colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity
5,459 Commits 125 Branches 1 Tag 12 MiB
bba149c670
Commit Graph

2439 Commits

Author SHA1 Message Date
Colin
c8035abddf fs: Books: persist subdirectories individually 
TODO: KOReader will need to be updated for this
 2024-02-27 20:48:38 +00:00
Colin
ef1cdac6b4 fs: split Pictures into separate persisted directory 
TODO: update camera and screenshot apps to be aware of these directories
 2024-02-27 20:46:25 +00:00
Colin
e37a7d85b3 ~/Videos: don't persist ALL videos: just ~/Videos/local 
otherwise, ~/Videos/servo is a symlink which the programs module doesn't know how to traverse (and hence, sandbox).
 2024-02-27 20:45:56 +00:00
Colin
36f6c72183 rofi: sandbox, and launch apps via xdg-open or gdbus 2024-02-27 18:35:15 +00:00
Colin
20a1aeb5b3 programs: add gdbus as a standalone program, separate from the rest of glib 2024-02-27 18:28:24 +00:00
Colin
4379addf9e plumb my configured sway through to everywhere that wants pkgs.sway. 
kinda ugly. this lets me avoid having multiple versions of sway on my
system.
 2024-02-27 16:11:10 +00:00
Colin
5c7eceeb55 grimshot: move to own file 2024-02-27 14:54:53 +00:00
Colin
50aa16df81 cross compilation: remove unused patches; note upstreaming status 2024-02-27 14:53:26 +00:00
Colin
40e22533fb swaynotificationcenter: update config/patches to be compatible with 0.10.0 2024-02-27 11:19:29 +00:00
Colin
92033c8414 rofi: place druncache into rofi cache dir 2024-02-27 01:21:27 +00:00
Colin
16f0424631 rofi: patch so that i can use -run-command "my-launcher {app_id}.desktop" 
this plus xdg-desktop-portal's DynamicLauncher should provide a way to sandbox everything
 2024-02-27 01:03:21 +00:00
Colin
6fd1ce1f61 rofi: port cache from plaintext to cryptClearOnBoot 
because i don't think it has any invalidation logic
 2024-02-26 23:04:50 +00:00
Colin
a7c325c8e1 xdg-desktop-portal: link applications so that DynamicLauncher portal can work 2024-02-26 22:31:48 +00:00
Colin
fc7814e6cd docs: mime: document gio launch 2024-02-26 22:29:15 +00:00
Colin
245e6c93cd docs: xdg-desktop-portal: document notable dbus endpoints 2024-02-26 22:29:03 +00:00
Colin
ec073592ed sway: use rofi app launcher instead of fuzzel 2024-02-26 21:22:03 +00:00
Colin
617525a317 programs: add rofi (dmenu-style launcher/file browser) 2024-02-26 21:21:30 +00:00
Colin
7d613d90d8 nixcache: disable my own substituters by default 2024-02-26 17:35:34 +00:00
Colin
dd6e1c5e38 flake: fix "deploy" commands to bypass substituters, and address deprecated nix path signing 2024-02-26 15:01:14 +00:00
Colin
d0d7994c2f sxmo: remove 'greeter' option 2024-02-26 07:27:33 +00:00
Colin
f2e1bb6b86 programs: python3-repl: sandbox 2024-02-25 18:52:55 +00:00
Colin
fe0f6988bd programs: disable wine (unused) 2024-02-25 18:42:25 +00:00
Colin
c402a265cd programs: stepmania: sandbox 2024-02-25 18:26:32 +00:00
Colin
d5643a6a5d assorted static-nix-shell packages: use srcRoot 2024-02-25 17:37:38 +00:00
Colin
c9c1181242 programs: wireplumber: sandbox 2024-02-25 17:11:48 +00:00
Colin
f9888fe8d6 programs: sane-private-init: sandbox 2024-02-25 16:46:10 +00:00
Colin
036145e6ba programs: sane-private-change-passwd: sandbox 
note that this is entirely untested
 2024-02-25 16:35:13 +00:00
Colin
7c486492c8 programs: pipewire: port sandbox to bwrap and restrict further 2024-02-25 15:19:57 +00:00
Colin
890b41f563 programs: pipewire: sandbox 
still need to sandbox wireplumber
 2024-02-25 14:34:11 +00:00
Colin
ca36fe1b96 programs: gnome.seahorse: sandbox 2024-02-25 12:03:42 +00:00
Colin
d2df668c9e modules/programs: sane-sandboxed: replace --sane-sandbox-keep-pidspace with --sane-sandbox-keep-namespace <pid|cgroup|ipc|uts> 2024-02-25 12:00:00 +00:00
Colin
b7921ac41b refactor: programs: sort 2024-02-25 11:53:49 +00:00
Colin
c304367e21 programs: gnome-maps: sandbox 2024-02-25 11:51:50 +00:00
Colin
2ad33a49df refactor: pipewire: remove dead code 2024-02-25 10:38:42 +00:00
Colin
0b4efd2ab2 pipewire: migrate services to sane.programs to completely disable socket activation 
see: https://github.com/NixOS/nixpkgs/issues/291318
 2024-02-25 10:36:21 +00:00
Colin
0745e9fc06 refactor: programs: split gnome-maps into own file 2024-02-25 09:06:32 +00:00
Colin
e0267b5669 programs: pipewire: disable socket activation 2024-02-25 08:55:59 +00:00
Colin
b3c7aac8c5 programs: wike: sandbox: enable DRI to fix graphical glitches 2024-02-25 08:38:10 +00:00
Colin
c788596c45 programs: sane-private-do: grant net access 
crucial for e.g. sane-private-do git push
 2024-02-25 08:25:13 +00:00
Colin
6865331b48 programs: sandbox sane-scripts.private-do 2024-02-25 05:41:27 +00:00
Colin
04a6055d06 remove /libexec from environment.pathsToLink 2024-02-25 05:12:44 +00:00
Colin
f714bd8281 programs: jq: sandbox 2024-02-25 01:59:01 +00:00
Colin
73b2594d9b programs: sandboxing: distinguish between "existingFileOrParent" and "existingOrParent" 2024-02-25 01:59:01 +00:00
Colin
0f1ad0f3c9 fs: auto-mount /mnt/<host>/home and enable "follow_symlinks" option 2024-02-24 16:04:04 +00:00
Colin
eecb98e2ee programs: bonsai: fix eval error 2024-02-23 16:00:32 +00:00
Colin
c6ebcfe66e servo: port legacy /var/lib users over to "method = bind" persistence 
i may wittle these down in the future
 2024-02-23 15:49:54 +00:00
Colin
bd7ca20361 desko: fs: remove dead code 2024-02-23 14:45:57 +00:00
Colin
f5ef1e96ca lappy: fs: remove dead code 2024-02-23 14:44:49 +00:00
Colin
6267e7f966 tidy up small persist/private nitpicks 2024-02-23 14:44:38 +00:00
Colin
120a41b169 persistence: split /var/log persistence into dedicated "initrd" store 2024-02-23 14:42:47 +00:00
Colin
aa0991bd6c persistence: cleanup so it all works well with symlink-based stores 2024-02-23 13:09:44 +00:00
Colin
62b39bf01e firefox: integrate the "persist" config into "sane.programs" 2024-02-23 11:23:41 +00:00
Colin
0d8307e877 programs: gnome-keyring: sandbox 
and now secrets are readable again. they were broken for the last ~10 commits :)
 2024-02-23 09:49:35 +00:00
Colin
9b1a2ae9bb programs: mpv: remove useless "extraRuntimePaths = []" override 2024-02-23 09:32:19 +00:00
Colin
b8b805765b programs: gnome-keyring-daemon: remove the SUID wrapper 
it's not actually mandated. just, when enabled, gkd will `mlock` its
secrets into memory. but i don't use swap anyway. plus, i'll enable that
momentarily anyway (though systemd will probably not understand the
capablity)
 2024-02-23 09:28:41 +00:00
Colin
84eae20765 gnome-keyring: don't integrate with PAM 
PAM integration is only required if the keyring is encrypted on-disk
 2024-02-23 09:15:30 +00:00
Colin
4a10c5f729 gnome-keyring: start as systemd service explicitly, not as implicit dbus service 2024-02-23 09:09:54 +00:00
Colin
c2696c1cd9 gnome-keyring: use sane.fs abstractions to write out the keyrings 2024-02-23 08:57:41 +00:00
Colin
c23e4dc9c7 servo: note why i use file.text instead of symlink.text here 2024-02-23 08:14:27 +00:00
Colin
ea6f45555c gnome-keyring: simplify the scripts (untested) 2024-02-23 08:14:09 +00:00
Colin
687db545b4 gnome-keyring: move persistence and init script to sane.programs 2024-02-23 07:22:07 +00:00
Colin
24d1d13d0a programs: simplify sandboxing of file browsers/etc now that private data lives on a different mount 2024-02-23 07:06:29 +00:00
Colin
2ada436634 home: remove ~/private symlink; move to .persist/private and add related aliases 2024-02-23 07:06:29 +00:00
Colin
e5ad0862fb refactor: move ~/ fs definitions into hosts/common/home, not users/ 2024-02-23 07:06:29 +00:00
Colin
057b9e3fed replace links/references to ~/private/FOO with just ~/FOO 2024-02-23 07:06:29 +00:00
Colin
1bcfccf7e3 refactor: persist ~/knowledge formally instead of relying on the symlink 2024-02-23 07:06:29 +00:00
Colin
a402822084 move "private" store to /mnt/persist/private instead of ~/private 
this will allow me to add all of ~ to a sandbox without giving all of ~/private
 2024-02-23 07:06:29 +00:00
Colin
478747a96e modules/persist: change default mounting method to symlink 
this changes the plaintext and cryptClearOnBoot stores: private was already symlink-based.
this isn't strictly necessary: the rationale is:
1. `mount` syscall *requires* CAP_SYS_ADMIN (i.e. superuser/suid).
   that's causing problems with sandboxing, particularly ~/private.
   that doesn't affect other stores *yet*, but it may in the future.
2. visibility. i.e. it makes *clear* where anything is persisted.
   if `realpath` doesn't evaluate to `/nix/persist`, then it's not
   persisted.
 2024-02-23 07:06:29 +00:00
Colin
771dc2e1ce fs: allow common /mnt points to be mounted by me without sudo 2024-02-23 07:06:29 +00:00
Colin
4a316d4b91 bonsai: lift out of sxmo 2024-02-23 07:06:29 +00:00
Colin
af03b3f6e8 xwayland: sandbox 2024-02-23 01:05:24 +00:00
Colin
5819f07181 programs: xwayland: sandbox 2024-02-22 22:12:03 +00:00
Colin
122f3fa5cc sway: remove xwayland-specific placement of Signal 
it breaks non-xwayland sway config parsing, and Signal is native Wayland now anyway even with Xwayland running'
 2024-02-22 22:01:48 +00:00
Colin
f27f994090 systemd: fix the timeout for the user service manager 2024-02-22 00:24:05 +00:00
Colin
473999c001 sway: re-enable networkmanager 2024-02-21 23:46:25 +00:00
Colin
d1de9efde1 sway: port xwayland use to sane.programs API 2024-02-21 23:32:10 +00:00
Colin
50c3f04714 pipewire: remove dead alsa comments 2024-02-21 23:26:40 +00:00
Colin
49bad8f186 sway: split pipewire persisted file into pipewire.nix 2024-02-21 23:26:25 +00:00
Colin
fd9f500e97 sway: split pipewire config into separate sane.programs.pipewire 2024-02-21 23:23:52 +00:00
Colin
386651044e sway: port to sane.programs API 2024-02-21 23:18:57 +00:00
Colin
55a6c828f2 sway: lift portal/menu reset into polyunfill.nix 2024-02-21 22:09:53 +00:00
Colin
7ecebd7521 sway: treat fontconfig as an ordinary sane.programs 2024-02-21 22:08:45 +00:00
Colin
7b299176e3 sway: simplify the wrapper 2024-02-21 22:06:10 +00:00
Colin
4da9cb5ac8 sway: simplify the wrapper... slightly 2024-02-21 21:42:48 +00:00
Colin
f068da709f sway: compile with xwayland only if we plan to use it at runtime 
else it's just extra weight
 2024-02-21 21:05:41 +00:00
Colin
5b21257e4f gui: sway: remove useGreeter option (provide a greeter always, via suggestedPrograms) 2024-02-21 20:59:34 +00:00
Colin
d77a12ce7b unl0kr: remove the "afterLogin" option and choose automatically which desktop to launch 2024-02-21 20:47:48 +00:00
Colin
153d2a1047 GSK_RENDERER: don't set globally, but just for the apps which _actually_ require it 
this way i can avoid conflicts around apps which don't expect this to be set (e.g. delfin)
 2024-02-21 16:56:56 +00:00
Colin
b8f090be93 programs: delfin: add required mpris permissions 2024-02-21 13:27:19 +00:00
Colin
5a0760a571 programs: sandbox oathtools 2024-02-21 00:03:48 +00:00
Colin
757ab79724 programs: dconf: sandbox 2024-02-20 23:43:25 +00:00
Colin
81148b7b42 programs: explicitly depend on dconf instead of manually persisting dconf's dirs 2024-02-20 23:39:27 +00:00
Colin
429d0c53e7 programs: ripgrep: sandbox with bwrap instead of landlock 
this provides network isolation
 2024-02-20 23:32:54 +00:00
Colin
6cf1bc5a28 programs: grep: sandbox 2024-02-20 23:32:28 +00:00
Colin
768b340c93 findutils: sandbox 
use bwrap instead of landlock for the dumb preference that i can disable
net
 2024-02-20 23:31:58 +00:00
Colin
d9901aa161 programs: sane-secrets-*: sandbox 2024-02-20 23:31:39 +00:00
Colin
be2098c18a programs: sane-vpn: sandbox 2024-02-20 23:05:24 +00:00
Colin
bb569b1668 sane-vpn: port away from systemd so that i can use it as an ordinary user (no sudo) 2024-02-20 22:21:02 +00:00
Colin
71025329e7 programs: sane-dev-cargo-loop: sandbox 2024-02-20 19:26:38 +00:00
Colin
ca4d1e3b9d programs: sane-tag-music: sandbox 2024-02-20 19:26:18 +00:00