please go away cis man. your queerphobia is Really Showing. a ...

2026-05-06T05:22:10Z

In reply to nevent1q…mfps
_________________________

please go away cis man. your queerphobia is Really Showing. a random wiki is not the all mighty source of truth for the entirety of queer folks.

so please block me if i seriously upset you that much over our consenting, loving relationship with my sister instead of making yourself look like a fool more and trying to derail my thread here

i dont need to be mansplained either so yeah please go away ...

2026-05-06T05:07:23Z

In reply to nevent1q…jf0z
_________________________

i dont need to be mansplained either so yeah please go away

consang isnt bad either btw <3

this doesnt really explain or help anything other than making a ...

2026-05-06T04:36:30Z

In reply to nevent1q…33yf
_________________________

this doesnt really explain or help anything other than making a blind assumption that bubblewrap can do everything there, and there still isnt an example.

one thing i really like about systemd is the unit sandboxing ...

2026-05-06T01:37:47Z

one thing i *really* like about systemd is the unit sandboxing capabilities and how convenient it is

https://wiki.archlinux.org/title/Systemd/Sandboxing

heres an example from my tuwunel matrix systemd unit

```
[Unit]
Description=Tuwunel Matrix homeserver
#Requires=tuwunel.socket
Wants=network-online.target
After=network-online.target
Documentation=https://tuwunel.chat/

[Service]
User=tuwunel
Group=tuwunel
Type=notify
ReloadSignal=SIGUSR1
WatchdogSec=30

TTYPath=/dev/tty25
DeviceAllow=char-tty
StandardInput=tty-force
StandardOutput=tty
StandardError=journal+console
TTYReset=yes
# uncomment to allow buffer to be cleared every restart
TTYVTDisallocate=no

TTYColumns=120
TTYRows=40

Environment="TUWUNEL_CONFIG=/etc/tuwunel/tuwunel.toml"

ExecStart=/usr/sbin/tuwunel

ReadWritePaths=/var/lib/tuwunel /etc/tuwunel

AmbientCapabilities=
CapabilityBoundingSet=

ManagedOOMPreference=avoid

MemoryHigh=3G
MemoryMax=4G

DevicePolicy=closed
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
#ProcSubset=pid
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
PrivateDevices=yes
PrivateMounts=yes
PrivateTmp=yes
PrivateUsers=yes
PrivateIPC=yes
RemoveIPC=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service @resources
SystemCallFilter=~@clock @debug @module @mount @reboot @swap @cpu-emulation @obsolete @timer @chown @setuid @privileged @keyring @ipc
SystemCallErrorNumber=EPERM
#StateDirectory=tuwunel

RuntimeDirectory=tuwunel
RuntimeDirectoryMode=0750

Restart=on-failure
RestartSec=5

TimeoutStopSec=2m
TimeoutStartSec=2m

StartLimitInterval=1m
StartLimitBurst=5

[Install]
WantedBy=multi-user.target
Alias=matrix-tuwunel.service
```

how can i replicate that kind of stuff with openrc?

Nostr notes by june ✿ (6a756e65)

please go away cis man. your queerphobia is Really Showing. a ...

i dont need to be mansplained either so yeah please go away ...

this doesnt really explain or help anything other than making a ...

one thing i *really* like about systemd is the unit sandboxing ...

one thing i really like about systemd is the unit sandboxing ...