diff --git a/flake.nix b/flake.nix index a959ef4..3b1ced8 100644 --- a/flake.nix +++ b/flake.nix @@ -1,10 +1,11 @@ { inputs = { - nixpkgs.url = "nixpkgs/nixos-24.05"; - nixpkgs-unstable.url = "nixpkgs/nixos-unstable"; + nixpkgs.url = "nixpkgs/nixos-24.11"; + # nixpkgs-unstable.url = "nixpkgs/nixpkgs-unstable"; + nixpkgs-unstable.url = "github:NixOS/nixpkgs/master"; home-manager = { - url = "github:nix-community/home-manager/release-24.05"; + url = "github:nix-community/home-manager/release-24.11"; inputs.nixpkgs.follows = "nixpkgs"; }; @@ -87,7 +88,7 @@ android_sdk.accept_license = true; segger-jlink.acceptLicense = true; permittedInsecurePackages = [ - "segger-jlink-qt4-794l" + "segger-jlink-qt4-796s" ]; }; @@ -97,32 +98,16 @@ config.allowUnfree = true; config.segger-jlink.acceptLicense = true; config.permittedInsecurePackages = [ - "segger-jlink-qt4-794s" + "segger-jlink-qt4-796s" ]; }; in [ (self: super: { inherit (nonrecursive-unstable-pkgs) - atuin - wstunnel - nrf-udev - nrfutil - gpclient - gpauth + calibre + fcitx5-mozc ; }) - - # https://github.com/NixOS/nixpkgs/pull/251706 - (self: super: { - mozc = self.qt6Packages.callPackage ./package-overrides/mozc.nix { }; - fcitx5-mozc = self.callPackage ./package-overrides/fcitx5-mozc.nix { }; - }) - - (self: super: { - mpv-unwrapped = super.mpv-unwrapped.override { - ffmpeg = super.ffmpeg_6-full; - }; - }) ]; }; diff --git a/home/packages.nix b/home/packages.nix index 515e824..b06911a 100644 --- a/home/packages.nix +++ b/home/packages.nix @@ -91,8 +91,8 @@ geogebra ghidra gimp - gnome.gnome-font-viewer - gnome.seahorse + gnome-font-viewer + seahorse google-chrome imhex inkscape diff --git a/home/programs/alacritty.nix b/home/programs/alacritty.nix index 9a72595..476d06a 100644 --- a/home/programs/alacritty.nix +++ b/home/programs/alacritty.nix @@ -43,9 +43,9 @@ duration = 20; }; - live_config_reload = true; + general.live_config_reload = true; - shell = { + terminal.shell = { program = "${pkgs.zsh}/bin/zsh"; args = [ "--login" ]; }; diff --git a/home/services/dunst.nix b/home/services/dunst.nix index fb0f14f..c0e553b 100644 --- a/home/services/dunst.nix +++ b/home/services/dunst.nix @@ -3,7 +3,7 @@ services.dunst = { enable = true; iconTheme = { - package = pkgs.gnome.adwaita-icon-theme; + package = pkgs.adwaita-icon-theme; name = "Adwaita"; size = "32x32"; }; diff --git a/home/services/sxhkd.nix b/home/services/sxhkd.nix index 840b2fe..b824b44 100644 --- a/home/services/sxhkd.nix +++ b/home/services/sxhkd.nix @@ -22,11 +22,11 @@ in # Volume - "super + {@F7,@F8}" = "${pkgs.alsaUtils}/bin/amixer set Master 2%{-,+}"; + "super + {@F7,@F8}" = "${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 2%{-,+}"; - "{XF86AudioLowerVolume,XF86AudioRaiseVolume}" = "${pkgs.alsaUtils}/bin/amixer set Master 2%{-,+}"; + "{XF86AudioLowerVolume,XF86AudioRaiseVolume}" = "${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 2%{-,+}"; - "XF86AudioMute" = "${pkgs.pulseaudio}/bin/pactl set-sink-mute @DEFAULT_SINK@ toggle"; + "XF86AudioMute" = "${pkgs.wireplumber}/bin/wpctl set-mute toggle"; # Music diff --git a/hosts/common/default.nix b/hosts/common/default.nix index 42640f1..6019693 100644 --- a/hosts/common/default.nix +++ b/hosts/common/default.nix @@ -12,9 +12,7 @@ in { ./programs/ssh.nix ./programs/usbtop.nix - ./services/cups.nix ./services/dbus.nix - ./services/logrotate.nix ./services/openssh.nix ./services/pcscd.nix ./services/pipewire.nix diff --git a/hosts/common/services/cups.nix b/hosts/common/services/cups.nix deleted file mode 100644 index d4a9feb..0000000 --- a/hosts/common/services/cups.nix +++ /dev/null @@ -1,71 +0,0 @@ -{ config, lib, ... }: -{ - systemd.services = lib.mkIf config.services.printing.enable { - cups.serviceConfig = { - PrivateTmp = true; - ProtectSystem = "strict"; - ProtectHome = true; - ProtectClock= true; - ProtectControlGroups = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectProc = "invisible"; - PrivateDevices = true; - NoNewPrivileges = true; - # User = - AmbientCapabilities = [ "" ]; - CapabilityBoundingSet = [ "" ]; - DevicePolicy = "closed"; - KeyringMode = "private"; - LockPersonality = true; - MemoryDenyWriteExecute = true; - PrivateUsers = true; - RemoveIPC = true; - # RestrictAddressFamilies = [ "" ]; - RestrictNamespaces=true; - RestrictRealtime=true; - RestrictSUIDSGID=true; - SystemCallArchitectures = "native"; - SystemCallFilter = [ - "@system-service" - "~@privileged" - ]; - UMask = "0077"; - }; - cups-browsed.serviceConfig = { - PrivateTmp = true; - ProtectSystem = "strict"; - ProtectHome = true; - ProtectClock= true; - ProtectControlGroups = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectProc = "invisible"; - PrivateDevices = true; - NoNewPrivileges = true; - # User = - AmbientCapabilities = [ "" ]; - CapabilityBoundingSet = [ "" ]; - DevicePolicy = "closed"; - KeyringMode = "private"; - LockPersonality = true; - MemoryDenyWriteExecute = true; - PrivateUsers = true; - RemoveIPC = true; - # RestrictAddressFamilies = [ "" ]; - RestrictNamespaces=true; - RestrictRealtime=true; - RestrictSUIDSGID=true; - SystemCallArchitectures = "native"; - SystemCallFilter = [ - "@system-service" - "~@privileged" - ]; - UMask = "0077"; - }; - }; -} diff --git a/hosts/common/services/logrotate.nix b/hosts/common/services/logrotate.nix deleted file mode 100644 index d922b0d..0000000 --- a/hosts/common/services/logrotate.nix +++ /dev/null @@ -1,42 +0,0 @@ -{ ... }: -{ - # source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service - systemd.services.logrotate = { - documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ]; - unitConfig.RequiresMountsFor = "/var/log"; - serviceConfig = { - Nice = 19; - IOSchedulingClass = "best-effort"; - IOSchedulingPriority = 7; - - ReadWritePaths = [ "/var/log" ]; - - AmbientCapabilities = [ "" ]; - CapabilityBoundingSet = [ "" ]; - DeviceAllow = [ "" ]; - LockPersonality = true; - MemoryDenyWriteExecute = true; - NoNewPrivileges = true; # disable for third party rotate scripts - PrivateDevices = true; - PrivateNetwork = true; # disable for mail delivery - PrivateTmp = true; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; # disable for userdir logs - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectProc = "invisible"; - ProtectSystem = "full"; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; # disable for creating setgid directories - SocketBindDeny = [ "any" ]; - SystemCallArchitectures = "native"; - SystemCallFilter = [ - "@system-service" - ]; - }; - }; -} diff --git a/hosts/common/services/printing.nix b/hosts/common/services/printing.nix index 65fe52c..ce234ce 100644 --- a/hosts/common/services/printing.nix +++ b/hosts/common/services/printing.nix @@ -1,4 +1,77 @@ -{ config, ... }: +{ config, lib, ... }: +let + cfg = config.services.printing; +in { - services.printing.enable = !config.machineVars.headless; + # services.printing.enable = !config.machineVars.headless; + services.printing.enable = false; + + systemd.services = lib.mkIf cfg.enable { + cups.serviceConfig = { + PrivateTmp = true; + ProtectSystem = "strict"; + ProtectHome = true; + ProtectClock= true; + ProtectControlGroups = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + PrivateDevices = true; + NoNewPrivileges = true; + # User = + AmbientCapabilities = [ "" ]; + CapabilityBoundingSet = [ "" ]; + DevicePolicy = "closed"; + KeyringMode = "private"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + PrivateUsers = true; + RemoveIPC = true; + # RestrictAddressFamilies = [ "" ]; + RestrictNamespaces=true; + RestrictRealtime=true; + RestrictSUIDSGID=true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + ]; + UMask = "0077"; + }; + cups-browsed.serviceConfig = lib.mkIf cfg.enable { + PrivateTmp = true; + ProtectSystem = "strict"; + ProtectHome = true; + ProtectClock= true; + ProtectControlGroups = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + PrivateDevices = true; + NoNewPrivileges = true; + # User = + AmbientCapabilities = [ "" ]; + CapabilityBoundingSet = [ "" ]; + DevicePolicy = "closed"; + KeyringMode = "private"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + PrivateUsers = true; + RemoveIPC = true; + # RestrictAddressFamilies = [ "" ]; + RestrictNamespaces=true; + RestrictRealtime=true; + RestrictSUIDSGID=true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + ]; + UMask = "0077"; + }; + }; } diff --git a/hosts/dosei/configuration.nix b/hosts/dosei/configuration.nix index 80549f8..4fa7385 100644 --- a/hosts/dosei/configuration.nix +++ b/hosts/dosei/configuration.nix @@ -81,10 +81,5 @@ bluetooth.enable = true; enableRedistributableFirmware = true; keyboard.zsa.enable = true; - opengl = { - enable = true; - driSupport = true; - driSupport32Bit = true; - }; }; }