From 125433cfe5ecdd0ac006c90e4f103f0a208ecf99 Mon Sep 17 00:00:00 2001 From: Jonas Heinrich <onny@project-insanity.org> Date: Tue, 22 Feb 2022 15:15:33 +0100 Subject: [PATCH] add librewolf, use firejail sandbox --- configuration.nix | 40 +++++++++++++++++++++++++--------------- flake.lock | 26 +++++++++++++------------- home.nix | 11 +++++++---- network.nix | 21 ++++++++++++++++++--- security.nix | 14 +++++++++++--- 5 files changed, 74 insertions(+), 38 deletions(-) diff --git a/configuration.nix b/configuration.nix index f6fbc2e..81276cb 100644 --- a/configuration.nix +++ b/configuration.nix @@ -14,7 +14,6 @@ let in { - nixpkgs.config.allowUnfree = true; # FIXME nixpkgs = { @@ -25,13 +24,14 @@ in "https://github.com/onny/nixpkgs/archive/4d6cb6b4c8ebc35d848fe0ef5cda1ce5fcd6e072.tar.gz"; sha256 = "1ymfdil2z2q3sbdfgqhqn4wyz0p53q2ypj1bss8qgbmkilq1lxn4"; }) {}).opensnitch; - #cups = (import (builtins.fetchTarball { - # url = - # "https://github.com/onny/nixpkgs/archive/cups.tar.gz"; - # sha256 = "06zh26jw8vbhahcapj7c47mswnrl4vzdzyxldgv1x4xzv7mnvr6h"; - #}) {}).cups; }) ]; + config = { + packageOverrides = unstable: rec { + cups = unstable.cups; + }; + allowUnfree = true; + }; }; imports = @@ -79,8 +79,8 @@ in # core nload nox wget fwup wirelesstools p7zip fd bat ripgrep file acpid unrar - tmux mosh wipe rsync openssl calc bc ethtool sshfs nfs-utils - gnome-firmware-updater bluez aria2 sd jq wdisplays lrzip + tmux mosh wipe rsync openssl calc bc ethtool sshfs nfs-utils zip + gnome-firmware-updater bluez aria2 sd jq wdisplays lrzip iftop appimage-run exfatprogs exfat killall pwgen ntfs3g unzip gnome3.gnome-calculator libva-utils htop multipath-tools # (kpartx) @@ -88,6 +88,7 @@ in geeqie kid3 pinta mixxx kdenlive gnome3.eog inkscape gimp imv mediainfo mousai zbar vlc mpv shortwave split2flac musescore r128gain downonspot # ocenaudio # FIXME + unstable.spot # office pdfarranger posterazor pandoc texlive.combined.scheme-basic teams foliate 
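Review bot: In the new `config.packageOverrides` block the function argument is named `unstable`, but `packageOverrides` receives the package set being overridden, so `cups = unstable.cups` appears to assign cups to itself and the `rec` is unused. The file elsewhere references an `unstable` attribute (`unstable.spot`, `pkgs.unstable.librewolf-wayland`), so if the intent was to take cups from that channel the override should presumably read `packageOverrides = pkgs: { cups = pkgs.unstable.cups; };`; otherwise the block can be dropped. The removal of the commented cups fetchTarball in the same hunk suggests this override is meant to replace it, which is worth stating in a comment. The enclosing `nixpkgs = { ... }` set starts before the hunk.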
@@ -95,7 +96,8 @@ in onlyoffice-bin # FIXME # privacy - zeronet torsocks electrum + zeronet torsocks electrum + unstable.orjail # FIXME tor-browser-bundle-bin # FIXME # security @@ -103,19 +105,18 @@ in # networking soulseekqt openvpn fragments + # librewolf (see security.nix) # communication - signal-desktop tdesktop signal-cli - - # web - firefox # FIXME + tdesktop signal-cli + # signal-desktop (see security.nix) # development - gitAndTools.hub proot etcher php nodePackages.node2nix nixos-shell dhex + gitAndTools.hub proot etcher php nodePackages.node2nix dhex patchelf wkhtmltopdf fritzing cmake minicom libvirt glade libnotify gnome-builder heimdall gcc gnumake uwsgi vscodium nodejs cargo gcolor3 krankerl dep2nix go pkg-config dep git nix-review poedit yarn2nix yarn - meson gettext wp-cli nodePackages.pnpm pmbootstrap checkra1n + meson gettext wp-cli nodePackages.pnpm checkra1n hub nodePackages.hyperpotamus docker-compose (python3.withPackages (python-packages: with python-packages; [ djangorestframework django pillow pip virtualenv bottle requests @@ -124,6 +125,8 @@ in ])) unstable.nixopsUnstable # FIXME: Waiting for version 2.0 in stable ventoy-bin # FIXME + unstable.pmbootstrap + unstable.nixos-shell # device support libimobiledevice libirecovery idevicerestore @@ -289,6 +292,13 @@ in }; }; + # Qt / KDE application support with theming and icos + qt5 = { + enable = true; + platformTheme = "gtk2"; + style = "cleanlooks"; + }; + users.users.onny = { isNormalUser = true; extraGroups = [ diff --git a/flake.lock b/flake.lock index 1304bcf..736705d 100644 --- a/flake.lock +++ b/flake.lock 
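Review bot: The comment on the new `qt5` block in the last hunk of configuration.nix has a typo, `icos`; suggest `# Qt / KDE application support with theming and icons`. The values `platformTheme = "gtk2"` and `style = "cleanlooks"` are not explained; a one-line note on why these were picked would help the next reader. The surrounding attribute set continues outside the hunk.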
@@ -7,11 +7,11 @@
 ]
 },
 "locked": {
- "lastModified": 1643151280,
- "narHash": "sha256-sVlOWjDm+QU9vIjY+awfOwB5T/Sl8R+LkP9sNXhVCw4=",
+ "lastModified": 1645089656,
+ "narHash": "sha256-+2eah/jPWwbjTqKmpO0hogM1OHYbHuoSvy3zTJcL0Ik=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "990ca662c4b92636053ea399f5fb80702830522c",
+ "rev": "2116fe6b50a5118d56f1f443cccf024abee9de40",
 "type": "github"
 },
 "original": {
@@ -23,11 +23,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1642961095,
- "narHash": "sha256-RLatktZmvwFBOyqdoIk4qdS4OGKB7aKIvvs4ZP2L8D8=",
+ "lastModified": 1645010845,
+ "narHash": "sha256-hO9X4PvxkSLMQnGGB7tOrKPwufhLMiNQMNXNwzLqneo=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "604c44137d97b5111be1ca5c0d97f6e24fbc5c2c",
+ "rev": "2128d0aa28edef51fd8fef38b132ffc0155595df",
 "type": "github"
 },
 "original": {
@@ -39,11 +39,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1643119265,
- "narHash": "sha256-mmDEctIkHSWcC/HRpeaw6QOe+DbNOSzc0wsXAHOZWwo=",
+ "lastModified": 1644972330,
+ "narHash": "sha256-6V2JFpTUzB9G+KcqtUR1yl7f6rd9495YrFECslEmbGw=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "b05d2077ebe219f6a47825767f8bab5c6211d200",
+ "rev": "19574af0af3ffaf7c9e359744ed32556f34536bd",
 "type": "github"
 },
 "original": {
@@ -81,11 +81,11 @@
 "nixpkgs": "nixpkgs_2"
 },
 "locked": {
- "lastModified": 1643216076,
- "narHash": "sha256-vK8RqdRFQz7U5bDwOWu0jYCcsPpYQAKDAWyDl054Emg=",
+ "lastModified": 1643277141,
+ "narHash": "sha256-6Tg02SQC4UdN+TGL72AIo0WL4PScYFL/C2CFWVc9IyA=",
 "ref": "main",
- "rev": "969d77f0ffbf27fd74bd62752093a237ac581263",
- "revCount": 8,
+ "rev": "8b7ef07016165c04fece2db83bcb2977bcf9a292",
+ "revCount": 10,
 "type": "git",
 "url": "https://git.project-insanity.org/onny/wl-togglescreens.git"
 },
diff --git a/home.nix b/home.nix
index fb351c9..7ef2b53 100644
--- a/home.nix
+++ b/home.nix
@@ -47,7 +47,7 @@ in ''; interactiveShellInit = '' alias codium='codium --enable-features=UseOzonePlatform·--ozone-platform=wayland' - alias signal-desktop='signal-desktop --enable-features=UseOzonePlatform·--ozone-platform=wayland' + alias signal-desktop='signal-desktop --enable-features=UseOzonePlatform·--ozone-platform=wayland' # FIXME ''; }; @@ -126,14 +126,14 @@ in menu = "${pkgs.bemenu}/bin/bemenu-run -b"; modifier = "Mod4"; startup = [ - { command = "firefox"; } + { command = "librewolf"; } { command = "signal-desktop --enable-features=UseOzonePlatform·--ozone-platform=wayland"; } { command = "waybar"; } { command = "mako"; } ]; bars = []; assigns = { - "1" = [{ app_id = "firefox"; }]; + "1" = [{ app_id = "librewolf"; }]; "2" = [{ app_id = "Signal"; }]; }; workspaceAutoBackAndForth = true; @@ -172,6 +172,9 @@ in file = { ".ssh/id_rsa".text = "${secrets.ssh-privkey}"; ".ssh/id_rsa.pub".text = "${secrets.ssh-pubkey}"; + ".netrc".text = ''default + login ${secrets.nextcloud-user} + password ${secrets.nextcloud-password}''; ".nextcloud/sync-exclude.lst".text = ''.cache''; }; @@ -199,7 +202,7 @@ in }; Service = { Type = "simple"; - ExecStart= "${pkgs.nextcloud-client}/bin/nextcloudcmd -h -n --exclude /home/onny/.nextcloud/sync-exclude.lst /home/onny/. https://nextcloud.project-insanity.org/remote.php/webdav/"; + ExecStart= "${pkgs.nextcloud-client}/bin/nextcloudcmd -h -n --exclude /home/onny/.nextcloud/sync-exclude.lst /home/onny/. https://nextcloud.project-insanity.org"; TimeoutStopSec = "180"; KillMode = "process"; KillSignal = "SIGINT"; diff --git a/network.nix b/network.nix index 46f1221..a9b1180 100644 --- a/network.nix +++ b/network.nix @@ -23,7 +23,7 @@ in services.resolved.enable = true; systemd = { - + network = { enable = true; netdevs = { 
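Review bot: The new `".netrc".text` entry in the `-172` hunk interpolates `${secrets.nextcloud-password}` into a home-manager `text` file, and such files are written to the Nix store, which is world-readable, so the Nextcloud credentials become readable by every local user (the `id_rsa` lines above already have this property, but the commit does not touch them). The `-n` flag on the `nextcloudcmd` ExecStart in the following hunk presumably makes the client read this `.netrc`, so the file is needed; it should live outside the store with owner-only permissions, for example via `config.lib.file.mkOutOfStoreSymlink` pointing at a file provisioned by a secrets tool. A comment on the entry should also record that `nextcloudcmd -n` depends on it, e.g. `# read by nextcloudcmd -n for login`. The enclosing `file = { ... }` set starts before the hunk.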
@@ -33,14 +33,14 @@ in MTUBytes = "1500"; Name = "wg0"; }; - wireguardConfig.PrivateKeyFile = builtins.toPath( pkgs.writeText "privateKey" secrets.wireguardPrivateKey ); + wireguardConfig.PrivateKeyFile = builtins.toPath( pkgs.writeText "privateKey" secrets.wireguard-privkey ); wireguardPeers = [{ wireguardPeerConfig = { AllowedIPs = [ "10.25.0.0/16" ]; # FIXME: Endpoint list of strings? #Endpoint = "2a01:4f8:191:327::2:51820"; Endpoint = "144.76.16.40:51820"; - PublicKey = secrets.wireguardPublicKey; + PublicKey = secrets.wireguard-pubkey; PersistentKeepalive = 25; }; }]; @@ -71,4 +71,19 @@ in }; }; + #networking = { + # useDHCP = false; + # interfaces = { + # enp0s25.ipv4.addresses = [{ + # address = "192.168.178.2"; + # prefixLength = 24; + # }]; + # }; + # nameservers = [ "192.168.178.1" ]; + # defaultGateway = { + # address = "192.168.178.1"; + # interface = "enp0s25"; + # }; + #}; + } diff --git a/security.nix b/security.nix index e8ccb14..ca8edf5 100644 --- a/security.nix +++ b/security.nix @@ -1,12 +1,20 @@ { config, pkgs, lib, ... }:{ - services.opensnitch.enable = true; # FIXME, currently unstable + services.opensnitch.enable = true; + # programs.orjail = { # FIXME programs.firejail = { enable = true; wrappedBinaries = { - firefox = "${pkgs.firefox}/bin/firefox"; - signal-desktop = "${pkgs.signal-desktop}/bin/signal-desktop"; + librewolf = { + executable = "${lib.getBin pkgs.unstable.librewolf-wayland}/bin/librewolf"; # FIXME + profile = "${pkgs.firejail}/etc/firejail/librewolf.profile"; + #extraArgs = [ "--ignore=private-dev" ]; # FIXME + }; + signal-desktop = { + executable = "${lib.getBin pkgs.signal-desktop}/bin/signal-desktop"; + profile = "${pkgs.firejail}/etc/firejail/signal-desktop.profile"; + }; }; }; -- GitLab
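Review bot: The changed `wireguardConfig.PrivateKeyFile` line still builds the key file with `pkgs.writeText "privateKey" secrets.wireguard-privkey`, which places the WireGuard private key in the world-readable Nix store; renaming the secret attribute does not change that. A path outside the store, readable only by the user networkd runs as, would keep the key private, and a comment on the line should say where the key is expected to come from. The `# FIXME: Endpoint list of strings?` comment kept above `Endpoint` could state what was tried so the next reader does not repeat it. The netdev attribute set containing these lines starts before the hunk.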
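Review bot: The two `# FIXME` markers in the new `librewolf` entry of security.nix say nothing about what is pending — the `executable` line and the commented `#extraArgs = [ "--ignore=private-dev" ]`; each should state the blocker, e.g. `# FIXME: librewolf-wayland is only reachable through the unstable attribute for now`. Uncommenting `--ignore=private-dev` would drop the `private-dev` restriction from the firejail profile, so the reason it is needed should be recorded before it is enabled. The stray `# programs.orjail = { # FIXME` line above `programs.firejail` should either become a sentence explaining the plan or be dropped. The hunk appears to cover the whole of security.nix.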