plaintext to cryptClearOnBoot
...
because i don't think it has any invalidation logic
2024-02-26 23:04:50 +00:00
a7c325c8e1
xdg-desktop-portal: link applications so that DynamicLauncher portal can work
2024-02-26 22:31:48 +00:00
fc7814e6cd
docs: mime: document gio launch
2024-02-26 22:29:15 +00:00
245e6c93cd
docs: xdg-desktop-portal: document notable dbus endpoints
2024-02-26 22:29:03 +00:00
ec073592ed
sway: use rofi app launcher instead of fuzzel
2024-02-26 21:22:03 +00:00
617525a317
programs: add rofi (dmenu-style launcher/file browser)
2024-02-26 21:21:30 +00:00
7d613d90d8
nixcache: disable my own substituters by default
2024-02-26 17:35:34 +00:00
dd6e1c5e38
flake: fix "deploy" commands to bypass substituters, and address deprecated nix path signing
2024-02-26 15:01:14 +00:00
d0d7994c2f
sxmo: remove 'greeter' option
2024-02-26 07:27:33 +00:00
f2e1bb6b86
programs: python3-repl: sandbox
2024-02-25 18:52:55 +00:00
fe0f6988bd
programs: disable wine (unused)
2024-02-25 18:42:25 +00:00
c402a265cd
programs: stepmania: sandbox
2024-02-25 18:26:32 +00:00
d5643a6a5d
assorted static-nix-shell packages: use srcRoot
2024-02-25 17:37:38 +00:00
c9c1181242
programs: wireplumber: sandbox
2024-02-25 17:11:48 +00:00
f9888fe8d6
programs: sane-private-init: sandbox
2024-02-25 16:46:10 +00:00
036145e6ba
programs: sane-private-change-passwd: sandbox
...
note that this is entirely untested
2024-02-25 16:35:13 +00:00
7c486492c8
programs: pipewire: port sandbox to bwrap and restrict further
2024-02-25 15:19:57 +00:00
890b41f563
programs: pipewire: sandbox
...
still need to sandbox wireplumber
2024-02-25 14:34:11 +00:00
ca36fe1b96
programs: gnome.seahorse: sandbox
2024-02-25 12:03:42 +00:00
d2df668c9e
modules/programs: sane-sandboxed: replace --sane-sandbox-keep-pidspace with --sane-sandbox-keep-namespace <pid|cgroup|ipc|uts>
2024-02-25 12:00:00 +00:00
b7921ac41b
refactor: programs: sort
2024-02-25 11:53:49 +00:00
c304367e21
programs: gnome-maps: sandbox
2024-02-25 11:51:50 +00:00
2ad33a49df
refactor: pipewire: remove dead code
2024-02-25 10:38:42 +00:00
0b4efd2ab2
pipewire: migrate services to sane.programs to completely disable socket activation
...
see: https://github.com/NixOS/nixpkgs/issues/291318
2024-02-25 10:36:21 +00:00
0745e9fc06
refactor: programs: split gnome-maps into own file
2024-02-25 09:06:32 +00:00
e0267b5669
programs: pipewire: disable socket activation
2024-02-25 08:55:59 +00:00
b3c7aac8c5
programs: wike: sandbox: enable DRI to fix graphical glitches
2024-02-25 08:38:10 +00:00
c788596c45
programs: sane-private-do: grant net access
...
crucial for e.g. sane-private-do git push
2024-02-25 08:25:13 +00:00
6865331b48
programs: sandbox sane-scripts.private-do
2024-02-25 05:41:27 +00:00
04a6055d06
remove /libexec from environment.pathsToLink
2024-02-25 05:12:44 +00:00
f714bd8281
programs: jq: sandbox
2024-02-25 01:59:01 +00:00
73b2594d9b
programs: sandboxing: distinguish between "existingFileOrParent" and "existingOrParent"
2024-02-25 01:59:01 +00:00
0f1ad0f3c9
fs: auto-mount /mnt/<host>/home and enable "follow_symlinks" option
2024-02-24 16:04:04 +00:00
eecb98e2ee
programs: bonsai: fix eval error
2024-02-23 16:00:32 +00:00
c6ebcfe66e
servo: port legacy /var/lib users over to "method = bind" persistence
...
i may whittle these down in the future
2024-02-23 15:49:54 +00:00
bd7ca20361
desko: fs: remove dead code
2024-02-23 14:45:57 +00:00
f5ef1e96ca
lappy: fs: remove dead code
2024-02-23 14:44:49 +00:00
6267e7f966
tidy up small persist/private nitpicks
2024-02-23 14:44:38 +00:00
120a41b169
persistence: split /var/log persistence into dedicated "initrd" store
2024-02-23 14:42:47 +00:00
aa0991bd6c
persistence: cleanup so it all works well with symlink-based stores
2024-02-23 13:09:44 +00:00
62b39bf01e
firefox: integrate the "persist" config into "sane.programs"
2024-02-23 11:23:41 +00:00
0d8307e877
programs: gnome-keyring: sandbox
...
and now secrets are readable again. they were broken for the last ~10 commits :)
2024-02-23 09:49:35 +00:00
9b1a2ae9bb
programs: mpv: remove useless "extraRuntimePaths = []" override
2024-02-23 09:32:19 +00:00
b8b805765b
programs: gnome-keyring-daemon: remove the SUID wrapper
...
it's not actually mandated. just, when enabled, gkd will `mlock` its
secrets into memory. but i don't use swap anyway. plus, i'll enable that
momentarily anyway (though systemd will probably not understand the
capability)
2024-02-23 09:28:41 +00:00
84eae20765
gnome-keyring: don't integrate with PAM
...
PAM integration is only required if the keyring is encrypted on-disk
2024-02-23 09:15:30 +00:00
4a10c5f729
gnome-keyring: start as systemd service explicitly, not as implicit dbus service
2024-02-23 09:09:54 +00:00
c2696c1cd9
gnome-keyring: use sane.fs abstractions to write out the keyrings
2024-02-23 08:57:41 +00:00
c23e4dc9c7
servo: note why i use file.text instead of symlink.text here
2024-02-23 08:14:27 +00:00
ea6f45555c
gnome-keyring: simplify the scripts (untested)
2024-02-23 08:14:09 +00:00
687db545b4
gnome-keyring: move persistence and init script to sane.programs
2024-02-23 07:22:07 +00:00
24d1d13d0a
programs: simplify sandboxing of file browsers/etc now that private data lives on a different mount
2024-02-23 07:06:29 +00:00
2ada436634
home: remove ~/private symlink; move to .persist/private and add related aliases
2024-02-23 07:06:29 +00:00
e5ad0862fb
refactor: move ~/ fs definitions into hosts/common/home, not users/
2024-02-23 07:06:29 +00:00
057b9e3fed
replace links/references to ~/private/FOO with just ~/FOO
2024-02-23 07:06:29 +00:00
1bcfccf7e3
refactor: persist ~/knowledge formally instead of relying on the symlink
2024-02-23 07:06:29 +00:00
a402822084
move "private" store to /mnt/persist/private instead of ~/private
...
this will allow me to add all of ~ to a sandbox without giving all of ~/private
2024-02-23 07:06:29 +00:00
478747a96e
modules/persist: change default mounting method to symlink
...
this changes the plaintext and cryptClearOnBoot stores: private was already symlink-based.
this isn't strictly necessary: the rationale is:
1. `mount` syscall *requires* CAP_SYS_ADMIN (i.e. superuser/suid).
that's causing problems with sandboxing, particularly ~/private.
that doesn't affect other stores *yet*, but it may in the future.
2. visibility. i.e. it makes *clear* where anything is persisted.
if `realpath` doesn't evaluate to `/nix/persist`, then it's not
persisted.
2024-02-23 07:06:29 +00:00
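The rationale above turns on two properties of symlink-based stores: an unprivileged process can create them (bind mounts need CAP_SYS_ADMIN, which is exactly what a bwrap sandbox lacks), and `realpath` becomes the single source of truth for "is this persisted". The script below is an added example, not the repository's `sane.persist` module: it implements that `realpath` check as a function, resolving a not-yet-created file through its parent directory (the same idea as the "existingOrParent" distinction a few commits later), and exercises it on a constructed tree where `~/Books` is a symlink into the persist root and `~/scratch` is not. `PERSIST_ROOT` is overridable only so the demo can use a scratch directory; the real root in the commit is `/nix/persist`.

```shell
#!/bin/sh
# Added example (not the repo's sane.persist module): "persisted" means
# "realpath resolves under the persist root". No mount(2), so no CAP_SYS_ADMIN
# is needed and the check works from inside an unprivileged sandbox.
PERSIST_ROOT="${PERSIST_ROOT:-/nix/persist}"

# resolve_path PATH -> canonical path. For a file that does not exist yet,
# resolve its parent directory and re-append the basename, so a new file
# under a symlinked directory is judged by where it would actually land.
resolve_path() {
  if [ -e "$1" ]; then
    realpath "$1"
  else
    parent=$(realpath "$(dirname "$1")") || return 2
    printf '%s/%s\n' "$parent" "$(basename "$1")"
  fi
}

# is_persisted PATH -> 0 if PATH lives under PERSIST_ROOT, 1 if it does not,
# 2 if it cannot be resolved at all (parent directory missing).
is_persisted() {
  target=$(resolve_path "$1") || return 2
  root=$(realpath "$PERSIST_ROOT") || return 2
  case "$target" in
    "$root"|"$root"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Demo on a constructed tree (not real user data):
#   $tmp/home/Books   -> symlink to $tmp/persist/home/Books   (persisted)
#   $tmp/home/scratch -> plain directory                       (not persisted)
demo() {
  tmp=$(mktemp -d)
  PERSIST_ROOT="$tmp/persist"
  mkdir -p "$PERSIST_ROOT/home/Books" "$tmp/home/scratch"
  ln -s "$PERSIST_ROOT/home/Books" "$tmp/home/Books"
  for p in "$tmp/home/Books" "$tmp/home/Books/new.epub" "$tmp/home/scratch/note.txt"; do
    if is_persisted "$p"; then
      echo "persisted:     $p"
    else
      echo "not persisted: $p"
    fi
  done
  rm -rf "$tmp"
}
demo
```

The same function can be run by a sandboxed program to decide which directories it is worth asking for, since it only needs read access to the symlinks, not the ability to mount anything.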
771dc2e1ce
fs: allow common /mnt points to be mounted by me without sudo
2024-02-23 07:06:29 +00:00
4a316d4b91
bonsai: lift out of sxmo
2024-02-23 07:06:29 +00:00
af03b3f6e8
xwayland: sandbox
2024-02-23 01:05:24 +00:00
5819f07181
programs: xwayland: sandbox
2024-02-22 22:12:03 +00:00
122f3fa5cc
sway: remove xwayland-specific placement of Signal
...
it breaks non-xwayland sway config parsing, and Signal is native Wayland now anyway even with Xwayland running
2024-02-22 22:01:48 +00:00
f27f994090
systemd: fix the timeout for the user service manager
2024-02-22 00:24:05 +00:00
473999c001
sway: re-enable networkmanager
2024-02-21 23:46:25 +00:00
d1de9efde1
sway: port xwayland use to sane.programs API
2024-02-21 23:32:10 +00:00
50c3f04714
pipewire: remove dead alsa comments
2024-02-21 23:26:40 +00:00
49bad8f186
sway: split pipewire persisted file into pipewire.nix
2024-02-21 23:26:25 +00:00
fd9f500e97
sway: split pipewire config into separate sane.programs.pipewire
2024-02-21 23:23:52 +00:00
386651044e
sway: port to sane.programs API
2024-02-21 23:18:57 +00:00
55a6c828f2
sway: lift portal/menu reset into polyunfill.nix
2024-02-21 22:09:53 +00:00
7ecebd7521
sway: treat fontconfig as an ordinary sane.programs
2024-02-21 22:08:45 +00:00
7b299176e3
sway: simplify the wrapper
2024-02-21 22:06:10 +00:00
4da9cb5ac8
sway: simplify the wrapper... slightly
2024-02-21 21:42:48 +00:00
f068da709f
sway: compile with xwayland only if we plan to use it at runtime
...
else it's just extra weight
2024-02-21 21:05:41 +00:00
5b21257e4f
gui: sway: remove useGreeter option (provide a greeter always, via suggestedPrograms)
2024-02-21 20:59:34 +00:00
d77a12ce7b
unl0kr: remove the "afterLogin" option and choose automatically which desktop to launch
2024-02-21 20:47:48 +00:00
153d2a1047
GSK_RENDERER: don't set globally, but just for the apps which _actually_ require it
...
this way i can avoid conflicts around apps which don't expect this to be set (e.g. delfin)
2024-02-21 16:56:56 +00:00
b8f090be93
programs: delfin: add required mpris permissions
2024-02-21 13:27:19 +00:00
5a0760a571
programs: sandbox oathtools
2024-02-21 00:03:48 +00:00
757ab79724
programs: dconf: sandbox
2024-02-20 23:43:25 +00:00
81148b7b42
programs: explicitly depend on dconf instead of manually persisting dconf's dirs
2024-02-20 23:39:27 +00:00
429d0c53e7
programs: ripgrep: sandbox with bwrap instead of landlock
...
this provides network isolation
2024-02-20 23:32:54 +00:00
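Two commits in this range describe the same wrapper from different angles: `--sane-sandbox-keep-namespace <pid|cgroup|ipc|uts>` (d2df668c9e) names the namespaces a program may keep sharing with the host, and the ripgrep change above moves from landlock to bwrap because only the latter gives network isolation (landlock restricted the filesystem only; TCP bind/connect rules arrived later, with Landlock ABI v4 in Linux 6.7). The script below is an added example, not the repository's `sane-sandboxed`: it maps a keep-list onto bubblewrap's real `--unshare-*` flags so that everything not explicitly kept is unshared, rejects unknown namespace names instead of silently keeping them, and assembles a bwrap command line without `eval`. The `net` namespace is included in the list so the ripgrep case (keep nothing, get network isolation) falls out of the same rule; the function names and the fixed mount set are mine.

```shell
#!/bin/sh
# Added example (not the repo's sane-sandboxed wrapper): map "namespaces to keep"
# onto bwrap flags. Default-deny: an empty keep-list unshares everything.

# bwrap_ns_flags "pid ipc" -> prints one --unshare-<ns> line for every namespace
# NOT in the list. Unknown names return 2 so a typo cannot widen the sandbox.
bwrap_ns_flags() {
  keep=" $1 "
  for ns in $1; do
    case " pid cgroup ipc uts net " in
      *" $ns "*) ;;
      *) echo "bwrap_ns_flags: unknown namespace '$ns'" >&2; return 2 ;;
    esac
  done
  for ns in pid cgroup ipc uts net; do
    case "$keep" in
      *" $ns "*) ;;                        # kept: stays shared with the host
      *) printf '%s\n' "--unshare-$ns" ;;
    esac
  done
}

# sandbox_run KEEP ROOT CMD... -> exec CMD under bwrap with ROOT bind-mounted
# read-only at /, fresh /proc, /dev and /tmp, and the namespaces from KEEP.
# --new-session detaches from the controlling tty (blocks TIOCSTI keystroke
# injection back into the caller's shell); --die-with-parent avoids orphans.
# Arguments are rebuilt with `set --`, so no eval and no re-quoting of CMD.
sandbox_run() {
  keep=$1; root=$2; shift 2
  flags=$(bwrap_ns_flags "$keep") || return $?
  # shellcheck disable=SC2086  -- $flags is a whitespace-separated list we produced
  set -- $flags \
    --ro-bind "$root" / --proc /proc --dev /dev --tmpfs /tmp \
    --die-with-parent --new-session \
    -- "$@"
  bwrap "$@"
}

# Demo: keep nothing. With net unshared, the sandbox sees only "lo".
demo() {
  if command -v bwrap >/dev/null 2>&1; then
    sandbox_run "" / sh -c 'cat /proc/net/dev'
  else
    echo "bwrap not installed; flags for keep=\"pid ipc\":"
    bwrap_ns_flags "pid ipc"
  fi
}
demo || echo "demo: bwrap run failed (unprivileged user namespaces disabled?)" >&2
```

The output for `keep="pid ipc"` is `--unshare-cgroup --unshare-uts --unshare-net`: the program still sees the host's process table and can use SysV/POSIX IPC, but gets no network. Passing `mnt` or any other name bwrap does not map here is an error rather than a no-op, which is the property you want from a flag that only ever widens access.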