From a35ccb42a7ee8635adae966354181b25bb82e7f5 Mon Sep 17 00:00:00 2001
From: Jonas Heinrich <onny@project-insanity.org>
Date: Fri, 2 Dec 2022 14:22:33 +0100
Subject: [PATCH] update to nixos-22.11
---
 configuration.nix | 117 ++++++++++++++++----------
 flake.lock | 112 +++++++++++++++++++------
 flake.nix | 28 +++++--
 home.nix | 205 +++++++++++++++++++++++++++-------------------
 network.nix | 52 ++++--------
 security.nix | 144 ++++++++++++++++++++++++++------
 sway.nix | 2 -
 7 files changed, 435 insertions(+), 225 deletions(-)
diff --git a/configuration.nix b/configuration.nix
index d361bdb..0b08f6e 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -21,76 +21,89 @@ in { nixpkgs.config.allowUnfree = true; # FIXME: Needed because of unrar + nixpkgs.config.permittedInsecurePackages = [ + "qtwebkit-5.212.0-alpha4" + ]; + boot = { loader = { systemd-boot.enable = true; efi.canTouchEfiVariables = true; }; - kernelPackages = pkgs.linuxPackages_latest-libre; + kernelPackages = pkgs.linuxPackages-libre; cleanTmpDir = true; }; - console = { - packages = [ pkgs.terminus-nerdfont ]; - font = "ter-122n"; - keyMap = "de"; - }; + console.keyMap = "de"; i18n.defaultLocale = "en_US.UTF-8"; time.timeZone = "Europe/Berlin"; + environment.etc = { + "ovmf/edk2-x86_64-secure-code.fd" = { + source = config.virtualisation.libvirtd.qemu.package + "/share/qemu/edk2-x86_64-secure-code.fd"; + }; + + "ovmf/edk2-i386-vars.fd" = { + source = config.virtualisation.libvirtd.qemu.package + "/share/qemu/edk2-i386-vars.fd"; + mode = "0644"; + user = "libvirtd"; + }; + }; + environment.systemPackages = with pkgs; [ # unsorted aria2 tcpdump btrfs-progs curl ffmpeg-full gnome3.vinagre - gnome3.nautilus gparted plowshare samba cups sigil yt-dlp + gnome3.nautilus gparted samba cups sigil yt-dlp virtmanager wireshark-cli valgrind wine-staging winetricks acpi pmutils pavucontrol bluez-tools udisks pv nextcloud-client grc time wcalc foot pciutils usbutils ghostscript bind nmap woeusb gnome3.gnome-boxes spice-gtk whois binutils-unwrapped bison flex graphicsmagick-imagemagick-compat parallel curlftpfs filezilla dnsmasq libarchive testdisk python39Packages.binwalk-full glib ifuse cifs-utils pinentry pinentry-gnome - nix-index + nix-index parted plowshare # FIXME #libsForQt5.plasma-wayland-protocols libsForQt5.qt5.qtwayland breeze-qt5 breeze-icons qt5ct qt5.qtwayland # core - nload nox wget wirelesstools p7zip fd bat ripgrep file acpid unrar - tmux mosh wipe rsync openssl calc bc ethtool sshfs nfs-utils zip + nload nox wget wirelesstools p7zip fd bat ripgrep file acpid unrar fzf xcp + tmux mosh wipe rsync openssl calc bc ethtool sshfs nfs-utils zip 
rmlint gnome-firmware-updater bluez aria2 sd jq wdisplays lrzip iftop appimage-run exfatprogs exfat killall pwgen ntfs3g unzip dd_rescue gnome3.gnome-calculator libva-utils htop multipath-tools # (kpartx) - linux-wifi-hotspot gnome-text-editor + linux-wifi-hotspot gnome-text-editor unstable.moar # media geeqie kid3 pinta mixxx kdenlive gnome3.eog inkscape gimp imv mediainfo mousai zbar vlc mpv musescore r128gain downonspot nodePackages.peerflix - sonixd shortwave # shnsplit + sonixd shortwave popcorntime # shnsplit # ocenaudio # FIXME # office pdfarranger posterazor pandoc texlive.combined.scheme-basic foliate - evince krop ocrmypdf xournalpp pdfmixtool + krop ocrmypdf xournalpp pdfmixtool evince onlyoffice-bin # FIXME # privacy and security - torsocks electrum gnome-secrets lynis gnupg tor-browser-bundle-bin - orjail firejail + unstable.torsocks electrum lynis gnupg tor-browser-bundle-bin orjail + gnome-secrets + # firejail (see security.nix) # networking - soulseekqt openvpn fragments + nicotine-plus openvpn fragments # librewolf # (see security.nix) # communication - tdesktop signal-cli + tdesktop signal-cli fractal slack # signal-desktop (see security.nix) # development gitAndTools.hub proot php nodePackages.node2nix dhex patchelf wkhtmltopdf fritzing cmake minicom libvirt glade libnotify gnome-builder heimdall gcc gnumake uwsgi vscodium nodejs cargo gcolor3 - krankerl dep2nix go pkg-config dep git nix-review poedit yarn2nix yarn - meson gettext wp-cli nodePackages.pnpm hub nix-update - nodePackages.hyperpotamus docker-compose pmbootstrap nixos-shell + krankerl dep2nix go pkg-config dep git poedit yarn2nix yarn + meson gettext wp-cli nodePackages.pnpm hub unstable.nix-update + nodePackages.hyperpotamus docker-compose pmbootstrap nixos-shell devbox (python3.withPackages (python-packages: with python-packages; [ djangorestframework django pillow pip virtualenv bottle requests feedparser beautifulsoup4 PyRSS2Gen dateutil lxml netifaces dbus-python 
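Review bot: The new `nixpkgs.config.permittedInsecurePackages = [ "qtwebkit-5.212.0-alpha4" ];` whitelists a package that nixpkgs marks as insecure for the whole system, and unlike the `allowUnfree` line just above it there is no comment saying which entry in `environment.systemPackages` pulls it in or when the exception can be dropped. Mirror the existing style with `# FIXME: needed by <package>; drop once it no longer depends on qtwebkit`. The two `environment.etc."ovmf/…"` entries would benefit from a similar one-liner, since the `mode = "0644"; user = "libvirtd";` on the vars file suggests something is expected to write it, and that intent is not recoverable from the code alone.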
@@ -98,19 +111,34 @@ in { ])) nixopsUnstable # FIXME: Waiting for version 2.0 in stable ventoy-bin # FIXME - # checkra1n + nixpkgs-review + # checkra1n # FIXME unfree # device support libimobiledevice libirecovery idevicerestore - # FIXME missing: vlc-bittorrent, popcorntime - mate.mate-terminal - + # FIXME missing: vlc-bittorrent + # temporary + keepassxc ]; virtualisation = { - libvirtd.enable = true; + #waydroid. enable = true; + #lxd.enable = true; + + libvirtd = { + enable = true; + onShutdown = "suspend"; + onBoot = "ignore"; + qemu = { + package = pkgs.qemu_kvm; + ovmf.enable = true; + ovmf.packages = [ pkgs.OVMFFull.fd ]; + swtpm.enable = true; + runAsRoot = false; + }; + }; docker = { enable = true; @@ -123,8 +151,11 @@ in { security.rtkit.enable = true; # required for pipewire - fonts.fonts = [ pkgs.font-awesome ]; - + fonts.fonts = with pkgs; [ + liberation_ttf + (nerdfonts.override { fonts = [ "Ubuntu" ]; }) + ]; + hardware = { opengl = { @@ -178,15 +209,19 @@ in { services = { - avahi.enable = true; + #avahi = { + # enable = true; # Required for IPP client + # nssmdns = true; # mDNS support by avahi instead of resolved + # openFirewall = true; + #}; udev.packages = [ pkgs.android-udev-rules ]; - nfs.server.enable = true; # required for NFS client + # nfs.server.enable = true; # required for NFS client davfs2.enable = true; - #iwd-autocaptiveauth.enable = true; + iwd-autocaptiveauth.enable = true; usbmuxd = { enable = true; @@ -211,11 +246,6 @@ in { blueman.enable = true; - tor = { - enable = true; - client.enable = true; - }; - gvfs.enable = true; fwupd.enable = true; @@ -236,6 +266,8 @@ in { }; }; + #teamviewer.enable = true; + }; programs = { @@ -251,12 +283,11 @@ in { }; - # Qt / KDE application support with theming and icos - #qt5 = { - # enable = true; - # platformTheme = "gtk2"; - # style = "cleanlooks"; - #}; + qt5 = { + enable = true; + platformTheme = "gnome"; + style = "adwaita-dark"; + }; users.users.onny = { isNormalUser = true; 
@@ -271,11 +302,11 @@ in {
 system = {
 stateVersion = "21.11";
- autoUpgrade.enable = true;
+ #autoUpgrade.enable = true;
 };
 nix = {
- autoOptimiseStore = true;
+ settings.auto-optimise-store = true;
 gc = {
 automatic = true;
 dates = "weekly";
diff --git a/flake.lock b/flake.lock
index b067dae..4bd5cfd 100644
--- a/flake.lock
+++ b/flake.lock
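Review bot: Commenting out `autoUpgrade.enable = true;` turns off unattended updates without recording why, so security fixes now only land when someone rebuilds by hand. A one-line reason next to it would help, e.g. `#autoUpgrade.enable = true; # FIXME: disabled <DATE>: <reason>; rebuild manually until re-enabled`. If the reason is that the module needs to be told which flake to pull now that the system is flake-based, `system.autoUpgrade.flake` exists for exactly that and would let the option stay on.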
@@ -1,55 +1,81 @@ { "nodes": { - "fish-grc": { - "flake": false, + "home-manager": { + "inputs": { + "nixpkgs": "nixpkgs", + "utils": "utils" + }, "locked": { - "lastModified": 1653372102, - "narHash": "sha256-NQa12L0zlEz2EJjMDhWUhw5cz/zcFokjuCK5ZofTn+Q=", - "owner": "oh-my-fish", - "repo": "plugin-grc", - "rev": "61de7a8a0d7bda3234f8703d6e07c671992eb079", + "lastModified": 1669724862, + "narHash": "sha256-GwLonjmyhnTGQRNfKcUCgMSKYj49ZehjjJulaM/yH18=", + "owner": "rycee", + "repo": "home-manager", + "rev": "e891b060e7d11bb8f7dedb86a41d804891a6f5a9", "type": "github" }, "original": { - "owner": "oh-my-fish", - "repo": "plugin-grc", + "owner": "rycee", + "ref": "release-22.11", + "repo": "home-manager", "type": "github" } }, - "home-manager": { + "iwd-autocaptiveauth": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1653391668, - "narHash": "sha256-6iwOkl6Q/oIrMwdfvb/oUqvtzP8wnXHE/eOMeo5kuJs=", - "path": "/home/onny/projects/home-manager", - "type": "path" + "lastModified": 1657117358, + "narHash": "sha256-TsXlhq86xg5Kl/z7Ra6NgnibvAtFYA8F1ufNEKr1ykU=", + "ref": "refs/heads/master", + "rev": "8c20934607141f83043387568b37c0dca5c06324", + "revCount": 24, + "type": "git", + "url": "https://git.project-insanity.org/onny/py-iwd-autocaptiveauth.git" }, "original": { - "path": "/home/onny/projects/home-manager", - "type": "path" + "type": "git", + "url": "https://git.project-insanity.org/onny/py-iwd-autocaptiveauth.git" } }, "nixpkgs": { "locked": { - "lastModified": 0, - "narHash": "sha256-VIYazYCWNvcFNns2XQkHx/mVmCZ3oebZv8W2LS1gLQE=", - "path": "/nix/store/fxs7gkly65bmvnymc7j40ymi2kj8gnln-source", - "type": "path" + "lastModified": 1667629849, + "narHash": "sha256-P+v+nDOFWicM4wziFK9S/ajF2lc0N2Rg9p6Y35uMoZI=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "3bacde6273b09a21a8ccfba15586fb165078fb62", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" 
+ } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1669927173, + "narHash": "sha256-Z7rSKzC5OuWv5Q7RRNQPZb0jVJRJk0BJB6/fGZzaAIU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9063accddd2e68dcc71032459a58399e977374c9", + "type": "github" }, "original": { "id": "nixpkgs", + "ref": "nixpkgs-unstable", "type": "indirect" } }, "nixpkgs_2": { "locked": { - "lastModified": 1653733789, - "narHash": "sha256-VIYazYCWNvcFNns2XQkHx/mVmCZ3oebZv8W2LS1gLQE=", + "lastModified": 1654847188, + "narHash": "sha256-MC+eP7XOGE1LAswOPqdcGoUqY9mEQ3ZaaxamVTbc0hM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d1086907f56c5a6c33c0c2e8dc9f42ef6988294f", + "rev": "8b66e3f2ebcc644b78cec9d6f152192f4e7d322f", "type": "github" }, "original": { @@ -60,6 +86,22 @@ } }, "nixpkgs_3": { + "locked": { + "lastModified": 1669834992, + "narHash": "sha256-YnhZGHgb4C3Q7DSGisO/stc50jFb9F/MzHeKS4giotg=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "596a8e828c5dfa504f91918d0fa4152db3ab5502", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { "locked": { "lastModified": 1642961095, "narHash": "sha256-RLatktZmvwFBOyqdoIk4qdS4OGKB7aKIvvs4ZP2L8D8=", 
@@ -77,15 +119,31 @@ }, "root": { "inputs": { - "fish-grc": "fish-grc", "home-manager": "home-manager", - "nixpkgs": "nixpkgs_2", + "iwd-autocaptiveauth": "iwd-autocaptiveauth", + "nixpkgs": "nixpkgs_3", + "nixpkgs-unstable": "nixpkgs-unstable", "wl-togglescreens": "wl-togglescreens" } }, + "utils": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "wl-togglescreens": { "inputs": { - "nixpkgs": "nixpkgs_3" + "nixpkgs": "nixpkgs_4" }, "locked": { "lastModified": 1643277141, diff --git a/flake.nix b/flake.nix index 1629b0d..50f25c9 100644 --- a/flake.nix +++ b/flake.nix @@ -1,13 +1,10 @@ { inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.05"; - home-manager = { - #url = "github:rycee/home-manager/release-22.05"; - url = "path:/home/onny/projects/home-manager"; # FIXME - }; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11"; + nixpkgs-unstable.url = "nixpkgs/nixpkgs-unstable"; # FIXME + home-manager.url = "github:rycee/home-manager/release-22.11"; wl-togglescreens.url = "git+https://git.project-insanity.org/onny/wl-togglescreens.git?ref=main"; - fish-grc.url = "github:oh-my-fish/plugin-grc"; # FIXME - fish-grc.flake = false; + iwd-autocaptiveauth.url = "git+https://git.project-insanity.org/onny/py-iwd-autocaptiveauth.git"; }; outputs = {self, nixpkgs, ...}@inputs: { @@ -17,8 +14,17 @@ specialArgs.inputs = inputs; modules = [ inputs.home-manager.nixosModules.home-manager + inputs.iwd-autocaptiveauth.nixosModule + + ({ pkgs, ... }: + + # FIXME + let + overlay-unstable = final: prev: { + unstable = inputs.nixpkgs-unstable.legacyPackages.${prev.system}; + }; - ({ pkgs, ... }: { + in { # FIXME nix = { 
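Review bot: `iwd-autocaptiveauth.url` carries no `?ref=`, unlike the `wl-togglescreens` input on the line above it, so `nix flake update` follows whatever the repository's default branch points at; flake.lock pins the current rev, but this input contributes a NixOS module and an overlay that the following flake.nix hunks apply system-wide, which makes an explicit branch worth the few characters: `iwd-autocaptiveauth.url = "git+https://git.project-insanity.org/onny/py-iwd-autocaptiveauth.git?ref=master";` (the lock records `refs/heads/master`). `nixpkgs-unstable.url = "nixpkgs/nixpkgs-unstable"` is an indirect reference resolved through the local flake registry rather than a fixed origin; `github:NixOS/nixpkgs/nixpkgs-unstable` states the source explicitly and matches the `nixpkgs.url` line. The trailing `# FIXME` on that line does not say what is left to do.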
@@ -29,6 +35,12 @@ home-manager.useGlobalPkgs = true; + # FIXME + nixpkgs.overlays = [ + overlay-unstable + inputs.iwd-autocaptiveauth.overlay + ]; + }) ./configuration.nix diff --git a/home.nix b/home.nix index 9df5a0a..2f73e66 100644 --- a/home.nix +++ b/home.nix @@ -7,7 +7,27 @@ in home-manager.users.onny = { - services.opensnitch-ui.enable = true; + disabledModules = [ "programs/librewolf.nix" ]; + + # FIXME + imports = [ + (builtins.fetchurl { + url = "https://raw.githubusercontent.com/nix-community/home-manager/3badaf35a61d82806e59742911f2df79e905c044/modules/programs/librewolf.nix"; + sha256 = "1vbccpwapai53fcld8ypr061p83v1pmbhy72j20jd3p2ki1jz0zq"; + }) + (builtins.fetchurl { + url = "https://raw.githubusercontent.com/nix-community/home-manager/1f5250329f3199dd3c0ca96b41191091a99fe90a/modules/services/waydroid.nix"; + sha256 = "1qw9ayifak7n3zw7qh075zif2gcxjxczlvgp7if770a8h52w5yn9"; + }) + ]; + + services = { + + opensnitch-ui.enable = true; + + #waydroid.enable = true; + + }; programs = { @@ -43,21 +63,26 @@ in defaultTimeout = 3500; }; + foot = { + enable = true; + settings.main.font = "monospace:pixelsize=15"; + }; + fish = { enable = true; interactiveShellInit = '' set fish_greeting # Disable greeting ''; plugins = with pkgs.fishPlugins; [ - { - name = "grc"; - src = inputs.fish-grc; # FIXME - } + { name = "grc"; src = pkgs.unstable.fishPlugins.grc.src; } + { name = "fzf-fish"; src = pkgs.fishPlugins.fzf-fish.src; } ]; }; librewolf = { enable = true; + # Workaround to prioritize system wide installed package + package = pkgs.sl; # Enable WebGL, cookies and history overrides = { "webgl.disabled" = false; 
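Review bot: The `# FIXME` above `imports` does not say what the two fetched modules are working around, which matters because `disabledModules = [ "programs/librewolf.nix" ]` swaps the module shipped with home-manager release-22.11 for one taken from a specific upstream commit. Pinning both fetches by commit and `sha256` is the right way to do this; only the reasoning is missing. Something like `# FIXME: release-22.11's librewolf module lacks <feature>; pinned upstream copies until a release includes it. waydroid.nix is only needed for the services.waydroid line below` tells the next reader when the workaround can go.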
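Review bot: `package = pkgs.sl;` installs an unrelated program under the librewolf option, and `# Workaround to prioritize system wide installed package` does not say that this is a deliberate dummy so home-manager writes the profile settings without putting its own librewolf on `PATH`. Say so and name where the real binary comes from; configuration.nix's `# librewolf # (see security.nix)` suggests the firejail wrapper, but that is inferred, not visible here: `# Dummy package: the browser on PATH is the firejail-wrapped one from security.nix; this module only manages the profile overrides below`. The `grc` plugin's `src` now comes from `pkgs.unstable`, a different nixpkgs revision than the rest of `fishPlugins`, and a short note on why would save the next person from "fixing" it. The `librewolf` attribute set continues past the end of this hunk.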
@@ -65,7 +90,12 @@ in "privacy.clearOnShutdown.history" = false; "privacy.clearOnShutdown.cookies" = false; "network.cookie.lifetimePolicy" = 0; + "general.useragent.override" = "Mozilla/5.0 (Windows NT 10.0; rv:101.0) Gecko/20100101 Firefox/101.0"; }; + # Extensions + # I still dont care about cookies, Privacy Badger, + # Bypass Paywalls Clean, Cookie AutoDelete + # uBlock Origin already included in LibreWolf }; waybar = { 
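Review bot: The new `"general.useragent.override"` hard-codes a Firefox 101 identity that drifts away from the real engine version with every update, which makes the browser more distinctive rather than less. LibreWolf enables `privacy.resistFingerprinting` by default, and that already reports a generic Windows/ESR user agent, so this pref mainly replaces a maintained spoof with a frozen one. If a specific site needs it, record that next to it, e.g. `# FIXME: needed for <site>; remove once it accepts the RFP user agent`; otherwise dropping the line is the safer default. The `overrides` set this lands in begins before this hunk.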
@@ -77,54 +107,52 @@ in height = 24; modules-left = ["sway/workspaces" "sway/mode"]; modules-center = ["sway/window"]; - modules-right = ["custom/stopwatch" "network" "pulseaudio" "battery" "clock" "tray"]; - modules = { - "sway/workspaces" = { - format = "{icon}"; - format-icons = { - "urgent" = "ïª"; - "focused" = ""; - "default" = "ï„‘"; - }; - }; - "custom/stopwatch" = { - format = "  {} "; - exec = "~/.config/waybar/sw"; - on-click = "~/.config/waybar/sw"; - on-click-right = "~/.config/waybar/sw --stop"; - return-type = "json"; - }; - "network" = { - format-wifi = " {essid} ({signalStrength}%)"; - format-ethernet = "ïƒ {ifname}: {ipaddr}/{cidr}"; - format-disconnected = "Disconnected âš "; + modules-right = ["custom/stopwatch" "cpu" "memory" "network" "pulseaudio" "battery" "clock" "tray"]; + "sway/workspaces" = { + format = "{icon}"; + format-icons = { + "urgent" = "ïª"; + "focused" = ""; + "default" = "ï„Œ"; }; - "pulseaudio" = { - format = "{icon} {volume}%"; - format-bluetooth = "{icon} {volume}%"; - format-muted = " 0%"; - format-icons = { - "headphones" = ""; - "handsfree" = "ï–"; - "headset" = "ï–"; - "phone" = "ï‚•"; - "portable" = "ï‚•"; - "car" = ""; - "default" = ["" ""]; - }; - }; - "battery" = { - bat = "BAT0"; - states = { - "warning" = 30; - "critical" = 15; - }; - format = "{icon} {capacity}%"; - format-icons = ["" "" "" "ï‰" ""]; + }; + "custom/stopwatch" = { + format = " ï’› {} "; + exec = "~/.config/waybar/sw"; + on-click = "~/.config/waybar/sw"; + on-click-right = "~/.config/waybar/sw --stop"; + return-type = "json"; + }; + "network" = { + format-wifi = " {essid} ({signalStrength}%)"; + format-ethernet = "ïƒ {ifname}: {ipaddr}/{cidr}"; + format-disconnected = "Disconnected âš "; + }; + "pulseaudio" = { + format = "{icon} {volume}%"; + format-bluetooth = "{icon} {volume}%"; + format-muted = " 0%"; + format-icons = { + "headphones" = ""; + "handsfree" = "ï–"; + "headset" = "ï–"; + "phone" = "ï‚•"; + "portable" = "ï‚•"; + 
"car" = ""; + "default" = ["" ""]; }; - "clock" = { - format = "{:%a %d %b %H:%M}"; + }; + "battery" = { + bat = "BAT0"; + states = { + "warning" = 30; + "critical" = 15; }; + format = "{icon} {capacity}%"; + format-icons = ["" "" "" "ï‰" ""]; + }; + "clock" = { + format = "{:%a %d %b %H:%M}"; }; }]; style = (builtins.readFile ./configs/waybar/style.css); @@ -178,7 +206,7 @@ in }; }; }; - + gtk = { enable = true; iconTheme = { @@ -224,11 +252,28 @@ in ".netrc".text = ''default login ${secrets.nextcloud-user} password ${secrets.nextcloud-password}''; - ".nextcloud/sync-exclude.lst".text = ''.cache''; + ".nextcloud/sync-exclude.lst".text = '' + .cache + .atom + .local + .wine + projects + .tor-browser-en + .waterfox + go + .config/Signal + .config/Sonixd + .npm + .config/VSCodium + .pnpm-store + .librewolf + .mozilla + .thunderbird + ''; }; sessionVariables = { - GDK_BACKEND = "wayland,x11"; # FIXME: wayland only. electron patches! + GDK_BACKEND = "wayland"; BROWSER = "librewolf"; TERMINAL = "foot"; EDITOR = "nvim"; 
@@ -238,45 +283,35 @@ in XDG_SESSION_TYPE = "wayland"; XDG_RUNTIME_DIR = "/run/user/1000"; #QT_QPA_PLATFORM = "wayland"; - #QT_STYLE_OVERRIDE = "Breeze"; - #QT_QPA_PLATFORMTHEME = "qt5ct"; + #QT_STYLE_OVERRIDE = "Breeze"; + #QT_QPA_PLATFORMTHEME = "qt5ct"; + NIXOS_OZONE_WL = 1; + MOZ_ENABLE_WAYLAND = 1; }; + stateVersion = "22.11"; + }; systemd.user = { - services = { - nextcloud-autosync = { - Unit = { - Description = "Auto sync Nextcloud"; - After = "network-online.target"; - }; - Service = { - Type = "simple"; - ExecStart= "${pkgs.nextcloud-client}/bin/nextcloudcmd -h -n --exclude /home/onny/.nextcloud/sync-exclude.lst /home/onny/. https://nextcloud.project-insanity.org"; - TimeoutStopSec = "180"; - KillMode = "process"; - KillSignal = "SIGINT"; - }; - Install = { - WantedBy = ["multi-user.target"]; - }; + services.nextcloud-autosync = { + Unit = { + Description = "Auto sync Nextcloud"; + After = "network-online.target"; }; - }; - timers = { - nextcloud-autosync = { - Unit = { - Description = "Automatic sync files with Nextcloud when booted up after 5 minutes then rerun every 60 minutes"; - }; - Timer = { - OnBootSec = "5min"; - OnUnitActiveSec = "60min"; - Unit = "nextcloud-autosync.service"; - }; - Install = { - WantedBy = ["multi-user.target" "timers.target"]; - }; + Service = { + Type = "simple"; + ExecStart= "${pkgs.nextcloud-client}/bin/nextcloudcmd -h -n --exclude /home/onny/.nextcloud/sync-exclude.lst /home/onny/. https://nextcloud.project-insanity.org"; + TimeoutStopSec = "180"; + KillMode = "process"; + KillSignal = "SIGINT"; }; + Install.WantedBy = ["multi-user.target"]; + }; + timers.nextcloud-autosync = { + Unit.Description = "Automatic sync files with Nextcloud when booted up after 5 minutes then rerun every 60 minutes"; + Timer.OnUnitActiveSec = "60min"; + Install.WantedBy = ["multi-user.target" "timers.target"]; }; startServices = true; }; diff --git a/network.nix b/network.nix index 57da682..1e00c99 100644 --- a/network.nix +++ b/network.nix 
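Review bot: The rewritten `timers.nextcloud-autosync` keeps `Timer.OnUnitActiveSec = "60min"` but drops the `OnBootSec = "5min"` the old block had; a timer whose only trigger is `OnUnitActiveSec` measures from the service's last activation, so on a fresh session it never fires until something starts the service by hand. `Unit.Description` still promises the boot-time run, so this looks accidental rather than intended. Restoring `Timer.OnBootSec = "5min";` next to the `OnUnitActiveSec` line fixes it.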
@@ -6,6 +6,14 @@ let in { + # FIXME + #disabledModules = [ + # "services/networking/iwd.nix" + #]; + #imports = [ + # /home/onny/projects/nixpkgs/nixos/modules/services/networking/iwd.nix + #]; + networking = { hostName = "tuxzentrale"; @@ -15,37 +23,21 @@ in wireless.iwd = { enable = true; # FIXME 8021x networks missing - # networks = secrets.wifiNetworks; + #networks = secrets.wifiNetworks; + settings.General.AddressRandomization = "network"; }; }; - services.resolved.enable = true; + services.resolved = { + enable = true; + fallbackDns = [ "127.0.0.1:5353" ]; + }; systemd = { network = { enable = true; - netdevs = { - "10-wg0" = { - netdevConfig = { - Kind = "wireguard"; - MTUBytes = "1384"; - Name = "wg0"; - }; - wireguardConfig.PrivateKeyFile = builtins.toPath( pkgs.writeText "privateKey" secrets.wireguard-privkey ); - wireguardPeers = [{ - wireguardPeerConfig = { - AllowedIPs = [ "10.25.0.0/16" ]; - # FIXME: Endpoint list of strings? - #Endpoint = "2a01:4f8:191:327::2:51820"; - Endpoint = "144.76.16.40:51820"; - PublicKey = secrets.wireguard-pubkey; - PersistentKeepalive = 25; - }; - }]; - }; - }; networks = { "10-enp0s25" = { name = "enp025"; @@ -57,21 +49,11 @@ in DHCP = "yes"; networkConfig.MulticastDNS = true; }; - "30-wg0" = { - name = "wg0"; - address = ["10.25.40.2/16"]; - dns = ["10.25.0.1"]; - networkConfig.DNSSEC = "no"; - }; - #"40-libvirt" = { # FIXME - # name = "virbr0"; - # networkConfig.MulticastDNS = true; - #}; }; }; }; - #networking = { + networking = { # useDHCP = false; # interfaces = { # enp0s25.ipv4.addresses = [{ @@ -79,11 +61,11 @@ in # prefixLength = 24; # }]; # }; - # nameservers = [ "192.168.178.1" ]; + nameservers = [ "8.8.8.8" ]; # defaultGateway = { # address = "192.168.178.1"; # interface = "enp0s25"; # }; - #}; + }; } diff --git a/security.nix b/security.nix index cd0d363..32c1160 100644 --- a/security.nix +++ b/security.nix 
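Review bot: `nameservers = [ "8.8.8.8" ];` sends the host's DNS to a third-party resolver in plaintext with no comment on why, while security.nix picks `46.182.19.48` for the sandboxes; two unexplained resolver choices in one commit will confuse later changes. The `fallbackDns = [ "127.0.0.1:5353" ]` added in the earlier `services.resolved` hunk only applies when resolved knows no other server, so with this line present normal host lookups do not go through Tor's DNSPort; if that was the intent, the two settings work against each other. Either document the choice (`nameservers = [ "8.8.8.8" ]; # FIXME: <reason for a public resolver>`) or, if privacy is the goal, pick one resolver for both files and add `services.resolved.extraConfig = "DNSOverTLS=opportunistic";` so at least the transport is protected where the upstream supports it. `AddressRandomization = "network"` in the iwd hunk is a good addition and deserves the one-line comment `# per-network random MAC`.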
@@ -1,6 +1,106 @@ { config, pkgs, lib, ... }:{ - services.opensnitch.enable = true; + disabledModules = [ "services/security/opensnitch.nix" ]; + imports = [ + "${fetchTarball "https://github.com/NixOS/nixpkgs/archive/master.tar.gz"}/nixos/modules/services/security/opensnitch.nix" + ]; + + services.opensnitch = { + enable = true; + rules = { + tor = { + name = "tor"; + enabled = true; + action = "allow"; + duration = "always"; + operator = { + type ="simple"; + sensitive = false; + operand = "process.path"; + data = "${lib.getBin pkgs.tor}/bin/tor"; + }; + }; + dhcpcd = { + name = "dhcpcd"; + enabled = true; + action = "allow"; + duration = "always"; + operator = { + type ="simple"; + sensitive = false; + operand = "process.path"; + data = "${lib.getBin pkgs.dhcpcd}/bin/dhcpcd"; + }; + }; + systemd-timesyncd = { + name = "systemd-timesyncd"; + enabled = true; + action = "allow"; + duration = "always"; + operator = { + type ="simple"; + sensitive = false; + operand = "process.path"; + data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd"; + }; + }; + systemd-resolved = { + name = "systemd-resolved"; + enabled = true; + action = "allow"; + duration = "always"; + operator = { + type ="simple"; + sensitive = false; + operand = "process.path"; + data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-resolved"; + }; + }; + systemd-networkd = { + name = "systemd-networkd"; + enabled = true; + action = "allow"; + duration = "always"; + operator = { + type ="simple"; + sensitive = false; + operand = "process.path"; + data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-networkd"; + }; + }; + + }; + }; + + services.tor = { + enable = true; + openFirewall = true; + client.enable = true; + settings = { + TransPort = [ 9040 ]; + DNSPort = 5353; + VirtualAddrNetworkIPv4 = "172.30.0.0/16"; + }; + }; + + networking.bridges."tornet" = { + interfaces = []; + }; + networking.interfaces.tornet.ipv4.addresses = [{ + address = "10.100.100.1"; + prefixLength = 24; + }]; + + 
boot.kernel.sysctl = { + "net.ipv4.conf.tornet.route_localnet" = 1; + }; + + networking.firewall.extraCommands = '' + iptables -t nat -A PREROUTING -i tornet -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1:5353 + iptables -t nat -A PREROUTING -i tornet -p tcp -j DNAT --to-destination 127.0.0.1:9040 + iptables -A INPUT -i tornet -p tcp --dport 9040 -j ACCEPT + iptables -A INPUT -i tornet -p udp --dport 5353 -j ACCEPT + ''; programs.firejail = { enable = true; @@ -10,35 +110,29 @@ profile = "${pkgs.firejail}/etc/firejail/librewolf.profile"; # FIXME: Use global GTK theme configuration extraArgs = [ - # Required for U2F USB stick - "--ignore=private-dev" - # Enforce dark mode - "--env=GTK_THEME=Adwaita:dark" - ]; + "--net=tornet" + "--dns=46.182.19.48" # plaintext digitalcourage + # Required for U2F USB stick + "--ignore=private-dev" + # Enforce dark mode + "--env=GTK_THEME=Adwaita:dark" + "--env=MOZ_ENABLE_WAYLAND=1" + # Enable system notifications + "--dbus-user.talk=org.freedesktop.Notifications" + ]; }; signal-desktop = { - executable = "${pkgs.signal-desktop}/bin/signal-desktop --enable-features=UseOzonePlatform --ozone-platform=wayland"; # FIXME + executable = "${pkgs.signal-desktop}/bin/signal-desktop"; profile = "${pkgs.firejail}/etc/firejail/signal-desktop.profile"; - extraArgs = [ "--env=LC_ALL=C" "--env=GTK_THEME=Adwaita:dark" ]; # FIXME + extraArgs = [ + "--net=tornet" + "--dns=46.182.19.48" # plaintext digitalcourage + "--env=LC_ALL=C" + "--env=GTK_THEME=Adwaita:dark" + "--env=NIXOS_OZONE_WL=1" + ]; # FIXME }; }; }; - #imports = [ - # /home/onny/projects/nixpkgs/nixos/modules/programs/orjail/orjail.nix - #]; - - #programs.orjail = { - # enable = true; - # wrappedBinaries = { - # chromium = { - # executable = "${lib.getBin pkgs.chromium}/bin/chromium"; # FIXME - # extraArgs = [ - # # Enable Firejail sandboxing - # "-f" - # ]; - # }; - # }; - #}; - } diff --git a/sway.nix b/sway.nix index 164b5e7..8a9698f 100644 --- a/sway.nix +++ b/sway.nix 
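Review bot: The `imports` line pulls `https://github.com/NixOS/nixpkgs/archive/master.tar.gz` with no commit and no `sha256`, so the opensnitch module that ends up in the system closure is whatever master holds at evaluation time with no integrity check, and a module evaluated this way can define services and rules for the whole host. Pin it the way home.nix pins its fetched modules: `"${fetchTarball { url = "https://github.com/NixOS/nixpkgs/archive/<COMMIT>.tar.gz"; sha256 = "<SHA256>"; }}/nixos/modules/services/security/opensnitch.nix"`. In `networking.firewall.extraCommands`, the DNAT rules redirect TCP and UDP/53 from `tornet` to Tor and the two `ACCEPT`s admit those, but nothing refuses the rest of the bridge's traffic; whether other UDP or ICMP can leave the host depends on the `FORWARD` policy, which docker and libvirtd (both enabled in configuration.nix) also manage, so closing it explicitly with `iptables -A FORWARD -i tornet -j DROP` and `iptables -A INPUT -i tornet -j DROP` after the accepts makes the sandbox fail closed. These `-A` rules (nat and INPUT alike) are not in the chains NixOS flushes on a firewall reload, so they likely accumulate unless matching `-D` lines go into `networking.firewall.extraStopCommands`.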
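Review bot: `# plaintext digitalcourage` on the `--dns=46.182.19.48` lines is misleading once `--net=tornet` is in place: UDP/53 leaving the sandbox is DNATed to Tor's DNSPort by the rules in the previous hunk, so the resolver address is never contacted directly and only serves to give the sandbox a configured nameserver. A comment saying that, e.g. `# any routable address: UDP/53 from tornet is redirected to Tor's DNSPort (see firewall.extraCommands)`, keeps the DNS path understandable when the firewall rules change. The same `--net`/`--dns` pair is now repeated in both wrapped binaries; a `let torNet = [ "--net=tornet" "--dns=46.182.19.48" ]; in` at the top of the file keeps them in sync. The trailing `# FIXME` on signal-desktop's `extraArgs` says nothing about what is still open. `programs.firejail` begins before this hunk.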
@@ -8,14 +8,12 @@
 swaylock
 grim
 brightnessctl
-xwayland
 kanshi
 bemenu
 wl-clipboard
 wf-recorder
 xdg-user-dirs
 waybar
-#snipping_tool
 ];
 extraSessionCommands = ''
 export XKB_DEFAULT_LAYOUT=de
-- 
GitLab