update persist module, small fixes

modules/persist.nix

@@ -24,7 +24,7 @@ let
 in {
   options = let
     inherit (lib) mkOption mkEnableOption;
-    inherit (lib.types) listOf path str;
+    inherit (lib.types) listOf path str either submodule enum;
     common = {
       directories = mkOption {
         type = listOf path;
@@ -34,12 +34,29 @@ in {
         type = listOf str;
         default = [ ];
       };
-      homeDirectories = mkOption {
+      # homeDirectories = mkOption {
+      #   type = listOf str;
+      #   default = [ ];
+      # };
+      homeFiles = mkOption {
         type = listOf str;
         default = [ ];
       };
-      homeFiles = mkOption {
-        type = listOf str;
+      homeDirectories = mkOption {
+        type = listOf (either str (submodule {
+          options = {
+            directory = mkOption {
+              type = str;
+              default = null;
+              description = "The directory path to be linked.";
+            };
+            method = mkOption {
+              type = enum [ "bindfs" "symlink" ];
+              default = "bindfs";
+              description = "The linking method that should be used for this directory.";
+            };
+          };
+        }));
         default = [ ];
       };
     };
@@ -50,7 +67,7 @@ in {
 
       persistRoot = mkOption {
         type = path;
-        default = "/persistent";
+        default = "/persist";
       };
 
       homeDir = mkOption {
@@ -87,7 +104,8 @@ in {
   imports = [ inputs.impermanence.nixosModules.impermanence ];
 
   config = mkIf cfg.enable {
-
+    # FIXME: use symlink instead of bind mounts?
+    # programs.fuse.userAllowOther = true;
 
     environment.persistence.${cfg.persistRoot} = {
       directories = allDirectories;
@@ -99,6 +117,8 @@ in {
       home.persistence."${cfg.persistRoot}${homeDirectory}" = {
         directories = allHomeDirectories;
         files = allHomeFiles;
+        # FIXME: use symlink instead of bind mounts?
+        # allowOther = true;
         allowOther = false;
         removePrefixDirectory = false;
       };

modules/secrets.nix

@@ -3,6 +3,7 @@ with lib;
 with types;
 let
   password-store = config.secretsConfig.password-store;
+  password-store-relative = removePrefix config.home-manager.users.${config.mainuser}.home.homeDirectory password-store;
   secret = { name, ... }: {
     options = {
       encrypted = mkOption {
@@ -48,21 +49,19 @@ let
 
   activate-secrets = pkgs.writeShellScriptBin "activate-secrets" ''
     set -euo pipefail
-    export PATH="${with pkgs; lib.makeBinPath [ openssh gnupg git coreutils ]}:/run/wrappers/bin/:$PATH"
-    export SHELL=${pkgs.runtimeShell}
-    export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
+    PATH="${with pkgs; lib.makeBinPath [ openssh gnupg coreutils ]}:$PATH"
+    export SSH_AUTH_SOCK="$1"
     export GNUPGHOME=${config.secretsConfig.gnupgHome}
-    export GPG_TTY="$(tty)"
     if [ -d "${password-store}/.git" ]; then
-      cd "${password-store}"; git pull
+      ${pkgs.git}/bin/git -C "${password-store}" pull
     else
       echo "${lib.escapeShellArg config.secretsConfig.repo}"
-      git clone ${
+      ${pkgs.git}/bin/git clone ${
         lib.escapeShellArg config.secretsConfig.repo
       } "${password-store}"
     fi
     cat ${password-store}/ssh-builder.gpg | ${pkgs.gnupg}/bin/gpg --decrypt > /dev/null
-    [ ! -z "${allServices}" ] && doas systemctl restart ${allServices}
+    [ ! -z "${allServices}" ] && /run/wrappers/bin/sudo systemctl restart ${allServices}
   '';
 
   decrypt = name: cfg:
@@ -118,6 +117,48 @@ let
     (builtins.attrNames config.secrets));
 
   allServices = toString allServicesMap;
+
+  # https://github.com/nix-community/home-manager/blob/a993eac1065c6ce63a8d724b7bccf624d0e91ca2/modules/services/gpg-agent.nix#L22
+  home-conf = config.home-manager.users.${config.mainuser};
+  homedir = home-conf.programs.gpg.homedir;
+  gpgconf = dir: let
+    hash = substring 0 24 (hexStringToBase32 (builtins.hashString "sha1" homedir));
+  in if homedir == "${home-conf.home.homeDirectory}/.gnupg" then
+    "%t/gnupg/${dir}"
+  else
+    "%t/gnupg/d.${hash}/${dir}";
+  hexStringToBase32 = with lib; let
+    mod = a: b: a - a / b * b;
+    pow2 = elemAt [ 1 2 4 8 16 32 64 128 256 ];
+    splitChars = s: init (tail (splitString "" s));
+
+    base32Alphabet = splitChars "ybndrfg8ejkmcpqxot1uwisza345h769";
+    hexToIntTable = listToAttrs (genList (x: {
+      name = toLower (toHexString x);
+      value = x;
+    }) 16);
+
+    initState = {
+      ret = "";
+      buf = 0;
+      bufBits = 0;
+    };
+    go = { ret, buf, bufBits }:
+      hex:
+      let
+        buf' = buf * pow2 4 + hexToIntTable.${hex};
+        bufBits' = bufBits + 4;
+        extraBits = bufBits' - 5;
+      in if bufBits >= 5 then {
+        ret = ret + elemAt base32Alphabet (buf' / pow2 extraBits);
+        buf = mod buf' (pow2 extraBits);
+        bufBits = bufBits' - 5;
+      } else {
+        ret = ret;
+        buf = buf';
+        bufBits = bufBits';
+      };
+  in hexString: (foldl' go initState (splitChars hexString)).ret;
 in {
   options.secrets = lib.mkOption {
     type = attrsOf (submodule secret);
@@ -146,17 +187,30 @@ in {
     users = [ config.mainuser ];
     noPass = true;
     keepEnv = true;
-    cmd = "/run/current-system/sw/bin/systemctl ";
+    cmd = "/run/current-system/sw/bin/systemctl";
     args = [ "restart" ] ++ allServicesMap;
   }];
 
+  config.security.sudo.extraRules = [{
+    users = [ config.mainuser ];
+    commands = [{
+      command = "/run/current-system/sw/bin/systemctl";
+      options = [ "SETENV" "NOPASSWD" ];
+    }];
+  }];
+
   config.persist.derivative.directories = [ "/var/secrets" ];
-  config.persist.derivative.homeDirectories = [ password-store ];
+  config.persist.derivative.homeDirectories = [{
+    directory = password-store-relative;
+    method = "symlink";
+  }];
 
   config.home-manager.users.${config.mainuser} = {
-    systemd.user.services.activate-secrets = {
+    systemd.user.services.activate-secrets = let
+      ssh-agent = gpgconf "S.gpg-agent.ssh";
+    in {
       Service = {
-        ExecStart = "${activate-secrets}/bin/activate-secrets";
+        ExecStart = "${activate-secrets}/bin/activate-secrets '${ssh-agent}'";
         Type = "oneshot";
       };
       Unit = {

profiles/workspace/gpg.nix

@@ -26,5 +26,9 @@ with config.deviceSpecific; {
     };
   };
 
-  persist.state.homeDirectories = [ ".local/share/gnupg" ];
+  # persist.state.homeDirectories = [{
+  #   directory = config.secretsConfig.gnupgHome;
+  #   method = "symlink";
+  # }];
+  persist.state.homeDirectories = [ config.secretsConfig.gnupgHome ];
 }

profiles/workspace/hyprland/default.nix

@@ -223,7 +223,7 @@ in with config.deviceSpecific; with lib; {
           bind=${modifier},7,workspace,7
           bind=${modifier},8,workspace,8
           bind=${modifier},9,workspace,9
-          bind=${modifier},0,workspace,10
+          bind=${modifier},0,workspace,name:Steam
           bind=${modifier},b,workspace,name:Music
           bind=${modifier},t,workspace,name:Messengers
           bind=${modifier},Cyrillic_E,workspace,name:Messengers
@@ -236,7 +236,7 @@ in with config.deviceSpecific; with lib; {
           bind=${modifier}SHIFT,7,movetoworkspacesilent,7
           bind=${modifier}SHIFT,8,movetoworkspacesilent,8
           bind=${modifier}SHIFT,9,movetoworkspacesilent,9
-          bind=${modifier}SHIFT,0,movetoworkspacesilent,10
+          bind=${modifier}SHIFT,0,movetoworkspacesilent,name:Steam
           bind=${modifier}SHIFT,B,movetoworkspacesilent,name:Music
           bind=${modifier}SHIFT,T,movetoworkspacesilent,name:Messengers
           bind=${modifier}SHIFT,Cyrillic_E,movetoworkspacesilent,name:Messengers
@@ -249,7 +249,7 @@ in with config.deviceSpecific; with lib; {
           bind=ALT,7,movetoworkspacesilent,7
           bind=ALT,8,movetoworkspacesilent,8
           bind=ALT,9,movetoworkspacesilent,9
-          bind=ALT,0,movetoworkspacesilent,10
+          bind=ALT,0,movetoworkspacesilent,name:Steam
           bind=ALT,b,movetoworkspacesilent,name:Music
           bind=ALT,t,movetoworkspacesilent,name:Messengers
           bind=ALT,Cyrillic_E,movetoworkspacesilent,name:Messengers
@@ -262,7 +262,7 @@ in with config.deviceSpecific; with lib; {
           bind=${modifier}ALT,7,movetoworkspace,7
           bind=${modifier}ALT,8,movetoworkspace,8
           bind=${modifier}ALT,9,movetoworkspace,9
-          bind=${modifier}ALT,0,movetoworkspace,10
+          bind=${modifier}ALT,0,movetoworkspace,name:Steam
           bind=${modifier}ALT,b,movetoworkspace,name:Music
           bind=${modifier}ALT,t,movetoworkspace,name:Messengers
           bind=${modifier}ALT,Cyrillic_E,movetoworkspace,name:Messengers
@@ -272,7 +272,7 @@ in with config.deviceSpecific; with lib; {
         #   "^Screenshot Uploader$" "^Steam Guard - Computer Authorization Required$" "^Steam Keyboard$"
         # ])
         ''
-          windowrule=workspace 10 silent,Steam
+          windowrule=workspace name:Steam silent,Steam
           windowrule=workspace name:Music silent,Spotify
           # windowrule=opaque,Spotify
           windowrule=tile,Spotify

profiles/workspace/proxy.nix

@@ -10,9 +10,8 @@
   };
 
   containers.tor = {
-
+    mullvadExclude = config.deviceSpecific.vpn.mullvad.enable;
     autoStart = true;
-
     ephemeral = true;
     # extraFlags = [ "-U" ]; # unprivileged
     hostAddress = "192.168.1.10";
@@ -24,15 +23,7 @@
       isReadOnly = true;
     };
     config = { config, pkgs, ... }: {
-      # users.mutableUsers = false;
-      # users.users.${config.mainuser} = {
-      #   isNormalUser = true;
-      #   extraGroups = [ "wheel" ];
-      #   hashedPassword = "$6$kDBGyd99tto$9LjQwixa7NYB9Kaey002MD94zHob1MmNbVz9kx3yX6Q4AmVgsFMGUyNuHozXprxyuXHIbOlTcf8nd4rK8MWfI/";
-      # };
-
       services.tor.enable = true;
-
       systemd.services.tor-config = {
         script = ''
           cp /var/secrets/tor-config /var/lib/tor/tor-config
@@ -43,25 +34,48 @@
         wantedBy = [ "multi-user.target" ];
         after = [ "network.target" ];
       };
-
       systemd.services.tor = {
         after = [ "tor-config.service" ];
         serviceConfig.ExecStart = lib.mkForce "${config.services.tor.package}/bin/tor -f /var/lib/tor/tor-config";
       };
-
-      networking.firewall = {
+      networking = {
+        enableIPv6 = false;
+        # nameservers = [ "9.9.9.9" ];
+        nameservers = [ "127.0.0.1" ];
+        firewall = {
+          enable = true;
+          allowedTCPPorts = [ 9050 ];
+          rejectPackets = false;
+        };
+      };
+      services.dnscrypt-proxy2 = {
         enable = true;
-        allowedTCPPorts = [ 9050 ];
-        rejectPackets = false;
+        settings = {
+          ipv6_servers = false;
+          doh_servers = false;
+          require_dnssec = true;
+          require_nolog = true;
+          require_nofilter = true;
+          block_ipv6 = true;
+          bootstrap_resolvers = [ "9.9.9.11:53" "9.9.9.9:53" ];
+          sources = {
+            public-resolvers = {
+              urls = [
+                "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+                "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+              ];
+              cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
+              minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+            };
+          };
+          force_tcp = true;
+          proxy = "socks5://127.0.0.1:9050";
+        };
       };
       # environment.etc."resolv.conf".text = "nameserver 192.168.0.1";
       system.stateVersion = "22.11";
     };
   };
 
-  networking.nat = {
-    enable = true;
-    internalInterfaces = [ "ve-tor" ];
-    externalInterface = "wg-mullvad";
-  };
+  networking.nat.internalInterfaces = [ "ve-tor" ];
 }