00f995aec9
fixup landlock-sandboxer to work well for all systems
...
downgrade lappy/desko/servo back to default linux; zfs doesn't support latest
build landlock-sandboxer against the specific kernel being deployed; it's less noisy that way
2024-01-31 21:19:10 +00:00
368eb2c29b
programs: git: whitelist more repo roots
2024-01-31 21:17:48 +00:00
5f793523d1
ship linux 6.7 to lappy/desko/servo
2024-01-31 20:33:15 +00:00
33bee7ac2e
unl0kr: be a little more robust against bad password entry
2024-01-31 20:32:26 +00:00
84af8aca3c
unl0kr: remove debugging code
2024-01-31 20:10:57 +00:00
a0f00313a7
moby: disable signal-desktop autostart
2024-01-31 20:09:03 +00:00
6603115192
moby: disable getty auto-login
...
i think this interacts badly with unl0kr style logins, though
honestly kinda hard to tell if that was a fluke or real.
2024-01-31 19:47:24 +00:00
ac968e1589
sxmo: allow the option to disable greeter entirely
2024-01-31 19:46:37 +00:00
1d72e13a98
sxmo: launch via unl0kr by default
2024-01-31 17:40:36 +00:00
d9667653e7
docs: sway: point out that one can launch sway directly from a TTY
2024-01-31 16:29:27 +00:00
13be5a1731
unl0kr: fix LOGIN_TIMEOUT to be infinite
2024-01-31 15:43:30 +00:00
30288cd67f
user: add CAP_NET_ADMIN,CAP_NET_RAW even outside of systemd session
...
in fact, *only* outside of systemd session because they broke ambient caps in 255
2024-01-31 15:42:43 +00:00
8736ca478b
programs: firefox: allow access to servo image-macros
2024-01-31 15:36:09 +00:00
cb3960fb21
programs: git: fix access to ~/private/knowledge
2024-01-31 15:35:21 +00:00
6e24a1ff28
programs: re-enable sops
2024-01-31 15:30:15 +00:00
91eae95b32
modules.gui.gnome: fix build
2024-01-31 15:29:49 +00:00
f5c88853ee
sway: replace "greetd" with "unl0kr"-based login process
2024-01-31 15:20:27 +00:00
0009e5ca4c
programs: sandboxing: use wrapperType="wrappedDerivation" where applicable
2024-01-29 15:21:16 +00:00
db6ba61429
programs: sandbox more apps with wrapperType=wrappedDerivation
2024-01-29 13:45:57 +00:00
d3f7a036ce
ripgrep: move options out of assorted.nix into its own file
2024-01-29 12:57:56 +00:00
0454abacd9
komikku: sandbox
2024-01-29 12:56:08 +00:00
1cb2c5225f
programs: use wrapperType=wrappedDerivation where possible
2024-01-29 12:07:04 +00:00
6f86e61a00
firefox: fix build
...
zip was giving some complaints... i'm not sure why, i think it still works
2024-01-29 09:57:35 +00:00
c1a1f51ca2
git: fix git-upload-pack (used on the remote when doing git pull)
2024-01-29 09:57:27 +00:00
381da74e6c
users: enable pam_cap for "login" program
2024-01-28 17:55:19 +00:00
24c70c3683
feeds: switch acoup.blog to the database type feed
...
at some point my feed script became capable of understanding his RSS :)
2024-01-28 12:37:38 +00:00
bfec531fa2
sandbox a bunch more apps
2024-01-28 11:43:05 +00:00
de11edffa5
programs/assorted: remove more unused programs
2024-01-28 11:34:33 +00:00
e536e3c718
programs/assorted.nix: remove unused tree-sitter package
2024-01-28 11:03:09 +00:00
17d14dbac2
programs/assorted.nix: uninstall some programs i don't frequently use
2024-01-28 10:40:57 +00:00
94981ef335
vim: sandbox
2024-01-28 10:39:08 +00:00
3cd244be76
git: sandbox with bwrap
2024-01-28 10:36:19 +00:00
7da979503b
bubblewrap: explicitly disable sandboxing
2024-01-27 17:20:40 +00:00
3b32c26026
zsh: explicitly disable sandboxing
2024-01-27 17:20:24 +00:00
cad25306e7
alacritty: explicitly disable sandbox
2024-01-27 17:20:11 +00:00
4d7414c941
programs: introduce and use "autodetectCliPaths" nix config
2024-01-27 17:19:48 +00:00
b29b8bdec7
wireshark: specify capabilities via sandbox.capabilities config
2024-01-27 17:12:40 +00:00
02b6e17449
nicotine-plus: disable
...
now i have no firejail programs; no more setuid wrapper in /run/wrappers :)
2024-01-27 15:37:43 +00:00
770db96ec6
go2tv: sandbox with bwrap
2024-01-27 15:31:08 +00:00
ff356fdd49
playerctl: sandbox with bwrap
2024-01-27 15:18:56 +00:00
eec89e2cc1
librewolf: sandbox with bwrap
2024-01-27 15:16:53 +00:00
d69d8f64f3
tor-browser: sandbox with bwrap; remove useHardenedMalloc patch
2024-01-27 15:04:22 +00:00
4ee2562202
programs: tidy: prefer "sandbox.extraHomePaths" over "fs" for external deps
2024-01-27 14:54:17 +00:00
08b1ece56e
programs: gnome-weather: sandbox with bwrap
2024-01-27 14:53:38 +00:00
b22c2e094c
koreader: sandbox with bwrap
2024-01-27 14:39:22 +00:00
b40775f97c
koreader-from-src: document FTP configuration
2024-01-27 14:39:02 +00:00
100ddad40e
wike: link to issue about state directory
2024-01-27 14:27:02 +00:00
1bde38bf72
cozy: sandbox with bwrap
2024-01-27 13:11:22 +00:00
0a25ef544f
wike: sandbox with bwrap
2024-01-27 12:29:58 +00:00
79ee47bada
firefox: get away with linking slightly less into the sandbox
2024-01-27 11:41:18 +00:00
be06e61bfb
programs: geary: fix sandboxing
...
this is an UGLY one. geary itself uses bwrap, and that fails if it's sandboxed AT ALL in landlock (i.e. even with just / landlocked as RW).
maybe this has to do with what landlock-sandboxer considers 'read/write' to be, and there's actually more file ops i need to enable on /
2024-01-27 11:28:08 +00:00
dae7785ee2
wireshark: remove dead code
2024-01-27 09:04:08 +00:00
27f3b2bd76
firefox: allow ~/tmp and ~/Pictures access
2024-01-27 06:00:46 +00:00
3e6278fa21
wireshark: sandbox with landlock instead of firejail
...
and remove the SUID wrapper, yay!
2024-01-27 04:44:21 +00:00
8ecb17ed3e
programs: enable libcap_ng/netcap
2024-01-26 09:13:20 +00:00
c4874c85b1
bubblewrap: debugging
2024-01-26 09:13:00 +00:00
563a75e9b2
users: launch entire systemd --user namespace with cap_net_admin, cap_net_raw
...
this should make sandboxing wireshark *much* easier, and same with things which require net namespaces, in the future
2024-01-25 15:05:35 +00:00
79e2bd2913
epiphany: sandbox with bwrap
...
this is the first app which *requires* DRI/DRM to function correctly. maybe this effects anything webkitgtk (like wike)?
2024-01-24 06:25:20 +00:00
95161b55cd
spot: sandbox with bwrap
2024-01-24 05:47:04 +00:00
d91759068c
element-desktop: sandbox with bwrap
2024-01-24 05:37:46 +00:00
c23c496066
programs: tuba: sandbox with bwrap
...
it complains "Fontconfig error: No writable cache directories"
seeeeeveral times. not sure if that's new or not. no obvious
consequences.
2024-01-24 05:34:10 +00:00
f8e8d23857
vlc: sandbox with bwrap instead of firejail
2024-01-24 05:19:20 +00:00
8484bb7978
docs: mime: document how to show the nix mime associations
2024-01-24 05:00:35 +00:00
0e99b296bc
animatch: remove the (unused) .config directory
2024-01-24 02:18:58 +00:00
d0e1241bd1
animatch: fix to run on wayland w/o Xwayland, and enable bwrap sandbox
2024-01-24 01:43:33 +00:00
c1a0a08b76
gtkcord4: sandbox with bwrap
2024-01-24 00:12:12 +00:00
e8748ce0a0
servo: lemmy: pict-rs: port the media-enable-full-video -> media-video-allow-audio CLI flag
2024-01-23 17:12:13 +00:00
7cf9b342cc
gpodder: fixup GPODDER_DOWNLOAD_DIR to be more friendly to sandboxing
2024-01-23 16:44:47 +00:00
8739851f48
evince: port sandbox from firejail to bwrap
2024-01-23 16:44:13 +00:00
d945b43f6b
signal-desktop: switch sandbox from firejail -> bwrap
2024-01-23 16:42:48 +00:00
7722acecee
sway: obtain deps via "config.sane.programs", so that i get the sandboxed version of e.g. splatmoji
2024-01-23 16:32:42 +00:00
571a0a9d06
gui: disable unused abaddon app
2024-01-23 16:30:06 +00:00
ccf4f66dd9
programs: dialect: sandbox with bubblewrap
2024-01-23 16:23:14 +00:00
b38e5403a5
splatmoji: sandbox
2024-01-23 16:01:27 +00:00
09af041745
g4music: ensure it can access the Music dir in its sandbox
2024-01-23 16:00:21 +00:00
cb5131746f
programs: audacity: sandbox with bubblewrap
2024-01-23 15:59:50 +00:00
bfd5630e21
programs: sandbox: omit media dirs by default, and implement --sane-sandbox-autodetect for programs which are liable to load data from paths
2024-01-23 15:48:12 +00:00
026f5dee4d
programs: g4music: sandbox with bwrap
2024-01-23 15:06:45 +00:00
b59be8338a
firefox: fix up sandboxing of ssh/sops
2024-01-23 14:57:57 +00:00
ab4bbc2224
programs: remove explicit firejail installation; let sane.programs decide when to install it sys-wide
2024-01-23 14:57:33 +00:00
156fcd1bf2
aerc: enable bwrap sandbox
2024-01-23 14:57:33 +00:00
bb63a594ab
conky: fixup needed paths for bwrap
2024-01-23 14:57:33 +00:00
f148334b58
programs: port extraFirejailConfig to extraConfig
2024-01-23 14:57:33 +00:00
da537ea8ea
fractal: switch from firejail -> bwrap
2024-01-23 14:13:09 +00:00
18d224dc34
dino: switch from firejail to bwrap
2024-01-23 14:12:52 +00:00
38fd171713
spotify: sandbox with bwrap instead of firejail
2024-01-23 12:12:56 +00:00
84c78d9256
conky: sandbox with bwrap instead of firejail
2024-01-23 12:11:22 +00:00
973203d85e
programs: mpv: sandbox with bwrap instead of firejail
2024-01-23 11:37:37 +00:00
f9174dd2aa
programs: firefox: sandbox with bwrap instead of firejail
2024-01-23 11:37:19 +00:00
0bed4d0ada
mpv: disable firejail sandboxing (it fails on moby)
2024-01-23 01:01:21 +00:00
f3e8af3fdb
doc: libreoffice: mention "still" v.s. "fresh" variants
2024-01-23 01:00:34 +00:00
af542ec05f
docs: gnome-keyring: point out that system gnome-keyring doesn't inherit my sandboxing
2024-01-23 01:00:06 +00:00
399a1d2052
steam: use wrapped package as system steam
2024-01-23 00:59:23 +00:00
bb6e5611d4
docs: conky: point out that un-sandboxed conky is used by sxmo-utils
2024-01-23 00:58:56 +00:00
c11f5a1401
wireshark: fix security.wrappers when wireshark is disabled
2024-01-22 23:58:04 +00:00
5b220f3fec
wireshark: enable firejail isolation
2024-01-22 13:12:10 +00:00
df861a3ef0
programs: firejail: inject custom firejail config through /etc/firejail
...
this improves rebuild times, and makes it easier for packages to inject their own free-form config
2024-01-22 11:12:18 +00:00
d6754b6cac
evince: sandbox with firejail
2024-01-22 10:20:29 +00:00
b03d7f7fb0
geary: test the firejail profile; it's not ready
2024-01-22 10:04:18 +00:00
008b186479
audacity: test the firejail profile; it's not ready
2024-01-22 10:04:03 +00:00
914f9b3703
vlc: sandbox with firejail
2024-01-22 09:47:24 +00:00
ed7ec4a371
conky: sandbox with firejail
2024-01-22 09:31:00 +00:00
2d338201a5
signal-desktop: sandbox with firejail
...
TODO: fix URL opening / xdg-open
2024-01-22 09:30:34 +00:00
a8aad1f98f
dino: sandbox with firejail
...
TODO: fix URL opening / xdg-open
2024-01-22 09:30:13 +00:00
2d06b93118
fractal: sandbox with firejail
...
TODO: seems this broke link opening? (xdg-open?)
2024-01-22 09:28:50 +00:00
60547204a8
sane.programs: firejail: support wrapping "runCommand" packages
2024-01-22 09:16:25 +00:00
3d763a0021
tor-browser-bundle-bin -> tor-browser
...
upstream nixpgs just has tor-browser-bundle-bin as an alias for tor-browser
2024-01-22 08:13:37 +00:00
ad474873e2
dovecot: fix unparseable config
...
upstream/nixpkgs is doing some shit, ugh
2024-01-22 08:09:37 +00:00
0f3f0933b1
mpv: sandbox with firejail
2024-01-22 03:50:28 +00:00
f8440e3811
go2tv: allow more ports through the firewall
2024-01-22 03:50:04 +00:00
9ecd0adcbe
firefox: sandbox with firejail
...
TODO: get it so open-in-mpv launches an mpv that has access to ~/.config/mpv
i guess this is the 'firejail url problem'
2024-01-21 23:59:15 +00:00
cf475c4696
nicotine-plus: remove distro-specific symlink
2024-01-21 03:56:33 +00:00
ce35330923
vpn.nix: factor into a proper module
...
this will allow for better integration with 'sane.programs'
2024-01-21 00:49:34 +00:00
59187a0ec0
programs: allow running binaries in a netns-style firejail
2024-01-20 11:11:12 +00:00
03fbf42680
servo: lemmy: pict-rs: fix broken CLI argument
2024-01-20 03:15:06 +00:00
7d670facd4
feeds: sort
2024-01-19 21:38:45 +00:00
61e5704fd6
feeds: unsub LW
...
too verbose, and too many of y'all turned into authoritarians
2024-01-19 21:38:14 +00:00
fd0723169f
nix-serve: fix coredump loop
2024-01-19 21:34:45 +00:00
a725d42bf5
ip_forward: consolidate the options to fix servo build
2024-01-19 21:34:18 +00:00
c03cea2d4e
net/vpn.nix: cleanup dead code
2024-01-19 09:58:13 +00:00
f43d6bff92
route VPN traffic such that i can configure any app to selectively use the VPN
...
e.g. firejail --net=br-ovpnd-us-mi --noprofile --dns=46.227.67.134 getent ahostsv4 uninsane.org
2024-01-19 09:54:01 +00:00
43a8ca90a7
feeds: add Cat and Girl
2024-01-16 19:12:25 +00:00
7d504892be
servo: dovecot: fix broken sieve
2024-01-16 06:28:25 +00:00
d7a2bf9d26
servo: remove networking.useDHCP=false override
...
seems likely that the change to systemd-networkd renamed the ethernet interface, and so eth0.useDHCP wasn't right. this change seems to restore networking
2024-01-16 06:09:19 +00:00
851c15aa6d
vpn: port ovpnd connections to use systemd-network
...
this should allow better integration with e.g. systemd-run, in future
2024-01-16 03:20:40 +00:00
c45898f903
WIP: wg-dev
2024-01-15 04:15:17 +00:00
0efec20904
hosts/common/net/vpn: remove unused "extraOptions" argument
2024-01-15 03:52:31 +00:00
5b9c58dbc6
hosts/common: use servo-style dns on all machines
...
it'll be handy as i want to place individual applications inside VPNs/namespaces
2024-01-15 01:16:22 +00:00
a7964c4f0c
hosts/common: net: split upnp config into own file
2024-01-15 01:12:09 +00:00
006a7e9f72
consolidate net-related stuff into hosts/common/net/ directory
2024-01-15 01:11:13 +00:00
3856710faf
net: annotate the UPNP rule
2024-01-15 01:08:10 +00:00
6cbc0bedf3
ddns-he (HurricaneElectric): remove
...
it's unused for a year
2024-01-15 00:55:10 +00:00
fbc0c7615a
ddns-afraid (afraid.org): remove
...
it's unused for a year
2024-01-15 00:54:41 +00:00
34bcdb5128
firefox: disable kinetic scrolling
2024-01-14 20:34:14 +00:00
a5c6e41622
feeds: subscribe to POD OF JAKE
2024-01-14 05:20:28 +00:00
02e03227d8
servo: try to integrate peerswap with clightning, but it fails
2024-01-14 04:33:12 +00:00
812a02bc6b
feeds: add The Dollop podcast
2024-01-14 00:49:29 +00:00
27898ecdc8
feeds: unsubscribe from Louis Rossman
...
his channel is kinda just the same idea played over and over
2024-01-14 00:36:52 +00:00
1c2324cca4
servo: clightning-sane: status command: show profits from fees
2024-01-13 16:43:49 +00:00
70f059eaac
feeds: subscribe to Jack Stauber
2024-01-13 16:43:41 +00:00
bac72be730
servo: clightning-sane: status command: show in/out payment sums
2024-01-13 15:53:48 +00:00
99858c1384
servo: clightning-sane: centralize metric reporting, fix so we blacklist our own channels less frequently
2024-01-13 04:47:20 +00:00
103a300e77
servo: clightning-sane: implement an autobalance subcommand
2024-01-13 03:04:24 +00:00
6b5cdd7508
servo: clightning-sane: log before we give up
2024-01-13 01:10:52 +00:00
2f1e354400
servo: clightning-sane: drop caches after so many failures
2024-01-12 23:54:06 +00:00
585a87130c
servo: clightning-sane: remove unused loop_once_with_retries method
2024-01-12 23:31:30 +00:00
0e68533776
servo: clightning-sane: introduce parallelism
2024-01-12 23:30:52 +00:00
882cc5bfd0
servo: clightning-sane: rename Balancer -> LoopRouter
2024-01-12 21:36:20 +00:00
91847a9a8e
servo: clightning-sane: factor "loop" action into own subroutine
2024-01-12 21:28:20 +00:00
5c649ff216
servo: clightning-sane: include peer_id in status --full
2024-01-12 20:56:00 +00:00
