/run/wrappers: remove unused newgidmap,newuidmap,newgrp binaries
This commit is contained in:
parent
af72f312d3
commit
9ce7dcd57a
|
@ -2,87 +2,101 @@
|
||||||
|
|
||||||
{ lib, ... }:
|
{ lib, ... }:
|
||||||
{
|
{
|
||||||
# disable non-required packages like nano, perl, rsync, strace
|
# remove a few items from /run/wrappers we don't need.
|
||||||
environment.defaultPackages = [];
|
# these were populated by <repo:nixos/nixpkgs:nixos/modules/programs/shadow.nix>
|
||||||
|
options.security.wrappers = lib.mkOption {
|
||||||
|
apply = lib.filterAttrs (name: _: !(builtins.elem name [
|
||||||
|
"newgidmap"
|
||||||
|
"newgrp"
|
||||||
|
"newuidmap"
|
||||||
|
# "sg"
|
||||||
|
# "su"
|
||||||
|
]));
|
||||||
|
};
|
||||||
|
|
||||||
# remove all the non-existent default directories from XDG_DATA_DIRS, XDG_CONFIG_DIRS to simplify debugging.
|
config = {
|
||||||
# this is defaulted in <repo:nixos/nixpkgs:nixos/modules/programs/environment.nix>,
|
# disable non-required packages like nano, perl, rsync, strace
|
||||||
# without being gated by any higher config.
|
environment.defaultPackages = [];
|
||||||
environment.profiles = lib.mkForce [
|
|
||||||
"/etc/profiles/per-user/$USER"
|
|
||||||
"/run/current-system/sw"
|
|
||||||
];
|
|
||||||
|
|
||||||
# NIXPKGS_CONFIG defaults to "/etc/nix/nixpkgs-config.nix" in <nixos/modules/programs/environment.nix>.
|
# remove all the non-existent default directories from XDG_DATA_DIRS, XDG_CONFIG_DIRS to simplify debugging.
|
||||||
# that's never existed on my system and everything does fine without it set empty (no nixpkgs API to forcibly *unset* it).
|
# this is defaulted in <repo:nixos/nixpkgs:nixos/modules/programs/environment.nix>,
|
||||||
environment.variables.NIXPKGS_CONFIG = lib.mkForce "";
|
# without being gated by any higher config.
|
||||||
# XDG_CONFIG_DIRS defaults to "/etc/xdg", which doesn't exist.
|
environment.profiles = lib.mkForce [
|
||||||
# in practice, pam appends the values i want to XDG_CONFIG_DIRS, though this approach causes an extra leading `:`
|
"/etc/profiles/per-user/$USER"
|
||||||
environment.sessionVariables.XDG_CONFIG_DIRS = lib.mkForce [];
|
"/run/current-system/sw"
|
||||||
# XCURSOR_PATH: defaults to `[ "$HOME/.icons" "$HOME/.local/share/icons" ]`, neither of which i use, just adding noise.
|
];
|
||||||
# see: <repo:nixos/nixpkgs:nixos/modules/config/xdg/icons.nix>
|
|
||||||
environment.sessionVariables.XCURSOR_PATH = lib.mkForce [];
|
|
||||||
|
|
||||||
# disable nixos' portal module, otherwise /share/applications gets linked into the system and complicates things (sandboxing).
|
# NIXPKGS_CONFIG defaults to "/etc/nix/nixpkgs-config.nix" in <nixos/modules/programs/environment.nix>.
|
||||||
# instead, i manage portals myself via the sane.programs API (e.g. sane.programs.xdg-desktop-portal).
|
# that's never existed on my system and everything does fine without it set empty (no nixpkgs API to forcibly *unset* it).
|
||||||
xdg.portal.enable = false;
|
environment.variables.NIXPKGS_CONFIG = lib.mkForce "";
|
||||||
xdg.menus.enable = false; #< links /share/applications, and a bunch of other empty (i.e. unused) dirs
|
# XDG_CONFIG_DIRS defaults to "/etc/xdg", which doesn't exist.
|
||||||
|
# in practice, pam appends the values i want to XDG_CONFIG_DIRS, though this approach causes an extra leading `:`
|
||||||
|
environment.sessionVariables.XDG_CONFIG_DIRS = lib.mkForce [];
|
||||||
|
# XCURSOR_PATH: defaults to `[ "$HOME/.icons" "$HOME/.local/share/icons" ]`, neither of which i use, just adding noise.
|
||||||
|
# see: <repo:nixos/nixpkgs:nixos/modules/config/xdg/icons.nix>
|
||||||
|
environment.sessionVariables.XCURSOR_PATH = lib.mkForce [];
|
||||||
|
|
||||||
# xdg.autostart.enable defaults to true, and links /etc/xdg/autostart into the environment, populated with .desktop files.
|
# disable nixos' portal module, otherwise /share/applications gets linked into the system and complicates things (sandboxing).
|
||||||
# see: <repo:nixos/nixpkgs:nixos/modules/config/xdg/autostart.nix>
|
# instead, i manage portals myself via the sane.programs API (e.g. sane.programs.xdg-desktop-portal).
|
||||||
# .desktop files are a questionable way to autostart things: i generally prefer a service manager for that.
|
xdg.portal.enable = false;
|
||||||
xdg.autostart.enable = false;
|
xdg.menus.enable = false; #< links /share/applications, and a bunch of other empty (i.e. unused) dirs
|
||||||
|
|
||||||
# nix.channel.enable: populates `/nix/var/nix/profiles/per-user/root/channels`, `/root/.nix-channels`, `$HOME/.nix-defexpr/channels`
|
# xdg.autostart.enable defaults to true, and links /etc/xdg/autostart into the environment, populated with .desktop files.
|
||||||
# <repo:nixos/nixpkgs:nixos/modules/config/nix-channel.nix>
|
# see: <repo:nixos/nixpkgs:nixos/modules/config/xdg/autostart.nix>
|
||||||
# TODO: may want to recreate NIX_PATH, nix.settings.nix-path
|
# .desktop files are a questionable way to autostart things: i generally prefer a service manager for that.
|
||||||
nix.channel.enable = false;
|
xdg.autostart.enable = false;
|
||||||
|
|
||||||
# environment.stub-ld: populate /lib/ld-linux.so with an object that unconditionally errors on launch,
|
# nix.channel.enable: populates `/nix/var/nix/profiles/per-user/root/channels`, `/root/.nix-channels`, `$HOME/.nix-defexpr/channels`
|
||||||
# so as to inform when trying to run a non-nixos binary?
|
# <repo:nixos/nixpkgs:nixos/modules/config/nix-channel.nix>
|
||||||
# IMO that's confusing: i thought /lib/ld-linux.so was some file actually required by nix.
|
# TODO: may want to recreate NIX_PATH, nix.settings.nix-path
|
||||||
environment.stub-ld.enable = false;
|
nix.channel.enable = false;
|
||||||
|
|
||||||
# `less.enable` sets LESSKEYIN_SYSTEM, LESSOPEN, LESSCLOSE env vars, which does confusing "lesspipe" things, so disable that.
|
# environment.stub-ld: populate /lib/ld-linux.so with an object that unconditionally errors on launch,
|
||||||
# it's enabled by default from `<nixos/modules/programs/environment.nix>`, who also sets `PAGER="less"` and `EDITOR="nano"` (keep).
|
# so as to inform when trying to run a non-nixos binary?
|
||||||
programs.less.enable = lib.mkForce false;
|
# IMO that's confusing: i thought /lib/ld-linux.so was some file actually required by nix.
|
||||||
environment.variables.PAGER = lib.mkOverride 900 ""; # mkDefault sets 1000. non-override is 100. 900 will beat the nixpkgs `mkDefault` but not anyone else.
|
environment.stub-ld.enable = false;
|
||||||
environment.variables.EDITOR = lib.mkOverride 900 "";
|
|
||||||
|
|
||||||
# several packages (dconf, modemmanager, networkmanager, gvfs, polkit, udisks, bluez/blueman, feedbackd, etc)
|
# `less.enable` sets LESSKEYIN_SYSTEM, LESSOPEN, LESSCLOSE env vars, which does confusing "lesspipe" things, so disable that.
|
||||||
# will add themselves to the dbus search path.
|
# it's enabled by default from `<nixos/modules/programs/environment.nix>`, who also sets `PAGER="less"` and `EDITOR="nano"` (keep).
|
||||||
# i prefer dbus to only search XDG paths (/share/dbus-1) for service files, as that's more introspectable.
|
programs.less.enable = lib.mkForce false;
|
||||||
# see: <repo:nixos/nixpkgs:nixos/modules/services/system/dbus.nix>
|
environment.variables.PAGER = lib.mkOverride 900 ""; # mkDefault sets 1000. non-override is 100. 900 will beat the nixpkgs `mkDefault` but not anyone else.
|
||||||
# TODO: sandbox dbus? i pretty explicitly don't want to use it as a launcher.
|
environment.variables.EDITOR = lib.mkOverride 900 "";
|
||||||
services.dbus.packages = lib.mkForce [
|
|
||||||
"/run/current-system/sw"
|
|
||||||
# config.system.path
|
|
||||||
# pkgs.dbus
|
|
||||||
# pkgs.polkit.out
|
|
||||||
# pkgs.modemmanager
|
|
||||||
# pkgs.networkmanager
|
|
||||||
# pkgs.udisks
|
|
||||||
# pkgs.wpa_supplicant
|
|
||||||
];
|
|
||||||
|
|
||||||
# systemd by default forces shitty defaults for e.g. /tmp/.X11-unix.
|
# several packages (dconf, modemmanager, networkmanager, gvfs, polkit, udisks, bluez/blueman, feedbackd, etc)
|
||||||
# nixos propagates those in: <nixos/modules/system/boot/systemd/tmpfiles.nix>
|
# will add themselves to the dbus search path.
|
||||||
# by overwriting this with an empty file, we can effectively remove it.
|
# i prefer dbus to only search XDG paths (/share/dbus-1) for service files, as that's more introspectable.
|
||||||
environment.etc."tmpfiles.d/x11.conf".text = "# (removed by Colin)";
|
# see: <repo:nixos/nixpkgs:nixos/modules/services/system/dbus.nix>
|
||||||
|
# TODO: sandbox dbus? i pretty explicitly don't want to use it as a launcher.
|
||||||
|
services.dbus.packages = lib.mkForce [
|
||||||
|
"/run/current-system/sw"
|
||||||
|
# config.system.path
|
||||||
|
# pkgs.dbus
|
||||||
|
# pkgs.polkit.out
|
||||||
|
# pkgs.modemmanager
|
||||||
|
# pkgs.networkmanager
|
||||||
|
# pkgs.udisks
|
||||||
|
# pkgs.wpa_supplicant
|
||||||
|
];
|
||||||
|
|
||||||
# see: <nixos/modules/tasks/swraid.nix>
|
# systemd by default forces shitty defaults for e.g. /tmp/.X11-unix.
|
||||||
# it was enabled by default before 23.11
|
# nixos propagates those in: <nixos/modules/system/boot/systemd/tmpfiles.nix>
|
||||||
boot.swraid.enable = lib.mkDefault false;
|
# by overwriting this with an empty file, we can effectively remove it.
|
||||||
|
environment.etc."tmpfiles.d/x11.conf".text = "# (removed by Colin)";
|
||||||
|
|
||||||
# see: <nixos/modules/system/boot/kernel.nix>
|
# see: <nixos/modules/tasks/swraid.nix>
|
||||||
# by default, it adds to boot.initrd.availableKernelModules:
|
# it was enabled by default before 23.11
|
||||||
# - SATA: "ahci" "sata_nv" "sata_via" "sata_sis" "sata_uli" "ata_piix" "pata_marvell"
|
boot.swraid.enable = lib.mkDefault false;
|
||||||
# - "nvme"
|
|
||||||
# - scsi: "sd_mod" "sr_mod"
|
|
||||||
# - SD/eMMC: "mmc_block"
|
|
||||||
# - USB keyboards: "uhci_hcd" "ehci_hcd" "ehci_pci" "ohci_hcd" "ohci_pci" "xhci_hcd" "xhci_pci" "usbhid" "hid_generic" "hid_lenovo" "hid_apple" "hid_roccat" "hid_logitech_hidpp" "hid_logitech_dj" "hid_microsoft" "hid_cherry" "hid_corsair"
|
|
||||||
# - LVM: "dm_mod"
|
|
||||||
# - on x86 only: more keyboard stuff: "pcips2" "atkbd" "i8042"
|
|
||||||
|
|
||||||
boot.initrd.includeDefaultModules = lib.mkDefault false;
|
# see: <nixos/modules/system/boot/kernel.nix>
|
||||||
|
# by default, it adds to boot.initrd.availableKernelModules:
|
||||||
|
# - SATA: "ahci" "sata_nv" "sata_via" "sata_sis" "sata_uli" "ata_piix" "pata_marvell"
|
||||||
|
# - "nvme"
|
||||||
|
# - scsi: "sd_mod" "sr_mod"
|
||||||
|
# - SD/eMMC: "mmc_block"
|
||||||
|
# - USB keyboards: "uhci_hcd" "ehci_hcd" "ehci_pci" "ohci_hcd" "ohci_pci" "xhci_hcd" "xhci_pci" "usbhid" "hid_generic" "hid_lenovo" "hid_apple" "hid_roccat" "hid_logitech_hidpp" "hid_logitech_dj" "hid_microsoft" "hid_cherry" "hid_corsair"
|
||||||
|
# - LVM: "dm_mod"
|
||||||
|
# - on x86 only: more keyboard stuff: "pcips2" "atkbd" "i8042"
|
||||||
|
|
||||||
|
boot.initrd.includeDefaultModules = lib.mkDefault false;
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
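Review bot: The `apply` on `options.security.wrappers` runs after option merging, so it silently strips `newuidmap`, `newgidmap` and `newgrp` even when another module defines them deliberately and even under `lib.mkForce`; a later opt-in to anything that relies on subordinate uid/gid mappings (the job of newuidmap/newgidmap) would then presumably fail at runtime with a permission error rather than surface as an evaluation-time conflict. The comment above the option should say so, e.g. `# NOTE: this filter is applied after merging, so any module that re-adds these wrappers is silently overridden; revisit this list before enabling anything that needs uid/gid mapping.` The commented-out `# "sg"` and `# "su"` entries would also benefit from a short note on why they are kept, since the surrounding comment only explains the removals.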