cached and updated nix-index

2025-01-14 20:37:14 +01:00 · 2025-01-14 20:37:14 +01:00 · 066bacfce8
commit 066bacfce8
parent 53795ecb66
12 changed files with 240 additions and 62 deletions
--- a/common/gaming.nix
+++ b/common/gaming.nix
@ -47,26 +47,21 @@ in
      GAMEMODERUNEXEC = "env DRI_PRIME=1";
    };

-    environment.systemPackages =
-      with pkgs;
-      [
-        # heroic
-        prismlauncher
-        mangohud
-        the-powder-toy
-        factorio
-        pactorio
-        (symlinkJoin {
-          name = "osu";
-          paths = [
-            (writeShellScriptBin "osu!" ''
-              exec gamemoderun ${getExe osu-lazer-bin}
-            '')
-            osu-lazer-bin
-          ];
-        })
-      ]
-      ++ optional (!isNull factorio.passthru.updateScript) factorio;
+    environment.systemPackages = with pkgs; [
+      # heroic
+      prismlauncher
+      mangohud
+      the-powder-toy
+      (symlinkJoin {
+        name = "osu";
+        paths = [
+          (writeShellScriptBin "osu!" ''
+            exec gamemoderun ${getExe osu-lazer-bin}
+          '')
+          osu-lazer-bin
+        ];
+      })
+    ];
  };

  options.grimmShared.gaming = mkEnableOption "enables steam, heroic, prism and gamemoded";
--- a/common/network/default.nix
+++ b/common/network/default.nix
@ -22,6 +22,8 @@ in
      openconnect
    ];

+    users.users.nscd.uid = 997;
+
    networking.firewall = {
      enable = true;
      allowPing = true;
--- a/common/tooling/default.nix
+++ b/common/tooling/default.nix
@ -25,6 +25,7 @@ in
    ./c.nix
    ./java.nix
    ./ranger.nix
+    ./nix-index.nix
    # ./defaultProtectHome.nix
  ];

@ -66,7 +67,7 @@ in
      ]
      ++ optionals graphical [
        wev
-        qdirstat
+        k4dirstat
        libva-utils
        gparted
        bottles
--- a/common/tooling/nix-index.nix
+++ b/common/tooling/nix-index.nix
@ -0,0 +1,76 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  db_path = "/var/nix-index/current";
+  mode = "755";
+  user = "nix-index";
+in
+{
+  users.users."${user}" = {
+    isSystemUser = true;
+    group = user;
+  };
+  users.groups."${user}" = { };
+
+  nix.settings.allowed-users = [ user ];
+
+  environment.systemPackages = with pkgs; [
+    nix-index
+  ];
+
+  systemd.tmpfiles.rules = [
+    "d /var/nix-index 0${mode} ${user} ${user} 14d"
+  ];
+
+  environment.sessionVariables.NIX_INDEX_DATABASE = db_path;
+
+  systemd.services.nix-index-update = {
+    description = "update nix-index database";
+    after = [
+      "network-online.target"
+      "nix-daemon.service"
+    ];
+    wants = [
+      "network-online.target"
+      "nix-daemon.service"
+    ];
+    serviceConfig = {
+      Type = "simple";
+      Nice = 19;
+      # UMask = mode;
+      # DynamicUser = true;
+      ReadWritePaths = "/var/nix-index/";
+      CacheDirectory = "index-cache";
+
+      User = user;
+      Group = user;
+    };
+    environment.NIX_PATH = lib.concatStringsSep ":" config.nix.nixPath;
+    script = ''
+      platform="$(uname -m | sed 's/^arm64$/aarch64/')-$(uname | tr "[:upper:]" "[:lower:]")"
+      path="/var/nix-index/index-$platform-$(date -I)"
+      mkdir -p "$path" -m ${mode}
+      XDG_CACHE_HOME=$CACHE_DIRECTORY ${lib.getExe' pkgs.nix-index "nix-index"} --show-trace -c 0 -s $platform --db "$path" || exit 1
+      rm -f ${db_path}
+      ln -s "$path" ${db_path}
+      # && chmod ${mode} ${db_path}
+      echo "link success"
+    '';
+    enable = true;
+  };
+
+  systemd.timers.nix-index-update = {
+    description = "regularly update nix-index database";
+    timerConfig.Persistent = true;
+    timerConfig.OnCalendar = "Mon *-*-* 00:00:00";
+    wantedBy = [
+      "multi-user.target"
+      "timers.target"
+    ];
+    enable = true;
+  };
+}
--- a/flake.lock
+++ b/flake.lock
@ -140,11 +140,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1736524793,
-        "narHash": "sha256-UEbNwGorRiNLtzhshxe/2J2BmwGI1cDCDhSYtY8qREU=",
+        "lastModified": 1736774329,
+        "narHash": "sha256-GP39XWhiD6bKidoOTfq+82VpFMxG6AcNV4ynKoFWpMU=",
        "owner": "chaotic-cx",
        "repo": "nyx",
-        "rev": "38844e9b3e17948a66b0dea0ce0bcc0355d6d876",
+        "rev": "705c09ade97041ccc9d04282498af7983874fe19",
        "type": "github"
      },
      "original": {
@ -342,11 +342,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1736421950,
-        "narHash": "sha256-RyrX0WFXxFrYvzHNLTIyuk3NcNl3UBykuYru/P0zW5E=",
+        "lastModified": 1736508663,
+        "narHash": "sha256-ZOaGwa+WnB7Zn3YXimqjmIugAnHePdXCmNu+AHkq808=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "d4aebb947a301b8da8654a804979a738c5c5da50",
+        "rev": "2532b500c3ed2b8940e831039dcec5a5ea093afc",
        "type": "github"
      },
      "original": {
@ -383,11 +383,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1736409493,
-        "narHash": "sha256-XezBEaGENmXgndx2gsVxQ0JoHUeQs9OSUZvVx/GDqyQ=",
+        "lastModified": 1736580596,
+        "narHash": "sha256-t+BygGMcg1yyyTBXCAJWx4ZnH1StDzbd8CfzQonAJp8=",
        "owner": "Jovian-Experiments",
        "repo": "Jovian-NixOS",
-        "rev": "9a958cc0aa5241ea3badf44a063a4b0389dc0110",
+        "rev": "1ddf0b3bfe076fa50b84244e42a55b9234f96083",
        "type": "github"
      },
      "original": {
@ -507,11 +507,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1736523798,
-        "narHash": "sha256-Xb8mke6UCYjge9kPR9o4P1nVrhk7QBbKv3xQ9cj7h2s=",
+        "lastModified": 1736701207,
+        "narHash": "sha256-jG/+MvjVY7SlTakzZ2fJ5dC3V1PrKKrUEOEE30jrOKA=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "130595eba61081acde9001f43de3248d8888ac4a",
+        "rev": "ed4a395ea001367c1f13d34b1e01aa10290f67d6",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -120,12 +120,16 @@
            ./configuration.nix
            aa-alias-manager.nixosModules.default
            # apparmor-dev.nixosModules.default
+            ./perlless.nix

            ./specific/grimm-nixos-ssd/configuration.nix
            (
-              { modulesPath, lib, ... }:
+              { modulesPath, ... }:
              {
-                imports = lib.singleton "${modulesPath}/profiles/hardened.nix";
+                imports = [
+                  "${modulesPath}/profiles/hardened.nix"
+                  # "${modulesPath}/profiles/perlless.nix"
+                ];
              }
            )

--- a/hardening/apparmor/apparmor-d-package.nix
+++ b/hardening/apparmor/apparmor-d-package.nix
@ -1,27 +1,24 @@
 {
  buildGoModule,
  fetchFromGitHub,
-  git,
  lib,
  unstableGitUpdater,
 }:
 buildGoModule {
  pname = "apparmor-d";
-  version = "unstable-2024-10-12";
+  version = "unstable-2025-01-13";

  src = fetchFromGitHub {
-    rev = "db6c94ba5ad97112bc577cb66c2e1fa66df83a29";
+    rev = "f1182b27bb64a3bf44e92a4bafb58178ebfbf5ac";
    owner = "roddhjav";
    repo = "apparmor.d";
-    hash = "sha256-3qVSMLIzVd9hcvj2V2eaacNOjOFTUHkTslaTETYYg4U=";
+    hash = "sha256-3Ofv7Eam2/CXRNM84E0H97RrLWQEzDeSM6wYykzlLAM=";
  };

  vendorHash = null;

  doCheck = false;

-  nativeBuildInputs = [ git ];
-
  patches = [
    ./apparmor-d-prebuild.patch
  ];
--- a/hardening/default.nix
+++ b/hardening/default.nix
@ -1,4 +1,9 @@
-{ lib, config, ... }:
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
 {
  imports = [
    ./systemd
@ -16,4 +21,6 @@
  virtualisation.vswitch.enable = false;
  # services.resolved.enable = false;
  security.unprivilegedUsernsClone = true;
+  environment.defaultPackages = lib.mkForce [ ];
+  environment.systemPackages = with pkgs; [ nano ];
 }
--- a/hardening/opensnitch/default.nix
+++ b/hardening/opensnitch/default.nix
@ -161,12 +161,76 @@ in
              {
                type = "simple";
                operand = "user.id";
-                data = "998";
+                data = builtins.toString (lib.defaultTo 997 config.users.users.nscd.uid);
              }
            ];
          };
        };

+        nix-index = {
+          name = "nix-index";
+          enabled = true;
+          action = "allow";
+          duration = "always";
+          inherit created;
+          operator = {
+            type = "list";
+            operand = "list";
+            list = [
+              {
+                type = "simple";
+                sensitive = false;
+                operand = "process.path";
+                data = getExe' pkgs.nix-index-unwrapped "nix-index";
+              }
+              {
+                type = "regexp";
+                operand = "dest.port";
+                data = "53|443";
+              }
+              {
+                type = "simple";
+                sensitive = false;
+                operand = "dest.host";
+                data = "cache.nixos.org";
+              }
+
+            ];
+          };
+        };
+
+        nix = {
+          name = "nix";
+          enabled = true;
+          action = "allow";
+          duration = "always";
+          inherit created;
+          operator = {
+            type = "list";
+            operand = "list";
+            list = [
+              {
+                type = "simple";
+                sensitive = false;
+                operand = "process.path";
+                data = getExe pkgs.nix;
+              }
+              {
+                type = "regexp";
+                operand = "dest.port";
+                data = "53|443";
+              }
+              {
+                type = "regexp";
+                sensitive = false;
+                operand = "dest.host";
+                data = "(channels|cache)\\.nixos\\.org";
+              }
+
+            ];
+          };
+        };
+
        localhost = {
          name = "localhost";
          enabled = true;
@ -505,9 +569,9 @@ in
                data = getExe' pkgs.networkmanager "networkmanager";
              }
              {
-                type = "simple";
+                type = "regexp";
                operand = "dest.port";
-                data = "547";
+                data = "547|67";
              }
              #  {
              #    type ="simple";
--- a/perlless.nix
+++ b/perlless.nix
@ -0,0 +1,27 @@
+{ lib, pkgs, ... }:
+
+{
+
+  # Remove perl from activation
+  boot.initrd.systemd.enable = lib.mkDefault true;
+  system.etc.overlay.enable = lib.mkDefault true;
+  services.userborn.enable = lib.mkDefault true;
+
+  # Random perl remnants
+  system.disableInstallerTools = lib.mkDefault true;
+  programs.less.lessopen = lib.mkDefault null;
+  programs.command-not-found.enable = lib.mkDefault false;
+  boot.enableContainers = lib.mkDefault false;
+  boot.loader.grub.enable = lib.mkDefault false;
+  environment.defaultPackages = lib.mkDefault [ ];
+  documentation.info.enable = lib.mkDefault false;
+
+  # Check that the system does not contain a Nix store path that contains the
+  # string "perl".
+  # system.forbiddenDependenciesRegexes = [ "perl" ];
+
+  # Re-add nixos-rebuild to the systemPackages that was removed by the
+  # `system.disableInstallerTools` option.
+  environment.systemPackages = [ pkgs.nixos-rebuild ];
+
+}
--- a/specific/grimm-nixos-ssd/hardware-configuration.nix
+++ b/specific/grimm-nixos-ssd/hardware-configuration.nix
@ -191,22 +191,24 @@ in
      forEachUser = fn: lib.mapAttrsToList fn { inherit (config.users.users) grimmauld root; };
    in
    lib.mergeAttrsList (
-      forEachUser (name: user: {
-        "${name}".rules = [
-          # "d /home/${user}/Downloads - - - 14d"
-          "e ${user.home}/.vim/undodir - - - 7d"
-          "d ${user.home}/.cache - - - 7d"
-          "e ${user.home}/.java - - - 7d"
-          "e ${user.home}/.gradle - - - 7d"
-          "e ${user.home}/.cargo - - - 7d"
-          "e ${user.home}/.rustup - - - 7d"
-          "e ${user.home}/.templateengine - - - 7d"
-          "e ${user.home}/.sane - - - 7d"
-          "e ${user.home}/.dotnet - - - 7d"
-          "e ${user.home}/.nuget - - - 7d"
-          # "d /home/${user}/.local/state/mpv/watch_later - - - 14d"
-        ];
-      })
+      forEachUser (
+        name: user: {
+          "${name}".rules = [
+            # "d /home/${user}/Downloads - - - 14d"
+            "e ${user.home}/.vim/undodir - - - 7d"
+            "d ${user.home}/.cache - - - 7d"
+            "e ${user.home}/.java - - - 7d"
+            "e ${user.home}/.gradle - - - 7d"
+            "e ${user.home}/.cargo - - - 7d"
+            "e ${user.home}/.rustup - - - 7d"
+            "e ${user.home}/.templateengine - - - 7d"
+            "e ${user.home}/.sane - - - 7d"
+            "e ${user.home}/.dotnet - - - 7d"
+            "e ${user.home}/.nuget - - - 7d"
+            # "d /home/${user}/.local/state/mpv/watch_later - - - 14d"
+          ];
+        }
+      )
    );

  systemd.services.nix-daemon.environment.TMPDIR = nix_build;
@ -268,6 +270,9 @@ in
    };
  };

+  boot.initrd.systemd.enable = false; # breaks with luks
+  system.etc.overlay.enable = false; # requires systemd initrd1
+
  boot.initrd.luks.yubikeySupport = true; # enable yubikey support
  boot.initrd.luks.reusePassphrases = false;

--- a/sway/default.nix
+++ b/sway/default.nix
@ -194,7 +194,7 @@
            (getExe' pkgs.xdg-user-dirs "xdg-user-dirs-update")
            ''${getExe' pkgs.coreutils-full "sleep"} 3 && ${getExe' pkgs.blueman "blueman-applet"}''
            (getExe' pkgs.lxqt.lxqt-policykit "lxqt-policykit-agent")
-            (getExe' config.hardware.opentabletdriver.package "otd-daemon")
+            # (getExe' config.hardware.opentabletdriver.package "otd-daemon")
            pkgs.swaynotificationcenter
            pkgs.networkmanagerapplet
            aw-bundle