cleanup and integration fixes

2024-09-21 09:43:57 +02:00 · 2024-09-21 09:43:57 +02:00 · c37a6082d3
commit c37a6082d3
parent 967f556eac
12 changed files with 95 additions and 60 deletions
--- a/common/cloudsync.nix
+++ b/common/cloudsync.nix
@ -9,6 +9,7 @@ let
    types
    mkOption
    concatStrings
+    getExe'
    mkIf
    mkEnableOption
    ;
@ -36,7 +37,7 @@ in
 {
  config = mkIf (enable && cloudSync.enable) (
    let
-      cloud_cmd = ''${nextcloud-client}/bin/nextcloudcmd -u ${cloudSync.username} -p "$(cat ${cloudSync.passwordFile})" -h -n --path'';
+      cloud_cmd = ''${getExe' nextcloud-client "nextcloudcmd"} -u ${cloudSync.username} -p "$(${getExe' pkgs.coreutils-full "cat"} ${cloudSync.passwordFile})" -h -n --path'';
      sync_server = "https://${cloudSync.server}";
    in
    {
--- a/common/firefox.nix
+++ b/common/firefox.nix
@ -37,19 +37,12 @@ in
      ];
      policies = {
        ExtensionSettings =
-          (mkIf firefox.disableUserPlugins { "*".installation_mode = "blocked"; })
-          // (mapAttrs (guid: shortId: {
+          # (mkIf firefox.disableUserPlugins { "*".installation_mode = "blocked"; }) // 
+          (mapAttrs (guid: shortId: {
            # explicit plugins by config 
            install_url = "https://addons.mozilla.org/en-US/firefox/downloads/latest/${shortId}/latest.xpi";
            installation_mode = "force_installed";
-          }) firefox.plugins)
-          // (mkIf (tooling.enable && tooling.pass) {
-            # password-store support
-            "passff@invicem.pro" = {
-              install_url = "https://addons.mozilla.org/firefox/downloads/latest/passff/latest.xpi";
-              installation_mode = "force_installed";
-            };
-          });
+          }) config.grimmShared.firefox.plugins);
        DisableTelemetry = true;
        DisableFirefoxStudies = true;
        EnableTrackingProtection = {
@ -70,6 +63,7 @@ in

          "media.hardware-video-decoding.enabled" = true;
          "media.ffmpeg.vaapi.enabled" = true;
+          "network.dns.disableIPv6" = true;
          "media.rdd-ffmpeg.enabled" = true;
          "media.navigator.mediadatadecoder_vpx_enabled" = true;
        } // optionalAttrs sway.enable { "browser.tabs.inTitlebar" = 0; };
--- a/common/graphics/sway.nix
+++ b/common/graphics/sway.nix
@ -18,6 +18,7 @@ let
    max
    foldl'
    getExe
+    getExe'
    isPath
    isDerivation
    concatLines
@ -79,13 +80,13 @@ let
      ) screens;
    in
    ''
-      for pid in $(${pkgs.procps}/bin/pgrep sway -x)
+      for pid in $(${getExe' pkgs.procps "pgrep"} sway -x)
      do
-        uid=$(id -u $(${pkgs.procps}/bin/ps -o user= -p $pid))
+        uid=$(id -u $(${getExe' pkgs.procps "ps"} -o user= -p $pid))
        export SWAYSOCK="/run/user/$uid/sway-ipc.$uid.$pid.sock"
        if [[ -e "$SWAYSOCK" ]] ; then
          echo "sock is $SWAYSOCK"
-          ${config.programs.sway.package}/bin/swaymsg '${concatMapStrings (s: s + " ; ") output_def}'
+          ${getExe' config.programs.sway.package "swaymsg"} '${concatMapStrings (s: s + " ; ") output_def}'
        fi
      done
    '';
@ -184,13 +185,13 @@ in

        serviceConfig.Type = "oneshot";
        script = ''
-          for pid in $(${pkgs.procps}/bin/pgrep sway -x)
+          for pid in $(${getExe' pkgs.procps "pgrep"} sway -x)
          do
-            uid=$(id -u $(${pkgs.procps}/bin/ps -o user= -p $pid))
+            uid=$(id -u $(${getExe' pkgs.procps "ps"} -o user= -p $pid))
            export SWAYSOCK="/run/user/$uid/sway-ipc.$uid.$pid.sock"
            if [[ -e "$SWAYSOCK" ]] ; then
              echo "sock is $SWAYSOCK"
-              ${config.programs.sway.package}/bin/swaymsg reload
+              ${getExe' config.programs.sway.package "swaymsg"} reload
            fi
          done

@ -199,7 +200,7 @@ in
        reloadTriggers = [ config.environment.etc."${conf_path}".source ];
      };

-      programs.waybar.enable = true;
+      # programs.waybar.enable = true;

      programs.dconf.enable = true;

@ -212,7 +213,7 @@ in
        };

        extraPackages = with pkgs; [
-          swaylock
+#          swaylock
          swayidle
          wl-clipboard
          wf-recorder
--- a/common/hardware/laptop.nix
+++ b/common/hardware/laptop.nix
@ -50,7 +50,7 @@ in
        echo Trying to attach ddcci to $1
        i=0
        id=$(echo $1 | cut -d "-" -f 2)
-        if ${pkgs.ddcutil}/bin/ddcutil getvcp 10 -b $id; then
+        if ${lib.getExe' pkgs.ddcutil "ddcutil"} getvcp 10 -b $id; then
          echo ddcci 0x37 > /sys/bus/i2c/devices/$1/new_device
        fi
      '';
--- a/common/hardware/tlp.nix
+++ b/common/hardware/tlp.nix
@ -11,6 +11,7 @@ let
    optional
    concatLines
    getExe
+    getExe'
    elem
    mkIf
    ;
@ -52,8 +53,8 @@ let
    )
  );
  auto = writeShellScriptBin "auto-mode" ''
-    ${tlp}/bin/run-on-ac ${getExe performance}
-    ${tlp}/bin/run-on-bat ${getExe powersave}
+    ${getExe' tlp "run-on-ac"} ${getExe performance}
+    ${getExe' tlp "run-on-bat"} ${getExe powersave}
  '';
 in
 {
--- a/common/network/bluetooth.nix
+++ b/common/network/bluetooth.nix
@ -25,7 +25,7 @@ in
        "sound.target"
      ];
      wantedBy = [ "default.target" ];
-      serviceConfig.ExecStart = "${pkgs.bluez}/bin/mpris-proxy";
+      serviceConfig.ExecStart = lib.getExe' pkgs.bluez "mpris-proxy";
    };
  };
 }
--- a/common/sound/spotifyd.nix
+++ b/common/sound/spotifyd.nix
@ -61,9 +61,9 @@ in
        password_cmd =
          let
            pass = spotify.spotifyd.pass;
-            inherit (lib) isPath isString getExe;
+            inherit (lib) isPath isString getExe getExe';
          in
-          if (isPath pass || isString pass) then "${pkgs.coreutils-full}/bin/cat ${pass}" else (getExe pass);
+          if (isPath pass || isString pass) then "${getExe' pkgs.coreutils-full "cat"} ${pass}" else (getExe pass);
        device_type = "computer";
        dbus_type = "system";
        device = "default";
--- a/common/tooling/security.nix
+++ b/common/tooling/security.nix
@ -26,11 +26,12 @@ in
      id = [ "26681512" ];
      # debug = true;
      mode = "challenge-response";
-      control = "sufficient";
+      control = lib.mkDefault "sufficient";
    };

-    security.doas.enable = true;
-    security.sudo.enable = false;
+    # security.doas.enable = true;
+    security.sudo.enable = true;
+    
    security.doas.extraRules = [
      {
        users = attrNames (filterAttrs (n: v: v.isNormalUser) config.users.users);
@ -45,18 +46,18 @@ in
        gnupg
        libsecret
        vulnix
-        doas-sudo-shim # muscle memory
        agenix

        yubikey-manager
        yubico-pam
        yubikey-personalization
      ])
-      ++ optionals (tooling.enable && tooling.pass) [
+      ++ (optionals (tooling.enable && tooling.pass) [
        pkgs.pass
        (pkgs.writeShellScriptBin "passw" "pass $@")
-      ]
-      ++ optional graphical pkgs.lxqt.lxqt-policykit;
+      ])
+      ++ (optional config.security.doas.enable pkgs.sudo-doas-shim)
+      ++ (optional graphical pkgs.lxqt.lxqt-policykit);

    services.passSecretService.enable = mkIf (tooling.enable && tooling.pass) true;
    services.openssh.settings.LoginGraceTime = 0;
@ -68,6 +69,8 @@ in
      enable = true;
      enableSSHSupport = true;
    };
+
+    grimmShared.firefox.plugins = mkIf (tooling.enable && tooling.pass) { "passff@invicem.pro" = "passff"; };
  };

  options.grimmShared.tooling.pass = mkEnableOption "Enables password-store, gnupg and such secret handling";
--- a/common/xdg/portals.nix
+++ b/common/xdg/portals.nix
@ -50,10 +50,19 @@ in

    environment.sessionVariables = {
      XDG_CONFIG_HOME = "$HOME/.config";
+      XDG_DESKTOP_DIR="$HOME/Desktop";
+      XDG_DOCUMENTS_DIR="$HOME/Documents";
+      XDG_DOWNLOAD_DIR="$HOME/Downloads";
+      XDG_MUSIC_DIR="$HOME/Music";
+      XDG_PICTURES_DIR="$HOME/Pictures";
+      XDG_PUBLICSHARE_DIR="$HOME/Public";
+      XDG_TEMPLATES_DIR="$HOME/Templates";
+      XDG_VIDEOS_DIR="$HOME/Videos";
    };

    environment.systemPackages = with pkgs; [
      xwaylandvideobridge
+      xdg-user-dirs
      confwhich
    ];
  };
--- a/nix/sources.json
+++ b/nix/sources.json
@ -5,10 +5,10 @@
        "homepage": null,
        "owner": "ezKEa",
        "repo": "aagl-gtk-on-nix",
-        "rev": "49e1dd54d3ac9b858d3be597a2fbc48ab67fa6e8",
-        "sha256": "1275gl2ly0iaqapxwimsbnky9fzwa0x3miscz372qa74gcc0wjwv",
+        "rev": "bcaea0865985eb3e24ce978e2ca5bb4f680f150b",
+        "sha256": "15fgkb32cqkzb9z03akbaz2qv6i3h1zs9rwy94fkp78cr2yxfizb",
        "type": "tarball",
-        "url": "https://github.com/ezKEa/aagl-gtk-on-nix/archive/49e1dd54d3ac9b858d3be597a2fbc48ab67fa6e8.tar.gz",
+        "url": "https://github.com/ezKEa/aagl-gtk-on-nix/archive/bcaea0865985eb3e24ce978e2ca5bb4f680f150b.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "agenix": {
@ -29,10 +29,10 @@
        "homepage": "",
        "owner": "nix-community",
        "repo": "authentik-nix",
-        "rev": "f1bd855c23e73e04597695ca37ae54671a7e07b1",
-        "sha256": "1dkp86mr2n0h4hq74wj3b0b9ka8x2xkwv8pcbwk5knhrv26qajwb",
+        "rev": "0fd076529b40e7fc7304a398618cab76ff7e96c3",
+        "sha256": "1ax3rvw66s246dyrcgpshr7bj78qv73db8s6sd3hzvbmn56kwixr",
        "type": "tarball",
-        "url": "https://github.com/nix-community/authentik-nix/archive/f1bd855c23e73e04597695ca37ae54671a7e07b1.tar.gz",
+        "url": "https://github.com/nix-community/authentik-nix/archive/0fd076529b40e7fc7304a398618cab76ff7e96c3.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "chaotic": {
@ -41,10 +41,10 @@
        "homepage": "https://nyx.chaotic.cx",
        "owner": "chaotic-cx",
        "repo": "nyx",
-        "rev": "38451822a144faa53a7ee96d4f0478d94945b67a",
-        "sha256": "08rcfarlda0fxgc02xdfyk8dsp18bmiyf0n39sfd5nq1s5513awy",
+        "rev": "93e6cdc6335d9c7652e89466b5e05a3cce836906",
+        "sha256": "11d9jyd8yw0xnpimgwsi0vw2i63f5hkw9x0g7pmnk0542k50xms6",
        "type": "tarball",
-        "url": "https://github.com/chaotic-cx/nyx/archive/38451822a144faa53a7ee96d4f0478d94945b67a.tar.gz",
+        "url": "https://github.com/chaotic-cx/nyx/archive/93e6cdc6335d9c7652e89466b5e05a3cce836906.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "glibc-eac": {
@ -53,22 +53,22 @@
        "homepage": "",
        "owner": "Frogging-Family",
        "repo": "glibc-eac",
-        "rev": "1dc68d1d0c6105035c659f1eb574191d67ab1b7e",
-        "sha256": "1jsi4g8324kxpx28wh3i65476djryj65v4zs0x9cv8jqamqvnhay",
+        "rev": "de5df722493768cb02e23ce0703429636458befb",
+        "sha256": "1yx3hal1kwj28ij688inaww169rj74iv3l3bwa74r3y4msdfnl80",
        "type": "tarball",
-        "url": "https://github.com/Frogging-Family/glibc-eac/archive/1dc68d1d0c6105035c659f1eb574191d67ab1b7e.tar.gz",
+        "url": "https://github.com/Frogging-Family/glibc-eac/archive/de5df722493768cb02e23ce0703429636458befb.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "lix-module": {
        "branch": "main",
        "repo": "https://git.lix.systems/lix-project/nixos-module.git",
-        "rev": "cecf70b77539c1a593f60ec9d0305b5e537ab6a9",
+        "rev": "353b25f0b6da5ede15206d416345a2ec4195b5c8",
        "type": "git"
    },
    "lix-pkg": {
        "branch": "main",
        "repo": "https://git.lix.systems/lix-project/lix.git",
-        "rev": "f2a49032a698bd96b37e8df8f02ec403fd0bed0f",
+        "rev": "80202e3ca314c21547c48f3a23d3f629cd9ddb87",
        "type": "git"
    },
    "nixos-mailserver": {
@ -95,10 +95,10 @@
        "homepage": null,
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "574d1eac1c200690e27b8eb4e24887f8df7ac27c",
-        "sha256": "0s6h7r9jin9sd8l85hdjwl3jsvzkddn3blggy78w4f21qa3chymz",
+        "rev": "345c263f2f53a3710abe117f28a5cb86d0ba4059",
+        "sha256": "1llzyzw7a0jqdn7p3px0sqa35jg24v5pklwxdybwbmbyr2q8cf5j",
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/574d1eac1c200690e27b8eb4e24887f8df7ac27c.tar.gz",
+        "url": "https://github.com/NixOS/nixpkgs/archive/345c263f2f53a3710abe117f28a5cb86d0ba4059.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "ranger_udisk_menu": {
--- a/specific/grimm-nixos-ssd/configuration.nix
+++ b/specific/grimm-nixos-ssd/configuration.nix
@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 {
  imports = [
    # Include the results of the hardware scan.
@ -11,6 +11,32 @@

  services.zfs.trim.enable = true;
  boot.supportedFilesystems.zfs = true;
+  
+  # security.pam.yubico.control = "required";
+
+  services.udev.extraRules = let 
+    inherit (lib) getExe' getExe;
+    inherit (pkgs) procps writeShellScriptBin;
+    exitSway = writeShellScriptBin "kill-sway" ''
+      for pid in $(${getExe' procps "pgrep"} sway -x)
+      do
+        uid=$(id -u $(${getExe' procps "ps"} -o user= -p $pid))
+        export SWAYSOCK="/run/user/$uid/sway-ipc.$uid.$pid.sock"
+        if [[ -e "$SWAYSOCK" ]] ; then
+          echo "sock is $SWAYSOCK"
+          ${getExe' config.programs.sway.package "swaymsg"} exit
+        fi
+      done
+    '';
+  in ''
+      ACTION=="remove",\
+       ENV{SUBSYSTEM}=="usb",\
+       ENV{PRODUCT}=="1050/407/543",\
+       RUN+="${lib.getExe exitSway}"
+#  '';
+
+       # RUN+="${lib.getExe' pkgs.systemd "loginctl"} lock-sessions"
+  
 #  networking.hostId = "2ea79333";
 #  boot.kernelPackages = lib.mkForce config.boot.zfs.package.latestCompatibleLinuxPackages;

--- a/sway/default.nix
+++ b/sway/default.nix
@ -1,4 +1,4 @@
-{ pkgs, lib, ... }:
+{ pkgs, lib, config, ... }:
 {
  imports = [ ./bar ];

@ -20,7 +20,7 @@
    enable = true;
    config =
      let
-        inherit (lib) getExe;
+        inherit (lib) getExe getExe';
        inherit (pkgs)
          rmenu
          xdg-terminal-exec
@ -158,15 +158,15 @@
          "$mod+${toString n}" = "workspace number ${toString n}";
          "$mod+Shift+${toString n}" = "move container to workspace number ${toString n}";
        }) (lib.range 0 9)));
-        autolaunch = with pkgs; [
-          # fixme: absolute paths
-          "blueman-applet"
-          "lxqt-policykit-agent"
-          "otd-daemon"
-          swaynotificationcenter
-          networkmanagerapplet
+        autolaunch = [
+          (getExe' pkgs.dbus "dbus-update-activation-environment")
+          (getExe' pkgs.xdg-user-dirs "xdg-user-dirs-update")
+          ''${getExe' pkgs.coreutils-full "sleep"} 5 && ${getExe' pkgs.blueman "blueman-applet"}''
+          (getExe' pkgs.lxqt.lxqt-policykit "lxqt-policykit-agent")
+          (getExe' config.hardware.opentabletdriver.package "otd-daemon")
+          pkgs.swaynotificationcenter
+          pkgs.networkmanagerapplet
          # (pkgs.writeShellScriptBin "rmenu-cache-clear" "rm -r $HOME/.cache/rmenu") # invalidate rmenu cache on sway restart 
-          "dbus-update-activation-environment"
        ];
        extraConfig = ''
          output * bg ${./wallpapers/switzerland.jpg} fill