colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity
4,906 Commits 125 Branches 1 Tag 12 MiB
bfc0eadfaa
Commit Graph

1033 Commits

Author SHA1 Message Date
Colin
57105c6861 sane-sandboxed: autodetect: handle file:/// URIs 2024-01-24 05:00:08 +00:00
Colin
3758044e7b sane-sandboxed: better handle "--" 2024-01-24 04:59:24 +00:00
Colin
bfaf098c31 sane-sandboxed: fix handling of -- (which previously smushed arguments) 2024-01-24 02:52:01 +00:00
Colin
089f86d5e4 programs: make /usr/bin/env available in the sandbox 
enables KOReader to run
 2024-01-24 01:48:02 +00:00
Colin
bdd70f8fa2 sane-sandboxed: ignore the executable path when autodetecting media 2024-01-23 16:32:06 +00:00
Colin
bfd5630e21 programs: sandbox: omit media dirs by default, and implement --sane-sandbox-autodetect for programs which are liable to load data from paths 2024-01-23 15:48:12 +00:00
Colin
576d2c32f0 programs: support secrets even when sandboxed 2024-01-23 14:57:33 +00:00
Colin
25739ec2ba programs: sane-sandboxed: avoid reading firejail profiles when the backend isnt firejail 
this should provide a marginal perf gain
 2024-01-23 14:57:33 +00:00
Colin
f148334b58 programs: port extraFirejailConfig to extraConfig 2024-01-23 14:57:33 +00:00
Colin
3a6ee8708e programs: sane-sandboxed: dont error if network mountpoints are offline 2024-01-23 13:13:31 +00:00
Colin
983bf93d8f programs: sane-sandboxed: make the profile handle arguments with spaces 2024-01-23 12:47:25 +00:00
Colin
40cc8f5d1c programs: sane-sandboxed: make more debuggable 2024-01-23 12:27:23 +00:00
Colin
cce03a5dc8 programs: sandbox: use --dev-bind-try for root paths; fixes mpv on moby 2024-01-23 12:18:32 +00:00
Colin
98dfc3aa5a programs: sandbox: allow all programs to access media 
hopefully this is just a stopgap
 2024-01-23 11:36:58 +00:00
Colin
27b56b1a12 programs: sane-sandbox: implement a cleaner debugshell and test API 2024-01-23 11:19:52 +00:00
Colin
6e9220d2bb programs: allow programs to specify "sandbox.method = "bwrap"" for bubblewrap sandboxing 2024-01-23 10:44:13 +00:00
Colin
0ddcfcaa23 sane-sandboxed: retrieve profiles from /share/sane-sandboxed/profiles so they can be customized without mass rebuilds 2024-01-23 08:01:23 +00:00
Colin
a4cb6645b4 programs: indirect firejail access through sane-sandboxed 2024-01-23 04:02:31 +00:00
Colin
2492ed2ca7 programs: introduce a sane-sandboxed helper 
not yet used, but will be soon
 2024-01-23 02:29:33 +00:00
Colin
f49d2a1e0e programs: split "makeSandboxed" into its own file 2024-01-23 01:23:14 +00:00
Colin
0dc3f4f7f2 modules/programs: move to subdir 
this will help me factor out helpers
 2024-01-23 01:02:04 +00:00
Colin
d5901afb8e programs: firejail: specify profile via : (clarifies to firejail that its an identifier and not a path); invoke firejail via name instead of absolute path 2024-01-22 23:58:54 +00:00
Colin
8bf41ea858 programs: fix missing newline in firejail config concatenation 2024-01-22 13:11:47 +00:00
Colin
df861a3ef0 programs: firejail: inject custom firejail config through /etc/firejail 
this improves rebuild times, and makes it easier for packages to inject their own free-form config
 2024-01-22 11:12:18 +00:00
Colin
60547204a8 sane.programs: firejail: support wrapping "runCommand" packages 2024-01-22 09:16:25 +00:00
Colin
dd35136ac0 firejail: fix so /run/wrappers are available inside a jail 2024-01-22 07:18:50 +00:00
Colin
0f3f0933b1 mpv: sandbox with firejail 2024-01-22 03:50:28 +00:00
Colin
9ecd0adcbe firefox: sandbox with firejail 
TODO: get it so open-in-mpv launches an mpv that has access to ~/.config/mpv

i guess this is the 'firejail url problem'
 2024-01-21 23:59:15 +00:00
Colin
ad92a2e158 programs: abort when no firejail profile is found for a program. 
in the future, i can whitelist specific binaries to omit their firejail
profiles.
 2024-01-21 04:32:49 +00:00
Colin
5f5891d241 programs: apply firejail profile to programs which are net isolated 2024-01-21 04:28:48 +00:00
Colin
992194a1f0 programs: achieve network sandboxing without "sane-vpn do" 2024-01-21 03:51:12 +00:00
Colin
bad6a7bfee programs: implement "default vpn" with native nix code instead of sane-vpn 2024-01-21 01:04:31 +00:00
Colin
66d5e204be vpn: enforce "id" restrictions 2024-01-21 00:57:46 +00:00
Colin
ce35330923 vpn.nix: factor into a proper module 
this will allow for better integration with 'sane.programs'
 2024-01-21 00:49:34 +00:00
Colin
59187a0ec0 programs: allow running binaries in a netns-style firejail 2024-01-20 11:11:12 +00:00
Colin
fd0723169f nix-serve: fix coredump loop 2024-01-19 21:34:45 +00:00
Colin
43a8ca90a7 feeds: add Cat and Girl 2024-01-16 19:12:25 +00:00
Colin
a5c6e41622 feeds: subscribe to POD OF JAKE 2024-01-14 05:20:28 +00:00
Colin
812a02bc6b feeds: add The Dollop podcast 2024-01-14 00:49:29 +00:00
Colin
70f059eaac feeds: subscribe to Jack Stauber 2024-01-13 16:43:41 +00:00
Colin
e2a43ddfa0 servo: clightning: allow group members to run lightning-cli 2024-01-11 15:59:32 +00:00
Colin
cecb114810 clightning: harden 2024-01-04 18:47:40 +00:00
Colin
7378d6c5b2 bitcoind: host behind tor 2024-01-04 16:25:49 +00:00
Colin
43498c62f9 clightning: integrate with tor 2024-01-03 18:29:16 +00:00
Colin
41ae86f40f servo: enable clightning 2024-01-03 13:56:42 +00:00
Colin
3e52956a3a servo: clightning: integrate, but do not enable 2024-01-02 18:32:34 +00:00
Colin
28d0a72c62 define (but dont activate) a clighting bitcoin service 2024-01-02 14:29:52 +00:00
Colin
822653ec10 feeds: vitalik.ca -> vitalik.eth.limo 2024-01-01 03:48:06 +00:00
Colin
68502ca944 feeds: add webcurious.co.uk link aggregator 2024-01-01 03:46:52 +00:00
Colin
d18e94ea87 feeds: subscribe to linmob.net 2023-12-14 22:20:30 +00:00
Colin
3467a5df48 feeds: subscribe Origin Stories 2023-12-13 22:31:58 +00:00
Colin
694dd59e27 feeds: subscribe bitsaboutmoney 2023-12-13 22:29:22 +00:00
Colin
69bc219efa ports: fix systemd RandomizedDelaySec typo 2023-12-12 02:14:27 +00:00
Colin
4c5fb74c7d feeds: subscribe to kosmosghost 2023-12-11 04:55:47 +00:00
Colin
008a6192d4 mpv: associate with https://youtube.com/... 2023-12-11 04:52:49 +00:00
Colin
f7a318c937 modules/users: fix services to specify PATH with correct precedence 2023-12-10 15:18:26 +00:00
Colin
01de6f84cf feeds: subscribe to Louis Rossmann 2023-12-09 08:14:16 +00:00
Colin
2d06401f3c feeds: subscribe to Tom Scott 2023-12-06 16:19:37 +00:00
Colin
2db56f2499 feeds: subscribe to TheB1M 2023-12-06 16:18:03 +00:00
Colin
63ea6d7002 feeds: subscribe to Exurb1a 2023-12-06 16:16:29 +00:00
Colin
3e2523cc2c feeds: subscribe to Cold Fusion 2023-12-06 16:15:25 +00:00
Colin
ad3f5e305e feeds: subscribe to Vox 
don't @ me
 2023-12-06 16:13:08 +00:00
Colin
aa5b9e3db3 user services: wrap with user PATH 
notably, this alllows Fractal to open links with the preferred browser
 2023-12-06 16:09:07 +00:00
Colin
46123719e9 feeds: subscribe to Vihart 2023-12-06 16:09:07 +00:00
Colin
16bce990c6 feeds: subscribe to PolyMatter 2023-12-06 16:09:07 +00:00
Colin
d55e387187 feeds: subscribe to Vsauce 2023-12-06 16:09:06 +00:00
Colin
e75c3375dc feeds: subscribe to Channel5 News 2023-12-06 16:08:50 +00:00
Colin
b1c7cb367a feeds: subcsribe to hbomberguy 2023-12-06 15:47:39 +00:00
Colin
d63d660ec2 feeds: subscribe to ContraPoints 2023-12-06 15:45:43 +00:00
Colin
9704dcc997 feeds: add support for video; subscribe to videos in gpodder 2023-12-06 15:36:05 +00:00
Colin
80875d6312 feeds: subscribe to Technology Connections 2023-12-06 15:35:38 +00:00
Colin
4cc5eed884 feeds: subscribe to srslywrong.com 2023-12-05 04:25:25 +00:00
Colin
8f9c9efca1 feeds: econlib: update feed URL 2023-11-26 02:17:36 +00:00
Colin
1cb83032a1 feeds: postmarketOS: update feed url 2023-11-26 02:17:23 +00:00
Colin
121e86013e feeds: add Hard Fork podcast 2023-11-23 05:57:23 +00:00
Colin
e0a1dcd51f refactor: remove modules/data/keys.nix 2023-11-23 03:56:00 +00:00
Colin
758281f772 modules/feeds: remove unused parameter 2023-11-23 03:37:18 +00:00
Colin
23f4b2e2e4 nixserve: dependency-inject the pubkey 
this is in modules/ dir; shouldn't have that kind of data in it
 2023-11-23 02:14:18 +00:00
Colin
2d65282643 nixremote: define the user as part of the nixserve module 2023-11-23 02:08:45 +00:00
Colin
77a0a36bb8 enable remote-building for lappy/moby 2023-11-23 01:59:37 +00:00
Colin
3ff9c0ad0c add a "nixremote" user for remote bulding (experimental; builds arent actually enabled yet) 2023-11-23 01:27:28 +00:00
Colin
52b59bcde8 feeds: add Mic92 (nix dev) 2023-11-19 10:55:51 +00:00
Colin
91c2f6fc95 implement sane.programs.slowToBuild and {moby,desko,lappy}-light targets 
i'm not sure this is the exact right abstraction, but it's a starting point
 2023-11-18 22:06:42 +00:00
Colin
ad495301c0 feeds: add Jeff Geerling 2023-11-18 00:23:58 +00:00
Colin
cd79be5414 feeds: remove unused fields 2023-11-10 17:27:51 +00:00
Colin
6acd363f55 sane.persist.root-on-tmpfs -> sane.root-on-tmpfs 2023-11-09 00:15:04 +00:00
Colin
23c46079a9 image: allow configuring the sector size 2023-11-08 16:42:25 +00:00
Colin
28d4a4b065 persistence: move stores behind a byStore attr to support disabling persistence altogether (for e.g. rescue image) 2023-11-08 15:33:15 +00:00
Colin
25e314c02e blogs: follow artemis.sh 2023-11-01 04:38:04 +00:00
Colin
6191542805 nix-serve: port 5000 -> 5001; prosody: enable proxy65 on port 5000 2023-10-20 04:48:30 +00:00
Colin
3942ae0f1b feeds: subscribe to Benjamin Mako 2023-10-18 21:57:56 +00:00
Colin
fa65b0b92e feeds: add Samana Harihareswara 2023-10-18 21:53:51 +00:00
Colin
697ae02797 podcasts: The Daily: port to db 2023-10-18 21:37:12 +00:00
Colin
ab35a46e5f podcasts: sub Tech Wont Save Us, Trash Future 2023-10-18 21:35:36 +00:00
Colin
90b1215a89 s/types.string/types.str/ 2023-10-17 22:46:02 +00:00
Colin
827d9626d6 ports: actually forward ovpns ports into the root namespace 2023-10-17 09:42:13 +00:00
Colin
5cfde63d5d wowlan: document theory on wake failure 2023-10-11 10:01:15 +00:00
Colin
6dd1d5759b wowlan: document a new failure mode/workaround 2023-10-10 21:33:34 +00:00
Colin
2de947d96e wowlan: move the implementation into sxmo_suspend.sh instead of a systemd service 2023-10-10 09:26:48 +00:00
Colin
85e5d30b0f wowlan module: port to rtl8723cs-wowlan python script 2023-10-10 08:34:02 +00:00