From 8eac2df40e9de4da807687bd7dcc19ea692e6a7d Mon Sep 17 00:00:00 2001
From: Lukas Wurzinger
Date: Thu, 4 Apr 2024 21:05:02 +0200
Subject: [PATCH] improvements
---
 class/desktop/default.nix | 1 -
 class/desktop/gtk.nix | 7 --
 class/desktop/plasma.nix | 32 +++---
 common/default.nix | 2 +-
 common/{myvim.nix => neovim.nix} | 9 +-
 flake.lock | 182 ++++++++++++++-----------------
 flake.nix | 1 +
 hosts/abacus/hiraeth.nix | 67 ++++++++++++
 modules/default.nix | 5 +
 modules/hiraeth.nix | 75 +++++++++++++
 10 files changed, 252 insertions(+), 129 deletions(-)
 delete mode 100644 class/desktop/gtk.nix
 rename common/{myvim.nix => neovim.nix} (55%)
 create mode 100644 hosts/abacus/hiraeth.nix
 create mode 100644 modules/default.nix
 create mode 100644 modules/hiraeth.nix
diff --git a/class/desktop/default.nix b/class/desktop/default.nix
index 58d8aca..7896690 100644
--- a/class/desktop/default.nix
+++ b/class/desktop/default.nix
@@ -7,7 +7,6 @@
 ./fonts.nix
 ./fs.nix
 ./gamemode.nix
- ./gtk.nix
 ./hardware.nix
 ./location.nix
 ./mullvad.nix
diff --git a/class/desktop/gtk.nix b/class/desktop/gtk.nix
deleted file mode 100644
index 0996747..0000000
--- a/class/desktop/gtk.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{pkgs, ...}: {
- xdg.portal.extraPortals = [
- pkgs.xdg-desktop-portal-gtk
- ];
-
- programs.dconf.enable = true;
-}
diff --git a/class/desktop/plasma.nix b/class/desktop/plasma.nix
index 2a35374..c7b7626 100644
--- a/class/desktop/plasma.nix
+++ b/class/desktop/plasma.nix
@@ -1,37 +1,39 @@
-{pkgs, ...}: {
- services.xserver = {
- enable = true;
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ services = {
 desktopManager.plasma6.enable = true;
- displayManager = {
- defaultSession = "plasma";
- sddm = {
+ xserver = {
+ enable = true;
+ excludePackages = [pkgs.xterm];
+ displayManager.sddm = {
 enable = true;
 wayland.enable = true;
- settings.Theme.CursorTheme = "breeze_cursors";
 };
 };
- excludePackages = [pkgs.xterm];
 };
 environment = {
- systemPackages = [
- pkgs.discover
- pkgs.kate
- pkgs.sddm-kcm
- ];
+ systemPackages = with pkgs.kdePackages; [discover kate];
 sessionVariables = {
 SUDO_ASKPASS = pkgs.writeShellScript "kdialogaskpass" ''
- exec ${pkgs.kdialog} --password Askpass
+ exec ${lib.getExe' pkgs.kdialog "kdialog"} --password Askpass
 '';
 MOZ_USE_XINPUT2 = "1";
 GDK_SCALE = "1";
 };
 };
- xdg.portal.xdgOpenUsePortal = true;
+ xdg.portal = {
+ xdgOpenUsePortal = true;
+ extraPortals = [pkgs.xdg-desktop-portal-gtk];
+ };
 programs = {
 kdeconnect.enable = true;
 partition-manager.enable = true;
+ dconf.enable = true;
 };
 }
diff --git a/common/default.nix b/common/default.nix
index 9d1bb71..51177fe 100644
--- a/common/default.nix
+++ b/common/default.nix
@@ -10,7 +10,7 @@
 ./fs.nix
 ./fwupd.nix
 ./git.nix
- ./myvim.nix
+ ./neovim.nix
 ./nix.nix
 ./opengl.nix
 ./readline.nix
diff --git a/common/myvim.nix b/common/neovim.nix
similarity index 55%
rename from common/myvim.nix
rename to common/neovim.nix
index b9a3ed1..6b9940c 100644
--- a/common/myvim.nix
+++ b/common/neovim.nix
@@ -1,6 +1,6 @@
 {
- lib,
 inputs,
+ lib,
 pkgs,
 ...
 }: {
@@ -8,11 +8,6 @@
 package = inputs.myvim.packages.${pkgs.system}.default;
 in {
 systemPackages = [package];
- variables = let
- name = builtins.baseNameOf (lib.getExe package);
- in {
- EDITOR = name;
- VISUAL = name;
- };
+ variables = lib.genAttrs ["EDITOR" "VISUAL"] (_: lib.getExe package);
 };
 }
diff --git a/flake.lock b/flake.lock
index 8334fc3..630c7b6 100644
--- a/flake.lock
+++ b/flake.lock
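Review bot: `systemPackages = with pkgs.kdePackages; [discover kate];` introduces the only `with` in this file, while every other package reference here is written out explicitly; inside a Nix list a bare identifier under `with` resolves silently, so a misspelt name surfaces only as an evaluation error rather than reading wrongly on the page. `systemPackages = [pkgs.kdePackages.discover pkgs.kdePackages.kate];` keeps the file's explicit style. The old list also carried `pkgs.sddm-kcm`; if dropping it together with the `settings.Theme.CursorTheme` line is deliberate, the commit message ("improvements") does not say so.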
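Review bot: `variables = lib.genAttrs ["EDITOR" "VISUAL"] (_: lib.getExe package);` in common/neovim.nix exports the absolute store path, whereas the removed `let` block exported only the executable's basename to be resolved through PATH. That is a behaviour change beyond the tidy-up: as far as I know environment.variables are read once at session start, so a shell that predates a rebuild keeps the old store path, which stays valid only until old generations are garbage-collected, while a bare name always followed /run/current-system. If pinning the absolute path is intended (it does make the editor independent of PATH), a one-line comment such as `# absolute path on purpose: do not depend on PATH containing the myvim wrapper` would keep the next reader from reverting it.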
@@ -8,11 +8,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1707830867, - "narHash": "sha256-PAdwm5QqdlwIqGrfzzvzZubM+FXtilekQ/FA0cI49/o=", + "lastModified": 1712079060, + "narHash": "sha256-/JdiT9t+zzjChc5qQiF+jhrVhRt8figYH29rZO7pFe4=", "owner": "ryantm", "repo": "agenix", - "rev": "8cb01a0e717311680e0cbca06a76cbceba6f3ed6", + "rev": "1381a759b205dff7a6818733118d02253340fd5e", "type": "github" }, "original": { @@ -69,11 +69,11 @@ ] }, "locked": { - "lastModified": 1708939976, - "narHash": "sha256-O5+nFozxz2Vubpdl1YZtPrilcIXPcRAjqNdNE8oCRoA=", + "lastModified": 1711099426, + "narHash": "sha256-HzpgM/wc3aqpnHJJ2oDqPBkNsqWbW0WfWUO8lKu8nGk=", "owner": "numtide", "repo": "devshell", - "rev": "5ddecd67edbd568ebe0a55905273e56cc82aabe3", + "rev": "2d45b54ca4a183f2fdcf4b19c895b64fbf620ee8", "type": "github" }, "original": { @@ -85,11 +85,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1668681692, - "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "owner": "edolstra", "repo": "flake-compat", - "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "type": "github" }, "original": { @@ -133,11 +133,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1709336216, - "narHash": "sha256-Dt/wOWeW6Sqm11Yh+2+t0dfEWxoMxGBvv3JpIocFl9E=", + "lastModified": 1712014858, + "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "f7b3c975cf067e56e7cda6cb098ebe3fb4d74ca2", + "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d", "type": "github" }, "original": { 
@@ -151,11 +151,11 @@ "nixpkgs-lib": "nixpkgs-lib_2" }, "locked": { - "lastModified": 1709336216, - "narHash": "sha256-Dt/wOWeW6Sqm11Yh+2+t0dfEWxoMxGBvv3JpIocFl9E=", + "lastModified": 1712014858, + "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "f7b3c975cf067e56e7cda6cb098ebe3fb4d74ca2", + "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d", "type": "github" }, "original": { @@ -188,7 +188,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1701680307, @@ -206,14 +206,14 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_3" + "systems": "systems_4" }, "locked": { - "lastModified": 1701680307, - "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", "type": "github" }, "original": { @@ -232,11 +232,11 @@ ] }, "locked": { - "lastModified": 1703887061, - "narHash": "sha256-gGPa9qWNc6eCXT/+Z5/zMkyYOuRZqeFZBDbopNZQkuY=", + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", "owner": "hercules-ci", "repo": "gitignore.nix", - "rev": "43e1aa1308018f37118e34d3a9cb4f5e75dc11d5", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", "type": "github" }, "original": { @@ -247,11 +247,11 @@ }, "hardware": { "locked": { - "lastModified": 1709410583, - "narHash": "sha256-esOSUoQ7mblwcsSea0K17McZuwAIjoS6dq/4b83+lvw=", + "lastModified": 1711352745, + "narHash": "sha256-luvqik+i3HTvCbXQZgB6uggvEcxI9uae0nmrgtXJ17U=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "59e37017b9ed31dee303dbbd4531c594df95cfbc", + "rev": "9a763a7acc4cfbb8603bb0231fec3eda864f81c0", "type": "github" }, "original": { 
@@ -290,11 +290,11 @@ ] }, "locked": { - "lastModified": 1709578243, - "narHash": "sha256-hF96D+c2PBmAFhymMw3z8hou++lqKtZ7IzpFbYeL1/Y=", + "lastModified": 1711625603, + "narHash": "sha256-W+9dfqA9bqUIBV5u7jaIARAzMe3kTq/Hp2SpSVXKRQw=", "owner": "nix-community", "repo": "home-manager", - "rev": "23ff9821bcaec12981e32049e8687f25f11e5ef3", + "rev": "c0ef0dab55611c676ad7539bf4e41b3ec6fa87d2", "type": "github" }, "original": { @@ -323,16 +323,14 @@ "blobs": "blobs", "flake-compat": "flake-compat", "nixpkgs": "nixpkgs_2", - "nixpkgs-23_05": "nixpkgs-23_05", - "nixpkgs-23_11": "nixpkgs-23_11", "utils": "utils" }, "locked": { - "lastModified": 1709905972, - "narHash": "sha256-18OF2/ypr0n4Lp6Fk5SLHPu12ok6jM+Hv3sC0PCim0Q=", + "lastModified": 1710449465, + "narHash": "sha256-2orO8nfplp6uQJBFqKkj1iyNMC6TysmwbWwbb4osTag=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "572c1b4d69deea1093ac231c37927cfa8ccad477", + "rev": "79c8cfcd5873a85559da6201b116fb38b490d030", "type": "gitlab" }, "original": { @@ -348,11 +346,11 @@ "nixvim": "nixvim" }, "locked": { - "lastModified": 1710094655, - "narHash": "sha256-Fu9eyHnh4YdXqXMnfBMfe2NJ13hapLU3QflaSKIZM1E=", + "lastModified": 1712249134, + "narHash": "sha256-kA0BE1jlr60csxeJ4KxsJmhQRno9ozZ6sFqopPWcNNA=", "owner": "lukaswrz", "repo": "myvim", - "rev": "79c22dbccbb4d87b3af6ffc933f71f4ca2d7873f", + "rev": "8520c624b044f4652aedc9eb76e84e46099df779", "type": "github" }, "original": { @@ -370,11 +368,11 @@ ] }, "locked": { - "lastModified": 1709554374, - "narHash": "sha256-1yYgwxBzia+QrOaQaZ6YKqGFfiQcSBwYLzd9XRsRLQY=", + "lastModified": 1711763326, + "narHash": "sha256-sXcesZWKXFlEQ8oyGHnfk4xc9f2Ip0X/+YZOq3sKviI=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "daa03606dfb5296a22e842acb02b46c1c4e9f5e7", + "rev": "36524adc31566655f2f4d55ad6b875fb5c1a4083", "type": "github" }, "original": { 
@@ -399,44 +397,14 @@ "type": "github" } }, - "nixpkgs-23_05": { - "locked": { - "lastModified": 1704290814, - "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "ref": "nixos-23.05", - "type": "indirect" - } - }, - "nixpkgs-23_11": { - "locked": { - "lastModified": 1706098335, - "narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "a77ab169a83a4175169d78684ddd2e54486ac651", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "ref": "nixos-23.11", - "type": "indirect" - } - }, "nixpkgs-lib": { "locked": { "dir": "lib", - "lastModified": 1709237383, - "narHash": "sha256-cy6ArO4k5qTx+l5o+0mL9f5fa86tYUX3ozE1S+Txlds=", + "lastModified": 1711703276, + "narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1536926ef5621b09bba54035ae2bb6d806d72ac8", + "rev": "d8fe5e6c92d0d190646fb9f1056741a229980089", "type": "github" }, "original": { @@ -450,11 +418,11 @@ "nixpkgs-lib_2": { "locked": { "dir": "lib", - "lastModified": 1709237383, - "narHash": "sha256-cy6ArO4k5qTx+l5o+0mL9f5fa86tYUX3ozE1S+Txlds=", + "lastModified": 1711703276, + "narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1536926ef5621b09bba54035ae2bb6d806d72ac8", + "rev": "d8fe5e6c92d0d190646fb9f1056741a229980089", "type": "github" }, "original": { 
@@ -467,11 +435,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1705856552, - "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=", + "lastModified": 1709703039, + "narHash": "sha256-6hqgQ8OK6gsMu1VtcGKBxKQInRLHtzulDo9Z5jxHEFY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d", + "rev": "9df3e30ce24fd28c7b3e2de0d986769db5d6225d", "type": "github" }, "original": { @@ -482,11 +450,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1709703039, - "narHash": "sha256-6hqgQ8OK6gsMu1VtcGKBxKQInRLHtzulDo9Z5jxHEFY=", + "lastModified": 1712163089, + "narHash": "sha256-Um+8kTIrC19vD4/lUCN9/cU9kcOsD1O1m+axJqQPyMM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9df3e30ce24fd28c7b3e2de0d986769db5d6225d", + "rev": "fd281bd6b7d3e32ddfa399853946f782553163b5", "type": "github" }, "original": { @@ -498,11 +466,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1709479366, - "narHash": "sha256-n6F0n8UV6lnTZbYPl1A9q1BS0p4hduAv1mGAP17CVd0=", + "lastModified": 1711703276, + "narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b8697e57f10292a6165a20f03d2f42920dfaf973", + "rev": "d8fe5e6c92d0d190646fb9f1056741a229980089", "type": "github" }, "original": { @@ -514,11 +482,11 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1709703039, - "narHash": "sha256-6hqgQ8OK6gsMu1VtcGKBxKQInRLHtzulDo9Z5jxHEFY=", + "lastModified": 1712163089, + "narHash": "sha256-Um+8kTIrC19vD4/lUCN9/cU9kcOsD1O1m+axJqQPyMM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9df3e30ce24fd28c7b3e2de0d986769db5d6225d", + "rev": "fd281bd6b7d3e32ddfa399853946f782553163b5", "type": "github" }, "original": { 
@@ -539,11 +507,11 @@ "pre-commit-hooks": "pre-commit-hooks" }, "locked": { - "lastModified": 1709939045, - "narHash": "sha256-cnh6ffM9DtulbQTZozM8ya1i7gjpbG7+n8udSTaYzrM=", + "lastModified": 1712234256, + "narHash": "sha256-UKt7HrwYc9xab+gDb5C24V75MVKfHW2VsZ6qL28my6Q=", "owner": "nix-community", "repo": "nixvim", - "rev": "8569b5c5506247423c39f2b3a0739f12fde41e38", + "rev": "2c99cefa913c8afb8fa08e53608c6f8bd5a2e5c4", "type": "github" }, "original": { @@ -569,11 +537,11 @@ ] }, "locked": { - "lastModified": 1708018599, - "narHash": "sha256-M+Ng6+SePmA8g06CmUZWi1AjG2tFBX9WCXElBHEKnyM=", + "lastModified": 1711760932, + "narHash": "sha256-DqUTQ2iAAqSDwMhKBqvi24v0Oc7pD3LCK/0FCG//TdA=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "5df5a70ad7575f6601d91f0efec95dd9bc619431", + "rev": "c11e43aed6f17336c25cd120eac886b96c455731", "type": "github" }, "original": { @@ -638,13 +606,31 @@ "type": "github" } }, - "utils": { + "systems_4": { "locked": { - "lastModified": 1605370193, - "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=", + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "utils": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1709126324, + "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=", "owner": "numtide", "repo": "flake-utils", - "rev": "5021eac20303a61fafe17224c087f5519baed54d", + "rev": "d465f4819400de7c8d874d50b982301f28a84605", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index aa0aabd..9919919 100644 --- a/flake.nix +++ b/flake.nix @@ -31,6 +31,7 @@ inputs.agenix.nixosModules.default inputs.mailserver.nixosModule + ./modules ./common ./class/${class} ./hosts/${name} 
diff --git a/hosts/abacus/hiraeth.nix b/hosts/abacus/hiraeth.nix
new file mode 100644
index 0000000..a0efaac
--- /dev/null
+++ b/hosts/abacus/hiraeth.nix
@@ -0,0 +1,67 @@
+{
+ config,
+ lib,
+ ...
+}: {
+ # TODO
+ age.secrets = {
+ hiraeth-jwt-sign-key = {
+ file = ../../secrets/hiraeth-jwt-sign-key.age;
+ owner = "hiraeth";
+ group = "hiraeth";
+ };
+
+ hiraeth-jwt-verify-key = {
+ file = ../../secrets/hiraeth-jwt-verify-key.age;
+ owner = "hiraeth";
+ group = "hiraeth";
+ };
+ };
+
+ services = {
+ postgresql = {
+ enable = lib.mkDefault true;
+
+ ensureDatabases = ["hiraeth"];
+ ensureUsers = [
+ {
+ name = "hiraeth";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+
+ hiraeth = {
+ enable = true;
+ settings = {
+ address = "127.0.0.1:8040";
+ name = "hiraeth";
+ db_type = "postgres";
+ datadir = "/var/lib/hiraeth";
+ dsn = "host=/run/postgresql user=hiraeth";
+ jwt_sign_key_file = config.age.secrets.hiraeth-jwt-sign-key.path;
+ jwt_verify_key_file = config.age.secrets.hiraeth-jwt-verify-key.path;
+ chunk_size = 1024 * 1024 * 128;
+ timeout = 60;
+ inline_types = [
+ "application/pdf"
+ "audio/mpeg"
+ "audio/flac"
+ "audio/vorbis"
+ "image/jpeg"
+ "image/png"
+ "text/plain"
+ "video/mp4"
+ ];
+ };
+ };
+
+ nginx.virtualHosts."share.${config.networking.domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ quic = true;
+
+ locations."/".proxyPass = "http://${config.services.hiraeth.settings.address}";
+ };
+ };
+}
diff --git a/modules/default.nix b/modules/default.nix
new file mode 100644
index 0000000..4482bf5
--- /dev/null
+++ b/modules/default.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./hiraeth.nix
+ ];
+}
diff --git a/modules/hiraeth.nix b/modules/hiraeth.nix
new file mode 100644
index 0000000..08db537
--- /dev/null
+++ b/modules/hiraeth.nix
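Review bot: The nginx virtual host in hosts/abacus/hiraeth.nix proxies a file-sharing service configured with `chunk_size = 1024 * 1024 * 128;`, but sets no client_max_body_size, so nginx's 1 MiB default will answer large upload requests with 413 before they reach hiraeth unless the client splits uploads into smaller requests (which I cannot tell from here). If whole chunks arrive in one request, a limit sized to the chunk, e.g. `locations."/".extraConfig = "client_max_body_size 129m;";`, keeps the bound explicit rather than disabling it. The `# TODO` above age.secrets names nothing; replacing it with what is actually outstanding (or deleting it) would help whoever picks this host up next. Binding `address` to 127.0.0.1 and reaching PostgreSQL over the socket with the same `hiraeth` user as ensureUsers are the right choices and worth keeping as is.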
@@ -0,0 +1,75 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.services.hiraeth;
+ settingsFormat = pkgs.formats.toml {};
+in {
+ options.services.hiraeth = {
+ enable = lib.mkEnableOption "hiraeth";
+ package = lib.mkPackageOption pkgs "hiraeth" {};
+ settings = lib.mkOption {
+ type = settingsFormat.type;
+ default = {};
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.services.hiraeth = {
+ description = "Hiraeth File Sharing Service";
+ after = ["network.target"];
+ wantedBy = ["multi-user.target"];
+
+ serviceConfig = {
+ Type = "simple";
+ User = config.users.users.hiraeth.name;
+ Group = config.users.groups.hiraeth.name;
+ StateDirectory = "hiraeth";
+ StateDirectoryMode = "0700";
+ UMask = "0077";
+ WorkingDirectory = "/var/lib/hiraeth";
+ ExecStart = "${pkgs.getExe' cfg.package "hiraeth"} run";
+ Restart = "always";
+ TimeoutSec = 10;
+ ReadOnlyPaths = "/etc/hiraeth/hiraeth.toml";
+ DevicePolicy = "closed";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ ProtectHome = "read-only";
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectControlGroups = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ };
+ };
+
+ users = {
+ users.hiraeth = {
+ isSystemUser = true;
+ group = config.users.groups.hiraeth.name;
+ };
+ groups.hiraeth = {};
+ };
+
+ environment.etc."hiraeth/hiraeth.toml" = {
+ source = settingsFormat.generate "hiraeth.toml" cfg.settings;
+
+ mode = "0440";
+ user = config.users.users.hiraeth.name;
+ group = config.users.users.hiraeth.group;
+ };
+ };
+}
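Review bot: `RestrictAddressFamilies = ["AF_INET" "AF_INET6"];` in serviceConfig leaves out AF_UNIX, yet hosts/abacus/hiraeth.nix in this same commit sets `dsn = "host=/run/postgresql user=hiraeth"`, a Unix-socket connection, so socket() for that connection will be refused inside this sandbox; `RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];` is what the host's configuration needs. The ExecStart line calls `pkgs.getExe'`, but getExe' is a lib function (plasma.nix in this commit uses `lib.getExe'`) and I do not believe pkgs exposes it, so this likely fails evaluation; `ExecStart = "${lib.getExe' cfg.package "hiraeth"} run";` matches the rest of the file. The settings option has no description, and because `settingsFormat.generate` renders the TOML into the world-readable Nix store the `mode = "0440"` on the /etc copy gives no confidentiality, so the description should say that secrets must be passed as file paths (as the host does with jwt_sign_key_file and jwt_verify_key_file) and never inline. With the unit already this tightly sandboxed, `SystemCallFilter = ["@system-service"];` and `CapabilityBoundingSet = "";` are the usual companions to NoNewPrivileges and cost nothing to add here.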