Grimmauld/grimm-nixos-laptop
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: Grimmauld:main
Branches Tags
Grimmauld:main
Grimmauld:server-migration
..
compare: Grimmauld:server-migration
Branches Tags
Grimmauld:main
Grimmauld:server-migration

No commits in common. "main" and "server-migration" have entirely different histories.
main ... server-mig

203 changed files with 2441 additions and 9047 deletions
Show stats Expand all files Collapse all files

1
authorizedKeys.nix
View file

@ -4,5 +4,4 @@
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCy7X5ByG4/9y2XkQSnXcpMGnV5WPGUd+B6FaYCDNmPQ7xIZEteS+kCpu9oiMP6C/H/FT+i9DZvCflkzgdFAyujYLKRYaZbZ3K6F60qN0rkJ0z/ZO5c6rqwIwR6BEoB7dq5inkyH9fZ8/SI+PXxELmeWF9ehT7kkQC+o9Ujpcjd7ZuZllbAz4UQZFRbbpwdVJCEDenu9/63yuYbvMupgGk0edaTiFT0Q9MSzs/3pNP8xlAxmmZ3HzSjeF7gUzBF7CaIroTeguiUjSVybUEx48P8fy878t7dUZf4anEno9MS0B3aqfZvCKuuPdAUdeBfCbFHRqN7GuCylFIXGPe95Mxl grimmauld@grimmauld-nixos" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCy7X5ByG4/9y2XkQSnXcpMGnV5WPGUd+B6FaYCDNmPQ7xIZEteS+kCpu9oiMP6C/H/FT+i9DZvCflkzgdFAyujYLKRYaZbZ3K6F60qN0rkJ0z/ZO5c6rqwIwR6BEoB7dq5inkyH9fZ8/SI+PXxELmeWF9ehT7kkQC+o9Ujpcjd7ZuZllbAz4UQZFRbbpwdVJCEDenu9/63yuYbvMupgGk0edaTiFT0Q9MSzs/3pNP8xlAxmmZ3HzSjeF7gUzBF7CaIroTeguiUjSVybUEx48P8fy878t7dUZf4anEno9MS0B3aqfZvCKuuPdAUdeBfCbFHRqN7GuCylFIXGPe95Mxl grimmauld@grimmauld-nixos"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClLZhya2A7SoRSX2DNNM6OWgnGhtOFUor/WdyY59L0l6u5tEo9VyX5bCR84eo+uN4jyahSiGD1WC3RGIoNtHuSkKPxr0rqQhlbuyxraHGj7hOLhcGWRd2eIdsntbma7uPsn4zC0skKjpVNR7PU4LfSxti0gBhgq6uQhMtlfywwJshmwt55q7oT/zC449Uz2vyviy7sQ53R9YoOWEjB/+vU8jHxGlqLatXhOGKlBtrQxKm8PZ6jBYxAC6sGA4APIHWC3KC0S0X7wlmi42Dx9bbBm0rUjy095vRZ22fkE8x9OSTKDY/vFTLw5vwVMa8dACfA1Kc0+EpgOK77lZddeTvD grimmauld.de" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClLZhya2A7SoRSX2DNNM6OWgnGhtOFUor/WdyY59L0l6u5tEo9VyX5bCR84eo+uN4jyahSiGD1WC3RGIoNtHuSkKPxr0rqQhlbuyxraHGj7hOLhcGWRd2eIdsntbma7uPsn4zC0skKjpVNR7PU4LfSxti0gBhgq6uQhMtlfywwJshmwt55q7oT/zC449Uz2vyviy7sQ53R9YoOWEjB/+vU8jHxGlqLatXhOGKlBtrQxKm8PZ6jBYxAC6sGA4APIHWC3KC0S0X7wlmi42Dx9bbBm0rUjy095vRZ22fkE8x9OSTKDY/vFTLw5vwVMa8dACfA1Kc0+EpgOK77lZddeTvD grimmauld.de"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJhM1Fk5ix4OZAdlfCxL891KxeEKpyIFrP5yYkC9mg7E grimmauld@grimmauld-nixos" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJhM1Fk5ix4OZAdlfCxL891KxeEKpyIFrP5yYkC9mg7E grimmauld@grimmauld-nixos"
(builtins.readFile ./ssh/id_ed25519_sk.pub)
] ]

214
common/cloudsync.nix
View file

@ -5,121 +5,117 @@
... ...
}: }:
let let
inherit (lib) cfg = config.grimmShared;
types sync_mod =
mkOption with lib;
concatStrings types.submodule (
getExe' { config, ... }:
mkIf {
mkEnableOption
;
inherit (config.grimmShared) enable cloudSync;
inherit (pkgs) nextcloud-client writeShellScriptBin;
sync_mod = types.submodule (
{ config, ... }:
{
options = {
remote = mkOption {
type = types.nonEmptyStr;
description = "path on the cloud server";
};
local = mkOption {
type = types.nonEmptyStr;
default = "$HOME/" + (concatStrings (builtins.match "/*(.+)" config.remote));
description = "local path to sync";
};
};
}
);
in
{
config = mkIf (enable && cloudSync.enable) (
let
cloud_cmd = ''${getExe' nextcloud-client "nextcloudcmd"} -u ${cloudSync.username} -p "$(${getExe' pkgs.coreutils-full "cat"} ${cloudSync.passwordFile})" -h -n --path'';
sync_server = "https://${cloudSync.server}";
in
{
environment.systemPackages = [
(writeShellScriptBin "cloudsync-cmd" (cloud_cmd + " $@ " + sync_server))
nextcloud-client
];
systemd.services = lib.mkMerge (
lib.mapAttrsToList (
local_user: user_conf:
let
paths = user_conf.syncPaths;
sync_script = lib.strings.concatLines (
map (
{ local, remote }:
let
remote_clean = lib.strings.concatStrings (builtins.match "/*(.+)" remote);
in
"${cloud_cmd} /${remote_clean} ${local} ${sync_server} 1> /dev/null"
) paths
);
in
{
# user-specific sync jobs
"nextcloud-autosync-${local_user}" = lib.mkIf (paths != [ ]) {
description = "Auto sync Nextcloud";
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig.Type = "simple";
serviceConfig.User = local_user;
serviceConfig.Group = "users";
script = sync_script;
# TimeoutStopSec = "180";
# KillMode = "process";
# KillSignal = "SIGINT";
wantedBy = [ "multi-user.target" ];
enable = true;
};
}
) config.users.users
);
systemd.timers = lib.mkMerge (
lib.mapAttrsToList (
local_user: user_conf:
let
paths = user_conf.syncPaths;
in
{
# user-specific sync jobs
"nextcloud-autosync-${local_user}" = lib.mkIf (paths != [ ]) {
description = "Automatic sync files with Nextcloud when booted up after 5 minutes then rerun every 60 minutes";
timerConfig.OnBootSec = "5min";
timerConfig.OnUnitActiveSec = "60min";
wantedBy = [
"multi-user.target"
"timers.target"
];
enable = true;
};
}
) config.users.users
);
}
);
options.users.users = mkOption {
type = types.attrsOf (
types.submodule {
options = { options = {
syncPaths = mkOption { remote = mkOption {
type = types.listOf sync_mod; type = types.nonEmptyStr;
default = [ ]; description = "path on the cloud server";
description = "paths to sync via nextcloud"; };
local = mkOption {
type = types.nonEmptyStr;
default = "$HOME/" + (concatStrings (builtins.match "/*(.+)" config.remote));
description = "local path to sync";
}; };
}; };
} }
); );
}; in
{
config =
with cfg;
lib.mkIf (enable && cloudSync.enable) (
let
cloud_cmd = ''${pkgs.nextcloud-client}/bin/nextcloudcmd -u ${config.grimmShared.cloudSync.username} -p "$(cat ${config.grimmShared.cloudSync.passwordFile})" -h -n --path'';
sync_server = "https://${config.grimmShared.cloudSync.server}";
in
{
environment.systemPackages = with pkgs; [
(writeShellScriptBin "cloudsync-cmd" (cloud_cmd + " $@ " + sync_server))
nextcloud-client
];
options.grimmShared.cloudSync = { systemd.services = lib.mkMerge (
lib.mapAttrsToList (
local_user: user_conf:
let
paths = user_conf.syncPaths;
sync_script = lib.strings.concatLines (
map (
{ local, remote }:
let
remote_clean = lib.strings.concatStrings (builtins.match "/*(.+)" remote);
in
"${cloud_cmd} /${remote_clean} ${local} ${sync_server}"
) paths
);
in
{
# user-specific sync jobs
"nextcloud-autosync-${local_user}" = lib.mkIf (paths != [ ]) {
description = "Auto sync Nextcloud";
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig.Type = "simple";
serviceConfig.User = local_user;
serviceConfig.Group = "users";
script = sync_script;
# TimeoutStopSec = "180";
# KillMode = "process";
# KillSignal = "SIGINT";
wantedBy = [ "multi-user.target" ];
enable = true;
};
}
) config.users.users
);
systemd.timers = lib.mkMerge (
lib.mapAttrsToList (
local_user: user_conf:
let
paths = user_conf.syncPaths;
in
{
# user-specific sync jobs
"nextcloud-autosync-${local_user}" = lib.mkIf (paths != [ ]) {
description = "Automatic sync files with Nextcloud when booted up after 5 minutes then rerun every 60 minutes";
timerConfig.OnBootSec = "5min";
timerConfig.OnUnitActiveSec = "60min";
wantedBy = [
"multi-user.target"
"timers.target"
];
enable = true;
};
}
) config.users.users
);
}
);
options.users.users =
with lib;
mkOption {
type = types.attrsOf (
types.submodule {
options = {
syncPaths = mkOption {
type = types.listOf sync_mod;
default = [ ];
description = "paths to sync via nextcloud";
};
};
}
);
};
options.grimmShared.cloudSync = with lib; {
enable = mkEnableOption "cloud_sync"; enable = mkEnableOption "cloud_sync";
username = mkOption { username = mkOption {

1
common/databases/default.nix
View file

@ -1 +0,0 @@
{ imports = [ ./postgres.nix ]; }

72
common/databases/postgres.nix
View file

@ -1,72 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (lib)
types
concatLines
optionalString
mkOption
;
createPasswords = pkgs.writeText "psql-password-def" (
concatLines (
map (
s:
optionalString (!isNull s.passFile) ''
DO $$
DECLARE password TEXT;
BEGIN
password := trim(both from replace(pg_read_file('${s.passFile}'), E'\n', '''));
EXECUTE format('ALTER ROLE ${s.name} WITH PASSWORD '''%s''';', password);
END $$;
''
) config.services.postgresql.ensureUsers
)
);
in
{
config = {
systemd.services.postgresql.postStart = "$PSQL -tA -f ${createPasswords}";
services.postgresql = {
package = pkgs.postgresql_15;
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all peer map=superuser_map
local all all peer
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
local replication all peer
host replication all 127.0.0.1/32 md5
host replication all ::1/128 md5
'';
identMap = ''
# ArbitraryMapName systemUser DBUser
superuser_map root postgres
superuser_map matrix-synapse synapse
superuser_map postgres-exporter postgres
# Let other names login as themselves
superuser_map /^(.*)$ \1
'';
};
};
options.services.postgresql.ensureUsers = mkOption {
type = types.listOf (
types.submodule {
options = {
passFile = mkOption {
type = types.nullOr types.path;
default = null;
description = "path to a password file containing the password to be set";
};
};
}
);
};
}

10
common/default.nix
View file

@ -1,4 +1,9 @@
{ lib, ... }: {
config,
lib,
pkgs,
...
}:
with lib; with lib;
{ {
options.grimmShared = { options.grimmShared = {
@ -15,8 +20,7 @@ with lib;
./graphics ./graphics
./gaming.nix ./gaming.nix
./firefox.nix ./firefox.nix
# ./cloudsync.nix ./cloudsync.nix
./hardware ./hardware
./databases
]; ];
} }

117
common/firefox.nix
View file

@ -5,75 +5,68 @@
... ...
}: }:
let let
inherit (config.grimmShared) cfg = config.grimmShared;
enable
firefox
locale
sway
;
inherit (lib)
mkIf
optionals
mapAttrs
optionalAttrs
;
in in
{ {
config = mkIf (enable && firefox.enable) { config =
environment.systemPackages = with cfg;
[ ] lib.mkIf (enable && firefox.enable) {
++ optionals config.services.desktopManager.plasma6.enable [ pkgs.plasma-browser-integration ]; environment.systemPackages =
[ ]
++ lib.optionals config.services.desktopManager.plasma6.enable [ pkgs.plasma-browser-integration ];
programs.firefox = { programs.firefox = {
# package = pkgs.firefox-beta; package = pkgs.firefox-beta;
enable = true; enable = true;
languagePacks = optionals locale [ nativeMessagingHosts.packages =
"de" [ ]
"en-US" ++ lib.optionals (cfg.tooling.enable && cfg.tooling.pass) [ pkgs.passff-host ];
]; languagePacks = lib.optionals cfg.locale [
policies = { "de"
ExtensionSettings = "en-US"
# (mkIf firefox.disableUserPlugins { "*".installation_mode = "blocked"; }) // ];
( policies = {
mapAttrs (guid: shortId: { ExtensionSettings = lib.mkMerge [
# explicit plugins by config (lib.mkIf cfg.firefox.disableUserPlugins { "*".installation_mode = "blocked"; })
(lib.mapAttrs (guid: shortId: {
# explicit plugins by config
install_url = "https://addons.mozilla.org/en-US/firefox/downloads/latest/${shortId}/latest.xpi"; install_url = "https://addons.mozilla.org/en-US/firefox/downloads/latest/${shortId}/latest.xpi";
installation_mode = "force_installed"; installation_mode = "force_installed";
}) config.grimmShared.firefox.plugins }) cfg.firefox.plugins)
); (lib.mkIf (cfg.tooling.enable && cfg.tooling.pass) {
DisableTelemetry = true; # password-store support
DisableFirefoxStudies = true; "passff@invicem.pro" = {
EnableTrackingProtection = { install_url = "https://addons.mozilla.org/firefox/downloads/latest/passff/latest.xpi";
Value = true; installation_mode = "force_installed";
Locked = true; };
Cryptomining = true; })
Fingerprinting = true; ];
}; DisableTelemetry = true;
DisablePocket = true; DisableFirefoxStudies = true;
DisableFirefoxAccounts = true; EnableTrackingProtection = {
DisableAccounts = true; Value = true;
DisableFirefoxScreenshots = true; Locked = true;
OverrideFirstRunPage = ""; Cryptomining = true;
OverridePostUpdatePage = ""; Fingerprinting = true;
DontCheckDefaultBrowser = true; };
Preferences = { DisablePocket = true;
"pdfjs.enableScripting" = false; DisableFirefoxAccounts = true;
DisableAccounts = true;
DisableFirefoxScreenshots = true;
OverrideFirstRunPage = "";
OverridePostUpdatePage = "";
DontCheckDefaultBrowser = true;
Preferences = {
"pdfjs.enableScripting" = false;
"media.hardware-video-decoding.enabled" = true; "media.hardware-video-decoding.enabled" = true;
"media.ffmpeg.vaapi.enabled" = true; "media.ffmpeg.vaapi.enabled" = true;
"network.dns.disableIPv6" = true; "media.rdd-ffmpeg.enabled" = true;
# "network.dns.DNS_HTTPS.domain" = "::1"; "media.navigator.mediadatadecoder_vpx_enabled" = true;
"network.connectivity-service.DNSv4.domain" = "127.0.0.1"; } // lib.optionalAttrs cfg.sway.enable { "browser.tabs.inTitlebar" = 0; };
"network.connectivity-service.DNSv6.domain" = "::1"; };
network.dns.localDomains = "::1";
network.dns.forceResolve = true;
"media.peerconnection.enabled" = false;
"media.rdd-ffmpeg.enabled" = true;
"media.navigator.mediadatadecoder_vpx_enabled" = true;
} // optionalAttrs sway.enable { "browser.tabs.inTitlebar" = 0; };
}; };
}; };
};
options.grimmShared.firefox = with lib; { options.grimmShared.firefox = with lib; {
enable = mkEnableOption "grimm-firefox"; enable = mkEnableOption "grimm-firefox";
@ -84,6 +77,6 @@ in
description = "set of plugins to install. Format: guid = short-id"; description = "set of plugins to install. Format: guid = short-id";
}; };
disableUserPlugins = mkEnableOption "disables user controlled plugins"; disableUserPlugins = lib.mkEnableOption "disables user controlled plugins";
}; };
} }

99
common/gaming.nix
View file

@ -5,63 +5,58 @@
... ...
}: }:
let let
inherit (config.grimmShared) enable gaming; cfg = config.grimmShared;
inherit (lib)
mkIf
getExe
mkEnableOption
optional
;
in in
{ {
config = mkIf (enable && gaming) { config =
programs.steam = { with cfg;
enable = true; lib.mkIf (enable && gaming) {
gamescopeSession.env = { programs.steam = {
DRI_PRIME = "1"; enable = true;
}; gamescopeSession.enable = true;
extraCompatPackages = with pkgs; [ proton-ge-bin ]; gamescopeSession.env = {
# extest.enable = true; DRI_PRIME = "1";
};
programs.gamemode = {
enable = true;
settings = {
general = {
inhibit_screensaver = 0;
renice = 10;
}; };
custom = { extraCompatPackages = with pkgs; [ proton-ge-bin ];
start = "${lib.getExe pkgs.libnotify} 'GameMode started'"; # extest.enable = true;
end = "${lib.getExe pkgs.libnotify} 'GameMode ended'"; };
programs.gamemode = {
enable = true;
settings = {
general = {
inhibit_screensaver = 0;
renice = 10;
};
custom = {
start = "${lib.getExe pkgs.libnotify} 'GameMode started'";
end = "${lib.getExe pkgs.libnotify} 'GameMode ended'";
};
}; };
}; };
services.udev.packages = [ pkgs.wooting-udev-rules ];
environment.sessionVariables = {
GAMEMODERUNEXEC = "env DRI_PRIME=1";
};
environment.systemPackages = with pkgs; [
heroic
prismlauncher
mangohud
the-powder-toy
(pkgs.symlinkJoin {
name = "osu";
paths = [
(pkgs.writeShellScriptBin "osu!" ''
exec gamemoderun ${lib.getExe pkgs.osu-lazer-bin}
'')
pkgs.osu-lazer-bin
];
})
];
}; };
# programs.honkers-railway-launcher.enable = true; options.grimmShared.gaming = lib.mkEnableOption "enables steam, heroic, prism and gamemoded";
services.udev.packages = [ pkgs.wooting-udev-rules ];
environment.sessionVariables = {
GAMEMODERUNEXEC = "env DRI_PRIME=1";
};
environment.systemPackages = with pkgs; [
# heroic
prismlauncher
mangohud
the-powder-toy
(symlinkJoin {
name = "osu";
paths = [
(writeShellScriptBin "osu!" ''
exec gamemoderun ${getExe osu-lazer-bin}
'')
osu-lazer-bin
];
})
];
};
options.grimmShared.gaming = mkEnableOption "enables steam, heroic, prism and gamemoded";
} }

37
common/graphics/fonts.nix
View file

@ -4,27 +4,24 @@
config, config,
... ...
}: }:
let
inherit (config.grimmShared) enable graphical;
in
{ {
config = lib.mkIf (enable && graphical) { config =
fonts = { with config.grimmShared;
packages = with pkgs; [ lib.mkIf (enable && graphical) {
noto-fonts fonts = {
noto-fonts-cjk-sans packages = with pkgs; [
font-awesome noto-fonts
# noto-fonts-emoji noto-fonts-cjk
noto-fonts-monochrome-emoji font-awesome
roboto noto-fonts-emoji
liberation_ttf roboto
# nerdfonts liberation_ttf
]; ];
fontDir.enable = true; fontDir.enable = true;
};
environment.sessionVariables = {
FREETYPE_PROPERTIES = "cff:no-stem-darkening=0 autofitter:no-stem-darkening=0";
};
}; };
environment.sessionVariables = {
FREETYPE_PROPERTIES = "cff:no-stem-darkening=0 autofitter:no-stem-darkening=0";
};
};
} }

118
common/graphics/opengl.nix
View file

@ -5,80 +5,74 @@
... ...
}: }:
let let
inherit (config.grimmShared) enable graphical screens; cfg = config.grimmShared;
inherit (lib) types mkOption mkIf; screen =
with lib;
types.submodule {
options = {
fps = mkOption {
type = types.either types.int (types.nonEmptyListOf types.int);
default = 60;
description = "max framerate of screen";
};
screen = types.submodule { mode = mkOption {
options = { type = types.nonEmptyStr;
fps = mkOption { default = "1920x1080";
type = types.either types.int (types.nonEmptyListOf types.int); description = "pixel format of the screen";
default = 60; };
description = "max framerate of screen";
};
mode = mkOption { id = mkOption {
type = types.nonEmptyStr; type = types.nonEmptyStr;
default = "1920x1080"; description = "ID of the screen";
description = "pixel format of the screen"; };
};
id = mkOption { pos = mkOption {
type = types.nonEmptyStr; type = types.nullOr types.nonEmptyStr;
description = "ID of the screen"; default = null;
}; example = "0,0";
description = "position where to place the screen";
pos = mkOption { };
type = types.nullOr types.nonEmptyStr;
default = null;
example = "0,0";
description = "position where to place the screen";
}; };
}; };
};
in in
{ {
config = mkIf (enable && graphical) { config =
# Enable OpenGL with cfg;
hardware.graphics = { lib.mkIf (enable && graphical) {
enable = true; # Enable OpenGL
#driSupport = true; hardware.opengl = {
#driSupport32Bit = true; enable = true;
extraPackages = with pkgs; [ driSupport = true;
intel-media-driver # LIBVA_DRIVER_NAME=iHD driSupport32Bit = true;
# intel-vaapi-driver # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium) extraPackages = with pkgs; [ ];
# libvdpau-va-gl };
chaotic.mesa-git.enable = true;
boot.kernelParams = [ "nouveau.config=NvGspRm=1" ];
environment.sessionVariables = {
__GL_LOG_MAX_ANISO = "0";
__GL_SHADER_DISK_CACHE = "1";
__GL_SYNC_TO_VBLANK = "0";
__GL_THREADED_OPTIMIZATIONS = "1";
__GL_VRR_ALLOWED = "1";
# MESA_LOADER_DRIVER_OVERRIDE="zink";
# FLATPAK_GL_DRIVERS="mesa-git";
};
environment.systemPackages = with pkgs; [
glfw
glxinfo
vulkan-tools
mangohud
]; ];
}; };
environment.sessionVariables = { options.grimmShared = with lib; {
LIBVA_DRIVER_NAME = "iHD";
}; # Force intel-media-driver
# chaotic.mesa-git.enable = true;
boot.kernelParams = [ "nouveau.config=NvGspRm=1" ];
environment.sessionVariables = {
__GL_LOG_MAX_ANISO = "0";
__GL_SHADER_DISK_CACHE = "1";
__GL_SYNC_TO_VBLANK = "0";
__GL_THREADED_OPTIMIZATIONS = "1";
__GL_VRR_ALLOWED = "1";
# MESA_LOADER_DRIVER_OVERRIDE="zink";
# FLATPAK_GL_DRIVERS="mesa-git";
};
environment.systemPackages = with pkgs; [
glfw
glxinfo
vulkan-tools
mangohud
];
};
options.grimmShared = {
graphical = mkOption { graphical = mkOption {
type = types.bool; type = types.bool;
default = screens != { }; default = cfg.screens != { };
description = "whether to force enable graphical components"; description = "whether to force enable graphical components";
}; };

87
common/graphics/qt.nix
View file

@ -5,54 +5,51 @@
... ...
}: }:
let let
inherit (config.grimmShared) enable graphical sway; cfg = config.grimmShared;
in in
{ {
config = lib.mkIf (enable && graphical) { config =
qt = { with cfg;
enable = true; lib.mkIf (enable && graphical) {
style = "breeze"; qt = {
platformTheme = "lxqt"; enable = true;
}; style = "kvantum";
platformTheme = "qt5ct";
environment.systemPackages = };
with pkgs;
with kdePackages; environment.systemPackages =
[ with pkgs;
# qtstyleplugin-kvantum with kdePackages;
catppuccin-sddm-corners [
libsForQt5.qtgraphicaleffects qtstyleplugin-kvantum
# catppuccin-kvantum catppuccin-sddm-corners
breeze libsForQt5.qtgraphicaleffects
kdePackages.audiocd-kio catppuccin-kvantum
kdePackages.kio-extras kdePackages.audiocd-kio
kdePackages.kio kdePackages.kio-extras
xcb-util-cursor kdePackages.kio
qt6ct xcb-util-cursor
kdePackages.dolphin qt6ct
qtwayland kdePackages.dolphin
]; qtwayland
];
# environment.pathsToLink = [ "/share/Kvantum" ];
environment.pathsToLink = [ "/share/Kvantum" ];
services.displayManager = {
sddm = { services.displayManager = {
sddm = {
enable = true;
theme = "catppuccin-sddm-corners";
wayland.enable = true;
wayland.compositor = "weston";
};
defaultSession = lib.optionalString cfg.sway.enable "sway";
};
boot.plymouth = {
themePackages = with pkgs; [ catppuccin-plymouth ];
theme = "catppuccin-macchiato";
enable = true; enable = true;
theme = "catppuccin-sddm-corners";
wayland.enable = true;
wayland.compositor = "weston";
}; };
defaultSession = lib.optionalString sway.enable "sway";
}; };
xdg.portal.lxqt.styles = with pkgs; [
kdePackages.breeze-qt5
];
#boot.plymouth = {
# themePackages = with pkgs; [ catppuccin-plymouth ];
# theme = "catppuccin-macchiato";
# enable = true;
#};
};
} }

188
common/graphics/sway.nix
View file

@ -5,113 +5,97 @@
... ...
}: }:
let let
inherit (config.grimmShared) enable sway screens; cfg = config.grimmShared;
inherit (lib) sway_conf =
types with lib;
mkOption types.submodule (
mkEnableOption { config, ... }:
mapAttrsToList rec {
optionalString options = {
concatMapStrings keybinds = mkOption {
isInt type = types.attrsOf types.str;
min default = { };
max description = "set of keybinds assigning key combo to action";
foldl' };
getExe
getExe'
isPath
isDerivation
concatLines
optional
singleton
mkIf
;
inherit (pkgs) writeShellScriptBin;
sway_conf = types.submodule ( autolaunch = mkOption {
{ ... }: type = types.listOf (types.either types.nonEmptyStr types.package);
{ default = [ ];
options = { description = "set of commands to be run at sway startup";
keybinds = mkOption { };
type = types.attrsOf types.str;
default = { };
description = "set of keybinds assigning key combo to action";
};
autolaunch = mkOption { execAlways = mkOption {
type = types.listOf (types.either types.nonEmptyStr types.package); type = types.listOf (types.either types.nonEmptyStr types.package);
default = [ ]; default = [ ];
description = "set of commands to be run at sway startup"; description = "set of commands to be run at sway reload";
}; };
execAlways = mkOption { extraConfig = mkOption {
type = types.listOf (types.either types.nonEmptyStr types.package); type = types.str;
default = [ ]; default = "";
description = "set of commands to be run at sway reload"; description = "additional sway config to be included";
}; };
extraConfig = mkOption { definitions = mkOption {
type = types.str; type = types.attrsOf types.str;
default = ""; default = { };
description = "additional sway config to be included"; description = "set of definitions assigning variable to value";
}; };
definitions = mkOption { modes = mkOption {
type = types.attrsOf types.str; type = types.attrsOf sway_conf;
default = { }; default = { };
description = "set of definitions assigning variable to value"; description = "possible modes to switch to, e.g. resize";
};
}; };
}
modes = mkOption { );
type = types.attrsOf sway_conf;
default = { };
description = "possible modes to switch to, e.g. resize";
};
};
}
);
build_screen_def = build_screen_def =
fps_func: fps_func:
with lib;
let let
output_def = mapAttrsToList ( output_def = mapAttrsToList (
name: value: name: value:
"output ${value.id} mode ${value.mode}@${toString (fps_func value.fps)}Hz" "output ${value.id} mode ${value.mode}@${toString (fps_func value.fps)}Hz"
+ (optionalString (value.pos != null) " position ${value.pos}") + (optionalString (value.pos != null) " position ${value.pos}")
) screens; ) cfg.screens;
in in
'' ''
for pid in $(${getExe' pkgs.procps "pgrep"} sway -x) for pid in $(${pkgs.procps}/bin/pgrep sway -x)
do do
uid=$(id -u $(${getExe' pkgs.procps "ps"} -o user= -p $pid)) uid=$(id -u $(${pkgs.procps}/bin/ps -o user= -p $pid))
export SWAYSOCK="/run/user/$uid/sway-ipc.$uid.$pid.sock" export SWAYSOCK="/run/user/$uid/sway-ipc.$uid.$pid.sock"
if [[ -e "$SWAYSOCK" ]] ; then if [[ -e "$SWAYSOCK" ]] ; then
echo "sock is $SWAYSOCK" echo "sock is $SWAYSOCK"
${getExe' config.programs.sway.package "swaymsg"} '${ ${config.programs.sway.package}/bin/swaymsg '${concatMapStrings (s: s + " ; ") output_def}'
concatMapStrings (s: s + " ; ") output_def
}'
fi fi
done done
''; '';
inherit (lib) getExe;
fps_min = fps: if isInt fps then fps else (foldl' min 2147483647 fps); fps_min = fps: with lib; if isInt fps then fps else (foldl' min 2147483647 fps);
fps_max = fps: if isInt fps then fps else (foldl' max 0 fps); fps_max = fps: with lib; if isInt fps then fps else (foldl' max 0 fps);
init_screens_min_fps = writeShellScriptBin "init-screens-min" (build_screen_def fps_min); init_screens_min_fps =
init_screens_max_fps = writeShellScriptBin "init-screens-max" (build_screen_def fps_max); with lib;
init_screens_auto = writeShellScriptBin "init-screens-auto" "which run-on-ac && which run-on-bat && run-on-ac ${getExe init_screens_max_fps} && run-on-bat ${getExe init_screens_min_fps} || ${getExe init_screens_max_fps}"; pkgs.writeShellScriptBin "init-screens-min" (build_screen_def fps_min);
init_screens_max_fps =
with lib;
pkgs.writeShellScriptBin "init-screens-max" (build_screen_def fps_max);
init_screens_auto = pkgs.writeShellScriptBin "init-screens-auto" "which run-on-ac && which run-on-bat && run-on-ac ${getExe init_screens_max_fps} && run-on-bat ${getExe init_screens_min_fps} || ${getExe init_screens_max_fps}";
in in
{ {
config = config =
let let
bar_conf_file = bar_conf_file =
if (isPath sway.bar.config) then if (lib.isPath cfg.sway.bar.config) then
sway.bar.config cfg.sway.bar.config
else else
pkgs.writers.writeJSON "config.json" sway.bar.config; pkgs.writers.writeJSON "config.json" cfg.sway.bar.config;
waybar_full = writeShellScriptBin "waybar-full" ( waybar_full = pkgs.writeShellScriptBin "waybar-full" (
(getExe config.programs.waybar.package) (lib.getExe config.programs.waybar.package)
+ (optionalString (!isNull sway.bar.config) " -c ${bar_conf_file}") + (lib.optionalString (!isNull cfg.sway.bar.config) " -c ${bar_conf_file}")
+ (optionalString (!isNull sway.bar.style) " -s ${sway.bar.style}") + (lib.optionalString (!isNull cfg.sway.bar.style) " -s ${cfg.sway.bar.style}")
); );
bar_config = '' bar_config = ''
@ -120,7 +104,14 @@ in
} }
''; '';
dbus-sway-environment = pkgs.writeShellScriptBin "dbus-sway-environment" ''
dbus-update-activation-environment --systemd WAYLAND_DISPLAY XDG_CURRENT_DESKTOP=sway
systemctl --user stop xdg-desktop-portal xdg-desktop-portal-wlr
systemctl --user start xdg-desktop-portal xdg-desktop-portal-wlr
'';
build_conf = build_conf =
with lib;
sway_conf: sway_conf:
let let
build_definition_lines = mapAttrsToList (name: value: "set \$${name} ${value}"); build_definition_lines = mapAttrsToList (name: value: "set \$${name} ${value}");
@ -136,35 +127,37 @@ in
[ ] [ ]
++ (build_definition_lines sway_conf.definitions) ++ (build_definition_lines sway_conf.definitions)
++ (build_keybind_lines sway_conf.keybinds) ++ (build_keybind_lines sway_conf.keybinds)
++ (build_exec_lines "exec_always" sway_conf.execAlways)
++ (build_exec_lines "exec" sway_conf.autolaunch) ++ (build_exec_lines "exec" sway_conf.autolaunch)
++ (build_exec_lines "exec_always" sway_conf.execAlways)
++ (build_mode_lines sway_conf.modes) ++ (build_mode_lines sway_conf.modes)
++ optional (sway_conf.extraConfig != "") sway_conf.extraConfig ++ optional (sway_conf.extraConfig != "") sway_conf.extraConfig
); );
sway_conf = concatLines ( sway_conf = lib.concatLines (
(optional sway.bar.enable bar_config) (build_conf cfg.sway.config)
++ (build_conf sway.config) ++ lib.optional cfg.sway.bar.enable bar_config
++ (mapAttrsToList ( ++ (lib.mapAttrsToList (
name: value: name: value:
"output ${value.id} mode ${value.mode}" "output ${value.id} mode ${value.mode}"
+ (optionalString (value.pos != null) " position ${value.pos}") + (lib.optionalString (value.pos != null) " position ${value.pos}")
) screens) ) cfg.screens)
++ (singleton "include /etc/sway/config.d/*")
); );
conf_path = "sway.conf"; conf_path = "sway.conf";
in in
mkIf (enable && sway.enable) { with cfg;
environment.etc."sway/config".source = lib.mkForce (pkgs.writeText conf_path sway_conf); lib.mkIf (enable && sway.enable) {
environment.etc."${conf_path}".text = sway_conf;
grimmShared.sway.config.execAlways = [ grimmShared.sway.config.execAlways = [
dbus-sway-environment
init_screens_auto init_screens_auto
]; ];
environment.systemPackages = environment.systemPackages =
[ [
waybar_full waybar_full
dbus-sway-environment
init_screens_min_fps init_screens_min_fps
init_screens_max_fps init_screens_max_fps
init_screens_auto init_screens_auto
@ -181,25 +174,22 @@ in
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";
script = '' script = ''
for pid in $(${getExe' pkgs.procps "pgrep"} sway -x) for pid in $(${pkgs.procps}/bin/pgrep sway -x)
do do
uid=$(id -u $(${getExe' pkgs.procps "ps"} -o user= -p $pid)) uid=$(id -u $(${pkgs.procps}/bin/ps -o user= -p $pid))
export SWAYSOCK="/run/user/$uid/sway-ipc.$uid.$pid.sock" export SWAYSOCK="/run/user/$uid/sway-ipc.$uid.$pid.sock"
if [[ -e "$SWAYSOCK" ]] ; then if [[ -e "$SWAYSOCK" ]] ; then
echo "sock is $SWAYSOCK" echo "sock is $SWAYSOCK"
${getExe' config.programs.sway.package "swaymsg"} reload ${config.programs.sway.package}/bin/swaymsg reload
fi fi
done done
rm -rf /home/*/.cache/rmenu rm -rf /home/*/.cache/rmenu
''; '';
reloadTriggers = [ reloadTriggers = [ config.environment.etc."${conf_path}".source ];
# config.environment.etc."${conf_path}".source
config.environment.etc."sway/config".source
];
}; };
# programs.waybar.enable = true; programs.waybar.enable = true;
programs.dconf.enable = true; programs.dconf.enable = true;
@ -212,7 +202,7 @@ in
}; };
extraPackages = with pkgs; [ extraPackages = with pkgs; [
# swaylock swaylock
swayidle swayidle
wl-clipboard wl-clipboard
wf-recorder wf-recorder
@ -220,6 +210,10 @@ in
wmenu wmenu
waybar-mpris waybar-mpris
]; ];
extraOptions = [
"--config"
"/etc/${conf_path}"
];
extraSessionCommands = '' extraSessionCommands = ''
# source /etc/profile # source /etc/profile
# test -f $HOME/.profile && source $HOME/.profile # test -f $HOME/.profile && source $HOME/.profile
@ -238,7 +232,7 @@ in
}; };
}; };
options.grimmShared.sway = { options.grimmShared.sway = with lib; {
enable = mkEnableOption "grimm-sway"; enable = mkEnableOption "grimm-sway";
bar = { bar = {

113
common/hardware/laptop.nix
View file

@ -5,52 +5,85 @@
... ...
}: }:
let let
inherit (config.grimmShared) enable laptop_hardware graphical; cfg = config.grimmShared;
in in
{ {
config = lib.mkIf (enable && laptop_hardware.enable) { config =
environment.systemPackages = with cfg;
with pkgs; lib.mkIf (enable && laptop_hardware.enable) {
[ environment.systemPackages =
lm_sensors with pkgs;
lshw [
pciutils lm_sensors
usbutils lshw
ddcutil pciutils
python312Packages.py-cpuinfo usbutils
(writeShellScriptBin "lsiommu" ./lsiommu) ddcutil
] python312Packages.py-cpuinfo
++ lib.optionals graphical [ (writeShellScriptBin "lsiommu" ./lsiommu)
opentabletdriver ]
ddcui ++ lib.optionals graphical [
wootility opentabletdriver
]; ddcui
wootility
];
services.udev.packages = with pkgs; [ yubikey-personalization ]; hardware.i2c.enable = true;
boot.bcache.enable = false; services.libinput.enable = true;
hardware.opentabletdriver.enable = true;
services.udisks2.enable = true;
services.libinput.enable = true; services.udev.extraRules = ''
SUBSYSTEM=="i2c-dev", ACTION=="add",\
# hardware.opentabletdriver.enable = true; ATTR{name}=="NVIDIA i2c adapter*",\
# systemd.user.services.opentabletdriver.after = [ "local-fs.target" ]; TAG+="ddcci",\
TAG+="systemd",\
ENV{SYSTEMD_WANTS}+="ddcci@$kernel.service"
'';
services.udisks2.enable = true; systemd.services."ddcci@" = {
boot = { scriptArgs = "%i";
kernelParams = [ script = ''
"nohibernate" sleep 20
]; echo Trying to attach ddcci to $1
loader.efi.canTouchEfiVariables = true; i=0
initrd.availableKernelModules = [ id=$(echo $1 | cut -d "-" -f 2)
"xhci_pci" if ${pkgs.ddcutil}/bin/ddcutil getvcp 10 -b $id; then
"ahci" echo ddcci 0x37 > /sys/bus/i2c/devices/$1/new_device
"nvme" fi
"usbhid" '';
"usb_storage" serviceConfig.Type = "oneshot";
"sd_mod" };
];
loader.systemd-boot.enable = true; boot = {
kernelParams = [ "quiet" ];
loader.efi.canTouchEfiVariables = true;
initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
];
loader.systemd-boot.enable = true;
extraModulePackages = [
(config.boot.kernelPackages.ddcci-driver.overrideAttrs (old: {
patches = [
(pkgs.fetchpatch {
url = "https://gitlab.com/Sweenu/ddcci-driver-linux/-/commit/7f851f5fb8fbcd7b3a93aaedff90b27124e17a7e.patch";
hash = "sha256-Y1ktYaJTd9DtT/mwDqtjt/YasW9cVm0wI43wsQhl7Bg=";
})
];
}))
];
kernelModules = [
"ddcci_backlight"
"i2c-dev"
"ec_sys"
];
};
}; };
};
options.grimmShared.laptop_hardware = { options.grimmShared.laptop_hardware = {
enable = lib.mkEnableOption "grimm-laptop"; enable = lib.mkEnableOption "grimm-laptop";

143
common/hardware/tlp.nix
View file

@ -6,40 +6,34 @@
... ...
}: }:
let let
cfg = config.grimmShared;
inherit (lib) inherit (lib)
optionals optionals
optional optional
optionalString
concatLines concatLines
getExe getExe
getExe'
elem
mkIf
;
inherit (pkgs) writeShellScriptBin tlp tlpui;
inherit (config.grimmShared)
enable
laptop_hardware
graphical
sway
; ;
inherit (config.boot.kernelPackages) x86_energy_perf_policy cpupower; inherit (config.boot.kernelPackages) x86_energy_perf_policy cpupower;
enable_perf_policy = false; # (elem system x86_energy_perf_policy.meta.platforms); enable_perf_policy = (lib.elem system x86_energy_perf_policy.meta.platforms);
powersave = writeShellScriptBin "powersave-mode" ( powersave =
concatLines ( with pkgs;
[ writeShellScriptBin "powersave-mode" (
"${getExe cpupower} frequency-set -g powersave -u 2000000" # clock speed concatLines (
"${getExe pkgs.brightnessctl} s 20%" # display brightness [
] "${getExe cpupower} frequency-set -g powersave -u 2000000" # clock speed
++ optionals enable_perf_policy [ "${getExe pkgs.brightnessctl} s 20%" # display brightness
"${getExe x86_energy_perf_policy} 15" # power save preference ]
"${getExe x86_energy_perf_policy} --turbo-enable 0" # disable turbo ++ optionals enable_perf_policy [
] "${getExe x86_energy_perf_policy} 15" # power save preference
++ optional sway.enable "init-screens-min" "${getExe x86_energy_perf_policy} --turbo-enable 0" # disable turbo
) ]
); ++ optional cfg.sway.enable "init-screens-min"
)
);
performance = writeShellScriptBin "performance-mode" ( performance = pkgs.writeShellScriptBin "performance-mode" (
concatLines ( concatLines (
[ [
"${getExe cpupower} frequency-set frequency-set -g performance -u 5000000" # clock speed "${getExe cpupower} frequency-set frequency-set -g performance -u 5000000" # clock speed
@ -49,61 +43,66 @@ let
"${getExe x86_energy_perf_policy} 0" # performance preference "${getExe x86_energy_perf_policy} 0" # performance preference
"${getExe x86_energy_perf_policy} --turbo-enable 1" # enable turbo "${getExe x86_energy_perf_policy} --turbo-enable 1" # enable turbo
] ]
++ optional sway.enable "init-screens-max" ++ optional cfg.sway.enable "init-screens-max"
) )
); );
auto = writeShellScriptBin "auto-mode" '' auto =
${getExe' tlp "run-on-ac"} ${getExe performance} let
${getExe' tlp "run-on-bat"} ${getExe powersave} inherit (pkgs) tlp;
''; in
pkgs.writeShellScriptBin "auto-mode" ''
${tlp}/bin/run-on-ac ${getExe performance}
${tlp}/bin/run-on-bat ${getExe powersave}
'';
in in
{ {
config = mkIf (enable && laptop_hardware.enable) { config =
environment.systemPackages = with cfg;
(with pkgs; [ lib.mkIf (enable && laptop_hardware.enable) {
acpi environment.systemPackages =
powertop with pkgs;
brightnessctl [
]) acpi
++ [ powertop
cpupower brightnessctl
powersave cpupower
performance powersave
auto performance
] auto
++ optionals graphical [ tlpui ] ]
++ optional enable_perf_policy x86_energy_perf_policy; ++ optionals graphical [ tlpui ]
++ optional enable_perf_policy x86_energy_perf_policy;
services.acpid = { services.acpid = {
enable = true; enable = true;
acEventCommands = getExe auto; acEventCommands = getExe auto;
}; };
powerManagement.scsiLinkPolicy = lib.mkIf (!config.services.tlp.enable) "min_power"; powerManagement.scsiLinkPolicy = lib.mkIf (!config.services.tlp.enable) "min_power";
# powerManagement.cpuFreqGovernor = lib.mkDefault "normal"; powerManagement.cpuFreqGovernor = lib.mkDefault "normal";
services.power-profiles-daemon.enable = false; services.power-profiles-daemon.enable = false;
services.upower.enable = true; services.upower.enable = true;
boot.extraModulePackages = [ cpupower ] ++ optional enable_perf_policy x86_energy_perf_policy; boot.extraModulePackages = [ cpupower ] ++ optional enable_perf_policy x86_energy_perf_policy;
services.tlp = { services.tlp = {
enable = true; enable = true;
settings = { settings = {
USB_AUTOSUSPEND = 1; USB_AUTOSUSPEND = 1;
USB_EXCLUDE_BTUSB = 1; USB_EXCLUDE_BTUSB = 1;
USB_EXCLUDE_PHONE = 1; USB_EXCLUDE_PHONE = 1;
SOUND_POWER_SAVE_ON_AC = 0; SOUND_POWER_SAVE_ON_AC = 0;
SOUND_POWER_SAVE_ON_BAT = 1; SOUND_POWER_SAVE_ON_BAT = 1;
SATA_LINKPWR_ON_AC = "max_performance"; SATA_LINKPWR_ON_AC = "max_performance";
SATA_LINKPWR_ON_BAT = "min_power"; SATA_LINKPWR_ON_BAT = "min_power";
MAX_LOST_WORK_SECS_ON_BAT = 15; MAX_LOST_WORK_SECS_ON_BAT = 15;
CPU_ENERGY_PERF_POLICY_ON_AC = "performance"; CPU_ENERGY_PERF_POLICY_ON_AC = "performance";
CPU_ENERGY_PERF_POLICY_ON_BAT = "power"; CPU_ENERGY_PERF_POLICY_ON_BAT = "power";
CPU_BOOST_ON_AC = 1; CPU_BOOST_ON_AC = 1;
CPU_BOOST_ON_BAT = 0; CPU_BOOST_ON_BAT = 0;
RUNTIME_PM_ON_AC = "on"; RUNTIME_PM_ON_AC = "on";
RUNTIME_PM_ON_BAT = "auto"; RUNTIME_PM_ON_BAT = "auto";
};
}; };
}; };
};
} }

48
common/localisation.nix
View file

@ -1,33 +1,35 @@
{ config, lib, ... }: { config, lib, ... }:
let let
inherit (config.grimmShared) enable locale; cfg = config.grimmShared;
in in
{ {
config = lib.mkIf (enable && locale) { config =
time.timeZone = "Europe/Berlin"; with cfg;
lib.mkIf (enable && locale) {
time.timeZone = "Europe/Berlin";
# Select internationalisation properties. # Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8"; i18n.defaultLocale = "en_US.UTF-8";
i18n.extraLocaleSettings = { i18n.extraLocaleSettings = {
LC_ADDRESS = "de_DE.UTF-8"; LC_ADDRESS = "de_DE.UTF-8";
LC_IDENTIFICATION = "de_DE.UTF-8"; LC_IDENTIFICATION = "de_DE.UTF-8";
LC_MEASUREMENT = "de_DE.UTF-8"; LC_MEASUREMENT = "de_DE.UTF-8";
LC_MONETARY = "de_DE.UTF-8"; LC_MONETARY = "de_DE.UTF-8";
LC_NAME = "de_DE.UTF-8"; LC_NAME = "de_DE.UTF-8";
LC_NUMERIC = "de_DE.UTF-8"; LC_NUMERIC = "de_DE.UTF-8";
LC_PAPER = "de_DE.UTF-8"; LC_PAPER = "de_DE.UTF-8";
LC_TELEPHONE = "de_DE.UTF-8"; LC_TELEPHONE = "de_DE.UTF-8";
LC_TIME = "de_DE.UTF-8"; LC_TIME = "de_DE.UTF-8";
};
console.keyMap = "de";
services.xserver.xkb = {
layout = "de";
variant = "";
};
}; };
console.keyMap = "de";
services.xserver.xkb = {
layout = "de";
variant = "";
};
};
options.grimmShared.locale = lib.mkEnableOption "Sets german units but english language"; options.grimmShared.locale = lib.mkEnableOption "Sets german units but english language";
} }

27
common/network/bluetooth.nix
View file

@ -5,17 +5,24 @@
... ...
}: }:
let let
inherit (config.grimmShared) cfg = config.grimmShared;
enable
network
graphical
sound
;
in in
{ {
config = lib.mkIf (enable && network && config.hardware.bluetooth.enable) { config =
services.blueman.enable = lib.mkIf graphical true; with cfg;
lib.mkIf (enable && network && config.hardware.bluetooth.enable) {
services.blueman.enable = lib.mkIf graphical true;
environment.systemPackages = [ pkgs.bluetuith ] ++ lib.optional sound.enable pkgs.bluez; environment.systemPackages = with pkgs; [ bluetuith ] ++ lib.optional sound.enable pkgs.bluez;
};
systemd.user.services.mpris-proxy = lib.mkIf sound.enable {
description = "Mpris proxy";
after = [
"network.target"
"sound.target"
];
wantedBy = [ "default.target" ];
serviceConfig.ExecStart = "${pkgs.bluez}/bin/mpris-proxy";
};
};
} }

46
common/network/default.nix
View file

@ -5,37 +5,27 @@
... ...
}: }:
let let
inherit (config.grimmShared) enable network laptop_hardware; cfg = config.grimmShared;
in in
{ {
config = lib.mkIf (enable && network) { config =
networking.networkmanager = { with cfg;
enable = true; lib.mkIf (enable && network) {
plugins = with pkgs; [ networkmanager-openvpn ]; networking.networkmanager.enable = true;
networking.useDHCP = lib.mkDefault true;
hardware.bluetooth.enable = lib.mkDefault laptop_hardware.enable;
environment.systemPackages = with pkgs; [
wireguard-tools
openconnect
];
networking.firewall = {
enable = true;
allowPing = true;
};
}; };
networking.useDHCP = lib.mkDefault true;
hardware.bluetooth.enable = lib.mkDefault laptop_hardware.enable;
environment.systemPackages = with pkgs; [
wireguard-tools
openconnect
];
users.users.nscd.uid = 997;
networking.firewall = {
enable = true;
allowPing = true;
};
networking.nameservers = [
"1.1.1.1"
"9.9.9.9"
];
environment.etc."NetworkManager/certs/telekom-root.crt".source = ./telekom-root.crt;
};
imports = [ ./bluetooth.nix ]; imports = [ ./bluetooth.nix ];

BIN
common/network/telekom-root.crt
View file

Binary file not shown.

46
common/printing.nix
View file

@ -5,27 +5,33 @@
... ...
}: }:
let let
inherit (config.grimmShared) enable graphical; cfg = config.grimmShared;
in in
{ {
config = lib.mkIf (enable && config.services.printing.enable) { config =
services.printing.drivers = with pkgs; [ with cfg;
# brgenml1lpr lib.mkIf (enable && printing) {
# brgenml1cupswrapper # Enable CUPS to print documents.
]; services.printing.enable = true;
services.avahi = { services.printing.drivers = with pkgs; [
# enable = true; brgenml1lpr
nssmdns4 = true; brgenml1cupswrapper
openFirewall = true; ];
}; services.avahi = {
# services.printing.cups-pdf.enable = true; enable = true;
hardware.sane.brscan4.enable = true; # enables support for SANE scanners nssmdns4 = true;
openFirewall = true;
};
services.printing.cups-pdf.enable = true;
hardware.sane.brscan4.enable = true; # enables support for SANE scanners
environment.systemPackages = ( environment.systemPackages =
lib.optionals graphical [ with pkgs;
pkgs.kdePackages.skanpage (lib.optionals cfg.graphical [
# libsForQt5.skanpage kdePackages.skanpage
] # libsForQt5.skanpage
); ]);
}; };
options.grimmShared.printing = lib.mkEnableOption "Enables print and scan related options";
} }

39
common/sound/default.nix
View file

@ -5,29 +5,32 @@
... ...
}: }:
let let
inherit (config.grimmShared) enable sound; cfg = config.grimmShared;
in in
{ {
config = lib.mkIf (enable && sound.enable) { config =
services.pulseaudio.enable = false; with cfg;
lib.mkIf (enable && sound.enable) {
sound.enable = true;
hardware.pulseaudio.enable = false;
services.pipewire = { services.pipewire = {
enable = true; enable = true;
alsa.enable = true; alsa.enable = true;
alsa.support32Bit = true; alsa.support32Bit = true;
pulse.enable = true; pulse.enable = true;
jack.enable = true; # osu uses jack jack.enable = true; # osu uses jack
lowLatency.enable = true; lowLatency.enable = true;
};
environment.systemPackages = with pkgs; [
pwvucontrol
playerctl
openal
pulseaudio
];
}; };
environment.systemPackages = with pkgs; [
pwvucontrol
playerctl
openal
pulseaudio
];
};
imports = [ imports = [
./spotify.nix ./spotify.nix
./midi.nix ./midi.nix

20
common/sound/midi.nix
View file

@ -5,24 +5,24 @@
... ...
}: }:
let let
cfg = config.grimmShared;
sound_font = pkgs.soundfont-fluid; sound_font = pkgs.soundfont-fluid;
inherit (config.grimmShared) enable sound;
in in
{ {
config = lib.mkIf (enable && sound.midi) { config =
environment.systemPackages = with cfg;
(with pkgs; [ lib.mkIf (enable && sound.midi) {
environment.systemPackages = with pkgs; [
mpv mpv
timidity timidity
ffmpeg-full ffmpeg-full
]) sound_font
++ [ sound_font ]; ];
environment.pathsToLink = [ "/share/soundfonts" ]; environment.pathsToLink = [ "/share/soundfonts" ];
environment.etc."timidity/timidity.cfg".text = environment.etc."timidity/timidity.cfg".text = "soundfont ${sound_font}/share/soundfonts/FluidR3_GM2-2.sf2";
"soundfont ${sound_font}/share/soundfonts/FluidR3_GM2-2.sf2"; };
};
options.grimmShared.sound.midi = lib.mkEnableOption "enable midi"; options.grimmShared.sound.midi = lib.mkEnableOption "enable midi";
} }

18
common/sound/spotify.nix
View file

@ -5,21 +5,23 @@
... ...
}: }:
let let
inherit (config.grimmShared) enable spotify graphical; cfg = config.grimmShared;
in in
{ {
config = lib.mkIf (enable && spotify.enable) { config =
environment.systemPackages = [ pkgs.ncspot ] ++ lib.optional graphical pkgs.spotify; with cfg;
lib.mkIf (enable && spotify.enable) {
environment.systemPackages = [ pkgs.ncspot ] ++ lib.optional graphical pkgs.spotify;
grimmShared = { grimmShared = {
sound.enable = true; sound.enable = true;
network = true; network = true;
};
}; };
};
options.grimmShared.spotify = { options.grimmShared.spotify = {
enable = lib.mkEnableOption "grimm-spotify"; enable = lib.mkEnableOption "grimm-spotify";
}; };
# imports = [ ./spotifyd.nix ]; imports = [ ./spotifyd.nix ];
} }

141
common/sound/spotifyd.nix
View file

@ -6,7 +6,7 @@
}: }:
let let
spotifyd_cache_dir = "/tmp/spotifyd"; spotifyd_cache_dir = "/tmp/spotifyd";
inherit (config.grimmShared) enable spotify; cfg = config.grimmShared;
spotifyd-dbus = pkgs.writeTextDir "share/dbus-1/system.d/org.mpris.MediaPlayer2.spotifyd.conf" '' spotifyd-dbus = pkgs.writeTextDir "share/dbus-1/system.d/org.mpris.MediaPlayer2.spotifyd.conf" ''
<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- --> <?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
@ -27,79 +27,76 @@ let
''; '';
in in
{ {
config = lib.mkIf (enable && spotify.spotifyd.enable) { config =
environment.systemPackages = [ with cfg;
pkgs.spotifyd lib.mkIf (enable && spotify.spotifyd.enable) {
spotifyd-dbus environment.systemPackages = with pkgs; [
]; spotifyd
spotifyd-dbus
systemd.services.init-spotifyd-cache-dir = {
description = "Create the spotifyd cache dir";
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
script = ''
mkdir -p ${spotifyd_cache_dir}
chown spotifyd:spotifyd -R ${spotifyd_cache_dir}
'';
};
grimmShared = {
sound.enable = true;
network = true;
};
services.pipewire.systemWide = true; # required for spotifyd as spotifyd runs as the spotifyd user
# spotifyd config
services.spotifyd = {
enable = true;
settings.global = {
bitrate = 320;
username = spotify.spotifyd.username;
device_name = "grimm_laptop";
password_cmd =
let
pass = spotify.spotifyd.pass;
inherit (lib)
isPath
isString
getExe
getExe'
;
in
if (isPath pass || isString pass) then
"${getExe' pkgs.coreutils-full "cat"} ${pass}"
else
(getExe pass);
device_type = "computer";
dbus_type = "system";
device = "default";
control = "default";
volume_controller = "softvol";
# no_audio_cache = true;
spotifyd_cache_dir = spotifyd_cache_dir;
max_cache_size = 10000000000;
initial_volume = "90";
backend = "alsa"; # fixme
};
};
services.dbus.packages = [ spotifyd-dbus ];
# spotifyd has access to global pipewire
users.users.spotifyd = {
isSystemUser = true;
group = "spotifyd";
extraGroups = [
"audio"
"pipewire"
]; ];
};
# spotifyd is also a group systemd.services.init-spotifyd-cache-dir = {
users.groups.spotifyd = { }; description = "Create the spotifyd cache dir";
}; wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
script = ''
mkdir -p ${spotifyd_cache_dir}
chown spotifyd:spotifyd -R ${spotifyd_cache_dir}
'';
};
grimmShared = {
sound.enable = true;
network = true;
};
services.pipewire.systemWide = true; # required for spotifyd as spotifyd runs as the spotifyd user
# spotifyd config
services.spotifyd = {
enable = true;
settings.global = {
bitrate = 320;
username = cfg.spotify.spotifyd.username;
device_name = "grimm_laptop";
password_cmd =
let
pass = cfg.spotify.spotifyd.pass;
in
with lib;
if (lib.isPath pass || lib.isString pass) then
"${pkgs.coreutils-full}/bin/cat ${pass}"
else
(getExe pass);
device_type = "computer";
dbus_type = "system";
device = "default";
control = "default";
volume_controller = "softvol";
# no_audio_cache = true;
spotifyd_cache_dir = spotifyd_cache_dir;
max_cache_size = 10000000000;
initial_volume = "90";
backend = "alsa"; # fixme
};
};
services.dbus.packages = with pkgs; [ spotifyd-dbus ];
# spotifyd has access to global pipewire
users.users.spotifyd = {
isSystemUser = true;
group = "spotifyd";
extraGroups = [
"audio"
"pipewire"
];
};
# spotifyd is also a group
users.groups.spotifyd = { };
};
options.grimmShared.spotify.spotifyd = with lib; { options.grimmShared.spotify.spotifyd = with lib; {
enable = mkEnableOption "grimm-spotify-tui"; enable = mkEnableOption "grimm-spotify-tui";

68
common/tooling/c.nix
View file

@ -1,68 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
lang_support_id = "c";
inherit (config.grimmShared) enable tooling graphical;
inherit (lib)
optionals
mkIf
getExe'
types
mkOption
elem
;
in
{
config = mkIf (enable && tooling.enable && (elem lang_support_id tooling.supportedLangs)) {
environment.systemPackages =
with pkgs;
[
util-linux
linuxPackages.perf
pkg-config
glib
glibc
clang
clang-tools
cmake
stdman
valgrind
]
++ optionals graphical [
libva-utils
jetbrains.clion
];
environment.sessionVariables.CMAKE_EXPORT_COMPILE_COMMANDS = "1";
grimmShared.tooling.lang_servers = [
{
lsp = {
package = pkgs.clang-tools;
};
fmt = rec {
package = pkgs.clang-tools;
command = getExe' package "clang-format";
includes = [
"*.c"
"*.h"
"*.cpp"
"*.hpp"
];
};
}
{
lsp = {
package = pkgs.cmake-language-server;
};
}
];
};
options.grimmShared.tooling.supportedLangs = mkOption {
type = types.listOf (types.enum [ lang_support_id ]);
};
}

235
common/tooling/default.nix
View file

@ -5,101 +5,180 @@
... ...
}: }:
let let
inherit (config.grimmShared) enable tooling graphical; cfg = config.grimmShared;
inherit (lib)
mkEnableOption
getExe
optionals
mkIf
;
in in
{ {
imports = [ imports = [
# ./lilypond.nix ./lilypond.nix
./nix.nix ./nix.nix
./security.nix
./python.nix ./python.nix
./rust.nix
./lsp.nix
./git.nix
# ./wine.nix
./c.nix
./java.nix
./ranger.nix
./nix-index.nix
# ./defaultProtectHome.nix
]; ];
config = mkIf (enable && tooling.enable) { config =
environment.systemPackages = with cfg;
with pkgs; lib.mkIf (enable && tooling.enable) {
[ environment.systemPackages =
(writeShellScriptBin "systemd-owner" "systemctl show -pUser,UID $@") with pkgs;
(writeShellScriptBin "tree" "${getExe eza} -T --git -lh --no-permissions --no-user --no-filesize --no-time") [
(writeShellScriptBin "spawn" ''exec "$@" &> /dev/null &'') (writeShellScriptBin "systemd-owner" "systemctl show -pUser,UID $@")
(writeShellScriptBin "tree" "${lib.getExe pkgs.eza} -T --git -lh --no-permissions --no-user --no-filesize --no-time")
(writeShellScriptBin "spawn" ''exec "$@" &> /dev/null &'')
(writeShellScriptBin "silent-add" "git add --intent-to-add $@ ; git update-index --assume-unchanged $@")
urlencode urlencode
wget pstree
bat dos2unix
fastfetch treefmt
file
wget
hyfetch
util-linux
btop
neovim-remote
linuxPackages.perf
eza
eza gcc
starship jdk17
fd pkg-config
ripgrep unzip
file p7zip
pstree
rfindup
btop
unzip tea
fbcat
expect fbcat
gptfdisk gomuks
qrencode ranger
man-pages visualvm
man-pages-posix imagemagick
nmap
undollar parted
openssl glib
android-tools glibc
] expect
++ optionals graphical [ ]
wev ++ lib.optionals cfg.graphical [
k4dirstat wev
libva-utils qdirstat
gparted libva-utils
bottles gparted
wlvncc jetbrains.clion
jetbrains.idea-community
];
programs.git = {
enable = true;
lfs.enable = true;
config = {
init.defaultBranch = "main";
credential.username = cfg.tooling.git_user;
core.editor = lib.getExe pkgs.neovim;
user.name = cfg.tooling.git_user;
user.email = cfg.tooling.git_email;
push.autoSetupRemote = true;
core.autocrlf = "input";
commit.gpgsign = true;
pull.rebase = true;
alias = {
pfusch = "push --force-with-lease --force-if-includes";
fuck = "reset HEAD~1";
fixup = "commit --fixup";
};
};
};
environment.shellAliases = {
":q" = "exit";
"ls" = "eza";
"lix" = "nix";
};
programs.tmux = {
enable = true;
historyLimit = 42000;
#keyMode = "vi";
};
# virtualisation.docker.enable = true;
# services.dbus.implementation = "broker";
grimmShared.tooling.nvim.plugins = with pkgs.vimPlugins; [
vim-scala
fugitive
]; ];
environment.sessionVariables = { boot.tmp.cleanOnBoot = true;
MANPAGER = "sh -c 'col -bx | ${getExe pkgs.bat} -l man -p'"; zramSwap.enable = true;
MANROFFOPT = "-c";
SYSTEMD_PAGER = getExe pkgs.bat; programs.neovim = {
SYSTEMD_PAGERSECURE = "true"; enable = true;
viAlias = true;
defaultEditor = true;
configure = {
customRC =
let
luarc = pkgs.writeText "init.lua" (lib.concatLines tooling.nvim.extraLuaRC);
in
''
set number
set hidden
set fileencodings=utf-8
set nocompatible
set clipboard+=unnamedplus
set ff=unix
luafile ${luarc}
if filereadable($HOME . "/.vimrc")
source ~/.vimrc
endif
'';
packages.myVimPackage = {
start = tooling.nvim.plugins;
opt = [ ];
};
};
};
programs.ssh = {
startAgent = true;
enableAskPassword = graphical;
askPassword = lib.mkIf graphical (lib.getExe pkgs.lxqt.lxqt-openssh-askpass);
};
programs.thefuck.enable = true;
}; };
programs.command-not-found.enable = true; options.grimmShared.tooling = with lib; {
documentation.dev.enable = true;
# virtualisation.docker.enable = true;
services.dbus.implementation = "broker";
boot.tmp.cleanOnBoot = true;
# zramSwap.enable = false;
services.udev.packages = [
pkgs.android-udev-rules
];
programs.adb.enable = true;
};
options.grimmShared.tooling = {
enable = mkEnableOption "grimm-tooling"; enable = mkEnableOption "grimm-tooling";
nvim = {
plugins = mkOption {
type = types.listOf types.package;
default = [ ];
description = "Extra vim plugins to include";
};
extraLuaRC = mkOption {
type = types.listOf types.nonEmptyStr;
default = [ ];
description = "Extra init LUA scripts";
};
};
git_user = mkOption {
type = types.str;
default = "Grimmauld";
description = "Username for git to use";
};
git_email = mkOption {
type = types.str;
default = "${config.grimmShared.tooling.git_user}@grimmauld.de";
description = "Email for git to use";
};
}; };
} }

93
common/tooling/git.nix
View file

@ -1,93 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared) enable tooling;
inherit (lib)
mkOption
types
getExe
mkIf
;
inherit (builtins) toString readFile;
in
{
config = mkIf (enable && tooling.enable) {
environment.systemPackages = [
(pkgs.writeShellScriptBin "silent-add" "${getExe config.programs.git.package} add --intent-to-add $@ ; ${getExe config.programs.git.package} update-index --assume-unchanged $@")
pkgs.urlencode
pkgs.tea
pkgs.delta
pkgs.gh
];
programs.git = {
enable = true;
lfs.enable = true;
config =
let
key_file = ../../ssh/id_ed25519_sk.pub;
allowed_signers_file = pkgs.writeText "allowed_signers" ''${tooling.git_email} namespaces="git" ${readFile key_file}'';
in
{
init.defaultBranch = "main";
credential.username = tooling.git_user;
gpg.format = "ssh";
user.signingkey = toString key_file;
gpg.ssh.allowedSignersFile = toString allowed_signers_file;
user.name = tooling.git_user;
user.email = tooling.git_email;
push.autoSetupRemote = true;
core.autocrlf = "input";
commit.gpgsign = true;
safe.directory = "/etc/nixos";
core.excludesfile = (
pkgs.writeText ".gitignore" ''
.idea
.obsidian
*~
result
''
);
pull.rebase = false;
include.path = "${pkgs.delta.src}/themes.gitconfig";
core.pager = "delta";
interactive.diffFilter = "delta --color-only";
delta = {
navigate = true;
features = "mantis-shrimp";
};
merge.conflictstyle = "diff3";
diff.colorMoved = "default";
alias = {
pfusch = "push --force-with-lease --force-if-includes";
fuck = "reset HEAD~1";
fixup = "commit --fixup";
};
};
};
};
options.grimmShared.tooling = {
git_user = mkOption {
type = types.str;
default = "Grimmauld";
description = "Username for git to use";
};
git_email = mkOption {
type = types.str;
default = "${config.grimmShared.tooling.git_user}@grimmauld.de";
description = "Email for git to use";
};
};
}

77
common/tooling/helix.nix
View file

@ -1,77 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared) enable tooling;
inherit (lib)
mkOption
types
getExe
getExe'
mkIf
;
inherit (pkgs)
helix
symlinkJoin
writeTextDir
concatTextFile
makeWrapper
;
inherit (pkgs.writers) writeTOML;
conf-file-name = "config.toml";
lang-file-name = "languages.toml";
helix-conf = symlinkJoin {
name = "helix-conf";
paths = [
(concatTextFile {
name = "helix-conf-partial";
destination = "/${conf-file-name}";
files = [ (writeTOML conf-file-name config.programs.helix.config) ];
})
(writeTextDir lang-file-name ''
[[language]]
language-servers = ["nixd"]
name = "nix"
[language-server.nixd]
command = "${getExe pkgs.nixd}"
'')
];
};
helix-wrapped = pkgs.symlinkJoin {
name = helix.pname;
paths = [ helix ];
buildInputs = [ makeWrapper ];
postBuild = ''
wrapProgram $out/bin/${helix.meta.mainProgram} --add-flags "-c ${helix-conf}/${conf-file-name}"
'';
};
in
{
config = mkIf (enable && tooling.enable) {
environment.systemPackages = [ helix-wrapped ];
environment.sessionVariables.EDITOR = getExe' helix-wrapped "hx";
programs.helix.config = {
editor.cursor-shape.insert = "bar";
theme = "base16_transparent";
# editor.commands.git = ":sh git";
# keys.normal.Delete = "delete_selection";
};
};
options.programs.helix = {
config = mkOption {
type = types.attrs;
default = { };
description = "Helix configuration";
};
};
}

44
common/tooling/java.nix
View file

@ -1,44 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
lang_support_id = "java";
inherit (config.grimmShared) enable tooling graphical;
inherit (lib)
optionals
mkIf
types
mkOption
elem
;
in
{
config = mkIf (enable && tooling.enable && (elem lang_support_id tooling.supportedLangs)) {
environment.systemPackages = [
pkgs.jdk17
pkgs.visualvm
pkgs.gradle_7
] ++ optionals graphical [ pkgs.jetbrains.idea-community ];
environment.sessionVariables.JAVA_HOME = pkgs.jdk17.home;
grimmShared.tooling.lang_servers = [
{
lsp = {
package = pkgs.jdt-language-server;
};
fmt = {
package = pkgs.google-java-format;
includes = [ "*.java" ];
};
}
];
};
options.grimmShared.tooling.supportedLangs = mkOption {
type = types.listOf (types.enum [ lang_support_id ]);
};
}

72
common/tooling/lilypond.nix
View file

@ -5,53 +5,49 @@
... ...
}: }:
let let
inherit (config.grimmShared) enable tooling graphical; cfg = config.grimmShared;
inherit (lib)
getExe
optional
mkIf
optionalString
mkEnableOption
;
viewer_pkg = pkgs.zathura; viewer_pkg = pkgs.zathura;
viewer_def = optionalString graphical ''pdf_viewer = "${lib.getExe pkgs.zathura}",''; viewer_def = lib.optionalString cfg.graphical ''pdf_viewer = "${lib.getExe pkgs.zathura}",'';
in in
{ {
config = mkIf (enable && tooling.enable && tooling.lilypond) { config =
environment.systemPackages = [ pkgs.lilypond-with-fonts ] ++ optional graphical viewer_pkg; with cfg;
environment.sessionVariables = { lib.mkIf (enable && tooling.enable && tooling.lilypond) {
LYEDITOR = "${getExe pkgs.neovim-remote} -s +:'dr %(file)s | call cursor(%(line)s,%(char)s+1)'"; environment.systemPackages =
}; with pkgs;
[ lilypond-with-fonts ] ++ lib.optional graphical viewer_pkg;
environment.sessionVariables = {
LYEDITOR = "${lib.getExe pkgs.neovim-remote} -s +:'dr %(file)s | call cursor(%(line)s,%(char)s+1)'";
};
grimmShared.sound.midi = true; grimmShared.sound.midi = true;
grimmShared.tooling.nvim = { grimmShared.tooling.nvim = {
extraLuaRC = lib.singleton '' extraLuaRC = lib.singleton ''
require('nvls').setup({ require('nvls').setup({
lilypond = { lilypond = {
options = { options = {
${viewer_def} ${viewer_def}
},
}, },
}, latex = {
latex = { options = {
options = { ${viewer_def}
${viewer_def} },
}, },
}, player = {
player = { options = {
options = { fluidsynth_flags = {
fluidsynth_flags = { "/run/current-system/sw/share/soundfonts/FluidR3_GM2-2.sf2"
"/run/current-system/sw/share/soundfonts/FluidR3_GM2-2.sf2" }
} }
} }
} })
}) '';
''; };
grimmShared.tooling.nvim.plugins = with pkgs.vimPlugins; [ nvim-lilypond-suite ];
}; };
grimmShared.tooling.nvim.plugins = with pkgs.vimPlugins; [ nvim-lilypond-suite ]; options.grimmShared.tooling.lilypond = lib.mkEnableOption "enable lilypond tooling";
};
options.grimmShared.tooling.lilypond = mkEnableOption "enable lilypond tooling";
} }

113
common/tooling/lsp.nix
View file

@ -1,113 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared) enable tooling;
inherit (lib)
mkOption
types
mkIf
getName
getExe
filter
optionalString
concatLines
;
conf_def =
fmt:
(
''
[formatter.${getName fmt.package}]
command = "${fmt.command}"
includes = ${builtins.toJSON fmt.includes}
''
+ (optionalString (fmt.options != [ ]) "options = ${builtins.toJSON fmt.options}\n")
);
treefmt_conf = pkgs.writeText "treefmt.toml" (
concatLines (map (v: (conf_def v.fmt)) (filter (v: !isNull v.fmt) tooling.lang_servers))
);
find_conf = pkgs.writeShellScriptBin "find-treefmt-conf" "(${getExe pkgs.rfindup} treefmt.toml -e 2>/dev/null || echo ${treefmt_conf}) | tr -d '\n'";
in
{
config = mkIf (enable && tooling.enable) {
environment.systemPackages =
[ pkgs.treefmt ]
++ (map (v: v.lsp.package) (filter (v: !isNull v.lsp) tooling.lang_servers))
++ (map (v: v.fmt.package) (filter (v: !isNull v.fmt) tooling.lang_servers));
environment.shellAliases."treefmt" = "${getExe pkgs.treefmt} --config-file $(${getExe find_conf})";
};
options.grimmShared.tooling = {
supportedLangs = mkOption {
type = types.listOf (types.enum [ ]);
default = [ ];
description = "Languages for which to enable support";
};
lang_servers = mkOption {
type = types.listOf (
types.submodule {
options = {
lsp = mkOption {
type = types.nullOr (
types.submodule (
{ config, ... }:
{
options = {
package = mkOption {
type = types.package;
default = null;
description = "LSP package";
};
};
}
)
);
};
fmt = mkOption {
default = null;
type = types.nullOr (
types.submodule (
{ config, ... }:
{
options = {
package = mkOption {
type = types.package;
description = "FMT package";
};
options = mkOption {
type = types.listOf types.nonEmptyStr;
default = [ ];
};
includes = mkOption {
type = types.listOf types.nonEmptyStr;
default = [ ];
};
command = mkOption {
type = types.nonEmptyStr;
default = getExe config.package;
};
};
}
)
);
};
};
}
);
default = { };
description = "Language servers available on the system";
};
};
}

79
common/tooling/nix-index.nix
View file

@ -1,79 +0,0 @@
{
pkgs,
lib,
config,
...
}:
let
db_path = "/var/nix-index/current";
mode = "755";
user = "nix-index";
in
{
users.users."${user}" = {
isSystemUser = true;
group = user;
};
users.groups."${user}" = { };
# programs.nix-index.enable = true;
# programs.nix-index.enableBashIntegration = true;
nix.settings.allowed-users = [ user ];
environment.systemPackages = with pkgs; [
nix-index
];
systemd.tmpfiles.rules = [
"d /var/nix-index 0${mode} ${user} ${user} 14d"
];
environment.sessionVariables.NIX_INDEX_DATABASE = db_path;
systemd.services.nix-index-update = {
description = "update nix-index database";
after = [
"network-online.target"
"nix-daemon.service"
];
wants = [
"network-online.target"
"nix-daemon.service"
];
serviceConfig = {
Type = "simple";
Nice = 19;
# UMask = mode;
# DynamicUser = true;
ReadWritePaths = "/var/nix-index/";
CacheDirectory = "index-cache";
User = user;
Group = user;
};
environment.NIX_PATH = lib.concatStringsSep ":" config.nix.nixPath;
script = ''
platform="$(uname -m | sed 's/^arm64$/aarch64/')-$(uname | tr "[:upper:]" "[:lower:]")"
path="/var/nix-index/index-$platform-$(date -I)"
mkdir -p "$path" -m ${mode}
XDG_CACHE_HOME=$CACHE_DIRECTORY ${lib.getExe' pkgs.nix-index "nix-index"} --show-trace -c 0 -s $platform --db "$path" || exit 1
rm -f ${db_path}
ln -s "$path" ${db_path}
# && chmod ${mode} ${db_path}
echo "link success"
'';
enable = true;
};
systemd.timers.nix-index-update = {
description = "regularly update nix-index database";
timerConfig.Persistent = true;
timerConfig.OnCalendar = "Mon *-*-* 00:00:00";
wantedBy = [
"multi-user.target"
"timers.target"
];
enable = true;
};
}

47
common/tooling/nix.nix
View file

@ -1,73 +1,46 @@
{ {
pkgs, pkgs,
config,
lib, lib,
inputs, inputs,
system,
... ...
}: }:
let
cfg = config.grimmShared;
in
{ {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
(writeShellScriptBin "nix-referrers" "nix-store --query --referrers $@") (writeShellScriptBin "nix-referrers" "nix-store --query --referrers $@")
(writeShellScriptBin "nixpkgs-review-head" "nixpkgs-review rev HEAD") (writeShellScriptBin "nixpkgs-review-head" "nixpkgs-review rev HEAD")
(writeShellScriptBin "rebuild" "bash -c \"nixos-rebuild switch |& nom\"")
nixpkgs-review nixpkgs-review
nixpkgs-fmt
nixfmt-rfc-style nixfmt-rfc-style
nixd nixd
nixpkgs-hammering nixpkgs-hammering
nix-output-monitor nix-output-monitor
nix-search-cli nix-search-cli
nix-update niv
# niv
nvd
vulnix vulnix
nix-init
# inputs.nixpkgs-update.packages."${system}".default
]; ];
environment.sessionVariables = environment.sessionVariables = lib.mkIf pkgs.config.allowUnfree { NIXPKGS_ALLOW_UNFREE = "1"; };
(lib.mkIf pkgs.config.allowUnfree { NIXPKGS_ALLOW_UNFREE = "1"; })
// {
NH_NOM = 1;
};
environment.shellAliases."rebuild" = "nixos-rebuild switch |& nom"; grimmShared.tooling.nvim.plugins = with pkgs.vimPlugins; [ vim-nix ];
grimmShared.tooling.lang_servers = [
{
lsp.package = pkgs.nil;
fmt = {
package = pkgs.nixpkgs-fmt;
includes = [ "*.nix" ];
};
}
];
nix.settings = { nix.settings = {
experimental-features = [ experimental-features = [
"nix-command" "nix-command"
"flakes" "flakes"
"pipe-operator"
]; ];
warn-dirty = false; warn-dirty = false;
allowed-users = [
"@wheel"
"grimmauld"
];
}; };
programs.nh = {
enable = true;
# clean.enable = true;
clean.extraArgs = "--keep-since 14d --keep 16";
flake = "/etc/nixos";
};
nix.gc = { nix.gc = {
automatic = true; automatic = true;
dates = "weekly"; dates = "weekly";
options = "--delete-older-than 30d"; options = "--delete-older-than 30d";
}; };
# nix.package = pkgs.nixVersions.latest; # nix.package = pkgs.nixVersions.latest;
# nix.optimise.automatic = true; nix.optimise.automatic = true;
} }

83
common/tooling/python.nix
View file

@ -5,70 +5,33 @@
... ...
}: }:
let let
lang_support_id = "python"; cfg = config.grimmShared;
inherit (config.grimmShared) enable tooling graphical;
pyLibs =
python-pkgs: with python-pkgs; [
requests
matplotlib
numpy
scipy
pygobject3
pandas
];
inherit (lib)
mkIf
types
mkOption
mapAttrsToList
concatLines
getExe
elem
;
in in
{ {
config = mkIf (enable && tooling.enable && (elem lang_support_id tooling.supportedLangs)) { config =
environment.systemPackages = [ with cfg;
(pkgs.python3.withPackages pyLibs) lib.mkIf (enable && tooling.enable) {
]; # ++ lib.optionals graphical (with pkgs; [ jetbrains.pycharm-community ]); environment.systemPackages =
with pkgs;
[ python3 ] ++ lib.optionals cfg.graphical [ jetbrains.pycharm-community ];
programs.xonsh = { programs.xonsh = {
enable = true; enable = true;
config = config = lib.concatLines (
( lib.mapAttrsToList (
let name: value: ''aliases["${name}"] = "${value}"''
cfg = config.programs.starship;
settingsFormat = pkgs.formats.toml { };
settingsFile = settingsFormat.generate "starship.toml" cfg.settings;
in
''
$STARSHIP_CONFIG="${settingsFile}"
$SHELL="${getExe config.programs.xonsh.package}"
execx($(${getExe pkgs.starship} init xonsh))
''
)
+ concatLines (
mapAttrsToList (
name: value: "aliases[\"${name}\"] = '''${value}'''"
) config.environment.shellAliases ) config.environment.shellAliases
); );
package = pkgs.xonsh.override { extraPackages = pyLibs; }; package = pkgs.xonsh.override {
}; extraPackages =
ps: with ps; [
grimmShared.tooling.lang_servers = [ requests
{ matplotlib
lsp.package = pkgs.python311Packages.python-lsp-server; numpy
fmt = { scipy
package = pkgs.yapf; pygobject3
includes = [ "*.py" ]; ];
options = [ "-i" ];
}; };
} };
]; };
};
options.grimmShared.tooling.supportedLangs = mkOption {
type = types.listOf (types.enum [ lang_support_id ]);
};
} }

44
common/tooling/ranger.nix
View file

@ -1,44 +0,0 @@
{
pkgs,
config,
inputs,
lib,
...
}:
let
inherit (config.grimmShared) enable tooling;
inherit (lib)
mkIf
mapAttrs'
concatLines
attrNames
;
plugins = {
ranger_udisk_menu = pkgs.fetchFromGitea {
domain = "git.grimmauld.de";
owner = "grimmauld";
repo = "ranger_udisk_menu";
rev = "981756147834bb485ebcfa0e41ad60d05ccc4351";
hash = "sha256-5nFpEO/54MO6Esvkcqcyw2TI37ham70LkHtOXrYXfbY=";
};
# inputs.ranger_udisk_menu;
};
in
{
config = mkIf (enable && tooling.enable) {
services.gvfs = {
enable = true;
package = pkgs.gvfs;
};
environment.systemPackages = [ pkgs.ranger ];
environment.etc =
(mapAttrs' (n: v: {
name = "ranger/plugins/${n}";
value.source = v;
}) plugins)
// {
"ranger/commands.py".text = concatLines (map (n: "from plugins.${n} import *") (attrNames plugins));
};
};
}

45
common/tooling/rust.nix
View file

@ -1,45 +0,0 @@
{
pkgs,
lib,
config,
...
}:
let
lang_support_id = "rust";
inherit (lib)
optionals
mkIf
types
mkOption
elem
;
inherit (config.grimmShared) enable tooling graphical;
in
{
config = mkIf (enable && tooling.enable && (elem lang_support_id tooling.supportedLangs)) {
environment.systemPackages =
with pkgs;
[
pkg-config
cargo
rustup
]
++ optionals graphical [ jetbrains.clion jetbrains.rust-rover ];
grimmShared.tooling.lang_servers = [
{
lsp = {
package = pkgs.rust-analyzer;
};
fmt = {
package = pkgs.rustfmt;
includes = [ "*.rs" ];
};
}
];
};
options.grimmShared.tooling.supportedLangs = mkOption {
type = types.listOf (types.enum [ lang_support_id ]);
};
}

54
common/tooling/security.nix Normal file
View file

@ -0,0 +1,54 @@
{
pkgs,
config,
lib,
...
}:
let
cfg = config.grimmShared;
in
{
config =
with cfg;
lib.mkIf enable {
security.polkit.enable = true;
security.rtkit.enable = true;
security.doas.enable = true;
security.sudo.enable = false;
security.doas.extraRules = [
{
users = lib.attrNames (lib.filterAttrs (n: v: v.isNormalUser) config.users.users);
keepEnv = true;
persist = true;
}
];
environment.systemPackages =
with pkgs;
[
mkpasswd
gnupg
libsecret
vulnix
doas-sudo-shim # muscle memory
agenix
]
++ lib.optionals (tooling.enable && tooling.pass) [
pass
(writeShellScriptBin "passw" "pass $@")
]
++ lib.optional graphical lxqt.lxqt-policykit;
services.passSecretService.enable = lib.mkIf (tooling.enable && tooling.pass) true;
programs.gnupg.agent = {
settings = {
# default-cache-ttl = 6000;
};
pinentryPackage = with pkgs; lib.mkForce (if graphical then pinentry-qt else pinentry-tty);
enable = true;
};
};
options.grimmShared.tooling.pass = lib.mkEnableOption "Enables password-store, gnupg and such secret handling";
}

40
common/tooling/wine.nix
View file

@ -1,40 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared) enable tooling;
inherit (lib)
mkOption
types
getExe
mkIf
;
in
{
config = mkIf (enable && tooling.enable) {
virtualisation.libvirtd.enable = true;
programs.virt-manager.enable = true;
virtualisation.spiceUSBRedirection.enable = true;
# dconf.settings = {
# "org/virt-manager/virt-manager/connections" = {
# autoconnect = ["qemu:///system"];
# uris = ["qemu:///system"];
# };
# };
environment.systemPackages = with pkgs; [
winetricks
wineWow64Packages.stagingFull
dotnetCorePackages.dotnet_9.sdk
# jetbrains.rider
mono4
# (mono4.overrideAttrs { version="4.6.1"; sha256=""; })
tesseract4
];
};
}

15
common/xdg/default.nix
View file

@ -1,19 +1,6 @@
{ {
imports = [ imports = [
./portals.nix ./portals.nix
# ./mime.nix ./mime.nix
]; ];
xdg.terminal-exec = {
enable = true;
settings = {
default = [
"Alacritty.desktop"
"kitty.desktop"
];
};
};
xdg.icons.enable = true;
} }

145
common/xdg/mime.nix Normal file
View file

@ -0,0 +1,145 @@
{
pkgs,
config,
lib,
...
}:
let
cfg = config.grimmShared;
browsers = [
"firefox-beta.desktop"
"firefox.desktop"
];
text_editors = [
"nvim.desktop"
"geany.desktop"
"imhex.desktop"
];
image_viewers = [
"org.nomacs.ImageLounge.desktop"
"org.kde.krita.desktop"
"draw.desktop"
];
audio_players = [ "vlc.desktop" ];
video_viewers = [ "vlc.desktop" ];
document_viewers = [
"org.pwmt.zathura-pdf-mupdf.desktop"
"com.github.jeromerobert.pdfarranger.desktop"
] ++ browsers;
cad = [
"org.freecadweb.FreeCAD.desktop"
"PrusaSlicer.desktop"
"openscad.desktop"
"blender.desktop"
];
tex_editors = [ ] ++ text_editors;
in
{
config =
with cfg;
lib.mkIf (enable && portals && graphical) {
environment.systemPackages = with pkgs; [
deskwhich
zathura
alacritty
imhex
libreoffice-qt
filezilla
obsidian
nomacs
pdfarranger
geany
krita
weasis
kicad
prusa-slicer
freecad
openscad
vlc
blender
thunderbird
xdg-terminal-exec
xdg-utils
];
xdg.terminal-exec = {
enable = true;
settings = {
default = [
"Alacritty.desktop"
"kitty.desktop"
];
};
};
xdg.mime.enable = true;
xdg.mime.addedAssociations = {
"application/java-vm" = [
"idea-community.desktop"
"imhex.desktop"
];
"application/json" = text_editors ++ [ "firefox-beta.desktop" ];
"application/mp4" = video_viewers;
"application/ogg" = audio_players;
"application/octet-stream" = "imhex.desktop";
"application/pdf" = document_viewers;
"application/rss+xml" = text_editors;
"application/x-chess-pgn" = [ ] ++ text_editors; # fixme
"application/x-krita" = "org.kde.krita.desktop";
"application/x-latex" = tex_editors;
"application/x-tex" = tex_editors;
"application/x-texinfo" = tex_editors;
"application/xml" = text_editors;
"image/svg+xml" = image_viewers ++ browsers ++ text_editors;
"image/*" = image_viewers;
"image/vnd.dwg" = cad;
"model/*" = cad;
"gcode" = [
"PrusaGcodeviewer.desktop"
"PrusaSlicer.desktop"
];
"audio/*" = audio_players;
"text/*" = text_editors;
"text/plain" = text_editors;
"text/markdown" = [ "obsidian.desktop" ] ++ text_editors;
"text/csv" = [ "calc.desktop" ] ++ text_editors;
"text/html" = browsers ++ text_editors;
"text/x-python" = [ "pycharm-community.desktop" ] ++ text_editors;
"text/x-c" = [ "clion.desktop" ] ++ text_editors;
"text/x-java-source" = [ "idea-community.desktop" ] ++ text_editors;
"video/*" = video_viewers;
"inode/directory" = [
"ranger.desktop"
"dolphin.desktop"
];
"x-scheme-handler/mailto" = "thunderbird.desktop";
"application/vnd.oasis.opendocument.chart" = "calc.desktop";
"application/vnd.oasis.opendocument.chart-template" = "calc.desktop";
"application/vnd.oasis.opendocument.database" = "base.desktop";
"application/vnd.oasis.opendocument.formula" = "math.desktop";
"application/vnd.oasis.opendocument.formula-template" = "math.desktop";
"application/vnd.oasis.opendocument.graphics" = "draw.desktop";
"application/vnd.oasis.opendocument.graphics-template" = "draw.desktop";
"application/vnd.oasis.opendocument.image" = "draw.desktop";
"application/vnd.oasis.opendocument.image-template" = "draw.desktop";
"application/vnd.oasis.opendocument.presentation" = "impress.desktop";
"application/vnd.oasis.opendocument.presentation-template" = "impress.desktop";
"application/vnd.oasis.opendocument.spreadsheet" = "calc.desktop";
"application/vnd.oasis.opendocument.spreadsheet-template" = "calc.desktop";
"application/vnd.oasis.opendocument.text" = "writer.desktop";
"application/vnd.oasis.opendocument.text-master" = "writer.desktop";
"application/vnd.oasis.opendocument.text-template" = "writer.desktop";
"application/vnd.oasis.opendocument.text-web" = "writer.desktop";
"application/vnd.openxmlformats-officedocument.presentationml.presentation" = "impress.desktop";
"application/vnd.openxmlformats-officedocument.presentationml.slide" = "impress.desktop";
"application/vnd.openxmlformats-officedocument.presentationml.slideshow" = "impress.desktop";
"application/vnd.openxmlformats-officedocument.presentationml.template" = "impress.desktop";
"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet" = "calc.desktop";
"application/vnd.openxmlformats-officedocument.spreadsheetml.template" = "calc.desktop";
"application/vnd.openxmlformats-officedocument.wordprocessingml.document" = "writer.desktop";
"application/vnd.openxmlformats-officedocument.wordprocessingml.template" = "writer.desktop";
};
};
}

92
common/xdg/portals.nix
View file

@ -5,68 +5,44 @@
... ...
}: }:
let let
inherit (config.grimmShared) cfg = config.grimmShared;
enable
portals
sound
screens
;
inherit (lib)
mkIf
mkEnableOption
mapAttrs'
foldl'
min
getExe
isInt
nameValuePair
;
in in
{ {
config = mkIf (enable && portals) { config =
xdg.icons.enable = true; with cfg;
xdg.sounds.enable = lib.mkIf sound.enable true; lib.mkIf (enable && portals) {
xdg.icons.enable = true;
xdg.sounds.enable = lib.mkIf sound.enable true;
xdg.portal = { xdg.portal = {
enable = true; enable = true;
xdgOpenUsePortal = true; xdgOpenUsePortal = true;
extraPortals = with pkgs; [ extraPortals = with pkgs; [
xdg-desktop-portal-wlr xdg-desktop-portal-wlr
# xdg-desktop-portal-kde xdg-desktop-portal-kde
# xdg-desktop-portal-gtk xdg-desktop-portal-gtk
# lxqt.xdg-desktop-portal-lxqt ];
];
wlr.enable = true; wlr.enable = true;
wlr.settings = mapAttrs' ( wlr.settings =
name: value: with lib;
nameValuePair ("screencast_" + name) { mapAttrs' (
output_name = value.id; name: value:
max_fps = if isInt value.fps then value.fps else (foldl' min 2147483647 value.fps); nameValuePair ("screencast_" + name) {
chooser_type = "simple"; output_name = value.id;
chooser_cmd = "${getExe pkgs.slurp} -f %o -or"; max_fps = if isInt value.fps then value.fps else (foldl' min 2147483647 value.fps);
} chooser_type = "simple";
) screens; chooser_cmd = "${getExe pkgs.slurp} -f %o -or";
}
) cfg.screens;
};
environment.sessionVariables = {
XDG_CONFIG_HOME = "$HOME/.config";
};
environment.systemPackages = with pkgs; [ xwaylandvideobridge ];
}; };
environment.sessionVariables = { options.grimmShared.portals = lib.mkEnableOption "Enables portals for wlr, gtk and kde as well as fixes fonts";
XDG_CONFIG_HOME = "$HOME/.config";
XDG_DESKTOP_DIR = "$HOME/Desktop";
XDG_DOCUMENTS_DIR = "$HOME/Documents";
XDG_DOWNLOAD_DIR = "$HOME/Downloads";
XDG_MUSIC_DIR = "$HOME/Music";
XDG_PICTURES_DIR = "$HOME/Pictures";
XDG_PUBLICSHARE_DIR = "$HOME/Public";
XDG_TEMPLATES_DIR = "$HOME/Templates";
XDG_VIDEOS_DIR = "$HOME/Videos";
};
environment.systemPackages = with pkgs; [
xwaylandvideobridge
xdg-user-dirs
confwhich
];
};
options.grimmShared.portals = mkEnableOption "Enables portals for wlr, gtk and kde as well as fixes fonts";
} }

15
configuration.nix
View file

@ -1,33 +1,24 @@
{ pkgs, ... }: { config, pkgs, ... }:
{ {
imports = [ imports = [
./overlays ./overlays
./common ./common
# ./fake_flake.nix ./fake_flake.nix
./users.nix ./users.nix
./custom
]; ];
# Bootloader. # Bootloader.
boot = { boot = {
loader.efi.canTouchEfiVariables = true; loader.efi.canTouchEfiVariables = true;
# kernelPackages = lib.mkDefault pkgs.linuxPackages_zen;
}; };
nix.package = pkgs.lix; services.logrotate.checkConfig = false; # fixme: actually needed?
nixpkgs.config.allowUnfree = true;
grimmShared = { grimmShared = {
enable = true; enable = true;
locale = true; locale = true;
network = true; network = true;
tooling = { tooling = {
supportedLangs = [
"rust"
"c"
"java"
"python"
];
enable = true; enable = true;
}; };
}; };

29
custom/confwhich/package.nix
View file

@ -1,29 +0,0 @@
{
lib,
rustPlatform,
fetchFromGitea,
}:
rustPlatform.buildRustPackage {
pname = "confwhich";
version = "unstable-2024-05-14";
src = fetchFromGitea {
domain = "git.grimmauld.de";
owner = "Grimmauld";
repo = "confwhich";
rev = "e561b82d1e2b0d0998ccbef316014297f3468fb6";
hash = "sha256-dMkUJMQjlKzmSsgtH0xOZ5Bk654+h84M1cTx8hVM5SQ=";
};
useFetchCargoVendor = true;
cargoHash = "sha256-YSi7sObmclTR6BSQPSN54/2aurXxCl/q2i8hutlJXkw=";
meta = {
description = "tool to find the path of xdg config files";
homepage = "https://git.grimmauld.de/Grimmauld/confwhich";
license = lib.licenses.bsd3;
mainProgram = "confwhich";
maintainers = with lib.maintainers; [ grimmauld ];
platforms = lib.platforms.linux;
};
}

11
custom/default.nix
View file

@ -1,11 +0,0 @@
{ lib, ... }: {
nixpkgs.overlays = lib.singleton (final: prev: {
confwhich = prev.callPackage ./confwhich/package.nix { };
deskwhich = prev.callPackage ./deskwhich/package.nix { };
linux-bench = prev.callPackage ./linux-bench/package.nix { };
ooye = prev.callPackage ./ooye/package.nix { };
rfindup = prev.callPackage ./rfindup/package.nix { };
searchclip = prev.callPackage ./searchclip/package.nix { };
tlpui = prev.callPackage ./tlpui/package.nix { };
});
}

13
custom/deskwhich/package.nix
View file

@ -3,20 +3,19 @@
lib, lib,
rustPlatform, rustPlatform,
}: }:
rustPlatform.buildRustPackage { rustPlatform.buildRustPackage rec {
pname = "deskwhich"; pname = "deskwhich";
version = "unstable-2024-04-30"; version = "unstable-2024-04-30";
src = fetchFromGitea { src = fetchFromGitea {
domain = "git.grimmauld.de"; domain = "codeberg.org";
owner = "grimmauld"; owner = "axtlos";
repo = "deskwhich"; repo = "deskwhich";
rev = "ed412216666a6a22918e57c5dd1fde3855eb0f5f"; rev = "cbe8a0cdf4bdbb26faecb028e79ad6c409376051";
hash = "sha256-uSXxUehZY1Sp08X3khSQtQc8AT00jJTAsQ+OfTTTkss="; hash = "sha256-c0Q0oYIB/1eutV7tkqYXvDMw8A7YsT+5+CmmwbGvcNk=";
}; };
useFetchCargoVendor = true; cargoHash = "sha256-fBC3UBf9oLswlR6Kgw3nSwjqAtn7VQGzvbUJaYnOid4=";
cargoHash = "sha256-e4wWQ0QOl0vDRbOFs7eN49sQJXBiJGsHiDLE68NiK8Y=";
meta = { meta = {
description = "tool to find the path of desktop entries"; description = "tool to find the path of desktop entries";

48
custom/linux-bench/package.nix
View file

@ -1,48 +0,0 @@
{
lib,
buildGoModule,
fetchFromGitea,
makeWrapper,
gnugrep,
iptables,
}:
buildGoModule rec {
pname = "linux-bench";
version = "0-unstable-2025-01-31";
# src = fetchFromGitHub {
# owner = "aquasecurity";
# repo = "linux-bench";
# rev = "ce039756a6211beca47a23220c31998a9a891ad0";
# hash = "sha256-wprsaIe6hgH28yHkSqdHQdFyQMvObQY6hChsfBTviTA=";
# };
src = fetchFromGitea {
owner = "grimmauld";
repo = "linux-bench";
rev = "a936791cd0f4b4c02eb6294a3156ee784bf23c6a";
hash = "sha256-8V0PUZJgNYPM81EH14nw4JpNH4StR1u1PbM+6GVpXVk=";
domain = "git.grimmauld.de";
};
nativeBuildInputs = [
makeWrapper
];
vendorHash = "sha256-dlynz7mOiN+5ndYkmCUQu/Z31AwmJ+J2S3EBjQG5nWI=";
postInstall = ''
wrapProgram $out/bin/linux-bench \
--add-flags "--config-dir ${src}/cfg" \
--prefix PATH : ${lib.makeBinPath [ gnugrep iptables ]}
'';
meta = {
description = "Checks whether a Linux server according to security best practices as defined in the CIS Distribution-Independent Linux Benchmark";
homepage = "https://github.com/aquasecurity/linux-bench";
license = lib.licenses.asl20;
maintainers = with lib.maintainers; [ grimmauld ];
mainProgram = "linux-bench";
};
}

41
custom/ooye/package.nix
View file

@ -1,41 +0,0 @@
{
buildNpmPackage,
lib,
nodejs,
fetchgit,
}:
buildNpmPackage rec {
pname = "out-of-your-element";
version = "3.0.5";
src = fetchgit {
url = "https://gitdab.com/cadence/out-of-your-element";
rev = "v3.0-beta5";
hash = "sha256-3Y6s9pNKKeqF6s4I2Rd4TpxXPCwqizXeil/sTDVnpr0=";
};
npmDepsHash = "sha256-1STam+Sjy2MQcK5TmRacoxmgErd2sNqw0yIFX2M+iZk=";
dontNpmBuild = true;
postInstall = ''
# create wrapper
makeWrapper "${lib.getExe nodejs}" "$out/bin/ooye-setup" \
--add-flags "$out/lib/node_modules/out-of-your-element/scripts/setup.js"
makeWrapper "${lib.getExe nodejs}" "$out/bin/ooye-addbot" \
--add-flags "$out/lib/node_modules/out-of-your-element/addbot.js"
makeWrapper "${lib.getExe nodejs}" "$out/bin/ooye-start" \
--add-flags "$out/lib/node_modules/out-of-your-element/start.js"
'';
meta = {
description = "";
homepage = "https://gitdab.com/cadence/out-of-your-element";
license = lib.licenses.agpl3Only;
maintainers = with lib.maintainers; [ grimmauld ];
mainProgram = "out-of-your-element";
platforms = lib.platforms.all;
};
}

29
custom/rfindup/package.nix
View file

@ -1,29 +0,0 @@
{
lib,
rustPlatform,
fetchFromGitea,
}:
rustPlatform.buildRustPackage {
pname = "rfindup";
version = "unstable-2024-09-24";
src = fetchFromGitea {
domain = "git.grimmauld.de";
owner = "Grimmauld";
repo = "rfindup";
rev = "ee4d9997702d6e7c6735436f2b33e15e20669745";
hash = "sha256-nbC/nM6orM19Qh/1bpN6gxOqvhCO4cVBumgEFl9G4Rs=";
};
useFetchCargoVendor = true;
cargoHash = "sha256-S+NpQti2fgaz1UogqXbo+1mgkmetf/brQFcDrW00ZiU=";
meta = {
description = "tool to find files by name in parent directories";
homepage = "https://git.grimmauld.de/Grimmauld/rfindup";
license = lib.licenses.bsd3;
mainProgram = "rfindup";
maintainers = with lib.maintainers; [ grimmauld ];
platforms = lib.platforms.linux;
};
}

16
custom/searchclip/package.nix
View file

@ -1,16 +0,0 @@
{
writeShellScriptBin,
lib,
urlencode,
}:
let
inherit (lib) getExe;
in
writeShellScriptBin "searchclip" ''
xdg-open https://www.google.com/search?q=$(wl-paste -p | ${getExe urlencode})
browser=$(xdg-settings get default-web-browser | sed "s/\.desktop//")
if [[ -v SWAYSOCK ]]; then
sleep .1
swaymsg [app_id="$browser" urgent="newest"] focus
fi
''

69
custom/tlpui/package.nix
View file

@ -1,69 +0,0 @@
{
fetchFromGitHub,
gobject-introspection,
gtk3,
lib,
pciutils,
python3Packages,
substituteAll,
tlp,
usbutils,
wrapGAppsHook,
}:
python3Packages.buildPythonPackage rec {
pname = "tlpui";
version = "1.6.5";
pyproject = true;
src = fetchFromGitHub {
owner = "d4nj1";
repo = "TLPUI";
rev = "refs/tags/tlpui-${version}";
hash = "sha256-pgzGhf2WDRNQ2z0hPapUJA5MLTKq92UlgjC+G78T/4s=";
};
patches = [
(substituteAll {
src = ./path.patch;
inherit tlp;
})
];
# ignore test/test_tlp_settings.py asit relies on opening a gui which is non-trivial
pytestFlagsArray = [ "--ignore=test/test_tlp_settings.py" ];
nativeCheckInputs = [
gobject-introspection
python3Packages.pytestCheckHook
];
build-system = [
wrapGAppsHook
python3Packages.poetry-core
];
buildInputs = [ tlp ];
dependencies = [
gobject-introspection
gtk3
pciutils
python3Packages.pycairo
python3Packages.pygobject3
python3Packages.pyyaml
usbutils
];
meta = {
changelog = "https://github.com/d4nj1/TLPUI/releases/tag/tlpui-${version}";
description = "A GTK user interface for TLP written in Python";
homepage = "https://github.com/d4nj1/TLPUI";
license = lib.licenses.gpl2Only;
longDescription = ''
The Python scripts in this project generate a GTK-UI to change TLP configuration files easily.
It has the aim to protect users from setting bad configuration and to deliver a basic overview of all the valid configuration values.
'';
platforms = lib.platforms.linux;
mainProgram = "tlpui";
maintainers = with lib.maintainers; [ grimmauld ];
};
}

57
custom/tlpui/path.patch
View file

@ -1,57 +0,0 @@
diff --git a/tlpui/file.py b/tlpui/file.py
index f0f3ecb..a9ad7f8 100644
--- a/tlpui/file.py
+++ b/tlpui/file.py
@@ -26,7 +26,7 @@ def get_tlp_config_defaults(tlpversion: str):
tlpconfig_defaults = extract_default_tlp_configs(f"{settings.workdir}/defaults/tlp-{tlpversion}.conf")
# update default values with intrinsic ones
- intrinsic_defaults_path = f"{settings.FOLDER_PREFIX}/usr/share/tlp/defaults.conf"
+ intrinsic_defaults_path = f"@tlp@/share/tlp/defaults.conf"
tlpconfig_defaults.update(extract_default_tlp_configs(intrinsic_defaults_path))
return tlpconfig_defaults
@@ -124,7 +124,10 @@ def create_tmp_tlp_config_file(changedproperties: dict) -> str:
filehandler, tmpfilename = mkstemp(dir=settings.TMP_FOLDER)
newfile = open(tmpfilename, mode='w', encoding='utf-8')
- oldfile = open(settings.tlpconfigfile, encoding='utf-8')
+ try:
+ oldfile = open(settings.tlpconfigfile, encoding='utf-8')
+ except FileNotFoundError:
+ oldfile = open("@tlp@/etc/tlp.conf", encoding='utf-8')
lines = oldfile.readlines()
oldfile.close()
diff --git a/tlpui/mainui.py b/tlpui/mainui.py
index 0242514..da59046 100644
--- a/tlpui/mainui.py
+++ b/tlpui/mainui.py
@@ -115,8 +115,12 @@ def changed_items_dialog(window, tmpfilename: str, dialogtitle: str, message: st
scrolledwindow.set_hexpand(True)
scrolledwindow.set_vexpand(True)
- with open(settings.tlpconfigfile, encoding='utf-8') as fromfile:
- fromfilecontent = fromfile.readlines()
+ try:
+ with open(settings.tlpconfigfile, encoding='utf-8') as fromfile:
+ fromfilecontent = fromfile.readlines()
+ except FileNotFoundError:
+ with open("@tlp@/etc/tlp.conf", encoding='utf-8') as fromfile:
+ fromfilecontent = fromfile.readlines()
with open(tmpfilename, encoding='utf-8') as tofile:
tofilecontent = tofile.readlines()
diff = settings.tlpbaseconfigfile + '\n\n'
diff --git a/tlpui/settingshelper.py b/tlpui/settingshelper.py
index 69481c0..d769029 100644
--- a/tlpui/settingshelper.py
+++ b/tlpui/settingshelper.py
@@ -20,7 +20,7 @@ def exec_command(commands: [str]):
def get_tlp_config_file(prefix: str) -> str:
"""Select tlp config file by prefix."""
- return f"{prefix}/etc/tlp.conf"
+ return f"{prefix}/etc/tlp.d/30-tlpui.conf"
def check_binaries_exist(flatpak_folder_prefix: str) -> None:

73
dual_monitor_otd.json
View file

@ -1,73 +0,0 @@
{
"Profiles": [
{
"Tablet": "Wacom PTH-660",
"OutputMode": {
"Path": "OpenTabletDriver.Desktop.Output.AbsoluteMode",
"Settings": [],
"Enable": true
},
"Filters": [],
"AbsoluteModeSettings": {
"Display": {
"Width": 3840.0,
"Height": 1080.0,
"X": 1920.0,
"Y": 540.0,
"Rotation": 0.0
},
"Tablet": {
"Width": 148.0,
"Height": 42.0,
"X": 112.0,
"Y": 74.0,
"Rotation": 90.0
},
"EnableClipping": true,
"EnableAreaLimiting": false,
"LockAspectRatio": false
},
"RelativeModeSettings": {
"XSensitivity": 10.0,
"YSensitivity": 10.0,
"RelativeRotation": 0.0,
"RelativeResetDelay": "00:00:00.1000000"
},
"Bindings": {
"TipActivationThreshold": 0.0,
"TipButton": {
"Path": "OpenTabletDriver.Desktop.Binding.MouseBinding",
"Settings": [
{
"Property": "Button",
"Value": "Left"
}
],
"Enable": true
},
"EraserActivationThreshold": 0.0,
"EraserButton": null,
"PenButtons": [
null,
null
],
"AuxButtons": [
null,
null,
null,
null,
null,
null,
null,
null
],
"MouseButtons": [],
"MouseScrollUp": null,
"MouseScrollDown": null
}
}
],
"LockUsableAreaDisplay": true,
"LockUsableAreaTablet": true,
"Tools": []
}

107
fake_flake.nix Normal file
View file

@ -0,0 +1,107 @@
{
pkgs,
lib,
config,
system,
...
}:
let
nivSources = import ./nix/sources.nix;
asGithubRef = src: "github:${src.owner}/${src.repo}/${src.rev}";
build_target =
let
env_host = builtins.getEnv "NIXOS_TARGET_HOST";
in
if env_host != "" then
env_host
else
builtins.replaceStrings [ "\n" ] [ "" ] (lib.toLower (builtins.readFile /proc/sys/kernel/hostname));
host_modules = {
grimmauld-nixos = [ ./specific/grimm-nixos-laptop/configuration.nix ];
grimmauld-nixos-server = [
./specific/grimmauld-nixos-server/configuration.nix
./modules/letsencrypt.nix
./modules/matrix.nix
./modules/puffer.nix
./modules/gitea.nix
./modules/grafana.nix
./modules/nextcloud.nix
./modules/prometheus.nix
# ./modules/mjolnir.nix
./modules/fail2ban.nix
./modules/email.nix
./modules/discord-matrix-bridge.nix
./modules/mastodon.nix
];
};
nixpkgs_patches = [
{
# tlpui
url = "https://patch-diff.githubusercontent.com/raw/NixOS/nixpkgs/pull/305278.patch";
hash = "sha256-vmzj7gF8jwHdqxN+dQiJ4MRxKpHvBTzbrUvFgt1DK8I=";
}
];
in
{
imports = [
"${nivSources.agenix}/modules/age.nix"
(import "${nivSources.lix-module}/module.nix" { lix = nivSources.lix-pkg; })
"${nivSources.nixos-mailserver}/default.nix"
"${nivSources.nixos-matrix-modules}/module.nix"
# fixme: ideally we'd not rely on the flake syntax to load the module
(builtins.getFlake (asGithubRef nivSources.chaotic)).nixosModules.default
# (builtins.getFlake (asGithubRef nivSources.nixos-matrix-modules)).nixosModules.default
# (builtins.getFlake "git+${nivSources.nixos-mailserver.repo}").nixosModules.default
] ++ lib.optionals (builtins.hasAttr build_target host_modules) host_modules.${build_target};
nixpkgs.hostPlatform = system;
# system.nixos = {
# distroId = "lixos";
# distroName = "LixOS";
# };
environment.sessionVariables = with config.system.nixos; {
distro = "${distroName} ${version} (${codeName}) ${system}";
};
nixpkgs.pkgs =
let
src = nivSources.nixpkgs;
config = {
allowUnfree = true;
};
unpatched = import src { inherit config system; };
inherit (unpatched) applyPatches fetchpatch;
in
import (applyPatches {
name = "nixpkgs-patched";
inherit src;
patches = map fetchpatch nixpkgs_patches;
}) { inherit config; };
nixpkgs.overlays = lib.singleton (
final: prev: { agenix = final.callPackage "${nivSources.agenix}/pkgs/agenix.nix" { }; }
);
_module.args = {
system = "x86_64-linux";
};
nix.settings.extra-substituters = [
"https://cache.lix.systems"
"https://nyx.chaotic.cx/"
];
nix.settings.trusted-public-keys = [
"cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o="
"nyx.chaotic.cx-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8="
"chaotic-nyx.cachix.org-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8="
];
}

706
flake.lock generated
View file

@ -1,706 +0,0 @@
{
"nodes": {
"aa-alias-manager": {
"inputs": {
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks": "pre-commit-hooks",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1739727446,
"narHash": "sha256-t+KH1NoR/HauQlYgKaNKkxCoSQ4PwPdp5r6nGc3K/tE=",
"owner": "LordGrimmauld",
"repo": "aa-alias-manager",
"rev": "cf56427c87bf93537f0c4f9896beef2da146860b",
"type": "github"
},
"original": {
"owner": "LordGrimmauld",
"repo": "aa-alias-manager",
"type": "github"
}
},
"aagl-gtk-on-nix": {
"inputs": {
"flake-compat": "flake-compat_2",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1736877444,
"narHash": "sha256-K25atZ9alRsGb6TW+rRcpJTbtP5tnb3qusd762B2qWw=",
"owner": "ezKEa",
"repo": "aagl-gtk-on-nix",
"rev": "a1f0ce3bfbe9f0cc81e8b7def5e652a021e95c98",
"type": "github"
},
"original": {
"owner": "ezKEa",
"repo": "aagl-gtk-on-nix",
"type": "github"
}
},
"agenix": {
"inputs": {
"agenix": "agenix_2",
"crane": "crane",
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
"rust-overlay": "rust-overlay_2"
},
"locked": {
"lastModified": 1726755133,
"narHash": "sha256-03XIEjHeZEjHXctsXYUB+ZLQmM0WuhR6qWQjwekFk/M=",
"owner": "yaxitech",
"repo": "ragenix",
"rev": "687ee92114bce9c4724376cf6b21235abe880bfa",
"type": "github"
},
"original": {
"owner": "yaxitech",
"repo": "ragenix",
"type": "github"
}
},
"agenix_2": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": [
"agenix",
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1723293904,
"narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
"owner": "ryantm",
"repo": "agenix",
"rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"apparmor-dev": {
"inputs": {
"flake-utils": "flake-utils_2",
"nix-github-actions": "nix-github-actions_2",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1734881868,
"narHash": "sha256-ONpu806E6j/23ZCgvfAR7bNusDjC5bVThTOjNkUMIqQ=",
"owner": "LordGrimmauld",
"repo": "apparmor-dev",
"rev": "032cb3469176411d5bda5642049abc468073e18a",
"type": "github"
},
"original": {
"owner": "LordGrimmauld",
"repo": "apparmor-dev",
"type": "github"
}
},
"blobs": {
"flake": false,
"locked": {
"lastModified": 1604995301,
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"type": "gitlab"
}
},
"chaotic": {
"inputs": {
"fenix": "fenix",
"flake-schemas": "flake-schemas",
"home-manager": "home-manager_2",
"jovian": "jovian",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1740016447,
"narHash": "sha256-96hBRGwuG+CFI5+inRIDCh0Za4LOt1dlbO3pFOokw6Y=",
"owner": "chaotic-cx",
"repo": "nyx",
"rev": "ed7900391a1969bb0bde432fd3952a6dda37114c",
"type": "github"
},
"original": {
"owner": "chaotic-cx",
"ref": "nyxpkgs-unstable",
"repo": "nyx",
"type": "github"
}
},
"crane": {
"locked": {
"lastModified": 1725409566,
"narHash": "sha256-PrtLmqhM6UtJP7v7IGyzjBFhbG4eOAHT6LPYOFmYfbk=",
"owner": "ipetkov",
"repo": "crane",
"rev": "7e4586bad4e3f8f97a9271def747cf58c4b68f3c",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"fenix": {
"inputs": {
"nixpkgs": [
"chaotic",
"nixpkgs"
],
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
"lastModified": 1739946876,
"narHash": "sha256-ek0u5FT5yjqYKjF/0HQKwDH2ISZzyvYwu+My5hmSwbU=",
"owner": "nix-community",
"repo": "fenix",
"rev": "95c1eab59767a3dbb11d6616d4ff736813ce41d2",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "fenix",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1733328505,
"narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-schemas": {
"locked": {
"lastModified": 1721999734,
"narHash": "sha256-G5CxYeJVm4lcEtaO87LKzOsVnWeTcHGKbKxNamNWgOw=",
"rev": "0a5c42297d870156d9c57d8f99e476b738dcd982",
"revCount": 75,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/DeterminateSystems/flake-schemas/0.1.5/0190ef2f-61e0-794b-ba14-e82f225e55e6/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/DeterminateSystems/flake-schemas/%3D0.1.5.tar.gz"
}
},
"flake-utils": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"aa-alias-manager",
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"chaotic",
"nixpkgs"
]
},
"locked": {
"lastModified": 1739913864,
"narHash": "sha256-WhzgQjadrwnwPJQLLxZUUEIxojxa7UWDkf7raAkB1Lw=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "97ac0801d187b2911e8caa45316399de12f6f199",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_3": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1736941558,
"narHash": "sha256-Q7o9lUoKqw94IhmlhwguhPZX9AJNLnkVb56XHa0W5/I=",
"ref": "refs/heads/master",
"rev": "1ffbc5166cf74f9e5342fca7e3f2257c8d96b5df",
"revCount": 3997,
"type": "git",
"url": "https://git.grimmauld.de/Grimmauld/home-manager"
},
"original": {
"type": "git",
"url": "https://git.grimmauld.de/Grimmauld/home-manager"
}
},
"jovian": {
"inputs": {
"nix-github-actions": "nix-github-actions_3",
"nixpkgs": [
"chaotic",
"nixpkgs"
]
},
"locked": {
"lastModified": 1739952453,
"narHash": "sha256-+tyFW6nNj1fJ1VTtLeqe1PMp5F7Fb9zIkT6mUvdQHrM=",
"owner": "Jovian-Experiments",
"repo": "Jovian-NixOS",
"rev": "b2ed82d3ff837960df4518308dfe409dda3ae406",
"type": "github"
},
"original": {
"owner": "Jovian-Experiments",
"repo": "Jovian-NixOS",
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"aa-alias-manager",
"nixpkgs"
]
},
"locked": {
"lastModified": 1731952509,
"narHash": "sha256-p4gB3Rhw8R6Ak4eMl8pqjCPOLCZRqaehZxdZ/mbFClM=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "7b5f051df789b6b20d259924d349a9ba3319b226",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nix-github-actions_2": {
"inputs": {
"nixpkgs": [
"apparmor-dev",
"nixpkgs"
]
},
"locked": {
"lastModified": 1731952509,
"narHash": "sha256-p4gB3Rhw8R6Ak4eMl8pqjCPOLCZRqaehZxdZ/mbFClM=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "7b5f051df789b6b20d259924d349a9ba3319b226",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nix-github-actions_3": {
"inputs": {
"nixpkgs": [
"chaotic",
"jovian",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729697500,
"narHash": "sha256-VFTWrbzDlZyFHHb1AlKRiD/qqCJIripXKiCSFS8fAOY=",
"owner": "zhaofengli",
"repo": "nix-github-actions",
"rev": "e418aeb728b6aa5ca8c5c71974e7159c2df1d8cf",
"type": "github"
},
"original": {
"owner": "zhaofengli",
"ref": "matrix-name",
"repo": "nix-github-actions",
"type": "github"
}
},
"nixos-mailserver": {
"inputs": {
"blobs": "blobs",
"flake-compat": "flake-compat_3",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-24_11": "nixpkgs-24_11"
},
"locked": {
"lastModified": 1739121270,
"narHash": "sha256-EmJhpy9U8sVlepl2QPjG019VfG67HcucsQNItTqW6cA=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "8c1c4640b878c692dd3d8055e8cdea0a2bbd8cf3",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"ref": "master",
"repo": "nixos-mailserver",
"type": "gitlab"
}
},
"nixos-matrix-modules": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1735857245,
"narHash": "sha256-AKLLPrgXTxgzll3DqVUMa4QlPlRN3QceutgFBmEf8Nk=",
"owner": "dali99",
"repo": "nixos-matrix-modules",
"rev": "da9dc0479ffe22362793c87dc089035facf6ec4d",
"type": "github"
},
"original": {
"owner": "dali99",
"repo": "nixos-matrix-modules",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1739866667,
"narHash": "sha256-EO1ygNKZlsAC9avfcwHkKGMsmipUk1Uc0TbrEZpkn64=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "73cf49b8ad837ade2de76f87eb53fc85ed5d4680",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-24_11": {
"locked": {
"lastModified": 1734083684,
"narHash": "sha256-5fNndbndxSx5d+C/D0p/VF32xDiJCJzyOqorOYW4JEo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "314e12ba369ccdb9b352a4db26ff419f7c49fa84",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-24.11",
"type": "indirect"
}
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat",
"gitignore": "gitignore",
"nixpkgs": [
"aa-alias-manager",
"nixpkgs"
]
},
"locked": {
"lastModified": 1735882644,
"narHash": "sha256-3FZAG+pGt3OElQjesCAWeMkQ7C/nB1oTHLRQ8ceP110=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "a5a961387e75ae44cc20f0a57ae463da5e959656",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"root": {
"inputs": {
"aa-alias-manager": "aa-alias-manager",
"aagl-gtk-on-nix": "aagl-gtk-on-nix",
"agenix": "agenix",
"apparmor-dev": "apparmor-dev",
"chaotic": "chaotic",
"home-manager": "home-manager_3",
"nixos-mailserver": "nixos-mailserver",
"nixos-matrix-modules": "nixos-matrix-modules",
"nixpkgs": "nixpkgs"
}
},
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1739913186,
"narHash": "sha256-7MSzs64dLDgq1wFw2eujZ01qdj9K+TwIlQMyWebotE8=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "3028f844c5898dcf115f6bc67a5ce793989b04a1",
"type": "github"
},
"original": {
"owner": "rust-lang",
"ref": "nightly",
"repo": "rust-analyzer",
"type": "github"
}
},
"rust-overlay": {
"inputs": {
"nixpkgs": [
"aa-alias-manager",
"nixpkgs"
]
},
"locked": {
"lastModified": 1736572187,
"narHash": "sha256-it8mU8UkbaeVup7GpCI6n2cWPJ/O4U980CxKAMKUGF0=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "06871d5c5f78b0ae846c5758702531b4cabfab9b",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_2": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1725675754,
"narHash": "sha256-hXW3csqePOcF2e/PYnpXj72KEYyNj2HzTrVNmS/F7Ug=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "8cc45e678e914a16c8e224c3237fb07cf21e5e54",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

174
flake.nix
View file

@ -1,174 +0,0 @@
{
description = "grimmauld-nixos";
inputs = {
nixpkgs = {
url = "github:NixOS/nixpkgs/nixos-unstable";
# url = "git+file:///home/grimmauld/coding/nixpkgs";
};
chaotic = {
url = "github:chaotic-cx/nyx/nyxpkgs-unstable";
inputs.nixpkgs.follows = "nixpkgs";
};
agenix = {
url = "github:yaxitech/ragenix";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-mailserver = {
url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-matrix-modules = {
url = "github:dali99/nixos-matrix-modules";
inputs.nixpkgs.follows = "nixpkgs";
};
# ranger_udisk_menu.url = "git+https://git.grimmauld.de/Grimmauld/ranger_udisk_menu";
# glibc-eac.url = "github:Frogging-Family/glibc-eac";
aagl-gtk-on-nix = {
url = "github:ezKEa/aagl-gtk-on-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
aa-alias-manager = {
url = "github:LordGrimmauld/aa-alias-manager";
inputs.nixpkgs.follows = "nixpkgs";
};
# nixpkgs-update = {
# url = "github:nix-community/nixpkgs-update";
# # inputs.nixpkgs.follows = "nixpkgs";
# };
apparmor-dev = {
url = "github:LordGrimmauld/apparmor-dev";
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager = {
# https://github.com/nix-community/home-manager/issues/3415
# https://github.com/nix-community/home-manager/pull/2548
# url = "github:nix-community/home-manager";
# url = "git+file:///home/grimmauld/coding/home-manager";
url = "git+https://git.grimmauld.de/Grimmauld/home-manager";
# url = "github:pasqui23/home-manager/nixos-late-start";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs =
inputs@{
self,
agenix,
nixpkgs,
chaotic,
aagl-gtk-on-nix,
nixos-mailserver,
nixos-matrix-modules,
aa-alias-manager,
# nixpkgs-update,
apparmor-dev,
home-manager,
...
}:
let
patches = [
{
url = "https://github.com/NixOS/nixpkgs/pull/377927.patch?full_index=1";
hash = "sha256-5nFQs0fcU50I6gdmDzCggH2wzaJgM1kwurkS1HHuxnE=";
}
];
customNixosSystem =
system: definitions:
let
unpatched = nixpkgs.legacyPackages.${system};
patched = unpatched.applyPatches {
name = "nixpkgs-patched";
src = inputs.nixpkgs;
patches = map (p: if (builtins.isPath p) then p else (unpatched.fetchpatch p)) patches;
};
nixosSystem =
if patches == [ ] then nixpkgs.lib.nixosSystem else import (patched + "/nixos/lib/eval-config.nix");
in
nixosSystem (
{
inherit system;
specialArgs = {
inherit inputs system;
};
}
// definitions
);
systems = [
"x86_64-linux"
"aarch64-linux"
];
forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system);
in
{
formatter = forAllSystems (system: nixpkgs.legacyPackages.${system}.nixfmt-rfc-style);
nixosConfigurations = {
grimmauld-nixos = customNixosSystem "x86_64-linux" {
modules = [
agenix.nixosModules.default
chaotic.nixosModules.default
aagl-gtk-on-nix.nixosModules.default
./configuration.nix
./specific/grimm-nixos-laptop/configuration.nix
];
};
grimm-nixos-ssd = customNixosSystem "x86_64-linux" {
modules = [
agenix.nixosModules.default
# chaotic.nixosModules.default
aagl-gtk-on-nix.nixosModules.default
./configuration.nix
aa-alias-manager.nixosModules.default
# apparmor-dev.nixosModules.default
./perlless.nix
./specific/grimm-nixos-ssd/configuration.nix
(
{ modulesPath, ... }:
{
imports = [
"${modulesPath}/profiles/hardened.nix"
# "${modulesPath}/profiles/perlless.nix"
];
}
)
home-manager.nixosModules.home-manager
./hm
./hardening
];
};
grimmauld-nixos-server = customNixosSystem "x86_64-linux" {
modules = [
agenix.nixosModules.default
nixos-matrix-modules.nixosModules.default
nixos-mailserver.nixosModules.default
./configuration.nix
./specific/grimmauld-nixos-server/configuration.nix
./modules
];
};
grimm-nixos-server-2 = customNixosSystem "x86_64-linux" {
modules = [
agenix.nixosModules.default
# nixos-matrix-modules.nixosModules.default
nixos-mailserver.nixosModules.default
./configuration.nix
./specific/grimm-nixos-server-2/configuration.nix
./modules2
home-manager.nixosModules.home-manager
./hm
];
};
};
};
}

67
hardening/apparmor/apparmor-d-module.nix
View file

@ -1,67 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (lib)
mkIf
mapAttrs
assertMsg
pathIsRegularFile
mkForce
;
cfg = config.security.apparmor_d;
apparmor-d = pkgs.callPackage ./apparmor-d-package.nix { };
in
{
options.security.apparmor_d = with lib; {
enable = mkEnableOption "enable apparmor.d support";
profiles = mkOption {
type = types.attrsOf (
types.enum [
"disable"
"complain"
"enforce"
]
);
default = { };
description = "set of apparmor profiles to include from apparmor.d";
};
};
config = mkIf (cfg.enable) {
security.apparmor.packages = [ apparmor-d ];
security.apparmor.policies = mapAttrs (name: state: {
inherit state;
path =
let
file = "${apparmor-d}/etc/apparmor.d/${name}";
in
assert assertMsg (pathIsRegularFile file) "profile ${name} not found in apparmor.d path (${file})";
file;
}) cfg.profiles;
security.apparmor.includes."tunables/global.d/store" = ''
@{package1}={@{w},.,-}
@{package2}=@{package1}@{package1}
@{package4}=@{package2}@{package2}
@{package8}=@{package4}@{package4}
@{package16}=@{package8}@{package8}
@{package32}=@{package16}@{package16}
@{package64}=@{package32}@{package32}
@{nix_package_name}={@{package32},}{@{package16},}{@{package8},}{@{package4},}{@{package2},}{@{package1},}
@{nix_store}=/nix/store/@{rand32}-@{nix_package_name}
'';
specialisation.no-apparmor.configuration = {
security.apparmor.enable = mkForce false;
};
environment.systemPackages = [ apparmor-d ];
};
}

51
hardening/apparmor/apparmor-d-package.nix
View file

@ -1,51 +0,0 @@
{
buildGoModule,
fetchFromGitHub,
lib,
unstableGitUpdater,
}:
buildGoModule {
pname = "apparmor-d";
version = "unstable-2025-02-18";
src = fetchFromGitHub {
rev = "af85db9148b17bb37b4d73454e78d4efec4c2db9";
owner = "roddhjav";
repo = "apparmor.d";
hash = "sha256-mCc1DQXQvzeeA+sq67zK5o18tKByaB5dITmC77j9uEM=";
};
vendorHash = null;
doCheck = false;
dontCheckForBrokenSymlinks = true;
patches = [
./apparmor-d-prebuild.patch
];
subPackages = [
"cmd/prebuild"
"cmd/aa-log"
];
passthru.updateScript = unstableGitUpdater { };
postInstall = ''
mkdir -p $out/etc
DISTRIBUTION=nixos $out/bin/prebuild --abi 4 # fixme: replace with nixos support once available
mv .build/apparmor.d $out/etc
rm $out/bin/prebuild
'';
meta = {
description = "Full set of AppArmor profiles (~ 1500 profiles) ";
homepage = "https://github.com/roddhjav/apparmor.d";
license = lib.licenses.gpl2Only;
mainProgram = "aa-log";
maintainers = with lib.maintainers; [ grimmauld ];
platforms = lib.platforms.linux;
};
}

61
hardening/apparmor/apparmor-d-prebuild.patch
View file

@ -1,61 +0,0 @@
diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
index 0a95d183..4e15d5e3 100644
--- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system
@@ -106,8 +106,8 @@
@{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/
# Common places for binaries and libraries across distributions
-@{bin}=/{,usr/}{,s}bin
-@{lib}=/{,usr/}lib{,exec,32,64}
+@{bin}=/{nix/store/*/,}{,usr/}bin
+@{lib}=/{nix/store/*/,/run/wrappers,}{,usr/}lib{,exec,32,64}
# Common places for temporary files
@{tmp}=/tmp/ /tmp/user/@{uid}/
diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go
index 3f2dd9f4..39a8b64a 100644
--- a/cmd/prebuild/main.go
+++ b/cmd/prebuild/main.go
@@ -37,7 +37,7 @@ func init() {
// Compatibility with AppArmor 3
switch prebuild.Distribution {
- case "arch":
+ case "arch", "nixos":
case "ubuntu":
if !slices.Contains([]string{"noble"}, prebuild.Release["VERSION_CODENAME"]) {
diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go
index a887d4b9..eb0cc2ef 100644
--- a/pkg/aa/apparmor.go
+++ b/pkg/aa/apparmor.go
@@ -33,13 +33,13 @@ func DefaultTunables() *AppArmorProfileFile {
return &AppArmorProfileFile{
Preamble: Rules{
&Variable{Name: "arch", Values: []string{"x86_64", "amd64", "i386"}, Define: true},
- &Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true},
+ &Variable{Name: "bin", Values: []string{"/{nix/store/*/,/run/wrappers,}{,usr/}{,s}bin"}, Define: true},
&Variable{Name: "c", Values: []string{"[0-9a-zA-Z]"}, Define: true},
&Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true},
&Variable{Name: "HOME", Values: []string{"/home/*"}, Define: true},
&Variable{Name: "int", Values: []string{"[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}"}, Define: true},
&Variable{Name: "int2", Values: []string{"[0-9][0-9]"}, Define: true},
- &Variable{Name: "lib", Values: []string{"/{,usr/}lib{,exec,32,64}"}, Define: true},
+ &Variable{Name: "lib", Values: []string{"/{nix/store/*/,}{,usr/}lib{,exec,32,64}"}, Define: true},
&Variable{Name: "MOUNTS", Values: []string{"/media/*/", "/run/media/*/*/", "/mnt/*/"}, Define: true},
&Variable{Name: "multiarch", Values: []string{"*-linux-gnu*"}, Define: true},
&Variable{Name: "rand", Values: []string{"@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}"}, Define: true}, // Up to 10 characters
diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go
index 4b8e11ec..11eab5f7 100644
--- a/pkg/prebuild/prepare/configure.go
+++ b/pkg/prebuild/prepare/configure.go
@@ -28,7 +28,7 @@ func (p Configure) Apply() ([]string, error) {
res := []string{}
switch prebuild.Distribution {
- case "arch", "opensuse":
+ case "arch", "opensuse", "nixos":
case "ubuntu":
if err := prebuild.DebianHide.Init(); err != nil {

25
hardening/apparmor/bare.nix
View file

@ -1,25 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared) enable tooling;
inherit (lib) mkIf;
in
{
config = mkIf (enable && tooling.enable && config.security.apparmor.enable) {
services.dbus.apparmor = "enabled";
security.auditd.enable = true;
security.apparmor.enableCache = true;
environment.systemPackages = with pkgs; [ apparmor-parser ];
# security.apparmor.aa-alias-manager.enable = false;
security.audit.backlogLimit = 512;
};
}

299
hardening/apparmor/default.nix
View file

@ -1,299 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared) enable tooling;
inherit (lib) mkIf getExe' getExe;
in
{
imports = [ ./apparmor-d-module.nix ]; # ./aa-alias-module.nix ];
config = mkIf (enable && tooling.enable && config.security.apparmor.enable) {
services.dbus.apparmor = "enabled";
security.auditd.enable = true;
security.apparmor.enableCache = true;
security.apparmor.killUnconfinedConfinables = false;
security.apparmor.includes."tunables/alias.d/programs" = ''
# alias / -> /nix/store/*/,
alias /bin/spotify -> ${pkgs.spotify}/share/spotify/spotify,
alias /bin/spotify -> ${pkgs.spotify}/share/spotify/.spotify-wrapped,
alias /bin/firefox -> /nix/store/*/bin/.firefox-wrapped,
'';
environment.systemPackages = with pkgs; [ apparmor-parser ];
# security.apparmor.aa-alias-manager.enable = false;
security.audit.backlogLimit = 8192;
security.apparmor_d = {
enable = true;
profiles = {
vesktop = "enforce";
speech-dispatcher = "enforce";
thunderbird-glxtest = "enforce";
"firefox.apparmor.d" = "enforce";
pass = "enforce";
spotify = "enforce";
"thunderbird.apparmor.d" = "enforce";
xdg-open = "enforce";
# child-open-any = "enforce";
child-open = "enforce";
firefox-glxtest = "enforce";
firefox-vaapitest = "enforce";
gamemoded = "disable";
# pkexec = "complain";
xdg-mime = "complain";
mimetype = "complain";
# sudo = "complain";
"unix-chkpwd.apparmor.d" = "complain";
};
};
security.apparmor.includes = {
"abstractions/base" = ''
/nix/store/*/bin/** mr,
/nix/store/*/lib/** mr,
/nix/store/** r,
${getExe' pkgs.coreutils "coreutils"} rix,
${getExe' pkgs.coreutils-full "coreutils"} rix,
'';
# "tunables/alias.d/store" = ''
# include <tunables/global>
# alias /bin -> @{bin},
# alias /bin/ -> /nix/store/*/bin/,
# '';
"local/speech-dispatcher" = ''
@{nix_store}/libexec/speech-dispatcher-modules/* ix,
@{PROC}/@{pid}/stat r,
@{bin}/mbrola rix,
'';
"local/pass" = ''
${getExe' pkgs.pass ".pass-wrapped"} rix,
@{nix_store}/wl-copy rUx,
@{nix_store}/wl-paste rUx,
'';
"local/pass_gpg" = ''
@{PROC}/@{pid}/fd/ r,
/nix/store/*/libexec/keyboxd ix,
owner /run/user/*/gnupg/S.keyboxd wr,
'';
"local/xdg-mime" = ''
# include <abstractions/app/bus>
/bin/grep rix,
/bin/gawk rix,
# /bin/dbus-send Cx -> bus,
/dev/tty* rw,
'';
"abstractions/app/udevadm.d/udevadm_is_exec" = ''
@{bin}/udevadm mrix,
'';
"local/firefox" = ''
${pkgs.passff-host}/share/passff-host/passff.py rPx -> passff,
@{HOME}/.mozilla/firefox/** mr,
'';
"local/thunderbird" = ''
${getExe' pkgs.thunderbird ".thunderbird-wrapped_"} rix,
/dev/urandom w,
'';
"abstractions/common/electron.d/libexec" = ''
/nix/store/*/libexec/electron/** rix,
'';
"local/pkexec" = ''
capability sys_ptrace,
'';
"local/xdg-open" = ''
/** r,
'';
"local/child-open" = ''
# include <abstractions/app/bus>
@{bin}/grep ix,
/@{PROC}/version r,
# @{bin}/gdbus Cx -> bus,
@{bin}/gdbus Ux,
'';
"local/vesktop" = ''
/etc/machine-id r,
/dev/udmabuf rw,
/sys/devices/@{pci}/boot_vga r,
/sys/devices/@{pci}/**/id{Vendor,Product} r,
/dev/ r,
# @{bin}/xdg-open rPx,
/bin/electron rix,
'';
"local/sudo" = ''
/run/wrappers/wrappers.*/unix_chkpwd rPx -> unix-chkpwd,
'';
"local/unix-chkpwd" = ''
capability dac_read_search,
'';
# "local/spotify" = ''
# @{bin}/
# '';
};
security.apparmor.policies = {
passff = {
state = "enforce";
profile = ''
abi <abi/4.0>,
include <tunables/global>
profile passff ${pkgs.passff-host}/share/passff-host/passff.py {
include <abstractions/base> # read access to /nix/store, basic presets for most apps
include <abstractions/python>
@{bin}/pass Px -> pass,
}
'';
};
swaymux = {
state = "enforce";
profile = ''
abi <abi/4.0>,
include <tunables/global>
profile swaymux ${getExe pkgs.swaymux} {
include <abstractions/base> # read access to /nix/store, basic presets for most apps
${pkgs.swaymux}/bin/* rix, # wrapping
/dev/tty r,
owner @{user_config_dirs}/** r,
}
'';
};
# speech-dispatcher-test = {
# profile = ''#
#
#abi <abi/4.0>,
#
#include <tunables/global>
#
#@{exec_path} = @{bin}/speech-dispatcher
#profile speech-dispatcher ${getExe' pkgs.speechd "speech-dispatcher"} flags=(complain) {
# include <abstractions/base>
# include <abstractions/audio-client>
# include <abstractions/bus-session>
# include <abstractions/consoles>
# include <abstractions/nameservice-strict>
# network inet stream,
# network inet6 stream,
# @{exec_path} mr,
# @{sh_path} ix,
# @{lib}/speech-dispatcher/** r,
# @{lib}/speech-dispatcher/speech-dispatcher-modules/* ix,
# /etc/machine-id r,
# /etc/speech-dispatcher/{,**} r,
# owner @{run}/user/@{uid}/speech-dispatcher/ rw,
# owner @{run}/user/@{uid}/speech-dispatcher/** rwk,
# include if exists <local/speech-dispatcher>
#} '';
# };
osu-lazer = {
state = "disable";
profile = ''
abi <abi/4.0>,
include <tunables/global>
profile osu-lazer @{bin}/osu\! flags=(attach_disconnected) {
include <abstractions/base> # read access to /nix/store, basic presets for most apps
include <abstractions/common/bwrap>
include <abstractions/devices-usb>
include <abstractions/nameservice-strict>
include <abstractions/app/udevadm>
include <abstractions/app/bus>
include <abstractions/common/game>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
owner @{PROC}/@{pid}/net/dev r,
owner @{PROC}/@{pid}/net/if_inet6 r,
owner @{PROC}/@{pid}/net/ipv6_route r,
owner @{PROC}/@{pid}/net/route r,
capability mknod,
/dev/tty{@{d},} rw,
${pkgs.osu-lazer-bin}/bin/osu? ix,
${getExe pkgs.bubblewrap} rix,
/nix/store/*-osu-lazer-bin-*-bwrap ix,
/nix/store/*-osu-lazer-bin-*-init ix,
/nix/store/*-container-init ix,
/nix/store/*-osu-lazer-bin-*-extracted/** rk,
/nix/store/*-osu-lazer-bin-*-extracted/AppRun ix,
/nix/store/*-osu-lazer-bin-*-extracted/usr/bin/** ix,
@{bin}/ldconfig ix,
@{bin}/appimage-exec.sh ix,
@{bin}/rev ix,
@{bin}/bash ix,
@{bin}/grep ix,
@{bin}/lsblk ix,
@{bin}/awk ix,
@{bin}/gawk ix,
@{bin}/xdg-mime Px,
/usr/bin/xdg-mime Px,
${getExe' pkgs.gamemode "gamemoderun"} ix,
owner @{HOME}/@{XDG_DATA_DIR}/osu/** rwkm,
owner @{HOME}/.dotnet/** rwkm,
owner @{HOME}/@{XDG_DATA_DIR}/Sentry/** rwk,
owner @{HOME}/@{XDG_CONFIG_DIR}/mimeapps* rwk,
owner @{HOME}/@{XDG_DATA_DIR}/applications/discord-*.desktop rwk,
/nix/store/*-etc-os-release rk,
/nix/store/*/share/zoneinfo/** rk,
owner /tmp/** rwk,
/usr/lib/ r,
owner /var/cache/ldconfig/ rw,
owner /etc/ld.so* rw,
owner @{PROC}/@{pid}/{maps,stat} rk,
@{PROC}/sys/kernel/os{type,release} rk,
/dev/snd/** rw,
/dev/udmabuf wr,
/.host-etc/alsa/conf.d/{,**} r,
/.host-etc/ssl/certs/{,**} r,
/.host-etc/resolv.conf rk,
}
'';
};
};
};
}

77
hardening/default.nix
View file

@ -1,77 +0,0 @@
{
lib,
pkgs,
config,
...
}:
{
imports = [
./systemd
./ssh-as-sudo.nix
./apparmor
./opensnitch
./security.nix
./encrypt-dns.nix
./filesystem-deny-mount.nix
];
specialisation.unhardened.configuration = {
services.opensnitch.enable = lib.mkForce false;
security.apparmor.enable = lib.mkForce false;
};
systemd.oomd.enable = false;
boot.kernel.sysctl = {
"net.ipv6.conf.all.accept_ra" = 0;
"net.ipv6.conf.default.accept_ra" = 0;
"net.ipv4.conf.all.send_redirects"=0;
"net.ipv4.conf.default.accept_source_route"=0;
"net.ipv4.conf.all.accept_redirects"=0;
"net.ipv4.conf.default.accept_redirects"=0;
"net.ipv6.conf.all.accept_redirects"=0;
"net.ipv6.conf.default.accept_redirects"=0;
"net.ipv4.conf.all.secure_redirects"=0;
"net.ipv4.conf.default.secure_redirects"=0;
"net.ipv4.conf.all.log_martians"=1;
"net.ipv4.conf.default.log_martians"=1;
"net.ipv4.icmp_echo_ignore_broadcasts"=1;
"net.ipv4.conf.all.rp_filter"=1;
"net.ipv4.conf.default.rp_filter"=1;
"fs.suid_dumpable" = 0;
};
environment.etc."motd" = { text = config.users.motd; mode = "644"; };
environment.etc."limits.conf".text = "* hard core 0";
environment.etc."hosts.allow" = { text = "ALL: LOCAL"; mode = "644"; };
environment.etc."hosts.deny" = { text = ""; mode = "644"; };
environment.etc."issue" = { text = "Authorized uses only. All activity may be monitored and reported."; mode = "644"; };
environment.etc."issue.net" = { text = "Authorized uses only. All activity may be monitored and reported."; mode = "644"; };
# systemd.tmpfiles.rules = [
# "L+ /etc/passwd- 0644 root root - /etc/passwd"
# "L+ /etc/shadow- 0644 root root - /etc/shadow"
# "L+ /etc/group- 0644 root root - /etc/group"
# "L+ /etc/gshadow- 0644 root root - /etc/gshadow"
# ];
users.motd = "welcome to grimms paranoid box";
security.loginDefs.settings = {
# PASS_MAX_DAYS = 365;
PASS_MIN_DAYS = 7;
PASS_WARN_AGE = 14;
ENCRYPT_METHOD = "SHA512";
};
systemd.tpm2.enable = false;
systemd.enableEmergencyMode = false;
virtualisation.vswitch.enable = false;
security.unprivilegedUsernsClone = true;
security.apparmor.enable = true;
security.allowSimultaneousMultithreading = true;
security.pam.services.systemd-run0 = {};
environment.defaultPackages = lib.mkForce [ ];
environment.systemPackages = with pkgs; [ nano clamav linux-bench ];
}

60
hardening/encrypt-dns.nix
View file

@ -1,60 +0,0 @@
{ pkgs, config, lib, ... }:
{
networking = {
nameservers = lib.mkForce [ "127.0.0.1" "::1" ];
# nameservers = lib.mkForce [ "127.0.0.1:8053" "[::1]:8053" ];
dhcpcd.extraConfig = "nohook resolv.conf"; # dhcp
networkmanager.dns = "none"; # nm
resolvconf.useLocalResolver = true; # resoved
};
services.tor = {
enable = true;
client.enable = true;
torsocks = {
enable = true;
allowInbound = false;
};
settings.SafeSocks = true;
settings.TestSocks = true;
};
services.dnscrypt-proxy2 = {
enable = true;
settings = {
ipv6_servers = config.networking.enableIPv6;
ipv4_servers = true;
require_dnssec = true;
dnscrypt_servers = true;
doh_servers = true;
odoh_servers = false;
require_nolog = true;
require_nofilter = true;
listen_addresses = [ "127.0.0.1:53" ];
proxy = "socks5://${config.services.tor.torsocks.server}";
force_tcp = true;
sources.public-resolvers = let
serverList = pkgs.fetchurl {
# fetching during build prevents issues e.g. when the certificate can't be validated if the clock is wrong
url = "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md";
hash = "sha256-2Pjs37mMolfWaaTf2c+tTbc1mzjCncK9qLyyZJn0LgA=";
};
in {
urls = [
"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
"https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
];
cache_file = serverList;
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
};
# You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
# server_names = [ ... ];
};
};
systemd.services.dnscrypt-proxy2.serviceConfig = {
StateDirectory = "dnscrypt-proxy";
};
}

46
hardening/filesystem-deny-mount.nix
View file

@ -1,46 +0,0 @@
{ pkgs,... }:
{
# copied from https://github.com/NixOS/nixpkgs/issues/11790#issuecomment-2409053332
# Create a symlink from /bin/true to the Nix-managed true binary.
environment.etc."bin/true".source = "${pkgs.coreutils}/bin/true";
# CIS 1.1.1.1.a Ensure mounting of cramfs filesystems is disabled
environment.etc."modprobe.d/cramfs.conf".text = ''
install cramfs /bin/true
'';
# CIS 1.1.1.2.a Ensure mounting of freevxfs filesystems is disabled
environment.etc."modprobe.d/freevxfs.conf".text = ''
install freevxfs /bin/true
'';
# CIS 1.1.1.3.a Ensure mounting of jffs2 filesystems is disabled
environment.etc."modprobe.d/jffs2.conf".text = ''
install jffs2 /bin/true
'';
# CIS 1.1.1.4.a Ensure mounting of hfs filesystems is disabled
environment.etc."modprobe.d/hfs.conf".text = ''
install hfs /bin/true
'';
# CIS 1.1.1.5.a Ensure mounting of hfsplus filesystems is disabled
environment.etc."modprobe.d/hfsplus.conf".text = ''
install hfsplus /bin/true
'';
# CIS 1.1.1.6.a Ensure mounting of squashfs filesystems is disabled
environment.etc."modprobe.d/squashfs.conf".text = ''
install squashfs /bin/true
'';
# CIS 1.1.1.7.a Ensure mounting of udf filesystems is disabled
environment.etc."modprobe.d/udf.conf".text = ''
install udf /bin/true
'';
# CIS 1.1.1.8.a Ensure mounting of FAT filesystems is disabled
# environment.etc."modprobe.d/fat.conf".text = ''
# install fat /bin/true
# '';
environment.etc."modprobe.d/CIS.conf".text = ''
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
'';
}

30
hardening/opensnitch/block_lists.nix
View file

@ -1,30 +0,0 @@
{
stdenv,
fetchFromGitHub,
lib,
}:
stdenv.mkDerivation rec {
pname = "stevenblack_block";
version = "3.14.116";
src = fetchFromGitHub {
owner = "StevenBlack";
repo = "hosts";
rev = version;
hash = "sha256-MATJK6QO//6z5CXS3zVo/s/Bz6c2z0g8C+InM5iiv2o=";
};
installPhase = ''
mkdir $out
# cp $src/hosts $out/hosts.list
grep 0\.0\.0\.0 $src/hosts > $out/hosts.list
'';
meta = {
description = "Consolidating and extending hosts files from several well-curated sources. Optionally pick extensions for porn, social media, and other categories.";
homepage = "https://github.com/StevenBlack/hosts";
license = lib.licenses.mit;
maintainers = with lib.maintainers; [ grimmauld ];
platforms = lib.platforms.all;
};
}

92
hardening/opensnitch/cups.nix
View file

@ -1,92 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
network
;
inherit (lib)
concatLines
getExe'
mkIf
;
local_network = [
"192.168.0.0/16"
"10.0.0.0/8"
"172.16.0.0/12"
"fc00::/7"
];
local_ips = pkgs.writeTextDir "local_ips.list" (concatLines local_network);
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
avahi = mkIf (config.services.avahi.enable) {
name = "avahi";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' config.services.avahi.package "avahi-daemon";
}
{
type = "regexp";
operand = "dest.port";
data = "5353";
}
{
type = "simple";
operand = "user.id";
data = "996";
}
];
};
};
cups-filters = mkIf (config.services.printing.enable) {
name = "cups-filters";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.cups-filters "cups-browsed";
}
{
type = "regexp";
operand = "dest.port";
data = "631|80";
}
{
type = "lists";
operand = "lists.nets";
data = local_ips;
}
];
};
};
};
};
}

56
hardening/opensnitch/default.nix
View file

@ -1,56 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
graphical
network
;
inherit (lib)
optional
mkIf
;
in
{
imports = [
./vesktop.nix
./nix.nix
./spotify.nix
./global.nix
./time.nix
./osu.nix
./cups.nix
./network_support.nix
./firefox.nix
./tooling.nix
./dns.nix
./tor.nix
];
config = mkIf (enable && tooling.enable && network) {
environment.systemPackages = optional graphical pkgs.opensnitch-ui;
grimmShared.sway.config.autolaunch = optional graphical pkgs.opensnitch-ui;
networking.nftables.enable = true;
# security.audit.enable = true;
systemd.services.opensnitchd.path = lib.optional (
config.services.opensnitch.settings.ProcMonitorMethod == "audit"
) pkgs.audit.bin;
services.opensnitch = {
enable = true;
settings = {
DefaultAction = "deny";
Firewall = if config.networking.nftables.enable then "nftables" else "iptables";
ProcMonitorMethod = "ftrace";
# ProcMonitorMethod = "audit";
};
};
};
}

15
hardening/opensnitch/discord_hosts/hosts.list
View file

@ -1,15 +0,0 @@
cloudflare.com
discordapp.com
discordapp.net
discord.gg
discord.com
vencord.dev
discord-attachments-uploads-prd.storage.googleapis.com
github.com
githubusercontent.com
scdn.co
spotify.com
discord.media
media.tenor.co
media.tenor.com

76
hardening/opensnitch/dns.nix
View file

@ -1,76 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
network
;
inherit (lib)
getExe
mkIf
;
created = "1970-01-01T00:00:00.0+00:00";
dnscrypt_proxy_user = "dnscrypt-proxy2";
in
{
config = mkIf (enable && tooling.enable && network) {
users.users."${dnscrypt_proxy_user}" = {
isSystemUser = true;
group = dnscrypt_proxy_user;
uid = 991;
};
users.groups."${dnscrypt_proxy_user}" = { };
systemd.services.dnscrypt-proxy2.serviceConfig = {
User = dnscrypt_proxy_user;
Group = dnscrypt_proxy_user;
};
services.opensnitch.rules = {
dnscrypt-proxy = mkIf (config.services.dnscrypt-proxy2.enable) {
name = "dnscrypt-proxy";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe pkgs.dnscrypt-proxy;
}
{
type = "regexp";
operand = "dest.port";
data = "53|443|4434|5443|4343";
}
# {
# type = "lists";
# operand = "lists.nets";
# data = pkgs.writeTextDir "cidr_dns.list" (
# concatLines ((map (ip: "${ip}/32") config.networking.nameservers) ++ local_network)
# );
# }
{
type = "simple";
operand = "user.id";
data = builtins.toString (config.users.users."${dnscrypt_proxy_user}".uid);
}
];
};
};
};
};
}

54
hardening/opensnitch/firefox.nix
View file

@ -1,54 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
network
;
inherit (lib)
getBin
mkIf
;
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
firefox =
let
cfg = config.programs.firefox;
pkg = (
cfg.package.override (old: {
extraPrefsFiles =
old.extraPrefsFiles or [ ]
++ cfg.autoConfigFiles
++ [ (pkgs.writeText "firefox-autoconfig.js" cfg.autoConfig) ];
nativeMessagingHosts = old.nativeMessagingHosts or [ ] ++ cfg.nativeMessagingHosts.packages;
cfg = (old.cfg or { }) // cfg.wrapperConfig;
})
);
in
# pkg = pkgs.firefox-unwrapped;
mkIf (config.programs.firefox.enable) {
name = "firefox";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "simple";
sensitive = false;
operand = "process.path";
data = "${getBin pkg}/lib/firefox/firefox";
};
};
};
};
}

62
hardening/opensnitch/global.nix
View file

@ -1,62 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
network
;
inherit (lib) mkIf;
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
block-list = {
name = "block-list";
action = "deny";
enabled = true;
duration = "always";
inherit created;
operator = {
type = "lists";
operand = "lists.domains";
data = pkgs.callPackage ./block_lists.nix { };
};
};
localhost = {
name = "localhost";
enabled = true;
action = "allow";
duration = "always";
precedence = true;
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "dest.ip";
data = "^(127\\.0\\.0\\.1|::1)$";
};
};
icmp = {
name = "icmp";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "regexp";
operand = "protocol";
sensitive = false;
data = "icmp(4|6)?";
};
};
};
};
}

55
hardening/opensnitch/network_support.nix
View file

@ -1,55 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
network
;
inherit (lib)
getExe'
mkIf
;
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
network-manager = mkIf (config.networking.networkmanager.enable) {
name = "network-manager";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.networkmanager "networkmanager";
}
{
type = "regexp";
operand = "dest.port";
data = "547|67";
}
# {
# type ="simple";
# operand = "dest.network";
# data = "ff02::1:2";
# }
];
};
};
};
};
}

80
hardening/opensnitch/nix.nix
View file

@ -1,80 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
network
;
inherit (lib)
getExe
getExe'
mkIf
;
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
nix-index = {
name = "nix-index";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.nix-index-unwrapped "nix-index";
}
{
type = "regexp";
operand = "dest.port";
data = "443";
}
{
type = "simple";
sensitive = false;
operand = "dest.host";
data = "cache.nixos.org";
}
];
};
};
nix = {
name = "nix";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe config.nix.package;
}
{
type = "regexp";
operand = "dest.port";
data = "443";
}
];
};
};
};
};
}

73
hardening/opensnitch/osu.nix
View file

@ -1,73 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
graphical
network
;
inherit (lib)
escapeRegex
getVersion
mkIf
;
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
osu_deny = mkIf (config.grimmShared.gaming && graphical) {
name = "osu-deny";
enabled = true;
action = "deny";
precedence = false;
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.path";
data = "/nix/store/[a-z0-9]{32}-osu-lazer-bin-${escapeRegex (getVersion pkgs.osu-lazer-bin)}-extracted/usr/bin/osu!";
};
};
osu_allow = mkIf (config.grimmShared.gaming && graphical) {
name = "osu-allow";
enabled = true;
action = "allow";
precedence = true;
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
operand = "dest.port";
data = "443";
}
{
type = "regexp";
sensitive = false;
operand = "process.path";
data = "/nix/store/[a-z0-9]{32}-osu-lazer-bin-${escapeRegex (getVersion pkgs.osu-lazer-bin)}-extracted/usr/bin/osu!";
}
{
type = "regexp";
sensitive = false;
operand = "dest.host";
data = "(api\.github\.com)|((.+\.)?ppy\.sh)";
}
];
};
};
};
};
}

135
hardening/opensnitch/spotify.nix
View file

@ -1,135 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
graphical
network
;
inherit (lib)
concatLines
mkIf
;
local_network = [
"192.168.0.0/16"
"10.0.0.0/8"
"172.16.0.0/12"
"fc00::/7"
];
local_ips = pkgs.writeTextDir "local_ips.list" (concatLines local_network);
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
spotify_deny = mkIf (config.grimmShared.spotify.enable && graphical) {
name = "spotify-deny";
enabled = true;
action = "deny";
precedence = false;
duration = "always";
inherit created;
operator = {
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped";
};
};
ncspot = mkIf (config.grimmShared.spotify.enable) {
name = "ncspot";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
operand = "dest.port";
data = "443|4070";
}
{
type = "simple";
sensitive = false;
operand = "process.path";
data = lib.getExe pkgs.ncspot;
}
{
type = "lists";
operand = "lists.domains_regexp";
data = ./spotify_hosts;
}
];
};
};
spotify_allow = mkIf (config.grimmShared.spotify.enable && graphical) {
name = "spotify-allow";
enabled = true;
action = "allow";
duration = "always";
precedence = true;
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
operand = "dest.port";
data = "443|4070";
}
{
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped";
}
{
type = "lists";
operand = "lists.domains_regexp";
data = ./spotify_hosts;
}
];
};
};
spotify_allow_local = mkIf (config.grimmShared.spotify.enable && graphical) {
name = "spotify-allow-local";
enabled = true;
action = "allow";
duration = "always";
precedence = true;
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped";
}
{
type = "lists";
operand = "lists.nets";
data = local_ips;
}
];
};
};
};
};
}

3
hardening/opensnitch/spotify_hosts/hosts.list
View file

@ -1,3 +0,0 @@
scdn.co
spotifycdn.com
spotify.com

60
hardening/opensnitch/time.nix
View file

@ -1,60 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
network
;
inherit (lib)
mkIf
;
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
systemd-timesyncd = mkIf (config.services.timesyncd.enable) {
name = "systemd-timesyncd";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd";
}
{
type = "regexp";
operand = "dest.port";
data = "123|37";
}
# {
# type = "regexp";
# sensitive = false;
# operand = "dest.host";
# data = ".*\.nixos\.pool\.ntp\.org";
# }
{
type = "simple";
operand = "user.id";
data = "154";
}
];
};
};
};
};
}

52
hardening/opensnitch/tooling.nix
View file

@ -1,52 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
network
;
inherit (lib)
mkIf
;
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
git = {
name = "git-allow-all";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.path";
data = "${lib.escapeRegex pkgs.git.outPath}/.*";
};
};
ssh = {
name = "ssh-allow-all";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.path";
data = "${lib.escapeRegex pkgs.openssh.outPath}/.*";
};
};
};
};
}

37
hardening/opensnitch/tor.nix
View file

@ -1,37 +0,0 @@
{
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
network
;
inherit (lib)
mkIf
;
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
tor = mkIf (config.services.tor.enable) {
name = "tor";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "simple";
sensitive = false;
operand = "process.path";
data = lib.getExe' config.services.tor.package "tor";
};
};
};
};
}

140
hardening/opensnitch/vesktop.nix
View file

@ -1,140 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
graphical
network
;
inherit (lib)
escapeRegex
getVersion
mkIf
;
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
vesktop_deny = mkIf graphical {
name = "vesktop-deny";
enabled = true;
action = "deny";
precedence = false;
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.command";
data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
};
};
vesktop_allow = mkIf graphical {
name = "vesktop-allow";
enabled = true;
action = "allow";
precedence = true;
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
sensitive = false;
operand = "process.command";
data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
}
{
type = "lists";
operand = "lists.domains_regexp";
data = ./discord_hosts;
}
];
};
};
vesktop_daemon_allow_udp = mkIf graphical {
name = "vesktop-allow-udp";
enabled = true;
action = "allow";
precedence = true;
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
sensitive = false;
operand = "process.command";
data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
}
{
type = "simple";
operand = "protocol";
data = "udp";
}
{
type = "regexp";
operand = "dest.port";
data = "500[0-9]{2}";
}
];
};
};
vesktop_daemon_deny = mkIf graphical {
name = "vesktop-daemon-deny";
enabled = true;
action = "deny";
precedence = false;
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.command";
data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
};
};
vesktop_daemon_allow = mkIf graphical {
name = "vesktop-daemon-allow";
enabled = true;
action = "allow";
precedence = true;
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
sensitive = false;
operand = "process.command";
data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
}
{
type = "lists";
operand = "lists.domains_regexp";
data = ./discord_hosts;
}
];
};
};
};
};
}

97
hardening/security.nix
View file

@ -1,97 +0,0 @@
{
pkgs,
config,
lib,
inputs,
system,
...
}:
let
inherit (lib)
optional
filterAttrs
mkDefault
attrNames
;
age_plugins = with pkgs; [ age-plugin-yubikey ];
in
{
config = {
security.polkit.enable = mkDefault true;
security.rtkit.enable = true;
security.pam.yubico = {
enable = true;
id = [ "26681512" ];
# debug = true;
mode = "challenge-response";
control = lib.mkDefault "sufficient";
};
# security.doas.enable = true;
security.sudo.enable = mkDefault true;
security.sudo.execWheelOnly = true;
security.doas.extraRules = [
{
users = attrNames (filterAttrs (n: v: v.isNormalUser) config.users.users);
keepEnv = true;
persist = true;
}
];
# services.pcscd.enable = true;
age.ageBin =
let
rage_wrapped = pkgs.symlinkJoin {
name = "rage";
paths = [ pkgs.rage ];
buildInputs = [ pkgs.makeWrapper ];
postBuild = ''
wrapProgram $out/bin/rage \
--prefix PATH : ${lib.makeBinPath age_plugins}
'';
};
in
lib.getExe' rage_wrapped "rage";
programs.yubikey-touch-detector.enable = config.programs.sway.enable;
services.yubikey-agent.enable = true;
environment.systemPackages =
(with pkgs; [
mkpasswd
# gnupg
libsecret
vulnix
(inputs.agenix.packages."${system}".default.override { plugins = age_plugins; })
yubikey-manager
yubico-pam
yubikey-personalization
pkgs.pass
])
++ age_plugins
++ (optional config.security.doas.enable pkgs.sudo-doas-shim);
# ++ (optional graphical pkgs.lxqt.lxqt-policykit);
services.passSecretService.enable = true;
services.openssh.settings.LoginGraceTime = 0;
# programs.gnupg.agent = {
# settings = {
# # default-cache-ttl = 6000;
# };
# pinentryPackage = mkForce (if graphical then pkgs.pinentry-qt else pkgs.pinentry-tty);
# enable = true;
# enableSSHSupport = true;
# };
grimmShared.firefox.plugins = {
"passff@invicem.pro" = "passff";
};
programs.firefox.nativeMessagingHosts.packages = [ pkgs.passff-host ];
};
}

49
hardening/ssh-as-sudo.nix
View file

@ -1,49 +0,0 @@
{ pkgs, lib, ... }:
{
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
challengeResponseAuthentication = false;
# PermitRootLogin = "no";
KbdInteractiveAuthentication = false;
};
# settings.UsePAM = false;
openFirewall = lib.mkDefault false;
allowSFTP = lib.mkDefault false;
# startWhenNeeded = true;
extraConfig = ''
allowtcpforwarding no
X11Forwarding no
AllowAgentForwarding no
AllowStreamLocalForwarding no
AuthenticationMethods publickey
Protocol 2
MaxAuthTries 4
PermitEmptyPasswords no
PermitUserEnvironment no
MaxSessions 4
LoginGraceTime 60
ClientAliveCountMax 3
ClientAliveInterval 15
HostbasedAuthentication no
IgnoreRhosts yes
banner /etc/issue.net
maxstartups 10:30:60
'';
};
users.users.root = {
# isSystemUser = true;
# isNormalUser = true;
uid = 0;
openssh.authorizedKeys.keyFiles = [ ../ssh/id_ed25519_sk.pub ];
# home = "/root";
hashedPassword = null;
createHome = lib.mkForce true;
};
programs.ssh.startAgent = true;
# security.sudo.enable = false;
# services.yubikey-agent.enable = true;
}

61
hardening/systemd/NetworkManager.nix
View file

@ -1,61 +0,0 @@
{ lib, config, ... }:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
NetworkManager.serviceConfig = {
CapabilityBoundingSet = [
""
(lib.concatStringsSep " " [
"cap_net_bind_service"
"cap_net_admin"
"cap_net_raw"
])
];
NoNewPrivileges = true;
RestrictNamespaces = "net uts";
ProtectControlGroups = true;
ProtectKernelModules = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
ProtectProc = "invisible";
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
PrivateDevices = true;
LockPersonality = true;
# PrivateUsers = true; # BAD
# ProtectKernelTunables = true; # BAD
ProcSubset = "pid";
ProtectSystem = true;
};
NetworkManager-dispatcher.serviceConfig = {
CapabilityBoundingSet = [
""
(lib.concatStringsSep " " [
"cap_net_bind_service"
"cap_net_admin"
"cap_net_raw"
])
];
UMask = "0700";
NoNewPrivileges = true;
RestrictNamespaces = "net uts";
ProtectControlGroups = true;
ProtectKernelModules = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
ProtectProc = "invisible";
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
PrivateDevices = true;
LockPersonality = true;
# PrivateUsers = true; # BAD
# ProtectKernelTunables = true; # BAD
ProcSubset = "pid";
ProtectSystem = true;
};
};
}

45
hardening/systemd/acpid.nix
View file

@ -1,45 +0,0 @@
{ lib, config, ... }:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
acpid.serviceConfig = {
CapabilityBoundingSet = [
""
];
RestrictNamespaces = [
"~pid"
"~user"
"~net"
"~uts"
"~mnt"
"~cgroup"
"~ipc"
];
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
LockPersonality = true;
ProtectSystem = "strict";
PrivateUsers = true;
RestrictRealtime = true;
PrivateTmp = true;
ProtectHome = true;
ProtectProc = "invisible";
ProtectKernelLogs = true;
IPAddressAllow = [ ];
PrivateDevices = false; # acpi needs device access
PrivateNetwork = false; # required for netlink to work properly
NoNewPrivileges = false; # acpi hooks might want to execute things at higher/different access
ProcSubset = "all"; # requires access to /proc/acpi
RestrictAddressFamilies = [
"AF_NETLINK"
"AF_UNIX"
];
};
};
}

41
hardening/systemd/ask-password.nix
View file

@ -1,41 +0,0 @@
{ lib, config, ... }:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
systemd-ask-password-console.serviceConfig = {
CapabilityBoundingSet = [
""
];
NoNewPrivileges = true;
RestrictNamespaces = "pid";
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
LockPersonality = true;
RestrictRealtime = true;
ProtectProc = "invisible";
PrivateUsers = true;
};
systemd-ask-password-wall.serviceConfig = {
CapabilityBoundingSet = [
""
];
NoNewPrivileges = true;
RestrictNamespaces = "pid";
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
LockPersonality = true;
RestrictRealtime = true;
ProtectProc = "invisible";
PrivateUsers = true;
};
};
}

23
hardening/systemd/auditd.nix
View file

@ -1,23 +0,0 @@
{ lib, config, ... }:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
auditd.serviceConfig = {
# CapabilityBoundingSet = [ "CAP_AUDIT_*" "CAP_SYSLOG" "CAP_SYS_NICE" "CAP_SYS_PACCT" "CAP_SYS_PTRACE" ];
NoNewPrivileges = true;
RestrictNamespaces = "pid";
ProtectControlGroups = true;
ProtectKernelModules = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
LockPersonality = true;
ProtectSystem = true;
# PrivateUsers=true;
# PrivateNetwork=true;
RestrictRealtime = true;
IPAddressAllow = [ ];
RestrictAddressFamilies = "AF_NETLINK";
};
};
}

57
hardening/systemd/bluetooth.nix
View file

@ -1,57 +0,0 @@
{ lib, config, ... }:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
bluetooth.serviceConfig = {
CapabilityBoundingSet = [
"CAP_NET_BIND_SERVICE" # sockets and tethering
];
NoNewPrivileges = true;
RestrictNamespaces = [
"~pid"
"~user"
"~net"
"~uts"
"~mnt"
"~cgroup"
"~ipc"
];
ProtectControlGroups = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
LockPersonality = true;
RestrictRealtime = true;
ProtectProc = "invisible";
PrivateTmp = true;
PrivateUsers = false;
# loading hardware modules
ProtectKernelModules = false;
ProtectKernelTunables = false;
PrivateNetwork = false; # tethering
};
blueman-mechanism.serviceConfig = {
CapabilityBoundingSet = [
""
];
NoNewPrivileges = true;
RestrictNamespaces = "pid";
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
LockPersonality = true;
RestrictRealtime = true;
ProtectProc = "invisible";
PrivateUsers = true;
};
};
}

30
hardening/systemd/cups.nix
View file

@ -1,30 +0,0 @@
{ lib, config, ... }:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
cups.serviceConfig = {
CapabilityBoundingSet = [
"CAP_LEASE CAP_MKNOD CAP_SYS_RAWIO CAP_SYS_RESOURCE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN"
];
NoNewPrivileges = true;
RestrictNamespaces = "pid";
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service @privileged";
LockPersonality = true;
RestrictRealtime = true;
ProtectProc = "invisible";
ReadWritePaths = "/var/run/cups";
# PrivateUsers=true;
PrivateNetwork = true;
RestrictAddressFamilies = "AF_UNIX";
# ProtectSystem=true;
};
};
}

62
hardening/systemd/dbus-broker.nix
View file

@ -1,62 +0,0 @@
{
lib,
config,
...
}:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
dbus-broker.serviceConfig = {
DevicePolicy = "closed";
KeyringMode = "private";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = "read-only";
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "full";
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
RestrictAddressFamilies = [
# "AF_INET"
# "AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = [
"~pid"
"~user"
"~net"
"~uts"
"~mnt"
"~cgroup"
"~ipc"
];
SystemCallFilter = [
"@system-service"
"@privileged"
];
PrivateMounts = true;
# CapabilityBoundingSet = [
# "CAP_NET_BIND_SERVICE"
# "CAP_SETGID"
# "CAP_SETUID"
# "CAP_SYS_CHROOT"
# "cap_dac_override"
# ];
# PrivateUsers = false; # important
# PrivateNetwork = false; # important
};
};
}

32
hardening/systemd/default.nix
View file

@ -1,32 +0,0 @@
{ lib, config, ... }:
let
inherit (lib) mkDefault types mkIf;
eq = a: b: a == b;
noPred =
preds: x:
if preds == [ ] then
true
else if (lib.head preds) x then
false
else
noPred (lib.tail preds) x;
in
{
imports = [
# ./NetworkManager.nix
./wpa_supplicant.nix
./auditd.nix
./acpid.nix
# ./cups.nix
# ./bluetooth.nix
# ./tty.nix
./ask-password.nix
# ./nix-daemon.nix
./nscd.nix
./rtkit.nix
./sshd.nix
./dbus-broker.nix
./global
];
}

37
hardening/systemd/global/clock.nix
View file

@ -1,37 +0,0 @@
{ lib, config, ... }:
let
inherit (lib) mkDefault types mkIf;
in
{
options.systemd.services = lib.mkOption {
type =
let
osConfig = config;
in
types.attrsOf (
lib.types.submodule (
{ config, name, ... }:
{
config.serviceConfig = mkIf (osConfig.specialisation != { }) {
ProtectClock = mkDefault true;
};
}
)
);
};
config = mkIf (config.specialisation != { }) {
systemd.services = {
systemd-timesyncd.serviceConfig = {
ProtectClock = false;
SystemCallFilter = "@system-service @clock";
};
save-hwclock.serviceConfig = {
ProtectClock = false;
SystemCallFilter = "@system-service @clock";
};
};
};
}

9
hardening/systemd/global/default.nix
View file

@ -1,9 +0,0 @@
{
imports = [
./hostname.nix
./clock.nix
./realtime.nix
./syscall_arch.nix
./suidsgid.nix
];
}

29
hardening/systemd/global/hostname.nix
View file

@ -1,29 +0,0 @@
{ lib, config, ... }:
let
inherit (lib) types mkIf mkDefault;
in
{
options.systemd.services = lib.mkOption {
type =
let
osConfig = config;
in
types.attrsOf (
lib.types.submodule (
{ config, name, ... }:
{
config.serviceConfig = mkIf (osConfig.specialisation != { }) {
ProtectHostname = mkDefault true;
};
}
)
);
};
config = mkIf (config.specialisation != { }) {
systemd.services = {
systemd-hostnamed.serviceConfig.ProtectHostname = false;
nix-daemon.serviceConfig.ProtectHostname = false;
};
};
}

27
hardening/systemd/global/realtime.nix
View file

@ -1,27 +0,0 @@
{ lib, config, ... }:
let
inherit (lib) mkDefault types mkIf;
in
{
options.systemd.services = lib.mkOption {
type =
let
osConfig = config;
in
types.attrsOf (
lib.types.submodule {
config.serviceConfig = mkIf (osConfig.specialisation != { }) {
RestrictRealtime = mkDefault true;
};
}
);
};
config = mkIf (config.specialisation != { }) {
systemd.services = {
rtkit-daemon.serviceConfig.RestrictRealtime = false;
};
};
}

26
hardening/systemd/global/suidsgid.nix
View file

@ -1,26 +0,0 @@
{ lib, config, ... }:
let
inherit (lib) types mkIf mkDefault;
in
{
options.systemd.services = lib.mkOption {
type =
let
osConfig = config;
in
types.attrsOf (
lib.types.submodule {
config.serviceConfig = mkIf (osConfig.specialisation != { }) {
RestrictSUIDSGID = mkDefault true;
};
}
);
};
config = mkIf (config.specialisation != { }) {
systemd.services = {
suid-sgid-wrappers.serviceConfig.RestrictSUIDSGID = false;
};
};
}

22
hardening/systemd/global/syscall_arch.nix
View file

@ -1,22 +0,0 @@
{ lib, config, ... }:
let
inherit (lib) types mkIf mkDefault;
osConfig = config;
in
{
options.systemd.services = lib.mkOption {
type = types.attrsOf (
lib.types.submodule {
config.serviceConfig = mkIf (osConfig.specialisation != { }) {
SystemCallArchitectures = mkDefault "native";
};
}
);
};
config = mkIf (config.specialisation != { }) {
systemd.services = {
};
};
}

77
hardening/systemd/nix-daemon.nix
View file

@ -1,77 +0,0 @@
{
lib,
config,
...
}:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
nix-daemon.serviceConfig = {
MemoryDenyWriteExecute = true;
SystemCallArchitectures = "native";
RestrictSUIDSGID = true; # good, somehow???
RestrictAddressFamilies = [
"AF_UNIX"
"AF_INET"
"AF_INET6"
# "AF_NETLINK" # needed for some checks
]; # needed to download sources and caches
RestrictNamespaces = [
"user"
"net"
"uts"
"mnt"
"ipc"
"pid"
]; # namespaces needed for sandboxing
SystemCallFilter = [
"@system-service"
"@cpu-emulation"
"@mount"
"@privileged"
];
LockPersonality = true;
ProtectControlGroups = true;
ProtectKernelModules = true; # todo: does kvm need a modprobe here?
PrivateMounts = true;
ProtectProc = "invisible";
ProtectClock = true;
# file system
# PrivateTmp = true; # breaks --keep-failed
ProtectSystem = "strict";
ReadWritePaths = [
"/nix"
"/tmp"
];
# Scheduling: only do as much as resources are available
LimitNICE = 1;
Nice = 19;
RestrictRealtime = true;
# devices
DevicePolicy = "closed"; # allow pseudo-devices like /dev/null, but no real devices
DeviceAllow = "/dev/kvm"; # kvm is needed for VM tests
CapabilityBoundingSet = [
"CAP_FOWNER"
"CAP_CHOWN"
"CAP_SETUID"
"CAP_SETGID"
"CAP_SYS_ADMIN"
"CAP_DAC_OVERRIDE"
];
NoNewPrivileges = false; # build processes might need more
# ProtectKernelLogs=true; # BAD
# ProtectKernelTunables = true; # BAD
# PrivateUsers=true; BAD
# ProtectHome = "read-only"; # BAD
# ProtectHostname = true; # BAD!
# PrivateNetwork = true; # BAD!
};
};
}

47
hardening/systemd/nscd.nix
View file

@ -1,47 +0,0 @@
{
lib,
config,
...
}:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
nscd.serviceConfig = {
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
SystemCallArchitectures = "native";
RestrictSUIDSGID = true;
RestrictAddressFamilies = [
"AF_UNIX"
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
SystemCallFilter = "@system-service";
LockPersonality = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
PrivateMounts = true;
ProtectProc = "invisible";
ProtectClock = true;
# file system
PrivateTmp = true;
ProtectSystem = "strict";
RestrictRealtime = true;
PrivateUsers = true;
PrivateDevices = true;
CapabilityBoundingSet = [
"CAP_SETGID"
"CAP_SETUID"
"cap_dac_override"
];
ProtectKernelLogs = true;
ProtectKernelTunables = true;
ProtectHostname = true;
};
};
}

56
hardening/systemd/rtkit.nix
View file

@ -1,56 +0,0 @@
{
lib,
config,
...
}:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
rtkit-daemon.serviceConfig = {
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
SystemCallArchitectures = "native";
RestrictSUIDSGID = true;
RestrictAddressFamilies = "AF_UNIX";
RestrictNamespaces = [
"~pid"
"~user"
"~net"
"~uts"
"~mnt"
"~cgroup"
"~ipc"
];
SystemCallFilter = [
"@system-service"
"@chroot"
"@mount"
];
LockPersonality = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
PrivateMounts = true;
ProtectClock = true;
PrivateTmp = true;
ProtectSystem = "strict";
RestrictRealtime = false; # important
PrivateDevices = true;
ProcSubset = "pid";
CapabilityBoundingSet = [
"CAP_SYS_NICE"
"CAP_DAC_READ_SEARCH"
"CAP_SYS_CHROOT"
"CAP_SETGID"
"CAP_SETUID"
];
ProtectKernelLogs = true;
ProtectKernelTunables = true;
ProtectHome = true;
ProtectHostname = true;
PrivateNetwork = true;
};
};
}

62
hardening/systemd/sshd.nix
View file

@ -1,62 +0,0 @@
{
lib,
config,
...
}:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
sshd.serviceConfig = {
MemoryDenyWriteExecute = true;
SystemCallArchitectures = "native";
RestrictSUIDSGID = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = [
"~pid"
"~user"
"~net"
"~uts"
"~mnt"
"~cgroup"
"~ipc"
];
SystemCallFilter = [
"@system-service"
"@privileged"
];
LockPersonality = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
PrivateMounts = true;
ProtectProc = "invisible";
ProtectClock = true;
ProtectHostname = true;
# file system
PrivateTmp = true;
ProtectSystem = "strict";
ReadWritePaths = "/etc/ssh";
RestrictRealtime = true;
DevicePolicy = "closed"; # allow pseudo-devices like /dev/null, but no real devices
CapabilityBoundingSet = [
"CAP_NET_BIND_SERVICE"
"CAP_SETGID"
"CAP_SETUID"
"CAP_SYS_CHROOT"
"cap_dac_override"
];
ProtectKernelLogs = true;
ProtectKernelTunables = true;
PrivateUsers = false; # important
ProtectHome = false; # important
NoNewPrivileges = false; # IMPORTANT: allow new privileges for spawned shells
PrivateNetwork = false; # important
};
};
}

47
hardening/systemd/tty.nix
View file

@ -1,47 +0,0 @@
{ lib, config, ... }:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
"getty@".serviceConfig = {
CapabilityBoundingSet = [
"CAP_CHOWN"
"CAP_FOWNER"
"CAP_FSETID"
"CAP_SETGID"
"CAP_SETUID"
"CAP_SYS_NICE"
"CAP_SYS_RESOURCE"
"CAP_SYS_TTY_CONFIG"
];
# NoNewPrivileges = true;
RestrictNamespaces = [
"~pid"
"~user"
"~net"
"~uts"
"~mnt"
"~cgroup"
"~ipc"
];
ProtectControlGroups = true;
ProtectHome = false;
# ProtectClock = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
MemoryDenyWriteExecute = true;
# RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = lib.mkForce "@system-service";
LockPersonality = true;
ProtectProc = "invisible";
# PrivateUsers=true;
PrivateNetwork = true;
RestrictAddressFamilies = "AF_UNIX";
# ProtectSystem=true;
};
};
}

29
hardening/systemd/wpa_supplicant.nix
View file

@ -1,29 +0,0 @@
{ lib, config, ... }:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
wpa_supplicant.serviceConfig = {
CapabilityBoundingSet = [
""
(lib.concatStringsSep " " [
"cap_net_bind_service"
"cap_net_admin"
"cap_net_raw"
"cap_net_broadcast"
])
];
NoNewPrivileges = true;
RestrictNamespaces = "net";
ProtectControlGroups = true;
ProtectKernelModules = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
ProtectProc = "invisible";
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
LockPersonality = true;
ProcSubset = "pid";
ProtectSystem = true;
};
};
}

181
hm/common/default.nix
View file

@ -1,181 +0,0 @@
{
pkgs,
config,
osConfig,
lib,
...
}:
let
getIfHas =
path: attrs:
if path == [ ] then
attrs
else if builtins.hasAttr (builtins.head path) attrs then
getIfHas (builtins.tail path) (builtins.getAttr (builtins.head path) attrs)
else
null;
osConfigGetIfHasOrFalse = path: lib.defaultTo false (getIfHas (lib.splitString "." path) osConfig);
user = config.home.username;
homedir = config.home.homeDirectory;
graphical = osConfigGetIfHasOrFalse "grimmShared.graphical";
in
{
home.preferXdgDirectories = true;
home.packages =
with pkgs;
[
deskwhich
]
++ lib.optionals graphical [
# imhex
# libreoffice-qt
filezilla
obsidian
nomacs
pdfarranger
krita
# weasis
# kicad
prusa-slicer
freecad
openscad
iamb
confy
authenticator
signal-desktop
vlc
# blender
];
home.shellAliases = {
":q" = "exit";
"ls" = "eza";
"lix" = "nix";
"l" = "eza -hla";
"vi" = "hx";
"bat" = "bat --theme=Dracula";
};
programs.thunderbird = {
enable = graphical;
profiles.default = {
isDefault = true;
};
};
programs.zathura.enable = graphical;
programs.bash = {
enable = true;
enableCompletion = true;
};
services.mpris-proxy.enable = true;
# services.ssh-agent.enable = true;
programs.alacritty = {
enable = graphical;
settings = {
font.size = 16;
font.normal = {
family = "Noto Sans Mono";
};
window.opacity = 0.85;
};
};
programs.starship = {
enable = true;
enableBashIntegration = true;
settings = {
format = "$all$directory$character";
nodejs.disabled = true;
cmake.symbol = "cmake ";
custom.shell = {
command = "basename $SHELL";
when = "test -v SHELL";
format = " in [$output]($style)";
# ignore_timeout = true;
};
# env_var.SHELL = {variable = "SHELL"; default = ""; };
};
};
programs.fzf.enable = true;
programs.fzf.tmux.enableShellIntegration = true;
programs.thefuck = {
enable = true;
enableBashIntegration = true;
};
programs.helix = {
enable = true;
defaultEditor = true;
settings = {
editor.cursor-shape.insert = "bar";
theme = "base16_transparent";
};
extraPackages = with pkgs; [
marksman
nixd
];
};
gtk.iconTheme = {
package = pkgs.adwaita-icon-theme;
name = "Adwaita";
};
gtk.theme = {
package = pkgs.adw-gtk3;
name = "adw-gtk3-dark";
};
gtk.enable = true;
programs.tmux = {
enable = true;
clock24 = true;
historyLimit = 50000;
newSession = true;
};
systemd.user.enable = true;
systemd.user.tmpfiles.rules = lib.optional (osConfigGetIfHasOrFalse "services.printing.cups-pdf.enable") "L ${homedir}/PDF - - - - /var/spool/cups-pdf-pdf/users/${user}";
xdg.userDirs = {
enable = true;
createDirectories = true;
};
programs.gradle = {
enable = true;
settings = {
# "org.gradle.java.home" = "${pkgs.openjdk}/lib/openjdk";
"org.gradle.java.installations.auto-detect" = false;
};
};
programs.gpg = {
enable = true;
mutableKeys = true;
publicKeys = [
{
source = ./grimmauld.gpg;
trust = 5;
}
];
};
services.gpg-agent = {
enable = true;
enableBashIntegration = true;
pinentryPackage = if graphical then pkgs.pinentry-qt else pkgs.pinentry-tty;
};
# xdg.mimeApps.enable = true;
}

Some files were not shown because too many files have changed in this diff Show more