Commits
Closes TAN-515
Signed-off-by: eti <eti@eti.tf>
Lewis: May this revision serve well! <lewis@tangled.org>
Signed-off-by: dawn <dawn@tangled.org>
Signed-off-by: Jens Rømer Hesselbjerg <jh.roemer@gmail.com>
Signed-off-by: dawn <dawn@tangled.org>
Signed-off-by: dawn <dawn@tangled.org>
Lewis: May this revision serve well! <lewis@tangled.org>
Signed-off-by: dawn <dawn@tangled.org>
Signed-off-by: dawn <dawn@tangled.org>
Lewis: May this revision serve well! <lewis@tangled.org>
in mobile view, hide the focus button in the notifications page.
Signed-off-by: oppiliappan <me@oppi.li>
in the topbar, on smaller devices, shrink the full logotype to just the
logo.
Signed-off-by: oppiliappan <me@oppi.li>
Lewis: May this revision serve well! <lewis@tangled.org>
Signed-off-by: dawn <dawn@tangled.org>
Signed-off-by: dawn <dawn@tangled.org>
slirp4netns has a bug where it will break host devices on root user
if this is enabled. so to avoid this, let's disable it. the sandboxing
doesn't matter here because slirp4netns runs next to spindle anyway
so if slirp is compromised you have bigger issues, and seccomp is still
enabled, and if you really care your spindle should be a hardened
systemd service anyway.
Signed-off-by: dawn <dawn@tangled.org>
Signed-off-by: dawn <dawn@tangled.org>
Signed-off-by: dawn <dawn@tangled.org>
Signed-off-by: dawn <dawn@tangled.org>
Signed-off-by: dawn <dawn@tangled.org>
We can't trust `content-length` since the blob might be gzipped. Use `size`
from `getEntry` output instead.
Signed-off-by: Seongmin Lee <git@boltless.me>
Signed-off-by: Seongmin Lee <git@boltless.me>
Signed-off-by: Seongmin Lee <git@boltless.me>
Signed-off-by: Seongmin Lee <git@boltless.me>
spindle,shuttle,nix: add an alpine microvm image
spindle/microvm: allow user defined binary caches in workflows
shuttle,nix/microvm: get rid of the hacky nix config parsing / rendering, use nix directly so we can access module options
spindle/engine: generalize scheduler out of microvm, make it work-conserving with aging and per-user fairness
spindle/microvm: add resource budget limits and optional cgroup enforcement
Signed-off-by: dawn <dawn@tangled.org>
Lewis: May this revision serve well! <lewis@tangled.org>
Signed-off-by: Anirudh Oppiliappan <x@icyphox.sh>
Signed-off-by: eti <eti@eti.tf>
Lewis: May this revision serve well! <lewis@tangled.org>
Lewis: May this revision serve well! <lewis@tangled.org>
Signed-off-by: Seongmin Lee <git@boltless.me>
Lewis: May this revision serve well! <lewis@tangled.org>
Lewis: May this revision serve well! <lewis@tangled.org>
Signed-off-by: oppiliappan <me@oppi.li>
- move pages.ParseWith to blog.parseLayout
- blog now builds against a new layouts/blogbase instead of inheriting
  appview's base layout
Signed-off-by: oppiliappan <me@oppi.li>
- Add unit and integration tests for sandbox and path behavior
- Define a RuleSpec to construct Landlock ruleset
- Enforce $HOME/.config/git/config for git config (was previously
  granting the entirety of $HOME)
Signed-off-by: Anirudh Oppiliappan <anirudh@tangled.org>
Signed-off-by: Anirudh Oppiliappan <anirudh@tangled.org>
Lewis: May this revision serve well! <lewis@tangled.org>
Lewis: May this revision serve well! <lewis@tangled.org>
Lewis: May this revision serve well! <lewis@tangled.org>
Lewis: May this revision serve well! <lewis@tangled.org>
Lewis: May this revision serve well! <lewis@tangled.org>
Lewis: May this revision serve well! <lewis@tangled.org>
Lewis: May this revision serve well! <lewis@tangled.org>
Lewis: May this revision serve well! <lewis@tangled.org>
Lewis: May this revision serve well! <lewis@tangled.org>
Lewis: May this revision serve well! <lewis@tangled.org>
Lewis: May this revision serve well! <lewis@tangled.org>