diff --git a/aa_mod.patch b/aa_mod.patch
new file mode 100644
index 0000000..ae0eb7b
--- /dev/null
+++ b/aa_mod.patch
@@ -0,0 +1,75 @@
+diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix
+index a4b3807e4e0f..c7c879c39d12 100644
+--- a/nixos/modules/security/apparmor.nix
++++ b/nixos/modules/security/apparmor.nix
+@@ -3,15 +3,11 @@
+ with lib;
+
+ let
+- inherit (builtins) attrNames head map match readFile;
++ inherit (builtins) attrNames map match;
+ inherit (lib) types;
+ inherit (config.environment) etc;
+ cfg = config.security.apparmor;
+- mkDisableOption = name: mkEnableOption name // {
+- default = true;
+- example = false;
+- };
+- enabledPolicies = filterAttrs (n: p: p.enable) cfg.policies;
++ enabledPolicies = filterAttrs (n: p: p.state != "disable") cfg.policies;
+ in
+
+ {
+@@ -47,13 +43,30 @@ in
+ '';
+ type = types.attrsOf (types.submodule ({ name, config, ... }: {
+ options = {
+- enable = mkDisableOption "loading of the profile into the kernel";
+- enforce = mkDisableOption "enforcing of the policy or only complain in the logs";
++ state = mkOption {
++ description =
++ "The state of the profile as applied to the system by nix";
++ type = types.enum [ "disable" "complain" "enforce" ];
++ # should enforce really be the default?
++ # the docs state that this should only be used once one is REALLY sure nothing's gonna break
++ default = "enforce";
++ };
++
+ profile = mkOption {
+- description = "The policy of the profile.";
++ description = "The policy of the profile. Incompatible with path.";
+ type = types.lines;
+- apply = pkgs.writeText name;
+ };
++
++ path = mkOption {
++ type = types.nullOr types.path;
++ default = null;
++ description = "A path of a profile to include. Incompatible with profile.";
++ apply = p: let
++ inherit (config) profile;
++ in assert (assertMsg ((p != null && profile == "") || (p == null && profile != ""))
++ "`security.apparmor.policies.\"${name}\"` must define exactly one of either path or profile.");
++ (if (p != null) then p else (pkgs.writeText name profile));
++ };
+ };
+ }));
+ default = {};
+@@ -108,7 +121,7 @@ in
+ environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" (
+ # It's important to put only enabledPolicies here and not all cfg.policies
+ # because aa-remove-unknown reads profiles from all /etc/apparmor.d/*
+- mapAttrsToList (name: p: { inherit name; path = p.profile; }) enabledPolicies ++
++ mapAttrsToList (name: p: { inherit name; path = p.path; }) enabledPolicies ++
+ mapAttrsToList (name: path: { inherit name path; }) cfg.includes
+ );
+ environment.etc."apparmor/parser.conf".text = ''
+@@ -187,7 +200,7 @@ in
+ xargs --verbose --no-run-if-empty --delimiter='\n' \
+ kill
+ '';
+- commonOpts = p: "--verbose --show-cache ${optionalString (!p.enforce) "--complain "}${p.profile}";
++ commonOpts = p: "--verbose --show-cache ${optionalString (p.state == "complain") "--complain "}${p.path}";
+ in {
+ Type = "oneshot";
+ RemainAfterExit = "yes";
diff --git a/common/graphics/fonts.nix b/common/graphics/fonts.nix
index 5519d95..aebdf5f 100644
--- a/common/graphics/fonts.nix
+++ b/common/graphics/fonts.nix
@@ -12,7 +12,7 @@ in
 fonts = {
 packages = with pkgs; [
 noto-fonts
- noto-fonts-cjk
+ noto-fonts-cjk-sans
 font-awesome
 # noto-fonts-emoji
 noto-fonts-monochrome-emoji
diff --git a/common/tooling/apparmor/apparmor-d-module.nix b/common/tooling/apparmor/apparmor-d-module.nix
index 1aaf3a7..11ce76c 100644
--- a/common/tooling/apparmor/apparmor-d-module.nix
+++ b/common/tooling/apparmor/apparmor-d-module.nix
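Review bot: In the `path` option's `apply`, the assertion `(p != null && profile == "") || (p == null && profile != "")` reads `profile` whenever `path` is set, but `profile` keeps `type = types.lines` with no `default`, so a policy that sets only `path` appears to fail with nixpkgs' "option has no value defined" error before the assertion message is ever reached (nothing in this repository sets `path` alone, so that branch is untested here). Adding `default = "";` to the `profile` option is what lets the exactly-one-of check do its job. The `# should enforce really be the default?` question is better answered in place: `default = "enforce"` reproduces the previous `enable = true; enforce = true;` defaults, so a comment like `# "enforce" keeps the pre-patch default (enable = true, enforce = true)` records that the patch does not change what gets loaded.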
@@ -5,7 +5,7 @@
 ...
 }:
 let
- inherit (lib) mkIf mapAttrs assertMsg pathIsRegularFile;
+ inherit (lib) mkIf mapAttrs assertMsg pathIsRegularFile mkForce;
 cfg = config.security.apparmor_d;
 apparmor-d = pkgs.callPackage ./apparmor-d-package.nix {};
@@ -23,15 +23,18 @@ let
 config = mkIf (cfg.enable) {
 security.apparmor.packages = [ apparmor-d ];
- security.apparmor.policies = mapAttrs (name: value: {
- enable = value != "disable";
- enforce = value == "enforce";
+ security.apparmor.policies = mapAttrs (name: state: {
+ inherit state;
 profile = let
 file = "${apparmor-d}/etc/apparmor.d/${name}";
 in assert assertMsg (pathIsRegularFile file) "profile ${name} not found in apparmor.d path (${file})";
 ''include "${file}"'';
 }) cfg.profiles;
+
+ specialisation.no-apparmor.configuration = {
+ security.apparmor.enable = mkForce false;
+ };
 environment.systemPackages = [ apparmor-d ];
 };
diff --git a/common/tooling/apparmor/apparmor-d-package.nix b/common/tooling/apparmor/apparmor-d-package.nix
index ee34ca3..65105a0 100644
--- a/common/tooling/apparmor/apparmor-d-package.nix
+++ b/common/tooling/apparmor/apparmor-d-package.nix
@@ -1,4 +1,4 @@
-{ buildGoModule, fetchFromGitHub, git, lib }:
+{ buildGoModule, fetchFromGitHub, git, lib, unstableGitUpdater }:
 buildGoModule {
 pname = "apparmor-d";
 version = "unstable-2024-10-12";
@@ -13,7 +13,6 @@ buildGoModule {
 vendorHash = "sha256-YkOcpzn5AKFMDWUYbKY8DzGMiIMSyaDfexFmXv5HNQI=";
 doCheck = false;
- #dontBuild = true;
 nativeBuildInputs = [ git ];
@@ -26,10 +25,12 @@ buildGoModule {
 "cmd/aa-log"
 ];
+ passthru.updateScript = unstableGitUpdater { };
+ + postInstall = '' + mkdir -p $out/etc
- DISTRIBUTION=opensuse $out/bin/prebuild --abi 4 # fixme: replace with nixos support once available
+ DISTRIBUTION=arch $out/bin/prebuild --abi 4 # fixme: replace with nixos support once available
 mv .build/apparmor.d $out/etc
 rm $out/bin/prebuild
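Review bot: `specialisation.no-apparmor.configuration` creates a bootloader entry that force-disables AppArmor on every host where `cfg.enable` is set, and nothing in the hunk records that this is an intentional recovery path or that the entry is selectable by whoever is at the boot menu. If it is meant for recovering from a bad profile, say so above it, e.g. `# recovery boot entry: starts the same system with AppArmor off`, and consider gating it behind its own option (something like `cfg.recoverySpecialisation`, a name constructed here) so hosts that want enforcement to be non-optional can leave it out. The `state` values from `cfg.profiles` are forwarded unvalidated into `security.apparmor.policies`; that is fine as long as the `profiles` option (declared outside this hunk) uses the same enum as the patched `state` option, otherwise a typo is only caught at the nixpkgs option rather than at the user-facing one.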
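Review bot: `passthru.updateScript = unstableGitUpdater { };` bumps `version` and the `src` rev/hash on an update but, as far as I know, leaves `vendorHash = "sha256-YkOcpzn5AKFMDWUYbKY8DzGMiIMSyaDfexFmXv5HNQI="` untouched, so the first automated update fails at the Go vendor step until that hash is refreshed by hand; a comment such as `# vendorHash must be refreshed manually after updateScript bumps src` next to it saves the next person the hash-mismatch detour. The `DISTRIBUTION=opensuse` → `DISTRIBUTION=arch` switch changes which distribution's path conventions the profiles are prebuilt with, which presumably changes which paths the enforced profiles permit; the `# fixme` already notes that neither is NixOS, but one line on why arch is the closer fit would make the choice reviewable.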
diff --git a/common/tooling/apparmor/default.nix b/common/tooling/apparmor/default.nix
index 1ce8bbe..be7e1df 100644
--- a/common/tooling/apparmor/default.nix
+++ b/common/tooling/apparmor/default.nix
@@ -32,6 +32,7 @@ in
 child-open-any = "enforce";
 child-open = "enforce";
 firefox-glxtest = "enforce";
+ firefox-vaapitest = "enforce";
 gamemoded = "disable";
 pkexec = "complain";
 xdg-mime = "complain";
@@ -59,7 +60,7 @@ in
 "local/speech-dispatcher" = ''
- ${pkgs.speechd}/libexec/speech-dispatcher-modules/* rix,
+ @{nix_store}/libexec/speech-dispatcher-modules/* ix,
 @{PROC}/@{pid}/stat r,
 @{bin}/mbrola rix,
 '';
@@ -74,6 +75,10 @@ in
 owner /run/user/*/gnupg/S.keyboxd wr,
 '';
+ "local/xdg-mime" = ''
+ /dev/tty* rw,
+ '';
+
 "abstractions/app/udevadm.d/udevadm_is_exec" = ''
 @{bin}/udevadm mrix,
 '';
@@ -100,8 +105,8 @@ in
 include
 @{bin}/grep ix,
 /@{PROC}/version r,
-# @{bin}/gdbus Cx -> bus,
- @{bin}/gdbus Ux,
+ @{bin}/gdbus Cx -> bus,
+# @{bin}/gdbus Ux,
 '';
 "local/vesktop" = ''
@@ -125,8 +130,8 @@ in
 security.apparmor.policies = {
 passff = {
- enable = true;
- enforce = true;
+ state = "enforce";
+# enable = true;
+# enforce = true;
 profile = ''
 abi ,
 include
@@ -139,8 +145,9 @@ in
 };
 swaymux = {
- enable = true;
- enforce = true;
+ state = "enforce";
+# enable = true;
+# enforce = true;
 profile = ''
 abi ,
 include
@@ -153,9 +160,46 @@ in
 '';
 };
+# speech-dispatcher-test = {
+# enable = true;
+# enforce = true;
+# profile = ''#
+#
+#abi ,
+#
+#include
+#
+#@{exec_path} = @{bin}/speech-dispatcher
+#profile speech-dispatcher ${getExe' pkgs.speechd "speech-dispatcher"} flags=(complain) {
+# include
+# include
+# include
+# include
+# include
+
+# network inet stream,
+# network inet6 stream,
+
+# @{exec_path} mr,
+
+# @{sh_path} ix,
+# @{lib}/speech-dispatcher/** r,
+# @{lib}/speech-dispatcher/speech-dispatcher-modules/* ix,
+
+# /etc/machine-id r,
+# /etc/speech-dispatcher/{,**} r,
+
+# owner @{run}/user/@{uid}/speech-dispatcher/ rw,
+# owner @{run}/user/@{uid}/speech-dispatcher/** rwk,
+
+# include if exists
+#} '';
+# };
+
 osu-lazer = {
- enable = true;
- enforce = true;
+ state = "enforce";
+# enable = true;
+# enforce = true;
 profile = ''
 abi ,
 include
@@ -203,6 +247,7 @@ in
 @{bin}/gawk ix,
 @{bin}/xdg-mime Px,
+ /usr/bin/xdg-mime Px,
 ${getExe' pkgs.gamemode "gamemoderun"} ix,
 owner @{HOME}/@{XDG_DATA_DIR}/osu/** rwkm,
diff --git a/common/tooling/default.nix b/common/tooling/default.nix
index 353b4c8..36368b6 100644
--- a/common/tooling/default.nix
+++ b/common/tooling/default.nix
@@ -54,7 +54,7 @@ in
 p7zip
 fbcat
- gomuks
+# gomuks
 imagemagick
 nmap
diff --git a/common/tooling/ranger.nix b/common/tooling/ranger.nix
index 4eedc03..6a199f4 100644
--- a/common/tooling/ranger.nix
+++ b/common/tooling/ranger.nix
@@ -14,7 +14,14 @@ let
 attrNames
 ;
 plugins = {
- ranger_udisk_menu = inputs.ranger_udisk_menu;
+ ranger_udisk_menu = pkgs.fetchFromGitea {
+ domain = "git.grimmauld.de";
+ owner = "grimmauld";
+ repo = "ranger_udisk_menu";
+ rev = "981756147834bb485ebcfa0e41ad60d05ccc4351";
+ hash = "sha256-5nFpEO/54MO6Esvkcqcyw2TI37ham70LkHtOXrYXfbY=";
+ };
+# inputs.ranger_udisk_menu;
 };
 in {
diff --git a/common/tooling/security.nix b/common/tooling/security.nix
index 7b95b32..076502d 100644
--- a/common/tooling/security.nix
+++ b/common/tooling/security.nix
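Review bot: Replacing `${pkgs.speechd}/libexec/speech-dispatcher-modules/* rix,` with `@{nix_store}/libexec/speech-dispatcher-modules/* ix,` widens the rule from one specific store path to every store path that contains a `libexec/speech-dispatcher-modules/` directory, assuming `@{nix_store}` (defined outside this hunk) expands to a `/nix/store/*`-style pattern; any derivation with that layout, not only the speechd build the system was evaluated against, is then executable with inherited confinement. If the aim was to stop the profile text changing on every speechd rebuild, keeping the exact path is the tighter option, and if the wide match is intended a comment such as `# any store speechd build, not just pkgs.speechd: profile survives speechd overrides` makes it a decision rather than an accident. Dropping `r` from `rix` is also worth confirming, since a module that is a script needs read access for its interpreter.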
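Review bot: The new `"local/xdg-mime"` rule `/dev/tty* rw,` covers the controlling terminal but also every virtual console, `/dev/ttyS*` and `/dev/ttyUSB*`; DAC may still refuse most of those, but the profile itself no longer limits xdg-mime to its own terminal. If the denial being fixed was for the controlling terminal, `/dev/tty rw,` is the narrower rule, and if a numbered console is needed `/dev/tty[0-9]* rw,` keeps serial devices out. Recording the triggering denial next to the rule, e.g. `# fixes: <DENIED line from aa-log>` with the real entry substituted, keeps the reason reviewable later.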
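Review bot: The replaced `enable = true; enforce = true;` pairs are kept as `# enable = true;` / `# enforce = true;` comments under the new `state = "enforce";` here (passff) and again in the `swaymux` (@@ -139) and `osu-lazer` (@@ -153) hunks; @@ -153 also parks a ~35-line `speech-dispatcher-test` policy in comments, and @@ -100 keeps `# @{bin}/gdbus Ux,` next to the new `@{bin}/gdbus Cx -> bus,` rule. Commented-out policy text is dead weight every reader has to skip to find the live rules, and the old form is already in git history, so removing those comments is the cleaner result. If the speech-dispatcher-test profile is meant to return, declaring it with `state = "disable";` keeps it evaluated and out of `/etc/apparmor.d` instead of rotting in a comment.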
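Review bot: `/usr/bin/xdg-mime Px,` is added right after `@{bin}/xdg-mime Px,`; if `@{bin}` already expands to a pattern covering `/usr/bin` (as apparmor.d's default tunables do, I believe) the new line is redundant, and if it does not, the reason osu-lazer sees xdg-mime under `/usr/bin` (an FHS-style environment, presumably) deserves a comment such as `# osu-lazer runs in an FHS env where xdg-mime is /usr/bin/xdg-mime`. `Px` also denies the exec when no profile is attached to that path, so confirm that the xdg-mime profile matches `/usr/bin/xdg-mime` and not only `@{bin}/xdg-mime`. The enclosing `profile = ''...''` string starts and ends outside the hunk.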
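Review bot: `pkgs.fetchFromGitea { ... rev = "981756147834bb485ebcfa0e41ad60d05ccc4351"; hash = "sha256-5nFpEO/54MO6Esvkcqcyw2TI37ham70LkHtOXrYXfbY="; }` pins the plugin by full commit and output hash, which is the right shape for an out-of-tree source; the `# inputs.ranger_udisk_menu;` left below it is dead text now that the flake input is gone and can be deleted. Note that `owner` is spelled `grimmauld` here while the removed `nix/sources.json` entry used `Grimmauld`; Gitea owner lookups are usually case-insensitive and the hash pins the content either way, but matching the spelling avoids a confusing fetch failure if they are not.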
@@ -46,7 +46,7 @@ in
 gnupg
 libsecret
 vulnix
- agenix
+# agenix
 yubikey-manager
 yubico-pam
diff --git a/configuration.nix b/configuration.nix
index 453b2ec..5f7c26e 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -3,7 +3,7 @@
 imports = [
 ./overlays
 ./common
- ./fake_flake.nix
+# ./fake_flake.nix
 ./users.nix
 ];
@@ -15,6 +15,9 @@
 services.logrotate.checkConfig = false; # fixme: actually needed?
+ nix.package = pkgs.lix;
+ nixpkgs.config.allowUnfree = true;
+
 grimmShared = {
 enable = true;
 locale = true;
diff --git a/fake_flake.nix b/fake_flake.nix
deleted file mode 100644
index 6366435..0000000
--- a/fake_flake.nix
+++ /dev/null
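Review bot: `nixpkgs.config.allowUnfree = true;` carries over only part of the `nixpkgs.config` that the deleted `fake_flake.nix` set; its `permittedInsecurePackages = [ "olm-3.2.16" "jitsi-meet-1.0.8043" ]` is not re-added. That is the safer direction, as anything still pulling those packages in now fails evaluation with nixpkgs' insecure-package error instead of being allowed silently, but it is worth confirming it was deliberate, e.g. `# permittedInsecurePackages from fake_flake.nix intentionally dropped`. The `# ./fake_flake.nix` comment in the `imports` hunk refers to a file this commit deletes, so it can simply go rather than staying as a comment.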
@@ -1,148 +0,0 @@ -{ - pkgs, - lib, - config, - system, - ... -}: -let - nivSources = import ./nix/sources.nix; - asGithubRef = src: "github:${src.owner}/${src.repo}/${src.rev}"; - - build_target = - let - env_host = builtins.getEnv "NIXOS_TARGET_HOST"; - in - if env_host != "" then - env_host - else - builtins.replaceStrings [ "\n" ] [ "" ] (lib.toLower (builtins.readFile /proc/sys/kernel/hostname)); - - host_modules = { - grimmauld-nixos = [ ./specific/grimm-nixos-laptop/configuration.nix ]; - grimm-nixos-ssd = [ ./specific/grimm-nixos-ssd/configuration.nix ]; - - grimmauld-nixos-server = [ - ./specific/grimmauld-nixos-server/configuration.nix - ./modules - ]; - }; - - nixpkgs_patches = [ - #{ - # # xonsh update - # url = "https://patch-diff.githubusercontent.com/raw/NixOS/nixpkgs/pull/305316.patch"; - # hash = "sha256-W3jh6qRA/7V1fImLm3vRmaT6h6gL5rlNBUuIidZHaZc="; - #} - ]; - -in -# enable ccache for lix if ccache is enabled -# enable_lix_ccache = true; -{ - imports = [ - "${nivSources.agenix}/modules/age.nix" - "${nivSources.nixos-mailserver}/default.nix" - "${nivSources.nixos-matrix-modules}/module.nix" - - (builtins.getFlake (asGithubRef nivSources.aagl-gtk-on-nix)).nixosModules.default - - # fixme: ideally we'd not rely on the flake syntax to load the module - (builtins.getFlake (asGithubRef nivSources.chaotic)).nixosModules.default - # (builtins.getFlake (asGithubRef nivSources.nixos-matrix-modules)).nixosModules.default - # (builtins.getFlake "git+${nivSources.nixos-mailserver.repo}").nixosModules.default - ] ++ lib.optionals (builtins.hasAttr build_target host_modules) host_modules.${build_target}; - - system.nixos = { - distroId = "lixos"; - distroName = "LixOS"; - }; - - environment.sessionVariables = - let - inherit (config.system.nixos) distroName version codeName; - in - { - distro = "${distroName} ${version} (${codeName}) ${system}"; - }; - - documentation.doc.enable = false; - - # nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir 
]; - # programs.ccache.enable = true; - - environment.systemPackages = - let - inherit (lib) - getExe - attrNames - optionalString - elem - concatLines - ; - inherit (pkgs) writeShellScriptBin nix-output-monitor; - in - [ - (writeShellScriptBin "nixos-build-all" ( - concatLines ( - map ( - n: - "NIXOS_TARGET_HOST=${n} nixos-rebuild build --show-trace --upgrade" - + optionalString (elem nix-output-monitor config.environment.systemPackages) " |& ${getExe nix-output-monitor}" - ) (attrNames host_modules) - ) - )) - ]; - - nixpkgs = - let - src = nivSources.nixpkgs; - unpatched = import src { inherit config system; }; - inherit (unpatched) applyPatches fetchpatch; - - config = { - allowUnfree = true; - permittedInsecurePackages = [ - "olm-3.2.16" - "jitsi-meet-1.0.8043" - ]; - }; - in - { - hostPlatform = system; - pkgs = - if (nixpkgs_patches != [ ]) then - (import (applyPatches { - name = "nixpkgs-patched"; - inherit src; - patches = map fetchpatch nixpkgs_patches; - }) { inherit config; }) - else - unpatched; - - overlays = [ - # (import "${nivSources.lix-module}/overlay.nix" { lix = nivSources.lix-pkg; }) - (final: prev: { agenix = final.callPackage "${nivSources.agenix}/pkgs/agenix.nix" { }; }) - ]; - }; - - _module.args = { - system = "x86_64-linux"; - inputs = nivSources; - }; - - nix.package = pkgs.lix; - - nix.settings.extra-substituters = [ - # "https://cache.lix.systems" - "https://nyx.chaotic.cx/" - "https://ezkea.cachix.org" - ]; - - nix.settings.trusted-public-keys = [ - # "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=" - "nyx.chaotic.cx-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8=" - "chaotic-nyx.cachix.org-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8=" - "ezkea.cachix.org-1:ioBmUbJTZIKsHmWWXPe1FSFbeVe+afhfgqgTSNd34eI=" - ]; -} diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..a2138d2 --- /dev/null +++ b/flake.lock 
@@ -0,0 +1,345 @@ +{ + "nodes": { + "aagl-gtk-on-nix": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1728524457, + "narHash": "sha256-R+GJ3H1PvRUHLm45muY1KEezhfgIl8l7HJ36DySZMu0=", + "owner": "ezKEa", + "repo": "aagl-gtk-on-nix", + "rev": "5611dd61df02e0bc5d62bb3f5388821d8854faff", + "type": "github" + }, + "original": { + "owner": "ezKEa", + "repo": "aagl-gtk-on-nix", + "type": "github" + } + }, + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": [ + "nixpkgs" + ], + "systems": "systems" + }, + "locked": { + "lastModified": 1723293904, + "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", + "owner": "ryantm", + "repo": "agenix", + "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "blobs": { + "flake": false, + "locked": { + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" + } + }, + "chaotic": { + "inputs": { + "flake-schemas": "flake-schemas", + "home-manager": "home-manager_2", + "jovian": "jovian", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729599319, + "narHash": "sha256-e/4JPcIRte5zkwqmGFrFo3763e0iHURX6N0apz4jbI0=", + "owner": "chaotic-cx", + "repo": "nyx", + "rev": "1b86b304c8eb1437d9337a760e7f930826fc4d6d", + "type": "github" + }, + "original": { + "owner": "chaotic-cx", + "ref": "nyxpkgs-unstable", + "repo": "nyx", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": 
"sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-schemas": { + "locked": { + "lastModified": 1721999734, + "narHash": "sha256-G5CxYeJVm4lcEtaO87LKzOsVnWeTcHGKbKxNamNWgOw=", + "rev": "0a5c42297d870156d9c57d8f99e476b738dcd982", + "revCount": 75, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/flake-schemas/0.1.5/0190ef2f-61e0-794b-ba14-e82f225e55e6/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/DeterminateSystems/flake-schemas/%3D0.1.5.tar.gz" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { + "inputs": { + "nixpkgs": [ + 
"chaotic", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729414726, + "narHash": "sha256-Dtmm1OU8Ymiy9hVWn/a2B8DhRYo9Eoyx9veERdOBR4o=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "fe56302339bb28e3471632379d733547caec8103", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "jovian": { + "inputs": { + "nix-github-actions": "nix-github-actions", + "nixpkgs": [ + "chaotic", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729177642, + "narHash": "sha256-DdKal+ZhB9QD/tnEwFg4cZ4j4YnrkvSljBxnyG+3eE0=", + "owner": "Jovian-Experiments", + "repo": "Jovian-NixOS", + "rev": "bb69165ff372ddbd3228a03513922acd783040e8", + "type": "github" + }, + "original": { + "owner": "Jovian-Experiments", + "repo": "Jovian-NixOS", + "type": "github" + } + }, + "nix-github-actions": { + "inputs": { + "nixpkgs": [ + "chaotic", + "jovian", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1690328911, + "narHash": "sha256-fxtExYk+aGf2YbjeWQ8JY9/n9dwuEt+ma1eUFzF8Jeo=", + "owner": "zhaofengli", + "repo": "nix-github-actions", + "rev": "96df4a39c52f53cb7098b923224d8ce941b64747", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "ref": "matrix-name", + "repo": "nix-github-actions", + "type": "github" + } + }, + "nixos-mailserver": { + "inputs": { + "blobs": "blobs", + "flake-compat": "flake-compat_2", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-24_05": "nixpkgs-24_05" + }, + "locked": { + "lastModified": 1722877200, + "narHash": "sha256-qgKDNJXs+od+1UbRy62uk7dYal3h98I4WojfIqMoGcg=", + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "rev": "af7d3bf5daeba3fc28089b015c0dd43f06b176f2", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "ref": "master", + "repo": "nixos-mailserver", + "type": "gitlab" + } + }, + "nixos-matrix-modules": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1727410897, + 
"narHash": "sha256-tWsyxvf421ieWUJYgjV7m1eTdr2ZkO3vId7vmtvfFpQ=", + "owner": "dali99", + "repo": "nixos-matrix-modules", + "rev": "ff787d410cba17882cd7b6e2e22cc88d4064193c", + "type": "github" + }, + "original": { + "owner": "dali99", + "repo": "nixos-matrix-modules", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1729413321, + "narHash": "sha256-I4tuhRpZFa6Fu6dcH9Dlo5LlH17peT79vx1y1SpeKt0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "1997e4aa514312c1af7e2bda7fad1644e778ff26", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-24_05": { + "locked": { + "lastModified": 1717144377, + "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "805a384895c696f802a9bf5bf4720f37385df547", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-24.05", + "type": "indirect" + } + }, + "root": { + "inputs": { + "aagl-gtk-on-nix": "aagl-gtk-on-nix", + "agenix": "agenix", + "chaotic": "chaotic", + "nixos-mailserver": "nixos-mailserver", + "nixos-matrix-modules": "nixos-matrix-modules", + "nixpkgs": "nixpkgs" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..c278ca7 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,90 @@
+{
+ description = "grimmauld-nixos";
+
+ inputs = {
+ nixpkgs = {
+ url = "github:NixOS/nixpkgs/nixos-unstable";
+ # url = "git+file:///home/grimmauld/coding/nixpkgs";
+ };
+ chaotic = {
+ url = "github:chaotic-cx/nyx/nyxpkgs-unstable";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ agenix = {
+ url = "github:ryantm/agenix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ nixos-mailserver = {
+ url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ nixos-matrix-modules = {
+ url = "github:dali99/nixos-matrix-modules";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+# ranger_udisk_menu.url = "git+https://git.grimmauld.de/Grimmauld/ranger_udisk_menu";
+# glibc-eac.url = "github:Frogging-Family/glibc-eac";
+ aagl-gtk-on-nix = {
+ url = "github:ezKEa/aagl-gtk-on-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ };
+
+ outputs = inputs @ { self, agenix, nixpkgs, chaotic, aagl-gtk-on-nix, nixos-mailserver, nixos-matrix-modules, ... }:
+ let
+ patches = [
+ ./aa_mod.patch
+ ];
+
+ customNixosSystem = system: definitions:
+ let
+ unpatched = nixpkgs.legacyPackages.${system};
+ patched = unpatched.applyPatches {
+ name = "nixpkgs-patched";
+ src = inputs.nixpkgs;
+ patches = map (p: if (builtins.isPath p) then p else (unpatched.fetchpatch p)) patches;
+ };
+ nixosSystem = import (patched + "/nixos/lib/eval-config.nix");
+ in
+ nixosSystem ({
+ inherit system;
+ specialArgs = { inherit inputs system; };
+ } // definitions);
+ in
+ {
+ nixosConfigurations = {
+ grimmauld-nixos = customNixosSystem "x86_64-linux" {
+ modules = [
+ agenix.nixosModules.default
+ chaotic.nixosModules.default
+ aagl-gtk-on-nix.nixosModules.default
+ ./configuration.nix
+
+ ./specific/grimm-nixos-laptop/configuration.nix
+ ];
+ };
+ grimm-nixos-ssd = customNixosSystem "x86_64-linux" {
+ modules = [
+ agenix.nixosModules.default
+ chaotic.nixosModules.default
+ aagl-gtk-on-nix.nixosModules.default
+ ./configuration.nix
+
+ ./specific/grimm-nixos-ssd/configuration.nix
+ ];
+ };
+ grimmauld-nixos-server = customNixosSystem "x86_64-linux" {
+ modules = [
+ agenix.nixosModules.default
+ nixos-matrix-modules.nixosModules.default
+ nixos-mailserver.nixosModules.default
+
+ ./configuration.nix
+
+ ./specific/grimmauld-nixos-server/configuration.nix
+ ./modules
+ ];
+ };
+ };
+ };
+}
diff --git a/nix/sources.json b/nix/sources.json
deleted file mode 100644
index 998554a..0000000
--- a/nix/sources.json
+++ /dev/null
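Review bot: `patches = [ ./aa_mod.patch ];`, applied to nixpkgs through `applyPatches` in `customNixosSystem`, rewrites nixpkgs' `nixos/modules/security/apparmor.nix` for every configuration, yet nothing in flake.nix says what the patch changes or when it can be dropped; a comment above the list, e.g. `# aa_mod.patch: replaces policies.<name>.enable/enforce with a state enum and adds path; rebase when bumping nixpkgs`, tells the next person why a nixpkgs bump can fail at the patch step. Carrying a local patch to the MAC-policy module also means upstream fixes to that module only arrive when the patch is rebased, so if it was submitted upstream, linking the PR in the same comment is the cheapest way to track that. The three `nixosConfigurations` repeat the `agenix`/`chaotic`/`aagl-gtk-on-nix` modules and `./configuration.nix` by hand; a shared list (`commonModules`, a name constructed here) would keep the hosts from drifting apart.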
@@ -1,110 +0,0 @@ -{ - "aagl-gtk-on-nix": { - "branch": "main", - "description": "Run an-anime-game-launcher GTK version on Nix/NixOS!", - "homepage": null, - "owner": "ezKEa", - "repo": "aagl-gtk-on-nix", - "rev": "5611dd61df02e0bc5d62bb3f5388821d8854faff", - "sha256": "1v9jk4j0zylx3ixwk5q8z22v6ir86pk9lfbf5q3ibgaggpf8kqa7", - "type": "tarball", - "url": "https://github.com/ezKEa/aagl-gtk-on-nix/archive/5611dd61df02e0bc5d62bb3f5388821d8854faff.tar.gz", - "url_template": "https://github.com///archive/.tar.gz" - }, - "agenix": { - "branch": "main", - "description": "age-encrypted secrets for NixOS and Home manager", - "homepage": "https://matrix.to/#/#agenix:nixos.org", - "owner": "ryantm", - "repo": "agenix", - "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", - "sha256": "1x8nd8hvsq6mvzig122vprwigsr3z2skanig65haqswn7z7amsvg", - "type": "tarball", - "url": "https://github.com/ryantm/agenix/archive/f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41.tar.gz", - "url_template": "https://github.com///archive/.tar.gz" - }, - "authentik-nix": { - "branch": "main", - "description": "Nix flake with package, NixOS module and basic VM test for authentik. Trying to provide an alternative deployment mode to the officially supported docker-compose approach. Not affiliated with or officially supported by the authentik project [maintainer=@willibutz]", - "homepage": "", - "owner": "nix-community", - "repo": "authentik-nix", - "rev": "31128721a9f879777870adb88ebc6166112ff172", - "sha256": "19ba00nl39lmdi58y70l9l0llviqjsv1ligh2ihzsrzb795z0dw7", - "type": "tarball", - "url": "https://github.com/nix-community/authentik-nix/archive/31128721a9f879777870adb88ebc6166112ff172.tar.gz", - "url_template": "https://github.com///archive/.tar.gz" - }, - "chaotic": { - "branch": "main", - "description": "Nix flake for \"too much bleeding-edge\" and unreleased packages (e.g., mesa_git, linux_cachyos, firefox_nightly, sway_git, gamescope_git). 
And experimental modules (e.g., HDR, duckdns).", - "homepage": "https://nyx.chaotic.cx", - "owner": "chaotic-cx", - "repo": "nyx", - "rev": "0fff4bd8bce411eddb86756a66e89cecda16e0a4", - "sha256": "1iynss5f8dcrhxgy334df70pvaj7a0661whiwajy0s2lfgpw0kjs", - "type": "tarball", - "url": "https://github.com/chaotic-cx/nyx/archive/0fff4bd8bce411eddb86756a66e89cecda16e0a4.tar.gz", - "url_template": "https://github.com///archive/.tar.gz" - }, - "glibc-eac": { - "branch": "main", - "description": "Arch glibc with the commit breaking eos-eac reverted - https://github.com/archlinux/svntogit-packages/tree/4da6c3e804e21c39908aa8a3cb597f19e6d764ef/trunk", - "homepage": "", - "owner": "Frogging-Family", - "repo": "glibc-eac", - "rev": "de5df722493768cb02e23ce0703429636458befb", - "sha256": "1yx3hal1kwj28ij688inaww169rj74iv3l3bwa74r3y4msdfnl80", - "type": "tarball", - "url": "https://github.com/Frogging-Family/glibc-eac/archive/de5df722493768cb02e23ce0703429636458befb.tar.gz", - "url_template": "https://github.com///archive/.tar.gz" - }, - "lix-module": { - "branch": "main", - "repo": "https://git.lix.systems/lix-project/nixos-module.git", - "rev": "fd186f535a4ac7ae35d98c1dd5d79f0a81b7976d", - "type": "git" - }, - "lix-pkg": { - "branch": "main", - "repo": "https://git.lix.systems/lix-project/lix.git", - "rev": "f6077314fa6aff862758095bb55fe844e9162a1d", - "type": "git" - }, - "nixos-mailserver": { - "branch": "master", - "repo": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git", - "rev": "af7d3bf5daeba3fc28089b015c0dd43f06b176f2", - "type": "git" - }, - "nixos-matrix-modules": { - "branch": "master", - "description": "NixOS modules for matrix related services", - "homepage": null, - "owner": "dali99", - "repo": "nixos-matrix-modules", - "rev": "ff787d410cba17882cd7b6e2e22cc88d4064193c", - "sha256": "150nvzdrmvyy47pyv44rpmv96mwvgcsq4n22b6g5inzqyz334sxm", - "type": "tarball", - "url": 
"https://github.com/dali99/nixos-matrix-modules/archive/ff787d410cba17882cd7b6e2e22cc88d4064193c.tar.gz", - "url_template": "https://github.com///archive/.tar.gz" - }, - "nixpkgs": { - "branch": "nixos-unstable", - "description": "Nix Packages collection", - "homepage": null, - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "a3c0b3b21515f74fd2665903d4ce6bc4dc81c77c", - "sha256": "1wn29537l343lb0id0byk0699fj0k07m1n2d7jx2n0ssax55vhwy", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/a3c0b3b21515f74fd2665903d4ce6bc4dc81c77c.tar.gz", - "url_template": "https://github.com///archive/.tar.gz" - }, - "ranger_udisk_menu": { - "branch": "master", - "repo": "https://git.grimmauld.de/Grimmauld/ranger_udisk_menu.git", - "rev": "981756147834bb485ebcfa0e41ad60d05ccc4351", - "type": "git" - } -} diff --git a/nix/sources.nix b/nix/sources.nix deleted file mode 100644 index f7930e5..0000000 --- a/nix/sources.nix +++ /dev/null 
@@ -1,249 +0,0 @@ -# This file has been generated by Niv. - -let - - # - # The fetchers. fetch_ fetches specs of type . - # - - fetch_file = - pkgs: name: spec: - let - name' = sanitizeName name + "-src"; - in - if spec.builtin or true then - builtins_fetchurl { - inherit (spec) url sha256; - name = name'; - } - else - pkgs.fetchurl { - inherit (spec) url sha256; - name = name'; - }; - - fetch_tarball = - pkgs: name: spec: - let - name' = sanitizeName name + "-src"; - in - if spec.builtin or true then - builtins_fetchTarball { - name = name'; - inherit (spec) url sha256; - } - else - pkgs.fetchzip { - name = name'; - inherit (spec) url sha256; - }; - - fetch_git = - name: spec: - let - ref = - spec.ref or ( - if spec ? branch then - "refs/heads/${spec.branch}" - else if spec ? tag then - "refs/tags/${spec.tag}" - else - abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!" - ); - submodules = spec.submodules or false; - submoduleArg = - let - nixSupportsSubmodules = builtins.compareVersions builtins.nixVersion "2.4" >= 0; - emptyArgWithWarning = - if submodules then - builtins.trace ( - "The niv input \"${name}\" uses submodules " - + "but your nix's (${builtins.nixVersion}) builtins.fetchGit " - + "does not support them" - ) { } - else - { }; - in - if nixSupportsSubmodules then { inherit submodules; } else emptyArgWithWarning; - in - builtins.fetchGit ( - { - url = spec.repo; - inherit (spec) rev; - inherit ref; - } - // submoduleArg - ); - - fetch_local = spec: spec.path; - - fetch_builtin-tarball = - name: - throw '' - [${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`. - $ niv modify ${name} -a type=tarball -a builtin=true''; - - fetch_builtin-url = - name: - throw '' - [${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`. 
- $ niv modify ${name} -a type=file -a builtin=true''; - - # - # Various helpers - # - - # https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695 - sanitizeName = - name: - (concatMapStrings (s: if builtins.isList s then "-" else s) ( - builtins.split "[^[:alnum:]+._?=-]+" ((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name) - )); - - # The set of packages used when specs are fetched using non-builtins. - mkPkgs = - sources: system: - let - sourcesNixpkgs = import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) { - inherit system; - }; - hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath; - hasThisAsNixpkgsPath = == ./.; - in - if builtins.hasAttr "nixpkgs" sources then - sourcesNixpkgs - else if hasNixpkgsPath && !hasThisAsNixpkgsPath then - import { } - else - abort '' - Please specify either (through -I or NIX_PATH=nixpkgs=...) or - add a package called "nixpkgs" to your sources.json. - ''; - - # The actual fetching function. - fetch = - pkgs: name: spec: - - if !builtins.hasAttr "type" spec then - abort "ERROR: niv spec ${name} does not have a 'type' attribute" - else if spec.type == "file" then - fetch_file pkgs name spec - else if spec.type == "tarball" then - fetch_tarball pkgs name spec - else if spec.type == "git" then - fetch_git name spec - else if spec.type == "local" then - fetch_local spec - else if spec.type == "builtin-tarball" then - fetch_builtin-tarball name - else if spec.type == "builtin-url" then - fetch_builtin-url name - else - abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}"; - - # If the environment variable NIV_OVERRIDE_${name} is set, then use - # the path directly as opposed to the fetched source. 
- replace = - name: drv: - let - saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name; - ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}"; - in - if ersatz == "" then - drv - else - # this turns the string into an actual Nix path (for both absolute and - # relative paths) - if builtins.substring 0 1 ersatz == "/" then - /. + ersatz - else - /. + builtins.getEnv "PWD" + "/${ersatz}"; - - # Ports of functions for older nix versions - - # a Nix version of mapAttrs if the built-in doesn't exist - mapAttrs = - builtins.mapAttrs or ( - f: set: - with builtins; - listToAttrs ( - map (attr: { - name = attr; - value = f attr set.${attr}; - }) (attrNames set) - ) - ); - - # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295 - range = - first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1); - - # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257 - stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1)); - - # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269 - stringAsChars = f: s: concatStrings (map f (stringToCharacters s)); - concatMapStrings = f: list: concatStrings (map f list); - concatStrings = builtins.concatStringsSep ""; - - # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331 - optionalAttrs = cond: as: if cond then as else { }; - - # fetchTarball version that is compatible between all the versions of Nix - builtins_fetchTarball = - { - url, - name ? 
null, - sha256, - }@attrs: - let - inherit (builtins) lessThan nixVersion fetchTarball; - in - if lessThan nixVersion "1.12" then - fetchTarball ({ inherit url; } // (optionalAttrs (name != null) { inherit name; })) - else - fetchTarball attrs; - - # fetchurl version that is compatible between all the versions of Nix - builtins_fetchurl = - { - url, - name ? null, - sha256, - }@attrs: - let - inherit (builtins) lessThan nixVersion fetchurl; - in - if lessThan nixVersion "1.12" then - fetchurl ({ inherit url; } // (optionalAttrs (name != null) { inherit name; })) - else - fetchurl attrs; - - # Create the final "sources" from the config - mkSources = - config: - mapAttrs ( - name: spec: - if builtins.hasAttr "outPath" spec then - abort "The values in sources.json should not have an 'outPath' attribute" - else - spec // { outPath = replace name (fetch config.pkgs name spec); } - ) config.sources; - - # The "config" used by the fetchers - mkConfig = - { - sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null, - sources ? if sourcesFile == null then { } else builtins.fromJSON (builtins.readFile sourcesFile), - system ? builtins.currentSystem, - pkgs ? mkPkgs sources system, - }: - rec { - # The sources, i.e. the attribute set of spec name to spec - inherit sources; - - # The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers - inherit pkgs; - }; -in -mkSources (mkConfig { }) // { __functor = _: settings: mkSources (mkConfig settings); } diff --git a/overlays/default.nix b/overlays/default.nix index 4909c9d..78e2a3e 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -35,7 +35,6 @@ ./searchclip.nix ./confwhich.nix ./rfindup.nix - ./glibc-eac.nix ./factorio.nix ./ranger.nix ./ncspot.nix diff --git a/overlays/glibc-eac.nix b/overlays/glibc-eac.nix deleted file mode 100644 index e897ee7..0000000 --- a/overlays/glibc-eac.nix +++ /dev/null 
@@ -1,17 +0,0 @@
-{ prev, inputs, ... }:
-let
- glibc_patches = [ "rogue_company_reverts.patch" ];
-in
-{
- glibc-eac = prev.glibc.overrideAttrs (old: {
- patches =
- (
- let
- oldPatches = old.patches or [ ];
- in
- if oldPatches == null then [ ] else oldPatches
- )
- ++ (map (p: "${inputs.glibc-eac}/${p}") glibc_patches);
- doCheck = false;
- });
-}
diff --git a/users.nix b/users.nix
index 073bdf1..df44380 100644
--- a/users.nix
+++ b/users.nix
@@ -40,8 +40,8 @@
 [
 vesktop
 obs-studio
- element-desktop
- ghidra
+# element-desktop
+# ghidra
 rmview
 ]
 );