This combined with su makes it possible to automatically start a user
environment with sakaya-server running, thus eliminating the need to
spawn a shell with machinectl.
This works, which is pretty cool. One unfortunate consequence is that
networking with the host is required, thus an alternative approach needs
to be considered if one still wants to eliminate internet access from
certain wine applications.
Although this was cool, it created some inconveniences that I'd rather
not have to deal with. For example, opening a document required manually
copying the file to the container mount first.
Instead of containerizing a subset of GUI applications, it's likely much
easier and more effective to spin up a virtual machine of the current
system. That way all GUI applications benefit from virtualization and
not simply containerization, which caused issues when certain programs
detected that they were already open from the wayland socket.
A final benefit of this change is that which container an application is
running in is no longer ambiguous. Although it was possible to use
custom GTK themes depending on which container an application belonged
to, containers for system-installed applications tend to bring a large
amount of overhead. Only using containers for applications that deal
with untrusted inputs and have a large attack surface seems better in
this case.
After using Logseq for a few months, using Obsidian for just a little
bit is quite repulsive. Taking notes that aren't in outliner form feels
alien and not worth it for me personally.
wineWowPackages.stagingFull has better compatibility than waylandFull
and runs more applications without black screens. The difference between
stagingFull and wine-ge is that wine-ge doesn't crash when encountering
an error like ELFCLASS64 and usually opens windows larger and
fullscreen-like.
The reason stagingFull is preferred over wine-ge in this case is that
stagingFull is a part of nixpkgs and doesn't suffer from a black screen
bug when a hidden menu pushes the content in the window viewport down.
Additionally, although wine-ge avoids crashes in more cases, this
results in applications running that may or may not fully work, and
sometimes results in black screens where there should be graphics
instead.
This was a different wine version that let me achieve better
compatibility with Unity3D programs. Although it doesn't crash when
encountering a ELFCLASS64 error, for example, it does have other issues
like a black screen flash when opening a hidden menu (the kind that
become available with the alt key on a keyboard).
Now I don't have to wait for anything to be included in nixos-unstable
and can simply merge whatever I want whenever I want. This also has the
advantage of not having to specify which input is needed to get a
package from.
Mainly a proof of concept. Eventually I'll devise an easy way to view
notes in a pretty way and edit them with neovim (likely through your
typical web framework tools).
Unfortunately, some files may require the use of document editing
software like libreoffice. Fortunately, systemd-nspawn containers enable
us to ensure that these documents do not have access to the internet.
Previously I decided against using srb2 in a container due to the poor
performance I experienced. Since I figured out how to use the graphics
from the host inside of the container, performance is no longer an
issue.
Note that this container uses home-manager from the Nix flake on the
host system, which is pretty cool.
Currently modules in this repository *don't* differentiate between
home-manager and nixos, but this could be changed in the future to
support e.g. my home-manager neovim config on a non-nixos system.
This fixes an issue where containers caused the boot process to slow
down, especially those that relied on mounting directories only
available once a graphical session has already started.
I figured out how to get wine working on Nix, and it works surprisingly
well, however I'd like to avoid programs from writing wherever they want
and don't want to rely on a solution like firejail.
As it turns out, systemd-nspawn containers enable us to run wine applications
in a reasonably private container without access to neither the files of the
host nor its internet connection.