internal/outcome: expose pipewire via pipewire-pulse
Some checks failed
Test / Create distribution (push) Successful in 35s
Test / Sandbox (push) Successful in 41s
Test / Sandbox (race detector) (push) Successful in 41s
Test / Hakurei (race detector) (push) Successful in 44s
Test / Hakurei (push) Successful in 44s
Test / Hpkg (push) Successful in 42s
Test / Flake checks (push) Has been cancelled
Some checks failed
Test / Create distribution (push) Successful in 35s
Test / Sandbox (push) Successful in 41s
Test / Sandbox (race detector) (push) Successful in 41s
Test / Hakurei (race detector) (push) Successful in 44s
Test / Hakurei (push) Successful in 44s
Test / Hpkg (push) Successful in 42s
Test / Flake checks (push) Has been cancelled
This no longer exposes the pipewire socket to the container, and instead mediates access via pipewire-pulse. This makes insecure parts of the protocol inaccessible as explained in the doc comment in hst. Closes #29. Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
11
nixos.nix
11
nixos.nix
@@ -68,7 +68,7 @@ in
|
||||
|
||||
home-manager =
|
||||
let
|
||||
privPackages = mapAttrs (username: userid: {
|
||||
privPackages = mapAttrs (_: userid: {
|
||||
home.packages = foldlAttrs (
|
||||
acc: id: app:
|
||||
[
|
||||
@@ -196,15 +196,6 @@ in
|
||||
}
|
||||
]
|
||||
)
|
||||
++ optional (app.enablements.pipewire && app.pulse) {
|
||||
type = "daemon";
|
||||
dst = if app.mapRealUid then "/run/user/${toString config.users.users.${username}.uid}/pulse/native" else "/run/user/65534/pulse/native";
|
||||
path = cfg.shell;
|
||||
args = [
|
||||
"-lc"
|
||||
"exec pipewire-pulse"
|
||||
];
|
||||
}
|
||||
++ [
|
||||
{
|
||||
type = "bind";
|
||||
|
||||
Reference in New Issue
Block a user