diff --git a/common/hardware/laptop.nix b/common/hardware/laptop.nix index c457128..d702554 100644 --- a/common/hardware/laptop.nix +++ b/common/hardware/laptop.nix @@ -27,19 +27,20 @@ in ]; services.udev.packages = with pkgs; [ yubikey-personalization ]; + boot.bcache.enable = false; - hardware.i2c.enable = true; + # hardware.i2c.enable = true; services.libinput.enable = true; hardware.opentabletdriver.enable = true; services.udisks2.enable = true; - services.udev.extraRules = '' - SUBSYSTEM=="i2c-dev", ACTION=="add",\ - ATTR{name}=="NVIDIA i2c adapter*",\ - TAG+="ddcci",\ - TAG+="systemd",\ - ENV{SYSTEMD_WANTS}+="ddcci@$kernel.service" - ''; + #services.udev.extraRules = '' + # SUBSYSTEM=="i2c-dev", ACTION=="add",\ + # ATTR{name}=="NVIDIA i2c adapter*",\ + # TAG+="ddcci",\ + # TAG+="systemd",\ + # ENV{SYSTEMD_WANTS}+="ddcci@$kernel.service" + #''; systemd.services."ddcci@" = { scriptArgs = "%i"; diff --git a/common/tooling/apparmor/aa-alias-manager-package.nix b/common/tooling/apparmor/aa-alias-manager-package.nix deleted file mode 100644 index 75e4c68..0000000 --- a/common/tooling/apparmor/aa-alias-manager-package.nix +++ /dev/null 
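Review bot: After this hunk `systemd.services."ddcci@"` is still declared (its body continues past the end of the hunk) while the only thing that instantiated it, the `ENV{SYSTEMD_WANTS}+="ddcci@$kernel.service"` udev rule, is commented out together with `hardware.i2c.enable`, so the template unit is now dead configuration. Either drop the unit in the same change or gate the rule, the i2c option and the unit behind one `mkIf` on a shared option, so they cannot drift apart again. Commenting code out rather than deleting it also leaves a second copy of the rule to keep in sync; git history already preserves it. `boot.bcache.enable = false;` lands here with no rationale and is unrelated to the ddcci change — a one-liner such as `# bcache disabled: not used on this machine, avoids loading the module` would tell the next reader why.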
@@ -1,30 +0,0 @@ -{ lib, rustPlatform, fetchFromGitHub, makeWrapper, nix }: -rustPlatform.buildRustPackage { - pname = "aa-alias-manager"; - version = "unstable-2024-10-25"; - src = fetchFromGitHub { - owner = "LordGrimmauld"; - repo = "aa-alias-manager"; - rev = "23a0bb9ac822c80aefba4211b426d0550769f87a"; - hash = "sha256-yo+EaXZgc3BNYgoQZ/ixrJj6mllwn2YYdCtxS7T4khc="; - }; - - cargoHash = "sha256-nKAUOITYZJx9fte6qH6t9FbofTK8alhLb4A5YqRq3eA="; - - nativeBuildInputs = [ makeWrapper ]; - buildInputs = [ nix ]; - - postInstall = '' - wrapProgram $out/bin/aa-alias-manager \ - --suffix PATH : "${nix}/bin/" - ''; - - meta = { - description = "Tool to generate a file of aliases for apparmor based on current nixos generation"; - homepage = "https://github.com/LordGrimmauld/aa-alias-manager"; - license = lib.licenses.gpl3Only; - mainProgram = "aa-alias-manager"; - maintainers = with lib.maintainers; [ grimmauld ]; - platforms = lib.platforms.linux; - }; -} diff --git a/common/tooling/apparmor/aa-alias-module.nix b/common/tooling/apparmor/aa-alias-module.nix deleted file mode 100644 index 32cf1a6..0000000 --- a/common/tooling/apparmor/aa-alias-module.nix +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -let - inherit (lib) getExe mkIf; - aa-alias-manager = pkgs.callPackage ./aa-alias-manager-package.nix { }; - alias_dir = "/run/aliases.d"; -in -{ - config = mkIf config.security.apparmor.enable { - security.apparmor.includes."tunables/alias.d/store" = '' - include if exists "${alias_dir}" - ''; - - systemd.services.aa-alias-setup = { - after = [ "local-fs.target" ]; - before = [ "apparmor.service" ]; - requiredBy = [ "apparmor.service" ]; - - path = [ config.nix.package ]; # respect the users choice to use alternative nix implementations - - unitConfig = { - Description = "Initialize alias rules required for AppArmor policies"; - DefaultDependencies = "no"; - ConditionSecurity = "apparmor"; - }; - - serviceConfig = { - Type = "oneshot"; - ExecStart = "${getExe aa-alias-manager} -o ${alias_dir} -p ${./aa-alias-patterns.json}"; - }; - }; - }; -} diff --git a/common/tooling/apparmor/aa-alias-patterns.json b/common/tooling/apparmor/aa-alias-patterns.json deleted file mode 100644 index dc2f277..0000000 --- a/common/tooling/apparmor/aa-alias-patterns.json +++ /dev/null @@ -1,16 +0,0 @@ -[ - { - "name": "bin", - "target": "/bin", - "pattern": [ - "bin", - "libexec", - "sbin", - "usr/bin", - "usr/sbin" - ], - "individual": true, - "only_exe": true, - "disallowed_strings": [ "!" ] - } -] diff --git a/common/tooling/apparmor/apparmor-d-prebuild.patch b/common/tooling/apparmor/apparmor-d-prebuild.patch index 4629733..7fcff4d 100644 --- a/common/tooling/apparmor/apparmor-d-prebuild.patch +++ b/common/tooling/apparmor/apparmor-d-prebuild.patch 
@@ -35,7 +35,7 @@ index a887d4b9..606b4643 100644 Preamble: Rules{ &Variable{Name: "arch", Values: []string{"x86_64", "amd64", "i386"}, Define: true}, - &Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true}, -+ &Variable{Name: "bin", Values: []string{"/{nix/store/*/,}{,usr/}{,s}bin"}, Define: true}, ++ &Variable{Name: "bin", Values: []string{"/bin"}, Define: true}, &Variable{Name: "c", Values: []string{"[0-9a-zA-Z]"}, Define: true}, &Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true}, &Variable{Name: "HOME", Values: []string{"/home/*"}, Define: true}, diff --git a/common/tooling/apparmor/default.nix b/common/tooling/apparmor/default.nix index fa04521..19bccc7 100644 --- a/common/tooling/apparmor/default.nix +++ b/common/tooling/apparmor/default.nix @@ -9,7 +9,7 @@ let inherit (lib) mkIf getExe' getExe; in { - imports = [ ./apparmor-d-module.nix ./aa-alias-module.nix ]; + imports = [ ./apparmor-d-module.nix ]; # ./aa-alias-module.nix ]; config = mkIf (enable && tooling.enable) { services.dbus.apparmor = "enabled"; @@ -18,6 +18,12 @@ in security.apparmor.enable = true; # security.apparmor.enableCache = true; + security.apparmor.includes."tunables/alias.d/programs" = '' + alias /bin/spotify -> ${pkgs.spotify}/share/spotify/spotify, + ''; + + security.audit.backlogLimit = 512; + security.apparmor_d = { enable = true; profiles = { @@ -76,6 +82,10 @@ in ''; "local/xdg-mime" = '' +# include + /bin/grep rix, + /bin/gawk rix, +# /bin/dbus-send Cx -> bus, /dev/tty* rw, ''; @@ -101,6 +111,10 @@ in capability sys_ptrace, ''; + "local/xdg-open" = '' + @{bin}/grep rix, + ''; + "local/child-open" = '' include @{bin}/grep ix, @@ -127,6 +141,10 @@ in /run/wrappers/wrappers.*/unix_chkpwd rix, @{bin}/unix_chkpwd rix, ''; + +# "local/spotify" = '' +# @{bin}/ +# ''; }; security.apparmor.policies = { 
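Review bot: Narrowing `@{bin}` from `/{nix/store/*/,}{,usr/}{,s}bin` to the single path `/bin` means every upstream apparmor.d rule written as `@{bin}/foo` now matches only if an `alias /bin/foo -> /nix/store/...` rule exists at parse time; nothing in the patched line says where those aliases come from, and this commit deletes the in-tree pattern file that covered `bin`, `sbin`, `libexec`, `usr/bin` and `usr/sbin`. That dependency should be stated next to the variable so the patch is not reapplied in isolation, e.g. `// NixOS: /bin is only reachable through AppArmor alias rules generated at boot; store paths are not matched directly.` If the replacement generator ever covers fewer directories than the deleted pattern file did, affected profiles will silently lose their exec permissions rather than fail loudly, so a note that `/usr/bin` and `/sbin` are intentionally no longer part of `@{bin}` would also help. The surrounding `Rules{...}` literal starts and ends outside the hunk.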
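Review bot: `security.audit.backlogLimit = 512;` only takes effect when the NixOS audit module is actually enabled, and `security.audit.enable` is not set anywhere in this hunk; unless it is set elsewhere in the tree the line is inert and reads as if auditing were configured. Either enable it here or note the precondition: `security.audit.backlogLimit = 512; # only applied when security.audit.enable is on (set in <file>)`. The hand-written `alias /bin/spotify -> ${pkgs.spotify}/share/spotify/spotify,` in `tunables/alias.d/programs` is not consumed by any profile in this diff (the `local/spotify` block added further down is commented out), so it currently has no effect; if it is meant to be picked up by an upstream `spotify` profile, say so, and keep in mind that the target is a fixed store path that must be kept in step with the package, unlike the generated aliases.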
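Review bot: The two new rules in `local/xdg-mime` spell the path literally as `/bin/grep rix,` and `/bin/gawk rix,`, while the sibling `local/xdg-open` and `local/child-open` fragments in this same file use `@{bin}/grep`; with `@{bin}` patched to `/bin` they match the same files today, but the literal form will silently stop matching if the tunable is ever changed back to the multi-directory upstream value. Prefer `@{bin}/grep rix,` and `@{bin}/gawk rix,` for consistency. The commented `# include` and `# /bin/dbus-send Cx -> bus,` lines look like leftovers from debugging; if the dbus child profile is meant to be revisited, a `# TODO:` with the reason is clearer than a bare commented rule, otherwise drop them.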
@@ -197,6 +215,18 @@ in #} ''; # }; + + sleep = { + state = "enforce"; + profile = '' + abi , + include + profile sleep ${getExe' pkgs.coreutils-full "sleep"} { + include + } + ''; + }; + osu-lazer = { state = "enforce"; # enable = true; diff --git a/common/tooling/default.nix b/common/tooling/default.nix index 36368b6..a2e5708 100644 --- a/common/tooling/default.nix +++ b/common/tooling/default.nix @@ -23,7 +23,7 @@ in ./lsp.nix ./helix.nix ./git.nix - ./wine.nix +# ./wine.nix ./c.nix ./java.nix ./opensnitch diff --git a/flake.lock b/flake.lock index a2138d2..f3520a4 100644 --- a/flake.lock +++ b/flake.lock @@ -1,8 +1,30 @@ { "nodes": { + "aa-alias-manager": { + "inputs": { + "nix-github-actions": "nix-github-actions", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks": "pre-commit-hooks" + }, + "locked": { + "lastModified": 1730472722, + "narHash": "sha256-/ut+TH7jZwgZEREMOZp/Wx7zXl6hgBJGGxQHU0KO6yY=", + "owner": "LordGrimmauld", + "repo": "aa-alias-manager", + "rev": "f2ef05f2af456e247d2b37a0b3bf09edbe1788a9", + "type": "github" + }, + "original": { + "owner": "LordGrimmauld", + "repo": "aa-alias-manager", + "type": "github" + } + }, "aagl-gtk-on-nix": { "inputs": { - "flake-compat": "flake-compat", + "flake-compat": "flake-compat_2", "nixpkgs": [ "nixpkgs" ] @@ -70,11 +92,11 @@ ] }, "locked": { - "lastModified": 1729599319, - "narHash": "sha256-e/4JPcIRte5zkwqmGFrFo3763e0iHURX6N0apz4jbI0=", + "lastModified": 1730390431, + "narHash": "sha256-M+rMhDB69Y35IlhmAMN4ErDige+wKPwhb6HDqpF14Rw=", "owner": "chaotic-cx", "repo": "nyx", - "rev": "1b86b304c8eb1437d9337a760e7f930826fc4d6d", + "rev": "40388a7427ee32af175c5169ae7587ffd2dec125", "type": "github" }, "original": { 
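Review bot: In the new `sleep` policy the `abi ,` line and both `include` lines carry no target in this listing; if the angle-bracketed paths (`abi <abi/3.0>,`, `include <tunables/global>`, `include <abstractions/base>` or whatever is intended) are really missing from the file rather than stripped by rendering, `apparmor_parser` will reject the profile and, since `state = "enforce"`, break the AppArmor policy load for the whole host — worth checking the file on disk. The profile body grants nothing beyond that include, so in enforce mode `sleep` is deliberately near-empty; a short comment such as `# minimal profile: sleep needs nothing beyond the base abstraction` would make that intent explicit. It also attaches only to the `coreutils-full` store path named via `getExe'`; a `sleep` from any other coreutils derivation on the system would run unconfined, which may or may not be what you want.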
@@ -138,6 +160,22 @@ "type": "github" } }, + "flake-compat_3": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-schemas": { "locked": { "lastModified": 1721999734, @@ -152,6 +190,28 @@ "url": "https://flakehub.com/f/DeterminateSystems/flake-schemas/%3D0.1.5.tar.gz" } }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "aa-alias-manager", + "pre-commit-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -181,11 +241,11 @@ ] }, "locked": { - "lastModified": 1729414726, - "narHash": "sha256-Dtmm1OU8Ymiy9hVWn/a2B8DhRYo9Eoyx9veERdOBR4o=", + "lastModified": 1730016908, + "narHash": "sha256-bFCxJco7d8IgmjfNExNz9knP8wvwbXU4s/d53KOK6U0=", "owner": "nix-community", "repo": "home-manager", - "rev": "fe56302339bb28e3471632379d733547caec8103", + "rev": "e83414058edd339148dc142a8437edb9450574c8", "type": "github" }, "original": { 
@@ -196,18 +256,18 @@ }, "jovian": { "inputs": { - "nix-github-actions": "nix-github-actions", + "nix-github-actions": "nix-github-actions_2", "nixpkgs": [ "chaotic", "nixpkgs" ] }, "locked": { - "lastModified": 1729177642, - "narHash": "sha256-DdKal+ZhB9QD/tnEwFg4cZ4j4YnrkvSljBxnyG+3eE0=", + "lastModified": 1730248099, + "narHash": "sha256-Fl7BSdpLk0uTXF6ol/MR0q1EB4XQ8tn0ftig0pyYh5Y=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "bb69165ff372ddbd3228a03513922acd783040e8", + "rev": "c11bab124fc55a37cbd854ed28ea121ed609231f", "type": "github" }, "original": { @@ -217,6 +277,27 @@ } }, "nix-github-actions": { + "inputs": { + "nixpkgs": [ + "aa-alias-manager", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729742964, + "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, + "nix-github-actions_2": { "inputs": { "nixpkgs": [ "chaotic", @@ -225,11 +306,11 @@ ] }, "locked": { - "lastModified": 1690328911, - "narHash": "sha256-fxtExYk+aGf2YbjeWQ8JY9/n9dwuEt+ma1eUFzF8Jeo=", + "lastModified": 1729697500, + "narHash": "sha256-VFTWrbzDlZyFHHb1AlKRiD/qqCJIripXKiCSFS8fAOY=", "owner": "zhaofengli", "repo": "nix-github-actions", - "rev": "96df4a39c52f53cb7098b923224d8ce941b64747", + "rev": "e418aeb728b6aa5ca8c5c71974e7159c2df1d8cf", "type": "github" }, "original": { @@ -242,7 +323,7 @@ "nixos-mailserver": { "inputs": { "blobs": "blobs", - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat_3", "nixpkgs": [ "nixpkgs" ], 
@@ -285,11 +366,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1729413321, - "narHash": "sha256-I4tuhRpZFa6Fu6dcH9Dlo5LlH17peT79vx1y1SpeKt0=", + "lastModified": 1730200266, + "narHash": "sha256-l253w0XMT8nWHGXuXqyiIC/bMvh1VRszGXgdpQlfhvU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1997e4aa514312c1af7e2bda7fad1644e778ff26", + "rev": "807e9154dcb16384b1b765ebe9cd2bba2ac287fd", "type": "github" }, "original": { @@ -314,8 +395,49 @@ "type": "indirect" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1720386169, + "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "194846768975b7ad2c4988bdb82572c00222c0d7", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "pre-commit-hooks": { + "inputs": { + "flake-compat": "flake-compat", + "gitignore": "gitignore", + "nixpkgs": [ + "aa-alias-manager", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1730302582, + "narHash": "sha256-W1MIJpADXQCgosJZT8qBYLRuZls2KSiKdpnTVdKBuvU=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "af8a16fe5c264f5e9e18bcee2859b40a656876cf", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { + "aa-alias-manager": "aa-alias-manager", "aagl-gtk-on-nix": "aagl-gtk-on-nix", "agenix": "agenix", "chaotic": "chaotic", diff --git a/flake.nix b/flake.nix index c278ca7..556c053 100644 --- a/flake.nix +++ b/flake.nix 
@@ -28,9 +28,13 @@ url = "github:ezKEa/aagl-gtk-on-nix"; inputs.nixpkgs.follows = "nixpkgs"; }; + aa-alias-manager = { + url = "github:LordGrimmauld/aa-alias-manager"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; - outputs = inputs @ { self, agenix, nixpkgs, chaotic, aagl-gtk-on-nix, nixos-mailserver, nixos-matrix-modules, ... }: + outputs = inputs @ { self, agenix, nixpkgs, chaotic, aagl-gtk-on-nix, nixos-mailserver, nixos-matrix-modules, aa-alias-manager, ... }: let patches = [ ./aa_mod.patch @@ -69,6 +73,7 @@ chaotic.nixosModules.default aagl-gtk-on-nix.nixosModules.default ./configuration.nix + aa-alias-manager.nixosModules.default ./specific/grimm-nixos-ssd/configuration.nix ]; diff --git a/specific/grimm-nixos-ssd/hardware-configuration.nix b/specific/grimm-nixos-ssd/hardware-configuration.nix index b87b834..81c82cc 100644 --- a/specific/grimm-nixos-ssd/hardware-configuration.nix +++ b/specific/grimm-nixos-ssd/hardware-configuration.nix @@ -24,7 +24,7 @@ boot.supportedFilesystems.zfs = true; networking.hostId = "40fa5ea8"; # boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; - boot.kernelPackages = pkgs.linuxPackages_6_10; + boot.kernelPackages = pkgs.linuxPackages_6_6; boot.extraModulePackages = [ ]; boot.kernelParams = [ "mds=full,nosmt" ]; services.homed.enable = true;
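Review bot: `aa-alias-manager` is added as `github:LordGrimmauld/aa-alias-manager` with no `ref` or `rev` in the URL, and its NixOS module now replaces the in-tree module and pattern file deleted in this commit, i.e. it is the component that decides which store paths AppArmor's `/bin` aliases map to. flake.lock pins a revision for now, but every `nix flake update` will follow the default branch, so an upstream change to how aliases are generated becomes a policy change on this host without showing up in this repo's own code. Consider pinning the input (`url = "github:LordGrimmauld/aa-alias-manager?rev=...";` or a tag) or at least a comment above it: `# NOTE: generates AppArmor alias rules at boot; review diffs before bumping`. The `outputs` function and the module list continue outside these hunks.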