From 31e1aba73f80652be18eacb48a9308dfdf80c9c9 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Wed, 19 Feb 2025 23:30:28 +0100 Subject: [PATCH] update --- common/printing.nix | 4 +- common/tooling/default.nix | 7 ++++ common/tooling/rust.nix | 3 +- custom/deskwhich/package.nix | 3 +- flake.lock | 48 +++++++++++------------ hardening/apparmor/apparmor-d-package.nix | 7 ++-- hardening/default.nix | 1 + hardening/systemd/default.nix | 2 +- hm/common/default.nix | 4 +- overlays/default.nix | 8 +++- overlays/global/overlays.nix | 3 ++ specific/grimm-nixos-ssd/filesystems.nix | 12 +++++- users.nix | 1 + 13 files changed, 67 insertions(+), 36 deletions(-) create mode 100644 overlays/global/overlays.nix diff --git a/common/printing.nix b/common/printing.nix index 1e804ec..bb076f7 100644 --- a/common/printing.nix +++ b/common/printing.nix @@ -10,8 +10,8 @@ in { config = lib.mkIf (enable && config.services.printing.enable) { services.printing.drivers = with pkgs; [ - brgenml1lpr - brgenml1cupswrapper +# brgenml1lpr +# brgenml1cupswrapper ]; services.avahi = { # enable = true; diff --git a/common/tooling/default.nix b/common/tooling/default.nix index d7e6900..88ce154 100644 --- a/common/tooling/default.nix +++ b/common/tooling/default.nix @@ -63,6 +63,7 @@ in undollar openssl + android-tools ] ++ optionals graphical [ wev @@ -90,6 +91,12 @@ in boot.tmp.cleanOnBoot = true; # zramSwap.enable = false; + + services.udev.packages = [ + pkgs.android-udev-rules + ]; + programs.adb.enable = true; + }; options.grimmShared.tooling = { diff --git a/common/tooling/rust.nix b/common/tooling/rust.nix index 3e0c601..56ecbad 100644 --- a/common/tooling/rust.nix +++ b/common/tooling/rust.nix @@ -22,8 +22,9 @@ in [ pkg-config cargo + rustup ] - ++ optionals graphical [ jetbrains.clion ]; + ++ optionals graphical [ jetbrains.clion jetbrains.rust-rover ]; grimmShared.tooling.lang_servers = [ { diff --git a/custom/deskwhich/package.nix b/custom/deskwhich/package.nix index a11e683..7223f30 100644 
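Review bot: The two Brother driver entries in `services.printing.drivers` are commented out with no reason given, which leaves an empty driver list that a later reader cannot tell whether to restore or delete. Either drop the lines outright or record the trigger beside them, e.g. `# brgenml1lpr / brgenml1cupswrapper disabled: <build failure / no longer needed> — revisit`. The `config = lib.mkIf (...)` block these lines sit in begins before the hunk.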
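Review bot: `programs.adb.enable = true;` is placed in the shared tooling module, so every host importing it now ships adb plus the android udev rules, which grant members of `adbusers` raw USB access to every device ID in `android-udev-rules` — a permanent attack-surface increase on machines that never see a phone. If I recall correctly the NixOS adb module already adds `android-tools` to `environment.systemPackages` and `android-udev-rules` to `services.udev.packages` itself, so the explicit `services.udev.packages` line here and the `android-tools` entry in the earlier hunk of this file are probably redundant; worth checking and dropping one. Consider gating it the way the graphical extras already are, e.g. `programs.adb.enable = android;` behind a new `grimmShared.tooling` flag, and add a comment naming the host that needs it. The enclosing `config` attribute set starts before this hunk and the `options.grimmShared.tooling` block continues after it.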
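Review bot: Adding `rustup` next to the nixpkgs `cargo` in the same package list puts two different `cargo` binaries on PATH, so which one a shell gets depends on profile ordering, and rustup then fetches toolchains at runtime into `~/.rustup` outside the Nix store — unpinned and unhashed — which sidesteps the flake lock this commit otherwise maintains (the `fenix` input already in flake.lock suggests a nix-native route for pinned toolchains exists). If rustup is really needed for projects with a `rust-toolchain.toml`, say so in a comment and either drop `cargo` from this list to avoid the shadowing or note that rustup is the intended frontend, e.g. `# rustup: for rust-toolchain.toml projects only; toolchains live in ~/.rustup, not the store`. The `grimmShared.tooling` definition this list belongs to begins before the hunk.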
--- a/custom/deskwhich/package.nix +++ b/custom/deskwhich/package.nix @@ -15,7 +15,8 @@ rustPlatform.buildRustPackage { hash = "sha256-uSXxUehZY1Sp08X3khSQtQc8AT00jJTAsQ+OfTTTkss="; }; - cargoHash = "sha256-x0ARqeMdmnjMF0o2oZlxHnUUj9hEdqg4a+Z/WYax2Co="; + useFetchCargoVendor = true; + cargoHash = "sha256-e4wWQ0QOl0vDRbOFs7eN49sQJXBiJGsHiDLE68NiK8Y="; meta = { description = "tool to find the path of desktop entries"; diff --git a/flake.lock b/flake.lock index 195ad1c..6ec4209 100644 --- a/flake.lock +++ b/flake.lock @@ -10,11 +10,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1737538029, - "narHash": "sha256-I4mWZEWV1c+sPb5f8liQxYdEjRxMR0UzY6dgP5zj2Kc=", + "lastModified": 1739727446, + "narHash": "sha256-t+KH1NoR/HauQlYgKaNKkxCoSQ4PwPdp5r6nGc3K/tE=", "owner": "LordGrimmauld", "repo": "aa-alias-manager", - "rev": "14b4d3f64c06f6c4457a1d117bb201410422009d", + "rev": "cf56427c87bf93537f0c4f9896beef2da146860b", "type": "github" }, "original": { @@ -141,11 +141,11 @@ ] }, "locked": { - "lastModified": 1737973837, - "narHash": "sha256-LrM+QVWUZhPKbjm2I5EkypupivGHjr/AM4rCaNbCFfE=", + "lastModified": 1739809963, + "narHash": "sha256-h591Geqwg7uum8gj06OUZqbu9PGwUixDqgTRTcAkPxc=", "owner": "chaotic-cx", "repo": "nyx", - "rev": "f19af140dacd0e211a25cf907be46356347e190f", + "rev": "fed54798c45c0729877c5e5b9091da83ab509fa7", "type": "github" }, "original": { @@ -202,11 +202,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1737268357, - "narHash": "sha256-J3At8JDKpQGDeDUcz1eh0h5yFwNH7fPfm+N95TxiOq4=", + "lastModified": 1739687593, + "narHash": "sha256-K7+n5+W2OrqEjeVb4422YxwNw1m4lCfnd+QWCnm+Dgs=", "owner": "nix-community", "repo": "fenix", - "rev": "f9662e6ea6020671e1e17102bd20d6692bb38aba", + "rev": "a712b739a49e10fe73de366a42a43b2714e41bfc", "type": "github" }, "original": { 
@@ -365,11 +365,11 @@ ] }, "locked": { - "lastModified": 1737221749, - "narHash": "sha256-igllW0yG+UbetvhT11jnt9RppSHXYgMykYhZJeqfHs0=", + "lastModified": 1739802995, + "narHash": "sha256-kZv0upOigS/4sUEgZuZd6/uO6s8X8oYOLk9/sGMsl+c=", "owner": "nix-community", "repo": "home-manager", - "rev": "97d7946b5e107dd03cc82f21165251d4e0159655", + "rev": "9d0d48f4c3d2fb1a8c8607da143bb567a741d914", "type": "github" }, "original": { @@ -407,11 +407,11 @@ ] }, "locked": { - "lastModified": 1737126697, - "narHash": "sha256-k1YhjONkiKBHzbjNy4ZsjysBac5UJSolCVq9cTKLeKM=", + "lastModified": 1739640234, + "narHash": "sha256-+o3AWAC0GICcvdn+vXGmQ5hXJSALdD3rgnt+SZLRQKU=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "27a0ddac1a14e10ba98530f59db728951495f2ce", + "rev": "dc10b4ba56665c66562a5e993c9734fe89c29c65", "type": "github" }, "original": { @@ -495,11 +495,11 @@ "nixpkgs-24_11": "nixpkgs-24_11" }, "locked": { - "lastModified": 1737736848, - "narHash": "sha256-VrUfCXBXYV+YmQ2OvVTeML9EnmaPRtH+POrNIcJp6yo=", + "lastModified": 1739121270, + "narHash": "sha256-EmJhpy9U8sVlepl2QPjG019VfG67HcucsQNItTqW6cA=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "6b425d13f5a9d73cb63973d3609acacef4d1e261", + "rev": "8c1c4640b878c692dd3d8055e8cdea0a2bbd8cf3", "type": "gitlab" }, "original": { @@ -531,11 +531,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1738142207, - "narHash": "sha256-NGqpVVxNAHwIicXpgaVqJEJWeyqzoQJ9oc8lnK9+WC4=", + "lastModified": 1739736696, + "narHash": "sha256-zON2GNBkzsIyALlOCFiEBcIjI4w38GYOb+P+R4S8Jsw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9d3ae807ebd2981d593cddd0080856873139aa40", + "rev": "d74a2335ac9c133d6bbec9fc98d91a77f1604c1f", "type": "github" }, "original": { 
@@ -599,11 +599,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1737215993, - "narHash": "sha256-W8xioeq+h9dzGvtXPlQAn2nXtgNDN6C8uA1/9F2JP5I=", + "lastModified": 1739512757, + "narHash": "sha256-QfmtsyySvQSEKLuB850AmyqpNQRP+T57vuZnGIpmGD4=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "248bd511aee2c1c1cb2d5314649521d6d93b854a", + "rev": "40e4f9130f4e44f20961a7cf4ade46325126698b", "type": "github" }, "original": { diff --git a/hardening/apparmor/apparmor-d-package.nix b/hardening/apparmor/apparmor-d-package.nix index cbbed8d..cc17701 100644 --- a/hardening/apparmor/apparmor-d-package.nix +++ b/hardening/apparmor/apparmor-d-package.nix @@ -6,18 +6,19 @@ }: buildGoModule { pname = "apparmor-d"; - version = "unstable-2025-01-19"; + version = "unstable-2025-02-18"; src = fetchFromGitHub { - rev = "e41c5f6055197b3ad0985f5af735b7d272148360"; + rev = "af85db9148b17bb37b4d73454e78d4efec4c2db9"; owner = "roddhjav"; repo = "apparmor.d"; - hash = "sha256-Dyn8aMh63VIBb7mhyP/bEp3NhmIlDZs1WHse8jgi5o4="; + hash = "sha256-mCc1DQXQvzeeA+sq67zK5o18tKByaB5dITmC77j9uEM="; }; vendorHash = null; doCheck = false; + dontCheckForBrokenSymlinks = true; patches = [ ./apparmor-d-prebuild.patch diff --git a/hardening/default.nix b/hardening/default.nix index 09f54a8..d88c28e 100644 --- a/hardening/default.nix +++ b/hardening/default.nix @@ -72,6 +72,7 @@ security.unprivilegedUsernsClone = true; security.apparmor.enable = true; security.allowSimultaneousMultithreading = true; + security.pam.services.systemd-run0 = {}; environment.defaultPackages = lib.mkForce [ ]; environment.systemPackages = with pkgs; [ nano clamav linux-bench ]; } diff --git a/hardening/systemd/default.nix b/hardening/systemd/default.nix index a8dd538..407e75a 100644 --- a/hardening/systemd/default.nix +++ b/hardening/systemd/default.nix @@ -13,7 +13,7 @@ let in { imports = [ - ./NetworkManager.nix + # ./NetworkManager.nix ./wpa_supplicant.nix ./auditd.nix ./acpid.nix 
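Review bot: `dontCheckForBrokenSymlinks = true;` switches off nixpkgs' dangling-symlink check for the whole output without saying which link trips it, and for a package whose output is AppArmor profiles a dangling symlink is most likely a profile or abstraction that will silently fail to load — something you want to hit at build time rather than at `apparmor_parser` time. Prefer fixing or removing the specific link in `postInstall` and keeping the check on; if it must stay off, leave a comment beside it, e.g. `# upstream ships <path> as a symlink into a directory we do not install; harmless, see <issue>`. With `doCheck = false` and `vendorHash = null` already set this is the third build-time guard relaxed in this derivation, which deserves a sentence of justification. The rest of the derivation (patches, install phases) follows after the hunk.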
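Review bot: `security.pam.services.systemd-run0 = {};` registers a PAM stack for run0 with whatever the NixOS defaults are, in a module whose surrounding lines tighten things, and there is no comment saying why it is needed or what it is expected to authorize. run0 delegates the actual "may this user escalate" decision to polkit rather than PAM, so the empty set here is not the gate — the polkit rules are; confirm a rule limits run0 to the intended group (e.g. wheel) before relying on it as a sudo replacement. A one-liner keeps the intent visible: `# run0 needs a PAM service to start sessions; authorization is decided by polkit, restrict it there`. The attribute set this line belongs to starts before the hunk.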
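Review bot: Commenting out `./NetworkManager.nix` removes the entire systemd sandbox for NetworkManager with no reason recorded, and the likely trigger — given the new `/etc/NetworkManager/vpn-certs` bind mount elsewhere in this patch — is that the hardened unit could not reach that path, which is better fixed by whitelisting the one directory in the unit's hardening (`BindReadOnlyPaths` or `ReadWritePaths`, whichever NM actually needs) than by dropping every restriction. If it has to stay disabled for now, write that down so it does not become permanent, e.g. `# ./NetworkManager.nix disabled: blocks vpn-certs access (see specific/.../filesystems.nix); re-enable once the path is whitelisted`. The imports list continues past the hunk.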
diff --git a/hm/common/default.nix b/hm/common/default.nix index ab18b24..9ad943e 100644 --- a/hm/common/default.nix +++ b/hm/common/default.nix @@ -41,10 +41,12 @@ in # kicad prusa-slicer - # freecad + freecad openscad iamb confy + authenticator + signal-desktop vlc # blender diff --git a/overlays/default.nix b/overlays/default.nix index ed64e7e..14423bb 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -2,6 +2,7 @@ config, lib, inputs, + options, ... }: { @@ -11,7 +12,7 @@ #]; nixpkgs.overlays = - map + (map ( f: ( @@ -35,5 +36,8 @@ ./ranger.nix ./vesktop.nix # ./grpcio-tools.nix - ]; + ] + ) + ++ [ (import ./global/overlays.nix) ]; + nix.nixPath = options.nix.nixPath.default ++ [ "nixpkgs-overlays=${./global}" ]; } diff --git a/overlays/global/overlays.nix b/overlays/global/overlays.nix new file mode 100644 index 0000000..f7d6170 --- /dev/null +++ b/overlays/global/overlays.nix @@ -0,0 +1,3 @@ +final: prev: { + devenv = builtins.throw "no devenv for you!"; +} diff --git a/specific/grimm-nixos-ssd/filesystems.nix b/specific/grimm-nixos-ssd/filesystems.nix index 986a3bd..49f6fe7 100644 --- a/specific/grimm-nixos-ssd/filesystems.nix +++ b/specific/grimm-nixos-ssd/filesystems.nix @@ -48,7 +48,7 @@ in "rw" "relatime" "mode=1777" - "noexec" + # "noexec" "nosuid" "nodev" ]; @@ -97,6 +97,16 @@ in ]; }; + fileSystems."/etc/NetworkManager/vpn-certs" = { + device = "${persist}/etc/NetworkManager/vpn-certs"; + options = [ + "bind" + "noexec" + "nosuid" + "nodev" + ]; + }; + fileSystems."/nix" = { device = "zpool/nix"; fsType = "zfs"; diff --git a/users.nix b/users.nix index 4a0adca..234bd99 100644 --- a/users.nix +++ b/users.nix @@ -29,6 +29,7 @@ "gamemode" "systemd-journal" "i2c" + "adbusers" ]; # only add to groups that actually exist on this system # syncPaths = [
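Review bot: `nix.nixPath = options.nix.nixPath.default ++ [ ... ]` is presumably there because defining `nix.nixPath` at all replaces the option's default entries, but nothing says so, and if any other module also defines `nix.nixPath` the default entries are concatenated twice. Add a comment stating the intent, e.g. `# defining nixPath drops the defaults, so re-add them, then expose ./global as nixpkgs-overlays for impure <nixpkgs> users (nix-shell, nix repl)`. Note that the `nixpkgs-overlays` entry only affects impure `<nixpkgs>` evaluation; the flake build only sees `./global/overlays.nix` because it is also appended to `nixpkgs.overlays` in the same hunk — worth a sentence so nobody removes one half later. The enclosing attribute set starts before the hunk.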
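Review bot: The new global overlay blocks `devenv` with `builtins.throw` but gives no reason, and the error message is the only documentation anyone will get, including when something merely evaluates the attribute (e.g. a `nix search`/`nix repl` listing can touch it). Add a header comment stating the policy and why, e.g. `# Global overlay (also exported via nixpkgs-overlays in NIX_PATH): devenv is deliberately unavailable because <reason>`, and make the message actionable, e.g. `devenv = builtins.throw "devenv is disabled in this config: <reason>";`.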
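Review bot: Removing `noexec` from a `mode=1777` filesystem — world-writable with the sticky bit, presumably a tmp mount — is a hardening regression with no reason recorded: any local user or compromised service can now stage and execute a binary there, which is precisely the case `noexec` on tmp exists to stop, and the remaining `nosuid`/`nodev` do not cover plain executables. If one tool needs an executable scratch directory, point it elsewhere (`TMPDIR`, or a dedicated directory with exec) rather than loosening the shared mount; if the change must stay, record the trigger, e.g. `# noexec dropped: <tool> runs helpers from tmp — revisit`. The `fileSystems` entry this option list belongs to starts before the hunk.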
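Review bot: The new `/etc/NetworkManager/vpn-certs` bind mount is read-write and says nothing about who owns or may read the persisted directory, yet for a path that presumably holds VPN private keys that is the control that matters — `noexec`/`nosuid`/`nodev` do not protect key material from being read. Give `${persist}/etc/NetworkManager/vpn-certs` a tight owner and mode (root- or NetworkManager-owned, `0700`/`0750`, e.g. via `systemd.tmpfiles.rules`), and if NetworkManager only reads from it add `"ro"` to the options (bearing in mind that a read-only bind may need the remount step depending on how the mount helper handles it). A comment naming what lives there and who writes it, e.g. `# persisted NM VPN certs/keys; written by <who>, read by NetworkManager`, would also explain why the systemd hardening import for NetworkManager was touched in this same patch.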
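Review bot: `"adbusers"` only exists when `programs.adb.enable` is set, which this patch does in the shared tooling module — the comment right under the hunk, `only add to groups that actually exist on this system`, is the warning that applies here, so the dependency should be made explicit, e.g. `"adbusers" # created by programs.adb.enable in common/tooling`. Membership grants raw USB access to every device matching the android udev rules, not just adb, so it is a small but standing privilege for a device class most hosts never see; if the user list is shared across hosts consider adding the group only where adb is enabled.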