they require fundamentally different sandboxing approaches. the daemon *can't* always use bwrap if it wants to run as non-root. meanwhile the CLI tools would mostly *prefer* to run under bwrap. in the long term i'll maybe upstream the systemd sandboxing into nixpkgs, where there looks to be desire for it
# Aggregator module: pulls in one module per program/service from this
# directory, then installs the individual (unbundled) CA certificate files
# under /etc/ssl/certs.
{ pkgs, ... }:

{
  # Entries ending in `.nix` are single-file modules; the others are
  # presumably directories, which Nix resolves to their `default.nix`.
  imports = [
    ./abaddon.nix
    ./aerc.nix
    ./alacritty.nix
    ./alsa-ucm-conf
    ./animatch.nix
    ./assorted.nix
    ./audacity.nix
    ./bemenu.nix
    ./blast-ugjka
    ./bonsai.nix
    ./brave.nix
    ./bubblewrap.nix
    ./callaudiod.nix
    ./calls.nix
    ./cantata.nix
    ./catt.nix
    ./celeste64.nix
    ./chatty.nix
    ./conky
    ./cozy.nix
    ./cups.nix
    ./curlftpfs.nix
    ./dbus.nix
    ./dconf.nix
    ./deadd-notification-center
    ./dialect.nix
    ./dino.nix
    ./dissent.nix
    ./dtrx.nix
    ./eg25-control.nix
    ./element-desktop.nix
    ./engrampa.nix
    ./epiphany.nix
    ./errno.nix
    ./evince.nix
    ./fcitx5.nix
    ./feedbackd.nix
    ./firefox.nix
    ./flare-signal.nix
    ./fontconfig.nix
    ./fractal.nix
    ./frozen-bubble.nix
    ./fwupd.nix
    ./g4music.nix
    ./gajim.nix
    ./gdbus.nix
    ./geary.nix
    ./git.nix
    ./gnome-clocks.nix
    ./gnome-feeds.nix
    ./gnome-keyring
    ./gnome-maps.nix
    ./gnome-weather.nix
    ./go2tv.nix
    ./gpodder.nix
    ./grimshot.nix
    ./gst-device-monitor.nix
    ./gthumb.nix
    ./gvfs.nix
    ./handbrake.nix
    ./helix.nix
    ./htop
    ./imagemagick.nix
    ./jellyfin-media-player.nix
    ./kdenlive.nix
    ./komikku.nix
    ./koreader
    ./less.nix
    ./lftp.nix
    ./libreoffice.nix
    ./lemoa.nix
    ./loupe.nix
    ./mako.nix
    ./megapixels.nix
    ./mepo.nix
    ./mimeo
    ./mmcli.nix
    ./modemmanager.nix
    ./mopidy.nix
    ./mpv
    ./msmtp.nix
    ./nautilus.nix
    ./neovim.nix
    ./networkmanager.nix
    ./newsflash.nix
    ./nheko.nix
    ./nicotine-plus.nix
    ./nix-index.nix
    ./nmcli.nix
    ./notejot.nix
    ./ntfy-sh.nix
    ./objdump.nix
    ./obsidian.nix
    ./offlineimap.nix
    ./open-in-mpv.nix
    ./pipewire.nix
    ./planify.nix
    ./portfolio-filemanager.nix
    ./playerctl.nix
    ./rhythmbox.nix
    ./ripgrep.nix
    ./rofi
    ./rtkit.nix
    ./s6-rc.nix
    ./sane-input-handler
    ./sane-open.nix
    ./sane-screenshot.nix
    ./sane-scripts.nix
    ./sane-theme.nix
    ./sanebox.nix
    ./schlock.nix
    ./seatd.nix
    ./sfeed.nix
    ./shadow.nix
    ./signal-desktop.nix
    ./splatmoji.nix
    ./spot.nix
    ./spotify.nix
    ./steam.nix
    ./stepmania.nix
    ./strings.nix
    ./sublime-music.nix
    ./supertuxkart.nix
    ./sway
    ./sway-autoscaler
    ./swayidle.nix
    ./swaylock.nix
    ./swaynotificationcenter
    ./sysvol.nix
    ./tangram.nix
    ./tor-browser.nix
    ./tuba.nix
    ./unl0kr
    ./vlc.nix
    ./waybar
    ./waylock.nix
    ./wike.nix
    ./wine.nix
    ./wireplumber.nix
    ./wireshark.nix
    ./wpa_supplicant.nix
    ./wvkbd.nix
    ./xarchiver.nix
    ./xdg-desktop-portal.nix
    ./xdg-desktop-portal-gtk.nix
    ./xdg-desktop-portal-wlr.nix
    ./xdg-terminal-exec.nix
    ./xdg-utils.nix
    ./zathura.nix
    ./zeal.nix
    ./zecwallet-lite.nix
    ./zulip.nix
    ./zsh
  ];

  # XXX: this might not be necessary. try removing this and cacert.unbundled (servo)?
  # The trailing `*` is a glob: NixOS's /etc builder expands a `source`
  # containing `*` and symlinks each matching file into the target directory,
  # so every per-CA file from `cacert.unbundled` lands in /etc/ssl/certs.
  # NOTE(review): this references `pkgs.cacert` directly, so these files
  # presumably do not reflect CAs added or blacklisted through the
  # `security.pki.*` options. Software that reads the directory could then
  # trust a different CA set than software that reads the system bundle.
  # Confirm, or point this at the same overridden cacert the bundle uses.
  environment.etc."ssl/certs".source = "${pkgs.cacert.unbundled}/etc/ssl/certs/*";
}