2ada436634
home: remove ~/private symlink; move to .persist/private and add related aliases
2024-02-23 07:06:29 +00:00
e5ad0862fb
refactor: move ~/ fs definitions into hosts/common/home, not users/
2024-02-23 07:06:29 +00:00
057b9e3fed
replace links/references to ~/private/FOO with just ~/FOO
2024-02-23 07:06:29 +00:00
1bcfccf7e3
refactor: persist ~/knowledge formally instead of relying on the symlink
2024-02-23 07:06:29 +00:00
170eeeacc4
programs: dereference not just the leaf, but any part of the path, when determining a program's sandbox closure
2024-02-23 07:06:29 +00:00
a402822084
move "private" store to /mnt/persist/private instead of ~/private
...
this will allow me to add all of ~ to a sandbox without giving all of ~/private
2024-02-23 07:06:29 +00:00
80ecdcc4f9
persist: plaintext: consider "/mnt/persist/plaintext" as the logical root, and abstract away "/nix/persist"
2024-02-23 07:06:29 +00:00
0864790bb7
docs: modules/persist: document the "origin" store parameter
2024-02-23 07:06:29 +00:00
478747a96e
modules/persist: change default mounting method to symlink
...
this changes the plaintext and cryptClearOnBoot stores: private was already symlink-based.
this isn't strictly necessary: the rationale is:
1. `mount` syscall *requires* CAP_SYS_ADMIN (i.e. superuser/suid).
that's causing problems with sandboxing, particularly ~/private.
that doesn't affect other stores *yet*, but it may in the future.
2. visibility. i.e. it makes *clear* where anything is persisted.
if `realpath` doesn't evaluate to `/nix/persist`, then it's not
persisted.
2024-02-23 07:06:29 +00:00
771dc2e1ce
fs: allow common /mnt points to be mounted by me without sudo
2024-02-23 07:06:29 +00:00
4a316d4b91
bonsai: lift out of sxmo
2024-02-23 07:06:29 +00:00
0ff8154e96
icu: fix cross compilation
2024-02-23 07:04:39 +00:00
af03b3f6e8
xwayland: sandbox
2024-02-23 01:05:24 +00:00
5819f07181
programs: xwayland: sandbox
2024-02-22 22:12:03 +00:00
122f3fa5cc
sway: remove xwayland-specific placement of Signal
...
it breaks non-xwayland sway config parsing, and Signal is native Wayland now anyway even with Xwayland running'
2024-02-22 22:01:48 +00:00
ece612ea70
nixpkgs: 2024-02-21 -> 2024-02-22
...
```
• Updated input 'nixpkgs-next-unpatched':
'github:nixos/nixpkgs/97c19bdc7ecbe44755084a52acf38e17bdf2bc71' (2024-02-21)
→ 'github:nixos/nixpkgs/024149d718e25378f4decfeeb614b88208c2f700' (2024-02-22)
• Updated input 'nixpkgs-unpatched':
'github:nixos/nixpkgs/0e74ca98a74bc7270d28838369593635a5db3260' (2024-02-21)
→ 'github:nixos/nixpkgs/a7fa133a1e973c127e9c83e2c8e3407ae3797099' (2024-02-22)
• Updated input 'sops-nix':
'github:Mic92/sops-nix/acfcce2a36da17ebb724d2e100d47881880c2e48' (2024-02-20)
→ 'github:Mic92/sops-nix/f6b80ab6cd25e57f297fe466ad689d8a77057c11' (2024-02-21)
```
2024-02-22 07:07:29 +00:00
f27f994090
systemd: fix the timeout for the user service manager
2024-02-22 00:24:05 +00:00
473999c001
sway: re-enable networkmanager
2024-02-21 23:46:25 +00:00
d1de9efde1
sway: port xwayland use to sane.programs API
2024-02-21 23:32:10 +00:00
50c3f04714
pipewire: remove dead alsa comments
2024-02-21 23:26:40 +00:00
49bad8f186
sway: split pipewire persisted file into pipewire.nix
2024-02-21 23:26:25 +00:00
fd9f500e97
sway: split pipewire config into separate sane.programs.pipewire
2024-02-21 23:23:52 +00:00
386651044e
sway: port to sane.programs API
2024-02-21 23:18:57 +00:00
55a6c828f2
sway: lift portal/menu reset into polyunfill.nix
2024-02-21 22:09:53 +00:00
7ecebd7521
sway: treat fontconfig as an ordinary sane.programs
2024-02-21 22:08:45 +00:00
7b299176e3
sway: simplify the wrapper
2024-02-21 22:06:10 +00:00
4da9cb5ac8
sway: simplify the wrapper... slightly
2024-02-21 21:42:48 +00:00
f068da709f
sway: compile with xwayland only if we plan to use it at runtime
...
else it's just extra weight
2024-02-21 21:05:41 +00:00
5b21257e4f
gui: sway: remove useGreeter
option (provide a greeter always, via suggestedPrograms)
2024-02-21 20:59:34 +00:00
d77a12ce7b
unl0kr: remove the "afterLogin" option and choose automatically which desktop to launch
2024-02-21 20:47:48 +00:00
153d2a1047
GSK_RENDERER: don't set globally, but just for the apps which _actually_ require it
...
this way i can avoid conflicts around apps which don't expect this to be set (e.g. delfin)
2024-02-21 16:56:56 +00:00
2a528a5d8e
sane-sandboxed: leave a note about future mount work
2024-02-21 16:08:42 +00:00
b8f090be93
programs: delfin: add required mpris permissions
2024-02-21 13:27:19 +00:00
b16902bec1
delfin: downgrade 0.4.1 -> 0.4.0
...
0.4.1 doesn't cross compile because of rust requirement. 0.4.0 does
2024-02-21 13:26:54 +00:00
c919372324
delfin: add option to build in debug mode, and with debug patches
2024-02-21 12:09:48 +00:00
60371585e4
delfin: 0.4.0 -> 0.4.1
2024-02-21 09:04:49 +00:00
20cb850fb5
nixpkgs: 2024-02-18 -> 2024-02-21
...
```
• Updated input 'nixpkgs-next-unpatched':
'github:nixos/nixpkgs/d076cde70cbceca9315a11bdc609ddfcec9dfbca' (2024-02-18)
→ 'github:nixos/nixpkgs/97c19bdc7ecbe44755084a52acf38e17bdf2bc71' (2024-02-21)
• Updated input 'nixpkgs-unpatched':
'github:nixos/nixpkgs/9511a7b219df1f8d8f5c2a58c4870fde169fe397' (2024-02-18)
→ 'github:nixos/nixpkgs/0e74ca98a74bc7270d28838369593635a5db3260' (2024-02-21)
• Updated input 'sops-nix':
'github:Mic92/sops-nix/ffed177a9d2c685901781c3c6c9024ae0ffc252b' (2024-02-18)
→ 'github:Mic92/sops-nix/acfcce2a36da17ebb724d2e100d47881880c2e48' (2024-02-20)
```
2024-02-21 00:35:14 +00:00
c6470918de
types.string -> types.str
2024-02-21 00:25:44 +00:00
c0f374bd80
programs: sane-secrets-dump: don't leak secrets onto proc/cmdline
2024-02-21 00:24:31 +00:00
5a0760a571
programs: sandbox oathtools
2024-02-21 00:03:48 +00:00
757ab79724
programs: dconf: sandbox
2024-02-20 23:43:25 +00:00
81148b7b42
programs: explicitly depend on dconf instead of manually persisting dconf's dirs
2024-02-20 23:39:27 +00:00
429d0c53e7
programs: ripgrep: sandbox with bwrap instead of landlock
...
this provides network isolation
2024-02-20 23:32:54 +00:00
6cf1bc5a28
programs: grep: sandbox
2024-02-20 23:32:28 +00:00
768b340c93
findutils: sandbox
...
use bwrap instead of landlock for the dumb preference that i can disable
net
2024-02-20 23:31:58 +00:00
d9901aa161
programs: sane-secrets-*: sandbox
2024-02-20 23:31:39 +00:00
be2098c18a
programs: sane-vpn: sandbox
2024-02-20 23:05:24 +00:00
ee7d99289a
sane-vpn: allow shorthands like "sane-vpn up us" instead of full ovpnd-us
2024-02-20 23:01:53 +00:00
bb569b1668
sane-vpn: port away from systemd so that i can use it as an ordinary user (no sudo)
2024-02-20 22:21:02 +00:00
34524ea3e4
modules/vpn: fix the vpn-* systemd services
2024-02-20 20:40:46 +00:00