tooling fixes

This commit is contained in:
Grimmauld 2024-11-23 17:06:12 +01:00
parent c18468c958
commit 573b43b8e2
Signed by: Grimmauld
GPG key ID: C2946668769F91FB
16 changed files with 193 additions and 123 deletions


@ -39,7 +39,7 @@ in
};
};
programs.honkers-railway-launcher.enable = true;
# programs.honkers-railway-launcher.enable = true;
services.udev.packages = [ pkgs.wooting-udev-rules ];


@ -23,6 +23,7 @@ let
isDerivation
concatLines
optional
singleton
mkIf
;
inherit (pkgs) writeShellScriptBin;
@ -117,12 +118,6 @@ in
}
'';
dbus-sway-environment = pkgs.writeShellScriptBin "dbus-sway-environment" ''
dbus-update-activation-environment --systemd WAYLAND_DISPLAY XDG_CURRENT_DESKTOP=sway
systemctl --user stop xdg-desktop-portal xdg-desktop-portal-wlr
systemctl --user start xdg-desktop-portal xdg-desktop-portal-wlr
'';
build_conf =
sway_conf:
let
@ -153,22 +148,21 @@ in
"output ${value.id} mode ${value.mode}"
+ (optionalString (value.pos != null) " position ${value.pos}")
) screens)
++ (singleton "include /etc/sway/config.d/*")
);
conf_path = "sway.conf";
in
mkIf (enable && sway.enable) {
environment.etc."${conf_path}".text = sway_conf;
environment.etc."sway/config".source = lib.mkForce (pkgs.writeText conf_path sway_conf);
grimmShared.sway.config.execAlways = [
dbus-sway-environment
init_screens_auto
];
environment.systemPackages =
[
waybar_full
dbus-sway-environment
init_screens_min_fps
init_screens_max_fps
init_screens_auto
@ -197,7 +191,10 @@ in
rm -rf /home/*/.cache/rmenu
'';
reloadTriggers = [ config.environment.etc."${conf_path}".source ];
reloadTriggers = [
# config.environment.etc."${conf_path}".source
config.environment.etc."sway/config".source
];
};
# programs.waybar.enable = true;
@ -221,10 +218,6 @@ in
wmenu
waybar-mpris
];
extraOptions = [
"--config"
"/etc/${conf_path}"
];
extraSessionCommands = ''
# source /etc/profile
# test -f $HOME/.profile && source $HOME/.profile
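Review bot: The commented-out `# config.environment.etc."${conf_path}".source` entry left inside `reloadTriggers` is dead code now that the override lives at `environment.etc."sway/config"`; drop it rather than carry both forms. `lib.mkForce` on `environment.etc."sway/config".source` silently discards whatever the upstream sway module writes to that path, so a one-line comment stating why the module-generated config is replaced — and that `include /etc/sway/config.d/*` is presumably what keeps the module's config.d snippets in play — would help the next reader. Whether the `dbus-sway-environment` references in `execAlways` and `systemPackages` were removed together with the definition that disappears from the earlier hunk cannot be told from the rendered view; worth confirming nothing still names it. `build_conf` and the `mkIf` body start and end outside the visible hunks.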


@ -56,8 +56,11 @@ in
serviceConfig.Type = "oneshot";
};
systemd.enableCgroupAccounting = true;
# systemd.enableUnifiedCgroupHierarchy = false;
boot = {
kernelParams = [ "quiet" ];
kernelParams = [ "intel_iommu=on" "nohibernate" ];
loader.efi.canTouchEfiVariables = true;
initrd.availableKernelModules = [
"xhci_pci"
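Review bot: `kernelParams = [ "intel_iommu=on" "nohibernate" ];` carries no comment, and both values are deliberate choices a reader cannot infer from context; suggest `# intel_iommu=on: IOMMU for device passthrough; nohibernate: never resume from disk` adjusted to the real reason. Dropping `"quiet"` in the same line also changes what the console shows at boot, which may be intended but reads as incidental next to the other two. `intel_iommu=on` is vendor-specific (a no-op on AMD hosts), so if this module is shared between machines the parameter belongs in the per-host hardware config instead. The `boot` attrset continues outside the hunk.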


@ -16,12 +16,15 @@ in
security.auditd.enable = true;
security.apparmor.enable = true;
# security.apparmor.enableCache = true;
security.apparmor.enableCache = true;
security.apparmor.includes."tunables/alias.d/programs" = ''
# alias / -> @{nix_store}/,
alias /bin/spotify -> ${pkgs.spotify}/share/spotify/spotify,
'';
# security.apparmor.aa-alias-manager.enable = false;
security.audit.backlogLimit = 512;
security.apparmor_d = {
@ -43,7 +46,7 @@ in
pkexec = "complain";
xdg-mime = "complain";
mimetype = "complain";
sudo = "complain";
# sudo = "complain";
"unix-chkpwd.apparmor.d" = "complain";
};
};
@ -228,7 +231,7 @@ in
};
osu-lazer = {
state = "enforce";
state = "disable";
# enable = true;
# enforce = true;
profile = ''
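Review bot: Switching the `osu-lazer` profile to `state = "disable";` removes AppArmor confinement from a network-facing game binary that the opensnitch rules elsewhere in this commit still match by regex, and the hunk gives no reason; a comment such as `# disabled: profile breaks the launcher after the apparmor_d bump — re-enable once fixed` keeps it from being forgotten, and the stale `# enable = true;` / `# enforce = true;` lines can go. Commenting out `sudo = "complain";` means sudo now falls back to whatever default state the `security.apparmor_d` module applies; if that default is enforce, a misfiring sudo profile would block privilege escalation, so confirm the default before relying on it. The `security.apparmor_d` attrset begins and ends outside the visible hunks.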


@ -29,6 +29,8 @@ in
clang
clang-tools
cmake
stdman
valgrind
]
++ optionals graphical [
libva-utils


@ -23,7 +23,7 @@ in
./lsp.nix
./helix.nix
./git.nix
# ./wine.nix
./wine.nix
./c.nix
./java.nix
./opensnitch
@ -62,6 +62,7 @@ in
parted
expect
gptfdisk
qrencode
]
++ optionals graphical [
wev


@ -21,6 +21,7 @@ in
pkgs.urlencode
pkgs.tea
pkgs.delta
pkgs.gh
];
programs.git = {


@ -20,8 +20,11 @@ in
environment.systemPackages = [
pkgs.jdk17
pkgs.visualvm
pkgs.gradle_7
] ++ optionals graphical [ pkgs.jetbrains.idea-community ];
environment.sessionVariables.JAVA_HOME = pkgs.jdk17.home;
grimmShared.tooling.lang_servers = [
{
lsp = {


@ -5,7 +5,12 @@
...
}:
let
inherit (config.grimmShared) enable tooling graphical network;
inherit (config.grimmShared)
enable
tooling
graphical
network
;
inherit (lib)
optional
getBin
@ -24,7 +29,12 @@ let
isString
;
local_network = [ "192.168.0.0/16" "10.0.0.0/8" "172.16.0.0/12" "fc00::/7" ];
local_network = [
"192.168.0.0/16"
"10.0.0.0/8"
"172.16.0.0/12"
"fc00::/7"
];
local_ips = pkgs.writeTextDir "local_ips.list" (concatLines local_network);
created = "1970-01-01T00:00:00.0+00:00";
@ -43,30 +53,34 @@ in
};
rules = {
firefox = let
cfg = config.programs.firefox;
pkg = (cfg.package.override (old: {
extraPrefsFiles =
old.extraPrefsFiles or [ ]
++ cfg.autoConfigFiles
++ [ (pkgs.writeText "firefox-autoconfig.js" cfg.autoConfig) ];
nativeMessagingHosts = old.nativeMessagingHosts or [ ] ++ cfg.nativeMessagingHosts.packages;
cfg = (old.cfg or { }) // cfg.wrapperConfig;
}));
firefox =
let
cfg = config.programs.firefox;
pkg = (
cfg.package.override (old: {
extraPrefsFiles =
old.extraPrefsFiles or [ ]
++ cfg.autoConfigFiles
++ [ (pkgs.writeText "firefox-autoconfig.js" cfg.autoConfig) ];
nativeMessagingHosts = old.nativeMessagingHosts or [ ] ++ cfg.nativeMessagingHosts.packages;
cfg = (old.cfg or { }) // cfg.wrapperConfig;
})
);
in
# pkg = pkgs.firefox-unwrapped;
in mkIf (config.programs.firefox.enable) {
name = "firefox";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type ="simple";
sensitive = false;
operand = "process.path";
data = "${getBin pkg}/lib/firefox/firefox";
mkIf (config.programs.firefox.enable) {
name = "firefox";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "simple";
sensitive = false;
operand = "process.path";
data = "${getBin pkg}/lib/firefox/firefox";
};
};
};
block-list = {
name = "block-list";
@ -77,7 +91,7 @@ in
operator = {
type = "lists";
operand = "lists.domains";
data = pkgs.callPackage ./block_lists.nix {};
data = pkgs.callPackage ./block_lists.nix { };
};
};
@ -92,7 +106,7 @@ in
operand = "list";
list = [
{
type ="simple";
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe pkgs.nsncd;
@ -105,7 +119,9 @@ in
{
type = "lists";
operand = "lists.nets";
data = pkgs.writeTextDir "cidr_dns.list" (concatLines ((map (ip: "${ip}/32") config.networking.nameservers) ++ local_network));
data = pkgs.writeTextDir "cidr_dns.list" (
concatLines ((map (ip: "${ip}/32") config.networking.nameservers) ++ local_network)
);
}
{
type = "simple";
@ -124,7 +140,7 @@ in
precedence = true;
inherit created;
operator = {
type ="regexp";
type = "regexp";
sensitive = false;
operand = "dest.ip";
data = "^(127\\.0\\.0\\.1|::1)$";
@ -139,7 +155,7 @@ in
duration = "always";
inherit created;
operator = {
type ="simple";
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped";
@ -154,7 +170,7 @@ in
duration = "always";
inherit created;
operator = {
type ="regexp";
type = "regexp";
sensitive = false;
operand = "process.path";
data = "/nix/store/[a-z0-9]{32}-osu-lazer-bin-${escapeRegex (getVersion pkgs.osu-lazer-bin)}-extracted/usr/bin/osu!";
@ -178,7 +194,7 @@ in
data = "443|53";
}
{
type ="regexp";
type = "regexp";
sensitive = false;
operand = "process.path";
data = "/nix/store/[a-z0-9]{32}-osu-lazer-bin-${escapeRegex (getVersion pkgs.osu-lazer-bin)}-extracted/usr/bin/osu!";
@ -209,7 +225,7 @@ in
data = "443|4070";
}
{
type ="simple";
type = "simple";
sensitive = false;
operand = "process.path";
data = lib.getExe pkgs.ncspot;
@ -240,7 +256,7 @@ in
data = "443|4070";
}
{
type ="simple";
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped";
@ -254,7 +270,6 @@ in
};
};
spotify_allow_local = mkIf (config.grimmShared.spotify.enable && graphical) {
name = "spotify-allow-local";
enabled = true;
@ -267,7 +282,7 @@ in
operand = "list";
list = [
{
type ="simple";
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped";
@ -289,7 +304,7 @@ in
duration = "always";
inherit created;
operator = {
type ="regexp";
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
@ -308,7 +323,7 @@ in
operand = "list";
list = [
{
type ="regexp";
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
@ -322,6 +337,37 @@ in
};
};
vesktop_daemon_allow_udp = mkIf (graphical) {
name = "vesktop-allow-udp";
enabled = true;
action = "allow";
precedence = true;
duration = "always";
# inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
}
{
type = "simple";
operand = "protocol";
data = "udp";
}
{
type = "regexp";
operand = "dest.port";
data = "500[0-9]{2}";
}
];
};
};
vesktop_daemon_deny = mkIf (graphical) {
name = "vesktop-daemon-deny";
enabled = true;
@ -330,14 +376,13 @@ in
duration = "always";
inherit created;
operator = {
type ="regexp";
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
};
};
vesktop_daemon_allow = mkIf (graphical) {
name = "vesktop-daemon-allow";
enabled = true;
@ -350,7 +395,7 @@ in
operand = "list";
list = [
{
type ="regexp";
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
@ -364,8 +409,6 @@ in
};
};
avahi = mkIf (config.services.avahi.enable) {
name = "avahi";
enabled = true;
@ -377,7 +420,7 @@ in
operand = "list";
list = [
{
type ="simple";
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' config.services.avahi.package "avahi-daemon";
@ -403,7 +446,7 @@ in
duration = "always";
inherit created;
operator = {
type ="regexp";
type = "regexp";
operand = "protocol";
sensitive = false;
data = "icmp(4|6)?";
@ -421,21 +464,21 @@ in
operand = "list";
list = [
{
type ="simple";
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.networkmanager "networkmanager";
}
{
type ="simple";
type = "simple";
operand = "dest.port";
data = "547";
}
# {
# type ="simple";
# operand = "dest.network";
# data = "ff02::1:2";
# }
# {
# type ="simple";
# operand = "dest.network";
# data = "ff02::1:2";
# }
];
};
};
@ -451,13 +494,13 @@ in
operand = "list";
list = [
{
type ="simple";
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.cups-filters "cups-browsed";
}
{
type ="regexp";
type = "regexp";
operand = "dest.port";
data = "53|631|80";
}
@ -484,18 +527,19 @@ in
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd"; }
data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd";
}
{
type ="regexp";
type = "regexp";
operand = "dest.port";
data = "123|37|53";
}
# {
# type = "regexp";
# sensitive = false;
# operand = "dest.host";
# data = ".*\.nixos\.pool\.ntp\.org";
# }
# {
# type = "regexp";
# sensitive = false;
# operand = "dest.host";
# data = ".*\.nixos\.pool\.ntp\.org";
# }
{
type = "simple";
operand = "user.id";
@ -516,7 +560,7 @@ in
operand = "list";
list = [
{
type ="simple";
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.nextcloud-client ".nextcloudcmd-wrapped";
@ -525,11 +569,15 @@ in
type = "regexp";
sensitive = false;
operand = "dest.host";
data = let l = (filter isString (split "\\." config.grimmShared.cloudSync.server)); in (strings.replicate ((length l) - 1) "(") + (concatStringsSep "\\.)?" l);
data =
let
l = (filter isString (split "\\." config.grimmShared.cloudSync.server));
in
(strings.replicate ((length l) - 1) "(") + (concatStringsSep "\\.)?" l);
# config.grimmShared.cloudSync.server;
}
{
type ="regexp";
type = "regexp";
operand = "dest.port";
data = "443|53";
}
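Review bot: In the new `vesktop_daemon_allow_udp` rule the `process.command` regex writes `\.config` inside a Nix double-quoted string, where `\.` is not an escape and collapses to a bare `.`, so the pattern matches any character at that position; write `\\.config` (the neighbouring vesktop rules carry the same slip in their context lines). The `dest.port` pattern `500[0-9]{2}` is unanchored; if opensnitch evaluates `regexp` operands with an unanchored match this still only hits 50000–50099 because a port string has at most five digits, but `^500[0-9]{2}$` states the intent and survives future edits. `# inherit created;` leaves this rule without the `created` field every sibling sets — restore it unless the omission is deliberate. Because the rule is `action = "allow"` with `precedence = true`, it is evaluated ahead of the non-precedence deny rule that follows it, so the port range is the only thing bounding it. The `rules` attrset starts and ends outside the visible hunks.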


@ -10,3 +10,6 @@ github.com
githubusercontent.com
scdn.co
spotify.com
discord.media
media.tenor.co
media.tenor.com


@ -11,6 +11,7 @@ in
{
config = mkIf (enable && tooling.enable) {
virtualisation.libvirtd.enable = true;
programs.virt-manager.enable = true;
virtualisation.spiceUSBRedirection.enable = true;
@ -21,13 +22,15 @@ in
# };
# };
environment.systemPackages = with pkgs; [
winetricks
wineWow64Packages.stagingFull
dotnetCorePackages.dotnet_9.sdk
jetbrains.rider
# jetbrains.rider
mono4
# (mono4.overrideAttrs { version="4.6.1"; sha256=""; })
tesseract4
];
};
}
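Review bot: If `virtualisation.spiceUSBRedirection.enable = true;` is the line this hunk adds (the rendered view does not show which of the two is new), it deserves a comment: as far as I recall the NixOS module installs a privileged `security.wrappers` entry for `spice-client-glib-usb-acl-helper` so unprivileged users can hand USB devices to VMs, which widens the local attack surface beyond what `programs.virt-manager.enable` alone does. Suggest `# privileged usb-acl helper: needed for USB passthrough from virt-manager` next to it. The package-list edits are routine, but the `# jetbrains.rider` and `# (mono4.overrideAttrs …)` lines are stale and could be dropped.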


@ -66,7 +66,7 @@ in
freecad
openscad
vlc
blender
# blender
thunderbird
xdg-terminal-exec
xdg-utils


@ -18,6 +18,8 @@
nix.package = pkgs.lix;
nixpkgs.config.allowUnfree = true;
services.flatpak.enable = true;
grimmShared = {
enable = true;
locale = true;

49
flake.lock generated

@ -9,11 +9,11 @@
"pre-commit-hooks": "pre-commit-hooks"
},
"locked": {
"lastModified": 1730472722,
"narHash": "sha256-/ut+TH7jZwgZEREMOZp/Wx7zXl6hgBJGGxQHU0KO6yY=",
"lastModified": 1731942996,
"narHash": "sha256-Ohh+GmEenm4Eu1p6+u/4qIw0wbgKm7Vk/yQwRnSmrFE=",
"owner": "LordGrimmauld",
"repo": "aa-alias-manager",
"rev": "f2ef05f2af456e247d2b37a0b3bf09edbe1788a9",
"rev": "e394c4882888f9b9306b3a2dfc59df03ab766473",
"type": "github"
},
"original": {
@ -30,11 +30,11 @@
]
},
"locked": {
"lastModified": 1728524457,
"narHash": "sha256-R+GJ3H1PvRUHLm45muY1KEezhfgIl8l7HJ36DySZMu0=",
"lastModified": 1731956781,
"narHash": "sha256-AAZiAMQ2LBCY375NnbQa8HHFJc3KLyfnlGiFXDdb1pE=",
"owner": "ezKEa",
"repo": "aagl-gtk-on-nix",
"rev": "5611dd61df02e0bc5d62bb3f5388821d8854faff",
"rev": "862c5b3acd097906cd242eedd9ddcc95ac9382cb",
"type": "github"
},
"original": {
@ -92,11 +92,11 @@
]
},
"locked": {
"lastModified": 1730390431,
"narHash": "sha256-M+rMhDB69Y35IlhmAMN4ErDige+wKPwhb6HDqpF14Rw=",
"lastModified": 1732150710,
"narHash": "sha256-H6ps/jlPn3kkGtrZeduLtfMnV8htI117/qUgMtUzJBM=",
"owner": "chaotic-cx",
"repo": "nyx",
"rev": "40388a7427ee32af175c5169ae7587ffd2dec125",
"rev": "4621aec08aa50869a305e275c2b8a0c766f3b59b",
"type": "github"
},
"original": {
@ -241,11 +241,11 @@
]
},
"locked": {
"lastModified": 1730016908,
"narHash": "sha256-bFCxJco7d8IgmjfNExNz9knP8wvwbXU4s/d53KOK6U0=",
"lastModified": 1732025103,
"narHash": "sha256-qjEI64RKvDxRyEarY0jTzrZMa8ebezh2DEZmJJrpVdo=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "e83414058edd339148dc142a8437edb9450574c8",
"rev": "a46e702093a5c46e192243edbd977d5749e7f294",
"type": "github"
},
"original": {
@ -263,11 +263,11 @@
]
},
"locked": {
"lastModified": 1730248099,
"narHash": "sha256-Fl7BSdpLk0uTXF6ol/MR0q1EB4XQ8tn0ftig0pyYh5Y=",
"lastModified": 1732032028,
"narHash": "sha256-NjyfJQQxs/a2a/KwTmXM44K7XjeJwGsf4YFtebueQzo=",
"owner": "Jovian-Experiments",
"repo": "Jovian-NixOS",
"rev": "c11bab124fc55a37cbd854ed28ea121ed609231f",
"rev": "65dc04371cf914c9af4f073638821e4787303005",
"type": "github"
},
"original": {
@ -366,18 +366,17 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1730200266,
"narHash": "sha256-l253w0XMT8nWHGXuXqyiIC/bMvh1VRszGXgdpQlfhvU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "807e9154dcb16384b1b765ebe9cd2bba2ac287fd",
"type": "github"
"lastModified": 1732297877,
"narHash": "sha256-OCazAn/xPjPTMo6cyMzJthmfMBuoCjcZ4O+kAkW3ixI=",
"ref": "refs/heads/apparmor_module",
"rev": "43d89bd05155f93038565672464931594b9b4fcd",
"revCount": 710089,
"type": "git",
"url": "file:///home/grimmauld/coding/nixpkgs"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
"type": "git",
"url": "file:///home/grimmauld/coding/nixpkgs"
}
},
"nixpkgs-24_05": {


@ -3,8 +3,8 @@
inputs = {
nixpkgs = {
url = "github:NixOS/nixpkgs/nixos-unstable";
# url = "git+file:///home/grimmauld/coding/nixpkgs";
# url = "github:NixOS/nixpkgs/nixos-unstable";
url = "git+file:///home/grimmauld/coding/nixpkgs";
};
chaotic = {
url = "github:chaotic-cx/nyx/nyxpkgs-unstable";
@ -37,7 +37,11 @@
outputs = inputs @ { self, agenix, nixpkgs, chaotic, aagl-gtk-on-nix, nixos-mailserver, nixos-matrix-modules, aa-alias-manager, ... }:
let
patches = [
./aa_mod.patch
# ./aa_mod.patch
{
url = "https://github.com/NixOS/nixpkgs/pull/357468.patch";
hash = "sha256-t+/zVO/Jyink9biD61AuDOmVt0GF3biKxR5hCAyl4Fc=";
}
];
customNixosSystem = system: definitions:
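Review bot: Pointing the `nixpkgs` input at `git+file:///home/grimmauld/coding/nixpkgs` makes the flake unbuildable on any other host and records an unreproducible local path and `revCount` in flake.lock (visible in the flake.lock section), so this looks like a working-copy setting that should not be committed; keep the GitHub URL active and override locally with `--override-input nixpkgs` instead. The patch entry at `https://github.com/NixOS/nixpkgs/pull/357468.patch` is content-hashed and so fails closed, but a PR `.patch` URL changes whenever the PR is pushed or rebased, so the hash will go stale; pin it to a commit-specific patch URL. If the local checkout is already on the `apparmor_module` branch the lock names, applying the PR patch on top may be a double application — confirm the two are not the same change. `outputs` continues outside the hunk.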


@ -115,7 +115,12 @@
};
};
swapDevices = [ ];
swapDevices = [
#{
# device = "zpool/swap";
# device = "/dev/zvol/zpool/swap";
#}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's