

12 Commits

20 changed files with 790 additions and 26 deletions


@ -101,6 +101,8 @@
inherit (nonrecursive-unstable-pkgs) atuin wstunnel; inherit (nonrecursive-unstable-pkgs) atuin wstunnel;
}) })
(import ./overlays/wayland-ime-integration.nix)
# https://github.com/NixOS/nixpkgs/pull/251706 # https://github.com/NixOS/nixpkgs/pull/251706
(self: super: { (self: super: {
mozc = self.qt6Packages.callPackage ./package-overrides/mozc.nix { }; mozc = self.qt6Packages.callPackage ./package-overrides/mozc.nix { };
@ -188,6 +190,7 @@
useGlobalPkgs = true; useGlobalPkgs = true;
extraSpecialArgs = { extraSpecialArgs = {
inherit inputs; inherit inputs;
inherit unstable-pkgs;
inherit (self) extendedLib; inherit (self) extendedLib;
inherit (config) machineVars; inherit (config) machineVars;
secrets = secrets.outputs.settings; secrets = secrets.outputs.settings;


@ -35,12 +35,14 @@ in {
./programs/alacritty.nix ./programs/alacritty.nix
./programs/emacs ./programs/emacs
./programs/firefox.nix ./programs/firefox.nix
./programs/hyprland.nix
./programs/ncmpcpp.nix ./programs/ncmpcpp.nix
./programs/newsboat ./programs/newsboat
./programs/qutebrowser.nix ./programs/qutebrowser.nix
./programs/rofi.nix ./programs/rofi.nix
./programs/taskwarrior.nix ./programs/taskwarrior.nix
./programs/vscode ./programs/vscode
./programs/waybar.nix
# ./programs/xmobar # ./programs/xmobar
./programs/xmonad ./programs/xmonad
./programs/zathura.nix ./programs/zathura.nix
@ -50,11 +52,11 @@ in {
./services/dunst.nix ./services/dunst.nix
./services/fcitx5.nix ./services/fcitx5.nix
./services/mpd.nix ./services/mpd.nix
./services/picom.nix # ./services/picom.nix
./services/polybar.nix # ./services/polybar.nix
./services/screen-locker.nix # ./services/screen-locker.nix
# ./services/stalonetray.nix # ./services/stalonetray.nix
./services/sxhkd.nix # ./services/sxhkd.nix
./services/tumblerd.nix ./services/tumblerd.nix
]; ];
@ -97,6 +99,7 @@ in {
sessionVariables = { sessionVariables = {
CARGO_NET_GIT_FETCH_WITH_CLI = "true"; CARGO_NET_GIT_FETCH_WITH_CLI = "true";
PYTHONSTARTUP = "${config.xdg.configHome}/python/pyrc"; PYTHONSTARTUP = "${config.xdg.configHome}/python/pyrc";
_JAVA_AWT_WM_NONREPARENTING = "1";
}; };
}; };


@ -17,6 +17,7 @@
gpg-tui gpg-tui
gping gping
graphviz graphviz
hexyl
httpie httpie
imagemagick imagemagick
jq jq
@ -24,6 +25,7 @@
# keybase # keybase
keymapviz keymapviz
libwebp libwebp
lnav
lolcat lolcat
mdcat mdcat
mediainfo mediainfo
@ -44,6 +46,7 @@
pandoc pandoc
parallel parallel
progress progress
pwntools
python3 python3
rclone rclone
ripgrep ripgrep
@ -89,10 +92,12 @@
discord discord
element-desktop element-desktop
geogebra geogebra
ghidra
gimp gimp
gnome.gnome-font-viewer gnome.gnome-font-viewer
gnome.seahorse gnome.seahorse
google-chrome google-chrome
imhex
inkscape inkscape
insomnia insomnia
iwgtk iwgtk


@ -4,7 +4,7 @@
enable = true; enable = true;
settings = { settings = {
gitProtocol = "ssh"; gitProtocol = "ssh";
pager = "${pkgs.bat}/git/bat"; pager = "${pkgs.bat}/bin/bat";
aliases = { aliases = {
co = "pr checkout"; co = "pr checkout";
pv = "pr view"; pv = "pr view";

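--- /dev/null
+++ b/home/programs/hyprland.nix
@@ -0,0 +1,323 @@
+{ config, pkgs, lib, ... }:
+let
+cfg = config.wayland.windowManager.hyprland;
+in
+{
+home.sessionVariables = {
+WLR_NO_HARDWARE_CURSORS = "1";
+WLR_RENDERER_ALLOW_SOFTWARE = "1";
+XDG_CURRENT_DESKTOP = "Hyprland";
+XDG_SESSION_DESKTOP = "Hyprland";
+XDG_SESSION_TYPE = "wayland";
+GDK_BACKEND = "wayland,x11,*";
+QT_QPA_PLATFORM = "wayland;xcb";
+NIXOS_OZONE_WL = "1";
+MOZ_ENABLE_WAYLAND = "1";
+SDL_VIDEODRIVER = "wayland";
+OZONE_PLATFORM = "wayland";
+CLUTTER_BACKEND = "wayland";
+QT_WAYLAND_DISABLE_WINDOWDECORATION = "1";
+# QT_QPA_PLATFORMTHEME = "qt6ct";
+QT_AUTO_SCREEN_SCALE_FACTOR = "1";
+LIBVA_DRIVER_NAME = "nvidia";
+GBM_BACKEND = "nvidia-drm";
+__GLX_VENDOR_LIBRARY_NAME = "nvidia";
+};
+home.packages = with pkgs; [
+wl-clipboard-rs
+];
+programs.hyprlock = {
+enable = true;
+settings = {
+general = {
+disable_loading_bar = true;
+grace = 300;
+hide_cursor = true;
+no_fade_in = false;
+};
+background = [
+{
+path = "screenshot";
+blur_passes = 3;
+blur_size = 8;
+}
+];
+input-field = [
+{
+size = "200, 50";
+position = "0, -80";
+monitor = "";
+dots_center = true;
+fade_on_empty = false;
+font_color = "rgb(202, 211, 245)";
+inner_color = "rgb(91, 96, 120)";
+outer_color = "rgb(24, 25, 38)";
+outline_thickness = 5;
+placeholder_text = ''Password...'';
+shadow_passes = 2;
+}
+];
+};
+};
+services.hypridle = {
+enable = true;
+settings = {
+general = {
+ignore_dbus_inhibit = false;
+lock_cmd = "pidof hyprlock || hyprlock";
+before_sleep_cmd = "loginctl lock-session";
+after_sleep_cmd = "hyprctl dispatch dpms on";
+};
+listener = [
+{
+timeout = 900;
+on-timeout = "hyprlock";
+}
+{
+timeout = 1200;
+on-timeout = "hyprctl dispatch dpms off";
+on-resume = "hyprctl dispatch dpms on";
+}
+];
+};
+};
+wayland.windowManager.hyprland = {
+enable = true;
+settings = let
+scratchpads = [
+(rec {
+title = "Floating terminal";
+class = "floatingTerminal";
+command = "alacritty --class ${class} -e tmux new-session -A -s f";
+size = { h = 90; w = 95; };
+keys = [
+"$mod, RETURN"
+"$mod, SPACE"
+];
+})
+(rec {
+title = "Ncmpcpp";
+class = "floatingNcmpcpp";
+command = "alacritty --class ${class} -e ncmpcpp";
+size = { h = 95; w = 95; };
+keys = [ "$mod, Q" ];
+})
+# "$mod, W, emacs"
+# "$mod, E, filebrowser"
+# "$mod, X, taskwarriortui"
+];
+in {
+"$mod" = "SUPER";
+# https://github.com/xkbcommon/libxkbcommon/blob/master/include/xkbcommon/xkbcommon-keysyms.h
+bind = [
+"$mod SHIFT, Q, exit"
+"$mod, R, exec, ${pkgs.rofi}/bin/rofi -show drun"
+"$mod, T, togglefloating"
+# TODO: fix this for upcoming releases
+"$mod, F, fullscreen, 2"
+"$mod, C, exec, hyprctl reload"
+"$mod, BACKSPACE, killactive"
+"$mod SHIFT, RETURN, exec, alacritty --class termTerminal -e tmux new-session -A -s term"
+"$mod SHIFT, SPACE, exec, alacritty --class termTerminal -e tmux new-session -A -s term"
+"$mod, j, layoutmsg,cyclenext"
+"$mod, k, layoutmsg,cycleprev"
+"$mod SHIFT, j, layoutmsg, swapnext"
+"$mod SHIFT, k, layoutmsg, swapprev"
+"$mod, 1, focusworkspaceoncurrentmonitor, 1"
+"$mod, 2, focusworkspaceoncurrentmonitor, 2"
+"$mod, 3, focusworkspaceoncurrentmonitor, 3"
+"$mod, 4, focusworkspaceoncurrentmonitor, 4"
+"$mod, 5, focusworkspaceoncurrentmonitor, 5"
+"$mod, 6, focusworkspaceoncurrentmonitor, 6"
+"$mod, 7, focusworkspaceoncurrentmonitor, 7"
+"$mod, 8, focusworkspaceoncurrentmonitor, 8"
+"$mod, 9, focusworkspaceoncurrentmonitor, 9"
+"$mod SHIFT, 1, movetoworkspacesilent, 1"
+"$mod SHIFT, 2, movetoworkspacesilent, 2"
+"$mod SHIFT, 3, movetoworkspacesilent, 3"
+"$mod SHIFT, 4, movetoworkspacesilent, 4"
+"$mod SHIFT, 5, movetoworkspacesilent, 5"
+"$mod SHIFT, 6, movetoworkspacesilent, 6"
+"$mod SHIFT, 7, movetoworkspacesilent, 7"
+"$mod SHIFT, 8, movetoworkspacesilent, 8"
+"$mod SHIFT, 9, movetoworkspacesilent, 9"
+"$mod, b, exec, ${pkgs.fcitx5}/bin/fcitx5-remote -s mozc"
+"$mod, n, exec, ${pkgs.fcitx5}/bin/fcitx5-remote -s keyboard-no"
+"$mod, m, exec, ${pkgs.fcitx5}/bin/fcitx5-remote -s keyboard-us"
+# TODO: ensure exists in environment
+"$mod, l, exec, loginctl lock-session"
+# TODO: fix
+# "super + minus" = "${pkgs.xcalib}/bin/xcalib -invert -alter"
+# TODO: fix
+", Print, exec, ${lib.getExe pkgs.grimblast} copy area"
+# "SHIFT, Print, exec, ${lib.getExe pkgs.grimblast} copy area"
+# "shift + @Print" = "${pkgs.maim}/bin/maim --hidecursor --nokeyboard $SCREENSHOT_DIR/$(date +%s).png"
+# TODO: Add boomer as package
+# "super + @Print" = "boomer"
+]
+++
+(lib.pipe scratchpads [
+(map ({ keys, command, class, ... }:
+(map (key: let
+# TODO: rewrite this to take arguments instead of creating n copies
+invokeIfNotRunningAndToggleWorkspace = pkgs.writeShellApplication {
+name = "hyprland-toggle-scratchpad-${class}";
+runtimeInputs = [ cfg.package pkgs.jq ];
+text = ''
+SCRATCHPAD_PROGRAM_EXISTS=$(hyprctl clients -j | jq -r '[.[].class]|any(. == "${class}")')
+CURRENT_WORKSPACE_ID=$(hyprctl activeworkspace -j | jq -r '.id')
+if [ "$SCRATCHPAD_PROGRAM_EXISTS" != "true" ]; then
+${command} &
+hyprctl dispatch movetoworkspacesilent "''${CURRENT_WORKSPACE_ID},class:${class}"
+hyprctl dispatch focuswindow "class:${class}"
+else
+SCRATCHPAD_PROGRAM_WORKSPACE_ID=$(hyprctl clients -j | jq '.[] | select( .class == "${class}") | .workspace.id')
+if [ "$SCRATCHPAD_PROGRAM_WORKSPACE_ID" != "$CURRENT_WORKSPACE_ID" ]; then
+hyprctl dispatch movetoworkspacesilent "''${CURRENT_WORKSPACE_ID},class:${class}"
+hyprctl dispatch focuswindow "class:${class}"
+else
+hyprctl dispatch movetoworkspacesilent "special:${class}Ws,class:${class}"
+fi
+fi
+'';
+};
+in "${key}, exec, ${lib.getExe invokeIfNotRunningAndToggleWorkspace}"
+) keys)
+))
+lib.flatten
+]);
+bindl = [
+"$mod, p, exec, ${pkgs.mpc_cli}/bin/mpc toggle"
+",XF86AudioPlay, exec, ${pkgs.mpc_cli}/bin/mpc toggle"
+",XF86AudioPrev, exec, ${pkgs.mpc_cli}/bin/mpc prev"
+",XF86AudioNext, exec, ${pkgs.mpc_cli}/bin/mpc next"
+];
+bindle = [
+",XF86MonBrightnessUp, exec, ${lib.getExe pkgs.brightnessctl} s +5%"
+",XF86MonBrightnessDown, exec, ${lib.getExe pkgs.brightnessctl} s 5%-"
+",XF86AudioLowerVolume, exec, ${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 2%-"
+",XF86AudioRaiseVolume, exec, ${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 2%+"
+"$mod ,F7, exec, ${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 2%-"
+"$mod ,F8, exec, ${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 2%+"
+];
+windowrulev2 = [
+"float,class:(Rofi)"
+"workspace 2,class:(firefox)"
+"workspace 2,class:(google-chrome)"
+"workspace 3,class:(Emacs)"
+"workspace 3,class:(Code)"
+"workspace 3,class:(code-url-handler)"
+"workspace 5,class:(discord)"
+"workspace 5,class:(Element)"
+]
+++
+(lib.pipe scratchpads [
+(map ({ class, size, ... }: [
+"workspace special:${class}Ws, class:^${class}$"
+"float, class:^${class}$"
+"size ${toString size.w}% ${toString size.h}%, class:^${class}$"
+"move ${toString ((100 - size.w) / 2)}% ${toString ((100 - size.h) / 2)}%, class:^${class}$"
+]))
+lib.flatten
+]);
+monitor = [
+"DP-2, 1920x1080@144.00Hz, 0x0, 1"
+"DVI-D-1, 1920x1080@144.00Hz, 1920x0, 1"
+",preferred,auto,1"
+];
+general = {
+gaps_in = 5;
+gaps_out = 15;
+border_size = 2;
+"col.active_border" = "rgba(33ccffee) rgba(00ff99ee) 45deg";
+"col.inactive_border" = "rgba(595959aa)";
+resize_on_border = false;
+allow_tearing = false;
+layout = "master";
+};
+decoration = {
+rounding = 10;
+# Change transparency of focused and unfocused windows
+active_opacity = 1.0;
+inactive_opacity = 1.0;
+drop_shadow = true;
+shadow_range = 4;
+shadow_render_power = 3;
+"col.shadow" = "rgba(1a1a1aee)";
+# https://wiki.hyprland.org/Configuring/Variables/#blur
+blur = {
+enabled = true;
+size = 3;
+passes = 1;
+vibrancy = 0.1696;
+};
+};
+animations.enabled = false;
+master = {
+new_status = "slave";
+};
+misc = {
+force_default_wallpaper = 0; # Set to 0 or 1 to disable the anime mascot wallpapers
+disable_hyprland_logo = false; # If true disables the random hyprland logo / anime girl background. :(
+};
+input ={
+kb_layout = "us";
+kb_variant = "";
+kb_model = "";
+kb_options = "";
+kb_rules = "";
+follow_mouse = 1;
+sensitivity = 0; # -1.0 - 1.0, 0 means no modification.
+touchpad = {
+natural_scroll = false;
+};
+};
+};
+};
+}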
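Review bot: `grace = 300` in `programs.hyprlock.settings.general` lets the lock screen be dismissed by any input for five minutes after hyprlock starts, and that grace applies to the manual `$mod, l, exec, loginctl lock-session` binding and to `before_sleep_cmd` just as much as to the 900 s idle timeout, so the session stays reachable without a password long after the user believes it is locked. Set `grace = 0;` (or a few seconds at most) and keep `hide_cursor`/`no_fade_in` for the cosmetic effect. Separately, `LIBVA_DRIVER_NAME`, `GBM_BACKEND`, `__GLX_VENDOR_LIBRARY_NAME` and the `monitor` list are machine-specific; either gate them on `config.machineVars` like the rest of the tree or add a header comment stating that this module assumes an NVIDIA host with DP-2/DVI-D-1 outputs.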


@ -21,6 +21,7 @@
vim-surround vim-surround
vim-fugitive vim-fugitive
vim-css-color vim-css-color
vim-wayland-clipboard
semshi semshi
{ {
plugin = goyo-vim; plugin = goyo-vim;


@ -10,26 +10,35 @@ let
proxyJump = lib.mkDefault null; proxyJump = lib.mkDefault null;
addressFamily = "inet"; addressFamily = "inet";
} }
"dagali"
"drolsum"
"demiurgen"
"eirin"
[ "bekkalokk" "pvv-web" "pvv-wiki" "pvv-webmail" ] [ "bekkalokk" "pvv-web" "pvv-wiki" "pvv-webmail" ]
"ildkule"
"shark"
"buskerud"
[ "bicep" "pvv-databases" ] [ "bicep" "pvv-databases" ]
"bob" "bob"
"knutsen" [ "brzeczyszczykiewicz" "brez" "bokhylle" ]
"buskerud"
"dagali"
"demiurgen"
"drolsum"
"eirin"
"georg"
"ildkule"
"isvegg" "isvegg"
"tom" "knutsen"
[ "microbel" "pvv-users" "pvv-mail" ] [ "microbel" "pvv-users" "pvv-mail" ]
"orchid"
"shark"
"tallulah"
"tom"
"venture"
]; ];
rootMachines = [ rootMachines = [
[ "sleipner" "pvv-salt" ] [ "ameno" "pvv-dns" ]
[ "balduzius" "pvv-krb" ] [ "balduzius" "pvv-krb" ]
[ "innovation" "pvv-minecraft" ] [ "innovation" "pvv-minecraft" ]
"ludvigsen"
[ "principal" "pvv-backup" ]
[ "skrott" "dibbler" ]
[ "sleipner" "pvv-salt" ]
]; ];
# Either( String [String] AttrSet{String} ) -> AttrSet{String} # Either( String [String] AttrSet{String} ) -> AttrSet{String}

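--- /dev/null
+++ b/home/programs/waybar.nix
@@ -0,0 +1,239 @@
+{ config, pkgs, lib, ... }:
+let
+cfg = config.programs.waybar;
+cfgs = cfg.settings.mainBar;
+in
+{
+programs.waybar = {
+enable = true;
+systemd.enable = true;
+settings = {
+mainBar = {
+layer = "top";
+position = "top";
+height = 30;
+# TODO: configure this per machine
+output = [ "DP-2" ];
+modules-left = [ "hyprland/workspaces" ];
+modules-center = [ "clock" ];
+modules-right = [ "mpd" "cpu" "memory" "wireplumber" "pulseaudio/slider" "tray" ];
+"hyprland/workspaces" = {
+all-outputs = true;
+disable-scroll = true;
+persistent-workspaces = {
+${lib.head cfgs.output} = [ 1 2 3 4 5 6 7 8 ];
+};
+};
+"mpd" = {
+format = "(unknown)";
+};
+"cpu" = {
+format = "[#] {usage}%";
+};
+"memory" = {
+format = "{used}/{total}Gb";
+};
+"wireplumber" = {
+format = "{volume}% {icon}";
+format-muted = "[M]";
+};
+"pulseaudio/slider" = {
+orientation = "horizontal";
+};
+"tray" = {
+icon-size = 20;
+spacing = 8;
+};
+};
+};
+style = let
+c = config.colors.defaultColorSet;
+in ''
+* {
+font-family: FiraCode, FontAwesome, Roboto, Helvetica, Arial, sans-serif;
+font-size: 13px;
+}
+window#waybar {
+background-color: ${c.background};
+color: ${c.foreground};
+}
+#pulseaudio-slider trough {
+min-height: 10px;
+min-width: 100px;
+}
+/**** DEFAULT ****/
+window#waybar.hidden {
+opacity: 0.2;
+}
+button {
+/* Use box-shadow instead of border so the text isn't offset */
+box-shadow: inset 0 -3px transparent;
+/* Avoid rounded borders under each button name */
+border: none;
+border-radius: 0;
+}
+/* https://github.com/Alexays/Waybar/wiki/FAQ#the-workspace-buttons-have-a-strange-hover-effect */
+button:hover {
+background: inherit;
+box-shadow: inset 0 -3px #ffffff;
+}
+#workspaces button.empty {
+color: ${c.yellow};
+}
+#workspaces button {
+padding: 0 5px;
+color: ${c.magenta};
+background-color: transparent;
+}
+#workspaces button.visible {
+color: ${c.green};
+}
+#workspaces button.urgent {
+background-color: ${c.red};
+}
+#workspaces button:hover {
+background: rgba(0, 0, 0, 0.2);
+}
+#mode {
+background-color: #64727D;
+box-shadow: inset 0 -3px #ffffff;
+}
+#clock,
+#battery,
+#cpu,
+#memory,
+#disk,
+#temperature,
+#backlight,
+#network,
+#pulseaudio,
+#wireplumber,
+#custom-media,
+#tray,
+#mode,
+#idle_inhibitor,
+#scratchpad,
+#power-profiles-daemon,
+#mpd {
+padding: 0 10px;
+color: ${c.foreground};
+}
+#window,
+#workspaces {
+margin: 0 4px;
+}
+/* If workspaces is the leftmost module, omit left margin */
+.modules-left > widget:first-child > #workspaces {
+margin-left: 0;
+}
+/* If workspaces is the rightmost module, omit right margin */
+.modules-right > widget:last-child > #workspaces {
+margin-right: 0;
+}
+#clock {
+background-color: #64727D;
+}
+#cpu {
+background-color: ${c.cyan};
+color: #000000;
+}
+#memory {
+background-color: ${c.yellow};
+color: #000000;
+}
+#network {
+background-color: #2980b9;
+}
+#network.disconnected {
+background-color: #f53c3c;
+}
+#pulseaudio {
+background-color: #f1c40f;
+color: #000000;
+}
+#pulseaudio.muted {
+background-color: #90b1b1;
+color: #2a5c45;
+}
+#wireplumber {
+background-color: #fff0f5;
+color: #000000;
+}
+#wireplumber.muted {
+background-color: #f53c3c;
+}
+#tray {
+background-color: #2980b9;
+}
+#tray > .passive {
+-gtk-icon-effect: dim;
+}
+#tray > .needs-attention {
+-gtk-icon-effect: highlight;
+background-color: #eb4d4b;
+}
+#mpd {
+background-color: #66cc99;
+color: #2a5c45;
+}
+#mpd.disconnected {
+background-color: #f53c3c;
+}
+#mpd.stopped {
+background-color: #90b1b1;
+}
+#mpd.paused {
+background-color: #51a37a;
+}
+'';
+# background-color: rgba(0,0,0,0);
+# border-bottom: 3px solid rgba(100, 114, 125, 0.5);
+#style = ''
+#'';
+};
+}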
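Review bot: `${lib.head cfgs.output}` reads `output` back through `config.programs.waybar.settings.mainBar`, so once the `# TODO: configure this per machine` is resolved and a host leaves `output` unset or empty, `persistent-workspaces` evaluates `lib.head` on an empty list and the whole home configuration fails to evaluate. Bind the list once in the `let` (`outputs = [ "DP-2" ];`) and use it for both `output = outputs;` and the `persistent-workspaces` key, which also removes the self-reference through `config`. The `"mpd".format = "(unknown)"` entry displays a fixed string; a one-line comment on what the module is meant to show would help the next reader.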


@ -1,6 +1,6 @@
{ config, pkgs, lib, ... }: { config, pkgs, unstable-pkgs, lib, ... }:
{ {
home.packages = with pkgs; [ zed-editor ]; home.packages = with unstable-pkgs; [ zed-editor ];
xdg.configFile."zed/settings.json".source = let xdg.configFile."zed/settings.json".source = let
format = pkgs.formats.json { }; format = pkgs.formats.json { };


@ -13,9 +13,9 @@
class = "Dunst"; class = "Dunst";
browser = "${pkgs.xdg-utils}/bin/xdg-open"; browser = "${pkgs.xdg-utils}/bin/xdg-open";
offset = let # offset = let
status-bar-height = config.services.polybar.settings."bar/top".height; # status-bar-height = config.services.polybar.settings."bar/top".height;
in "15x${toString (status-bar-height + 10)}"; # in "15x${toString (status-bar-height + 10)}";
corner_radius = 0; corner_radius = 0;
font = "Droid Sans 9"; font = "Droid Sans 9";


@ -12,7 +12,9 @@ in {
./programs/ssh.nix ./programs/ssh.nix
./programs/usbtop.nix ./programs/usbtop.nix
./services/cups.nix
./services/dbus.nix ./services/dbus.nix
./services/logrotate.nix
./services/openssh.nix ./services/openssh.nix
./services/pcscd.nix ./services/pcscd.nix
./services/pipewire.nix ./services/pipewire.nix
@ -130,8 +132,6 @@ in {
}; };
irqbalance.enable = true; irqbalance.enable = true;
displayManager.defaultSession = "none+xmonad";
}; };
programs = { programs = {
@ -139,6 +139,7 @@ in {
git.enable = true; git.enable = true;
tmux.enable = true; tmux.enable = true;
zsh.enable = true; zsh.enable = true;
hyprland.enable = true;
}; };
system.extraDependencies = system.extraDependencies =


@ -0,0 +1,71 @@
{ config, lib, ... }:
{
systemd.services = lib.mkIf config.services.printing.enable {
cups.serviceConfig = {
PrivateTmp = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectClock= true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
PrivateDevices = true;
NoNewPrivileges = true;
# User =
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
DevicePolicy = "closed";
KeyringMode = "private";
LockPersonality = true;
MemoryDenyWriteExecute = true;
PrivateUsers = true;
RemoveIPC = true;
# RestrictAddressFamilies = [ "" ];
RestrictNamespaces=true;
RestrictRealtime=true;
RestrictSUIDSGID=true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
UMask = "0077";
};
cups-browsed.serviceConfig = {
PrivateTmp = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectClock= true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
PrivateDevices = true;
NoNewPrivileges = true;
# User =
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
DevicePolicy = "closed";
KeyringMode = "private";
LockPersonality = true;
MemoryDenyWriteExecute = true;
PrivateUsers = true;
RemoveIPC = true;
# RestrictAddressFamilies = [ "" ];
RestrictNamespaces=true;
RestrictRealtime=true;
RestrictSUIDSGID=true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
UMask = "0077";
};
};
}
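Review bot: `CapabilityBoundingSet = [ "" ]` together with `PrivateUsers = true` and `NoNewPrivileges = true` leaves cupsd with no capabilities at all; the daemon normally starts as root, binds port 631 and switches to the lp user for filters and backends, each of which needs a capability this set removes (CAP_NET_BIND_SERVICE, CAP_SETUID/CAP_SETGID), so the unit is likely to fail at bind time or on the first job — verify on a host with `services.printing.enable` before relying on it. `PrivateDevices = true` with `DevicePolicy = "closed"` also hides /dev/bus/usb, which matters for locally attached USB printers. `ProtectSystem = "strict"` is declared with no `ReadWritePaths`/`StateDirectory`, so unless the NixOS cups module already grants them the spool and state directories become read-only. The two `serviceConfig` attrsets are identical; hoist them into `let hardening = { … }; in` and assign `cups.serviceConfig = hardening; cups-browsed.serviceConfig = hardening;`, which also fixes the inconsistent `ProtectClock= true` / `RestrictNamespaces=true` spacing in one place.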


@ -0,0 +1,42 @@
{ ... }:
{
# source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
systemd.services.logrotate = {
documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
unitConfig.RequiresMountsFor = "/var/log";
serviceConfig = {
Nice = 19;
IOSchedulingClass = "best-effort";
IOSchedulingPriority = 7;
ReadWritePaths = [ "/var/log" ];
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true; # disable for third party rotate scripts
PrivateDevices = true;
PrivateNetwork = true; # disable for mail delivery
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true; # disable for userdir logs
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "full";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true; # disable for creating setgid directories
SocketBindDeny = [ "any" ];
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
];
};
};
}
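Review bot: `ReadWritePaths = [ "/var/log" ]` provides no confinement next to `ProtectSystem = "full"`, because that mode only makes /usr, /boot, /efi and /etc read-only and /var stays writable anyway; either switch to `ProtectSystem = "strict";` so the allow-list actually limits writes to /var/log, or drop the line so the unit does not suggest a restriction it does not apply. Which is right depends on whether any rotate hooks write outside /var/log, which this hunk does not show. The `# source:` comment at the top is useful; one more line saying that `PrivateNetwork`, `ProtectHome` and `RestrictSUIDSGID` were kept at the upstream values deliberately would save the next reader from re-deriving that from the inline hints.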


@ -1,5 +1,14 @@
{ config, ... }: { config, ... }:
{ {
services.displayManager = {
enable = true;
defaultSession = "none+xmonad";
sddm = {
enable = !config.machineVars.headless;
wayland.enable = true;
};
};
services.xserver = { services.xserver = {
enable = !config.machineVars.headless; enable = !config.machineVars.headless;
@ -13,13 +22,15 @@
# xfce.enable = !config.machineVars.headless; # xfce.enable = !config.machineVars.headless;
# }; # };
displayManager.lightdm.enable = !config.machineVars.headless; # displayManager.lightdm.enable = !config.machineVars.headless;
windowManager.xmonad = { windowManager.xmonad = {
enable = true; enable = true;
enableContribAndExtras = true; enableContribAndExtras = true;
enableConfiguredRecompile = true; enableConfiguredRecompile = true;
extraPackages = hPkgs: with hPkgs; [ dbus ]; extraPackages = hPkgs: with hPkgs; [
dbus
];
}; };
}; };
} }
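Review bot: `services.displayManager.enable = true` is unconditional while `sddm.enable` and `services.xserver.enable` are both gated on `!config.machineVars.headless`, so a headless machine now enables the display-manager layer with no greeter behind it; gate it the same way, `enable = !config.machineVars.headless;`, or drop the explicit line if enabling sddm already implies it in the module version in use (not visible here). The old `displayManager.lightdm.enable` line is kept as a comment rather than removed; git history already carries it, and the commented line is easy to mistake for active config.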


@ -0,0 +1,19 @@
{ ... }:
{
# TODO: Reproducible certificates
services.journald.remote = {
enable = true;
settings.Remote = {
# ServerKeyFile = "/run/credentials/systemd-journald-remote.service/key.pem";
# ServerCertificateFile = "/run/credentials/systemd-journald-remote.service/.pem";
ServerKeyFile = "/etc/journald-remote-certs/key.pem";
ServerCertificateFile = "/etc/journald-remote-certs/cert.pem";
TrustedCertificateFile = "-";
};
};
# systemd.services.systemd-journal-remote.serviceConfig.LoadCredential = [
# "key.pem:/etc/journald-remote-certs/key.pem"
# "cert.pem:/etc/journald-remote-certs/cert.pem"
# ];
}
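Review bot: `TrustedCertificateFile = "-"` disables client-certificate verification on the receiver, so anything that can reach the systemd-journal-remote listener can push arbitrary entries into this host's central journal; with the `# TODO: Reproducible certificates` still open, pointing it at the CA that signs the uploaders' client certificates is the control that keeps the collected logs trustworthy. The key is read straight from `/etc/journald-remote-certs/key.pem`, which means its on-disk permissions must admit the service user; the commented `LoadCredential` block is the better shape since the credential is handed to the unit at a private path, and note the commented `ServerCertificateFile` under /run/credentials is missing its filename (`/.pem`). If the firewall rule for the listener port is not declared elsewhere, it belongs next to this service so the exposure is reviewed together with the authentication setting.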


@ -5,6 +5,7 @@
./services/avahi.nix ./services/avahi.nix
./services/docker.nix ./services/docker.nix
./services/journald-remote.nix
]; ];
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;


@ -0,0 +1,14 @@
{ ... }:
{
services.journald.upload = {
enable = true;
settings.Upload = {
URL = "https://10.250.14.105:19532";
# ServerKeyFile = toString ./key.pem;
# ServerCertificateFile = toString ./cert.pem;
ServerKeyFile = "-";
ServerCertificateFile = "-";
TrustedCertificateFile = "-";
};
};
}
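Review bot: `TrustedCertificateFile = "-"` disables verification of the server certificate, so the `https://10.250.14.105:19532` URL gives transport encryption but no authentication of the endpoint — whoever answers at that address receives the journal — and `ServerKeyFile`/`ServerCertificateFile` set to `"-"` means the uploader presents no client certificate either. The commented `toString ./key.pem` lines would copy the private key into the world-readable Nix store, so that is not the fix; hand the key to the unit via `systemd.services.systemd-journal-upload.serviceConfig.LoadCredential` and set `TrustedCertificateFile` to the CA that issued the receiver's certificate. Until then a one-line comment stating that the link is deliberately unauthenticated would stop a reader from assuming the https scheme implies verification.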


@ -13,6 +13,8 @@
system.stateVersion = "22.05"; system.stateVersion = "22.05";
security.pam.services.hyprlock = {};
boot.binfmt.emulatedSystems = [ boot.binfmt.emulatedSystems = [
"x86_64-windows" "x86_64-windows"
"aarch64-linux" "aarch64-linux"
@ -74,7 +76,7 @@
services = { services = {
openssh = { openssh = {
enable = true; enable = true;
settings.X11Forwarding = true; # settings.X11Forwarding = true;
}; };
xserver.videoDrivers = [ "amdgpu" ]; xserver.videoDrivers = [ "amdgpu" ];
tailscale.enable = true; tailscale.enable = true;
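Review bot: `security.pam.services.hyprlock = {};` is declared only in this host's configuration while `programs.hyprland.enable = true;` and the home-manager `./programs/hyprland.nix` import live in the shared defaults, so any other host that picks up the shared config will start hyprlock but fail every password attempt at the PAM stage, which on a locked screen looks like a lockout. Move the PAM declaration next to `hyprland.enable = true;` in the shared programs block, unless the NixOS hyprland module version in use already provides it — the hunk does not show that. Commenting out `settings.X11Forwarding` is a good surface reduction; a short comment on why it was turned off would keep it from being re-enabled by habit.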


@ -0,0 +1,20 @@
final: prev: let
inherit (prev) lib;
wrapWithWaylandIMEFlag = pkg: let
binaryName = lib.removePrefix "${lib.getBin pkg}/bin/" (lib.getExe pkg);
in pkg.overrideAttrs (prev': {
postInstall = (prev'.postInstall or "") + ''
wrapProgram "$out/bin/${binaryName}" \
--add-flags "--enable-wayland-ime"
'';
});
programList = [
"element-desktop"
"vscode"
"chromium"
"discord"
];
in
lib.genAttrs programList (name: wrapWithWaylandIMEFlag prev.${name})
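Review bot: `wrapProgram` in the appended `postInstall` requires `makeWrapper` in the derivation's `nativeBuildInputs`; the override does not add it, so for any of the four packages that does not already use makeWrapper the rebuild fails with a missing command, and for those whose `$out/bin/<name>` is already a wrapper script the flag ends up nested inside a second wrapper. Add `nativeBuildInputs = (prev'.nativeBuildInputs or [ ]) ++ [ prev.makeWrapper ];` to the `overrideAttrs` attrset. `lib.getExe` also relies on `meta.mainProgram` being set (or the package name matching a binary), so `binaryName` should carry a comment saying so, and the overlay has no header at all; `# Adds --enable-wayland-ime to Electron/Chromium apps so fcitx5 works under Wayland` would state the purpose.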