|
57105c6861
|
sane-sandboxed: autodetect: handle file:/// URIs
|
2024-01-24 05:00:08 +00:00 |
|
|
3758044e7b
|
sane-sandboxed: better handle "--"
|
2024-01-24 04:59:24 +00:00 |
|
|
bfaf098c31
|
sane-sandboxed: fix handling of -- (which previously smushed arguments)
|
2024-01-24 02:52:01 +00:00 |
|
|
089f86d5e4
|
programs: make /usr/bin/env available in the sandbox
enables KOReader to run
|
2024-01-24 01:48:02 +00:00 |
|
|
bdd70f8fa2
|
sane-sandboxed: ignore the executable path when autodetecting media
|
2024-01-23 16:32:06 +00:00 |
|
|
bfd5630e21
|
programs: sandbox: omit media dirs by default, and implement --sane-sandbox-autodetect for programs which are liable to load data from paths
|
2024-01-23 15:48:12 +00:00 |
|
|
576d2c32f0
|
programs: support secrets even when sandboxed
|
2024-01-23 14:57:33 +00:00 |
|
|
25739ec2ba
|
programs: sane-sandboxed: avoid reading firejail profiles when the backend isnt firejail
this should provide a marginal perf gain
|
2024-01-23 14:57:33 +00:00 |
|
|
f148334b58
|
programs: port extraFirejailConfig to extraConfig
|
2024-01-23 14:57:33 +00:00 |
|
|
3a6ee8708e
|
programs: sane-sandboxed: dont error if network mountpoints are offline
|
2024-01-23 13:13:31 +00:00 |
|
|
983bf93d8f
|
programs: sane-sandboxed: make the profile handle arguments with spaces
|
2024-01-23 12:47:25 +00:00 |
|
|
40cc8f5d1c
|
programs: sane-sandboxed: make more debuggable
|
2024-01-23 12:27:23 +00:00 |
|
|
cce03a5dc8
|
programs: sandbox: use --dev-bind-try for root paths; fixes mpv on moby
|
2024-01-23 12:18:32 +00:00 |
|
|
98dfc3aa5a
|
programs: sandbox: allow all programs to access media
hopefully this is just a stopgap
|
2024-01-23 11:36:58 +00:00 |
|
|
27b56b1a12
|
programs: sane-sandbox: implement a cleaner debugshell and test API
|
2024-01-23 11:19:52 +00:00 |
|
|
6e9220d2bb
|
programs: allow programs to specify "sandbox.method = "bwrap"" for bubblewrap sandboxing
|
2024-01-23 10:44:13 +00:00 |
|
|
0ddcfcaa23
|
sane-sandboxed: retrieve profiles from /share/sane-sandboxed/profiles so they can be customized without mass rebuilds
|
2024-01-23 08:01:23 +00:00 |
|
|
a4cb6645b4
|
programs: indirect firejail access through sane-sandboxed
|
2024-01-23 04:02:31 +00:00 |
|
|
2492ed2ca7
|
programs: introduce a sane-sandboxed helper
not yet used, but will be soon
|
2024-01-23 02:29:33 +00:00 |
|
|
f49d2a1e0e
|
programs: split "makeSandboxed" into its own file
|
2024-01-23 01:23:14 +00:00 |
|
|
0dc3f4f7f2
|
modules/programs: move to subdir
this will help me factor out helpers
|
2024-01-23 01:02:04 +00:00 |
|
|
d5901afb8e
|
programs: firejail: specify profile via : (clarifies to firejail that its an identifier and not a path); invoke firejail via name instead of absolute path
|
2024-01-22 23:58:54 +00:00 |
|
|
8bf41ea858
|
programs: fix missing newline in firejail config concatenation
|
2024-01-22 13:11:47 +00:00 |
|
|
df861a3ef0
|
programs: firejail: inject custom firejail config through /etc/firejail
this improves rebuild times, and makes it easier for packages to inject their own free-form config
|
2024-01-22 11:12:18 +00:00 |
|
|
60547204a8
|
sane.programs: firejail: support wrapping "runCommand" packages
|
2024-01-22 09:16:25 +00:00 |
|
|
dd35136ac0
|
firejail: fix so /run/wrappers are available inside a jail
|
2024-01-22 07:18:50 +00:00 |
|
|
0f3f0933b1
|
mpv: sandbox with firejail
|
2024-01-22 03:50:28 +00:00 |
|
|
9ecd0adcbe
|
firefox: sandbox with firejail
TODO: get it so open-in-mpv launches an mpv that has access to ~/.config/mpv
i guess this is the 'firejail url problem'
|
2024-01-21 23:59:15 +00:00 |
|
|
ad92a2e158
|
programs: abort when no firejail profile is found for a program.
in the future, i can whitelist specific binaries to omit their firejail
profiles.
|
2024-01-21 04:32:49 +00:00 |
|
|
5f5891d241
|
programs: apply firejail profile to programs which are net isolated
|
2024-01-21 04:28:48 +00:00 |
|
|
992194a1f0
|
programs: achieve network sandboxing without "sane-vpn do"
|
2024-01-21 03:51:12 +00:00 |
|
|
bad6a7bfee
|
programs: implement "default vpn" with native nix code instead of sane-vpn
|
2024-01-21 01:04:31 +00:00 |
|
|
66d5e204be
|
vpn: enforce "id" restrictions
|
2024-01-21 00:57:46 +00:00 |
|
|
ce35330923
|
vpn.nix: factor into a proper module
this will allow for better integration with 'sane.programs'
|
2024-01-21 00:49:34 +00:00 |
|
|
59187a0ec0
|
programs: allow running binaries in a netns-style firejail
|
2024-01-20 11:11:12 +00:00 |
|
|
fd0723169f
|
nix-serve: fix coredump loop
|
2024-01-19 21:34:45 +00:00 |
|
|
43a8ca90a7
|
feeds: add Cat and Girl
|
2024-01-16 19:12:25 +00:00 |
|
|
a5c6e41622
|
feeds: subscribe to POD OF JAKE
|
2024-01-14 05:20:28 +00:00 |
|
|
812a02bc6b
|
feeds: add The Dollop podcast
|
2024-01-14 00:49:29 +00:00 |
|
|
70f059eaac
|
feeds: subscribe to Jack Stauber
|
2024-01-13 16:43:41 +00:00 |
|
|
e2a43ddfa0
|
servo: clightning: allow group members to run lightning-cli
|
2024-01-11 15:59:32 +00:00 |
|
|
cecb114810
|
clightning: harden
|
2024-01-04 18:47:40 +00:00 |
|
|
7378d6c5b2
|
bitcoind: host behind tor
|
2024-01-04 16:25:49 +00:00 |
|
|
43498c62f9
|
clightning: integrate with tor
|
2024-01-03 18:29:16 +00:00 |
|
|
41ae86f40f
|
servo: enable clightning
|
2024-01-03 13:56:42 +00:00 |
|
|
3e52956a3a
|
servo: clightning: integrate, but do not enable
|
2024-01-02 18:32:34 +00:00 |
|
|
28d0a72c62
|
define (but dont activate) a clighting bitcoin service
|
2024-01-02 14:29:52 +00:00 |
|
|
822653ec10
|
feeds: vitalik.ca -> vitalik.eth.limo
|
2024-01-01 03:48:06 +00:00 |
|
|
68502ca944
|
feeds: add webcurious.co.uk link aggregator
|
2024-01-01 03:46:52 +00:00 |
|
|
d18e94ea87
|
feeds: subscribe to linmob.net
|
2023-12-14 22:20:30 +00:00 |
|
|
3467a5df48
|
feeds: subscribe Origin Stories
|
2023-12-13 22:31:58 +00:00 |
|
|
694dd59e27
|
feeds: subscribe bitsaboutmoney
|
2023-12-13 22:29:22 +00:00 |
|
|
69bc219efa
|
ports: fix systemd RandomizedDelaySec typo
|
2023-12-12 02:14:27 +00:00 |
|
|
4c5fb74c7d
|
feeds: subscribe to kosmosghost
|
2023-12-11 04:55:47 +00:00 |
|
|
008a6192d4
|
mpv: associate with https://youtube.com/...
|
2023-12-11 04:52:49 +00:00 |
|
|
f7a318c937
|
modules/users: fix services to specify PATH with correct precedence
|
2023-12-10 15:18:26 +00:00 |
|
|
01de6f84cf
|
feeds: subscribe to Louis Rossmann
|
2023-12-09 08:14:16 +00:00 |
|
|
2d06401f3c
|
feeds: subscribe to Tom Scott
|
2023-12-06 16:19:37 +00:00 |
|
|
2db56f2499
|
feeds: subscribe to TheB1M
|
2023-12-06 16:18:03 +00:00 |
|
|
63ea6d7002
|
feeds: subscribe to Exurb1a
|
2023-12-06 16:16:29 +00:00 |
|
|
3e2523cc2c
|
feeds: subscribe to Cold Fusion
|
2023-12-06 16:15:25 +00:00 |
|
|
ad3f5e305e
|
feeds: subscribe to Vox
don't @ me
|
2023-12-06 16:13:08 +00:00 |
|
|
aa5b9e3db3
|
user services: wrap with user PATH
notably, this alllows Fractal to open links with the preferred browser
|
2023-12-06 16:09:07 +00:00 |
|
|
46123719e9
|
feeds: subscribe to Vihart
|
2023-12-06 16:09:07 +00:00 |
|
|
16bce990c6
|
feeds: subscribe to PolyMatter
|
2023-12-06 16:09:07 +00:00 |
|
|
d55e387187
|
feeds: subscribe to Vsauce
|
2023-12-06 16:09:06 +00:00 |
|
|
e75c3375dc
|
feeds: subscribe to Channel5 News
|
2023-12-06 16:08:50 +00:00 |
|
|
b1c7cb367a
|
feeds: subcsribe to hbomberguy
|
2023-12-06 15:47:39 +00:00 |
|
|
d63d660ec2
|
feeds: subscribe to ContraPoints
|
2023-12-06 15:45:43 +00:00 |
|
|
9704dcc997
|
feeds: add support for video; subscribe to videos in gpodder
|
2023-12-06 15:36:05 +00:00 |
|
|
80875d6312
|
feeds: subscribe to Technology Connections
|
2023-12-06 15:35:38 +00:00 |
|
|
4cc5eed884
|
feeds: subscribe to srslywrong.com
|
2023-12-05 04:25:25 +00:00 |
|
|
8f9c9efca1
|
feeds: econlib: update feed URL
|
2023-11-26 02:17:36 +00:00 |
|
|
1cb83032a1
|
feeds: postmarketOS: update feed url
|
2023-11-26 02:17:23 +00:00 |
|
|
121e86013e
|
feeds: add Hard Fork podcast
|
2023-11-23 05:57:23 +00:00 |
|
|
e0a1dcd51f
|
refactor: remove modules/data/keys.nix
|
2023-11-23 03:56:00 +00:00 |
|
|
758281f772
|
modules/feeds: remove unused parameter
|
2023-11-23 03:37:18 +00:00 |
|
|
23f4b2e2e4
|
nixserve: dependency-inject the pubkey
this is in modules/ dir; shouldn't have that kind of data in it
|
2023-11-23 02:14:18 +00:00 |
|
|
2d65282643
|
nixremote: define the user as part of the nixserve module
|
2023-11-23 02:08:45 +00:00 |
|
|
77a0a36bb8
|
enable remote-building for lappy/moby
|
2023-11-23 01:59:37 +00:00 |
|
|
3ff9c0ad0c
|
add a "nixremote" user for remote bulding (experimental; builds arent actually enabled yet)
|
2023-11-23 01:27:28 +00:00 |
|
|
52b59bcde8
|
feeds: add Mic92 (nix dev)
|
2023-11-19 10:55:51 +00:00 |
|
|
91c2f6fc95
|
implement sane.programs.slowToBuild and {moby,desko,lappy}-light targets
i'm not sure this is the exact right abstraction, but it's a starting point
|
2023-11-18 22:06:42 +00:00 |
|
|
ad495301c0
|
feeds: add Jeff Geerling
|
2023-11-18 00:23:58 +00:00 |
|
|
cd79be5414
|
feeds: remove unused fields
|
2023-11-10 17:27:51 +00:00 |
|
|
6acd363f55
|
sane.persist.root-on-tmpfs -> sane.root-on-tmpfs
|
2023-11-09 00:15:04 +00:00 |
|
|
23c46079a9
|
image: allow configuring the sector size
|
2023-11-08 16:42:25 +00:00 |
|
|
28d4a4b065
|
persistence: move stores behind a byStore attr to support disabling persistence altogether (for e.g. rescue image)
|
2023-11-08 15:33:15 +00:00 |
|
|
25e314c02e
|
blogs: follow artemis.sh
|
2023-11-01 04:38:04 +00:00 |
|
|
6191542805
|
nix-serve: port 5000 -> 5001; prosody: enable proxy65 on port 5000
|
2023-10-20 04:48:30 +00:00 |
|
|
3942ae0f1b
|
feeds: subscribe to Benjamin Mako
|
2023-10-18 21:57:56 +00:00 |
|
|
fa65b0b92e
|
feeds: add Samana Harihareswara
|
2023-10-18 21:53:51 +00:00 |
|
|
697ae02797
|
podcasts: The Daily: port to db
|
2023-10-18 21:37:12 +00:00 |
|
|
ab35a46e5f
|
podcasts: sub Tech Wont Save Us, Trash Future
|
2023-10-18 21:35:36 +00:00 |
|
|
90b1215a89
|
s/types.string/types.str/
|
2023-10-17 22:46:02 +00:00 |
|
|
827d9626d6
|
ports: actually forward ovpns ports into the root namespace
|
2023-10-17 09:42:13 +00:00 |
|
|
5cfde63d5d
|
wowlan: document theory on wake failure
|
2023-10-11 10:01:15 +00:00 |
|
|
6dd1d5759b
|
wowlan: document a new failure mode/workaround
|
2023-10-10 21:33:34 +00:00 |
|
|
2de947d96e
|
wowlan: move the implementation into sxmo_suspend.sh instead of a systemd service
|
2023-10-10 09:26:48 +00:00 |
|
|
85e5d30b0f
|
wowlan module: port to rtl8723cs-wowlan python script
|
2023-10-10 08:34:02 +00:00 |
|