From cc1ed99b3ec1cb8d025c11bc4db45bf643ef3780 Mon Sep 17 00:00:00 2001 From: Azat Bahawi Date: Tue, 13 Sep 2022 02:37:13 +0300 Subject: 2022-09-13 --- modules/nixfiles/curl.nix | 2 +- modules/nixfiles/gnupg.nix | 2 ++ modules/nixfiles/ipfs.nix | 2 +- modules/nixfiles/password-store.nix | 2 +- modules/nixfiles/profiles/dev/common.nix | 12 ++++++---- .../nixfiles/profiles/dev/containers/default.nix | 7 ++++-- modules/nixfiles/profiles/headful.nix | 1 - modules/nixfiles/soju.nix | 28 ++++++++++++++++++++-- modules/nixfiles/solaar.nix | 5 +++- modules/nixfiles/wget.nix | 6 ++--- packages/ultimmc.nix | 22 ++++++----------- 11 files changed, 58 insertions(+), 31 deletions(-) diff --git a/modules/nixfiles/curl.nix b/modules/nixfiles/curl.nix index e7bee31..ac5e938 100644 --- a/modules/nixfiles/curl.nix +++ b/modules/nixfiles/curl.nix @@ -11,7 +11,7 @@ in { mkEnableOption "Wether to enable cURL."; config = mkIf cfg.enable { - hm.home.file.".curlrc".text = '' + hm.xdg.configFile.".curlrc".text = '' connect-timeout = 60 progress-bar referer = ";auto" diff --git a/modules/nixfiles/gnupg.nix b/modules/nixfiles/gnupg.nix index 96c34ee..67d36d8 100644 --- a/modules/nixfiles/gnupg.nix +++ b/modules/nixfiles/gnupg.nix @@ -26,6 +26,8 @@ in { programs.gpg = { enable = true; + homedir = "${config.dirs.data}/gnupg"; + settings = { display-charset = "utf-8"; diff --git a/modules/nixfiles/ipfs.nix b/modules/nixfiles/ipfs.nix index 8bdbc12..1b1c802 100644 --- a/modules/nixfiles/ipfs.nix +++ b/modules/nixfiles/ipfs.nix @@ -56,7 +56,7 @@ in { user = my.username; inherit (config.my) group; - dataDir = "${config.my.home}/.ipfs"; + dataDir = "${config.dirs.data}/ipfs"; swarmAddress = let port = toString cfg.swarmPort; diff --git a/modules/nixfiles/password-store.nix b/modules/nixfiles/password-store.nix index d40afab..7eac85e 100644 --- a/modules/nixfiles/password-store.nix +++ b/modules/nixfiles/password-store.nix 
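Review bot: The new `hm.xdg.configFile.".curlrc"` target in curl.nix is only read if curl consults `$XDG_CONFIG_HOME/.curlrc`, which as far as I recall it does since 7.73.0 and only when that variable is actually exported; home-manager exports it only with `xdg.enable = true`. When it is unset, curl falls back to `~/.curlrc`, which this hunk stops providing, so the options would silently stop applying. Worth confirming `hm.xdg.enable` is on in this configuration, or keeping the old `home.file.".curlrc"` entry as a fallback.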
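Review bot: `homedir = "${config.dirs.data}/gnupg"` in gnupg.nix relocates the GnuPG home without migrating the existing `~/.gnupg` keyrings, and it also relies on the directory ending up mode `0700`: gpg warns about an unsafe homedir otherwise, and if home-manager creates the parent while linking `gpg.conf` it will use the umask default rather than `0700`. It additionally depends on home-manager exporting `GNUPGHOME` for a non-default homedir, which I believe it does but is worth checking. The same relocate-without-migration applies to the ipfs `dataDir` hunk in this same line, to `PASSWORD_STORE_DIR`, to `STACK_ROOT`/the stack `config.yaml` in common.nix and to `MINIKUBE_HOME` in containers/default.nix: a missing ipfs repo means a fresh init with a new peer identity, a missing password store is simply empty. A one-off move in an activation script, or at least a comment such as `# Existing ~/.gnupg must be moved here manually and kept at mode 0700.`, would make the change safe to apply on a live machine.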
@@ -16,7 +16,7 @@ in { package = pkgs.pass.withExtensions (p: with p; [pass-otp]); - settings.PASSWORD_STORE_DIR = "${config.my.home}/.password-store"; + settings.PASSWORD_STORE_DIR = "${config.dirs.data}/password-store"; }; # https://github.com/NixOS/nixpkgs/issues/183604 diff --git a/modules/nixfiles/profiles/dev/common.nix b/modules/nixfiles/profiles/dev/common.nix index e5b60dc..497a573 100644 --- a/modules/nixfiles/profiles/dev/common.nix +++ b/modules/nixfiles/profiles/dev/common.nix @@ -110,7 +110,7 @@ in { ".ghc/ghci.conf".source = ./ghci.conf; - ".stack/config.yaml".text = generators.toYAML {} { + "${config.dirs.data}/stack/config.yaml".text = generators.toYAML {} { templates.params = rec { author-name = my.fullname; author-email = my.email; @@ -245,10 +245,14 @@ in { ''; }; - sessionVariables = { - CARGO_HOME = "${config.dirs.data}/cargo"; - GOPATH = "${config.dirs.data}/go"; + sessionVariables = with config.dirs; { + ANDROID_HOME = "${data}/android"; + CABAL_CONFIG = "${data}/cabal/config"; + CABAL_DIR = "${data}/cabal"; + CARGO_HOME = "${data}/cargo"; + GOPATH = "${data}/go"; PYTHONSTARTUP = ./pystartup.py; + STACK_ROOT = "${data}/stack"; }; packages = with pkgs; [ diff --git a/modules/nixfiles/profiles/dev/containers/default.nix b/modules/nixfiles/profiles/dev/containers/default.nix index b533626..c03a30c 100644 --- a/modules/nixfiles/profiles/dev/containers/default.nix +++ b/modules/nixfiles/profiles/dev/containers/default.nix @@ -16,9 +16,12 @@ in { podman.enable = true; }; - hm = { + hm = let + minikubeHome = "${config.dirs.data}/minikube"; + in { home = { sessionVariables = { + MINIKUBE_HOME = minikubeHome; MINIKUBE_IN_STYLE = false; WERF_DEV = true; WERF_INSECURE_REGISTRY = true; @@ -29,7 +32,7 @@ in { WERF_TELEMETRY = false; }; - file.".minikube/config/config.json".text = generators.toJSON {} { + file."${minikubeHome}/config/config.json".text = generators.toJSON {} { config.Rootless = true; driver = "podman"; container-runtime = "cri-o"; 
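Review bot: `MINIKUBE_HOME = minikubeHome` and the `file."${minikubeHome}/config/config.json"` path in the next hunk probably disagree on where minikube keeps its state: unless the value of `MINIKUBE_HOME` already ends in a `.minikube` component, minikube (to my recollection of its `MiniPath` logic) appends `.minikube` to it, so it would read `${minikubeHome}/.minikube/config/config.json` and ignore the file written here. Setting `minikubeHome = "${config.dirs.data}/minikube/.minikube";` keeps both sides consistent under either behaviour, since a trailing `.minikube` is used as-is; please verify against the minikube version in use before relying on the `driver`/`Rootless` settings taking effect. Note also that an absolute key in `home.file` (here and for `stack/config.yaml` in common.nix) only works because home-manager strips the home-directory prefix, so it silently depends on `config.dirs.data` living under `$HOME`.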
diff --git a/modules/nixfiles/profiles/headful.nix b/modules/nixfiles/profiles/headful.nix index d8fc208..94c0d28 100644 --- a/modules/nixfiles/profiles/headful.nix +++ b/modules/nixfiles/profiles/headful.nix @@ -30,7 +30,6 @@ in { mpv.enable = true; openssh.client.enable = true; password-store.enable = true; - solaar.enable = true; sound.enable = true; x11.enable = true; diff --git a/modules/nixfiles/soju.nix b/modules/nixfiles/soju.nix index b7ddec9..a7d30f7 100644 --- a/modules/nixfiles/soju.nix +++ b/modules/nixfiles/soju.nix @@ -55,7 +55,6 @@ in { wantedBy = ["multi-user.target"]; after = ["network-online.target" "postgresql.service"]; serviceConfig = { - Restart = "always"; ExecStart = let configFile = pkgs.writeText "soju.conf" '' listen ${cfg.protocol}://${cfg.address}:${toString cfg.port} @@ -76,7 +75,32 @@ in { "-config ${configFile}" ]; DynamicUser = true; - StateDirectory = "soju"; + AmbientCapabilities = [""]; + CapabilityBoundingSet = [""]; + UMask = "0077"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "strict"; + ProtectProc = "invisible"; + ProcSubset = "pid"; + RemoveIPC = true; + RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = ["@system-service" "~@privileged"]; }; }; }; diff --git a/modules/nixfiles/solaar.nix b/modules/nixfiles/solaar.nix index 073beb0..ceff23d 100644 --- a/modules/nixfiles/solaar.nix +++ b/modules/nixfiles/solaar.nix 
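Review bot: Dropping `Restart = "always";` from soju.nix leaves the bouncer down after any crash, and the hardening added in the next hunk makes that more likely: a `SystemCallFilter` violation kills the process with SIGSYS and `ProtectSystem = "strict"` turns any unexpected write into a hard error. If the intent is to avoid restart loops on a broken config, `Restart = "on-failure";` together with a `RestartSec` is the usual middle ground. The enclosing `serviceConfig` attrset continues past the hunk.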
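Review bot: `StateDirectory = "soju";` is removed while `ProtectSystem = "strict"` and `DynamicUser = true` stay, which leaves the service with no writable persistent path at all; anything soju writes locally (a `log` directory if the config sets one, TLS material, or a SQLite database if the PostgreSQL backend is not the one configured) would now fail. The generated `configFile` is outside the hunk, so this may be intentional if all state lives in PostgreSQL, but a comment such as `# No StateDirectory: all state is in PostgreSQL, filesystem is read-only.` would record that. Separately, `CapabilityBoundingSet = [""]` together with `PrivateUsers = true` means a `cfg.port` below 1024 can no longer be bound (capabilities inside the private user namespace do not apply to the host network namespace), so either the port must stay ≥ 1024 or socket activation should be used; and `"~@resources"` is commonly listed next to `"~@privileged"` in `SystemCallFilter` for a service of this shape.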
@@ -22,7 +22,10 @@ in { PartOf = ["graphical-session.target"]; }; Service = { - # The dirtiest hack I've ever implemented... I should be ashamed of it. + # The dirtiest hack I've ever implemented... I should be ashamed of + # it. Regardless, that shit still doesn't work because each reconnect, + # /dev/hidraw* is recreated and has default permissions which breaks + # Solaar. Fuck this shit. ExecStartPre = let pkg = pkgs.writeShellApplication { name = "solaar-pre"; diff --git a/modules/nixfiles/wget.nix b/modules/nixfiles/wget.nix index cb5c99e..6d7b1b2 100644 --- a/modules/nixfiles/wget.nix +++ b/modules/nixfiles/wget.nix @@ -11,7 +11,9 @@ in { config = mkIf cfg.enable { hm = { - home.file.".wgetrc".text = '' + programs.bash.shellAliases.wget = "${pkgs.wget}/bin/wget --hsts-file=${config.dirs.data}/wget-hsts"; + + home.sessionVariables.WGETRC = pkgs.writeText "wgetrc" '' adjust_extension = on dirstruct = off follow_ftp = on @@ -26,8 +28,6 @@ in { wait = 0 waitretry = 10 ''; - - programs.bash.shellAliases.wget = "${pkgs.wget}/bin/wget --hsts-file=${config.hm.xdg.cacheHome}/wget-hsts"; }; environment.systemPackages = with pkgs; [wget]; diff --git a/packages/ultimmc.nix b/packages/ultimmc.nix index 86377b4..0259a7a 100644 --- a/packages/ultimmc.nix +++ b/packages/ultimmc.nix @@ -16,22 +16,14 @@ stdenv.mkDerivation rec { src = fetchFromGitHub { owner = "UltimMC"; repo = "Launcher"; - rev = "6bfa07e728865d8d31a43ef5231b2461d55fc4b3"; + rev = "a522ec3ad4602de1f457a25bce98ef912a29d7d6"; fetchSubmodules = true; - hash = "sha256-gMEjy1jM/T7Un4FDNbAd9AAdVUOHRfL+arhahHPCBFo="; + hash = "sha256-+UgBblyEx0cKH8UMBOPtjhQLv2YUKj91UokQWKCEPbY="; }; - nativeBuildInputs = [ - cmake - jdk - ninja - wrapQtAppsHook - ]; + nativeBuildInputs = [cmake jdk ninja wrapQtAppsHook]; - buildInputs = [ - qtbase - zlib - ]; + buildInputs = [qtbase zlib]; postPatch = '' substituteInPlace CMakeLists.txt \ 
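Review bot: The rewritten comment in solaar.nix documents that the `ExecStartPre` workaround (its body is outside the hunk) fails because `/dev/hidraw*` is recreated with default permissions on every reconnect; that is exactly the case udev rules handle, and the solaar package ships a rules file that tags matching hidraw devices for the active seat as they appear. On NixOS this is exposed as `hardware.logitech.wireless.enable = true;` (plus `enableGraphical` for the tray app, as far as I recall), which would replace the permission hack and avoid widening access on unrelated devices. It would help to note in the comment whether that route was tried and why it was rejected.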
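Review bot: The `--hsts-file` location in wget.nix is applied only through `programs.bash.shellAliases.wget`, so wget run from scripts, from other shells or via an explicit path still uses the default `~/.wget-hsts`, leaving two HSTS caches with different knowledge of which hosts must be reached over HTTPS. Since the commit already turns the wgetrc into a Nix store file, the same setting can live there and cover every invocation: add `hsts-file = ${config.dirs.data}/wget-hsts` to the `writeText "wgetrc"` body and drop the alias. HSTS support and the `hsts-file` wgetrc command date from wget 1.17 as far as I recall, so this should be safe for the `pkgs.wget` referenced here.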
@@ -44,7 +36,7 @@ stdenv.mkDerivation rec { desktopItem = makeDesktopItem { name = pname; - exec = "DevLauncher"; + exec = pname; icon = pname; desktopName = pname; genericName = "Custom Minecraft launcher"; @@ -54,7 +46,7 @@ stdenv.mkDerivation rec { dontWrapQtApps = true; postInstall = '' - rm $out/DevLauncher + rm $out/${pname} install -Dm644 \ ${desktopItem}/share/applications/${pname}.desktop \ @@ -65,7 +57,7 @@ stdenv.mkDerivation rec { ''; postFixup = '' - wrapProgram $out/bin/DevLauncher \ + wrapProgram $out/bin/${pname} \ --add-flags "--dir \''${XDG_DATA_HOME:-~/.local/share}/${pname}" \ "''${qtWrapperArgs[@]}" ''; -- cgit v1.2.3