|
af72f312d3
|
sandbox: remove /run/wrappers: SUID wrappers don't really accomplish much inside a namespace
|
2024-05-26 01:18:30 +00:00 |
|
|
6a15434cc6
|
net/vpn: remove the bridge devices from my VPN setup
|
2024-05-26 01:18:30 +00:00 |
|
|
73f5c9608e
|
sanebox: tighter dependency handling, to not rely on @BACKEND_FALLBACK@
|
2024-05-25 10:26:36 +00:00 |
|
|
b035d312aa
|
firejail: purge
|
2024-05-25 10:21:31 +00:00 |
|
|
7b1bc210fd
|
sanebox: integrate with pasta (passt) for better net sandboxing
|
2024-05-25 09:39:18 +00:00 |
|
|
118ed5f950
|
sanebox: populate --sanebox-net-dev with the actual net device -- not the bridge
|
2024-05-25 08:17:38 +00:00 |
|
|
ffe599e5cb
|
sanebox: rename --sanebox-net to --sanebox-net-dev
|
2024-05-25 08:13:35 +00:00 |
|
|
30c677fafc
|
feeds: subscribe to weekinethereumnews.com
|
2024-05-25 00:52:39 +00:00 |
|
|
f7cc3fc5d9
|
modules/dns: support AAAA records
|
2024-05-20 05:46:25 +00:00 |
|
|
cbbddee152
|
modules/programs: add ~/.config/FOO and ~/.local/share/FOO to the sandbox where applicable
|
2024-05-18 06:32:07 +00:00 |
|
|
157af52112
|
feeds: add Grumpy.website
|
2024-05-16 19:25:22 +00:00 |
|
|
9d725a0974
|
servo: disable unused nixcache.uninsane.org
|
2024-05-16 02:46:23 +00:00 |
|
|
df4ef0ce5a
|
desko: disable nix-serve
|
2024-05-16 02:35:27 +00:00 |
|
|
b5502ea401
|
sanebox: remove --sanebox-cache-symlink flag
|
2024-05-15 23:59:38 +00:00 |
|
|
1211023c55
|
modules/programs: remove dead code from per-user profiles
|
2024-05-15 23:58:10 +00:00 |
|
|
b4229ecb1e
|
sanebox: load the link cache from a static /etc path instead of via CLI args
|
2024-05-15 23:55:15 +00:00 |
|
|
348837ff4a
|
programs: sandboxing: replace profiles with raw CLI args
|
2024-05-15 09:13:20 +00:00 |
|
|
17eaa7446a
|
sanebox: remove all profile-related features except for direct, path-based profile loading
|
2024-05-15 09:13:20 +00:00 |
|
|
530664294a
|
programs: sandbox: always specify --sanebox-profile-dir instead of loading from XDG_DATA_DIRS
|
2024-05-15 08:54:16 +00:00 |
|
|
b649071d98
|
programs: sandboxing: make the profiles be generic across users
this is a step toward making the profile not even be dynamically loaded, since its content is no longer dynamic :)
|
2024-05-15 08:48:09 +00:00 |
|
|
ea2653b7ce
|
programs: sandboxing: pass home- and runtime-relative paths to the sandboxer, instead of making absolute first
|
2024-05-15 08:20:09 +00:00 |
|
|
4c1b1282d6
|
modules/programs: sandbox: be compatible with systemd resolved again
|
2024-05-15 02:57:40 +00:00 |
|
|
adfaa7f9c1
|
sane-sandboxed -> sanebox
|
2024-05-15 01:41:40 +00:00 |
|
|
66f73c92bd
|
trust-dns: asSystemResolver: listen also on ipv6 address
|
2024-05-14 23:38:01 +00:00 |
|
|
d5e8974a4a
|
refactor: trust-dns: listenAddrs -> listenAddrsIpv4
|
2024-05-14 23:22:50 +00:00 |
|
|
f3cf9e0bed
|
trust-dns: set it to NOT be the system resolver for servo
trust-dns recursor is too beta for servo
|
2024-05-14 09:03:10 +00:00 |
|
|
3a7c9022af
|
trust-dns: bump StartLimitBurst so systemd doesn't abort the service too early
|
2024-05-14 08:50:37 +00:00 |
|
|
2a199bf373
|
trust-dns: recursor: merge DHCP DNS servers from all non-downed connections
otherwise overwriting the toml configs gets messy, when interfaces come up in unpredictable order
|
2024-05-14 08:25:59 +00:00 |
|
|
53198128e8
|
trust-dns: hook NetworkManager for state changes
there may be some edge cases to sort out around e.g. first-run,
but so far it seems to be importing the DHCP search zones :)
|
2024-05-14 07:42:41 +00:00 |
|
|
bee3eea040
|
modules/programs: sandbox: remove no-longer-needed /run/systemd/resolve from sandbox
|
2024-05-14 04:18:29 +00:00 |
|
|
39eb1d150a
|
dns: deploy trust-dns as the default recursive resolver
outstanding issues: native.uninsane.org doesn't resolve. appears possibly to be an issue with following CNAMEs
|
2024-05-14 04:18:29 +00:00 |
|
|
f3106ee316
|
programs: maxBuildCost: fix to actually build everything by default
|
2024-05-13 22:57:40 +00:00 |
|
|
43d32641f3
|
programs: buildCost: introduce a new level between min and light
|
2024-05-13 22:45:33 +00:00 |
|
|
2ae286ff75
|
nixpkgs: 2024-05-08 -> 2024-05-13, nixpkgs-wayland, sops-nix
```
• Updated input 'nixpkgs-next-unpatched':
'github:nixos/nixpkgs/c8e3f684443d7c2875ff169f6ef2533534105e7b' (2024-05-08)
→ 'github:nixos/nixpkgs/6a217e9b1d39415076c7a6cfc44be5e935e7a839' (2024-05-13)
• Updated input 'nixpkgs-unpatched':
'github:nixos/nixpkgs/a751e2faa2fc94c1337c32aaf6a6e417afe90be9' (2024-05-08)
→ 'github:nixos/nixpkgs/6bc8c8a7ac13182ee24a5e2caab7ad739f1c55c5' (2024-05-13)
• Updated input 'nixpkgs-wayland':
'github:nix-community/nixpkgs-wayland/7dc8fb2aa7db995ac1ce2a8f2f8d8784b2af591c' (2024-05-08)
→ 'github:nix-community/nixpkgs-wayland/5f7272dff81558143f93e2cb32189a52ef965892' (2024-05-13)
• Updated input 'nixpkgs-wayland/lib-aggregate':
'github:nix-community/lib-aggregate/26fabca301e1133abd3d9192b1bcb6fb45b30f1d' (2024-05-05)
→ 'github:nix-community/lib-aggregate/09883ca828e8cfaacdb09e29190a7b84ad1d9925' (2024-05-12)
• Updated input 'nixpkgs-wayland/lib-aggregate/nixpkgs-lib':
'github:nix-community/nixpkgs.lib/4b620020fd73bdd5104e32c702e65b60b6869426' (2024-05-05)
→ 'github:nix-community/nixpkgs.lib/58e03b95f65dfdca21979a081aa62db0eed6b1d8' (2024-05-12)
• Updated input 'nixpkgs-wayland/nix-eval-jobs':
'github:nix-community/nix-eval-jobs/7b6640f2a10701bf0db16aff048070f400e8ea7c' (2024-04-23)
→ 'github:nix-community/nix-eval-jobs/63154bdfb22091041b307d17863bdc0e01a32a00' (2024-05-09)
• Updated input 'nixpkgs-wayland/nix-eval-jobs/nixpkgs':
'github:NixOS/nixpkgs/1e1dc66fe68972a76679644a5577828b6a7e8be4' (2024-04-22)
→ 'github:NixOS/nixpkgs/ad7efee13e0d216bf29992311536fce1d3eefbef' (2024-05-06)
• Updated input 'sops-nix':
'github:Mic92/sops-nix/893e3df091f6838f4f9d71c61ab079d5c5dedbd1' (2024-05-06)
→ 'github:Mic92/sops-nix/b6cb5de2ce57acb10ecdaaf9bbd62a5ff24fa02e' (2024-05-12)
• Updated input 'sops-nix/nixpkgs-stable':
'github:NixOS/nixpkgs/b980b91038fc4b09067ef97bbe5ad07eecca1e76' (2024-05-04)
→ 'github:NixOS/nixpkgs/8e47858badee5594292921c2668c11004c3b0142' (2024-05-11)
```
|
2024-05-13 22:45:33 +00:00 |
|
|
46d95805e9
|
programs: simplify sandbox symlink closure code
|
2024-05-13 07:49:00 +00:00 |
|
|
bd3e06982b
|
sane-sandboxed: tweak symlink caching to allow /run/current-system to be bind-mounted instead of symlinked
|
2024-05-13 02:11:47 +00:00 |
|
|
660ba94c7c
|
sane-sandboxed: introduce a symlink cache to reduce readlink calls even more
it's all a bit silly. i still do a bunch of -L tests: i just avoid the costly readlink fork :|
|
2024-05-13 01:31:30 +00:00 |
|
|
954c5c8344
|
trust-dns: fix so it starts as part of boot
|
2024-05-09 07:19:17 +00:00 |
|
|
8d8bf00a34
|
s6-rc: use s6-rc stop instead of exiting 125 in the no-restart branch of "restartCondition = on-failure"
exiting 125 stops the service, but does NOT put it in the down state, preventing it from being re-started
|
2024-05-07 15:24:14 +00:00 |
|
|
4f56acc316
|
s6-rc: implement restartCondition to allow restarting of the service only on failure
|
2024-05-07 15:01:40 +00:00 |
|
|
fdf1b20368
|
s6-rc: propagate service status out of run script
|
2024-05-07 12:50:09 +00:00 |
|
|
889b332ade
|
trust-dns: split the parts which are generalizable into their own file
i can try to build this into a recursive resolver for *all* my hosts
|
2024-04-30 14:35:56 +00:00 |
|
|
9021ab9f05
|
s6: fix oneshot service runner
the runner previously couldn't find the 'live' directory, where the service state lives. now it can
|
2024-04-27 08:05:54 +00:00 |
|
|
79bba42768
|
s6-rc: fix oneshot services to generate up, not run
|
2024-04-27 06:33:24 +00:00 |
|
|
8dd4fe06f3
|
s6: longshot -> longrun (typo)
|
2024-04-27 05:22:35 +00:00 |
|
|
19115dfb65
|
eg25-control: port to s6 (hopefully)
|
2024-04-26 21:44:13 +00:00 |
|
|
46a513b263
|
feeds: subscribe to SamuelDR
|
2024-04-26 17:19:38 +00:00 |
|
|
7843f9650a
|
feeds: subscribe to The Amp Hour (podcast)
|
2024-04-25 05:54:10 +00:00 |
|
|
82dce71b9c
|
feeds: add microarch.club podcast
|
2024-04-25 05:51:52 +00:00 |
|
|
a59a7b5346
|
feeds: podcasts: add Tech Tales
|
2024-04-19 21:46:03 +00:00 |
|