diff --git a/modules/applications.nix b/modules/applications.nix
index 10d19bc..ed5cfde 100644
--- a/modules/applications.nix
+++ b/modules/applications.nix
@@ -15,8 +15,8 @@ with import ../support.nix { inherit lib config; }; {
desktop = "rofi";
};
editor = {
- cmd = "${pkgs.vscodium}/bin/codium";
- desktop = "codium";
+ cmd = "${pkgs.vscode}/bin/code";
+ desktop = "code";
};
browser = {
cmd = "${pkgs.vivaldi}/bin/vivaldi";
diff --git a/modules/applications/packages.nix b/modules/applications/packages.nix
index 0b85ff4..547f353 100644
--- a/modules/applications/packages.nix
+++ b/modules/applications/packages.nix
@@ -73,7 +73,8 @@ with deviceSpecific; {
home-manager.users.alukard.home.packages = with pkgs; [
nix-zsh-completions
qbittorrent
- vscodium
+ # vscodium
+ vscode
# vscode-with-extensions
xarchiver
tdesktop
@@ -82,6 +83,7 @@ with deviceSpecific; {
] ++ lib.optionals (!isVM) [
steam
steam-run
+ protontricks
];
}
diff --git a/modules/applications/podman-compose.nix b/modules/applications/podman-compose.nix
new file mode 100644
index 0000000..b73d37e
--- /dev/null
+++ b/modules/applications/podman-compose.nix
@@ -0,0 +1,20 @@
+{ lib, python37Packages }:
+with python37Packages;
+buildPythonPackage rec {
+ pname = "podman-compose";
+ version = "0.1.5";
+
+ src = fetchPypi {
+ inherit pname version;
+ sha256 = "1sgbc889zq127qhxa9frhswa1mid19fs5qnyzfihx648y5i968pv";
+ };
+
+ propagatedBuildInputs = [ pyaml ];
+
+ meta = with lib; {
+ homepage = https://github.com/containers/podman-compose;
+ description = "A script to run docker-compose.yml using podman";
+ license = licenses.gpl2;
+ # maintainers = with maintainers; [ alukardbf ];
+ };
+}
\ No newline at end of file
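Review bot: `homepage = https://github.com/containers/podman-compose;` uses the bare URL-literal syntax that nixpkgs has deprecated (RFC 45); write it as a quoted string, `homepage = "https://github.com/containers/podman-compose";`. The runtime dependency also looks off: podman-compose imports PyYAML (`yaml`), whereas nixpkgs' `pyaml` is a separate pretty-printer that only pulls PyYAML in transitively, so `propagatedBuildInputs = [ pyyaml ];` states the real requirement — worth confirming against the 0.1.5 setup.py before changing. The new file is also missing its trailing newline.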
diff --git a/modules/default.nix b/modules/default.nix
index 9bf01d7..aa3e291 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -12,15 +12,12 @@
./workspace/dunst.nix
./workspace/mpv.nix
./workspace/kde
- # ./workspace/ssh.nix
./workspace/locale.nix
./workspace/fonts.nix
./workspace/light.nix
- # ./workspace/autorandr.nix
- # ./workspace/gcalcli.nix
- # ./workspace/rclone.nix
./workspace/xresources.nix
./workspace/barrier.nix
+ ./workspace/podman.nix
./themes.nix
./mullvad.nix
./applications.nix
diff --git a/modules/devices.nix b/modules/devices.nix
index fdbab8d..fd824a6 100644
--- a/modules/devices.nix
+++ b/modules/devices.nix
@@ -18,6 +18,7 @@ with types; {
cpu = devInfo.cpu.vendor;
video = devInfo.video;
isSSD = devInfo.drive.type == "ssd";
+ # isGaming = (isNull (builtins.match ".*VM" device));
hostName = if !isNull devInfo.hostName then
devInfo.hostName
else
diff --git a/modules/packages.nix b/modules/packages.nix
index bf39579..0561ce5 100644
--- a/modules/packages.nix
+++ b/modules/packages.nix
@@ -4,6 +4,7 @@
# nerdfonts = nur.balsoft.pkgs.roboto-mono-nerd;
youtube-to-mpv = pkgs.callPackage ./applications/youtube-to-mpv.nix {};
wg-conf = pkgs.callPackage ./applications/wg-conf.nix {};
+ podman-compose = pkgs.callPackage ./applications/podman-compose.nix {};
xonar-fp = pkgs.writers.writeBashBin "xonar-fp" ''
CURRENT_STATE=`amixer -c 0 sget "Front Panel" | egrep -o '\[o.+\]'`
if [[ $CURRENT_STATE == '[on]' ]]; then
diff --git a/modules/services.nix b/modules/services.nix
index 8e5efc6..294868b 100644
--- a/modules/services.nix
+++ b/modules/services.nix
@@ -85,7 +85,10 @@
services.gnome3.gnome-keyring.enable = true;
+ # TODO: move environment.systemPackages to applications/package.nix
virtualisation.docker.enable = config.devices.${config.device}.enableDocker;
+ environment.systemPackages = lib.mkIf (config.devices.${config.device}.enableDocker)
+ [ pkgs.docker-compose ];
# virtualisation.virtualbox.host = lib.mkIf config.deviceSpecific.isHost {
# enable = true;
# # enableHardening = false;
diff --git a/modules/wireguard.nix b/modules/wireguard.nix
index 35730f3..3f2afb2 100644
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@@ -13,7 +13,7 @@ in {
after = [ "network.target" "network-online.target" ];
wantedBy = [ "multi-user.target" ];
environment.DEVICE = "wg0";
- path = [ pkgs.kmod pkgs.wireguard-tools ];
+ path = [ pkgs.kmod pkgs.wireguard-tools pkgs.iptables ];
serviceConfig = {
Type = "oneshot";
@@ -26,13 +26,34 @@ in {
'';
postStart = lib.mkIf cfg.killswitch ''
- ${pkgs.iptables}/bin/iptables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ${pkgs.iptables}/bin/iptables -I OUTPUT -s 192.168.0.0/24 -j ACCEPT && ${pkgs.iptables}/bin/ip6tables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
+ iptables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && && iptables -I OUTPUT -s 192.168.0.0/24 -j ACCEPT
+ ${lib.strings.optionalString (config.virtualisation.docker.enable) "iptables -I OUTPUT -s 172.17.0.0/16 -j ACCEPT"}
'';
preStop = ''
- ${lib.strings.optionalString (cfg.killswitch) "${pkgs.iptables}/bin/iptables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ${pkgs.iptables}/bin/iptables -D OUTPUT -s 192.168.0.0/24 && ${pkgs.iptables}/bin/ip6tables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT"}
+ ${lib.strings.optionalString (cfg.killswitch) "iptables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && && iptables -D OUTPUT -s 192.168.0.0/24"}
+ ${lib.strings.optionalString (cfg.killswitch && config.virtualisation.docker.enable) "iptables -D OUTPUT -s 172.17.0.0/16"}
wg-quick down /root/wg0.conf
'';
};
+
+ # systemd.services."iptables-docker" = lib.mkIf (config.virtualisation.docker.enable) {
+ # description = "Configure iptables to work with docker";
+ # wantedBy = [ "multi-user.target" ];
+ # path = [ pkgs.iptables pkgs.iproute pkgs.gnugrep pkgs.gnused ];
+
+ # serviceConfig = {
+ # Type = "oneshot";
+ # RemainAfterExit = true;
+ # };
+
+ # script = ''
+ # iptables -A FORWARD -i docker0 -o $(ip route | grep default | sed -e "s/^.*dev.//" -e "s/.proto.*//") -j ACCEPT
+ # iptables -A FORWARD -i $(ip route | grep default | sed -e "s/^.*dev.//" -e "s/.proto.*//") -o docker0 -j ACCEPT
+ # '';
+ # };
+
+ # virtualisation.docker.extraOptions = lib.mkIf (config.virtualisation.docker.enable)
+ # "--iptables=false";
};
}
\ No newline at end of file
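Review bot: The `&& &&` in the rewritten postStart command chain and again in the preStop chain is a bash syntax error, so the shell aborts before running anything on that line: in postStart none of the killswitch REJECT rules are installed, and in preStop the chain fails before `wg-quick down` is reached. Independently, the teardown commands `iptables -D OUTPUT -s 192.168.0.0/24` and `iptables -D OUTPUT -s 172.17.0.0/16` omit the `-j ACCEPT` the rules were inserted with, so iptables should report no matching rule; since NixOS wraps these scripts in `set -e` (I believe) and the deletes are chained with `&&`, the first failed delete also stops the remaining teardown and leaves stale REJECT rules in OUTPUT. I would put one command per line, add `-j ACCEPT` to the deletes and make each delete best-effort so `wg-quick down` always runs; the `-I` ordering (REJECT first, then the ACCEPT exceptions so they are prepended above it) is preserved below.
```nix
postStart = lib.mkIf cfg.killswitch ''
  iptables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
  ip6tables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
  iptables -I OUTPUT -s 192.168.0.0/24 -j ACCEPT
  ${lib.strings.optionalString config.virtualisation.docker.enable "iptables -I OUTPUT -s 172.17.0.0/16 -j ACCEPT"}
'';
preStop = ''
  ${lib.strings.optionalString cfg.killswitch ''
    iptables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT || true
    ip6tables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT || true
    iptables -D OUTPUT -s 192.168.0.0/24 -j ACCEPT || true
    ${lib.strings.optionalString config.virtualisation.docker.enable "iptables -D OUTPUT -s 172.17.0.0/16 -j ACCEPT || true"}
  ''}
  wg-quick down /root/wg0.conf
'';
# … unchanged: commented-out iptables-docker service and docker extraOptions …
```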
diff --git a/modules/workspace/i3/default.nix b/modules/workspace/i3/default.nix
index 741bbe2..27925ed 100644
--- a/modules/workspace/i3/default.nix
+++ b/modules/workspace/i3/default.nix
@@ -10,7 +10,8 @@ in {
package = pkgs.i3-gaps;
config = rec {
assigns = {
- "" = [ { class = "Chromium"; } { class = "Firefox"; } ];
+ # "" = [ { class = "Chromium"; } { class = "Firefox"; } ];
+ "" = [ { class = "Spotify"; } ];
"" = [
{ class = "^Telegram"; }
{ class = "^VK"; }
@@ -90,6 +91,7 @@ in {
startup = map (a: { notification = false; } // a) [
{ command = "${pkgs.xorg.xrdb}/bin/xrdb -merge ~/.Xresources"; }
{ command = "${pkgs.pywal}/bin/wal -R"; }
+ { command = "${pkgs.spotifywm}/bin/spotifywm"; }
];
keybindings = let
script = name: content: "exec ${pkgs.writeScript name content}";
diff --git a/modules/workspace/podman.nix b/modules/workspace/podman.nix
new file mode 100644
index 0000000..2e829a6
--- /dev/null
+++ b/modules/workspace/podman.nix
@@ -0,0 +1,160 @@
+# cfg = config.devices.${config.device}.enableDocker;
+{ config, pkgs, lib, ... }:
+with lib;
+let
+ cfg = config.programs.podman;
+
+ surroundEachWith = str: list:
+ map (e: str + (toString e) + str) list;
+
+ registriesConf = let
+ registryList = list:
+ "registries = [" + (concatStringsSep ", " (surroundEachWith "'" list)) + "]";
+ in concatStringsSep "\n" (mapAttrsToList (type: registries: ''
+ [registries.${type}]
+ ${registryList registries}
+ '') { inherit (cfg.registries) block insecure search; });
+
+in {
+ ###### interface
+
+ options = {
+ programs.podman = {
+
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Whenever to configure podman user-wide.";
+ };
+
+ installSystemWide = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Install packages system-wide.";
+ };
+
+ registries = {
+ search = mkOption {
+ type = types.listOf types.str;
+ default = [ "docker.io" "quay.io" ];
+ description = ''
+ List of repositories to search.
+ '';
+ };
+
+ insecure = mkOption {
+ default = [ ];
+ type = types.listOf types.str;
+ description = ''
+ List of insecure repositories.
+ '';
+ };
+
+ block = mkOption {
+ default = [ ];
+ type = types.listOf types.str;
+ description = ''
+ List of blocked repositories.
+ '';
+ };
+ };
+
+ policy = mkOption {
+ default = {
+ default = [ { type = "reject"; }];
+ };
+ type = types.attrs;
+ example = literalExample ''
+ {
+ default = [ { type = "insecureAcceptAnything"; } ];
+ transports = {
+ docker-daemon = {
+ "" = [ { type = "insecureAcceptAnything"; } ];
+ };
+ };
+ }
+ '';
+ description = ''
+ Signature verification policy file
+
+
+ The default will simply reject everything.
+ '';
+ };
+ };
+ };
+
+ ###### implementation
+
+ config = mkMerge [
+ (mkIf cfg.enable {
+ home-manager.users.alukard.xdg.configFile = {
+ "containers/libpod.conf".text = ''
+ cgroup_manager = "systemd"
+ cni_config_dir = "/etc/cni/net.d/"
+ cni_default_network = "podman"
+ cni_plugin_dir = ["${pkgs.cni-plugins}/bin/"]
+ conmon_path = ["${pkgs.conmon}/bin/conmon"]
+ image_default_transport = "docker://"
+ runtime = "${pkgs.crun}/bin/crun"
+ runtimes = ["${pkgs.crun}/bin/crun", "${pkgs.runc}/bin/runc"]
+ # pause
+ pause_image = "k8s.gcr.io/pause:3.1"
+ pause_command = "/pause"
+ '';
+ "containers/registries.conf".text = registriesConf;
+ "containers/policy.json".text = builtins.toJSON cfg.policy;
+ };
+
+ environment.etc."cni/net.d/87-podman-bridge.conflist".text = (builtins.toJSON {
+ cniVersion = "0.3.0";
+ name = "podman";
+ plugins = [
+ {
+ type = "bridge";
+ bridge = "cni0";
+ isGateway = true;
+ ipMasq = true;
+ ipam = {
+ type = "host-local";
+ subnet = "10.88.0.0/16";
+ routes = [
+ { dst = "0.0.0.0/0"; }
+ ];
+ };
+ }
+ {
+ type = "portmap";
+ capabilities = {
+ portMappings = true;
+ };
+ }
+ ];
+ });
+
+ environment.systemPackages = mkIf cfg.installSystemWide
+ (with pkgs; [
+ buildah conmon crun fuse-overlayfs podman runc slirp4netns iptables podman-compose
+ ]);
+
+ home-manager.users.alukard.home.packages = mkIf (!cfg.installSystemWide)
+ (with pkgs; [
+ buildah conmon crun fuse-overlayfs podman runc slirp4netns iptables podman-compose
+ ]);
+
+ users.users.alukard = {
+ subUidRanges = [{ startUid = 100000; count = 65536; }];
+ subGidRanges = [{ startGid = 100000; count = 65536; }];
+ };
+ })
+ ({
+ programs.podman = {
+ # enable = config.devices.${config.device}.enableDocker;
+ enable = false;
+ policy = {
+ default = [ { type = "insecureAcceptAnything"; }];
+ };
+ };
+ })
+ ];
+}
\ No newline at end of file
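Review bot: The unconditional `enable = false;` in the second mkMerge element is a plain definition rather than a default, so any `programs.podman.enable = true;` set elsewhere should conflict with it (types.bool rejects two differing definitions at equal priority), which makes the module impossible to switch on without mkForce; `enable = lib.mkDefault false;` is what is meant. The same element sets `policy` to `insecureAcceptAnything` unconditionally, silently replacing the option's documented reject-all default and turning off image signature verification for every transport in the generated policy.json; I would make that `policy = lib.mkDefault { ... };` as well and state in the option description that this module's own definition relaxes the default, so a reader of the option text does not assume pulls are rejected. The description `"Whenever to configure podman user-wide."` should read `"Whether to configure podman user-wide."`.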
diff --git a/modules/xserver.nix b/modules/xserver.nix
index 9101738..a1b5bd7 100644
--- a/modules/xserver.nix
+++ b/modules/xserver.nix
@@ -11,6 +11,7 @@ with deviceSpecific; with themes; {
enable = isLaptop;
# sendEventsMode = "disabled-on-external-mouse";
# middleEmulation = false;
+ accelProfile = lib.mkIf (!isLaptop) "flat";
naturalScrolling = true;
};