WIP: home/{hyprland,waybar}: init

flake.nix

@@ -190,7 +190,6 @@
                   useGlobalPkgs = true;
                   extraSpecialArgs = {
                     inherit inputs;
-                    inherit unstable-pkgs;
                     inherit (self) extendedLib;
                     inherit (config) machineVars;
                     secrets = secrets.outputs.settings;

home/home.nix

@@ -99,7 +99,6 @@ in {
     sessionVariables = {
       CARGO_NET_GIT_FETCH_WITH_CLI = "true";
       PYTHONSTARTUP = "${config.xdg.configHome}/python/pyrc";
-      _JAVA_AWT_WM_NONREPARENTING = "1";
     };
   };
 

home/packages.nix

@@ -17,7 +17,6 @@
     gpg-tui
     gping
     graphviz
-    hexyl
     httpie
     imagemagick
     jq
@@ -25,7 +24,6 @@
     # keybase
     keymapviz
     libwebp
-    lnav
     lolcat
     mdcat
     mediainfo
@@ -46,7 +44,6 @@
     pandoc
     parallel
     progress
-    pwntools
     python3
     rclone
     ripgrep
@@ -92,12 +89,10 @@
       discord
       element-desktop
       geogebra
-      ghidra
       gimp
       gnome.gnome-font-viewer
       gnome.seahorse
       google-chrome
-      imhex
       inkscape
       insomnia
       iwgtk

home/programs/gh.nix

@@ -4,7 +4,7 @@
     enable = true;
     settings = {
       gitProtocol = "ssh";
-      pager = "${pkgs.bat}/bin/bat";
+      pager = "${pkgs.bat}/git/bat";
       aliases = {
         co = "pr checkout";
         pv = "pr view";

home/programs/ssh/pvv.nix

@@ -10,35 +10,26 @@ let
       proxyJump = lib.mkDefault null;
       addressFamily = "inet";
     }
+    "dagali"
+    "drolsum"
+    "demiurgen"
+    "eirin"
     [ "bekkalokk" "pvv-web" "pvv-wiki" "pvv-webmail" ]
+    "ildkule"
+    "shark"
+    "buskerud"
     [ "bicep" "pvv-databases" ]
     "bob"
-    [ "brzeczyszczykiewicz" "brez" "bokhylle" ]
-    "buskerud"
-    "dagali"
-    "demiurgen"
-    "drolsum"
-    "eirin"
-    "georg"
-    "ildkule"
-    "isvegg"
     "knutsen"
-    [ "microbel" "pvv-users" "pvv-mail" ]
+    "isvegg"
-    "orchid"
-    "shark"
-    "tallulah"
     "tom"
-    "venture"
+    [ "microbel" "pvv-users" "pvv-mail" ]
   ];
 
   rootMachines = [
-    [ "ameno" "pvv-dns" ]
+    [ "sleipner" "pvv-salt" ]
     [ "balduzius" "pvv-krb" ]
     [ "innovation" "pvv-minecraft" ]
-    "ludvigsen"
-    [ "principal" "pvv-backup" ]
-    [ "skrott" "dibbler" ]
-    [ "sleipner" "pvv-salt" ]
   ];
 
   # Either( String [String] AttrSet{String} ) -> AttrSet{String}

home/programs/zed/default.nix

@@ -1,6 +1,6 @@
-{ config, pkgs, unstable-pkgs, lib, ... }:
+{ config, pkgs, lib, ... }:
 {
-  home.packages = with unstable-pkgs; [ zed-editor ];
+  home.packages = with pkgs; [ zed-editor ];
 
   xdg.configFile."zed/settings.json".source = let
     format = pkgs.formats.json { };

hosts/common/default.nix

@@ -12,9 +12,7 @@ in {
     ./programs/ssh.nix
     ./programs/usbtop.nix
 
-    ./services/cups.nix
     ./services/dbus.nix
-    ./services/logrotate.nix
     ./services/openssh.nix
     ./services/pcscd.nix
     ./services/pipewire.nix

hosts/common/services/cups.nix

@@ -1,71 +0,0 @@
-{ config, lib, ... }:
-{
-  systemd.services = lib.mkIf config.services.printing.enable {
-    cups.serviceConfig = {
-      PrivateTmp = true;
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      ProtectClock= true;
-      ProtectControlGroups = true;
-      ProtectHostname = true; 
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectProc = "invisible";
-      PrivateDevices = true;
-      NoNewPrivileges = true;
-      # User =
-      AmbientCapabilities = [ "" ];
-      CapabilityBoundingSet = [ "" ];
-      DevicePolicy = "closed";
-      KeyringMode = "private";
-      LockPersonality = true;
-      MemoryDenyWriteExecute = true;
-      PrivateUsers = true;
-      RemoveIPC = true;
-      # RestrictAddressFamilies = [ "" ];
-      RestrictNamespaces=true;
-      RestrictRealtime=true;
-      RestrictSUIDSGID=true;
-      SystemCallArchitectures = "native";
-      SystemCallFilter = [
-        "@system-service"
-        "~@privileged"
-      ];
-      UMask = "0077";
-    };
-    cups-browsed.serviceConfig = {
-      PrivateTmp = true;
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      ProtectClock= true;
-      ProtectControlGroups = true;
-      ProtectHostname = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectProc = "invisible";
-      PrivateDevices = true;
-      NoNewPrivileges = true;
-      # User =
-      AmbientCapabilities = [ "" ];
-      CapabilityBoundingSet = [ "" ];
-      DevicePolicy = "closed";
-      KeyringMode = "private";
-      LockPersonality = true;
-      MemoryDenyWriteExecute = true;
-      PrivateUsers = true;
-      RemoveIPC = true;
-      # RestrictAddressFamilies = [ "" ];
-      RestrictNamespaces=true;
-      RestrictRealtime=true;
-      RestrictSUIDSGID=true;
-      SystemCallArchitectures = "native";
-      SystemCallFilter = [
-        "@system-service"
-        "~@privileged"
-      ];
-      UMask = "0077";
-    };
-  };
-}

hosts/common/services/logrotate.nix

@@ -1,42 +0,0 @@
-{ ... }:
-{
-  # source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
-  systemd.services.logrotate = {
-    documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
-    unitConfig.RequiresMountsFor = "/var/log";
-    serviceConfig = {
-      Nice = 19;
-      IOSchedulingClass = "best-effort";
-      IOSchedulingPriority = 7;
-
-      ReadWritePaths = [ "/var/log" ];
-
-      AmbientCapabilities = [ "" ];
-      CapabilityBoundingSet = [ "" ];
-      DeviceAllow = [ "" ];
-      LockPersonality = true;
-      MemoryDenyWriteExecute = true;
-      NoNewPrivileges = true; # disable for third party rotate scripts
-      PrivateDevices = true;
-      PrivateNetwork = true; # disable for mail delivery
-      PrivateTmp = true;
-      ProtectClock = true;
-      ProtectControlGroups = true;
-      ProtectHome = true; # disable for userdir logs
-      ProtectHostname = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectProc = "invisible";
-      ProtectSystem = "full";
-      RestrictNamespaces = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true; # disable for creating setgid directories
-      SocketBindDeny = [ "any" ];
-      SystemCallArchitectures = "native";
-      SystemCallFilter = [
-        "@system-service"
-      ];
-    };
-  };
-}

hosts/dosei/services/journald-remote.nix

@@ -1,19 +0,0 @@
-{ ... }:
-{
-  # TODO: Reproducible certificates
-  services.journald.remote = {
-    enable = true;
-    settings.Remote = {
-      # ServerKeyFile = "/run/credentials/systemd-journald-remote.service/key.pem";
-      # ServerCertificateFile = "/run/credentials/systemd-journald-remote.service/.pem";
-      ServerKeyFile = "/etc/journald-remote-certs/key.pem";
-      ServerCertificateFile = "/etc/journald-remote-certs/cert.pem";
-      TrustedCertificateFile = "-";
-    };
-  };
-
-  # systemd.services.systemd-journal-remote.serviceConfig.LoadCredential = [
-  #   "key.pem:/etc/journald-remote-certs/key.pem"
-  #   "cert.pem:/etc/journald-remote-certs/cert.pem"
-  # ];
-}

hosts/europa/configuration.nix

@@ -5,7 +5,6 @@
 
     ./services/avahi.nix
     ./services/docker.nix
-    ./services/journald-remote.nix
   ];
 
   boot.loader.systemd-boot.enable = true;

hosts/europa/services/journald-remote.nix

@@ -1,14 +0,0 @@
-{ ... }:
-{
-  services.journald.upload = {
-    enable = true;
-    settings.Upload = {
-      URL = "https://10.250.14.105:19532";
-      # ServerKeyFile = toString ./key.pem;
-      # ServerCertificateFile = toString ./cert.pem;
-      ServerKeyFile = "-";
-      ServerCertificateFile = "-";
-      TrustedCertificateFile = "-";
-    };
-  };  
-}