authorAzat Bahawi <azat@bahawi.net>2022-09-13 02:37:13 +0300
committerAzat Bahawi <azat@bahawi.net>2022-09-13 02:37:13 +0300
commitcc1ed99b3ec1cb8d025c11bc4db45bf643ef3780 (patch)
tree548b31332a279a9aae00c202be5623d74e698ad7
parent5b01fa945b2122b82da4be33203e4cf753951b7c (diff)
2022-09-13
-rw-r--r--modules/nixfiles/curl.nix2
-rw-r--r--modules/nixfiles/gnupg.nix2
-rw-r--r--modules/nixfiles/ipfs.nix2
-rw-r--r--modules/nixfiles/password-store.nix2
-rw-r--r--modules/nixfiles/profiles/dev/common.nix12
-rw-r--r--modules/nixfiles/profiles/dev/containers/default.nix7
-rw-r--r--modules/nixfiles/profiles/headful.nix1
-rw-r--r--modules/nixfiles/soju.nix28
-rw-r--r--modules/nixfiles/solaar.nix5
-rw-r--r--modules/nixfiles/wget.nix6
-rw-r--r--packages/ultimmc.nix22
11 files changed, 58 insertions, 31 deletions
diff --git a/modules/nixfiles/curl.nix b/modules/nixfiles/curl.nix
index e7bee31..ac5e938 100644
--- a/modules/nixfiles/curl.nix
+++ b/modules/nixfiles/curl.nix
@@ -11,7 +11,7 @@ in {
mkEnableOption "Wether to enable cURL.";
config = mkIf cfg.enable {
- hm.home.file.".curlrc".text = ''
+ hm.xdg.configFile.".curlrc".text = ''
connect-timeout = 60
progress-bar
referer = ";auto"
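Review bot: The new key on the `+` line keeps the leading dot, so the file lands at `$XDG_CONFIG_HOME/.curlrc`, which is not a location curl reads: curl looks for `$CURL_HOME/.curlrc`, then (since 7.73.0) `$XDG_CONFIG_HOME/curlrc` without a dot, then `$HOME/.curlrc`. As written the options in this file are silently ignored. The line should be `hm.xdg.configFile."curlrc".text = ''`, or alternatively keep `home.file.".curlrc"`. The attribute set containing this file continues past the hunk.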
diff --git a/modules/nixfiles/gnupg.nix b/modules/nixfiles/gnupg.nix
index 96c34ee..67d36d8 100644
--- a/modules/nixfiles/gnupg.nix
+++ b/modules/nixfiles/gnupg.nix
@@ -26,6 +26,8 @@ in {
programs.gpg = {
enable = true;
+ homedir = "${config.dirs.data}/gnupg";
+
settings =
{
display-charset = "utf-8";
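Review bot: The added `homedir` moves the keyring out of `~/.gnupg`, but nothing in the hunk ensures the new directory is created with mode 0700; if it is created on demand by home-manager's file linking, it inherits the session umask and gpg will warn about unsafe permissions on every invocation while the directory listing of the private key store is readable to other local users. I'd add a comment next to the option, `# GNUPGHOME must be 0700 — gpg refuses to trust a group/world-accessible homedir`, and create the directory explicitly with that mode (for example via a tmpfiles rule) rather than relying on defaults. Whether `config.dirs.data` itself is already restrictive is not visible here, so confirm against its definition.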
diff --git a/modules/nixfiles/ipfs.nix b/modules/nixfiles/ipfs.nix
index 8bdbc12..1b1c802 100644
--- a/modules/nixfiles/ipfs.nix
+++ b/modules/nixfiles/ipfs.nix
@@ -56,7 +56,7 @@ in {
user = my.username;
inherit (config.my) group;
- dataDir = "${config.my.home}/.ipfs";
+ dataDir = "${config.dirs.data}/ipfs";
swarmAddress = let
port = toString cfg.swarmPort;
diff --git a/modules/nixfiles/password-store.nix b/modules/nixfiles/password-store.nix
index d40afab..7eac85e 100644
--- a/modules/nixfiles/password-store.nix
+++ b/modules/nixfiles/password-store.nix
@@ -16,7 +16,7 @@ in {
package = pkgs.pass.withExtensions (p: with p; [pass-otp]);
- settings.PASSWORD_STORE_DIR = "${config.my.home}/.password-store";
+ settings.PASSWORD_STORE_DIR = "${config.dirs.data}/password-store";
};
# https://github.com/NixOS/nixpkgs/issues/183604
diff --git a/modules/nixfiles/profiles/dev/common.nix b/modules/nixfiles/profiles/dev/common.nix
index e5b60dc..497a573 100644
--- a/modules/nixfiles/profiles/dev/common.nix
+++ b/modules/nixfiles/profiles/dev/common.nix
@@ -110,7 +110,7 @@ in {
".ghc/ghci.conf".source = ./ghci.conf;
- ".stack/config.yaml".text = generators.toYAML {} {
+ "${config.dirs.data}/stack/config.yaml".text = generators.toYAML {} {
templates.params = rec {
author-name = my.fullname;
author-email = my.email;
@@ -245,10 +245,14 @@ in {
'';
};
- sessionVariables = {
- CARGO_HOME = "${config.dirs.data}/cargo";
- GOPATH = "${config.dirs.data}/go";
+ sessionVariables = with config.dirs; {
+ ANDROID_HOME = "${data}/android";
+ CABAL_CONFIG = "${data}/cabal/config";
+ CABAL_DIR = "${data}/cabal";
+ CARGO_HOME = "${data}/cargo";
+ GOPATH = "${data}/go";
PYTHONSTARTUP = ./pystartup.py;
+ STACK_ROOT = "${data}/stack";
};
packages = with pkgs; [
diff --git a/modules/nixfiles/profiles/dev/containers/default.nix b/modules/nixfiles/profiles/dev/containers/default.nix
index b533626..c03a30c 100644
--- a/modules/nixfiles/profiles/dev/containers/default.nix
+++ b/modules/nixfiles/profiles/dev/containers/default.nix
@@ -16,9 +16,12 @@ in {
podman.enable = true;
};
- hm = {
+ hm = let
+ minikubeHome = "${config.dirs.data}/minikube";
+ in {
home = {
sessionVariables = {
+ MINIKUBE_HOME = minikubeHome;
MINIKUBE_IN_STYLE = false;
WERF_DEV = true;
WERF_INSECURE_REGISTRY = true;
@@ -29,7 +32,7 @@ in {
WERF_TELEMETRY = false;
};
- file.".minikube/config/config.json".text = generators.toJSON {} {
+ file."${minikubeHome}/config/config.json".text = generators.toJSON {} {
config.Rootless = true;
driver = "podman";
container-runtime = "cri-o";
diff --git a/modules/nixfiles/profiles/headful.nix b/modules/nixfiles/profiles/headful.nix
index d8fc208..94c0d28 100644
--- a/modules/nixfiles/profiles/headful.nix
+++ b/modules/nixfiles/profiles/headful.nix
@@ -30,7 +30,6 @@ in {
mpv.enable = true;
openssh.client.enable = true;
password-store.enable = true;
- solaar.enable = true;
sound.enable = true;
x11.enable = true;
diff --git a/modules/nixfiles/soju.nix b/modules/nixfiles/soju.nix
index b7ddec9..a7d30f7 100644
--- a/modules/nixfiles/soju.nix
+++ b/modules/nixfiles/soju.nix
@@ -55,7 +55,6 @@ in {
wantedBy = ["multi-user.target"];
after = ["network-online.target" "postgresql.service"];
serviceConfig = {
- Restart = "always";
ExecStart = let
configFile = pkgs.writeText "soju.conf" ''
listen ${cfg.protocol}://${cfg.address}:${toString cfg.port}
@@ -76,7 +75,32 @@ in {
"-config ${configFile}"
];
DynamicUser = true;
- StateDirectory = "soju";
+ AmbientCapabilities = [""];
+ CapabilityBoundingSet = [""];
+ UMask = "0077";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ RemoveIPC = true;
+ RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = ["@system-service" "~@privileged"];
};
};
};
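Review bot: The hardening block drops every capability (`AmbientCapabilities = [""]`, `CapabilityBoundingSet = [""]`) while the listen line in the previous hunk binds `${cfg.address}:${toString cfg.port}`; if `cfg.port` is ever below 1024 the bind now fails at startup, so either document the constraint on the port option or grant exactly `AmbientCapabilities = ["CAP_NET_BIND_SERVICE"]` and `CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"]`. Likewise `ProtectSystem = "strict"` together with the removed `StateDirectory` leaves the unit with no writable path except `/tmp`; that is fine if all state lives in PostgreSQL, but any file-backed message store or log path in the generated config (not visible here) would fail with EROFS, so this is worth a comment stating that the service is expected to be stateless on disk. The first hunk of this file also removes `Restart = "always"`, which I would hedge against: a crash after a PostgreSQL restart now leaves the bouncer down until manual intervention.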
diff --git a/modules/nixfiles/solaar.nix b/modules/nixfiles/solaar.nix
index 073beb0..ceff23d 100644
--- a/modules/nixfiles/solaar.nix
+++ b/modules/nixfiles/solaar.nix
@@ -22,7 +22,10 @@ in {
PartOf = ["graphical-session.target"];
};
Service = {
- # The dirtiest hack I've ever implemented... I should be ashamed of it.
+ # The dirtiest hack I've ever implemented... I should be ashamed of
+ # it. Regardless, that shit still doesn't work because each reconnect,
+ # /dev/hidraw* is recreated and has default permissions which breaks
+ # Solaar. Fuck this shit.
ExecStartPre = let
pkg = pkgs.writeShellApplication {
name = "solaar-pre";
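Review bot: The expanded comment now documents that the pre-start hack cannot work because `/dev/hidraw*` nodes are recreated with default permissions on every reconnect, but the hunk keeps the hack in place instead of using the mechanism designed for exactly that case: a udev rule, which is re-applied each time the node appears. Solaar ships such a rule set, and on NixOS `services.udev.packages = [pkgs.solaar];` installs it, which would let `ExecStartPre` go away entirely and avoid a service-start step that adjusts device permissions from user scope. The `ExecStartPre` body starts here and continues outside the hunk, so I am inferring what it does from the comment; if it does something other than loosening hidraw permissions, disregard the second point.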
diff --git a/modules/nixfiles/wget.nix b/modules/nixfiles/wget.nix
index cb5c99e..6d7b1b2 100644
--- a/modules/nixfiles/wget.nix
+++ b/modules/nixfiles/wget.nix
@@ -11,7 +11,9 @@ in {
config = mkIf cfg.enable {
hm = {
- home.file.".wgetrc".text = ''
+ programs.bash.shellAliases.wget = "${pkgs.wget}/bin/wget --hsts-file=${config.dirs.data}/wget-hsts";
+
+ home.sessionVariables.WGETRC = pkgs.writeText "wgetrc" ''
adjust_extension = on
dirstruct = off
follow_ftp = on
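Review bot: The `--hsts-file` override is attached only to a bash alias, so wget invoked from scripts, from other shells, or by any tool that execs the binary directly still reads and writes the default `~/.wget-hsts` database, and HSTS state ends up split across two files. Since the hunk already generates a wgetrc via `WGETRC`, the setting belongs there: add `hsts-file = ${config.dirs.data}/wget-hsts` to the wgetrc text and drop the `programs.bash.shellAliases.wget` line. The second hunk of this file only removes the old alias and needs no further change.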
@@ -26,8 +28,6 @@ in {
wait = 0
waitretry = 10
'';
-
- programs.bash.shellAliases.wget = "${pkgs.wget}/bin/wget --hsts-file=${config.hm.xdg.cacheHome}/wget-hsts";
};
environment.systemPackages = with pkgs; [wget];
diff --git a/packages/ultimmc.nix b/packages/ultimmc.nix
index 86377b4..0259a7a 100644
--- a/packages/ultimmc.nix
+++ b/packages/ultimmc.nix
@@ -16,22 +16,14 @@ stdenv.mkDerivation rec {
src = fetchFromGitHub {
owner = "UltimMC";
repo = "Launcher";
- rev = "6bfa07e728865d8d31a43ef5231b2461d55fc4b3";
+ rev = "a522ec3ad4602de1f457a25bce98ef912a29d7d6";
fetchSubmodules = true;
- hash = "sha256-gMEjy1jM/T7Un4FDNbAd9AAdVUOHRfL+arhahHPCBFo=";
+ hash = "sha256-+UgBblyEx0cKH8UMBOPtjhQLv2YUKj91UokQWKCEPbY=";
};
- nativeBuildInputs = [
- cmake
- jdk
- ninja
- wrapQtAppsHook
- ];
+ nativeBuildInputs = [cmake jdk ninja wrapQtAppsHook];
- buildInputs = [
- qtbase
- zlib
- ];
+ buildInputs = [qtbase zlib];
postPatch = ''
substituteInPlace CMakeLists.txt \
@@ -44,7 +36,7 @@ stdenv.mkDerivation rec {
desktopItem = makeDesktopItem {
name = pname;
- exec = "DevLauncher";
+ exec = pname;
icon = pname;
desktopName = pname;
genericName = "Custom Minecraft launcher";
@@ -54,7 +46,7 @@ stdenv.mkDerivation rec {
dontWrapQtApps = true;
postInstall = ''
- rm $out/DevLauncher
+ rm $out/${pname}
install -Dm644 \
${desktopItem}/share/applications/${pname}.desktop \
@@ -65,7 +57,7 @@ stdenv.mkDerivation rec {
'';
postFixup = ''
- wrapProgram $out/bin/DevLauncher \
+ wrapProgram $out/bin/${pname} \
--add-flags "--dir \''${XDG_DATA_HOME:-~/.local/share}/${pname}" \
"''${qtWrapperArgs[@]}"
'';