


06b37c6d92
nixfmt 2024-11-26 19:20:10 +01:00
f28a475cfb
cleanup 2024-11-26 19:18:50 +01:00
32 changed files with 651 additions and 515 deletions


@ -57,7 +57,7 @@ in
let let
remote_clean = lib.strings.concatStrings (builtins.match "/*(.+)" remote); remote_clean = lib.strings.concatStrings (builtins.match "/*(.+)" remote);
in in
"${cloud_cmd} /${remote_clean} ${local} ${sync_server}" "${cloud_cmd} /${remote_clean} ${local} ${sync_server} 1> /dev/null"
) paths ) paths
); );
in in
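Review bot: The rewritten command string on the `"${cloud_cmd} /${remote_clean} ${local} ${sync_server} 1> /dev/null"` line now discards stdout while leaving stderr, so errors still surface but progress output is dropped; if that is the intent, a short comment next to it, e.g. `# stdout is discarded: only errors should reach the log`, would save the next reader from wondering whether output was lost by accident. If this string is handed to a shell, the unquoted `${local}` and `${sync_server}` interpolations will be word-split, so a path containing whitespace becomes several arguments; since the line is being touched anyway, `"${cloud_cmd} /${remote_clean} \"${local}\" \"${sync_server}\" 1> /dev/null"` is a cheap hardening. The enclosing expression that defines `cloud_cmd`, `sync_server` and `paths` begins outside the hunk, so I cannot see whether those values are already quoted at the call site.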


@ -38,11 +38,13 @@ in
policies = { policies = {
ExtensionSettings = ExtensionSettings =
# (mkIf firefox.disableUserPlugins { "*".installation_mode = "blocked"; }) // # (mkIf firefox.disableUserPlugins { "*".installation_mode = "blocked"; }) //
(mapAttrs (guid: shortId: { (
# explicit plugins by config mapAttrs (guid: shortId: {
install_url = "https://addons.mozilla.org/en-US/firefox/downloads/latest/${shortId}/latest.xpi"; # explicit plugins by config
installation_mode = "force_installed"; install_url = "https://addons.mozilla.org/en-US/firefox/downloads/latest/${shortId}/latest.xpi";
}) config.grimmShared.firefox.plugins); installation_mode = "force_installed";
}) config.grimmShared.firefox.plugins
);
DisableTelemetry = true; DisableTelemetry = true;
DisableFirefoxStudies = true; DisableFirefoxStudies = true;
EnableTrackingProtection = { EnableTrackingProtection = {


@ -43,16 +43,18 @@ in
enable = true; enable = true;
#driSupport = true; #driSupport = true;
#driSupport32Bit = true; #driSupport32Bit = true;
extraPackages = with pkgs; [ extraPackages = with pkgs; [
intel-media-driver # LIBVA_DRIVER_NAME=iHD intel-media-driver # LIBVA_DRIVER_NAME=iHD
# intel-vaapi-driver # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium) # intel-vaapi-driver # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
# libvdpau-va-gl # libvdpau-va-gl
]; ];
}; };
environment.sessionVariables = { LIBVA_DRIVER_NAME = "iHD"; }; # Force intel-media-driver environment.sessionVariables = {
LIBVA_DRIVER_NAME = "iHD";
}; # Force intel-media-driver
# chaotic.mesa-git.enable = true; # chaotic.mesa-git.enable = true;
boot.kernelParams = [ "nouveau.config=NvGspRm=1" ]; boot.kernelParams = [ "nouveau.config=NvGspRm=1" ];
environment.sessionVariables = { environment.sessionVariables = {


@ -19,10 +19,10 @@ in
with pkgs; with pkgs;
with kdePackages; with kdePackages;
[ [
# qtstyleplugin-kvantum # qtstyleplugin-kvantum
catppuccin-sddm-corners catppuccin-sddm-corners
libsForQt5.qtgraphicaleffects libsForQt5.qtgraphicaleffects
# catppuccin-kvantum # catppuccin-kvantum
breeze breeze
kdePackages.audiocd-kio kdePackages.audiocd-kio
kdePackages.kio-extras kdePackages.kio-extras
@ -33,7 +33,7 @@ in
qtwayland qtwayland
]; ];
# environment.pathsToLink = [ "/share/Kvantum" ]; # environment.pathsToLink = [ "/share/Kvantum" ];
services.displayManager = { services.displayManager = {
sddm = { sddm = {
@ -46,8 +46,8 @@ in
}; };
xdg.portal.lxqt.styles = with pkgs; [ xdg.portal.lxqt.styles = with pkgs; [
kdePackages.breeze-qt5 kdePackages.breeze-qt5
]; ];
boot.plymouth = { boot.plymouth = {
themePackages = with pkgs; [ catppuccin-plymouth ]; themePackages = with pkgs; [ catppuccin-plymouth ];


@ -87,7 +87,9 @@ let
export SWAYSOCK="/run/user/$uid/sway-ipc.$uid.$pid.sock" export SWAYSOCK="/run/user/$uid/sway-ipc.$uid.$pid.sock"
if [[ -e "$SWAYSOCK" ]] ; then if [[ -e "$SWAYSOCK" ]] ; then
echo "sock is $SWAYSOCK" echo "sock is $SWAYSOCK"
${getExe' config.programs.sway.package "swaymsg"} '${concatMapStrings (s: s + " ; ") output_def}' ${getExe' config.programs.sway.package "swaymsg"} '${
concatMapStrings (s: s + " ; ") output_def
}'
fi fi
done done
''; '';
@ -191,7 +193,7 @@ in
rm -rf /home/*/.cache/rmenu rm -rf /home/*/.cache/rmenu
''; '';
reloadTriggers = [ reloadTriggers = [
# config.environment.etc."${conf_path}".source # config.environment.etc."${conf_path}".source
config.environment.etc."sway/config".source config.environment.etc."sway/config".source
]; ];
@ -210,7 +212,7 @@ in
}; };
extraPackages = with pkgs; [ extraPackages = with pkgs; [
# swaylock # swaylock
swayidle swayidle
wl-clipboard wl-clipboard
wf-recorder wf-recorder


@ -32,6 +32,9 @@ in
# hardware.i2c.enable = true; # hardware.i2c.enable = true;
services.libinput.enable = true; services.libinput.enable = true;
hardware.opentabletdriver.enable = true; hardware.opentabletdriver.enable = true;
systemd.user.services.opentabletdriver.after = [ "local-fs.target" ];
services.udisks2.enable = true; services.udisks2.enable = true;
#services.udev.extraRules = '' #services.udev.extraRules = ''
@ -42,25 +45,29 @@ in
# ENV{SYSTEMD_WANTS}+="ddcci@$kernel.service" # ENV{SYSTEMD_WANTS}+="ddcci@$kernel.service"
#''; #'';
systemd.services."ddcci@" = { # systemd.services."ddcci@" = {
scriptArgs = "%i"; # scriptArgs = "%i";
script = '' # script = ''
sleep 20 # sleep 20
echo Trying to attach ddcci to $1 # echo Trying to attach ddcci to $1
i=0 # i=0
id=$(echo $1 | cut -d "-" -f 2) # id=$(echo $1 | cut -d "-" -f 2)
if ${lib.getExe' pkgs.ddcutil "ddcutil"} getvcp 10 -b $id; then # if ${lib.getExe' pkgs.ddcutil "ddcutil"} getvcp 10 -b $id; then
echo ddcci 0x37 > /sys/bus/i2c/devices/$1/new_device # echo ddcci 0x37 > /sys/bus/i2c/devices/$1/new_device
fi # fi
''; # '';
serviceConfig.Type = "oneshot"; # serviceConfig.Type = "oneshot";
}; #};
systemd.enableCgroupAccounting = true; systemd.enableCgroupAccounting = true;
# systemd.enableUnifiedCgroupHierarchy = false; # systemd.enableUnifiedCgroupHierarchy = false;
boot = { boot = {
kernelParams = [ "intel_iommu=on" "nohibernate" ]; kernelParams = [
"intel_iommu=on"
"nohibernate"
"pcie_aspm=off"
];
loader.efi.canTouchEfiVariables = true; loader.efi.canTouchEfiVariables = true;
initrd.availableKernelModules = [ initrd.availableKernelModules = [
"xhci_pci" "xhci_pci"
@ -70,12 +77,12 @@ in
"usb_storage" "usb_storage"
"sd_mod" "sd_mod"
]; ];
# initrd.systemd.enable = true; # initrd.systemd.enable = true;
loader.systemd-boot.enable = true; loader.systemd-boot.enable = true;
# extraModulePackages = [ config.boot.kernelPackages.ddcci-driver ]; # extraModulePackages = [ config.boot.kernelPackages.ddcci-driver ];
kernelModules = [ kernelModules = [
"ddcci_backlight" # "ddcci_backlight"
"i2c-dev" # "i2c-dev"
"ec_sys" "ec_sys"
]; ];
}; };
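Review bot: The new `systemd.user.services.opentabletdriver.after = [ "local-fs.target" ];` orders a user-manager service against a target that, as far as I know, only exists in the system manager; in the user instance an `After=` on a unit that is not present is silently ignored, so the intended delay probably has no effect and is worth confirming via the unit's `systemctl --user` status before relying on it. The added `"pcie_aspm=off"` in `boot.kernelParams` disables PCIe link power management system-wide and deserves a why-comment next to it, e.g. `"pcie_aspm=off" # works around: <device or symptom — fill in>`, since nothing in the hunk says what it fixes. The `ddcci@` service and the `ddcci_backlight`/`i2c-dev` modules are commented out rather than removed; with the udev rules above already commented, either delete the block or add a one-line note on why it is kept, so the dead config does not accumulate.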


@ -11,7 +11,7 @@ in
config = lib.mkIf (enable && network) { config = lib.mkIf (enable && network) {
networking.networkmanager = { networking.networkmanager = {
enable = true; enable = true;
plugins = with pkgs; [ networkmanager-openvpn ]; plugins = with pkgs; [ networkmanager-openvpn ];
}; };
networking.useDHCP = lib.mkDefault true; networking.useDHCP = lib.mkDefault true;


@ -61,9 +61,17 @@ in
password_cmd = password_cmd =
let let
pass = spotify.spotifyd.pass; pass = spotify.spotifyd.pass;
inherit (lib) isPath isString getExe getExe'; inherit (lib)
isPath
isString
getExe
getExe'
;
in in
if (isPath pass || isString pass) then "${getExe' pkgs.coreutils-full "cat"} ${pass}" else (getExe pass); if (isPath pass || isString pass) then
"${getExe' pkgs.coreutils-full "cat"} ${pass}"
else
(getExe pass);
device_type = "computer"; device_type = "computer";
dbus_type = "system"; dbus_type = "system";
device = "default"; device = "default";


@ -5,18 +5,30 @@
... ...
}: }:
let let
inherit (lib) mkIf mapAttrs assertMsg pathIsRegularFile mkForce; inherit (lib)
mkIf
mapAttrs
assertMsg
pathIsRegularFile
mkForce
;
cfg = config.security.apparmor_d; cfg = config.security.apparmor_d;
apparmor-d = pkgs.callPackage ./apparmor-d-package.nix {}; apparmor-d = pkgs.callPackage ./apparmor-d-package.nix { };
in in
{ {
options.security.apparmor_d = with lib; { options.security.apparmor_d = with lib; {
enable = mkEnableOption "enable apparmor.d support"; enable = mkEnableOption "enable apparmor.d support";
profiles = mkOption { profiles = mkOption {
type = types.attrsOf (types.enum [ "disable" "complain" "enforce" ]); type = types.attrsOf (
default = {}; types.enum [
"disable"
"complain"
"enforce"
]
);
default = { };
description = "set of apparmor profiles to include from apparmor.d"; description = "set of apparmor profiles to include from apparmor.d";
}; };
}; };
@ -25,9 +37,10 @@ let
security.apparmor.packages = [ apparmor-d ]; security.apparmor.packages = [ apparmor-d ];
security.apparmor.policies = mapAttrs (name: state: { security.apparmor.policies = mapAttrs (name: state: {
inherit state; inherit state;
path = let path =
file = "${apparmor-d}/etc/apparmor.d/${name}"; let
in file = "${apparmor-d}/etc/apparmor.d/${name}";
in
assert assertMsg (pathIsRegularFile file) "profile ${name} not found in apparmor.d path (${file})"; assert assertMsg (pathIsRegularFile file) "profile ${name} not found in apparmor.d path (${file})";
file; file;
}) cfg.profiles; }) cfg.profiles;
@ -40,7 +53,7 @@ let
@{package16}=@{package8}@{package8} @{package16}=@{package8}@{package8}
@{package32}=@{package16}@{package16} @{package32}=@{package16}@{package16}
@{package64}=@{package32}@{package32} @{package64}=@{package32}@{package32}
@{nix_package_name}={@{package32},}{@{package16},}{@{package8},}{@{package4},}{@{package2},}{@{package1},} @{nix_package_name}={@{package32},}{@{package16},}{@{package8},}{@{package4},}{@{package2},}{@{package1},}
@{nix_store}=/nix/store/@{rand32}-@{nix_package_name} @{nix_store}=/nix/store/@{rand32}-@{nix_package_name}
''; '';
@ -48,7 +61,7 @@ let
specialisation.no-apparmor.configuration = { specialisation.no-apparmor.configuration = {
security.apparmor.enable = mkForce false; security.apparmor.enable = mkForce false;
}; };
environment.systemPackages = [ apparmor-d ]; environment.systemPackages = [ apparmor-d ];
}; };
} }


@ -1,4 +1,10 @@
{ buildGoModule, fetchFromGitHub, git, lib, unstableGitUpdater }: {
buildGoModule,
fetchFromGitHub,
git,
lib,
unstableGitUpdater,
}:
buildGoModule { buildGoModule {
pname = "apparmor-d"; pname = "apparmor-d";
version = "unstable-2024-10-12"; version = "unstable-2024-10-12";
@ -10,8 +16,8 @@ buildGoModule {
hash = "sha256-3qVSMLIzVd9hcvj2V2eaacNOjOFTUHkTslaTETYYg4U="; hash = "sha256-3qVSMLIzVd9hcvj2V2eaacNOjOFTUHkTslaTETYYg4U=";
}; };
vendorHash = null; vendorHash = null;
doCheck = false; doCheck = false;
nativeBuildInputs = [ git ]; nativeBuildInputs = [ git ];
@ -29,9 +35,9 @@ buildGoModule {
postInstall = '' postInstall = ''
mkdir -p $out/etc mkdir -p $out/etc
DISTRIBUTION=nixos $out/bin/prebuild --abi 4 # fixme: replace with nixos support once available DISTRIBUTION=nixos $out/bin/prebuild --abi 4 # fixme: replace with nixos support once available
mv .build/apparmor.d $out/etc mv .build/apparmor.d $out/etc
rm $out/bin/prebuild rm $out/bin/prebuild
''; '';


@ -10,11 +10,11 @@ let
in in
{ {
imports = [ ./apparmor-d-module.nix ]; # ./aa-alias-module.nix ]; imports = [ ./apparmor-d-module.nix ]; # ./aa-alias-module.nix ];
config = mkIf (enable && tooling.enable) { config = mkIf (enable && tooling.enable) {
services.dbus.apparmor = "enabled"; services.dbus.apparmor = "enabled";
security.auditd.enable = true; security.auditd.enable = true;
security.apparmor.enable = true; security.apparmor.enable = true;
security.apparmor.enableCache = true; security.apparmor.enableCache = true;
@ -23,7 +23,7 @@ in
alias /bin/spotify -> ${pkgs.spotify}/share/spotify/spotify, alias /bin/spotify -> ${pkgs.spotify}/share/spotify/spotify,
''; '';
# security.apparmor.aa-alias-manager.enable = false; # security.apparmor.aa-alias-manager.enable = false;
security.audit.backlogLimit = 512; security.audit.backlogLimit = 512;
@ -50,7 +50,6 @@ in
"unix-chkpwd.apparmor.d" = "complain"; "unix-chkpwd.apparmor.d" = "complain";
}; };
}; };
security.apparmor.includes = { security.apparmor.includes = {
"abstractions/base" = '' "abstractions/base" = ''
@ -61,12 +60,11 @@ in
${getExe' pkgs.coreutils-full "coreutils"} rix, ${getExe' pkgs.coreutils-full "coreutils"} rix,
''; '';
# "tunables/alias.d/store" = '' # "tunables/alias.d/store" = ''
# include <tunables/global> # include <tunables/global>
# alias /bin -> @{bin}, # alias /bin -> @{bin},
# alias /bin/ -> /nix/store/*/bin/, # alias /bin/ -> /nix/store/*/bin/,
# ''; # '';
"local/speech-dispatcher" = '' "local/speech-dispatcher" = ''
@{nix_store}/libexec/speech-dispatcher-modules/* ix, @{nix_store}/libexec/speech-dispatcher-modules/* ix,
@ -85,11 +83,11 @@ in
''; '';
"local/xdg-mime" = '' "local/xdg-mime" = ''
# include <abstractions/app/bus> # include <abstractions/app/bus>
/bin/grep rix, /bin/grep rix,
/bin/gawk rix, /bin/gawk rix,
# /bin/dbus-send Cx -> bus, # /bin/dbus-send Cx -> bus,
/dev/tty* rw, /dev/tty* rw,
''; '';
"abstractions/app/udevadm.d/udevadm_is_exec" = '' "abstractions/app/udevadm.d/udevadm_is_exec" = ''
@ -119,11 +117,11 @@ in
''; '';
"local/child-open" = '' "local/child-open" = ''
include <abstractions/app/bus> include <abstractions/app/bus>
@{bin}/grep ix, @{bin}/grep ix,
/@{PROC}/version r, /@{PROC}/version r,
@{bin}/gdbus Cx -> bus, @{bin}/gdbus Cx -> bus,
# @{bin}/gdbus Ux, # @{bin}/gdbus Ux,
''; '';
"local/vesktop" = '' "local/vesktop" = ''
@ -145,16 +143,16 @@ in
@{bin}/unix_chkpwd rix, @{bin}/unix_chkpwd rix,
''; '';
# "local/spotify" = '' # "local/spotify" = ''
# @{bin}/ # @{bin}/
# ''; # '';
}; };
security.apparmor.policies = { security.apparmor.policies = {
passff = { passff = {
state = "enforce"; state = "enforce";
# enable = true; # enable = true;
# enforce = true; # enforce = true;
profile = '' profile = ''
abi <abi/4.0>, abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@ -165,11 +163,11 @@ in
} }
''; '';
}; };
swaymux = { swaymux = {
state = "enforce"; state = "enforce";
# enable = true; # enable = true;
# enforce = true; # enforce = true;
profile = '' profile = ''
abi <abi/4.0>, abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@ -182,58 +180,57 @@ in
''; '';
}; };
# speech-dispatcher-test = { # speech-dispatcher-test = {
# enable = true; # enable = true;
# enforce = true; # enforce = true;
# profile = ''# # profile = ''#
# #
#abi <abi/4.0>, #abi <abi/4.0>,
# #
#include <tunables/global> #include <tunables/global>
# #
#@{exec_path} = @{bin}/speech-dispatcher #@{exec_path} = @{bin}/speech-dispatcher
#profile speech-dispatcher ${getExe' pkgs.speechd "speech-dispatcher"} flags=(complain) { #profile speech-dispatcher ${getExe' pkgs.speechd "speech-dispatcher"} flags=(complain) {
# include <abstractions/base> # include <abstractions/base>
# include <abstractions/audio-client> # include <abstractions/audio-client>
# include <abstractions/bus-session> # include <abstractions/bus-session>
# include <abstractions/consoles> # include <abstractions/consoles>
# include <abstractions/nameservice-strict> # include <abstractions/nameservice-strict>
# network inet stream, # network inet stream,
# network inet6 stream, # network inet6 stream,
# @{exec_path} mr, # @{exec_path} mr,
# @{sh_path} ix, # @{sh_path} ix,
# @{lib}/speech-dispatcher/** r, # @{lib}/speech-dispatcher/** r,
# @{lib}/speech-dispatcher/speech-dispatcher-modules/* ix, # @{lib}/speech-dispatcher/speech-dispatcher-modules/* ix,
# /etc/machine-id r, # /etc/machine-id r,
# /etc/speech-dispatcher/{,**} r, # /etc/speech-dispatcher/{,**} r,
# owner @{run}/user/@{uid}/speech-dispatcher/ rw, # owner @{run}/user/@{uid}/speech-dispatcher/ rw,
# owner @{run}/user/@{uid}/speech-dispatcher/** rwk, # owner @{run}/user/@{uid}/speech-dispatcher/** rwk,
# include if exists <local/speech-dispatcher>
#} '';
# };
# include if exists <local/speech-dispatcher>
#} '';
# };
sleep = { sleep = {
state = "enforce"; state = "enforce";
profile = '' profile = ''
abi <abi/4.0>, abi <abi/4.0>,
include <tunables/global> include <tunables/global>
profile sleep ${getExe' pkgs.coreutils-full "sleep"} { profile sleep ${getExe' pkgs.coreutils-full "sleep"} {
include <abstractions/base> include <abstractions/base>
} }
''; '';
}; };
osu-lazer = { osu-lazer = {
state = "disable"; state = "disable";
# enable = true; # enable = true;
# enforce = true; # enforce = true;
profile = '' profile = ''
abi <abi/4.0>, abi <abi/4.0>,
include <tunables/global> include <tunables/global>


@ -54,7 +54,7 @@ in
p7zip p7zip
fbcat fbcat
# gomuks # gomuks
imagemagick imagemagick
nmap nmap


@ -43,7 +43,7 @@ let
'') '')
]; ];
}; };
helix-wrapped = pkgs.symlinkJoin { helix-wrapped = pkgs.symlinkJoin {
name = helix.pname; name = helix.pname;


@ -11,6 +11,7 @@
nix-output-monitor nix-output-monitor
nix-search-cli nix-search-cli
niv niv
nvd
vulnix vulnix
nix-init nix-init
]; ];


@ -1,8 +1,12 @@
{ stdenv, fetchFromGitHub, lib }: {
stdenv,
fetchFromGitHub,
lib,
}:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "stevenblack_block"; pname = "stevenblack_block";
version = "3.14.116"; version = "3.14.116";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "StevenBlack"; owner = "StevenBlack";
repo = "hosts"; repo = "hosts";


@ -21,7 +21,7 @@ let
rev = "981756147834bb485ebcfa0e41ad60d05ccc4351"; rev = "981756147834bb485ebcfa0e41ad60d05ccc4351";
hash = "sha256-5nFpEO/54MO6Esvkcqcyw2TI37ham70LkHtOXrYXfbY="; hash = "sha256-5nFpEO/54MO6Esvkcqcyw2TI37ham70LkHtOXrYXfbY=";
}; };
# inputs.ranger_udisk_menu; # inputs.ranger_udisk_menu;
}; };
in in
{ {


@ -31,7 +31,7 @@ in
# security.doas.enable = true; # security.doas.enable = true;
security.sudo.enable = true; security.sudo.enable = true;
security.doas.extraRules = [ security.doas.extraRules = [
{ {
users = attrNames (filterAttrs (n: v: v.isNormalUser) config.users.users); users = attrNames (filterAttrs (n: v: v.isNormalUser) config.users.users);
@ -46,7 +46,7 @@ in
gnupg gnupg
libsecret libsecret
vulnix vulnix
# agenix # agenix
yubikey-manager yubikey-manager
yubico-pam yubico-pam
@ -70,7 +70,9 @@ in
enableSSHSupport = true; enableSSHSupport = true;
}; };
grimmShared.firefox.plugins = mkIf (tooling.enable && tooling.pass) { "passff@invicem.pro" = "passff"; }; grimmShared.firefox.plugins = mkIf (tooling.enable && tooling.pass) {
"passff@invicem.pro" = "passff";
};
}; };
options.grimmShared.tooling.pass = mkEnableOption "Enables password-store, gnupg and such secret handling"; options.grimmShared.tooling.pass = mkEnableOption "Enables password-store, gnupg and such secret handling";


@ -1,4 +1,9 @@
{ pkgs, config, lib, ... }: {
pkgs,
config,
lib,
...
}:
let let
inherit (config.grimmShared) enable tooling; inherit (config.grimmShared) enable tooling;
inherit (lib) inherit (lib)
@ -11,25 +16,24 @@ in
{ {
config = mkIf (enable && tooling.enable) { config = mkIf (enable && tooling.enable) {
virtualisation.libvirtd.enable = true; virtualisation.libvirtd.enable = true;
programs.virt-manager.enable = true; programs.virt-manager.enable = true;
virtualisation.spiceUSBRedirection.enable = true; virtualisation.spiceUSBRedirection.enable = true;
# dconf.settings = { # dconf.settings = {
# "org/virt-manager/virt-manager/connections" = { # "org/virt-manager/virt-manager/connections" = {
# autoconnect = ["qemu:///system"]; # autoconnect = ["qemu:///system"];
# uris = ["qemu:///system"]; # uris = ["qemu:///system"];
# }; # };
# }; # };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
winetricks winetricks
wineWow64Packages.stagingFull wineWow64Packages.stagingFull
dotnetCorePackages.dotnet_9.sdk dotnetCorePackages.dotnet_9.sdk
# jetbrains.rider # jetbrains.rider
mono4 mono4
# (mono4.overrideAttrs { version="4.6.1"; sha256=""; }) # (mono4.overrideAttrs { version="4.6.1"; sha256=""; })
tesseract4 tesseract4
]; ];
}; };


@ -51,14 +51,14 @@ in
environment.sessionVariables = { environment.sessionVariables = {
XDG_CONFIG_HOME = "$HOME/.config"; XDG_CONFIG_HOME = "$HOME/.config";
XDG_DESKTOP_DIR="$HOME/Desktop"; XDG_DESKTOP_DIR = "$HOME/Desktop";
XDG_DOCUMENTS_DIR="$HOME/Documents"; XDG_DOCUMENTS_DIR = "$HOME/Documents";
XDG_DOWNLOAD_DIR="$HOME/Downloads"; XDG_DOWNLOAD_DIR = "$HOME/Downloads";
XDG_MUSIC_DIR="$HOME/Music"; XDG_MUSIC_DIR = "$HOME/Music";
XDG_PICTURES_DIR="$HOME/Pictures"; XDG_PICTURES_DIR = "$HOME/Pictures";
XDG_PUBLICSHARE_DIR="$HOME/Public"; XDG_PUBLICSHARE_DIR = "$HOME/Public";
XDG_TEMPLATES_DIR="$HOME/Templates"; XDG_TEMPLATES_DIR = "$HOME/Templates";
XDG_VIDEOS_DIR="$HOME/Videos"; XDG_VIDEOS_DIR = "$HOME/Videos";
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [


@ -3,7 +3,7 @@
imports = [ imports = [
./overlays ./overlays
./common ./common
# ./fake_flake.nix # ./fake_flake.nix
./users.nix ./users.nix
]; ];


@ -1,22 +1,32 @@
{ stdenv {
, lib stdenv,
, fetchFromGitHub lib,
, rustPlatform fetchFromGitHub,
, pkg-config rustPlatform,
, ncurses pkg-config,
, openssl ncurses,
, darwin openssl,
, withALSA ? stdenv.isLinux, alsa-lib darwin,
, withClipboard ? true, libxcb, python3 withALSA ? stdenv.isLinux,
, withCover ? false, ueberzug alsa-lib,
, withPulseAudio ? stdenv.isLinux, libpulseaudio withClipboard ? true,
, withPortAudio ? stdenv.isDarwin, portaudio libxcb,
, withMPRIS ? stdenv.isLinux, withNotify ? true, dbus python3,
, withCrossterm ? true withCover ? false,
, nix-update-script ueberzug,
, testers withPulseAudio ? stdenv.isLinux,
, ncspot libpulseaudio,
}: let withPortAudio ? stdenv.isDarwin,
portaudio,
withMPRIS ? stdenv.isLinux,
withNotify ? true,
dbus,
withCrossterm ? true,
nix-update-script,
testers,
ncspot,
}:
let
inherit (darwin.apple_sdk.frameworks) Cocoa; inherit (darwin.apple_sdk.frameworks) Cocoa;
in in
rustPlatform.buildRustPackage rec { rustPlatform.buildRustPackage rec {
@ -37,10 +47,10 @@ rustPlatform.buildRustPackage rec {
}; };
}; };
nativeBuildInputs = [ pkg-config ] nativeBuildInputs = [ pkg-config ] ++ lib.optional withClipboard python3;
++ lib.optional withClipboard python3;
buildInputs = [ ncurses ] buildInputs =
[ ncurses ]
++ lib.optional stdenv.isLinux openssl ++ lib.optional stdenv.isLinux openssl
++ lib.optional withALSA alsa-lib ++ lib.optional withALSA alsa-lib
++ lib.optional withClipboard libxcb ++ lib.optional withClipboard libxcb
@ -54,7 +64,8 @@ rustPlatform.buildRustPackage rec {
buildNoDefaultFeatures = true; buildNoDefaultFeatures = true;
buildFeatures = [ "cursive/pancurses-backend" ] buildFeatures =
[ "cursive/pancurses-backend" ]
++ lib.optional withALSA "alsa_backend" ++ lib.optional withALSA "alsa_backend"
++ lib.optional withClipboard "share_clipboard" ++ lib.optional withClipboard "share_clipboard"
++ lib.optional withCover "cover" ++ lib.optional withCover "cover"


@ -18,12 +18,12 @@
url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master"; url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
nixos-matrix-modules = { nixos-matrix-modules = {
url = "github:dali99/nixos-matrix-modules"; url = "github:dali99/nixos-matrix-modules";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
# ranger_udisk_menu.url = "git+https://git.grimmauld.de/Grimmauld/ranger_udisk_menu"; # ranger_udisk_menu.url = "git+https://git.grimmauld.de/Grimmauld/ranger_udisk_menu";
# glibc-eac.url = "github:Frogging-Family/glibc-eac"; # glibc-eac.url = "github:Frogging-Family/glibc-eac";
aagl-gtk-on-nix = { aagl-gtk-on-nix = {
url = "github:ezKEa/aagl-gtk-on-nix"; url = "github:ezKEa/aagl-gtk-on-nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -34,7 +34,18 @@
}; };
}; };
outputs = inputs @ { self, agenix, nixpkgs, chaotic, aagl-gtk-on-nix, nixos-mailserver, nixos-matrix-modules, aa-alias-manager, ... }: outputs =
inputs@{
self,
agenix,
nixpkgs,
chaotic,
aagl-gtk-on-nix,
nixos-mailserver,
nixos-matrix-modules,
aa-alias-manager,
...
}:
let let
patches = [ patches = [
./aa_mod.patch ./aa_mod.patch
@ -44,20 +55,26 @@
} }
]; ];
customNixosSystem = system: definitions: customNixosSystem =
system: definitions:
let let
unpatched = nixpkgs.legacyPackages.${system}; unpatched = nixpkgs.legacyPackages.${system};
patched = unpatched.applyPatches { patched = unpatched.applyPatches {
name = "nixpkgs-patched"; name = "nixpkgs-patched";
src = inputs.nixpkgs; src = inputs.nixpkgs;
patches = map (p: if (builtins.isPath p) then p else (unpatched.fetchpatch p)) patches; patches = map (p: if (builtins.isPath p) then p else (unpatched.fetchpatch p)) patches;
}; };
nixosSystem = import (patched + "/nixos/lib/eval-config.nix"); nixosSystem = import (patched + "/nixos/lib/eval-config.nix");
in in
nixosSystem ({ nixosSystem (
inherit system; {
specialArgs = { inherit inputs system; }; inherit system;
} // definitions); specialArgs = {
inherit inputs system;
};
}
// definitions
);
in in
{ {
nixosConfigurations = { nixosConfigurations = {
@ -67,7 +84,7 @@
chaotic.nixosModules.default chaotic.nixosModules.default
aagl-gtk-on-nix.nixosModules.default aagl-gtk-on-nix.nixosModules.default
./configuration.nix ./configuration.nix
./specific/grimm-nixos-laptop/configuration.nix ./specific/grimm-nixos-laptop/configuration.nix
]; ];
}; };
@ -78,7 +95,7 @@
aagl-gtk-on-nix.nixosModules.default aagl-gtk-on-nix.nixosModules.default
./configuration.nix ./configuration.nix
aa-alias-manager.nixosModules.default aa-alias-manager.nixosModules.default
./specific/grimm-nixos-ssd/configuration.nix ./specific/grimm-nixos-ssd/configuration.nix
]; ];
}; };
@ -87,11 +104,11 @@
agenix.nixosModules.default agenix.nixosModules.default
nixos-matrix-modules.nixosModules.default nixos-matrix-modules.nixosModules.default
nixos-mailserver.nixosModules.default nixos-mailserver.nixosModules.default
./configuration.nix ./configuration.nix
./specific/grimmauld-nixos-server/configuration.nix ./specific/grimmauld-nixos-server/configuration.nix
./modules ./modules
]; ];
}; };
}; };


@ -13,7 +13,7 @@ in
./nextcloud.nix ./nextcloud.nix
./prometheus.nix ./prometheus.nix
# ./mjolnir.nix # ./mjolnir.nix
# ./fail2ban.nix # ./fail2ban.nix
./email.nix ./email.nix
# ./discord-matrix-bridge.nix # ./discord-matrix-bridge.nix
./mastodon.nix ./mastodon.nix


@ -11,7 +11,9 @@ let
fqdn = vhosts.matrix_host.host; fqdn = vhosts.matrix_host.host;
base_url = "https://${fqdn}"; base_url = "https://${fqdn}";
clientConfig."m.homeserver" = {inherit base_url; }; # = "https://${vhosts.matrix_host.host}"; clientConfig."m.homeserver" = {
inherit base_url;
}; # = "https://${vhosts.matrix_host.host}";
serverConfig."m.server" = "${vhosts.matrix_host.host}:443"; serverConfig."m.server" = "${vhosts.matrix_host.host}:443";
mkWellKnown = data: '' mkWellKnown = data: ''
default_type application/json; default_type application/json;
@ -33,7 +35,6 @@ in
]; ];
}; };
services.matrix-synapse = { services.matrix-synapse = {
enable = true; enable = true;
settings.server_name = domain; settings.server_name = domain;
@ -43,21 +44,30 @@ in
# in client applications. # in client applications.
settings.public_baseurl = base_url; settings.public_baseurl = base_url;
settings.listeners = [ settings.listeners = [
{ port = 8008; {
port = 8008;
bind_addresses = [ "::1" ]; bind_addresses = [ "::1" ];
type = "http"; type = "http";
tls = false; tls = false;
x_forwarded = true; x_forwarded = true;
resources = [ { resources = [
names = [ "client" "federation" ]; {
compress = true; names = [
} ]; "client"
"federation"
];
compress = true;
}
];
} }
]; ];
settings.database = { settings.database = {
name = "psycopg2"; name = "psycopg2";
args = { user="synapse"; database= "synapse"; }; args = {
user = "synapse";
database = "synapse";
};
}; };
settings.log_config = ./matrix_synapse_log_config.yaml; settings.log_config = ./matrix_synapse_log_config.yaml;
settings.enable_registration = false; settings.enable_registration = false;
@ -75,47 +85,47 @@ in
]; ];
}; };
# services.matrix-synapse-next = { # services.matrix-synapse-next = {
# enable = true; # enable = true;
# #
# workers.federationSenders = 1; # workers.federationSenders = 1;
# workers.federationReceivers = 1; # workers.federationReceivers = 1;
# workers.initialSyncers = 1; # workers.initialSyncers = 1;
# workers.normalSyncers = 1; # workers.normalSyncers = 1;
# workers.eventPersisters = 2; # workers.eventPersisters = 2;
# workers.useUserDirectoryWorker = true; # workers.useUserDirectoryWorker = true;
# mainLogConfig = ./matrix_synapse_log_config.yaml; # mainLogConfig = ./matrix_synapse_log_config.yaml;
# #
# enableNginx = true; # enableNginx = true;
# enableSlidingSync = false; # enableSlidingSync = false;
# #
# settings = { # settings = {
# suppress_key_server_warning = true; # suppress_key_server_warning = true;
# server_name = domain; # server_name = domain;
# public_baseurl = "https://${domain}"; # public_baseurl = "https://${domain}";
# enable_registration = true; # enable_registration = true;
# registration_requires_token = true; # registration_requires_token = true;
# registration_shared_secret_path = config.age.secrets.synapse_registration_shared_secret.path; # registration_shared_secret_path = config.age.secrets.synapse_registration_shared_secret.path;
# # enable_registration_without_verification = true; # # enable_registration_without_verification = true;
# # mainLogConfig = ./matrix_synapse_log_config.yaml; # # mainLogConfig = ./matrix_synapse_log_config.yaml;
# #
# # registrations_require_3pid = [ "email" ]; # # registrations_require_3pid = [ "email" ];
# #
# database = { # database = {
# name = "psycopg2"; # name = "psycopg2";
# args = { # args = {
# host = "localhost"; # host = "localhost";
# port = config.services.postgresql.settings.port; # port = config.services.postgresql.settings.port;
# dbname = "synapse"; # dbname = "synapse";
# user = "synapse"; # user = "synapse";
# cp_min = 5; # cp_min = 5;
# cp_max = 10; # cp_max = 10;
# client_encoding = "auto"; # client_encoding = "auto";
# passfile = config.age.secrets.synapse_db_pass_prepared.path; # passfile = config.age.secrets.synapse_db_pass_prepared.path;
# }; # };
# }; # };
# }; # };
# }; # };
services.redis.servers."".enable = true; services.redis.servers."".enable = true;
age.secrets.synapse_db_pass = { age.secrets.synapse_db_pass = {
@ -141,100 +151,99 @@ in
matrix-synapse matrix-synapse
]; ];
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
services.nginx = { virtualHosts."${domain}" = {
enable = true; enableACME = true;
recommendedTlsSettings = true; forceSSL = true;
recommendedOptimisation = true; # This section is not needed if the server_name of matrix-synapse is equal to
recommendedGzipSettings = true; # the domain (i.e. example.org from @foo:example.org) and the federation port
recommendedProxySettings = true; # is 8448.
# Further reference can be found in the docs about delegation under
virtualHosts."${domain}" = { # https://element-hq.github.io/synapse/latest/delegate.html
enableACME = true; locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
forceSSL = true; # This is usually needed for homeserver discovery (from e.g. other Matrix clients).
# This section is not needed if the server_name of matrix-synapse is equal to # Further reference can be found in the upstream docs at
# the domain (i.e. example.org from @foo:example.org) and the federation port # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
# is 8448. locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
# Further reference can be found in the docs about delegation under
# https://element-hq.github.io/synapse/latest/delegate.html
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
# This is usually needed for homeserver discovery (from e.g. other Matrix clients).
# Further reference can be found in the upstream docs at
# https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
};
virtualHosts."${fqdn}" = {
enableACME = true;
forceSSL = true;
locations."/_matrix" = {
proxyPass = synapse_backend;
#extraConfig = ''
# add_header X-debug-backend ${synapse_backend};
# add_header X-debug-group $synapse_uri_group;
# client_max_body_size ${config.services.matrix-synapse-next.settings.max_upload_size};
# proxy_read_timeout 10m;
#'';
};
locations."/_synapse/client".proxyPass = synapse_backend;
};
}; };
# services.nginx = { virtualHosts."${fqdn}" = {
# enable = true; enableACME = true;
# virtualHosts."${domain}" = { forceSSL = true;
# forceSSL = true;
# enableACME = lib.mkForce false; # use the cert above, not some weird one that matrix-synapse module supplies locations."/_matrix" = {
# useACMEHost = domain; proxyPass = synapse_backend;
# locations."/.well-known/matrix/server" = { #extraConfig = ''
# return = "200 '{\"m.server\":\"${vhosts.matrix_host.host}:443\"}'"; # add_header X-debug-backend ${synapse_backend};
# extraConfig = '' # add_header X-debug-group $synapse_uri_group;
# default_type application/json; # client_max_body_size ${config.services.matrix-synapse-next.settings.max_upload_size};
# add_header Access-Control-Allow-Origin *; # proxy_read_timeout 10m;
# add_header Accept-Ranges bytes;''; #'';
# }; };
# locations."/.well-known/matrix/client" = { locations."/_synapse/client".proxyPass = synapse_backend;
# return = "200 '{\"m.homeserver\": {\"base_url\": \"https://${vhosts.matrix_host.host}\"}}'"; };
# extraConfig = '' };
# add_header Access-Control-Allow-Origin *;
# default_type application/json; # services.nginx = {
# ''; # enable = true;
# }; # virtualHosts."${domain}" = {
# locations."/_matrix" = { # forceSSL = true;
# proxyPass = "http://$synapse_backend"; # enableACME = lib.mkForce false; # use the cert above, not some weird one that matrix-synapse module supplies
# extraConfig = '' # useACMEHost = domain;
# add_header X-debug-backend $synapse_backend; # locations."/.well-known/matrix/server" = {
# add_header X-debug-group $synapse_uri_group; # return = "200 '{\"m.server\":\"${vhosts.matrix_host.host}:443\"}'";
# client_max_body_size ${config.services.matrix-synapse-next.settings.max_upload_size}; # extraConfig = ''
# proxy_read_timeout 10m; # default_type application/json;
# ''; # add_header Access-Control-Allow-Origin *;
# }; # add_header Accept-Ranges bytes;'';
# locations."/_synapse/client" = { # };
# proxyPass = "http://$synapse_backend"; # locations."/.well-known/matrix/client" = {
# }; # return = "200 '{\"m.homeserver\": {\"base_url\": \"https://${vhosts.matrix_host.host}\"}}'";
# locations."~ ^/_matrix/client/(r0|v3)/sync$" = { # extraConfig = ''
# proxyPass = "http://$synapse_backend"; # add_header Access-Control-Allow-Origin *;
# extraConfig = '' # default_type application/json;
# proxy_read_timeout 1h; # '';
# ''; # };
# }; # locations."/_matrix" = {
# locations."~ ^/_matrix/client/(api/v1|r0|v3)/initialSync$" = { # proxyPass = "http://$synapse_backend";
# proxyPass = "http://synapse_worker_initial_sync"; # extraConfig = ''
# extraConfig = '' # add_header X-debug-backend $synapse_backend;
# proxy_read_timeout 1h; # add_header X-debug-group $synapse_uri_group;
# ''; # client_max_body_size ${config.services.matrix-synapse-next.settings.max_upload_size};
# }; # proxy_read_timeout 10m;
# locations."~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$" = { # '';
# proxyPass = "http://synapse_worker_initial_sync"; # };
# extraConfig = '' # locations."/_synapse/client" = {
# proxy_read_timeout 1h; # proxyPass = "http://$synapse_backend";
# ''; # };
# }; # locations."~ ^/_matrix/client/(r0|v3)/sync$" = {
# # locations."/.well-known/matrix" = { # proxyPass = "http://$synapse_backend";
# proxyPass = "http://$synapse_backend"; # extraConfig = ''
# }; # proxy_read_timeout 1h;
# }; # '';
# }; # };
# locations."~ ^/_matrix/client/(api/v1|r0|v3)/initialSync$" = {
# proxyPass = "http://synapse_worker_initial_sync";
# extraConfig = ''
# proxy_read_timeout 1h;
# '';
# };
# locations."~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$" = {
# proxyPass = "http://synapse_worker_initial_sync";
# extraConfig = ''
# proxy_read_timeout 1h;
# '';
# };
# # locations."/.well-known/matrix" = {
# proxyPass = "http://$synapse_backend";
# };
# };
# };
# networking.firewall.allowedTCPPorts = [ 8448 8008 ]; # networking.firewall.allowedTCPPorts = [ 8448 8008 ];
} }


@ -1,7 +1,10 @@
{pkgs, ...}: { { pkgs, ... }:
{
# enable NAT # enable NAT
networking.nat.enable = true; networking.nat.externalInterface = "eth0"; networking.nat.enable = true;
networking.nat.internalInterfaces = [ "wg0" ]; networking.firewall = { networking.nat.externalInterface = "eth0";
networking.nat.internalInterfaces = [ "wg0" ];
networking.firewall = {
allowedUDPPorts = [ 51820 ]; allowedUDPPorts = [ 51820 ];
}; };
@ -18,18 +21,21 @@
# This allows the wireguard server to route your traffic to the internet and # This allows the wireguard server to route your traffic to the internet and
# hence be like a VPN For this to work you have to set the dnsserver IP of # hence be like a VPN For this to work you have to set the dnsserver IP of
# your router (or dnsserver of choice) in your clients # your router (or dnsserver of choice) in your clients
postSetup = '' ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens18 -j MASQUERADE postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens18 -j MASQUERADE
''; '';
# This undoes the above command # This undoes the above command
postShutdown = '' ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens18 -j MASQUERADE postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens18 -j MASQUERADE
''; '';
generatePrivateKeyFile = true; generatePrivateKeyFile = true;
peers = [ peers = [
{ {
publicKey="2aANdnPYtf78iXfwNVAtYjIlE5k/yDWvbdXZ2jw0hXk="; publicKey = "2aANdnPYtf78iXfwNVAtYjIlE5k/yDWvbdXZ2jw0hXk=";
allowedIPs = [ "10.100.0.2/32" ]; allowedIPs = [ "10.100.0.2/32" ];
} ]; }
];
}; };
}; };
environment.systemPackages = with pkgs; [ wireguard-tools ]; environment.systemPackages = with pkgs; [ wireguard-tools ];


@ -4,6 +4,9 @@ let
in in
{ {
factorio = prev.factorio.override ( factorio = prev.factorio.override (
{ versionsJson = ./versions.json; } // lib.optionalAttrs (builtins.pathExists loginFile) (import loginFile) {
versionsJson = ./versions.json;
}
// lib.optionalAttrs (builtins.pathExists loginFile) (import loginFile)
); );
} }


@ -1,4 +1,4 @@
{ prev, config, ... }: { prev, config, ... }:
{ {
ncspot = prev.callPackage ../custom/ncspot/package.nix { }; ncspot = prev.callPackage ../custom/ncspot/package.nix { };
} }


@ -9,7 +9,6 @@
age.identityPaths = [ "/home/grimmauld/.ssh/id_ed25519" ]; age.identityPaths = [ "/home/grimmauld/.ssh/id_ed25519" ];
services.zfs.trim.enable = true; services.zfs.trim.enable = true;
boot.supportedFilesystems.zfs = true; boot.supportedFilesystems.zfs = true;
networking.hostId = "2ea79333"; networking.hostId = "2ea79333";


@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }: {
config,
lib,
pkgs,
...
}:
{ {
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
@ -11,34 +16,36 @@
services.zfs.trim.enable = true; services.zfs.trim.enable = true;
boot.supportedFilesystems.zfs = true; boot.supportedFilesystems.zfs = true;
# security.pam.yubico.control = "required"; # security.pam.yubico.control = "required";
services.udev.extraRules = let services.udev.extraRules =
inherit (lib) getExe' getExe; let
inherit (pkgs) procps writeShellScriptBin; inherit (lib) getExe' getExe;
exitSway = writeShellScriptBin "kill-sway" '' inherit (pkgs) procps writeShellScriptBin;
for pid in $(${getExe' procps "pgrep"} sway -x) exitSway = writeShellScriptBin "kill-sway" ''
do for pid in $(${getExe' procps "pgrep"} sway -x)
uid=$(id -u $(${getExe' procps "ps"} -o user= -p $pid)) do
export SWAYSOCK="/run/user/$uid/sway-ipc.$uid.$pid.sock" uid=$(id -u $(${getExe' procps "ps"} -o user= -p $pid))
if [[ -e "$SWAYSOCK" ]] ; then export SWAYSOCK="/run/user/$uid/sway-ipc.$uid.$pid.sock"
echo "sock is $SWAYSOCK" if [[ -e "$SWAYSOCK" ]] ; then
${getExe' config.programs.sway.package "swaymsg"} exit echo "sock is $SWAYSOCK"
fi ${getExe' config.programs.sway.package "swaymsg"} exit
done fi
''; done
in '' '';
ACTION=="remove",\ in
ENV{SUBSYSTEM}=="usb",\ ''
ENV{PRODUCT}=="1050/407/543",\ ACTION=="remove",\
RUN+="${lib.getExe exitSway}" ENV{SUBSYSTEM}=="usb",\
# ''; ENV{PRODUCT}=="1050/407/543",\
RUN+="${lib.getExe exitSway}"
# '';
# RUN+="${lib.getExe' pkgs.systemd "loginctl"} lock-sessions" # RUN+="${lib.getExe' pkgs.systemd "loginctl"} lock-sessions"
# networking.hostId = "2ea79333"; # networking.hostId = "2ea79333";
# boot.kernelPackages = lib.mkForce config.boot.zfs.package.latestCompatibleLinuxPackages; # boot.kernelPackages = lib.mkForce config.boot.zfs.package.latestCompatibleLinuxPackages;
grimmShared = { grimmShared = {
tooling = { tooling = {


@ -1,24 +1,45 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: {
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = imports = [
[ (modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "uas" "sd_mod" "kvm-intel" ]; boot.initrd.availableKernelModules = [
boot.initrd.kernelModules = [ "zfs" "nls_cp437" "nls_iso8859-1" "usbhid" "usb_storage" "nvme" ]; "xhci_pci"
"ahci"
"nvme"
"usbhid"
"uas"
"sd_mod"
"kvm-intel"
];
boot.initrd.kernelModules = [
"zfs"
"nls_cp437"
"nls_iso8859-1"
"usbhid"
"usb_storage"
"nvme"
];
boot.zfs = { boot.zfs = {
forceImportRoot = false; forceImportRoot = false;
requestEncryptionCredentials = false; # none of the zfs datasets that should be mounted are encrypted. User homes happen later. requestEncryptionCredentials = false; # none of the zfs datasets that should be mounted are encrypted. User homes happen later.
# [ # [
# "zpool/home" # "zpool/home"
# "zpool/root" # "zpool/root"
# "zpool/nix" # "zpool/nix"
# "zpool/var" # "zpool/var"
# ]; # ];
}; };
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.supportedFilesystems.zfs = true; boot.supportedFilesystems.zfs = true;
@ -29,38 +50,41 @@
boot.kernelParams = [ "mds=full,nosmt" ]; boot.kernelParams = [ "mds=full,nosmt" ];
services.homed.enable = true; services.homed.enable = true;
fileSystems."/" = fileSystems."/" = {
{ device = "zpool/root"; device = "zpool/root";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/nix" = fileSystems."/nix" = {
{ device = "zpool/nix"; device = "zpool/nix";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/var" = fileSystems."/var" = {
{ device = "zpool/var"; device = "zpool/var";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/etc/nixos" =
{ device = "zpool/nix_conf";
fsType = "zfs";
options = [ "noacl" ];
};
# fileSystems."/home" = fileSystems."/etc/nixos" = {
# { device = "zpool/home"; device = "zpool/nix_conf";
# fsType = "zfs"; fsType = "zfs";
# }; options = [ "noacl" ];
};
fileSystems."/boot" = # fileSystems."/home" =
{ device = "/dev/disk/by-uuid/12CE-A600"; # { device = "zpool/home";
fsType = "vfat"; # fsType = "zfs";
options = [ "fmask=0022" "dmask=0022" "umask=077" ]; # };
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/12CE-A600";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
"umask=077"
];
};
grimmShared = { grimmShared = {
screens = { screens = {
@ -80,17 +104,16 @@
laptop_hardware.enable = true; laptop_hardware.enable = true;
}; };
# fileSystems."/crypt-storage" =
# { device = "/dev/disk/by-uuid/6f0d65a8-24f0-439d-b5ee-03c0ef051fcb";
# fsType = "ext4";
# options = [ "umask=077" ]; # read only so a fat-finger can't accidentially bonk our salts, rendering the disk useless.
# };
# fileSystems."/crypt-storage" = # fileSystems."/home/grimmauld" =
# { device = "/dev/disk/by-uuid/6f0d65a8-24f0-439d-b5ee-03c0ef051fcb"; # { device = "zpool/home/grimmauld";
# fsType = "ext4"; # fsType = "zfs";
# options = [ "umask=077" ]; # read only so a fat-finger can't accidentially bonk our salts, rendering the disk useless. # };
# };
# fileSystems."/home/grimmauld" =
# { device = "zpool/home/grimmauld";
# fsType = "zfs";
# };
security.pam = { security.pam = {
zfs = { zfs = {
@ -105,14 +128,14 @@
device = "/dev/disk/by-uuid/6e6ca6b4-cfd5-4384-955b-bad9c48fa9d6"; # /dev/sda3 device = "/dev/disk/by-uuid/6e6ca6b4-cfd5-4384-955b-bad9c48fa9d6"; # /dev/sda3
preLVM = true; preLVM = true;
allowDiscards = true; allowDiscards = true;
yubikey = { yubikey = {
slot = 2; slot = 2;
twoFactor = true; # Set to false for 1FA twoFactor = true; # Set to false for 1FA
gracePeriod = 30; # Time in seconds to wait for Yubikey to be inserted gracePeriod = 30; # Time in seconds to wait for Yubikey to be inserted
keyLength = 64; # Set to $KEY_LENGTH/8 keyLength = 64; # Set to $KEY_LENGTH/8
saltLength = 16; # Set to $SALT_LENGTH saltLength = 16; # Set to $SALT_LENGTH
storage = { storage = {
device = "/dev/disk/by-uuid/6f0d65a8-24f0-439d-b5ee-03c0ef051fcb"; # same ID as the crypt-storage mount earlier device = "/dev/disk/by-uuid/6f0d65a8-24f0-439d-b5ee-03c0ef051fcb"; # same ID as the crypt-storage mount earlier
fsType = "ext4"; fsType = "ext4";
@ -123,7 +146,7 @@
swapDevices = [ swapDevices = [
#{ #{
# device = "zpool/swap"; # device = "zpool/swap";
# device = "/dev/zvol/zpool/swap"; # device = "/dev/zvol/zpool/swap";
#} #}
]; ];


@ -1,4 +1,9 @@
{ pkgs, lib, config, ... }: {
pkgs,
lib,
config,
...
}:
{ {
imports = [ ./bar ]; imports = [ ./bar ];
@ -51,113 +56,122 @@
urgentcol = "#9e3c3c"; urgentcol = "#9e3c3c";
realwhite = "#C7D3E3"; realwhite = "#C7D3E3";
}; };
keybinds = { keybinds =
"$mod+d" = "exec $menu"; {
"$mod+Shift+d" = "exec $menu_run"; "$mod+d" = "exec $menu";
"$mod+Shift+s" = ''exec ${getExe grim} -g "$(${getExe slurp} -d)" - | wl-copy''; "$mod+Shift+d" = "exec $menu_run";
"$mod+Shift+Return" = "exec ${getExe xdg-terminal-exec} xonsh"; "$mod+Shift+s" = ''exec ${getExe grim} -g "$(${getExe slurp} -d)" - | wl-copy'';
"$mod+Return" = "exec ${getExe xdg-terminal-exec}"; "$mod+Shift+Return" = "exec ${getExe xdg-terminal-exec} xonsh";
"$mod+Shift+q" = "kill"; "$mod+Return" = "exec ${getExe xdg-terminal-exec}";
"$mod+Shift+c" = "reload"; "$mod+Shift+q" = "kill";
"$mod+Shift+e" = "exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -B 'Yes, exit sway' 'swaymsg exit'"; "$mod+Shift+c" = "reload";
"$mod+Shift+e" = "exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -B 'Yes, exit sway' 'swaymsg exit'";
# Move your focus around # Move your focus around
"$mod+$left" = "focus left"; "$mod+$left" = "focus left";
"$mod+$down" = "focus down"; "$mod+$down" = "focus down";
"$mod+$up" = "focus up"; "$mod+$up" = "focus up";
"$mod+$right" = "focus right"; "$mod+$right" = "focus right";
# Or use $mod+[up|down|left|right] # Or use $mod+[up|down|left|right]
"$mod+Left" = "focus left"; "$mod+Left" = "focus left";
"$mod+Down" = "focus down"; "$mod+Down" = "focus down";
"$mod+Up" = "focus up"; "$mod+Up" = "focus up";
"$mod+Right" = "focus right"; "$mod+Right" = "focus right";
# Move the focused window with the same, but add Shift # Move the focused window with the same, but add Shift
"$mod+Shift+$left" = "move left"; "$mod+Shift+$left" = "move left";
"$mod+Shift+$down" = "move down"; "$mod+Shift+$down" = "move down";
"$mod+Shift+$up" = "move up"; "$mod+Shift+$up" = "move up";
"$mod+Shift+$right" = "move right"; "$mod+Shift+$right" = "move right";
# Ditto, with arrow keys # Ditto, with arrow keys
"$mod+Shift+Left" = "move left"; "$mod+Shift+Left" = "move left";
"$mod+Shift+Down" = "move down"; "$mod+Shift+Down" = "move down";
"$mod+Shift+Up" = "move up"; "$mod+Shift+Up" = "move up";
"$mod+Shift+Right" = "move right"; "$mod+Shift+Right" = "move right";
# Layout stuff:
#
# You can "split" the current object of your focus with
# $mod+b or $mod+v, for horizontal and vertical splits
# respectively.
"$mod+b" = "splith";
"$mod+v" = "splitv";
# Switch the current container between different layout styles # Layout stuff:
"$mod+s" = "layout stacking"; #
"$mod+w" = "layout tabbed"; # You can "split" the current object of your focus with
"$mod+e" = "layout toggle split"; # $mod+b or $mod+v, for horizontal and vertical splits
# respectively.
"$mod+b" = "splith";
"$mod+v" = "splitv";
# Make the current focus fullscreen # Switch the current container between different layout styles
"$mod+f" = "fullscreen"; "$mod+s" = "layout stacking";
"$mod+w" = "layout tabbed";
"$mod+e" = "layout toggle split";
# Toggle the current focus between tiling and floating mode # Make the current focus fullscreen
"$mod+Shift+space" = "floating toggle"; "$mod+f" = "fullscreen";
# Swap focus between the tiling area and the floating area # Toggle the current focus between tiling and floating mode
"$mod+space" = "focus mode_toggle"; "$mod+Shift+space" = "floating toggle";
# Move focus to the parent container # Swap focus between the tiling area and the floating area
"$mod+a" = "focus parent"; "$mod+space" = "focus mode_toggle";
"$mod+Shift+minus" = "move scratchpad"; # Move focus to the parent container
"$mod+minus" = "scratchpad show"; "$mod+a" = "focus parent";
"$mod+r" = "mode \"resize\""; "$mod+Shift+minus" = "move scratchpad";
"$mod+minus" = "scratchpad show";
XF86AudioRaiseVolume = "exec pactl set-sink-volume @DEFAULT_SINK@ +5%"; "$mod+r" = "mode \"resize\"";
XF86AudioLowerVolume = "exec pactl set-sink-volume @DEFAULT_SINK@ -5%";
"Shift+XF86AudioLowerVolume" = "exec pactl set-source-volume @DEFAULT_SOURCE@ -5%"; XF86AudioRaiseVolume = "exec pactl set-sink-volume @DEFAULT_SINK@ +5%";
"Shift+XF86AudioRaiseVolume" = "exec pactl set-source-volume @DEFAULT_SOURCE@ +5%"; XF86AudioLowerVolume = "exec pactl set-sink-volume @DEFAULT_SINK@ -5%";
XF86AudioMute = "exec pactl set-sink-mute @DEFAULT_SINK@ toggle"; "Shift+XF86AudioLowerVolume" = "exec pactl set-source-volume @DEFAULT_SOURCE@ -5%";
XF86AudioPlay = "exec playerctl play-pause"; "Shift+XF86AudioRaiseVolume" = "exec pactl set-source-volume @DEFAULT_SOURCE@ +5%";
XF86AudioNext = "exec playerctl next"; XF86AudioMute = "exec pactl set-sink-mute @DEFAULT_SINK@ toggle";
XF86AudioPrev = "exec playerctl previous"; XF86AudioPlay = "exec playerctl play-pause";
"$mod+c" = "exec ${getExe swaymux}"; XF86AudioNext = "exec playerctl next";
XF86MonBrightnessUp = "exec ${getExe brightnessctl} s 10+%"; XF86AudioPrev = "exec playerctl previous";
XF86MonBrightnessDown = "exec ${getExe brightnessctl} s 10-%"; "$mod+c" = "exec ${getExe swaymux}";
XF86Explorer = "exec ${getExe xdg-terminal-exec} ${getExe ranger}"; XF86MonBrightnessUp = "exec ${getExe brightnessctl} s 10+%";
XF86Search = "exec ${getExe searchclip}"; XF86MonBrightnessDown = "exec ${getExe brightnessctl} s 10-%";
XF86HomePage = XF86Explorer = "exec ${getExe xdg-terminal-exec} ${getExe ranger}";
XF86Search = "exec ${getExe searchclip}";
XF86HomePage =
let
open = pkgs.writeShellScriptBin "open_or_switch_browser" ''
browser=$(xdg-settings get default-web-browser | sed "s/\.desktop//")
swaymsg [app_id="$browser"] focus || ${getExe deskwhich} $browser | xargs gio launch
'';
in
"exec ${getExe open}";
XF86Tools =
let
open = pkgs.writeShellScriptBin "open_or_switch_spotify" ''
# FIXME: spotify is being weird
while IFS= read -r pid; do
swaymsg [pid=$pid] focus && exit 0
done <<< $(pgrep spotify -u "$(whoami)")
${getExe deskwhich} spotify | xargs gio launch
'';
in
"exec ${getExe open}"; # for some reason tools = audio media on my keyboard??
XF86Mail =
let
open = pkgs.writeShellScriptBin "open_or_switch_mail" ''
desk=$(xdg-settings get default-url-scheme-handler mailto | sed "s/\.desktop//")
swaymsg [app_id="$desk"] focus || ${getExe deskwhich} $desk | xargs gio launch
'';
in
"exec ${getExe open}";
# XF86Bluetooth = "exec blueman-manager";
}
// (
let let
open = pkgs.writeShellScriptBin "open_or_switch_browser" '' inherit (builtins) toString;
browser=$(xdg-settings get default-web-browser | sed "s/\.desktop//")
swaymsg [app_id="$browser"] focus || ${getExe deskwhich} $browser | xargs gio launch
'';
in in
"exec ${getExe open}"; lib.mergeAttrsList (
XF86Tools = map (n: {
let "$mod+${toString n}" = "workspace number ${toString n}";
open = pkgs.writeShellScriptBin "open_or_switch_spotify" '' "$mod+Shift+${toString n}" = "move container to workspace number ${toString n}";
# FIXME: spotify is being weird }) (lib.range 0 9)
while IFS= read -r pid; do )
swaymsg [pid=$pid] focus && exit 0 );
done <<< $(pgrep spotify -u "$(whoami)")
${getExe deskwhich} spotify | xargs gio launch
'';
in
"exec ${getExe open}"; # for some reason tools = audio media on my keyboard??
XF86Mail =
let
open = pkgs.writeShellScriptBin "open_or_switch_mail" ''
desk=$(xdg-settings get default-url-scheme-handler mailto | sed "s/\.desktop//")
swaymsg [app_id="$desk"] focus || ${getExe deskwhich} $desk | xargs gio launch
'';
in
"exec ${getExe open}";
# XF86Bluetooth = "exec blueman-manager";
} // (let inherit (builtins) toString; in lib.mergeAttrsList (map (n: {
"$mod+${toString n}" = "workspace number ${toString n}";
"$mod+Shift+${toString n}" = "move container to workspace number ${toString n}";
}) (lib.range 0 9)));
autolaunch = [ autolaunch = [
(getExe' pkgs.dbus "dbus-update-activation-environment") (getExe' pkgs.dbus "dbus-update-activation-environment")
(getExe' pkgs.xdg-user-dirs "xdg-user-dirs-update") (getExe' pkgs.xdg-user-dirs "xdg-user-dirs-update")


@ -10,7 +10,6 @@
# shell = pkgs.xonsh; # shell = pkgs.xonsh;
description = "grimmauld"; description = "grimmauld";
openssh.authorizedKeys.keys = (import ./authorizedKeys.nix); openssh.authorizedKeys.keys = (import ./authorizedKeys.nix);
extraGroups = lib.intersectLists (lib.attrNames config.users.groups) [ extraGroups = lib.intersectLists (lib.attrNames config.users.groups) [
"networkmanager" "networkmanager"
@ -41,8 +40,8 @@
[ [
vesktop vesktop
obs-studio obs-studio
# element-desktop # element-desktop
# ghidra # ghidra
rmview rmview
] ]
); );