aa-alias-manager flake dependency
This commit is contained in:
parent
cf90fea47a
commit
c18468c958
10 changed files with 189 additions and 114 deletions
|
@ -27,19 +27,20 @@ in
|
|||
];
|
||||
|
||||
services.udev.packages = with pkgs; [ yubikey-personalization ];
|
||||
boot.bcache.enable = false;
|
||||
|
||||
hardware.i2c.enable = true;
|
||||
# hardware.i2c.enable = true;
|
||||
services.libinput.enable = true;
|
||||
hardware.opentabletdriver.enable = true;
|
||||
services.udisks2.enable = true;
|
||||
|
||||
services.udev.extraRules = ''
|
||||
SUBSYSTEM=="i2c-dev", ACTION=="add",\
|
||||
ATTR{name}=="NVIDIA i2c adapter*",\
|
||||
TAG+="ddcci",\
|
||||
TAG+="systemd",\
|
||||
ENV{SYSTEMD_WANTS}+="ddcci@$kernel.service"
|
||||
'';
|
||||
#services.udev.extraRules = ''
|
||||
# SUBSYSTEM=="i2c-dev", ACTION=="add",\
|
||||
# ATTR{name}=="NVIDIA i2c adapter*",\
|
||||
# TAG+="ddcci",\
|
||||
# TAG+="systemd",\
|
||||
# ENV{SYSTEMD_WANTS}+="ddcci@$kernel.service"
|
||||
#'';
|
||||
|
||||
systemd.services."ddcci@" = {
|
||||
scriptArgs = "%i";
|
||||
|
|
|
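Review bot: The `systemd.services."ddcci@"` template at the bottom of the hunk (its body continues past the hunk) is only ever pulled in by the udev rule's `ENV{SYSTEMD_WANTS}+="ddcci@$kernel.service"`, so if the commented-out copies of that rule and of `hardware.i2c.enable` are the new side (this page shows no +/- markers, so I am going by print order) the unit is left as unreachable dead configuration. Commenting out `hardware.i2c.enable` also, as I recall the NixOS option, drops the udev rule that grants the `i2c` group read/write on `/dev/i2c-*`, which is a real least-privilege change and deserves to be stated rather than implied. A one-line comment above the commented block would keep both facts visible, e.g. `# DDC/CI disabled: this also removes i2c-dev access for the i2c group; ddcci@ below is unused until the udev rule is restored`.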
@ -1,30 +0,0 @@
|
|||
{ lib, rustPlatform, fetchFromGitHub, makeWrapper, nix }:
|
||||
rustPlatform.buildRustPackage {
|
||||
pname = "aa-alias-manager";
|
||||
version = "unstable-2024-10-25";
|
||||
src = fetchFromGitHub {
|
||||
owner = "LordGrimmauld";
|
||||
repo = "aa-alias-manager";
|
||||
rev = "23a0bb9ac822c80aefba4211b426d0550769f87a";
|
||||
hash = "sha256-yo+EaXZgc3BNYgoQZ/ixrJj6mllwn2YYdCtxS7T4khc=";
|
||||
};
|
||||
|
||||
cargoHash = "sha256-nKAUOITYZJx9fte6qH6t9FbofTK8alhLb4A5YqRq3eA=";
|
||||
|
||||
nativeBuildInputs = [ makeWrapper ];
|
||||
buildInputs = [ nix ];
|
||||
|
||||
postInstall = ''
|
||||
wrapProgram $out/bin/aa-alias-manager \
|
||||
--suffix PATH : "${nix}/bin/"
|
||||
'';
|
||||
|
||||
meta = {
|
||||
description = "Tool to generate a file of aliases for apparmor based on current nixos generation";
|
||||
homepage = "https://github.com/LordGrimmauld/aa-alias-manager";
|
||||
license = lib.licenses.gpl3Only;
|
||||
mainProgram = "aa-alias-manager";
|
||||
maintainers = with lib.maintainers; [ grimmauld ];
|
||||
platforms = lib.platforms.linux;
|
||||
};
|
||||
}
|
|
@ -1,37 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (lib) getExe mkIf;
|
||||
aa-alias-manager = pkgs.callPackage ./aa-alias-manager-package.nix { };
|
||||
alias_dir = "/run/aliases.d";
|
||||
in
|
||||
{
|
||||
config = mkIf config.security.apparmor.enable {
|
||||
security.apparmor.includes."tunables/alias.d/store" = ''
|
||||
include if exists "${alias_dir}"
|
||||
'';
|
||||
|
||||
systemd.services.aa-alias-setup = {
|
||||
after = [ "local-fs.target" ];
|
||||
before = [ "apparmor.service" ];
|
||||
requiredBy = [ "apparmor.service" ];
|
||||
|
||||
path = [ config.nix.package ]; # respect the users choice to use alternative nix implementations
|
||||
|
||||
unitConfig = {
|
||||
Description = "Initialize alias rules required for AppArmor policies";
|
||||
DefaultDependencies = "no";
|
||||
ConditionSecurity = "apparmor";
|
||||
};
|
||||
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
ExecStart = "${getExe aa-alias-manager} -o ${alias_dir} -p ${./aa-alias-patterns.json}";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,16 +0,0 @@
|
|||
[
|
||||
{
|
||||
"name": "bin",
|
||||
"target": "/bin",
|
||||
"pattern": [
|
||||
"bin",
|
||||
"libexec",
|
||||
"sbin",
|
||||
"usr/bin",
|
||||
"usr/sbin"
|
||||
],
|
||||
"individual": true,
|
||||
"only_exe": true,
|
||||
"disallowed_strings": [ "!" ]
|
||||
}
|
||||
]
|
|
@ -35,7 +35,7 @@ index a887d4b9..606b4643 100644
|
|||
Preamble: Rules{
|
||||
&Variable{Name: "arch", Values: []string{"x86_64", "amd64", "i386"}, Define: true},
|
||||
- &Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true},
|
||||
+ &Variable{Name: "bin", Values: []string{"/{nix/store/*/,}{,usr/}{,s}bin"}, Define: true},
|
||||
+ &Variable{Name: "bin", Values: []string{"/bin"}, Define: true},
|
||||
&Variable{Name: "c", Values: []string{"[0-9a-zA-Z]"}, Define: true},
|
||||
&Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true},
|
||||
&Variable{Name: "HOME", Values: []string{"/home/*"}, Define: true},
|
||||
|
|
|
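Review bot: Narrowing `@{bin}` from `/{nix/store/*/,}{,usr/}{,s}bin` to `/bin` is the right direction, because the old glob let every `@{bin}/foo` rule match `bin/foo` in any store path, which on NixOS is close to "any executable on the system"; but the new value only works if the alias rules generated by aa-alias-manager (`/bin/<exe> -> /nix/store/...`) are loaded together with the profiles, and a missing or empty alias set makes `@{bin}/grep` silently match nothing instead of failing to load. That dependency is invisible in the patch itself and will be the first thing a future rebase of aa_mod.patch "fixes" back. Record it next to the variable, e.g. `// NixOS: @{bin} stays /bin on purpose; store paths are reached only through alias rules generated by aa-alias-manager (tunables/alias.d)`. The Go struct literal being patched starts and ends outside the hunk.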
@ -9,7 +9,7 @@ let
|
|||
inherit (lib) mkIf getExe' getExe;
|
||||
in
|
||||
{
|
||||
imports = [ ./apparmor-d-module.nix ./aa-alias-module.nix ];
|
||||
imports = [ ./apparmor-d-module.nix ]; # ./aa-alias-module.nix ];
|
||||
|
||||
config = mkIf (enable && tooling.enable) {
|
||||
services.dbus.apparmor = "enabled";
|
||||
|
@ -18,6 +18,12 @@ in
|
|||
security.apparmor.enable = true;
|
||||
# security.apparmor.enableCache = true;
|
||||
|
||||
security.apparmor.includes."tunables/alias.d/programs" = ''
|
||||
alias /bin/spotify -> ${pkgs.spotify}/share/spotify/spotify,
|
||||
'';
|
||||
|
||||
security.audit.backlogLimit = 512;
|
||||
|
||||
security.apparmor_d = {
|
||||
enable = true;
|
||||
profiles = {
|
||||
|
@ -76,6 +82,10 @@ in
|
|||
'';
|
||||
|
||||
"local/xdg-mime" = ''
|
||||
# include <abstractions/app/bus>
|
||||
/bin/grep rix,
|
||||
/bin/gawk rix,
|
||||
# /bin/dbus-send Cx -> bus,
|
||||
/dev/tty* rw,
|
||||
'';
|
||||
|
||||
|
@ -101,6 +111,10 @@ in
|
|||
capability sys_ptrace,
|
||||
'';
|
||||
|
||||
"local/xdg-open" = ''
|
||||
@{bin}/grep rix,
|
||||
'';
|
||||
|
||||
"local/child-open" = ''
|
||||
include <abstractions/app/bus>
|
||||
@{bin}/grep ix,
|
||||
|
@ -127,6 +141,10 @@ in
|
|||
/run/wrappers/wrappers.*/unix_chkpwd rix,
|
||||
@{bin}/unix_chkpwd rix,
|
||||
'';
|
||||
|
||||
# "local/spotify" = ''
|
||||
# @{bin}/
|
||||
# '';
|
||||
};
|
||||
|
||||
security.apparmor.policies = {
|
||||
|
@ -197,6 +215,18 @@ in
|
|||
#} '';
|
||||
# };
|
||||
|
||||
|
||||
sleep = {
|
||||
state = "enforce";
|
||||
profile = ''
|
||||
abi <abi/4.0>,
|
||||
include <tunables/global>
|
||||
profile sleep ${getExe' pkgs.coreutils-full "sleep"} {
|
||||
include <abstractions/base>
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
osu-lazer = {
|
||||
state = "enforce";
|
||||
# enable = true;
|
||||
|
|
|
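Review bot: `/dev/tty* rw,` in the new `local/xdg-mime` snippet is broader than a MIME lookup helper should need: it matches every console and serial device (`/dev/tty0`…, `/dev/ttyS*`, `/dev/ttyUSB*`), not just the process's own terminal, and `rw` on those is a meaningful grant for a program that only has to classify files. If the intent is access to the controlling terminal, `/dev/tty rw,` (plus `/dev/pts/* rw,` only if it is actually run under a pty) is the tighter rule, and the reason should be noted on the line. The same snippet spells binaries as `/bin/grep rix,` and `/bin/gawk rix,` while `local/xdg-open`, `local/child-open` and the rest of the file use `@{bin}/...`; with `@{bin}` now set to `/bin` they are equivalent today, but keeping the tunable form means these rules survive a later change to `@{bin}`.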
@ -23,7 +23,7 @@ in
|
|||
./lsp.nix
|
||||
./helix.nix
|
||||
./git.nix
|
||||
./wine.nix
|
||||
# ./wine.nix
|
||||
./c.nix
|
||||
./java.nix
|
||||
./opensnitch
|
||||
|
|
158
flake.lock
158
flake.lock
|
@ -1,8 +1,30 @@
|
|||
{
|
||||
"nodes": {
|
||||
"aa-alias-manager": {
|
||||
"inputs": {
|
||||
"nix-github-actions": "nix-github-actions",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"pre-commit-hooks": "pre-commit-hooks"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1730472722,
|
||||
"narHash": "sha256-/ut+TH7jZwgZEREMOZp/Wx7zXl6hgBJGGxQHU0KO6yY=",
|
||||
"owner": "LordGrimmauld",
|
||||
"repo": "aa-alias-manager",
|
||||
"rev": "f2ef05f2af456e247d2b37a0b3bf09edbe1788a9",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "LordGrimmauld",
|
||||
"repo": "aa-alias-manager",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"aagl-gtk-on-nix": {
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat",
|
||||
"flake-compat": "flake-compat_2",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
|
@ -70,11 +92,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1729599319,
|
||||
"narHash": "sha256-e/4JPcIRte5zkwqmGFrFo3763e0iHURX6N0apz4jbI0=",
|
||||
"lastModified": 1730390431,
|
||||
"narHash": "sha256-M+rMhDB69Y35IlhmAMN4ErDige+wKPwhb6HDqpF14Rw=",
|
||||
"owner": "chaotic-cx",
|
||||
"repo": "nyx",
|
||||
"rev": "1b86b304c8eb1437d9337a760e7f930826fc4d6d",
|
||||
"rev": "40388a7427ee32af175c5169ae7587ffd2dec125",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -138,6 +160,22 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-compat_3": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1696426674,
|
||||
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-schemas": {
|
||||
"locked": {
|
||||
"lastModified": 1721999734,
|
||||
|
@ -152,6 +190,28 @@
|
|||
"url": "https://flakehub.com/f/DeterminateSystems/flake-schemas/%3D0.1.5.tar.gz"
|
||||
}
|
||||
},
|
||||
"gitignore": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"aa-alias-manager",
|
||||
"pre-commit-hooks",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1709087332,
|
||||
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "gitignore.nix",
|
||||
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "hercules-ci",
|
||||
"repo": "gitignore.nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"home-manager": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
|
@ -181,11 +241,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1729414726,
|
||||
"narHash": "sha256-Dtmm1OU8Ymiy9hVWn/a2B8DhRYo9Eoyx9veERdOBR4o=",
|
||||
"lastModified": 1730016908,
|
||||
"narHash": "sha256-bFCxJco7d8IgmjfNExNz9knP8wvwbXU4s/d53KOK6U0=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "fe56302339bb28e3471632379d733547caec8103",
|
||||
"rev": "e83414058edd339148dc142a8437edb9450574c8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -196,18 +256,18 @@
|
|||
},
|
||||
"jovian": {
|
||||
"inputs": {
|
||||
"nix-github-actions": "nix-github-actions",
|
||||
"nix-github-actions": "nix-github-actions_2",
|
||||
"nixpkgs": [
|
||||
"chaotic",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1729177642,
|
||||
"narHash": "sha256-DdKal+ZhB9QD/tnEwFg4cZ4j4YnrkvSljBxnyG+3eE0=",
|
||||
"lastModified": 1730248099,
|
||||
"narHash": "sha256-Fl7BSdpLk0uTXF6ol/MR0q1EB4XQ8tn0ftig0pyYh5Y=",
|
||||
"owner": "Jovian-Experiments",
|
||||
"repo": "Jovian-NixOS",
|
||||
"rev": "bb69165ff372ddbd3228a03513922acd783040e8",
|
||||
"rev": "c11bab124fc55a37cbd854ed28ea121ed609231f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -217,6 +277,27 @@
|
|||
}
|
||||
},
|
||||
"nix-github-actions": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"aa-alias-manager",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1729742964,
|
||||
"narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nix-github-actions",
|
||||
"rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"repo": "nix-github-actions",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nix-github-actions_2": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"chaotic",
|
||||
|
@ -225,11 +306,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1690328911,
|
||||
"narHash": "sha256-fxtExYk+aGf2YbjeWQ8JY9/n9dwuEt+ma1eUFzF8Jeo=",
|
||||
"lastModified": 1729697500,
|
||||
"narHash": "sha256-VFTWrbzDlZyFHHb1AlKRiD/qqCJIripXKiCSFS8fAOY=",
|
||||
"owner": "zhaofengli",
|
||||
"repo": "nix-github-actions",
|
||||
"rev": "96df4a39c52f53cb7098b923224d8ce941b64747",
|
||||
"rev": "e418aeb728b6aa5ca8c5c71974e7159c2df1d8cf",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -242,7 +323,7 @@
|
|||
"nixos-mailserver": {
|
||||
"inputs": {
|
||||
"blobs": "blobs",
|
||||
"flake-compat": "flake-compat_2",
|
||||
"flake-compat": "flake-compat_3",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
|
@ -285,11 +366,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1729413321,
|
||||
"narHash": "sha256-I4tuhRpZFa6Fu6dcH9Dlo5LlH17peT79vx1y1SpeKt0=",
|
||||
"lastModified": 1730200266,
|
||||
"narHash": "sha256-l253w0XMT8nWHGXuXqyiIC/bMvh1VRszGXgdpQlfhvU=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "1997e4aa514312c1af7e2bda7fad1644e778ff26",
|
||||
"rev": "807e9154dcb16384b1b765ebe9cd2bba2ac287fd",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -314,8 +395,49 @@
|
|||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1720386169,
|
||||
"narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "194846768975b7ad2c4988bdb82572c00222c0d7",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-24.05",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"pre-commit-hooks": {
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat",
|
||||
"gitignore": "gitignore",
|
||||
"nixpkgs": [
|
||||
"aa-alias-manager",
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-stable": "nixpkgs-stable"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1730302582,
|
||||
"narHash": "sha256-W1MIJpADXQCgosJZT8qBYLRuZls2KSiKdpnTVdKBuvU=",
|
||||
"owner": "cachix",
|
||||
"repo": "git-hooks.nix",
|
||||
"rev": "af8a16fe5c264f5e9e18bcee2859b40a656876cf",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "cachix",
|
||||
"repo": "git-hooks.nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"aa-alias-manager": "aa-alias-manager",
|
||||
"aagl-gtk-on-nix": "aagl-gtk-on-nix",
|
||||
"agenix": "agenix",
|
||||
"chaotic": "chaotic",
|
||||
|
|
|
@ -28,9 +28,13 @@
|
|||
url = "github:ezKEa/aagl-gtk-on-nix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
aa-alias-manager = {
|
||||
url = "github:LordGrimmauld/aa-alias-manager";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
};
|
||||
|
||||
outputs = inputs @ { self, agenix, nixpkgs, chaotic, aagl-gtk-on-nix, nixos-mailserver, nixos-matrix-modules, ... }:
|
||||
outputs = inputs @ { self, agenix, nixpkgs, chaotic, aagl-gtk-on-nix, nixos-mailserver, nixos-matrix-modules, aa-alias-manager, ... }:
|
||||
let
|
||||
patches = [
|
||||
./aa_mod.patch
|
||||
|
@ -69,6 +73,7 @@
|
|||
chaotic.nixosModules.default
|
||||
aagl-gtk-on-nix.nixosModules.default
|
||||
./configuration.nix
|
||||
aa-alias-manager.nixosModules.default
|
||||
|
||||
./specific/grimm-nixos-ssd/configuration.nix
|
||||
];
|
||||
|
|
|
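Review bot: The new `aa-alias-manager` input is written as bare `github:LordGrimmauld/aa-alias-manager` with no ref or rev, whereas the in-tree derivation this commit deletes pinned `rev = "23a0bb9ac822c80aefba4211b426d0550769f87a"` plus a source hash; the pin now exists only in flake.lock, so any `nix flake update` silently follows the upstream default branch. Because this module generates the alias rules that every `@{bin}/...` AppArmor rule now resolves through and runs as root before `apparmor.service`, it is a security-critical supply-chain dependency, so consider pinning the URL to the rev the lock already records, `url = "github:LordGrimmauld/aa-alias-manager/f2ef05f2af456e247d2b37a0b3bf09edbe1788a9";`, or at least a comment stating that updates to this input must be reviewed rather than bulk-updated. The deleted local module also put `config.nix.package` on the service's PATH so the generator used the configured nix implementation; whether the upstream NixOS module does the same is not visible here and is worth confirming before relying on it.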
@ -24,7 +24,7 @@
|
|||
boot.supportedFilesystems.zfs = true;
|
||||
networking.hostId = "40fa5ea8";
|
||||
# boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
|
||||
boot.kernelPackages = pkgs.linuxPackages_6_10;
|
||||
boot.kernelPackages = pkgs.linuxPackages_6_6;
|
||||
boot.extraModulePackages = [ ];
|
||||
boot.kernelParams = [ "mds=full,nosmt" ];
|
||||
services.homed.enable = true;
|
||||
|
|