diff options
author | Azat Bahawi <azat@bahawi.net> | 2022-09-13 02:37:13 +0300 |
---|---|---|
committer | Azat Bahawi <azat@bahawi.net> | 2022-09-13 02:37:13 +0300 |
commit | cc1ed99b3ec1cb8d025c11bc4db45bf643ef3780 (patch) | |
tree | 548b31332a279a9aae00c202be5623d74e698ad7 /modules | |
parent | 2022-09-12 (diff) |
2022-09-13
Diffstat (limited to 'modules')
-rw-r--r-- | modules/nixfiles/curl.nix | 2 | ||||
-rw-r--r-- | modules/nixfiles/gnupg.nix | 2 | ||||
-rw-r--r-- | modules/nixfiles/ipfs.nix | 2 | ||||
-rw-r--r-- | modules/nixfiles/password-store.nix | 2 | ||||
-rw-r--r-- | modules/nixfiles/profiles/dev/common.nix | 12 | ||||
-rw-r--r-- | modules/nixfiles/profiles/dev/containers/default.nix | 7 | ||||
-rw-r--r-- | modules/nixfiles/profiles/headful.nix | 1 | ||||
-rw-r--r-- | modules/nixfiles/soju.nix | 28 | ||||
-rw-r--r-- | modules/nixfiles/solaar.nix | 5 | ||||
-rw-r--r-- | modules/nixfiles/wget.nix | 6 |
10 files changed, 51 insertions, 16 deletions
diff --git a/modules/nixfiles/curl.nix b/modules/nixfiles/curl.nix index e7bee31..ac5e938 100644 --- a/modules/nixfiles/curl.nix +++ b/modules/nixfiles/curl.nix @@ -11,7 +11,7 @@ in { mkEnableOption "Wether to enable cURL."; config = mkIf cfg.enable { - hm.home.file.".curlrc".text = '' + hm.xdg.configFile.".curlrc".text = '' connect-timeout = 60 progress-bar referer = ";auto" diff --git a/modules/nixfiles/gnupg.nix b/modules/nixfiles/gnupg.nix index 96c34ee..67d36d8 100644 --- a/modules/nixfiles/gnupg.nix +++ b/modules/nixfiles/gnupg.nix @@ -26,6 +26,8 @@ in { programs.gpg = { enable = true; + homedir = "${config.dirs.data}/gnupg"; + settings = { display-charset = "utf-8"; diff --git a/modules/nixfiles/ipfs.nix b/modules/nixfiles/ipfs.nix index 8bdbc12..1b1c802 100644 --- a/modules/nixfiles/ipfs.nix +++ b/modules/nixfiles/ipfs.nix @@ -56,7 +56,7 @@ in { user = my.username; inherit (config.my) group; - dataDir = "${config.my.home}/.ipfs"; + dataDir = "${config.dirs.data}/ipfs"; swarmAddress = let port = toString cfg.swarmPort; diff --git a/modules/nixfiles/password-store.nix b/modules/nixfiles/password-store.nix index d40afab..7eac85e 100644 --- a/modules/nixfiles/password-store.nix +++ b/modules/nixfiles/password-store.nix @@ -16,7 +16,7 @@ in { package = pkgs.pass.withExtensions (p: with p; [pass-otp]); - settings.PASSWORD_STORE_DIR = "${config.my.home}/.password-store"; + settings.PASSWORD_STORE_DIR = "${config.dirs.data}/password-store"; }; # https://github.com/NixOS/nixpkgs/issues/183604 diff --git a/modules/nixfiles/profiles/dev/common.nix b/modules/nixfiles/profiles/dev/common.nix index e5b60dc..497a573 100644 --- a/modules/nixfiles/profiles/dev/common.nix +++ b/modules/nixfiles/profiles/dev/common.nix @@ -110,7 +110,7 @@ in { ".ghc/ghci.conf".source = ./ghci.conf; - ".stack/config.yaml".text = generators.toYAML {} { + "${config.dirs.data}/stack/config.yaml".text = generators.toYAML {} { templates.params = rec { author-name = my.fullname; author-email = my.email; @@ -245,10 +245,14 @@ in { ''; }; - sessionVariables = { - CARGO_HOME = "${config.dirs.data}/cargo"; - GOPATH = "${config.dirs.data}/go"; + sessionVariables = with config.dirs; { + ANDROID_HOME = "${data}/android"; + CABAL_CONFIG = "${data}/cabal/config"; + CABAL_DIR = "${data}/cabal"; + CARGO_HOME = "${data}/cargo"; + GOPATH = "${data}/go"; PYTHONSTARTUP = ./pystartup.py; + STACK_ROOT = "${data}/stack"; }; packages = with pkgs; [ diff --git a/modules/nixfiles/profiles/dev/containers/default.nix b/modules/nixfiles/profiles/dev/containers/default.nix index b533626..c03a30c 100644 --- a/modules/nixfiles/profiles/dev/containers/default.nix +++ b/modules/nixfiles/profiles/dev/containers/default.nix @@ -16,9 +16,12 @@ in { podman.enable = true; }; - hm = { + hm = let + minikubeHome = "${config.dirs.data}/minikube"; + in { home = { sessionVariables = { + MINIKUBE_HOME = minikubeHome; MINIKUBE_IN_STYLE = false; WERF_DEV = true; WERF_INSECURE_REGISTRY = true; @@ -29,7 +32,7 @@ in { WERF_TELEMETRY = false; }; - file.".minikube/config/config.json".text = generators.toJSON {} { + file."${minikubeHome}/config/config.json".text = generators.toJSON {} { config.Rootless = true; driver = "podman"; container-runtime = "cri-o"; diff --git a/modules/nixfiles/profiles/headful.nix b/modules/nixfiles/profiles/headful.nix index d8fc208..94c0d28 100644 --- a/modules/nixfiles/profiles/headful.nix +++ b/modules/nixfiles/profiles/headful.nix @@ -30,7 +30,6 @@ in { mpv.enable = true; openssh.client.enable = true; password-store.enable = true; - solaar.enable = true; sound.enable = true; x11.enable = true; diff --git a/modules/nixfiles/soju.nix b/modules/nixfiles/soju.nix index b7ddec9..a7d30f7 100644 --- a/modules/nixfiles/soju.nix +++ b/modules/nixfiles/soju.nix @@ -55,7 +55,6 @@ in { wantedBy = ["multi-user.target"]; after = ["network-online.target" "postgresql.service"]; serviceConfig = { - Restart = "always"; ExecStart = let configFile = pkgs.writeText "soju.conf" '' listen ${cfg.protocol}://${cfg.address}:${toString cfg.port} @@ -76,7 +75,32 @@ in { "-config ${configFile}" ]; DynamicUser = true; - StateDirectory = "soju"; + AmbientCapabilities = [""]; + CapabilityBoundingSet = [""]; + UMask = "0077"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "strict"; + ProtectProc = "invisible"; + ProcSubset = "pid"; + RemoveIPC = true; + RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = ["@system-service" "~@privileged"]; }; }; }; diff --git a/modules/nixfiles/solaar.nix b/modules/nixfiles/solaar.nix index 073beb0..ceff23d 100644 --- a/modules/nixfiles/solaar.nix +++ b/modules/nixfiles/solaar.nix @@ -22,7 +22,10 @@ in { PartOf = ["graphical-session.target"]; }; Service = { - # The dirtiest hack I've ever implemented... I should be ashamed of it. + # The dirtiest hack I've ever implemented... I should be ashamed of + # it. Regardless, that shit still doesn't work because each reconnect, + # /dev/hidraw* is recreated and has default permissions which breaks + # Solaar. Fuck this shit. ExecStartPre = let pkg = pkgs.writeShellApplication { name = "solaar-pre"; diff --git a/modules/nixfiles/wget.nix b/modules/nixfiles/wget.nix index cb5c99e..6d7b1b2 100644 --- a/modules/nixfiles/wget.nix +++ b/modules/nixfiles/wget.nix @@ -11,7 +11,9 @@ in { config = mkIf cfg.enable { hm = { - home.file.".wgetrc".text = '' + programs.bash.shellAliases.wget = "${pkgs.wget}/bin/wget --hsts-file=${config.dirs.data}/wget-hsts"; + + home.sessionVariables.WGETRC = pkgs.writeText "wgetrc" '' adjust_extension = on dirstruct = off follow_ftp = on @@ -26,8 +28,6 @@ in { wait = 0 waitretry = 10 ''; - - programs.bash.shellAliases.wget = "${pkgs.wget}/bin/wget --hsts-file=${config.hm.xdg.cacheHome}/wget-hsts"; }; environment.systemPackages = with pkgs; [wget]; |