Compare commits
No commits in common. "a4cc770a08fbd7c8b255c6137ae52f60208a5a2e" and "2b8a661288921e34c2e249ef38989df1b614ccdf" have entirely different histories.
a4cc770a08
...
2b8a661288
31
flake.nix
31
flake.nix
|
@ -1,11 +1,10 @@
|
|||
{
|
||||
inputs = {
|
||||
nixpkgs.url = "nixpkgs/nixos-24.11";
|
||||
# nixpkgs-unstable.url = "nixpkgs/nixpkgs-unstable";
|
||||
nixpkgs-unstable.url = "github:NixOS/nixpkgs/master";
|
||||
nixpkgs.url = "nixpkgs/nixos-24.05";
|
||||
nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
|
||||
|
||||
home-manager = {
|
||||
url = "github:nix-community/home-manager/release-24.11";
|
||||
url = "github:nix-community/home-manager/release-24.05";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
|
||||
|
@ -88,7 +87,7 @@
|
|||
android_sdk.accept_license = true;
|
||||
segger-jlink.acceptLicense = true;
|
||||
permittedInsecurePackages = [
|
||||
"segger-jlink-qt4-796s"
|
||||
"segger-jlink-qt4-794l"
|
||||
];
|
||||
};
|
||||
|
||||
|
@ -98,16 +97,32 @@
|
|||
config.allowUnfree = true;
|
||||
config.segger-jlink.acceptLicense = true;
|
||||
config.permittedInsecurePackages = [
|
||||
"segger-jlink-qt4-796s"
|
||||
"segger-jlink-qt4-794s"
|
||||
];
|
||||
};
|
||||
in [
|
||||
(self: super: {
|
||||
inherit (nonrecursive-unstable-pkgs)
|
||||
calibre
|
||||
fcitx5-mozc
|
||||
atuin
|
||||
wstunnel
|
||||
nrf-udev
|
||||
nrfutil
|
||||
gpclient
|
||||
gpauth
|
||||
;
|
||||
})
|
||||
|
||||
# https://github.com/NixOS/nixpkgs/pull/251706
|
||||
(self: super: {
|
||||
mozc = self.qt6Packages.callPackage ./package-overrides/mozc.nix { };
|
||||
fcitx5-mozc = self.callPackage ./package-overrides/fcitx5-mozc.nix { };
|
||||
})
|
||||
|
||||
(self: super: {
|
||||
mpv-unwrapped = super.mpv-unwrapped.override {
|
||||
ffmpeg = super.ffmpeg_6-full;
|
||||
};
|
||||
})
|
||||
];
|
||||
};
|
||||
|
||||
|
|
|
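Review bot: The two `permittedInsecurePackages` allow-lists on the `nixos-24.05` side disagree on the package name: `segger-jlink-qt4-794l` in the first `nixpkgs.config` block and `segger-jlink-qt4-794s` in the second (the +/- markers are lost, so the side is inferred from the hunk line counts). Nixpkgs matches these strings against the exact derivation name, so at least one of the two blocks does not permit what it means to and evaluating that package will still be refused as insecure. Use one string in both places and add a comment beside it recording why the insecure build is accepted and when it can go, e.g. `# segger-jlink ships only a qt4 build; drop once nixpkgs has a newer one`. The overlay that `inherit`s `calibre`, `atuin`, `wstunnel`, `gpclient`, `gpauth` and the nrf tools from `nonrecursive-unstable-pkgs` would also benefit from a one-line reason per package, since every `flake.lock` bump of the unstable input moves all of them at once.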
@ -25,7 +25,7 @@ in {
|
|||
./programs/ssh
|
||||
./programs/tealdeer
|
||||
./programs/thunderbird.nix
|
||||
./programs/tmux
|
||||
./programs/tmux.nix
|
||||
./programs/zsh
|
||||
|
||||
./services/nix-channel-update.nix
|
||||
|
|
|
@ -91,8 +91,8 @@
|
|||
geogebra
|
||||
ghidra
|
||||
gimp
|
||||
gnome-font-viewer
|
||||
seahorse
|
||||
gnome.gnome-font-viewer
|
||||
gnome.seahorse
|
||||
google-chrome
|
||||
imhex
|
||||
inkscape
|
||||
|
|
|
@ -43,9 +43,9 @@
|
|||
duration = 20;
|
||||
};
|
||||
|
||||
general.live_config_reload = true;
|
||||
live_config_reload = true;
|
||||
|
||||
terminal.shell = {
|
||||
shell = {
|
||||
program = "${pkgs.zsh}/bin/zsh";
|
||||
args = [ "--login" ];
|
||||
};
|
||||
|
|
|
@ -66,59 +66,25 @@
|
|||
}
|
||||
limelight-vim
|
||||
vim-tmux-navigator
|
||||
# vim-polyglot
|
||||
vim-polyglot
|
||||
lightline-vim
|
||||
vim-better-whitespace
|
||||
{
|
||||
plugin = nvim-treesitter.withAllGrammars;
|
||||
plugin = rainbow;
|
||||
config = ''
|
||||
packadd! nvim-treesitter
|
||||
lua << EOF
|
||||
require'nvim-treesitter.configs'.setup {
|
||||
highlight = {
|
||||
enable = true,
|
||||
},
|
||||
}
|
||||
EOF
|
||||
'';
|
||||
}
|
||||
{
|
||||
plugin = rainbow-delimiters-nvim;
|
||||
config = ''
|
||||
lua << EOF
|
||||
local rainbow_delimiters = require 'rainbow-delimiters'
|
||||
vim.g.rainbow_delimiters = {
|
||||
["highlight"] = {
|
||||
'RainbowDelimiterRed',
|
||||
'RainbowDelimiterYellow',
|
||||
'RainbowDelimiterBlue',
|
||||
'RainbowDelimiterGreen',
|
||||
'RainbowDelimiterViolet',
|
||||
'RainbowDelimiterCyan',
|
||||
},
|
||||
}
|
||||
EOF
|
||||
let g:rainbow_active = 1
|
||||
'';
|
||||
}
|
||||
{
|
||||
plugin = vim-monokai;
|
||||
config = ''
|
||||
colorscheme monokai
|
||||
|
||||
autocmd ColorScheme monokai highlight Normal ctermbg=0
|
||||
autocmd ColorScheme monokai highlight LineNr ctermbg=0
|
||||
autocmd ColorScheme monokai highlight CursorLineNR ctermbg=0 ctermfg=208
|
||||
autocmd ColorScheme monokai highlight SignColumn ctermbg=0
|
||||
autocmd ColorScheme monokai highlight GitGutterAdd ctermbg=0
|
||||
autocmd ColorScheme monokai highlight GitGutterChange ctermbg=0
|
||||
autocmd ColorScheme monokai highlight GitGutterDelete ctermbg=0
|
||||
|
||||
autocmd ColorScheme monokai highlight RainbowDelimiterRed { fg = g:terminal_color_9 }
|
||||
autocmd ColorScheme monokai highlight RainbowDelimiterYellow { fg = g:terminal_color_11 }
|
||||
autocmd ColorScheme monokai highlight RainbowDelimiterBlue { fg = g:terminal_color_12 }
|
||||
autocmd ColorScheme monokai highlight RainbowDelimiterGreen { fg = g:terminal_color_10 }
|
||||
autocmd ColorScheme monokai highlight RainbowDelimiterViolet { fg = g:terminal_color_13 }
|
||||
autocmd ColorScheme monokai highlight RainbowDelimiterCyan { fg = g:terminal_color_14 }
|
||||
autocmd ColorScheme * highlight Normal ctermbg=0
|
||||
autocmd ColorScheme * highlight LineNr ctermbg=0
|
||||
autocmd ColorScheme * highlight CursorLineNR ctermbg=0 ctermfg=208
|
||||
autocmd ColorScheme * highlight SignColumn ctermbg=0
|
||||
autocmd ColorScheme * highlight GitGutterAdd ctermbg=0
|
||||
autocmd ColorScheme * highlight GitGutterChange ctermbg=0
|
||||
autocmd ColorScheme * highlight GitGutterDelete ctermbg=0
|
||||
'';
|
||||
}
|
||||
];
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ pkgs, lib, ... }:
|
||||
{pkgs, ...}:
|
||||
{
|
||||
programs.tmux = {
|
||||
enable = true;
|
||||
|
@ -19,25 +19,7 @@
|
|||
tmux-fzf
|
||||
urlview
|
||||
];
|
||||
extraConfig = let
|
||||
fileContentsWithoutShebang = script: lib.pipe script [
|
||||
lib.fileContents
|
||||
(lib.splitString "\n")
|
||||
(lib.drop 3) # remove shebang
|
||||
(lib.concatStringsSep "\n")
|
||||
];
|
||||
|
||||
fcitx5-status = (pkgs.writeShellApplication {
|
||||
name = "tmux-fcitx5-status";
|
||||
runtimeInputs = with pkgs; [ dbus ];
|
||||
text = fileContentsWithoutShebang ./scripts/fcitx5-status.sh;
|
||||
});
|
||||
mpd-status = (pkgs.writeShellApplication {
|
||||
name = "tmux-mpd-status";
|
||||
runtimeInputs = with pkgs; [ mpc-cli gawk gnugrep ];
|
||||
text = fileContentsWithoutShebang ./scripts/mpd-status.sh;
|
||||
});
|
||||
in ''
|
||||
extraConfig = ''
|
||||
# Don't rename windows automatically after rename with ','
|
||||
set-option -g allow-rename off
|
||||
|
||||
|
@ -109,8 +91,8 @@
|
|||
### DESIGN CHANGES ###
|
||||
######################
|
||||
|
||||
set-option -g status-left '#{prefix_highlight} #[bg=blue]#[fg=black,bold] ###S #[bg=default] #[fg=green]#(${lib.getExe fcitx5-status}) #[fg=red]%H:%M '
|
||||
set-option -g status-right '#[fg=red]#(${lib.getExe mpd-status})'
|
||||
set-option -g status-left '#{prefix_highlight} #[bg=blue]#[fg=black,bold] ###S #[bg=default] #[fg=green]#(~/.scripts/tmux/fcitx) #[fg=red]%H:%M '
|
||||
set-option -g status-right '#[fg=red]#(~/.scripts/tmux/mpd)'
|
||||
set-window-option -g window-status-current-style fg=magenta
|
||||
set-option -g status-style 'bg=black fg=default'
|
||||
set-option -g default-shell '${pkgs.zsh}/bin/zsh'
|
|
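Review bot: The status line on the 7-line side of the `-19,25 +19,7` hunk executes `~/.scripts/tmux/fcitx` and `~/.scripts/tmux/mpd` from the home directory on every refresh, whereas the 25-line side builds the same helpers with `pkgs.writeShellApplication` (pinned `runtimeInputs`, shellcheck at build time) and references them through `${lib.getExe …}`; with the +/- markers lost, only the hunk counts say which side is new, and they point at the `~/.scripts` version. That makes the prompt depend on a mutable path nothing in this repository provisions: when the scripts are absent tmux spawns a failing process every second, and whatever can write to `~/.scripts` gets executed in every session. If the `~/.scripts` form is kept, document the contract above `extraConfig`, e.g. `# status-left/right call ~/.scripts/tmux/{fcitx,mpd}; these are deployed outside Nix`; otherwise keep the scripts in the repo and let home-manager place them (`home.file` or the `writeShellApplication` wrapper) so the path is store-backed.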
@ -1,26 +0,0 @@
|
|||
#!/usr/bin/env nix-shell
|
||||
#!nix-shell -i bash -p dbus
|
||||
|
||||
printState() {
|
||||
STATUS=$(dbus-send --session --print-reply=literal --dest='org.fcitx.Fcitx5' '/controller' 'org.fcitx.Fcitx.Controller1.CurrentInputMethod' | tr -d '[:space:]')
|
||||
|
||||
case $STATUS in
|
||||
keyboard-us)
|
||||
echo 'US'
|
||||
;;
|
||||
keyboard-no)
|
||||
echo 'NO'
|
||||
;;
|
||||
mozc)
|
||||
echo '日本語'
|
||||
;;
|
||||
*)
|
||||
echo "$STATUS?"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
while :; do
|
||||
printState
|
||||
sleep 1
|
||||
done
|
|
@ -1,29 +0,0 @@
|
|||
#!/usr/bin/env nix-shell
|
||||
#!nix-shell -i sh -p mpc-cli gawk gnugrep
|
||||
|
||||
while true; do
|
||||
MPC_OUTPUT=$(mpc --format '[[%artist% - ]%title%]|[%file%]')
|
||||
|
||||
TITLE=$(head -n 1 <<<"$MPC_OUTPUT")
|
||||
|
||||
if [ ${#TITLE} -gt 60 ]; then
|
||||
TITLE=$(awk '{print substr($0,0,57) "..."}' <<<"$TITLE")
|
||||
fi
|
||||
|
||||
LINE2=$(head -n 2 <<<"$MPC_OUTPUT" | tail -n 1)
|
||||
|
||||
PLAY_STATUS_RAW=$(awk '{print $1}' <<<"$LINE2")
|
||||
|
||||
if [ "$PLAY_STATUS_RAW" == "[playing]" ]; then
|
||||
PLAY_STATUS="▶"
|
||||
elif [ "$PLAY_STATUS_RAW" == "[paused]" ]; then
|
||||
PLAY_STATUS="⏸"
|
||||
else
|
||||
PLAY_STATUS="??"
|
||||
fi
|
||||
|
||||
TIME=$(awk '{print $3}' <<<"$LINE2")
|
||||
|
||||
echo -e "$PLAY_STATUS $TITLE | [$TIME]"
|
||||
sleep 1
|
||||
done
|
|
@ -3,7 +3,7 @@
|
|||
services.dunst = {
|
||||
enable = true;
|
||||
iconTheme = {
|
||||
package = pkgs.adwaita-icon-theme;
|
||||
package = pkgs.gnome.adwaita-icon-theme;
|
||||
name = "Adwaita";
|
||||
size = "32x32";
|
||||
};
|
||||
|
|
|
@ -22,11 +22,11 @@ in
|
|||
|
||||
# Volume
|
||||
|
||||
"super + {@F7,@F8}" = "${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 2%{-,+}";
|
||||
"super + {@F7,@F8}" = "${pkgs.alsaUtils}/bin/amixer set Master 2%{-,+}";
|
||||
|
||||
"{XF86AudioLowerVolume,XF86AudioRaiseVolume}" = "${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 2%{-,+}";
|
||||
"{XF86AudioLowerVolume,XF86AudioRaiseVolume}" = "${pkgs.alsaUtils}/bin/amixer set Master 2%{-,+}";
|
||||
|
||||
"XF86AudioMute" = "${pkgs.wireplumber}/bin/wpctl set-mute toggle";
|
||||
"XF86AudioMute" = "${pkgs.pulseaudio}/bin/pactl set-sink-mute @DEFAULT_SINK@ toggle";
|
||||
|
||||
# Music
|
||||
|
||||
|
|
|
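Review bot: On the side that drives volume through `pkgs.alsaUtils`/`amixer set Master`, mute is still sent through `pkgs.pulseaudio`/`pactl set-sink-mute @DEFAULT_SINK@`, so the two keys talk to different mixer backends and can disagree about the current state (an ALSA `Master` change does not necessarily touch the PulseAudio/PipeWire default sink). The other side keeps all three bindings on `wpctl` against `@DEFAULT_AUDIO_SINK@`, which is the consistent form; if `alsaUtils` is intentional, mute should go through `amixer set Master toggle` as well. Which side is the new one is not recoverable from this page.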
@ -12,7 +12,9 @@ in {
|
|||
./programs/ssh.nix
|
||||
./programs/usbtop.nix
|
||||
|
||||
./services/cups.nix
|
||||
./services/dbus.nix
|
||||
./services/logrotate.nix
|
||||
./services/openssh.nix
|
||||
./services/pcscd.nix
|
||||
./services/pipewire.nix
|
||||
|
@ -23,8 +25,6 @@ in {
|
|||
./services/xserver.nix
|
||||
];
|
||||
|
||||
systemd.enableStrictShellChecks = true;
|
||||
|
||||
sops.defaultSopsFile = ./../.. + "/secrets/${config.networking.hostName}.yaml";
|
||||
|
||||
time.timeZone = "Europe/Oslo";
|
||||
|
|
|
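Review bot: One of the two settings between `];` and `time.timeZone` disappears in the `-23,8 +25,6` hunk and the lost markers do not show which; `systemd.enableStrictShellChecks` was, as far as I recall, introduced in NixOS 24.11, so on the side that pins `nixos-24.05` it is the likelier casualty. If so, the change silently gives up build-time shellcheck of every unit's `script`/`preStart`, a cheap guard against quoting mistakes in privileged units. Leave a marker so it returns with the channel bump, e.g. `# TODO(24.11): set systemd.enableStrictShellChecks = true once the input moves past 24.05`.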
@ -0,0 +1,71 @@
|
|||
{ config, lib, ... }:
|
||||
{
|
||||
systemd.services = lib.mkIf config.services.printing.enable {
|
||||
cups.serviceConfig = {
|
||||
PrivateTmp = true;
|
||||
ProtectSystem = "strict";
|
||||
ProtectHome = true;
|
||||
ProtectClock= true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectProc = "invisible";
|
||||
PrivateDevices = true;
|
||||
NoNewPrivileges = true;
|
||||
# User =
|
||||
AmbientCapabilities = [ "" ];
|
||||
CapabilityBoundingSet = [ "" ];
|
||||
DevicePolicy = "closed";
|
||||
KeyringMode = "private";
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
PrivateUsers = true;
|
||||
RemoveIPC = true;
|
||||
# RestrictAddressFamilies = [ "" ];
|
||||
RestrictNamespaces=true;
|
||||
RestrictRealtime=true;
|
||||
RestrictSUIDSGID=true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [
|
||||
"@system-service"
|
||||
"~@privileged"
|
||||
];
|
||||
UMask = "0077";
|
||||
};
|
||||
cups-browsed.serviceConfig = {
|
||||
PrivateTmp = true;
|
||||
ProtectSystem = "strict";
|
||||
ProtectHome = true;
|
||||
ProtectClock= true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectProc = "invisible";
|
||||
PrivateDevices = true;
|
||||
NoNewPrivileges = true;
|
||||
# User =
|
||||
AmbientCapabilities = [ "" ];
|
||||
CapabilityBoundingSet = [ "" ];
|
||||
DevicePolicy = "closed";
|
||||
KeyringMode = "private";
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
PrivateUsers = true;
|
||||
RemoveIPC = true;
|
||||
# RestrictAddressFamilies = [ "" ];
|
||||
RestrictNamespaces=true;
|
||||
RestrictRealtime=true;
|
||||
RestrictSUIDSGID=true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [
|
||||
"@system-service"
|
||||
"~@privileged"
|
||||
];
|
||||
UMask = "0077";
|
||||
};
|
||||
};
|
||||
}
|
|
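Review bot: `cups.serviceConfig` and `cups-browsed.serviceConfig` are the same block of directives typed twice, so the next tweak — say, restoring the commented-out `RestrictAddressFamilies` — will drift between the two units; bind the set once and assign it to both (sketch below). Because this set previously sat behind `services.printing.enable = false;` in printing.nix (the `-1,77 +1,4` hunk) it may never have met a running cupsd: an empty `CapabilityBoundingSet` very likely takes `CAP_NET_BIND_SERVICE` away from the default `localhost:631` listener and the setuid/setgid cupsd uses to run filters as `lp`, and `PrivateDevices` with `DevicePolicy = "closed"` hides `/dev/bus/usb` from USB printers. Confirm on a host where `machineVars.headless` is false before relying on it, and record the result in a comment so the next person does not loosen it blind. Style: `ProtectClock= true;`, `RestrictNamespaces=true;` and neighbours mix spacing with the rest of the block.
```nix
{ config, lib, ... }:
let
  # One sandbox profile shared by cupsd and cups-browsed so the two units cannot drift apart.
  hardening = {
    # … unchanged: the PrivateTmp … UMask directives currently under cups.serviceConfig …
  };
in
{
  systemd.services = lib.mkIf config.services.printing.enable {
    cups.serviceConfig = hardening;
    cups-browsed.serviceConfig = hardening;
  };
}
```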
@ -0,0 +1,42 @@
|
|||
{ ... }:
|
||||
{
|
||||
# source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
|
||||
systemd.services.logrotate = {
|
||||
documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
|
||||
unitConfig.RequiresMountsFor = "/var/log";
|
||||
serviceConfig = {
|
||||
Nice = 19;
|
||||
IOSchedulingClass = "best-effort";
|
||||
IOSchedulingPriority = 7;
|
||||
|
||||
ReadWritePaths = [ "/var/log" ];
|
||||
|
||||
AmbientCapabilities = [ "" ];
|
||||
CapabilityBoundingSet = [ "" ];
|
||||
DeviceAllow = [ "" ];
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
NoNewPrivileges = true; # disable for third party rotate scripts
|
||||
PrivateDevices = true;
|
||||
PrivateNetwork = true; # disable for mail delivery
|
||||
PrivateTmp = true;
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true; # disable for userdir logs
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectProc = "invisible";
|
||||
ProtectSystem = "full";
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true; # disable for creating setgid directories
|
||||
SocketBindDeny = [ "any" ];
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [
|
||||
"@system-service"
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
|
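Review bot: `ProtectSystem = "full"` leaves the whole of `/var` writable, so `ReadWritePaths = [ "/var/log" ]` does not currently restrict anything; the pair only becomes a real write allow-list with `ProtectSystem = "strict"`, and that would then also need the directory holding logrotate's state file (`/var/lib/logrotate.status` by upstream default — confirm what the NixOS module on this release actually passes before tightening). `SocketBindDeny = [ "any" ]` is likewise already implied by `PrivateNetwork = true`, which is harmless but worth a one-line note so nobody removes one believing the other does not cover it. The `# disable for …` comments carried over from upstream are useful; a comment under the `# source:` line saying whether this is the full upstream example or a deliberate subset would make the file's relationship to it explicit.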
@ -1,77 +1,4 @@
|
|||
{ config, lib, ... }:
|
||||
let
|
||||
cfg = config.services.printing;
|
||||
in
|
||||
{ config, ... }:
|
||||
{
|
||||
# services.printing.enable = !config.machineVars.headless;
|
||||
services.printing.enable = false;
|
||||
|
||||
systemd.services = lib.mkIf cfg.enable {
|
||||
cups.serviceConfig = {
|
||||
PrivateTmp = true;
|
||||
ProtectSystem = "strict";
|
||||
ProtectHome = true;
|
||||
ProtectClock= true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectProc = "invisible";
|
||||
PrivateDevices = true;
|
||||
NoNewPrivileges = true;
|
||||
# User =
|
||||
AmbientCapabilities = [ "" ];
|
||||
CapabilityBoundingSet = [ "" ];
|
||||
DevicePolicy = "closed";
|
||||
KeyringMode = "private";
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
PrivateUsers = true;
|
||||
RemoveIPC = true;
|
||||
# RestrictAddressFamilies = [ "" ];
|
||||
RestrictNamespaces=true;
|
||||
RestrictRealtime=true;
|
||||
RestrictSUIDSGID=true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [
|
||||
"@system-service"
|
||||
"~@privileged"
|
||||
];
|
||||
UMask = "0077";
|
||||
};
|
||||
cups-browsed.serviceConfig = lib.mkIf cfg.enable {
|
||||
PrivateTmp = true;
|
||||
ProtectSystem = "strict";
|
||||
ProtectHome = true;
|
||||
ProtectClock= true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectProc = "invisible";
|
||||
PrivateDevices = true;
|
||||
NoNewPrivileges = true;
|
||||
# User =
|
||||
AmbientCapabilities = [ "" ];
|
||||
CapabilityBoundingSet = [ "" ];
|
||||
DevicePolicy = "closed";
|
||||
KeyringMode = "private";
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
PrivateUsers = true;
|
||||
RemoveIPC = true;
|
||||
# RestrictAddressFamilies = [ "" ];
|
||||
RestrictNamespaces=true;
|
||||
RestrictRealtime=true;
|
||||
RestrictSUIDSGID=true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [
|
||||
"@system-service"
|
||||
"~@privileged"
|
||||
];
|
||||
UMask = "0077";
|
||||
};
|
||||
};
|
||||
services.printing.enable = !config.machineVars.headless;
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
{ config, pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
|
@ -77,11 +77,14 @@
|
|||
fstrim.enable = true;
|
||||
};
|
||||
|
||||
nix.buildMachines = lib.mkForce [ ];
|
||||
|
||||
hardware = {
|
||||
bluetooth.enable = true;
|
||||
enableRedistributableFirmware = true;
|
||||
keyboard.zsa.enable = true;
|
||||
opengl = {
|
||||
enable = true;
|
||||
driSupport = true;
|
||||
driSupport32Bit = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
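Review bot: If `nix.buildMachines = lib.mkForce [ ];` is on the removed side (the `-77,11 +77,14` hunk gains three lines, and `lib` leaves the module arguments in the `-1,4 +1,4` hunk, which is consistent with that), this host stops forcing its remote builder list to empty, and any `nix.buildMachines` defined in a shared module becomes active here again. Remote builders are a trust decision — the builder's output is substituted into this machine's store — so if re-enabling them is intended, say so with a comment where the override used to be, and if not, keep the `mkForce [ ]` and the `lib` argument. The `hardware.opengl`/`driSupport` form is the NixOS 24.05 spelling and matches the `nixos-24.05` input on the same side.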