


bef0099eec scripts/clean: fix to cleanup more dangling result symlinks 2024-05-13 22:45:33 +00:00
67434caf45 scripts: add a script to clean the git dir 2024-05-13 22:45:33 +00:00
be84ab1f45 programs: set buildCost=1 for assorted low-priority programs 2024-05-13 22:45:33 +00:00
43d32641f3 programs: buildCost: introduce a new level between min and light 2024-05-13 22:45:33 +00:00
9bf0dbabae gnome.seahorse: disable 2024-05-13 22:45:33 +00:00
8c7880774e monero-gui: disable 2024-05-13 22:45:33 +00:00
5774aa4a8f zulip: dont ship 2024-05-13 22:45:33 +00:00
6c6d11578e cross: fix curl-impersonate-chome build 2024-05-13 22:45:33 +00:00
f33e960bdf cross: gnome-keyring: patch via nixpkgs patch instead of override 2024-05-13 22:45:33 +00:00
14202a5bcc neovim: wrap in such a way as to avoid cross-compilation-specific patching 2024-05-13 22:45:33 +00:00
3d2babf2bb overlays/cross: sync upstreaming status 2024-05-13 22:45:33 +00:00
9d51b2ecc7 nixpatches: stop applying patches i dont need 2024-05-13 22:45:33 +00:00
0b855efb5f nixpkgs: bump; nixpkgs-wayland: bump
```
• Updated input 'nixpkgs-next-unpatched':
    'github:nixos/nixpkgs/6a217e9b1d39415076c7a6cfc44be5e935e7a839' (2024-05-13)
  → 'github:nixos/nixpkgs/eda36d7cf3391ad06097009b08822fb74acd5e00' (2024-05-13)
• Updated input 'nixpkgs-unpatched':
    'github:nixos/nixpkgs/6bc8c8a7ac13182ee24a5e2caab7ad739f1c55c5' (2024-05-13)
  → 'github:nixos/nixpkgs/0a949cf2618e8eab83aa008f1f8e03db137ed36c' (2024-05-13)
• Updated input 'nixpkgs-wayland':
    'github:nix-community/nixpkgs-wayland/5f7272dff81558143f93e2cb32189a52ef965892' (2024-05-13)
  → 'github:nix-community/nixpkgs-wayland/ed18785b8816fa878bdd9df7f2e8722695401ef8' (2024-05-13)
```
2024-05-13 22:45:33 +00:00
2ae286ff75 nixpkgs: 2024-05-08 -> 2024-05-13, nixpkgs-wayland, sops-nix
```
• Updated input 'nixpkgs-next-unpatched':
    'github:nixos/nixpkgs/c8e3f684443d7c2875ff169f6ef2533534105e7b' (2024-05-08)
  → 'github:nixos/nixpkgs/6a217e9b1d39415076c7a6cfc44be5e935e7a839' (2024-05-13)
• Updated input 'nixpkgs-unpatched':
    'github:nixos/nixpkgs/a751e2faa2fc94c1337c32aaf6a6e417afe90be9' (2024-05-08)
  → 'github:nixos/nixpkgs/6bc8c8a7ac13182ee24a5e2caab7ad739f1c55c5' (2024-05-13)
• Updated input 'nixpkgs-wayland':
    'github:nix-community/nixpkgs-wayland/7dc8fb2aa7db995ac1ce2a8f2f8d8784b2af591c' (2024-05-08)
  → 'github:nix-community/nixpkgs-wayland/5f7272dff81558143f93e2cb32189a52ef965892' (2024-05-13)
• Updated input 'nixpkgs-wayland/lib-aggregate':
    'github:nix-community/lib-aggregate/26fabca301e1133abd3d9192b1bcb6fb45b30f1d' (2024-05-05)
  → 'github:nix-community/lib-aggregate/09883ca828e8cfaacdb09e29190a7b84ad1d9925' (2024-05-12)
• Updated input 'nixpkgs-wayland/lib-aggregate/nixpkgs-lib':
    'github:nix-community/nixpkgs.lib/4b620020fd73bdd5104e32c702e65b60b6869426' (2024-05-05)
  → 'github:nix-community/nixpkgs.lib/58e03b95f65dfdca21979a081aa62db0eed6b1d8' (2024-05-12)
• Updated input 'nixpkgs-wayland/nix-eval-jobs':
    'github:nix-community/nix-eval-jobs/7b6640f2a10701bf0db16aff048070f400e8ea7c' (2024-04-23)
  → 'github:nix-community/nix-eval-jobs/63154bdfb22091041b307d17863bdc0e01a32a00' (2024-05-09)
• Updated input 'nixpkgs-wayland/nix-eval-jobs/nixpkgs':
    'github:NixOS/nixpkgs/1e1dc66fe68972a76679644a5577828b6a7e8be4' (2024-04-22)
  → 'github:NixOS/nixpkgs/ad7efee13e0d216bf29992311536fce1d3eefbef' (2024-05-06)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/893e3df091f6838f4f9d71c61ab079d5c5dedbd1' (2024-05-06)
  → 'github:Mic92/sops-nix/b6cb5de2ce57acb10ecdaaf9bbd62a5ff24fa02e' (2024-05-12)
• Updated input 'sops-nix/nixpkgs-stable':
    'github:NixOS/nixpkgs/b980b91038fc4b09067ef97bbe5ad07eecca1e76' (2024-05-04)
  → 'github:NixOS/nixpkgs/8e47858badee5594292921c2668c11004c3b0142' (2024-05-11)
```
2024-05-13 22:45:33 +00:00
41 changed files with 285 additions and 365 deletions


@ -61,11 +61,11 @@
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1714910950,
"narHash": "sha256-gaq5bphSsY+htEXFDkImOrH3MVCkxFTvCiwdCJj096E=",
"lastModified": 1715515815,
"narHash": "sha256-yaLScMHNFCH6SbB0HSA/8DWDgK0PyOhCXoFTdHlWkhk=",
"owner": "nix-community",
"repo": "lib-aggregate",
"rev": "26fabca301e1133abd3d9192b1bcb6fb45b30f1d",
"rev": "09883ca828e8cfaacdb09e29190a7b84ad1d9925",
"type": "github"
},
"original": {
@ -99,11 +99,11 @@
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1713858845,
"narHash": "sha256-StJq7Zy+/iVBUAKFzhHWlsirFucZ3gNtzXhAYXAsNnw=",
"lastModified": 1715248291,
"narHash": "sha256-npC9Swu4VIlRIiEP0XFGoIukd6vOufS/M3PdHk6rQpc=",
"owner": "nix-community",
"repo": "nix-eval-jobs",
"rev": "7b6640f2a10701bf0db16aff048070f400e8ea7c",
"rev": "63154bdfb22091041b307d17863bdc0e01a32a00",
"type": "github"
},
"original": {
@ -136,11 +136,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1713805509,
"narHash": "sha256-YgSEan4CcrjivCNO5ZNzhg7/8ViLkZ4CB/GrGBVSudo=",
"lastModified": 1715037484,
"narHash": "sha256-OUt8xQFmBU96Hmm4T9tOWTu4oCswCzoVl+pxSq/kiFc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "1e1dc66fe68972a76679644a5577828b6a7e8be4",
"rev": "ad7efee13e0d216bf29992311536fce1d3eefbef",
"type": "github"
},
"original": {
@ -152,11 +152,11 @@
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1714870069,
"lastModified": 1715474941,
"narHash": "sha256-CNCqCGOHdxuiVnVkhTpp2WcqSSmSfeQjubhDOcgwGjU=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "4b620020fd73bdd5104e32c702e65b60b6869426",
"rev": "58e03b95f65dfdca21979a081aa62db0eed6b1d8",
"type": "github"
},
"original": {
@ -167,11 +167,11 @@
},
"nixpkgs-next-unpatched": {
"locked": {
"lastModified": 1715148084,
"narHash": "sha256-arUW5NSCMy7K8uO+1ODJqyptf71HP69XbJlSuf361rI=",
"lastModified": 1715601680,
"narHash": "sha256-Gmz6U8NMZVVnP6AGX4sMl4X6RcQBASPl/2Gj9R5k1Pk=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "c8e3f684443d7c2875ff169f6ef2533534105e7b",
"rev": "eda36d7cf3391ad06097009b08822fb74acd5e00",
"type": "github"
},
"original": {
@ -183,11 +183,11 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1714858427,
"narHash": "sha256-tCxeDP4C1pWe2rYY3IIhdA40Ujz32Ufd4tcrHPSKx2M=",
"lastModified": 1715458492,
"narHash": "sha256-q0OFeZqKQaik2U8wwGDsELEkgoZMK7gvfF6tTXkpsqE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b980b91038fc4b09067ef97bbe5ad07eecca1e76",
"rev": "8e47858badee5594292921c2668c11004c3b0142",
"type": "github"
},
"original": {
@ -199,11 +199,11 @@
},
"nixpkgs-unpatched": {
"locked": {
"lastModified": 1715156971,
"narHash": "sha256-sEgAH6EkkQf5Aux4JT5HvdKWia0ryePYI0RhioskVS8=",
"lastModified": 1715616096,
"narHash": "sha256-rxh2XECb5hRzgNR4Xqj3aAjg6821LmNTVRfF6sUW6fI=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "a751e2faa2fc94c1337c32aaf6a6e417afe90be9",
"rev": "0a949cf2618e8eab83aa008f1f8e03db137ed36c",
"type": "github"
},
"original": {
@ -223,11 +223,11 @@
]
},
"locked": {
"lastModified": 1715156333,
"narHash": "sha256-8V09AxlIyKh8maX5/fAo8JuijEu9KM1DVlPscxzmKsk=",
"lastModified": 1715609745,
"narHash": "sha256-z2lQ7G1AxljvYeqrHWjc1ctOI4QZP06vPtvLYJWfZSc=",
"owner": "nix-community",
"repo": "nixpkgs-wayland",
"rev": "7dc8fb2aa7db995ac1ce2a8f2f8d8784b2af591c",
"rev": "ed18785b8816fa878bdd9df7f2e8722695401ef8",
"type": "github"
},
"original": {
@ -254,11 +254,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1715035358,
"narHash": "sha256-RY6kqhpCPa/q3vbqt3iYRyjO3hJz9KZnshMjbpPon8o=",
"lastModified": 1715482972,
"narHash": "sha256-y1uMzXNlrVOWYj1YNcsGYLm4TOC2aJrwoUY1NjQs9fM=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "893e3df091f6838f4f9d71c61ab079d5c5dedbd1",
"rev": "b6cb5de2ce57acb10ecdaaf9bbd62a5ff24fa02e",
"type": "github"
},
"original": {


@ -121,7 +121,7 @@
nixpkgs.hostPlatform.system = target;
})
(optionalAttrs (variant == "light") {
sane.maxBuildCost = 1;
sane.maxBuildCost = 2;
})
(optionalAttrs (variant == "min") {
sane.maxBuildCost = 0;


@ -30,6 +30,8 @@
});
};
buildCost = 1;
sandbox.method = "bwrap";
sandbox.whitelistWayland = true;


@ -215,6 +215,7 @@ in
backblaze-b2 = {};
blanket.buildCost = 1;
blanket.sandbox.method = "bwrap";
blanket.sandbox.whitelistAudio = true;
# blanket.sandbox.whitelistDbus = [ "user" ]; # TODO: untested
@ -267,13 +268,14 @@ in
ddrescue.sandbox.method = "landlock"; # TODO:sandbox: untested
ddrescue.sandbox.autodetectCliPaths = "existingOrParent";
# auth token, preferences
delfin.buildCost = 1;
delfin.sandbox.method = "bwrap";
delfin.sandbox.whitelistAudio = true;
delfin.sandbox.whitelistDbus = [ "user" ]; # else `mpris` plugin crashes the player
delfin.sandbox.whitelistDri = true;
delfin.sandbox.whitelistWayland = true;
delfin.sandbox.net = "clearnet";
# auth token, preferences
delfin.persist.byStore.private = [ ".config/delfin" ];
dig.sandbox.method = "bwrap";
@ -314,11 +316,13 @@ in
eg25-control = {};
electrum.buildCost = 1;
electrum.sandbox.method = "bwrap"; # TODO:sandbox: untested
electrum.sandbox.net = "all"; # TODO: probably want to make this run behind a VPN, always
electrum.sandbox.whitelistWayland = true;
electrum.persist.byStore.cryptClearOnBoot = [ ".electrum" ]; #< TODO: use XDG dirs!
endless-sky.buildCost = 1;
endless-sky.persist.byStore.plaintext = [ ".local/share/endless-sky" ];
endless-sky.sandbox.method = "bwrap";
endless-sky.sandbox.whitelistAudio = true;
@ -357,6 +361,7 @@ in
".persist/plaintext"
];
ffmpeg.buildCost = 1;
ffmpeg.sandbox.method = "bwrap";
ffmpeg.sandbox.autodetectCliPaths = "existingFileOrParent"; # it outputs uncreated files -> parent dir needs mounting
@ -374,6 +379,7 @@ in
fluffychat-moby.persist.byStore.plaintext = [ ".local/share/chat.fluffy.fluffychat" ];
font-manager.buildCost = 1;
font-manager.sandbox.method = "bwrap";
font-manager.sandbox.whitelistWayland = true;
font-manager.packageUnwrapped = pkgs.rmDbusServicesInPlace (pkgs.font-manager.override {
@ -410,6 +416,7 @@ in
# TODO: we can populate gh's stuff statically; it even lets us use the same oauth across machines
gh.persist.byStore.private = [ ".config/gh" ];
gimp.buildCost = 1;
gimp.sandbox.method = "bwrap";
gimp.sandbox.whitelistX = true;
gimp.sandbox.whitelistWayland = true;
@ -429,18 +436,22 @@ in
"/tmp" # "Cannot open display:" if it can't mount /tmp 👀
];
"gnome.gnome-calculator".buildCost = 1;
"gnome.gnome-calculator".sandbox.method = "bwrap";
"gnome.gnome-calculator".sandbox.whitelistWayland = true;
"gnome.gnome-calendar".buildCost = 1;
# gnome-calendar surely has data to persist, but i use it strictly to do date math, not track events.
"gnome.gnome-calendar".sandbox.method = "bwrap";
"gnome.gnome-calendar".sandbox.whitelistWayland = true;
"gnome.gnome-clocks".buildCost = 1;
"gnome.gnome-clocks".sandbox.method = "bwrap";
"gnome.gnome-clocks".sandbox.whitelistWayland = true;
"gnome.gnome-clocks".suggestedPrograms = [ "dconf" ];
# gnome-disks
"gnome.gnome-disk-utility".buildCost = 1;
"gnome.gnome-disk-utility".sandbox.method = "bwrap";
"gnome.gnome-disk-utility".sandbox.whitelistDbus = [ "system" ];
"gnome.gnome-disk-utility".sandbox.whitelistWayland = true;
@ -451,15 +462,18 @@ in
];
# seahorse: dump gnome-keyring secrets.
"gnome.seahorse".buildCost = 1;
# N.B.: it can also manage ~/.ssh keys, but i explicitly don't add those to the sandbox for now.
"gnome.seahorse".sandbox.method = "bwrap";
"gnome.seahorse".sandbox.whitelistDbus = [ "user" ];
"gnome.seahorse".sandbox.whitelistWayland = true;
gnome-2048.buildCost = 1;
gnome-2048.sandbox.method = "bwrap";
gnome-2048.sandbox.whitelistWayland = true;
gnome-2048.persist.byStore.plaintext = [ ".local/share/gnome-2048/scores" ];
gnome-frog.buildCost = 1;
gnome-frog.sandbox.method = "bwrap";
gnome-frog.sandbox.whitelistWayland = true;
gnome-frog.sandbox.whitelistDbus = [ "user" ];
@ -486,6 +500,7 @@ in
# 1. no number may appear unshaded more than once in the same row/column
# 2. no two shaded tiles can be direct N/S/E/W neighbors
# - win once (1) and (2) are satisfied
"gnome.hitori".buildCost = 1;
"gnome.hitori".sandbox.method = "bwrap";
"gnome.hitori".sandbox.whitelistWayland = true;
@ -515,6 +530,7 @@ in
grim.sandbox.autodetectCliPaths = "existingOrParent";
grim.sandbox.whitelistWayland = true;
hase.buildCost = 1;
hase.sandbox.method = "bwrap";
hase.sandbox.net = "clearnet";
hase.sandbox.whitelistAudio = true;
@ -535,6 +551,7 @@ in
# N.B.: inetutils' `ping` is shadowed by iputils' ping (by nixos, intentionally).
inetutils.sandbox.method = "landlock"; # want to keep the same netns, at least.
inkscape.buildCost = 1;
inkscape.sandbox.method = "bwrap";
inkscape.sandbox.whitelistWayland = true;
inkscape.sandbox.extraHomePaths = [
@ -586,6 +603,7 @@ in
"/proc"
];
krita.buildCost = 1;
krita.sandbox.method = "bwrap";
krita.sandbox.whitelistWayland = true;
krita.sandbox.autodetectCliPaths = "existing";
@ -606,6 +624,7 @@ in
libnotify.sandbox.method = "bwrap";
libnotify.sandbox.whitelistDbus = [ "user" ]; # notify-send
losslesscut-bin.buildCost = 1;
losslesscut-bin.sandbox.method = "bwrap";
losslesscut-bin.sandbox.extraHomePaths = [
"Music"
@ -630,6 +649,7 @@ in
mercurial.sandbox.whitelistPwd = true;
# actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
monero-gui.buildCost = 1;
# XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
monero-gui.persist.byStore.plaintext = [ ".bitmonero" ];
monero-gui.sandbox.method = "bwrap";
@ -638,6 +658,7 @@ in
"records/finance/cryptocurrencies/monero"
];
mumble.buildCost = 1;
mumble.persist.byStore.private = [ ".local/share/Mumble" ];
nano.sandbox.method = "bwrap";
@ -741,6 +762,7 @@ in
pulsemixer.sandbox.method = "landlock";
pulsemixer.sandbox.whitelistAudio = true;
pwvucontrol.buildCost = 1;
pwvucontrol.sandbox.method = "bwrap";
pwvucontrol.sandbox.whitelistAudio = true;
pwvucontrol.sandbox.whitelistDri = true; # else perf on moby is unusable
@ -758,7 +780,7 @@ in
];
qemu.sandbox.enable = false; #< it's a launcher
qemu.buildCost = 1;
qemu.buildCost = 2;
rsync.sandbox.method = "bwrap";
rsync.sandbox.net = "clearnet";
@ -776,6 +798,7 @@ in
sequoia.sandbox.whitelistPwd = true;
sequoia.sandbox.autodetectCliPaths = true;
shattered-pixel-dungeon.buildCost = 1;
shattered-pixel-dungeon.persist.byStore.plaintext = [ ".local/share/.shatteredpixel/shattered-pixel-dungeon" ];
shattered-pixel-dungeon.sandbox.method = "bwrap";
shattered-pixel-dungeon.sandbox.whitelistAudio = true;
@ -783,6 +806,7 @@ in
shattered-pixel-dungeon.sandbox.whitelistWayland = true;
# printer/filament settings
slic3r.buildCost = 1;
slic3r.persist.byStore.plaintext = [ ".Slic3r" ];
slurp.sandbox.method = "bwrap";
@ -803,6 +827,7 @@ in
"knowledge"
];
soundconverter.buildCost = 1;
soundconverter.sandbox.method = "bwrap";
soundconverter.sandbox.whitelistWayland = true;
soundconverter.sandbox.extraHomePaths = [
@ -820,6 +845,7 @@ in
sox.sandbox.autodetectCliPaths = "existingFileOrParent";
sox.sandbox.whitelistAudio = true;
space-cadet-pinball.buildCost = 1;
space-cadet-pinball.persist.byStore.plaintext = [ ".local/share/SpaceCadetPinball" ];
space-cadet-pinball.sandbox.method = "bwrap";
space-cadet-pinball.sandbox.whitelistAudio = true;
@ -840,6 +866,7 @@ in
subversion.sandbox.whitelistPwd = true;
sudo.sandbox.enable = false;
superTux.buildCost = 1;
superTux.sandbox.method = "bwrap";
superTux.sandbox.wrapperType = "inplace"; # package Makefile incorrectly installs to $out/games/superTux instead of $out/share/games
superTux.sandbox.whitelistAudio = true;
@ -858,12 +885,14 @@ in
tdesktop.persist.byStore.private = [ ".local/share/TelegramDesktop" ];
tokodon.buildCost = 1;
tokodon.persist.byStore.private = [ ".cache/KDE/tokodon" ];
tree.sandbox.method = "landlock";
tree.sandbox.autodetectCliPaths = true;
tree.sandbox.whitelistPwd = true;
tumiki-fighters.buildCost = 1;
tumiki-fighters.sandbox.method = "bwrap";
tumiki-fighters.sandbox.whitelistAudio = true;
tumiki-fighters.sandbox.whitelistDri = true; #< not strictly necessary, but triples CPU perf
@ -882,6 +911,7 @@ in
"/sys/bus/usb"
];
valgrind.buildCost = 1;
valgrind.sandbox.enable = false; #< it's a launcher: can't sandbox
visidata.sandbox.method = "bwrap"; # TODO:sandbox: untested
@ -890,6 +920,7 @@ in
# `vulkaninfo`, `vkcube`
vulkan-tools.sandbox.method = "landlock";
vvvvvv.buildCost = 1;
vvvvvv.sandbox.method = "bwrap";
vvvvvv.sandbox.whitelistAudio = true;
vvvvvv.sandbox.whitelistDri = true; #< playable without, but burns noticably more CPU
@ -910,6 +941,7 @@ in
wget.sandbox.net = "all";
wget.sandbox.whitelistPwd = true; # saves to pwd by default
whalebird.buildCost = 1;
whalebird.persist.byStore.private = [ ".config/Whalebird" ];
# `wg`, `wg-quick`


@ -14,6 +14,8 @@
};
};
buildCost = 1;
sandbox.method = "bwrap";
sandbox.whitelistAudio = true;
sandbox.whitelistWayland = true;


@ -1,6 +1,8 @@
{ ... }:
{
sane.programs.celeste64 = {
buildCost = 1;
sandbox.method = "bwrap";
sandbox.whitelistAudio = true;
sandbox.whitelistDri = true;


@ -13,6 +13,8 @@
'';
});
buildCost = 1;
sandbox.method = "bwrap"; # landlock gives: _multiprocessing.SemLock: Permission Denied
sandbox.whitelistAudio = true;
sandbox.whitelistDbus = [ "user" ]; # mpris


@ -1,15 +1,6 @@
{ pkgs, ... }:
{
sane.programs.dialect = {
sandbox.method = "bwrap";
sandbox.wrapperType = "inplace"; # share/search_providers/ calls back into the binary, weird wrap semantics
sandbox.whitelistWayland = true;
sandbox.net = "clearnet";
sandbox.extraHomePaths = [
".config/dconf" # won't start without it
];
suggestedPrograms = [ "dconf" ]; #< to persist settings
packageUnwrapped = pkgs.dialect.overrideAttrs (upstream: {
# TODO: send upstream
# TODO: figure out how to get audio working
@ -18,5 +9,17 @@
pkgs.glib-networking # for TLS
];
});
suggestedPrograms = [ "dconf" ]; #< to persist settings
buildCost = 1;
sandbox.method = "bwrap";
sandbox.wrapperType = "inplace"; # share/search_providers/ calls back into the binary, weird wrap semantics
sandbox.whitelistWayland = true;
sandbox.net = "clearnet";
sandbox.extraHomePaths = [
".config/dconf" # won't start without it
];
};
}


@ -25,6 +25,8 @@
"gnome-keyring"
];
buildCost = 1;
sandbox.method = "bwrap";
sandbox.net = "clearnet";
sandbox.whitelistAudio = true;


@ -23,7 +23,7 @@
"tmp"
];
buildCost = 1;
buildCost = 2;
# XXX(2023/07/08): running on moby without `WEBKIT_DISABLE_SANDBOX...` fails, with:
# - `bwrap: Can't make symlink at /var/run: File exists`


@ -1,6 +1,8 @@
{ ... }:
{
sane.programs.evince = {
buildCost = 1;
sandbox.method = "bwrap";
sandbox.autodetectCliPaths = true;
sandbox.whitelistWayland = true;


@ -2,11 +2,6 @@
{ pkgs, ... }:
{
sane.programs.frozen-bubble = {
sandbox.method = "bwrap";
sandbox.net = "clearnet"; # net play
sandbox.whitelistAudio = true;
sandbox.whitelistWayland = true;
packageUnwrapped = pkgs.frozen-bubble.overrideAttrs (upstream: {
# patch so it stores its dot-files not in root ~.
postPatch = (upstream.postPatch or "") + ''
@ -14,6 +9,12 @@
--replace-fail '$FBHOME = "$ENV{HOME}/.frozen-bubble"' '$FBHOME = "$ENV{HOME}/.local/share/frozen-bubble"'
'';
});
buildCost = 1;
sandbox.method = "bwrap";
sandbox.net = "clearnet"; # net play
sandbox.whitelistAudio = true;
sandbox.whitelistWayland = true;
persist.byStore.plaintext = [
".local/share/frozen-bubble" # preferences, high scores


@ -8,6 +8,8 @@
{ ... }:
{
sane.programs.g4music = {
buildCost = 1;
sandbox.method = "bwrap";
sandbox.whitelistAudio = true;
sandbox.whitelistDbus = [ "user" ]; # mpris


@ -37,7 +37,7 @@ in
# fs.".config/geary".dir = {};
# fs.".local/share/folks".dir = {};
buildCost = 2; # uses webkitgtk 4.1
buildCost = 3; # uses webkitgtk 4.1
persist.byStore.private = [
# attachments, and email -- contained in a sqlite db
".local/share/geary"


@ -3,6 +3,8 @@
{ ... }:
{
sane.programs."gnome.gnome-weather" = {
buildCost = 1;
sandbox.method = "bwrap";
sandbox.wrapperType = "inplace"; #< /share/org.gnome.Weather/org.gnome.Weather file refers to bins by full path
sandbox.whitelistWayland = true;


@ -1,6 +1,8 @@
{ pkgs, ... }:
{
sane.programs.handbrake = {
buildCost = 1;
sandbox.method = "landlock"; #< also supports bwrap, but landlock ensures we don't write to non-mounted tmpfs dir
sandbox.whitelistDbus = [ "user" ]; # notifications
sandbox.whitelistWayland = true;


@ -1,6 +1,8 @@
{ pkgs, ... }:
{
sane.programs.imagemagick = {
buildCost = 1;
sandbox.method = "bwrap";
sandbox.wrapperType = "inplace"; # /etc/ImageMagick-7/delegates.xml refers to bins by absolute path
sandbox.whitelistPwd = true;


@ -1,6 +1,15 @@
{ pkgs, ... }:
{
sane.programs.kdenlive = {
packageUnwrapped = pkgs.kdenlive.override {
ffmpeg-full = pkgs.ffmpeg-full.override {
# avoid expensive samba build for a feature i don't use
withSamba = false;
};
};
buildCost = 1;
sandbox.method = "bwrap";
sandbox.extraHomePaths = [
"Music"
@ -14,12 +23,5 @@
sandbox.whitelistDbus = [ "user" ]; # notifications
sandbox.whitelistDri = true;
sandbox.whitelistWayland = true;
packageUnwrapped = pkgs.kdenlive.override {
ffmpeg-full = pkgs.ffmpeg-full.override {
# avoid expensive samba build for a feature i don't use
withSamba = false;
};
};
};
}


@ -16,7 +16,7 @@
sandbox.whitelistDri = true; #< required
sandbox.whitelistWayland = true;
buildCost = 1;
buildCost = 2;
secrets.".local/share/komikku/keyrings/plaintext.keyring" = ../../../secrets/common/komikku_accounts.json.bin;
# downloads end up here, and without the toplevel database komikku doesn't know they exist.


@ -1,6 +1,7 @@
{ ... }:
{
sane.programs.lemoa = {
buildCost = 1;
sandbox.method = "bwrap";
sandbox.net = "clearnet";
sandbox.whitelistDbus = [ "user" ]; # for clicking links


@ -16,7 +16,7 @@
"tmp"
];
buildCost = 2;
buildCost = 3;
# disable first-run stuff
fs.".config/libreoffice/4/user/registrymodifications.xcu".symlink.text = ''


@ -103,54 +103,61 @@ in
# "use"
];
# packageUnwrapped = config.programs.neovim.finalPackage;
packageUnwrapped = pkgs.wrapNeovimUnstable pkgs.neovim-unwrapped (pkgs.neovimUtils.makeNeovimConfig {
withRuby = false; #< doesn't cross-compile w/o binfmt
viAlias = true;
vimAlias = true;
plugins = plugin-packages;
customRC = ''
" let the terminal handle mouse events, that way i get OS-level ctrl+shift+c/etc
" this used to be default, until <https://github.com/neovim/neovim/pull/19290>
set mouse=
packageUnwrapped = let
configArgs = {
withRuby = false; #< doesn't cross-compile w/o binfmt
viAlias = true;
vimAlias = true;
plugins = plugin-packages;
customRC = ''
" let the terminal handle mouse events, that way i get OS-level ctrl+shift+c/etc
" this used to be default, until <https://github.com/neovim/neovim/pull/19290>
set mouse=
" copy/paste to system clipboard
set clipboard=unnamedplus
" copy/paste to system clipboard
set clipboard=unnamedplus
" screw tabs; always expand them into spaces
set expandtab
" screw tabs; always expand them into spaces
set expandtab
" at least don't open files with sections folded by default
set nofoldenable
" at least don't open files with sections folded by default
set nofoldenable
" allow text substitutions for certain glyphs.
" higher number = more aggressive substitution (0, 1, 2, 3)
" i only make use of this for tex, but it's unclear how to
" apply that *just* to tex and retain the SyntaxRange stuff.
set conceallevel=2
" allow text substitutions for certain glyphs.
" higher number = more aggressive substitution (0, 1, 2, 3)
" i only make use of this for tex, but it's unclear how to
" apply that *just* to tex and retain the SyntaxRange stuff.
set conceallevel=2
" horizontal rule under the active line
" set cursorline
" horizontal rule under the active line
" set cursorline
" highlight trailing space & related syntax errors (doesn't seem to work??)
" let c_space_errors=1
" let python_space_errors=1
" highlight trailing space & related syntax errors (doesn't seem to work??)
" let c_space_errors=1
" let python_space_errors=1
" enable highlighting of leading/trailing spaces,
" and especially tabs
" source: https://www.reddit.com/r/neovim/comments/chlmfk/highlight_trailing_whitespaces_in_neovim/
set list
set listchars=tab:\·,trail:·,extends:,precedes:,nbsp:
" enable highlighting of leading/trailing spaces,
" and especially tabs
" source: https://www.reddit.com/r/neovim/comments/chlmfk/highlight_trailing_whitespaces_in_neovim/
set list
set listchars=tab:\·,trail:·,extends:,precedes:,nbsp:
""""" PLUGIN CONFIG (vim)
${plugin-config-viml}
""""" PLUGIN CONFIG (vim)
${plugin-config-viml}
""""" PLUGIN CONFIG (lua)
lua <<EOF
${plugin-config-lua}
EOF
'';
});
""""" PLUGIN CONFIG (lua)
lua <<EOF
${plugin-config-lua}
EOF
'';
};
in pkgs.wrapNeovimUnstable
pkgs.neovim-unwrapped
# XXX(2024/05/13): manifestRc must be null for cross-compilation to work.
# wrapper invokes `neovim` with all plugins enabled at build time i guess to generate caches and stuff?
# alternative is to emulate `nvim-wrapper` during build.
((pkgs.neovimUtils.makeNeovimConfig configArgs) // { manifestRc = null; })
;
# private because there could be sensitive things in the swap
persist.byStore.private = [ ".cache/vim-swap" ];
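Review bot: The `manifestRc = null` override in the line after the XXX comment is applied unconditionally, while the comment motivates it only by cross-compilation, so native builds also skip whatever the manifest step did for them. If that step is wanted when the build platform can run the result, gate it on the platform pair: bind `cfg = pkgs.neovimUtils.makeNeovimConfig configArgs;` inside the `let`, then pass `cfg // (if pkgs.stdenv.buildPlatform.canExecute pkgs.stdenv.hostPlatform then {} else { manifestRc = null; })` to `pkgs.wrapNeovimUnstable`. The comment's "i guess" also leaves the real reason unrecorded; once confirmed, replace that sentence with the plain statement of what the wrapper executes at build time and why that cannot run under cross-compilation. The `packageUnwrapped` attribute sits inside an attribute set whose start and end lie outside the hunk.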


@ -13,7 +13,7 @@ let
wanted-feeds = feeds.filterByFormat [ "text" "image" "podcast" "video" ] all-feeds;
in {
sane.programs.newsflash = {
buildCost = 1; # mainly for desktop: webkitgtk-6.0
buildCost = 2; # mainly for desktop: webkitgtk-6.0
persist.byStore.plaintext = [ ".local/share/news-flash" ];
fs.".config/newsflashFeeds.opml".symlink.text =
feeds.feedsToOpml wanted-feeds


@ -10,6 +10,6 @@
".local/share/io.github.alainm23.planify"
];
buildCost = 1; # webkitgtk-6.0; slow for desktop
buildCost = 2; # webkitgtk-6.0; slow for desktop
};
}


@ -1,6 +1,8 @@
{ ... }:
{
sane.programs.spot = {
buildCost = 1;
sandbox.method = "bwrap";
sandbox.net = "clearnet";
sandbox.whitelistAudio = true;


@ -21,6 +21,8 @@ let
in
{
sane.programs.stepmania = {
buildCost = 1;
sandbox.method = "bwrap";
sandbox.wrapperType = "inplace"; #< non-standard packaging; binary lives at $out/stepmania-5.1/stepmania (not even in an /opt dir)
sandbox.whitelistAudio = true;


@ -1,6 +1,8 @@
{ ... }:
{
sane.programs.superTuxKart = {
buildCost = 1;
sandbox.method = "bwrap";
sandbox.net = "clearnet"; # net play
sandbox.whitelistAudio = true;


@ -27,7 +27,7 @@ in
'' + (upstream.preFixup or "");
});
buildCost = 1;
buildCost = 2;
sandbox.method = "bwrap";
sandbox.net = "clearnet";


@ -1,6 +1,8 @@
{ ... }:
{
sane.programs.tuba = {
buildCost = 1;
sandbox.method = "bwrap";
sandbox.net = "clearnet";
sandbox.whitelistAudio = true;


@ -20,7 +20,7 @@
"/sys/devices"
];
buildCost = 1;
buildCost = 2;
# wike probably meant to put everything here in a subdir, but didn't.
# see: <https://github.com/hugolabe/Wike/issues/176>


@ -13,6 +13,6 @@ in
];
fs.".config/wireshark".dir = {};
buildCost = 1;
buildCost = 2;
};
}


@ -5,6 +5,7 @@
# unar doesn't cross compile well, so disable support for it
unar = null;
};
buildCost = 1;
sandbox.method = "bwrap";
sandbox.whitelistWayland = true;


@ -1,6 +1,7 @@
{ ... }:
{
sane.programs.zathura = {
buildCost = 1;
sandbox.method = "bwrap";
sandbox.wrapperType = "inplace"; #< wrapper sets ZATHURA_PLUGINS_PATH to $out/lib/...
sandbox.whitelistDri = true;


@ -15,7 +15,7 @@ in {
sane.programs.zeal = {
# packageUnwrapped = pkgs.zeal-qt6; #< TODO: upgrade system to qt6 versions of everything (i.e. jellyfin-media-player, nheko)
packageUnwrapped = pkgs.zeal-qt5;
buildCost = 2;
buildCost = 3;
persist.byStore.plaintext = [
".cache/Zeal"
".local/share/Zeal"


@ -79,7 +79,7 @@ in
# "gnome.gnome-system-monitor"
# "gnome.gnome-terminal" # works on phosh
"gnome.gnome-weather"
"gnome.seahorse" # keyring/secret manager
# "gnome.seahorse" # keyring/secret manager
"gnome-frog" # OCR/QR decoder
"gpodder"
# "gthumb"
@ -159,7 +159,7 @@ in
"libreoffice" # TODO: replace with an office suite that uses saner packaging?
"losslesscut-bin" # x86-only
# "makemkv" # x86-only
"monero-gui" # x86-only
# "monero-gui" # x86-only
# "mumble"
# "nheko" # Matrix chat client
# "nicotine-plus" # soulseek client. before re-enabling this, get it to run without firejail.
@ -175,7 +175,7 @@ in
"wireshark" # could maybe ship the cli as sysadmin pkg
# "xterm" # requires Xwayland
# "zecwallet-lite" # x86-only
"zulip"
# "zulip"
]
);
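Review bot: The three entries commented out in this section (`"gnome.seahorse"`, `"monero-gui"`, `"zulip"`, one per hunk) keep their original descriptions but record no reason for being disabled, whereas neighbouring disabled entries such as `# "makemkv" # x86-only` do. Suggest appending the reason to each, e.g. `# "gnome.seahorse" # keyring/secret manager; disabled: <reason>`, so the entry can be re-enabled later without digging through history. The same applies to the second and third hunks of this section.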


@ -297,11 +297,15 @@ let
'';
};
buildCost = mkOption {
type = types.enum [ 0 1 2 ];
type = types.enum [ 0 1 2 3 ];
default = 0;
description = ''
whether this package is very slow, or has unique dependencies which are very slow to build.
marking packages like this can be used to achieve faster, but limited, rebuilds/deploys (by omitting the package).
- 0: this package is necessary for baseline usability
- 1: this package is a nice-to-have, and not too costly to build
- 2: this package is a nice-to-have, but costly to build (e.g. `libreoffice`, some webkitgtk-based things)
- 3: this package is costly to build, and could go without (some lesser-used webkitgtk-based things)
'';
};
sandbox.net = mkOption {
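Review bot: The `description` still opens with `whether this package is very slow, or has unique dependencies which are very slow to build.`, which reads as a yes/no property even though the `type` on the line above is now a four-value enum, and the new level 3 line distinguishes itself from level 2 by dispensability ("could go without") rather than by cost, so a reader choosing between 2 and 3 has no stated criterion. Suggest opening with `how costly this package is to build, and how dispensable it is; higher values are omitted first by hosts with a lower maxBuildCost.` and phrasing the level 2 line as the level for costly packages that a light build should still include, so that the 2/3 split matches the `sane.maxBuildCost` cut-offs used by the host variants in this change.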


@ -5,7 +5,6 @@
./dyn-dns.nix
./eg25-manager.nix
./kiwix-serve.nix
./mautrix-signal.nix
./nixserve.nix
./trust-dns.nix
];


@ -1,207 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
# TODO: upstream these "optional-dependencies"
# - search that phrase in <nixpkgs:doc/languages-frameworks/python.section.md>
pkg = pkgs.mautrix-signal.overridePythonAttrs (super: {
propagatedBuildInputs = super.propagatedBuildInputs ++ (with pkgs.python3.pkgs; [
# these optional deps come from mautrix-signal's "optional-requirements.txt"
# #/e2be
# python-olm>=3,<4
# pycryptodome>=3,<4
# unpaddedbase64>=1,<3
# XXX: ^above already included in nixpkgs package
# #/metrics
# prometheus_client>=0.6,<0.17
# XXX: ^above already included in nixpkgs package
# #/formattednumbers
# phonenumbers>=8,<9
# XXX: ^above already included in nixpkgs package
# #/qrlink
# qrcode>=6,<8
# Pillow>=4,<10
# XXX: ^above already included in nixpkgs package
# #/stickers
# signalstickers-client>=3,<4
# #/sqlite
# aiosqlite>=0.16,<0.19
aiosqlite
]);
});
dataDir = "/var/lib/mautrix-signal";
registrationFile = "${dataDir}/signal-registration.yaml";
cfg = config.services.mautrix-signal;
settingsFormat = pkgs.formats.json {};
settingsFile =
settingsFormat.generate "mautrix-signal-config.json" cfg.settings;
in
{
options = {
services.mautrix-signal = {
enable = mkEnableOption (lib.mdDoc "Mautrix-Signal, a Matrix-Signal puppeting bridge");
settings = mkOption rec {
apply = recursiveUpdate default;
inherit (settingsFormat) type;
default = {
# defaults based on this upstream example config:
# - <https://github.com/mautrix/signal/blob/master/mautrix_signal/example-config.yaml>
homeserver = {
address = "http://localhost:8008";
software = "standard";
# domain = "SETME";
};
appservice = rec {
address = "http://${hostname}:${toString port}";
hostname = "localhost";
port = 29328;
database = "sqlite:///${dataDir}/mautrix-signal.db";
database_opts = {};
bot_username = "signalbot";
};
bridge = {
username_template = "signal_{userid}";
permissions."*" = "relay";
double_puppet_server_map = {};
login_shared_secret_map = {};
};
logging = {
version = 1;
formatters.precise.format = "[%(levelname)s@%(name)s] %(message)s";
handlers.console = {
class = "logging.StreamHandler";
formatter = "precise";
};
# log to console/systemd instead of file
root = {
level = "INFO";
handlers = ["console"];
};
};
};
example = literalExpression ''
{
homeserver = {
address = "http://localhost:8008";
domain = "mydomain.example";
};
bridge.permissions = {
"@admin:mydomain.example" = "admin";
"mydomain.example" = "user";
};
}
'';
description = lib.mdDoc ''
{file}`config.yaml` configuration as a Nix attribute set.
Configuration options should match those described in
[example-config.yaml](https://github.com/mautrix/signale/blob/master/mautrix_signal/example-config.yaml).
'';
};
environmentFile = mkOption {
type = types.nullOr types.path;
default = null;
description = lib.mdDoc ''
File containing environment variables to be passed to the mautrix-signal service,
in which secret tokens can be specified securely by defining values for e.g.
`MAUTRIX_SIGNAL_APPSERVICE_AS_TOKEN`,
`MAUTRIX_SIGNAL_APPSERVICE_HS_TOKEN`
These environment variables can also be used to set other options by
replacing hierarchy levels by `.`, converting the name to uppercase
and prepending `MAUTRIX_SIGNAL_`.
For example, the first value above maps to
{option}`settings.appservice.as_token`.
The environment variable values can be prefixed with `json::` to have
them be parsed as JSON. For example, `login_shared_secret_map` can be
set as follows:
`MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET_MAP=json::{"example.com":"secret"}`.
'';
};
serviceDependencies = mkOption {
type = with types; listOf str;
default = optional config.services.matrix-synapse.enable "matrix-synapse.service";
defaultText = literalExpression ''
optional config.services.matrix-synapse.enable "matrix-synapse.service"
'';
description = lib.mdDoc ''
List of Systemd services to require and wait for when starting the application service.
'';
};
};
};
config = mkIf cfg.enable {
users.groups.mautrix-signal = {};
users.users.mautrix-signal = {
group = "mautrix-signal";
isSystemUser = true;
};
systemd.services.mautrix-signal = {
description = "Mautrix-Signal, a Matrix-Signal puppeting bridge.";
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ] ++ cfg.serviceDependencies;
after = [ "network-online.target" ] ++ cfg.serviceDependencies;
path = [ pkgs.ffmpeg ]; # voice messages need `ffmpeg`
# environment.HOME = dataDir;
preStart = ''
# generate the appservice's registration file if absent
if [ ! -f '${registrationFile}' ]; then
${pkg}/bin/mautrix-signal \
--generate-registration \
--no-update \
--base-config='${pkg}/${pkg.pythonModule.sitePackages}/mautrix_signal/example-config.yaml' \
--config='${settingsFile}' \
--registration='${registrationFile}'
fi
'';
serviceConfig = {
Type = "simple";
Restart = "always";
User = "mautrix-signal";
ProtectSystem = "strict";
ProtectHome = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
PrivateTmp = true;
WorkingDirectory = pkg;
StateDirectory = baseNameOf dataDir;
UMask = "0027";
EnvironmentFile = cfg.environmentFile;
ExecStart = ''
${pkg}/bin/mautrix-signal \
--config='${settingsFile}' \
--no-update
'';
};
};
};
}


@ -32,11 +32,32 @@ in [
# etc, where "date" is like "20240228181608"
# and can be found with `nix-repl > :lf . > lastModifiedDate`
(fetchpatch' {
title = "curl-impersonate: fix darwin build and make cross-compilation work";
prUrl = "https://github.com/NixOS/nixpkgs/pull/310386";
hash = "sha256-feMOgQRrY2t7sYMjqXCo2WCe/J+Kr1ah+DznajQZsDM=";
})
(fetchpatch' {
title = "hyprland: fix cross compilation";
prUrl = "https://github.com/NixOS/nixpkgs/pull/311408";
hash = "sha256-OU5XT/BEmZu1TPXSLKfEgdkoGXRETvJ9dePCeHrFl6o=";
})
(fetchpatch' {
# TODO: send upstream after successful deployment
title = "gnome.gnome-keyring: support cross compilation";
# prUrl = "https://github.com/uninsane/nixpkgs/pull/new/pr-gnome-keyring-cross";
saneCommit = "56bc064c0fa39614dfd1048daae4a59e4131df56";
hash = "sha256-LZW3CNhcOU+YPTPt/4Ltxyiqo/6SdlIOQADmni4pDM4=";
})
(fetchpatch' {
# TODO: send upstream
title = "python3Packages.dbus-python: fix build when doInstallCheck=false";
saneCommit = "4d4d0310402b8a7f9273dff448522f01b722a60c";
hash = "sha256-3fAobeHbM/IHZzhfAqSKhPy1l28F6MbQBp8rSVX2Lrg=";
title = "python3Packages.dbus-python: fix cross";
prUrl = "https://github.com/NixOS/nixpkgs/pull/310609";
hash = "sha256-QCRCotIlHgJn4lo4Qdrh2cJMqqcVGLAE9WSJ4nCQvyk=";
merged.staging = "20240510160000";
})
# branch: wip-ffado-cross
@ -55,13 +76,39 @@ in [
hash = "sha256-53X4ssdp02C8NOUL5mlbhR7qwE9/KWp6iLmz1ljJopE=";
})
# 2024/02/25: still outstanding; merge conflicts
(fetchpatch' {
title = "libgweather: enable introspection on cross builds";
prUrl = "https://github.com/NixOS/nixpkgs/pull/251956";
hash = "sha256-IW+0u5lytIPU3xhgGtYgexXUrS2VFXAV6GC50jJS5ak=";
})
# 2024/02/25: still outstanding
# (fetchpatch' {
# title = "hspell: remove build perl from runtime closure";
# prUrl = "https://github.com/NixOS/nixpkgs/pull/263182";
# hash = "sha256-Wau+PB+EUQDvWX8Kycw1sNrM3GkPVjKSS4niIDI0sjM=";
# })
# (fetchpatch' {
# title = "gthumb: make the webservices feature be optional";
# prUrl = "https://github.com/NixOS/nixpkgs/pull/240602";
# saneCommit = "e83130f2770c314b2a482e1792b010da66cdd5de";
# hash = "sha256-GlYWpOVZvr0oFAs4RdSUf7LJD3FmGsCaTm32GPhbBfc=";
# })
# (fetchpatch' {
# # TODO: send for review once hspell fix is merged <https://github.com/NixOS/nixpkgs/pull/263182>
# # this patch works as-is, but hspell keeps a ref to build perl and thereby pollutes this closure as well.
# title = "gtkspell2: support cross compilation";
# saneCommit = "56348833b4411e9fe2016c24c7fc4af1e3c1d28a";
# hash = "sha256-RUw88u7CI2C1IpRUhGbdYamHsPT1jBV0ROyVvzLWdv8=";
# })
# (fetchpatch' {
# # TODO: send for review (it should be unblocked as of 2024/05/08)
# title = "pidgin: support cross compilation";
# saneCommit = "caacbcc54e217f5ee9281422777a7f712765f71a";
# hash = "sha256-UyZaNNp84zKShuo6zu0nfZ2FygHGcmV63Ww4Y4CtCF0=";
# })
# (fetchpatch' {
# title = "trust-dns: 0.23.0 -> 0.24.0";
# prUrl = "https://github.com/NixOS/nixpkgs/pull/262466";
@ -128,36 +175,10 @@ in [
# hash = "sha256-eTwEbVULYjmOW7zUFcTUqvBZqUFjHTKFhvmU2m3XQeo=";
# })
(fetchpatch' {
title = "gthumb: make the webservices feature be optional";
prUrl = "https://github.com/NixOS/nixpkgs/pull/240602";
saneCommit = "e83130f2770c314b2a482e1792b010da66cdd5de";
hash = "sha256-GlYWpOVZvr0oFAs4RdSUf7LJD3FmGsCaTm32GPhbBfc=";
})
(fetchpatch' {
# TODO: send for review once hspell fix is merged <https://github.com/NixOS/nixpkgs/pull/263182>
# this patch works as-is, but hspell keeps a ref to build perl and thereby pollutes this closure as well.
title = "gtkspell2: support cross compilation";
saneCommit = "56348833b4411e9fe2016c24c7fc4af1e3c1d28a";
hash = "sha256-RUw88u7CI2C1IpRUhGbdYamHsPT1jBV0ROyVvzLWdv8=";
})
(fetchpatch' {
# TODO: send for review (it should be unblocked as of 2024/05/08)
title = "pidgin: support cross compilation";
saneCommit = "caacbcc54e217f5ee9281422777a7f712765f71a";
hash = "sha256-UyZaNNp84zKShuo6zu0nfZ2FygHGcmV63Ww4Y4CtCF0=";
})
(fetchpatch' {
title = "libgweather: enable introspection on cross builds";
prUrl = "https://github.com/NixOS/nixpkgs/pull/251956";
hash = "sha256-IW+0u5lytIPU3xhgGtYgexXUrS2VFXAV6GC50jJS5ak=";
})
# for raspberry pi: allow building u-boot for rpi 4{,00}
# TODO: remove after upstreamed: https://github.com/NixOS/nixpkgs/pull/176018
# (it's a dupe of https://github.com/NixOS/nixpkgs/pull/112677 )
./02-rpi4-uboot.patch
# ./02-rpi4-uboot.patch
# (fetchpatch' {
# title = "gnustep: remove `rec` to support `overrideScope`";
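Review bot: `merged.staging = "20240510160000";` on the dbus-python entry looks like a rounded timestamp rather than the exact `lastModifiedDate` the header comment (`# and can be found with `nix-repl > :lf . > lastModifiedDate``) asks for. If fetchpatch' compares that value against the staging input's date to decide when the patch is already upstream and should be skipped, an approximate date could drop the patch one bump early or late, so the exact value from the input is worth recording. Separately, the commented `prUrl` on the gnome-keyring entry is a `pull/new/...` compare link rather than a PR URL, so it must not be uncommented as-is once the PR exists; a plain `# branch: pr-gnome-keyring-cross` comment until the real URL is known avoids that. The list these entries belong to begins and ends outside the hunk.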


@ -387,7 +387,7 @@ in with final; {
# });
# };
# 2024/02/27: upstreaming is unblocked
# 2024/05/13: upstreaming is unblocked; out for review: <https://github.com/NixOS/nixpkgs/pull/305241>
appstream = prev.appstream.overrideAttrs (upstream: {
# fixes: "Message: Native appstream required for cross-building"
# error introduced in:
@ -815,11 +815,12 @@ in with final; {
});
# 2024/05/08: fix: "meson.build:85:11: ERROR: Dependency "dbus-1" not found, tried pkgconfig".
# 2024/05/13: upstreaming is bloked by dbus-python (fixed in staging), appstream (out for PR)
gnome-online-accounts = mvToBuildInputs [ dbus ] prev.gnome-online-accounts;
gnome = prev.gnome.overrideScope (self: super: {
evolution-data-server = super.evolution-data-server.overrideAttrs (upstream: {
# 2023/12/08: upstreaming is unblocked, but depends on webkitgtk 4.1
# 2024/05/13: upstreaming is blocked by appstream (out for PR), libgweather (out for PR)
cmakeFlags = upstream.cmakeFlags ++ [
"-DCMAKE_CROSSCOMPILING_EMULATOR=${stdenv.hostPlatform.emulator buildPackages}"
"-DENABLE_TESTS=no"
@ -872,12 +873,13 @@ in with final; {
# fixes "subprojects/gvc/meson.build:30:0: ERROR: Program 'glib-mkenums mkenums' not found or not executable"
# gnome-control-center = mvToNativeInputs [ glib ] super.gnome-control-center;
gnome-keyring = super.gnome-keyring.overrideAttrs (orig: {
# 2024/02/27: upstreaming is unblocked
# this seems to work in practice, but leaves gkr with a reference to the build openssl, sqlite, xz, libxcrypt, glibc
# fixes "configure.ac:374: error: possibly undefined macro: AM_PATH_LIBGCRYPT"
nativeBuildInputs = orig.nativeBuildInputs ++ [ libgcrypt openssh glib ];
});
# gnome-keyring = super.gnome-keyring.overrideAttrs (orig: {
# # 2024/02/27: upstreaming is unblocked; implemented but not for PR
# # - <https://github.com/uninsane/nixpkgs/pull/new/pr-gnome-keyring-cross>
# # this seems to work in practice, but leaves gkr with a reference to the build openssl, sqlite, xz, libxcrypt, glibc
# # fixes "configure.ac:374: error: possibly undefined macro: AM_PATH_LIBGCRYPT"
# nativeBuildInputs = orig.nativeBuildInputs ++ [ libgcrypt openssh glib ];
# });
gnome-maps = super.gnome-maps.overrideAttrs (upstream: {
# 2023/11/21: upstreaming is blocked by libshumate, qtsvg (via pipewire/ffado)
postPatch = (upstream.postPatch or "") + ''
@ -997,6 +999,7 @@ in with final; {
# '';
# });
# hyprland = mvToNativeInputs [ hwdata ] prev.hyprland;
# hyprland = prev.hyprland.overrideAttrs (_: {
# depsBuildBuild = [ pkg-config ];
# });
@ -2072,12 +2075,12 @@ in with final; {
# 2024/02/29: upstreaming is blocked on libei (unless Xwayland config option is disabled in nixpkgs)
# out for PR: <https://github.com/NixOS/nixpkgs/pull/292415>
wlroots = prev.wlroots.overrideAttrs (upstream: {
nativeBuildInputs = (upstream.nativeBuildInputs or []) ++ [
# incorrectly specified as `buildInputs` in nixpkgs.
hwdata
];
});
# wlroots = prev.wlroots.overrideAttrs (upstream: {
# nativeBuildInputs = (upstream.nativeBuildInputs or []) ++ [
# # incorrectly specified as `buildInputs` in nixpkgs.
# hwdata
# ];
# });
# wrapFirefox = prev.wrapFirefox.override {
# buildPackages = buildPackages // {
@ -2091,15 +2094,16 @@ in with final; {
# };
# };
wrapNeovimUnstable = neovim: config: (prev.wrapNeovimUnstable neovim config).overrideAttrs (upstream: {
# nvim wrapper has a sanity check that the plugins will load correctly.
# this is effectively a check phase and should be rewritten as such
postBuild = lib.replaceStrings
[ "! $out/bin/nvim-wrapper" ]
# [ "${stdenv.hostPlatform.emulator buildPackages} $out/bin/nvim-wrapper" ]
[ "false && $out/bin/nvim-wrapper" ]
upstream.postBuild;
});
# fixes `hostPrograms.moby.neovim` (but breaks eval of `hostPkgs.moby.neovim` :o)
# wrapNeovimUnstable = neovim: config: (prev.wrapNeovimUnstable neovim config).overrideAttrs (upstream: {
# # nvim wrapper has a sanity check that the plugins will load correctly.
# # this is effectively a check phase and should be rewritten as such
# postBuild = lib.replaceStrings
# [ "! $out/bin/nvim-wrapper" ]
# # [ "${stdenv.hostPlatform.emulator buildPackages} $out/bin/nvim-wrapper" ]
# [ "false && $out/bin/nvim-wrapper" ]
# upstream.postBuild;
# });
# 2023/07/30: upstreaming is blocked on unar (gnustep), unless i also make that optional
xarchiver = mvToNativeInputs [ libxslt ] prev.xarchiver;
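Review bot: The wlroots override commented out in the `@ -2072` hunk carries no dated status line saying why it was disabled, whereas the file's other entries (the `2024/05/13:` lines above gnome-online-accounts and evolution-data-server) record that, and its inner comment `# incorrectly specified as `buildInputs` in nixpkgs.` now reads as a still-open claim about nixpkgs. If the hwdata placement has since been fixed upstream, a line such as `# 2024/05/13: no longer needed; hwdata is a nativeBuildInput in nixpkgs` (or deleting the block outright) would make that clear; if it has not, the reason for dropping the override should be stated instead. The disabled wrapNeovimUnstable block in the `@ -2091` hunk has the same gap, where the only explanation is the `fixes hostPrograms.moby.neovim` line and the dated convention is not followed. The enclosing `with final; { ... }` attribute set starts and ends outside these hunks.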

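--- /dev/null
+++ b/scripts/clean
+#!/bin/sh
+# remove artifacts which i've accidentally left lying around
+# e.g. `result -> /nix/store/...` symlinks
+pushd ~/nixos
+# if this exists it'll interfere with the search
+rm -f result
+for result in $(fd --follow result) $(fd -uuu result); do
+if [[ "$(readlink "$result")" != /nix/store/* ]]; then
+# not a build artifact
+continue
+fi
+if [[ "$result" == build/* ]] || [[ "$result" == .working/* ]]; then
+# intentionally preserved build artifact
+continue
+fi
+echo "removing: $result"
+unlink "$result"
+done
+popd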
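Review bot: `pushd ~/nixos` at the top of the script is not checked, so if that directory is missing the `rm -f result` and the unlink loop run in whatever directory the script was invoked from; `pushd ~/nixos || exit 1` keeps the deletions scoped to the repo. The `#!/bin/sh` shebang also does not match the body: `pushd`, `popd` and `[[ ... ]]` are bash features that a POSIX sh such as dash rejects, so `#!/usr/bin/env bash` with `set -eu` near the top fixes both problems at once. The unquoted `$(fd ...)` expansions in the `for` line split on whitespace and so mishandle paths containing spaces, though the `readlink` guard on the following line still limits what can be unlinked to symlinks that resolve into /nix/store.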