From 9f2621b6be06fe8f2a14854dda0b64f253e3017d Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Sat, 21 Dec 2024 21:53:10 +0100
Subject: [PATCH] save
---
 common/tooling/apparmor/bare.nix | 26 ++++++
 common/tooling/apparmor/default.nix | 2 +
 common/tooling/default.nix | 2 +-
 common/tooling/nix.nix | 1 +
 common/xdg/mime.nix | 2 +-
 flake.lock | 137 ++++++++++++++++++++++------
 flake.nix | 18 ++--
 overlays/default.nix | 2 +-
 sway/default.nix | 2 +-
 9 files changed, 152 insertions(+), 40 deletions(-)
 create mode 100644 common/tooling/apparmor/bare.nix
diff --git a/common/tooling/apparmor/bare.nix b/common/tooling/apparmor/bare.nix
new file mode 100644
index 0000000..d3ea3c4
--- /dev/null
+++ b/common/tooling/apparmor/bare.nix
@@ -0,0 +1,26 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}:
+let
+ inherit (config.grimmShared) enable tooling;
+ inherit (lib) mkIf;
+in
+{
+ config = mkIf (enable && tooling.enable && config.security.apparmor.enable) {
+ services.dbus.apparmor = "enabled";
+ security.auditd.enable = true;
+
+ security.apparmor.enableCache = true;
+
+
+ environment.systemPackages = with pkgs; [ apparmor-parser ];
+
+ # security.apparmor.aa-alias-manager.enable = false;
+
+ security.audit.backlogLimit = 512;
+
+ };
+}
diff --git a/common/tooling/apparmor/default.nix b/common/tooling/apparmor/default.nix
index 1f72afd..433a985 100644
--- a/common/tooling/apparmor/default.nix
+++ b/common/tooling/apparmor/default.nix
@@ -22,6 +22,8 @@ in
 alias /bin/spotify -> ${pkgs.spotify}/share/spotify/spotify,
 '';

+ environment.systemPackages = with pkgs; [ apparmor-parser ];
+
 # security.apparmor.aa-alias-manager.enable = false;

 security.audit.backlogLimit = 512;
diff --git a/common/tooling/default.nix b/common/tooling/default.nix
index c44b079..8528569 100644
--- a/common/tooling/default.nix
+++ b/common/tooling/default.nix
@@ -23,7 +23,7 @@ in
 ./lsp.nix
 ./helix.nix
 ./git.nix
- ./wine.nix
+ # ./wine.nix
 ./c.nix
 ./java.nix
 ./opensnitch
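Review bot: Nothing in this patch imports the new `common/tooling/apparmor/bare.nix`: the next hunk edits `common/tooling/apparmor/default.nix` without adding `./bare.nix`, and the only other AppArmor hook, `apparmor-dev.nixosModules.default` in flake.nix, lands commented out, so the module is dead unless an import outside these hunks picks it up. Its body also repeats `environment.systemPackages = with pkgs; [ apparmor-parser ];`, the commented-out `aa-alias-manager` line and `security.audit.backlogLimit = 512;` from default.nix, with nothing saying how the two modules relate or whether both may be imported. A one-line header would settle that, e.g. `# Minimal AppArmor/audit baseline without the alias rules of default.nix; import only one of the two.`. Note too that nothing visible sets `security.audit.enable`, the option family `security.audit.backlogLimit` belongs to; unless it is enabled elsewhere the limit and `security.auditd.enable` presumably have nothing to act on, so that is worth confirming.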
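Review bot: `./wine.nix` is commented out rather than removed, and the same pattern repeats for `libreoffice-qt` in common/xdg/mime.nix, `./ncspot.nix` in overlays/default.nix and `aw-bundle` in sway/default.nix; with the commit titled only `save`, there is no record of why each was disabled or whether it is meant to return. Git keeps the history, so either delete the lines, or keep the comment and give the reason beside it, e.g. `# ./wine.nix  # disabled: <reason>, re-enable when fixed`.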
diff --git a/common/tooling/nix.nix b/common/tooling/nix.nix
index f46a15d..4d73c98 100644
--- a/common/tooling/nix.nix
+++ b/common/tooling/nix.nix
@@ -45,6 +45,7 @@
 experimental-features = [
 "nix-command"
 "flakes"
+ "pipe-operator"
 ];
 warn-dirty = false;
 };
diff --git a/common/xdg/mime.nix b/common/xdg/mime.nix
index d4be56c..d8d7c6d 100644
--- a/common/xdg/mime.nix
+++ b/common/xdg/mime.nix
@@ -53,7 +53,7 @@ in
 gnome-console
 alacritty_pkg
 imhex
- libreoffice-qt
+ # libreoffice-qt
 filezilla
 obsidian
 nomacs
diff --git a/flake.lock b/flake.lock
index 9c98f7a..47e525d 100644
--- a/flake.lock
+++ b/flake.lock
@@ -31,11 +31,11 @@ ] }, "locked": { - "lastModified": 1732889580, - "narHash": "sha256-67MC0DhkRPTPy/g76sm/jzMqcmUBIlX5qoSH5B27Twk=", + "lastModified": 1734540176, + "narHash": "sha256-msxbnOw/nh8GJ87YtBEDT1jhVldOBtxHRF2KgvYPeDA=", "owner": "ezKEa", "repo": "aagl-gtk-on-nix", - "rev": "5b6ceba740feaf260ec205e41e3dde8af510a547", + "rev": "00df3ad02364a6fb8f1105dc72ae770b748c62eb", "type": "github" }, "original": { @@ -92,6 +92,28 @@ "type": "github" } }, + "apparmor-dev": { + "inputs": { + "flake-utils": "flake-utils_2", + "nix-github-actions": "nix-github-actions_2", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1734558035, + "narHash": "sha256-v45bzSPoI7q/mGeP0YyBaE5F/fFuQ75GPHRGTPNpcsw=", + "owner": "LordGrimmauld", + "repo": "apparmor-dev", + "rev": "d9d7d629c902a10e1c9986efb8b79c7d9daf02ed", + "type": "github" + }, + "original": { + "owner": "LordGrimmauld", + "repo": "apparmor-dev", + "type": "github" + } + }, "blobs": { "flake": false, "locked": {
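Review bot: `"pipe-operator"` is added to the system-wide `experimental-features`, but the feature's name differs between Nix implementations: Lix uses `pipe-operator`, while CppNix (2.24 and later, if I remember the release notes correctly) spells it `pipe-operators`, and an unrecognised feature name is, as far as I know, only warned about, so on the other implementation this line silently enables nothing. A comment pinning the intended implementation would prevent a confusing failure later, e.g. `"pipe-operator" # Lix spelling; CppNix calls it "pipe-operators"`. Since this sits in the daemon's settings, the experimental feature applies to every evaluation on the host, not only to this flake.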
@@ -118,11 +140,11 @@ ] }, "locked": { - "lastModified": 1733072746, - "narHash": "sha256-Rds19CCMsbT+eo5HoJahl2N/wLrvGZ0Nw6Vlu+hvfmE=", + "lastModified": 1734346739, + "narHash": "sha256-Um5yY36idRodddotyBaI9sQjw/xw5SV6tt3jPRgL330=", "owner": "chaotic-cx", "repo": "nyx", - "rev": "36d157737c1682d31721f68c812353225956471b", + "rev": "7228d7032f0316dbc69b69584ec07707efbd38c9", "type": "github" }, "original": { @@ -189,11 +211,11 @@ "flake-compat_2": { "flake": false, "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", "owner": "edolstra", "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", "type": "github" }, "original": { @@ -250,6 +272,24 @@ "type": "github" } }, + "flake-utils_2": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "gitignore": { "inputs": { "nixpkgs": [ @@ -302,11 +342,11 @@ ] }, "locked": { - "lastModified": 1732884235, - "narHash": "sha256-r8j6R3nrvwbT1aUp4EPQ1KC7gm0pu9VcV1aNaB+XG6Q=", + "lastModified": 1734093295, + "narHash": "sha256-hSwgGpcZtdDsk1dnzA0xj5cNaHgN9A99hRF/mxMtwS4=", "owner": "nix-community", "repo": "home-manager", - "rev": "819f682269f4e002884702b87e445c82840c68f2", + "rev": "66c5d8b62818ec4c1edb3e941f55ef78df8141a8", "type": "github" }, "original": { 
@@ -317,18 +357,18 @@ }, "jovian": { "inputs": { - "nix-github-actions": "nix-github-actions_2", + "nix-github-actions": "nix-github-actions_3", "nixpkgs": [ "chaotic", "nixpkgs" ] }, "locked": { - "lastModified": 1732739177, - "narHash": "sha256-iL32+TA/8geCzcL1r3uthrH/GPvbUak5QE++WJUkaiI=", + "lastModified": 1734162608, + "narHash": "sha256-m2AX+3eiVqIK6uO7GbGY7SFnkkYOlR5fQiNI0eRvWOQ=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "8d7b2149e618696d5100c2683af1ffa893f02a75", + "rev": "31bdf4c7c91204d65afbde01146deee0259a8fb7", "type": "github" }, "original": { @@ -343,7 +383,7 @@ "nixpkgs-update", "nixpkgs" ], - "systems": "systems_3" + "systems": "systems_4" }, "locked": { "lastModified": 1710694589, @@ -381,6 +421,27 @@ } }, "nix-github-actions_2": { + "inputs": { + "nixpkgs": [ + "apparmor-dev", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1731952509, + "narHash": "sha256-p4gB3Rhw8R6Ak4eMl8pqjCPOLCZRqaehZxdZ/mbFClM=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "7b5f051df789b6b20d259924d349a9ba3319b226", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, + "nix-github-actions_3": { "inputs": { "nixpkgs": [ "chaotic", @@ -413,11 +474,11 @@ "nixpkgs-24_05": "nixpkgs-24_05" }, "locked": { - "lastModified": 1722877200, - "narHash": "sha256-qgKDNJXs+od+1UbRy62uk7dYal3h98I4WojfIqMoGcg=", + "lastModified": 1734370678, + "narHash": "sha256-a8zkti1QM5Oxkdfnzr/NjrFlyqI36/kYV/X8G1jOmB4=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "af7d3bf5daeba3fc28089b015c0dd43f06b176f2", + "rev": "c43d8c4a3ce84a7bebd110b06e69365484db6208", "type": "gitlab" }, "original": { 
@@ -449,27 +510,27 @@ }, "nixpkgs": { "locked": { - "lastModified": 1733015953, - "narHash": "sha256-t4BBVpwG9B4hLgc6GUBuj3cjU7lP/PJfpTHuSqE+crk=", + "lastModified": 1734536697, + "narHash": "sha256-G/HnRTtU+ob8x967kjzMRqjNFbAdllrcjYc+IcaR15Y=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ac35b104800bff9028425fec3b6e8a41de2bbfff", + "rev": "9c40bef08a5bdc0ccc3207f4282a1ded83e77a7a", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable", + "ref": "nixos-unstable-small", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-24_05": { "locked": { - "lastModified": 1717144377, - "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=", + "lastModified": 1731797254, + "narHash": "sha256-df3dJApLPhd11AlueuoN0Q4fHo/hagP75LlM5K1sz9g=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "805a384895c696f802a9bf5bf4720f37385df547", + "rev": "e8c38b73aeb218e27163376a2d617e61a2ad9b59", "type": "github" }, "original": { @@ -502,11 +563,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1732958734, - "narHash": "sha256-DY1Aq+pAU/n0loBjCRfeSbEG/ji2M+mrEkcEnsN/AHk=", + "lastModified": 1734260421, + "narHash": "sha256-vsr+9xKkirwEjvXTS2sOVIxlKQmF/QjszD+Ph0/oRgc=", "owner": "nix-community", "repo": "nixpkgs-update", - "rev": "dffb2930904b08ca8d226594b543cbae150b5f67", + "rev": "712e24bd6543801c52f6c0656a8371f8d029030e", "type": "github" }, "original": { @@ -558,6 +619,7 @@ "aa-alias-manager": "aa-alias-manager", "aagl-gtk-on-nix": "aagl-gtk-on-nix", "agenix": "agenix", + "apparmor-dev": "apparmor-dev", "chaotic": "chaotic", "nixos-mailserver": "nixos-mailserver", "nixos-matrix-modules": "nixos-matrix-modules", 
@@ -668,6 +730,21 @@ "type": "github" } }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "treefmt-nix": { "inputs": { "nixpkgs": [
diff --git a/flake.nix b/flake.nix
index 5a703ba..02f984d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,7 +3,7 @@

 inputs = {
 nixpkgs = {
- url = "github:NixOS/nixpkgs/nixos-unstable";
+ url = "github:NixOS/nixpkgs/nixos-unstable-small";
 # url = "git+file:///home/grimmauld/coding/nixpkgs";
 };
 chaotic = {
@@ -36,6 +36,10 @@
 url = "github:nix-community/nixpkgs-update";
 # inputs.nixpkgs.follows = "nixpkgs";
 };
+ apparmor-dev = {
+ url = "github:LordGrimmauld/apparmor-dev";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };

 outputs =
@@ -49,14 +49,15 @@
 nixos-matrix-modules,
 aa-alias-manager,
 nixpkgs-update,
+ apparmor-dev,
 ...
 }:
 let
 patches = [
- {
- url = "https://patch-diff.githubusercontent.com/raw/NixOS/nixpkgs/pull/356796.patch";
- hash = "sha256-nlyqFxvD6O7MDNJxs/9pCRWzo4XvG++Znc3HvDFkiiY=";
- }
+# {
+# url = "https://patch-diff.githubusercontent.com/raw/NixOS/nixpkgs/pull/356796.patch";
+# hash = "sha256-hiXVdMeoKYbzJ4QxtTF85huRTe4EwgD3E1qXKhJGw1U=";
+# }
 ];

 customNixosSystem =
@@ -68,7 +73,7 @@
 src = inputs.nixpkgs;
 patches = map (p: if (builtins.isPath p) then p else (unpatched.fetchpatch p)) patches;
 };
- nixosSystem = import (patched + "/nixos/lib/eval-config.nix");
+ nixosSystem = if patches == [] then nixpkgs.lib.nixosSystem else import (patched + "/nixos/lib/eval-config.nix");
 in
 nixosSystem (
 {
@@ -108,6 +113,7 @@
 aagl-gtk-on-nix.nixosModules.default
 ./configuration.nix
 aa-alias-manager.nixosModules.default
+ # apparmor-dev.nixosModules.default
 ./specific/grimm-nixos-ssd/configuration.nix
 ];

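Review bot: The patch block is commented out but its `hash` is still updated (`sha256-nlyq…` → `sha256-hiXV…`) while the URL is unchanged, which is the visible symptom of fetching `…/pull/356796.patch` directly: as I read it that URL follows the PR head, so its content drifts whenever the PR is rebased and the pinned hash goes stale. If the patch is re-enabled, point it at an immutable object — a specific commit's `.patch` URL or a file vendored in this repo — rather than the mutable PR URL. As it stands the block is dead code carrying a hash; either delete it or say why it is parked, e.g. `# nixpkgs PR 356796 patch parked: <reason>; re-pin to a commit URL before re-enabling`. The `customNixosSystem` definition that follows continues outside the hunk.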
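Review bot: The two branches of the new `nixosSystem` binding do not have the same contract: `nixpkgs.lib.nixosSystem` wraps `eval-config.nix` and, as far as I recall, supplies its own `lib` and a module recording the flake source, while `import (patched + "/nixos/lib/eval-config.nix")` takes exactly what the call site passes, so `nixosSystem ( { …`, whose arguments continue outside the hunk, is evaluated under different rules depending on whether `patches` is empty. Presumably the goal is to avoid importing from the `patched` derivation when there is nothing to patch, which is worth stating, e.g. `# no patches: use nixpkgs' own nixosSystem and skip the import-from-derivation of the patched tree`, together with a check that the argument set works for both paths. Splitting the `if`/`then`/`else` across lines would also keep the binding in the style of the surrounding file.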
diff --git a/overlays/default.nix b/overlays/default.nix
index d6c64f1..3b81762 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -38,7 +38,7 @@
 ./ooye.nix
 ./factorio.nix
 ./ranger.nix
- ./ncspot.nix
+ # ./ncspot.nix
 ./grpcio-tools.nix
 ];
 }
diff --git a/sway/default.nix b/sway/default.nix
index f6cedea..1f82cc9 100644
--- a/sway/default.nix
+++ b/sway/default.nix
@@ -196,7 +196,7 @@
 (getExe' config.hardware.opentabletdriver.package "otd-daemon")
 pkgs.swaynotificationcenter
 pkgs.networkmanagerapplet
- aw-bundle
+# aw-bundle
 # (pkgs.writeShellScriptBin "rmenu-cache-clear" "rm -r $HOME/.cache/rmenu") # invalidate rmenu cache on sway restart
 ];
 extraConfig = ''