This commit is contained in:
Dmitriy Kholkin 2023-01-26 00:36:27 +03:00
parent 885096bf81
commit 4edefd3f19
21 changed files with 410 additions and 171 deletions


@ -0,0 +1,45 @@
From 482bafe254f447040d10716a5e8cd6692b743994 Mon Sep 17 00:00:00 2001
From: Izorkin <izorkin@elven.pw>
Date: Sun, 1 Jan 2023 14:07:09 +0300
Subject: [PATCH] nixos/gitea: update sandboxing options
---
nixos/modules/services/misc/gitea.nix | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix
index 00e90f5b32b47..d93bb393429de 100644
--- a/nixos/modules/services/misc/gitea.nix
+++ b/nixos/modules/services/misc/gitea.nix
@@ -567,7 +567,10 @@ in
Restart = "always";
# Runtime directory and mode
RuntimeDirectory = "gitea";
- RuntimeDirectoryMode = "0755";
+ RuntimeDirectoryMode = "0750";
+ # Proc filesystem
+ ProcSubset = "pid";
+ ProtectProc = "invisible";
# Access write directories
ReadWritePaths = [ cfg.dump.backupDir cfg.repositoryRoot cfg.stateDir cfg.lfs.contentDir ];
UMask = "0027";
@@ -587,15 +590,17 @@ in
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
- RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
+ RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
+ RemoveIPC = true;
PrivateMounts = true;
# System Call Filtering
SystemCallArchitectures = "native";
- SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap";
+ SystemCallFilter = [ "~@cpu-emulation @debug @keyring @memlock @mount @obsolete @privileged @resources @setuid" "setrlimit" ];
};
environment = {

14
patches/mullvad.patch Normal file

@ -0,0 +1,14 @@
diff --git a/pkgs/applications/networking/mullvad-vpn/default.nix b/pkgs/applications/networking/mullvad-vpn/default.nix
index 9b1a609d832..15dc909aa64 100644
--- a/pkgs/applications/networking/mullvad-vpn/default.nix
+++ b/pkgs/applications/networking/mullvad-vpn/default.nix
@@ -79,6 +79,9 @@ stdenv.mkDerivation rec {
wrapProgram $out/bin/mullvad-vpn --set MULLVAD_DISABLE_UPDATE_NOTIFICATION 1
+ wrapProgram $out/bin/mullvad-daemon \
+ --set-default MULLVAD_RESOURCE_DIR "$out/share/mullvad/resources"
+
sed -i "s|Exec.*$|Exec=$out/bin/mullvad-vpn $U|" $out/share/applications/mullvad-vpn.desktop
runHook postInstall

265
patches/postfix-93305.patch Normal file

@ -0,0 +1,265 @@
From 769237466abb4614cf203c3d5b9adafe49451a26 Mon Sep 17 00:00:00 2001
From: Izorkin <izorkin@elven.pw>
Date: Sat, 28 Dec 2019 12:51:41 +0300
Subject: [PATCH 1/4] nixos/postfix: enable sandboxing
---
nixos/modules/services/mail/postfix.nix | 73 ++++++++++++++++---------
1 file changed, 47 insertions(+), 26 deletions(-)
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index ad10ba1d9090d..a499f83971d8c 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -705,6 +705,34 @@ in
{ ${setgidGroup}.gid = config.ids.gids.postdrop;
};
+ systemd.tmpfiles.rules = [
+ "d '/var/lib/postfix' 0755 postfix postfix - -"
+ "d '/var/lib/postfix/conf' 0755 postfix postfix - -"
+ "d '/var/lib/postfix/data' 0750 postfix postfix - -"
+ "d '/var/lib/postfix/queue' 0755 postfix postfix - -"
+ "d '/var/lib/postfix/queue/active' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/bounce' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/corrupt' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/defer' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/deferred' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/flush' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/hold' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/incoming' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/maildrop' 0730 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/pid' 0755 postfix postfix - -"
+ "d '/var/lib/postfix/queue/private' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/public' 0710 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/saved' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/trace' 0700 postfix postdrop - -"
+ "d '/var/spool/mail' 1777 root root - -"
+ "Z '/var/lib/postfix' - postfix postfix - -"
+ "Z '/var/lib/postfix/queue/maildrop' - postfix postdrop - -"
+ "Z '/var/lib/postfix/queue/public' - postfix postdrop - -"
+ "L+ '/var/mail' - - - - /var/spool/mail"
+ "L+ '/var/lib/postfix/conf/main.cf' - - - - ${mainCfFile}"
+ "L+ '/var/lib/postfix/conf/master.cf' - - - - ${masterCfFile}"
+ ];
+
systemd.services.postfix =
{ description = "Postfix mail server";
@@ -719,43 +747,36 @@ in
ExecStart = "${pkgs.postfix}/bin/postfix start";
ExecStop = "${pkgs.postfix}/bin/postfix stop";
ExecReload = "${pkgs.postfix}/bin/postfix reload";
+ # Capabilities
+ CapabilityBoundingSet = [ "CAP_DAC_OVERRIDE" "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];
+ # Security
+ NoNewPrivileges = true;
+ # Sandboxing
+ ProtectSystem = "full";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectHostname = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ PrivateMounts = true;
};
preStart = ''
- # Backwards compatibility
- if [ ! -d /var/lib/postfix ] && [ -d /var/postfix ]; then
- mkdir -p /var/lib
- mv /var/postfix /var/lib/postfix
- fi
-
- # All permissions set according ${pkgs.postfix}/etc/postfix/postfix-files script
- mkdir -p /var/lib/postfix /var/lib/postfix/queue/{pid,public,maildrop}
- chmod 0755 /var/lib/postfix
- chown root:root /var/lib/postfix
-
- rm -rf /var/lib/postfix/conf
- mkdir -p /var/lib/postfix/conf
- chmod 0755 /var/lib/postfix/conf
- ln -sf ${pkgs.postfix}/etc/postfix/postfix-files /var/lib/postfix/conf/postfix-files
- ln -sf ${mainCfFile} /var/lib/postfix/conf/main.cf
- ln -sf ${masterCfFile} /var/lib/postfix/conf/master.cf
-
${concatStringsSep "\n" (mapAttrsToList (to: from: ''
+ test -f '/var/lib/postfix/conf/${to}' || rm -f '/var/lib/postfix/conf/${to}'
ln -sf ${from} /var/lib/postfix/conf/${to}
${pkgs.postfix}/bin/postalias /var/lib/postfix/conf/${to}
'') cfg.aliasFiles)}
${concatStringsSep "\n" (mapAttrsToList (to: from: ''
+ test -f '/var/lib/postfix/conf/${to}' || rm -f '/var/lib/postfix/conf/${to}'
ln -sf ${from} /var/lib/postfix/conf/${to}
${pkgs.postfix}/bin/postmap /var/lib/postfix/conf/${to}
'') cfg.mapFiles)}
-
- mkdir -p /var/spool/mail
- chown root:root /var/spool/mail
- chmod a+rwxt /var/spool/mail
- ln -sf /var/spool/mail /var/
-
- #Finally delegate to postfix checking remain directories in /var/lib/postfix and set permissions on them
- ${pkgs.postfix}/bin/postfix set-permissions config_directory=/var/lib/postfix/conf
'';
};
From a4f4dd228823316959786e7fdaf137f6ca09c4ba Mon Sep 17 00:00:00 2001
From: Philipp Bartsch <phil@grmr.de>
Date: Sat, 18 Jul 2020 01:22:53 +0200
Subject: [PATCH 2/4] nixos/postfix: more sandboxing
---
nixos/modules/services/mail/postfix.nix | 65 +++++++++++++++----------
1 file changed, 40 insertions(+), 25 deletions(-)
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index a499f83971d8c..b9b9836813ddd 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -9,6 +9,25 @@ let
group = cfg.group;
setgidGroup = cfg.setgidGroup;
+ preStartScript = pkgs.writeScript "pre-start-script" ''
+ #!${pkgs.stdenv.shell}
+ set -euo pipefail
+
+ ${concatStringsSep "\n" (mapAttrsToList (to: from: ''
+ test -f '/var/lib/postfix/conf/${to}' || rm -f '/var/lib/postfix/conf/${to}'
+ ln -sf ${from} /var/lib/postfix/conf/${to}
+ ${pkgs.postfix}/bin/postalias /var/lib/postfix/conf/${to}
+ '') cfg.aliasFiles)}
+ ${concatStringsSep "\n" (mapAttrsToList (to: from: ''
+ test -f '/var/lib/postfix/conf/${to}' || rm -f '/var/lib/postfix/conf/${to}'
+ ln -sf ${from} /var/lib/postfix/conf/${to}
+ ${pkgs.postfix}/bin/postmap /var/lib/postfix/conf/${to}
+ '') cfg.mapFiles)}
+
+ # Finally delegate to postfix checking remain directories in /var/lib/postfix and set permissions on them
+ ${pkgs.postfix}/bin/postfix set-permissions config_directory=/var/lib/postfix/conf
+ '';
+
haveAliases = cfg.postmasterAlias != "" || cfg.rootAlias != ""
|| cfg.extraAliases != "";
haveTransport = cfg.transport != "";
@@ -747,37 +766,33 @@ in
ExecStart = "${pkgs.postfix}/bin/postfix start";
ExecStop = "${pkgs.postfix}/bin/postfix stop";
ExecReload = "${pkgs.postfix}/bin/postfix reload";
- # Capabilities
- CapabilityBoundingSet = [ "CAP_DAC_OVERRIDE" "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];
- # Security
+ ExecStartPre = "+${preStartScript}";
+
+ ReadWritePaths = [ "/var/lib/postfix" "/var/spool/mail" ];
+
+ CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID";
+ DevicePolicy = "closed";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
- # Sandboxing
- ProtectSystem = "full";
- ProtectHome = true;
- PrivateTmp = true;
PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
ProtectHostname = true;
- ProtectKernelTunables = true;
+ ProtectKernelLogs = true;
ProtectKernelModules = true;
- ProtectControlGroups = true;
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "full";
+ RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK AF_UNIX";
+ RestrictNamespaces = true;
RestrictRealtime = true;
- PrivateMounts = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [ "@system-service" "~@resources" ];
+ UMask = "0077";
};
-
- preStart = ''
- ${concatStringsSep "\n" (mapAttrsToList (to: from: ''
- test -f '/var/lib/postfix/conf/${to}' || rm -f '/var/lib/postfix/conf/${to}'
- ln -sf ${from} /var/lib/postfix/conf/${to}
- ${pkgs.postfix}/bin/postalias /var/lib/postfix/conf/${to}
- '') cfg.aliasFiles)}
- ${concatStringsSep "\n" (mapAttrsToList (to: from: ''
- test -f '/var/lib/postfix/conf/${to}' || rm -f '/var/lib/postfix/conf/${to}'
- ln -sf ${from} /var/lib/postfix/conf/${to}
- ${pkgs.postfix}/bin/postmap /var/lib/postfix/conf/${to}
- '') cfg.mapFiles)}
- '';
};
services.postfix.config = (mapAttrs (_: v: mkDefault v) {
From 0bf216e6268bccfabda21e9a9444934fe651db6a Mon Sep 17 00:00:00 2001
From: Philipp Bartsch <phil@grmr.de>
Date: Sun, 19 Jul 2020 14:25:24 +0200
Subject: [PATCH 3/4] nixos/postfix: fixup cosmetics
---
nixos/modules/services/mail/postfix.nix | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index b9b9836813ddd..f039b2b6832ff 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -770,7 +770,7 @@ in
ReadWritePaths = [ "/var/lib/postfix" "/var/spool/mail" ];
- CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID";
+ CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
@@ -785,7 +785,7 @@ in
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "full";
- RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK AF_UNIX";
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" "AF_UNIX" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
From 7b285fb877a7463fb769e8f57d0679eb7f0de8c0 Mon Sep 17 00:00:00 2001
From: Philipp Bartsch <phil@grmr.de>
Date: Tue, 21 Jul 2020 22:31:24 +0200
Subject: [PATCH 4/4] nixos/postfix: fix permission issue
---
nixos/modules/services/mail/postfix.nix | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index f039b2b6832ff..3cd3b170e2f68 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -770,7 +770,7 @@ in
ReadWritePaths = [ "/var/lib/postfix" "/var/spool/mail" ];
- CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];
+ CapabilityBoundingSet = [ "CAP_DAC_OVERRIDE" "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;


@ -1,17 +1,17 @@
diff --git a/pkgs/os-specific/linux/kernel/zen-kernels.nix b/pkgs/os-specific/linux/kernel/zen-kernels.nix diff --git a/pkgs/os-specific/linux/kernel/zen-kernels.nix b/pkgs/os-specific/linux/kernel/zen-kernels.nix
index 6ee6c38..ea55339 100644 index 4c72a78..37baf48 100644
--- a/pkgs/os-specific/linux/kernel/zen-kernels.nix --- a/pkgs/os-specific/linux/kernel/zen-kernels.nix
+++ b/pkgs/os-specific/linux/kernel/zen-kernels.nix +++ b/pkgs/os-specific/linux/kernel/zen-kernels.nix
@@ -11,9 +11,9 @@ let @@ -11,9 +11,9 @@ let
}; };
# ./update-zen.py lqx # ./update-zen.py lqx
lqxVariant = { lqxVariant = {
- version = "6.0.10"; #lqx - version = "6.1.3"; #lqx
- suffix = "lqx1"; #lqx - suffix = "lqx1"; #lqx
- sha256 = "0hbak9m4j259xrhbv173axbfzr13r47xqsax7s64ga9688bra1m7"; #lqx - sha256 = "0vp6skhw4wsxk2nl3m8y975a9bx78h5wl574wsfgnc5nvzmh250l"; #lqx
+ version = "6.0.11"; #lqx + version = "6.0.13"; #lqx
+ suffix = "lqx2"; #lqx + suffix = "lqx3"; #lqx
+ sha256 = "089mhxfdfi6wv0f2jx3j30y71mrkwrw5k8a7hyga1516j17qxva1"; #lqx + sha256 = "0dc295d9dfm3j2nmvkzy21ky1k6jp7c7miqjhqgfjny9yk1b41k4"; #lqx
isLqx = true; isLqx = true;
}; };
zenKernelsFor = { version, suffix, sha256, isLqx }: buildLinux (args // { zenKernelsFor = { version, suffix, sha256, isLqx }: buildLinux (args // {


@ -45,26 +45,6 @@ in {
# enable = true; # enable = true;
# browsers = [ "firefox" ]; # browsers = [ "firefox" ];
# }; # };
wayland.windowManager.sway.config = {
window.commands = [
{
criteria = { title = "Firefox Sharing Indicator"; };
command = "floating enable";
}
{
criteria = { title = "Firefox Sharing Indicator"; };
command = "no_focus";
}
{
criteria = { title = "Firefox Sharing Indicator"; };
command = "resize set 0 0";
}
{
criteria = { title = "Firefox Sharing Indicator"; };
command = "move absolute position 10 10";
}
];
};
programs.firefox = { programs.firefox = {
enable = true; enable = true;
@ -111,7 +91,7 @@ in {
"browser.anchor_color" = thm.base0D-hex; "browser.anchor_color" = thm.base0D-hex;
"browser.visited_color" = thm.base0C-hex; "browser.visited_color" = thm.base0C-hex;
"browser.display.use_document_fonts" = true; "browser.display.use_document_fonts" = true;
"pdfjs.disabled" = true; # "pdfjs.disabled" = true;
"media.eme.enabled" = true; "media.eme.enabled" = true;
@ -119,6 +99,8 @@ in {
"experiments.enabled" = false; "experiments.enabled" = false;
"experiments.supported" = false; "experiments.supported" = false;
"network.allow-experiments" = false; "network.allow-experiments" = false;
# "identity.sync.tokenserver.uri" = "https://fsync.ataraxiadev.com/1.0/sync/1.5";
}; };
extraPrefs = "${fileContents "${pkgs.arkenfox-userjs}/share/user-js/profiles/user.js"}"; extraPrefs = "${fileContents "${pkgs.arkenfox-userjs}/share/user-js/profiles/user.js"}";
}; };


@ -85,7 +85,7 @@ with config.deviceSpecific; {
prismlauncher prismlauncher
reshade-shaders reshade-shaders
(retroarch.override { cores = [ libretro.genesis-plus-gx libretro.dosbox ]; }) (retroarch.override { cores = [ libretro.genesis-plus-gx libretro.dosbox ]; })
parsec # parsec
protonhax protonhax
protontricks protontricks
vkBasalt vkBasalt
@ -93,6 +93,6 @@ with config.deviceSpecific; {
winetricks winetricks
] ++ lib.optionals isLaptop [ ] ++ lib.optionals isLaptop [
acpi acpi
seadrive-fuse # seadrive-fuse
]; ];
} }


@ -24,43 +24,44 @@ in
enableExtensionUpdateCheck = false; enableExtensionUpdateCheck = false;
enableUpdateCheck = false; enableUpdateCheck = false;
extensions = let extensions = let
vscode = inputs.nix-vscode-marketplace.packages.${pkgs.system}.vscode; vscode = inputs.nix-vscode-marketplace.packages.${pkgs.system}.vscode;
open-vsx = inputs.nix-vscode-marketplace.packages.${pkgs.system}.open-vsx; open-vsx = inputs.nix-vscode-marketplace.packages.${pkgs.system}.open-vsx;
nixpkgs = pkgs.vscode-extensions; nixpkgs = pkgs.vscode-extensions;
in [ in [
(inputs.direnv-vscode.packages.${pkgs.system}.vsix.overrideAttrs (_: { (pkgs.callPackage ./theme.nix { mainuser = config.mainuser; } config.lib.base16.theme)
buildPhase = "yarn run build";
installPhase = ''
mkdir -p $out/share/vscode/extensions/direnv.direnv-vscode
cp -R * $out/share/vscode/extensions/direnv.direnv-vscode
'';
}))
(pkgs.callPackage ./theme.nix { mainuser = config.mainuser; } config.lib.base16.theme)
vscode.aaron-bond.better-comments vscode.aaron-bond.better-comments
vscode.alefragnani.bookmarks vscode.alefragnani.bookmarks
vscode.alefragnani.project-manager vscode.alefragnani.project-manager
vscode.bungcip.better-toml vscode.bungcip.better-toml
vscode.catppuccin.catppuccin-vsc vscode.catppuccin.catppuccin-vsc
vscode.christian-kohler.path-intellisense vscode.christian-kohler.path-intellisense
vscode.codezombiech.gitignore vscode.codezombiech.gitignore
vscode.dart-code.dart-code vscode.dart-code.dart-code
# dlasagno.wal-theme # dlasagno.wal-theme
vscode.eamodio.gitlens-insiders vscode.eamodio.gitlens-insiders
vscode.enkia.tokyo-night vscode.enkia.tokyo-night
vscode.equinusocio.vsc-material-theme-icons vscode.equinusocio.vsc-material-theme-icons
vscode.felixangelov.bloc vscode.felixangelov.bloc
vscode.github.vscode-pull-request-github vscode.github.vscode-pull-request-github
vscode.irongeek.vscode-env vscode.irongeek.vscode-env
vscode.jebbs.plantuml vscode.jebbs.plantuml
vscode.jnoortheen.nix-ide vscode.jnoortheen.nix-ide
vscode.lucax88x.codeacejumper vscode.lucax88x.codeacejumper
vscode.marcelovelasquez.flutter-tree vscode.marcelovelasquez.flutter-tree
vscode.mhutchie.git-graph vscode.mhutchie.git-graph
vscode.ms-azuretools.vscode-docker vscode.mkhl.direnv
vscode.ms-vscode-remote.remote-ssh vscode.ms-azuretools.vscode-docker
nixpkgs.rust-lang.rust-analyzer vscode.ms-vscode-remote.remote-ssh
]; nixpkgs.rust-lang.rust-analyzer
# Django
nixpkgs.ms-python.python
vscode.monosans.djlint
vscode.ms-python.isort
vscode.ms-python.vscode-pylance
vscode.thebarkman.vscode-djaneiro
];
# mutableExtensionsDir = false; # mutableExtensionsDir = false;
userSettings = { userSettings = {
"update.mode" = "none"; "update.mode" = "none";
@ -121,7 +122,7 @@ in
"search.exclude" = { "search.exclude" = {
"**/.direnv" = true; "**/.direnv" = true;
}; };
"git.autofetch" = true; "git.autofetch" = false;
"git.enableCommitSigning" = true; "git.enableCommitSigning" = true;
"git-graph.repository.sign.commits" = true; "git-graph.repository.sign.commits" = true;
"git-graph.repository.sign.tags" = true; "git-graph.repository.sign.tags" = true;


@ -36,7 +36,7 @@ with lib; {
reshade-shaders = pkgs.callPackage ./packages/reshade-shaders.nix { }; reshade-shaders = pkgs.callPackage ./packages/reshade-shaders.nix { };
rosepine-gtk-theme = pkgs.callPackage ./packages/rosepine-gtk-theme.nix { }; rosepine-gtk-theme = pkgs.callPackage ./packages/rosepine-gtk-theme.nix { };
rosepine-icon-theme = pkgs.callPackage ./packages/rosepine-icon-theme.nix { }; rosepine-icon-theme = pkgs.callPackage ./packages/rosepine-icon-theme.nix { };
seadrive-fuse = pkgs.callPackage ./packages/seadrive-fuse.nix { }; # seadrive-fuse = pkgs.callPackage ./packages/seadrive-fuse.nix { };
tidal-dl = pkgs.callPackage ./packages/tidal-dl.nix { }; tidal-dl = pkgs.callPackage ./packages/tidal-dl.nix { };
tokyonight-gtk-theme = pkgs.callPackage ./packages/tokyonight-gtk-theme.nix { }; tokyonight-gtk-theme = pkgs.callPackage ./packages/tokyonight-gtk-theme.nix { };
tokyonight-icon-theme = pkgs.callPackage ./packages/tokyonight-icon-theme.nix { }; tokyonight-icon-theme = pkgs.callPackage ./packages/tokyonight-icon-theme.nix { };


@ -1,80 +0,0 @@
{
lib,
stdenv,
pkg-config,
cmake,
ninja,
cairo,
fribidi,
libdatrie,
libjpeg,
libselinux,
libsepol,
libthai,
pango,
pcre,
utillinux,
wayland,
wayland-protocols,
wayland-scanner,
wlr-protocols,
libXdmcp,
version ? "git",
src,
}:
stdenv.mkDerivation {
pname = "hyprpaper";
inherit version;
src = src;
nativeBuildInputs = [
cmake
ninja
pkg-config
];
buildInputs = [
cairo
fribidi
libdatrie
libjpeg
libselinux
libsepol
libthai
pango
pcre
wayland
wayland-protocols
wayland-scanner
wlr-protocols
libXdmcp
utillinux
];
configurePhase = ''
runHook preConfigure
make release
runHook postConfigure
'';
installPhase = ''
runHook preInstall
mkdir -p $out/{bin,share/licenses}
install -Dm755 build/hyprpaper -t $out/bin
install -Dm644 LICENSE -t $out/share/licenses/hyprpaper
runHook postInstall
'';
meta = with lib; {
homepage = "https://github.com/hyprwm/hyprpaper";
description = "A blazing fast wayland wallpaper utility with IPC controls";
license = licenses.bsd3;
platforms = platforms.linux;
mainProgram = "hyprpaper";
};
}


@ -44,7 +44,7 @@ let
name = "parsec-pkg"; name = "parsec-pkg";
src = fetchurl { src = fetchurl {
url = "https://s3.amazonaws.com/parsec-build/package/parsec-linux.deb"; url = "https://s3.amazonaws.com/parsec-build/package/parsec-linux.deb";
sha256 = "1hfdzjd8qiksv336m4s4ban004vhv00cv2j461gc6zrp37s0fwhc"; hash = "sha256-wwBy86TdrHaH9ia40yh24yd5G84WTXREihR+9I6o6uU=";
}; };
phases = [ "buildPhase" ]; phases = [ "buildPhase" ];
buildInputs = [ dpkg ]; buildInputs = [ dpkg ];
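Review bot: The new `hash =` line pins a download whose URL has no version component (`parsec-linux.deb`), so the hash will fail the next time upstream replaces that file, and nothing in the file records which Parsec release the SRI value was computed from. A comment beside the hash naming the version or date it was verified against, e.g. `hash = "sha256-wwBy86TdrHaH9ia40yh24yd5G84WTXREihR+9I6o6uU="; # parsec-linux.deb as published on <date>`, would make a future mismatch diagnosable rather than just a broken build. If upstream publishes a versioned artifact, pinning that URL instead would remove the moving target entirely. The enclosing `fetchurl` derivation starts before the hunk.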


@ -21,10 +21,10 @@ in with config.virtualisation.oci-containers; {
"seccomp=unconfined" "seccomp=unconfined"
"--hostname=stable-diffusion-ct" "--hostname=stable-diffusion-ct"
]; ];
image = "rocm-arch"; image = "docker.io/ataraxiadev/rocm-pytorch";
ports = [ "80:7860/tcp" ]; ports = [ "80:7860/tcp" ];
volumes = [ volumes = [
"/home/${config.mainuser}/projects/rocm-terminal/shared:/shared" "/home/${config.mainuser}/projects/stable-diffusion-rocm/shared:/shared"
]; ];
}; };
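Review bot: The new `image = "docker.io/ataraxiadev/rocm-pytorch";` carries neither a tag nor a digest, so the container resolves to a mutable `latest` and its contents can change on any pull with no change to this configuration; together with the `"seccomp=unconfined"` option already present in `extraOptions` above it, the host ends up trusting whatever the registry currently serves. Pin the reference by digest, e.g. `image = "docker.io/ataraxiadev/rocm-pytorch@sha256:<digest>";`, or at minimum by an immutable version tag, and note where the image is built from. The container definition begins before the hunk.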


@ -98,14 +98,14 @@ with config.deviceSpecific; {
}; };
}; };
secrets.seadrive = { # secrets.seadrive = {
owner = config.mainuser; # owner = config.mainuser;
}; # };
services.seadrive = { # services.seadrive = {
enable = !isServer; # enable = !isServer;
settingsFile = config.secrets.seadrive.decrypted; # settingsFile = config.secrets.seadrive.decrypted;
mountPoint = "/media/seadrive"; # mountPoint = "/media/seadrive";
}; # };
services.upower.enable = true; services.upower.enable = true;


@ -17,7 +17,7 @@ with config.deviceSpecific; {
virtualisation.podman = { virtualisation.podman = {
enable = true; enable = true;
extraPackages = [ pkgs.zfs ]; extraPackages = [ pkgs.zfs ];
defaultNetwork.dnsname.enable = true; defaultNetwork.settings.dns_enabled = true;
}; };
virtualisation.containers.registries.search = [ virtualisation.containers.registries.search = [
"docker.io" "gcr.io" "quay.io" "docker.io" "gcr.io" "quay.io"


@ -5,7 +5,7 @@ in {
# TODO: enable websocket (--rpc-certificate) # TODO: enable websocket (--rpc-certificate)
services.aria2 = { services.aria2 = {
enable = true; enable = true;
downloadDir = "${homeDir}/Downloads/aria2"; downloadDir = "/media/aria2";
rpcListenPort = 6800; rpcListenPort = 6800;
# FIXME: I can expose this, since i listen rpc only on localhost # FIXME: I can expose this, since i listen rpc only on localhost
# but in future it's better to implement read key from secrets before start daemon # but in future it's better to implement read key from secrets before start daemon
@ -14,4 +14,5 @@ in {
openPorts = false; openPorts = false;
}; };
# networking.firewall.allowedTCPPorts = [ config.services.aria2.rpcListenPort ]; # networking.firewall.allowedTCPPorts = [ config.services.aria2.rpcListenPort ];
persist.state.directories = [ "/media/ari2" ];
} }
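Review bot: The path on the new `persist.state.directories = [ "/media/ari2" ];` line does not match the new `downloadDir = "/media/aria2";` in the first hunk, so the download directory will not be persisted and an unrelated `/media/ari2` will be. It should read `persist.state.directories = [ "/media/aria2" ];`. Depending on how the persist module creates the directory, its ownership may also need to match the aria2 service user now that downloads no longer live under the user's home — worth checking on first boot.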


@ -30,5 +30,9 @@ with config.deviceSpecific; {
# directory = config.secretsConfig.gnupgHome; # directory = config.secretsConfig.gnupgHome;
# method = "symlink"; # method = "symlink";
# }]; # }];
persist.state.homeDirectories = [ config.secretsConfig.gnupgHome ]; persist.state.homeDirectories = let
gnupgHome-relative = lib.removePrefix
config.home-manager.users.${config.mainuser}.home.homeDirectory
config.secretsConfig.gnupgHome;
in [ gnupgHome-relative ];
} }
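Review bot: `lib.removePrefix` with the bare home directory as prefix leaves the path separator in place, so for a gnupgHome of `<home>/.gnupg` the new `gnupgHome-relative` becomes `/.gnupg`, while the other `persist.state.homeDirectories` entries in this commit (`"projects"`, `"nixos-config"`) are written without a leading slash; unless the persist module strips it, the GnuPG directory is likely persisted under the wrong path. Include the separator in the prefix: `config.home-manager.users.${config.mainuser}.home.homeDirectory + "/"`. It is also worth guarding the case where gnupgHome is not under the home directory at all, since `removePrefix` then silently returns the unchanged absolute path. Whether `lib` is in scope here cannot be seen, as the file's argument list is outside the hunk.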


@ -3,8 +3,8 @@
systemd.user.services.mako = { systemd.user.services.mako = {
Service = { ExecStart = "${pkgs.mako}/bin/mako"; }; Service = { ExecStart = "${pkgs.mako}/bin/mako"; };
Install = { Install = {
After = [ "sway-session.target" ]; After = [ "hyprland-session.target" ];
WantedBy = [ "sway-session.target" ]; WantedBy = [ "hyprland-session.target" ];
}; };
}; };
programs.mako = with config.lib.base16; { programs.mako = with config.lib.base16; {


@ -53,7 +53,10 @@
]; ];
persist.state.homeDirectories = [ persist.state.homeDirectories = [
"projects" "projects"
"nixos-config" {
directory = "nixos-config";
method = "symlink";
}
] ++ lib.optionals (!config.deviceSpecific.isServer) [ ] ++ lib.optionals (!config.deviceSpecific.isServer) [
"games" "games"
# "persist" # "persist"


@ -1,4 +1,4 @@
{ config, ... }: { { config, lib, ... }: {
home-manager.users.${config.mainuser} = { home-manager.users.${config.mainuser} = {
programs.nix-index = { programs.nix-index = {
enable = true; enable = true;


@ -18,9 +18,12 @@ with config.deviceSpecific; {
programs.ssh.extraConfig = '' programs.ssh.extraConfig = ''
Host nix-builder Host nix-builder
hostname 192.168.0.100 hostname 192.168.0.100
user ${config.mainuser} user alukard
identitiesOnly yes identitiesOnly yes
identityFile ${config.secrets.ssh-builder.decrypted} identityFile ${config.secrets.ssh-builder.decrypted}
Host hypervisor
hostname 192.168.0.10
user ataraxia
''; '';
home-manager.users.${config.mainuser} = { home-manager.users.${config.mainuser} = {
@ -30,9 +33,9 @@ with config.deviceSpecific; {
"*" = { "*" = {
compression = false; compression = false;
}; };
"proxmox.pve" = { "hypervisor" = {
hostname = "192.168.0.10"; hostname = "192.168.0.10";
user = "root"; user = "ataraxia";
}; };
"matrix.pve" = { "matrix.pve" = {
hostname = "192.168.0.11"; hostname = "192.168.0.11";
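Review bot: The new `Host hypervisor` block in the system-wide `programs.ssh.extraConfig` and the new `"hypervisor"` matchBlock in the home-manager config describe the same host (`192.168.0.10`, user `ataraxia`) twice, and unlike the `nix-builder` entry above it the system-level block sets no `identitiesOnly`/`identityFile`, so ssh will offer every loaded key to that host. Defining the host once, or deriving one entry from the other, keeps the two from drifting; if the system-level entry exists only for root, a comment such as `# system-wide entry for root (the user-level one is in home-manager below)` would explain the duplication. The `user` on the nix-builder line also changed from `${config.mainuser}` to the literal `alukard`, which is presumably intentional but drops the parametrisation the rest of the file uses.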


@ -2,8 +2,7 @@
home-manager.users.${config.mainuser} = { home-manager.users.${config.mainuser} = {
xdg.enable = true; xdg.enable = true;
xdg.userDirs.enable = true; xdg.userDirs.enable = true;
xdg.systemDirs.data = [
home.sessionVariables.XDG_DATA_DIRS = [
"${pkgs.gsettings-desktop-schemas}/share/gsettings-schemas/${pkgs.gsettings-desktop-schemas.name}" "${pkgs.gsettings-desktop-schemas}/share/gsettings-schemas/${pkgs.gsettings-desktop-schemas.name}"
"${pkgs.gtk3}/share/gsettings-schemas/${pkgs.gtk3.name}" "${pkgs.gtk3}/share/gsettings-schemas/${pkgs.gtk3.name}"
]; ];
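Review bot: Taking the second-printed `home.sessionVariables.XDG_DATA_DIRS = [ ... ];` as the new side, it assigns a Nix list to a session variable, which home-manager's `home.sessionVariables` (string-valued, as far as I recall) would reject at evaluation time; and even as a joined string it would replace the whole `XDG_DATA_DIRS` search path rather than extend it as `xdg.systemDirs.data` did, hiding the system's own data directories. If moving off `xdg.systemDirs.data` is deliberate, join the entries with `:` and append the inherited value instead of overwriting it, and add a comment stating why the xdg option is not used. The enclosing home-manager attrset starts before the hunk.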


@ -60,7 +60,7 @@
"redd" = "systemctl --user stop gammastep.service &"; "redd" = "systemctl --user stop gammastep.service &";
"show-packages" = "_ nix-store -q --references /run/current-system/sw"; "show-packages" = "_ nix-store -q --references /run/current-system/sw";
"nsp" = "nix-shell --run zsh -p"; "nsp" = "nix-shell --run zsh -p";
"nd" = "nix develop"; "nd" = "nix develop -c zsh";
"nb" = "nix build"; "nb" = "nix build";
"nr" = "nix run"; "nr" = "nix run";
"e" = "$EDITOR"; "e" = "$EDITOR";
@ -76,6 +76,8 @@
"t" = "${pkgs.translate-shell}/bin/trans"; "t" = "${pkgs.translate-shell}/bin/trans";
}; };
initExtra = '' initExtra = ''
setopt HIST_IGNORE_SPACE
rga-fzf() { rga-fzf() {
RG_PREFIX="rga --files-with-matches" RG_PREFIX="rga --files-with-matches"
local file local file