Merge branch 'main' of ssh://grimmauld.de:2222/Grimmauld/grimm-nixos-laptop

2025-02-25 12:55:29 +01:00 · 2025-02-25 12:55:29 +01:00 · a45ab655d6
commit a45ab655d6
parent e7f90a6c44 3fe3e74c71
36 changed files with 286 additions and 107 deletions
--- a/common/firefox.nix
+++ b/common/firefox.nix
@ -25,7 +25,23 @@ in
      ++ optionals config.services.desktopManager.plasma6.enable [ pkgs.plasma-browser-integration ];

    programs.firefox = {
-      #      package = pkgs.firefox-beta;
+      package = pkgs.firefox.override {
+        extraPrefsFiles = [
+          "${pkgs.arkenfox-userjs}/user.cfg"
+
+          (pkgs.writeText "arkenfox-userjs-overrides.cfg" # javascript
+            ''
+              /// arkenfox user.js overrides.
+              // We want session restore to work, for that we need to save history:
+              // https://github.com/arkenfox/user.js/issues/1080#issue-774750296
+              lockPref("privacy.clearOnShutdown.history", false);
+              lockPref("privacy.clearOnShutdown_v2.historyFormDataAndDownloads", false);
+              lockPref("privacy.clearOnShutdown.offlineApps", false); // Site Data
+              lockPref("privacy.clearOnShutdown_v2.cookiesAndStorage", false); // Cookies, Site Data, Active Logins [FF128+]
+            ''
+          )
+        ];
+      };
      enable = true;
      languagePacks = optionals locale [
        "de"
@ -56,19 +72,99 @@ in
        OverrideFirstRunPage = "";
        OverridePostUpdatePage = "";
        DontCheckDefaultBrowser = true;
+
+      FirefoxHome = {
+        TopSites = true;
+        SponsoredTopSites = false;
+
+        Pocket = false;
+        Snippets = false;
+        Highlights = false;
+        Locked = true;
+      };
+
+      FirefoxSuggest = {
+        WebSuggestions = false;
+        SponsoredSuggestions = false;
+        ImproveSuggest = false;
+        Locked = true;
+      };
+
+      SearchEngines = {
+         # Default = "DuckDuckGo";
+         Remove = ["Bing" "Amazon.ca" "eBay"];
+         Add = [
+           {
+             Name = "Nix Package Search";
+             URLTemplate = "https://search.nixos.org/packages?channel=unstable&query={searchTerms}";
+             IconURL = "https://github.com/NixOS/nixos-artwork/raw/refs/heads/master/logo/nix-snowflake-white.svg";
+             Alias = "np";
+           }
+           {
+             Name = "NixOS Option Search";
+             URLTemplate = "https://search.nixos.org/options?channel=unstable&query={searchTerms}";
+             IconURL = "https://github.com/NixOS/nixos-artwork/raw/refs/heads/master/logo/nix-snowflake-white.svg";
+             Alias = "no";
+           }
+           {
+             Name = "NixOS Wiki";
+             URLTemplate = "https://nixos.wiki/index.php?search={searchTerms}";
+             IconURL = "https://github.com/NixOS/nixos-artwork/raw/refs/heads/master/logo/nix-snowflake-white.svg";
+             Alias = "nw";
+           }
+           {
+             Name = "Home Manager Option Search";
+             URLTemplate = "https://mipmip.github.io/home-manager-option-search?query={searchTerms}";
+             IconURL = "https://github.com/NixOS/nixos-artwork/raw/refs/heads/master/logo/nix-snowflake-white.svg";
+             Alias = "hm";
+           }
+         ];
+       };
+        
        Preferences = {
          "pdfjs.enableScripting" = false;
+          "signon.rememberSignons" = false;

          "media.hardware-video-decoding.enabled" = true;
          "media.ffmpeg.vaapi.enabled" = true;
-          "network.dns.disableIPv6" = true;
-          # "network.dns.DNS_HTTPS.domain" = "::1";
-          "network.connectivity-service.DNSv4.domain" = "127.0.0.1";
-          "network.connectivity-service.DNSv6.domain" = "::1";
-          network.dns.localDomains = "::1";
-          network.dns.forceResolve = true;
          "media.rdd-ffmpeg.enabled" = true;
          "media.navigator.mediadatadecoder_vpx_enabled" = true;
+          "media.eme.enabled" = true;
+          # "media.peerconnection.enabled" = false;
+          
+          "browser.startup.homepage" = "about:home";
+          "browser.startup.page" = 1;
+          "browser.newtabpage.enabled" = true;
+          "browser.toolbars.bookmarks.visibility" = "newtab";
+          "browser.download.useDownloadDir" = true;
+
+          # "general.useragent.override" = "";
+          # "permissions.memory_only" = true;
+          "privacy.resistFingerprinting" = true;
+          "privacy.resistFingerprinting.block_mozAddonManager" = true;
+          "network.http.referer.XOriginPolicy" = 1;
+          "network.http.referer.XOriginTrimmingPolicy" = 1;
+          "network.http.sendRefererHeader" = 0;
+
+          "network.proxy.socks" = builtins.head (builtins.split ":" config.services.tor.torsocks.server);
+          "network.proxy.socks_port" = lib.last (builtins.split ":" config.services.tor.torsocks.server);
+          "network.connectivity-service.DNSv4.domain" = "127.0.0.1";
+          "network.connectivity-service.DNSv6.domain" = "::1";
+          "network.dns.localDomains" = "::1";
+          "network.dns.forceResolve" = true;
+          "network.dns.disableIPv6" = true;
+
+          "extensions.formautofill.addresses.enabled" = false;
+          "extensions.formautofill.creditCards.enabled" = false;
+
+          "permissions.default.geo" = 2;
+          "permissions.default.xr" = 2;
+          "privacy.fingerprintingProtection" = true;
+          "privacy.globalprivacycontrol.enabled" = true;
+          "signon.firefoxRelay.feature" = "disabled";
+          "browser.display.use_document_fonts" = 0;
+          
+          # "network.dns.DNS_HTTPS.domain" = "::1";
        } // optionalAttrs sway.enable { "browser.tabs.inTitlebar" = 0; };
      };
    };
--- a/common/printing.nix
+++ b/common/printing.nix
@ -10,8 +10,8 @@ in
 {
  config = lib.mkIf (enable && config.services.printing.enable) {
    services.printing.drivers = with pkgs; [
-      brgenml1lpr
-      brgenml1cupswrapper
+#      brgenml1lpr
+#      brgenml1cupswrapper
    ];
    services.avahi = {
      # enable = true;
--- a/common/tooling/default.nix
+++ b/common/tooling/default.nix
@ -63,6 +63,7 @@ in

        undollar
        openssl
+        android-tools
      ]
      ++ optionals graphical [
        wev
@ -90,6 +91,12 @@ in

    boot.tmp.cleanOnBoot = true;
    # zramSwap.enable = false;
+
+    services.udev.packages = [
+      pkgs.android-udev-rules
+    ];
+    programs.adb.enable = true;
+    
  };

  options.grimmShared.tooling = {
--- a/common/tooling/rust.nix
+++ b/common/tooling/rust.nix
@ -22,8 +22,9 @@ in
      [
        pkg-config
        cargo
+        rustup
      ]
-      ++ optionals graphical [ jetbrains.clion ];
+      ++ optionals graphical [ jetbrains.clion jetbrains.rust-rover ];

    grimmShared.tooling.lang_servers = [
      {
--- a/configuration.nix
+++ b/configuration.nix
@ -5,6 +5,7 @@
    ./common
    #    ./fake_flake.nix
    ./users.nix
+    ./custom
  ];

  # Bootloader.
@ -15,6 +16,8 @@

  nix.package = pkgs.lix;
  nixpkgs.config.allowUnfree = true;
+  zramSwap.enable = true;
+#  zramSwap.memoryPercent = 50;

  grimmShared = {
    enable = true;
--- a/custom/confwhich/package.nix
+++ b/custom/confwhich/package.nix
@ -15,7 +15,8 @@ rustPlatform.buildRustPackage {
    hash = "sha256-dMkUJMQjlKzmSsgtH0xOZ5Bk654+h84M1cTx8hVM5SQ=";
  };

-  cargoHash = "sha256-cn9vtRO+negpIVs0rnp2y5q7L4w554dfBK9MtbWd8FA=";
+  useFetchCargoVendor = true;
+  cargoHash = "sha256-YSi7sObmclTR6BSQPSN54/2aurXxCl/q2i8hutlJXkw=";

  meta = {
    description = "tool to find the path of xdg config files";
--- a/custom/default.nix
+++ b/custom/default.nix
@ -0,0 +1,11 @@
+{ lib, ... }: {
+  nixpkgs.overlays = lib.singleton (final: prev: {
+    confwhich = prev.callPackage ./confwhich/package.nix { };
+      deskwhich = prev.callPackage ./deskwhich/package.nix { };
+        linux-bench = prev.callPackage ./linux-bench/package.nix { };
+          ooye = prev.callPackage ./ooye/package.nix { };
+            rfindup = prev.callPackage ./rfindup/package.nix { };
+              searchclip = prev.callPackage ./searchclip/package.nix { };
+                tlpui = prev.callPackage ./tlpui/package.nix { };
+  });
+}
--- a/custom/deskwhich/package.nix
+++ b/custom/deskwhich/package.nix
@ -15,7 +15,8 @@ rustPlatform.buildRustPackage {
    hash = "sha256-uSXxUehZY1Sp08X3khSQtQc8AT00jJTAsQ+OfTTTkss=";
  };

-  cargoHash = "sha256-x0ARqeMdmnjMF0o2oZlxHnUUj9hEdqg4a+Z/WYax2Co=";
+  useFetchCargoVendor = true;
+  cargoHash = "sha256-e4wWQ0QOl0vDRbOFs7eN49sQJXBiJGsHiDLE68NiK8Y=";

  meta = {
    description = "tool to find the path of desktop entries";
--- a/custom/rfindup/package.nix
+++ b/custom/rfindup/package.nix
@ -15,7 +15,8 @@ rustPlatform.buildRustPackage {
    hash = "sha256-nbC/nM6orM19Qh/1bpN6gxOqvhCO4cVBumgEFl9G4Rs=";
  };

-  cargoHash = "sha256-l7uRTGV2iYbWbJSvs+YHwMSYmVW3FHa7sgbO2mub7a0=";
+  useFetchCargoVendor = true;
+  cargoHash = "sha256-S+NpQti2fgaz1UogqXbo+1mgkmetf/brQFcDrW00ZiU=";

  meta = {
    description = "tool to find files by name in parent directories";
--- a/flake.lock
+++ b/flake.lock
@ -10,11 +10,11 @@
        "rust-overlay": "rust-overlay"
      },
      "locked": {
-        "lastModified": 1737538029,
-        "narHash": "sha256-I4mWZEWV1c+sPb5f8liQxYdEjRxMR0UzY6dgP5zj2Kc=",
+        "lastModified": 1739727446,
+        "narHash": "sha256-t+KH1NoR/HauQlYgKaNKkxCoSQ4PwPdp5r6nGc3K/tE=",
        "owner": "LordGrimmauld",
        "repo": "aa-alias-manager",
-        "rev": "14b4d3f64c06f6c4457a1d117bb201410422009d",
+        "rev": "cf56427c87bf93537f0c4f9896beef2da146860b",
        "type": "github"
      },
      "original": {
@ -141,11 +141,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1737973837,
-        "narHash": "sha256-LrM+QVWUZhPKbjm2I5EkypupivGHjr/AM4rCaNbCFfE=",
+        "lastModified": 1740016447,
+        "narHash": "sha256-96hBRGwuG+CFI5+inRIDCh0Za4LOt1dlbO3pFOokw6Y=",
        "owner": "chaotic-cx",
        "repo": "nyx",
-        "rev": "f19af140dacd0e211a25cf907be46356347e190f",
+        "rev": "ed7900391a1969bb0bde432fd3952a6dda37114c",
        "type": "github"
      },
      "original": {
@ -202,11 +202,11 @@
        "rust-analyzer-src": "rust-analyzer-src"
      },
      "locked": {
-        "lastModified": 1737268357,
-        "narHash": "sha256-J3At8JDKpQGDeDUcz1eh0h5yFwNH7fPfm+N95TxiOq4=",
+        "lastModified": 1739946876,
+        "narHash": "sha256-ek0u5FT5yjqYKjF/0HQKwDH2ISZzyvYwu+My5hmSwbU=",
        "owner": "nix-community",
        "repo": "fenix",
-        "rev": "f9662e6ea6020671e1e17102bd20d6692bb38aba",
+        "rev": "95c1eab59767a3dbb11d6616d4ff736813ce41d2",
        "type": "github"
      },
      "original": {
@ -365,11 +365,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1737221749,
-        "narHash": "sha256-igllW0yG+UbetvhT11jnt9RppSHXYgMykYhZJeqfHs0=",
+        "lastModified": 1739913864,
+        "narHash": "sha256-WhzgQjadrwnwPJQLLxZUUEIxojxa7UWDkf7raAkB1Lw=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "97d7946b5e107dd03cc82f21165251d4e0159655",
+        "rev": "97ac0801d187b2911e8caa45316399de12f6f199",
        "type": "github"
      },
      "original": {
@ -407,11 +407,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1737126697,
-        "narHash": "sha256-k1YhjONkiKBHzbjNy4ZsjysBac5UJSolCVq9cTKLeKM=",
+        "lastModified": 1739952453,
+        "narHash": "sha256-+tyFW6nNj1fJ1VTtLeqe1PMp5F7Fb9zIkT6mUvdQHrM=",
        "owner": "Jovian-Experiments",
        "repo": "Jovian-NixOS",
-        "rev": "27a0ddac1a14e10ba98530f59db728951495f2ce",
+        "rev": "b2ed82d3ff837960df4518308dfe409dda3ae406",
        "type": "github"
      },
      "original": {
@ -495,11 +495,11 @@
        "nixpkgs-24_11": "nixpkgs-24_11"
      },
      "locked": {
-        "lastModified": 1737736848,
-        "narHash": "sha256-VrUfCXBXYV+YmQ2OvVTeML9EnmaPRtH+POrNIcJp6yo=",
+        "lastModified": 1739121270,
+        "narHash": "sha256-EmJhpy9U8sVlepl2QPjG019VfG67HcucsQNItTqW6cA=",
        "owner": "simple-nixos-mailserver",
        "repo": "nixos-mailserver",
-        "rev": "6b425d13f5a9d73cb63973d3609acacef4d1e261",
+        "rev": "8c1c4640b878c692dd3d8055e8cdea0a2bbd8cf3",
        "type": "gitlab"
      },
      "original": {
@ -531,11 +531,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1738142207,
-        "narHash": "sha256-NGqpVVxNAHwIicXpgaVqJEJWeyqzoQJ9oc8lnK9+WC4=",
+        "lastModified": 1739866667,
+        "narHash": "sha256-EO1ygNKZlsAC9avfcwHkKGMsmipUk1Uc0TbrEZpkn64=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "9d3ae807ebd2981d593cddd0080856873139aa40",
+        "rev": "73cf49b8ad837ade2de76f87eb53fc85ed5d4680",
        "type": "github"
      },
      "original": {
@ -599,11 +599,11 @@
    "rust-analyzer-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1737215993,
-        "narHash": "sha256-W8xioeq+h9dzGvtXPlQAn2nXtgNDN6C8uA1/9F2JP5I=",
+        "lastModified": 1739913186,
+        "narHash": "sha256-7MSzs64dLDgq1wFw2eujZ01qdj9K+TwIlQMyWebotE8=",
        "owner": "rust-lang",
        "repo": "rust-analyzer",
-        "rev": "248bd511aee2c1c1cb2d5314649521d6d93b854a",
+        "rev": "3028f844c5898dcf115f6bc67a5ce793989b04a1",
        "type": "github"
      },
      "original": {
--- a/hardening/apparmor/apparmor-d-package.nix
+++ b/hardening/apparmor/apparmor-d-package.nix
@ -6,18 +6,19 @@
 }:
 buildGoModule {
  pname = "apparmor-d";
-  version = "unstable-2025-01-19";
+  version = "unstable-2025-02-18";

  src = fetchFromGitHub {
-    rev = "e41c5f6055197b3ad0985f5af735b7d272148360";
+    rev = "af85db9148b17bb37b4d73454e78d4efec4c2db9";
    owner = "roddhjav";
    repo = "apparmor.d";
-    hash = "sha256-Dyn8aMh63VIBb7mhyP/bEp3NhmIlDZs1WHse8jgi5o4=";
+    hash = "sha256-mCc1DQXQvzeeA+sq67zK5o18tKByaB5dITmC77j9uEM=";
  };

  vendorHash = null;

  doCheck = false;
+  dontCheckForBrokenSymlinks = true;

  patches = [
    ./apparmor-d-prebuild.patch
--- a/hardening/apparmor/default.nix
+++ b/hardening/apparmor/default.nix
@ -42,7 +42,7 @@ in
        spotify = "enforce";
        "thunderbird.apparmor.d" = "enforce";
        xdg-open = "enforce";
-        child-open-any = "enforce";
+        # child-open-any = "enforce";
        child-open = "enforce";
        firefox-glxtest = "enforce";
        firefox-vaapitest = "enforce";
--- a/hardening/default.nix
+++ b/hardening/default.nix
@ -68,10 +68,10 @@
  systemd.tpm2.enable = false;
  systemd.enableEmergencyMode = false;
  virtualisation.vswitch.enable = false;
-  services.resolved.enable = false;
  security.unprivilegedUsernsClone = true;
  security.apparmor.enable = true;
  security.allowSimultaneousMultithreading = true;
+  security.pam.services.systemd-run0 = {};
  environment.defaultPackages = lib.mkForce [ ];
  environment.systemPackages = with pkgs; [ nano clamav linux-bench ];
 }
--- a/hardening/encrypt-dns.nix
+++ b/hardening/encrypt-dns.nix
@ -2,11 +2,23 @@
 {
  networking = {
    nameservers = lib.mkForce [ "127.0.0.1" "::1" ];
+    # nameservers = lib.mkForce [ "127.0.0.1:8053" "[::1]:8053" ];
    dhcpcd.extraConfig = "nohook resolv.conf"; # dhcp
    networkmanager.dns = "none"; # nm
    resolvconf.useLocalResolver = true; # resoved
  };

+  services.tor = {
+    enable = true;
+    client.enable = true;
+    torsocks = {
+      enable = true;
+      allowInbound = false;
+    };
+    settings.SafeSocks = true;
+    settings.TestSocks = true;
+  };
+
  services.dnscrypt-proxy2 = {
    enable = true;
    settings = {
@ -18,20 +30,22 @@
      odoh_servers = false;
      require_nolog = true;
      require_nofilter = true;
+      listen_addresses = [ "127.0.0.1:53" ];
+      proxy = "socks5://${config.services.tor.torsocks.server}";
+      force_tcp = true;

      sources.public-resolvers = let
        serverList = pkgs.fetchurl {
          # fetching during build prevents issues e.g. when the certificate can't be validated if the clock is wrong
          url = "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md";
-          hash = "sha256-NrcMn57GS38qrE7f6GYcdUJCMAr9drl57omVnuS6oEU=";
+          hash = "sha256-2Pjs37mMolfWaaTf2c+tTbc1mzjCncK9qLyyZJn0LgA=";
        };
      in {
        urls = [
          "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
          "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
-          # "file://${serverList}"
        ];
-        cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
+        cache_file = serverList;
        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
      };

--- a/hardening/opensnitch/block_lists.nix
+++ b/hardening/opensnitch/block_lists.nix
@ -5,13 +5,13 @@
 }:
 stdenv.mkDerivation rec {
  pname = "stevenblack_block";
-  version = "3.14.116";
+  version = "3.15.19";

  src = fetchFromGitHub {
    owner = "StevenBlack";
    repo = "hosts";
    rev = version;
-    hash = "sha256-MATJK6QO//6z5CXS3zVo/s/Bz6c2z0g8C+InM5iiv2o=";
+    hash = "sha256-hcvOs96apLZFVv1Fn9FUxS3VQQeP7h/IC2E3xOqcrZY=";
  };

  installPhase = ''
--- a/hardening/opensnitch/default.nix
+++ b/hardening/opensnitch/default.nix
@ -30,6 +30,7 @@ in
    ./firefox.nix
    ./tooling.nix
    ./dns.nix
+    ./tor.nix
  ];

  config = mkIf (enable && tooling.enable && network) {
--- a/hardening/opensnitch/nix.nix
+++ b/hardening/opensnitch/nix.nix
@ -72,13 +72,6 @@ in
              operand = "dest.port";
              data = "443";
            }
-            {
-              type = "regexp";
-              sensitive = false;
-              operand = "dest.host";
-              data = "(channels|cache)\\.nixos\\.org";
-            }
-
          ];
        };
      };
--- a/hardening/opensnitch/tor.nix
+++ b/hardening/opensnitch/tor.nix
@ -0,0 +1,37 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  inherit (config.grimmShared)
+    enable
+    tooling
+    network
+    ;
+  inherit (lib)
+    mkIf
+    ;
+
+  created = "1970-01-01T00:00:00.0+00:00";
+in
+{
+
+  config = mkIf (enable && tooling.enable && network) {
+    services.opensnitch.rules = {
+      tor = mkIf (config.services.tor.enable) {
+        name = "tor";
+        enabled = true;
+        action = "allow";
+        duration = "always";
+        inherit created;
+        operator = {
+          type = "simple";
+          sensitive = false;
+          operand = "process.path";
+          data = lib.getExe' config.services.tor.package "tor";
+        };
+      };
+    };
+  };
+}
--- a/hardening/opensnitch/vesktop.nix
+++ b/hardening/opensnitch/vesktop.nix
@ -33,7 +33,7 @@ in
          type = "regexp";
          sensitive = false;
          operand = "process.command";
-          data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
+          data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
        };
      };

@ -52,7 +52,7 @@ in
              type = "regexp";
              sensitive = false;
              operand = "process.command";
-              data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
+              data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
            }
            {
              type = "lists";
@ -78,7 +78,7 @@ in
              type = "regexp";
              sensitive = false;
              operand = "process.command";
-              data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
+              data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
            }
            {
              type = "simple";
@ -105,7 +105,7 @@ in
          type = "regexp";
          sensitive = false;
          operand = "process.command";
-          data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
+          data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
        };
      };

@ -124,7 +124,7 @@ in
              type = "regexp";
              sensitive = false;
              operand = "process.command";
-              data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
+              data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
            }
            {
              type = "lists";
--- a/hardening/systemd/default.nix
+++ b/hardening/systemd/default.nix
@ -13,11 +13,11 @@ let
 in
 {
  imports = [
-    ./NetworkManager.nix
+    # ./NetworkManager.nix
    ./wpa_supplicant.nix
    ./auditd.nix
    ./acpid.nix
-    ./cups.nix
+    # ./cups.nix
    # ./bluetooth.nix
    # ./tty.nix
    ./ask-password.nix
--- a/hardening/systemd/global/syscall_arch.nix
+++ b/hardening/systemd/global/syscall_arch.nix
@ -8,7 +8,7 @@ in
    type = types.attrsOf (
      lib.types.submodule {
        config.serviceConfig = mkIf (osConfig.specialisation != { }) {
-          SystemCallArchitectures = mkDefault "native";
+          # SystemCallArchitectures = mkDefault "native";
        };
      }

--- a/hardening/systemd/nscd.nix
+++ b/hardening/systemd/nscd.nix
@ -8,7 +8,6 @@
    nscd.serviceConfig = {
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
-      SystemCallArchitectures = "native";
      RestrictSUIDSGID = true;
      RestrictAddressFamilies = [
        "AF_UNIX"
@ -17,6 +16,7 @@
      ];
      RestrictNamespaces = true;
      SystemCallFilter = "@system-service";
+            SystemCallArchitectures = "native";

      LockPersonality = true;
      ProtectControlGroups = true;
--- a/hm/common/default.nix
+++ b/hm/common/default.nix
@ -41,10 +41,12 @@ in

      # kicad
      prusa-slicer
-      # freecad
+      freecad
      openscad
      iamb
      confy
+      authenticator
+      signal-desktop

      vlc
      # blender
--- a/overlays/confwhich.nix
+++ b/overlays/confwhich.nix
@ -1,4 +0,0 @@
-{ prev, ... }:
-{
-  confwhich = prev.callPackage ../custom/confwhich/package.nix { };
-}
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -2,16 +2,21 @@
  config,
  lib,
  inputs,
+  options,
  ...
 }:
 {
-  #programs.ccache.packageNames = [
-  #  "agenix"
-  #  "mcontrolcenter"
-  #];
+  programs.ccache.enable = true;
+  nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ];
+    systemd.tmpfiles.rules = [
+    "d! ${config.programs.ccache.cacheDir} 770 root nixbld"
+  ];
+  programs.ccache.packageNames = [
+    # "firefox-unwrapped"
+  ];

  nixpkgs.overlays =
-    map
+    (map
      (
        f:
        (
@ -30,17 +35,14 @@
      [
        ./lua_update.nix
        ./matrix-appservice-discord.nix
-        ./deskwhich.nix
-        ./tlpui.nix
-        # ./ccache-wrapper.nix
-        ./searchclip.nix
-        ./confwhich.nix
-        ./rfindup.nix
-        ./ooye.nix
+        ./ccache-wrapper.nix
        ./factorio.nix
        ./ranger.nix
        ./vesktop.nix
-        ./linux-bench.nix
+        ./firefox-search.nix
        # ./grpcio-tools.nix
-      ];
+      ]
+    )
+    ++ [ (import ./global/overlays.nix) ];
+  nix.nixPath = options.nix.nixPath.default ++ [ "nixpkgs-overlays=${./global}" ];
 }
--- a/overlays/deskwhich.nix
+++ b/overlays/deskwhich.nix
@ -1,4 +0,0 @@
-{ prev, ... }:
-{
-  deskwhich = prev.callPackage ../custom/deskwhich/package.nix { };
-}
--- a/overlays/firefox-search.nix
+++ b/overlays/firefox-search.nix
@ -0,0 +1,21 @@
+{ prev, final, ... }:
+{
+  firefox = prev.firefox.overrideAttrs (old: {
+    nativeBuildInputs = (old.nativeBuildInputs or []) ++ (with prev; [ zip unzip gnused ] );
+    buildCommand = ''
+      export buildRoot="$(pwd)"
+    '' + old.buildCommand + ''
+      pushd $buildRoot
+      unzip $out/lib/firefox/browser/omni.ja -d patched_omni || ret=$?
+      if [[ $ret && $ret -ne 2 ]]; then
+        echo "unzip exited with unexpected error"
+        exit $ret
+      fi
+      rm $out/lib/firefox/browser/omni.ja
+      cd patched_omni
+      sed -i 's/"enterprise_only"\s*:\s*true,//' modules/policies/schema.sys.mjs
+      zip -0DXqr $out/lib/firefox/browser/omni.ja * # potentially qr9XD
+      popd
+    '';
+  });
+}
--- a/overlays/global/overlays.nix
+++ b/overlays/global/overlays.nix
@ -0,0 +1,3 @@
+final: prev: {
+  devenv = builtins.throw "no devenv for you!";
+}
--- a/overlays/linux-bench.nix
+++ b/overlays/linux-bench.nix
@ -1,4 +0,0 @@
-{ prev, ... }:
-{
-  linux-bench = prev.callPackage ../custom/linux-bench/package.nix { };
-}
--- a/overlays/ooye.nix
+++ b/overlays/ooye.nix
@ -1,4 +0,0 @@
-{ prev, ... }:
-{
-  ooye = prev.callPackage ../custom/ooye/package.nix { };
-}
--- a/overlays/rfindup.nix
+++ b/overlays/rfindup.nix
@ -1,4 +0,0 @@
-{ prev, ... }:
-{
-  rfindup = prev.callPackage ../custom/rfindup/package.nix { };
-}
--- a/overlays/searchclip.nix
+++ b/overlays/searchclip.nix
@ -1,4 +0,0 @@
-{ prev, ... }:
-{
-  searchclip = prev.callPackage ../custom/searchclip/package.nix { };
-}
--- a/overlays/tlpui.nix
+++ b/overlays/tlpui.nix
@ -1,4 +0,0 @@
-{ prev, ... }:
-{
-  tlpui = prev.callPackage ../custom/tlpui/package.nix { };
-}
--- a/specific/grimm-nixos-ssd/configuration.nix
+++ b/specific/grimm-nixos-ssd/configuration.nix
@ -40,6 +40,7 @@
        "{b9db16a4-6edc-47ec-a1f4-b86292ed211d}" = "video-downloadhelper";
        "{1526fba1-ac33-4dfc-99d8-163e6129f7b9}" = "reveye-ris";
        "shinigamieyes@shinigamieyes" = "shinigami-eyes";
+        "{6787c9e3-c787-4e21-9449-92e301642b34}" = "proxyswitcheroo";
      };
    };
    spotify.enable = true;
--- a/specific/grimm-nixos-ssd/filesystems.nix
+++ b/specific/grimm-nixos-ssd/filesystems.nix
@ -48,7 +48,7 @@ in
      "rw"
      "relatime"
      "mode=1777"
-      "noexec"
+    #  "noexec"
      "nosuid"
      "nodev"
    ];
@ -97,6 +97,16 @@ in
    ];
  };

+  fileSystems."/etc/NetworkManager/vpn-certs" = {
+    device = "${persist}/etc/NetworkManager/vpn-certs";
+    options = [
+      "bind"
+      "noexec"
+      "nosuid"
+      "nodev"
+    ];
+  };
+
  fileSystems."/nix" = {
    device = "zpool/nix";
    fsType = "zfs";
--- a/users.nix
+++ b/users.nix
@ -29,6 +29,7 @@
      "gamemode"
      "systemd-journal"
      "i2c"
+      "adbusers"
    ]; # only add to groups that actually exist on this system

    #    syncPaths = [