This commit is contained in:
Grimmauld 2024-10-22 22:05:22 +02:00
parent 9c7828fae6
commit 247489518d
Signed by: Grimmauld
GPG key ID: C2946668769F91FB
17 changed files with 592 additions and 548 deletions

75
aa_mod.patch Normal file
View file

@ -0,0 +1,75 @@
diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix
index a4b3807e4e0f..c7c879c39d12 100644
--- a/nixos/modules/security/apparmor.nix
+++ b/nixos/modules/security/apparmor.nix
@@ -3,15 +3,11 @@
with lib;
let
- inherit (builtins) attrNames head map match readFile;
+ inherit (builtins) attrNames map match;
inherit (lib) types;
inherit (config.environment) etc;
cfg = config.security.apparmor;
- mkDisableOption = name: mkEnableOption name // {
- default = true;
- example = false;
- };
- enabledPolicies = filterAttrs (n: p: p.enable) cfg.policies;
+ enabledPolicies = filterAttrs (n: p: p.state != "disable") cfg.policies;
in
{
@@ -47,13 +43,30 @@ in
'';
type = types.attrsOf (types.submodule ({ name, config, ... }: {
options = {
- enable = mkDisableOption "loading of the profile into the kernel";
- enforce = mkDisableOption "enforcing of the policy or only complain in the logs";
+ state = mkOption {
+ description =
+ "The state of the profile as applied to the system by nix";
+ type = types.enum [ "disable" "complain" "enforce" ];
+ # should enforce really be the default?
+ # the docs state that this should only be used once one is REALLY sure nothing's gonna break
+ default = "enforce";
+ };
+
profile = mkOption {
- description = "The policy of the profile.";
+ description = "The policy of the profile. Incompatible with path.";
type = types.lines;
- apply = pkgs.writeText name;
};
+
+ path = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ description = "A path of a profile to include. Incompatible with profile.";
+ apply = p: let
+ inherit (config) profile;
+ in assert (assertMsg ((p != null && profile == "") || (p == null && profile != ""))
+ "`security.apparmor.policies.\"${name}\"` must define exactly one of either path or profile.");
+ (if (p != null) then p else (pkgs.writeText name profile));
+ };
};
}));
default = {};
@@ -108,7 +121,7 @@ in
environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" (
# It's important to put only enabledPolicies here and not all cfg.policies
# because aa-remove-unknown reads profiles from all /etc/apparmor.d/*
- mapAttrsToList (name: p: { inherit name; path = p.profile; }) enabledPolicies ++
+ mapAttrsToList (name: p: { inherit name; path = p.path; }) enabledPolicies ++
mapAttrsToList (name: path: { inherit name path; }) cfg.includes
);
environment.etc."apparmor/parser.conf".text = ''
@@ -187,7 +200,7 @@ in
xargs --verbose --no-run-if-empty --delimiter='\n' \
kill
'';
- commonOpts = p: "--verbose --show-cache ${optionalString (!p.enforce) "--complain "}${p.profile}";
+ commonOpts = p: "--verbose --show-cache ${optionalString (p.state == "complain") "--complain "}${p.path}";
in {
Type = "oneshot";
RemainAfterExit = "yes";

View file

@ -12,7 +12,7 @@ in
fonts = {
packages = with pkgs; [
noto-fonts
noto-fonts-cjk
noto-fonts-cjk-sans
font-awesome
# noto-fonts-emoji
noto-fonts-monochrome-emoji

View file

@ -5,7 +5,7 @@
...
}:
let
inherit (lib) mkIf mapAttrs assertMsg pathIsRegularFile;
inherit (lib) mkIf mapAttrs assertMsg pathIsRegularFile mkForce;
cfg = config.security.apparmor_d;
apparmor-d = pkgs.callPackage ./apparmor-d-package.nix {};
@ -23,15 +23,18 @@ let
config = mkIf (cfg.enable) {
security.apparmor.packages = [ apparmor-d ];
security.apparmor.policies = mapAttrs (name: value: {
enable = value != "disable";
enforce = value == "enforce";
security.apparmor.policies = mapAttrs (name: state: {
inherit state;
profile = let
file = "${apparmor-d}/etc/apparmor.d/${name}";
in
assert assertMsg (pathIsRegularFile file) "profile ${name} not found in apparmor.d path (${file})";
''include "${file}"'';
}) cfg.profiles;
specialisation.no-apparmor.configuration = {
security.apparmor.enable = mkForce false;
};
environment.systemPackages = [ apparmor-d ];
};

View file

@ -1,4 +1,4 @@
{ buildGoModule, fetchFromGitHub, git, lib }:
{ buildGoModule, fetchFromGitHub, git, lib, unstableGitUpdater }:
buildGoModule {
pname = "apparmor-d";
version = "unstable-2024-10-12";
@ -13,7 +13,6 @@ buildGoModule {
vendorHash = "sha256-YkOcpzn5AKFMDWUYbKY8DzGMiIMSyaDfexFmXv5HNQI=";
doCheck = false;
#dontBuild = true;
nativeBuildInputs = [ git ];
@ -26,10 +25,12 @@ buildGoModule {
"cmd/aa-log"
];
passthru.updateScript = unstableGitUpdater { };
postInstall = ''
mkdir -p $out/etc
DISTRIBUTION=opensuse $out/bin/prebuild --abi 4 # fixme: replace with nixos support once available
DISTRIBUTION=arch $out/bin/prebuild --abi 4 # fixme: replace with nixos support once available
mv .build/apparmor.d $out/etc
rm $out/bin/prebuild

View file

@ -32,6 +32,7 @@ in
child-open-any = "enforce";
child-open = "enforce";
firefox-glxtest = "enforce";
firefox-vaapitest = "enforce";
gamemoded = "disable";
pkexec = "complain";
xdg-mime = "complain";
@ -59,7 +60,7 @@ in
"local/speech-dispatcher" = ''
${pkgs.speechd}/libexec/speech-dispatcher-modules/* rix,
@{nix_store}/libexec/speech-dispatcher-modules/* ix,
@{PROC}/@{pid}/stat r,
@{bin}/mbrola rix,
'';
@ -74,6 +75,10 @@ in
owner /run/user/*/gnupg/S.keyboxd wr,
'';
"local/xdg-mime" = ''
/dev/tty* rw,
'';
"abstractions/app/udevadm.d/udevadm_is_exec" = ''
@{bin}/udevadm mrix,
'';
@ -100,8 +105,8 @@ in
include <abstractions/app/bus>
@{bin}/grep ix,
/@{PROC}/version r,
# @{bin}/gdbus Cx -> bus,
@{bin}/gdbus Ux,
@{bin}/gdbus Cx -> bus,
# @{bin}/gdbus Ux,
'';
"local/vesktop" = ''
@ -125,8 +130,9 @@ in
security.apparmor.policies = {
passff = {
enable = true;
enforce = true;
state = "enforce";
# enable = true;
# enforce = true;
profile = ''
abi <abi/4.0>,
include <tunables/global>
@ -139,8 +145,9 @@ in
};
swaymux = {
enable = true;
enforce = true;
state = "enforce";
# enable = true;
# enforce = true;
profile = ''
abi <abi/4.0>,
include <tunables/global>
@ -153,9 +160,46 @@ in
'';
};
# speech-dispatcher-test = {
# enable = true;
# enforce = true;
# profile = ''#
#
#abi <abi/4.0>,
#
#include <tunables/global>
#
#@{exec_path} = @{bin}/speech-dispatcher
#profile speech-dispatcher ${getExe' pkgs.speechd "speech-dispatcher"} flags=(complain) {
# include <abstractions/base>
# include <abstractions/audio-client>
# include <abstractions/bus-session>
# include <abstractions/consoles>
# include <abstractions/nameservice-strict>
# network inet stream,
# network inet6 stream,
# @{exec_path} mr,
# @{sh_path} ix,
# @{lib}/speech-dispatcher/** r,
# @{lib}/speech-dispatcher/speech-dispatcher-modules/* ix,
# /etc/machine-id r,
# /etc/speech-dispatcher/{,**} r,
# owner @{run}/user/@{uid}/speech-dispatcher/ rw,
# owner @{run}/user/@{uid}/speech-dispatcher/** rwk,
# include if exists <local/speech-dispatcher>
#} '';
# };
osu-lazer = {
enable = true;
enforce = true;
state = "enforce";
# enable = true;
# enforce = true;
profile = ''
abi <abi/4.0>,
include <tunables/global>
@ -203,6 +247,7 @@ in
@{bin}/gawk ix,
@{bin}/xdg-mime Px,
/usr/bin/xdg-mime Px,
${getExe' pkgs.gamemode "gamemoderun"} ix,
owner @{HOME}/@{XDG_DATA_DIR}/osu/** rwkm,

View file

@ -54,7 +54,7 @@ in
p7zip
fbcat
gomuks
# gomuks
imagemagick
nmap

View file

@ -14,7 +14,14 @@ let
attrNames
;
plugins = {
ranger_udisk_menu = inputs.ranger_udisk_menu;
ranger_udisk_menu = pkgs.fetchFromGitea {
domain = "git.grimmauld.de";
owner = "grimmauld";
repo = "ranger_udisk_menu";
rev = "981756147834bb485ebcfa0e41ad60d05ccc4351";
hash = "sha256-5nFpEO/54MO6Esvkcqcyw2TI37ham70LkHtOXrYXfbY=";
};
# inputs.ranger_udisk_menu;
};
in
{

View file

@ -46,7 +46,7 @@ in
gnupg
libsecret
vulnix
agenix
# agenix
yubikey-manager
yubico-pam

View file

@ -3,7 +3,7 @@
imports = [
./overlays
./common
./fake_flake.nix
# ./fake_flake.nix
./users.nix
];
@ -15,6 +15,9 @@
services.logrotate.checkConfig = false; # fixme: actually needed?
nix.package = pkgs.lix;
nixpkgs.config.allowUnfree = true;
grimmShared = {
enable = true;
locale = true;

View file

@ -1,148 +0,0 @@
{
pkgs,
lib,
config,
system,
...
}:
let
nivSources = import ./nix/sources.nix;
asGithubRef = src: "github:${src.owner}/${src.repo}/${src.rev}";
build_target =
let
env_host = builtins.getEnv "NIXOS_TARGET_HOST";
in
if env_host != "" then
env_host
else
builtins.replaceStrings [ "\n" ] [ "" ] (lib.toLower (builtins.readFile /proc/sys/kernel/hostname));
host_modules = {
grimmauld-nixos = [ ./specific/grimm-nixos-laptop/configuration.nix ];
grimm-nixos-ssd = [ ./specific/grimm-nixos-ssd/configuration.nix ];
grimmauld-nixos-server = [
./specific/grimmauld-nixos-server/configuration.nix
./modules
];
};
nixpkgs_patches = [
#{
# # xonsh update
# url = "https://patch-diff.githubusercontent.com/raw/NixOS/nixpkgs/pull/305316.patch";
# hash = "sha256-W3jh6qRA/7V1fImLm3vRmaT6h6gL5rlNBUuIidZHaZc=";
#}
];
in
# enable ccache for lix if ccache is enabled
# enable_lix_ccache = true;
{
imports = [
"${nivSources.agenix}/modules/age.nix"
"${nivSources.nixos-mailserver}/default.nix"
"${nivSources.nixos-matrix-modules}/module.nix"
(builtins.getFlake (asGithubRef nivSources.aagl-gtk-on-nix)).nixosModules.default
# fixme: ideally we'd not rely on the flake syntax to load the module
(builtins.getFlake (asGithubRef nivSources.chaotic)).nixosModules.default
# (builtins.getFlake (asGithubRef nivSources.nixos-matrix-modules)).nixosModules.default
# (builtins.getFlake "git+${nivSources.nixos-mailserver.repo}").nixosModules.default
] ++ lib.optionals (builtins.hasAttr build_target host_modules) host_modules.${build_target};
system.nixos = {
distroId = "lixos";
distroName = "LixOS";
};
environment.sessionVariables =
let
inherit (config.system.nixos) distroName version codeName;
in
{
distro = "${distroName} ${version} (${codeName}) ${system}";
};
documentation.doc.enable = false;
# nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ];
# programs.ccache.enable = true;
environment.systemPackages =
let
inherit (lib)
getExe
attrNames
optionalString
elem
concatLines
;
inherit (pkgs) writeShellScriptBin nix-output-monitor;
in
[
(writeShellScriptBin "nixos-build-all" (
concatLines (
map (
n:
"NIXOS_TARGET_HOST=${n} nixos-rebuild build --show-trace --upgrade"
+ optionalString (elem nix-output-monitor config.environment.systemPackages) " |& ${getExe nix-output-monitor}"
) (attrNames host_modules)
)
))
];
nixpkgs =
let
src = nivSources.nixpkgs;
unpatched = import src { inherit config system; };
inherit (unpatched) applyPatches fetchpatch;
config = {
allowUnfree = true;
permittedInsecurePackages = [
"olm-3.2.16"
"jitsi-meet-1.0.8043"
];
};
in
{
hostPlatform = system;
pkgs =
if (nixpkgs_patches != [ ]) then
(import (applyPatches {
name = "nixpkgs-patched";
inherit src;
patches = map fetchpatch nixpkgs_patches;
}) { inherit config; })
else
unpatched;
overlays = [
# (import "${nivSources.lix-module}/overlay.nix" { lix = nivSources.lix-pkg; })
(final: prev: { agenix = final.callPackage "${nivSources.agenix}/pkgs/agenix.nix" { }; })
];
};
_module.args = {
system = "x86_64-linux";
inputs = nivSources;
};
nix.package = pkgs.lix;
nix.settings.extra-substituters = [
# "https://cache.lix.systems"
"https://nyx.chaotic.cx/"
"https://ezkea.cachix.org"
];
nix.settings.trusted-public-keys = [
# "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o="
"nyx.chaotic.cx-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8="
"chaotic-nyx.cachix.org-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8="
"ezkea.cachix.org-1:ioBmUbJTZIKsHmWWXPe1FSFbeVe+afhfgqgTSNd34eI="
];
}

345
flake.lock Normal file
View file

@ -0,0 +1,345 @@
{
"nodes": {
"aagl-gtk-on-nix": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1728524457,
"narHash": "sha256-R+GJ3H1PvRUHLm45muY1KEezhfgIl8l7HJ36DySZMu0=",
"owner": "ezKEa",
"repo": "aagl-gtk-on-nix",
"rev": "5611dd61df02e0bc5d62bb3f5388821d8854faff",
"type": "github"
},
"original": {
"owner": "ezKEa",
"repo": "aagl-gtk-on-nix",
"type": "github"
}
},
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1723293904,
"narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
"owner": "ryantm",
"repo": "agenix",
"rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"blobs": {
"flake": false,
"locked": {
"lastModified": 1604995301,
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"type": "gitlab"
}
},
"chaotic": {
"inputs": {
"flake-schemas": "flake-schemas",
"home-manager": "home-manager_2",
"jovian": "jovian",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1729599319,
"narHash": "sha256-e/4JPcIRte5zkwqmGFrFo3763e0iHURX6N0apz4jbI0=",
"owner": "chaotic-cx",
"repo": "nyx",
"rev": "1b86b304c8eb1437d9337a760e7f930826fc4d6d",
"type": "github"
},
"original": {
"owner": "chaotic-cx",
"ref": "nyxpkgs-unstable",
"repo": "nyx",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-schemas": {
"locked": {
"lastModified": 1721999734,
"narHash": "sha256-G5CxYeJVm4lcEtaO87LKzOsVnWeTcHGKbKxNamNWgOw=",
"rev": "0a5c42297d870156d9c57d8f99e476b738dcd982",
"revCount": 75,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/DeterminateSystems/flake-schemas/0.1.5/0190ef2f-61e0-794b-ba14-e82f225e55e6/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/DeterminateSystems/flake-schemas/%3D0.1.5.tar.gz"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"chaotic",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729414726,
"narHash": "sha256-Dtmm1OU8Ymiy9hVWn/a2B8DhRYo9Eoyx9veERdOBR4o=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "fe56302339bb28e3471632379d733547caec8103",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"jovian": {
"inputs": {
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"chaotic",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729177642,
"narHash": "sha256-DdKal+ZhB9QD/tnEwFg4cZ4j4YnrkvSljBxnyG+3eE0=",
"owner": "Jovian-Experiments",
"repo": "Jovian-NixOS",
"rev": "bb69165ff372ddbd3228a03513922acd783040e8",
"type": "github"
},
"original": {
"owner": "Jovian-Experiments",
"repo": "Jovian-NixOS",
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"chaotic",
"jovian",
"nixpkgs"
]
},
"locked": {
"lastModified": 1690328911,
"narHash": "sha256-fxtExYk+aGf2YbjeWQ8JY9/n9dwuEt+ma1eUFzF8Jeo=",
"owner": "zhaofengli",
"repo": "nix-github-actions",
"rev": "96df4a39c52f53cb7098b923224d8ce941b64747",
"type": "github"
},
"original": {
"owner": "zhaofengli",
"ref": "matrix-name",
"repo": "nix-github-actions",
"type": "github"
}
},
"nixos-mailserver": {
"inputs": {
"blobs": "blobs",
"flake-compat": "flake-compat_2",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-24_05": "nixpkgs-24_05"
},
"locked": {
"lastModified": 1722877200,
"narHash": "sha256-qgKDNJXs+od+1UbRy62uk7dYal3h98I4WojfIqMoGcg=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "af7d3bf5daeba3fc28089b015c0dd43f06b176f2",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"ref": "master",
"repo": "nixos-mailserver",
"type": "gitlab"
}
},
"nixos-matrix-modules": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1727410897,
"narHash": "sha256-tWsyxvf421ieWUJYgjV7m1eTdr2ZkO3vId7vmtvfFpQ=",
"owner": "dali99",
"repo": "nixos-matrix-modules",
"rev": "ff787d410cba17882cd7b6e2e22cc88d4064193c",
"type": "github"
},
"original": {
"owner": "dali99",
"repo": "nixos-matrix-modules",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1729413321,
"narHash": "sha256-I4tuhRpZFa6Fu6dcH9Dlo5LlH17peT79vx1y1SpeKt0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "1997e4aa514312c1af7e2bda7fad1644e778ff26",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-24_05": {
"locked": {
"lastModified": 1717144377,
"narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "805a384895c696f802a9bf5bf4720f37385df547",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-24.05",
"type": "indirect"
}
},
"root": {
"inputs": {
"aagl-gtk-on-nix": "aagl-gtk-on-nix",
"agenix": "agenix",
"chaotic": "chaotic",
"nixos-mailserver": "nixos-mailserver",
"nixos-matrix-modules": "nixos-matrix-modules",
"nixpkgs": "nixpkgs"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

90
flake.nix Normal file
View file

@ -0,0 +1,90 @@
{
description = "grimmauld-nixos";
inputs = {
nixpkgs = {
url = "github:NixOS/nixpkgs/nixos-unstable";
# url = "git+file:///home/grimmauld/coding/nixpkgs";
};
chaotic = {
url = "github:chaotic-cx/nyx/nyxpkgs-unstable";
inputs.nixpkgs.follows = "nixpkgs";
};
agenix = {
url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-mailserver = {
url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-matrix-modules = {
url = "github:dali99/nixos-matrix-modules";
inputs.nixpkgs.follows = "nixpkgs";
};
# ranger_udisk_menu.url = "git+https://git.grimmauld.de/Grimmauld/ranger_udisk_menu";
# glibc-eac.url = "github:Frogging-Family/glibc-eac";
aagl-gtk-on-nix = {
url = "github:ezKEa/aagl-gtk-on-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = inputs @ { self, agenix, nixpkgs, chaotic, aagl-gtk-on-nix, nixos-mailserver, nixos-matrix-modules, ... }:
let
patches = [
./aa_mod.patch
];
customNixosSystem = system: definitions:
let
unpatched = nixpkgs.legacyPackages.${system};
patched = unpatched.applyPatches {
name = "nixpkgs-patched";
src = inputs.nixpkgs;
patches = map (p: if (builtins.isPath p) then p else (unpatched.fetchpatch p)) patches;
};
nixosSystem = import (patched + "/nixos/lib/eval-config.nix");
in
nixosSystem ({
inherit system;
specialArgs = { inherit inputs system; };
} // definitions);
in
{
nixosConfigurations = {
grimmauld-nixos = customNixosSystem "x86_64-linux" {
modules = [
agenix.nixosModules.default
chaotic.nixosModules.default
aagl-gtk-on-nix.nixosModules.default
./configuration.nix
./specific/grimm-nixos-laptop/configuration.nix
];
};
grimm-nixos-ssd = customNixosSystem "x86_64-linux" {
modules = [
agenix.nixosModules.default
chaotic.nixosModules.default
aagl-gtk-on-nix.nixosModules.default
./configuration.nix
./specific/grimm-nixos-ssd/configuration.nix
];
};
grimmauld-nixos-server = customNixosSystem "x86_64-linux" {
modules = [
agenix.nixosModules.default
nixos-matrix-modules.nixosModules.default
nixos-mailserver.nixosModules.default
./configuration.nix
./specific/grimmauld-nixos-server/configuration.nix
./modules
];
};
};
};
}

View file

@ -1,110 +0,0 @@
{
"aagl-gtk-on-nix": {
"branch": "main",
"description": "Run an-anime-game-launcher GTK version on Nix/NixOS!",
"homepage": null,
"owner": "ezKEa",
"repo": "aagl-gtk-on-nix",
"rev": "5611dd61df02e0bc5d62bb3f5388821d8854faff",
"sha256": "1v9jk4j0zylx3ixwk5q8z22v6ir86pk9lfbf5q3ibgaggpf8kqa7",
"type": "tarball",
"url": "https://github.com/ezKEa/aagl-gtk-on-nix/archive/5611dd61df02e0bc5d62bb3f5388821d8854faff.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"agenix": {
"branch": "main",
"description": "age-encrypted secrets for NixOS and Home manager",
"homepage": "https://matrix.to/#/#agenix:nixos.org",
"owner": "ryantm",
"repo": "agenix",
"rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
"sha256": "1x8nd8hvsq6mvzig122vprwigsr3z2skanig65haqswn7z7amsvg",
"type": "tarball",
"url": "https://github.com/ryantm/agenix/archive/f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"authentik-nix": {
"branch": "main",
"description": "Nix flake with package, NixOS module and basic VM test for authentik. Trying to provide an alternative deployment mode to the officially supported docker-compose approach. Not affiliated with or officially supported by the authentik project [maintainer=@willibutz]",
"homepage": "",
"owner": "nix-community",
"repo": "authentik-nix",
"rev": "31128721a9f879777870adb88ebc6166112ff172",
"sha256": "19ba00nl39lmdi58y70l9l0llviqjsv1ligh2ihzsrzb795z0dw7",
"type": "tarball",
"url": "https://github.com/nix-community/authentik-nix/archive/31128721a9f879777870adb88ebc6166112ff172.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"chaotic": {
"branch": "main",
"description": "Nix flake for \"too much bleeding-edge\" and unreleased packages (e.g., mesa_git, linux_cachyos, firefox_nightly, sway_git, gamescope_git). And experimental modules (e.g., HDR, duckdns).",
"homepage": "https://nyx.chaotic.cx",
"owner": "chaotic-cx",
"repo": "nyx",
"rev": "0fff4bd8bce411eddb86756a66e89cecda16e0a4",
"sha256": "1iynss5f8dcrhxgy334df70pvaj7a0661whiwajy0s2lfgpw0kjs",
"type": "tarball",
"url": "https://github.com/chaotic-cx/nyx/archive/0fff4bd8bce411eddb86756a66e89cecda16e0a4.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"glibc-eac": {
"branch": "main",
"description": "Arch glibc with the commit breaking eos-eac reverted - https://github.com/archlinux/svntogit-packages/tree/4da6c3e804e21c39908aa8a3cb597f19e6d764ef/trunk",
"homepage": "",
"owner": "Frogging-Family",
"repo": "glibc-eac",
"rev": "de5df722493768cb02e23ce0703429636458befb",
"sha256": "1yx3hal1kwj28ij688inaww169rj74iv3l3bwa74r3y4msdfnl80",
"type": "tarball",
"url": "https://github.com/Frogging-Family/glibc-eac/archive/de5df722493768cb02e23ce0703429636458befb.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"lix-module": {
"branch": "main",
"repo": "https://git.lix.systems/lix-project/nixos-module.git",
"rev": "fd186f535a4ac7ae35d98c1dd5d79f0a81b7976d",
"type": "git"
},
"lix-pkg": {
"branch": "main",
"repo": "https://git.lix.systems/lix-project/lix.git",
"rev": "f6077314fa6aff862758095bb55fe844e9162a1d",
"type": "git"
},
"nixos-mailserver": {
"branch": "master",
"repo": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git",
"rev": "af7d3bf5daeba3fc28089b015c0dd43f06b176f2",
"type": "git"
},
"nixos-matrix-modules": {
"branch": "master",
"description": "NixOS modules for matrix related services",
"homepage": null,
"owner": "dali99",
"repo": "nixos-matrix-modules",
"rev": "ff787d410cba17882cd7b6e2e22cc88d4064193c",
"sha256": "150nvzdrmvyy47pyv44rpmv96mwvgcsq4n22b6g5inzqyz334sxm",
"type": "tarball",
"url": "https://github.com/dali99/nixos-matrix-modules/archive/ff787d410cba17882cd7b6e2e22cc88d4064193c.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"nixpkgs": {
"branch": "nixos-unstable",
"description": "Nix Packages collection",
"homepage": null,
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a3c0b3b21515f74fd2665903d4ce6bc4dc81c77c",
"sha256": "1wn29537l343lb0id0byk0699fj0k07m1n2d7jx2n0ssax55vhwy",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/a3c0b3b21515f74fd2665903d4ce6bc4dc81c77c.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"ranger_udisk_menu": {
"branch": "master",
"repo": "https://git.grimmauld.de/Grimmauld/ranger_udisk_menu.git",
"rev": "981756147834bb485ebcfa0e41ad60d05ccc4351",
"type": "git"
}
}

View file

@ -1,249 +0,0 @@
# This file has been generated by Niv.
let
#
# The fetchers. fetch_<type> fetches specs of type <type>.
#
fetch_file =
pkgs: name: spec:
let
name' = sanitizeName name + "-src";
in
if spec.builtin or true then
builtins_fetchurl {
inherit (spec) url sha256;
name = name';
}
else
pkgs.fetchurl {
inherit (spec) url sha256;
name = name';
};
fetch_tarball =
pkgs: name: spec:
let
name' = sanitizeName name + "-src";
in
if spec.builtin or true then
builtins_fetchTarball {
name = name';
inherit (spec) url sha256;
}
else
pkgs.fetchzip {
name = name';
inherit (spec) url sha256;
};
fetch_git =
name: spec:
let
ref =
spec.ref or (
if spec ? branch then
"refs/heads/${spec.branch}"
else if spec ? tag then
"refs/tags/${spec.tag}"
else
abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"
);
submodules = spec.submodules or false;
submoduleArg =
let
nixSupportsSubmodules = builtins.compareVersions builtins.nixVersion "2.4" >= 0;
emptyArgWithWarning =
if submodules then
builtins.trace (
"The niv input \"${name}\" uses submodules "
+ "but your nix's (${builtins.nixVersion}) builtins.fetchGit "
+ "does not support them"
) { }
else
{ };
in
if nixSupportsSubmodules then { inherit submodules; } else emptyArgWithWarning;
in
builtins.fetchGit (
{
url = spec.repo;
inherit (spec) rev;
inherit ref;
}
// submoduleArg
);
fetch_local = spec: spec.path;
fetch_builtin-tarball =
name:
throw ''
[${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`.
$ niv modify ${name} -a type=tarball -a builtin=true'';
fetch_builtin-url =
name:
throw ''
[${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`.
$ niv modify ${name} -a type=file -a builtin=true'';
#
# Various helpers
#
# https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695
sanitizeName =
name:
(concatMapStrings (s: if builtins.isList s then "-" else s) (
builtins.split "[^[:alnum:]+._?=-]+" ((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name)
));
# The set of packages used when specs are fetched using non-builtins.
mkPkgs =
sources: system:
let
sourcesNixpkgs = import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) {
inherit system;
};
hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath;
hasThisAsNixpkgsPath = <nixpkgs> == ./.;
in
if builtins.hasAttr "nixpkgs" sources then
sourcesNixpkgs
else if hasNixpkgsPath && !hasThisAsNixpkgsPath then
import <nixpkgs> { }
else
abort ''
Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or
add a package called "nixpkgs" to your sources.json.
'';
# The actual fetching function.
fetch =
pkgs: name: spec:
if !builtins.hasAttr "type" spec then
abort "ERROR: niv spec ${name} does not have a 'type' attribute"
else if spec.type == "file" then
fetch_file pkgs name spec
else if spec.type == "tarball" then
fetch_tarball pkgs name spec
else if spec.type == "git" then
fetch_git name spec
else if spec.type == "local" then
fetch_local spec
else if spec.type == "builtin-tarball" then
fetch_builtin-tarball name
else if spec.type == "builtin-url" then
fetch_builtin-url name
else
abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}";
# If the environment variable NIV_OVERRIDE_${name} is set, then use
# the path directly as opposed to the fetched source.
replace =
name: drv:
let
saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name;
ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}";
in
if ersatz == "" then
drv
else
# this turns the string into an actual Nix path (for both absolute and
# relative paths)
if builtins.substring 0 1 ersatz == "/" then
/. + ersatz
else
/. + builtins.getEnv "PWD" + "/${ersatz}";
# Ports of functions for older nix versions
# a Nix version of mapAttrs if the built-in doesn't exist
mapAttrs =
builtins.mapAttrs or (
f: set:
with builtins;
listToAttrs (
map (attr: {
name = attr;
value = f attr set.${attr};
}) (attrNames set)
)
);
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
range =
first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1);
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
concatMapStrings = f: list: concatStrings (map f list);
concatStrings = builtins.concatStringsSep "";
# https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331
optionalAttrs = cond: as: if cond then as else { };
# fetchTarball version that is compatible between all the versions of Nix
builtins_fetchTarball =
{
url,
name ? null,
sha256,
}@attrs:
let
inherit (builtins) lessThan nixVersion fetchTarball;
in
if lessThan nixVersion "1.12" then
fetchTarball ({ inherit url; } // (optionalAttrs (name != null) { inherit name; }))
else
fetchTarball attrs;
# fetchurl version that is compatible between all the versions of Nix
builtins_fetchurl =
{
url,
name ? null,
sha256,
}@attrs:
let
inherit (builtins) lessThan nixVersion fetchurl;
in
if lessThan nixVersion "1.12" then
fetchurl ({ inherit url; } // (optionalAttrs (name != null) { inherit name; }))
else
fetchurl attrs;
# Create the final "sources" from the config
mkSources =
config:
mapAttrs (
name: spec:
if builtins.hasAttr "outPath" spec then
abort "The values in sources.json should not have an 'outPath' attribute"
else
spec // { outPath = replace name (fetch config.pkgs name spec); }
) config.sources;
# The "config" used by the fetchers
mkConfig =
{
sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null,
sources ? if sourcesFile == null then { } else builtins.fromJSON (builtins.readFile sourcesFile),
system ? builtins.currentSystem,
pkgs ? mkPkgs sources system,
}:
rec {
# The sources, i.e. the attribute set of spec name to spec
inherit sources;
# The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers
inherit pkgs;
};
in
mkSources (mkConfig { }) // { __functor = _: settings: mkSources (mkConfig settings); }

View file

@ -35,7 +35,6 @@
./searchclip.nix
./confwhich.nix
./rfindup.nix
./glibc-eac.nix
./factorio.nix
./ranger.nix
./ncspot.nix

View file

@ -1,17 +0,0 @@
{ prev, inputs, ... }:
let
glibc_patches = [ "rogue_company_reverts.patch" ];
in
{
glibc-eac = prev.glibc.overrideAttrs (old: {
patches =
(
let
oldPatches = old.patches or [ ];
in
if oldPatches == null then [ ] else oldPatches
)
++ (map (p: "${inputs.glibc-eac}/${p}") glibc_patches);
doCheck = false;
});
}

View file

@ -40,8 +40,8 @@
[
vesktop
obs-studio
element-desktop
ghidra
# element-desktop
# ghidra
rmview
]
);