|
bebf6bdaeb
|
rsync-net: hardcode fewer paths
|
2024-08-03 11:38:43 +00:00 |
|
|
04fc601c9c
|
rsync-net: fix sandboxing (don't set PrivateUsers: we lose perms in the root ns doing that)
|
2024-08-03 11:25:50 +00:00 |
|
|
ee062d61d0
|
sane-tag-media: rework the tag extrapolation to be less intrusive
|
2024-08-03 07:58:43 +00:00 |
|
|
0dba9987c5
|
sane-tag-media: remove unused "confirm" function
|
2024-08-03 07:19:53 +00:00 |
|
|
4761690b6d
|
sane-tag-media: have --derive + --override-existing NOT override the existing tags when the derived ones appear to be simply lower-quality versions of the same on-disk data
|
2024-08-03 07:19:08 +00:00 |
|
|
604782c3a6
|
sane-tag-media: refactor (simplify)
|
2024-08-03 03:57:09 +00:00 |
|
|
365d33c357
|
sane-tag-media: empty manual tags always overwrite tags, regardless of --override-existing flag
|
2024-08-03 03:38:22 +00:00 |
|
|
a39ad8a508
|
sane-tag-media: rename --force flag to --override-existing
|
2024-08-03 03:31:16 +00:00 |
|
|
c49e9a4c2b
|
sane-tag-media: implement the --ignore-existing flag
|
2024-08-03 03:18:07 +00:00 |
|
|
36491842cc
|
sanebox: bwrap: micro-optimize to not require env
|
2024-08-02 22:44:27 +00:00 |
|
|
81ea2210c9
|
sanebox: allow keeping the net namespace
|
2024-08-02 22:44:27 +00:00 |
|
|
f678508b33
|
sanebox: add --sanebox-capsh-arg flag
|
2024-08-02 22:44:27 +00:00 |
|
|
6135be5f72
|
sanebox: refactor: bwrapFlags -> bwrapArgs
|
2024-08-02 22:44:27 +00:00 |
|
|
c8989ca1a8
|
pasta: allow running as root
|
2024-08-02 22:44:26 +00:00 |
|
|
1d665f8ecc
|
sanebox: support "--sanebox-cap all" special case
|
2024-08-02 22:43:52 +00:00 |
|
|
7c284ad8da
|
sane-vpn: use pasta instead of full bwrap for net namespacing
|
2024-08-02 22:42:56 +00:00 |
|
|
1c26674da7
|
rsync-net: temporarily use only RestrictNetworkInterfaces option and disable the internal sane-vpn logic
this is temporary, until i can fix sane-vpn to preserve linux capabilities
|
2024-08-02 22:10:44 +00:00 |
|
|
dae8481176
|
firefox: ship a "stub DNS" desktop file variant
though note that my stub-dns seems to be broken recently...
|
2024-08-02 21:41:07 +00:00 |
|
|
42b27f0433
|
sane-vpn: fix broken doc on --verbose flag
|
2024-08-02 21:39:29 +00:00 |
|
|
84be0cae5a
|
todo.md: note another website which doesn't resolve with trust-dns
|
2024-08-02 21:20:31 +00:00 |
|
|
fbfd0afca4
|
common/fs: only declare /mnt/$host mounts for hosts this machine is authorized to access
|
2024-08-02 20:29:22 +00:00 |
|
|
e586b7b449
|
signal-desktop-from-src: 7.16.0 -> 7.18.0
|
2024-08-02 10:52:44 +00:00 |
|
|
222c37b056
|
uassets: 2024-07-29 -> 2024-08-02
|
2024-08-02 10:52:25 +00:00 |
|
|
53b17ec230
|
nixpkgs-wayland: 2024-07-28 -> 2024-08-02
|
2024-08-02 10:52:07 +00:00 |
|
|
7697704aff
|
nixpkgs: 2024-07-31 -> 2024-08-02
|
2024-08-02 10:51:44 +00:00 |
|
|
c490b6e6ad
|
common/polyunfill: simplify my config by using the new security.pam.package option
|
2024-08-02 10:04:20 +00:00 |
|
|
89d678c729
|
nixpkgs: 2024-07-29 -> 2024-07-31
|
2024-08-02 10:03:48 +00:00 |
|
|
c64163290c
|
gocryptfs: return to running mainline
i don't need the bug fix anymore, since i don't use pam_mount anymore
|
2024-08-02 09:52:20 +00:00 |
|
|
eaeb8380dc
|
fs: enable @basic-api everywhere, since it's required by systemd restart logic
|
2024-08-02 09:13:55 +00:00 |
|
|
05a9e8e819
|
common: /mnt/servo: fix systemd mount files to be aware of the timeout, again
|
2024-08-02 08:16:13 +00:00 |
|
|
cf20230d96
|
sane.fs: cleanup
plumb systemd.{mounts,services} instead of the less detailed 'systemd'
|
2024-08-02 08:01:38 +00:00 |
|
|
9dbb2a6266
|
sane.fs: take in the role of generating systemd.mounts files
|
2024-08-02 07:33:21 +00:00 |
|
|
113b107d73
|
persist: fix ordering so stores aren't required by local-fs.target
maybe they should be, but then there's weird stuff about getty depending on sysinit.target, and that being blocked by the private store...
|
2024-08-02 06:20:39 +00:00 |
|
|
96dfe79a8c
|
fs: persist/private: harden systemd mount file
|
2024-08-02 05:17:44 +00:00 |
|
|
6e5bde17aa
|
cleanup: persist/private: simplify
|
2024-08-02 05:00:55 +00:00 |
|
|
3eb66c098b
|
trust-dns: make it a dependency of "network-online.target"
|
2024-08-02 04:54:58 +00:00 |
|
|
515aab5370
|
cleanup: persist/private: encode the dependencies more precisely, rather than just having it all depend on default.target
|
2024-08-02 04:50:33 +00:00 |
|
|
f925dd9a20
|
fs: isolate /mnt/servo/* and /mnt/persist/ephemeral a bit more
|
2024-08-02 04:45:14 +00:00 |
|
|
cbe6bdf158
|
hosts: fs: sandbox /mnt/servo/* mounts
|
2024-08-02 03:17:53 +00:00 |
|
|
949a52dee1
|
activationScripts.notifyActive: be quiet about sane-deadlines/sane-sysload
|
2024-08-02 01:11:19 +00:00 |
|
|
2ee1fb17c4
|
sane-deadlines, sane-sysload: fix ordering to not run before the environment is configured
|
2024-08-02 01:04:07 +00:00 |
|
|
48cc718700
|
login: remove systemd-user-sessions integration so that we don't block on remote-fs
tested on lappy. will it work on servo, with gitea?
|
2024-08-02 00:52:51 +00:00 |
|
|
6a7dd31755
|
vpn: fix warning about missing /32 syntax
|
2024-08-02 00:37:58 +00:00 |
|
|
2197951e12
|
NetworkManager-dispatcher: cleanup an ordering cycle between it and trust-dns-localhost
|
2024-08-02 00:36:54 +00:00 |
|
|
883db3e9ba
|
todo.md: sync
|
2024-08-02 00:33:35 +00:00 |
|
|
312b0a5554
|
todo.md: sandbox the remaining filesystems
|
2024-08-01 22:50:03 +00:00 |
|
|
07de46c616
|
todo.md: remove completed items
|
2024-08-01 22:48:49 +00:00 |
|
|
efc16a9e80
|
persist: harden the "ephemeral" store mount environment
there's only so much this can actually achieve. it's still quite possible for someone who knows what they're doing to do large amounts of damage
|
2024-08-01 22:40:55 +00:00 |
|
|
161f272f41
|
gpodder-adaptive: track youtube-dl upstreaming
|
2024-08-01 20:02:47 +00:00 |
|
|
6aa6c0020c
|
lightning-cli: fix sandboxing
|
2024-08-01 19:59:23 +00:00 |
|