Compare commits
14 Commits
a05fa53ee1
...
bef0099eec
Author | SHA1 | Date | |
---|---|---|---|
bef0099eec | |||
67434caf45 | |||
be84ab1f45 | |||
43d32641f3 | |||
9bf0dbabae | |||
8c7880774e | |||
5774aa4a8f | |||
6c6d11578e | |||
f33e960bdf | |||
14202a5bcc | |||
3d2babf2bb | |||
9d51b2ecc7 | |||
0b855efb5f | |||
2ae286ff75 |
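--- a/flake.lock
+++ b/flake.lock
@@ -61,11 +61,11 @@
 "nixpkgs-lib": "nixpkgs-lib"
 },
 "locked": {
-"lastModified": 1714910950,
-"narHash": "sha256-gaq5bphSsY+htEXFDkImOrH3MVCkxFTvCiwdCJj096E=",
+"lastModified": 1715515815,
+"narHash": "sha256-yaLScMHNFCH6SbB0HSA/8DWDgK0PyOhCXoFTdHlWkhk=",
 "owner": "nix-community",
 "repo": "lib-aggregate",
-"rev": "26fabca301e1133abd3d9192b1bcb6fb45b30f1d",
+"rev": "09883ca828e8cfaacdb09e29190a7b84ad1d9925",
 "type": "github"
 },
 "original": {
@@ -99,11 +99,11 @@
 "treefmt-nix": "treefmt-nix"
 },
 "locked": {
-"lastModified": 1713858845,
-"narHash": "sha256-StJq7Zy+/iVBUAKFzhHWlsirFucZ3gNtzXhAYXAsNnw=",
+"lastModified": 1715248291,
+"narHash": "sha256-npC9Swu4VIlRIiEP0XFGoIukd6vOufS/M3PdHk6rQpc=",
 "owner": "nix-community",
 "repo": "nix-eval-jobs",
-"rev": "7b6640f2a10701bf0db16aff048070f400e8ea7c",
+"rev": "63154bdfb22091041b307d17863bdc0e01a32a00",
 "type": "github"
 },
 "original": {
@@ -136,11 +136,11 @@
 },
 "nixpkgs": {
 "locked": {
-"lastModified": 1713805509,
-"narHash": "sha256-YgSEan4CcrjivCNO5ZNzhg7/8ViLkZ4CB/GrGBVSudo=",
+"lastModified": 1715037484,
+"narHash": "sha256-OUt8xQFmBU96Hmm4T9tOWTu4oCswCzoVl+pxSq/kiFc=",
 "owner": "NixOS",
 "repo": "nixpkgs",
-"rev": "1e1dc66fe68972a76679644a5577828b6a7e8be4",
+"rev": "ad7efee13e0d216bf29992311536fce1d3eefbef",
 "type": "github"
 },
 "original": {
@@ -152,11 +152,11 @@
 },
 "nixpkgs-lib": {
 "locked": {
-"lastModified": 1714870069,
+"lastModified": 1715474941,
 "narHash": "sha256-CNCqCGOHdxuiVnVkhTpp2WcqSSmSfeQjubhDOcgwGjU=",
 "owner": "nix-community",
 "repo": "nixpkgs.lib",
-"rev": "4b620020fd73bdd5104e32c702e65b60b6869426",
+"rev": "58e03b95f65dfdca21979a081aa62db0eed6b1d8",
 "type": "github"
 },
 "original": {
@@ -167,11 +167,11 @@
 },
 "nixpkgs-next-unpatched": {
 "locked": {
-"lastModified": 1715148084,
-"narHash": "sha256-arUW5NSCMy7K8uO+1ODJqyptf71HP69XbJlSuf361rI=",
+"lastModified": 1715601680,
+"narHash": "sha256-Gmz6U8NMZVVnP6AGX4sMl4X6RcQBASPl/2Gj9R5k1Pk=",
 "owner": "nixos",
 "repo": "nixpkgs",
-"rev": "c8e3f684443d7c2875ff169f6ef2533534105e7b",
+"rev": "eda36d7cf3391ad06097009b08822fb74acd5e00",
 "type": "github"
 },
 "original": {
@@ -183,11 +183,11 @@
 },
 "nixpkgs-stable": {
 "locked": {
-"lastModified": 1714858427,
-"narHash": "sha256-tCxeDP4C1pWe2rYY3IIhdA40Ujz32Ufd4tcrHPSKx2M=",
+"lastModified": 1715458492,
+"narHash": "sha256-q0OFeZqKQaik2U8wwGDsELEkgoZMK7gvfF6tTXkpsqE=",
 "owner": "NixOS",
 "repo": "nixpkgs",
-"rev": "b980b91038fc4b09067ef97bbe5ad07eecca1e76",
+"rev": "8e47858badee5594292921c2668c11004c3b0142",
 "type": "github"
 },
 "original": {
@@ -199,11 +199,11 @@
 },
 "nixpkgs-unpatched": {
 "locked": {
-"lastModified": 1715156971,
-"narHash": "sha256-sEgAH6EkkQf5Aux4JT5HvdKWia0ryePYI0RhioskVS8=",
+"lastModified": 1715616096,
+"narHash": "sha256-rxh2XECb5hRzgNR4Xqj3aAjg6821LmNTVRfF6sUW6fI=",
 "owner": "nixos",
 "repo": "nixpkgs",
-"rev": "a751e2faa2fc94c1337c32aaf6a6e417afe90be9",
+"rev": "0a949cf2618e8eab83aa008f1f8e03db137ed36c",
 "type": "github"
 },
 "original": {
@@ -223,11 +223,11 @@
 ]
 },
 "locked": {
-"lastModified": 1715156333,
-"narHash": "sha256-8V09AxlIyKh8maX5/fAo8JuijEu9KM1DVlPscxzmKsk=",
+"lastModified": 1715609745,
+"narHash": "sha256-z2lQ7G1AxljvYeqrHWjc1ctOI4QZP06vPtvLYJWfZSc=",
 "owner": "nix-community",
 "repo": "nixpkgs-wayland",
-"rev": "7dc8fb2aa7db995ac1ce2a8f2f8d8784b2af591c",
+"rev": "ed18785b8816fa878bdd9df7f2e8722695401ef8",
 "type": "github"
 },
 "original": {
@@ -254,11 +254,11 @@
 "nixpkgs-stable": "nixpkgs-stable"
 },
 "locked": {
-"lastModified": 1715035358,
-"narHash": "sha256-RY6kqhpCPa/q3vbqt3iYRyjO3hJz9KZnshMjbpPon8o=",
+"lastModified": 1715482972,
+"narHash": "sha256-y1uMzXNlrVOWYj1YNcsGYLm4TOC2aJrwoUY1NjQs9fM=",
 "owner": "Mic92",
 "repo": "sops-nix",
-"rev": "893e3df091f6838f4f9d71c61ab079d5c5dedbd1",
+"rev": "b6cb5de2ce57acb10ecdaaf9bbd62a5ff24fa02e",
 "type": "github"
 },
 "original": {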
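--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -121,7 +121,7 @@
 nixpkgs.hostPlatform.system = target;
 })
 (optionalAttrs (variant == "light") {
-sane.maxBuildCost = 1;
+sane.maxBuildCost = 2;
 })
 (optionalAttrs (variant == "min") {
 sane.maxBuildCost = 0;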
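Review bot: The bump to `sane.maxBuildCost = 2;` for the "light" variant is not explained in the hunk, and the same compare re-tiers the scale elsewhere (qemu 1→2, geary 2→3, another program 1→2) while dozens of programs are newly tagged `buildCost = 1;`, so a reader cannot tell which programs a "light" host is now expected to build locally. Presumably a program is built when its buildCost is at or below maxBuildCost, but nothing visible confirms that. State the scale where the option is defined, or at least here, e.g. `sane.maxBuildCost = 2; # light hosts build cost-1 and cost-2 programs locally; cost-3 (webkitgtk consumers) is excluded` — adjusted to whatever the comparison actually is. The enclosing list expression starts and ends outside the hunk.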
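--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -30,6 +30,8 @@
 });
 };
 
+buildCost = 1;
+
 sandbox.method = "bwrap";
 sandbox.whitelistWayland = true;
 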
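--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -215,6 +215,7 @@ in
 
 backblaze-b2 = {};
 
+blanket.buildCost = 1;
 blanket.sandbox.method = "bwrap";
 blanket.sandbox.whitelistAudio = true;
 # blanket.sandbox.whitelistDbus = [ "user" ]; # TODO: untested
@@ -267,13 +268,14 @@ in
 ddrescue.sandbox.method = "landlock"; # TODO:sandbox: untested
 ddrescue.sandbox.autodetectCliPaths = "existingOrParent";
 
-# auth token, preferences
+delfin.buildCost = 1;
 delfin.sandbox.method = "bwrap";
 delfin.sandbox.whitelistAudio = true;
 delfin.sandbox.whitelistDbus = [ "user" ]; # else `mpris` plugin crashes the player
 delfin.sandbox.whitelistDri = true;
 delfin.sandbox.whitelistWayland = true;
 delfin.sandbox.net = "clearnet";
+# auth token, preferences
 delfin.persist.byStore.private = [ ".config/delfin" ];
 
 dig.sandbox.method = "bwrap";
@@ -314,11 +316,13 @@ in
 
 eg25-control = {};
 
+electrum.buildCost = 1;
 electrum.sandbox.method = "bwrap"; # TODO:sandbox: untested
 electrum.sandbox.net = "all"; # TODO: probably want to make this run behind a VPN, always
 electrum.sandbox.whitelistWayland = true;
 electrum.persist.byStore.cryptClearOnBoot = [ ".electrum" ]; #< TODO: use XDG dirs!
 
+endless-sky.buildCost = 1;
 endless-sky.persist.byStore.plaintext = [ ".local/share/endless-sky" ];
 endless-sky.sandbox.method = "bwrap";
 endless-sky.sandbox.whitelistAudio = true;
@@ -357,6 +361,7 @@ in
 ".persist/plaintext"
 ];
 
+ffmpeg.buildCost = 1;
 ffmpeg.sandbox.method = "bwrap";
 ffmpeg.sandbox.autodetectCliPaths = "existingFileOrParent"; # it outputs uncreated files -> parent dir needs mounting
 
@@ -374,6 +379,7 @@ in
 
 fluffychat-moby.persist.byStore.plaintext = [ ".local/share/chat.fluffy.fluffychat" ];
 
+font-manager.buildCost = 1;
 font-manager.sandbox.method = "bwrap";
 font-manager.sandbox.whitelistWayland = true;
 font-manager.packageUnwrapped = pkgs.rmDbusServicesInPlace (pkgs.font-manager.override {
@@ -410,6 +416,7 @@ in
 # TODO: we can populate gh's stuff statically; it even lets us use the same oauth across machines
 gh.persist.byStore.private = [ ".config/gh" ];
 
+gimp.buildCost = 1;
 gimp.sandbox.method = "bwrap";
 gimp.sandbox.whitelistX = true;
 gimp.sandbox.whitelistWayland = true;
@@ -429,18 +436,22 @@ in
 "/tmp" # "Cannot open display:" if it can't mount /tmp 👀
 ];
 
+"gnome.gnome-calculator".buildCost = 1;
 "gnome.gnome-calculator".sandbox.method = "bwrap";
 "gnome.gnome-calculator".sandbox.whitelistWayland = true;
 
+"gnome.gnome-calendar".buildCost = 1;
 # gnome-calendar surely has data to persist, but i use it strictly to do date math, not track events.
 "gnome.gnome-calendar".sandbox.method = "bwrap";
 "gnome.gnome-calendar".sandbox.whitelistWayland = true;
 
+"gnome.gnome-clocks".buildCost = 1;
 "gnome.gnome-clocks".sandbox.method = "bwrap";
 "gnome.gnome-clocks".sandbox.whitelistWayland = true;
 "gnome.gnome-clocks".suggestedPrograms = [ "dconf" ];
 
 # gnome-disks
+"gnome.gnome-disk-utility".buildCost = 1;
 "gnome.gnome-disk-utility".sandbox.method = "bwrap";
 "gnome.gnome-disk-utility".sandbox.whitelistDbus = [ "system" ];
 "gnome.gnome-disk-utility".sandbox.whitelistWayland = true;
@@ -451,15 +462,18 @@ in
 ];
 
 # seahorse: dump gnome-keyring secrets.
+"gnome.seahorse".buildCost = 1;
 # N.B.: it can also manage ~/.ssh keys, but i explicitly don't add those to the sandbox for now.
 "gnome.seahorse".sandbox.method = "bwrap";
 "gnome.seahorse".sandbox.whitelistDbus = [ "user" ];
 "gnome.seahorse".sandbox.whitelistWayland = true;
 
+gnome-2048.buildCost = 1;
 gnome-2048.sandbox.method = "bwrap";
 gnome-2048.sandbox.whitelistWayland = true;
 gnome-2048.persist.byStore.plaintext = [ ".local/share/gnome-2048/scores" ];
 
+gnome-frog.buildCost = 1;
 gnome-frog.sandbox.method = "bwrap";
 gnome-frog.sandbox.whitelistWayland = true;
 gnome-frog.sandbox.whitelistDbus = [ "user" ];
@@ -486,6 +500,7 @@ in
 # 1. no number may appear unshaded more than once in the same row/column
 # 2. no two shaded tiles can be direct N/S/E/W neighbors
 # - win once (1) and (2) are satisfied
+"gnome.hitori".buildCost = 1;
 "gnome.hitori".sandbox.method = "bwrap";
 "gnome.hitori".sandbox.whitelistWayland = true;
 
@@ -515,6 +530,7 @@ in
 grim.sandbox.autodetectCliPaths = "existingOrParent";
 grim.sandbox.whitelistWayland = true;
 
+hase.buildCost = 1;
 hase.sandbox.method = "bwrap";
 hase.sandbox.net = "clearnet";
 hase.sandbox.whitelistAudio = true;
@@ -535,6 +551,7 @@ in
 # N.B.: inetutils' `ping` is shadowed by iputils' ping (by nixos, intentionally).
 inetutils.sandbox.method = "landlock"; # want to keep the same netns, at least.
 
+inkscape.buildCost = 1;
 inkscape.sandbox.method = "bwrap";
 inkscape.sandbox.whitelistWayland = true;
 inkscape.sandbox.extraHomePaths = [
@@ -586,6 +603,7 @@ in
 "/proc"
 ];
 
+krita.buildCost = 1;
 krita.sandbox.method = "bwrap";
 krita.sandbox.whitelistWayland = true;
 krita.sandbox.autodetectCliPaths = "existing";
@@ -606,6 +624,7 @@ in
 libnotify.sandbox.method = "bwrap";
 libnotify.sandbox.whitelistDbus = [ "user" ]; # notify-send
 
+losslesscut-bin.buildCost = 1;
 losslesscut-bin.sandbox.method = "bwrap";
 losslesscut-bin.sandbox.extraHomePaths = [
 "Music"
@@ -630,6 +649,7 @@ in
 mercurial.sandbox.whitelistPwd = true;
 
 # actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
+monero-gui.buildCost = 1;
 # XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
 monero-gui.persist.byStore.plaintext = [ ".bitmonero" ];
 monero-gui.sandbox.method = "bwrap";
@@ -638,6 +658,7 @@ in
 "records/finance/cryptocurrencies/monero"
 ];
 
+mumble.buildCost = 1;
 mumble.persist.byStore.private = [ ".local/share/Mumble" ];
 
 nano.sandbox.method = "bwrap";
@@ -741,6 +762,7 @@ in
 pulsemixer.sandbox.method = "landlock";
 pulsemixer.sandbox.whitelistAudio = true;
 
+pwvucontrol.buildCost = 1;
 pwvucontrol.sandbox.method = "bwrap";
 pwvucontrol.sandbox.whitelistAudio = true;
 pwvucontrol.sandbox.whitelistDri = true; # else perf on moby is unusable
@@ -758,7 +780,7 @@ in
 ];
 
 qemu.sandbox.enable = false; #< it's a launcher
-qemu.buildCost = 1;
+qemu.buildCost = 2;
 
 rsync.sandbox.method = "bwrap";
 rsync.sandbox.net = "clearnet";
@@ -776,6 +798,7 @@ in
 sequoia.sandbox.whitelistPwd = true;
 sequoia.sandbox.autodetectCliPaths = true;
 
+shattered-pixel-dungeon.buildCost = 1;
 shattered-pixel-dungeon.persist.byStore.plaintext = [ ".local/share/.shatteredpixel/shattered-pixel-dungeon" ];
 shattered-pixel-dungeon.sandbox.method = "bwrap";
 shattered-pixel-dungeon.sandbox.whitelistAudio = true;
@@ -783,6 +806,7 @@ in
 shattered-pixel-dungeon.sandbox.whitelistWayland = true;
 
 # printer/filament settings
+slic3r.buildCost = 1;
 slic3r.persist.byStore.plaintext = [ ".Slic3r" ];
 
 slurp.sandbox.method = "bwrap";
@@ -803,6 +827,7 @@ in
 "knowledge"
 ];
 
+soundconverter.buildCost = 1;
 soundconverter.sandbox.method = "bwrap";
 soundconverter.sandbox.whitelistWayland = true;
 soundconverter.sandbox.extraHomePaths = [
@@ -820,6 +845,7 @@ in
 sox.sandbox.autodetectCliPaths = "existingFileOrParent";
 sox.sandbox.whitelistAudio = true;
 
+space-cadet-pinball.buildCost = 1;
 space-cadet-pinball.persist.byStore.plaintext = [ ".local/share/SpaceCadetPinball" ];
 space-cadet-pinball.sandbox.method = "bwrap";
 space-cadet-pinball.sandbox.whitelistAudio = true;
@@ -840,6 +866,7 @@ in
 subversion.sandbox.whitelistPwd = true;
 sudo.sandbox.enable = false;
 
+superTux.buildCost = 1;
 superTux.sandbox.method = "bwrap";
 superTux.sandbox.wrapperType = "inplace"; # package Makefile incorrectly installs to $out/games/superTux instead of $out/share/games
 superTux.sandbox.whitelistAudio = true;
@@ -858,12 +885,14 @@ in
 
 tdesktop.persist.byStore.private = [ ".local/share/TelegramDesktop" ];
 
+tokodon.buildCost = 1;
 tokodon.persist.byStore.private = [ ".cache/KDE/tokodon" ];
 
 tree.sandbox.method = "landlock";
 tree.sandbox.autodetectCliPaths = true;
 tree.sandbox.whitelistPwd = true;
 
+tumiki-fighters.buildCost = 1;
 tumiki-fighters.sandbox.method = "bwrap";
 tumiki-fighters.sandbox.whitelistAudio = true;
 tumiki-fighters.sandbox.whitelistDri = true; #< not strictly necessary, but triples CPU perf
@@ -882,6 +911,7 @@ in
 "/sys/bus/usb"
 ];
 
+valgrind.buildCost = 1;
 valgrind.sandbox.enable = false; #< it's a launcher: can't sandbox
 
 visidata.sandbox.method = "bwrap"; # TODO:sandbox: untested
@@ -890,6 +920,7 @@ in
 # `vulkaninfo`, `vkcube`
 vulkan-tools.sandbox.method = "landlock";
 
+vvvvvv.buildCost = 1;
 vvvvvv.sandbox.method = "bwrap";
 vvvvvv.sandbox.whitelistAudio = true;
 vvvvvv.sandbox.whitelistDri = true; #< playable without, but burns noticably more CPU
@@ -910,6 +941,7 @@ in
 wget.sandbox.net = "all";
 wget.sandbox.whitelistPwd = true; # saves to pwd by default
 
+whalebird.buildCost = 1;
 whalebird.persist.byStore.private = [ ".config/Whalebird" ];
 
 # `wg`, `wg-quick`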
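Review bot: In the `@@ -630,6 +649,7 @@` hunk, `monero-gui.buildCost = 1;` is inserted between `# actual monero blockchain (not wallet/etc; ...)` and the `# XXX:` / `monero-gui.persist.byStore.plaintext = [ ".bitmonero" ];` lines that comment describes, so the blockchain note now reads as a comment on the build cost; the same happens in the `@@ -783,6 +806,7 @@` hunk, where `slic3r.buildCost = 1;` separates `# printer/filament settings` from `slic3r.persist.byStore.plaintext = [ ".Slic3r" ];`. Put each buildCost line above the comment, or move the comment down next to the persist line, as the delfin hunk does with `# auth token, preferences`. The containing attribute set begins and ends outside every hunk of this file.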
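--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -14,6 +14,8 @@
 };
 };
 
+buildCost = 1;
+
 sandbox.method = "bwrap";
 sandbox.whitelistAudio = true;
 sandbox.whitelistWayland = true;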
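--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,6 +1,8 @@
 { ... }:
 {
 sane.programs.celeste64 = {
+buildCost = 1;
+
 sandbox.method = "bwrap";
 sandbox.whitelistAudio = true;
 sandbox.whitelistDri = true;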
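--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -13,6 +13,8 @@
 '';
 });
 
+buildCost = 1;
+
 sandbox.method = "bwrap"; # landlock gives: _multiprocessing.SemLock: Permission Denied
 sandbox.whitelistAudio = true;
 sandbox.whitelistDbus = [ "user" ]; # mpris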
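--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,15 +1,6 @@
 { pkgs, ... }:
 {
 sane.programs.dialect = {
-sandbox.method = "bwrap";
-sandbox.wrapperType = "inplace"; # share/search_providers/ calls back into the binary, weird wrap semantics
-sandbox.whitelistWayland = true;
-sandbox.net = "clearnet";
-sandbox.extraHomePaths = [
-".config/dconf" # won't start without it
-];
-suggestedPrograms = [ "dconf" ]; #< to persist settings
-
 packageUnwrapped = pkgs.dialect.overrideAttrs (upstream: {
 # TODO: send upstream
 # TODO: figure out how to get audio working
@@ -18,5 +9,17 @@
 pkgs.glib-networking # for TLS
 ];
 });
+
+suggestedPrograms = [ "dconf" ]; #< to persist settings
+
+buildCost = 1;
+
+sandbox.method = "bwrap";
+sandbox.wrapperType = "inplace"; # share/search_providers/ calls back into the binary, weird wrap semantics
+sandbox.whitelistWayland = true;
+sandbox.net = "clearnet";
+sandbox.extraHomePaths = [
+".config/dconf" # won't start without it
+];
 };
 }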
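Review bot: In the rebuilt tail of `sane.programs.dialect` (second hunk), `suggestedPrograms = [ "dconf" ]; #< to persist settings` now sits between `packageUnwrapped` and `buildCost = 1;`, while the other per-program files in this compare (frozen-bubble, kdenlive) go straight from `packageUnwrapped` to `buildCost` and then the `sandbox.*` lines. Placing the `suggestedPrograms` line after the closing `];` of `sandbox.extraHomePaths` would give every file the same layout and keep the dconf path whitelist and the dconf suggestion next to each other, since the `#< to persist settings` remark explains both.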
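--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -25,6 +25,8 @@
 "gnome-keyring"
 ];
 
+buildCost = 1;
+
 sandbox.method = "bwrap";
 sandbox.net = "clearnet";
 sandbox.whitelistAudio = true;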
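--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -23,7 +23,7 @@
 "tmp"
 ];
 
-buildCost = 1;
+buildCost = 2;
 
 # XXX(2023/07/08): running on moby without `WEBKIT_DISABLE_SANDBOX...` fails, with:
 # - `bwrap: Can't make symlink at /var/run: File exists`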
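Review bot: The bump to `buildCost = 2;` carries no rationale, whereas the geary hunk in the same compare documents its bump as `buildCost = 3; # uses webkitgtk 4.1`. The `# XXX(2023/07/08)` note just below mentions `WEBKIT_DISABLE_SANDBOX`, which suggests this program also pulls in webkitgtk, but that is an inference from the comment rather than something the hunk shows. If that is the reason, record it, e.g. `buildCost = 2; # uses webkitgtk`, and say why it lands one tier below geary so the two stay consistent when the scale is next adjusted. The enclosing attribute set starts and ends outside the hunk.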
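--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,6 +1,8 @@
 { ... }:
 {
 sane.programs.evince = {
+buildCost = 1;
+
 sandbox.method = "bwrap";
 sandbox.autodetectCliPaths = true;
 sandbox.whitelistWayland = true;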
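--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -2,11 +2,6 @@
 { pkgs, ... }:
 {
 sane.programs.frozen-bubble = {
-sandbox.method = "bwrap";
-sandbox.net = "clearnet"; # net play
-sandbox.whitelistAudio = true;
-sandbox.whitelistWayland = true;
-
 packageUnwrapped = pkgs.frozen-bubble.overrideAttrs (upstream: {
 # patch so it stores its dot-files not in root ~.
 postPatch = (upstream.postPatch or "") + ''
@@ -14,6 +9,12 @@
 --replace-fail '$FBHOME = "$ENV{HOME}/.frozen-bubble"' '$FBHOME = "$ENV{HOME}/.local/share/frozen-bubble"'
 '';
 });
+buildCost = 1;
+
+sandbox.method = "bwrap";
+sandbox.net = "clearnet"; # net play
+sandbox.whitelistAudio = true;
+sandbox.whitelistWayland = true;
 
 persist.byStore.plaintext = [
 ".local/share/frozen-bubble" # preferences, high scores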
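--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -8,6 +8,8 @@
 { ... }:
 {
 sane.programs.g4music = {
+buildCost = 1;
+
 sandbox.method = "bwrap";
 sandbox.whitelistAudio = true;
 sandbox.whitelistDbus = [ "user" ]; # mpris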
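--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -37,7 +37,7 @@ in
 # fs.".config/geary".dir = {};
 # fs.".local/share/folks".dir = {};
 
-buildCost = 2; # uses webkitgtk 4.1
+buildCost = 3; # uses webkitgtk 4.1
 persist.byStore.private = [
 # attachments, and email -- contained in a sqlite db
 ".local/share/geary"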
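--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -3,6 +3,8 @@
 { ... }:
 {
 sane.programs."gnome.gnome-weather" = {
+buildCost = 1;
+
 sandbox.method = "bwrap";
 sandbox.wrapperType = "inplace"; #< /share/org.gnome.Weather/org.gnome.Weather file refers to bins by full path
 sandbox.whitelistWayland = true;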
@ -1,6 +1,8 @@
|
||||||
{ pkgs, ... }:
|
{ pkgs, ... }:
|
||||||
{
|
{
|
||||||
sane.programs.handbrake = {
|
sane.programs.handbrake = {
|
||||||
|
buildCost = 1;
|
||||||
|
|
||||||
sandbox.method = "landlock"; #< also supports bwrap, but landlock ensures we don't write to non-mounted tmpfs dir
|
sandbox.method = "landlock"; #< also supports bwrap, but landlock ensures we don't write to non-mounted tmpfs dir
|
||||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
|
|
|
@ -1,6 +1,8 @@
|
||||||
{ pkgs, ... }:
|
{ pkgs, ... }:
|
||||||
{
|
{
|
||||||
sane.programs.imagemagick = {
|
sane.programs.imagemagick = {
|
||||||
|
buildCost = 1;
|
||||||
|
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "inplace"; # /etc/ImageMagick-7/delegates.xml refers to bins by absolute path
|
sandbox.wrapperType = "inplace"; # /etc/ImageMagick-7/delegates.xml refers to bins by absolute path
|
||||||
sandbox.whitelistPwd = true;
|
sandbox.whitelistPwd = true;
|
||||||
|
|
|
@ -1,6 +1,15 @@
|
||||||
{ pkgs, ... }:
|
{ pkgs, ... }:
|
||||||
{
|
{
|
||||||
sane.programs.kdenlive = {
|
sane.programs.kdenlive = {
|
||||||
|
packageUnwrapped = pkgs.kdenlive.override {
|
||||||
|
ffmpeg-full = pkgs.ffmpeg-full.override {
|
||||||
|
# avoid expensive samba build for a feature i don't use
|
||||||
|
withSamba = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
buildCost = 1;
|
||||||
|
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.extraHomePaths = [
|
sandbox.extraHomePaths = [
|
||||||
"Music"
|
"Music"
|
||||||
|
@ -14,12 +23,5 @@
|
||||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||||
sandbox.whitelistDri = true;
|
sandbox.whitelistDri = true;
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
|
|
||||||
packageUnwrapped = pkgs.kdenlive.override {
|
|
||||||
ffmpeg-full = pkgs.ffmpeg-full.override {
|
|
||||||
# avoid expensive samba build for a feature i don't use
|
|
||||||
withSamba = false;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -16,7 +16,7 @@
|
||||||
sandbox.whitelistDri = true; #< required
|
sandbox.whitelistDri = true; #< required
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
|
|
||||||
buildCost = 1;
|
buildCost = 2;
|
||||||
|
|
||||||
secrets.".local/share/komikku/keyrings/plaintext.keyring" = ../../../secrets/common/komikku_accounts.json.bin;
|
secrets.".local/share/komikku/keyrings/plaintext.keyring" = ../../../secrets/common/komikku_accounts.json.bin;
|
||||||
# downloads end up here, and without the toplevel database komikku doesn't know they exist.
|
# downloads end up here, and without the toplevel database komikku doesn't know they exist.
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
{ ... }:
|
{ ... }:
|
||||||
{
|
{
|
||||||
sane.programs.lemoa = {
|
sane.programs.lemoa = {
|
||||||
|
buildCost = 1;
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
sandbox.whitelistDbus = [ "user" ]; # for clicking links
|
sandbox.whitelistDbus = [ "user" ]; # for clicking links
|
||||||
|
|
|
@ -16,7 +16,7 @@
|
||||||
"tmp"
|
"tmp"
|
||||||
];
|
];
|
||||||
|
|
||||||
buildCost = 2;
|
buildCost = 3;
|
||||||
|
|
||||||
# disable first-run stuff
|
# disable first-run stuff
|
||||||
fs.".config/libreoffice/4/user/registrymodifications.xcu".symlink.text = ''
|
fs.".config/libreoffice/4/user/registrymodifications.xcu".symlink.text = ''
|
||||||
|
|
|
@ -103,8 +103,8 @@ in
|
||||||
# "use"
|
# "use"
|
||||||
];
|
];
|
||||||
|
|
||||||
# packageUnwrapped = config.programs.neovim.finalPackage;
|
packageUnwrapped = let
|
||||||
packageUnwrapped = pkgs.wrapNeovimUnstable pkgs.neovim-unwrapped (pkgs.neovimUtils.makeNeovimConfig {
|
configArgs = {
|
||||||
withRuby = false; #< doesn't cross-compile w/o binfmt
|
withRuby = false; #< doesn't cross-compile w/o binfmt
|
||||||
viAlias = true;
|
viAlias = true;
|
||||||
vimAlias = true;
|
vimAlias = true;
|
||||||
|
@ -150,7 +150,14 @@ in
|
||||||
${plugin-config-lua}
|
${plugin-config-lua}
|
||||||
EOF
|
EOF
|
||||||
'';
|
'';
|
||||||
});
|
};
|
||||||
|
in pkgs.wrapNeovimUnstable
|
||||||
|
pkgs.neovim-unwrapped
|
||||||
|
# XXX(2024/05/13): manifestRc must be null for cross-compilation to work.
|
||||||
|
# wrapper invokes `neovim` with all plugins enabled at build time i guess to generate caches and stuff?
|
||||||
|
# alternative is to emulate `nvim-wrapper` during build.
|
||||||
|
((pkgs.neovimUtils.makeNeovimConfig configArgs) // { manifestRc = null; })
|
||||||
|
;
|
||||||
|
|
||||||
# private because there could be sensitive things in the swap
|
# private because there could be sensitive things in the swap
|
||||||
persist.byStore.private = [ ".cache/vim-swap" ];
|
persist.byStore.private = [ ".cache/vim-swap" ];
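Review bot: The `;` that terminates the new `packageUnwrapped = let … in …` expression sits alone on its own line after `((pkgs.neovimUtils.makeNeovimConfig configArgs) // { manifestRc = null; })`, which no other attribute in these hunks does; fold it onto the preceding line: `((pkgs.neovimUtils.makeNeovimConfig configArgs) // { manifestRc = null; });`. The new comment "wrapper invokes `neovim` with all plugins enabled at build time i guess to generate caches and stuff?" is a guess placed directly under the hard requirement "manifestRc must be null for cross-compilation to work"; if the build-time step that fails under cross-compilation is known, name it, otherwise mark the line `TODO: confirm` so the requirement and the speculation are not read as one fact. The enclosing attribute set starts and ends outside these hunks.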
|
||||||
|
|
|
@ -13,7 +13,7 @@ let
|
||||||
wanted-feeds = feeds.filterByFormat [ "text" "image" "podcast" "video" ] all-feeds;
|
wanted-feeds = feeds.filterByFormat [ "text" "image" "podcast" "video" ] all-feeds;
|
||||||
in {
|
in {
|
||||||
sane.programs.newsflash = {
|
sane.programs.newsflash = {
|
||||||
buildCost = 1; # mainly for desktop: webkitgtk-6.0
|
buildCost = 2; # mainly for desktop: webkitgtk-6.0
|
||||||
persist.byStore.plaintext = [ ".local/share/news-flash" ];
|
persist.byStore.plaintext = [ ".local/share/news-flash" ];
|
||||||
fs.".config/newsflashFeeds.opml".symlink.text =
|
fs.".config/newsflashFeeds.opml".symlink.text =
|
||||||
feeds.feedsToOpml wanted-feeds
|
feeds.feedsToOpml wanted-feeds
|
||||||
|
|
|
@ -10,6 +10,6 @@
|
||||||
".local/share/io.github.alainm23.planify"
|
".local/share/io.github.alainm23.planify"
|
||||||
];
|
];
|
||||||
|
|
||||||
buildCost = 1; # webkitgtk-6.0; slow for desktop
|
buildCost = 2; # webkitgtk-6.0; slow for desktop
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,6 +1,8 @@
|
||||||
{ ... }:
|
{ ... }:
|
||||||
{
|
{
|
||||||
sane.programs.spot = {
|
sane.programs.spot = {
|
||||||
|
buildCost = 1;
|
||||||
|
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
|
|
|
@ -21,6 +21,8 @@ let
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
sane.programs.stepmania = {
|
sane.programs.stepmania = {
|
||||||
|
buildCost = 1;
|
||||||
|
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "inplace"; #< non-standard packaging; binary lives at $out/stepmania-5.1/stepmania (not even in an /opt dir)
|
sandbox.wrapperType = "inplace"; #< non-standard packaging; binary lives at $out/stepmania-5.1/stepmania (not even in an /opt dir)
|
||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
|
|
|
@ -1,6 +1,8 @@
|
||||||
{ ... }:
|
{ ... }:
|
||||||
{
|
{
|
||||||
sane.programs.superTuxKart = {
|
sane.programs.superTuxKart = {
|
||||||
|
buildCost = 1;
|
||||||
|
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.net = "clearnet"; # net play
|
sandbox.net = "clearnet"; # net play
|
||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
|
|
|
@ -27,7 +27,7 @@ in
|
||||||
'' + (upstream.preFixup or "");
|
'' + (upstream.preFixup or "");
|
||||||
});
|
});
|
||||||
|
|
||||||
buildCost = 1;
|
buildCost = 2;
|
||||||
|
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
|
|
|
@ -1,6 +1,8 @@
|
||||||
{ ... }:
|
{ ... }:
|
||||||
{
|
{
|
||||||
sane.programs.tuba = {
|
sane.programs.tuba = {
|
||||||
|
buildCost = 1;
|
||||||
|
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
|
|
|
@ -20,7 +20,7 @@
|
||||||
"/sys/devices"
|
"/sys/devices"
|
||||||
];
|
];
|
||||||
|
|
||||||
buildCost = 1;
|
buildCost = 2;
|
||||||
|
|
||||||
# wike probably meant to put everything here in a subdir, but didn't.
|
# wike probably meant to put everything here in a subdir, but didn't.
|
||||||
# see: <https://github.com/hugolabe/Wike/issues/176>
|
# see: <https://github.com/hugolabe/Wike/issues/176>
|
||||||
|
|
|
@ -13,6 +13,6 @@ in
|
||||||
];
|
];
|
||||||
|
|
||||||
fs.".config/wireshark".dir = {};
|
fs.".config/wireshark".dir = {};
|
||||||
buildCost = 1;
|
buildCost = 2;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -5,6 +5,7 @@
|
||||||
# unar doesn't cross compile well, so disable support for it
|
# unar doesn't cross compile well, so disable support for it
|
||||||
unar = null;
|
unar = null;
|
||||||
};
|
};
|
||||||
|
buildCost = 1;
|
||||||
|
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
{ ... }:
|
{ ... }:
|
||||||
{
|
{
|
||||||
sane.programs.zathura = {
|
sane.programs.zathura = {
|
||||||
|
buildCost = 1;
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "inplace"; #< wrapper sets ZATHURA_PLUGINS_PATH to $out/lib/...
|
sandbox.wrapperType = "inplace"; #< wrapper sets ZATHURA_PLUGINS_PATH to $out/lib/...
|
||||||
sandbox.whitelistDri = true;
|
sandbox.whitelistDri = true;
|
||||||
|
|
|
@ -15,7 +15,7 @@ in {
|
||||||
sane.programs.zeal = {
|
sane.programs.zeal = {
|
||||||
# packageUnwrapped = pkgs.zeal-qt6; #< TODO: upgrade system to qt6 versions of everything (i.e. jellyfin-media-player, nheko)
|
# packageUnwrapped = pkgs.zeal-qt6; #< TODO: upgrade system to qt6 versions of everything (i.e. jellyfin-media-player, nheko)
|
||||||
packageUnwrapped = pkgs.zeal-qt5;
|
packageUnwrapped = pkgs.zeal-qt5;
|
||||||
buildCost = 2;
|
buildCost = 3;
|
||||||
persist.byStore.plaintext = [
|
persist.byStore.plaintext = [
|
||||||
".cache/Zeal"
|
".cache/Zeal"
|
||||||
".local/share/Zeal"
|
".local/share/Zeal"
|
||||||
|
|
|
@ -79,7 +79,7 @@ in
|
||||||
# "gnome.gnome-system-monitor"
|
# "gnome.gnome-system-monitor"
|
||||||
# "gnome.gnome-terminal" # works on phosh
|
# "gnome.gnome-terminal" # works on phosh
|
||||||
"gnome.gnome-weather"
|
"gnome.gnome-weather"
|
||||||
"gnome.seahorse" # keyring/secret manager
|
# "gnome.seahorse" # keyring/secret manager
|
||||||
"gnome-frog" # OCR/QR decoder
|
"gnome-frog" # OCR/QR decoder
|
||||||
"gpodder"
|
"gpodder"
|
||||||
# "gthumb"
|
# "gthumb"
|
||||||
|
@ -159,7 +159,7 @@ in
|
||||||
"libreoffice" # TODO: replace with an office suite that uses saner packaging?
|
"libreoffice" # TODO: replace with an office suite that uses saner packaging?
|
||||||
"losslesscut-bin" # x86-only
|
"losslesscut-bin" # x86-only
|
||||||
# "makemkv" # x86-only
|
# "makemkv" # x86-only
|
||||||
"monero-gui" # x86-only
|
# "monero-gui" # x86-only
|
||||||
# "mumble"
|
# "mumble"
|
||||||
# "nheko" # Matrix chat client
|
# "nheko" # Matrix chat client
|
||||||
# "nicotine-plus" # soulseek client. before re-enabling this, get it to run without firejail.
|
# "nicotine-plus" # soulseek client. before re-enabling this, get it to run without firejail.
|
||||||
|
@ -175,7 +175,7 @@ in
|
||||||
"wireshark" # could maybe ship the cli as sysadmin pkg
|
"wireshark" # could maybe ship the cli as sysadmin pkg
|
||||||
# "xterm" # requires Xwayland
|
# "xterm" # requires Xwayland
|
||||||
# "zecwallet-lite" # x86-only
|
# "zecwallet-lite" # x86-only
|
||||||
"zulip"
|
# "zulip"
|
||||||
]
|
]
|
||||||
);
|
);
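Review bot: `"gnome.seahorse"`, `"monero-gui"` and `"zulip"` are commented out without a reason, while the neighbouring disabled entries in the same list carry one inline (`# x86-only`, `# requires Xwayland`, `# before re-enabling this, get it to run without firejail.`). Add the reason in the same style, e.g. `# "gnome.seahorse" # keyring/secret manager; disabled: <reason>`, so a later reader can tell a build-cost or cross-compilation exclusion from a functional one, which matters most for the secret manager. The list continues outside the hunks.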
|
||||||
|
|
||||||
|
|
|
@ -297,11 +297,15 @@ let
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
buildCost = mkOption {
|
buildCost = mkOption {
|
||||||
type = types.enum [ 0 1 2 ];
|
type = types.enum [ 0 1 2 3 ];
|
||||||
default = 0;
|
default = 0;
|
||||||
description = ''
|
description = ''
|
||||||
whether this package is very slow, or has unique dependencies which are very slow to build.
|
whether this package is very slow, or has unique dependencies which are very slow to build.
|
||||||
marking packages like this can be used to achieve faster, but limited, rebuilds/deploys (by omitting the package).
|
marking packages like this can be used to achieve faster, but limited, rebuilds/deploys (by omitting the package).
|
||||||
|
- 0: this package is necessary for baseline usability
|
||||||
|
- 1: this package is a nice-to-have, and not too costly to build
|
||||||
|
- 2: this package is a nice-to-have, but costly to build (e.g. `libreoffice`, some webkitgtk-based things)
|
||||||
|
- 3: this package is costly to build, and could go without (some lesser-used webkitgtk-based things)
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
sandbox.net = mkOption {
|
sandbox.net = mkOption {
|
||||||
|
|
|
@ -5,7 +5,6 @@
|
||||||
./dyn-dns.nix
|
./dyn-dns.nix
|
||||||
./eg25-manager.nix
|
./eg25-manager.nix
|
||||||
./kiwix-serve.nix
|
./kiwix-serve.nix
|
||||||
./mautrix-signal.nix
|
|
||||||
./nixserve.nix
|
./nixserve.nix
|
||||||
./trust-dns.nix
|
./trust-dns.nix
|
||||||
];
|
];
|
||||||
|
|
|
@ -1,207 +0,0 @@
|
||||||
{ config, lib, pkgs, ... }:
|
|
||||||
|
|
||||||
with lib;
|
|
||||||
let
|
|
||||||
# TODO: upstream these "optional-dependencies"
|
|
||||||
# - search that phrase in <nixpkgs:doc/languages-frameworks/python.section.md>
|
|
||||||
pkg = pkgs.mautrix-signal.overridePythonAttrs (super: {
|
|
||||||
propagatedBuildInputs = super.propagatedBuildInputs ++ (with pkgs.python3.pkgs; [
|
|
||||||
# these optional deps come from mautrix-signal's "optional-requirements.txt"
|
|
||||||
|
|
||||||
# #/e2be
|
|
||||||
# python-olm>=3,<4
|
|
||||||
# pycryptodome>=3,<4
|
|
||||||
# unpaddedbase64>=1,<3
|
|
||||||
# XXX: ^above already included in nixpkgs package
|
|
||||||
|
|
||||||
# #/metrics
|
|
||||||
# prometheus_client>=0.6,<0.17
|
|
||||||
# XXX: ^above already included in nixpkgs package
|
|
||||||
|
|
||||||
# #/formattednumbers
|
|
||||||
# phonenumbers>=8,<9
|
|
||||||
# XXX: ^above already included in nixpkgs package
|
|
||||||
|
|
||||||
# #/qrlink
|
|
||||||
# qrcode>=6,<8
|
|
||||||
# Pillow>=4,<10
|
|
||||||
# XXX: ^above already included in nixpkgs package
|
|
||||||
|
|
||||||
# #/stickers
|
|
||||||
# signalstickers-client>=3,<4
|
|
||||||
|
|
||||||
# #/sqlite
|
|
||||||
# aiosqlite>=0.16,<0.19
|
|
||||||
aiosqlite
|
|
||||||
]);
|
|
||||||
});
|
|
||||||
dataDir = "/var/lib/mautrix-signal";
|
|
||||||
registrationFile = "${dataDir}/signal-registration.yaml";
|
|
||||||
cfg = config.services.mautrix-signal;
|
|
||||||
settingsFormat = pkgs.formats.json {};
|
|
||||||
settingsFile =
|
|
||||||
settingsFormat.generate "mautrix-signal-config.json" cfg.settings;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
options = {
|
|
||||||
services.mautrix-signal = {
|
|
||||||
enable = mkEnableOption (lib.mdDoc "Mautrix-Signal, a Matrix-Signal puppeting bridge");
|
|
||||||
|
|
||||||
settings = mkOption rec {
|
|
||||||
apply = recursiveUpdate default;
|
|
||||||
inherit (settingsFormat) type;
|
|
||||||
default = {
|
|
||||||
# defaults based on this upstream example config:
|
|
||||||
# - <https://github.com/mautrix/signal/blob/master/mautrix_signal/example-config.yaml>
|
|
||||||
homeserver = {
|
|
||||||
address = "http://localhost:8008";
|
|
||||||
software = "standard";
|
|
||||||
# domain = "SETME";
|
|
||||||
};
|
|
||||||
|
|
||||||
appservice = rec {
|
|
||||||
address = "http://${hostname}:${toString port}";
|
|
||||||
hostname = "localhost";
|
|
||||||
port = 29328;
|
|
||||||
|
|
||||||
database = "sqlite:///${dataDir}/mautrix-signal.db";
|
|
||||||
database_opts = {};
|
|
||||||
bot_username = "signalbot";
|
|
||||||
};
|
|
||||||
|
|
||||||
bridge = {
|
|
||||||
username_template = "signal_{userid}";
|
|
||||||
permissions."*" = "relay";
|
|
||||||
double_puppet_server_map = {};
|
|
||||||
login_shared_secret_map = {};
|
|
||||||
};
|
|
||||||
|
|
||||||
logging = {
|
|
||||||
version = 1;
|
|
||||||
|
|
||||||
formatters.precise.format = "[%(levelname)s@%(name)s] %(message)s";
|
|
||||||
|
|
||||||
handlers.console = {
|
|
||||||
class = "logging.StreamHandler";
|
|
||||||
formatter = "precise";
|
|
||||||
};
|
|
||||||
|
|
||||||
# log to console/systemd instead of file
|
|
||||||
root = {
|
|
||||||
level = "INFO";
|
|
||||||
handlers = ["console"];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
example = literalExpression ''
|
|
||||||
{
|
|
||||||
homeserver = {
|
|
||||||
address = "http://localhost:8008";
|
|
||||||
domain = "mydomain.example";
|
|
||||||
};
|
|
||||||
|
|
||||||
bridge.permissions = {
|
|
||||||
"@admin:mydomain.example" = "admin";
|
|
||||||
"mydomain.example" = "user";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
{file}`config.yaml` configuration as a Nix attribute set.
|
|
||||||
Configuration options should match those described in
|
|
||||||
[example-config.yaml](https://github.com/mautrix/signale/blob/master/mautrix_signal/example-config.yaml).
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
environmentFile = mkOption {
|
|
||||||
type = types.nullOr types.path;
|
|
||||||
default = null;
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
File containing environment variables to be passed to the mautrix-signal service,
|
|
||||||
in which secret tokens can be specified securely by defining values for e.g.
|
|
||||||
`MAUTRIX_SIGNAL_APPSERVICE_AS_TOKEN`,
|
|
||||||
`MAUTRIX_SIGNAL_APPSERVICE_HS_TOKEN`
|
|
||||||
|
|
||||||
These environment variables can also be used to set other options by
|
|
||||||
replacing hierarchy levels by `.`, converting the name to uppercase
|
|
||||||
and prepending `MAUTRIX_SIGNAL_`.
|
|
||||||
For example, the first value above maps to
|
|
||||||
{option}`settings.appservice.as_token`.
|
|
||||||
|
|
||||||
The environment variable values can be prefixed with `json::` to have
|
|
||||||
them be parsed as JSON. For example, `login_shared_secret_map` can be
|
|
||||||
set as follows:
|
|
||||||
`MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET_MAP=json::{"example.com":"secret"}`.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
serviceDependencies = mkOption {
|
|
||||||
type = with types; listOf str;
|
|
||||||
default = optional config.services.matrix-synapse.enable "matrix-synapse.service";
|
|
||||||
defaultText = literalExpression ''
|
|
||||||
optional config.services.matrix-synapse.enable "matrix-synapse.service"
|
|
||||||
'';
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
List of Systemd services to require and wait for when starting the application service.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
|
||||||
users.groups.mautrix-signal = {};
|
|
||||||
|
|
||||||
users.users.mautrix-signal = {
|
|
||||||
group = "mautrix-signal";
|
|
||||||
isSystemUser = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.mautrix-signal = {
|
|
||||||
description = "Mautrix-Signal, a Matrix-Signal puppeting bridge.";
|
|
||||||
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
wants = [ "network-online.target" ] ++ cfg.serviceDependencies;
|
|
||||||
after = [ "network-online.target" ] ++ cfg.serviceDependencies;
|
|
||||||
path = [ pkgs.ffmpeg ]; # voice messages need `ffmpeg`
|
|
||||||
|
|
||||||
# environment.HOME = dataDir;
|
|
||||||
|
|
||||||
preStart = ''
|
|
||||||
# generate the appservice's registration file if absent
|
|
||||||
if [ ! -f '${registrationFile}' ]; then
|
|
||||||
${pkg}/bin/mautrix-signal \
|
|
||||||
--generate-registration \
|
|
||||||
--no-update \
|
|
||||||
--base-config='${pkg}/${pkg.pythonModule.sitePackages}/mautrix_signal/example-config.yaml' \
|
|
||||||
--config='${settingsFile}' \
|
|
||||||
--registration='${registrationFile}'
|
|
||||||
fi
|
|
||||||
'';
|
|
||||||
|
|
||||||
serviceConfig = {
|
|
||||||
Type = "simple";
|
|
||||||
Restart = "always";
|
|
||||||
|
|
||||||
User = "mautrix-signal";
|
|
||||||
|
|
||||||
ProtectSystem = "strict";
|
|
||||||
ProtectHome = true;
|
|
||||||
ProtectKernelTunables = true;
|
|
||||||
ProtectKernelModules = true;
|
|
||||||
ProtectControlGroups = true;
|
|
||||||
|
|
||||||
PrivateTmp = true;
|
|
||||||
WorkingDirectory = pkg;
|
|
||||||
StateDirectory = baseNameOf dataDir;
|
|
||||||
UMask = "0027";
|
|
||||||
EnvironmentFile = cfg.environmentFile;
|
|
||||||
|
|
||||||
ExecStart = ''
|
|
||||||
${pkg}/bin/mautrix-signal \
|
|
||||||
--config='${settingsFile}' \
|
|
||||||
--no-update
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -32,11 +32,32 @@ in [
|
||||||
# etc, where "date" is like "20240228181608"
|
# etc, where "date" is like "20240228181608"
|
||||||
# and can be found with `nix-repl > :lf . > lastModifiedDate`
|
# and can be found with `nix-repl > :lf . > lastModifiedDate`
|
||||||
|
|
||||||
|
(fetchpatch' {
|
||||||
|
title = "curl-impersonate: fix darwin build and make cross-compilation work";
|
||||||
|
prUrl = "https://github.com/NixOS/nixpkgs/pull/310386";
|
||||||
|
hash = "sha256-feMOgQRrY2t7sYMjqXCo2WCe/J+Kr1ah+DznajQZsDM=";
|
||||||
|
})
|
||||||
|
|
||||||
|
(fetchpatch' {
|
||||||
|
title = "hyprland: fix cross compilation";
|
||||||
|
prUrl = "https://github.com/NixOS/nixpkgs/pull/311408";
|
||||||
|
hash = "sha256-OU5XT/BEmZu1TPXSLKfEgdkoGXRETvJ9dePCeHrFl6o=";
|
||||||
|
})
|
||||||
|
|
||||||
|
(fetchpatch' {
|
||||||
|
# TODO: send upstream after successful deployment
|
||||||
|
title = "gnome.gnome-keyring: support cross compilation";
|
||||||
|
# prUrl = "https://github.com/uninsane/nixpkgs/pull/new/pr-gnome-keyring-cross";
|
||||||
|
saneCommit = "56bc064c0fa39614dfd1048daae4a59e4131df56";
|
||||||
|
hash = "sha256-LZW3CNhcOU+YPTPt/4Ltxyiqo/6SdlIOQADmni4pDM4=";
|
||||||
|
})
|
||||||
|
|
||||||
(fetchpatch' {
|
(fetchpatch' {
|
||||||
# TODO: send upstream
|
# TODO: send upstream
|
||||||
title = "python3Packages.dbus-python: fix build when doInstallCheck=false";
|
title = "python3Packages.dbus-python: fix cross";
|
||||||
saneCommit = "4d4d0310402b8a7f9273dff448522f01b722a60c";
|
prUrl = "https://github.com/NixOS/nixpkgs/pull/310609";
|
||||||
hash = "sha256-3fAobeHbM/IHZzhfAqSKhPy1l28F6MbQBp8rSVX2Lrg=";
|
hash = "sha256-QCRCotIlHgJn4lo4Qdrh2cJMqqcVGLAE9WSJ4nCQvyk=";
|
||||||
|
merged.staging = "20240510160000";
|
||||||
})
|
})
|
||||||
|
|
||||||
# branch: wip-ffado-cross
|
# branch: wip-ffado-cross
|
||||||
|
@ -55,13 +76,39 @@ in [
|
||||||
hash = "sha256-53X4ssdp02C8NOUL5mlbhR7qwE9/KWp6iLmz1ljJopE=";
|
hash = "sha256-53X4ssdp02C8NOUL5mlbhR7qwE9/KWp6iLmz1ljJopE=";
|
||||||
})
|
})
|
||||||
|
|
||||||
# 2024/02/25: still outstanding; merge conflicts
|
(fetchpatch' {
|
||||||
|
title = "libgweather: enable introspection on cross builds";
|
||||||
|
prUrl = "https://github.com/NixOS/nixpkgs/pull/251956";
|
||||||
|
hash = "sha256-IW+0u5lytIPU3xhgGtYgexXUrS2VFXAV6GC50jJS5ak=";
|
||||||
|
})
|
||||||
|
|
||||||
|
# 2024/02/25: still outstanding
|
||||||
# (fetchpatch' {
|
# (fetchpatch' {
|
||||||
# title = "hspell: remove build perl from runtime closure";
|
# title = "hspell: remove build perl from runtime closure";
|
||||||
# prUrl = "https://github.com/NixOS/nixpkgs/pull/263182";
|
# prUrl = "https://github.com/NixOS/nixpkgs/pull/263182";
|
||||||
# hash = "sha256-Wau+PB+EUQDvWX8Kycw1sNrM3GkPVjKSS4niIDI0sjM=";
|
# hash = "sha256-Wau+PB+EUQDvWX8Kycw1sNrM3GkPVjKSS4niIDI0sjM=";
|
||||||
# })
|
# })
|
||||||
|
|
||||||
|
# (fetchpatch' {
|
||||||
|
# title = "gthumb: make the webservices feature be optional";
|
||||||
|
# prUrl = "https://github.com/NixOS/nixpkgs/pull/240602";
|
||||||
|
# saneCommit = "e83130f2770c314b2a482e1792b010da66cdd5de";
|
||||||
|
# hash = "sha256-GlYWpOVZvr0oFAs4RdSUf7LJD3FmGsCaTm32GPhbBfc=";
|
||||||
|
# })
|
||||||
|
# (fetchpatch' {
|
||||||
|
# # TODO: send for review once hspell fix is merged <https://github.com/NixOS/nixpkgs/pull/263182>
|
||||||
|
# # this patch works as-is, but hspell keeps a ref to build perl and thereby pollutes this closure as well.
|
||||||
|
# title = "gtkspell2: support cross compilation";
|
||||||
|
# saneCommit = "56348833b4411e9fe2016c24c7fc4af1e3c1d28a";
|
||||||
|
# hash = "sha256-RUw88u7CI2C1IpRUhGbdYamHsPT1jBV0ROyVvzLWdv8=";
|
||||||
|
# })
|
||||||
|
# (fetchpatch' {
|
||||||
|
# # TODO: send for review (it should be unblocked as of 2024/05/08)
|
||||||
|
# title = "pidgin: support cross compilation";
|
||||||
|
# saneCommit = "caacbcc54e217f5ee9281422777a7f712765f71a";
|
||||||
|
# hash = "sha256-UyZaNNp84zKShuo6zu0nfZ2FygHGcmV63Ww4Y4CtCF0=";
|
||||||
|
# })
|
||||||
|
|
||||||
# (fetchpatch' {
|
# (fetchpatch' {
|
||||||
# title = "trust-dns: 0.23.0 -> 0.24.0";
|
# title = "trust-dns: 0.23.0 -> 0.24.0";
|
||||||
# prUrl = "https://github.com/NixOS/nixpkgs/pull/262466";
|
# prUrl = "https://github.com/NixOS/nixpkgs/pull/262466";
|
||||||
|
@ -128,36 +175,10 @@ in [
|
||||||
# hash = "sha256-eTwEbVULYjmOW7zUFcTUqvBZqUFjHTKFhvmU2m3XQeo=";
|
# hash = "sha256-eTwEbVULYjmOW7zUFcTUqvBZqUFjHTKFhvmU2m3XQeo=";
|
||||||
# })
|
# })
|
||||||
|
|
||||||
(fetchpatch' {
|
|
||||||
title = "gthumb: make the webservices feature be optional";
|
|
||||||
prUrl = "https://github.com/NixOS/nixpkgs/pull/240602";
|
|
||||||
saneCommit = "e83130f2770c314b2a482e1792b010da66cdd5de";
|
|
||||||
hash = "sha256-GlYWpOVZvr0oFAs4RdSUf7LJD3FmGsCaTm32GPhbBfc=";
|
|
||||||
})
|
|
||||||
(fetchpatch' {
|
|
||||||
# TODO: send for review once hspell fix is merged <https://github.com/NixOS/nixpkgs/pull/263182>
|
|
||||||
# this patch works as-is, but hspell keeps a ref to build perl and thereby pollutes this closure as well.
|
|
||||||
title = "gtkspell2: support cross compilation";
|
|
||||||
saneCommit = "56348833b4411e9fe2016c24c7fc4af1e3c1d28a";
|
|
||||||
hash = "sha256-RUw88u7CI2C1IpRUhGbdYamHsPT1jBV0ROyVvzLWdv8=";
|
|
||||||
})
|
|
||||||
(fetchpatch' {
|
|
||||||
# TODO: send for review (it should be unblocked as of 2024/05/08)
|
|
||||||
title = "pidgin: support cross compilation";
|
|
||||||
saneCommit = "caacbcc54e217f5ee9281422777a7f712765f71a";
|
|
||||||
hash = "sha256-UyZaNNp84zKShuo6zu0nfZ2FygHGcmV63Ww4Y4CtCF0=";
|
|
||||||
})
|
|
||||||
|
|
||||||
(fetchpatch' {
|
|
||||||
title = "libgweather: enable introspection on cross builds";
|
|
||||||
prUrl = "https://github.com/NixOS/nixpkgs/pull/251956";
|
|
||||||
hash = "sha256-IW+0u5lytIPU3xhgGtYgexXUrS2VFXAV6GC50jJS5ak=";
|
|
||||||
})
|
|
||||||
|
|
||||||
# for raspberry pi: allow building u-boot for rpi 4{,00}
|
# for raspberry pi: allow building u-boot for rpi 4{,00}
|
||||||
# TODO: remove after upstreamed: https://github.com/NixOS/nixpkgs/pull/176018
|
# TODO: remove after upstreamed: https://github.com/NixOS/nixpkgs/pull/176018
|
||||||
# (it's a dupe of https://github.com/NixOS/nixpkgs/pull/112677 )
|
# (it's a dupe of https://github.com/NixOS/nixpkgs/pull/112677 )
|
||||||
./02-rpi4-uboot.patch
|
# ./02-rpi4-uboot.patch
|
||||||
|
|
||||||
# (fetchpatch' {
|
# (fetchpatch' {
|
||||||
# title = "gnustep: remove `rec` to support `overrideScope`";
|
# title = "gnustep: remove `rec` to support `overrideScope`";
|
||||||
|
|
|
@ -387,7 +387,7 @@ in with final; {
|
||||||
# });
|
# });
|
||||||
# };
|
# };
|
||||||
|
|
||||||
# 2024/02/27: upstreaming is unblocked
|
# 2024/05/13: upstreaming is unblocked; out for review: <https://github.com/NixOS/nixpkgs/pull/305241>
|
||||||
appstream = prev.appstream.overrideAttrs (upstream: {
|
appstream = prev.appstream.overrideAttrs (upstream: {
|
||||||
# fixes: "Message: Native appstream required for cross-building"
|
# fixes: "Message: Native appstream required for cross-building"
|
||||||
# error introduced in:
|
# error introduced in:
|
||||||
|
@ -815,11 +815,12 @@ in with final; {
|
||||||
});
|
});
|
||||||
|
|
||||||
# 2024/05/08: fix: "meson.build:85:11: ERROR: Dependency "dbus-1" not found, tried pkgconfig".
|
# 2024/05/08: fix: "meson.build:85:11: ERROR: Dependency "dbus-1" not found, tried pkgconfig".
|
||||||
|
# 2024/05/13: upstreaming is bloked by dbus-python (fixed in staging), appstream (out for PR)
|
||||||
gnome-online-accounts = mvToBuildInputs [ dbus ] prev.gnome-online-accounts;
|
gnome-online-accounts = mvToBuildInputs [ dbus ] prev.gnome-online-accounts;
|
||||||
|
|
||||||
gnome = prev.gnome.overrideScope (self: super: {
|
gnome = prev.gnome.overrideScope (self: super: {
|
||||||
evolution-data-server = super.evolution-data-server.overrideAttrs (upstream: {
|
evolution-data-server = super.evolution-data-server.overrideAttrs (upstream: {
|
||||||
# 2023/12/08: upstreaming is unblocked, but depends on webkitgtk 4.1
|
# 2024/05/13: upstreaming is blocked by appstream (out for PR), libgweather (out for PR)
|
||||||
cmakeFlags = upstream.cmakeFlags ++ [
|
cmakeFlags = upstream.cmakeFlags ++ [
|
||||||
"-DCMAKE_CROSSCOMPILING_EMULATOR=${stdenv.hostPlatform.emulator buildPackages}"
|
"-DCMAKE_CROSSCOMPILING_EMULATOR=${stdenv.hostPlatform.emulator buildPackages}"
|
||||||
"-DENABLE_TESTS=no"
|
"-DENABLE_TESTS=no"
|
||||||
|
@ -872,12 +873,13 @@ in with final; {
|
||||||
# fixes "subprojects/gvc/meson.build:30:0: ERROR: Program 'glib-mkenums mkenums' not found or not executable"
|
# fixes "subprojects/gvc/meson.build:30:0: ERROR: Program 'glib-mkenums mkenums' not found or not executable"
|
||||||
# gnome-control-center = mvToNativeInputs [ glib ] super.gnome-control-center;
|
# gnome-control-center = mvToNativeInputs [ glib ] super.gnome-control-center;
|
||||||
|
|
||||||
gnome-keyring = super.gnome-keyring.overrideAttrs (orig: {
|
# gnome-keyring = super.gnome-keyring.overrideAttrs (orig: {
|
||||||
# 2024/02/27: upstreaming is unblocked
|
# # 2024/02/27: upstreaming is unblocked; implemented but not for PR
|
||||||
# this seems to work in practice, but leaves gkr with a reference to the build openssl, sqlite, xz, libxcrypt, glibc
|
# # - <https://github.com/uninsane/nixpkgs/pull/new/pr-gnome-keyring-cross>
|
||||||
# fixes "configure.ac:374: error: possibly undefined macro: AM_PATH_LIBGCRYPT"
|
# # this seems to work in practice, but leaves gkr with a reference to the build openssl, sqlite, xz, libxcrypt, glibc
|
||||||
nativeBuildInputs = orig.nativeBuildInputs ++ [ libgcrypt openssh glib ];
|
# # fixes "configure.ac:374: error: possibly undefined macro: AM_PATH_LIBGCRYPT"
|
||||||
});
|
# nativeBuildInputs = orig.nativeBuildInputs ++ [ libgcrypt openssh glib ];
|
||||||
|
# });
|
||||||
gnome-maps = super.gnome-maps.overrideAttrs (upstream: {
|
gnome-maps = super.gnome-maps.overrideAttrs (upstream: {
|
||||||
# 2023/11/21: upstreaming is blocked by libshumate, qtsvg (via pipewire/ffado)
|
# 2023/11/21: upstreaming is blocked by libshumate, qtsvg (via pipewire/ffado)
|
||||||
postPatch = (upstream.postPatch or "") + ''
|
postPatch = (upstream.postPatch or "") + ''
|
||||||
|
@ -997,6 +999,7 @@ in with final; {
|
||||||
# '';
|
# '';
|
||||||
# });
|
# });
|
||||||
|
|
||||||
|
# hyprland = mvToNativeInputs [ hwdata ] prev.hyprland;
|
||||||
# hyprland = prev.hyprland.overrideAttrs (_: {
|
# hyprland = prev.hyprland.overrideAttrs (_: {
|
||||||
# depsBuildBuild = [ pkg-config ];
|
# depsBuildBuild = [ pkg-config ];
|
||||||
# });
|
# });
|
||||||
|
@ -2072,12 +2075,12 @@ in with final; {
|
||||||
|
|
||||||
# 2024/02/29: upstreaming is blocked on libei (unless Xwayland config option is disabled in nixpkgs)
|
# 2024/02/29: upstreaming is blocked on libei (unless Xwayland config option is disabled in nixpkgs)
|
||||||
# out for PR: <https://github.com/NixOS/nixpkgs/pull/292415>
|
# out for PR: <https://github.com/NixOS/nixpkgs/pull/292415>
|
||||||
wlroots = prev.wlroots.overrideAttrs (upstream: {
|
# wlroots = prev.wlroots.overrideAttrs (upstream: {
|
||||||
nativeBuildInputs = (upstream.nativeBuildInputs or []) ++ [
|
# nativeBuildInputs = (upstream.nativeBuildInputs or []) ++ [
|
||||||
# incorrectly specified as `buildInputs` in nixpkgs.
|
# # incorrectly specified as `buildInputs` in nixpkgs.
|
||||||
hwdata
|
# hwdata
|
||||||
];
|
# ];
|
||||||
});
|
# });
|
||||||
|
|
||||||
# wrapFirefox = prev.wrapFirefox.override {
|
# wrapFirefox = prev.wrapFirefox.override {
|
||||||
# buildPackages = buildPackages // {
|
# buildPackages = buildPackages // {
|
||||||
|
@ -2091,15 +2094,16 @@ in with final; {
|
||||||
# };
|
# };
|
||||||
# };
|
# };
|
||||||
|
|
||||||
wrapNeovimUnstable = neovim: config: (prev.wrapNeovimUnstable neovim config).overrideAttrs (upstream: {
|
# fixes `hostPrograms.moby.neovim` (but breaks eval of `hostPkgs.moby.neovim` :o)
|
||||||
# nvim wrapper has a sanity check that the plugins will load correctly.
|
# wrapNeovimUnstable = neovim: config: (prev.wrapNeovimUnstable neovim config).overrideAttrs (upstream: {
|
||||||
# this is effectively a check phase and should be rewritten as such
|
# # nvim wrapper has a sanity check that the plugins will load correctly.
|
||||||
postBuild = lib.replaceStrings
|
# # this is effectively a check phase and should be rewritten as such
|
||||||
[ "! $out/bin/nvim-wrapper" ]
|
# postBuild = lib.replaceStrings
|
||||||
# [ "${stdenv.hostPlatform.emulator buildPackages} $out/bin/nvim-wrapper" ]
|
# [ "! $out/bin/nvim-wrapper" ]
|
||||||
[ "false && $out/bin/nvim-wrapper" ]
|
# # [ "${stdenv.hostPlatform.emulator buildPackages} $out/bin/nvim-wrapper" ]
|
||||||
upstream.postBuild;
|
# [ "false && $out/bin/nvim-wrapper" ]
|
||||||
});
|
# upstream.postBuild;
|
||||||
|
# });
|
||||||
|
|
||||||
# 2023/07/30: upstreaming is blocked on unar (gnustep), unless i also make that optional
|
# 2023/07/30: upstreaming is blocked on unar (gnustep), unless i also make that optional
|
||||||
xarchiver = mvToNativeInputs [ libxslt ] prev.xarchiver;
|
xarchiver = mvToNativeInputs [ libxslt ] prev.xarchiver;
|
||||||
|
|
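--- /dev/null
+++ b/scripts/clean
@@ -0,0 +1,23 @@
+#!/bin/sh
+# remove artifacts which i've accidentally left lying around
+# e.g. `result -> /nix/store/...` symlinks
+
+pushd ~/nixos
+
+# if this exists it'll interfere with the search
+rm -f result
+
+for result in $(fd --follow result) $(fd -uuu result); do
+if [[ "$(readlink "$result")" != /nix/store/* ]]; then
+# not a build artifact
+continue
+fi
+if [[ "$result" == build/* ]] || [[ "$result" == .working/* ]]; then
+# intentionally preserved build artifact
+continue
+fi
+
+echo "removing: $result"
+unlink "$result"
+done
+popd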
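Review bot: The shebang on the first line is `#!/bin/sh`, but the script depends on bash-only constructs — `pushd`/`popd` and the `[[ … ]]` tests inside the loop — so it breaks wherever `/bin/sh` is not bash; `#!/usr/bin/env bash` matches what the body actually uses. The result of `pushd ~/nixos` is also never checked, so if that directory is missing or unreadable the `fd` searches and the `unlink` calls run against whatever the caller's current working directory happens to be; `set -eu` near the top, or `pushd ~/nixos || exit 1`, confines the deletions to the intended tree. The unquoted `$(fd …)` expansions in the `for` line word-split on whitespace in paths, which `fd -0 … | while IFS= read -r -d '' result; do` would avoid.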
|