eaeb8380dc
fs: enable @basic-api everywhere, since it's required by systemd restart logic
2024-08-02 09:13:55 +00:00
cf20230d96
sane.fs: cleanup
...
plumb systemd.{mounts,services} instead of the less detailed 'systemd'
2024-08-02 08:01:38 +00:00
9dbb2a6266
sane.fs: take in the role of generating systemd.mounts files
2024-08-02 07:33:21 +00:00
113b107d73
persist: fix ordering so stores aren't required by local-fs.target
...
maybe they should be, but then there's weird stuff about getty depending on sysinit.target, and that being blocked by the private store...
2024-08-02 06:20:39 +00:00
96dfe79a8c
fs: persist/private: harden systemd mount file
2024-08-02 05:17:44 +00:00
6e5bde17aa
cleanup: persist/private: simplify
2024-08-02 05:00:55 +00:00
3eb66c098b
trust-dns: make it a dependency of "network-online.target"
2024-08-02 04:54:58 +00:00
515aab5370
cleanup: persist/private: encode the dependencies more precisely, rather than just having it all depend on default.target
2024-08-02 04:50:33 +00:00
f925dd9a20
fs: isolate /mnt/servo/* and /mnt/persist/ephemeral a bit more
2024-08-02 04:45:14 +00:00
6a7dd31755
vpn: fix warning about missing /32 syntax
2024-08-02 00:37:58 +00:00
2197951e12
NetworkManager-dispatcher: cleanup an ordering cycle between it and trust-dns-localhost
2024-08-02 00:36:54 +00:00
efc16a9e80
persist: harden the "ephemeral" store mount environment
...
there's only so much this can actually achieve. it's still quite possible for someone who knows what they're doing to do large amounts of damage
2024-08-01 22:40:55 +00:00
6aa6c0020c
lightning-cli: fix sandboxing
2024-08-01 19:59:23 +00:00
acd46940e4
clightning: lift the build fix into pkgs/default.nix
...
this lets me apply it outside the context of a nixos module
2024-08-01 19:53:05 +00:00
00a25f1533
feeds: fix complex systems URL
2024-08-01 19:52:22 +00:00
bc0a1eb1b3
feeds: sub to Complex Systems Podcast
2024-08-01 18:58:39 +00:00
33efbeda8a
link manpages into all linkIntoOwnPackage users
2024-08-01 17:43:58 +00:00
b53f376d70
servo: clightning: tighten sandboxing for bitcoin-cli interaction
2024-07-30 12:41:33 +00:00
621c147483
clightning: remove /var/lib/bitcond-mainnet from the service paths -- again
2024-07-30 11:17:10 +00:00
841076fd9e
clightning: move /var/lib/bitcoind-mainnet from ReadWritePaths -> ReadOnlyPaths
...
i think i can go further, remove it altogether
2024-07-29 23:19:26 +00:00
43232ff569
kiwix-serve: harden
2024-07-29 03:42:52 +00:00
dc2d46b9c0
servo: cryptocurrencies: get clightning back into a state where i can see it's working
2024-07-29 03:42:52 +00:00
666744bda3
bitcoin-cli,lightning-cli: ship as own package instead of shipping the whole daemon
2024-07-29 03:42:52 +00:00
eb3651ce59
refactor: assorted: python: logger.warn -> logger.warning
...
the former is deprecated
2024-07-28 03:41:30 +00:00
ace03bb0e9
persist/private: actually do enable "auto", for servo where i don't auto-tty-login as colin
...
this doesn't seem to block the boot
2024-07-26 22:02:57 +00:00
8819142128
modules/users: use = instead of -eq for comparison to fix warning which XDG_VTNR is unset
2024-07-26 20:57:23 +00:00
3b8d6c8587
refactor: s6/unl0kr/profile: put more shell init stuff directly in modules/users/default.nix when it doesn't benefit from being pluggable
2024-07-26 15:58:59 +00:00
f4df121e3d
persist/private: s6: use systemd to explicitly start the mount, rather than assume it's already been initiated
2024-07-26 14:01:31 +00:00
96f786de20
persist/private: fix so systemd actually knows when the mount has completed
2024-07-26 12:44:32 +00:00
fcbbfc4a65
fix s6 service ordering: unl0kr -> (wait for mount) -> sway
...
note that the systemd-aware mount never completes -- it's stuck in 'activating' forever. that's the next challenge
2024-07-26 12:18:14 +00:00
4daf5452e8
unl0kr: don't echo password to terminal
2024-07-26 09:36:06 +00:00
af905a2f58
unl0kr: split the gocryptfs unlocking into its own separate service
...
/mnt/persist/private can be depended on by both s6 user services and systemd system services (which will become useful for servo)
/mnt/persist/private can be unlocked by dropping the key in remotely, however that won't kill unl0kr
TODO: fix unl0kr to not also output text to the tty
TODO: ensure gocryptfs mount can handle being fed a wrong password
2024-07-26 08:08:21 +00:00
8ef5920d84
unl0kr: port to an s6 service
...
this has some drawbacks in its current form and will be tidied
it writes the password also to the console. it requires 'sudo'.
2024-07-25 18:45:01 +00:00
b554d32133
fix permissions of /nix/persist/private, to be user-writable
...
this is important for my rsync-net backup scripts, which need to record timestamps in there
2024-07-25 18:42:45 +00:00
2203d6db59
cleanup: remove XDG_SESSION_TYPE, XDG_VTNR from global environment
2024-07-25 15:26:24 +00:00
874b7aecfa
persist: rename "cryptClearOnBoot" to "ephemeral"
2024-07-25 12:11:46 +00:00
cf8e9f798d
persist/crypt: simplify the fileSystems definitions
...
turns out you can just declare your own fs type, that's cool
2024-07-25 12:11:46 +00:00
70d4925483
gps-share: don't launch until after the modem is actually powered on
2024-07-24 11:15:44 +00:00
225c8de7a2
trust-dns: fix dyn-dns reactor (trust-dns-lan does not exist)
2024-07-24 07:18:29 +00:00
34e770c5f5
sanebox: fix missing dependency on iptables/iproute2
2024-07-24 03:32:12 +00:00
db292850b0
modules/programs: fix sandbox.net = "vpn" option
2024-07-19 12:44:09 +00:00
8e6272bafd
static-nix-shell: better enforce that all nix-shell deps are specified
2024-07-19 12:21:10 +00:00
a1de7a4afd
users: configure XDG_SESSION_TYPE during shell setup
2024-07-18 00:15:29 +00:00
0b7d8310df
trust-dns: patch resolver to handle more edge-case domains (api.mangadex.org., m.wikipedia.org., ...)
2024-07-17 15:28:41 +00:00
8472320629
sane-vpn: route DNS through the VPN's server
2024-07-17 02:00:05 +00:00
132798be23
sanebox: ensure sanebox is always on the PATH of sandboxed binaries
2024-07-16 07:24:42 +00:00
514cfe7b0b
feeds: subscribe to "Better Offline" podcast
2024-07-12 01:20:00 +00:00
46bf7c5ac9
nixpkgs: 2024-07-06 -> 2024-07-07
2024-07-08 05:38:44 +00:00
6824080f6b
avahi: fix broken sandboxing
2024-07-06 03:08:36 +00:00
3c53bca156
vpn: log a message whenever the endpoint is updated
...
only as i'm actively working in this area. hopefully this log message can be less noisy in the future
2024-07-06 03:03:38 +00:00