security/hakurei
6
3
Fork 0
Code Issues 11 Pull Requests Actions Packages Projects Releases 11 Wiki Activity
1,365 Commits 3 Branches 11 Tags
87fe29f3d8a04903c223f8b046d6d28ec7b7fb0d
Commit Graph

73 Commits

Author SHA1 Message Date
Ophestra
87fe29f3d8 nix: set x-systemd options directly
Some checks failed
Test / Create distribution (push) Successful in 34s
Details
Test / Sandbox (push) Successful in 45s
Details
Test / Sandbox (race detector) (push) Successful in 46s
Details
Test / Hakurei (push) Successful in 52s
Details
Test / Hpkg (push) Successful in 50s
Details
Test / Hakurei (race detector) (push) Successful in 54s
Details
Test / ShareFS (push) Successful in 1m58s
Details
Test / Flake checks (push) Failing after 1m39s
Details 
NixOS generates two x-systemd.requires-mounts-for options for some reason, and there seems to be no knob for configuring ordering.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-28 09:41:13 +09:00
Ophestra
e42ea32dbe nix: configure sharefs via fileSystems
All checks were successful
Test / ShareFS (push) Successful in 41s
Details
Test / Sandbox (race detector) (push) Successful in 45s
Details
Test / Create distribution (push) Successful in 42s
Details
Test / Sandbox (push) Successful in 47s
Details
Test / Hpkg (push) Successful in 50s
Details
Test / Hakurei (push) Successful in 56s
Details
Test / Hakurei (race detector) (push) Successful in 56s
Details
Test / Flake checks (push) Successful in 1m35s
Details 
Turns out this did not work because in the vm test harness, virtualisation.fileSystems completely and silently overrides fileSystems, causing its contents to not even be evaluated anymore. This is not documented as far as I can tell, and is not obvious by any stretch of the imagination. The current hack is cargo culted from nix-community/impermanence and hopefully lasts until this project fully replaces nix.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-27 23:14:08 +09:00
Ophestra
e7982b4ee9 cmd/sharefs: create directory as root
All checks were successful
Test / Create distribution (push) Successful in 42s
Details
Test / Sandbox (push) Successful in 2m20s
Details
Test / Hakurei (push) Successful in 3m30s
Details
Test / Sandbox (race detector) (push) Successful in 4m42s
Details
Test / Flake checks (push) Successful in 1m36s
Details
Test / ShareFS (push) Successful in 3m26s
Details
Test / Hpkg (push) Successful in 4m19s
Details
Test / Hakurei (race detector) (push) Successful in 5m30s
Details 
This optional behaviour is required on NixOS as it is otherwise impossible to set this up: systemd.mounts breaks startup order somehow even though my unit looks identical to generated ones, fileSystems does not support any kind of initialisation or ordering other than against other mount points.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-27 22:14:33 +09:00
Ophestra
2f8ca83376 cmd/sharefs: containerise filesystem daemon
All checks were successful
Test / Create distribution (push) Successful in 44s
Details
Test / Sandbox (push) Successful in 2m30s
Details
Test / Hakurei (push) Successful in 3m26s
Details
Test / ShareFS (push) Successful in 3m26s
Details
Test / Hpkg (push) Successful in 4m20s
Details
Test / Sandbox (race detector) (push) Successful in 4m41s
Details
Test / Hakurei (race detector) (push) Successful in 5m31s
Details
Test / Flake checks (push) Successful in 1m36s
Details 
This replaces the forking daemonise libfuse function which prevents Go callbacks from calling into the runtime. This also enforces least privilege on the daemon process.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-27 10:16:35 +09:00
Ophestra
54712e0426 nix: set noatime on sharefs
All checks were successful
Test / Create distribution (push) Successful in 42s
Details
Test / Sandbox (push) Successful in 47s
Details
Test / Sandbox (race detector) (push) Successful in 46s
Details
Test / Hakurei (push) Successful in 55s
Details
Test / Hpkg (push) Successful in 50s
Details
Test / Hakurei (race detector) (push) Successful in 55s
Details
Test / ShareFS (push) Successful in 2m27s
Details
Test / Flake checks (push) Successful in 1m38s
Details 
Could improve performance, atime is not useful for this filesystem anyway.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-26 05:34:05 +09:00
Ophestra
dce5839a79 nix: do not restart sharefs
All checks were successful
Test / Create distribution (push) Successful in 43s
Details
Test / Sandbox (push) Successful in 47s
Details
Test / Sandbox (race detector) (push) Successful in 47s
Details
Test / Hpkg (push) Successful in 50s
Details
Test / Hakurei (race detector) (push) Successful in 54s
Details
Test / Hakurei (push) Successful in 56s
Details
Test / ShareFS (push) Successful in 2m29s
Details
Test / Flake checks (push) Successful in 1m44s
Details 
This avoids disrupting running containers.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-26 04:12:14 +09:00
Ophestra
7bfbd59810 cmd/sharefs: implement shared filesystem
All checks were successful
Test / Create distribution (push) Successful in 46s
Details
Test / Sandbox (push) Successful in 2m40s
Details
Test / Hakurei (push) Successful in 3m41s
Details
Test / Hpkg (push) Successful in 4m42s
Details
Test / Sandbox (race detector) (push) Successful in 4m53s
Details
Test / Hakurei (race detector) (push) Successful in 5m53s
Details
Test / ShareFS (push) Successful in 38m10s
Details
Test / Flake checks (push) Successful in 1m46s
Details 
This is for passing files between applications, similar to android /sdcard.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-25 05:13:02 +09:00
Ophestra
54610aaddc internal/outcome: expose pipewire via pipewire-pulse
All checks were successful
Test / Create distribution (push) Successful in 28s
Details
Test / Sandbox (push) Successful in 42s
Details
Test / Hakurei (push) Successful in 3m20s
Details
Test / Hpkg (push) Successful in 2m13s
Details
Test / Sandbox (race detector) (push) Successful in 4m25s
Details
Test / Hakurei (race detector) (push) Successful in 3m21s
Details
Test / Flake checks (push) Successful in 1m30s
Details 
This no longer exposes the pipewire socket to the container, and instead mediates access via pipewire-pulse. This makes insecure parts of the protocol inaccessible as explained in the doc comment in hst.

Closes #29.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-15 12:57:06 +09:00
Ophestra
d5fb179012 cmd/hakurei: exec instead of fork/exec from shell
All checks were successful
Test / Create distribution (push) Successful in 36s
Details
Test / Sandbox (push) Successful in 2m44s
Details
Test / Sandbox (race detector) (push) Successful in 4m40s
Details
Test / Hakurei (push) Successful in 4m53s
Details
Test / Hpkg (push) Successful in 5m5s
Details
Test / Hakurei (race detector) (push) Successful in 6m26s
Details
Test / Flake checks (push) Successful in 1m27s
Details 
There is no reason to keep the shell process around.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-08 22:29:41 +09:00
Ophestra
87781c7658 treewide: include PipeWire op and enforce PulseAudio check
All checks were successful
Test / Create distribution (push) Successful in 29s
Details
Test / Sandbox (push) Successful in 40s
Details
Test / Sandbox (race detector) (push) Successful in 41s
Details
Test / Hakurei (push) Successful in 44s
Details
Test / Hpkg (push) Successful in 41s
Details
Test / Hakurei (race detector) (push) Successful in 45s
Details
Test / Flake checks (push) Successful in 1m29s
Details 
This fully replaces PulseAudio with PipeWire and enforces the PulseAudio check and error message. The pipewire-pulse daemon is handled in the NixOS module.

Closes #26.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-12-08 08:53:04 +09:00
Ophestra
b1a1e73238 nix: update names to reflect new terminology
All checks were successful
Test / Create distribution (push) Successful in 33s
Details
Test / Sandbox (push) Successful in 40s
Details
Test / Sandbox (race detector) (push) Successful in 39s
Details
Test / Hakurei (race detector) (push) Successful in 44s
Details
Test / Hakurei (push) Successful in 46s
Details
Test / Hpkg (push) Successful in 41s
Details
Test / Flake checks (push) Successful in 1m30s
Details 
These are terminology from way early days. Update them now to be less confusing.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-11-09 01:48:31 +09:00
Ophestra
cb9ebf0e15 hst/grp_pwd: specify new uid format
All checks were successful
Test / Create distribution (push) Successful in 27s
Details
Test / Sandbox (push) Successful in 41s
Details
Test / Sandbox (race detector) (push) Successful in 41s
Details
Test / Hpkg (push) Successful in 42s
Details
Test / Hakurei (push) Successful in 47s
Details
Test / Hakurei (race detector) (push) Successful in 46s
Details
Test / Flake checks (push) Successful in 1m31s
Details 
This leaves slots available for additional uid ranges in Rosa OS.

This breaks all existing installations! Users are required to fix ownership manually.

Closes #18.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-11-04 08:24:41 +09:00
Ophestra
23ae7822bf cmd/hakurei/parse: use new store interface
All checks were successful
Test / Create distribution (push) Successful in 35s
Details
Test / Sandbox (push) Successful in 2m21s
Details
Test / Sandbox (race detector) (push) Successful in 4m16s
Details
Test / Hpkg (push) Successful in 4m15s
Details
Test / Hakurei (race detector) (push) Successful in 4m58s
Details
Test / Hakurei (push) Successful in 2m16s
Details
Test / Flake checks (push) Successful in 1m28s
Details 
This greatly reduces overhead. The iterator also significantly cleans up the usage code.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-11-02 16:00:41 +09:00
Ophestra
699c19e972 hst/container: optional runtime and tmpdir sharing
All checks were successful
Test / Create distribution (push) Successful in 25s
Details
Test / Sandbox (push) Successful in 39s
Details
Test / Sandbox (race detector) (push) Successful in 39s
Details
Test / Hakurei (push) Successful in 42s
Details
Test / Hpkg (push) Successful in 40s
Details
Test / Hakurei (race detector) (push) Successful in 44s
Details
Test / Flake checks (push) Successful in 1m23s
Details 
Sharing and persisting these directories do not always make sense. Make it optional here.

Closes #16.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-19 04:11:38 +09:00
Ophestra
5bf28901a4 cmd/hsu: check against setgid bit
All checks were successful
Test / Create distribution (push) Successful in 35s
Details
Test / Sandbox (push) Successful in 2m10s
Details
Test / Hpkg (push) Successful in 4m5s
Details
Test / Sandbox (race detector) (push) Successful in 4m33s
Details
Test / Hakurei (race detector) (push) Successful in 5m20s
Details
Test / Hakurei (push) Successful in 2m18s
Details
Test / Flake checks (push) Successful in 1m31s
Details 
The getgroups behaviour is already checked for, but it never hurts to be more careful in a setuid program.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-08 18:22:24 +09:00
Ophestra
9e48d7f562 hst/config: move container fields from toplevel
All checks were successful
Test / Create distribution (push) Successful in 33s
Details
Test / Sandbox (push) Successful in 2m7s
Details
Test / Hpkg (push) Successful in 3m54s
Details
Test / Hakurei (race detector) (push) Successful in 5m18s
Details
Test / Sandbox (race detector) (push) Successful in 2m10s
Details
Test / Hakurei (push) Successful in 2m13s
Details
Test / Flake checks (push) Successful in 1m33s
Details 
This change also moves pd behaviour to cmd/hakurei, as this does not belong in the hst API.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-07 04:24:45 +09:00
Ophestra
c9facb746b hst/config: remove data field, rename dir to home
All checks were successful
Test / Create distribution (push) Successful in 34s
Details
Test / Sandbox (push) Successful in 2m13s
Details
Test / Hakurei (push) Successful in 3m10s
Details
Test / Hpkg (push) Successful in 4m5s
Details
Test / Sandbox (race detector) (push) Successful in 4m27s
Details
Test / Hakurei (race detector) (push) Successful in 5m7s
Details
Test / Flake checks (push) Successful in 1m28s
Details 
There is no reason to give the home directory special treatment, as this behaviour can be quite confusing. The home directory also does not necessarily require its own mount point, it could be provided by a parent or simply be ephemeral.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-26 00:56:10 +09:00
Ophestra
9585b35d5b hst/config: remove symlink field
All checks were successful
Test / Create distribution (push) Successful in 35s
Details
Test / Sandbox (push) Successful in 2m15s
Details
Test / Hpkg (push) Successful in 4m10s
Details
Test / Sandbox (race detector) (push) Successful in 4m27s
Details
Test / Hakurei (race detector) (push) Successful in 5m12s
Details
Test / Hakurei (push) Successful in 2m11s
Details
Test / Flake checks (push) Successful in 1m29s
Details 
Closes #6.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-25 22:23:54 +09:00
Ophestra
0dcac55a0c hst/config: remove container etc field
All checks were successful
Test / Create distribution (push) Successful in 36s
Details
Test / Sandbox (push) Successful in 2m25s
Details
Test / Hakurei (push) Successful in 3m18s
Details
Test / Hpkg (push) Successful in 4m14s
Details
Test / Sandbox (race detector) (push) Successful in 4m32s
Details
Test / Hakurei (race detector) (push) Successful in 5m19s
Details
Test / Flake checks (push) Successful in 1m29s
Details 
This no longer needs special treatment since it can be specified as a generic filesystem entry.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-25 19:24:33 +09:00
Ophestra
a3988c1a77 hst: rename net and abstract fields
All checks were successful
Test / Create distribution (push) Successful in 34s
Details
Test / Sandbox (push) Successful in 2m12s
Details
Test / Hakurei (push) Successful in 3m8s
Details
Test / Hpkg (push) Successful in 4m2s
Details
Test / Sandbox (race detector) (push) Successful in 4m25s
Details
Test / Hakurei (race detector) (push) Successful in 5m3s
Details
Test / Flake checks (push) Successful in 1m22s
Details 
This makes more sense and matches the container library.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-18 16:48:01 +09:00
Clayton Gilmer
5db0714072 container: optionally isolate host abstract UNIX domain sockets via landlock
All checks were successful
Test / Create distribution (pull_request) Successful in 33s
Details
Test / Sandbox (pull_request) Successful in 2m10s
Details
Test / Hpkg (pull_request) Successful in 4m1s
Details
Test / Sandbox (race detector) (pull_request) Successful in 4m19s
Details
Test / Hakurei (pull_request) Successful in 4m55s
Details
Test / Hakurei (race detector) (pull_request) Successful in 5m0s
Details
Test / Create distribution (push) Successful in 27s
Details
Test / Sandbox (race detector) (push) Successful in 44s
Details
Test / Sandbox (push) Successful in 44s
Details
Test / Hakurei (push) Successful in 47s
Details
Test / Hakurei (race detector) (push) Successful in 47s
Details
Test / Hpkg (push) Successful in 45s
Details
Test / Flake checks (pull_request) Successful in 1m47s
Details
Test / Flake checks (push) Successful in 1m36s
Details
2025-08-18 16:28:14 +09:00
Ophestra
4ffeec3004 hst/enablement: editor friendly enablement adaptor
All checks were successful
Test / Create distribution (push) Successful in 35s
Details
Test / Hakurei (push) Successful in 45s
Details
Test / Sandbox (push) Successful in 43s
Details
Test / Hakurei (race detector) (push) Successful in 45s
Details
Test / Sandbox (race detector) (push) Successful in 43s
Details
Test / Hpkg (push) Successful in 3m17s
Details
Test / Flake checks (push) Successful in 1m27s
Details 
Having the bit field value here (in decimal, no less) is unfriendly to text editors. Use a bunch of booleans here to improve ease of use.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-15 05:16:51 +09:00
Ophestra
4433c993fa nix: check config via hakurei
All checks were successful
Test / Create distribution (push) Successful in 33s
Details
Test / Hpkg (push) Successful in 40s
Details
Test / Sandbox (push) Successful in 1m28s
Details
Test / Sandbox (race detector) (push) Successful in 2m20s
Details
Test / Hakurei (push) Successful in 2m26s
Details
Test / Hakurei (race detector) (push) Successful in 3m5s
Details
Test / Flake checks (push) Successful in 1m24s
Details 
This is unfortunately the only feasible way of doing this in nix.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-15 03:27:54 +09:00
Ophestra
99ac96511b hst/fs: interface filesystem config
All checks were successful
Test / Create distribution (push) Successful in 33s
Details
Test / Sandbox (push) Successful in 2m14s
Details
Test / Hakurei (push) Successful in 3m37s
Details
Test / Sandbox (race detector) (push) Successful in 4m23s
Details
Test / Hpkg (push) Successful in 4m27s
Details
Test / Hakurei (race detector) (push) Successful in 5m22s
Details
Test / Flake checks (push) Successful in 1m22s
Details 
This allows mount points to be represented by different underlying structs.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-14 04:52:49 +09:00
Ophestra
e99d7affb0 container: use absolute for pathname
All checks were successful
Test / Create distribution (push) Successful in 33s
Details
Test / Sandbox (push) Successful in 1m59s
Details
Test / Hakurei (push) Successful in 2m58s
Details
Test / Hpkg (push) Successful in 3m45s
Details
Test / Sandbox (race detector) (push) Successful in 4m11s
Details
Test / Hakurei (race detector) (push) Successful in 4m47s
Details
Test / Flake checks (push) Successful in 1m26s
Details 
This is simultaneously more efficient and less error-prone. This change caused minor API changes in multiple other packages.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-11 04:56:42 +09:00
Ophestra
ec33061c92 nix: remove nscd cover
All checks were successful
Test / Create distribution (push) Successful in 33s
Details
Test / Hpkg (push) Successful in 40s
Details
Test / Sandbox (push) Successful in 1m30s
Details
Test / Hakurei (push) Successful in 2m18s
Details
Test / Sandbox (race detector) (push) Successful in 2m21s
Details
Test / Hakurei (race detector) (push) Successful in 2m50s
Details
Test / Flake checks (push) Successful in 1m15s
Details 
This is a pd workaround that does nothing in the nixos module.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 22:04:58 +09:00
Ophestra
f7bd28118c hst: configurable wait delay
All checks were successful
Test / Create distribution (push) Successful in 32s
Details
Test / Sandbox (push) Successful in 1m58s
Details
Test / Hakurei (push) Successful in 2m47s
Details
Test / Sandbox (race detector) (push) Successful in 3m56s
Details
Test / Planterette (push) Successful in 3m58s
Details
Test / Hakurei (race detector) (push) Successful in 4m31s
Details
Test / Flake checks (push) Successful in 1m17s
Details 
This is useful for programs that take a long time to clean up.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-29 03:06:49 +09:00
Ophestra
b43d104680 app: integrate interrupt forwarding
All checks were successful
Test / Create distribution (push) Successful in 32s
Details
Test / Sandbox (push) Successful in 1m58s
Details
Test / Hakurei (push) Successful in 2m53s
Details
Test / Sandbox (race detector) (push) Successful in 3m53s
Details
Test / Planterette (push) Successful in 3m53s
Details
Test / Hakurei (race detector) (push) Successful in 4m31s
Details
Test / Flake checks (push) Successful in 1m19s
Details 
This significantly increases usability of command line tools running through hakurei.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-29 02:23:06 +09:00
Ophestra
625632c593 nix: update flake lock
All checks were successful
Test / Create distribution (push) Successful in 39s
Details
Test / Sandbox (race detector) (push) Successful in 50s
Details
Test / Sandbox (push) Successful in 52s
Details
Test / Planterette (push) Successful in 50s
Details
Test / Hakurei (race detector) (push) Successful in 57s
Details
Test / Hakurei (push) Successful in 59s
Details
Test / Flake checks (push) Successful in 1m53s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-26 18:57:54 +09:00
Ophestra
87e008d56d treewide: rename to hakurei
All checks were successful
Test / Create distribution (push) Successful in 43s
Details
Test / Sandbox (push) Successful in 2m18s
Details
Test / Hakurei (push) Successful in 3m10s
Details
Test / Sandbox (race detector) (push) Successful in 3m30s
Details
Test / Hakurei (race detector) (push) Successful in 4m43s
Details
Test / Fpkg (push) Successful in 5m4s
Details
Test / Flake checks (push) Successful in 1m12s
Details 
Fortify makes little sense for a container tool.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-25 04:57:41 +09:00
Ophestra
bf5772bd8a nix: deduplicate home-manager merging
All checks were successful
Test / Create distribution (push) Successful in 44s
Details
Test / Sandbox (push) Successful in 55s
Details
Test / Sandbox (race detector) (push) Successful in 53s
Details
Test / Fortify (race detector) (push) Successful in 50s
Details
Test / Fpkg (push) Successful in 54s
Details
Test / Fortify (push) Successful in 2m8s
Details
Test / Flake checks (push) Successful in 1m7s
Details 
This becomes a problem when extraHomeConfig defines nixos module options.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-08 01:12:18 +09:00
Ophestra
2ffca6984a nix: use reverse-DNS style id as unique identifier
All checks were successful
Test / Create distribution (push) Successful in 19s
Details
Test / Sandbox (push) Successful in 31s
Details
Test / Fortify (push) Successful in 35s
Details
Test / Sandbox (race detector) (push) Successful in 31s
Details
Test / Fortify (race detector) (push) Successful in 35s
Details
Test / Fpkg (push) Successful in 33s
Details
Test / Flake checks (push) Successful in 1m7s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-05-25 20:12:30 +09:00
Ophestra
f30a439bcd nix: improve common usability
All checks were successful
Test / Create distribution (push) Successful in 19s
Details
Test / Sandbox (push) Successful in 31s
Details
Test / Fortify (push) Successful in 35s
Details
Test / Sandbox (race detector) (push) Successful in 31s
Details
Test / Fortify (race detector) (push) Successful in 35s
Details
Test / Fpkg (push) Successful in 33s
Details
Test / Flake checks (push) Successful in 1m7s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-05-16 04:40:12 +09:00
Ophestra
31b7ddd122 fst: improve config
All checks were successful
Test / Create distribution (push) Successful in 26s
Details
Test / Sandbox (push) Successful in 1m50s
Details
Test / Fortify (push) Successful in 2m46s
Details
Test / Sandbox (race detector) (push) Successful in 2m59s
Details
Test / Fortify (race detector) (push) Successful in 4m23s
Details
Test / Fpkg (push) Successful in 5m25s
Details
Test / Flake checks (push) Successful in 1m1s
Details 
The config struct more or less "grew" to what it is today. This change moves things around to make more sense and fixes nonsensical comments describing obsolete behaviour.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-13 03:30:19 +09:00
Ophestra
2f4f21fb18 fst: rename device field
All checks were successful
Test / Create distribution (push) Successful in 26s
Details
Test / Sandbox (push) Successful in 1m46s
Details
Test / Fortify (push) Successful in 2m39s
Details
Test / Sandbox (race detector) (push) Successful in 3m1s
Details
Test / Fpkg (push) Successful in 3m38s
Details
Test / Fortify (race detector) (push) Successful in 4m10s
Details
Test / Flake checks (push) Successful in 1m5s
Details 
Dev is very ambiguous. Rename it here alongside upcoming config changes.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-11 19:32:15 +09:00
Ophestra
72c59f9229 nix: check share/applications in share package
All checks were successful
Test / Create distribution (push) Successful in 27s
Details
Test / Fpkg (push) Successful in 37s
Details
Test / Data race detector (push) Successful in 3m9s
Details
Test / Fortify (push) Successful in 2m2s
Details
Test / Flake checks (push) Successful in 56s
Details 
This allows share directories without share/applications/ to build correctly.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-29 19:28:20 +09:00
Ophestra
32c90ef4e7 nix: pass through exec arguments
All checks were successful
Test / Create distribution (push) Successful in 19s
Details
Test / Fpkg (push) Successful in 34s
Details
Test / Fortify (push) Successful in 41s
Details
Test / Data race detector (push) Successful in 41s
Details
Test / Flake checks (push) Successful in 56s
Details 
This is useful for when a wrapper script is unnecessary.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-27 03:04:46 +09:00
Ophestra
371dd5b938 nix: create current-system symlink
All checks were successful
Test / Create distribution (push) Successful in 20s
Details
Release / Create release (push) Successful in 27s
Details
Test / Fpkg (push) Successful in 35s
Details
Test / Fortify (push) Successful in 40s
Details
Test / Data race detector (push) Successful in 40s
Details
Test / Flake checks (push) Successful in 58s
Details 
This is copied at runtime because it appears to be impossible to obtain this path in nix.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 02:06:11 +09:00
Ophestra
67eb28466d nix: create opengl-driver symlink
All checks were successful
Test / Create distribution (push) Successful in 25s
Details
Test / Fpkg (push) Successful in 33s
Details
Test / Fortify (push) Successful in 2m18s
Details
Test / Data race detector (push) Successful in 3m3s
Details
Test / Flake checks (push) Successful in 53s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 20:52:20 +09:00
Ophestra
5c4058d5ac app: run in native sandbox
All checks were successful
Test / Create distribution (push) Successful in 20s
Details
Test / Fortify (push) Successful in 2m5s
Details
Test / Fpkg (push) Successful in 3m0s
Details
Test / Data race detector (push) Successful in 4m12s
Details
Test / Flake checks (push) Successful in 1m4s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 01:52:49 +09:00
Ophestra
3385538142 nix: clean up flake outputs
All checks were successful
Test / Create distribution (push) Successful in 25s
Details
Test / Fpkg (push) Successful in 32s
Details
Test / Fortify (push) Successful in 2m0s
Details
Test / Data race detector (push) Successful in 2m32s
Details
Test / Flake checks (push) Successful in 48s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-17 12:26:19 +09:00
Ophestra
2d4cabe786 nix: increase nixfmt max width
All checks were successful
Test / Create distribution (push) Successful in 30s
Details
Test / Fpkg (push) Successful in 36s
Details
Test / Data race detector (push) Successful in 35s
Details
Test / Fortify (push) Successful in 39s
Details
Test / Flake checks (push) Successful in 50s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-28 14:43:46 +09:00
Ophestra
8bf162820b nix: separate fsu from package
All checks were successful
Test / Create distribution (push) Successful in 26s
Details
Test / Run NixOS test (push) Successful in 7m25s
Details 
This appears to be the only way to build them with different configuration. This enables static linking in the main package.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-23 18:13:37 +09:00
Ophestra
6ae02e72fa nix: test direct_wayland behaviour
All checks were successful
Test / Create distribution (push) Successful in 47s
Details
Test / Run NixOS test (push) Successful in 3m35s
Details 
This should never be used outside tests unless you absolutely know what you're doing or are using GNOME.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-15 10:45:27 +09:00
Ophestra
989fb5395f nix: remove unused configuration
All checks were successful
Test / Create distribution (push) Successful in 49s
Details
Test / Run NixOS test (push) Successful in 3m30s
Details 
User setup no longer depends on userdb.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-15 10:10:42 +09:00
Ophestra
8d04dd72f1 nix: mount nvidia devices
All checks were successful
Test / Create distribution (push) Successful in 1m43s
Details
Test / Run NixOS test (push) Successful in 3m33s
Details 
These non-standard paths are required in the sandbox for nvidia drivers to work.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-01-25 18:05:18 +09:00
Ophestra
016da20443 nix: expose compat flag in nixos module
All checks were successful
Test / Create distribution (push) Successful in 1m55s
Details
Test / Run NixOS test (push) Successful in 4m6s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-01-25 12:42:48 +09:00
Ophestra
efacaa40fa nix: set deny_devel correctly
All checks were successful
Test / Create distribution (push) Successful in 1m55s
Details
Test / Run NixOS test (push) Successful in 3m51s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-01-24 00:50:35 +09:00
Ophestra
96d5d8a396 nix: apply shared home config to reserved aid
All checks were successful
Build / Create distribution (push) Successful in 2m16s
Details
Test / Run NixOS test (push) Successful in 5m43s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-01-23 20:48:04 +09:00
Ophestra
8a00a83c71 nix: expose syscall filter policy
All checks were successful
Build / Create distribution (push) Successful in 1m31s
Details
Test / Run NixOS test (push) Successful in 1m52s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-01-23 17:24:42 +09:00