284b698015
sane-reclaim-boot-space: fix, and sandbox
...
well i didn't get to test this thoroughly: might still have problems
2024-02-20 19:16:36 +00:00
bc50daf685
nix.settings: port to structured attrs
2024-02-20 18:35:03 +00:00
47dcfb9cba
fix nix.settings.nix-path to actually take effect
...
now i can `nix-shell` again! nix-path takes precedence over `NIX_PATH`
env var.
2024-02-20 17:54:25 +00:00
2bd99f6e51
remove no-longer-needed nix trusted-users setting
...
well, it *seems* to work, at least!
2024-02-20 13:43:41 +00:00
8beac8df2f
programs: sandbox sane-shutdown, sane-reboot
2024-02-20 13:43:05 +00:00
58db553c84
programs: unl0kr: sandbox
2024-02-20 13:29:56 +00:00
2ea3776d84
programs: sane-sync-from-servo: remove
...
this was obsoleted by the top-level flake `sync` scripts
2024-02-20 13:16:21 +00:00
d596d005ca
systemd: configure a 25s stop timeout for the user manager too (hopefully)
2024-02-20 13:11:47 +00:00
e92db138ef
systemd: allow ordinary users to invoke shutdown/reboot
2024-02-20 12:25:04 +00:00
5fed127c23
refactor: split systemd config into own file
2024-02-20 12:18:28 +00:00
db49f0461c
refactor: move nix stuff out of common/default.nix -> common/nix/default.nix
2024-02-20 12:16:00 +00:00
73bb7827c0
refactor: nix-path/ -> nix/
2024-02-20 12:13:52 +00:00
a624571b22
move glib program recommendation into programs/assorted.nix
2024-02-20 12:11:26 +00:00
53cbe5c8da
dconf: split into own sane.programs definition
2024-02-20 12:09:52 +00:00
46de7b7e0d
move environment.defaultPackages clearing into polyunfill.nix
2024-02-20 11:54:39 +00:00
d7be5da483
warnings.nix: port to a proper module
2024-02-20 11:19:12 +00:00
902e351085
hack: silence the warning about using hashedPasswordFile *and* initialPassword
...
see: <https://github.com/NixOS/nixpkgs/pull/287506>
i'll factor this into something more general, later
2024-02-20 11:11:07 +00:00
a05184f956
programs: neovim: fix nvim-treesitter typo
2024-02-20 10:23:52 +00:00
36ad2d5421
programs: unl0kr: auto-derive the user option
2024-02-20 07:21:22 +00:00
b0f62830a5
unl0kr: port to sane.programs
2024-02-20 07:14:30 +00:00
f970679266
sxmo: remove symlinks for legacy sxmo_hook_{poweroff,reboot}.sh
2024-02-20 06:49:42 +00:00
c7f4661c1c
programs: htop: persist config
2024-02-20 05:38:45 +00:00
e8306831c5
programs: qemu: mark as slowToBuild
2024-02-20 05:34:47 +00:00
41b1a013d7
programs: sane-sudo-redirect: disable sandbox
2024-02-19 17:09:27 +00:00
f785ccd351
programs: sane-reclaim-disk-space: sandbox
2024-02-19 17:06:22 +00:00
48744dcaaa
programs: sane-ip-reconnect: remove (unused)
2024-02-19 17:05:27 +00:00
9373864b60
programs: sane-git-init: remove (unused)
2024-02-19 16:53:59 +00:00
c16c9dfe0b
programs: sandbox a bunch of sane scripts
2024-02-19 16:51:53 +00:00
2d17826731
programs: eza: sandbox with bwrap instead of landlock
2024-02-19 15:32:40 +00:00
de297f22be
programs: split sane-scripts out of assorted.nix
2024-02-19 14:19:10 +00:00
4b47b76461
programs: sfeed: sandbox
2024-02-19 14:14:59 +00:00
3effd59c9b
xdg-desktop-portal-{gtk,wlr}: start via service manager, with ordered deps, instead of letting dbus activate it for us
...
that gets more reliable environment importing, etc
2024-02-19 13:44:23 +00:00
44647e0d36
programs: forkstat: sandbox
2024-02-19 13:15:15 +00:00
da1053d635
programs: configure auto-launching programs to only start *after* graphical-session.target
...
this ensures they really have their environment
2024-02-19 12:58:08 +00:00
273b1b84e3
systemd: reduce the stop job timeout
2024-02-19 12:58:08 +00:00
0b6b98bba6
sway: add a safeguard to catch if the systemd environ race condition is re-introduced
2024-02-19 12:58:08 +00:00
8886177c23
xdg-desktop-portal: fix it to find all the portal configs again
...
maybe i broke this when i simplified XDG_CONFIG_DIRS? not sure
2024-02-19 12:58:08 +00:00
7e343bfc05
sway: fix race condition around dbus/systemd environment importing
2024-02-19 10:52:51 +00:00
f72bdb6f3a
activationScripts: notify on deploy: fix to work with new SWAYSOCK name
2024-02-19 08:21:23 +00:00
5666a05ef0
strip out a bunch of unused nixpkgs defaults
2024-02-19 06:20:13 +00:00
35b4cc779f
megapixels: switch to bwrap, to support Loupe image viewer
2024-02-18 18:46:37 +00:00
c7d111a318
megapixels: 1.7.0 -> 1.8.0
2024-02-18 18:27:47 +00:00
7e5eb6324d
megapixels: sandbox
...
it's iffy... 1.8.0 is released, which can be sandboxed w/o sys/dev/char or ~/.local/share/applications, but seems to be even flakier
2024-02-18 17:44:49 +00:00
55c305812d
WIP: megapixels: sandbox
2024-02-18 13:53:18 +00:00
67395bdcd3
programs: ship forkstat
2024-02-18 11:58:30 +00:00
90ceeede74
programs: flare-signal: disable (unused)
2024-02-18 07:07:29 +00:00
32a704b1b8
moby: disable unused "calls" program
...
i may have future use for it, but as-is currently it's not worth the difficulty of sandboxing
2024-02-18 07:07:29 +00:00
a591be98d4
programs: portfolio-filemanager: sandbox
2024-02-18 07:07:29 +00:00
82e028e37d
programs: nautilus: assign a mime priority
2024-02-18 07:07:29 +00:00
a531676d0d
mime: include an error message when two file associations have identical mime priority
2024-02-18 07:07:29 +00:00
7f7543ee78
programs: planify: sandbox
2024-02-18 07:07:29 +00:00
8d0e3e0db3
programs: notejot: sandbox
2024-02-18 07:07:29 +00:00
bf352d184c
programs: tangram: sandbox
2024-02-18 07:07:29 +00:00
81a6600f54
programs: xarchiver: sandbox
2024-02-18 07:07:29 +00:00
536f0aedc3
open-in-mpv: remove my patch which has been upstreamed, previously required to use xdg-open
2024-02-18 04:52:27 +00:00
408059420d
snippets: prefer the repology link which specifically shows my outdated packages
2024-02-18 04:15:05 +00:00
6760fcf1f4
snippets: remove home-manager; add repology
2024-02-18 03:43:32 +00:00
98aafead94
programs: wob: add missing "coreutils" dep
...
it *should* be acquired via user's PATH, but wob-pulse can start before sway imports PATH to systemd
2024-02-17 16:38:22 +00:00
f8663cd827
programs: monero-gui: sandbox
2024-02-17 16:06:58 +00:00
af1ee1734d
programs: wireguard-tools: sandbox
2024-02-17 15:54:16 +00:00
5375cab716
programs: ntfy-sh: sandbox
2024-02-17 15:47:47 +00:00
162b3f5674
imagemagick: don't add 'ghostscript' package to path
2024-02-17 15:45:50 +00:00
a729f91d21
programs: jq: add working sandbox criteria, but don't enable yet
...
i need to handle the extremely common `cat foo | jq .` without adding
`.` to the sandbox
2024-02-17 15:36:41 +00:00
a273b559e2
programs: gnome-disk-utility: sandbox
2024-02-17 15:36:28 +00:00
785b375671
programs: smartmontools (smartctl): sandbox
2024-02-17 15:36:13 +00:00
24cba0c856
programs: xq: remove
2024-02-17 15:30:23 +00:00
df1db5d01c
programs: sox: sandbox
2024-02-17 15:27:22 +00:00
6749b64bca
programs: nautilus: add mounted media to the sandbox
2024-02-17 15:26:49 +00:00
d3e4bdfcd5
programs: gdisk: fix sandboxing
2024-02-17 15:26:16 +00:00
799cd4373f
programs: socat: disable
2024-02-17 15:11:12 +00:00
2efa6d1e27
programs: mepo: sandbox
2024-02-17 15:08:21 +00:00
a1470956a5
programs: gdisk: sandbox
2024-02-17 14:57:33 +00:00
556c20bc04
programs: vulkan-tools: sandbox
2024-02-17 14:53:22 +00:00
cf5f58dda6
programs: nmap: sandbox
2024-02-17 14:51:26 +00:00
fd30f7abbc
dev-machines: disable broken ldd-aarch64 program
2024-02-17 14:47:28 +00:00
6f8c299c69
programs: xdg-desktop-portal: log more
2024-02-17 14:40:56 +00:00
bbf7aac062
programs: gnome-frog: sandbox
2024-02-17 14:40:42 +00:00
7d1fd2f30a
programs: nvme-cli: sandbox
2024-02-17 14:40:29 +00:00
472987f164
programs: gimp: fix sandboxing failure
2024-02-17 13:43:35 +00:00
784c2145f3
programs: iputils: sandbox
2024-02-17 03:33:05 +00:00
0000afb315
programs: make nixosBuiltins package set more precise
2024-02-17 03:08:14 +00:00
31fa21bd20
programs: host/iproute2/iw/nettools/wirelesstools: sandbox
2024-02-17 03:05:58 +00:00
9510817604
programs: document nixosBuiltins programs
2024-02-17 02:40:28 +00:00
4a84de3ee4
programs: inetutils/iptables: sandbox
2024-02-17 02:32:57 +00:00
ab42a4cc5a
programs: qemu: disable sandbox
2024-02-17 01:43:58 +00:00
f6537b083a
programs: discord: add dbus to sandbox
2024-02-17 01:42:22 +00:00
5ff1d014b8
servo: transmission: fix user agent
2024-02-17 01:35:40 +00:00
1b4306e649
programs: switch bridge-utils, btrfs-progs from landlock -> bwrap
...
landlock can't isolate net yet, so bwrap gives better sandboxing
2024-02-16 15:32:41 +00:00
af8a8358bd
programs: hdparm: sandbox
2024-02-16 15:32:41 +00:00
464c6c56c5
programs: btrfs-progs: sandbox
2024-02-16 15:32:41 +00:00
8e314e8b73
programs: bridge-utils: sandbox
2024-02-16 15:32:41 +00:00
198029f95f
programs: netcat: sandbox
2024-02-16 15:32:41 +00:00
1d646459ab
programs: pulsemixer: sandbox
2024-02-16 15:32:41 +00:00
8f3bab3636
programs: sort
2024-02-16 15:32:41 +00:00
a909a93c29
programs: strings: fix sandboxing
2024-02-16 15:32:41 +00:00
6aaa724abf
programs: strings: sandbox
2024-02-16 14:57:25 +00:00
a1c721d5b4
programs: binutils-unwrapped -> strings: distribute just the binary i care about
2024-02-16 14:57:25 +00:00
4002a57e03
servo: transmission: advertise as 3.00 to deal with old trackers
2024-02-16 12:58:08 +00:00
74a0b0d125
gitea: serve phone-case-cq/ build files as proper html/js content type
2024-02-16 12:07:28 +00:00
cd3b4dde7b
programs: nix-index: sandbox
2024-02-16 11:39:05 +00:00
a9d384688a
programs: alsaUtils: sandbox
2024-02-16 11:28:43 +00:00
fffd6f4204
programs: pciutils: sandbox
2024-02-16 11:12:47 +00:00
324485d105
programs: networkmanagerapplet: sandbox
2024-02-16 11:07:24 +00:00
7cb8b144b2
programs: sandbox fatresize
2024-02-16 10:45:56 +00:00
c2bb97e7e6
programs: ethtool: sandbox
2024-02-16 10:38:39 +00:00
3cbdc03369
programs: zeal: disable sandboxing
2024-02-16 10:32:49 +00:00
5c7fa591a0
programs: sandbox: dtrx/e2fsprogs/efibootmgr/electrum
2024-02-16 10:32:18 +00:00
18c54e8b04
programs: sandbox cryptsetup and ddrescue (latter is untested, probably lacking!)
2024-02-16 10:05:24 +00:00
1416856fb6
programs: blueberry: sandbox
2024-02-16 07:58:00 +00:00
2a5bc6f612
programs: util-linux: disable sandbox
2024-02-16 07:37:59 +00:00
c56a6a8c24
programs: disable libcap_ng since it can't sandbox
2024-02-16 07:32:34 +00:00
f5a4bdedaf
programs: libcap_ng (netcap): disable sandbox
2024-02-16 07:32:05 +00:00
114a45f347
programs: pstree: sandbox
2024-02-16 06:57:45 +00:00
d53344d527
programs: killall: sandbox
2024-02-16 06:57:32 +00:00
561447de70
programs: shattered-pixel-dungeon: sandbox
2024-02-16 06:57:03 +00:00
9cc12fab5d
programs: gpodder: fix to work in sandbox (add dbus)
2024-02-16 06:07:46 +00:00
5cda3b2805
programs: firefox/fractal: document portal filechooser limitations
2024-02-16 05:49:56 +00:00
4afd56ff4c
programs: powertop: fix capabilities typo in sandbox definition
2024-02-16 05:49:13 +00:00
00e4078300
programs: disable lemoa. it's broken and development doesn't seem to be progressing
2024-02-16 05:34:24 +00:00
94b4f78e39
programs: lemoa: sandbox
2024-02-16 05:32:22 +00:00
3fd89ec91b
programs: sandbox powertop
2024-02-16 05:28:17 +00:00
4085828575
programs: sandbox parted
2024-02-16 05:28:07 +00:00
1a972927b6
programs: sandbox nethogs, nmon, nixpkgs-review
2024-02-16 05:27:50 +00:00
5f3ec42f57
programs: sandbox lsof with capsh only
...
can't get it to sandbox any more aggressively with either landlock or
bwrap
2024-02-16 04:55:18 +00:00
28aaeb051f
programs: disable sandboxing for strace and screen
2024-02-16 04:51:52 +00:00
9d252d095e
programs: htop/iotop/iftop: sandbox
2024-02-16 04:51:18 +00:00
4e5e4219ec
programs: usbutils: sandbox
2024-02-16 04:03:47 +00:00
824dd7c1f5
programs: endless-sky: sandbox with bwrap
2024-02-16 04:00:27 +00:00
b840a0d61c
programs: space-cadet-pinball: sandbox w/ bwrap
2024-02-16 03:58:09 +00:00
36bcecfd68
programs: sort
2024-02-16 03:53:53 +00:00
c3a5fb9394
programs: wdisplays: sandbox with bwrap
2024-02-16 03:53:27 +00:00
30507c3564
programs: soundconverter: sandbox with bwrap
2024-02-16 03:51:23 +00:00
2b66ffc58a
programs: feedbackd: sandbox w/ bwrap
2024-02-16 03:49:59 +00:00
48d96c1f36
programs: hase: sandbox with bwrap
...
couldn't test the net feature, because hase servers have since gone
offline :((
2024-02-16 03:48:59 +00:00
cdf61755a3
programs: splatmoji: document the sandboxing approach
2024-02-16 03:46:48 +00:00
dd1dc69530
packages: remove unused kid3
2024-02-16 03:39:45 +00:00
481f54ea2f
packages: disable unused packages: makemkv, mumble, openscad
2024-02-16 03:20:17 +00:00
511752fab5
programs: xdg-desktop-portal{-gtk,-wlr}: enable sandbox
2024-02-16 03:17:19 +00:00
40ed7cff1b
programs: git: fix failing sandbox build
2024-02-16 03:16:46 +00:00
5e7f914354
programs: superTux: fix failing sandbox build
2024-02-16 03:16:28 +00:00
0dec8b6d5b
programs: fontconfig: sandbox
2024-02-15 18:26:45 +00:00
7eaffc9fa0
programs: w3m: enable sandbox
2024-02-15 18:25:48 +00:00
b7c1a6331d
programs: mate.engrampa: enable sandbox
2024-02-15 18:24:27 +00:00
d6868d58e6
xdg-desktop-portal: disable sandbox
2024-02-15 18:23:40 +00:00
52d768a162
programs: xterm: mark as not needing a sandbox
2024-02-15 17:26:55 +00:00
7a685d8de9
programs: inkscape: sandbox with bwrap
2024-02-15 17:26:37 +00:00
838c6d7dc8
programs: swaync: sandbox
2024-02-15 16:38:38 +00:00
9d706df5b5
programs: waybar: narrow the /run/user paths to just sway-ipc.sock
2024-02-15 14:40:01 +00:00
06f1f1e9ea
sway: give SWAYSOCK a consistent name
2024-02-15 14:38:54 +00:00
2fbbe7fd78
sway: remove unused "sane.gui.sway.package" option
2024-02-15 14:38:10 +00:00
24d23f7903
programs: bemenu: fix sandboxing
2024-02-15 14:33:20 +00:00
0394aa65e9
sway: simplify config
2024-02-15 14:25:45 +00:00
5090c4e88c
sway: define without using nixos "programs.sway"
...
motivation was to leverage 'sane.programs.sway.env' to statically configure SWAYSOCK. i think that's still the right way: we'll see
2024-02-15 14:25:27 +00:00
081114da65
programs: waybar: sandbox in a way that works well for moby too
2024-02-15 13:16:18 +00:00
02b7586ffa
programs: komikku: add dbus to the sandbox to fix it
2024-02-15 11:58:08 +00:00
25dcb7f89a
programs: open-in-mpv: document that upstream merged my PR
2024-02-15 11:38:37 +00:00
88f1d63b6e
firefox: properly integrate xdg-desktop-portal for opening media
2024-02-15 11:36:50 +00:00
d36e269edd
programs: loupe: remove the dbus services to make it work with Firefox
2024-02-15 11:36:24 +00:00
582a003739
programs: waybar: fix battery indicator within sandbox
2024-02-15 10:35:24 +00:00
df60be8c61
open-in-mpv: sandbox with bwrap
2024-02-15 09:49:03 +00:00
e8b4c36442
programs: nautilus: specify inode/directory mime association
2024-02-15 09:48:26 +00:00
2f699737f5
firefox: fix open-in-mpv integration
...
two parts: add open-in-mpv's config to firefox's sandbox; patch open-in-mpv to forward to xdg-open
2024-02-15 09:14:57 +00:00
4a3d24be3f
waybar: migrate all config to "sane.programs"
2024-02-15 07:18:12 +00:00
10feb319fe
sway: lift waybar to own file and sandbox it
2024-02-15 02:33:40 +00:00
b2fcf6fdfd
programs: messengers (fractal, signal, dino, tuba): add media libraries to the sandbox
2024-02-15 00:49:24 +00:00
dcc2eb265d
programs: re-enable sandbox for tumiki-fighters and losslesscut (X applications)
2024-02-15 00:09:40 +00:00
518c3afd07
programs: sandbox: disable losslesscut/tumiki-fighters sandbox until i can figure out Xwayland
2024-02-14 14:37:59 +00:00
90dee85664
programs: sort alphabetically
2024-02-14 14:28:22 +00:00
26fc283fd9
programs: losslesscut: sandbox
2024-02-14 14:26:56 +00:00
d0430ce1e9
programs: pavucontrol/pwvucontrol: enable audio devices inside the sandbox
2024-02-14 14:26:56 +00:00
368a52b91e
programs: speedtest-cli: sandbox with bwrap
2024-02-14 14:26:56 +00:00
d90dacee1f
programs: grimshot: sandbox with bwrap
2024-02-14 14:17:41 +00:00
a6e2b3bc5c
programs: xdg-terminal-exec: disable sandbox
2024-02-14 14:11:35 +00:00
8863a3c674
programs: wob: sandbox with bwrap
2024-02-14 14:10:20 +00:00
fa8d6dbb9f
programs: wob: fix config substitution
2024-02-14 14:04:54 +00:00
e5e79a6b60
programs: FileMimeInfo: disable sandbox
2024-02-14 13:54:21 +00:00
95f7eeeb5c
programs: libnotify: sandbox with bwrap
2024-02-14 13:49:48 +00:00
29d638c68b
programs: dig: sandbox with bwrap
2024-02-14 13:47:44 +00:00
7d22a5466f
programs: zsh: fix "switch" function to be friendly to sandboxing
2024-02-14 13:45:56 +00:00
5907d9fa42
Revert "xdg-desktop-portal-gtk: build without support for notifications"
...
This reverts commit c9e02bfd8a.
disabling notifications at this level did not cause fractal (gtk app) to
send its notifications to swaync. instead, it still tried to deliver to
the Portal, where the Portal wasn't expecting anything and just returned
an error to fractal.
setting `GNOTIFICATION_BACKEND = "freedesktop"` seems to be the correct
way to get gtk apps to behave as desired with their notifications.
2024-02-14 11:09:37 +00:00
67fe8d4666
swaync: propagate GNOTIFICATION_BACKEND = "freedesktop" to all users
2024-02-14 11:09:20 +00:00
c9e02bfd8a
xdg-desktop-portal-gtk: build without support for notifications
2024-02-14 10:51:18 +00:00
03b58b3cab
programs: vim: support system copy/paste inside of sandbox
2024-02-14 09:11:31 +00:00
ae01c17c05
programs: splatmoji: fix to work inside a sandbox again
2024-02-14 09:11:12 +00:00
677e6e679b
programs: sandbox {s,}waylock lockscreen
2024-02-14 08:48:03 +00:00
3eb47a9a8d
programs: swaylock: *partially* sandbox with capsh
2024-02-14 05:46:36 +00:00
f11e443678
programs: waylock: *partially* sandbox with capsh
2024-02-14 05:46:28 +00:00
8f8ec090c4
programs: add "waylock"
2024-02-14 05:01:33 +00:00
e174eaeff0
programs: loupe: fix sandboxing
2024-02-14 04:32:10 +00:00
f12b7afa1e
programs: mimeo: don't sandbox
2024-02-14 01:51:26 +00:00
080bd856ec
programs: sandboxing: only permit wayland socket access to those specific apps which require it
2024-02-14 01:49:49 +00:00
2d7c5b9fa5
programs: mpv: explicitly add Videos/servo, Books/servo to sandbox
2024-02-13 15:38:57 +00:00
83cb29aeeb
xdg-utils: re-add mimetype package
2024-02-13 12:31:04 +00:00
1a18ed533b
programs: don't include dbus in the sandbox by default
2024-02-13 11:58:33 +00:00
18eec98cae
programs: brightnessctl: switch to landlock
2024-02-13 11:58:33 +00:00
82c386a6a4
programs: tor-browser-bundle-bin -> tor-browser
...
they're the same (aliased), only my programs API expects 'tor-browser' specifically
2024-02-13 11:58:33 +00:00
634dc318cd
programs: spotify: remove old/unused firejail config
2024-02-13 11:15:30 +00:00
6eaaeeb91a
programs: remove audio from the sandbox by default
2024-02-13 11:14:38 +00:00
94be4a7551
programs: wob: fix service definition (Exec -> ExecStart)
2024-02-13 11:03:18 +00:00
b4a20da78a
programs: brightnessctl: sandbox
2024-02-13 10:55:44 +00:00