From 06b37c6d92ce93d09555de9d0bf3f48e45eb5c97 Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Tue, 26 Nov 2024 19:20:10 +0100
Subject: [PATCH] nixfmt
---
common/firefox.nix | 12 +-
common/graphics/opengl.nix | 8 +-
common/graphics/qt.nix | 10 +-
common/graphics/sway.nix | 8 +-
common/hardware/laptop.nix | 16 +-
common/network/default.nix | 2 +-
common/sound/spotifyd.nix | 12 +-
common/tooling/apparmor/apparmor-d-module.nix | 33 +-
.../tooling/apparmor/apparmor-d-package.nix | 16 +-
common/tooling/apparmor/default.nix | 131 ++++---
common/tooling/default.nix | 2 +-
common/tooling/helix.nix | 2 +-
common/tooling/opensnitch/block_lists.nix | 8 +-
common/tooling/ranger.nix | 2 +-
common/tooling/security.nix | 8 +-
common/tooling/wine.nix | 24 +-
common/xdg/portals.nix | 16 +-
configuration.nix | 2 +-
custom/ncspot/package.nix | 57 ++--
flake.nix | 45 ++-
modules/default.nix | 2 +-
modules/matrix_legacy.nix | 291 +++++++++---------
modules/wireguard.nix | 24 +-
overlays/factorio.nix | 5 +-
overlays/ncspot.nix | 2 +-
specific/grimm-nixos-laptop/configuration.nix | 1 -
specific/grimm-nixos-ssd/configuration.nix | 59 ++--
.../hardware-configuration.nix | 127 ++++----
sway/default.nix | 206 +++++++------
users.nix | 5 +-
30 files changed, 634 insertions(+), 502 deletions(-)
diff --git a/common/firefox.nix b/common/firefox.nix
index c425860..f5967ea 100644
--- a/common/firefox.nix
+++ b/common/firefox.nix
@@ -38,11 +38,13 @@ in policies = { ExtensionSettings = # (mkIf firefox.disableUserPlugins { "*".installation_mode = "blocked"; }) // - (mapAttrs (guid: shortId: { - # explicit plugins by config - install_url = "https://addons.mozilla.org/en-US/firefox/downloads/latest/${shortId}/latest.xpi"; - installation_mode = "force_installed"; - }) config.grimmShared.firefox.plugins); + ( + mapAttrs (guid: shortId: { + # explicit plugins by config + install_url = "https://addons.mozilla.org/en-US/firefox/downloads/latest/${shortId}/latest.xpi"; + installation_mode = "force_installed"; + }) config.grimmShared.firefox.plugins + ); DisableTelemetry = true; DisableFirefoxStudies = true; EnableTrackingProtection = { diff --git a/common/graphics/opengl.nix b/common/graphics/opengl.nix index 7d8a21f..74ad66b 100644 --- a/common/graphics/opengl.nix +++ b/common/graphics/opengl.nix @@ -43,16 +43,18 @@ in enable = true; #driSupport = true; #driSupport32Bit = true; - extraPackages = with pkgs; [ + extraPackages = with pkgs; [ intel-media-driver # LIBVA_DRIVER_NAME=iHD # intel-vaapi-driver # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium) # libvdpau-va-gl ]; }; - environment.sessionVariables = { LIBVA_DRIVER_NAME = "iHD"; }; # Force intel-media-driver + environment.sessionVariables = { + LIBVA_DRIVER_NAME = "iHD"; + }; # Force intel-media-driver -# chaotic.mesa-git.enable = true; + # chaotic.mesa-git.enable = true; boot.kernelParams = [ "nouveau.config=NvGspRm=1" ]; environment.sessionVariables = { diff --git a/common/graphics/qt.nix b/common/graphics/qt.nix index 23efd9e..cda30b7 100644 --- a/common/graphics/qt.nix +++ b/common/graphics/qt.nix @@ -19,10 +19,10 @@ in with pkgs; with kdePackages; [ -# qtstyleplugin-kvantum + # qtstyleplugin-kvantum catppuccin-sddm-corners libsForQt5.qtgraphicaleffects -# catppuccin-kvantum + # catppuccin-kvantum breeze kdePackages.audiocd-kio kdePackages.kio-extras 
@@ -33,7 +33,7 @@ in qtwayland ]; -# environment.pathsToLink = [ "/share/Kvantum" ]; + # environment.pathsToLink = [ "/share/Kvantum" ]; services.displayManager = { sddm = { @@ -46,8 +46,8 @@ in }; xdg.portal.lxqt.styles = with pkgs; [ - kdePackages.breeze-qt5 - ]; + kdePackages.breeze-qt5 + ]; boot.plymouth = { themePackages = with pkgs; [ catppuccin-plymouth ]; diff --git a/common/graphics/sway.nix b/common/graphics/sway.nix index d98d6ad..1a04007 100644 --- a/common/graphics/sway.nix +++ b/common/graphics/sway.nix @@ -87,7 +87,9 @@ let export SWAYSOCK="/run/user/$uid/sway-ipc.$uid.$pid.sock" if [[ -e "$SWAYSOCK" ]] ; then echo "sock is $SWAYSOCK" - ${getExe' config.programs.sway.package "swaymsg"} '${concatMapStrings (s: s + " ; ") output_def}' + ${getExe' config.programs.sway.package "swaymsg"} '${ + concatMapStrings (s: s + " ; ") output_def + }' fi done ''; @@ -191,7 +193,7 @@ in rm -rf /home/*/.cache/rmenu ''; - reloadTriggers = [ + reloadTriggers = [ # config.environment.etc."${conf_path}".source config.environment.etc."sway/config".source ]; @@ -210,7 +212,7 @@ in }; extraPackages = with pkgs; [ -# swaylock + # swaylock swayidle wl-clipboard wf-recorder diff --git a/common/hardware/laptop.nix b/common/hardware/laptop.nix index d5ac3a0..dc4f3a7 100644 --- a/common/hardware/laptop.nix +++ b/common/hardware/laptop.nix @@ -34,7 +34,7 @@ in hardware.opentabletdriver.enable = true; systemd.user.services.opentabletdriver.after = [ "local-fs.target" ]; - + services.udisks2.enable = true; #services.udev.extraRules = '' @@ -61,9 +61,13 @@ in systemd.enableCgroupAccounting = true; # systemd.enableUnifiedCgroupHierarchy = false; - + boot = { - kernelParams = [ "intel_iommu=on" "nohibernate" "pcie_aspm=off" ]; + kernelParams = [ + "intel_iommu=on" + "nohibernate" + "pcie_aspm=off" + ]; loader.efi.canTouchEfiVariables = true; initrd.availableKernelModules = [ "xhci_pci" 
@@ -73,12 +77,12 @@ in "usb_storage" "sd_mod" ]; -# initrd.systemd.enable = true; + # initrd.systemd.enable = true; loader.systemd-boot.enable = true; # extraModulePackages = [ config.boot.kernelPackages.ddcci-driver ]; kernelModules = [ -# "ddcci_backlight" -# "i2c-dev" + # "ddcci_backlight" + # "i2c-dev" "ec_sys" ]; }; diff --git a/common/network/default.nix b/common/network/default.nix index 417be6f..cd1e238 100644 --- a/common/network/default.nix +++ b/common/network/default.nix @@ -11,7 +11,7 @@ in config = lib.mkIf (enable && network) { networking.networkmanager = { enable = true; - plugins = with pkgs; [ networkmanager-openvpn ]; + plugins = with pkgs; [ networkmanager-openvpn ]; }; networking.useDHCP = lib.mkDefault true; diff --git a/common/sound/spotifyd.nix b/common/sound/spotifyd.nix index dcef235..8dd67df 100644 --- a/common/sound/spotifyd.nix +++ b/common/sound/spotifyd.nix @@ -61,9 +61,17 @@ in password_cmd = let pass = spotify.spotifyd.pass; - inherit (lib) isPath isString getExe getExe'; + inherit (lib) + isPath + isString + getExe + getExe' + ; in - if (isPath pass || isString pass) then "${getExe' pkgs.coreutils-full "cat"} ${pass}" else (getExe pass); + if (isPath pass || isString pass) then + "${getExe' pkgs.coreutils-full "cat"} ${pass}" + else + (getExe pass); device_type = "computer"; dbus_type = "system"; device = "default"; diff --git a/common/tooling/apparmor/apparmor-d-module.nix b/common/tooling/apparmor/apparmor-d-module.nix index 3aa51ed..6230dfb 100644 --- a/common/tooling/apparmor/apparmor-d-module.nix +++ b/common/tooling/apparmor/apparmor-d-module.nix 
@@ -5,18 +5,30 @@ ... }: let - inherit (lib) mkIf mapAttrs assertMsg pathIsRegularFile mkForce; + inherit (lib) + mkIf + mapAttrs + assertMsg + pathIsRegularFile + mkForce + ; cfg = config.security.apparmor_d; - apparmor-d = pkgs.callPackage ./apparmor-d-package.nix {}; - in + apparmor-d = pkgs.callPackage ./apparmor-d-package.nix { }; +in { options.security.apparmor_d = with lib; { enable = mkEnableOption "enable apparmor.d support"; profiles = mkOption { - type = types.attrsOf (types.enum [ "disable" "complain" "enforce" ]); - default = {}; + type = types.attrsOf ( + types.enum [ + "disable" + "complain" + "enforce" + ] + ); + default = { }; description = "set of apparmor profiles to include from apparmor.d"; }; }; @@ -25,9 +37,10 @@ let security.apparmor.packages = [ apparmor-d ]; security.apparmor.policies = mapAttrs (name: state: { inherit state; - path = let - file = "${apparmor-d}/etc/apparmor.d/${name}"; - in + path = + let + file = "${apparmor-d}/etc/apparmor.d/${name}"; + in assert assertMsg (pathIsRegularFile file) "profile ${name} not found in apparmor.d path (${file})"; file; }) cfg.profiles; @@ -40,7 +53,7 @@ let @{package16}=@{package8}@{package8} @{package32}=@{package16}@{package16} @{package64}=@{package32}@{package32} - + @{nix_package_name}={@{package32},}{@{package16},}{@{package8},}{@{package4},}{@{package2},}{@{package1},} @{nix_store}=/nix/store/@{rand32}-@{nix_package_name} ''; @@ -48,7 +61,7 @@ let specialisation.no-apparmor.configuration = { security.apparmor.enable = mkForce false; }; - + environment.systemPackages = [ apparmor-d ]; }; } diff --git a/common/tooling/apparmor/apparmor-d-package.nix b/common/tooling/apparmor/apparmor-d-package.nix index 523d796..e9555de 100644 --- a/common/tooling/apparmor/apparmor-d-package.nix +++ b/common/tooling/apparmor/apparmor-d-package.nix 
@@ -1,4 +1,10 @@ -{ buildGoModule, fetchFromGitHub, git, lib, unstableGitUpdater }: +{ + buildGoModule, + fetchFromGitHub, + git, + lib, + unstableGitUpdater, +}: buildGoModule { pname = "apparmor-d"; version = "unstable-2024-10-12"; @@ -10,8 +16,8 @@ buildGoModule { hash = "sha256-3qVSMLIzVd9hcvj2V2eaacNOjOFTUHkTslaTETYYg4U="; }; - vendorHash = null; - + vendorHash = null; + doCheck = false; nativeBuildInputs = [ git ]; @@ -29,9 +35,9 @@ buildGoModule { postInstall = '' mkdir -p $out/etc - + DISTRIBUTION=nixos $out/bin/prebuild --abi 4 # fixme: replace with nixos support once available - + mv .build/apparmor.d $out/etc rm $out/bin/prebuild ''; diff --git a/common/tooling/apparmor/default.nix b/common/tooling/apparmor/default.nix index 7d146a0..67e7879 100644 --- a/common/tooling/apparmor/default.nix +++ b/common/tooling/apparmor/default.nix @@ -10,11 +10,11 @@ let in { imports = [ ./apparmor-d-module.nix ]; # ./aa-alias-module.nix ]; - + config = mkIf (enable && tooling.enable) { services.dbus.apparmor = "enabled"; security.auditd.enable = true; - + security.apparmor.enable = true; security.apparmor.enableCache = true; @@ -23,7 +23,7 @@ in alias /bin/spotify -> ${pkgs.spotify}/share/spotify/spotify, ''; -# security.apparmor.aa-alias-manager.enable = false; + # security.apparmor.aa-alias-manager.enable = false; security.audit.backlogLimit = 512; @@ -50,7 +50,6 @@ in "unix-chkpwd.apparmor.d" = "complain"; }; }; - security.apparmor.includes = { "abstractions/base" = '' @@ -61,12 +60,11 @@ in ${getExe' pkgs.coreutils-full "coreutils"} rix, ''; -# "tunables/alias.d/store" = '' -# include -# alias /bin -> @{bin}, -# alias /bin/ -> /nix/store/*/bin/, -# ''; - + # "tunables/alias.d/store" = '' + # include + # alias /bin -> @{bin}, + # alias /bin/ -> /nix/store/*/bin/, + # ''; "local/speech-dispatcher" = '' @{nix_store}/libexec/speech-dispatcher-modules/* ix, 
@@ -85,11 +83,11 @@ in ''; "local/xdg-mime" = '' -# include - /bin/grep rix, - /bin/gawk rix, -# /bin/dbus-send Cx -> bus, - /dev/tty* rw, + # include + /bin/grep rix, + /bin/gawk rix, + # /bin/dbus-send Cx -> bus, + /dev/tty* rw, ''; "abstractions/app/udevadm.d/udevadm_is_exec" = '' @@ -119,11 +117,11 @@ in ''; "local/child-open" = '' - include - @{bin}/grep ix, - /@{PROC}/version r, - @{bin}/gdbus Cx -> bus, -# @{bin}/gdbus Ux, + include + @{bin}/grep ix, + /@{PROC}/version r, + @{bin}/gdbus Cx -> bus, + # @{bin}/gdbus Ux, ''; "local/vesktop" = '' @@ -145,16 +143,16 @@ in @{bin}/unix_chkpwd rix, ''; -# "local/spotify" = '' -# @{bin}/ -# ''; + # "local/spotify" = '' + # @{bin}/ + # ''; }; - + security.apparmor.policies = { passff = { state = "enforce"; -# enable = true; -# enforce = true; + # enable = true; + # enforce = true; profile = '' abi , include @@ -165,11 +163,11 @@ in } ''; }; - + swaymux = { state = "enforce"; -# enable = true; -# enforce = true; + # enable = true; + # enforce = true; profile = '' abi , include 
@@ -182,58 +180,57 @@ in ''; }; -# speech-dispatcher-test = { -# enable = true; -# enforce = true; -# profile = ''# -# -#abi , -# -#include -# -#@{exec_path} = @{bin}/speech-dispatcher -#profile speech-dispatcher ${getExe' pkgs.speechd "speech-dispatcher"} flags=(complain) { -# include -# include -# include -# include -# include + # speech-dispatcher-test = { + # enable = true; + # enforce = true; + # profile = ''# + # + #abi , + # + #include + # + #@{exec_path} = @{bin}/speech-dispatcher + #profile speech-dispatcher ${getExe' pkgs.speechd "speech-dispatcher"} flags=(complain) { + # include + # include + # include + # include + # include -# network inet stream, -# network inet6 stream, + # network inet stream, + # network inet6 stream, -# @{exec_path} mr, + # @{exec_path} mr, -# @{sh_path} ix, -# @{lib}/speech-dispatcher/** r, -# @{lib}/speech-dispatcher/speech-dispatcher-modules/* ix, + # @{sh_path} ix, + # @{lib}/speech-dispatcher/** r, + # @{lib}/speech-dispatcher/speech-dispatcher-modules/* ix, -# /etc/machine-id r, -# /etc/speech-dispatcher/{,**} r, + # /etc/machine-id r, + # /etc/speech-dispatcher/{,**} r, -# owner @{run}/user/@{uid}/speech-dispatcher/ rw, -# owner @{run}/user/@{uid}/speech-dispatcher/** rwk, - -# include if exists -#} ''; -# }; + # owner @{run}/user/@{uid}/speech-dispatcher/ rw, + # owner @{run}/user/@{uid}/speech-dispatcher/** rwk, + # include if exists + #} ''; + # }; sleep = { state = "enforce"; profile = '' - abi , - include - profile sleep ${getExe' pkgs.coreutils-full "sleep"} { - include - } - ''; + abi , + include + profile sleep ${getExe' pkgs.coreutils-full "sleep"} { + include + } + ''; }; osu-lazer = { state = "disable"; -# enable = true; -# enforce = true; + # enable = true; + # enforce = true; profile = '' abi , include diff --git a/common/tooling/default.nix b/common/tooling/default.nix index 9f0fca8..e285ff0 100644 --- a/common/tooling/default.nix +++ b/common/tooling/default.nix 
@@ -54,7 +54,7 @@ in p7zip fbcat -# gomuks + # gomuks imagemagick nmap diff --git a/common/tooling/helix.nix b/common/tooling/helix.nix index 05cabd7..90bde39 100644 --- a/common/tooling/helix.nix +++ b/common/tooling/helix.nix @@ -43,7 +43,7 @@ let '') ]; }; - + helix-wrapped = pkgs.symlinkJoin { name = helix.pname; diff --git a/common/tooling/opensnitch/block_lists.nix b/common/tooling/opensnitch/block_lists.nix index 0cc31dc..41e0079 100644 --- a/common/tooling/opensnitch/block_lists.nix +++ b/common/tooling/opensnitch/block_lists.nix @@ -1,8 +1,12 @@ -{ stdenv, fetchFromGitHub, lib }: +{ + stdenv, + fetchFromGitHub, + lib, +}: stdenv.mkDerivation rec { pname = "stevenblack_block"; version = "3.14.116"; - + src = fetchFromGitHub { owner = "StevenBlack"; repo = "hosts"; diff --git a/common/tooling/ranger.nix b/common/tooling/ranger.nix index 6a199f4..d2ddb0c 100644 --- a/common/tooling/ranger.nix +++ b/common/tooling/ranger.nix @@ -21,7 +21,7 @@ let rev = "981756147834bb485ebcfa0e41ad60d05ccc4351"; hash = "sha256-5nFpEO/54MO6Esvkcqcyw2TI37ham70LkHtOXrYXfbY="; }; -# inputs.ranger_udisk_menu; + # inputs.ranger_udisk_menu; }; in { diff --git a/common/tooling/security.nix b/common/tooling/security.nix index 076502d..70f36ec 100644 --- a/common/tooling/security.nix +++ b/common/tooling/security.nix @@ -31,7 +31,7 @@ in # security.doas.enable = true; security.sudo.enable = true; - + security.doas.extraRules = [ { users = attrNames (filterAttrs (n: v: v.isNormalUser) config.users.users); @@ -46,7 +46,7 @@ in gnupg libsecret vulnix -# agenix + # agenix yubikey-manager yubico-pam @@ -70,7 +70,9 @@ in enableSSHSupport = true; }; - grimmShared.firefox.plugins = mkIf (tooling.enable && tooling.pass) { "passff@invicem.pro" = "passff"; }; + grimmShared.firefox.plugins = mkIf (tooling.enable && tooling.pass) { + "passff@invicem.pro" = "passff"; + }; }; options.grimmShared.tooling.pass = mkEnableOption "Enables password-store, gnupg and such secret handling"; 
diff --git a/common/tooling/wine.nix b/common/tooling/wine.nix
index 842ecde..bb68b60 100644
--- a/common/tooling/wine.nix
+++ b/common/tooling/wine.nix
@@ -1,4 +1,9 @@
-{ pkgs, config, lib, ... }:
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}:
 let
 inherit (config.grimmShared) enable tooling;
 inherit (lib)
@@ -11,25 +16,24 @@ in
 {
 config = mkIf (enable && tooling.enable) {
 virtualisation.libvirtd.enable = true;
-
+
 programs.virt-manager.enable = true;
 virtualisation.spiceUSBRedirection.enable = true;
-# dconf.settings = {
-# "org/virt-manager/virt-manager/connections" = {
-# autoconnect = ["qemu:///system"];
-# uris = ["qemu:///system"];
-# };
-# };
+ # dconf.settings = {
+ # "org/virt-manager/virt-manager/connections" = {
+ # autoconnect = ["qemu:///system"];
+ # uris = ["qemu:///system"];
+ # };
+ # };
-
 environment.systemPackages = with pkgs; [
 winetricks
 wineWow64Packages.stagingFull
 dotnetCorePackages.dotnet_9.sdk
 # jetbrains.rider mono4
-# (mono4.overrideAttrs { version="4.6.1"; sha256=""; })
+ # (mono4.overrideAttrs { version="4.6.1"; sha256=""; })
 tesseract4
 ];
 };
diff --git a/common/xdg/portals.nix b/common/xdg/portals.nix
index c63b85f..3d93c06 100644
--- a/common/xdg/portals.nix
+++ b/common/xdg/portals.nix
@@ -51,14 +51,14 @@ in
 environment.sessionVariables = {
 XDG_CONFIG_HOME = "$HOME/.config";
- XDG_DESKTOP_DIR="$HOME/Desktop";
- XDG_DOCUMENTS_DIR="$HOME/Documents";
- XDG_DOWNLOAD_DIR="$HOME/Downloads";
- XDG_MUSIC_DIR="$HOME/Music";
- XDG_PICTURES_DIR="$HOME/Pictures";
- XDG_PUBLICSHARE_DIR="$HOME/Public";
- XDG_TEMPLATES_DIR="$HOME/Templates";
- XDG_VIDEOS_DIR="$HOME/Videos";
+ XDG_DESKTOP_DIR = "$HOME/Desktop";
+ XDG_DOCUMENTS_DIR = "$HOME/Documents";
+ XDG_DOWNLOAD_DIR = "$HOME/Downloads";
+ XDG_MUSIC_DIR = "$HOME/Music";
+ XDG_PICTURES_DIR = "$HOME/Pictures";
+ XDG_PUBLICSHARE_DIR = "$HOME/Public";
+ XDG_TEMPLATES_DIR = "$HOME/Templates";
+ XDG_VIDEOS_DIR = "$HOME/Videos";
 };
 environment.systemPackages = with pkgs; [
diff --git a/configuration.nix b/configuration.nix index 34ac5ba..4e45193 100644 --- a/configuration.nix +++ b/configuration.nix @@ -3,7 +3,7 @@ imports = [ ./overlays ./common -# ./fake_flake.nix + # ./fake_flake.nix ./users.nix ]; diff --git a/custom/ncspot/package.nix b/custom/ncspot/package.nix index 4b98bb8..bb2f026 100644 --- a/custom/ncspot/package.nix +++ b/custom/ncspot/package.nix @@ -1,22 +1,32 @@ -{ stdenv -, lib -, fetchFromGitHub -, rustPlatform -, pkg-config -, ncurses -, openssl -, darwin -, withALSA ? stdenv.isLinux, alsa-lib -, withClipboard ? true, libxcb, python3 -, withCover ? false, ueberzug -, withPulseAudio ? stdenv.isLinux, libpulseaudio -, withPortAudio ? stdenv.isDarwin, portaudio -, withMPRIS ? stdenv.isLinux, withNotify ? true, dbus -, withCrossterm ? true -, nix-update-script -, testers -, ncspot -}: let +{ + stdenv, + lib, + fetchFromGitHub, + rustPlatform, + pkg-config, + ncurses, + openssl, + darwin, + withALSA ? stdenv.isLinux, + alsa-lib, + withClipboard ? true, + libxcb, + python3, + withCover ? false, + ueberzug, + withPulseAudio ? stdenv.isLinux, + libpulseaudio, + withPortAudio ? stdenv.isDarwin, + portaudio, + withMPRIS ? stdenv.isLinux, + withNotify ? true, + dbus, + withCrossterm ? true, + nix-update-script, + testers, + ncspot, +}: +let inherit (darwin.apple_sdk.frameworks) Cocoa; in rustPlatform.buildRustPackage rec { @@ -37,10 +47,10 @@ rustPlatform.buildRustPackage rec { }; }; - nativeBuildInputs = [ pkg-config ] - ++ lib.optional withClipboard python3; + nativeBuildInputs = [ pkg-config ] ++ lib.optional withClipboard python3; - buildInputs = [ ncurses ] + buildInputs = + [ ncurses ] ++ lib.optional stdenv.isLinux openssl ++ lib.optional withALSA alsa-lib ++ lib.optional withClipboard libxcb 
@@ -54,7 +64,8 @@ rustPlatform.buildRustPackage rec { buildNoDefaultFeatures = true; - buildFeatures = [ "cursive/pancurses-backend" ] + buildFeatures = + [ "cursive/pancurses-backend" ] ++ lib.optional withALSA "alsa_backend" ++ lib.optional withClipboard "share_clipboard" ++ lib.optional withCover "cover" diff --git a/flake.nix b/flake.nix index b56a23f..30d8ebd 100644 --- a/flake.nix +++ b/flake.nix @@ -18,12 +18,12 @@ url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master"; inputs.nixpkgs.follows = "nixpkgs"; }; - nixos-matrix-modules = { + nixos-matrix-modules = { url = "github:dali99/nixos-matrix-modules"; inputs.nixpkgs.follows = "nixpkgs"; }; -# ranger_udisk_menu.url = "git+https://git.grimmauld.de/Grimmauld/ranger_udisk_menu"; -# glibc-eac.url = "github:Frogging-Family/glibc-eac"; + # ranger_udisk_menu.url = "git+https://git.grimmauld.de/Grimmauld/ranger_udisk_menu"; + # glibc-eac.url = "github:Frogging-Family/glibc-eac"; aagl-gtk-on-nix = { url = "github:ezKEa/aagl-gtk-on-nix"; inputs.nixpkgs.follows = "nixpkgs"; @@ -34,7 +34,18 @@ }; }; - outputs = inputs @ { self, agenix, nixpkgs, chaotic, aagl-gtk-on-nix, nixos-mailserver, nixos-matrix-modules, aa-alias-manager, ... }: + outputs = + inputs@{ + self, + agenix, + nixpkgs, + chaotic, + aagl-gtk-on-nix, + nixos-mailserver, + nixos-matrix-modules, + aa-alias-manager, + ... + }: let patches = [ ./aa_mod.patch 
@@ -44,20 +55,26 @@ } ]; - customNixosSystem = system: definitions: + customNixosSystem = + system: definitions: let unpatched = nixpkgs.legacyPackages.${system}; patched = unpatched.applyPatches { name = "nixpkgs-patched"; src = inputs.nixpkgs; - patches = map (p: if (builtins.isPath p) then p else (unpatched.fetchpatch p)) patches; + patches = map (p: if (builtins.isPath p) then p else (unpatched.fetchpatch p)) patches; }; nixosSystem = import (patched + "/nixos/lib/eval-config.nix"); in - nixosSystem ({ - inherit system; - specialArgs = { inherit inputs system; }; - } // definitions); + nixosSystem ( + { + inherit system; + specialArgs = { + inherit inputs system; + }; + } + // definitions + ); in { nixosConfigurations = { @@ -67,7 +84,7 @@ chaotic.nixosModules.default aagl-gtk-on-nix.nixosModules.default ./configuration.nix - + ./specific/grimm-nixos-laptop/configuration.nix ]; }; @@ -78,7 +95,7 @@ aagl-gtk-on-nix.nixosModules.default ./configuration.nix aa-alias-manager.nixosModules.default - + ./specific/grimm-nixos-ssd/configuration.nix ]; }; @@ -87,11 +104,11 @@ agenix.nixosModules.default nixos-matrix-modules.nixosModules.default nixos-mailserver.nixosModules.default - + ./configuration.nix ./specific/grimmauld-nixos-server/configuration.nix - ./modules + ./modules ]; }; }; diff --git a/modules/default.nix b/modules/default.nix index 234f264..3a0a726 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -13,7 +13,7 @@ in ./nextcloud.nix ./prometheus.nix # ./mjolnir.nix -# ./fail2ban.nix + # ./fail2ban.nix ./email.nix # ./discord-matrix-bridge.nix ./mastodon.nix diff --git a/modules/matrix_legacy.nix b/modules/matrix_legacy.nix index 974fecd..44b60e7 100644 --- a/modules/matrix_legacy.nix +++ b/modules/matrix_legacy.nix 
@@ -11,7 +11,9 @@ let fqdn = vhosts.matrix_host.host; base_url = "https://${fqdn}"; - clientConfig."m.homeserver" = {inherit base_url; }; # = "https://${vhosts.matrix_host.host}"; + clientConfig."m.homeserver" = { + inherit base_url; + }; # = "https://${vhosts.matrix_host.host}"; serverConfig."m.server" = "${vhosts.matrix_host.host}:443"; mkWellKnown = data: '' default_type application/json; @@ -33,7 +35,6 @@ in ]; }; - services.matrix-synapse = { enable = true; settings.server_name = domain; @@ -43,21 +44,30 @@ in # in client applications. settings.public_baseurl = base_url; settings.listeners = [ - { port = 8008; + { + port = 8008; bind_addresses = [ "::1" ]; type = "http"; tls = false; x_forwarded = true; - resources = [ { - names = [ "client" "federation" ]; - compress = true; - } ]; + resources = [ + { + names = [ + "client" + "federation" + ]; + compress = true; + } + ]; } ]; settings.database = { name = "psycopg2"; - args = { user="synapse"; database= "synapse"; }; + args = { + user = "synapse"; + database = "synapse"; + }; }; settings.log_config = ./matrix_synapse_log_config.yaml; settings.enable_registration = false; 
@@ -75,47 +85,47 @@ in ]; }; -# services.matrix-synapse-next = { -# enable = true; -# -# workers.federationSenders = 1; -# workers.federationReceivers = 1; -# workers.initialSyncers = 1; -# workers.normalSyncers = 1; -# workers.eventPersisters = 2; -# workers.useUserDirectoryWorker = true; -# mainLogConfig = ./matrix_synapse_log_config.yaml; -# -# enableNginx = true; -# enableSlidingSync = false; -# -# settings = { -# suppress_key_server_warning = true; -# server_name = domain; -# public_baseurl = "https://${domain}"; -# enable_registration = true; -# registration_requires_token = true; -# registration_shared_secret_path = config.age.secrets.synapse_registration_shared_secret.path; -# # enable_registration_without_verification = true; -# # mainLogConfig = ./matrix_synapse_log_config.yaml; -# -# # registrations_require_3pid = [ "email" ]; -# -# database = { -# name = "psycopg2"; -# args = { -# host = "localhost"; -# port = config.services.postgresql.settings.port; -# dbname = "synapse"; -# user = "synapse"; -# cp_min = 5; -# cp_max = 10; -# client_encoding = "auto"; -# passfile = config.age.secrets.synapse_db_pass_prepared.path; -# }; -# }; -# }; -# }; + # services.matrix-synapse-next = { + # enable = true; + # + # workers.federationSenders = 1; + # workers.federationReceivers = 1; + # workers.initialSyncers = 1; + # workers.normalSyncers = 1; + # workers.eventPersisters = 2; + # workers.useUserDirectoryWorker = true; + # mainLogConfig = ./matrix_synapse_log_config.yaml; + # + # enableNginx = true; + # enableSlidingSync = false; + # + # settings = { + # suppress_key_server_warning = true; + # server_name = domain; + # public_baseurl = "https://${domain}"; + # enable_registration = true; + # registration_requires_token = true; + # registration_shared_secret_path = config.age.secrets.synapse_registration_shared_secret.path; + # # enable_registration_without_verification = true; + # # mainLogConfig = ./matrix_synapse_log_config.yaml; + # + # # 
registrations_require_3pid = [ "email" ]; + # + # database = { + # name = "psycopg2"; + # args = { + # host = "localhost"; + # port = config.services.postgresql.settings.port; + # dbname = "synapse"; + # user = "synapse"; + # cp_min = 5; + # cp_max = 10; + # client_encoding = "auto"; + # passfile = config.age.secrets.synapse_db_pass_prepared.path; + # }; + # }; + # }; + # }; services.redis.servers."".enable = true; age.secrets.synapse_db_pass = { 
@@ -141,100 +151,99 @@ in matrix-synapse ]; + services.nginx = { + enable = true; + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; - services.nginx = { - enable = true; - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - recommendedProxySettings = true; - - virtualHosts."${domain}" = { - enableACME = true; - forceSSL = true; - # This section is not needed if the server_name of matrix-synapse is equal to - # the domain (i.e. example.org from @foo:example.org) and the federation port - # is 8448. - # Further reference can be found in the docs about delegation under - # https://element-hq.github.io/synapse/latest/delegate.html - locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig; - # This is usually needed for homeserver discovery (from e.g. other Matrix clients). - # Further reference can be found in the upstream docs at - # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient - locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig; - }; - - virtualHosts."${fqdn}" = { - enableACME = true; - forceSSL = true; - - locations."/_matrix" = { - proxyPass = synapse_backend; - #extraConfig = '' - # add_header X-debug-backend ${synapse_backend}; - # add_header X-debug-group $synapse_uri_group; - # client_max_body_size ${config.services.matrix-synapse-next.settings.max_upload_size}; - # proxy_read_timeout 10m; - #''; - }; - locations."/_synapse/client".proxyPass = synapse_backend; - }; + virtualHosts."${domain}" = { + enableACME = true; + forceSSL = true; + # This section is not needed if the server_name of matrix-synapse is equal to + # the domain (i.e. example.org from @foo:example.org) and the federation port + # is 8448. 
+ # Further reference can be found in the docs about delegation under + # https://element-hq.github.io/synapse/latest/delegate.html + locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig; + # This is usually needed for homeserver discovery (from e.g. other Matrix clients). + # Further reference can be found in the upstream docs at + # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient + locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig; }; -# services.nginx = { -# enable = true; -# virtualHosts."${domain}" = { -# forceSSL = true; -# enableACME = lib.mkForce false; # use the cert above, not some weird one that matrix-synapse module supplies -# useACMEHost = domain; -# locations."/.well-known/matrix/server" = { -# return = "200 '{\"m.server\":\"${vhosts.matrix_host.host}:443\"}'"; -# extraConfig = '' -# default_type application/json; -# add_header Access-Control-Allow-Origin *; -# add_header Accept-Ranges bytes;''; -# }; -# locations."/.well-known/matrix/client" = { -# return = "200 '{\"m.homeserver\": {\"base_url\": \"https://${vhosts.matrix_host.host}\"}}'"; -# extraConfig = '' -# add_header Access-Control-Allow-Origin *; -# default_type application/json; -# ''; -# }; -# locations."/_matrix" = { -# proxyPass = "http://$synapse_backend"; -# extraConfig = '' -# add_header X-debug-backend $synapse_backend; -# add_header X-debug-group $synapse_uri_group; -# client_max_body_size ${config.services.matrix-synapse-next.settings.max_upload_size}; -# proxy_read_timeout 10m; -# ''; -# }; -# locations."/_synapse/client" = { -# proxyPass = "http://$synapse_backend"; -# }; -# locations."~ ^/_matrix/client/(r0|v3)/sync$" = { -# proxyPass = "http://$synapse_backend"; -# extraConfig = '' -# proxy_read_timeout 1h; -# ''; -# }; -# locations."~ ^/_matrix/client/(api/v1|r0|v3)/initialSync$" = { -# proxyPass = "http://synapse_worker_initial_sync"; -# extraConfig = '' -# proxy_read_timeout 1h; -# ''; -# }; 
-# locations."~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$" = { -# proxyPass = "http://synapse_worker_initial_sync"; -# extraConfig = '' -# proxy_read_timeout 1h; -# ''; -# }; -# # locations."/.well-known/matrix" = { -# proxyPass = "http://$synapse_backend"; -# }; -# }; -# }; + virtualHosts."${fqdn}" = { + enableACME = true; + forceSSL = true; + + locations."/_matrix" = { + proxyPass = synapse_backend; + #extraConfig = '' + # add_header X-debug-backend ${synapse_backend}; + # add_header X-debug-group $synapse_uri_group; + # client_max_body_size ${config.services.matrix-synapse-next.settings.max_upload_size}; + # proxy_read_timeout 10m; + #''; + }; + locations."/_synapse/client".proxyPass = synapse_backend; + }; + }; + + # services.nginx = { + # enable = true; + # virtualHosts."${domain}" = { + # forceSSL = true; + # enableACME = lib.mkForce false; # use the cert above, not some weird one that matrix-synapse module supplies + # useACMEHost = domain; + # locations."/.well-known/matrix/server" = { + # return = "200 '{\"m.server\":\"${vhosts.matrix_host.host}:443\"}'"; + # extraConfig = '' + # default_type application/json; + # add_header Access-Control-Allow-Origin *; + # add_header Accept-Ranges bytes;''; + # }; + # locations."/.well-known/matrix/client" = { + # return = "200 '{\"m.homeserver\": {\"base_url\": \"https://${vhosts.matrix_host.host}\"}}'"; + # extraConfig = '' + # add_header Access-Control-Allow-Origin *; + # default_type application/json; + # ''; + # }; + # locations."/_matrix" = { + # proxyPass = "http://$synapse_backend"; + # extraConfig = '' + # add_header X-debug-backend $synapse_backend; + # add_header X-debug-group $synapse_uri_group; + # client_max_body_size ${config.services.matrix-synapse-next.settings.max_upload_size}; + # proxy_read_timeout 10m; + # ''; + # }; + # locations."/_synapse/client" = { + # proxyPass = "http://$synapse_backend"; + # }; + # locations."~ ^/_matrix/client/(r0|v3)/sync$" = { + # proxyPass = 
"http://$synapse_backend";
+ # extraConfig = ''
+ # proxy_read_timeout 1h;
+ # '';
+ # };
+ # locations."~ ^/_matrix/client/(api/v1|r0|v3)/initialSync$" = {
+ # proxyPass = "http://synapse_worker_initial_sync";
+ # extraConfig = ''
+ # proxy_read_timeout 1h;
+ # '';
+ # };
+ # locations."~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$" = {
+ # proxyPass = "http://synapse_worker_initial_sync";
+ # extraConfig = ''
+ # proxy_read_timeout 1h;
+ # '';
+ # };
+ # # locations."/.well-known/matrix" = {
+ # proxyPass = "http://$synapse_backend";
+ # };
+ # };
+ # };
 # networking.firewall.allowedTCPPorts = [ 8448 8008 ];
 }
diff --git a/modules/wireguard.nix b/modules/wireguard.nix
index 96f617d..e682c1d 100644
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@@ -1,7 +1,10 @@
- {pkgs, ...}: {
+{ pkgs, ... }:
+{
 # enable NAT
- networking.nat.enable = true; networking.nat.externalInterface = "eth0";
- networking.nat.internalInterfaces = [ "wg0" ]; networking.firewall = {
+ networking.nat.enable = true;
+ networking.nat.externalInterface = "eth0";
+ networking.nat.internalInterfaces = [ "wg0" ];
+ networking.firewall = {
 allowedUDPPorts = [ 51820 ];
 };
@@ -18,18 +21,21 @@
 # This allows the wireguard server to route your traffic to the internet and
 # hence be like a VPN For this to work you have to set the dnsserver IP of
 # your router (or dnsserver of choice) in your clients
- postSetup = '' ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens18 -j MASQUERADE
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens18 -j MASQUERADE
 '';
 # This undoes the above command
- postShutdown = '' ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens18 -j MASQUERADE
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens18 -j MASQUERADE
 '';
-
+
 generatePrivateKeyFile = true;
 peers = [
 {
-publicKey="2aANdnPYtf78iXfwNVAtYjIlE5k/yDWvbdXZ2jw0hXk=";
- allowedIPs = [ "10.100.0.2/32" ];
- } ];
+ publicKey = "2aANdnPYtf78iXfwNVAtYjIlE5k/yDWvbdXZ2jw0hXk=";
+ allowedIPs = [ "10.100.0.2/32" ];
+ }
+ ];
 };
 };
 environment.systemPackages = with pkgs; [ wireguard-tools ];
diff --git a/overlays/factorio.nix b/overlays/factorio.nix
index d8989dd..fd92610 100644
--- a/overlays/factorio.nix
+++ b/overlays/factorio.nix
@@ -4,6 +4,9 @@ let
 in
 {
 factorio = prev.factorio.override (
- { versionsJson = ./versions.json; } // lib.optionalAttrs (builtins.pathExists loginFile) (import loginFile)
+ {
+ versionsJson = ./versions.json;
+ }
+ // lib.optionalAttrs (builtins.pathExists loginFile) (import loginFile)
 );
 }
diff --git a/overlays/ncspot.nix b/overlays/ncspot.nix
index 556df1e..ad572ea 100644
--- a/overlays/ncspot.nix
+++ b/overlays/ncspot.nix
@@ -1,4 +1,4 @@
 { prev, config, ... }:
 {
- ncspot = prev.callPackage ../custom/ncspot/package.nix { };
+ ncspot = prev.callPackage ../custom/ncspot/package.nix { };
 }
diff --git a/specific/grimm-nixos-laptop/configuration.nix b/specific/grimm-nixos-laptop/configuration.nix
index 646e2be..414d785 100644
--- a/specific/grimm-nixos-laptop/configuration.nix
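Review bot: The masquerade rules in `postSetup`/`postShutdown` use `-o ens18`, while the first hunk of this file sets `networking.nat.externalInterface = "eth0"`, so the two NAT paths name different uplinks and at most one of them can match the real interface on a given host. `networking.nat` with `internalInterfaces = [ "wg0" ]` already masquerades wg0 traffic out of `externalInterface`, so the manual iptables hooks appear redundant; I would settle on one name, e.g. `networking.nat.externalInterface = "ens18";`, and drop the `postSetup`/`postShutdown` pair, or drop the `networking.nat` lines if the hooks are the intended mechanism. At minimum a comment above `postSetup` should say why both exist and which interface is authoritative. The enclosing interface definition that `peers` and `generatePrivateKeyFile` belong to starts before this hunk.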
+++ b/specific/grimm-nixos-laptop/configuration.nix
@@ -9,7 +9,6 @@
 age.identityPaths = [ "/home/grimmauld/.ssh/id_ed25519" ];
- services.zfs.trim.enable = true;
 boot.supportedFilesystems.zfs = true;
 networking.hostId = "2ea79333";
diff --git a/specific/grimm-nixos-ssd/configuration.nix b/specific/grimm-nixos-ssd/configuration.nix
index 89aad43..817f73d 100644
--- a/specific/grimm-nixos-ssd/configuration.nix
+++ b/specific/grimm-nixos-ssd/configuration.nix
@@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
 {
 imports = [
 # Include the results of the hardware scan.
@@ -11,34 +16,36 @@
 services.zfs.trim.enable = true;
 boot.supportedFilesystems.zfs = true;
-
+
 # security.pam.yubico.control = "required";
- services.udev.extraRules = let
- inherit (lib) getExe' getExe;
- inherit (pkgs) procps writeShellScriptBin;
- exitSway = writeShellScriptBin "kill-sway" ''
- for pid in $(${getExe' procps "pgrep"} sway -x)
- do
- uid=$(id -u $(${getExe' procps "ps"} -o user= -p $pid))
- export SWAYSOCK="/run/user/$uid/sway-ipc.$uid.$pid.sock"
- if [[ -e "$SWAYSOCK" ]] ; then
- echo "sock is $SWAYSOCK"
- ${getExe' config.programs.sway.package "swaymsg"} exit
- fi
- done
- '';
- in ''
- ACTION=="remove",\
- ENV{SUBSYSTEM}=="usb",\
- ENV{PRODUCT}=="1050/407/543",\
- RUN+="${lib.getExe exitSway}"
-# '';
+ services.udev.extraRules =
+ let
+ inherit (lib) getExe' getExe;
+ inherit (pkgs) procps writeShellScriptBin;
+ exitSway = writeShellScriptBin "kill-sway" ''
+ for pid in $(${getExe' procps "pgrep"} sway -x)
+ do
+ uid=$(id -u $(${getExe' procps "ps"} -o user= -p $pid))
+ export SWAYSOCK="/run/user/$uid/sway-ipc.$uid.$pid.sock"
+ if [[ -e "$SWAYSOCK" ]] ; then
+ echo "sock is $SWAYSOCK"
+ ${getExe' config.programs.sway.package "swaymsg"} exit
+ fi
+ done
+ '';
+ in
+ ''
+ ACTION=="remove",\
+ ENV{SUBSYSTEM}=="usb",\
+ ENV{PRODUCT}=="1050/407/543",\
+ RUN+="${lib.getExe exitSway}"
+ # '';
- # RUN+="${lib.getExe' pkgs.systemd "loginctl"} lock-sessions"
-
-# networking.hostId = "2ea79333";
-# boot.kernelPackages = lib.mkForce config.boot.zfs.package.latestCompatibleLinuxPackages;
+ # RUN+="${lib.getExe' pkgs.systemd "loginctl"} lock-sessions"
+
+ # networking.hostId = "2ea79333";
+ # boot.kernelPackages = lib.mkForce config.boot.zfs.package.latestCompatibleLinuxPackages;
 grimmShared = {
 tooling = {
diff --git a/specific/grimm-nixos-ssd/hardware-configuration.nix b/specific/grimm-nixos-ssd/hardware-configuration.nix
index 4ee43f9..98fb981 100644
--- a/specific/grimm-nixos-ssd/hardware-configuration.nix
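Review bot: On the new side the udev rule string is still closed by `# '';`, where the `#` sits inside the indented string rather than being a Nix comment, so the rendered rules end with a stray `# ` line and the closing is easy to misread as a commented-out terminator; close the string with a plain `'';` on its own line. `RUN+=` executes `kill-sway` whenever the USB device `1050/407/543` (presumably the YubiKey, given the `security.pam.yubico` comment above) is unplugged, and the script walks every `sway` pid returned by `pgrep`, derives each owner's IPC socket under `/run/user/$uid/` and sends `swaymsg exit`; none of that intent is stated, so a comment above `exitSway` such as `# On YubiKey removal, end every running sway session (udev runs RUN+= programs as root)` would help the next reader. The `grimmShared` attribute that follows is outside the hunk.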
+++ b/specific/grimm-nixos-ssd/hardware-configuration.nix
@@ -1,24 +1,45 @@
 # Do not modify this file! It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations. Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
 {
- imports =
- [ (modulesPath + "/installer/scan/not-detected.nix")
- ];
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
- boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "uas" "sd_mod" "kvm-intel" ];
- boot.initrd.kernelModules = [ "zfs" "nls_cp437" "nls_iso8859-1" "usbhid" "usb_storage" "nvme" ];
+ boot.initrd.availableKernelModules = [
+ "xhci_pci"
+ "ahci"
+ "nvme"
+ "usbhid"
+ "uas"
+ "sd_mod"
+ "kvm-intel"
+ ];
+ boot.initrd.kernelModules = [
+ "zfs"
+ "nls_cp437"
+ "nls_iso8859-1"
+ "usbhid"
+ "usb_storage"
+ "nvme"
+ ];
 boot.zfs = {
 forceImportRoot = false;
 requestEncryptionCredentials = false; # none of the zfs datasets that should be mounted are encrypted. User homes happen later.
-# [
-# "zpool/home"
-# "zpool/root"
-# "zpool/nix"
-# "zpool/var"
-# ];
+ # [
+ # "zpool/home"
+ # "zpool/root"
+ # "zpool/nix"
+ # "zpool/var"
+ # ];
 };
 boot.kernelModules = [ "kvm-intel" ];
 boot.supportedFilesystems.zfs = true;
@@ -29,38 +50,41 @@
 boot.kernelParams = [ "mds=full,nosmt" ];
 services.homed.enable = true;
- fileSystems."/" =
- { device = "zpool/root";
- fsType = "zfs";
- };
+ fileSystems."/" = {
+ device = "zpool/root";
+ fsType = "zfs";
+ };
- fileSystems."/nix" =
- { device = "zpool/nix";
- fsType = "zfs";
- };
+ fileSystems."/nix" = {
+ device = "zpool/nix";
+ fsType = "zfs";
+ };
- fileSystems."/var" =
- { device = "zpool/var";
- fsType = "zfs";
- };
-
- fileSystems."/etc/nixos" =
- { device = "zpool/nix_conf";
- fsType = "zfs";
- options = [ "noacl" ];
- };
+ fileSystems."/var" = {
+ device = "zpool/var";
+ fsType = "zfs";
+ };
-# fileSystems."/home" =
-# { device = "zpool/home";
-# fsType = "zfs";
-# };
+ fileSystems."/etc/nixos" = {
+ device = "zpool/nix_conf";
+ fsType = "zfs";
+ options = [ "noacl" ];
+ };
- fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/12CE-A600";
- fsType = "vfat";
- options = [ "fmask=0022" "dmask=0022" "umask=077" ];
- };
+ # fileSystems."/home" =
+ # { device = "zpool/home";
+ # fsType = "zfs";
+ # };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/12CE-A600";
+ fsType = "vfat";
+ options = [
+ "fmask=0022"
+ "dmask=0022"
+ "umask=077"
+ ];
+ };
 grimmShared = {
 screens = {
@@ -80,17 +104,16 @@
 laptop_hardware.enable = true;
 };
+ # fileSystems."/crypt-storage" =
+ # { device = "/dev/disk/by-uuid/6f0d65a8-24f0-439d-b5ee-03c0ef051fcb";
+ # fsType = "ext4";
+ # options = [ "umask=077" ]; # read only so a fat-finger can't accidentially bonk our salts, rendering the disk useless.
+ # };
-# fileSystems."/crypt-storage" =
-# { device = "/dev/disk/by-uuid/6f0d65a8-24f0-439d-b5ee-03c0ef051fcb";
-# fsType = "ext4";
-# options = [ "umask=077" ]; # read only so a fat-finger can't accidentially bonk our salts, rendering the disk useless.
-# };
-
-# fileSystems."/home/grimmauld" =
-# { device = "zpool/home/grimmauld";
-# fsType = "zfs";
-# };
+ # fileSystems."/home/grimmauld" =
+ # { device = "zpool/home/grimmauld";
+ # fsType = "zfs";
+ # };
 security.pam = {
 zfs = {
@@ -105,14 +128,14 @@
 device = "/dev/disk/by-uuid/6e6ca6b4-cfd5-4384-955b-bad9c48fa9d6"; # /dev/sda3
 preLVM = true;
 allowDiscards = true;
-
+
 yubikey = {
 slot = 2;
 twoFactor = true; # Set to false for 1FA
 gracePeriod = 30; # Time in seconds to wait for Yubikey to be inserted
 keyLength = 64; # Set to $KEY_LENGTH/8
 saltLength = 16; # Set to $SALT_LENGTH
-
+
 storage = {
 device = "/dev/disk/by-uuid/6f0d65a8-24f0-439d-b5ee-03c0ef051fcb"; # same ID as the crypt-storage mount earlier
 fsType = "ext4";
@@ -123,7 +146,7 @@
 swapDevices = [
 #{
- # device = "zpool/swap";
+ # device = "zpool/swap";
 # device = "/dev/zvol/zpool/swap";
 #}
 ];
diff --git a/sway/default.nix b/sway/default.nix
index ad79184..00713d6 100644
--- a/sway/default.nix
+++ b/sway/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}:
 {
 imports = [ ./bar ];
@@ -51,113 +56,122 @@
 urgentcol = "#9e3c3c";
 realwhite = "#C7D3E3";
 };
- keybinds = {
- "$mod+d" = "exec $menu";
- "$mod+Shift+d" = "exec $menu_run";
- "$mod+Shift+s" = ''exec ${getExe grim} -g "$(${getExe slurp} -d)" - | wl-copy'';
- "$mod+Shift+Return" = "exec ${getExe xdg-terminal-exec} xonsh";
- "$mod+Return" = "exec ${getExe xdg-terminal-exec}";
- "$mod+Shift+q" = "kill";
- "$mod+Shift+c" = "reload";
- "$mod+Shift+e" = "exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -B 'Yes, exit sway' 'swaymsg exit'";
+ keybinds =
+ {
+ "$mod+d" = "exec $menu";
+ "$mod+Shift+d" = "exec $menu_run";
+ "$mod+Shift+s" = ''exec ${getExe grim} -g "$(${getExe slurp} -d)" - | wl-copy'';
+ "$mod+Shift+Return" = "exec ${getExe xdg-terminal-exec} xonsh";
+ "$mod+Return" = "exec ${getExe xdg-terminal-exec}";
+ "$mod+Shift+q" = "kill";
+ "$mod+Shift+c" = "reload";
+ "$mod+Shift+e" = "exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' 
-B 'Yes, exit sway' 'swaymsg exit'";
- # Move your focus around
- "$mod+$left" = "focus left";
- "$mod+$down" = "focus down";
- "$mod+$up" = "focus up";
- "$mod+$right" = "focus right";
- # Or use $mod+[up|down|left|right]
- "$mod+Left" = "focus left";
- "$mod+Down" = "focus down";
- "$mod+Up" = "focus up";
- "$mod+Right" = "focus right";
+ # Move your focus around
+ "$mod+$left" = "focus left";
+ "$mod+$down" = "focus down";
+ "$mod+$up" = "focus up";
+ "$mod+$right" = "focus right";
+ # Or use $mod+[up|down|left|right]
+ "$mod+Left" = "focus left";
+ "$mod+Down" = "focus down";
+ "$mod+Up" = "focus up";
+ "$mod+Right" = "focus right";
- # Move the focused window with the same, but add Shift
- "$mod+Shift+$left" = "move left";
- "$mod+Shift+$down" = "move down";
- "$mod+Shift+$up" = "move up";
- "$mod+Shift+$right" = "move right";
- # Ditto, with arrow keys
- "$mod+Shift+Left" = "move left";
- "$mod+Shift+Down" = "move down";
- "$mod+Shift+Up" = "move up";
- "$mod+Shift+Right" = "move right";
-
- # Layout stuff:
- #
- # You can "split" the current object of your focus with
- # $mod+b or $mod+v, for horizontal and vertical splits
- # respectively.
- "$mod+b" = "splith";
- "$mod+v" = "splitv";
+ # Move the focused window with the same, but add Shift
+ "$mod+Shift+$left" = "move left";
+ "$mod+Shift+$down" = "move down";
+ "$mod+Shift+$up" = "move up";
+ "$mod+Shift+$right" = "move right";
+ # Ditto, with arrow keys
+ "$mod+Shift+Left" = "move left";
+ "$mod+Shift+Down" = "move down";
+ "$mod+Shift+Up" = "move up";
+ "$mod+Shift+Right" = "move right";
- # Switch the current container between different layout styles
- "$mod+s" = "layout stacking";
- "$mod+w" = "layout tabbed";
- "$mod+e" = "layout toggle split";
+ # Layout stuff:
+ #
+ # You can "split" the current object of your focus with
+ # $mod+b or $mod+v, for horizontal and vertical splits
+ # respectively.
+ "$mod+b" = "splith";
+ "$mod+v" = "splitv";
- # Make the current focus fullscreen
- "$mod+f" = "fullscreen";
+ # Switch the current container between different layout styles
+ "$mod+s" = "layout stacking";
+ "$mod+w" = "layout tabbed";
+ "$mod+e" = "layout toggle split";
- # Toggle the current focus between tiling and floating mode
- "$mod+Shift+space" = "floating toggle";
+ # Make the current focus fullscreen
+ "$mod+f" = "fullscreen";
- # Swap focus between the tiling area and the floating area
- "$mod+space" = "focus mode_toggle";
+ # Toggle the current focus between tiling and floating mode
+ "$mod+Shift+space" = "floating toggle";
- # Move focus to the parent container
- "$mod+a" = "focus parent";
+ # Swap focus between the tiling area and the floating area
+ "$mod+space" = "focus mode_toggle";
- "$mod+Shift+minus" = "move scratchpad";
- "$mod+minus" = "scratchpad show";
+ # Move focus to the parent container
+ "$mod+a" = "focus parent";
- "$mod+r" = "mode \"resize\"";
+ "$mod+Shift+minus" = "move scratchpad";
+ "$mod+minus" = "scratchpad show";
- XF86AudioRaiseVolume = "exec pactl set-sink-volume @DEFAULT_SINK@ +5%";
- XF86AudioLowerVolume = "exec pactl set-sink-volume @DEFAULT_SINK@ -5%";
- "Shift+XF86AudioLowerVolume" = "exec pactl set-source-volume @DEFAULT_SOURCE@ -5%";
- "Shift+XF86AudioRaiseVolume" = "exec pactl set-source-volume @DEFAULT_SOURCE@ +5%";
- XF86AudioMute = "exec pactl set-sink-mute @DEFAULT_SINK@ toggle";
- XF86AudioPlay = "exec playerctl play-pause";
- XF86AudioNext = "exec playerctl next";
- XF86AudioPrev = "exec playerctl previous";
- "$mod+c" = "exec ${getExe swaymux}";
- XF86MonBrightnessUp = "exec ${getExe brightnessctl} s 10+%";
- XF86MonBrightnessDown = "exec ${getExe brightnessctl} s 10-%";
- XF86Explorer = "exec ${getExe xdg-terminal-exec} ${getExe ranger}";
- XF86Search = "exec ${getExe searchclip}";
- XF86HomePage =
+ "$mod+r" = "mode \"resize\"";
+
+ XF86AudioRaiseVolume = "exec pactl set-sink-volume @DEFAULT_SINK@ +5%";
+ 
XF86AudioLowerVolume = "exec pactl set-sink-volume @DEFAULT_SINK@ -5%";
+ "Shift+XF86AudioLowerVolume" = "exec pactl set-source-volume @DEFAULT_SOURCE@ -5%";
+ "Shift+XF86AudioRaiseVolume" = "exec pactl set-source-volume @DEFAULT_SOURCE@ +5%";
+ XF86AudioMute = "exec pactl set-sink-mute @DEFAULT_SINK@ toggle";
+ XF86AudioPlay = "exec playerctl play-pause";
+ XF86AudioNext = "exec playerctl next";
+ XF86AudioPrev = "exec playerctl previous";
+ "$mod+c" = "exec ${getExe swaymux}";
+ XF86MonBrightnessUp = "exec ${getExe brightnessctl} s 10+%";
+ XF86MonBrightnessDown = "exec ${getExe brightnessctl} s 10-%";
+ XF86Explorer = "exec ${getExe xdg-terminal-exec} ${getExe ranger}";
+ XF86Search = "exec ${getExe searchclip}";
+ XF86HomePage =
+ let
+ open = pkgs.writeShellScriptBin "open_or_switch_browser" ''
+ browser=$(xdg-settings get default-web-browser | sed "s/\.desktop//")
+ swaymsg [app_id="$browser"] focus || ${getExe deskwhich} $browser | xargs gio launch
+ '';
+ in
+ "exec ${getExe open}";
+ XF86Tools =
+ let
+ open = pkgs.writeShellScriptBin "open_or_switch_spotify" ''
+ # FIXME: spotify is being weird
+ while IFS= read -r pid; do
+ swaymsg [pid=$pid] focus && exit 0
+ done <<< $(pgrep spotify -u "$(whoami)")
+ ${getExe deskwhich} spotify | xargs gio launch
+ '';
+ in
+ "exec ${getExe open}"; # for some reason tools = audio media on my keyboard??
+ XF86Mail =
+ let
+ open = pkgs.writeShellScriptBin "open_or_switch_mail" ''
+ desk=$(xdg-settings get default-url-scheme-handler mailto | sed "s/\.desktop//")
+ swaymsg [app_id="$desk"] focus || ${getExe deskwhich} $desk | xargs gio launch
+ '';
+ in
+ "exec ${getExe open}";
+ # XF86Bluetooth = "exec blueman-manager";
+ }
+ // (
 let
- open = pkgs.writeShellScriptBin "open_or_switch_browser" ''
- browser=$(xdg-settings get default-web-browser | sed "s/\.desktop//")
- swaymsg [app_id="$browser"] focus || ${getExe deskwhich} $browser | xargs gio launch
- '';
+ inherit (builtins) toString;
 in
- "exec ${getExe open}";
- XF86Tools =
- let
- open = pkgs.writeShellScriptBin "open_or_switch_spotify" ''
- # FIXME: spotify is being weird
- while IFS= read -r pid; do
- swaymsg [pid=$pid] focus && exit 0
- done <<< $(pgrep spotify -u "$(whoami)")
- ${getExe deskwhich} spotify | xargs gio launch
- '';
- in
- "exec ${getExe open}"; # for some reason tools = audio media on my keyboard??
- XF86Mail =
- let
- open = pkgs.writeShellScriptBin "open_or_switch_mail" ''
- desk=$(xdg-settings get default-url-scheme-handler mailto | sed "s/\.desktop//")
- swaymsg [app_id="$desk"] focus || ${getExe deskwhich} $desk | xargs gio launch
- '';
- in
- "exec ${getExe open}";
- # XF86Bluetooth = "exec blueman-manager";
- } // (let inherit (builtins) toString; in lib.mergeAttrsList (map (n: {
- "$mod+${toString n}" = "workspace number ${toString n}";
- "$mod+Shift+${toString n}" = "move container to workspace number ${toString n}";
- }) (lib.range 0 9)));
+ lib.mergeAttrsList (
+ map (n: {
+ "$mod+${toString n}" = "workspace number ${toString n}";
+ "$mod+Shift+${toString n}" = "move container to workspace number ${toString n}";
+ }) (lib.range 0 9)
+ )
+ );
 autolaunch = [
 (getExe' pkgs.dbus "dbus-update-activation-environment")
 (getExe' pkgs.xdg-user-dirs "xdg-user-dirs-update")
diff --git a/users.nix b/users.nix
index 0229c98..010cf19 100644
--- a/users.nix
+++ b/users.nix
@@ -10,7 +10,6 @@
 # shell = pkgs.xonsh;
 description = "grimmauld";
- openssh.authorizedKeys.keys = (import ./authorizedKeys.nix);
 extraGroups = lib.intersectLists (lib.attrNames config.users.groups) [
 "networkmanager"
@@ -41,8 +40,8 @@
 [
 vesktop
 obs-studio
-# element-desktop
-# ghidra
+ # element-desktop
+ # ghidra
 rmview
 ]
 );