rosa/hakurei
6
4
Fork 2
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases 19 Wiki Activity
2,458 Commits 3 Branches 19 Tags
e192fca762c2a44743474db33e5c807aab68ce6b
Commit Graph

77 Commits

Author SHA1 Message Date
cat 016da20443 nix: expose compat flag in nixos module
Test / Create distribution (push) Successful in 1m55s
Details
Test / Run NixOS test (push) Successful in 4m6s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-01-25 12:42:48 +09:00
cat efacaa40fa nix: set deny_devel correctly
Test / Create distribution (push) Successful in 1m55s
Details
Test / Run NixOS test (push) Successful in 3m51s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-01-24 00:50:35 +09:00
cat 96d5d8a396 nix: apply shared home config to reserved aid
Build / Create distribution (push) Successful in 2m16s
Details
Test / Run NixOS test (push) Successful in 5m43s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-01-23 20:48:04 +09:00
cat 8a00a83c71 nix: expose syscall filter policy
Build / Create distribution (push) Successful in 1m31s
Details
Test / Run NixOS test (push) Successful in 1m52s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-01-23 17:24:42 +09:00
cat 134247b57d nix: configure target users via nixos
Build / Create distribution (push) Successful in 2m0s
Details
Test / Run NixOS test (push) Successful in 3m46s
Details 
This makes patching home-manager no longer necessary.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-01-23 17:04:19 +09:00
cat 4d3bd5338f nix: implement flake checks
test / test (push) Successful in 36s
Details 
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-12-16 20:54:28 +09:00
cat 39e3ac3ccd nix: require /etc/userdb nix-daemon
test / test (push) Successful in 36s
Details 
There seems to be some kind of credential caching in nix-daemon.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-12-07 21:07:57 +09:00
cat 40cc8a68d1 nix: rename home directories
test / test (push) Successful in 38s
Details 
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-12-07 20:15:37 +09:00
cat 95668ac998 nix: expose no_new_session in module
test / test (push) Successful in 14s
Details 
Useful for shells and terminal programs like chat clients.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-11-28 00:19:06 +09:00
cat 653d69da0a nix: module descriptions
test / test (push) Successful in 24s
Details 
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-11-19 18:10:57 +09:00
cat f8256137ae nix: separate module options from implementation
test / test (push) Successful in 25s
Details 
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-11-19 17:08:22 +09:00
cat 54b47b0315 nix: copy pixmaps directory to share package
test / test (push) Successful in 21s
Details 
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-11-18 14:46:08 +09:00
cat 8f3f0c7bbf nix: integrate dynamic users
test / test (push) Successful in 21s
Details 
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-11-18 02:49:48 +09:00
cat 1a09b55bd4 nix: remove portal paths from default
test / test (push) Successful in 27s
Details 
Despite presenting itself as a generic desktop integration interface, xdg-desktop portal is highly flatpak-centric and only supports flatpak and snap in practice. It is a significant attack surface to begin with as it is a privileged process which accepts input from unprivileged processes, and the lack of support for anything other than fortify also introduces various information leaks when exposed to fortify as it treats fortified programs as unsandboxed, privileged programs in many cases.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-11-10 22:24:17 +09:00
cat 9a13b311ac app/config: rename map_real_uid from use_real_uid
test / test (push) Successful in 19s
Details 
This option only changes mapped uid in the user namespace.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-11-09 12:01:34 +09:00
cat 431aa32291 nix: remove absolute Exec paths
test / test (push) Successful in 26s
Details 
Absolute paths set for Exec causes the program to be launched as the privileged user.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-11-08 02:05:47 +09:00
cat ad80be721b nix: improve start script
test / test (push) Successful in 23s
Details 
Zsh store path in shebang. Replace writeShellScript with writeScript since runtimeShell is not overridable.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-11-06 14:09:41 +09:00
cat 4d90e73366 nix: generate strict sandbox configuration
test / test (push) Successful in 22s
Details 
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-11-06 04:25:15 +09:00
cat b9d5fe49cb nix: pass $SHELL for shell interpreter 
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-10-12 23:01:06 +09:00
cat 8f03ddc3fa app: remove bubblewrap launch method 
Launch methods serve the primary purpose of setting UID in the init namespace, which bubblewrap does not do. Furthermore, all applications will start within a bubblewrap sandbox once it has been implemented.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-10-10 00:11:04 +09:00
cat 3d963b9f67 nix: include package buildInputs in devShells 
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-09-17 23:15:33 +09:00
cat d49b97b1d4 nix: pass method string directly 
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-09-13 11:58:45 +09:00
cat 88ac05be6d nix: fix typo in nixos module implementation previously missed due to lazy eval 
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-09-09 23:29:16 +09:00
cat 396066de7b nix: implement dbus-system option in nixos module 
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-09-09 21:26:14 +09:00
cat 0e5b85fd42 nix: implement new dbus options in nixos module 
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-09-09 04:58:25 +09:00
cat 60e4846542 nix: provide options for capability flags 
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-09-08 02:45:00 +09:00
cat 945cce2f5e nix: implement nixos module 
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
 2024-09-04 17:03:21 +09:00