OS: NixOS unstable (flaked)
WM, DE: KDE Plasma
Messaging: Varies
Don't really watch many videos / listen to music
Editor: Neovim
Programming language: Varies, mostly Nix + Rust
Browser: Firefox
Phone launcher: Niagara
PoolloverNathan
Made a Nix library for this. For a simple setup you can just build this (untested) and run the result:
import ./encase.nix {
  name = "firefox";
  rw.home.nathan = /home/nathan/home-for/firefox;
  # other dependencies it might need...
  tmp = /tmp; # fresh tmpfs for this sandbox
  network = true;
  command = pkgs.firefox;
}
It doesn't have user isolation yet, so if it escapes the browser and the chroot (which doesn't have a /proc unless you set `proc = /proc;`, and runs in a PID namespace either way) your files are still at risk. However, this is still pretty secure, and you can run the script itself as a different user (it creates a new UID namespace so chrooting can be done without root).
Actually I want to write an app browser for NixOS now.
I'm glad Voyager puts baby icons on new accounts; it usually resembles how they look in real life.
Use *asterisks* for in-word italics: *in*famous → infamous.
I calmly remove my USB labeled “oh shit” from my pocket, insert it, and reboot.
That's why I put Linux on my house.
I just add this to my system config:
networking.wireless = {
  enable = true;
  networks = import ./networks.nix;
};
Then I define my networks in a gitignored file and I'm good to go.
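An added example (not code from the comment above) of what such a NixOS module can look like when the pre-shared keys are kept out of the world-readable Nix store via `networking.wireless.environmentFile`; the SSIDs, the secrets path and the variable names are placeholders:

```nix
# Added example, not the commenter's own config. Assumes a hand-created
# secrets file at the path below (mode 0600, root-owned) with lines like:
#   HOME_PSK=example-passphrase-not-real
#   OFFICE_PSK_RAW=<64 hex chars of a precomputed PSK>
{ config, pkgs, ... }:
{
  networking.wireless = {
    enable = true;

    # Variables from this file are substituted into the network options
    # below as @VARNAME@, so the key itself never lands in /nix/store,
    # which every local user can read.
    environmentFile = "/root/wireless.env"; # placeholder path

    # Equivalent to `networks = import ./networks.nix;` with the networks
    # written inline; none of these entries contain a literal secret.
    networks = {
      "home-wifi" = {                       # placeholder SSID
        psk = "@HOME_PSK@";                 # resolved from environmentFile
        priority = 10;                      # prefer this network when in range
      };
      "office-guest" = {                    # placeholder SSID
        pskRaw = "@OFFICE_PSK_RAW@";        # precomputed 256-bit PSK, also substituted
        hidden = true;                      # SSID is not broadcast
      };
    };
  };
}
```

With this layout the gitignored networks.nix can be committed or shared without leaking keys, since the only secret-bearing file is the environment file outside the repository and the store.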
The closest I've been to Windows since I've installed Linux is putting its partition in the NixOS (gen 19) filesystem list.
Nah, we shouldn't block them. When we do, they can continue to troll unnoticed and scare away new users. When we don't, we can call their bullshit every time they comment.
...and this here, folks, is the problem.
Relevant XKCD