starred/nix-config-ryan4yin
1
0
Fork 0
mirror of https://github.com/ryan4yin/nix-config.git synced 2026-05-31 02:30:39 +02:00
Code Issues Packages Projects Releases 10 Wiki Activity

chore: nixpaks - update dbus policies

Browse Source 
Signed-off-by: Ryan Yin <xiaoyin_c@qq.com>
This commit is contained in:
Ryan Yin
2025-11-01 21:22:52 +08:00
parent 34fdd92351
commit de05214ec5
5 changed files with 8 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files
hardening/nixpaks/firefox.nix
+1 -14
View File
@@ -34,20 +34,6 @@ let
./modules/common.nix ./modules/common.nix
]; ];
# list all dbus services:
# ls -al /run/current-system/sw/share/dbus-1/services/
# ls -al /etc/profiles/per-user/ryan/share/dbus-1/services/
dbus.policies = {
"org.mozilla.firefox.*" = "own"; # firefox
"org.mozilla.firefox_beta.*" = "own"; # firefox beta
"org.mpris.MediaPlayer2.firefox.*" = "own";
"org.gnome.Shell.Screencast" = "talk";
# System tray icon
"org.freedesktop.Notifications" = "talk";
"org.kde.StatusNotifierWatcher" = "talk";
};
bubblewrap = { bubblewrap = {
# To trace all the home files Firefox accesses, you can use the following nushell command: # To trace all the home files Firefox accesses, you can use the following nushell command:
# just trace-access firefox # just trace-access firefox
@@ -61,6 +47,7 @@ let
sloth.xdgDownloadDir sloth.xdgDownloadDir
sloth.xdgMusicDir sloth.xdgMusicDir
sloth.xdgVideosDir sloth.xdgVideosDir
sloth.xdgPicturesDir
]; ];
bind.ro = [ bind.ro = [
"/sys/bus/pci" "/sys/bus/pci"
hardening/nixpaks/modules/common.nix
+5
View File
@@ -1,5 +1,6 @@
# https://github.com/mnixry/nixos-config/blob/74913c2b90d06e31170bbbaa0074f915721da224/desktop/packages/nixpaks-common.nix # https://github.com/mnixry/nixos-config/blob/74913c2b90d06e31170bbbaa0074f915721da224/desktop/packages/nixpaks-common.nix
# https://github.com/Kraftland/portable/blob/09c4a4227538a3f42de208a6ecbdc938ac9c00dd/portable.sh # https://github.com/Kraftland/portable/blob/09c4a4227538a3f42de208a6ecbdc938ac9c00dd/portable.sh
# https://flatpak.github.io/xdg-desktop-portal/docs/api-reference.html
{ {
lib, lib,
sloth, sloth,
@@ -11,6 +12,9 @@ let
in in
{ {
config = { config = {
# list all dbus services:
# ls -al /run/current-system/sw/share/dbus-1/services/
# ls -al /etc/profiles/per-user/ryan/share/dbus-1/services/
dbus = { dbus = {
# `--see`: The bus name can be enumerated by the application. # `--see`: The bus name can be enumerated by the application.
# `--talk`: The application can send messages to, and receive replies and signals from, the bus name. # `--talk`: The application can send messages to, and receive replies and signals from, the bus name.
@@ -41,6 +45,7 @@ in
"org.freedesktop.FileManager1" = "talk"; "org.freedesktop.FileManager1" = "talk";
"org.freedesktop.Notifications" = "talk"; "org.freedesktop.Notifications" = "talk";
"org.kde.StatusNotifierWatcher" = "talk"; "org.kde.StatusNotifierWatcher" = "talk";
"org.gnome.Shell.Screencast" = "talk";
# --- Accessibility (a11y) 无障碍服务 --- # --- Accessibility (a11y) 无障碍服务 ---
"org.a11y.Bus" = "see"; "org.a11y.Bus" = "see";
hardening/nixpaks/qq.nix
+1 -13
View File
@@ -31,19 +31,6 @@ let
./modules/common.nix ./modules/common.nix
]; ];
# list all dbus services:
# ls -al /run/current-system/sw/share/dbus-1/services/
# ls -al /etc/profiles/per-user/ryan/share/dbus-1/services/
dbus.policies = {
"org.gnome.Shell.Screencast" = "talk";
# System tray icon
"org.freedesktop.Notifications" = "talk";
"org.kde.StatusNotifierWatcher" = "talk";
# File Manager
"org.freedesktop.FileManager1" = "talk";
# Uses legacy StatusNotifier implementation
"org.kde.*" = "own";
};
bubblewrap = { bubblewrap = {
# To trace all the home files QQ accesses, you can use the following nushell command: # To trace all the home files QQ accesses, you can use the following nushell command:
# just trace-access qq # just trace-access qq
@@ -53,6 +40,7 @@ let
sloth.xdgDownloadDir sloth.xdgDownloadDir
sloth.xdgMusicDir sloth.xdgMusicDir
sloth.xdgVideosDir sloth.xdgVideosDir
sloth.xdgPicturesDir
]; ];
sockets = { sockets = {
x11 = false; x11 = false;
hardening/nixpaks/telegram-desktop.nix
+1 -4
View File
@@ -24,10 +24,6 @@ let
dbus = { dbus = {
enable = true; enable = true;
policies = { policies = {
"org.gnome.Mutter.IdleMonitor" = "talk";
"org.freedesktop.Notifications" = "talk";
"org.kde.StatusNotifierWatcher" = "talk";
"com.canonical.AppMenu.Registrar" = "talk";
"com.canonical.indicator.application" = "talk"; "com.canonical.indicator.application" = "talk";
"org.ayatana.indicator.application" = "talk"; "org.ayatana.indicator.application" = "talk";
"org.sigxcpu.Feedback" = "talk"; "org.sigxcpu.Feedback" = "talk";
@@ -40,6 +36,7 @@ let
sloth.xdgDownloadDir sloth.xdgDownloadDir
sloth.xdgMusicDir sloth.xdgMusicDir
sloth.xdgVideosDir sloth.xdgVideosDir
sloth.xdgPicturesDir
]; ];
sockets = { sockets = {
x11 = false; x11 = false;
modules/nixos/base/networking/misc.nix
-5
View File
@@ -8,9 +8,4 @@
# dynamically update /etc/hosts for testing # dynamically update /etc/hosts for testing
# Note that changes made in this way will be discarded when switching configurations. # Note that changes made in this way will be discarded when switching configurations.
environment.etc.hosts.mode = "0644"; environment.etc.hosts.mode = "0644";
networking.hosts."127.0.0.1" = [
# Block this domain to prevent QQ from auto-updating.
"qqpatch.gtimg.cn"
];
} }