internal/outcome: expose pipewire via pipewire-pulse

This no longer exposes the pipewire socket to the container, and instead mediates access via pipewire-pulse. This makes insecure parts of the protocol inaccessible as explained in the doc comment in hst. Closes #29. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-12-15 12:43:58 +09:00
parent 2e80660169
commit 54610aaddc
14 changed files with 113 additions and 77 deletions
--- a/options.nix
+++ b/options.nix
@@ -242,19 +242,11 @@ in
                  type = nullOr bool;
                  default = true;
                  description = ''
-                    Whether to share the PipeWire server via SecurityContext.
+                    Whether to share the PipeWire server via pipewire-pulse on a SecurityContext socket.
                  '';
                };
              };

-              pulse = mkOption {
-                type = nullOr bool;
-                default = true;
-                description = ''
-                  Whether to run the PulseAudio compatibility daemon.
-                '';
-              };
-
              share = mkOption {
                type = nullOr package;
                default = null;