colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

README: update to reflect recent refactorings

Browse Source
This commit is contained in:
Colin
2024-10-05 14:03:35 +00:00
parent 358b16516b
commit be50bf4499
1 changed files with 13 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
README.md
View File

@@ -17,22 +17,27 @@ the only hard dependency for my exported pkgs/modules should be [nixpkgs][nixpkg
building [hosts/](./hosts/) will require [sops][sops]. building [hosts/](./hosts/) will require [sops][sops].
you might specifically be interested in these files (elaborated further in #key-points-of-interest): you might specifically be interested in these files (elaborated further in #key-points-of-interest):
- [my packages](./pkgs/by-name)
- [my implementation of impermanence](./modules/persist/default.nix) - [my implementation of impermanence](./modules/persist/default.nix)
- my way of deploying dotfiles/configuring programs per-user: - my way of deploying dotfiles/configuring programs per-user:
- [modules/fs/](./modules/fs/default.nix) - [modules/fs/](./modules/fs/default.nix)
- [modules/programs/](./modules/programs/default.nix) - [modules/programs/](./modules/programs/default.nix)
- [modules/users/](./modules/users/default.nix) - [modules/users/](./modules/users/default.nix)
if you find anything here genuinely useful, message me so that i can work to upstream it!
[nixpkgs]: https://github.com/NixOS/nixpkgs [nixpkgs]: https://github.com/NixOS/nixpkgs
[sops]: https://github.com/Mic92/sops-nix [sops]: https://github.com/Mic92/sops-nix
[uninsane-org]: https://uninsane.org [uninsane-org]: https://uninsane.org
## Using This Repo In Your Own Config ## Using This Repo In Your Own Config
follow the instructions [here][NUR] to access my packages through the Nix User Repositories. follow the instructions [here][NUR] to access my packages through the Nix User Repositories.
[NUR]: https://nur.nix-community.org/ [NUR]: https://nur.nix-community.org/
## Layout ## Layout
- `doc/` - `doc/`
- instructions for tasks i find myself doing semi-occasionally in this repo. - instructions for tasks i find myself doing semi-occasionally in this repo.
@@ -50,7 +55,7 @@ follow the instructions [here][NUR] to access my packages through the Nix User R
- `pkgs/` - `pkgs/`
- derivations for things not yet packaged in nixpkgs. - derivations for things not yet packaged in nixpkgs.
- derivations for things from nixpkgs which i need to `override` for some reason. - derivations for things from nixpkgs which i need to `override` for some reason.
- inline code for wholly custom packages (e.g. `pkgs/additional/sane-scripts/` for CLI tools - inline code for wholly custom packages (e.g. `pkgs/by-name/sane-scripts/` for CLI tools
that are highly specific to my setup). that are highly specific to my setup).
- `scripts/` - `scripts/`
- scripts which aren't reachable on a deployed system, but may aid manual deployments. - scripts which aren't reachable on a deployed system, but may aid manual deployments.
@@ -77,25 +82,22 @@ i.e. you might find value in using these in your own config:
- populated with some statically-defined data - populated with some statically-defined data
- populated according to some script - populated according to some script
- created as a dependency of some service (e.g. `nginx`) - created as a dependency of some service (e.g. `nginx`)
- values defined here are applied neither at evaluation time _nor_ at activation time.
- rather, they become systemd services.
- systemd manages dependencies
- e.g. link `/var/www -> /mnt/my-drive/www` only _after_ `/mnt/my-drive/www` appears)
- this is akin to using [Home Manager's][home-manager] file API -- the part which lets you - this is akin to using [Home Manager's][home-manager] file API -- the part which lets you
statically define `~/.config` files -- just with a different philosophy. statically define `~/.config` files -- just with a different philosophy.
namely, it avoids any custom activation scripts by leveraging `systemd-tmpfiles`.
- `modules/persist/` - `modules/persist/`
- my alternative to the Impermanence module. - my implementation of impermanence, built atop the above `fs` module, with a few notable features:
- this builds atop `modules/fs/` to achieve things stock impermanence can't: - no custom activation scripts or services (uses `systemd-tmpfiles` and `.mount` units)
- persist things to encrypted storage which is unlocked at login time (pam_mount).
- "persist" cache directories -- to free up RAM -- but auto-wipe them on mount - "persist" cache directories -- to free up RAM -- but auto-wipe them on mount
and encrypt them to ephemeral keys so they're unreadable post shutdown/unmount. and encrypt them to ephemeral keys so they're unreadable post shutdown/unmount.
- persist to encrypted storage which is unlocked at login time.
- `modules/programs/` - `modules/programs/`
- like nixpkgs' `programs` options, but allows both system-wide or per-user deployment. - like nixpkgs' `programs` options, but allows both system-wide or per-user deployment.
- allows `fs` and `persist` config values to be gated behind program deployment: - allows `fs` and `persist` config values to be gated behind program deployment:
- e.g. `/home/<user>/.mozilla/firefox` is persisted only for users who - e.g. `/home/<user>/.mozilla/firefox` is persisted only for users who
`sane.programs.firefox.enableFor.user."<user>" = true;` `sane.programs.firefox.enableFor.user."<user>" = true;`
- allows aggressive sandboxing any program: - allows aggressive sandboxing any program:
- `sane.programs.firefox.sandbox.method = "bwrap"; # sandbox with bubblewrap` - `sane.programs.firefox.sandbox.enable = true; # wraps the program so that it isolates itself into a new namespace when invoked`
- `sane.programs.firefox.sandbox.whitelistWayland = true; # allow it to render a wayland window` - `sane.programs.firefox.sandbox.whitelistWayland = true; # allow it to render a wayland window`
- `sane.programs.firefox.sandbox.extraHomePaths = [ "Downloads" ]; # allow it read/write access to ~/Downloads` - `sane.programs.firefox.sandbox.extraHomePaths = [ "Downloads" ]; # allow it read/write access to ~/Downloads`
- integrated with `fs` and `persist` modules so that programs' config files and persisted data stores are linked into the sandbox w/o any extra involvement. - integrated with `fs` and `persist` modules so that programs' config files and persisted data stores are linked into the sandbox w/o any extra involvement.
@@ -104,17 +106,16 @@ i.e. you might find value in using these in your own config:
`fs.".config/git"` instead of `fs."/home/colin/.config/git"` `fs.".config/git"` instead of `fs."/home/colin/.config/git"`
- simplified `systemd.services` API - simplified `systemd.services` API
some things in here could easily find broader use. if you would find benefit in
them being factored out of my config, message me and we could work to make that happen.
[home-manager]: https://github.com/nix-community/home-manager [home-manager]: https://github.com/nix-community/home-manager
## Mirrors ## Mirrors
this repo exists in a few known locations: this repo exists in a few known locations:
- primary: <https://git.uninsane.org/colin/nix-files> - primary: <https://git.uninsane.org/colin/nix-files>
- mirror: <https://github.com/nix-community/nur-combined/tree/master/repos/colinsane> - mirror: <https://github.com/nix-community/nur-combined/tree/master/repos/colinsane>
## Contact ## Contact
if you want to contact me for questions, or collaborate to split something useful into a shared repo, etc, if you want to contact me for questions, or collaborate to split something useful into a shared repo, etc,