oysteikt/nix-dotfiles
oysteikt
/
nix-dotfiles
2
1
Fork 0
Code Issues Pull Requests Activity

Compare commits

base: oysteikt:a4cc770a08fbd7c8b255c6137ae52f60208a5a2e
Branches Tags
oysteikt:main
oysteikt:home-wayland-migration
oysteikt:cleanup-x11-xmonad-environment
oysteikt:setup-ra-multiplexer
..
compare: oysteikt:2b8a661288921e34c2e249ef38989df1b614ccdf
Branches Tags
oysteikt:main
oysteikt:home-wayland-migration
oysteikt:cleanup-x11-xmonad-environment
oysteikt:setup-ra-multiplexer

No commits in common. "a4cc770a08fbd7c8b255c6137ae52f60208a5a2e" and "2b8a661288921e34c2e249ef38989df1b614ccdf" have entirely different histories.
a4cc770a08 ... 2b8a661288

15 changed files with 169 additions and 218 deletions
Show Stats Expand all files Collapse all files

31
flake.nix
View File

@ -1,11 +1,10 @@
{ {
inputs = { inputs = {
nixpkgs.url = "nixpkgs/nixos-24.11"; nixpkgs.url = "nixpkgs/nixos-24.05";
# nixpkgs-unstable.url = "nixpkgs/nixpkgs-unstable"; nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/master";
home-manager = { home-manager = {
url = "github:nix-community/home-manager/release-24.11"; url = "github:nix-community/home-manager/release-24.05";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
@ -88,7 +87,7 @@
android_sdk.accept_license = true; android_sdk.accept_license = true;
segger-jlink.acceptLicense = true; segger-jlink.acceptLicense = true;
permittedInsecurePackages = [ permittedInsecurePackages = [
"segger-jlink-qt4-796s" "segger-jlink-qt4-794l"
]; ];
}; };
@ -98,16 +97,32 @@
config.allowUnfree = true; config.allowUnfree = true;
config.segger-jlink.acceptLicense = true; config.segger-jlink.acceptLicense = true;
config.permittedInsecurePackages = [ config.permittedInsecurePackages = [
"segger-jlink-qt4-796s" "segger-jlink-qt4-794s"
]; ];
}; };
in [ in [
(self: super: { (self: super: {
inherit (nonrecursive-unstable-pkgs) inherit (nonrecursive-unstable-pkgs)
calibre atuin
fcitx5-mozc wstunnel
nrf-udev
nrfutil
gpclient
gpauth
; ;
}) })
# https://github.com/NixOS/nixpkgs/pull/251706
(self: super: {
mozc = self.qt6Packages.callPackage ./package-overrides/mozc.nix { };
fcitx5-mozc = self.callPackage ./package-overrides/fcitx5-mozc.nix { };
})
(self: super: {
mpv-unwrapped = super.mpv-unwrapped.override {
ffmpeg = super.ffmpeg_6-full;
};
})
]; ];
}; };

2
home/home.nix
View File

@ -25,7 +25,7 @@ in {
./programs/ssh ./programs/ssh
./programs/tealdeer ./programs/tealdeer
./programs/thunderbird.nix ./programs/thunderbird.nix
./programs/tmux ./programs/tmux.nix
./programs/zsh ./programs/zsh
./services/nix-channel-update.nix ./services/nix-channel-update.nix

4
home/packages.nix
View File

@ -91,8 +91,8 @@
geogebra geogebra
ghidra ghidra
gimp gimp
gnome-font-viewer gnome.gnome-font-viewer
seahorse gnome.seahorse
google-chrome google-chrome
imhex imhex
inkscape inkscape

4
home/programs/alacritty.nix
View File

@ -43,9 +43,9 @@
duration = 20; duration = 20;
}; };
general.live_config_reload = true; live_config_reload = true;
terminal.shell = { shell = {
program = "${pkgs.zsh}/bin/zsh"; program = "${pkgs.zsh}/bin/zsh";
args = [ "--login" ]; args = [ "--login" ];
}; };

54
home/programs/neovim/default.nix
View File

@ -66,59 +66,25 @@
} }
limelight-vim limelight-vim
vim-tmux-navigator vim-tmux-navigator
# vim-polyglot vim-polyglot
lightline-vim lightline-vim
vim-better-whitespace
{ {
plugin = nvim-treesitter.withAllGrammars; plugin = rainbow;
config = '' config = ''
packadd! nvim-treesitter let g:rainbow_active = 1
lua << EOF
require'nvim-treesitter.configs'.setup {
highlight = {
enable = true,
},
}
EOF
'';
}
{
plugin = rainbow-delimiters-nvim;
config = ''
lua << EOF
local rainbow_delimiters = require 'rainbow-delimiters'
vim.g.rainbow_delimiters = {
["highlight"] = {
'RainbowDelimiterRed',
'RainbowDelimiterYellow',
'RainbowDelimiterBlue',
'RainbowDelimiterGreen',
'RainbowDelimiterViolet',
'RainbowDelimiterCyan',
},
}
EOF
''; '';
} }
{ {
plugin = vim-monokai; plugin = vim-monokai;
config = '' config = ''
colorscheme monokai colorscheme monokai
autocmd ColorScheme * highlight Normal ctermbg=0
autocmd ColorScheme monokai highlight Normal ctermbg=0 autocmd ColorScheme * highlight LineNr ctermbg=0
autocmd ColorScheme monokai highlight LineNr ctermbg=0 autocmd ColorScheme * highlight CursorLineNR ctermbg=0 ctermfg=208
autocmd ColorScheme monokai highlight CursorLineNR ctermbg=0 ctermfg=208 autocmd ColorScheme * highlight SignColumn ctermbg=0
autocmd ColorScheme monokai highlight SignColumn ctermbg=0 autocmd ColorScheme * highlight GitGutterAdd ctermbg=0
autocmd ColorScheme monokai highlight GitGutterAdd ctermbg=0 autocmd ColorScheme * highlight GitGutterChange ctermbg=0
autocmd ColorScheme monokai highlight GitGutterChange ctermbg=0 autocmd ColorScheme * highlight GitGutterDelete ctermbg=0
autocmd ColorScheme monokai highlight GitGutterDelete ctermbg=0
autocmd ColorScheme monokai highlight RainbowDelimiterRed { fg = g:terminal_color_9 }
autocmd ColorScheme monokai highlight RainbowDelimiterYellow { fg = g:terminal_color_11 }
autocmd ColorScheme monokai highlight RainbowDelimiterBlue { fg = g:terminal_color_12 }
autocmd ColorScheme monokai highlight RainbowDelimiterGreen { fg = g:terminal_color_10 }
autocmd ColorScheme monokai highlight RainbowDelimiterViolet { fg = g:terminal_color_13 }
autocmd ColorScheme monokai highlight RainbowDelimiterCyan { fg = g:terminal_color_14 }
''; '';
} }
]; ];

26
home/programs/tmux/default.nix → home/programs/tmux.nix
View File

@ -1,4 +1,4 @@
{ pkgs, lib, ... }: {pkgs, ...}:
{ {
programs.tmux = { programs.tmux = {
enable = true; enable = true;
@ -19,25 +19,7 @@
tmux-fzf tmux-fzf
urlview urlview
]; ];
extraConfig = let extraConfig = ''
fileContentsWithoutShebang = script: lib.pipe script [
lib.fileContents
(lib.splitString "\n")
(lib.drop 3) # remove shebang
(lib.concatStringsSep "\n")
];
fcitx5-status = (pkgs.writeShellApplication {
name = "tmux-fcitx5-status";
runtimeInputs = with pkgs; [ dbus ];
text = fileContentsWithoutShebang ./scripts/fcitx5-status.sh;
});
mpd-status = (pkgs.writeShellApplication {
name = "tmux-mpd-status";
runtimeInputs = with pkgs; [ mpc-cli gawk gnugrep ];
text = fileContentsWithoutShebang ./scripts/mpd-status.sh;
});
in ''
# Don't rename windows automatically after rename with ',' # Don't rename windows automatically after rename with ','
set-option -g allow-rename off set-option -g allow-rename off
@ -109,8 +91,8 @@
### DESIGN CHANGES ### ### DESIGN CHANGES ###
###################### ######################
set-option -g status-left '#{prefix_highlight} #[bg=blue]#[fg=black,bold] ###S #[bg=default] #[fg=green]#(${lib.getExe fcitx5-status}) #[fg=red]%H:%M ' set-option -g status-left '#{prefix_highlight} #[bg=blue]#[fg=black,bold] ###S #[bg=default] #[fg=green]#(~/.scripts/tmux/fcitx) #[fg=red]%H:%M '
set-option -g status-right '#[fg=red]#(${lib.getExe mpd-status})' set-option -g status-right '#[fg=red]#(~/.scripts/tmux/mpd)'
set-window-option -g window-status-current-style fg=magenta set-window-option -g window-status-current-style fg=magenta
set-option -g status-style 'bg=black fg=default' set-option -g status-style 'bg=black fg=default'
set-option -g default-shell '${pkgs.zsh}/bin/zsh' set-option -g default-shell '${pkgs.zsh}/bin/zsh'

26
home/programs/tmux/scripts/fcitx5-status.sh
View File

@ -1,26 +0,0 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p dbus
printState() {
STATUS=$(dbus-send --session --print-reply=literal --dest='org.fcitx.Fcitx5' '/controller' 'org.fcitx.Fcitx.Controller1.CurrentInputMethod' | tr -d '[:space:]')
case $STATUS in
keyboard-us)
echo 'US'
;;
keyboard-no)
echo 'NO'
;;
mozc)
echo '日本語'
;;
*)
echo "$STATUS?"
;;
esac
}
while :; do
printState
sleep 1
done

29
home/programs/tmux/scripts/mpd-status.sh
View File

@ -1,29 +0,0 @@
#!/usr/bin/env nix-shell
#!nix-shell -i sh -p mpc-cli gawk gnugrep
while true; do
MPC_OUTPUT=$(mpc --format '[[%artist% - ]%title%]|[%file%]')
TITLE=$(head -n 1 <<<"$MPC_OUTPUT")
if [ ${#TITLE} -gt 60 ]; then
TITLE=$(awk '{print substr($0,0,57) "..."}' <<<"$TITLE")
fi
LINE2=$(head -n 2 <<<"$MPC_OUTPUT" | tail -n 1)
PLAY_STATUS_RAW=$(awk '{print $1}' <<<"$LINE2")
if [ "$PLAY_STATUS_RAW" == "[playing]" ]; then
PLAY_STATUS="▶"
elif [ "$PLAY_STATUS_RAW" == "[paused]" ]; then
PLAY_STATUS="⏸"
else
PLAY_STATUS="??"
fi
TIME=$(awk '{print $3}' <<<"$LINE2")
echo -e "$PLAY_STATUS $TITLE | [$TIME]"
sleep 1
done

2
home/services/dunst.nix
View File

@ -3,7 +3,7 @@
services.dunst = { services.dunst = {
enable = true; enable = true;
iconTheme = { iconTheme = {
package = pkgs.adwaita-icon-theme; package = pkgs.gnome.adwaita-icon-theme;
name = "Adwaita"; name = "Adwaita";
size = "32x32"; size = "32x32";
}; };

6
home/services/sxhkd.nix
View File

@ -22,11 +22,11 @@ in
# Volume # Volume
"super + {@F7,@F8}" = "${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 2%{-,+}"; "super + {@F7,@F8}" = "${pkgs.alsaUtils}/bin/amixer set Master 2%{-,+}";
"{XF86AudioLowerVolume,XF86AudioRaiseVolume}" = "${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 2%{-,+}"; "{XF86AudioLowerVolume,XF86AudioRaiseVolume}" = "${pkgs.alsaUtils}/bin/amixer set Master 2%{-,+}";
"XF86AudioMute" = "${pkgs.wireplumber}/bin/wpctl set-mute toggle"; "XF86AudioMute" = "${pkgs.pulseaudio}/bin/pactl set-sink-mute @DEFAULT_SINK@ toggle";
# Music # Music

4
hosts/common/default.nix
View File

@ -12,7 +12,9 @@ in {
./programs/ssh.nix ./programs/ssh.nix
./programs/usbtop.nix ./programs/usbtop.nix
./services/cups.nix
./services/dbus.nix ./services/dbus.nix
./services/logrotate.nix
./services/openssh.nix ./services/openssh.nix
./services/pcscd.nix ./services/pcscd.nix
./services/pipewire.nix ./services/pipewire.nix
@ -23,8 +25,6 @@ in {
./services/xserver.nix ./services/xserver.nix
]; ];
systemd.enableStrictShellChecks = true;
sops.defaultSopsFile = ./../.. + "/secrets/${config.networking.hostName}.yaml"; sops.defaultSopsFile = ./../.. + "/secrets/${config.networking.hostName}.yaml";
time.timeZone = "Europe/Oslo"; time.timeZone = "Europe/Oslo";

71
hosts/common/services/cups.nix Normal file
View File

@ -0,0 +1,71 @@
{ config, lib, ... }:
{
systemd.services = lib.mkIf config.services.printing.enable {
cups.serviceConfig = {
PrivateTmp = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectClock= true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
PrivateDevices = true;
NoNewPrivileges = true;
# User =
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
DevicePolicy = "closed";
KeyringMode = "private";
LockPersonality = true;
MemoryDenyWriteExecute = true;
PrivateUsers = true;
RemoveIPC = true;
# RestrictAddressFamilies = [ "" ];
RestrictNamespaces=true;
RestrictRealtime=true;
RestrictSUIDSGID=true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
UMask = "0077";
};
cups-browsed.serviceConfig = {
PrivateTmp = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectClock= true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
PrivateDevices = true;
NoNewPrivileges = true;
# User =
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
DevicePolicy = "closed";
KeyringMode = "private";
LockPersonality = true;
MemoryDenyWriteExecute = true;
PrivateUsers = true;
RemoveIPC = true;
# RestrictAddressFamilies = [ "" ];
RestrictNamespaces=true;
RestrictRealtime=true;
RestrictSUIDSGID=true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
UMask = "0077";
};
};
}

42
hosts/common/services/logrotate.nix Normal file
View File

@ -0,0 +1,42 @@
{ ... }:
{
# source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
systemd.services.logrotate = {
documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
unitConfig.RequiresMountsFor = "/var/log";
serviceConfig = {
Nice = 19;
IOSchedulingClass = "best-effort";
IOSchedulingPriority = 7;
ReadWritePaths = [ "/var/log" ];
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true; # disable for third party rotate scripts
PrivateDevices = true;
PrivateNetwork = true; # disable for mail delivery
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true; # disable for userdir logs
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "full";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true; # disable for creating setgid directories
SocketBindDeny = [ "any" ];
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
];
};
};
}

77
hosts/common/services/printing.nix
View File

@ -1,77 +1,4 @@
{ config, lib, ... }: { config, ... }:
let
cfg = config.services.printing;
in
{ {
# services.printing.enable = !config.machineVars.headless; services.printing.enable = !config.machineVars.headless;
services.printing.enable = false;
systemd.services = lib.mkIf cfg.enable {
cups.serviceConfig = {
PrivateTmp = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectClock= true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
PrivateDevices = true;
NoNewPrivileges = true;
# User =
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
DevicePolicy = "closed";
KeyringMode = "private";
LockPersonality = true;
MemoryDenyWriteExecute = true;
PrivateUsers = true;
RemoveIPC = true;
# RestrictAddressFamilies = [ "" ];
RestrictNamespaces=true;
RestrictRealtime=true;
RestrictSUIDSGID=true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
UMask = "0077";
};
cups-browsed.serviceConfig = lib.mkIf cfg.enable {
PrivateTmp = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectClock= true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
PrivateDevices = true;
NoNewPrivileges = true;
# User =
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
DevicePolicy = "closed";
KeyringMode = "private";
LockPersonality = true;
MemoryDenyWriteExecute = true;
PrivateUsers = true;
RemoveIPC = true;
# RestrictAddressFamilies = [ "" ];
RestrictNamespaces=true;
RestrictRealtime=true;
RestrictSUIDSGID=true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
UMask = "0077";
};
};
} }

9
hosts/dosei/configuration.nix
View File

@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: { config, pkgs, ... }:
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
@ -77,11 +77,14 @@
fstrim.enable = true; fstrim.enable = true;
}; };
nix.buildMachines = lib.mkForce [ ];
hardware = { hardware = {
bluetooth.enable = true; bluetooth.enable = true;
enableRedistributableFirmware = true; enableRedistributableFirmware = true;
keyboard.zsa.enable = true; keyboard.zsa.enable = true;
opengl = {
enable = true;
driSupport = true;
driSupport32Bit = true;
};
}; };
} }