AtaraxiaDev/nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

update

Browse Source
This commit is contained in:
Dmitriy Kholkin 2023-01-26 00:36:27 +03:00
parent 885096bf81
commit 4edefd3f19
21 changed files with 410 additions and 171 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
patches/gitea-208605.patch Normal file
View File

@ -0,0 +1,45 @@
From 482bafe254f447040d10716a5e8cd6692b743994 Mon Sep 17 00:00:00 2001
From: Izorkin <izorkin@elven.pw>
Date: Sun, 1 Jan 2023 14:07:09 +0300
Subject: [PATCH] nixos/gitea: update sandboxing options
---
nixos/modules/services/misc/gitea.nix | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix
index 00e90f5b32b47..d93bb393429de 100644
--- a/nixos/modules/services/misc/gitea.nix
+++ b/nixos/modules/services/misc/gitea.nix
@@ -567,7 +567,10 @@ in
Restart = "always";
# Runtime directory and mode
RuntimeDirectory = "gitea";
- RuntimeDirectoryMode = "0755";
+ RuntimeDirectoryMode = "0750";
+ # Proc filesystem
+ ProcSubset = "pid";
+ ProtectProc = "invisible";
# Access write directories
ReadWritePaths = [ cfg.dump.backupDir cfg.repositoryRoot cfg.stateDir cfg.lfs.contentDir ];
UMask = "0027";
@@ -587,15 +590,17 @@ in
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
- RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
+ RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
+ RemoveIPC = true;
PrivateMounts = true;
# System Call Filtering
SystemCallArchitectures = "native";
- SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap";
+ SystemCallFilter = [ "~@cpu-emulation @debug @keyring @memlock @mount @obsolete @privileged @resources @setuid" "setrlimit" ];
};
environment = {

14
patches/mullvad.patch Normal file
View File

@ -0,0 +1,14 @@
diff --git a/pkgs/applications/networking/mullvad-vpn/default.nix b/pkgs/applications/networking/mullvad-vpn/default.nix
index 9b1a609d832..15dc909aa64 100644
--- a/pkgs/applications/networking/mullvad-vpn/default.nix
+++ b/pkgs/applications/networking/mullvad-vpn/default.nix
@@ -79,6 +79,9 @@ stdenv.mkDerivation rec {
wrapProgram $out/bin/mullvad-vpn --set MULLVAD_DISABLE_UPDATE_NOTIFICATION 1
+ wrapProgram $out/bin/mullvad-daemon \
+ --set-default MULLVAD_RESOURCE_DIR "$out/share/mullvad/resources"
+
sed -i "s|Exec.*$|Exec=$out/bin/mullvad-vpn $U|" $out/share/applications/mullvad-vpn.desktop
runHook postInstall

265
patches/postfix-93305.patch Normal file
View File

@ -0,0 +1,265 @@
From 769237466abb4614cf203c3d5b9adafe49451a26 Mon Sep 17 00:00:00 2001
From: Izorkin <izorkin@elven.pw>
Date: Sat, 28 Dec 2019 12:51:41 +0300
Subject: [PATCH 1/4] nixos/postfix: enable sandboxing
---
nixos/modules/services/mail/postfix.nix | 73 ++++++++++++++++---------
1 file changed, 47 insertions(+), 26 deletions(-)
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index ad10ba1d9090d..a499f83971d8c 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -705,6 +705,34 @@ in
{ ${setgidGroup}.gid = config.ids.gids.postdrop;
};
+ systemd.tmpfiles.rules = [
+ "d '/var/lib/postfix' 0755 postfix postfix - -"
+ "d '/var/lib/postfix/conf' 0755 postfix postfix - -"
+ "d '/var/lib/postfix/data' 0750 postfix postfix - -"
+ "d '/var/lib/postfix/queue' 0755 postfix postfix - -"
+ "d '/var/lib/postfix/queue/active' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/bounce' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/corrupt' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/defer' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/deferred' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/flush' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/hold' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/incoming' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/maildrop' 0730 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/pid' 0755 postfix postfix - -"
+ "d '/var/lib/postfix/queue/private' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/public' 0710 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/saved' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/trace' 0700 postfix postdrop - -"
+ "d '/var/spool/mail' 1777 root root - -"
+ "Z '/var/lib/postfix' - postfix postfix - -"
+ "Z '/var/lib/postfix/queue/maildrop' - postfix postdrop - -"
+ "Z '/var/lib/postfix/queue/public' - postfix postdrop - -"
+ "L+ '/var/mail' - - - - /var/spool/mail"
+ "L+ '/var/lib/postfix/conf/main.cf' - - - - ${mainCfFile}"
+ "L+ '/var/lib/postfix/conf/master.cf' - - - - ${masterCfFile}"
+ ];
+
systemd.services.postfix =
{ description = "Postfix mail server";
@@ -719,43 +747,36 @@ in
ExecStart = "${pkgs.postfix}/bin/postfix start";
ExecStop = "${pkgs.postfix}/bin/postfix stop";
ExecReload = "${pkgs.postfix}/bin/postfix reload";
+ # Capabilities
+ CapabilityBoundingSet = [ "CAP_DAC_OVERRIDE" "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];
+ # Security
+ NoNewPrivileges = true;
+ # Sandboxing
+ ProtectSystem = "full";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectHostname = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ PrivateMounts = true;
};
preStart = ''
- # Backwards compatibility
- if [ ! -d /var/lib/postfix ] && [ -d /var/postfix ]; then
- mkdir -p /var/lib
- mv /var/postfix /var/lib/postfix
- fi
-
- # All permissions set according ${pkgs.postfix}/etc/postfix/postfix-files script
- mkdir -p /var/lib/postfix /var/lib/postfix/queue/{pid,public,maildrop}
- chmod 0755 /var/lib/postfix
- chown root:root /var/lib/postfix
-
- rm -rf /var/lib/postfix/conf
- mkdir -p /var/lib/postfix/conf
- chmod 0755 /var/lib/postfix/conf
- ln -sf ${pkgs.postfix}/etc/postfix/postfix-files /var/lib/postfix/conf/postfix-files
- ln -sf ${mainCfFile} /var/lib/postfix/conf/main.cf
- ln -sf ${masterCfFile} /var/lib/postfix/conf/master.cf
-
${concatStringsSep "\n" (mapAttrsToList (to: from: ''
+ test -f '/var/lib/postfix/conf/${to}' || rm -f '/var/lib/postfix/conf/${to}'
ln -sf ${from} /var/lib/postfix/conf/${to}
${pkgs.postfix}/bin/postalias /var/lib/postfix/conf/${to}
'') cfg.aliasFiles)}
${concatStringsSep "\n" (mapAttrsToList (to: from: ''
+ test -f '/var/lib/postfix/conf/${to}' || rm -f '/var/lib/postfix/conf/${to}'
ln -sf ${from} /var/lib/postfix/conf/${to}
${pkgs.postfix}/bin/postmap /var/lib/postfix/conf/${to}
'') cfg.mapFiles)}
-
- mkdir -p /var/spool/mail
- chown root:root /var/spool/mail
- chmod a+rwxt /var/spool/mail
- ln -sf /var/spool/mail /var/
-
- #Finally delegate to postfix checking remain directories in /var/lib/postfix and set permissions on them
- ${pkgs.postfix}/bin/postfix set-permissions config_directory=/var/lib/postfix/conf
'';
};
From a4f4dd228823316959786e7fdaf137f6ca09c4ba Mon Sep 17 00:00:00 2001
From: Philipp Bartsch <phil@grmr.de>
Date: Sat, 18 Jul 2020 01:22:53 +0200
Subject: [PATCH 2/4] nixos/postfix: more sandboxing
---
nixos/modules/services/mail/postfix.nix | 65 +++++++++++++++----------
1 file changed, 40 insertions(+), 25 deletions(-)
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index a499f83971d8c..b9b9836813ddd 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -9,6 +9,25 @@ let
group = cfg.group;
setgidGroup = cfg.setgidGroup;
+ preStartScript = pkgs.writeScript "pre-start-script" ''
+ #!${pkgs.stdenv.shell}
+ set -euo pipefail
+
+ ${concatStringsSep "\n" (mapAttrsToList (to: from: ''
+ test -f '/var/lib/postfix/conf/${to}' || rm -f '/var/lib/postfix/conf/${to}'
+ ln -sf ${from} /var/lib/postfix/conf/${to}
+ ${pkgs.postfix}/bin/postalias /var/lib/postfix/conf/${to}
+ '') cfg.aliasFiles)}
+ ${concatStringsSep "\n" (mapAttrsToList (to: from: ''
+ test -f '/var/lib/postfix/conf/${to}' || rm -f '/var/lib/postfix/conf/${to}'
+ ln -sf ${from} /var/lib/postfix/conf/${to}
+ ${pkgs.postfix}/bin/postmap /var/lib/postfix/conf/${to}
+ '') cfg.mapFiles)}
+
+ # Finally delegate to postfix checking remain directories in /var/lib/postfix and set permissions on them
+ ${pkgs.postfix}/bin/postfix set-permissions config_directory=/var/lib/postfix/conf
+ '';
+
haveAliases = cfg.postmasterAlias != "" || cfg.rootAlias != ""
|| cfg.extraAliases != "";
haveTransport = cfg.transport != "";
@@ -747,37 +766,33 @@ in
ExecStart = "${pkgs.postfix}/bin/postfix start";
ExecStop = "${pkgs.postfix}/bin/postfix stop";
ExecReload = "${pkgs.postfix}/bin/postfix reload";
- # Capabilities
- CapabilityBoundingSet = [ "CAP_DAC_OVERRIDE" "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];
- # Security
+ ExecStartPre = "+${preStartScript}";
+
+ ReadWritePaths = [ "/var/lib/postfix" "/var/spool/mail" ];
+
+ CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID";
+ DevicePolicy = "closed";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
- # Sandboxing
- ProtectSystem = "full";
- ProtectHome = true;
- PrivateTmp = true;
PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
ProtectHostname = true;
- ProtectKernelTunables = true;
+ ProtectKernelLogs = true;
ProtectKernelModules = true;
- ProtectControlGroups = true;
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "full";
+ RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK AF_UNIX";
+ RestrictNamespaces = true;
RestrictRealtime = true;
- PrivateMounts = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [ "@system-service" "~@resources" ];
+ UMask = "0077";
};
-
- preStart = ''
- ${concatStringsSep "\n" (mapAttrsToList (to: from: ''
- test -f '/var/lib/postfix/conf/${to}' || rm -f '/var/lib/postfix/conf/${to}'
- ln -sf ${from} /var/lib/postfix/conf/${to}
- ${pkgs.postfix}/bin/postalias /var/lib/postfix/conf/${to}
- '') cfg.aliasFiles)}
- ${concatStringsSep "\n" (mapAttrsToList (to: from: ''
- test -f '/var/lib/postfix/conf/${to}' || rm -f '/var/lib/postfix/conf/${to}'
- ln -sf ${from} /var/lib/postfix/conf/${to}
- ${pkgs.postfix}/bin/postmap /var/lib/postfix/conf/${to}
- '') cfg.mapFiles)}
- '';
};
services.postfix.config = (mapAttrs (_: v: mkDefault v) {
From 0bf216e6268bccfabda21e9a9444934fe651db6a Mon Sep 17 00:00:00 2001
From: Philipp Bartsch <phil@grmr.de>
Date: Sun, 19 Jul 2020 14:25:24 +0200
Subject: [PATCH 3/4] nixos/postfix: fixup cosmetics
---
nixos/modules/services/mail/postfix.nix | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index b9b9836813ddd..f039b2b6832ff 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -770,7 +770,7 @@ in
ReadWritePaths = [ "/var/lib/postfix" "/var/spool/mail" ];
- CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID";
+ CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
@@ -785,7 +785,7 @@ in
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "full";
- RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK AF_UNIX";
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" "AF_UNIX" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
From 7b285fb877a7463fb769e8f57d0679eb7f0de8c0 Mon Sep 17 00:00:00 2001
From: Philipp Bartsch <phil@grmr.de>
Date: Tue, 21 Jul 2020 22:31:24 +0200
Subject: [PATCH 4/4] nixos/postfix: fix permission issue
---
nixos/modules/services/mail/postfix.nix | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index f039b2b6832ff..3cd3b170e2f68 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -770,7 +770,7 @@ in
ReadWritePaths = [ "/var/lib/postfix" "/var/spool/mail" ];
- CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];
+ CapabilityBoundingSet = [ "CAP_DAC_OVERRIDE" "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;

12
patches/zen-kernels.patch
View File

@ -1,17 +1,17 @@
diff --git a/pkgs/os-specific/linux/kernel/zen-kernels.nix b/pkgs/os-specific/linux/kernel/zen-kernels.nix
index 6ee6c38..ea55339 100644
index 4c72a78..37baf48 100644
--- a/pkgs/os-specific/linux/kernel/zen-kernels.nix
+++ b/pkgs/os-specific/linux/kernel/zen-kernels.nix
@@ -11,9 +11,9 @@ let
};
# ./update-zen.py lqx
lqxVariant = {
- version = "6.0.10"; #lqx
- version = "6.1.3"; #lqx
- suffix = "lqx1"; #lqx
- sha256 = "0hbak9m4j259xrhbv173axbfzr13r47xqsax7s64ga9688bra1m7"; #lqx
+ version = "6.0.11"; #lqx
+ suffix = "lqx2"; #lqx
+ sha256 = "089mhxfdfi6wv0f2jx3j30y71mrkwrw5k8a7hyga1516j17qxva1"; #lqx
- sha256 = "0vp6skhw4wsxk2nl3m8y975a9bx78h5wl574wsfgnc5nvzmh250l"; #lqx
+ version = "6.0.13"; #lqx
+ suffix = "lqx3"; #lqx
+ sha256 = "0dc295d9dfm3j2nmvkzy21ky1k6jp7c7miqjhqgfjny9yk1b41k4"; #lqx
isLqx = true;
};
zenKernelsFor = { version, suffix, sha256, isLqx }: buildLinux (args // {

24
profiles/applications/firefox.nix
View File

@ -45,26 +45,6 @@ in {
# enable = true;
# browsers = [ "firefox" ];
# };
wayland.windowManager.sway.config = {
window.commands = [
{
criteria = { title = "Firefox Sharing Indicator"; };
command = "floating enable";
}
{
criteria = { title = "Firefox Sharing Indicator"; };
command = "no_focus";
}
{
criteria = { title = "Firefox Sharing Indicator"; };
command = "resize set 0 0";
}
{
criteria = { title = "Firefox Sharing Indicator"; };
command = "move absolute position 10 10";
}
];
};
programs.firefox = {
enable = true;
@ -111,7 +91,7 @@ in {
"browser.anchor_color" = thm.base0D-hex;
"browser.visited_color" = thm.base0C-hex;
"browser.display.use_document_fonts" = true;
"pdfjs.disabled" = true;
# "pdfjs.disabled" = true;
"media.eme.enabled" = true;
@ -119,6 +99,8 @@ in {
"experiments.enabled" = false;
"experiments.supported" = false;
"network.allow-experiments" = false;
# "identity.sync.tokenserver.uri" = "https://fsync.ataraxiadev.com/1.0/sync/1.5";
};
extraPrefs = "${fileContents "${pkgs.arkenfox-userjs}/share/user-js/profiles/user.js"}";
};

4
profiles/applications/packages.nix
View File

@ -85,7 +85,7 @@ with config.deviceSpecific; {
prismlauncher
reshade-shaders
(retroarch.override { cores = [ libretro.genesis-plus-gx libretro.dosbox ]; })
parsec
# parsec
protonhax
protontricks
vkBasalt
@ -93,6 +93,6 @@ with config.deviceSpecific; {
winetricks
] ++ lib.optionals isLaptop [
acpi
seadrive-fuse
# seadrive-fuse
];
}

17
profiles/applications/vscode/default.nix
View File

@ -28,13 +28,6 @@ in
open-vsx = inputs.nix-vscode-marketplace.packages.${pkgs.system}.open-vsx;
nixpkgs = pkgs.vscode-extensions;
in [
(inputs.direnv-vscode.packages.${pkgs.system}.vsix.overrideAttrs (_: {
buildPhase = "yarn run build";
installPhase = ''
mkdir -p $out/share/vscode/extensions/direnv.direnv-vscode
cp -R * $out/share/vscode/extensions/direnv.direnv-vscode
'';
}))
(pkgs.callPackage ./theme.nix { mainuser = config.mainuser; } config.lib.base16.theme)
vscode.aaron-bond.better-comments
@ -57,9 +50,17 @@ in
vscode.lucax88x.codeacejumper
vscode.marcelovelasquez.flutter-tree
vscode.mhutchie.git-graph
vscode.mkhl.direnv
vscode.ms-azuretools.vscode-docker
vscode.ms-vscode-remote.remote-ssh
nixpkgs.rust-lang.rust-analyzer
# Django
nixpkgs.ms-python.python
vscode.monosans.djlint
vscode.ms-python.isort
vscode.ms-python.vscode-pylance
vscode.thebarkman.vscode-djaneiro
];
# mutableExtensionsDir = false;
userSettings = {
@ -121,7 +122,7 @@ in
"search.exclude" = {
"**/.direnv" = true;
};
"git.autofetch" = true;
"git.autofetch" = false;
"git.enableCommitSigning" = true;
"git-graph.repository.sign.commits" = true;
"git-graph.repository.sign.tags" = true;

2
profiles/overlay.nix
View File

@ -36,7 +36,7 @@ with lib; {
reshade-shaders = pkgs.callPackage ./packages/reshade-shaders.nix { };
rosepine-gtk-theme = pkgs.callPackage ./packages/rosepine-gtk-theme.nix { };
rosepine-icon-theme = pkgs.callPackage ./packages/rosepine-icon-theme.nix { };
seadrive-fuse = pkgs.callPackage ./packages/seadrive-fuse.nix { };
# seadrive-fuse = pkgs.callPackage ./packages/seadrive-fuse.nix { };
tidal-dl = pkgs.callPackage ./packages/tidal-dl.nix { };
tokyonight-gtk-theme = pkgs.callPackage ./packages/tokyonight-gtk-theme.nix { };
tokyonight-icon-theme = pkgs.callPackage ./packages/tokyonight-icon-theme.nix { };

80
profiles/packages/hyprpaper.nix
View File

@ -1,80 +0,0 @@
{
lib,
stdenv,
pkg-config,
cmake,
ninja,
cairo,
fribidi,
libdatrie,
libjpeg,
libselinux,
libsepol,
libthai,
pango,
pcre,
utillinux,
wayland,
wayland-protocols,
wayland-scanner,
wlr-protocols,
libXdmcp,
version ? "git",
src,
}:
stdenv.mkDerivation {
pname = "hyprpaper";
inherit version;
src = src;
nativeBuildInputs = [
cmake
ninja
pkg-config
];
buildInputs = [
cairo
fribidi
libdatrie
libjpeg
libselinux
libsepol
libthai
pango
pcre
wayland
wayland-protocols
wayland-scanner
wlr-protocols
libXdmcp
utillinux
];
configurePhase = ''
runHook preConfigure
make release
runHook postConfigure
'';
installPhase = ''
runHook preInstall
mkdir -p $out/{bin,share/licenses}
install -Dm755 build/hyprpaper -t $out/bin
install -Dm644 LICENSE -t $out/share/licenses/hyprpaper
runHook postInstall
'';
meta = with lib; {
homepage = "https://github.com/hyprwm/hyprpaper";
description = "A blazing fast wayland wallpaper utility with IPC controls";
license = licenses.bsd3;
platforms = platforms.linux;
mainProgram = "hyprpaper";
};
}

2
profiles/packages/parsec.nix
View File

@ -44,7 +44,7 @@ let
name = "parsec-pkg";
src = fetchurl {
url = "https://s3.amazonaws.com/parsec-build/package/parsec-linux.deb";
sha256 = "1hfdzjd8qiksv336m4s4ban004vhv00cv2j461gc6zrp37s0fwhc";
hash = "sha256-wwBy86TdrHaH9ia40yh24yd5G84WTXREihR+9I6o6uU=";
};
phases = [ "buildPhase" ];
buildInputs = [ dpkg ];

4
profiles/servers/stable-diffusion.nix
View File

@ -21,10 +21,10 @@ in with config.virtualisation.oci-containers; {
"seccomp=unconfined"
"--hostname=stable-diffusion-ct"
];
image = "rocm-arch";
image = "docker.io/ataraxiadev/rocm-pytorch";
ports = [ "80:7860/tcp" ];
volumes = [
"/home/${config.mainuser}/projects/rocm-terminal/shared:/shared"
"/home/${config.mainuser}/projects/stable-diffusion-rocm/shared:/shared"
];
};

16
profiles/services.nix
View File

@ -98,14 +98,14 @@ with config.deviceSpecific; {
};
};
secrets.seadrive = {
owner = config.mainuser;
};
services.seadrive = {
enable = !isServer;
settingsFile = config.secrets.seadrive.decrypted;
mountPoint = "/media/seadrive";
};
# secrets.seadrive = {
# owner = config.mainuser;
# };
# services.seadrive = {
# enable = !isServer;
# settingsFile = config.secrets.seadrive.decrypted;
# mountPoint = "/media/seadrive";
# };
services.upower.enable = true;

2
profiles/virtualisation.nix
View File

@ -17,7 +17,7 @@ with config.deviceSpecific; {
virtualisation.podman = {
enable = true;
extraPackages = [ pkgs.zfs ];
defaultNetwork.dnsname.enable = true;
defaultNetwork.settings.dns_enabled = true;
};
virtualisation.containers.registries.search = [
"docker.io" "gcr.io" "quay.io"

3
profiles/workspace/aria2.nix
View File

@ -5,7 +5,7 @@ in {
# TODO: enable websocket (--rpc-certificate)
services.aria2 = {
enable = true;
downloadDir = "${homeDir}/Downloads/aria2";
downloadDir = "/media/aria2";
rpcListenPort = 6800;
# FIXME: I can expose this, since i listen rpc only on localhost
# but in future it's better to implement read key from secrets before start daemon
@ -14,4 +14,5 @@ in {
openPorts = false;
};
# networking.firewall.allowedTCPPorts = [ config.services.aria2.rpcListenPort ];
persist.state.directories = [ "/media/ari2" ];
}

6
profiles/workspace/gpg.nix
View File

@ -30,5 +30,9 @@ with config.deviceSpecific; {
# directory = config.secretsConfig.gnupgHome;
# method = "symlink";
# }];
persist.state.homeDirectories = [ config.secretsConfig.gnupgHome ];
persist.state.homeDirectories = let
gnupgHome-relative = lib.removePrefix
config.home-manager.users.${config.mainuser}.home.homeDirectory
config.secretsConfig.gnupgHome;
in [ gnupgHome-relative ];
}

4
profiles/workspace/mako.nix
View File

@ -3,8 +3,8 @@
systemd.user.services.mako = {
Service = { ExecStart = "${pkgs.mako}/bin/mako"; };
Install = {
After = [ "sway-session.target" ];
WantedBy = [ "sway-session.target" ];
After = [ "hyprland-session.target" ];
WantedBy = [ "hyprland-session.target" ];
};
};
programs.mako = with config.lib.base16; {

5
profiles/workspace/misc.nix
View File

@ -53,7 +53,10 @@
];
persist.state.homeDirectories = [
"projects"
"nixos-config"
{
directory = "nixos-config";
method = "symlink";
}
] ++ lib.optionals (!config.deviceSpecific.isServer) [
"games"
# "persist"

2
profiles/workspace/nix-index.nix
View File

@ -1,4 +1,4 @@
{ config, ... }: {
{ config, lib, ... }: {
home-manager.users.${config.mainuser} = {
programs.nix-index = {
enable = true;

9
profiles/workspace/ssh.nix
View File

@ -18,9 +18,12 @@ with config.deviceSpecific; {
programs.ssh.extraConfig = ''
Host nix-builder
hostname 192.168.0.100
user ${config.mainuser}
user alukard
identitiesOnly yes
identityFile ${config.secrets.ssh-builder.decrypted}
Host hypervisor
hostname 192.168.0.10
user ataraxia
'';
home-manager.users.${config.mainuser} = {
@ -30,9 +33,9 @@ with config.deviceSpecific; {
"*" = {
compression = false;
};
"proxmox.pve" = {
"hypervisor" = {
hostname = "192.168.0.10";
user = "root";
user = "ataraxia";
};
"matrix.pve" = {
hostname = "192.168.0.11";

3
profiles/workspace/xdg.nix
View File

@ -2,8 +2,7 @@
home-manager.users.${config.mainuser} = {
xdg.enable = true;
xdg.userDirs.enable = true;
home.sessionVariables.XDG_DATA_DIRS = [
xdg.systemDirs.data = [
"${pkgs.gsettings-desktop-schemas}/share/gsettings-schemas/${pkgs.gsettings-desktop-schemas.name}"
"${pkgs.gtk3}/share/gsettings-schemas/${pkgs.gtk3.name}"
];

4
profiles/workspace/zsh/default.nix
View File

@ -60,7 +60,7 @@
"redd" = "systemctl --user stop gammastep.service &";
"show-packages" = "_ nix-store -q --references /run/current-system/sw";
"nsp" = "nix-shell --run zsh -p";
"nd" = "nix develop";
"nd" = "nix develop -c zsh";
"nb" = "nix build";
"nr" = "nix run";
"e" = "$EDITOR";
@ -76,6 +76,8 @@
"t" = "${pkgs.translate-shell}/bin/trans";
};
initExtra = ''
setopt HIST_IGNORE_SPACE
rga-fzf() {
RG_PREFIX="rga --files-with-matches"
local file