aa-alias-manager flake dependency

Grimmauld 2024-11-01 16:33:26 +01:00
parent cf90fea47a
commit c18468c958
Signed by: Grimmauld
GPG Key ID: C2946668769F91FB
10 changed files with 189 additions and 114 deletions


@ -27,19 +27,20 @@ in
]; ];
services.udev.packages = with pkgs; [ yubikey-personalization ]; services.udev.packages = with pkgs; [ yubikey-personalization ];
boot.bcache.enable = false;
hardware.i2c.enable = true; # hardware.i2c.enable = true;
services.libinput.enable = true; services.libinput.enable = true;
hardware.opentabletdriver.enable = true; hardware.opentabletdriver.enable = true;
services.udisks2.enable = true; services.udisks2.enable = true;
services.udev.extraRules = '' #services.udev.extraRules = ''
SUBSYSTEM=="i2c-dev", ACTION=="add",\ # SUBSYSTEM=="i2c-dev", ACTION=="add",\
ATTR{name}=="NVIDIA i2c adapter*",\ # ATTR{name}=="NVIDIA i2c adapter*",\
TAG+="ddcci",\ # TAG+="ddcci",\
TAG+="systemd",\ # TAG+="systemd",\
ENV{SYSTEMD_WANTS}+="ddcci@$kernel.service" # ENV{SYSTEMD_WANTS}+="ddcci@$kernel.service"
''; #'';
systemd.services."ddcci@" = { systemd.services."ddcci@" = {
scriptArgs = "%i"; scriptArgs = "%i";
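Review bot: The `hardware.i2c.enable` line and the whole `services.udev.extraRules` block are commented out rather than deleted, while the `systemd.services."ddcci@"` template that those rules instantiated through `ENV{SYSTEMD_WANTS}+="ddcci@$kernel.service"` is kept; nothing visible in this hunk triggers that unit any more, so either it should go too or a comment should record why it stays, e.g. `# ddcci@ kept for manual use; the udev trigger is disabled for now`. Git history already preserves the old rule text, so keeping it as commented-out code mostly adds noise. This hunk, together with what appears to be the added `boot.bcache.enable = false;`, is also unrelated to the aa-alias-manager change named in the commit title, which makes bisecting harder. The `systemd.services."ddcci@"` definition continues outside the hunk.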


@ -1,30 +0,0 @@
{ lib, rustPlatform, fetchFromGitHub, makeWrapper, nix }:
rustPlatform.buildRustPackage {
pname = "aa-alias-manager";
version = "unstable-2024-10-25";
src = fetchFromGitHub {
owner = "LordGrimmauld";
repo = "aa-alias-manager";
rev = "23a0bb9ac822c80aefba4211b426d0550769f87a";
hash = "sha256-yo+EaXZgc3BNYgoQZ/ixrJj6mllwn2YYdCtxS7T4khc=";
};
cargoHash = "sha256-nKAUOITYZJx9fte6qH6t9FbofTK8alhLb4A5YqRq3eA=";
nativeBuildInputs = [ makeWrapper ];
buildInputs = [ nix ];
postInstall = ''
wrapProgram $out/bin/aa-alias-manager \
--suffix PATH : "${nix}/bin/"
'';
meta = {
description = "Tool to generate a file of aliases for apparmor based on current nixos generation";
homepage = "https://github.com/LordGrimmauld/aa-alias-manager";
license = lib.licenses.gpl3Only;
mainProgram = "aa-alias-manager";
maintainers = with lib.maintainers; [ grimmauld ];
platforms = lib.platforms.linux;
};
}


@ -1,37 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) getExe mkIf;
aa-alias-manager = pkgs.callPackage ./aa-alias-manager-package.nix { };
alias_dir = "/run/aliases.d";
in
{
config = mkIf config.security.apparmor.enable {
security.apparmor.includes."tunables/alias.d/store" = ''
include if exists "${alias_dir}"
'';
systemd.services.aa-alias-setup = {
after = [ "local-fs.target" ];
before = [ "apparmor.service" ];
requiredBy = [ "apparmor.service" ];
path = [ config.nix.package ]; # respect the users choice to use alternative nix implementations
unitConfig = {
Description = "Initialize alias rules required for AppArmor policies";
DefaultDependencies = "no";
ConditionSecurity = "apparmor";
};
serviceConfig = {
Type = "oneshot";
ExecStart = "${getExe aa-alias-manager} -o ${alias_dir} -p ${./aa-alias-patterns.json}";
};
};
};
}


@ -1,16 +0,0 @@
[
{
"name": "bin",
"target": "/bin",
"pattern": [
"bin",
"libexec",
"sbin",
"usr/bin",
"usr/sbin"
],
"individual": true,
"only_exe": true,
"disallowed_strings": [ "!" ]
}
]


@ -35,7 +35,7 @@ index a887d4b9..606b4643 100644
Preamble: Rules{ Preamble: Rules{
&Variable{Name: "arch", Values: []string{"x86_64", "amd64", "i386"}, Define: true}, &Variable{Name: "arch", Values: []string{"x86_64", "amd64", "i386"}, Define: true},
- &Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true}, - &Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true},
+ &Variable{Name: "bin", Values: []string{"/{nix/store/*/,}{,usr/}{,s}bin"}, Define: true}, + &Variable{Name: "bin", Values: []string{"/bin"}, Define: true},
&Variable{Name: "c", Values: []string{"[0-9a-zA-Z]"}, Define: true}, &Variable{Name: "c", Values: []string{"[0-9a-zA-Z]"}, Define: true},
&Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true}, &Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true},
&Variable{Name: "HOME", Values: []string{"/home/*"}, Define: true}, &Variable{Name: "HOME", Values: []string{"/home/*"}, Define: true},
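Review bot: Narrowing the `bin` variable from `/{nix/store/*/,}{,usr/}{,s}bin` to `/bin` on the changed line means every `@{bin}/...` rule now matches only through the `alias /bin -> /nix/store/...` rules that aa-alias-manager generates into its alias directory, whereas the old glob matched the bin directory of any store path directly. That is the tighter outcome (a store binary without an alias is denied instead of allowed), but it makes the patched tooling depend on a service this same commit moves out of the repo, and it drops the `/usr/bin` and `/sbin` forms that the removed aa-alias-patterns.json had mapped onto `/bin`; whether the flake module's default patterns still cover those is not visible here and worth confirming. A comment next to `./aa_mod.patch` in flake.nix's `patches` list, e.g. `# narrows @{bin} to /bin; store binaries are reached via the aa-alias-manager alias rules`, would record that dependency where it is applied. The `Preamble: Rules{` literal this hunk edits starts and ends outside the hunk.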


@ -9,7 +9,7 @@ let
inherit (lib) mkIf getExe' getExe; inherit (lib) mkIf getExe' getExe;
in in
{ {
imports = [ ./apparmor-d-module.nix ./aa-alias-module.nix ]; imports = [ ./apparmor-d-module.nix ]; # ./aa-alias-module.nix ];
config = mkIf (enable && tooling.enable) { config = mkIf (enable && tooling.enable) {
services.dbus.apparmor = "enabled"; services.dbus.apparmor = "enabled";
@ -18,6 +18,12 @@ in
security.apparmor.enable = true; security.apparmor.enable = true;
# security.apparmor.enableCache = true; # security.apparmor.enableCache = true;
security.apparmor.includes."tunables/alias.d/programs" = ''
alias /bin/spotify -> ${pkgs.spotify}/share/spotify/spotify,
'';
security.audit.backlogLimit = 512;
security.apparmor_d = { security.apparmor_d = {
enable = true; enable = true;
profiles = { profiles = {
@ -76,6 +82,10 @@ in
''; '';
"local/xdg-mime" = '' "local/xdg-mime" = ''
# include <abstractions/app/bus>
/bin/grep rix,
/bin/gawk rix,
# /bin/dbus-send Cx -> bus,
/dev/tty* rw, /dev/tty* rw,
''; '';
@ -101,6 +111,10 @@ in
capability sys_ptrace, capability sys_ptrace,
''; '';
"local/xdg-open" = ''
@{bin}/grep rix,
'';
"local/child-open" = '' "local/child-open" = ''
include <abstractions/app/bus> include <abstractions/app/bus>
@{bin}/grep ix, @{bin}/grep ix,
@ -127,6 +141,10 @@ in
/run/wrappers/wrappers.*/unix_chkpwd rix, /run/wrappers/wrappers.*/unix_chkpwd rix,
@{bin}/unix_chkpwd rix, @{bin}/unix_chkpwd rix,
''; '';
# "local/spotify" = ''
# @{bin}/
# '';
}; };
security.apparmor.policies = { security.apparmor.policies = {
@ -197,6 +215,18 @@ in
#} ''; #} '';
# }; # };
sleep = {
state = "enforce";
profile = ''
abi <abi/4.0>,
include <tunables/global>
profile sleep ${getExe' pkgs.coreutils-full "sleep"} {
include <abstractions/base>
}
'';
};
osu-lazer = { osu-lazer = {
state = "enforce"; state = "enforce";
# enable = true; # enable = true;
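Review bot: The `imports` line keeps a commented-out `# ./aa-alias-module.nix ];` pointing at a file this commit deletes, so the comment is stale on arrival; drop it, or make it say what replaced it: `imports = [ ./apparmor-d-module.nix ]; # alias module now comes from inputs.aa-alias-manager.nixosModules.default`. The new `local/xdg-mime` lines spell `/bin/grep rix,` and `/bin/gawk rix,` literally while the new `local/xdg-open` and the existing `local/child-open` use `@{bin}/grep`; with `@{bin}` set to `/bin` by aa_mod.patch in the same commit they resolve identically today, but `@{bin}/grep rix,` and `@{bin}/gawk rix,` keep one point of change if the variable is widened again. The added `security.audit.backlogLimit = 512;` is unrelated to the AppArmor alias work and deserves a one-line reason, e.g. `# raise audit backlog so DENIED events are not dropped under load`, if that is the motivation. The `profiles` and `policies` attribute sets both extend beyond these hunks.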


@ -23,7 +23,7 @@ in
./lsp.nix ./lsp.nix
./helix.nix ./helix.nix
./git.nix ./git.nix
./wine.nix # ./wine.nix
./c.nix ./c.nix
./java.nix ./java.nix
./opensnitch ./opensnitch


@ -1,8 +1,30 @@
{ {
"nodes": { "nodes": {
"aa-alias-manager": {
"inputs": {
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks": "pre-commit-hooks"
},
"locked": {
"lastModified": 1730472722,
"narHash": "sha256-/ut+TH7jZwgZEREMOZp/Wx7zXl6hgBJGGxQHU0KO6yY=",
"owner": "LordGrimmauld",
"repo": "aa-alias-manager",
"rev": "f2ef05f2af456e247d2b37a0b3bf09edbe1788a9",
"type": "github"
},
"original": {
"owner": "LordGrimmauld",
"repo": "aa-alias-manager",
"type": "github"
}
},
"aagl-gtk-on-nix": { "aagl-gtk-on-nix": {
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat_2",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ]
@ -70,11 +92,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1729599319, "lastModified": 1730390431,
"narHash": "sha256-e/4JPcIRte5zkwqmGFrFo3763e0iHURX6N0apz4jbI0=", "narHash": "sha256-M+rMhDB69Y35IlhmAMN4ErDige+wKPwhb6HDqpF14Rw=",
"owner": "chaotic-cx", "owner": "chaotic-cx",
"repo": "nyx", "repo": "nyx",
"rev": "1b86b304c8eb1437d9337a760e7f930826fc4d6d", "rev": "40388a7427ee32af175c5169ae7587ffd2dec125",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -138,6 +160,22 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-schemas": { "flake-schemas": {
"locked": { "locked": {
"lastModified": 1721999734, "lastModified": 1721999734,
@ -152,6 +190,28 @@
"url": "https://flakehub.com/f/DeterminateSystems/flake-schemas/%3D0.1.5.tar.gz" "url": "https://flakehub.com/f/DeterminateSystems/flake-schemas/%3D0.1.5.tar.gz"
} }
}, },
"gitignore": {
"inputs": {
"nixpkgs": [
"aa-alias-manager",
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -181,11 +241,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1729414726, "lastModified": 1730016908,
"narHash": "sha256-Dtmm1OU8Ymiy9hVWn/a2B8DhRYo9Eoyx9veERdOBR4o=", "narHash": "sha256-bFCxJco7d8IgmjfNExNz9knP8wvwbXU4s/d53KOK6U0=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "fe56302339bb28e3471632379d733547caec8103", "rev": "e83414058edd339148dc142a8437edb9450574c8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -196,18 +256,18 @@
}, },
"jovian": { "jovian": {
"inputs": { "inputs": {
"nix-github-actions": "nix-github-actions", "nix-github-actions": "nix-github-actions_2",
"nixpkgs": [ "nixpkgs": [
"chaotic", "chaotic",
"nixpkgs" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1729177642, "lastModified": 1730248099,
"narHash": "sha256-DdKal+ZhB9QD/tnEwFg4cZ4j4YnrkvSljBxnyG+3eE0=", "narHash": "sha256-Fl7BSdpLk0uTXF6ol/MR0q1EB4XQ8tn0ftig0pyYh5Y=",
"owner": "Jovian-Experiments", "owner": "Jovian-Experiments",
"repo": "Jovian-NixOS", "repo": "Jovian-NixOS",
"rev": "bb69165ff372ddbd3228a03513922acd783040e8", "rev": "c11bab124fc55a37cbd854ed28ea121ed609231f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -217,6 +277,27 @@
} }
}, },
"nix-github-actions": { "nix-github-actions": {
"inputs": {
"nixpkgs": [
"aa-alias-manager",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729742964,
"narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nix-github-actions_2": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"chaotic", "chaotic",
@ -225,11 +306,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1690328911, "lastModified": 1729697500,
"narHash": "sha256-fxtExYk+aGf2YbjeWQ8JY9/n9dwuEt+ma1eUFzF8Jeo=", "narHash": "sha256-VFTWrbzDlZyFHHb1AlKRiD/qqCJIripXKiCSFS8fAOY=",
"owner": "zhaofengli", "owner": "zhaofengli",
"repo": "nix-github-actions", "repo": "nix-github-actions",
"rev": "96df4a39c52f53cb7098b923224d8ce941b64747", "rev": "e418aeb728b6aa5ca8c5c71974e7159c2df1d8cf",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -242,7 +323,7 @@
"nixos-mailserver": { "nixos-mailserver": {
"inputs": { "inputs": {
"blobs": "blobs", "blobs": "blobs",
"flake-compat": "flake-compat_2", "flake-compat": "flake-compat_3",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
@ -285,11 +366,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1729413321, "lastModified": 1730200266,
"narHash": "sha256-I4tuhRpZFa6Fu6dcH9Dlo5LlH17peT79vx1y1SpeKt0=", "narHash": "sha256-l253w0XMT8nWHGXuXqyiIC/bMvh1VRszGXgdpQlfhvU=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "1997e4aa514312c1af7e2bda7fad1644e778ff26", "rev": "807e9154dcb16384b1b765ebe9cd2bba2ac287fd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -314,8 +395,49 @@
"type": "indirect" "type": "indirect"
} }
}, },
"nixpkgs-stable": {
"locked": {
"lastModified": 1720386169,
"narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "194846768975b7ad2c4988bdb82572c00222c0d7",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat",
"gitignore": "gitignore",
"nixpkgs": [
"aa-alias-manager",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1730302582,
"narHash": "sha256-W1MIJpADXQCgosJZT8qBYLRuZls2KSiKdpnTVdKBuvU=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "af8a16fe5c264f5e9e18bcee2859b40a656876cf",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"aa-alias-manager": "aa-alias-manager",
"aagl-gtk-on-nix": "aagl-gtk-on-nix", "aagl-gtk-on-nix": "aagl-gtk-on-nix",
"agenix": "agenix", "agenix": "agenix",
"chaotic": "chaotic", "chaotic": "chaotic",


@ -28,9 +28,13 @@
url = "github:ezKEa/aagl-gtk-on-nix"; url = "github:ezKEa/aagl-gtk-on-nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
aa-alias-manager = {
url = "github:LordGrimmauld/aa-alias-manager";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = inputs @ { self, agenix, nixpkgs, chaotic, aagl-gtk-on-nix, nixos-mailserver, nixos-matrix-modules, ... }: outputs = inputs @ { self, agenix, nixpkgs, chaotic, aagl-gtk-on-nix, nixos-mailserver, nixos-matrix-modules, aa-alias-manager, ... }:
let let
patches = [ patches = [
./aa_mod.patch ./aa_mod.patch
@ -69,6 +73,7 @@
chaotic.nixosModules.default chaotic.nixosModules.default
aagl-gtk-on-nix.nixosModules.default aagl-gtk-on-nix.nixosModules.default
./configuration.nix ./configuration.nix
aa-alias-manager.nixosModules.default
./specific/grimm-nixos-ssd/configuration.nix ./specific/grimm-nixos-ssd/configuration.nix
]; ];
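Review bot: The new `aa-alias-manager` input is pinned only through flake.lock, whereas the removed `aa-alias-manager-package.nix` carried an explicit `rev` and source `hash` in-tree; that is the normal flake workflow, but the lock diff shows this input also brings in `pre-commit-hooks`, `gitignore`, `nix-github-actions` and a separate `nixpkgs-stable` (nixos-24.05) checkout, so a blanket `nix flake update` will now move all of those along with the module that feeds AppArmor alias rules. Lock bumps of this input should get the same review the old hash pin got, and any further `follows` the upstream flake allows would shrink that surface. A short comment above the input, e.g. `# provides nixosModules.default; replaces the former in-tree aa-alias-module.nix and package`, would tell a reader why the local files disappeared in the same commit. The `inputs` and `modules` attribute lists both continue outside these hunks.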


@ -24,7 +24,7 @@
boot.supportedFilesystems.zfs = true; boot.supportedFilesystems.zfs = true;
networking.hostId = "40fa5ea8"; networking.hostId = "40fa5ea8";
# boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; # boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
boot.kernelPackages = pkgs.linuxPackages_6_10; boot.kernelPackages = pkgs.linuxPackages_6_6;
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
boot.kernelParams = [ "mds=full,nosmt" ]; boot.kernelParams = [ "mds=full,nosmt" ];
services.homed.enable = true; services.homed.enable = true;