diff --git a/common/cloudsync.nix b/common/cloudsync.nix index f302ce5..e5ec0bb 100644 --- a/common/cloudsync.nix +++ b/common/cloudsync.nix @@ -9,6 +9,7 @@ let types mkOption concatStrings + getExe' mkIf mkEnableOption ; @@ -36,7 +37,7 @@ in { config = mkIf (enable && cloudSync.enable) ( let - cloud_cmd = ''${nextcloud-client}/bin/nextcloudcmd -u ${cloudSync.username} -p "$(cat ${cloudSync.passwordFile})" -h -n --path''; + cloud_cmd = ''${getExe' nextcloud-client "nextcloudcmd"} -u ${cloudSync.username} -p "$(${getExe' pkgs.coreutils-full "cat"} ${cloudSync.passwordFile})" -h -n --path''; sync_server = "https://${cloudSync.server}"; in { diff --git a/common/firefox.nix b/common/firefox.nix index e874bbf..c425860 100644 --- a/common/firefox.nix +++ b/common/firefox.nix @@ -37,19 +37,12 @@ in ]; policies = { ExtensionSettings = - (mkIf firefox.disableUserPlugins { "*".installation_mode = "blocked"; }) - // (mapAttrs (guid: shortId: { + # (mkIf firefox.disableUserPlugins { "*".installation_mode = "blocked"; }) // + (mapAttrs (guid: shortId: { # explicit plugins by config install_url = "https://addons.mozilla.org/en-US/firefox/downloads/latest/${shortId}/latest.xpi"; installation_mode = "force_installed"; - }) firefox.plugins) - // (mkIf (tooling.enable && tooling.pass) { - # password-store support - "passff@invicem.pro" = { - install_url = "https://addons.mozilla.org/firefox/downloads/latest/passff/latest.xpi"; - installation_mode = "force_installed"; - }; - }); + }) config.grimmShared.firefox.plugins); DisableTelemetry = true; DisableFirefoxStudies = true; EnableTrackingProtection = { @@ -70,6 +63,7 @@ in "media.hardware-video-decoding.enabled" = true; "media.ffmpeg.vaapi.enabled" = true; + "network.dns.disableIPv6" = true; "media.rdd-ffmpeg.enabled" = true; "media.navigator.mediadatadecoder_vpx_enabled" = true; } // optionalAttrs sway.enable { "browser.tabs.inTitlebar" = 0; }; 
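Review bot: The rewritten `cloud_cmd` still passes the secret to nextcloudcmd as a `-p` argument, so the contents of `cloudSync.passwordFile` sit in that process's argv (readable by every local user via the process list) for the whole sync run; switching to `getExe'` does not change that. The command already passes `-n`, which as far as I recall is nextcloudcmd's netrc option, so a mode-0600 netrc for the service user and dropping `-u`/`-p` would keep the credential off the command line. Whether `cloudSync.passwordFile` is declared as a string or a Nix path is outside the hunk; if it can be a path value, `${cloudSync.passwordFile}` copies the file into the world-readable store, so the option type is worth confirming. The enclosing `config = mkIf ...` block continues outside the hunk.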
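Review bot: Commenting out the `mkIf firefox.disableUserPlugins { "*".installation_mode = "blocked"; }` term leaves the `disableUserPlugins` option declared (outside the hunk) but without effect, so a host that sets it will believe user-installed extensions are blocked when they are not. The likely reason it was disabled is that `mkIf` returns an `{ _type = "if"; condition; content; }` record, and `//`-merging that with the `mapAttrs` result produces an attrset the module system discharges as a plain `if`, dropping the plugin keys; the removed `mkIf (tooling.enable && tooling.pass)` term had the same problem. `optionalAttrs`, which this file already uses in the `@@ -70` hunk, gives the intended conditional merge in one line: `(optionalAttrs firefox.disableUserPlugins { "*".installation_mode = "blocked"; }) //`. If the blocking is meant to stay off instead, remove the option or add a `warnings` entry rather than leaving it silently ignored.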
diff --git a/common/graphics/sway.nix b/common/graphics/sway.nix index 23e1353..bfe1768 100644 --- a/common/graphics/sway.nix +++ b/common/graphics/sway.nix @@ -18,6 +18,7 @@ let max foldl' getExe + getExe' isPath isDerivation concatLines @@ -79,13 +80,13 @@ let ) screens; in '' - for pid in $(${pkgs.procps}/bin/pgrep sway -x) + for pid in $(${getExe' pkgs.procps "pgrep"} sway -x) do - uid=$(id -u $(${pkgs.procps}/bin/ps -o user= -p $pid)) + uid=$(id -u $(${getExe' pkgs.procps "ps"} -o user= -p $pid)) export SWAYSOCK="/run/user/$uid/sway-ipc.$uid.$pid.sock" if [[ -e "$SWAYSOCK" ]] ; then echo "sock is $SWAYSOCK" - ${config.programs.sway.package}/bin/swaymsg '${concatMapStrings (s: s + " ; ") output_def}' + ${getExe' config.programs.sway.package "swaymsg"} '${concatMapStrings (s: s + " ; ") output_def}' fi done ''; @@ -184,13 +185,13 @@ in serviceConfig.Type = "oneshot"; script = '' - for pid in $(${pkgs.procps}/bin/pgrep sway -x) + for pid in $(${getExe' pkgs.procps "pgrep"} sway -x) do - uid=$(id -u $(${pkgs.procps}/bin/ps -o user= -p $pid)) + uid=$(id -u $(${getExe' pkgs.procps "ps"} -o user= -p $pid)) export SWAYSOCK="/run/user/$uid/sway-ipc.$uid.$pid.sock" if [[ -e "$SWAYSOCK" ]] ; then echo "sock is $SWAYSOCK" - ${config.programs.sway.package}/bin/swaymsg reload + ${getExe' config.programs.sway.package "swaymsg"} reload fi done @@ -199,7 +200,7 @@ in reloadTriggers = [ config.environment.etc."${conf_path}".source ]; }; - programs.waybar.enable = true; + # programs.waybar.enable = true; programs.dconf.enable = true; @@ -212,7 +213,7 @@ in }; extraPackages = with pkgs; [ - swaylock +# swaylock swayidle wl-clipboard wf-recorder diff --git a/common/hardware/laptop.nix b/common/hardware/laptop.nix index 386d67e..2927477 100644 --- a/common/hardware/laptop.nix +++ b/common/hardware/laptop.nix 
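Review bot: `uid=$(id -u $(${getExe' pkgs.procps "ps"} -o user= -p $pid))` derives the uid through a user name, and procps can truncate names longer than the column width (shown with a trailing `+`), in which case `id -u` fails and `SWAYSOCK` is built from an empty `$uid`. Asking ps for the uid directly removes the round trip and the failure mode: `uid=$(${getExe' pkgs.procps "ps"} -o uid= -p "$pid")`. The same line appears in the `@@ -184` hunk below and in the `kill-sway` script added to specific/grimm-nixos-ssd/configuration.nix in this commit.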
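Review bot: Commenting out `swaylock` in `extraPackages` removes the only screen locker visible in this configuration, and the udev hook added to specific/grimm-nixos-ssd/configuration.nix in the same commit reacts to key removal by exiting sway rather than locking it, so no lock-on-leave path remains on the page. If another locker is configured elsewhere, a comment naming it here would help; otherwise keep `swaylock` in the list so `swayidle`, which is kept, has a locker to call. The `#` is also at column 0 inside an indented list; either indent it with the other entries or delete the line outright.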
@@ -50,7 +50,7 @@ in echo Trying to attach ddcci to $1 i=0 id=$(echo $1 | cut -d "-" -f 2) - if ${pkgs.ddcutil}/bin/ddcutil getvcp 10 -b $id; then + if ${lib.getExe' pkgs.ddcutil "ddcutil"} getvcp 10 -b $id; then echo ddcci 0x37 > /sys/bus/i2c/devices/$1/new_device fi ''; diff --git a/common/hardware/tlp.nix b/common/hardware/tlp.nix index cb2dfe2..67c54de 100644 --- a/common/hardware/tlp.nix +++ b/common/hardware/tlp.nix @@ -11,6 +11,7 @@ let optional concatLines getExe + getExe' elem mkIf ; @@ -52,8 +53,8 @@ let ) ); auto = writeShellScriptBin "auto-mode" '' - ${tlp}/bin/run-on-ac ${getExe performance} - ${tlp}/bin/run-on-bat ${getExe powersave} + ${getExe' tlp "run-on-ac"} ${getExe performance} + ${getExe' tlp "run-on-bat"} ${getExe powersave} ''; in { diff --git a/common/network/bluetooth.nix b/common/network/bluetooth.nix index afafc49..ad3c7d1 100644 --- a/common/network/bluetooth.nix +++ b/common/network/bluetooth.nix @@ -25,7 +25,7 @@ in "sound.target" ]; wantedBy = [ "default.target" ]; - serviceConfig.ExecStart = "${pkgs.bluez}/bin/mpris-proxy"; + serviceConfig.ExecStart = lib.getExe' pkgs.bluez "mpris-proxy"; }; }; } diff --git a/common/sound/spotifyd.nix b/common/sound/spotifyd.nix index 263b57a..dcef235 100644 --- a/common/sound/spotifyd.nix +++ b/common/sound/spotifyd.nix @@ -61,9 +61,9 @@ in password_cmd = let pass = spotify.spotifyd.pass; - inherit (lib) isPath isString getExe; + inherit (lib) isPath isString getExe getExe'; in - if (isPath pass || isString pass) then "${pkgs.coreutils-full}/bin/cat ${pass}" else (getExe pass); + if (isPath pass || isString pass) then "${getExe' pkgs.coreutils-full "cat"} ${pass}" else (getExe pass); device_type = "computer"; dbus_type = "system"; device = "default"; diff --git a/common/tooling/security.nix b/common/tooling/security.nix index 49c9928..7b95b32 100644 --- a/common/tooling/security.nix +++ b/common/tooling/security.nix 
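Review bot: The rewritten `ddcutil` line still passes `$id` unquoted, and the context line below it splices `$1` into a sysfs path unquoted; both come from the script's positional argument, whose origin (presumably a udev-supplied device name, the script header is outside the hunk) cannot be checked here. Quoting costs nothing: `if ${lib.getExe' pkgs.ddcutil "ddcutil"} getvcp 10 -b "$id"; then` and `echo ddcci 0x37 > "/sys/bus/i2c/devices/$1/new_device"`.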
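Review bot: In the rewritten `password_cmd`, the `isPath pass` branch interpolates `${pass}` into a string, and when `pass` is a Nix path value that coercion copies the password file into the Nix store, where it is world-readable and part of the system closure, instead of reading it from its original location at runtime. Render the path without importing it, e.g. `then "${getExe' pkgs.coreutils-full "cat"} ${toString pass}"`, or restrict the option to string paths. The `isPath` check predates this commit, but the line is rewritten here so it is the place to fix it.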
@@ -26,11 +26,12 @@ in id = [ "26681512" ]; # debug = true; mode = "challenge-response"; - control = "sufficient"; + control = lib.mkDefault "sufficient"; }; - security.doas.enable = true; - security.sudo.enable = false; + # security.doas.enable = true; + security.sudo.enable = true; + security.doas.extraRules = [ { users = attrNames (filterAttrs (n: v: v.isNormalUser) config.users.users); @@ -45,18 +46,18 @@ in gnupg libsecret vulnix - doas-sudo-shim # muscle memory agenix yubikey-manager yubico-pam yubikey-personalization ]) - ++ optionals (tooling.enable && tooling.pass) [ + ++ (optionals (tooling.enable && tooling.pass) [ pkgs.pass (pkgs.writeShellScriptBin "passw" "pass $@") - ] - ++ optional graphical pkgs.lxqt.lxqt-policykit; + ]) + ++ (optional config.security.doas.enable pkgs.sudo-doas-shim) + ++ (optional graphical pkgs.lxqt.lxqt-policykit); services.passSecretService.enable = mkIf (tooling.enable && tooling.pass) true; services.openssh.settings.LoginGraceTime = 0; @@ -68,6 +69,8 @@ in enable = true; enableSSHSupport = true; }; + + grimmShared.firefox.plugins = mkIf (tooling.enable && tooling.pass) { "passff@invicem.pro" = "passff"; }; }; options.grimmShared.tooling.pass = mkEnableOption "Enables password-store, gnupg and such secret handling"; diff --git a/common/xdg/portals.nix b/common/xdg/portals.nix index 20b1d01..a4110c6 100644 --- a/common/xdg/portals.nix +++ b/common/xdg/portals.nix @@ -50,10 +50,19 @@ in environment.sessionVariables = { XDG_CONFIG_HOME = "$HOME/.config"; + XDG_DESKTOP_DIR="$HOME/Desktop"; + XDG_DOCUMENTS_DIR="$HOME/Documents"; + XDG_DOWNLOAD_DIR="$HOME/Downloads"; + XDG_MUSIC_DIR="$HOME/Music"; + XDG_PICTURES_DIR="$HOME/Pictures"; + XDG_PUBLICSHARE_DIR="$HOME/Public"; + XDG_TEMPLATES_DIR="$HOME/Templates"; + XDG_VIDEOS_DIR="$HOME/Videos"; }; environment.systemPackages = with pkgs; [ xwaylandvideobridge + xdg-user-dirs confwhich ]; }; diff --git a/nix/sources.json b/nix/sources.json index 239c38c..32feb1f 100644 
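Review bot: Switching to `security.sudo.enable = true` while leaving `security.doas.extraRules` in place turns the rule covering every `isNormalUser` account (its action, `persist`/`noPass` or similar, is below the hunk) into dead configuration, and nothing equivalent is added under `security.sudo.extraRules`; with the default sudo policy only `wheel` members can elevate, with a password. If that tightening is intended, say so in a comment and delete the doas rule; if not, mirror it as a sudo rule so the privilege model is explicit rather than a side effect of which module is enabled. `lib.mkDefault "sufficient"` on the yubico PAM control is a good move since `sufficient` with challenge-response lets a key touch satisfy authentication on its own; the commented `control = "required"` in specific/grimm-nixos-ssd/configuration.nix is the override it enables.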
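Review bot: `optional config.security.doas.enable pkgs.sudo-doas-shim` installs the shim only when real doas is enabled, which after the previous hunk it no longer is; if `sudo-doas-shim` is the reverse of the removed `doas-sudo-shim` (a `doas` front-end over sudo), the condition looks inverted and should read `optional (!config.security.doas.enable) pkgs.sudo-doas-shim`. The `passw` wrapper also uses an unquoted `$@`, which re-splits arguments containing spaces; `(pkgs.writeShellScriptBin "passw" "pass \"$@\"")` preserves them.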
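Review bot: The eight new `XDG_*_DIR="$HOME/..."` entries omit the spaces around `=` that the neighbouring `XDG_CONFIG_HOME = "$HOME/.config";` line uses; formatting them the same way (`XDG_DESKTOP_DIR = "$HOME/Desktop";`) keeps the attrset uniform. A one-line comment saying why these are pinned in the login environment when `xdg-user-dirs-update` (added to the sway autolaunch list in this commit) writes the same defaults to `user-dirs.dirs` would save the next reader a question.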
--- a/nix/sources.json +++ b/nix/sources.json @@ -5,10 +5,10 @@ "homepage": null, "owner": "ezKEa", "repo": "aagl-gtk-on-nix", - "rev": "49e1dd54d3ac9b858d3be597a2fbc48ab67fa6e8", - "sha256": "1275gl2ly0iaqapxwimsbnky9fzwa0x3miscz372qa74gcc0wjwv", + "rev": "bcaea0865985eb3e24ce978e2ca5bb4f680f150b", + "sha256": "15fgkb32cqkzb9z03akbaz2qv6i3h1zs9rwy94fkp78cr2yxfizb", "type": "tarball", - "url": "https://github.com/ezKEa/aagl-gtk-on-nix/archive/49e1dd54d3ac9b858d3be597a2fbc48ab67fa6e8.tar.gz", + "url": "https://github.com/ezKEa/aagl-gtk-on-nix/archive/bcaea0865985eb3e24ce978e2ca5bb4f680f150b.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "agenix": { @@ -29,10 +29,10 @@ "homepage": "", "owner": "nix-community", "repo": "authentik-nix", - "rev": "f1bd855c23e73e04597695ca37ae54671a7e07b1", - "sha256": "1dkp86mr2n0h4hq74wj3b0b9ka8x2xkwv8pcbwk5knhrv26qajwb", + "rev": "0fd076529b40e7fc7304a398618cab76ff7e96c3", + "sha256": "1ax3rvw66s246dyrcgpshr7bj78qv73db8s6sd3hzvbmn56kwixr", "type": "tarball", - "url": "https://github.com/nix-community/authentik-nix/archive/f1bd855c23e73e04597695ca37ae54671a7e07b1.tar.gz", + "url": "https://github.com/nix-community/authentik-nix/archive/0fd076529b40e7fc7304a398618cab76ff7e96c3.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "chaotic": { @@ -41,10 +41,10 @@ "homepage": "https://nyx.chaotic.cx", "owner": "chaotic-cx", "repo": "nyx", - "rev": "38451822a144faa53a7ee96d4f0478d94945b67a", - "sha256": "08rcfarlda0fxgc02xdfyk8dsp18bmiyf0n39sfd5nq1s5513awy", + "rev": "93e6cdc6335d9c7652e89466b5e05a3cce836906", + "sha256": "11d9jyd8yw0xnpimgwsi0vw2i63f5hkw9x0g7pmnk0542k50xms6", "type": "tarball", - "url": "https://github.com/chaotic-cx/nyx/archive/38451822a144faa53a7ee96d4f0478d94945b67a.tar.gz", + "url": "https://github.com/chaotic-cx/nyx/archive/93e6cdc6335d9c7652e89466b5e05a3cce836906.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "glibc-eac": { 
@@ -53,22 +53,22 @@ "homepage": "", "owner": "Frogging-Family", "repo": "glibc-eac", - "rev": "1dc68d1d0c6105035c659f1eb574191d67ab1b7e", - "sha256": "1jsi4g8324kxpx28wh3i65476djryj65v4zs0x9cv8jqamqvnhay", + "rev": "de5df722493768cb02e23ce0703429636458befb", + "sha256": "1yx3hal1kwj28ij688inaww169rj74iv3l3bwa74r3y4msdfnl80", "type": "tarball", - "url": "https://github.com/Frogging-Family/glibc-eac/archive/1dc68d1d0c6105035c659f1eb574191d67ab1b7e.tar.gz", + "url": "https://github.com/Frogging-Family/glibc-eac/archive/de5df722493768cb02e23ce0703429636458befb.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "lix-module": { "branch": "main", "repo": "https://git.lix.systems/lix-project/nixos-module.git", - "rev": "cecf70b77539c1a593f60ec9d0305b5e537ab6a9", + "rev": "353b25f0b6da5ede15206d416345a2ec4195b5c8", "type": "git" }, "lix-pkg": { "branch": "main", "repo": "https://git.lix.systems/lix-project/lix.git", - "rev": "f2a49032a698bd96b37e8df8f02ec403fd0bed0f", + "rev": "80202e3ca314c21547c48f3a23d3f629cd9ddb87", "type": "git" }, "nixos-mailserver": { @@ -95,10 +95,10 @@ "homepage": null, "owner": "NixOS", "repo": "nixpkgs", - "rev": "574d1eac1c200690e27b8eb4e24887f8df7ac27c", - "sha256": "0s6h7r9jin9sd8l85hdjwl3jsvzkddn3blggy78w4f21qa3chymz", + "rev": "345c263f2f53a3710abe117f28a5cb86d0ba4059", + "sha256": "1llzyzw7a0jqdn7p3px0sqa35jg24v5pklwxdybwbmbyr2q8cf5j", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/574d1eac1c200690e27b8eb4e24887f8df7ac27c.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/345c263f2f53a3710abe117f28a5cb86d0ba4059.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "ranger_udisk_menu": { diff --git a/specific/grimm-nixos-ssd/configuration.nix b/specific/grimm-nixos-ssd/configuration.nix index 7ed4006..f37c522 100644 --- a/specific/grimm-nixos-ssd/configuration.nix +++ b/specific/grimm-nixos-ssd/configuration.nix 
@@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, lib, pkgs, ... }: { imports = [ # Include the results of the hardware scan. @@ -11,6 +11,32 @@ services.zfs.trim.enable = true; boot.supportedFilesystems.zfs = true; + + # security.pam.yubico.control = "required"; + + services.udev.extraRules = let + inherit (lib) getExe' getExe; + inherit (pkgs) procps writeShellScriptBin; + exitSway = writeShellScriptBin "kill-sway" '' + for pid in $(${getExe' procps "pgrep"} sway -x) + do + uid=$(id -u $(${getExe' procps "ps"} -o user= -p $pid)) + export SWAYSOCK="/run/user/$uid/sway-ipc.$uid.$pid.sock" + if [[ -e "$SWAYSOCK" ]] ; then + echo "sock is $SWAYSOCK" + ${getExe' config.programs.sway.package "swaymsg"} exit + fi + done + ''; + in '' + ACTION=="remove",\ + ENV{SUBSYSTEM}=="usb",\ + ENV{PRODUCT}=="1050/407/543",\ + RUN+="${lib.getExe exitSway}" +# ''; + + # RUN+="${lib.getExe' pkgs.systemd "loginctl"} lock-sessions" + # networking.hostId = "2ea79333"; # boot.kernelPackages = lib.mkForce config.boot.zfs.package.latestCompatibleLinuxPackages; diff --git a/sway/default.nix b/sway/default.nix index ff2949b..f515702 100644 --- a/sway/default.nix +++ b/sway/default.nix @@ -1,4 +1,4 @@ -{ pkgs, lib, ... }: +{ pkgs, lib, config, ... }: { imports = [ ./bar ]; @@ -20,7 +20,7 @@ enable = true; config = let - inherit (lib) getExe; + inherit (lib) getExe getExe'; inherit (pkgs) rmenu xdg-terminal-exec 
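Review bot: The `# ''` that ends the `services.udev.extraRules` string is misleading: inside a Nix indented string `#` is not a comment, so the `''` still terminates the string and the rule file merely gains a trailing `# ` line; close it with `'';` on its own line so it does not read as commented out. The rule runs `kill-sway` as root on `ACTION=="remove"` for a device matching `ENV{PRODUCT}=="1050/407/543"`, and that script sends `swaymsg exit` to every sway session on the host, ending all users' sessions and any unsaved work rather than locking them; the commented `loginctl lock-sessions` alternative is the safer reaction to key removal and also works when no sway session is found. Because `ENV{SUBSYSTEM}=="usb"` matches the interface nodes as well as the device node, the `RUN+=` hook fires more than once per unplug; adding `ENV{DEVTYPE}=="usb_device"` limits it to one run. The `id -u $(ps -o user= ...)` user-name round trip has the same truncation issue as in common/graphics/sway.nix.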
@@ -158,15 +158,15 @@ "$mod+${toString n}" = "workspace number ${toString n}"; "$mod+Shift+${toString n}" = "move container to workspace number ${toString n}"; }) (lib.range 0 9))); - autolaunch = with pkgs; [ - # fixme: absolute paths - "blueman-applet" - "lxqt-policykit-agent" - "otd-daemon" - swaynotificationcenter - networkmanagerapplet + autolaunch = [ + (getExe' pkgs.dbus "dbus-update-activation-environment") + (getExe' pkgs.xdg-user-dirs "xdg-user-dirs-update") + ''${getExe' pkgs.coreutils-full "sleep"} 5 && ${getExe' pkgs.blueman "blueman-applet"}'' + (getExe' pkgs.lxqt.lxqt-policykit "lxqt-policykit-agent") + (getExe' config.hardware.opentabletdriver.package "otd-daemon") + pkgs.swaynotificationcenter + pkgs.networkmanagerapplet # (pkgs.writeShellScriptBin "rmenu-cache-clear" "rm -r $HOME/.cache/rmenu") # invalidate rmenu cache on sway restart - "dbus-update-activation-environment" ]; extraConfig = '' output * bg ${./wallpapers/switzerland.jpg} fill
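Review bot: `(getExe' pkgs.dbus "dbus-update-activation-environment")` is launched with no variable names, and as far as I can tell the tool exports nothing unless given variables or `--all`, so `WAYLAND_DISPLAY`, `SWAYSOCK` and friends never reach D-Bus-activated services; the absolute path fixes the lookup but not that. Give it the variables it should publish, e.g. `"${getExe' pkgs.dbus "dbus-update-activation-environment"} --systemd WAYLAND_DISPLAY SWAYSOCK XDG_CURRENT_DESKTOP"`. The `sleep 5 && blueman-applet` entry papers over a start-up race; a short comment naming what it waits for would help. The list now mixes strings and derivations (`pkgs.swaynotificationcenter`), which is fine only if the `autolaunch` option accepts both; its definition is outside this hunk.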