Grimmauld/grimm-nixos-laptop
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: Grimmauld:server-migration
Branches Tags
Grimmauld:main
Grimmauld:server-migration
..
compare: Grimmauld:main
Branches Tags
Grimmauld:main
Grimmauld:server-migration

149 commits
server-mig ... main

Author SHA1 Message Date
Grimmauld
c6e2036dea
update 2025-02-20 15:10:23 +01:00
Grimmauld
a8b52f5860
Merge branch 'main' of ssh://grimmauld.de:2222/Grimmauld/grimm-nixos-laptop 2025-02-20 14:51:17 +01:00
Grimmauld
acf263db0f
send dns requests through tor 2025-02-20 14:50:22 +01:00
Grimmauld
31e1aba73f
update 2025-02-19 23:30:28 +01:00
Grimmauld
9d5016f7ef Merge branch 'main' of ssh://grimmauld.de:2222/Grimmauld/grimm-nixos-laptop 2025-02-05 11:41:53 +01:00
Grimmauld
94ba633f48 add new server 2025-02-05 11:41:17 +01:00
Grimmauld
6c9de2273d
clean overlays 2025-02-04 11:52:57 +01:00
Grimmauld
c505eb8e09
CIS progress 2025-01-31 19:42:46 +01:00
Grimmauld
b9b01f1489
pull bluetooth hardening from PR 2025-01-30 23:03:43 +01:00
Grimmauld
24caa93a7c
fix bluetooth 2025-01-29 21:11:30 +01:00
Grimmauld
d021739983
cleanup 2025-01-29 18:37:35 +01:00
Grimmauld
e8e11182c2
dbus-broker hardening, acpid fixes 2025-01-28 23:59:41 +01:00
Grimmauld
d62b9c76d2
encrypted dns 2025-01-28 19:54:36 +01:00
Grimmauld
59c4d9dd11
fix child-open 2025-01-28 18:46:50 +01:00
Grimmauld
856713a61b
split opensnitch rules 2025-01-27 11:04:23 +01:00
Grimmauld
faf2aadd23
cleanup, reenable HT 2025-01-27 10:38:55 +01:00
Grimmauld
e6205dd705
fixes and qol 2025-01-26 21:43:23 +01:00
Grimmauld
d50a73ab06
updates 2025-01-21 19:27:00 +01:00
Grimmauld
e7a8f6c1f7 rekey 2025-01-16 00:03:53 +01:00
Grimmauld
3755fce6d7 matrix update 2025-01-15 15:39:04 +01:00
Grimmauld
19bedee269 Merge branch 'main' of ssh://grimmauld.de:2222/Grimmauld/grimm-nixos-laptop 2025-01-15 14:01:33 +01:00
Grimmauld
08de06ced4 add second server 2025-01-15 14:00:13 +01:00
Grimmauld
5efba3d0fe Merge branch 'main' of ssh://grimmauld.de:2222/Grimmauld/grimm-nixos-laptop 2025-01-15 13:29:26 +01:00
Grimmauld
053bad7afd matrix updates 2025-01-15 13:29:06 +01:00
Grimmauld
b0676e617a
dont harden by default 2025-01-15 12:36:53 +01:00
Grimmauld
a69684e126
ssh hardening 2025-01-15 11:01:27 +01:00
Grimmauld
066bacfce8
cached and updated nix-index 2025-01-14 20:37:14 +01:00
Grimmauld
53795ecb66
tmpfile cleanup 2025-01-12 23:00:12 +01:00
Grimmauld
c76eaacb28
update and clean /var 2025-01-12 19:10:42 +01:00
Grimmauld
dbbe60d0d2
improve getty coverage 2025-01-11 14:41:03 +01:00
Grimmauld
8e5f867252
improve hardening rules 2025-01-11 11:54:34 +01:00
Grimmauld
68529879d2
clean up hardening 2025-01-10 12:50:01 +01:00
Grimmauld
28e5a83716
nscd and rtkit hardening 2025-01-10 11:36:19 +01:00
Grimmauld
553b1863d3
update and fix opensnitch 2025-01-09 13:54:25 +01:00
Grimmauld
a8f9e7a9c2
nix-daemon confinement 2025-01-08 19:06:22 +01:00
Grimmauld
cf98a8a221
more sysd hardening 2025-01-07 11:31:43 +01:00
Grimmauld
8f68278465
more sysd hardening 2025-01-05 23:03:11 +01:00
Grimmauld
d6c70f5ae2
systemd network hardening 2025-01-05 13:27:12 +01:00
Grimmauld
35c4b42d3e
hardening WIP 2025-01-03 15:57:36 +01:00
Grimmauld
707be403d6
cleanup 2025-01-01 13:41:34 +01:00
Grimmauld
ddcbf54896
protect user home by default and more hardening 2025-01-01 13:39:44 +01:00
Grimmauld
96df3f3c9a
nosuid and nodev 2024-12-29 14:17:01 +01:00
Grimmauld
883d5edcd9
enable hardened profile 2024-12-27 22:59:07 +01:00
Grimmauld
66a59d9321
fix NM persistence 2024-12-27 15:42:56 +01:00
Grimmauld
4f4653b772
more paranoia 2024-12-27 15:25:49 +01:00
Grimmauld
aa4317d795
shared HM config 2024-12-25 13:21:07 +01:00
Grimmauld
e7c90d6176
hm updates 2024-12-23 17:45:20 +01:00
Grimmauld
d1997df806
getting started with HM 2024-12-23 12:18:12 +01:00
Grimmauld
9f2621b6be
save 2024-12-21 21:53:10 +01:00
Grimmauld
7eee8fc5f4 Merge branch 'main' of ssh://grimmauld.de:2222/Grimmauld/grimm-nixos-laptop 2024-12-02 11:05:25 +01:00
Grimmauld
86091ce867 try to fix bridge 2024-12-02 11:05:21 +01:00
Grimmauld
a8b165e957
fix aa patch 2024-12-02 10:58:45 +01:00
Grimmauld
f18654a7a5
ooye and update 2024-12-02 10:40:53 +01:00
Grimmauld
564d6b8209 Merge branch 'main' of ssh://grimmauld.de:2222/Grimmauld/grimm-nixos-laptop 2024-12-01 12:37:32 +01:00
Grimmauld
dd90defb6a forgejo migration 2024-12-01 12:37:18 +01:00
Grimmauld
4b1e60ab0a
no longer log out when yubikey is removed 2024-12-01 11:01:46 +01:00
Grimmauld
19f05aec9f
age with yubikey 2024-11-30 10:47:40 +01:00
Grimmauld
c7d9d0f802
enroll new key 2024-11-29 23:42:19 +01:00
Grimmauld
dba17de73c
fix config 2024-11-29 22:48:01 +01:00
Grimmauld
ceda4f1791
add fmt to flake, reduce abstraction layers 2024-11-27 09:47:58 +01:00
Grimmauld
06b37c6d92
nixfmt 2024-11-26 19:20:10 +01:00
Grimmauld
f28a475cfb
cleanup 2024-11-26 19:18:50 +01:00
Grimmauld
7fd47c51c0
move to dataset 2024-11-25 14:27:52 +01:00
Grimmauld
573b43b8e2
tooling fixes 2024-11-23 17:06:12 +01:00
Grimmauld
c18468c958
aa-alias-manager flake dependency 2024-11-01 16:33:26 +01:00
Grimmauld
cf90fea47a
hardware video acceleration 2024-10-30 16:39:35 +01:00
Grimmauld
48df7d2533
fix cyclic dependencies in sysd 2024-10-27 13:57:57 +01:00
Grimmauld
ec80dc24fb
fix race condition (i hope) 2024-10-25 18:13:30 +02:00
Grimmauld
b2f706bf83
aa-alias-manager, lets go! 2024-10-25 13:47:17 +02:00
Grimmauld
e841abdf9d
symlinked apparmor rules, lets gooogit add --all 2024-10-22 22:24:15 +02:00
Grimmauld
247489518d
re-flake 2024-10-22 22:05:22 +02:00
Grimmauld
9c7828fae6
Assert to catch non-existent profiles at nix build time 2024-10-18 13:59:49 +02:00
Grimmauld
0fc6f9d53b
update apparmor.d rules 2024-10-17 23:23:50 +02:00
Grimmauld
513d99ab68
fix pattern matching and sudo 2024-10-17 19:12:24 +02:00
Grimmauld
eab250f59d
fix conflicting x flag issue 2024-10-17 11:12:30 +02:00
Grimmauld
ff7e5e76c5
fix pkexec 2024-10-16 19:39:53 +02:00
Grimmauld
befdc89ae2
fix all apparmor profiles just being complain mode 2024-10-16 15:26:56 +02:00
Grimmauld
1e9f12df9f
simplify module 2024-10-16 15:20:09 +02:00
Grimmauld
e68b43a812
fix opensnitch (was completely borked) 2024-10-16 14:53:52 +02:00
Grimmauld
617a725abd
update inputs, enable apparmor caching 2024-10-16 11:28:00 +02:00
Grimmauld
e1789e9066
clean up apparmor.d submodules 2024-10-16 09:08:40 +02:00
Grimmauld
2cd93f01d9
use intended tooling: allows nixos-specific support in apparmor.d 2024-10-15 23:31:58 +02:00
Grimmauld
88457f7cbe
a little more useable apparmor.d profile integration 2024-10-15 21:35:53 +02:00
Grimmauld
f781c73d8d
osu part 2 2024-10-14 16:54:09 +02:00
Grimmauld
d718e5ac65
osu part 1 2024-10-14 14:49:17 +02:00
Grimmauld
cebee13139
firefox and pass in apparmor 2024-10-13 14:28:46 +02:00
Grimmauld
3f1d9786bf
add basic userspace apps 2024-10-13 13:44:16 +02:00
Grimmauld
d6e4ce8850
make vesktop work 2024-10-12 21:01:10 +02:00
Grimmauld
e072d9e4a5
experimental apparmor support 2024-10-12 18:19:18 +02:00
Grimmauld
b10ee3bf29
fix opensnitch logspam due to invalid creation time stamps 2024-10-12 12:27:32 +02:00
Grimmauld
76efedce92
fix up some opensnitch rules 2024-10-12 11:49:48 +02:00
Grimmauld
96d240c517
discord attachments and osu openmsnitch rules 2024-10-08 11:58:36 +02:00
Grimmauld
48cb9f9e7c
discord blocking! 2024-10-06 12:25:18 +02:00
Grimmauld
3a29e3975e
refine timesyncd rule 2024-10-06 10:47:08 +02:00
Grimmauld
8749f5c254
steve black host blocklist 2024-10-05 18:51:24 +02:00
Grimmauld
0b73857ec4
spotify opensnitch rules 2024-10-05 13:15:32 +02:00
Grimmauld
722c6f8e86
opensnitch progress 2024-10-05 12:11:14 +02:00
Grimmauld
bbc39ddae8
fix laptop config to actually build laptop 2024-10-04 22:12:18 +02:00
Grimmauld
c69cd3747c
drop unused overlay 2024-10-01 23:32:56 +02:00
Grimmauld
41483f5ffc
Merge branch 'main' of ssh://grimmauld.de:2222/Grimmauld/grimm-nixos-laptop 2024-09-29 15:01:14 +02:00
Grimmauld
bbad415a38
ssd fixes 2024-09-29 14:57:54 +02:00
Grimmauld
4be9ce6185 merge changes 2024-09-28 22:13:30 +02:00
Grimmauld
037d7fad84 server stuff 2024-09-28 22:09:24 +02:00
Grimmauld
c37a6082d3
cleanup and integration fixes 2024-09-21 09:43:57 +02:00
Grimmauld
967f556eac
alacritty config file 2024-09-09 10:32:50 +02:00
Grimmauld
294b33e5ae
add ssd 2024-09-08 21:05:56 +02:00
Grimmauld
2bff480d76
Merge branch 'main' of ssh://grimmauld.de:2222/Grimmauld/grimm-nixos-laptop 2024-09-08 15:41:49 +02:00
Grimmauld
817ddcfbae
update, prep for zfs 2024-09-08 14:57:15 +02:00
Grimmauld
e67f5a7bcb
update stuff 2024-08-15 14:59:23 +02:00
Grimmauld
9524fabb85 fix openssh 2024-07-02 20:04:55 +02:00
Grimmauld
50c5c88ed9 add hedgedoc 2024-06-14 00:09:10 +02:00
Grimmauld
018f85d1d3
update tooling 2024-06-13 22:56:30 +02:00
Grimmauld
995c410cd7
improve ranger tooling 2024-05-31 17:33:40 +02:00
Grimmauld
e64967fa76
nvim -> helix 2024-05-30 22:12:15 +02:00
Grimmauld
6fad466aca
Merge branch 'main' of ssh://grimmauld.de:2222/Grimmauld/grimm-nixos-laptop 2024-05-29 10:28:06 +02:00
Grimmauld
cf24711ace
fix nullability 2024-05-29 10:27:54 +02:00
Grimmauld
cb3fc78351 add tasks to nextcloud 2024-05-29 09:54:16 +02:00
Grimmauld
9bfa21d6ea
Merge branch 'main' of ssh://grimmauld.de:2222/Grimmauld/grimm-nixos-laptop 2024-05-29 09:52:59 +02:00
Grimmauld
53cd96dcfd
factorio overlay 2024-05-29 09:47:17 +02:00
Grimmauld
ba837aaa17 niv update 2024-05-25 23:18:29 +02:00
Grimmauld
5f06ae8950 nextcloud server encryption pt 1 2024-05-25 23:17:40 +02:00
Grimmauld
62e7db65e4
update some tooling 2024-05-25 23:15:31 +02:00
Grimmauld
21a081e2a5
temporary nvim lsp/fmt support 2024-05-25 23:15:28 +02:00
Grimmauld
65b39ce021 preliminary auth 2024-05-25 21:51:52 +02:00
Grimmauld
6cb15ad29e
bat and git-delta 2024-05-17 12:18:20 +02:00
Grimmauld
21ad9a362a
cleanup 2024-05-16 11:59:46 +02:00
Grimmauld
3d88a303bd
automaitcally select treefmt config 2024-05-16 11:59:05 +02:00
Grimmauld
a791b41455
fmt support 2024-05-15 23:24:35 +02:00
Grimmauld
7b2265b906
Add more lsp support, completions in nvim via coq 2024-05-15 17:49:05 +02:00
Grimmauld
b72e2a05bd fix misc 2024-05-12 10:39:52 +02:00
Grimmauld
8c97d5daf5 fix cache issues 2024-05-12 09:46:41 +02:00
Grimmauld
fad8e51f94
clean up some scopes 2024-05-11 22:55:59 +02:00
Grimmauld
95d2252b1e
update tooling 2024-05-11 11:37:59 +02:00
Grimmauld
5a48afaccc
tlpui patch -> overlay 2024-05-10 17:02:24 +02:00
Grimmauld
a32218ba2c
authentik part 1 2024-05-10 16:59:38 +02:00
Grimmauld
eed0de7b78
cleanup 2024-05-10 16:33:39 +02:00
Grimmauld
f64ee84771 use powder-toy from upstream, drop ccache overlay 2024-05-10 11:43:56 +02:00
Grimmauld
c984843694 nix-serve -> harmonia 2024-05-10 10:38:53 +02:00
Grimmauld
b1c4f375c1 drop kicad 2024-05-09 23:00:27 +02:00
Grimmauld
efee6588cd binary cache 2024-05-09 22:32:39 +02:00
Grimmauld
f969379666
ccache lix 2024-05-09 21:56:59 +02:00
Grimmauld
9f14173c43
add ccache 2024-05-09 20:36:33 +02:00
Grimmauld
058265c410
fix deprecation 2024-05-09 14:57:35 +02:00
Grimmauld
dca29c0156
globalized port/vhost config: move modules 2024-05-09 14:55:02 +02:00
Grimmauld
181f108308
globalized port/vhost config 2024-05-09 12:16:28 +02:00
Grimmauld
aa06c9b3e9
move server module loading to modules folder 2024-05-09 11:03:43 +02:00
Grimmauld
730195c67c
move bridge overlay to overlays 2024-05-09 10:54:00 +02:00
Grimmauld
936659300b
nixos-build-all 2024-05-09 10:43:41 +02:00
Grimmauld
432824038e
switch back to broker, put back LixOS branding 2024-05-09 00:06:53 +02:00
203 changed files with 9059 additions and 2453 deletions
Show stats Expand all files Collapse all files

1
authorizedKeys.nix
View file

@ -4,4 +4,5 @@
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCy7X5ByG4/9y2XkQSnXcpMGnV5WPGUd+B6FaYCDNmPQ7xIZEteS+kCpu9oiMP6C/H/FT+i9DZvCflkzgdFAyujYLKRYaZbZ3K6F60qN0rkJ0z/ZO5c6rqwIwR6BEoB7dq5inkyH9fZ8/SI+PXxELmeWF9ehT7kkQC+o9Ujpcjd7ZuZllbAz4UQZFRbbpwdVJCEDenu9/63yuYbvMupgGk0edaTiFT0Q9MSzs/3pNP8xlAxmmZ3HzSjeF7gUzBF7CaIroTeguiUjSVybUEx48P8fy878t7dUZf4anEno9MS0B3aqfZvCKuuPdAUdeBfCbFHRqN7GuCylFIXGPe95Mxl grimmauld@grimmauld-nixos" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCy7X5ByG4/9y2XkQSnXcpMGnV5WPGUd+B6FaYCDNmPQ7xIZEteS+kCpu9oiMP6C/H/FT+i9DZvCflkzgdFAyujYLKRYaZbZ3K6F60qN0rkJ0z/ZO5c6rqwIwR6BEoB7dq5inkyH9fZ8/SI+PXxELmeWF9ehT7kkQC+o9Ujpcjd7ZuZllbAz4UQZFRbbpwdVJCEDenu9/63yuYbvMupgGk0edaTiFT0Q9MSzs/3pNP8xlAxmmZ3HzSjeF7gUzBF7CaIroTeguiUjSVybUEx48P8fy878t7dUZf4anEno9MS0B3aqfZvCKuuPdAUdeBfCbFHRqN7GuCylFIXGPe95Mxl grimmauld@grimmauld-nixos"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClLZhya2A7SoRSX2DNNM6OWgnGhtOFUor/WdyY59L0l6u5tEo9VyX5bCR84eo+uN4jyahSiGD1WC3RGIoNtHuSkKPxr0rqQhlbuyxraHGj7hOLhcGWRd2eIdsntbma7uPsn4zC0skKjpVNR7PU4LfSxti0gBhgq6uQhMtlfywwJshmwt55q7oT/zC449Uz2vyviy7sQ53R9YoOWEjB/+vU8jHxGlqLatXhOGKlBtrQxKm8PZ6jBYxAC6sGA4APIHWC3KC0S0X7wlmi42Dx9bbBm0rUjy095vRZ22fkE8x9OSTKDY/vFTLw5vwVMa8dACfA1Kc0+EpgOK77lZddeTvD grimmauld.de" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClLZhya2A7SoRSX2DNNM6OWgnGhtOFUor/WdyY59L0l6u5tEo9VyX5bCR84eo+uN4jyahSiGD1WC3RGIoNtHuSkKPxr0rqQhlbuyxraHGj7hOLhcGWRd2eIdsntbma7uPsn4zC0skKjpVNR7PU4LfSxti0gBhgq6uQhMtlfywwJshmwt55q7oT/zC449Uz2vyviy7sQ53R9YoOWEjB/+vU8jHxGlqLatXhOGKlBtrQxKm8PZ6jBYxAC6sGA4APIHWC3KC0S0X7wlmi42Dx9bbBm0rUjy095vRZ22fkE8x9OSTKDY/vFTLw5vwVMa8dACfA1Kc0+EpgOK77lZddeTvD grimmauld.de"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJhM1Fk5ix4OZAdlfCxL891KxeEKpyIFrP5yYkC9mg7E grimmauld@grimmauld-nixos" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJhM1Fk5ix4OZAdlfCxL891KxeEKpyIFrP5yYkC9mg7E grimmauld@grimmauld-nixos"
(builtins.readFile ./ssh/id_ed25519_sk.pub)
] ]

214
common/cloudsync.nix
View file

@ -5,117 +5,121 @@
... ...
}: }:
let let
cfg = config.grimmShared; inherit (lib)
sync_mod = types
with lib; mkOption
types.submodule ( concatStrings
{ config, ... }: getExe'
{ mkIf
options = { mkEnableOption
remote = mkOption { ;
type = types.nonEmptyStr; inherit (config.grimmShared) enable cloudSync;
description = "path on the cloud server"; inherit (pkgs) nextcloud-client writeShellScriptBin;
};
local = mkOption { sync_mod = types.submodule (
type = types.nonEmptyStr; { config, ... }:
default = "$HOME/" + (concatStrings (builtins.match "/*(.+)" config.remote)); {
description = "local path to sync"; options = {
remote = mkOption {
type = types.nonEmptyStr;
description = "path on the cloud server";
};
local = mkOption {
type = types.nonEmptyStr;
default = "$HOME/" + (concatStrings (builtins.match "/*(.+)" config.remote));
description = "local path to sync";
};
};
}
);
in
{
config = mkIf (enable && cloudSync.enable) (
let
cloud_cmd = ''${getExe' nextcloud-client "nextcloudcmd"} -u ${cloudSync.username} -p "$(${getExe' pkgs.coreutils-full "cat"} ${cloudSync.passwordFile})" -h -n --path'';
sync_server = "https://${cloudSync.server}";
in
{
environment.systemPackages = [
(writeShellScriptBin "cloudsync-cmd" (cloud_cmd + " $@ " + sync_server))
nextcloud-client
];
systemd.services = lib.mkMerge (
lib.mapAttrsToList (
local_user: user_conf:
let
paths = user_conf.syncPaths;
sync_script = lib.strings.concatLines (
map (
{ local, remote }:
let
remote_clean = lib.strings.concatStrings (builtins.match "/*(.+)" remote);
in
"${cloud_cmd} /${remote_clean} ${local} ${sync_server} 1> /dev/null"
) paths
);
in
{
# user-specific sync jobs
"nextcloud-autosync-${local_user}" = lib.mkIf (paths != [ ]) {
description = "Auto sync Nextcloud";
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig.Type = "simple";
serviceConfig.User = local_user;
serviceConfig.Group = "users";
script = sync_script;
# TimeoutStopSec = "180";
# KillMode = "process";
# KillSignal = "SIGINT";
wantedBy = [ "multi-user.target" ];
enable = true;
};
}
) config.users.users
);
systemd.timers = lib.mkMerge (
lib.mapAttrsToList (
local_user: user_conf:
let
paths = user_conf.syncPaths;
in
{
# user-specific sync jobs
"nextcloud-autosync-${local_user}" = lib.mkIf (paths != [ ]) {
description = "Automatic sync files with Nextcloud when booted up after 5 minutes then rerun every 60 minutes";
timerConfig.OnBootSec = "5min";
timerConfig.OnUnitActiveSec = "60min";
wantedBy = [
"multi-user.target"
"timers.target"
];
enable = true;
};
}
) config.users.users
);
}
);
options.users.users = mkOption {
type = types.attrsOf (
types.submodule {
options = {
syncPaths = mkOption {
type = types.listOf sync_mod;
default = [ ];
description = "paths to sync via nextcloud";
}; };
}; };
} }
); );
in };
{
config =
with cfg;
lib.mkIf (enable && cloudSync.enable) (
let
cloud_cmd = ''${pkgs.nextcloud-client}/bin/nextcloudcmd -u ${config.grimmShared.cloudSync.username} -p "$(cat ${config.grimmShared.cloudSync.passwordFile})" -h -n --path'';
sync_server = "https://${config.grimmShared.cloudSync.server}";
in
{
environment.systemPackages = with pkgs; [
(writeShellScriptBin "cloudsync-cmd" (cloud_cmd + " $@ " + sync_server))
nextcloud-client
];
systemd.services = lib.mkMerge ( options.grimmShared.cloudSync = {
lib.mapAttrsToList (
local_user: user_conf:
let
paths = user_conf.syncPaths;
sync_script = lib.strings.concatLines (
map (
{ local, remote }:
let
remote_clean = lib.strings.concatStrings (builtins.match "/*(.+)" remote);
in
"${cloud_cmd} /${remote_clean} ${local} ${sync_server}"
) paths
);
in
{
# user-specific sync jobs
"nextcloud-autosync-${local_user}" = lib.mkIf (paths != [ ]) {
description = "Auto sync Nextcloud";
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig.Type = "simple";
serviceConfig.User = local_user;
serviceConfig.Group = "users";
script = sync_script;
# TimeoutStopSec = "180";
# KillMode = "process";
# KillSignal = "SIGINT";
wantedBy = [ "multi-user.target" ];
enable = true;
};
}
) config.users.users
);
systemd.timers = lib.mkMerge (
lib.mapAttrsToList (
local_user: user_conf:
let
paths = user_conf.syncPaths;
in
{
# user-specific sync jobs
"nextcloud-autosync-${local_user}" = lib.mkIf (paths != [ ]) {
description = "Automatic sync files with Nextcloud when booted up after 5 minutes then rerun every 60 minutes";
timerConfig.OnBootSec = "5min";
timerConfig.OnUnitActiveSec = "60min";
wantedBy = [
"multi-user.target"
"timers.target"
];
enable = true;
};
}
) config.users.users
);
}
);
options.users.users =
with lib;
mkOption {
type = types.attrsOf (
types.submodule {
options = {
syncPaths = mkOption {
type = types.listOf sync_mod;
default = [ ];
description = "paths to sync via nextcloud";
};
};
}
);
};
options.grimmShared.cloudSync = with lib; {
enable = mkEnableOption "cloud_sync"; enable = mkEnableOption "cloud_sync";
username = mkOption { username = mkOption {

1
common/databases/default.nix Normal file
View file

@ -0,0 +1 @@
{ imports = [ ./postgres.nix ]; }

72
common/databases/postgres.nix Normal file
View file

@ -0,0 +1,72 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (lib)
types
concatLines
optionalString
mkOption
;
createPasswords = pkgs.writeText "psql-password-def" (
concatLines (
map (
s:
optionalString (!isNull s.passFile) ''
DO $$
DECLARE password TEXT;
BEGIN
password := trim(both from replace(pg_read_file('${s.passFile}'), E'\n', '''));
EXECUTE format('ALTER ROLE ${s.name} WITH PASSWORD '''%s''';', password);
END $$;
''
) config.services.postgresql.ensureUsers
)
);
in
{
config = {
systemd.services.postgresql.postStart = "$PSQL -tA -f ${createPasswords}";
services.postgresql = {
package = pkgs.postgresql_15;
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all peer map=superuser_map
local all all peer
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
local replication all peer
host replication all 127.0.0.1/32 md5
host replication all ::1/128 md5
'';
identMap = ''
# ArbitraryMapName systemUser DBUser
superuser_map root postgres
superuser_map matrix-synapse synapse
superuser_map postgres-exporter postgres
# Let other names login as themselves
superuser_map /^(.*)$ \1
'';
};
};
options.services.postgresql.ensureUsers = mkOption {
type = types.listOf (
types.submodule {
options = {
passFile = mkOption {
type = types.nullOr types.path;
default = null;
description = "path to a password file containing the password to be set";
};
};
}
);
};
}

10
common/default.nix
View file

@ -1,9 +1,4 @@
{ { lib, ... }:
config,
lib,
pkgs,
...
}:
with lib; with lib;
{ {
options.grimmShared = { options.grimmShared = {
@ -20,7 +15,8 @@ with lib;
./graphics ./graphics
./gaming.nix ./gaming.nix
./firefox.nix ./firefox.nix
./cloudsync.nix # ./cloudsync.nix
./hardware ./hardware
./databases
]; ];
} }

117
common/firefox.nix
View file

@ -5,68 +5,75 @@
... ...
}: }:
let let
cfg = config.grimmShared; inherit (config.grimmShared)
enable
firefox
locale
sway
;
inherit (lib)
mkIf
optionals
mapAttrs
optionalAttrs
;
in in
{ {
config = config = mkIf (enable && firefox.enable) {
with cfg; environment.systemPackages =
lib.mkIf (enable && firefox.enable) { [ ]
environment.systemPackages = ++ optionals config.services.desktopManager.plasma6.enable [ pkgs.plasma-browser-integration ];
[ ]
++ lib.optionals config.services.desktopManager.plasma6.enable [ pkgs.plasma-browser-integration ];
programs.firefox = { programs.firefox = {
package = pkgs.firefox-beta; # package = pkgs.firefox-beta;
enable = true; enable = true;
nativeMessagingHosts.packages = languagePacks = optionals locale [
[ ] "de"
++ lib.optionals (cfg.tooling.enable && cfg.tooling.pass) [ pkgs.passff-host ]; "en-US"
languagePacks = lib.optionals cfg.locale [ ];
"de" policies = {
"en-US" ExtensionSettings =
]; # (mkIf firefox.disableUserPlugins { "*".installation_mode = "blocked"; }) //
policies = { (
ExtensionSettings = lib.mkMerge [ mapAttrs (guid: shortId: {
(lib.mkIf cfg.firefox.disableUserPlugins { "*".installation_mode = "blocked"; }) # explicit plugins by config
(lib.mapAttrs (guid: shortId: {
# explicit plugins by config
install_url = "https://addons.mozilla.org/en-US/firefox/downloads/latest/${shortId}/latest.xpi"; install_url = "https://addons.mozilla.org/en-US/firefox/downloads/latest/${shortId}/latest.xpi";
installation_mode = "force_installed"; installation_mode = "force_installed";
}) cfg.firefox.plugins) }) config.grimmShared.firefox.plugins
(lib.mkIf (cfg.tooling.enable && cfg.tooling.pass) { );
# password-store support DisableTelemetry = true;
"passff@invicem.pro" = { DisableFirefoxStudies = true;
install_url = "https://addons.mozilla.org/firefox/downloads/latest/passff/latest.xpi"; EnableTrackingProtection = {
installation_mode = "force_installed"; Value = true;
}; Locked = true;
}) Cryptomining = true;
]; Fingerprinting = true;
DisableTelemetry = true;
DisableFirefoxStudies = true;
EnableTrackingProtection = {
Value = true;
Locked = true;
Cryptomining = true;
Fingerprinting = true;
};
DisablePocket = true;
DisableFirefoxAccounts = true;
DisableAccounts = true;
DisableFirefoxScreenshots = true;
OverrideFirstRunPage = "";
OverridePostUpdatePage = "";
DontCheckDefaultBrowser = true;
Preferences = {
"pdfjs.enableScripting" = false;
"media.hardware-video-decoding.enabled" = true;
"media.ffmpeg.vaapi.enabled" = true;
"media.rdd-ffmpeg.enabled" = true;
"media.navigator.mediadatadecoder_vpx_enabled" = true;
} // lib.optionalAttrs cfg.sway.enable { "browser.tabs.inTitlebar" = 0; };
}; };
DisablePocket = true;
DisableFirefoxAccounts = true;
DisableAccounts = true;
DisableFirefoxScreenshots = true;
OverrideFirstRunPage = "";
OverridePostUpdatePage = "";
DontCheckDefaultBrowser = true;
Preferences = {
"pdfjs.enableScripting" = false;
"media.hardware-video-decoding.enabled" = true;
"media.ffmpeg.vaapi.enabled" = true;
"network.dns.disableIPv6" = true;
# "network.dns.DNS_HTTPS.domain" = "::1";
"network.connectivity-service.DNSv4.domain" = "127.0.0.1";
"network.connectivity-service.DNSv6.domain" = "::1";
network.dns.localDomains = "::1";
network.dns.forceResolve = true;
"media.peerconnection.enabled" = false;
"media.rdd-ffmpeg.enabled" = true;
"media.navigator.mediadatadecoder_vpx_enabled" = true;
} // optionalAttrs sway.enable { "browser.tabs.inTitlebar" = 0; };
}; };
}; };
};
options.grimmShared.firefox = with lib; { options.grimmShared.firefox = with lib; {
enable = mkEnableOption "grimm-firefox"; enable = mkEnableOption "grimm-firefox";
@ -77,6 +84,6 @@ in
description = "set of plugins to install. Format: guid = short-id"; description = "set of plugins to install. Format: guid = short-id";
}; };
disableUserPlugins = lib.mkEnableOption "disables user controlled plugins"; disableUserPlugins = mkEnableOption "disables user controlled plugins";
}; };
} }

103
common/gaming.nix
View file

@ -5,58 +5,63 @@
... ...
}: }:
let let
cfg = config.grimmShared; inherit (config.grimmShared) enable gaming;
inherit (lib)
mkIf
getExe
mkEnableOption
optional
;
in in
{ {
config = config = mkIf (enable && gaming) {
with cfg; programs.steam = {
lib.mkIf (enable && gaming) { enable = true;
programs.steam = { gamescopeSession.env = {
enable = true; DRI_PRIME = "1";
gamescopeSession.enable = true;
gamescopeSession.env = {
DRI_PRIME = "1";
};
extraCompatPackages = with pkgs; [ proton-ge-bin ];
# extest.enable = true;
}; };
extraCompatPackages = with pkgs; [ proton-ge-bin ];
programs.gamemode = { # extest.enable = true;
enable = true;
settings = {
general = {
inhibit_screensaver = 0;
renice = 10;
};
custom = {
start = "${lib.getExe pkgs.libnotify} 'GameMode started'";
end = "${lib.getExe pkgs.libnotify} 'GameMode ended'";
};
};
};
services.udev.packages = [ pkgs.wooting-udev-rules ];
environment.sessionVariables = {
GAMEMODERUNEXEC = "env DRI_PRIME=1";
};
environment.systemPackages = with pkgs; [
heroic
prismlauncher
mangohud
the-powder-toy
(pkgs.symlinkJoin {
name = "osu";
paths = [
(pkgs.writeShellScriptBin "osu!" ''
exec gamemoderun ${lib.getExe pkgs.osu-lazer-bin}
'')
pkgs.osu-lazer-bin
];
})
];
}; };
options.grimmShared.gaming = lib.mkEnableOption "enables steam, heroic, prism and gamemoded"; programs.gamemode = {
enable = true;
settings = {
general = {
inhibit_screensaver = 0;
renice = 10;
};
custom = {
start = "${lib.getExe pkgs.libnotify} 'GameMode started'";
end = "${lib.getExe pkgs.libnotify} 'GameMode ended'";
};
};
};
# programs.honkers-railway-launcher.enable = true;
services.udev.packages = [ pkgs.wooting-udev-rules ];
environment.sessionVariables = {
GAMEMODERUNEXEC = "env DRI_PRIME=1";
};
environment.systemPackages = with pkgs; [
# heroic
prismlauncher
mangohud
the-powder-toy
(symlinkJoin {
name = "osu";
paths = [
(writeShellScriptBin "osu!" ''
exec gamemoderun ${getExe osu-lazer-bin}
'')
osu-lazer-bin
];
})
];
};
options.grimmShared.gaming = mkEnableOption "enables steam, heroic, prism and gamemoded";
} }

37
common/graphics/fonts.nix
View file

@ -4,24 +4,27 @@
config, config,
... ...
}: }:
let
inherit (config.grimmShared) enable graphical;
in
{ {
config = config = lib.mkIf (enable && graphical) {
with config.grimmShared; fonts = {
lib.mkIf (enable && graphical) { packages = with pkgs; [
fonts = { noto-fonts
packages = with pkgs; [ noto-fonts-cjk-sans
noto-fonts font-awesome
noto-fonts-cjk # noto-fonts-emoji
font-awesome noto-fonts-monochrome-emoji
noto-fonts-emoji roboto
roboto liberation_ttf
liberation_ttf # nerdfonts
]; ];
fontDir.enable = true; fontDir.enable = true;
};
environment.sessionVariables = {
FREETYPE_PROPERTIES = "cff:no-stem-darkening=0 autofitter:no-stem-darkening=0";
};
}; };
environment.sessionVariables = {
FREETYPE_PROPERTIES = "cff:no-stem-darkening=0 autofitter:no-stem-darkening=0";
};
};
} }

118
common/graphics/opengl.nix
View file

@ -5,74 +5,80 @@
... ...
}: }:
let let
cfg = config.grimmShared; inherit (config.grimmShared) enable graphical screens;
screen = inherit (lib) types mkOption mkIf;
with lib;
types.submodule {
options = {
fps = mkOption {
type = types.either types.int (types.nonEmptyListOf types.int);
default = 60;
description = "max framerate of screen";
};
mode = mkOption { screen = types.submodule {
type = types.nonEmptyStr; options = {
default = "1920x1080"; fps = mkOption {
description = "pixel format of the screen"; type = types.either types.int (types.nonEmptyListOf types.int);
}; default = 60;
description = "max framerate of screen";
};
id = mkOption { mode = mkOption {
type = types.nonEmptyStr; type = types.nonEmptyStr;
description = "ID of the screen"; default = "1920x1080";
}; description = "pixel format of the screen";
};
pos = mkOption { id = mkOption {
type = types.nullOr types.nonEmptyStr; type = types.nonEmptyStr;
default = null; description = "ID of the screen";
example = "0,0"; };
description = "position where to place the screen";
}; pos = mkOption {
type = types.nullOr types.nonEmptyStr;
default = null;
example = "0,0";
description = "position where to place the screen";
}; };
}; };
};
in in
{ {
config = config = mkIf (enable && graphical) {
with cfg; # Enable OpenGL
lib.mkIf (enable && graphical) { hardware.graphics = {
# Enable OpenGL enable = true;
hardware.opengl = { #driSupport = true;
enable = true; #driSupport32Bit = true;
driSupport = true; extraPackages = with pkgs; [
driSupport32Bit = true; intel-media-driver # LIBVA_DRIVER_NAME=iHD
extraPackages = with pkgs; [ ]; # intel-vaapi-driver # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
}; # libvdpau-va-gl
chaotic.mesa-git.enable = true;
boot.kernelParams = [ "nouveau.config=NvGspRm=1" ];
environment.sessionVariables = {
__GL_LOG_MAX_ANISO = "0";
__GL_SHADER_DISK_CACHE = "1";
__GL_SYNC_TO_VBLANK = "0";
__GL_THREADED_OPTIMIZATIONS = "1";
__GL_VRR_ALLOWED = "1";
# MESA_LOADER_DRIVER_OVERRIDE="zink";
# FLATPAK_GL_DRIVERS="mesa-git";
};
environment.systemPackages = with pkgs; [
glfw
glxinfo
vulkan-tools
mangohud
]; ];
}; };
options.grimmShared = with lib; { environment.sessionVariables = {
LIBVA_DRIVER_NAME = "iHD";
}; # Force intel-media-driver
# chaotic.mesa-git.enable = true;
boot.kernelParams = [ "nouveau.config=NvGspRm=1" ];
environment.sessionVariables = {
__GL_LOG_MAX_ANISO = "0";
__GL_SHADER_DISK_CACHE = "1";
__GL_SYNC_TO_VBLANK = "0";
__GL_THREADED_OPTIMIZATIONS = "1";
__GL_VRR_ALLOWED = "1";
# MESA_LOADER_DRIVER_OVERRIDE="zink";
# FLATPAK_GL_DRIVERS="mesa-git";
};
environment.systemPackages = with pkgs; [
glfw
glxinfo
vulkan-tools
mangohud
];
};
options.grimmShared = {
graphical = mkOption { graphical = mkOption {
type = types.bool; type = types.bool;
default = cfg.screens != { }; default = screens != { };
description = "whether to force enable graphical components"; description = "whether to force enable graphical components";
}; };

91
common/graphics/qt.nix
View file

@ -5,51 +5,54 @@
... ...
}: }:
let let
cfg = config.grimmShared; inherit (config.grimmShared) enable graphical sway;
in in
{ {
config = config = lib.mkIf (enable && graphical) {
with cfg; qt = {
lib.mkIf (enable && graphical) { enable = true;
qt = { style = "breeze";
enable = true; platformTheme = "lxqt";
style = "kvantum";
platformTheme = "qt5ct";
};
environment.systemPackages =
with pkgs;
with kdePackages;
[
qtstyleplugin-kvantum
catppuccin-sddm-corners
libsForQt5.qtgraphicaleffects
catppuccin-kvantum
kdePackages.audiocd-kio
kdePackages.kio-extras
kdePackages.kio
xcb-util-cursor
qt6ct
kdePackages.dolphin
qtwayland
];
environment.pathsToLink = [ "/share/Kvantum" ];
services.displayManager = {
sddm = {
enable = true;
theme = "catppuccin-sddm-corners";
wayland.enable = true;
wayland.compositor = "weston";
};
defaultSession = lib.optionalString cfg.sway.enable "sway";
};
boot.plymouth = {
themePackages = with pkgs; [ catppuccin-plymouth ];
theme = "catppuccin-macchiato";
enable = true;
};
}; };
environment.systemPackages =
with pkgs;
with kdePackages;
[
# qtstyleplugin-kvantum
catppuccin-sddm-corners
libsForQt5.qtgraphicaleffects
# catppuccin-kvantum
breeze
kdePackages.audiocd-kio
kdePackages.kio-extras
kdePackages.kio
xcb-util-cursor
qt6ct
kdePackages.dolphin
qtwayland
];
# environment.pathsToLink = [ "/share/Kvantum" ];
services.displayManager = {
sddm = {
enable = true;
theme = "catppuccin-sddm-corners";
wayland.enable = true;
wayland.compositor = "weston";
};
defaultSession = lib.optionalString sway.enable "sway";
};
xdg.portal.lxqt.styles = with pkgs; [
kdePackages.breeze-qt5
];
#boot.plymouth = {
# themePackages = with pkgs; [ catppuccin-plymouth ];
# theme = "catppuccin-macchiato";
# enable = true;
#};
};
} }

196
common/graphics/sway.nix
View file

@ -5,97 +5,113 @@
... ...
}: }:
let let
cfg = config.grimmShared; inherit (config.grimmShared) enable sway screens;
sway_conf = inherit (lib)
with lib; types
types.submodule ( mkOption
{ config, ... }: mkEnableOption
rec { mapAttrsToList
options = { optionalString
keybinds = mkOption { concatMapStrings
type = types.attrsOf types.str; isInt
default = { }; min
description = "set of keybinds assigning key combo to action"; max
}; foldl'
getExe
getExe'
isPath
isDerivation
concatLines
optional
singleton
mkIf
;
inherit (pkgs) writeShellScriptBin;
autolaunch = mkOption { sway_conf = types.submodule (
type = types.listOf (types.either types.nonEmptyStr types.package); { ... }:
default = [ ]; {
description = "set of commands to be run at sway startup"; options = {
}; keybinds = mkOption {
type = types.attrsOf types.str;
execAlways = mkOption { default = { };
type = types.listOf (types.either types.nonEmptyStr types.package); description = "set of keybinds assigning key combo to action";
default = [ ];
description = "set of commands to be run at sway reload";
};
extraConfig = mkOption {
type = types.str;
default = "";
description = "additional sway config to be included";
};
definitions = mkOption {
type = types.attrsOf types.str;
default = { };
description = "set of definitions assigning variable to value";
};
modes = mkOption {
type = types.attrsOf sway_conf;
default = { };
description = "possible modes to switch to, e.g. resize";
};
}; };
}
); autolaunch = mkOption {
type = types.listOf (types.either types.nonEmptyStr types.package);
default = [ ];
description = "set of commands to be run at sway startup";
};
execAlways = mkOption {
type = types.listOf (types.either types.nonEmptyStr types.package);
default = [ ];
description = "set of commands to be run at sway reload";
};
extraConfig = mkOption {
type = types.str;
default = "";
description = "additional sway config to be included";
};
definitions = mkOption {
type = types.attrsOf types.str;
default = { };
description = "set of definitions assigning variable to value";
};
modes = mkOption {
type = types.attrsOf sway_conf;
default = { };
description = "possible modes to switch to, e.g. resize";
};
};
}
);
build_screen_def = build_screen_def =
fps_func: fps_func:
with lib;
let let
output_def = mapAttrsToList ( output_def = mapAttrsToList (
name: value: name: value:
"output ${value.id} mode ${value.mode}@${toString (fps_func value.fps)}Hz" "output ${value.id} mode ${value.mode}@${toString (fps_func value.fps)}Hz"
+ (optionalString (value.pos != null) " position ${value.pos}") + (optionalString (value.pos != null) " position ${value.pos}")
) cfg.screens; ) screens;
in in
'' ''
for pid in $(${pkgs.procps}/bin/pgrep sway -x) for pid in $(${getExe' pkgs.procps "pgrep"} sway -x)
do do
uid=$(id -u $(${pkgs.procps}/bin/ps -o user= -p $pid)) uid=$(id -u $(${getExe' pkgs.procps "ps"} -o user= -p $pid))
export SWAYSOCK="/run/user/$uid/sway-ipc.$uid.$pid.sock" export SWAYSOCK="/run/user/$uid/sway-ipc.$uid.$pid.sock"
if [[ -e "$SWAYSOCK" ]] ; then if [[ -e "$SWAYSOCK" ]] ; then
echo "sock is $SWAYSOCK" echo "sock is $SWAYSOCK"
${config.programs.sway.package}/bin/swaymsg '${concatMapStrings (s: s + " ; ") output_def}' ${getExe' config.programs.sway.package "swaymsg"} '${
concatMapStrings (s: s + " ; ") output_def
}'
fi fi
done done
''; '';
inherit (lib) getExe;
fps_min = fps: with lib; if isInt fps then fps else (foldl' min 2147483647 fps); fps_min = fps: if isInt fps then fps else (foldl' min 2147483647 fps);
fps_max = fps: with lib; if isInt fps then fps else (foldl' max 0 fps); fps_max = fps: if isInt fps then fps else (foldl' max 0 fps);
init_screens_min_fps = init_screens_min_fps = writeShellScriptBin "init-screens-min" (build_screen_def fps_min);
with lib; init_screens_max_fps = writeShellScriptBin "init-screens-max" (build_screen_def fps_max);
pkgs.writeShellScriptBin "init-screens-min" (build_screen_def fps_min); init_screens_auto = writeShellScriptBin "init-screens-auto" "which run-on-ac && which run-on-bat && run-on-ac ${getExe init_screens_max_fps} && run-on-bat ${getExe init_screens_min_fps} || ${getExe init_screens_max_fps}";
init_screens_max_fps =
with lib;
pkgs.writeShellScriptBin "init-screens-max" (build_screen_def fps_max);
init_screens_auto = pkgs.writeShellScriptBin "init-screens-auto" "which run-on-ac && which run-on-bat && run-on-ac ${getExe init_screens_max_fps} && run-on-bat ${getExe init_screens_min_fps} || ${getExe init_screens_max_fps}";
in in
{ {
config = config =
let let
bar_conf_file = bar_conf_file =
if (lib.isPath cfg.sway.bar.config) then if (isPath sway.bar.config) then
cfg.sway.bar.config sway.bar.config
else else
pkgs.writers.writeJSON "config.json" cfg.sway.bar.config; pkgs.writers.writeJSON "config.json" sway.bar.config;
waybar_full = pkgs.writeShellScriptBin "waybar-full" ( waybar_full = writeShellScriptBin "waybar-full" (
(lib.getExe config.programs.waybar.package) (getExe config.programs.waybar.package)
+ (lib.optionalString (!isNull cfg.sway.bar.config) " -c ${bar_conf_file}") + (optionalString (!isNull sway.bar.config) " -c ${bar_conf_file}")
+ (lib.optionalString (!isNull cfg.sway.bar.style) " -s ${cfg.sway.bar.style}") + (optionalString (!isNull sway.bar.style) " -s ${sway.bar.style}")
); );
bar_config = '' bar_config = ''
@ -104,14 +120,7 @@ in
} }
''; '';
dbus-sway-environment = pkgs.writeShellScriptBin "dbus-sway-environment" ''
dbus-update-activation-environment --systemd WAYLAND_DISPLAY XDG_CURRENT_DESKTOP=sway
systemctl --user stop xdg-desktop-portal xdg-desktop-portal-wlr
systemctl --user start xdg-desktop-portal xdg-desktop-portal-wlr
'';
build_conf = build_conf =
with lib;
sway_conf: sway_conf:
let let
build_definition_lines = mapAttrsToList (name: value: "set \$${name} ${value}"); build_definition_lines = mapAttrsToList (name: value: "set \$${name} ${value}");
@ -127,37 +136,35 @@ in
[ ] [ ]
++ (build_definition_lines sway_conf.definitions) ++ (build_definition_lines sway_conf.definitions)
++ (build_keybind_lines sway_conf.keybinds) ++ (build_keybind_lines sway_conf.keybinds)
++ (build_exec_lines "exec" sway_conf.autolaunch)
++ (build_exec_lines "exec_always" sway_conf.execAlways) ++ (build_exec_lines "exec_always" sway_conf.execAlways)
++ (build_exec_lines "exec" sway_conf.autolaunch)
++ (build_mode_lines sway_conf.modes) ++ (build_mode_lines sway_conf.modes)
++ optional (sway_conf.extraConfig != "") sway_conf.extraConfig ++ optional (sway_conf.extraConfig != "") sway_conf.extraConfig
); );
sway_conf = lib.concatLines ( sway_conf = concatLines (
(build_conf cfg.sway.config) (optional sway.bar.enable bar_config)
++ lib.optional cfg.sway.bar.enable bar_config ++ (build_conf sway.config)
++ (lib.mapAttrsToList ( ++ (mapAttrsToList (
name: value: name: value:
"output ${value.id} mode ${value.mode}" "output ${value.id} mode ${value.mode}"
+ (lib.optionalString (value.pos != null) " position ${value.pos}") + (optionalString (value.pos != null) " position ${value.pos}")
) cfg.screens) ) screens)
++ (singleton "include /etc/sway/config.d/*")
); );
conf_path = "sway.conf"; conf_path = "sway.conf";
in in
with cfg; mkIf (enable && sway.enable) {
lib.mkIf (enable && sway.enable) { environment.etc."sway/config".source = lib.mkForce (pkgs.writeText conf_path sway_conf);
environment.etc."${conf_path}".text = sway_conf;
grimmShared.sway.config.execAlways = [ grimmShared.sway.config.execAlways = [
dbus-sway-environment
init_screens_auto init_screens_auto
]; ];
environment.systemPackages = environment.systemPackages =
[ [
waybar_full waybar_full
dbus-sway-environment
init_screens_min_fps init_screens_min_fps
init_screens_max_fps init_screens_max_fps
init_screens_auto init_screens_auto
@ -174,22 +181,25 @@ in
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";
script = '' script = ''
for pid in $(${pkgs.procps}/bin/pgrep sway -x) for pid in $(${getExe' pkgs.procps "pgrep"} sway -x)
do do
uid=$(id -u $(${pkgs.procps}/bin/ps -o user= -p $pid)) uid=$(id -u $(${getExe' pkgs.procps "ps"} -o user= -p $pid))
export SWAYSOCK="/run/user/$uid/sway-ipc.$uid.$pid.sock" export SWAYSOCK="/run/user/$uid/sway-ipc.$uid.$pid.sock"
if [[ -e "$SWAYSOCK" ]] ; then if [[ -e "$SWAYSOCK" ]] ; then
echo "sock is $SWAYSOCK" echo "sock is $SWAYSOCK"
${config.programs.sway.package}/bin/swaymsg reload ${getExe' config.programs.sway.package "swaymsg"} reload
fi fi
done done
rm -rf /home/*/.cache/rmenu rm -rf /home/*/.cache/rmenu
''; '';
reloadTriggers = [ config.environment.etc."${conf_path}".source ]; reloadTriggers = [
# config.environment.etc."${conf_path}".source
config.environment.etc."sway/config".source
];
}; };
programs.waybar.enable = true; # programs.waybar.enable = true;
programs.dconf.enable = true; programs.dconf.enable = true;
@ -202,7 +212,7 @@ in
}; };
extraPackages = with pkgs; [ extraPackages = with pkgs; [
swaylock # swaylock
swayidle swayidle
wl-clipboard wl-clipboard
wf-recorder wf-recorder
@ -210,10 +220,6 @@ in
wmenu wmenu
waybar-mpris waybar-mpris
]; ];
extraOptions = [
"--config"
"/etc/${conf_path}"
];
extraSessionCommands = '' extraSessionCommands = ''
# source /etc/profile # source /etc/profile
# test -f $HOME/.profile && source $HOME/.profile # test -f $HOME/.profile && source $HOME/.profile
@ -232,7 +238,7 @@ in
}; };
}; };
options.grimmShared.sway = with lib; { options.grimmShared.sway = {
enable = mkEnableOption "grimm-sway"; enable = mkEnableOption "grimm-sway";
bar = { bar = {

113
common/hardware/laptop.nix
View file

@ -5,85 +5,52 @@
... ...
}: }:
let let
cfg = config.grimmShared; inherit (config.grimmShared) enable laptop_hardware graphical;
in in
{ {
config = config = lib.mkIf (enable && laptop_hardware.enable) {
with cfg; environment.systemPackages =
lib.mkIf (enable && laptop_hardware.enable) { with pkgs;
environment.systemPackages = [
with pkgs; lm_sensors
[ lshw
lm_sensors pciutils
lshw usbutils
pciutils ddcutil
usbutils python312Packages.py-cpuinfo
ddcutil (writeShellScriptBin "lsiommu" ./lsiommu)
python312Packages.py-cpuinfo ]
(writeShellScriptBin "lsiommu" ./lsiommu) ++ lib.optionals graphical [
] opentabletdriver
++ lib.optionals graphical [ ddcui
opentabletdriver wootility
ddcui ];
wootility
];
hardware.i2c.enable = true; services.udev.packages = with pkgs; [ yubikey-personalization ];
services.libinput.enable = true; boot.bcache.enable = false;
hardware.opentabletdriver.enable = true;
services.udisks2.enable = true;
services.udev.extraRules = '' services.libinput.enable = true;
SUBSYSTEM=="i2c-dev", ACTION=="add",\
ATTR{name}=="NVIDIA i2c adapter*",\ # hardware.opentabletdriver.enable = true;
TAG+="ddcci",\ # systemd.user.services.opentabletdriver.after = [ "local-fs.target" ];
TAG+="systemd",\
ENV{SYSTEMD_WANTS}+="ddcci@$kernel.service"
'';
systemd.services."ddcci@" = { services.udisks2.enable = true;
scriptArgs = "%i"; boot = {
script = '' kernelParams = [
sleep 20 "nohibernate"
echo Trying to attach ddcci to $1 ];
i=0 loader.efi.canTouchEfiVariables = true;
id=$(echo $1 | cut -d "-" -f 2) initrd.availableKernelModules = [
if ${pkgs.ddcutil}/bin/ddcutil getvcp 10 -b $id; then "xhci_pci"
echo ddcci 0x37 > /sys/bus/i2c/devices/$1/new_device "ahci"
fi "nvme"
''; "usbhid"
serviceConfig.Type = "oneshot"; "usb_storage"
}; "sd_mod"
];
boot = { loader.systemd-boot.enable = true;
kernelParams = [ "quiet" ];
loader.efi.canTouchEfiVariables = true;
initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
];
loader.systemd-boot.enable = true;
extraModulePackages = [
(config.boot.kernelPackages.ddcci-driver.overrideAttrs (old: {
patches = [
(pkgs.fetchpatch {
url = "https://gitlab.com/Sweenu/ddcci-driver-linux/-/commit/7f851f5fb8fbcd7b3a93aaedff90b27124e17a7e.patch";
hash = "sha256-Y1ktYaJTd9DtT/mwDqtjt/YasW9cVm0wI43wsQhl7Bg=";
})
];
}))
];
kernelModules = [
"ddcci_backlight"
"i2c-dev"
"ec_sys"
];
};
}; };
};
options.grimmShared.laptop_hardware = { options.grimmShared.laptop_hardware = {
enable = lib.mkEnableOption "grimm-laptop"; enable = lib.mkEnableOption "grimm-laptop";

143
common/hardware/tlp.nix
View file

@ -6,34 +6,40 @@
... ...
}: }:
let let
cfg = config.grimmShared;
inherit (lib) inherit (lib)
optionals optionals
optional optional
optionalString
concatLines concatLines
getExe getExe
getExe'
elem
mkIf
;
inherit (pkgs) writeShellScriptBin tlp tlpui;
inherit (config.grimmShared)
enable
laptop_hardware
graphical
sway
; ;
inherit (config.boot.kernelPackages) x86_energy_perf_policy cpupower; inherit (config.boot.kernelPackages) x86_energy_perf_policy cpupower;
enable_perf_policy = (lib.elem system x86_energy_perf_policy.meta.platforms); enable_perf_policy = false; # (elem system x86_energy_perf_policy.meta.platforms);
powersave = powersave = writeShellScriptBin "powersave-mode" (
with pkgs; concatLines (
writeShellScriptBin "powersave-mode" ( [
concatLines ( "${getExe cpupower} frequency-set -g powersave -u 2000000" # clock speed
[ "${getExe pkgs.brightnessctl} s 20%" # display brightness
"${getExe cpupower} frequency-set -g powersave -u 2000000" # clock speed ]
"${getExe pkgs.brightnessctl} s 20%" # display brightness ++ optionals enable_perf_policy [
] "${getExe x86_energy_perf_policy} 15" # power save preference
++ optionals enable_perf_policy [ "${getExe x86_energy_perf_policy} --turbo-enable 0" # disable turbo
"${getExe x86_energy_perf_policy} 15" # power save preference ]
"${getExe x86_energy_perf_policy} --turbo-enable 0" # disable turbo ++ optional sway.enable "init-screens-min"
] )
++ optional cfg.sway.enable "init-screens-min" );
)
);
performance = pkgs.writeShellScriptBin "performance-mode" ( performance = writeShellScriptBin "performance-mode" (
concatLines ( concatLines (
[ [
"${getExe cpupower} frequency-set frequency-set -g performance -u 5000000" # clock speed "${getExe cpupower} frequency-set frequency-set -g performance -u 5000000" # clock speed
@ -43,66 +49,61 @@ let
"${getExe x86_energy_perf_policy} 0" # performance preference "${getExe x86_energy_perf_policy} 0" # performance preference
"${getExe x86_energy_perf_policy} --turbo-enable 1" # enable turbo "${getExe x86_energy_perf_policy} --turbo-enable 1" # enable turbo
] ]
++ optional cfg.sway.enable "init-screens-max" ++ optional sway.enable "init-screens-max"
) )
); );
auto = auto = writeShellScriptBin "auto-mode" ''
let ${getExe' tlp "run-on-ac"} ${getExe performance}
inherit (pkgs) tlp; ${getExe' tlp "run-on-bat"} ${getExe powersave}
in '';
pkgs.writeShellScriptBin "auto-mode" ''
${tlp}/bin/run-on-ac ${getExe performance}
${tlp}/bin/run-on-bat ${getExe powersave}
'';
in in
{ {
config = config = mkIf (enable && laptop_hardware.enable) {
with cfg; environment.systemPackages =
lib.mkIf (enable && laptop_hardware.enable) { (with pkgs; [
environment.systemPackages = acpi
with pkgs; powertop
[ brightnessctl
acpi ])
powertop ++ [
brightnessctl cpupower
cpupower powersave
powersave performance
performance auto
auto ]
] ++ optionals graphical [ tlpui ]
++ optionals graphical [ tlpui ] ++ optional enable_perf_policy x86_energy_perf_policy;
++ optional enable_perf_policy x86_energy_perf_policy;
services.acpid = { services.acpid = {
enable = true; enable = true;
acEventCommands = getExe auto; acEventCommands = getExe auto;
}; };
powerManagement.scsiLinkPolicy = lib.mkIf (!config.services.tlp.enable) "min_power"; powerManagement.scsiLinkPolicy = lib.mkIf (!config.services.tlp.enable) "min_power";
powerManagement.cpuFreqGovernor = lib.mkDefault "normal"; # powerManagement.cpuFreqGovernor = lib.mkDefault "normal";
services.power-profiles-daemon.enable = false; services.power-profiles-daemon.enable = false;
services.upower.enable = true; services.upower.enable = true;
boot.extraModulePackages = [ cpupower ] ++ optional enable_perf_policy x86_energy_perf_policy; boot.extraModulePackages = [ cpupower ] ++ optional enable_perf_policy x86_energy_perf_policy;
services.tlp = { services.tlp = {
enable = true; enable = true;
settings = { settings = {
USB_AUTOSUSPEND = 1; USB_AUTOSUSPEND = 1;
USB_EXCLUDE_BTUSB = 1; USB_EXCLUDE_BTUSB = 1;
USB_EXCLUDE_PHONE = 1; USB_EXCLUDE_PHONE = 1;
SOUND_POWER_SAVE_ON_AC = 0; SOUND_POWER_SAVE_ON_AC = 0;
SOUND_POWER_SAVE_ON_BAT = 1; SOUND_POWER_SAVE_ON_BAT = 1;
SATA_LINKPWR_ON_AC = "max_performance"; SATA_LINKPWR_ON_AC = "max_performance";
SATA_LINKPWR_ON_BAT = "min_power"; SATA_LINKPWR_ON_BAT = "min_power";
MAX_LOST_WORK_SECS_ON_BAT = 15; MAX_LOST_WORK_SECS_ON_BAT = 15;
CPU_ENERGY_PERF_POLICY_ON_AC = "performance"; CPU_ENERGY_PERF_POLICY_ON_AC = "performance";
CPU_ENERGY_PERF_POLICY_ON_BAT = "power"; CPU_ENERGY_PERF_POLICY_ON_BAT = "power";
CPU_BOOST_ON_AC = 1; CPU_BOOST_ON_AC = 1;
CPU_BOOST_ON_BAT = 0; CPU_BOOST_ON_BAT = 0;
RUNTIME_PM_ON_AC = "on"; RUNTIME_PM_ON_AC = "on";
RUNTIME_PM_ON_BAT = "auto"; RUNTIME_PM_ON_BAT = "auto";
};
}; };
}; };
};
} }

48
common/localisation.nix
View file

@ -1,35 +1,33 @@
{ config, lib, ... }: { config, lib, ... }:
let let
cfg = config.grimmShared; inherit (config.grimmShared) enable locale;
in in
{ {
config = config = lib.mkIf (enable && locale) {
with cfg; time.timeZone = "Europe/Berlin";
lib.mkIf (enable && locale) {
time.timeZone = "Europe/Berlin";
# Select internationalisation properties. # Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8"; i18n.defaultLocale = "en_US.UTF-8";
i18n.extraLocaleSettings = { i18n.extraLocaleSettings = {
LC_ADDRESS = "de_DE.UTF-8"; LC_ADDRESS = "de_DE.UTF-8";
LC_IDENTIFICATION = "de_DE.UTF-8"; LC_IDENTIFICATION = "de_DE.UTF-8";
LC_MEASUREMENT = "de_DE.UTF-8"; LC_MEASUREMENT = "de_DE.UTF-8";
LC_MONETARY = "de_DE.UTF-8"; LC_MONETARY = "de_DE.UTF-8";
LC_NAME = "de_DE.UTF-8"; LC_NAME = "de_DE.UTF-8";
LC_NUMERIC = "de_DE.UTF-8"; LC_NUMERIC = "de_DE.UTF-8";
LC_PAPER = "de_DE.UTF-8"; LC_PAPER = "de_DE.UTF-8";
LC_TELEPHONE = "de_DE.UTF-8"; LC_TELEPHONE = "de_DE.UTF-8";
LC_TIME = "de_DE.UTF-8"; LC_TIME = "de_DE.UTF-8";
};
console.keyMap = "de";
services.xserver.xkb = {
layout = "de";
variant = "";
};
}; };
console.keyMap = "de";
services.xserver.xkb = {
layout = "de";
variant = "";
};
};
options.grimmShared.locale = lib.mkEnableOption "Sets german units but english language"; options.grimmShared.locale = lib.mkEnableOption "Sets german units but english language";
} }

27
common/network/bluetooth.nix
View file

@ -5,24 +5,17 @@
... ...
}: }:
let let
cfg = config.grimmShared; inherit (config.grimmShared)
enable
network
graphical
sound
;
in in
{ {
config = config = lib.mkIf (enable && network && config.hardware.bluetooth.enable) {
with cfg; services.blueman.enable = lib.mkIf graphical true;
lib.mkIf (enable && network && config.hardware.bluetooth.enable) {
services.blueman.enable = lib.mkIf graphical true;
environment.systemPackages = with pkgs; [ bluetuith ] ++ lib.optional sound.enable pkgs.bluez; environment.systemPackages = [ pkgs.bluetuith ] ++ lib.optional sound.enable pkgs.bluez;
};
systemd.user.services.mpris-proxy = lib.mkIf sound.enable {
description = "Mpris proxy";
after = [
"network.target"
"sound.target"
];
wantedBy = [ "default.target" ];
serviceConfig.ExecStart = "${pkgs.bluez}/bin/mpris-proxy";
};
};
} }

46
common/network/default.nix
View file

@ -5,27 +5,37 @@
... ...
}: }:
let let
cfg = config.grimmShared; inherit (config.grimmShared) enable network laptop_hardware;
in in
{ {
config = config = lib.mkIf (enable && network) {
with cfg; networking.networkmanager = {
lib.mkIf (enable && network) { enable = true;
networking.networkmanager.enable = true; plugins = with pkgs; [ networkmanager-openvpn ];
networking.useDHCP = lib.mkDefault true;
hardware.bluetooth.enable = lib.mkDefault laptop_hardware.enable;
environment.systemPackages = with pkgs; [
wireguard-tools
openconnect
];
networking.firewall = {
enable = true;
allowPing = true;
};
}; };
networking.useDHCP = lib.mkDefault true;
hardware.bluetooth.enable = lib.mkDefault laptop_hardware.enable;
environment.systemPackages = with pkgs; [
wireguard-tools
openconnect
];
users.users.nscd.uid = 997;
networking.firewall = {
enable = true;
allowPing = true;
};
networking.nameservers = [
"1.1.1.1"
"9.9.9.9"
];
environment.etc."NetworkManager/certs/telekom-root.crt".source = ./telekom-root.crt;
};
imports = [ ./bluetooth.nix ]; imports = [ ./bluetooth.nix ];

BIN
common/network/telekom-root.crt Normal file
View file

Binary file not shown.

44
common/printing.nix
View file

@ -5,33 +5,27 @@
... ...
}: }:
let let
cfg = config.grimmShared; inherit (config.grimmShared) enable graphical;
in in
{ {
config = config = lib.mkIf (enable && config.services.printing.enable) {
with cfg; services.printing.drivers = with pkgs; [
lib.mkIf (enable && printing) { # brgenml1lpr
# Enable CUPS to print documents. # brgenml1cupswrapper
services.printing.enable = true; ];
services.printing.drivers = with pkgs; [ services.avahi = {
brgenml1lpr # enable = true;
brgenml1cupswrapper nssmdns4 = true;
]; openFirewall = true;
services.avahi = {
enable = true;
nssmdns4 = true;
openFirewall = true;
};
services.printing.cups-pdf.enable = true;
hardware.sane.brscan4.enable = true; # enables support for SANE scanners
environment.systemPackages =
with pkgs;
(lib.optionals cfg.graphical [
kdePackages.skanpage
# libsForQt5.skanpage
]);
}; };
# services.printing.cups-pdf.enable = true;
hardware.sane.brscan4.enable = true; # enables support for SANE scanners
options.grimmShared.printing = lib.mkEnableOption "Enables print and scan related options"; environment.systemPackages = (
lib.optionals graphical [
pkgs.kdePackages.skanpage
# libsForQt5.skanpage
]
);
};
} }

39
common/sound/default.nix
View file

@ -5,32 +5,29 @@
... ...
}: }:
let let
cfg = config.grimmShared; inherit (config.grimmShared) enable sound;
in in
{ {
config = config = lib.mkIf (enable && sound.enable) {
with cfg; services.pulseaudio.enable = false;
lib.mkIf (enable && sound.enable) {
sound.enable = true;
hardware.pulseaudio.enable = false;
services.pipewire = { services.pipewire = {
enable = true; enable = true;
alsa.enable = true; alsa.enable = true;
alsa.support32Bit = true; alsa.support32Bit = true;
pulse.enable = true; pulse.enable = true;
jack.enable = true; # osu uses jack jack.enable = true; # osu uses jack
lowLatency.enable = true; lowLatency.enable = true;
};
environment.systemPackages = with pkgs; [
pwvucontrol
playerctl
openal
pulseaudio
];
}; };
environment.systemPackages = with pkgs; [
pwvucontrol
playerctl
openal
pulseaudio
];
};
imports = [ imports = [
./spotify.nix ./spotify.nix
./midi.nix ./midi.nix

20
common/sound/midi.nix
View file

@ -5,24 +5,24 @@
... ...
}: }:
let let
cfg = config.grimmShared;
sound_font = pkgs.soundfont-fluid; sound_font = pkgs.soundfont-fluid;
inherit (config.grimmShared) enable sound;
in in
{ {
config = config = lib.mkIf (enable && sound.midi) {
with cfg; environment.systemPackages =
lib.mkIf (enable && sound.midi) { (with pkgs; [
environment.systemPackages = with pkgs; [
mpv mpv
timidity timidity
ffmpeg-full ffmpeg-full
sound_font ])
]; ++ [ sound_font ];
environment.pathsToLink = [ "/share/soundfonts" ]; environment.pathsToLink = [ "/share/soundfonts" ];
environment.etc."timidity/timidity.cfg".text = "soundfont ${sound_font}/share/soundfonts/FluidR3_GM2-2.sf2"; environment.etc."timidity/timidity.cfg".text =
}; "soundfont ${sound_font}/share/soundfonts/FluidR3_GM2-2.sf2";
};
options.grimmShared.sound.midi = lib.mkEnableOption "enable midi"; options.grimmShared.sound.midi = lib.mkEnableOption "enable midi";
} }

18
common/sound/spotify.nix
View file

@ -5,23 +5,21 @@
... ...
}: }:
let let
cfg = config.grimmShared; inherit (config.grimmShared) enable spotify graphical;
in in
{ {
config = config = lib.mkIf (enable && spotify.enable) {
with cfg; environment.systemPackages = [ pkgs.ncspot ] ++ lib.optional graphical pkgs.spotify;
lib.mkIf (enable && spotify.enable) {
environment.systemPackages = [ pkgs.ncspot ] ++ lib.optional graphical pkgs.spotify;
grimmShared = { grimmShared = {
sound.enable = true; sound.enable = true;
network = true; network = true;
};
}; };
};
options.grimmShared.spotify = { options.grimmShared.spotify = {
enable = lib.mkEnableOption "grimm-spotify"; enable = lib.mkEnableOption "grimm-spotify";
}; };
imports = [ ./spotifyd.nix ]; # imports = [ ./spotifyd.nix ];
} }

139
common/sound/spotifyd.nix
View file

@ -6,7 +6,7 @@
}: }:
let let
spotifyd_cache_dir = "/tmp/spotifyd"; spotifyd_cache_dir = "/tmp/spotifyd";
cfg = config.grimmShared; inherit (config.grimmShared) enable spotify;
spotifyd-dbus = pkgs.writeTextDir "share/dbus-1/system.d/org.mpris.MediaPlayer2.spotifyd.conf" '' spotifyd-dbus = pkgs.writeTextDir "share/dbus-1/system.d/org.mpris.MediaPlayer2.spotifyd.conf" ''
<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- --> <?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
@ -27,77 +27,80 @@ let
''; '';
in in
{ {
config = config = lib.mkIf (enable && spotify.spotifyd.enable) {
with cfg; environment.systemPackages = [
lib.mkIf (enable && spotify.spotifyd.enable) { pkgs.spotifyd
environment.systemPackages = with pkgs; [ spotifyd-dbus
spotifyd ];
spotifyd-dbus
];
systemd.services.init-spotifyd-cache-dir = { systemd.services.init-spotifyd-cache-dir = {
description = "Create the spotifyd cache dir"; description = "Create the spotifyd cache dir";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";
script = '' script = ''
mkdir -p ${spotifyd_cache_dir} mkdir -p ${spotifyd_cache_dir}
chown spotifyd:spotifyd -R ${spotifyd_cache_dir} chown spotifyd:spotifyd -R ${spotifyd_cache_dir}
''; '';
};
grimmShared = {
sound.enable = true;
network = true;
};
services.pipewire.systemWide = true; # required for spotifyd as spotifyd runs as the spotifyd user
# spotifyd config
services.spotifyd = {
enable = true;
settings.global = {
bitrate = 320;
username = cfg.spotify.spotifyd.username;
device_name = "grimm_laptop";
password_cmd =
let
pass = cfg.spotify.spotifyd.pass;
in
with lib;
if (lib.isPath pass || lib.isString pass) then
"${pkgs.coreutils-full}/bin/cat ${pass}"
else
(getExe pass);
device_type = "computer";
dbus_type = "system";
device = "default";
control = "default";
volume_controller = "softvol";
# no_audio_cache = true;
spotifyd_cache_dir = spotifyd_cache_dir;
max_cache_size = 10000000000;
initial_volume = "90";
backend = "alsa"; # fixme
};
};
services.dbus.packages = with pkgs; [ spotifyd-dbus ];
# spotifyd has access to global pipewire
users.users.spotifyd = {
isSystemUser = true;
group = "spotifyd";
extraGroups = [
"audio"
"pipewire"
];
};
# spotifyd is also a group
users.groups.spotifyd = { };
}; };
grimmShared = {
sound.enable = true;
network = true;
};
services.pipewire.systemWide = true; # required for spotifyd as spotifyd runs as the spotifyd user
# spotifyd config
services.spotifyd = {
enable = true;
settings.global = {
bitrate = 320;
username = spotify.spotifyd.username;
device_name = "grimm_laptop";
password_cmd =
let
pass = spotify.spotifyd.pass;
inherit (lib)
isPath
isString
getExe
getExe'
;
in
if (isPath pass || isString pass) then
"${getExe' pkgs.coreutils-full "cat"} ${pass}"
else
(getExe pass);
device_type = "computer";
dbus_type = "system";
device = "default";
control = "default";
volume_controller = "softvol";
# no_audio_cache = true;
spotifyd_cache_dir = spotifyd_cache_dir;
max_cache_size = 10000000000;
initial_volume = "90";
backend = "alsa"; # fixme
};
};
services.dbus.packages = [ spotifyd-dbus ];
# spotifyd has access to global pipewire
users.users.spotifyd = {
isSystemUser = true;
group = "spotifyd";
extraGroups = [
"audio"
"pipewire"
];
};
# spotifyd is also a group
users.groups.spotifyd = { };
};
options.grimmShared.spotify.spotifyd = with lib; { options.grimmShared.spotify.spotifyd = with lib; {
enable = mkEnableOption "grimm-spotify-tui"; enable = mkEnableOption "grimm-spotify-tui";

68
common/tooling/c.nix Normal file
View file

@ -0,0 +1,68 @@
{
pkgs,
config,
lib,
...
}:
let
lang_support_id = "c";
inherit (config.grimmShared) enable tooling graphical;
inherit (lib)
optionals
mkIf
getExe'
types
mkOption
elem
;
in
{
config = mkIf (enable && tooling.enable && (elem lang_support_id tooling.supportedLangs)) {
environment.systemPackages =
with pkgs;
[
util-linux
linuxPackages.perf
pkg-config
glib
glibc
clang
clang-tools
cmake
stdman
valgrind
]
++ optionals graphical [
libva-utils
jetbrains.clion
];
environment.sessionVariables.CMAKE_EXPORT_COMPILE_COMMANDS = "1";
grimmShared.tooling.lang_servers = [
{
lsp = {
package = pkgs.clang-tools;
};
fmt = rec {
package = pkgs.clang-tools;
command = getExe' package "clang-format";
includes = [
"*.c"
"*.h"
"*.cpp"
"*.hpp"
];
};
}
{
lsp = {
package = pkgs.cmake-language-server;
};
}
];
};
options.grimmShared.tooling.supportedLangs = mkOption {
type = types.listOf (types.enum [ lang_support_id ]);
};
}

235
common/tooling/default.nix
View file

@ -5,180 +5,101 @@
... ...
}: }:
let let
cfg = config.grimmShared; inherit (config.grimmShared) enable tooling graphical;
inherit (lib)
mkEnableOption
getExe
optionals
mkIf
;
in in
{ {
imports = [ imports = [
./lilypond.nix # ./lilypond.nix
./nix.nix ./nix.nix
./security.nix
./python.nix ./python.nix
./rust.nix
./lsp.nix
./git.nix
# ./wine.nix
./c.nix
./java.nix
./ranger.nix
./nix-index.nix
# ./defaultProtectHome.nix
]; ];
config = config = mkIf (enable && tooling.enable) {
with cfg; environment.systemPackages =
lib.mkIf (enable && tooling.enable) { with pkgs;
environment.systemPackages = [
with pkgs; (writeShellScriptBin "systemd-owner" "systemctl show -pUser,UID $@")
[ (writeShellScriptBin "tree" "${getExe eza} -T --git -lh --no-permissions --no-user --no-filesize --no-time")
(writeShellScriptBin "systemd-owner" "systemctl show -pUser,UID $@") (writeShellScriptBin "spawn" ''exec "$@" &> /dev/null &'')
(writeShellScriptBin "tree" "${lib.getExe pkgs.eza} -T --git -lh --no-permissions --no-user --no-filesize --no-time")
(writeShellScriptBin "spawn" ''exec "$@" &> /dev/null &'')
(writeShellScriptBin "silent-add" "git add --intent-to-add $@ ; git update-index --assume-unchanged $@")
urlencode urlencode
pstree wget
dos2unix bat
treefmt fastfetch
file
wget
hyfetch
util-linux
btop
neovim-remote
linuxPackages.perf
eza
gcc eza
jdk17 starship
pkg-config fd
unzip ripgrep
p7zip file
pstree
rfindup
btop
tea unzip
fbcat
fbcat expect
gomuks gptfdisk
ranger qrencode
visualvm man-pages
imagemagick man-pages-posix
nmap
parted undollar
glib openssl
glibc android-tools
expect ]
] ++ optionals graphical [
++ lib.optionals cfg.graphical [ wev
wev k4dirstat
qdirstat libva-utils
libva-utils gparted
gparted bottles
jetbrains.clion wlvncc
jetbrains.idea-community
];
programs.git = {
enable = true;
lfs.enable = true;
config = {
init.defaultBranch = "main";
credential.username = cfg.tooling.git_user;
core.editor = lib.getExe pkgs.neovim;
user.name = cfg.tooling.git_user;
user.email = cfg.tooling.git_email;
push.autoSetupRemote = true;
core.autocrlf = "input";
commit.gpgsign = true;
pull.rebase = true;
alias = {
pfusch = "push --force-with-lease --force-if-includes";
fuck = "reset HEAD~1";
fixup = "commit --fixup";
};
};
};
environment.shellAliases = {
":q" = "exit";
"ls" = "eza";
"lix" = "nix";
};
programs.tmux = {
enable = true;
historyLimit = 42000;
#keyMode = "vi";
};
# virtualisation.docker.enable = true;
# services.dbus.implementation = "broker";
grimmShared.tooling.nvim.plugins = with pkgs.vimPlugins; [
vim-scala
fugitive
]; ];
boot.tmp.cleanOnBoot = true; environment.sessionVariables = {
zramSwap.enable = true; MANPAGER = "sh -c 'col -bx | ${getExe pkgs.bat} -l man -p'";
MANROFFOPT = "-c";
programs.neovim = { SYSTEMD_PAGER = getExe pkgs.bat;
enable = true; SYSTEMD_PAGERSECURE = "true";
viAlias = true;
defaultEditor = true;
configure = {
customRC =
let
luarc = pkgs.writeText "init.lua" (lib.concatLines tooling.nvim.extraLuaRC);
in
''
set number
set hidden
set fileencodings=utf-8
set nocompatible
set clipboard+=unnamedplus
set ff=unix
luafile ${luarc}
if filereadable($HOME . "/.vimrc")
source ~/.vimrc
endif
'';
packages.myVimPackage = {
start = tooling.nvim.plugins;
opt = [ ];
};
};
};
programs.ssh = {
startAgent = true;
enableAskPassword = graphical;
askPassword = lib.mkIf graphical (lib.getExe pkgs.lxqt.lxqt-openssh-askpass);
};
programs.thefuck.enable = true;
}; };
options.grimmShared.tooling = with lib; { programs.command-not-found.enable = true;
documentation.dev.enable = true;
# virtualisation.docker.enable = true;
services.dbus.implementation = "broker";
boot.tmp.cleanOnBoot = true;
# zramSwap.enable = false;
services.udev.packages = [
pkgs.android-udev-rules
];
programs.adb.enable = true;
};
options.grimmShared.tooling = {
enable = mkEnableOption "grimm-tooling"; enable = mkEnableOption "grimm-tooling";
nvim = {
plugins = mkOption {
type = types.listOf types.package;
default = [ ];
description = "Extra vim plugins to include";
};
extraLuaRC = mkOption {
type = types.listOf types.nonEmptyStr;
default = [ ];
description = "Extra init LUA scripts";
};
};
git_user = mkOption {
type = types.str;
default = "Grimmauld";
description = "Username for git to use";
};
git_email = mkOption {
type = types.str;
default = "${config.grimmShared.tooling.git_user}@grimmauld.de";
description = "Email for git to use";
};
}; };
} }

93
common/tooling/git.nix Normal file
View file

@ -0,0 +1,93 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared) enable tooling;
inherit (lib)
mkOption
types
getExe
mkIf
;
inherit (builtins) toString readFile;
in
{
config = mkIf (enable && tooling.enable) {
environment.systemPackages = [
(pkgs.writeShellScriptBin "silent-add" "${getExe config.programs.git.package} add --intent-to-add $@ ; ${getExe config.programs.git.package} update-index --assume-unchanged $@")
pkgs.urlencode
pkgs.tea
pkgs.delta
pkgs.gh
];
programs.git = {
enable = true;
lfs.enable = true;
config =
let
key_file = ../../ssh/id_ed25519_sk.pub;
allowed_signers_file = pkgs.writeText "allowed_signers" ''${tooling.git_email} namespaces="git" ${readFile key_file}'';
in
{
init.defaultBranch = "main";
credential.username = tooling.git_user;
gpg.format = "ssh";
user.signingkey = toString key_file;
gpg.ssh.allowedSignersFile = toString allowed_signers_file;
user.name = tooling.git_user;
user.email = tooling.git_email;
push.autoSetupRemote = true;
core.autocrlf = "input";
commit.gpgsign = true;
safe.directory = "/etc/nixos";
core.excludesfile = (
pkgs.writeText ".gitignore" ''
.idea
.obsidian
*~
result
''
);
pull.rebase = false;
include.path = "${pkgs.delta.src}/themes.gitconfig";
core.pager = "delta";
interactive.diffFilter = "delta --color-only";
delta = {
navigate = true;
features = "mantis-shrimp";
};
merge.conflictstyle = "diff3";
diff.colorMoved = "default";
alias = {
pfusch = "push --force-with-lease --force-if-includes";
fuck = "reset HEAD~1";
fixup = "commit --fixup";
};
};
};
};
options.grimmShared.tooling = {
git_user = mkOption {
type = types.str;
default = "Grimmauld";
description = "Username for git to use";
};
git_email = mkOption {
type = types.str;
default = "${config.grimmShared.tooling.git_user}@grimmauld.de";
description = "Email for git to use";
};
};
}

77
common/tooling/helix.nix Normal file
View file

@ -0,0 +1,77 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared) enable tooling;
inherit (lib)
mkOption
types
getExe
getExe'
mkIf
;
inherit (pkgs)
helix
symlinkJoin
writeTextDir
concatTextFile
makeWrapper
;
inherit (pkgs.writers) writeTOML;
conf-file-name = "config.toml";
lang-file-name = "languages.toml";
helix-conf = symlinkJoin {
name = "helix-conf";
paths = [
(concatTextFile {
name = "helix-conf-partial";
destination = "/${conf-file-name}";
files = [ (writeTOML conf-file-name config.programs.helix.config) ];
})
(writeTextDir lang-file-name ''
[[language]]
language-servers = ["nixd"]
name = "nix"
[language-server.nixd]
command = "${getExe pkgs.nixd}"
'')
];
};
helix-wrapped = pkgs.symlinkJoin {
name = helix.pname;
paths = [ helix ];
buildInputs = [ makeWrapper ];
postBuild = ''
wrapProgram $out/bin/${helix.meta.mainProgram} --add-flags "-c ${helix-conf}/${conf-file-name}"
'';
};
in
{
config = mkIf (enable && tooling.enable) {
environment.systemPackages = [ helix-wrapped ];
environment.sessionVariables.EDITOR = getExe' helix-wrapped "hx";
programs.helix.config = {
editor.cursor-shape.insert = "bar";
theme = "base16_transparent";
# editor.commands.git = ":sh git";
# keys.normal.Delete = "delete_selection";
};
};
options.programs.helix = {
config = mkOption {
type = types.attrs;
default = { };
description = "Helix configuration";
};
};
}

44
common/tooling/java.nix Normal file
View file

@ -0,0 +1,44 @@
{
pkgs,
config,
lib,
...
}:
let
lang_support_id = "java";
inherit (config.grimmShared) enable tooling graphical;
inherit (lib)
optionals
mkIf
types
mkOption
elem
;
in
{
config = mkIf (enable && tooling.enable && (elem lang_support_id tooling.supportedLangs)) {
environment.systemPackages = [
pkgs.jdk17
pkgs.visualvm
pkgs.gradle_7
] ++ optionals graphical [ pkgs.jetbrains.idea-community ];
environment.sessionVariables.JAVA_HOME = pkgs.jdk17.home;
grimmShared.tooling.lang_servers = [
{
lsp = {
package = pkgs.jdt-language-server;
};
fmt = {
package = pkgs.google-java-format;
includes = [ "*.java" ];
};
}
];
};
options.grimmShared.tooling.supportedLangs = mkOption {
type = types.listOf (types.enum [ lang_support_id ]);
};
}

84
common/tooling/lilypond.nix
View file

@ -5,49 +5,53 @@
... ...
}: }:
let let
cfg = config.grimmShared; inherit (config.grimmShared) enable tooling graphical;
inherit (lib)
getExe
optional
mkIf
optionalString
mkEnableOption
;
viewer_pkg = pkgs.zathura; viewer_pkg = pkgs.zathura;
viewer_def = lib.optionalString cfg.graphical ''pdf_viewer = "${lib.getExe pkgs.zathura}",''; viewer_def = optionalString graphical ''pdf_viewer = "${lib.getExe pkgs.zathura}",'';
in in
{ {
config = config = mkIf (enable && tooling.enable && tooling.lilypond) {
with cfg; environment.systemPackages = [ pkgs.lilypond-with-fonts ] ++ optional graphical viewer_pkg;
lib.mkIf (enable && tooling.enable && tooling.lilypond) { environment.sessionVariables = {
environment.systemPackages = LYEDITOR = "${getExe pkgs.neovim-remote} -s +:'dr %(file)s | call cursor(%(line)s,%(char)s+1)'";
with pkgs;
[ lilypond-with-fonts ] ++ lib.optional graphical viewer_pkg;
environment.sessionVariables = {
LYEDITOR = "${lib.getExe pkgs.neovim-remote} -s +:'dr %(file)s | call cursor(%(line)s,%(char)s+1)'";
};
grimmShared.sound.midi = true;
grimmShared.tooling.nvim = {
extraLuaRC = lib.singleton ''
require('nvls').setup({
lilypond = {
options = {
${viewer_def}
},
},
latex = {
options = {
${viewer_def}
},
},
player = {
options = {
fluidsynth_flags = {
"/run/current-system/sw/share/soundfonts/FluidR3_GM2-2.sf2"
}
}
}
})
'';
};
grimmShared.tooling.nvim.plugins = with pkgs.vimPlugins; [ nvim-lilypond-suite ];
}; };
options.grimmShared.tooling.lilypond = lib.mkEnableOption "enable lilypond tooling"; grimmShared.sound.midi = true;
grimmShared.tooling.nvim = {
extraLuaRC = lib.singleton ''
require('nvls').setup({
lilypond = {
options = {
${viewer_def}
},
},
latex = {
options = {
${viewer_def}
},
},
player = {
options = {
fluidsynth_flags = {
"/run/current-system/sw/share/soundfonts/FluidR3_GM2-2.sf2"
}
}
}
})
'';
};
grimmShared.tooling.nvim.plugins = with pkgs.vimPlugins; [ nvim-lilypond-suite ];
};
options.grimmShared.tooling.lilypond = mkEnableOption "enable lilypond tooling";
} }

113
common/tooling/lsp.nix Normal file
View file

@ -0,0 +1,113 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared) enable tooling;
inherit (lib)
mkOption
types
mkIf
getName
getExe
filter
optionalString
concatLines
;
conf_def =
fmt:
(
''
[formatter.${getName fmt.package}]
command = "${fmt.command}"
includes = ${builtins.toJSON fmt.includes}
''
+ (optionalString (fmt.options != [ ]) "options = ${builtins.toJSON fmt.options}\n")
);
treefmt_conf = pkgs.writeText "treefmt.toml" (
concatLines (map (v: (conf_def v.fmt)) (filter (v: !isNull v.fmt) tooling.lang_servers))
);
find_conf = pkgs.writeShellScriptBin "find-treefmt-conf" "(${getExe pkgs.rfindup} treefmt.toml -e 2>/dev/null || echo ${treefmt_conf}) | tr -d '\n'";
in
{
config = mkIf (enable && tooling.enable) {
environment.systemPackages =
[ pkgs.treefmt ]
++ (map (v: v.lsp.package) (filter (v: !isNull v.lsp) tooling.lang_servers))
++ (map (v: v.fmt.package) (filter (v: !isNull v.fmt) tooling.lang_servers));
environment.shellAliases."treefmt" = "${getExe pkgs.treefmt} --config-file $(${getExe find_conf})";
};
options.grimmShared.tooling = {
supportedLangs = mkOption {
type = types.listOf (types.enum [ ]);
default = [ ];
description = "Languages for which to enable support";
};
lang_servers = mkOption {
type = types.listOf (
types.submodule {
options = {
lsp = mkOption {
type = types.nullOr (
types.submodule (
{ config, ... }:
{
options = {
package = mkOption {
type = types.package;
default = null;
description = "LSP package";
};
};
}
)
);
};
fmt = mkOption {
default = null;
type = types.nullOr (
types.submodule (
{ config, ... }:
{
options = {
package = mkOption {
type = types.package;
description = "FMT package";
};
options = mkOption {
type = types.listOf types.nonEmptyStr;
default = [ ];
};
includes = mkOption {
type = types.listOf types.nonEmptyStr;
default = [ ];
};
command = mkOption {
type = types.nonEmptyStr;
default = getExe config.package;
};
};
}
)
);
};
};
}
);
default = { };
description = "Language servers available on the system";
};
};
}

79
common/tooling/nix-index.nix Normal file
View file

@ -0,0 +1,79 @@
{
pkgs,
lib,
config,
...
}:
let
db_path = "/var/nix-index/current";
mode = "755";
user = "nix-index";
in
{
users.users."${user}" = {
isSystemUser = true;
group = user;
};
users.groups."${user}" = { };
# programs.nix-index.enable = true;
# programs.nix-index.enableBashIntegration = true;
nix.settings.allowed-users = [ user ];
environment.systemPackages = with pkgs; [
nix-index
];
systemd.tmpfiles.rules = [
"d /var/nix-index 0${mode} ${user} ${user} 14d"
];
environment.sessionVariables.NIX_INDEX_DATABASE = db_path;
systemd.services.nix-index-update = {
description = "update nix-index database";
after = [
"network-online.target"
"nix-daemon.service"
];
wants = [
"network-online.target"
"nix-daemon.service"
];
serviceConfig = {
Type = "simple";
Nice = 19;
# UMask = mode;
# DynamicUser = true;
ReadWritePaths = "/var/nix-index/";
CacheDirectory = "index-cache";
User = user;
Group = user;
};
environment.NIX_PATH = lib.concatStringsSep ":" config.nix.nixPath;
script = ''
platform="$(uname -m | sed 's/^arm64$/aarch64/')-$(uname | tr "[:upper:]" "[:lower:]")"
path="/var/nix-index/index-$platform-$(date -I)"
mkdir -p "$path" -m ${mode}
XDG_CACHE_HOME=$CACHE_DIRECTORY ${lib.getExe' pkgs.nix-index "nix-index"} --show-trace -c 0 -s $platform --db "$path" || exit 1
rm -f ${db_path}
ln -s "$path" ${db_path}
# && chmod ${mode} ${db_path}
echo "link success"
'';
enable = true;
};
systemd.timers.nix-index-update = {
description = "regularly update nix-index database";
timerConfig.Persistent = true;
timerConfig.OnCalendar = "Mon *-*-* 00:00:00";
wantedBy = [
"multi-user.target"
"timers.target"
];
enable = true;
};
}

47
common/tooling/nix.nix
View file

@ -1,46 +1,73 @@
{ {
pkgs, pkgs,
config,
lib, lib,
inputs, inputs,
system,
... ...
}: }:
let
cfg = config.grimmShared;
in
{ {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
(writeShellScriptBin "nix-referrers" "nix-store --query --referrers $@") (writeShellScriptBin "nix-referrers" "nix-store --query --referrers $@")
(writeShellScriptBin "nixpkgs-review-head" "nixpkgs-review rev HEAD") (writeShellScriptBin "nixpkgs-review-head" "nixpkgs-review rev HEAD")
(writeShellScriptBin "rebuild" "bash -c \"nixos-rebuild switch |& nom\"")
nixpkgs-review nixpkgs-review
nixpkgs-fmt
nixfmt-rfc-style nixfmt-rfc-style
nixd nixd
nixpkgs-hammering nixpkgs-hammering
nix-output-monitor nix-output-monitor
nix-search-cli nix-search-cli
niv nix-update
# niv
nvd
vulnix vulnix
nix-init
# inputs.nixpkgs-update.packages."${system}".default
]; ];
environment.sessionVariables = lib.mkIf pkgs.config.allowUnfree { NIXPKGS_ALLOW_UNFREE = "1"; }; environment.sessionVariables =
(lib.mkIf pkgs.config.allowUnfree { NIXPKGS_ALLOW_UNFREE = "1"; })
// {
NH_NOM = 1;
};
grimmShared.tooling.nvim.plugins = with pkgs.vimPlugins; [ vim-nix ]; environment.shellAliases."rebuild" = "nixos-rebuild switch |& nom";
grimmShared.tooling.lang_servers = [
{
lsp.package = pkgs.nil;
fmt = {
package = pkgs.nixpkgs-fmt;
includes = [ "*.nix" ];
};
}
];
nix.settings = { nix.settings = {
experimental-features = [ experimental-features = [
"nix-command" "nix-command"
"flakes" "flakes"
"pipe-operator"
]; ];
warn-dirty = false; warn-dirty = false;
allowed-users = [
"@wheel"
"grimmauld"
];
}; };
programs.nh = {
enable = true;
# clean.enable = true;
clean.extraArgs = "--keep-since 14d --keep 16";
flake = "/etc/nixos";
};
nix.gc = { nix.gc = {
automatic = true; automatic = true;
dates = "weekly"; dates = "weekly";
options = "--delete-older-than 30d"; options = "--delete-older-than 30d";
}; };
# nix.package = pkgs.nixVersions.latest; # nix.package = pkgs.nixVersions.latest;
nix.optimise.automatic = true; # nix.optimise.automatic = true;
} }

83
common/tooling/python.nix
View file

@ -5,33 +5,70 @@
... ...
}: }:
let let
cfg = config.grimmShared; lang_support_id = "python";
inherit (config.grimmShared) enable tooling graphical;
pyLibs =
python-pkgs: with python-pkgs; [
requests
matplotlib
numpy
scipy
pygobject3
pandas
];
inherit (lib)
mkIf
types
mkOption
mapAttrsToList
concatLines
getExe
elem
;
in in
{ {
config = config = mkIf (enable && tooling.enable && (elem lang_support_id tooling.supportedLangs)) {
with cfg; environment.systemPackages = [
lib.mkIf (enable && tooling.enable) { (pkgs.python3.withPackages pyLibs)
environment.systemPackages = ]; # ++ lib.optionals graphical (with pkgs; [ jetbrains.pycharm-community ]);
with pkgs;
[ python3 ] ++ lib.optionals cfg.graphical [ jetbrains.pycharm-community ];
programs.xonsh = { programs.xonsh = {
enable = true; enable = true;
config = lib.concatLines ( config =
lib.mapAttrsToList ( (
name: value: ''aliases["${name}"] = "${value}"'' let
cfg = config.programs.starship;
settingsFormat = pkgs.formats.toml { };
settingsFile = settingsFormat.generate "starship.toml" cfg.settings;
in
''
$STARSHIP_CONFIG="${settingsFile}"
$SHELL="${getExe config.programs.xonsh.package}"
execx($(${getExe pkgs.starship} init xonsh))
''
)
+ concatLines (
mapAttrsToList (
name: value: "aliases[\"${name}\"] = '''${value}'''"
) config.environment.shellAliases ) config.environment.shellAliases
); );
package = pkgs.xonsh.override { package = pkgs.xonsh.override { extraPackages = pyLibs; };
extraPackages =
ps: with ps; [
requests
matplotlib
numpy
scipy
pygobject3
];
};
};
}; };
grimmShared.tooling.lang_servers = [
{
lsp.package = pkgs.python311Packages.python-lsp-server;
fmt = {
package = pkgs.yapf;
includes = [ "*.py" ];
options = [ "-i" ];
};
}
];
};
options.grimmShared.tooling.supportedLangs = mkOption {
type = types.listOf (types.enum [ lang_support_id ]);
};
} }

44
common/tooling/ranger.nix Normal file
View file

@ -0,0 +1,44 @@
{
pkgs,
config,
inputs,
lib,
...
}:
let
inherit (config.grimmShared) enable tooling;
inherit (lib)
mkIf
mapAttrs'
concatLines
attrNames
;
plugins = {
ranger_udisk_menu = pkgs.fetchFromGitea {
domain = "git.grimmauld.de";
owner = "grimmauld";
repo = "ranger_udisk_menu";
rev = "981756147834bb485ebcfa0e41ad60d05ccc4351";
hash = "sha256-5nFpEO/54MO6Esvkcqcyw2TI37ham70LkHtOXrYXfbY=";
};
# inputs.ranger_udisk_menu;
};
in
{
config = mkIf (enable && tooling.enable) {
services.gvfs = {
enable = true;
package = pkgs.gvfs;
};
environment.systemPackages = [ pkgs.ranger ];
environment.etc =
(mapAttrs' (n: v: {
name = "ranger/plugins/${n}";
value.source = v;
}) plugins)
// {
"ranger/commands.py".text = concatLines (map (n: "from plugins.${n} import *") (attrNames plugins));
};
};
}

45
common/tooling/rust.nix Normal file
View file

@ -0,0 +1,45 @@
{
pkgs,
lib,
config,
...
}:
let
lang_support_id = "rust";
inherit (lib)
optionals
mkIf
types
mkOption
elem
;
inherit (config.grimmShared) enable tooling graphical;
in
{
config = mkIf (enable && tooling.enable && (elem lang_support_id tooling.supportedLangs)) {
environment.systemPackages =
with pkgs;
[
pkg-config
cargo
rustup
]
++ optionals graphical [ jetbrains.clion jetbrains.rust-rover ];
grimmShared.tooling.lang_servers = [
{
lsp = {
package = pkgs.rust-analyzer;
};
fmt = {
package = pkgs.rustfmt;
includes = [ "*.rs" ];
};
}
];
};
options.grimmShared.tooling.supportedLangs = mkOption {
type = types.listOf (types.enum [ lang_support_id ]);
};
}

54
common/tooling/security.nix
View file

@ -1,54 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
cfg = config.grimmShared;
in
{
config =
with cfg;
lib.mkIf enable {
security.polkit.enable = true;
security.rtkit.enable = true;
security.doas.enable = true;
security.sudo.enable = false;
security.doas.extraRules = [
{
users = lib.attrNames (lib.filterAttrs (n: v: v.isNormalUser) config.users.users);
keepEnv = true;
persist = true;
}
];
environment.systemPackages =
with pkgs;
[
mkpasswd
gnupg
libsecret
vulnix
doas-sudo-shim # muscle memory
agenix
]
++ lib.optionals (tooling.enable && tooling.pass) [
pass
(writeShellScriptBin "passw" "pass $@")
]
++ lib.optional graphical lxqt.lxqt-policykit;
services.passSecretService.enable = lib.mkIf (tooling.enable && tooling.pass) true;
programs.gnupg.agent = {
settings = {
# default-cache-ttl = 6000;
};
pinentryPackage = with pkgs; lib.mkForce (if graphical then pinentry-qt else pinentry-tty);
enable = true;
};
};
options.grimmShared.tooling.pass = lib.mkEnableOption "Enables password-store, gnupg and such secret handling";
}

40
common/tooling/wine.nix Normal file
View file

@ -0,0 +1,40 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared) enable tooling;
inherit (lib)
mkOption
types
getExe
mkIf
;
in
{
config = mkIf (enable && tooling.enable) {
virtualisation.libvirtd.enable = true;
programs.virt-manager.enable = true;
virtualisation.spiceUSBRedirection.enable = true;
# dconf.settings = {
# "org/virt-manager/virt-manager/connections" = {
# autoconnect = ["qemu:///system"];
# uris = ["qemu:///system"];
# };
# };
environment.systemPackages = with pkgs; [
winetricks
wineWow64Packages.stagingFull
dotnetCorePackages.dotnet_9.sdk
# jetbrains.rider
mono4
# (mono4.overrideAttrs { version="4.6.1"; sha256=""; })
tesseract4
];
};
}

15
common/xdg/default.nix
View file

@ -1,6 +1,19 @@
{ {
imports = [ imports = [
./portals.nix ./portals.nix
./mime.nix # ./mime.nix
]; ];
xdg.terminal-exec = {
enable = true;
settings = {
default = [
"Alacritty.desktop"
"kitty.desktop"
];
};
};
xdg.icons.enable = true;
} }

145
common/xdg/mime.nix
View file

@ -1,145 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
cfg = config.grimmShared;
browsers = [
"firefox-beta.desktop"
"firefox.desktop"
];
text_editors = [
"nvim.desktop"
"geany.desktop"
"imhex.desktop"
];
image_viewers = [
"org.nomacs.ImageLounge.desktop"
"org.kde.krita.desktop"
"draw.desktop"
];
audio_players = [ "vlc.desktop" ];
video_viewers = [ "vlc.desktop" ];
document_viewers = [
"org.pwmt.zathura-pdf-mupdf.desktop"
"com.github.jeromerobert.pdfarranger.desktop"
] ++ browsers;
cad = [
"org.freecadweb.FreeCAD.desktop"
"PrusaSlicer.desktop"
"openscad.desktop"
"blender.desktop"
];
tex_editors = [ ] ++ text_editors;
in
{
config =
with cfg;
lib.mkIf (enable && portals && graphical) {
environment.systemPackages = with pkgs; [
deskwhich
zathura
alacritty
imhex
libreoffice-qt
filezilla
obsidian
nomacs
pdfarranger
geany
krita
weasis
kicad
prusa-slicer
freecad
openscad
vlc
blender
thunderbird
xdg-terminal-exec
xdg-utils
];
xdg.terminal-exec = {
enable = true;
settings = {
default = [
"Alacritty.desktop"
"kitty.desktop"
];
};
};
xdg.mime.enable = true;
xdg.mime.addedAssociations = {
"application/java-vm" = [
"idea-community.desktop"
"imhex.desktop"
];
"application/json" = text_editors ++ [ "firefox-beta.desktop" ];
"application/mp4" = video_viewers;
"application/ogg" = audio_players;
"application/octet-stream" = "imhex.desktop";
"application/pdf" = document_viewers;
"application/rss+xml" = text_editors;
"application/x-chess-pgn" = [ ] ++ text_editors; # fixme
"application/x-krita" = "org.kde.krita.desktop";
"application/x-latex" = tex_editors;
"application/x-tex" = tex_editors;
"application/x-texinfo" = tex_editors;
"application/xml" = text_editors;
"image/svg+xml" = image_viewers ++ browsers ++ text_editors;
"image/*" = image_viewers;
"image/vnd.dwg" = cad;
"model/*" = cad;
"gcode" = [
"PrusaGcodeviewer.desktop"
"PrusaSlicer.desktop"
];
"audio/*" = audio_players;
"text/*" = text_editors;
"text/plain" = text_editors;
"text/markdown" = [ "obsidian.desktop" ] ++ text_editors;
"text/csv" = [ "calc.desktop" ] ++ text_editors;
"text/html" = browsers ++ text_editors;
"text/x-python" = [ "pycharm-community.desktop" ] ++ text_editors;
"text/x-c" = [ "clion.desktop" ] ++ text_editors;
"text/x-java-source" = [ "idea-community.desktop" ] ++ text_editors;
"video/*" = video_viewers;
"inode/directory" = [
"ranger.desktop"
"dolphin.desktop"
];
"x-scheme-handler/mailto" = "thunderbird.desktop";
"application/vnd.oasis.opendocument.chart" = "calc.desktop";
"application/vnd.oasis.opendocument.chart-template" = "calc.desktop";
"application/vnd.oasis.opendocument.database" = "base.desktop";
"application/vnd.oasis.opendocument.formula" = "math.desktop";
"application/vnd.oasis.opendocument.formula-template" = "math.desktop";
"application/vnd.oasis.opendocument.graphics" = "draw.desktop";
"application/vnd.oasis.opendocument.graphics-template" = "draw.desktop";
"application/vnd.oasis.opendocument.image" = "draw.desktop";
"application/vnd.oasis.opendocument.image-template" = "draw.desktop";
"application/vnd.oasis.opendocument.presentation" = "impress.desktop";
"application/vnd.oasis.opendocument.presentation-template" = "impress.desktop";
"application/vnd.oasis.opendocument.spreadsheet" = "calc.desktop";
"application/vnd.oasis.opendocument.spreadsheet-template" = "calc.desktop";
"application/vnd.oasis.opendocument.text" = "writer.desktop";
"application/vnd.oasis.opendocument.text-master" = "writer.desktop";
"application/vnd.oasis.opendocument.text-template" = "writer.desktop";
"application/vnd.oasis.opendocument.text-web" = "writer.desktop";
"application/vnd.openxmlformats-officedocument.presentationml.presentation" = "impress.desktop";
"application/vnd.openxmlformats-officedocument.presentationml.slide" = "impress.desktop";
"application/vnd.openxmlformats-officedocument.presentationml.slideshow" = "impress.desktop";
"application/vnd.openxmlformats-officedocument.presentationml.template" = "impress.desktop";
"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet" = "calc.desktop";
"application/vnd.openxmlformats-officedocument.spreadsheetml.template" = "calc.desktop";
"application/vnd.openxmlformats-officedocument.wordprocessingml.document" = "writer.desktop";
"application/vnd.openxmlformats-officedocument.wordprocessingml.template" = "writer.desktop";
};
};
}

92
common/xdg/portals.nix
View file

@ -5,44 +5,68 @@
... ...
}: }:
let let
cfg = config.grimmShared; inherit (config.grimmShared)
enable
portals
sound
screens
;
inherit (lib)
mkIf
mkEnableOption
mapAttrs'
foldl'
min
getExe
isInt
nameValuePair
;
in in
{ {
config = config = mkIf (enable && portals) {
with cfg; xdg.icons.enable = true;
lib.mkIf (enable && portals) { xdg.sounds.enable = lib.mkIf sound.enable true;
xdg.icons.enable = true;
xdg.sounds.enable = lib.mkIf sound.enable true;
xdg.portal = { xdg.portal = {
enable = true; enable = true;
xdgOpenUsePortal = true; xdgOpenUsePortal = true;
extraPortals = with pkgs; [ extraPortals = with pkgs; [
xdg-desktop-portal-wlr xdg-desktop-portal-wlr
xdg-desktop-portal-kde # xdg-desktop-portal-kde
xdg-desktop-portal-gtk # xdg-desktop-portal-gtk
]; # lxqt.xdg-desktop-portal-lxqt
];
wlr.enable = true; wlr.enable = true;
wlr.settings = wlr.settings = mapAttrs' (
with lib; name: value:
mapAttrs' ( nameValuePair ("screencast_" + name) {
name: value: output_name = value.id;
nameValuePair ("screencast_" + name) { max_fps = if isInt value.fps then value.fps else (foldl' min 2147483647 value.fps);
output_name = value.id; chooser_type = "simple";
max_fps = if isInt value.fps then value.fps else (foldl' min 2147483647 value.fps); chooser_cmd = "${getExe pkgs.slurp} -f %o -or";
chooser_type = "simple"; }
chooser_cmd = "${getExe pkgs.slurp} -f %o -or"; ) screens;
}
) cfg.screens;
};
environment.sessionVariables = {
XDG_CONFIG_HOME = "$HOME/.config";
};
environment.systemPackages = with pkgs; [ xwaylandvideobridge ];
}; };
options.grimmShared.portals = lib.mkEnableOption "Enables portals for wlr, gtk and kde as well as fixes fonts"; environment.sessionVariables = {
XDG_CONFIG_HOME = "$HOME/.config";
XDG_DESKTOP_DIR = "$HOME/Desktop";
XDG_DOCUMENTS_DIR = "$HOME/Documents";
XDG_DOWNLOAD_DIR = "$HOME/Downloads";
XDG_MUSIC_DIR = "$HOME/Music";
XDG_PICTURES_DIR = "$HOME/Pictures";
XDG_PUBLICSHARE_DIR = "$HOME/Public";
XDG_TEMPLATES_DIR = "$HOME/Templates";
XDG_VIDEOS_DIR = "$HOME/Videos";
};
environment.systemPackages = with pkgs; [
xwaylandvideobridge
xdg-user-dirs
confwhich
];
};
options.grimmShared.portals = mkEnableOption "Enables portals for wlr, gtk and kde as well as fixes fonts";
} }

15
configuration.nix
View file

@ -1,24 +1,33 @@
{ config, pkgs, ... }: { pkgs, ... }:
{ {
imports = [ imports = [
./overlays ./overlays
./common ./common
./fake_flake.nix # ./fake_flake.nix
./users.nix ./users.nix
./custom
]; ];
# Bootloader. # Bootloader.
boot = { boot = {
loader.efi.canTouchEfiVariables = true; loader.efi.canTouchEfiVariables = true;
# kernelPackages = lib.mkDefault pkgs.linuxPackages_zen;
}; };
services.logrotate.checkConfig = false; # fixme: actually needed? nix.package = pkgs.lix;
nixpkgs.config.allowUnfree = true;
grimmShared = { grimmShared = {
enable = true; enable = true;
locale = true; locale = true;
network = true; network = true;
tooling = { tooling = {
supportedLangs = [
"rust"
"c"
"java"
"python"
];
enable = true; enable = true;
}; };
}; };

29
custom/confwhich/package.nix Normal file
View file

@ -0,0 +1,29 @@
{
lib,
rustPlatform,
fetchFromGitea,
}:
rustPlatform.buildRustPackage {
pname = "confwhich";
version = "unstable-2024-05-14";
src = fetchFromGitea {
domain = "git.grimmauld.de";
owner = "Grimmauld";
repo = "confwhich";
rev = "e561b82d1e2b0d0998ccbef316014297f3468fb6";
hash = "sha256-dMkUJMQjlKzmSsgtH0xOZ5Bk654+h84M1cTx8hVM5SQ=";
};
useFetchCargoVendor = true;
cargoHash = "sha256-YSi7sObmclTR6BSQPSN54/2aurXxCl/q2i8hutlJXkw=";
meta = {
description = "tool to find the path of xdg config files";
homepage = "https://git.grimmauld.de/Grimmauld/confwhich";
license = lib.licenses.bsd3;
mainProgram = "confwhich";
maintainers = with lib.maintainers; [ grimmauld ];
platforms = lib.platforms.linux;
};
}

11
custom/default.nix Normal file
View file

@ -0,0 +1,11 @@
{ lib, ... }: {
nixpkgs.overlays = lib.singleton (final: prev: {
confwhich = prev.callPackage ./confwhich/package.nix { };
deskwhich = prev.callPackage ./deskwhich/package.nix { };
linux-bench = prev.callPackage ./linux-bench/package.nix { };
ooye = prev.callPackage ./ooye/package.nix { };
rfindup = prev.callPackage ./rfindup/package.nix { };
searchclip = prev.callPackage ./searchclip/package.nix { };
tlpui = prev.callPackage ./tlpui/package.nix { };
});
}

13
custom/deskwhich/package.nix
View file

@ -3,19 +3,20 @@
lib, lib,
rustPlatform, rustPlatform,
}: }:
rustPlatform.buildRustPackage rec { rustPlatform.buildRustPackage {
pname = "deskwhich"; pname = "deskwhich";
version = "unstable-2024-04-30"; version = "unstable-2024-04-30";
src = fetchFromGitea { src = fetchFromGitea {
domain = "codeberg.org"; domain = "git.grimmauld.de";
owner = "axtlos"; owner = "grimmauld";
repo = "deskwhich"; repo = "deskwhich";
rev = "cbe8a0cdf4bdbb26faecb028e79ad6c409376051"; rev = "ed412216666a6a22918e57c5dd1fde3855eb0f5f";
hash = "sha256-c0Q0oYIB/1eutV7tkqYXvDMw8A7YsT+5+CmmwbGvcNk="; hash = "sha256-uSXxUehZY1Sp08X3khSQtQc8AT00jJTAsQ+OfTTTkss=";
}; };
cargoHash = "sha256-fBC3UBf9oLswlR6Kgw3nSwjqAtn7VQGzvbUJaYnOid4="; useFetchCargoVendor = true;
cargoHash = "sha256-e4wWQ0QOl0vDRbOFs7eN49sQJXBiJGsHiDLE68NiK8Y=";
meta = { meta = {
description = "tool to find the path of desktop entries"; description = "tool to find the path of desktop entries";

48
custom/linux-bench/package.nix Normal file
View file

@ -0,0 +1,48 @@
{
lib,
buildGoModule,
fetchFromGitea,
makeWrapper,
gnugrep,
iptables,
}:
buildGoModule rec {
pname = "linux-bench";
version = "0-unstable-2025-01-31";
# src = fetchFromGitHub {
# owner = "aquasecurity";
# repo = "linux-bench";
# rev = "ce039756a6211beca47a23220c31998a9a891ad0";
# hash = "sha256-wprsaIe6hgH28yHkSqdHQdFyQMvObQY6hChsfBTviTA=";
# };
src = fetchFromGitea {
owner = "grimmauld";
repo = "linux-bench";
rev = "a936791cd0f4b4c02eb6294a3156ee784bf23c6a";
hash = "sha256-8V0PUZJgNYPM81EH14nw4JpNH4StR1u1PbM+6GVpXVk=";
domain = "git.grimmauld.de";
};
nativeBuildInputs = [
makeWrapper
];
vendorHash = "sha256-dlynz7mOiN+5ndYkmCUQu/Z31AwmJ+J2S3EBjQG5nWI=";
postInstall = ''
wrapProgram $out/bin/linux-bench \
--add-flags "--config-dir ${src}/cfg" \
--prefix PATH : ${lib.makeBinPath [ gnugrep iptables ]}
'';
meta = {
description = "Checks whether a Linux server according to security best practices as defined in the CIS Distribution-Independent Linux Benchmark";
homepage = "https://github.com/aquasecurity/linux-bench";
license = lib.licenses.asl20;
maintainers = with lib.maintainers; [ grimmauld ];
mainProgram = "linux-bench";
};
}

41
custom/ooye/package.nix Normal file
View file

@ -0,0 +1,41 @@
{
buildNpmPackage,
lib,
nodejs,
fetchgit,
}:
buildNpmPackage rec {
pname = "out-of-your-element";
version = "3.0.5";
src = fetchgit {
url = "https://gitdab.com/cadence/out-of-your-element";
rev = "v3.0-beta5";
hash = "sha256-3Y6s9pNKKeqF6s4I2Rd4TpxXPCwqizXeil/sTDVnpr0=";
};
npmDepsHash = "sha256-1STam+Sjy2MQcK5TmRacoxmgErd2sNqw0yIFX2M+iZk=";
dontNpmBuild = true;
postInstall = ''
# create wrapper
makeWrapper "${lib.getExe nodejs}" "$out/bin/ooye-setup" \
--add-flags "$out/lib/node_modules/out-of-your-element/scripts/setup.js"
makeWrapper "${lib.getExe nodejs}" "$out/bin/ooye-addbot" \
--add-flags "$out/lib/node_modules/out-of-your-element/addbot.js"
makeWrapper "${lib.getExe nodejs}" "$out/bin/ooye-start" \
--add-flags "$out/lib/node_modules/out-of-your-element/start.js"
'';
meta = {
description = "";
homepage = "https://gitdab.com/cadence/out-of-your-element";
license = lib.licenses.agpl3Only;
maintainers = with lib.maintainers; [ grimmauld ];
mainProgram = "out-of-your-element";
platforms = lib.platforms.all;
};
}

29
custom/rfindup/package.nix Normal file
View file

@ -0,0 +1,29 @@
{
lib,
rustPlatform,
fetchFromGitea,
}:
rustPlatform.buildRustPackage {
pname = "rfindup";
version = "unstable-2024-09-24";
src = fetchFromGitea {
domain = "git.grimmauld.de";
owner = "Grimmauld";
repo = "rfindup";
rev = "ee4d9997702d6e7c6735436f2b33e15e20669745";
hash = "sha256-nbC/nM6orM19Qh/1bpN6gxOqvhCO4cVBumgEFl9G4Rs=";
};
useFetchCargoVendor = true;
cargoHash = "sha256-S+NpQti2fgaz1UogqXbo+1mgkmetf/brQFcDrW00ZiU=";
meta = {
description = "tool to find files by name in parent directories";
homepage = "https://git.grimmauld.de/Grimmauld/rfindup";
license = lib.licenses.bsd3;
mainProgram = "rfindup";
maintainers = with lib.maintainers; [ grimmauld ];
platforms = lib.platforms.linux;
};
}

16
custom/searchclip/package.nix Normal file
View file

@ -0,0 +1,16 @@
{
writeShellScriptBin,
lib,
urlencode,
}:
let
inherit (lib) getExe;
in
writeShellScriptBin "searchclip" ''
xdg-open https://www.google.com/search?q=$(wl-paste -p | ${getExe urlencode})
browser=$(xdg-settings get default-web-browser | sed "s/\.desktop//")
if [[ -v SWAYSOCK ]]; then
sleep .1
swaymsg [app_id="$browser" urgent="newest"] focus
fi
''

69
custom/tlpui/package.nix Normal file
View file

@ -0,0 +1,69 @@
{
fetchFromGitHub,
gobject-introspection,
gtk3,
lib,
pciutils,
python3Packages,
substituteAll,
tlp,
usbutils,
wrapGAppsHook,
}:
python3Packages.buildPythonPackage rec {
pname = "tlpui";
version = "1.6.5";
pyproject = true;
src = fetchFromGitHub {
owner = "d4nj1";
repo = "TLPUI";
rev = "refs/tags/tlpui-${version}";
hash = "sha256-pgzGhf2WDRNQ2z0hPapUJA5MLTKq92UlgjC+G78T/4s=";
};
patches = [
(substituteAll {
src = ./path.patch;
inherit tlp;
})
];
# ignore test/test_tlp_settings.py asit relies on opening a gui which is non-trivial
pytestFlagsArray = [ "--ignore=test/test_tlp_settings.py" ];
nativeCheckInputs = [
gobject-introspection
python3Packages.pytestCheckHook
];
build-system = [
wrapGAppsHook
python3Packages.poetry-core
];
buildInputs = [ tlp ];
dependencies = [
gobject-introspection
gtk3
pciutils
python3Packages.pycairo
python3Packages.pygobject3
python3Packages.pyyaml
usbutils
];
meta = {
changelog = "https://github.com/d4nj1/TLPUI/releases/tag/tlpui-${version}";
description = "A GTK user interface for TLP written in Python";
homepage = "https://github.com/d4nj1/TLPUI";
license = lib.licenses.gpl2Only;
longDescription = ''
The Python scripts in this project generate a GTK-UI to change TLP configuration files easily.
It has the aim to protect users from setting bad configuration and to deliver a basic overview of all the valid configuration values.
'';
platforms = lib.platforms.linux;
mainProgram = "tlpui";
maintainers = with lib.maintainers; [ grimmauld ];
};
}

57
custom/tlpui/path.patch Normal file
View file

@ -0,0 +1,57 @@
diff --git a/tlpui/file.py b/tlpui/file.py
index f0f3ecb..a9ad7f8 100644
--- a/tlpui/file.py
+++ b/tlpui/file.py
@@ -26,7 +26,7 @@ def get_tlp_config_defaults(tlpversion: str):
tlpconfig_defaults = extract_default_tlp_configs(f"{settings.workdir}/defaults/tlp-{tlpversion}.conf")
# update default values with intrinsic ones
- intrinsic_defaults_path = f"{settings.FOLDER_PREFIX}/usr/share/tlp/defaults.conf"
+ intrinsic_defaults_path = f"@tlp@/share/tlp/defaults.conf"
tlpconfig_defaults.update(extract_default_tlp_configs(intrinsic_defaults_path))
return tlpconfig_defaults
@@ -124,7 +124,10 @@ def create_tmp_tlp_config_file(changedproperties: dict) -> str:
filehandler, tmpfilename = mkstemp(dir=settings.TMP_FOLDER)
newfile = open(tmpfilename, mode='w', encoding='utf-8')
- oldfile = open(settings.tlpconfigfile, encoding='utf-8')
+ try:
+ oldfile = open(settings.tlpconfigfile, encoding='utf-8')
+ except FileNotFoundError:
+ oldfile = open("@tlp@/etc/tlp.conf", encoding='utf-8')
lines = oldfile.readlines()
oldfile.close()
diff --git a/tlpui/mainui.py b/tlpui/mainui.py
index 0242514..da59046 100644
--- a/tlpui/mainui.py
+++ b/tlpui/mainui.py
@@ -115,8 +115,12 @@ def changed_items_dialog(window, tmpfilename: str, dialogtitle: str, message: st
scrolledwindow.set_hexpand(True)
scrolledwindow.set_vexpand(True)
- with open(settings.tlpconfigfile, encoding='utf-8') as fromfile:
- fromfilecontent = fromfile.readlines()
+ try:
+ with open(settings.tlpconfigfile, encoding='utf-8') as fromfile:
+ fromfilecontent = fromfile.readlines()
+ except FileNotFoundError:
+ with open("@tlp@/etc/tlp.conf", encoding='utf-8') as fromfile:
+ fromfilecontent = fromfile.readlines()
with open(tmpfilename, encoding='utf-8') as tofile:
tofilecontent = tofile.readlines()
diff = settings.tlpbaseconfigfile + '\n\n'
diff --git a/tlpui/settingshelper.py b/tlpui/settingshelper.py
index 69481c0..d769029 100644
--- a/tlpui/settingshelper.py
+++ b/tlpui/settingshelper.py
@@ -20,7 +20,7 @@ def exec_command(commands: [str]):
def get_tlp_config_file(prefix: str) -> str:
"""Select tlp config file by prefix."""
- return f"{prefix}/etc/tlp.conf"
+ return f"{prefix}/etc/tlp.d/30-tlpui.conf"
def check_binaries_exist(flatpak_folder_prefix: str) -> None:

73
dual_monitor_otd.json Normal file
View file

@ -0,0 +1,73 @@
{
"Profiles": [
{
"Tablet": "Wacom PTH-660",
"OutputMode": {
"Path": "OpenTabletDriver.Desktop.Output.AbsoluteMode",
"Settings": [],
"Enable": true
},
"Filters": [],
"AbsoluteModeSettings": {
"Display": {
"Width": 3840.0,
"Height": 1080.0,
"X": 1920.0,
"Y": 540.0,
"Rotation": 0.0
},
"Tablet": {
"Width": 148.0,
"Height": 42.0,
"X": 112.0,
"Y": 74.0,
"Rotation": 90.0
},
"EnableClipping": true,
"EnableAreaLimiting": false,
"LockAspectRatio": false
},
"RelativeModeSettings": {
"XSensitivity": 10.0,
"YSensitivity": 10.0,
"RelativeRotation": 0.0,
"RelativeResetDelay": "00:00:00.1000000"
},
"Bindings": {
"TipActivationThreshold": 0.0,
"TipButton": {
"Path": "OpenTabletDriver.Desktop.Binding.MouseBinding",
"Settings": [
{
"Property": "Button",
"Value": "Left"
}
],
"Enable": true
},
"EraserActivationThreshold": 0.0,
"EraserButton": null,
"PenButtons": [
null,
null
],
"AuxButtons": [
null,
null,
null,
null,
null,
null,
null,
null
],
"MouseButtons": [],
"MouseScrollUp": null,
"MouseScrollDown": null
}
}
],
"LockUsableAreaDisplay": true,
"LockUsableAreaTablet": true,
"Tools": []
}

107
fake_flake.nix
View file

@ -1,107 +0,0 @@
{
pkgs,
lib,
config,
system,
...
}:
let
nivSources = import ./nix/sources.nix;
asGithubRef = src: "github:${src.owner}/${src.repo}/${src.rev}";
build_target =
let
env_host = builtins.getEnv "NIXOS_TARGET_HOST";
in
if env_host != "" then
env_host
else
builtins.replaceStrings [ "\n" ] [ "" ] (lib.toLower (builtins.readFile /proc/sys/kernel/hostname));
host_modules = {
grimmauld-nixos = [ ./specific/grimm-nixos-laptop/configuration.nix ];
grimmauld-nixos-server = [
./specific/grimmauld-nixos-server/configuration.nix
./modules/letsencrypt.nix
./modules/matrix.nix
./modules/puffer.nix
./modules/gitea.nix
./modules/grafana.nix
./modules/nextcloud.nix
./modules/prometheus.nix
# ./modules/mjolnir.nix
./modules/fail2ban.nix
./modules/email.nix
./modules/discord-matrix-bridge.nix
./modules/mastodon.nix
];
};
nixpkgs_patches = [
{
# tlpui
url = "https://patch-diff.githubusercontent.com/raw/NixOS/nixpkgs/pull/305278.patch";
hash = "sha256-vmzj7gF8jwHdqxN+dQiJ4MRxKpHvBTzbrUvFgt1DK8I=";
}
];
in
{
imports = [
"${nivSources.agenix}/modules/age.nix"
(import "${nivSources.lix-module}/module.nix" { lix = nivSources.lix-pkg; })
"${nivSources.nixos-mailserver}/default.nix"
"${nivSources.nixos-matrix-modules}/module.nix"
# fixme: ideally we'd not rely on the flake syntax to load the module
(builtins.getFlake (asGithubRef nivSources.chaotic)).nixosModules.default
# (builtins.getFlake (asGithubRef nivSources.nixos-matrix-modules)).nixosModules.default
# (builtins.getFlake "git+${nivSources.nixos-mailserver.repo}").nixosModules.default
] ++ lib.optionals (builtins.hasAttr build_target host_modules) host_modules.${build_target};
nixpkgs.hostPlatform = system;
# system.nixos = {
# distroId = "lixos";
# distroName = "LixOS";
# };
environment.sessionVariables = with config.system.nixos; {
distro = "${distroName} ${version} (${codeName}) ${system}";
};
nixpkgs.pkgs =
let
src = nivSources.nixpkgs;
config = {
allowUnfree = true;
};
unpatched = import src { inherit config system; };
inherit (unpatched) applyPatches fetchpatch;
in
import (applyPatches {
name = "nixpkgs-patched";
inherit src;
patches = map fetchpatch nixpkgs_patches;
}) { inherit config; };
nixpkgs.overlays = lib.singleton (
final: prev: { agenix = final.callPackage "${nivSources.agenix}/pkgs/agenix.nix" { }; }
);
_module.args = {
system = "x86_64-linux";
};
nix.settings.extra-substituters = [
"https://cache.lix.systems"
"https://nyx.chaotic.cx/"
];
nix.settings.trusted-public-keys = [
"cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o="
"nyx.chaotic.cx-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8="
"chaotic-nyx.cachix.org-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8="
];
}

706
flake.lock generated Normal file
View file

@ -0,0 +1,706 @@
{
"nodes": {
"aa-alias-manager": {
"inputs": {
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks": "pre-commit-hooks",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1739727446,
"narHash": "sha256-t+KH1NoR/HauQlYgKaNKkxCoSQ4PwPdp5r6nGc3K/tE=",
"owner": "LordGrimmauld",
"repo": "aa-alias-manager",
"rev": "cf56427c87bf93537f0c4f9896beef2da146860b",
"type": "github"
},
"original": {
"owner": "LordGrimmauld",
"repo": "aa-alias-manager",
"type": "github"
}
},
"aagl-gtk-on-nix": {
"inputs": {
"flake-compat": "flake-compat_2",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1736877444,
"narHash": "sha256-K25atZ9alRsGb6TW+rRcpJTbtP5tnb3qusd762B2qWw=",
"owner": "ezKEa",
"repo": "aagl-gtk-on-nix",
"rev": "a1f0ce3bfbe9f0cc81e8b7def5e652a021e95c98",
"type": "github"
},
"original": {
"owner": "ezKEa",
"repo": "aagl-gtk-on-nix",
"type": "github"
}
},
"agenix": {
"inputs": {
"agenix": "agenix_2",
"crane": "crane",
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
"rust-overlay": "rust-overlay_2"
},
"locked": {
"lastModified": 1726755133,
"narHash": "sha256-03XIEjHeZEjHXctsXYUB+ZLQmM0WuhR6qWQjwekFk/M=",
"owner": "yaxitech",
"repo": "ragenix",
"rev": "687ee92114bce9c4724376cf6b21235abe880bfa",
"type": "github"
},
"original": {
"owner": "yaxitech",
"repo": "ragenix",
"type": "github"
}
},
"agenix_2": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": [
"agenix",
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1723293904,
"narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
"owner": "ryantm",
"repo": "agenix",
"rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"apparmor-dev": {
"inputs": {
"flake-utils": "flake-utils_2",
"nix-github-actions": "nix-github-actions_2",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1734881868,
"narHash": "sha256-ONpu806E6j/23ZCgvfAR7bNusDjC5bVThTOjNkUMIqQ=",
"owner": "LordGrimmauld",
"repo": "apparmor-dev",
"rev": "032cb3469176411d5bda5642049abc468073e18a",
"type": "github"
},
"original": {
"owner": "LordGrimmauld",
"repo": "apparmor-dev",
"type": "github"
}
},
"blobs": {
"flake": false,
"locked": {
"lastModified": 1604995301,
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"type": "gitlab"
}
},
"chaotic": {
"inputs": {
"fenix": "fenix",
"flake-schemas": "flake-schemas",
"home-manager": "home-manager_2",
"jovian": "jovian",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1740016447,
"narHash": "sha256-96hBRGwuG+CFI5+inRIDCh0Za4LOt1dlbO3pFOokw6Y=",
"owner": "chaotic-cx",
"repo": "nyx",
"rev": "ed7900391a1969bb0bde432fd3952a6dda37114c",
"type": "github"
},
"original": {
"owner": "chaotic-cx",
"ref": "nyxpkgs-unstable",
"repo": "nyx",
"type": "github"
}
},
"crane": {
"locked": {
"lastModified": 1725409566,
"narHash": "sha256-PrtLmqhM6UtJP7v7IGyzjBFhbG4eOAHT6LPYOFmYfbk=",
"owner": "ipetkov",
"repo": "crane",
"rev": "7e4586bad4e3f8f97a9271def747cf58c4b68f3c",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"fenix": {
"inputs": {
"nixpkgs": [
"chaotic",
"nixpkgs"
],
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
"lastModified": 1739946876,
"narHash": "sha256-ek0u5FT5yjqYKjF/0HQKwDH2ISZzyvYwu+My5hmSwbU=",
"owner": "nix-community",
"repo": "fenix",
"rev": "95c1eab59767a3dbb11d6616d4ff736813ce41d2",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "fenix",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1733328505,
"narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-schemas": {
"locked": {
"lastModified": 1721999734,
"narHash": "sha256-G5CxYeJVm4lcEtaO87LKzOsVnWeTcHGKbKxNamNWgOw=",
"rev": "0a5c42297d870156d9c57d8f99e476b738dcd982",
"revCount": 75,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/DeterminateSystems/flake-schemas/0.1.5/0190ef2f-61e0-794b-ba14-e82f225e55e6/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/DeterminateSystems/flake-schemas/%3D0.1.5.tar.gz"
}
},
"flake-utils": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"aa-alias-manager",
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"chaotic",
"nixpkgs"
]
},
"locked": {
"lastModified": 1739913864,
"narHash": "sha256-WhzgQjadrwnwPJQLLxZUUEIxojxa7UWDkf7raAkB1Lw=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "97ac0801d187b2911e8caa45316399de12f6f199",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_3": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1736941558,
"narHash": "sha256-Q7o9lUoKqw94IhmlhwguhPZX9AJNLnkVb56XHa0W5/I=",
"ref": "refs/heads/master",
"rev": "1ffbc5166cf74f9e5342fca7e3f2257c8d96b5df",
"revCount": 3997,
"type": "git",
"url": "https://git.grimmauld.de/Grimmauld/home-manager"
},
"original": {
"type": "git",
"url": "https://git.grimmauld.de/Grimmauld/home-manager"
}
},
"jovian": {
"inputs": {
"nix-github-actions": "nix-github-actions_3",
"nixpkgs": [
"chaotic",
"nixpkgs"
]
},
"locked": {
"lastModified": 1739952453,
"narHash": "sha256-+tyFW6nNj1fJ1VTtLeqe1PMp5F7Fb9zIkT6mUvdQHrM=",
"owner": "Jovian-Experiments",
"repo": "Jovian-NixOS",
"rev": "b2ed82d3ff837960df4518308dfe409dda3ae406",
"type": "github"
},
"original": {
"owner": "Jovian-Experiments",
"repo": "Jovian-NixOS",
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"aa-alias-manager",
"nixpkgs"
]
},
"locked": {
"lastModified": 1731952509,
"narHash": "sha256-p4gB3Rhw8R6Ak4eMl8pqjCPOLCZRqaehZxdZ/mbFClM=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "7b5f051df789b6b20d259924d349a9ba3319b226",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nix-github-actions_2": {
"inputs": {
"nixpkgs": [
"apparmor-dev",
"nixpkgs"
]
},
"locked": {
"lastModified": 1731952509,
"narHash": "sha256-p4gB3Rhw8R6Ak4eMl8pqjCPOLCZRqaehZxdZ/mbFClM=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "7b5f051df789b6b20d259924d349a9ba3319b226",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nix-github-actions_3": {
"inputs": {
"nixpkgs": [
"chaotic",
"jovian",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729697500,
"narHash": "sha256-VFTWrbzDlZyFHHb1AlKRiD/qqCJIripXKiCSFS8fAOY=",
"owner": "zhaofengli",
"repo": "nix-github-actions",
"rev": "e418aeb728b6aa5ca8c5c71974e7159c2df1d8cf",
"type": "github"
},
"original": {
"owner": "zhaofengli",
"ref": "matrix-name",
"repo": "nix-github-actions",
"type": "github"
}
},
"nixos-mailserver": {
"inputs": {
"blobs": "blobs",
"flake-compat": "flake-compat_3",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-24_11": "nixpkgs-24_11"
},
"locked": {
"lastModified": 1739121270,
"narHash": "sha256-EmJhpy9U8sVlepl2QPjG019VfG67HcucsQNItTqW6cA=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "8c1c4640b878c692dd3d8055e8cdea0a2bbd8cf3",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"ref": "master",
"repo": "nixos-mailserver",
"type": "gitlab"
}
},
"nixos-matrix-modules": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1735857245,
"narHash": "sha256-AKLLPrgXTxgzll3DqVUMa4QlPlRN3QceutgFBmEf8Nk=",
"owner": "dali99",
"repo": "nixos-matrix-modules",
"rev": "da9dc0479ffe22362793c87dc089035facf6ec4d",
"type": "github"
},
"original": {
"owner": "dali99",
"repo": "nixos-matrix-modules",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1739866667,
"narHash": "sha256-EO1ygNKZlsAC9avfcwHkKGMsmipUk1Uc0TbrEZpkn64=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "73cf49b8ad837ade2de76f87eb53fc85ed5d4680",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-24_11": {
"locked": {
"lastModified": 1734083684,
"narHash": "sha256-5fNndbndxSx5d+C/D0p/VF32xDiJCJzyOqorOYW4JEo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "314e12ba369ccdb9b352a4db26ff419f7c49fa84",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-24.11",
"type": "indirect"
}
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat",
"gitignore": "gitignore",
"nixpkgs": [
"aa-alias-manager",
"nixpkgs"
]
},
"locked": {
"lastModified": 1735882644,
"narHash": "sha256-3FZAG+pGt3OElQjesCAWeMkQ7C/nB1oTHLRQ8ceP110=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "a5a961387e75ae44cc20f0a57ae463da5e959656",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"root": {
"inputs": {
"aa-alias-manager": "aa-alias-manager",
"aagl-gtk-on-nix": "aagl-gtk-on-nix",
"agenix": "agenix",
"apparmor-dev": "apparmor-dev",
"chaotic": "chaotic",
"home-manager": "home-manager_3",
"nixos-mailserver": "nixos-mailserver",
"nixos-matrix-modules": "nixos-matrix-modules",
"nixpkgs": "nixpkgs"
}
},
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1739913186,
"narHash": "sha256-7MSzs64dLDgq1wFw2eujZ01qdj9K+TwIlQMyWebotE8=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "3028f844c5898dcf115f6bc67a5ce793989b04a1",
"type": "github"
},
"original": {
"owner": "rust-lang",
"ref": "nightly",
"repo": "rust-analyzer",
"type": "github"
}
},
"rust-overlay": {
"inputs": {
"nixpkgs": [
"aa-alias-manager",
"nixpkgs"
]
},
"locked": {
"lastModified": 1736572187,
"narHash": "sha256-it8mU8UkbaeVup7GpCI6n2cWPJ/O4U980CxKAMKUGF0=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "06871d5c5f78b0ae846c5758702531b4cabfab9b",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_2": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1725675754,
"narHash": "sha256-hXW3csqePOcF2e/PYnpXj72KEYyNj2HzTrVNmS/F7Ug=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "8cc45e678e914a16c8e224c3237fb07cf21e5e54",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

174
flake.nix Normal file
View file

@ -0,0 +1,174 @@
{
description = "grimmauld-nixos";
inputs = {
nixpkgs = {
url = "github:NixOS/nixpkgs/nixos-unstable";
# url = "git+file:///home/grimmauld/coding/nixpkgs";
};
chaotic = {
url = "github:chaotic-cx/nyx/nyxpkgs-unstable";
inputs.nixpkgs.follows = "nixpkgs";
};
agenix = {
url = "github:yaxitech/ragenix";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-mailserver = {
url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-matrix-modules = {
url = "github:dali99/nixos-matrix-modules";
inputs.nixpkgs.follows = "nixpkgs";
};
# ranger_udisk_menu.url = "git+https://git.grimmauld.de/Grimmauld/ranger_udisk_menu";
# glibc-eac.url = "github:Frogging-Family/glibc-eac";
aagl-gtk-on-nix = {
url = "github:ezKEa/aagl-gtk-on-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
aa-alias-manager = {
url = "github:LordGrimmauld/aa-alias-manager";
inputs.nixpkgs.follows = "nixpkgs";
};
# nixpkgs-update = {
# url = "github:nix-community/nixpkgs-update";
# # inputs.nixpkgs.follows = "nixpkgs";
# };
apparmor-dev = {
url = "github:LordGrimmauld/apparmor-dev";
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager = {
# https://github.com/nix-community/home-manager/issues/3415
# https://github.com/nix-community/home-manager/pull/2548
# url = "github:nix-community/home-manager";
# url = "git+file:///home/grimmauld/coding/home-manager";
url = "git+https://git.grimmauld.de/Grimmauld/home-manager";
# url = "github:pasqui23/home-manager/nixos-late-start";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs =
inputs@{
self,
agenix,
nixpkgs,
chaotic,
aagl-gtk-on-nix,
nixos-mailserver,
nixos-matrix-modules,
aa-alias-manager,
# nixpkgs-update,
apparmor-dev,
home-manager,
...
}:
let
patches = [
{
url = "https://github.com/NixOS/nixpkgs/pull/377927.patch?full_index=1";
hash = "sha256-5nFQs0fcU50I6gdmDzCggH2wzaJgM1kwurkS1HHuxnE=";
}
];
customNixosSystem =
system: definitions:
let
unpatched = nixpkgs.legacyPackages.${system};
patched = unpatched.applyPatches {
name = "nixpkgs-patched";
src = inputs.nixpkgs;
patches = map (p: if (builtins.isPath p) then p else (unpatched.fetchpatch p)) patches;
};
nixosSystem =
if patches == [ ] then nixpkgs.lib.nixosSystem else import (patched + "/nixos/lib/eval-config.nix");
in
nixosSystem (
{
inherit system;
specialArgs = {
inherit inputs system;
};
}
// definitions
);
systems = [
"x86_64-linux"
"aarch64-linux"
];
forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system);
in
{
formatter = forAllSystems (system: nixpkgs.legacyPackages.${system}.nixfmt-rfc-style);
nixosConfigurations = {
grimmauld-nixos = customNixosSystem "x86_64-linux" {
modules = [
agenix.nixosModules.default
chaotic.nixosModules.default
aagl-gtk-on-nix.nixosModules.default
./configuration.nix
./specific/grimm-nixos-laptop/configuration.nix
];
};
grimm-nixos-ssd = customNixosSystem "x86_64-linux" {
modules = [
agenix.nixosModules.default
# chaotic.nixosModules.default
aagl-gtk-on-nix.nixosModules.default
./configuration.nix
aa-alias-manager.nixosModules.default
# apparmor-dev.nixosModules.default
./perlless.nix
./specific/grimm-nixos-ssd/configuration.nix
(
{ modulesPath, ... }:
{
imports = [
"${modulesPath}/profiles/hardened.nix"
# "${modulesPath}/profiles/perlless.nix"
];
}
)
home-manager.nixosModules.home-manager
./hm
./hardening
];
};
grimmauld-nixos-server = customNixosSystem "x86_64-linux" {
modules = [
agenix.nixosModules.default
nixos-matrix-modules.nixosModules.default
nixos-mailserver.nixosModules.default
./configuration.nix
./specific/grimmauld-nixos-server/configuration.nix
./modules
];
};
grimm-nixos-server-2 = customNixosSystem "x86_64-linux" {
modules = [
agenix.nixosModules.default
# nixos-matrix-modules.nixosModules.default
nixos-mailserver.nixosModules.default
./configuration.nix
./specific/grimm-nixos-server-2/configuration.nix
./modules2
home-manager.nixosModules.home-manager
./hm
];
};
};
};
}

67
hardening/apparmor/apparmor-d-module.nix Normal file
View file

@ -0,0 +1,67 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (lib)
mkIf
mapAttrs
assertMsg
pathIsRegularFile
mkForce
;
cfg = config.security.apparmor_d;
apparmor-d = pkgs.callPackage ./apparmor-d-package.nix { };
in
{
options.security.apparmor_d = with lib; {
enable = mkEnableOption "enable apparmor.d support";
profiles = mkOption {
type = types.attrsOf (
types.enum [
"disable"
"complain"
"enforce"
]
);
default = { };
description = "set of apparmor profiles to include from apparmor.d";
};
};
config = mkIf (cfg.enable) {
security.apparmor.packages = [ apparmor-d ];
security.apparmor.policies = mapAttrs (name: state: {
inherit state;
path =
let
file = "${apparmor-d}/etc/apparmor.d/${name}";
in
assert assertMsg (pathIsRegularFile file) "profile ${name} not found in apparmor.d path (${file})";
file;
}) cfg.profiles;
security.apparmor.includes."tunables/global.d/store" = ''
@{package1}={@{w},.,-}
@{package2}=@{package1}@{package1}
@{package4}=@{package2}@{package2}
@{package8}=@{package4}@{package4}
@{package16}=@{package8}@{package8}
@{package32}=@{package16}@{package16}
@{package64}=@{package32}@{package32}
@{nix_package_name}={@{package32},}{@{package16},}{@{package8},}{@{package4},}{@{package2},}{@{package1},}
@{nix_store}=/nix/store/@{rand32}-@{nix_package_name}
'';
specialisation.no-apparmor.configuration = {
security.apparmor.enable = mkForce false;
};
environment.systemPackages = [ apparmor-d ];
};
}

51
hardening/apparmor/apparmor-d-package.nix Normal file
View file

@ -0,0 +1,51 @@
{
buildGoModule,
fetchFromGitHub,
lib,
unstableGitUpdater,
}:
buildGoModule {
pname = "apparmor-d";
version = "unstable-2025-02-18";
src = fetchFromGitHub {
rev = "af85db9148b17bb37b4d73454e78d4efec4c2db9";
owner = "roddhjav";
repo = "apparmor.d";
hash = "sha256-mCc1DQXQvzeeA+sq67zK5o18tKByaB5dITmC77j9uEM=";
};
vendorHash = null;
doCheck = false;
dontCheckForBrokenSymlinks = true;
patches = [
./apparmor-d-prebuild.patch
];
subPackages = [
"cmd/prebuild"
"cmd/aa-log"
];
passthru.updateScript = unstableGitUpdater { };
postInstall = ''
mkdir -p $out/etc
DISTRIBUTION=nixos $out/bin/prebuild --abi 4 # fixme: replace with nixos support once available
mv .build/apparmor.d $out/etc
rm $out/bin/prebuild
'';
meta = {
description = "Full set of AppArmor profiles (~ 1500 profiles) ";
homepage = "https://github.com/roddhjav/apparmor.d";
license = lib.licenses.gpl2Only;
mainProgram = "aa-log";
maintainers = with lib.maintainers; [ grimmauld ];
platforms = lib.platforms.linux;
};
}

61
hardening/apparmor/apparmor-d-prebuild.patch Normal file
View file

@ -0,0 +1,61 @@
diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
index 0a95d183..4e15d5e3 100644
--- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system
@@ -106,8 +106,8 @@
@{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/
# Common places for binaries and libraries across distributions
-@{bin}=/{,usr/}{,s}bin
-@{lib}=/{,usr/}lib{,exec,32,64}
+@{bin}=/{nix/store/*/,}{,usr/}bin
+@{lib}=/{nix/store/*/,/run/wrappers,}{,usr/}lib{,exec,32,64}
# Common places for temporary files
@{tmp}=/tmp/ /tmp/user/@{uid}/
diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go
index 3f2dd9f4..39a8b64a 100644
--- a/cmd/prebuild/main.go
+++ b/cmd/prebuild/main.go
@@ -37,7 +37,7 @@ func init() {
// Compatibility with AppArmor 3
switch prebuild.Distribution {
- case "arch":
+ case "arch", "nixos":
case "ubuntu":
if !slices.Contains([]string{"noble"}, prebuild.Release["VERSION_CODENAME"]) {
diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go
index a887d4b9..eb0cc2ef 100644
--- a/pkg/aa/apparmor.go
+++ b/pkg/aa/apparmor.go
@@ -33,13 +33,13 @@ func DefaultTunables() *AppArmorProfileFile {
return &AppArmorProfileFile{
Preamble: Rules{
&Variable{Name: "arch", Values: []string{"x86_64", "amd64", "i386"}, Define: true},
- &Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true},
+ &Variable{Name: "bin", Values: []string{"/{nix/store/*/,/run/wrappers,}{,usr/}{,s}bin"}, Define: true},
&Variable{Name: "c", Values: []string{"[0-9a-zA-Z]"}, Define: true},
&Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true},
&Variable{Name: "HOME", Values: []string{"/home/*"}, Define: true},
&Variable{Name: "int", Values: []string{"[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}"}, Define: true},
&Variable{Name: "int2", Values: []string{"[0-9][0-9]"}, Define: true},
- &Variable{Name: "lib", Values: []string{"/{,usr/}lib{,exec,32,64}"}, Define: true},
+ &Variable{Name: "lib", Values: []string{"/{nix/store/*/,}{,usr/}lib{,exec,32,64}"}, Define: true},
&Variable{Name: "MOUNTS", Values: []string{"/media/*/", "/run/media/*/*/", "/mnt/*/"}, Define: true},
&Variable{Name: "multiarch", Values: []string{"*-linux-gnu*"}, Define: true},
&Variable{Name: "rand", Values: []string{"@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}"}, Define: true}, // Up to 10 characters
diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go
index 4b8e11ec..11eab5f7 100644
--- a/pkg/prebuild/prepare/configure.go
+++ b/pkg/prebuild/prepare/configure.go
@@ -28,7 +28,7 @@ func (p Configure) Apply() ([]string, error) {
res := []string{}
switch prebuild.Distribution {
- case "arch", "opensuse":
+ case "arch", "opensuse", "nixos":
case "ubuntu":
if err := prebuild.DebianHide.Init(); err != nil {

25
hardening/apparmor/bare.nix Normal file
View file

@ -0,0 +1,25 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared) enable tooling;
inherit (lib) mkIf;
in
{
config = mkIf (enable && tooling.enable && config.security.apparmor.enable) {
services.dbus.apparmor = "enabled";
security.auditd.enable = true;
security.apparmor.enableCache = true;
environment.systemPackages = with pkgs; [ apparmor-parser ];
# security.apparmor.aa-alias-manager.enable = false;
security.audit.backlogLimit = 512;
};
}

299
hardening/apparmor/default.nix Normal file
View file

@ -0,0 +1,299 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared) enable tooling;
inherit (lib) mkIf getExe' getExe;
in
{
imports = [ ./apparmor-d-module.nix ]; # ./aa-alias-module.nix ];
config = mkIf (enable && tooling.enable && config.security.apparmor.enable) {
services.dbus.apparmor = "enabled";
security.auditd.enable = true;
security.apparmor.enableCache = true;
security.apparmor.killUnconfinedConfinables = false;
security.apparmor.includes."tunables/alias.d/programs" = ''
# alias / -> /nix/store/*/,
alias /bin/spotify -> ${pkgs.spotify}/share/spotify/spotify,
alias /bin/spotify -> ${pkgs.spotify}/share/spotify/.spotify-wrapped,
alias /bin/firefox -> /nix/store/*/bin/.firefox-wrapped,
'';
environment.systemPackages = with pkgs; [ apparmor-parser ];
# security.apparmor.aa-alias-manager.enable = false;
security.audit.backlogLimit = 8192;
security.apparmor_d = {
enable = true;
profiles = {
vesktop = "enforce";
speech-dispatcher = "enforce";
thunderbird-glxtest = "enforce";
"firefox.apparmor.d" = "enforce";
pass = "enforce";
spotify = "enforce";
"thunderbird.apparmor.d" = "enforce";
xdg-open = "enforce";
# child-open-any = "enforce";
child-open = "enforce";
firefox-glxtest = "enforce";
firefox-vaapitest = "enforce";
gamemoded = "disable";
# pkexec = "complain";
xdg-mime = "complain";
mimetype = "complain";
# sudo = "complain";
"unix-chkpwd.apparmor.d" = "complain";
};
};
security.apparmor.includes = {
"abstractions/base" = ''
/nix/store/*/bin/** mr,
/nix/store/*/lib/** mr,
/nix/store/** r,
${getExe' pkgs.coreutils "coreutils"} rix,
${getExe' pkgs.coreutils-full "coreutils"} rix,
'';
# "tunables/alias.d/store" = ''
# include <tunables/global>
# alias /bin -> @{bin},
# alias /bin/ -> /nix/store/*/bin/,
# '';
"local/speech-dispatcher" = ''
@{nix_store}/libexec/speech-dispatcher-modules/* ix,
@{PROC}/@{pid}/stat r,
@{bin}/mbrola rix,
'';
"local/pass" = ''
${getExe' pkgs.pass ".pass-wrapped"} rix,
@{nix_store}/wl-copy rUx,
@{nix_store}/wl-paste rUx,
'';
"local/pass_gpg" = ''
@{PROC}/@{pid}/fd/ r,
/nix/store/*/libexec/keyboxd ix,
owner /run/user/*/gnupg/S.keyboxd wr,
'';
"local/xdg-mime" = ''
# include <abstractions/app/bus>
/bin/grep rix,
/bin/gawk rix,
# /bin/dbus-send Cx -> bus,
/dev/tty* rw,
'';
"abstractions/app/udevadm.d/udevadm_is_exec" = ''
@{bin}/udevadm mrix,
'';
"local/firefox" = ''
${pkgs.passff-host}/share/passff-host/passff.py rPx -> passff,
@{HOME}/.mozilla/firefox/** mr,
'';
"local/thunderbird" = ''
${getExe' pkgs.thunderbird ".thunderbird-wrapped_"} rix,
/dev/urandom w,
'';
"abstractions/common/electron.d/libexec" = ''
/nix/store/*/libexec/electron/** rix,
'';
"local/pkexec" = ''
capability sys_ptrace,
'';
"local/xdg-open" = ''
/** r,
'';
"local/child-open" = ''
# include <abstractions/app/bus>
@{bin}/grep ix,
/@{PROC}/version r,
# @{bin}/gdbus Cx -> bus,
@{bin}/gdbus Ux,
'';
"local/vesktop" = ''
/etc/machine-id r,
/dev/udmabuf rw,
/sys/devices/@{pci}/boot_vga r,
/sys/devices/@{pci}/**/id{Vendor,Product} r,
/dev/ r,
# @{bin}/xdg-open rPx,
/bin/electron rix,
'';
"local/sudo" = ''
/run/wrappers/wrappers.*/unix_chkpwd rPx -> unix-chkpwd,
'';
"local/unix-chkpwd" = ''
capability dac_read_search,
'';
# "local/spotify" = ''
# @{bin}/
# '';
};
security.apparmor.policies = {
passff = {
state = "enforce";
profile = ''
abi <abi/4.0>,
include <tunables/global>
profile passff ${pkgs.passff-host}/share/passff-host/passff.py {
include <abstractions/base> # read access to /nix/store, basic presets for most apps
include <abstractions/python>
@{bin}/pass Px -> pass,
}
'';
};
swaymux = {
state = "enforce";
profile = ''
abi <abi/4.0>,
include <tunables/global>
profile swaymux ${getExe pkgs.swaymux} {
include <abstractions/base> # read access to /nix/store, basic presets for most apps
${pkgs.swaymux}/bin/* rix, # wrapping
/dev/tty r,
owner @{user_config_dirs}/** r,
}
'';
};
# speech-dispatcher-test = {
# profile = ''#
#
#abi <abi/4.0>,
#
#include <tunables/global>
#
#@{exec_path} = @{bin}/speech-dispatcher
#profile speech-dispatcher ${getExe' pkgs.speechd "speech-dispatcher"} flags=(complain) {
# include <abstractions/base>
# include <abstractions/audio-client>
# include <abstractions/bus-session>
# include <abstractions/consoles>
# include <abstractions/nameservice-strict>
# network inet stream,
# network inet6 stream,
# @{exec_path} mr,
# @{sh_path} ix,
# @{lib}/speech-dispatcher/** r,
# @{lib}/speech-dispatcher/speech-dispatcher-modules/* ix,
# /etc/machine-id r,
# /etc/speech-dispatcher/{,**} r,
# owner @{run}/user/@{uid}/speech-dispatcher/ rw,
# owner @{run}/user/@{uid}/speech-dispatcher/** rwk,
# include if exists <local/speech-dispatcher>
#} '';
# };
osu-lazer = {
state = "disable";
profile = ''
abi <abi/4.0>,
include <tunables/global>
profile osu-lazer @{bin}/osu\! flags=(attach_disconnected) {
include <abstractions/base> # read access to /nix/store, basic presets for most apps
include <abstractions/common/bwrap>
include <abstractions/devices-usb>
include <abstractions/nameservice-strict>
include <abstractions/app/udevadm>
include <abstractions/app/bus>
include <abstractions/common/game>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
owner @{PROC}/@{pid}/net/dev r,
owner @{PROC}/@{pid}/net/if_inet6 r,
owner @{PROC}/@{pid}/net/ipv6_route r,
owner @{PROC}/@{pid}/net/route r,
capability mknod,
/dev/tty{@{d},} rw,
${pkgs.osu-lazer-bin}/bin/osu? ix,
${getExe pkgs.bubblewrap} rix,
/nix/store/*-osu-lazer-bin-*-bwrap ix,
/nix/store/*-osu-lazer-bin-*-init ix,
/nix/store/*-container-init ix,
/nix/store/*-osu-lazer-bin-*-extracted/** rk,
/nix/store/*-osu-lazer-bin-*-extracted/AppRun ix,
/nix/store/*-osu-lazer-bin-*-extracted/usr/bin/** ix,
@{bin}/ldconfig ix,
@{bin}/appimage-exec.sh ix,
@{bin}/rev ix,
@{bin}/bash ix,
@{bin}/grep ix,
@{bin}/lsblk ix,
@{bin}/awk ix,
@{bin}/gawk ix,
@{bin}/xdg-mime Px,
/usr/bin/xdg-mime Px,
${getExe' pkgs.gamemode "gamemoderun"} ix,
owner @{HOME}/@{XDG_DATA_DIR}/osu/** rwkm,
owner @{HOME}/.dotnet/** rwkm,
owner @{HOME}/@{XDG_DATA_DIR}/Sentry/** rwk,
owner @{HOME}/@{XDG_CONFIG_DIR}/mimeapps* rwk,
owner @{HOME}/@{XDG_DATA_DIR}/applications/discord-*.desktop rwk,
/nix/store/*-etc-os-release rk,
/nix/store/*/share/zoneinfo/** rk,
owner /tmp/** rwk,
/usr/lib/ r,
owner /var/cache/ldconfig/ rw,
owner /etc/ld.so* rw,
owner @{PROC}/@{pid}/{maps,stat} rk,
@{PROC}/sys/kernel/os{type,release} rk,
/dev/snd/** rw,
/dev/udmabuf wr,
/.host-etc/alsa/conf.d/{,**} r,
/.host-etc/ssl/certs/{,**} r,
/.host-etc/resolv.conf rk,
}
'';
};
};
};
}

77
hardening/default.nix Normal file
View file

@ -0,0 +1,77 @@
{
lib,
pkgs,
config,
...
}:
{
imports = [
./systemd
./ssh-as-sudo.nix
./apparmor
./opensnitch
./security.nix
./encrypt-dns.nix
./filesystem-deny-mount.nix
];
specialisation.unhardened.configuration = {
services.opensnitch.enable = lib.mkForce false;
security.apparmor.enable = lib.mkForce false;
};
systemd.oomd.enable = false;
boot.kernel.sysctl = {
"net.ipv6.conf.all.accept_ra" = 0;
"net.ipv6.conf.default.accept_ra" = 0;
"net.ipv4.conf.all.send_redirects"=0;
"net.ipv4.conf.default.accept_source_route"=0;
"net.ipv4.conf.all.accept_redirects"=0;
"net.ipv4.conf.default.accept_redirects"=0;
"net.ipv6.conf.all.accept_redirects"=0;
"net.ipv6.conf.default.accept_redirects"=0;
"net.ipv4.conf.all.secure_redirects"=0;
"net.ipv4.conf.default.secure_redirects"=0;
"net.ipv4.conf.all.log_martians"=1;
"net.ipv4.conf.default.log_martians"=1;
"net.ipv4.icmp_echo_ignore_broadcasts"=1;
"net.ipv4.conf.all.rp_filter"=1;
"net.ipv4.conf.default.rp_filter"=1;
"fs.suid_dumpable" = 0;
};
environment.etc."motd" = { text = config.users.motd; mode = "644"; };
environment.etc."limits.conf".text = "* hard core 0";
environment.etc."hosts.allow" = { text = "ALL: LOCAL"; mode = "644"; };
environment.etc."hosts.deny" = { text = ""; mode = "644"; };
environment.etc."issue" = { text = "Authorized uses only. All activity may be monitored and reported."; mode = "644"; };
environment.etc."issue.net" = { text = "Authorized uses only. All activity may be monitored and reported."; mode = "644"; };
# systemd.tmpfiles.rules = [
# "L+ /etc/passwd- 0644 root root - /etc/passwd"
# "L+ /etc/shadow- 0644 root root - /etc/shadow"
# "L+ /etc/group- 0644 root root - /etc/group"
# "L+ /etc/gshadow- 0644 root root - /etc/gshadow"
# ];
users.motd = "welcome to grimms paranoid box";
security.loginDefs.settings = {
# PASS_MAX_DAYS = 365;
PASS_MIN_DAYS = 7;
PASS_WARN_AGE = 14;
ENCRYPT_METHOD = "SHA512";
};
systemd.tpm2.enable = false;
systemd.enableEmergencyMode = false;
virtualisation.vswitch.enable = false;
security.unprivilegedUsernsClone = true;
security.apparmor.enable = true;
security.allowSimultaneousMultithreading = true;
security.pam.services.systemd-run0 = {};
environment.defaultPackages = lib.mkForce [ ];
environment.systemPackages = with pkgs; [ nano clamav linux-bench ];
}

60
hardening/encrypt-dns.nix Normal file
View file

@ -0,0 +1,60 @@
{ pkgs, config, lib, ... }:
{
networking = {
nameservers = lib.mkForce [ "127.0.0.1" "::1" ];
# nameservers = lib.mkForce [ "127.0.0.1:8053" "[::1]:8053" ];
dhcpcd.extraConfig = "nohook resolv.conf"; # dhcp
networkmanager.dns = "none"; # nm
resolvconf.useLocalResolver = true; # resoved
};
services.tor = {
enable = true;
client.enable = true;
torsocks = {
enable = true;
allowInbound = false;
};
settings.SafeSocks = true;
settings.TestSocks = true;
};
services.dnscrypt-proxy2 = {
enable = true;
settings = {
ipv6_servers = config.networking.enableIPv6;
ipv4_servers = true;
require_dnssec = true;
dnscrypt_servers = true;
doh_servers = true;
odoh_servers = false;
require_nolog = true;
require_nofilter = true;
listen_addresses = [ "127.0.0.1:53" ];
proxy = "socks5://${config.services.tor.torsocks.server}";
force_tcp = true;
sources.public-resolvers = let
serverList = pkgs.fetchurl {
# fetching during build prevents issues e.g. when the certificate can't be validated if the clock is wrong
url = "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md";
hash = "sha256-2Pjs37mMolfWaaTf2c+tTbc1mzjCncK9qLyyZJn0LgA=";
};
in {
urls = [
"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
"https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
];
cache_file = serverList;
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
};
# You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
# server_names = [ ... ];
};
};
systemd.services.dnscrypt-proxy2.serviceConfig = {
StateDirectory = "dnscrypt-proxy";
};
}

46
hardening/filesystem-deny-mount.nix Normal file
View file

@ -0,0 +1,46 @@
{ pkgs,... }:
{
# copied from https://github.com/NixOS/nixpkgs/issues/11790#issuecomment-2409053332
# Create a symlink from /bin/true to the Nix-managed true binary.
environment.etc."bin/true".source = "${pkgs.coreutils}/bin/true";
# CIS 1.1.1.1.a Ensure mounting of cramfs filesystems is disabled
environment.etc."modprobe.d/cramfs.conf".text = ''
install cramfs /bin/true
'';
# CIS 1.1.1.2.a Ensure mounting of freevxfs filesystems is disabled
environment.etc."modprobe.d/freevxfs.conf".text = ''
install freevxfs /bin/true
'';
# CIS 1.1.1.3.a Ensure mounting of jffs2 filesystems is disabled
environment.etc."modprobe.d/jffs2.conf".text = ''
install jffs2 /bin/true
'';
# CIS 1.1.1.4.a Ensure mounting of hfs filesystems is disabled
environment.etc."modprobe.d/hfs.conf".text = ''
install hfs /bin/true
'';
# CIS 1.1.1.5.a Ensure mounting of hfsplus filesystems is disabled
environment.etc."modprobe.d/hfsplus.conf".text = ''
install hfsplus /bin/true
'';
# CIS 1.1.1.6.a Ensure mounting of squashfs filesystems is disabled
environment.etc."modprobe.d/squashfs.conf".text = ''
install squashfs /bin/true
'';
# CIS 1.1.1.7.a Ensure mounting of udf filesystems is disabled
environment.etc."modprobe.d/udf.conf".text = ''
install udf /bin/true
'';
# CIS 1.1.1.8.a Ensure mounting of FAT filesystems is disabled
# environment.etc."modprobe.d/fat.conf".text = ''
# install fat /bin/true
# '';
environment.etc."modprobe.d/CIS.conf".text = ''
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
'';
}

30
hardening/opensnitch/block_lists.nix Normal file
View file

@ -0,0 +1,30 @@
{
stdenv,
fetchFromGitHub,
lib,
}:
stdenv.mkDerivation rec {
pname = "stevenblack_block";
version = "3.14.116";
src = fetchFromGitHub {
owner = "StevenBlack";
repo = "hosts";
rev = version;
hash = "sha256-MATJK6QO//6z5CXS3zVo/s/Bz6c2z0g8C+InM5iiv2o=";
};
installPhase = ''
mkdir $out
# cp $src/hosts $out/hosts.list
grep 0\.0\.0\.0 $src/hosts > $out/hosts.list
'';
meta = {
description = "Consolidating and extending hosts files from several well-curated sources. Optionally pick extensions for porn, social media, and other categories.";
homepage = "https://github.com/StevenBlack/hosts";
license = lib.licenses.mit;
maintainers = with lib.maintainers; [ grimmauld ];
platforms = lib.platforms.all;
};
}

92
hardening/opensnitch/cups.nix Normal file
View file

@ -0,0 +1,92 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
network
;
inherit (lib)
concatLines
getExe'
mkIf
;
local_network = [
"192.168.0.0/16"
"10.0.0.0/8"
"172.16.0.0/12"
"fc00::/7"
];
local_ips = pkgs.writeTextDir "local_ips.list" (concatLines local_network);
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
avahi = mkIf (config.services.avahi.enable) {
name = "avahi";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' config.services.avahi.package "avahi-daemon";
}
{
type = "regexp";
operand = "dest.port";
data = "5353";
}
{
type = "simple";
operand = "user.id";
data = "996";
}
];
};
};
cups-filters = mkIf (config.services.printing.enable) {
name = "cups-filters";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.cups-filters "cups-browsed";
}
{
type = "regexp";
operand = "dest.port";
data = "631|80";
}
{
type = "lists";
operand = "lists.nets";
data = local_ips;
}
];
};
};
};
};
}

56
hardening/opensnitch/default.nix Normal file
View file

@ -0,0 +1,56 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
graphical
network
;
inherit (lib)
optional
mkIf
;
in
{
imports = [
./vesktop.nix
./nix.nix
./spotify.nix
./global.nix
./time.nix
./osu.nix
./cups.nix
./network_support.nix
./firefox.nix
./tooling.nix
./dns.nix
./tor.nix
];
config = mkIf (enable && tooling.enable && network) {
environment.systemPackages = optional graphical pkgs.opensnitch-ui;
grimmShared.sway.config.autolaunch = optional graphical pkgs.opensnitch-ui;
networking.nftables.enable = true;
# security.audit.enable = true;
systemd.services.opensnitchd.path = lib.optional (
config.services.opensnitch.settings.ProcMonitorMethod == "audit"
) pkgs.audit.bin;
services.opensnitch = {
enable = true;
settings = {
DefaultAction = "deny";
Firewall = if config.networking.nftables.enable then "nftables" else "iptables";
ProcMonitorMethod = "ftrace";
# ProcMonitorMethod = "audit";
};
};
};
}

15
hardening/opensnitch/discord_hosts/hosts.list Normal file
View file

@ -0,0 +1,15 @@
cloudflare.com
discordapp.com
discordapp.net
discord.gg
discord.com
vencord.dev
discord-attachments-uploads-prd.storage.googleapis.com
github.com
githubusercontent.com
scdn.co
spotify.com
discord.media
media.tenor.co
media.tenor.com

76
hardening/opensnitch/dns.nix Normal file
View file

@ -0,0 +1,76 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
network
;
inherit (lib)
getExe
mkIf
;
created = "1970-01-01T00:00:00.0+00:00";
dnscrypt_proxy_user = "dnscrypt-proxy2";
in
{
config = mkIf (enable && tooling.enable && network) {
users.users."${dnscrypt_proxy_user}" = {
isSystemUser = true;
group = dnscrypt_proxy_user;
uid = 991;
};
users.groups."${dnscrypt_proxy_user}" = { };
systemd.services.dnscrypt-proxy2.serviceConfig = {
User = dnscrypt_proxy_user;
Group = dnscrypt_proxy_user;
};
services.opensnitch.rules = {
dnscrypt-proxy = mkIf (config.services.dnscrypt-proxy2.enable) {
name = "dnscrypt-proxy";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe pkgs.dnscrypt-proxy;
}
{
type = "regexp";
operand = "dest.port";
data = "53|443|4434|5443|4343";
}
# {
# type = "lists";
# operand = "lists.nets";
# data = pkgs.writeTextDir "cidr_dns.list" (
# concatLines ((map (ip: "${ip}/32") config.networking.nameservers) ++ local_network)
# );
# }
{
type = "simple";
operand = "user.id";
data = builtins.toString (config.users.users."${dnscrypt_proxy_user}".uid);
}
];
};
};
};
};
}

54
hardening/opensnitch/firefox.nix Normal file
View file

@ -0,0 +1,54 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
network
;
inherit (lib)
getBin
mkIf
;
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
firefox =
let
cfg = config.programs.firefox;
pkg = (
cfg.package.override (old: {
extraPrefsFiles =
old.extraPrefsFiles or [ ]
++ cfg.autoConfigFiles
++ [ (pkgs.writeText "firefox-autoconfig.js" cfg.autoConfig) ];
nativeMessagingHosts = old.nativeMessagingHosts or [ ] ++ cfg.nativeMessagingHosts.packages;
cfg = (old.cfg or { }) // cfg.wrapperConfig;
})
);
in
# pkg = pkgs.firefox-unwrapped;
mkIf (config.programs.firefox.enable) {
name = "firefox";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "simple";
sensitive = false;
operand = "process.path";
data = "${getBin pkg}/lib/firefox/firefox";
};
};
};
};
}

62
hardening/opensnitch/global.nix Normal file
View file

@ -0,0 +1,62 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
network
;
inherit (lib) mkIf;
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
block-list = {
name = "block-list";
action = "deny";
enabled = true;
duration = "always";
inherit created;
operator = {
type = "lists";
operand = "lists.domains";
data = pkgs.callPackage ./block_lists.nix { };
};
};
localhost = {
name = "localhost";
enabled = true;
action = "allow";
duration = "always";
precedence = true;
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "dest.ip";
data = "^(127\\.0\\.0\\.1|::1)$";
};
};
icmp = {
name = "icmp";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "regexp";
operand = "protocol";
sensitive = false;
data = "icmp(4|6)?";
};
};
};
};
}

55
hardening/opensnitch/network_support.nix Normal file
View file

@ -0,0 +1,55 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
network
;
inherit (lib)
getExe'
mkIf
;
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
network-manager = mkIf (config.networking.networkmanager.enable) {
name = "network-manager";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.networkmanager "networkmanager";
}
{
type = "regexp";
operand = "dest.port";
data = "547|67";
}
# {
# type ="simple";
# operand = "dest.network";
# data = "ff02::1:2";
# }
];
};
};
};
};
}

80
hardening/opensnitch/nix.nix Normal file
View file

@ -0,0 +1,80 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
network
;
inherit (lib)
getExe
getExe'
mkIf
;
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
nix-index = {
name = "nix-index";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe' pkgs.nix-index-unwrapped "nix-index";
}
{
type = "regexp";
operand = "dest.port";
data = "443";
}
{
type = "simple";
sensitive = false;
operand = "dest.host";
data = "cache.nixos.org";
}
];
};
};
nix = {
name = "nix";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = getExe config.nix.package;
}
{
type = "regexp";
operand = "dest.port";
data = "443";
}
];
};
};
};
};
}

73
hardening/opensnitch/osu.nix Normal file
View file

@ -0,0 +1,73 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
graphical
network
;
inherit (lib)
escapeRegex
getVersion
mkIf
;
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
osu_deny = mkIf (config.grimmShared.gaming && graphical) {
name = "osu-deny";
enabled = true;
action = "deny";
precedence = false;
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.path";
data = "/nix/store/[a-z0-9]{32}-osu-lazer-bin-${escapeRegex (getVersion pkgs.osu-lazer-bin)}-extracted/usr/bin/osu!";
};
};
osu_allow = mkIf (config.grimmShared.gaming && graphical) {
name = "osu-allow";
enabled = true;
action = "allow";
precedence = true;
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
operand = "dest.port";
data = "443";
}
{
type = "regexp";
sensitive = false;
operand = "process.path";
data = "/nix/store/[a-z0-9]{32}-osu-lazer-bin-${escapeRegex (getVersion pkgs.osu-lazer-bin)}-extracted/usr/bin/osu!";
}
{
type = "regexp";
sensitive = false;
operand = "dest.host";
data = "(api\.github\.com)|((.+\.)?ppy\.sh)";
}
];
};
};
};
};
}

135
hardening/opensnitch/spotify.nix Normal file
View file

@ -0,0 +1,135 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
graphical
network
;
inherit (lib)
concatLines
mkIf
;
local_network = [
"192.168.0.0/16"
"10.0.0.0/8"
"172.16.0.0/12"
"fc00::/7"
];
local_ips = pkgs.writeTextDir "local_ips.list" (concatLines local_network);
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
spotify_deny = mkIf (config.grimmShared.spotify.enable && graphical) {
name = "spotify-deny";
enabled = true;
action = "deny";
precedence = false;
duration = "always";
inherit created;
operator = {
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped";
};
};
ncspot = mkIf (config.grimmShared.spotify.enable) {
name = "ncspot";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
operand = "dest.port";
data = "443|4070";
}
{
type = "simple";
sensitive = false;
operand = "process.path";
data = lib.getExe pkgs.ncspot;
}
{
type = "lists";
operand = "lists.domains_regexp";
data = ./spotify_hosts;
}
];
};
};
spotify_allow = mkIf (config.grimmShared.spotify.enable && graphical) {
name = "spotify-allow";
enabled = true;
action = "allow";
duration = "always";
precedence = true;
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
operand = "dest.port";
data = "443|4070";
}
{
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped";
}
{
type = "lists";
operand = "lists.domains_regexp";
data = ./spotify_hosts;
}
];
};
};
spotify_allow_local = mkIf (config.grimmShared.spotify.enable && graphical) {
name = "spotify-allow-local";
enabled = true;
action = "allow";
duration = "always";
precedence = true;
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.spotify}/share/spotify/.spotify-wrapped";
}
{
type = "lists";
operand = "lists.nets";
data = local_ips;
}
];
};
};
};
};
}

3
hardening/opensnitch/spotify_hosts/hosts.list Normal file
View file

@ -0,0 +1,3 @@
scdn.co
spotifycdn.com
spotify.com

60
hardening/opensnitch/time.nix Normal file
View file

@ -0,0 +1,60 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
network
;
inherit (lib)
mkIf
;
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
systemd-timesyncd = mkIf (config.services.timesyncd.enable) {
name = "systemd-timesyncd";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "simple";
sensitive = false;
operand = "process.path";
data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd";
}
{
type = "regexp";
operand = "dest.port";
data = "123|37";
}
# {
# type = "regexp";
# sensitive = false;
# operand = "dest.host";
# data = ".*\.nixos\.pool\.ntp\.org";
# }
{
type = "simple";
operand = "user.id";
data = "154";
}
];
};
};
};
};
}

52
hardening/opensnitch/tooling.nix Normal file
View file

@ -0,0 +1,52 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
network
;
inherit (lib)
mkIf
;
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
git = {
name = "git-allow-all";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.path";
data = "${lib.escapeRegex pkgs.git.outPath}/.*";
};
};
ssh = {
name = "ssh-allow-all";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.path";
data = "${lib.escapeRegex pkgs.openssh.outPath}/.*";
};
};
};
};
}

37
hardening/opensnitch/tor.nix Normal file
View file

@ -0,0 +1,37 @@
{
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
network
;
inherit (lib)
mkIf
;
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
tor = mkIf (config.services.tor.enable) {
name = "tor";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "simple";
sensitive = false;
operand = "process.path";
data = lib.getExe' config.services.tor.package "tor";
};
};
};
};
}

140
hardening/opensnitch/vesktop.nix Normal file
View file

@ -0,0 +1,140 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
graphical
network
;
inherit (lib)
escapeRegex
getVersion
mkIf
;
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
vesktop_deny = mkIf graphical {
name = "vesktop-deny";
enabled = true;
action = "deny";
precedence = false;
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.command";
data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
};
};
vesktop_allow = mkIf graphical {
name = "vesktop-allow";
enabled = true;
action = "allow";
precedence = true;
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
sensitive = false;
operand = "process.command";
data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
}
{
type = "lists";
operand = "lists.domains_regexp";
data = ./discord_hosts;
}
];
};
};
vesktop_daemon_allow_udp = mkIf graphical {
name = "vesktop-allow-udp";
enabled = true;
action = "allow";
precedence = true;
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
sensitive = false;
operand = "process.command";
data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
}
{
type = "simple";
operand = "protocol";
data = "udp";
}
{
type = "regexp";
operand = "dest.port";
data = "500[0-9]{2}";
}
];
};
};
vesktop_daemon_deny = mkIf graphical {
name = "vesktop-daemon-deny";
enabled = true;
action = "deny";
precedence = false;
duration = "always";
inherit created;
operator = {
type = "regexp";
sensitive = false;
operand = "process.command";
data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
};
};
vesktop_daemon_allow = mkIf graphical {
name = "vesktop-daemon-allow";
enabled = true;
action = "allow";
precedence = true;
duration = "always";
inherit created;
operator = {
type = "list";
operand = "list";
list = [
{
type = "regexp";
sensitive = false;
operand = "process.command";
data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
}
{
type = "lists";
operand = "lists.domains_regexp";
data = ./discord_hosts;
}
];
};
};
};
};
}

97
hardening/security.nix Normal file
View file

@ -0,0 +1,97 @@
{
pkgs,
config,
lib,
inputs,
system,
...
}:
let
inherit (lib)
optional
filterAttrs
mkDefault
attrNames
;
age_plugins = with pkgs; [ age-plugin-yubikey ];
in
{
config = {
security.polkit.enable = mkDefault true;
security.rtkit.enable = true;
security.pam.yubico = {
enable = true;
id = [ "26681512" ];
# debug = true;
mode = "challenge-response";
control = lib.mkDefault "sufficient";
};
# security.doas.enable = true;
security.sudo.enable = mkDefault true;
security.sudo.execWheelOnly = true;
security.doas.extraRules = [
{
users = attrNames (filterAttrs (n: v: v.isNormalUser) config.users.users);
keepEnv = true;
persist = true;
}
];
# services.pcscd.enable = true;
age.ageBin =
let
rage_wrapped = pkgs.symlinkJoin {
name = "rage";
paths = [ pkgs.rage ];
buildInputs = [ pkgs.makeWrapper ];
postBuild = ''
wrapProgram $out/bin/rage \
--prefix PATH : ${lib.makeBinPath age_plugins}
'';
};
in
lib.getExe' rage_wrapped "rage";
programs.yubikey-touch-detector.enable = config.programs.sway.enable;
services.yubikey-agent.enable = true;
environment.systemPackages =
(with pkgs; [
mkpasswd
# gnupg
libsecret
vulnix
(inputs.agenix.packages."${system}".default.override { plugins = age_plugins; })
yubikey-manager
yubico-pam
yubikey-personalization
pkgs.pass
])
++ age_plugins
++ (optional config.security.doas.enable pkgs.sudo-doas-shim);
# ++ (optional graphical pkgs.lxqt.lxqt-policykit);
services.passSecretService.enable = true;
services.openssh.settings.LoginGraceTime = 0;
# programs.gnupg.agent = {
# settings = {
# # default-cache-ttl = 6000;
# };
# pinentryPackage = mkForce (if graphical then pkgs.pinentry-qt else pkgs.pinentry-tty);
# enable = true;
# enableSSHSupport = true;
# };
grimmShared.firefox.plugins = {
"passff@invicem.pro" = "passff";
};
programs.firefox.nativeMessagingHosts.packages = [ pkgs.passff-host ];
};
}

49
hardening/ssh-as-sudo.nix Normal file
View file

@ -0,0 +1,49 @@
{ pkgs, lib, ... }:
{
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
challengeResponseAuthentication = false;
# PermitRootLogin = "no";
KbdInteractiveAuthentication = false;
};
# settings.UsePAM = false;
openFirewall = lib.mkDefault false;
allowSFTP = lib.mkDefault false;
# startWhenNeeded = true;
extraConfig = ''
allowtcpforwarding no
X11Forwarding no
AllowAgentForwarding no
AllowStreamLocalForwarding no
AuthenticationMethods publickey
Protocol 2
MaxAuthTries 4
PermitEmptyPasswords no
PermitUserEnvironment no
MaxSessions 4
LoginGraceTime 60
ClientAliveCountMax 3
ClientAliveInterval 15
HostbasedAuthentication no
IgnoreRhosts yes
banner /etc/issue.net
maxstartups 10:30:60
'';
};
users.users.root = {
# isSystemUser = true;
# isNormalUser = true;
uid = 0;
openssh.authorizedKeys.keyFiles = [ ../ssh/id_ed25519_sk.pub ];
# home = "/root";
hashedPassword = null;
createHome = lib.mkForce true;
};
programs.ssh.startAgent = true;
# security.sudo.enable = false;
# services.yubikey-agent.enable = true;
}

61
hardening/systemd/NetworkManager.nix Normal file
View file

@ -0,0 +1,61 @@
{ lib, config, ... }:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
NetworkManager.serviceConfig = {
CapabilityBoundingSet = [
""
(lib.concatStringsSep " " [
"cap_net_bind_service"
"cap_net_admin"
"cap_net_raw"
])
];
NoNewPrivileges = true;
RestrictNamespaces = "net uts";
ProtectControlGroups = true;
ProtectKernelModules = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
ProtectProc = "invisible";
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
PrivateDevices = true;
LockPersonality = true;
# PrivateUsers = true; # BAD
# ProtectKernelTunables = true; # BAD
ProcSubset = "pid";
ProtectSystem = true;
};
NetworkManager-dispatcher.serviceConfig = {
CapabilityBoundingSet = [
""
(lib.concatStringsSep " " [
"cap_net_bind_service"
"cap_net_admin"
"cap_net_raw"
])
];
UMask = "0700";
NoNewPrivileges = true;
RestrictNamespaces = "net uts";
ProtectControlGroups = true;
ProtectKernelModules = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
ProtectProc = "invisible";
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
PrivateDevices = true;
LockPersonality = true;
# PrivateUsers = true; # BAD
# ProtectKernelTunables = true; # BAD
ProcSubset = "pid";
ProtectSystem = true;
};
};
}

45
hardening/systemd/acpid.nix Normal file
View file

@ -0,0 +1,45 @@
{ lib, config, ... }:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
acpid.serviceConfig = {
CapabilityBoundingSet = [
""
];
RestrictNamespaces = [
"~pid"
"~user"
"~net"
"~uts"
"~mnt"
"~cgroup"
"~ipc"
];
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
LockPersonality = true;
ProtectSystem = "strict";
PrivateUsers = true;
RestrictRealtime = true;
PrivateTmp = true;
ProtectHome = true;
ProtectProc = "invisible";
ProtectKernelLogs = true;
IPAddressAllow = [ ];
PrivateDevices = false; # acpi needs device access
PrivateNetwork = false; # required for netlink to work properly
NoNewPrivileges = false; # acpi hooks might want to execute things at higher/different access
ProcSubset = "all"; # requires access to /proc/acpi
RestrictAddressFamilies = [
"AF_NETLINK"
"AF_UNIX"
];
};
};
}

41
hardening/systemd/ask-password.nix Normal file
View file

@ -0,0 +1,41 @@
{ lib, config, ... }:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
systemd-ask-password-console.serviceConfig = {
CapabilityBoundingSet = [
""
];
NoNewPrivileges = true;
RestrictNamespaces = "pid";
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
LockPersonality = true;
RestrictRealtime = true;
ProtectProc = "invisible";
PrivateUsers = true;
};
systemd-ask-password-wall.serviceConfig = {
CapabilityBoundingSet = [
""
];
NoNewPrivileges = true;
RestrictNamespaces = "pid";
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
LockPersonality = true;
RestrictRealtime = true;
ProtectProc = "invisible";
PrivateUsers = true;
};
};
}

23
hardening/systemd/auditd.nix Normal file
View file

@ -0,0 +1,23 @@
{ lib, config, ... }:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
auditd.serviceConfig = {
# CapabilityBoundingSet = [ "CAP_AUDIT_*" "CAP_SYSLOG" "CAP_SYS_NICE" "CAP_SYS_PACCT" "CAP_SYS_PTRACE" ];
NoNewPrivileges = true;
RestrictNamespaces = "pid";
ProtectControlGroups = true;
ProtectKernelModules = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
LockPersonality = true;
ProtectSystem = true;
# PrivateUsers=true;
# PrivateNetwork=true;
RestrictRealtime = true;
IPAddressAllow = [ ];
RestrictAddressFamilies = "AF_NETLINK";
};
};
}

57
hardening/systemd/bluetooth.nix Normal file
View file

@ -0,0 +1,57 @@
{ lib, config, ... }:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
bluetooth.serviceConfig = {
CapabilityBoundingSet = [
"CAP_NET_BIND_SERVICE" # sockets and tethering
];
NoNewPrivileges = true;
RestrictNamespaces = [
"~pid"
"~user"
"~net"
"~uts"
"~mnt"
"~cgroup"
"~ipc"
];
ProtectControlGroups = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
LockPersonality = true;
RestrictRealtime = true;
ProtectProc = "invisible";
PrivateTmp = true;
PrivateUsers = false;
# loading hardware modules
ProtectKernelModules = false;
ProtectKernelTunables = false;
PrivateNetwork = false; # tethering
};
blueman-mechanism.serviceConfig = {
CapabilityBoundingSet = [
""
];
NoNewPrivileges = true;
RestrictNamespaces = "pid";
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
LockPersonality = true;
RestrictRealtime = true;
ProtectProc = "invisible";
PrivateUsers = true;
};
};
}

30
hardening/systemd/cups.nix Normal file
View file

@ -0,0 +1,30 @@
{ lib, config, ... }:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
cups.serviceConfig = {
CapabilityBoundingSet = [
"CAP_LEASE CAP_MKNOD CAP_SYS_RAWIO CAP_SYS_RESOURCE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN"
];
NoNewPrivileges = true;
RestrictNamespaces = "pid";
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service @privileged";
LockPersonality = true;
RestrictRealtime = true;
ProtectProc = "invisible";
ReadWritePaths = "/var/run/cups";
# PrivateUsers=true;
PrivateNetwork = true;
RestrictAddressFamilies = "AF_UNIX";
# ProtectSystem=true;
};
};
}

62
hardening/systemd/dbus-broker.nix Normal file
View file

@ -0,0 +1,62 @@
{
lib,
config,
...
}:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
dbus-broker.serviceConfig = {
DevicePolicy = "closed";
KeyringMode = "private";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = "read-only";
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "full";
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
RestrictAddressFamilies = [
# "AF_INET"
# "AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = [
"~pid"
"~user"
"~net"
"~uts"
"~mnt"
"~cgroup"
"~ipc"
];
SystemCallFilter = [
"@system-service"
"@privileged"
];
PrivateMounts = true;
# CapabilityBoundingSet = [
# "CAP_NET_BIND_SERVICE"
# "CAP_SETGID"
# "CAP_SETUID"
# "CAP_SYS_CHROOT"
# "cap_dac_override"
# ];
# PrivateUsers = false; # important
# PrivateNetwork = false; # important
};
};
}

32
hardening/systemd/default.nix Normal file
View file

@ -0,0 +1,32 @@
{ lib, config, ... }:
let
inherit (lib) mkDefault types mkIf;
eq = a: b: a == b;
noPred =
preds: x:
if preds == [ ] then
true
else if (lib.head preds) x then
false
else
noPred (lib.tail preds) x;
in
{
imports = [
# ./NetworkManager.nix
./wpa_supplicant.nix
./auditd.nix
./acpid.nix
# ./cups.nix
# ./bluetooth.nix
# ./tty.nix
./ask-password.nix
# ./nix-daemon.nix
./nscd.nix
./rtkit.nix
./sshd.nix
./dbus-broker.nix
./global
];
}

37
hardening/systemd/global/clock.nix Normal file
View file

@ -0,0 +1,37 @@
{ lib, config, ... }:
let
inherit (lib) mkDefault types mkIf;
in
{
options.systemd.services = lib.mkOption {
type =
let
osConfig = config;
in
types.attrsOf (
lib.types.submodule (
{ config, name, ... }:
{
config.serviceConfig = mkIf (osConfig.specialisation != { }) {
ProtectClock = mkDefault true;
};
}
)
);
};
config = mkIf (config.specialisation != { }) {
systemd.services = {
systemd-timesyncd.serviceConfig = {
ProtectClock = false;
SystemCallFilter = "@system-service @clock";
};
save-hwclock.serviceConfig = {
ProtectClock = false;
SystemCallFilter = "@system-service @clock";
};
};
};
}

9
hardening/systemd/global/default.nix Normal file
View file

@ -0,0 +1,9 @@
{
imports = [
./hostname.nix
./clock.nix
./realtime.nix
./syscall_arch.nix
./suidsgid.nix
];
}

29
hardening/systemd/global/hostname.nix Normal file
View file

@ -0,0 +1,29 @@
{ lib, config, ... }:
let
inherit (lib) types mkIf mkDefault;
in
{
options.systemd.services = lib.mkOption {
type =
let
osConfig = config;
in
types.attrsOf (
lib.types.submodule (
{ config, name, ... }:
{
config.serviceConfig = mkIf (osConfig.specialisation != { }) {
ProtectHostname = mkDefault true;
};
}
)
);
};
config = mkIf (config.specialisation != { }) {
systemd.services = {
systemd-hostnamed.serviceConfig.ProtectHostname = false;
nix-daemon.serviceConfig.ProtectHostname = false;
};
};
}

27
hardening/systemd/global/realtime.nix Normal file
View file

@ -0,0 +1,27 @@
{ lib, config, ... }:
let
inherit (lib) mkDefault types mkIf;
in
{
options.systemd.services = lib.mkOption {
type =
let
osConfig = config;
in
types.attrsOf (
lib.types.submodule {
config.serviceConfig = mkIf (osConfig.specialisation != { }) {
RestrictRealtime = mkDefault true;
};
}
);
};
config = mkIf (config.specialisation != { }) {
systemd.services = {
rtkit-daemon.serviceConfig.RestrictRealtime = false;
};
};
}

26
hardening/systemd/global/suidsgid.nix Normal file
View file

@ -0,0 +1,26 @@
{ lib, config, ... }:
let
inherit (lib) types mkIf mkDefault;
in
{
options.systemd.services = lib.mkOption {
type =
let
osConfig = config;
in
types.attrsOf (
lib.types.submodule {
config.serviceConfig = mkIf (osConfig.specialisation != { }) {
RestrictSUIDSGID = mkDefault true;
};
}
);
};
config = mkIf (config.specialisation != { }) {
systemd.services = {
suid-sgid-wrappers.serviceConfig.RestrictSUIDSGID = false;
};
};
}

22
hardening/systemd/global/syscall_arch.nix Normal file
View file

@ -0,0 +1,22 @@
{ lib, config, ... }:
let
inherit (lib) types mkIf mkDefault;
osConfig = config;
in
{
options.systemd.services = lib.mkOption {
type = types.attrsOf (
lib.types.submodule {
config.serviceConfig = mkIf (osConfig.specialisation != { }) {
SystemCallArchitectures = mkDefault "native";
};
}
);
};
config = mkIf (config.specialisation != { }) {
systemd.services = {
};
};
}

77
hardening/systemd/nix-daemon.nix Normal file
View file

@ -0,0 +1,77 @@
{
lib,
config,
...
}:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
nix-daemon.serviceConfig = {
MemoryDenyWriteExecute = true;
SystemCallArchitectures = "native";
RestrictSUIDSGID = true; # good, somehow???
RestrictAddressFamilies = [
"AF_UNIX"
"AF_INET"
"AF_INET6"
# "AF_NETLINK" # needed for some checks
]; # needed to download sources and caches
RestrictNamespaces = [
"user"
"net"
"uts"
"mnt"
"ipc"
"pid"
]; # namespaces needed for sandboxing
SystemCallFilter = [
"@system-service"
"@cpu-emulation"
"@mount"
"@privileged"
];
LockPersonality = true;
ProtectControlGroups = true;
ProtectKernelModules = true; # todo: does kvm need a modprobe here?
PrivateMounts = true;
ProtectProc = "invisible";
ProtectClock = true;
# file system
# PrivateTmp = true; # breaks --keep-failed
ProtectSystem = "strict";
ReadWritePaths = [
"/nix"
"/tmp"
];
# Scheduling: only do as much as resources are available
LimitNICE = 1;
Nice = 19;
RestrictRealtime = true;
# devices
DevicePolicy = "closed"; # allow pseudo-devices like /dev/null, but no real devices
DeviceAllow = "/dev/kvm"; # kvm is needed for VM tests
CapabilityBoundingSet = [
"CAP_FOWNER"
"CAP_CHOWN"
"CAP_SETUID"
"CAP_SETGID"
"CAP_SYS_ADMIN"
"CAP_DAC_OVERRIDE"
];
NoNewPrivileges = false; # build processes might need more
# ProtectKernelLogs=true; # BAD
# ProtectKernelTunables = true; # BAD
# PrivateUsers=true; BAD
# ProtectHome = "read-only"; # BAD
# ProtectHostname = true; # BAD!
# PrivateNetwork = true; # BAD!
};
};
}

47
hardening/systemd/nscd.nix Normal file
View file

@ -0,0 +1,47 @@
{
lib,
config,
...
}:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
nscd.serviceConfig = {
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
SystemCallArchitectures = "native";
RestrictSUIDSGID = true;
RestrictAddressFamilies = [
"AF_UNIX"
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
SystemCallFilter = "@system-service";
LockPersonality = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
PrivateMounts = true;
ProtectProc = "invisible";
ProtectClock = true;
# file system
PrivateTmp = true;
ProtectSystem = "strict";
RestrictRealtime = true;
PrivateUsers = true;
PrivateDevices = true;
CapabilityBoundingSet = [
"CAP_SETGID"
"CAP_SETUID"
"cap_dac_override"
];
ProtectKernelLogs = true;
ProtectKernelTunables = true;
ProtectHostname = true;
};
};
}

56
hardening/systemd/rtkit.nix Normal file
View file

@ -0,0 +1,56 @@
{
lib,
config,
...
}:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
rtkit-daemon.serviceConfig = {
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
SystemCallArchitectures = "native";
RestrictSUIDSGID = true;
RestrictAddressFamilies = "AF_UNIX";
RestrictNamespaces = [
"~pid"
"~user"
"~net"
"~uts"
"~mnt"
"~cgroup"
"~ipc"
];
SystemCallFilter = [
"@system-service"
"@chroot"
"@mount"
];
LockPersonality = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
PrivateMounts = true;
ProtectClock = true;
PrivateTmp = true;
ProtectSystem = "strict";
RestrictRealtime = false; # important
PrivateDevices = true;
ProcSubset = "pid";
CapabilityBoundingSet = [
"CAP_SYS_NICE"
"CAP_DAC_READ_SEARCH"
"CAP_SYS_CHROOT"
"CAP_SETGID"
"CAP_SETUID"
];
ProtectKernelLogs = true;
ProtectKernelTunables = true;
ProtectHome = true;
ProtectHostname = true;
PrivateNetwork = true;
};
};
}

62
hardening/systemd/sshd.nix Normal file
View file

@ -0,0 +1,62 @@
{
lib,
config,
...
}:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
sshd.serviceConfig = {
MemoryDenyWriteExecute = true;
SystemCallArchitectures = "native";
RestrictSUIDSGID = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = [
"~pid"
"~user"
"~net"
"~uts"
"~mnt"
"~cgroup"
"~ipc"
];
SystemCallFilter = [
"@system-service"
"@privileged"
];
LockPersonality = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
PrivateMounts = true;
ProtectProc = "invisible";
ProtectClock = true;
ProtectHostname = true;
# file system
PrivateTmp = true;
ProtectSystem = "strict";
ReadWritePaths = "/etc/ssh";
RestrictRealtime = true;
DevicePolicy = "closed"; # allow pseudo-devices like /dev/null, but no real devices
CapabilityBoundingSet = [
"CAP_NET_BIND_SERVICE"
"CAP_SETGID"
"CAP_SETUID"
"CAP_SYS_CHROOT"
"cap_dac_override"
];
ProtectKernelLogs = true;
ProtectKernelTunables = true;
PrivateUsers = false; # important
ProtectHome = false; # important
NoNewPrivileges = false; # IMPORTANT: allow new privileges for spawned shells
PrivateNetwork = false; # important
};
};
}

47
hardening/systemd/tty.nix Normal file
View file

@ -0,0 +1,47 @@
{ lib, config, ... }:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
"getty@".serviceConfig = {
CapabilityBoundingSet = [
"CAP_CHOWN"
"CAP_FOWNER"
"CAP_FSETID"
"CAP_SETGID"
"CAP_SETUID"
"CAP_SYS_NICE"
"CAP_SYS_RESOURCE"
"CAP_SYS_TTY_CONFIG"
];
# NoNewPrivileges = true;
RestrictNamespaces = [
"~pid"
"~user"
"~net"
"~uts"
"~mnt"
"~cgroup"
"~ipc"
];
ProtectControlGroups = true;
ProtectHome = false;
# ProtectClock = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
MemoryDenyWriteExecute = true;
# RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = lib.mkForce "@system-service";
LockPersonality = true;
ProtectProc = "invisible";
# PrivateUsers=true;
PrivateNetwork = true;
RestrictAddressFamilies = "AF_UNIX";
# ProtectSystem=true;
};
};
}

29
hardening/systemd/wpa_supplicant.nix Normal file
View file

@ -0,0 +1,29 @@
{ lib, config, ... }:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
wpa_supplicant.serviceConfig = {
CapabilityBoundingSet = [
""
(lib.concatStringsSep " " [
"cap_net_bind_service"
"cap_net_admin"
"cap_net_raw"
"cap_net_broadcast"
])
];
NoNewPrivileges = true;
RestrictNamespaces = "net";
ProtectControlGroups = true;
ProtectKernelModules = true;
MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true;
ProtectProc = "invisible";
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
LockPersonality = true;
ProcSubset = "pid";
ProtectSystem = true;
};
};
}

181
hm/common/default.nix Normal file
View file

@ -0,0 +1,181 @@
{
pkgs,
config,
osConfig,
lib,
...
}:
let
getIfHas =
path: attrs:
if path == [ ] then
attrs
else if builtins.hasAttr (builtins.head path) attrs then
getIfHas (builtins.tail path) (builtins.getAttr (builtins.head path) attrs)
else
null;
osConfigGetIfHasOrFalse = path: lib.defaultTo false (getIfHas (lib.splitString "." path) osConfig);
user = config.home.username;
homedir = config.home.homeDirectory;
graphical = osConfigGetIfHasOrFalse "grimmShared.graphical";
in
{
home.preferXdgDirectories = true;
home.packages =
with pkgs;
[
deskwhich
]
++ lib.optionals graphical [
# imhex
# libreoffice-qt
filezilla
obsidian
nomacs
pdfarranger
krita
# weasis
# kicad
prusa-slicer
freecad
openscad
iamb
confy
authenticator
signal-desktop
vlc
# blender
];
home.shellAliases = {
":q" = "exit";
"ls" = "eza";
"lix" = "nix";
"l" = "eza -hla";
"vi" = "hx";
"bat" = "bat --theme=Dracula";
};
programs.thunderbird = {
enable = graphical;
profiles.default = {
isDefault = true;
};
};
programs.zathura.enable = graphical;
programs.bash = {
enable = true;
enableCompletion = true;
};
services.mpris-proxy.enable = true;
# services.ssh-agent.enable = true;
programs.alacritty = {
enable = graphical;
settings = {
font.size = 16;
font.normal = {
family = "Noto Sans Mono";
};
window.opacity = 0.85;
};
};
programs.starship = {
enable = true;
enableBashIntegration = true;
settings = {
format = "$all$directory$character";
nodejs.disabled = true;
cmake.symbol = "cmake ";
custom.shell = {
command = "basename $SHELL";
when = "test -v SHELL";
format = " in [$output]($style)";
# ignore_timeout = true;
};
# env_var.SHELL = {variable = "SHELL"; default = ""; };
};
};
programs.fzf.enable = true;
programs.fzf.tmux.enableShellIntegration = true;
programs.thefuck = {
enable = true;
enableBashIntegration = true;
};
programs.helix = {
enable = true;
defaultEditor = true;
settings = {
editor.cursor-shape.insert = "bar";
theme = "base16_transparent";
};
extraPackages = with pkgs; [
marksman
nixd
];
};
gtk.iconTheme = {
package = pkgs.adwaita-icon-theme;
name = "Adwaita";
};
gtk.theme = {
package = pkgs.adw-gtk3;
name = "adw-gtk3-dark";
};
gtk.enable = true;
programs.tmux = {
enable = true;
clock24 = true;
historyLimit = 50000;
newSession = true;
};
systemd.user.enable = true;
systemd.user.tmpfiles.rules = lib.optional (osConfigGetIfHasOrFalse "services.printing.cups-pdf.enable") "L ${homedir}/PDF - - - - /var/spool/cups-pdf-pdf/users/${user}";
xdg.userDirs = {
enable = true;
createDirectories = true;
};
programs.gradle = {
enable = true;
settings = {
# "org.gradle.java.home" = "${pkgs.openjdk}/lib/openjdk";
"org.gradle.java.installations.auto-detect" = false;
};
};
programs.gpg = {
enable = true;
mutableKeys = true;
publicKeys = [
{
source = ./grimmauld.gpg;
trust = 5;
}
];
};
services.gpg-agent = {
enable = true;
enableBashIntegration = true;
pinentryPackage = if graphical then pkgs.pinentry-qt else pkgs.pinentry-tty;
};
# xdg.mimeApps.enable = true;
}

Some files were not shown because too many files have changed in this diff Show more