Diffstat (limited to 'modules')
-rw-r--r--modules/nixfiles/curl.nix2
-rw-r--r--modules/nixfiles/gnupg.nix2
-rw-r--r--modules/nixfiles/ipfs.nix2
-rw-r--r--modules/nixfiles/password-store.nix2
-rw-r--r--modules/nixfiles/profiles/dev/common.nix12
-rw-r--r--modules/nixfiles/profiles/dev/containers/default.nix7
-rw-r--r--modules/nixfiles/profiles/headful.nix1
-rw-r--r--modules/nixfiles/soju.nix28
-rw-r--r--modules/nixfiles/solaar.nix5
-rw-r--r--modules/nixfiles/wget.nix6
10 files changed, 51 insertions, 16 deletions
diff --git a/modules/nixfiles/curl.nix b/modules/nixfiles/curl.nix
index e7bee31..ac5e938 100644
--- a/modules/nixfiles/curl.nix
+++ b/modules/nixfiles/curl.nix
@@ -11,7 +11,7 @@ in {
mkEnableOption "Wether to enable cURL.";
config = mkIf cfg.enable {
- hm.home.file.".curlrc".text = ''
+ hm.xdg.configFile.".curlrc".text = ''
connect-timeout = 60
progress-bar
referer = ";auto"
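Review bot: `hm.xdg.configFile.".curlrc"` writes `~/.config/.curlrc`, which is not a path curl consults: the XDG location curl reads (since 7.73.0) is `$XDG_CONFIG_HOME/curlrc` without the leading dot, with `~/.curlrc` as the classic fallback, so after this change the options in this block silently stop applying. Change the key to `hm.xdg.configFile."curlrc".text = ''` so the file lands where curl looks for it. The `mkEnableOption` description on the first context line also misspells "Whether".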
diff --git a/modules/nixfiles/gnupg.nix b/modules/nixfiles/gnupg.nix
index 96c34ee..67d36d8 100644
--- a/modules/nixfiles/gnupg.nix
+++ b/modules/nixfiles/gnupg.nix
@@ -26,6 +26,8 @@ in {
programs.gpg = {
enable = true;
+ homedir = "${config.dirs.data}/gnupg";
+
settings =
{
display-charset = "utf-8";
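Review bot: Relocating `homedir` to `${config.dirs.data}/gnupg` does not migrate the existing `~/.gnupg` contents (secret keys, trustdb, revocation certificates), so the first gpg run after the switch starts from an empty keyring unless the directory is moved by hand; the same applies to the ipfs `dataDir` (the peer identity lives in the old repo), `PASSWORD_STORE_DIR` (`.gpg-id` and the encrypted entries) and the stack/minikube relocations in this commit. GnuPG also expects its homedir to be mode 0700 and warns about unsafe permissions otherwise; it creates a missing homedir with that mode itself, but if `config.dirs.data` is provisioned elsewhere with a looser umask, confirm the subdirectory ends up 0700. A one-line pointer above the option, `# Moved from ~/.gnupg; existing keyrings must be migrated manually.`, would save the next reader the surprise.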
diff --git a/modules/nixfiles/ipfs.nix b/modules/nixfiles/ipfs.nix
index 8bdbc12..1b1c802 100644
--- a/modules/nixfiles/ipfs.nix
+++ b/modules/nixfiles/ipfs.nix
@@ -56,7 +56,7 @@ in {
user = my.username;
inherit (config.my) group;
- dataDir = "${config.my.home}/.ipfs";
+ dataDir = "${config.dirs.data}/ipfs";
swarmAddress = let
port = toString cfg.swarmPort;
diff --git a/modules/nixfiles/password-store.nix b/modules/nixfiles/password-store.nix
index d40afab..7eac85e 100644
--- a/modules/nixfiles/password-store.nix
+++ b/modules/nixfiles/password-store.nix
@@ -16,7 +16,7 @@ in {
package = pkgs.pass.withExtensions (p: with p; [pass-otp]);
- settings.PASSWORD_STORE_DIR = "${config.my.home}/.password-store";
+ settings.PASSWORD_STORE_DIR = "${config.dirs.data}/password-store";
};
# https://github.com/NixOS/nixpkgs/issues/183604
diff --git a/modules/nixfiles/profiles/dev/common.nix b/modules/nixfiles/profiles/dev/common.nix
index e5b60dc..497a573 100644
--- a/modules/nixfiles/profiles/dev/common.nix
+++ b/modules/nixfiles/profiles/dev/common.nix
@@ -110,7 +110,7 @@ in {
".ghc/ghci.conf".source = ./ghci.conf;
- ".stack/config.yaml".text = generators.toYAML {} {
+ "${config.dirs.data}/stack/config.yaml".text = generators.toYAML {} {
templates.params = rec {
author-name = my.fullname;
author-email = my.email;
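Review bot: `home.file` attribute names are documented as paths relative to `$HOME`, and `config.dirs.data` appears to be absolute (it replaces `${config.my.home}/.ipfs` as a NixOS `services.ipfs.dataDir` elsewhere in this commit), so `"${config.dirs.data}/stack/config.yaml"` is likely joined onto the home directory rather than resolved as given; confirm the generated link actually lands where `STACK_ROOT` points. `file."${minikubeHome}/config/config.json"` in profiles/dev/containers/default.nix has the same shape. If `dirs.data` is the XDG data directory, `xdg.dataFile."stack/config.yaml"` (and `xdg.dataFile."minikube/config/config.json"`) expresses the intent without an absolute key.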
@@ -245,10 +245,14 @@ in {
'';
};
- sessionVariables = {
- CARGO_HOME = "${config.dirs.data}/cargo";
- GOPATH = "${config.dirs.data}/go";
+ sessionVariables = with config.dirs; {
+ ANDROID_HOME = "${data}/android";
+ CABAL_CONFIG = "${data}/cabal/config";
+ CABAL_DIR = "${data}/cabal";
+ CARGO_HOME = "${data}/cargo";
+ GOPATH = "${data}/go";
PYTHONSTARTUP = ./pystartup.py;
+ STACK_ROOT = "${data}/stack";
};
packages = with pkgs; [
diff --git a/modules/nixfiles/profiles/dev/containers/default.nix b/modules/nixfiles/profiles/dev/containers/default.nix
index b533626..c03a30c 100644
--- a/modules/nixfiles/profiles/dev/containers/default.nix
+++ b/modules/nixfiles/profiles/dev/containers/default.nix
@@ -16,9 +16,12 @@ in {
podman.enable = true;
};
- hm = {
+ hm = let
+ minikubeHome = "${config.dirs.data}/minikube";
+ in {
home = {
sessionVariables = {
+ MINIKUBE_HOME = minikubeHome;
MINIKUBE_IN_STYLE = false;
WERF_DEV = true;
WERF_INSECURE_REGISTRY = true;
@@ -29,7 +32,7 @@ in {
WERF_TELEMETRY = false;
};
- file.".minikube/config/config.json".text = generators.toJSON {} {
+ file."${minikubeHome}/config/config.json".text = generators.toJSON {} {
config.Rootless = true;
driver = "podman";
container-runtime = "cri-o";
diff --git a/modules/nixfiles/profiles/headful.nix b/modules/nixfiles/profiles/headful.nix
index d8fc208..94c0d28 100644
--- a/modules/nixfiles/profiles/headful.nix
+++ b/modules/nixfiles/profiles/headful.nix
@@ -30,7 +30,6 @@ in {
mpv.enable = true;
openssh.client.enable = true;
password-store.enable = true;
- solaar.enable = true;
sound.enable = true;
x11.enable = true;
diff --git a/modules/nixfiles/soju.nix b/modules/nixfiles/soju.nix
index b7ddec9..a7d30f7 100644
--- a/modules/nixfiles/soju.nix
+++ b/modules/nixfiles/soju.nix
@@ -55,7 +55,6 @@ in {
wantedBy = ["multi-user.target"];
after = ["network-online.target" "postgresql.service"];
serviceConfig = {
- Restart = "always";
ExecStart = let
configFile = pkgs.writeText "soju.conf" ''
listen ${cfg.protocol}://${cfg.address}:${toString cfg.port}
@@ -76,7 +75,32 @@ in {
"-config ${configFile}"
];
DynamicUser = true;
- StateDirectory = "soju";
+ AmbientCapabilities = [""];
+ CapabilityBoundingSet = [""];
+ UMask = "0077";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ RemoveIPC = true;
+ RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = ["@system-service" "~@privileged"];
};
};
};
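Review bot: Dropping `StateDirectory = "soju"` while adding `ProtectSystem = "strict"` under `DynamicUser = true` leaves the unit with no persistent writable path, so any filesystem write soju attempts (a file-backed message store, a generated or reloaded TLS keypair, logs) now fails with a read-only-filesystem error; unless the configuration outside this hunk keeps all state in PostgreSQL, keep `StateDirectory = "soju";` alongside the hardening. With `CapabilityBoundingSet = [""]` the listener can no longer bind a port below 1024, so if `cfg.port` can be set that low the service fails at start; either document that restriction on the option or grant `CAP_NET_BIND_SERVICE` through `AmbientCapabilities` when needed. The first hunk also removes `Restart = "always"` with no replacement, which looks unrelated to the hardening and leaves the bouncer down after a crash; `Restart = "on-failure";` would preserve that property. The `systemd.services.soju` definition starts before the first hunk.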
diff --git a/modules/nixfiles/solaar.nix b/modules/nixfiles/solaar.nix
index 073beb0..ceff23d 100644
--- a/modules/nixfiles/solaar.nix
+++ b/modules/nixfiles/solaar.nix
@@ -22,7 +22,10 @@ in {
PartOf = ["graphical-session.target"];
};
Service = {
- # The dirtiest hack I've ever implemented... I should be ashamed of it.
+ # The dirtiest hack I've ever implemented... I should be ashamed of
+ # it. Regardless, that shit still doesn't work because each reconnect,
+ # /dev/hidraw* is recreated and has default permissions which breaks
+ # Solaar. Fuck this shit.
ExecStartPre = let
pkg = pkgs.writeShellApplication {
name = "solaar-pre";
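Review bot: The expanded comment records that the `ExecStartPre` permission fix is defeated on every reconnect because `/dev/hidraw*` is recreated with default permissions, but it leaves the reader without the supported alternative: device access for Solaar is normally granted by udev rules, which NixOS exposes as `hardware.logitech.wireless.enable` / `enableGraphical`, and those apply on every device creation instead of once at service start and avoid changing permissions on device nodes. A pointer such as `# TODO: replace with udev rules (hardware.logitech.wireless.*) so permissions survive reconnects.` would make the intended direction explicit, especially now that headful.nix in this commit disables the module. The `ExecStartPre` body continues past this hunk.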
diff --git a/modules/nixfiles/wget.nix b/modules/nixfiles/wget.nix
index cb5c99e..6d7b1b2 100644
--- a/modules/nixfiles/wget.nix
+++ b/modules/nixfiles/wget.nix
@@ -11,7 +11,9 @@ in {
config = mkIf cfg.enable {
hm = {
- home.file.".wgetrc".text = ''
+ programs.bash.shellAliases.wget = "${pkgs.wget}/bin/wget --hsts-file=${config.dirs.data}/wget-hsts";
+
+ home.sessionVariables.WGETRC = pkgs.writeText "wgetrc" ''
adjust_extension = on
dirstruct = off
follow_ftp = on
@@ -26,8 +28,6 @@ in {
wait = 0
waitretry = 10
'';
-
- programs.bash.shellAliases.wget = "${pkgs.wget}/bin/wget --hsts-file=${config.hm.xdg.cacheHome}/wget-hsts";
};
environment.systemPackages = with pkgs; [wget];