workstation

work in progress, a plan if you will

i have some ideas about organizing my computer.

why?

its possible that i can run illumos on my laptop so it can be inside of me😳. i worry about compat, but i might as well try. would need to have graphcal lx zones to be workable. i imagine graphics should be possible via x.

admin

hardened_malloc

i occasionally work as a contractor or as a consultant. this set up makes it easy to create new environments that i can use for specific projects.

for easy cleanup, i could keep each environment on a disk with its own encryption key. when the envirionment is destroyed i can simply shred the key and the data is gone.

services

minimal services are run in the "global zone" only because they have to. minimalism is good for security and saves the majority of the system's resources for actually doing stuff.

chrony

ntpd

haveged

this is a precaution against exhausting the entropy available for the system. i should do some actual mesurements to see if this is needed.

zram

this has saved my bacon a bunch of times when doing memory heavy work. its a nice buffer against swapping.

greetd(tuigreeter)

sadly, these are written in rust. i do like them though. a replacement of some kind is in order.

jack

jack is the system sound server, depending on the container either ALSA or PulseAudio compatibility hacks are used.

playing nice with alsa

PulseAudio through JACK

toasted-yggdrasil

mesh-only containers could be limited to a 300:: prefix. uses ~toast's optimized builds.

wayland

wio-based desktop envirionment. can lxd applications be caged? no xwayland in the "global zone" please.

dnsmasq

lxd

the container filesystems are stored on an encrypted zpool. these are unlocked during the login process.

{distro}-{label}

wayland inside lxd

 ----------------------------------------------------
| host                                                |
|  -------------------------------------------------  |
| | wayland                                         | |
| |  ---------------------------------------------  | |
| | | container: {env}-{distro}-{org}             | | |
| | | waylandsocket:                              | | |
| | |   bind: container                           | | |
| | |   connect: unix:/run/user/1000/wayland-0    | | |
| | |   listen: unix:/mnt/wayland1/wayland-0      | | |
| | |   security.gid: "1000"                      | | |
| | |   security.uid: "1000"                      | | |
| | |   type: proxy                               | | |
| | |   uid: "1000"                               | | |
| | |   gid: "1000"                               | | |
| |  ---------------------------------------------  | |
|  -------------------------------------------------  |
 -----------------------------------------------------