From 4edefd3f19a77d01e156dbda901fc06ab652dc8f Mon Sep 17 00:00:00 2001 From: Dmitriy Kholkin Date: Thu, 26 Jan 2023 00:36:27 +0300 Subject: [PATCH] update --- patches/gitea-208605.patch | 45 ++++ patches/mullvad.patch | 14 ++ patches/postfix-93305.patch | 265 +++++++++++++++++++++++ patches/zen-kernels.patch | 12 +- profiles/applications/firefox.nix | 24 +- profiles/applications/packages.nix | 4 +- profiles/applications/vscode/default.nix | 75 +++---- profiles/overlay.nix | 2 +- profiles/packages/hyprpaper.nix | 80 ------- profiles/packages/parsec.nix | 2 +- profiles/servers/stable-diffusion.nix | 4 +- profiles/services.nix | 16 +- profiles/virtualisation.nix | 2 +- profiles/workspace/aria2.nix | 3 +- profiles/workspace/gpg.nix | 6 +- profiles/workspace/mako.nix | 4 +- profiles/workspace/misc.nix | 5 +- profiles/workspace/nix-index.nix | 2 +- profiles/workspace/ssh.nix | 9 +- profiles/workspace/xdg.nix | 3 +- profiles/workspace/zsh/default.nix | 4 +- 21 files changed, 410 insertions(+), 171 deletions(-) create mode 100644 patches/gitea-208605.patch create mode 100644 patches/mullvad.patch create mode 100644 patches/postfix-93305.patch delete mode 100644 profiles/packages/hyprpaper.nix diff --git a/patches/gitea-208605.patch b/patches/gitea-208605.patch new file mode 100644 index 0000000..f286241 --- /dev/null +++ b/patches/gitea-208605.patch 
@@ -0,0 +1,45 @@
+From 482bafe254f447040d10716a5e8cd6692b743994 Mon Sep 17 00:00:00 2001
+From: Izorkin
+Date: Sun, 1 Jan 2023 14:07:09 +0300
+Subject: [PATCH] nixos/gitea: update sandboxing options
+
+---
+ nixos/modules/services/misc/gitea.nix | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix
+index 00e90f5b32b47..d93bb393429de 100644
+--- a/nixos/modules/services/misc/gitea.nix
++++ b/nixos/modules/services/misc/gitea.nix
+@@ -567,7 +567,10 @@ in
+ Restart = "always";
+ # Runtime directory and mode
+ RuntimeDirectory = "gitea";
+- RuntimeDirectoryMode = "0755";
++ RuntimeDirectoryMode = "0750";
++ # Proc filesystem
++ ProcSubset = "pid";
++ ProtectProc = "invisible";
+ # Access write directories
+ ReadWritePaths = [ cfg.dump.backupDir cfg.repositoryRoot cfg.stateDir cfg.lfs.contentDir ];
+ UMask = "0027";
+@@ -587,15 +590,17 @@ in
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+- RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
++ RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
++ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
++ RemoveIPC = true;
+ PrivateMounts = true;
+ # System Call Filtering
+ SystemCallArchitectures = "native";
+- SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap";
++ SystemCallFilter = [ "~@cpu-emulation @debug @keyring @memlock @mount @obsolete @privileged @resources @setuid" "setrlimit" ];
+ };
+ 
+ environment = {
diff --git a/patches/mullvad.patch b/patches/mullvad.patch
new file mode 100644
index 0000000..b6e4091
--- /dev/null
+++ b/patches/mullvad.patch
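Review bot: The `"setrlimit"` re-allowed at the end of the new `SystemCallFilter` only covers the legacy syscall, while `~@resources` in the same line still denies `prlimit64`, which is what current glibc and the Go runtime use when they adjust rlimits; if gitea ever takes that path the default filter action kills the process with SIGSYS rather than returning an error. Suggest `SystemCallFilter = [ "~@cpu-emulation @debug @keyring @memlock @mount @obsolete @privileged @resources @setuid" "setrlimit" "prlimit64" ];`, or at least confirming in the journal that no seccomp kill appears at startup. Note also that `~@privileged` subsumes the `@clock @module @raw-io @reboot @swap` groups the removed line listed, so the deny set widens rather than shrinks, which is worth a one-line comment above the filter. The enclosing `serviceConfig` block starts and ends outside the hunk.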
@@ -0,0 +1,14 @@
+diff --git a/pkgs/applications/networking/mullvad-vpn/default.nix b/pkgs/applications/networking/mullvad-vpn/default.nix
+index 9b1a609d832..15dc909aa64 100644
+--- a/pkgs/applications/networking/mullvad-vpn/default.nix
++++ b/pkgs/applications/networking/mullvad-vpn/default.nix
+@@ -79,6 +79,9 @@ stdenv.mkDerivation rec {
+ 
+ wrapProgram $out/bin/mullvad-vpn --set MULLVAD_DISABLE_UPDATE_NOTIFICATION 1
+ 
++ wrapProgram $out/bin/mullvad-daemon \
++ --set-default MULLVAD_RESOURCE_DIR "$out/share/mullvad/resources"
++
+ sed -i "s|Exec.*$|Exec=$out/bin/mullvad-vpn $U|" $out/share/applications/mullvad-vpn.desktop
+ 
+ runHook postInstall
diff --git a/patches/postfix-93305.patch b/patches/postfix-93305.patch
new file mode 100644
index 0000000..788fa86
--- /dev/null
+++ b/patches/postfix-93305.patch
@@ -0,0 +1,265 @@ +From 769237466abb4614cf203c3d5b9adafe49451a26 Mon Sep 17 00:00:00 2001 +From: Izorkin +Date: Sat, 28 Dec 2019 12:51:41 +0300 +Subject: [PATCH 1/4] nixos/postfix: enable sandboxing + +--- + nixos/modules/services/mail/postfix.nix | 73 ++++++++++++++++--------- + 1 file changed, 47 insertions(+), 26 deletions(-) + +diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix +index ad10ba1d9090d..a499f83971d8c 100644 +--- a/nixos/modules/services/mail/postfix.nix ++++ b/nixos/modules/services/mail/postfix.nix +@@ -705,6 +705,34 @@ in + { ${setgidGroup}.gid = config.ids.gids.postdrop; + }; + ++ systemd.tmpfiles.rules = [ ++ "d '/var/lib/postfix' 0755 postfix postfix - -" ++ "d '/var/lib/postfix/conf' 0755 postfix postfix - -" ++ "d '/var/lib/postfix/data' 0750 postfix postfix - -" ++ "d '/var/lib/postfix/queue' 0755 postfix postfix - -" ++ "d '/var/lib/postfix/queue/active' 0700 postfix postdrop - -" ++ "d '/var/lib/postfix/queue/bounce' 0700 postfix postdrop - -" ++ "d '/var/lib/postfix/queue/corrupt' 0700 postfix postdrop - -" ++ "d '/var/lib/postfix/queue/defer' 0700 postfix postdrop - -" ++ "d '/var/lib/postfix/queue/deferred' 0700 postfix postdrop - -" ++ "d '/var/lib/postfix/queue/flush' 0700 postfix postdrop - -" ++ "d '/var/lib/postfix/queue/hold' 0700 postfix postdrop - -" ++ "d '/var/lib/postfix/queue/incoming' 0700 postfix postdrop - -" ++ "d '/var/lib/postfix/queue/maildrop' 0730 postfix postdrop - -" ++ "d '/var/lib/postfix/queue/pid' 0755 postfix postfix - -" ++ "d '/var/lib/postfix/queue/private' 0700 postfix postdrop - -" ++ "d '/var/lib/postfix/queue/public' 0710 postfix postdrop - -" ++ "d '/var/lib/postfix/queue/saved' 0700 postfix postdrop - -" ++ "d '/var/lib/postfix/queue/trace' 0700 postfix postdrop - -" ++ "d '/var/spool/mail' 1777 root root - -" ++ "Z '/var/lib/postfix' - postfix postfix - -" ++ "Z '/var/lib/postfix/queue/maildrop' - postfix postdrop - -" ++ "Z 
'/var/lib/postfix/queue/public' - postfix postdrop - -" ++ "L+ '/var/mail' - - - - /var/spool/mail" ++ "L+ '/var/lib/postfix/conf/main.cf' - - - - ${mainCfFile}" ++ "L+ '/var/lib/postfix/conf/master.cf' - - - - ${masterCfFile}" ++ ]; ++ + systemd.services.postfix = + { description = "Postfix mail server"; + +@@ -719,43 +747,36 @@ in + ExecStart = "${pkgs.postfix}/bin/postfix start"; + ExecStop = "${pkgs.postfix}/bin/postfix stop"; + ExecReload = "${pkgs.postfix}/bin/postfix reload"; ++ # Capabilities ++ CapabilityBoundingSet = [ "CAP_DAC_OVERRIDE" "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ]; ++ # Security ++ NoNewPrivileges = true; ++ # Sandboxing ++ ProtectSystem = "full"; ++ ProtectHome = true; ++ PrivateTmp = true; ++ PrivateDevices = true; ++ ProtectHostname = true; ++ ProtectKernelTunables = true; ++ ProtectKernelModules = true; ++ ProtectControlGroups = true; ++ LockPersonality = true; ++ MemoryDenyWriteExecute = true; ++ RestrictRealtime = true; ++ PrivateMounts = true; + }; + + preStart = '' +- # Backwards compatibility +- if [ ! 
-d /var/lib/postfix ] && [ -d /var/postfix ]; then +- mkdir -p /var/lib +- mv /var/postfix /var/lib/postfix +- fi +- +- # All permissions set according ${pkgs.postfix}/etc/postfix/postfix-files script +- mkdir -p /var/lib/postfix /var/lib/postfix/queue/{pid,public,maildrop} +- chmod 0755 /var/lib/postfix +- chown root:root /var/lib/postfix +- +- rm -rf /var/lib/postfix/conf +- mkdir -p /var/lib/postfix/conf +- chmod 0755 /var/lib/postfix/conf +- ln -sf ${pkgs.postfix}/etc/postfix/postfix-files /var/lib/postfix/conf/postfix-files +- ln -sf ${mainCfFile} /var/lib/postfix/conf/main.cf +- ln -sf ${masterCfFile} /var/lib/postfix/conf/master.cf +- + ${concatStringsSep "\n" (mapAttrsToList (to: from: '' ++ test -f '/var/lib/postfix/conf/${to}' || rm -f '/var/lib/postfix/conf/${to}' + ln -sf ${from} /var/lib/postfix/conf/${to} + ${pkgs.postfix}/bin/postalias /var/lib/postfix/conf/${to} + '') cfg.aliasFiles)} + ${concatStringsSep "\n" (mapAttrsToList (to: from: '' ++ test -f '/var/lib/postfix/conf/${to}' || rm -f '/var/lib/postfix/conf/${to}' + ln -sf ${from} /var/lib/postfix/conf/${to} + ${pkgs.postfix}/bin/postmap /var/lib/postfix/conf/${to} + '') cfg.mapFiles)} +- +- mkdir -p /var/spool/mail +- chown root:root /var/spool/mail +- chmod a+rwxt /var/spool/mail +- ln -sf /var/spool/mail /var/ +- +- #Finally delegate to postfix checking remain directories in /var/lib/postfix and set permissions on them +- ${pkgs.postfix}/bin/postfix set-permissions config_directory=/var/lib/postfix/conf + ''; + }; + + +From a4f4dd228823316959786e7fdaf137f6ca09c4ba Mon Sep 17 00:00:00 2001 +From: Philipp Bartsch +Date: Sat, 18 Jul 2020 01:22:53 +0200 +Subject: [PATCH 2/4] nixos/postfix: more sandboxing + +--- + nixos/modules/services/mail/postfix.nix | 65 +++++++++++++++---------- + 1 file changed, 40 insertions(+), 25 deletions(-) + +diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix +index a499f83971d8c..b9b9836813ddd 100644 +--- 
a/nixos/modules/services/mail/postfix.nix ++++ b/nixos/modules/services/mail/postfix.nix +@@ -9,6 +9,25 @@ let + group = cfg.group; + setgidGroup = cfg.setgidGroup; + ++ preStartScript = pkgs.writeScript "pre-start-script" '' ++ #!${pkgs.stdenv.shell} ++ set -euo pipefail ++ ++ ${concatStringsSep "\n" (mapAttrsToList (to: from: '' ++ test -f '/var/lib/postfix/conf/${to}' || rm -f '/var/lib/postfix/conf/${to}' ++ ln -sf ${from} /var/lib/postfix/conf/${to} ++ ${pkgs.postfix}/bin/postalias /var/lib/postfix/conf/${to} ++ '') cfg.aliasFiles)} ++ ${concatStringsSep "\n" (mapAttrsToList (to: from: '' ++ test -f '/var/lib/postfix/conf/${to}' || rm -f '/var/lib/postfix/conf/${to}' ++ ln -sf ${from} /var/lib/postfix/conf/${to} ++ ${pkgs.postfix}/bin/postmap /var/lib/postfix/conf/${to} ++ '') cfg.mapFiles)} ++ ++ # Finally delegate to postfix checking remain directories in /var/lib/postfix and set permissions on them ++ ${pkgs.postfix}/bin/postfix set-permissions config_directory=/var/lib/postfix/conf ++ ''; ++ + haveAliases = cfg.postmasterAlias != "" || cfg.rootAlias != "" + || cfg.extraAliases != ""; + haveTransport = cfg.transport != ""; +@@ -747,37 +766,33 @@ in + ExecStart = "${pkgs.postfix}/bin/postfix start"; + ExecStop = "${pkgs.postfix}/bin/postfix stop"; + ExecReload = "${pkgs.postfix}/bin/postfix reload"; +- # Capabilities +- CapabilityBoundingSet = [ "CAP_DAC_OVERRIDE" "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ]; +- # Security ++ ExecStartPre = "+${preStartScript}"; ++ ++ ReadWritePaths = [ "/var/lib/postfix" "/var/spool/mail" ]; ++ ++ CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID"; ++ DevicePolicy = "closed"; ++ LockPersonality = true; ++ MemoryDenyWriteExecute = true; + NoNewPrivileges = true; +- # Sandboxing +- ProtectSystem = "full"; +- ProtectHome = true; +- PrivateTmp = true; + PrivateDevices = true; ++ PrivateMounts = true; ++ PrivateTmp = true; ++ ProtectClock = true; ++ ProtectControlGroups = true; + 
ProtectHostname = true; +- ProtectKernelTunables = true; ++ ProtectKernelLogs = true; + ProtectKernelModules = true; +- ProtectControlGroups = true; +- LockPersonality = true; +- MemoryDenyWriteExecute = true; ++ ProtectKernelTunables = true; ++ ProtectSystem = "full"; ++ RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK AF_UNIX"; ++ RestrictNamespaces = true; + RestrictRealtime = true; +- PrivateMounts = true; ++ RestrictSUIDSGID = true; ++ SystemCallArchitectures = "native"; ++ SystemCallFilter = [ "@system-service" "~@resources" ]; ++ UMask = "0077"; + }; +- +- preStart = '' +- ${concatStringsSep "\n" (mapAttrsToList (to: from: '' +- test -f '/var/lib/postfix/conf/${to}' || rm -f '/var/lib/postfix/conf/${to}' +- ln -sf ${from} /var/lib/postfix/conf/${to} +- ${pkgs.postfix}/bin/postalias /var/lib/postfix/conf/${to} +- '') cfg.aliasFiles)} +- ${concatStringsSep "\n" (mapAttrsToList (to: from: '' +- test -f '/var/lib/postfix/conf/${to}' || rm -f '/var/lib/postfix/conf/${to}' +- ln -sf ${from} /var/lib/postfix/conf/${to} +- ${pkgs.postfix}/bin/postmap /var/lib/postfix/conf/${to} +- '') cfg.mapFiles)} +- ''; + }; + + services.postfix.config = (mapAttrs (_: v: mkDefault v) { + +From 0bf216e6268bccfabda21e9a9444934fe651db6a Mon Sep 17 00:00:00 2001 +From: Philipp Bartsch +Date: Sun, 19 Jul 2020 14:25:24 +0200 +Subject: [PATCH 3/4] nixos/postfix: fixup cosmetics + +--- + nixos/modules/services/mail/postfix.nix | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix +index b9b9836813ddd..f039b2b6832ff 100644 +--- a/nixos/modules/services/mail/postfix.nix ++++ b/nixos/modules/services/mail/postfix.nix +@@ -770,7 +770,7 @@ in + + ReadWritePaths = [ "/var/lib/postfix" "/var/spool/mail" ]; + +- CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID"; ++ CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" "CAP_NET_BIND_SERVICE" "CAP_SETGID" 
"CAP_SETUID" ]; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; +@@ -785,7 +785,7 @@ in + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "full"; +- RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK AF_UNIX"; ++ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" "AF_UNIX" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + +From 7b285fb877a7463fb769e8f57d0679eb7f0de8c0 Mon Sep 17 00:00:00 2001 +From: Philipp Bartsch +Date: Tue, 21 Jul 2020 22:31:24 +0200 +Subject: [PATCH 4/4] nixos/postfix: fix permission issue + +--- + nixos/modules/services/mail/postfix.nix | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix +index f039b2b6832ff..3cd3b170e2f68 100644 +--- a/nixos/modules/services/mail/postfix.nix ++++ b/nixos/modules/services/mail/postfix.nix +@@ -770,7 +770,7 @@ in + + ReadWritePaths = [ "/var/lib/postfix" "/var/spool/mail" ]; + +- CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ]; ++ CapabilityBoundingSet = [ "CAP_DAC_OVERRIDE" "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ]; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; diff --git a/patches/zen-kernels.patch b/patches/zen-kernels.patch index 249bc44..5efe13e 100644 --- a/patches/zen-kernels.patch +++ b/patches/zen-kernels.patch @@ -1,17 +1,17 @@ diff --git a/pkgs/os-specific/linux/kernel/zen-kernels.nix b/pkgs/os-specific/linux/kernel/zen-kernels.nix -index 6ee6c38..ea55339 100644 +index 4c72a78..37baf48 100644 --- a/pkgs/os-specific/linux/kernel/zen-kernels.nix +++ b/pkgs/os-specific/linux/kernel/zen-kernels.nix 
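Review bot: `ReadWritePaths = [ "/var/lib/postfix" "/var/spool/mail" ]`, added in patch 2/4, is not an allowlist under the `ProtectSystem = "full"` kept on the same service: `full` only remounts `/usr`, `/boot` and `/etc` read-only, so the rest of the filesystem stays writable and the two listed paths change nothing. If the intent is to confine master's writes to those trees, change it to `ProtectSystem = "strict";` and keep the `ReadWritePaths` line (the alias and map files are written by the `+`-prefixed `ExecStartPre`, which already runs outside the sandbox). That matters more after patch 4/4, which puts `CAP_DAC_OVERRIDE` back into `CapabilityBoundingSet` in place of `CAP_DAC_READ_SEARCH`, so processes under master may bypass DAC on any writable path rather than merely read through it. The tmpfiles rules also hand `/var/lib/postfix` and `/var/lib/postfix/conf` to the unprivileged `postfix` user (`d ... 0755 postfix postfix` plus the recursive `Z '/var/lib/postfix' - postfix postfix`), where the removed preStart did `chown root:root /var/lib/postfix` per postfix-files; `postfix set-permissions` in the pre-start script presumably restores root ownership on each start, but every tmpfiles run reopens a window in which the daemon's own user owns the directory holding the `main.cf`/`master.cf` symlinks, so consider `root root` on those two rules. The patched module's option declarations and the `services.postfix.config` defaults lie outside the hunk.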
@@ -11,9 +11,9 @@ let }; # ./update-zen.py lqx lqxVariant = { -- version = "6.0.10"; #lqx +- version = "6.1.3"; #lqx - suffix = "lqx1"; #lqx -- sha256 = "0hbak9m4j259xrhbv173axbfzr13r47xqsax7s64ga9688bra1m7"; #lqx -+ version = "6.0.11"; #lqx -+ suffix = "lqx2"; #lqx -+ sha256 = "089mhxfdfi6wv0f2jx3j30y71mrkwrw5k8a7hyga1516j17qxva1"; #lqx +- sha256 = "0vp6skhw4wsxk2nl3m8y975a9bx78h5wl574wsfgnc5nvzmh250l"; #lqx ++ version = "6.0.13"; #lqx ++ suffix = "lqx3"; #lqx ++ sha256 = "0dc295d9dfm3j2nmvkzy21ky1k6jp7c7miqjhqgfjny9yk1b41k4"; #lqx isLqx = true; }; zenKernelsFor = { version, suffix, sha256, isLqx }: buildLinux (args // { diff --git a/profiles/applications/firefox.nix b/profiles/applications/firefox.nix index 9a7f363..a0bfcf5 100755 --- a/profiles/applications/firefox.nix +++ b/profiles/applications/firefox.nix @@ -45,26 +45,6 @@ in { # enable = true; # browsers = [ "firefox" ]; # }; - wayland.windowManager.sway.config = { - window.commands = [ - { - criteria = { title = "Firefox — Sharing Indicator"; }; - command = "floating enable"; - } - { - criteria = { title = "Firefox — Sharing Indicator"; }; - command = "no_focus"; - } - { - criteria = { title = "Firefox — Sharing Indicator"; }; - command = "resize set 0 0"; - } - { - criteria = { title = "Firefox — Sharing Indicator"; }; - command = "move absolute position 10 10"; - } - ]; - }; programs.firefox = { enable = true; @@ -111,7 +91,7 @@ in { "browser.anchor_color" = thm.base0D-hex; "browser.visited_color" = thm.base0C-hex; "browser.display.use_document_fonts" = true; - "pdfjs.disabled" = true; + # "pdfjs.disabled" = true; "media.eme.enabled" = true; @@ -119,6 +99,8 @@ in { "experiments.enabled" = false; "experiments.supported" = false; "network.allow-experiments" = false; + + # "identity.sync.tokenserver.uri" = "https://fsync.ataraxiadev.com/1.0/sync/1.5"; }; extraPrefs = "${fileContents "${pkgs.arkenfox-userjs}/share/user-js/profiles/user.js"}"; }; 
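Review bot: Commenting out `"pdfjs.disabled" = true;` is probably a no-op rather than a behaviour change: `extraPrefs` appends the arkenfox `user.js` after the `settings` prefs in the generated `user.js`, and arkenfox's section 2620 sets `pdfjs.disabled` to `false` as far as I recall, so the arkenfox value was already winning and will keep winning for any pref both places set. A comment above `settings` such as `# arkenfox user.js is appended after these prefs and overrides any key it also sets` would save the next reader from the same confusion, and the genuinely local overrides (`media.eme.enabled`, the experiments flags) should be checked against arkenfox's values the same way. The commented-out `identity.sync.tokenserver.uri` is dead config; keep it only with a note on why it is off. The deleted sway window rules are a pure removal and need nothing.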
diff --git a/profiles/applications/packages.nix b/profiles/applications/packages.nix
index 6908eda..3c01786 100644
--- a/profiles/applications/packages.nix
+++ b/profiles/applications/packages.nix
@@ -85,7 +85,7 @@ with config.deviceSpecific; {
 prismlauncher
 reshade-shaders
 (retroarch.override { cores = [ libretro.genesis-plus-gx libretro.dosbox ]; })
- parsec
+ # parsec
 protonhax
 protontricks
 vkBasalt
@@ -93,6 +93,6 @@ with config.deviceSpecific; {
 winetricks
 ] ++ lib.optionals isLaptop [
 acpi
- seadrive-fuse
+ # seadrive-fuse
 ];
 }
diff --git a/profiles/applications/vscode/default.nix b/profiles/applications/vscode/default.nix
index 006224d..6d0a37e 100644
--- a/profiles/applications/vscode/default.nix
+++ b/profiles/applications/vscode/default.nix
@@ -24,43 +24,44 @@ in enableExtensionUpdateCheck = false; enableUpdateCheck = false; extensions = let - vscode = inputs.nix-vscode-marketplace.packages.${pkgs.system}.vscode; - open-vsx = inputs.nix-vscode-marketplace.packages.${pkgs.system}.open-vsx; - nixpkgs = pkgs.vscode-extensions; - in [ - (inputs.direnv-vscode.packages.${pkgs.system}.vsix.overrideAttrs (_: { - buildPhase = "yarn run build"; - installPhase = '' - mkdir -p $out/share/vscode/extensions/direnv.direnv-vscode - cp -R * $out/share/vscode/extensions/direnv.direnv-vscode - ''; - })) - (pkgs.callPackage ./theme.nix { mainuser = config.mainuser; } config.lib.base16.theme) + vscode = inputs.nix-vscode-marketplace.packages.${pkgs.system}.vscode; + open-vsx = inputs.nix-vscode-marketplace.packages.${pkgs.system}.open-vsx; + nixpkgs = pkgs.vscode-extensions; + in [ + (pkgs.callPackage ./theme.nix { mainuser = config.mainuser; } config.lib.base16.theme) - vscode.aaron-bond.better-comments - vscode.alefragnani.bookmarks - vscode.alefragnani.project-manager - vscode.bungcip.better-toml - vscode.catppuccin.catppuccin-vsc - vscode.christian-kohler.path-intellisense - vscode.codezombiech.gitignore - vscode.dart-code.dart-code - # dlasagno.wal-theme - vscode.eamodio.gitlens-insiders - vscode.enkia.tokyo-night - vscode.equinusocio.vsc-material-theme-icons - vscode.felixangelov.bloc - vscode.github.vscode-pull-request-github - vscode.irongeek.vscode-env - vscode.jebbs.plantuml - vscode.jnoortheen.nix-ide - vscode.lucax88x.codeacejumper - vscode.marcelovelasquez.flutter-tree - vscode.mhutchie.git-graph - vscode.ms-azuretools.vscode-docker - vscode.ms-vscode-remote.remote-ssh - nixpkgs.rust-lang.rust-analyzer - ]; + vscode.aaron-bond.better-comments + vscode.alefragnani.bookmarks + vscode.alefragnani.project-manager + vscode.bungcip.better-toml + vscode.catppuccin.catppuccin-vsc + vscode.christian-kohler.path-intellisense + vscode.codezombiech.gitignore + vscode.dart-code.dart-code + # dlasagno.wal-theme + 
vscode.eamodio.gitlens-insiders + vscode.enkia.tokyo-night + vscode.equinusocio.vsc-material-theme-icons + vscode.felixangelov.bloc + vscode.github.vscode-pull-request-github + vscode.irongeek.vscode-env + vscode.jebbs.plantuml + vscode.jnoortheen.nix-ide + vscode.lucax88x.codeacejumper + vscode.marcelovelasquez.flutter-tree + vscode.mhutchie.git-graph + vscode.mkhl.direnv + vscode.ms-azuretools.vscode-docker + vscode.ms-vscode-remote.remote-ssh + nixpkgs.rust-lang.rust-analyzer + + # Django + nixpkgs.ms-python.python + vscode.monosans.djlint + vscode.ms-python.isort + vscode.ms-python.vscode-pylance + vscode.thebarkman.vscode-djaneiro + ]; # mutableExtensionsDir = false; userSettings = { "update.mode" = "none"; @@ -121,7 +122,7 @@ in "search.exclude" = { "**/.direnv" = true; }; - "git.autofetch" = true; + "git.autofetch" = false; "git.enableCommitSigning" = true; "git-graph.repository.sign.commits" = true; "git-graph.repository.sign.tags" = true; diff --git a/profiles/overlay.nix b/profiles/overlay.nix index 41484f2..ab8c71d 100644 --- a/profiles/overlay.nix +++ b/profiles/overlay.nix @@ -36,7 +36,7 @@ with lib; { reshade-shaders = pkgs.callPackage ./packages/reshade-shaders.nix { }; rosepine-gtk-theme = pkgs.callPackage ./packages/rosepine-gtk-theme.nix { }; rosepine-icon-theme = pkgs.callPackage ./packages/rosepine-icon-theme.nix { }; - seadrive-fuse = pkgs.callPackage ./packages/seadrive-fuse.nix { }; + # seadrive-fuse = pkgs.callPackage ./packages/seadrive-fuse.nix { }; tidal-dl = pkgs.callPackage ./packages/tidal-dl.nix { }; tokyonight-gtk-theme = pkgs.callPackage ./packages/tokyonight-gtk-theme.nix { }; tokyonight-icon-theme = pkgs.callPackage ./packages/tokyonight-icon-theme.nix { }; diff --git a/profiles/packages/hyprpaper.nix b/profiles/packages/hyprpaper.nix deleted file mode 100644 index 18ac551..0000000 --- a/profiles/packages/hyprpaper.nix +++ /dev/null 
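Review bot: The direnv extension moves from a from-source build of the `direnv-vscode` input (the removed `overrideAttrs` ran `yarn run build`) to the prebuilt `vscode.mkhl.direnv` from the nix-vscode-marketplace input, and the new Django set adds `vscode.ms-python.vscode-pylance`, which ships only as a closed-source VSIX; both shift trust from code you build to marketplace artifacts whose integrity rests on the hashes pinned in that flake input. Worth a comment above the list, e.g. `# prebuilt marketplace VSIX; integrity rests on the hashes in the nix-vscode-marketplace input`, and a habit of bumping that input deliberately rather than alongside everything else. `"git.autofetch" = false` is a sensible companion to the `git.enableCommitSigning` line below it, since it stops unattended network access to every opened remote. The enclosing `programs.vscode` attribute set starts before the hunk.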
@@ -1,80 +0,0 @@
-{
- lib,
- stdenv,
- pkg-config,
- cmake,
- ninja,
- cairo,
- fribidi,
- libdatrie,
- libjpeg,
- libselinux,
- libsepol,
- libthai,
- pango,
- pcre,
- utillinux,
- wayland,
- wayland-protocols,
- wayland-scanner,
- wlr-protocols,
- libXdmcp,
- version ? "git",
- src,
-}:
-stdenv.mkDerivation {
- pname = "hyprpaper";
- inherit version;
- src = src;
-
- nativeBuildInputs = [
- cmake
- ninja
- pkg-config
- ];
-
- buildInputs = [
- cairo
- fribidi
- libdatrie
- libjpeg
- libselinux
- libsepol
- libthai
- pango
- pcre
- wayland
- wayland-protocols
- wayland-scanner
- wlr-protocols
- libXdmcp
- utillinux
- ];
-
- configurePhase = ''
- runHook preConfigure
-
- make release
-
- runHook postConfigure
- '';
-
- installPhase = ''
- runHook preInstall
-
- mkdir -p $out/{bin,share/licenses}
-
- install -Dm755 build/hyprpaper -t $out/bin
- install -Dm644 LICENSE -t $out/share/licenses/hyprpaper
-
- runHook postInstall
- '';
-
- meta = with lib; {
- homepage = "https://github.com/hyprwm/hyprpaper";
- description = "A blazing fast wayland wallpaper utility with IPC controls";
- license = licenses.bsd3;
- platforms = platforms.linux;
- mainProgram = "hyprpaper";
- };
-}
diff --git a/profiles/packages/parsec.nix b/profiles/packages/parsec.nix
index 0ca4181..293081f 100644
--- a/profiles/packages/parsec.nix
+++ b/profiles/packages/parsec.nix
@@ -44,7 +44,7 @@ let
 name = "parsec-pkg";
 src = fetchurl {
 url = "https://s3.amazonaws.com/parsec-build/package/parsec-linux.deb";
- sha256 = "1hfdzjd8qiksv336m4s4ban004vhv00cv2j461gc6zrp37s0fwhc";
+ hash = "sha256-wwBy86TdrHaH9ia40yh24yd5G84WTXREihR+9I6o6uU=";
 };
 phases = [ "buildPhase" ];
 buildInputs = [ dpkg ];
diff --git a/profiles/servers/stable-diffusion.nix b/profiles/servers/stable-diffusion.nix
index 8ffbdaf..cfc2061 100644
--- a/profiles/servers/stable-diffusion.nix
+++ b/profiles/servers/stable-diffusion.nix
@@ -21,10 +21,10 @@ in with config.virtualisation.oci-containers; { "seccomp=unconfined" "--hostname=stable-diffusion-ct" ]; - image = "rocm-arch"; + image = "docker.io/ataraxiadev/rocm-pytorch"; ports = [ "80:7860/tcp" ]; volumes = [ - "/home/${config.mainuser}/projects/rocm-terminal/shared:/shared" + "/home/${config.mainuser}/projects/stable-diffusion-rocm/shared:/shared" ]; }; diff --git a/profiles/services.nix b/profiles/services.nix index e0da796..95c4956 100644 --- a/profiles/services.nix +++ b/profiles/services.nix @@ -98,14 +98,14 @@ with config.deviceSpecific; { }; }; - secrets.seadrive = { - owner = config.mainuser; - }; - services.seadrive = { - enable = !isServer; - settingsFile = config.secrets.seadrive.decrypted; - mountPoint = "/media/seadrive"; - }; + # secrets.seadrive = { + # owner = config.mainuser; + # }; + # services.seadrive = { + # enable = !isServer; + # settingsFile = config.secrets.seadrive.decrypted; + # mountPoint = "/media/seadrive"; + # }; services.upower.enable = true; diff --git a/profiles/virtualisation.nix b/profiles/virtualisation.nix index ba76deb..1a88233 100644 --- a/profiles/virtualisation.nix +++ b/profiles/virtualisation.nix @@ -17,7 +17,7 @@ with config.deviceSpecific; { virtualisation.podman = { enable = true; extraPackages = [ pkgs.zfs ]; - defaultNetwork.dnsname.enable = true; + defaultNetwork.settings.dns_enabled = true; }; virtualisation.containers.registries.search = [ "docker.io" "gcr.io" "quay.io" diff --git a/profiles/workspace/aria2.nix b/profiles/workspace/aria2.nix index ade1884..d05196e 100644 --- a/profiles/workspace/aria2.nix +++ b/profiles/workspace/aria2.nix @@ -5,7 +5,7 @@ in { # TODO: enable websocket (--rpc-certificate) services.aria2 = { enable = true; - downloadDir = "${homeDir}/Downloads/aria2"; + downloadDir = "/media/aria2"; rpcListenPort = 6800; # FIXME: I can expose this, since i listen rpc only on localhost # but in future it's better to implement read key from secrets before start daemon 
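Review bot: `image = "docker.io/ataraxiadev/rocm-pytorch";` carries neither a tag nor a digest, so podman resolves the mutable `latest` tag at each pull and the container's contents can change underneath this config without any rebuild; since the same container already runs with `"seccomp=unconfined"` and publishes `80:7860/tcp` on every interface, whatever that image contains is trusted with a wide syscall surface. Pin it by digest, `image = "docker.io/ataraxiadev/rocm-pytorch@sha256:<digest from podman inspect>";`, or at minimum an immutable version tag, and consider `ports = [ "127.0.0.1:80:7860/tcp" ];` if the web UI is only reached locally. The `oci-containers` attribute set starts outside the hunk.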
@@ -14,4 +14,5 @@ in {
 openPorts = false;
 };
 # networking.firewall.allowedTCPPorts = [ config.services.aria2.rpcListenPort ];
+ persist.state.directories = [ "/media/ari2" ];
 }
\ No newline at end of file
diff --git a/profiles/workspace/gpg.nix b/profiles/workspace/gpg.nix
index 40ad992..0412d5d 100644
--- a/profiles/workspace/gpg.nix
+++ b/profiles/workspace/gpg.nix
@@ -30,5 +30,9 @@ with config.deviceSpecific; {
 # directory = config.secretsConfig.gnupgHome;
 # method = "symlink";
 # }];
- persist.state.homeDirectories = [ config.secretsConfig.gnupgHome ];
+ persist.state.homeDirectories = let
+ gnupgHome-relative = lib.removePrefix
+ config.home-manager.users.${config.mainuser}.home.homeDirectory
+ config.secretsConfig.gnupgHome;
+ in [ gnupgHome-relative ];
 }
\ No newline at end of file
diff --git a/profiles/workspace/mako.nix b/profiles/workspace/mako.nix
index 885fb5e..27d6a33 100644
--- a/profiles/workspace/mako.nix
+++ b/profiles/workspace/mako.nix
@@ -3,8 +3,8 @@
 systemd.user.services.mako = {
 Service = { ExecStart = "${pkgs.mako}/bin/mako"; };
 Install = {
- After = [ "sway-session.target" ];
- WantedBy = [ "sway-session.target" ];
+ After = [ "hyprland-session.target" ];
+ WantedBy = [ "hyprland-session.target" ];
 };
 };
 programs.mako = with config.lib.base16; {
diff --git a/profiles/workspace/misc.nix b/profiles/workspace/misc.nix
index 3ed1a79..3de1b95 100644
--- a/profiles/workspace/misc.nix
+++ b/profiles/workspace/misc.nix
@@ -53,7 +53,10 @@
 ];
 persist.state.homeDirectories = [
 "projects"
- "nixos-config"
+ {
+ directory = "nixos-config";
+ method = "symlink";
+ }
 ] ++ lib.optionals (!config.deviceSpecific.isServer) [
 "games"
 # "persist"
diff --git a/profiles/workspace/nix-index.nix b/profiles/workspace/nix-index.nix
index 925c07a..8ec86a1 100644
--- a/profiles/workspace/nix-index.nix
+++ b/profiles/workspace/nix-index.nix
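Review bot: `persist.state.directories = [ "/media/ari2" ];` does not match the `downloadDir = "/media/aria2";` set in the previous hunk, so on an impermanence setup the real download directory is wiped at reboot while an unused `/media/ari2` is persisted instead. Change it to `persist.state.directories = [ config.services.aria2.downloadDir ];` so the two cannot drift apart again. The NixOS aria2 module creates `downloadDir` itself, so the persisted mount needs to carry the `aria2` user's ownership; worth checking after the first reboot.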
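Review bot: `lib.removePrefix homeDirectory gnupgHome` keeps the path separator, so for a `gnupgHome` like `/home/user/.gnupg` the result is `/.gnupg` rather than `.gnupg`, and if `gnupgHome` is not under the home directory at all it passes through unchanged as an absolute path. Whether the persistence module tolerates a leading slash in `homeDirectories` is not visible here, but `lib.removePrefix "${homeDirectory}/"` yields the bare relative path either way, and an `assert lib.assertMsg (lib.hasPrefix homeDirectory gnupgHome) "gnupgHome must live under the home directory";` would catch the second case at evaluation time instead of silently persisting the wrong path for the signing keys.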
@@ -1,4 +1,4 @@ -{ config, ... }: { +{ config, lib, ... }: { home-manager.users.${config.mainuser} = { programs.nix-index = { enable = true; diff --git a/profiles/workspace/ssh.nix b/profiles/workspace/ssh.nix index 4ab9e59..778c6fc 100644 --- a/profiles/workspace/ssh.nix +++ b/profiles/workspace/ssh.nix @@ -18,9 +18,12 @@ with config.deviceSpecific; { programs.ssh.extraConfig = '' Host nix-builder hostname 192.168.0.100 - user ${config.mainuser} + user alukard identitiesOnly yes identityFile ${config.secrets.ssh-builder.decrypted} + Host hypervisor + hostname 192.168.0.10 + user ataraxia ''; home-manager.users.${config.mainuser} = { @@ -30,9 +33,9 @@ with config.deviceSpecific; { "*" = { compression = false; }; - "proxmox.pve" = { + "hypervisor" = { hostname = "192.168.0.10"; - user = "root"; + user = "ataraxia"; }; "matrix.pve" = { hostname = "192.168.0.11"; diff --git a/profiles/workspace/xdg.nix b/profiles/workspace/xdg.nix index 13eefb3..dc6910f 100644 --- a/profiles/workspace/xdg.nix +++ b/profiles/workspace/xdg.nix @@ -2,8 +2,7 @@ home-manager.users.${config.mainuser} = { xdg.enable = true; xdg.userDirs.enable = true; - - home.sessionVariables.XDG_DATA_DIRS = [ + xdg.systemDirs.data = [ "${pkgs.gsettings-desktop-schemas}/share/gsettings-schemas/${pkgs.gsettings-desktop-schemas.name}" "${pkgs.gtk3}/share/gsettings-schemas/${pkgs.gtk3.name}" ]; diff --git a/profiles/workspace/zsh/default.nix b/profiles/workspace/zsh/default.nix index 4a1cb93..0d5d4ad 100644 --- a/profiles/workspace/zsh/default.nix +++ b/profiles/workspace/zsh/default.nix @@ -60,7 +60,7 @@ "redd" = "systemctl --user stop gammastep.service &"; "show-packages" = "_ nix-store -q --references /run/current-system/sw"; "nsp" = "nix-shell --run zsh -p"; - "nd" = "nix develop"; + "nd" = "nix develop -c zsh"; "nb" = "nix build"; "nr" = "nix run"; "e" = "$EDITOR"; 
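Review bot: The new `Host hypervisor` block in the system-wide `programs.ssh.extraConfig` carries only `hostname` and `user`, unlike the adjacent `nix-builder` entry that pins `identitiesOnly yes` and an `identityFile`, so connections to 192.168.0.10 will offer every key the agent holds; add `identitiesOnly yes` plus an `identityFile` there, or drop the block since the home-manager `matchBlocks."hypervisor"` in the next hunk already defines the same host. Changing the hypervisor login from `root` to `ataraxia` is a good move. `user alukard` now hardcodes what used to be `${config.mainuser}`; if that is deliberate (a different account on the builder) a comment such as `# builder account differs from mainuser` will stop a later cleanup from reverting it. Neither hunk shows a `programs.ssh.knownHosts` entry for either IP, so unless host keys are pinned elsewhere both hosts are trusted on first use.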
@@ -76,6 +76,8 @@ "t" = "${pkgs.translate-shell}/bin/trans"; }; initExtra = '' + setopt HIST_IGNORE_SPACE + rga-fzf() { RG_PREFIX="rga --files-with-matches" local file