Merge branch 'main' of ssh://grimmauld.de:2222/Grimmauld/grimm-nixos-laptop

Grimmauld 2024-12-02 11:05:25 +01:00
commit 7eee8fc5f4
16 changed files with 95 additions and 117 deletions


@ -1,76 +0,0 @@
diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix
index a4b3807e4e0f..87a2c2c81feb 100644
--- a/nixos/modules/security/apparmor.nix
+++ b/nixos/modules/security/apparmor.nix
@@ -3,15 +3,11 @@
with lib;
let
- inherit (builtins) attrNames head map match readFile;
+ inherit (builtins) attrNames map match;
inherit (lib) types;
inherit (config.environment) etc;
cfg = config.security.apparmor;
- mkDisableOption = name: mkEnableOption name // {
- default = true;
- example = false;
- };
- enabledPolicies = filterAttrs (n: p: p.enable) cfg.policies;
+ enabledPolicies = filterAttrs (n: p: p.state != "disable") cfg.policies;
in
{
@@ -45,15 +41,30 @@ in
description = ''
AppArmor policies.
'';
- type = types.attrsOf (types.submodule ({ name, config, ... }: {
+ type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
options = {
- enable = mkDisableOption "loading of the profile into the kernel";
- enforce = mkDisableOption "enforcing of the policy or only complain in the logs";
+ state = mkOption {
+ description =
+ "The state of the profile as applied to the system by nix";
+ type = types.enum [ "disable" "complain" "enforce" ];
+ # should enforce really be the default?
+ # the docs state that this should only be used once one is REALLY sure nothing's gonna break
+ default = "enforce";
+ };
+
profile = mkOption {
- description = "The policy of the profile.";
+ description = "The policy of the profile. Incompatible with path.";
type = types.lines;
- apply = pkgs.writeText name;
};
+
+ path = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ description = "A path of a profile to include. Incompatible with profile.";
+ apply = p: assert (assertMsg ((p != null && !options.profile.isDefined) || (p == null && options.profile.isDefined))
+ "`security.apparmor.policies.\"${name}\"` must define exactly one of either path or profile.");
+ (if (p != null) then p else (pkgs.writeText name config.profile));
+ };
};
}));
default = {};
@@ -108,7 +119,7 @@ in
environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" (
# It's important to put only enabledPolicies here and not all cfg.policies
# because aa-remove-unknown reads profiles from all /etc/apparmor.d/*
- mapAttrsToList (name: p: { inherit name; path = p.profile; }) enabledPolicies ++
+ mapAttrsToList (name: p: { inherit name; path = p.path; }) enabledPolicies ++
mapAttrsToList (name: path: { inherit name path; }) cfg.includes
);
environment.etc."apparmor/parser.conf".text = ''
@@ -187,7 +198,7 @@ in
xargs --verbose --no-run-if-empty --delimiter='\n' \
kill
'';
- commonOpts = p: "--verbose --show-cache ${optionalString (!p.enforce) "--complain "}${p.profile}";
+ commonOpts = p: "--verbose --show-cache ${optionalString (p.state == "complain") "--complain "}${p.path}";
in {
Type = "oneshot";
RemainAfterExit = "yes";


@ -4,5 +4,5 @@
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCy7X5ByG4/9y2XkQSnXcpMGnV5WPGUd+B6FaYCDNmPQ7xIZEteS+kCpu9oiMP6C/H/FT+i9DZvCflkzgdFAyujYLKRYaZbZ3K6F60qN0rkJ0z/ZO5c6rqwIwR6BEoB7dq5inkyH9fZ8/SI+PXxELmeWF9ehT7kkQC+o9Ujpcjd7ZuZllbAz4UQZFRbbpwdVJCEDenu9/63yuYbvMupgGk0edaTiFT0Q9MSzs/3pNP8xlAxmmZ3HzSjeF7gUzBF7CaIroTeguiUjSVybUEx48P8fy878t7dUZf4anEno9MS0B3aqfZvCKuuPdAUdeBfCbFHRqN7GuCylFIXGPe95Mxl grimmauld@grimmauld-nixos"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClLZhya2A7SoRSX2DNNM6OWgnGhtOFUor/WdyY59L0l6u5tEo9VyX5bCR84eo+uN4jyahSiGD1WC3RGIoNtHuSkKPxr0rqQhlbuyxraHGj7hOLhcGWRd2eIdsntbma7uPsn4zC0skKjpVNR7PU4LfSxti0gBhgq6uQhMtlfywwJshmwt55q7oT/zC449Uz2vyviy7sQ53R9YoOWEjB/+vU8jHxGlqLatXhOGKlBtrQxKm8PZ6jBYxAC6sGA4APIHWC3KC0S0X7wlmi42Dx9bbBm0rUjy095vRZ22fkE8x9OSTKDY/vFTLw5vwVMa8dACfA1Kc0+EpgOK77lZddeTvD grimmauld.de"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJhM1Fk5ix4OZAdlfCxL891KxeEKpyIFrP5yYkC9mg7E grimmauld@grimmauld-nixos"
(builtins.readFile ./ssh/id_ed25519_sk.pub )
(builtins.readFile ./ssh/id_ed25519_sk.pub)
]


@ -37,10 +37,10 @@ in
];
policies = {
ExtensionSettings =
# (mkIf firefox.disableUserPlugins { "*".installation_mode = "blocked"; }) //
# (mkIf firefox.disableUserPlugins { "*".installation_mode = "blocked"; }) //
(
mapAttrs (guid: shortId: {
# explicit plugins by config
# explicit plugins by config
install_url = "https://addons.mozilla.org/en-US/firefox/downloads/latest/${shortId}/latest.xpi";
installation_mode = "force_installed";
}) config.grimmShared.firefox.plugins

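--- /dev/null
+++ b/custom/ooye/package.nix
+{
+buildNpmPackage,
+lib,
+nodejs,
+fetchgit,
+}:
+buildNpmPackage rec {
+pname = "out-of-your-element";
+version = "3.0.5";
+src = fetchgit {
+url = "https://gitdab.com/cadence/out-of-your-element";
+rev = "v3.0-beta5";
+hash = "sha256-3Y6s9pNKKeqF6s4I2Rd4TpxXPCwqizXeil/sTDVnpr0=";
+};
+npmDepsHash = "sha256-1STam+Sjy2MQcK5TmRacoxmgErd2sNqw0yIFX2M+iZk=";
+dontNpmBuild = true;
+postInstall = ''
+# create wrapper
+makeWrapper "${lib.getExe nodejs}" "$out/bin/ooye-setup" \
+--add-flags "$out/lib/node_modules/out-of-your-element/scripts/setup.js"
+makeWrapper "${lib.getExe nodejs}" "$out/bin/ooye-addbot" \
+--add-flags "$out/lib/node_modules/out-of-your-element/addbot.js"
+makeWrapper "${lib.getExe nodejs}" "$out/bin/ooye-start" \
+--add-flags "$out/lib/node_modules/out-of-your-element/start.js"
+'';
+meta = {
+description = "";
+homepage = "https://gitdab.com/cadence/out-of-your-element";
+license = lib.licenses.agpl3Only;
+maintainers = with lib.maintainers; [ grimmauld ];
+mainProgram = "out-of-your-element";
+platforms = lib.platforms.all;
+};
+}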
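Review bot: `version = "3.0.5";` does not match the tag actually fetched at `rev = "v3.0-beta5";`, so the store path advertises a release that is not what gets built; `version = "3.0-beta5";` together with `rev = "v${version}";` keeps the two from drifting. `mainProgram = "out-of-your-element";` names a binary that postInstall never creates — the only wrappers written are ooye-setup, ooye-addbot and ooye-start — so `lib.getExe` on this package would point at a missing file; `mainProgram = "ooye-start";` matches what is installed. `makeWrapper` is invoked in postInstall but is neither a function argument nor listed in a nativeBuildInputs; unless buildNpmPackage already provides it (not visible here), the build fails at that line, so adding `makeWrapper` to the inputs and `nativeBuildInputs = [ makeWrapper ];` is worth confirming. The empty `description = "";` should state what the package is, e.g. a one-line summary of the bridge.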


@ -31,11 +31,11 @@
]
},
"locked": {
"lastModified": 1732848312,
"narHash": "sha256-OSkmgBPSmZJlZmZu16S3zav7vbxU7w4p6cwoi4B28PM=",
"lastModified": 1732889580,
"narHash": "sha256-67MC0DhkRPTPy/g76sm/jzMqcmUBIlX5qoSH5B27Twk=",
"owner": "ezKEa",
"repo": "aagl-gtk-on-nix",
"rev": "30492838a20837085045baffc7c796f266a0b6a6",
"rev": "5b6ceba740feaf260ec205e41e3dde8af510a547",
"type": "github"
},
"original": {
@ -118,11 +118,11 @@
]
},
"locked": {
"lastModified": 1732715105,
"narHash": "sha256-WGf8bzwNEgbWjM9aTFv9ZCGrBQEfg0fYd4FSoVa2gDs=",
"lastModified": 1733072746,
"narHash": "sha256-Rds19CCMsbT+eo5HoJahl2N/wLrvGZ0Nw6Vlu+hvfmE=",
"owner": "chaotic-cx",
"repo": "nyx",
"rev": "8f153d013632e6036e8bec6377cc5ed7d2ad14df",
"rev": "36d157737c1682d31721f68c812353225956471b",
"type": "github"
},
"original": {
@ -134,11 +134,11 @@
},
"crane": {
"locked": {
"lastModified": 1732906089,
"narHash": "sha256-NvYSSiKsC0rqn9yY0a9zglLXrFp92EwKhTFZC38voCQ=",
"lastModified": 1725409566,
"narHash": "sha256-PrtLmqhM6UtJP7v7IGyzjBFhbG4eOAHT6LPYOFmYfbk=",
"owner": "ipetkov",
"repo": "crane",
"rev": "9ed3180f45c2d1499e5af98c4ab7ffee8e886f5f",
"rev": "7e4586bad4e3f8f97a9271def747cf58c4b68f3c",
"type": "github"
},
"original": {
@ -237,11 +237,11 @@
"systems": "systems_2"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
@ -302,11 +302,11 @@
]
},
"locked": {
"lastModified": 1732482255,
"narHash": "sha256-GUffLwzawz5WRVfWaWCg78n/HrBJrOG7QadFY6rtV8A=",
"lastModified": 1732884235,
"narHash": "sha256-r8j6R3nrvwbT1aUp4EPQ1KC7gm0pu9VcV1aNaB+XG6Q=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "a9953635d7f34e7358d5189751110f87e3ac17da",
"rev": "819f682269f4e002884702b87e445c82840c68f2",
"type": "github"
},
"original": {
@ -324,11 +324,11 @@
]
},
"locked": {
"lastModified": 1732648910,
"narHash": "sha256-1F83DUfEHnCZpGY4UOlWaamWoDx8eZ9tHaUF51p2hng=",
"lastModified": 1732739177,
"narHash": "sha256-iL32+TA/8geCzcL1r3uthrH/GPvbUak5QE++WJUkaiI=",
"owner": "Jovian-Experiments",
"repo": "Jovian-NixOS",
"rev": "e86d2ad72094354326887bd6fe156f327d63d491",
"rev": "8d7b2149e618696d5100c2683af1ffa893f02a75",
"type": "github"
},
"original": {
@ -449,11 +449,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1732521221,
"narHash": "sha256-2ThgXBUXAE1oFsVATK1ZX9IjPcS4nKFOAjhPNKuiMn0=",
"lastModified": 1733015953,
"narHash": "sha256-t4BBVpwG9B4hLgc6GUBuj3cjU7lP/PJfpTHuSqE+crk=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "4633a7c72337ea8fd23a4f2ba3972865e3ec685d",
"rev": "ac35b104800bff9028425fec3b6e8a41de2bbfff",
"type": "github"
},
"original": {
@ -502,11 +502,11 @@
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1730338630,
"narHash": "sha256-rGp0I9m3/nDV70nRXvdCv2QiAGPOaRm92rISXDxNUJM=",
"lastModified": 1732958734,
"narHash": "sha256-DY1Aq+pAU/n0loBjCRfeSbEG/ji2M+mrEkcEnsN/AHk=",
"owner": "nix-community",
"repo": "nixpkgs-update",
"rev": "525c2e488ad26cd46878fd93337521bf42e598a9",
"rev": "dffb2930904b08ca8d226594b543cbae150b5f67",
"type": "github"
},
"original": {
@ -610,11 +610,11 @@
]
},
"locked": {
"lastModified": 1732933841,
"narHash": "sha256-dge02pUSe2QeC/B3PriA0R8eAX+EU3aDoXj9FcS3XDw=",
"lastModified": 1725675754,
"narHash": "sha256-hXW3csqePOcF2e/PYnpXj72KEYyNj2HzTrVNmS/F7Ug=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "c65e91d4a33abc3bc4a892d3c5b5b378bad64ea1",
"rev": "8cc45e678e914a16c8e224c3237fb07cf21e5e54",
"type": "github"
},
"original": {


@ -53,7 +53,10 @@
}:
let
patches = [
./aa_mod.patch
{
url = "https://patch-diff.githubusercontent.com/raw/NixOS/nixpkgs/pull/356796.patch";
hash = "sha256-nlyqFxvD6O7MDNJxs/9pCRWzo4XvG++Znc3HvDFkiiY=";
}
];
customNixosSystem =
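Review bot: The fetched patch at `url = "https://patch-diff.githubusercontent.com/raw/NixOS/nixpkgs/pull/356796.patch";` is a PR-level URL whose content changes whenever the PR branch is pushed, so the fixed `hash` will start failing as soon as upstream updates the PR; the sha256 does prevent silently building different content, but a commit-pinned URL such as `https://github.com/NixOS/nixpkgs/commit/<COMMIT-SHA placeholder>.patch` keeps the fetch reproducible over time. It is not clear from the rendered hunk whether `./aa_mod.patch` on the first list line is kept or removed in this commit; if the local patch and the fetched one both remain and touch the same file, they may conflict when nixpkgs is patched. A one-line comment naming what PR 356796 provides would help the next reader. The enclosing `let` block continues outside the hunk.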


@ -18,6 +18,7 @@ in
# ./discord-matrix-bridge.nix
./mastodon.nix
./nix_cache.nix
./ooye.nix
# ./auth.nix
./hedgedoc.nix
# ./factorio.nix


@ -15,7 +15,7 @@ in
};
dump.enable = true;
settings = {
service.DISABLE_REGISTRATION = true;
server = {


@ -18,7 +18,7 @@ in
};
};
# global mjolnir
# global mjolnir
services.mjolnir = {
enable = true;
homeserverUrl = config.services.matrix-synapse-next.settings.public_baseurl;
@ -48,7 +48,7 @@ in
{ config, ... }:
{
system.stateVersion = "unstable";
# tle mjolnir
# tle mjolnir
services.logrotate.checkConfig = false;
services.mjolnir = {
enable = true;

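--- /dev/null
+++ b/modules/ooye.nix
@@ -0,0 +1,4 @@
+{ pkgs, ... }:
+{
+environment.systemPackages = with pkgs; [ ooye ];
+}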


@ -9,17 +9,17 @@
};
networking.wireguard.interfaces = {
# "wg0" is the network interface name. You can name the interface
# "wg0" is the network interface name. You can name the interface
# arbitrarily.}
wg0 = {
privateKeyFile = "/home/grimmauld/wireguard.priv";
# Determines the IP address and subnet of the server's end of the tunnel
# Determines the IP address and subnet of the server's end of the tunnel
# interface.
ips = [ "10.100.0.1/24" ];
# The port that WireGuard listens to. Must be accessible by the client.
listenPort = 51820;
# This allows the wireguard server to route your traffic to the internet and
# hence be like a VPN For this to work you have to set the dnsserver IP of
# This allows the wireguard server to route your traffic to the internet and
# hence be like a VPN For this to work you have to set the dnsserver IP of
# your router (or dnsserver of choice) in your clients
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens18 -j MASQUERADE


@ -35,6 +35,7 @@
./searchclip.nix
./confwhich.nix
./rfindup.nix
./ooye.nix
./factorio.nix
./ranger.nix
./ncspot.nix

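--- /dev/null
+++ b/overlays/ooye.nix
@@ -0,0 +1,4 @@
+{ prev, ... }:
+{
+ooye = prev.callPackage ../custom/ooye/package.nix { };
+}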
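Review bot: `ooye = prev.callPackage ../custom/ooye/package.nix { };` resolves the package's dependencies (nodejs, buildNpmPackage, fetchgit) from `prev`, the package set as it was before this overlay, so overrides applied by this or later overlays are not seen by the build. If the overlay also receives `final` — the `{ prev, ... }` argument pattern suggests the caller passes more than `prev`, but that is not visible here — `final.callPackage` is the conventional choice for a fixed-point-aware overlay. Otherwise the single-attribute overlay reads fine.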


@ -14,7 +14,7 @@ in
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
# ./modules/nvidia.nix
# ./modules/nvidia.nix
];
boot.initrd.kernelModules = [ ];


@ -16,7 +16,7 @@
boot.supportedFilesystems.zfs = true;
# security.pam.yubico.control = "required";
services.printing.cups-pdf.enable = true; # implies printing enable
# services.printing.enable = true;
security.apparmor.enable = true;


@ -197,7 +197,7 @@
pkgs.swaynotificationcenter
pkgs.networkmanagerapplet
aw-bundle
# (pkgs.writeShellScriptBin "rmenu-cache-clear" "rm -r $HOME/.cache/rmenu") # invalidate rmenu cache on sway restart
# (pkgs.writeShellScriptBin "rmenu-cache-clear" "rm -r $HOME/.cache/rmenu") # invalidate rmenu cache on sway restart
];
extraConfig = ''
output * bg ${./wallpapers/switzerland.jpg} fill