Compare commits
14 Commits
a05fa53ee1
...
bef0099eec
Author | SHA1 | Date | |
---|---|---|---|
bef0099eec | |||
67434caf45 | |||
be84ab1f45 | |||
43d32641f3 | |||
9bf0dbabae | |||
8c7880774e | |||
5774aa4a8f | |||
6c6d11578e | |||
f33e960bdf | |||
14202a5bcc | |||
3d2babf2bb | |||
9d51b2ecc7 | |||
0b855efb5f | |||
2ae286ff75 |
52
flake.lock
52
flake.lock
|
@ -61,11 +61,11 @@
|
|||
"nixpkgs-lib": "nixpkgs-lib"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1714910950,
|
||||
"narHash": "sha256-gaq5bphSsY+htEXFDkImOrH3MVCkxFTvCiwdCJj096E=",
|
||||
"lastModified": 1715515815,
|
||||
"narHash": "sha256-yaLScMHNFCH6SbB0HSA/8DWDgK0PyOhCXoFTdHlWkhk=",
|
||||
"owner": "nix-community",
|
||||
"repo": "lib-aggregate",
|
||||
"rev": "26fabca301e1133abd3d9192b1bcb6fb45b30f1d",
|
||||
"rev": "09883ca828e8cfaacdb09e29190a7b84ad1d9925",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -99,11 +99,11 @@
|
|||
"treefmt-nix": "treefmt-nix"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1713858845,
|
||||
"narHash": "sha256-StJq7Zy+/iVBUAKFzhHWlsirFucZ3gNtzXhAYXAsNnw=",
|
||||
"lastModified": 1715248291,
|
||||
"narHash": "sha256-npC9Swu4VIlRIiEP0XFGoIukd6vOufS/M3PdHk6rQpc=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nix-eval-jobs",
|
||||
"rev": "7b6640f2a10701bf0db16aff048070f400e8ea7c",
|
||||
"rev": "63154bdfb22091041b307d17863bdc0e01a32a00",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -136,11 +136,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1713805509,
|
||||
"narHash": "sha256-YgSEan4CcrjivCNO5ZNzhg7/8ViLkZ4CB/GrGBVSudo=",
|
||||
"lastModified": 1715037484,
|
||||
"narHash": "sha256-OUt8xQFmBU96Hmm4T9tOWTu4oCswCzoVl+pxSq/kiFc=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "1e1dc66fe68972a76679644a5577828b6a7e8be4",
|
||||
"rev": "ad7efee13e0d216bf29992311536fce1d3eefbef",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -152,11 +152,11 @@
|
|||
},
|
||||
"nixpkgs-lib": {
|
||||
"locked": {
|
||||
"lastModified": 1714870069,
|
||||
"lastModified": 1715474941,
|
||||
"narHash": "sha256-CNCqCGOHdxuiVnVkhTpp2WcqSSmSfeQjubhDOcgwGjU=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nixpkgs.lib",
|
||||
"rev": "4b620020fd73bdd5104e32c702e65b60b6869426",
|
||||
"rev": "58e03b95f65dfdca21979a081aa62db0eed6b1d8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -167,11 +167,11 @@
|
|||
},
|
||||
"nixpkgs-next-unpatched": {
|
||||
"locked": {
|
||||
"lastModified": 1715148084,
|
||||
"narHash": "sha256-arUW5NSCMy7K8uO+1ODJqyptf71HP69XbJlSuf361rI=",
|
||||
"lastModified": 1715601680,
|
||||
"narHash": "sha256-Gmz6U8NMZVVnP6AGX4sMl4X6RcQBASPl/2Gj9R5k1Pk=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "c8e3f684443d7c2875ff169f6ef2533534105e7b",
|
||||
"rev": "eda36d7cf3391ad06097009b08822fb74acd5e00",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -183,11 +183,11 @@
|
|||
},
|
||||
"nixpkgs-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1714858427,
|
||||
"narHash": "sha256-tCxeDP4C1pWe2rYY3IIhdA40Ujz32Ufd4tcrHPSKx2M=",
|
||||
"lastModified": 1715458492,
|
||||
"narHash": "sha256-q0OFeZqKQaik2U8wwGDsELEkgoZMK7gvfF6tTXkpsqE=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "b980b91038fc4b09067ef97bbe5ad07eecca1e76",
|
||||
"rev": "8e47858badee5594292921c2668c11004c3b0142",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -199,11 +199,11 @@
|
|||
},
|
||||
"nixpkgs-unpatched": {
|
||||
"locked": {
|
||||
"lastModified": 1715156971,
|
||||
"narHash": "sha256-sEgAH6EkkQf5Aux4JT5HvdKWia0ryePYI0RhioskVS8=",
|
||||
"lastModified": 1715616096,
|
||||
"narHash": "sha256-rxh2XECb5hRzgNR4Xqj3aAjg6821LmNTVRfF6sUW6fI=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "a751e2faa2fc94c1337c32aaf6a6e417afe90be9",
|
||||
"rev": "0a949cf2618e8eab83aa008f1f8e03db137ed36c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -223,11 +223,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1715156333,
|
||||
"narHash": "sha256-8V09AxlIyKh8maX5/fAo8JuijEu9KM1DVlPscxzmKsk=",
|
||||
"lastModified": 1715609745,
|
||||
"narHash": "sha256-z2lQ7G1AxljvYeqrHWjc1ctOI4QZP06vPtvLYJWfZSc=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nixpkgs-wayland",
|
||||
"rev": "7dc8fb2aa7db995ac1ce2a8f2f8d8784b2af591c",
|
||||
"rev": "ed18785b8816fa878bdd9df7f2e8722695401ef8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -254,11 +254,11 @@
|
|||
"nixpkgs-stable": "nixpkgs-stable"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1715035358,
|
||||
"narHash": "sha256-RY6kqhpCPa/q3vbqt3iYRyjO3hJz9KZnshMjbpPon8o=",
|
||||
"lastModified": 1715482972,
|
||||
"narHash": "sha256-y1uMzXNlrVOWYj1YNcsGYLm4TOC2aJrwoUY1NjQs9fM=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "893e3df091f6838f4f9d71c61ab079d5c5dedbd1",
|
||||
"rev": "b6cb5de2ce57acb10ecdaaf9bbd62a5ff24fa02e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
|
@ -121,7 +121,7 @@
|
|||
nixpkgs.hostPlatform.system = target;
|
||||
})
|
||||
(optionalAttrs (variant == "light") {
|
||||
sane.maxBuildCost = 1;
|
||||
sane.maxBuildCost = 2;
|
||||
})
|
||||
(optionalAttrs (variant == "min") {
|
||||
sane.maxBuildCost = 0;
|
||||
|
|
|
@ -30,6 +30,8 @@
|
|||
});
|
||||
};
|
||||
|
||||
buildCost = 1;
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.whitelistWayland = true;
|
||||
|
||||
|
|
|
@ -215,6 +215,7 @@ in
|
|||
|
||||
backblaze-b2 = {};
|
||||
|
||||
blanket.buildCost = 1;
|
||||
blanket.sandbox.method = "bwrap";
|
||||
blanket.sandbox.whitelistAudio = true;
|
||||
# blanket.sandbox.whitelistDbus = [ "user" ]; # TODO: untested
|
||||
|
@ -267,13 +268,14 @@ in
|
|||
ddrescue.sandbox.method = "landlock"; # TODO:sandbox: untested
|
||||
ddrescue.sandbox.autodetectCliPaths = "existingOrParent";
|
||||
|
||||
# auth token, preferences
|
||||
delfin.buildCost = 1;
|
||||
delfin.sandbox.method = "bwrap";
|
||||
delfin.sandbox.whitelistAudio = true;
|
||||
delfin.sandbox.whitelistDbus = [ "user" ]; # else `mpris` plugin crashes the player
|
||||
delfin.sandbox.whitelistDri = true;
|
||||
delfin.sandbox.whitelistWayland = true;
|
||||
delfin.sandbox.net = "clearnet";
|
||||
# auth token, preferences
|
||||
delfin.persist.byStore.private = [ ".config/delfin" ];
|
||||
|
||||
dig.sandbox.method = "bwrap";
|
||||
|
@ -314,11 +316,13 @@ in
|
|||
|
||||
eg25-control = {};
|
||||
|
||||
electrum.buildCost = 1;
|
||||
electrum.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||
electrum.sandbox.net = "all"; # TODO: probably want to make this run behind a VPN, always
|
||||
electrum.sandbox.whitelistWayland = true;
|
||||
electrum.persist.byStore.cryptClearOnBoot = [ ".electrum" ]; #< TODO: use XDG dirs!
|
||||
|
||||
endless-sky.buildCost = 1;
|
||||
endless-sky.persist.byStore.plaintext = [ ".local/share/endless-sky" ];
|
||||
endless-sky.sandbox.method = "bwrap";
|
||||
endless-sky.sandbox.whitelistAudio = true;
|
||||
|
@ -357,6 +361,7 @@ in
|
|||
".persist/plaintext"
|
||||
];
|
||||
|
||||
ffmpeg.buildCost = 1;
|
||||
ffmpeg.sandbox.method = "bwrap";
|
||||
ffmpeg.sandbox.autodetectCliPaths = "existingFileOrParent"; # it outputs uncreated files -> parent dir needs mounting
|
||||
|
||||
|
@ -374,6 +379,7 @@ in
|
|||
|
||||
fluffychat-moby.persist.byStore.plaintext = [ ".local/share/chat.fluffy.fluffychat" ];
|
||||
|
||||
font-manager.buildCost = 1;
|
||||
font-manager.sandbox.method = "bwrap";
|
||||
font-manager.sandbox.whitelistWayland = true;
|
||||
font-manager.packageUnwrapped = pkgs.rmDbusServicesInPlace (pkgs.font-manager.override {
|
||||
|
@ -410,6 +416,7 @@ in
|
|||
# TODO: we can populate gh's stuff statically; it even lets us use the same oauth across machines
|
||||
gh.persist.byStore.private = [ ".config/gh" ];
|
||||
|
||||
gimp.buildCost = 1;
|
||||
gimp.sandbox.method = "bwrap";
|
||||
gimp.sandbox.whitelistX = true;
|
||||
gimp.sandbox.whitelistWayland = true;
|
||||
|
@ -429,18 +436,22 @@ in
|
|||
"/tmp" # "Cannot open display:" if it can't mount /tmp 👀
|
||||
];
|
||||
|
||||
"gnome.gnome-calculator".buildCost = 1;
|
||||
"gnome.gnome-calculator".sandbox.method = "bwrap";
|
||||
"gnome.gnome-calculator".sandbox.whitelistWayland = true;
|
||||
|
||||
"gnome.gnome-calendar".buildCost = 1;
|
||||
# gnome-calendar surely has data to persist, but i use it strictly to do date math, not track events.
|
||||
"gnome.gnome-calendar".sandbox.method = "bwrap";
|
||||
"gnome.gnome-calendar".sandbox.whitelistWayland = true;
|
||||
|
||||
"gnome.gnome-clocks".buildCost = 1;
|
||||
"gnome.gnome-clocks".sandbox.method = "bwrap";
|
||||
"gnome.gnome-clocks".sandbox.whitelistWayland = true;
|
||||
"gnome.gnome-clocks".suggestedPrograms = [ "dconf" ];
|
||||
|
||||
# gnome-disks
|
||||
"gnome.gnome-disk-utility".buildCost = 1;
|
||||
"gnome.gnome-disk-utility".sandbox.method = "bwrap";
|
||||
"gnome.gnome-disk-utility".sandbox.whitelistDbus = [ "system" ];
|
||||
"gnome.gnome-disk-utility".sandbox.whitelistWayland = true;
|
||||
|
@ -451,15 +462,18 @@ in
|
|||
];
|
||||
|
||||
# seahorse: dump gnome-keyring secrets.
|
||||
"gnome.seahorse".buildCost = 1;
|
||||
# N.B.: it can also manage ~/.ssh keys, but i explicitly don't add those to the sandbox for now.
|
||||
"gnome.seahorse".sandbox.method = "bwrap";
|
||||
"gnome.seahorse".sandbox.whitelistDbus = [ "user" ];
|
||||
"gnome.seahorse".sandbox.whitelistWayland = true;
|
||||
|
||||
gnome-2048.buildCost = 1;
|
||||
gnome-2048.sandbox.method = "bwrap";
|
||||
gnome-2048.sandbox.whitelistWayland = true;
|
||||
gnome-2048.persist.byStore.plaintext = [ ".local/share/gnome-2048/scores" ];
|
||||
|
||||
gnome-frog.buildCost = 1;
|
||||
gnome-frog.sandbox.method = "bwrap";
|
||||
gnome-frog.sandbox.whitelistWayland = true;
|
||||
gnome-frog.sandbox.whitelistDbus = [ "user" ];
|
||||
|
@ -486,6 +500,7 @@ in
|
|||
# 1. no number may appear unshaded more than once in the same row/column
|
||||
# 2. no two shaded tiles can be direct N/S/E/W neighbors
|
||||
# - win once (1) and (2) are satisfied
|
||||
"gnome.hitori".buildCost = 1;
|
||||
"gnome.hitori".sandbox.method = "bwrap";
|
||||
"gnome.hitori".sandbox.whitelistWayland = true;
|
||||
|
||||
|
@ -515,6 +530,7 @@ in
|
|||
grim.sandbox.autodetectCliPaths = "existingOrParent";
|
||||
grim.sandbox.whitelistWayland = true;
|
||||
|
||||
hase.buildCost = 1;
|
||||
hase.sandbox.method = "bwrap";
|
||||
hase.sandbox.net = "clearnet";
|
||||
hase.sandbox.whitelistAudio = true;
|
||||
|
@ -535,6 +551,7 @@ in
|
|||
# N.B.: inetutils' `ping` is shadowed by iputils' ping (by nixos, intentionally).
|
||||
inetutils.sandbox.method = "landlock"; # want to keep the same netns, at least.
|
||||
|
||||
inkscape.buildCost = 1;
|
||||
inkscape.sandbox.method = "bwrap";
|
||||
inkscape.sandbox.whitelistWayland = true;
|
||||
inkscape.sandbox.extraHomePaths = [
|
||||
|
@ -586,6 +603,7 @@ in
|
|||
"/proc"
|
||||
];
|
||||
|
||||
krita.buildCost = 1;
|
||||
krita.sandbox.method = "bwrap";
|
||||
krita.sandbox.whitelistWayland = true;
|
||||
krita.sandbox.autodetectCliPaths = "existing";
|
||||
|
@ -606,6 +624,7 @@ in
|
|||
libnotify.sandbox.method = "bwrap";
|
||||
libnotify.sandbox.whitelistDbus = [ "user" ]; # notify-send
|
||||
|
||||
losslesscut-bin.buildCost = 1;
|
||||
losslesscut-bin.sandbox.method = "bwrap";
|
||||
losslesscut-bin.sandbox.extraHomePaths = [
|
||||
"Music"
|
||||
|
@ -630,6 +649,7 @@ in
|
|||
mercurial.sandbox.whitelistPwd = true;
|
||||
|
||||
# actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
|
||||
monero-gui.buildCost = 1;
|
||||
# XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
|
||||
monero-gui.persist.byStore.plaintext = [ ".bitmonero" ];
|
||||
monero-gui.sandbox.method = "bwrap";
|
||||
|
@ -638,6 +658,7 @@ in
|
|||
"records/finance/cryptocurrencies/monero"
|
||||
];
|
||||
|
||||
mumble.buildCost = 1;
|
||||
mumble.persist.byStore.private = [ ".local/share/Mumble" ];
|
||||
|
||||
nano.sandbox.method = "bwrap";
|
||||
|
@ -741,6 +762,7 @@ in
|
|||
pulsemixer.sandbox.method = "landlock";
|
||||
pulsemixer.sandbox.whitelistAudio = true;
|
||||
|
||||
pwvucontrol.buildCost = 1;
|
||||
pwvucontrol.sandbox.method = "bwrap";
|
||||
pwvucontrol.sandbox.whitelistAudio = true;
|
||||
pwvucontrol.sandbox.whitelistDri = true; # else perf on moby is unusable
|
||||
|
@ -758,7 +780,7 @@ in
|
|||
];
|
||||
|
||||
qemu.sandbox.enable = false; #< it's a launcher
|
||||
qemu.buildCost = 1;
|
||||
qemu.buildCost = 2;
|
||||
|
||||
rsync.sandbox.method = "bwrap";
|
||||
rsync.sandbox.net = "clearnet";
|
||||
|
@ -776,6 +798,7 @@ in
|
|||
sequoia.sandbox.whitelistPwd = true;
|
||||
sequoia.sandbox.autodetectCliPaths = true;
|
||||
|
||||
shattered-pixel-dungeon.buildCost = 1;
|
||||
shattered-pixel-dungeon.persist.byStore.plaintext = [ ".local/share/.shatteredpixel/shattered-pixel-dungeon" ];
|
||||
shattered-pixel-dungeon.sandbox.method = "bwrap";
|
||||
shattered-pixel-dungeon.sandbox.whitelistAudio = true;
|
||||
|
@ -783,6 +806,7 @@ in
|
|||
shattered-pixel-dungeon.sandbox.whitelistWayland = true;
|
||||
|
||||
# printer/filament settings
|
||||
slic3r.buildCost = 1;
|
||||
slic3r.persist.byStore.plaintext = [ ".Slic3r" ];
|
||||
|
||||
slurp.sandbox.method = "bwrap";
|
||||
|
@ -803,6 +827,7 @@ in
|
|||
"knowledge"
|
||||
];
|
||||
|
||||
soundconverter.buildCost = 1;
|
||||
soundconverter.sandbox.method = "bwrap";
|
||||
soundconverter.sandbox.whitelistWayland = true;
|
||||
soundconverter.sandbox.extraHomePaths = [
|
||||
|
@ -820,6 +845,7 @@ in
|
|||
sox.sandbox.autodetectCliPaths = "existingFileOrParent";
|
||||
sox.sandbox.whitelistAudio = true;
|
||||
|
||||
space-cadet-pinball.buildCost = 1;
|
||||
space-cadet-pinball.persist.byStore.plaintext = [ ".local/share/SpaceCadetPinball" ];
|
||||
space-cadet-pinball.sandbox.method = "bwrap";
|
||||
space-cadet-pinball.sandbox.whitelistAudio = true;
|
||||
|
@ -840,6 +866,7 @@ in
|
|||
subversion.sandbox.whitelistPwd = true;
|
||||
sudo.sandbox.enable = false;
|
||||
|
||||
superTux.buildCost = 1;
|
||||
superTux.sandbox.method = "bwrap";
|
||||
superTux.sandbox.wrapperType = "inplace"; # package Makefile incorrectly installs to $out/games/superTux instead of $out/share/games
|
||||
superTux.sandbox.whitelistAudio = true;
|
||||
|
@ -858,12 +885,14 @@ in
|
|||
|
||||
tdesktop.persist.byStore.private = [ ".local/share/TelegramDesktop" ];
|
||||
|
||||
tokodon.buildCost = 1;
|
||||
tokodon.persist.byStore.private = [ ".cache/KDE/tokodon" ];
|
||||
|
||||
tree.sandbox.method = "landlock";
|
||||
tree.sandbox.autodetectCliPaths = true;
|
||||
tree.sandbox.whitelistPwd = true;
|
||||
|
||||
tumiki-fighters.buildCost = 1;
|
||||
tumiki-fighters.sandbox.method = "bwrap";
|
||||
tumiki-fighters.sandbox.whitelistAudio = true;
|
||||
tumiki-fighters.sandbox.whitelistDri = true; #< not strictly necessary, but triples CPU perf
|
||||
|
@ -882,6 +911,7 @@ in
|
|||
"/sys/bus/usb"
|
||||
];
|
||||
|
||||
valgrind.buildCost = 1;
|
||||
valgrind.sandbox.enable = false; #< it's a launcher: can't sandbox
|
||||
|
||||
visidata.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||
|
@ -890,6 +920,7 @@ in
|
|||
# `vulkaninfo`, `vkcube`
|
||||
vulkan-tools.sandbox.method = "landlock";
|
||||
|
||||
vvvvvv.buildCost = 1;
|
||||
vvvvvv.sandbox.method = "bwrap";
|
||||
vvvvvv.sandbox.whitelistAudio = true;
|
||||
vvvvvv.sandbox.whitelistDri = true; #< playable without, but burns noticably more CPU
|
||||
|
@ -910,6 +941,7 @@ in
|
|||
wget.sandbox.net = "all";
|
||||
wget.sandbox.whitelistPwd = true; # saves to pwd by default
|
||||
|
||||
whalebird.buildCost = 1;
|
||||
whalebird.persist.byStore.private = [ ".config/Whalebird" ];
|
||||
|
||||
# `wg`, `wg-quick`
|
||||
|
|
|
@ -14,6 +14,8 @@
|
|||
};
|
||||
};
|
||||
|
||||
buildCost = 1;
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistWayland = true;
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
{ ... }:
|
||||
{
|
||||
sane.programs.celeste64 = {
|
||||
buildCost = 1;
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDri = true;
|
||||
|
|
|
@ -13,6 +13,8 @@
|
|||
'';
|
||||
});
|
||||
|
||||
buildCost = 1;
|
||||
|
||||
sandbox.method = "bwrap"; # landlock gives: _multiprocessing.SemLock: Permission Denied
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # mpris
|
||||
|
|
|
@ -1,15 +1,6 @@
|
|||
{ pkgs, ... }:
|
||||
{
|
||||
sane.programs.dialect = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "inplace"; # share/search_providers/ calls back into the binary, weird wrap semantics
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.extraHomePaths = [
|
||||
".config/dconf" # won't start without it
|
||||
];
|
||||
suggestedPrograms = [ "dconf" ]; #< to persist settings
|
||||
|
||||
packageUnwrapped = pkgs.dialect.overrideAttrs (upstream: {
|
||||
# TODO: send upstream
|
||||
# TODO: figure out how to get audio working
|
||||
|
@ -18,5 +9,17 @@
|
|||
pkgs.glib-networking # for TLS
|
||||
];
|
||||
});
|
||||
|
||||
suggestedPrograms = [ "dconf" ]; #< to persist settings
|
||||
|
||||
buildCost = 1;
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "inplace"; # share/search_providers/ calls back into the binary, weird wrap semantics
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.extraHomePaths = [
|
||||
".config/dconf" # won't start without it
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -25,6 +25,8 @@
|
|||
"gnome-keyring"
|
||||
];
|
||||
|
||||
buildCost = 1;
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistAudio = true;
|
||||
|
|
|
@ -23,7 +23,7 @@
|
|||
"tmp"
|
||||
];
|
||||
|
||||
buildCost = 1;
|
||||
buildCost = 2;
|
||||
|
||||
# XXX(2023/07/08): running on moby without `WEBKIT_DISABLE_SANDBOX...` fails, with:
|
||||
# - `bwrap: Can't make symlink at /var/run: File exists`
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
{ ... }:
|
||||
{
|
||||
sane.programs.evince = {
|
||||
buildCost = 1;
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.autodetectCliPaths = true;
|
||||
sandbox.whitelistWayland = true;
|
||||
|
|
|
@ -2,11 +2,6 @@
|
|||
{ pkgs, ... }:
|
||||
{
|
||||
sane.programs.frozen-bubble = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.net = "clearnet"; # net play
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistWayland = true;
|
||||
|
||||
packageUnwrapped = pkgs.frozen-bubble.overrideAttrs (upstream: {
|
||||
# patch so it stores its dot-files not in root ~.
|
||||
postPatch = (upstream.postPatch or "") + ''
|
||||
|
@ -14,6 +9,12 @@
|
|||
--replace-fail '$FBHOME = "$ENV{HOME}/.frozen-bubble"' '$FBHOME = "$ENV{HOME}/.local/share/frozen-bubble"'
|
||||
'';
|
||||
});
|
||||
buildCost = 1;
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.net = "clearnet"; # net play
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistWayland = true;
|
||||
|
||||
persist.byStore.plaintext = [
|
||||
".local/share/frozen-bubble" # preferences, high scores
|
||||
|
|
|
@ -8,6 +8,8 @@
|
|||
{ ... }:
|
||||
{
|
||||
sane.programs.g4music = {
|
||||
buildCost = 1;
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # mpris
|
||||
|
|
|
@ -37,7 +37,7 @@ in
|
|||
# fs.".config/geary".dir = {};
|
||||
# fs.".local/share/folks".dir = {};
|
||||
|
||||
buildCost = 2; # uses webkitgtk 4.1
|
||||
buildCost = 3; # uses webkitgtk 4.1
|
||||
persist.byStore.private = [
|
||||
# attachments, and email -- contained in a sqlite db
|
||||
".local/share/geary"
|
||||
|
|
|
@ -3,6 +3,8 @@
|
|||
{ ... }:
|
||||
{
|
||||
sane.programs."gnome.gnome-weather" = {
|
||||
buildCost = 1;
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "inplace"; #< /share/org.gnome.Weather/org.gnome.Weather file refers to bins by full path
|
||||
sandbox.whitelistWayland = true;
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
{ pkgs, ... }:
|
||||
{
|
||||
sane.programs.handbrake = {
|
||||
buildCost = 1;
|
||||
|
||||
sandbox.method = "landlock"; #< also supports bwrap, but landlock ensures we don't write to non-mounted tmpfs dir
|
||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||
sandbox.whitelistWayland = true;
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
{ pkgs, ... }:
|
||||
{
|
||||
sane.programs.imagemagick = {
|
||||
buildCost = 1;
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "inplace"; # /etc/ImageMagick-7/delegates.xml refers to bins by absolute path
|
||||
sandbox.whitelistPwd = true;
|
||||
|
|
|
@ -1,6 +1,15 @@
|
|||
{ pkgs, ... }:
|
||||
{
|
||||
sane.programs.kdenlive = {
|
||||
packageUnwrapped = pkgs.kdenlive.override {
|
||||
ffmpeg-full = pkgs.ffmpeg-full.override {
|
||||
# avoid expensive samba build for a feature i don't use
|
||||
withSamba = false;
|
||||
};
|
||||
};
|
||||
|
||||
buildCost = 1;
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.extraHomePaths = [
|
||||
"Music"
|
||||
|
@ -14,12 +23,5 @@
|
|||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||
sandbox.whitelistDri = true;
|
||||
sandbox.whitelistWayland = true;
|
||||
|
||||
packageUnwrapped = pkgs.kdenlive.override {
|
||||
ffmpeg-full = pkgs.ffmpeg-full.override {
|
||||
# avoid expensive samba build for a feature i don't use
|
||||
withSamba = false;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -16,7 +16,7 @@
|
|||
sandbox.whitelistDri = true; #< required
|
||||
sandbox.whitelistWayland = true;
|
||||
|
||||
buildCost = 1;
|
||||
buildCost = 2;
|
||||
|
||||
secrets.".local/share/komikku/keyrings/plaintext.keyring" = ../../../secrets/common/komikku_accounts.json.bin;
|
||||
# downloads end up here, and without the toplevel database komikku doesn't know they exist.
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
{ ... }:
|
||||
{
|
||||
sane.programs.lemoa = {
|
||||
buildCost = 1;
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistDbus = [ "user" ]; # for clicking links
|
||||
|
|
|
@ -16,7 +16,7 @@
|
|||
"tmp"
|
||||
];
|
||||
|
||||
buildCost = 2;
|
||||
buildCost = 3;
|
||||
|
||||
# disable first-run stuff
|
||||
fs.".config/libreoffice/4/user/registrymodifications.xcu".symlink.text = ''
|
||||
|
|
|
@ -103,54 +103,61 @@ in
|
|||
# "use"
|
||||
];
|
||||
|
||||
# packageUnwrapped = config.programs.neovim.finalPackage;
|
||||
packageUnwrapped = pkgs.wrapNeovimUnstable pkgs.neovim-unwrapped (pkgs.neovimUtils.makeNeovimConfig {
|
||||
withRuby = false; #< doesn't cross-compile w/o binfmt
|
||||
viAlias = true;
|
||||
vimAlias = true;
|
||||
plugins = plugin-packages;
|
||||
customRC = ''
|
||||
" let the terminal handle mouse events, that way i get OS-level ctrl+shift+c/etc
|
||||
" this used to be default, until <https://github.com/neovim/neovim/pull/19290>
|
||||
set mouse=
|
||||
packageUnwrapped = let
|
||||
configArgs = {
|
||||
withRuby = false; #< doesn't cross-compile w/o binfmt
|
||||
viAlias = true;
|
||||
vimAlias = true;
|
||||
plugins = plugin-packages;
|
||||
customRC = ''
|
||||
" let the terminal handle mouse events, that way i get OS-level ctrl+shift+c/etc
|
||||
" this used to be default, until <https://github.com/neovim/neovim/pull/19290>
|
||||
set mouse=
|
||||
|
||||
" copy/paste to system clipboard
|
||||
set clipboard=unnamedplus
|
||||
" copy/paste to system clipboard
|
||||
set clipboard=unnamedplus
|
||||
|
||||
" screw tabs; always expand them into spaces
|
||||
set expandtab
|
||||
" screw tabs; always expand them into spaces
|
||||
set expandtab
|
||||
|
||||
" at least don't open files with sections folded by default
|
||||
set nofoldenable
|
||||
" at least don't open files with sections folded by default
|
||||
set nofoldenable
|
||||
|
||||
" allow text substitutions for certain glyphs.
|
||||
" higher number = more aggressive substitution (0, 1, 2, 3)
|
||||
" i only make use of this for tex, but it's unclear how to
|
||||
" apply that *just* to tex and retain the SyntaxRange stuff.
|
||||
set conceallevel=2
|
||||
" allow text substitutions for certain glyphs.
|
||||
" higher number = more aggressive substitution (0, 1, 2, 3)
|
||||
" i only make use of this for tex, but it's unclear how to
|
||||
" apply that *just* to tex and retain the SyntaxRange stuff.
|
||||
set conceallevel=2
|
||||
|
||||
" horizontal rule under the active line
|
||||
" set cursorline
|
||||
" horizontal rule under the active line
|
||||
" set cursorline
|
||||
|
||||
" highlight trailing space & related syntax errors (doesn't seem to work??)
|
||||
" let c_space_errors=1
|
||||
" let python_space_errors=1
|
||||
" highlight trailing space & related syntax errors (doesn't seem to work??)
|
||||
" let c_space_errors=1
|
||||
" let python_space_errors=1
|
||||
|
||||
" enable highlighting of leading/trailing spaces,
|
||||
" and especially tabs
|
||||
" source: https://www.reddit.com/r/neovim/comments/chlmfk/highlight_trailing_whitespaces_in_neovim/
|
||||
set list
|
||||
set listchars=tab:▷\·,trail:·,extends:◣,precedes:◢,nbsp:○
|
||||
" enable highlighting of leading/trailing spaces,
|
||||
" and especially tabs
|
||||
" source: https://www.reddit.com/r/neovim/comments/chlmfk/highlight_trailing_whitespaces_in_neovim/
|
||||
set list
|
||||
set listchars=tab:▷\·,trail:·,extends:◣,precedes:◢,nbsp:○
|
||||
|
||||
""""" PLUGIN CONFIG (vim)
|
||||
${plugin-config-viml}
|
||||
""""" PLUGIN CONFIG (vim)
|
||||
${plugin-config-viml}
|
||||
|
||||
""""" PLUGIN CONFIG (lua)
|
||||
lua <<EOF
|
||||
${plugin-config-lua}
|
||||
EOF
|
||||
'';
|
||||
});
|
||||
""""" PLUGIN CONFIG (lua)
|
||||
lua <<EOF
|
||||
${plugin-config-lua}
|
||||
EOF
|
||||
'';
|
||||
};
|
||||
in pkgs.wrapNeovimUnstable
|
||||
pkgs.neovim-unwrapped
|
||||
# XXX(2024/05/13): manifestRc must be null for cross-compilation to work.
|
||||
# wrapper invokes `neovim` with all plugins enabled at build time i guess to generate caches and stuff?
|
||||
# alternative is to emulate `nvim-wrapper` during build.
|
||||
((pkgs.neovimUtils.makeNeovimConfig configArgs) // { manifestRc = null; })
|
||||
;
|
||||
|
||||
# private because there could be sensitive things in the swap
|
||||
persist.byStore.private = [ ".cache/vim-swap" ];
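Review bot: `manifestRc = null` is applied unconditionally at the `//` on the last line of the `in` expression, while the XXX comment above it says it is needed only for cross-compilation; on a native build this presumably also skips generating the remote-plugin manifest, so any Python/remote plugins in `plugin-packages` would need `:UpdateRemotePlugins` by hand. If that trade-off is intended it should be stated in the comment; if not, the override can be limited to cross builds with `// pkgs.lib.optionalAttrs (pkgs.stdenv.buildPlatform != pkgs.stdenv.hostPlatform) { manifestRc = null; }`. Style-wise the lone `;` on its own line after the argument list is unusual for Nix and reads like a stray token; ending the previous line with `;` would be clearer. The enclosing attrset that `packageUnwrapped` belongs to starts before the hunk and continues after it.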
|
||||
|
|
|
@ -13,7 +13,7 @@ let
|
|||
wanted-feeds = feeds.filterByFormat [ "text" "image" "podcast" "video" ] all-feeds;
|
||||
in {
|
||||
sane.programs.newsflash = {
|
||||
buildCost = 1; # mainly for desktop: webkitgtk-6.0
|
||||
buildCost = 2; # mainly for desktop: webkitgtk-6.0
|
||||
persist.byStore.plaintext = [ ".local/share/news-flash" ];
|
||||
fs.".config/newsflashFeeds.opml".symlink.text =
|
||||
feeds.feedsToOpml wanted-feeds
|
||||
|
|
|
@ -10,6 +10,6 @@
|
|||
".local/share/io.github.alainm23.planify"
|
||||
];
|
||||
|
||||
buildCost = 1; # webkitgtk-6.0; slow for desktop
|
||||
buildCost = 2; # webkitgtk-6.0; slow for desktop
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
{ ... }:
|
||||
{
|
||||
sane.programs.spot = {
|
||||
buildCost = 1;
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistAudio = true;
|
||||
|
|
|
@ -21,6 +21,8 @@ let
|
|||
in
|
||||
{
|
||||
sane.programs.stepmania = {
|
||||
buildCost = 1;
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "inplace"; #< non-standard packaging; binary lives at $out/stepmania-5.1/stepmania (not even in an /opt dir)
|
||||
sandbox.whitelistAudio = true;
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
{ ... }:
|
||||
{
|
||||
sane.programs.superTuxKart = {
|
||||
buildCost = 1;
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.net = "clearnet"; # net play
|
||||
sandbox.whitelistAudio = true;
|
||||
|
|
|
@ -27,7 +27,7 @@ in
|
|||
'' + (upstream.preFixup or "");
|
||||
});
|
||||
|
||||
buildCost = 1;
|
||||
buildCost = 2;
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.net = "clearnet";
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
{ ... }:
|
||||
{
|
||||
sane.programs.tuba = {
|
||||
buildCost = 1;
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistAudio = true;
|
||||
|
|
|
@ -20,7 +20,7 @@
|
|||
"/sys/devices"
|
||||
];
|
||||
|
||||
buildCost = 1;
|
||||
buildCost = 2;
|
||||
|
||||
# wike probably meant to put everything here in a subdir, but didn't.
|
||||
# see: <https://github.com/hugolabe/Wike/issues/176>
|
||||
|
|
|
@ -13,6 +13,6 @@ in
|
|||
];
|
||||
|
||||
fs.".config/wireshark".dir = {};
|
||||
buildCost = 1;
|
||||
buildCost = 2;
|
||||
};
|
||||
}
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
# unar doesn't cross compile well, so disable support for it
|
||||
unar = null;
|
||||
};
|
||||
buildCost = 1;
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.whitelistWayland = true;
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
{ ... }:
|
||||
{
|
||||
sane.programs.zathura = {
|
||||
buildCost = 1;
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "inplace"; #< wrapper sets ZATHURA_PLUGINS_PATH to $out/lib/...
|
||||
sandbox.whitelistDri = true;
|
||||
|
|
|
@ -15,7 +15,7 @@ in {
|
|||
sane.programs.zeal = {
|
||||
# packageUnwrapped = pkgs.zeal-qt6; #< TODO: upgrade system to qt6 versions of everything (i.e. jellyfin-media-player, nheko)
|
||||
packageUnwrapped = pkgs.zeal-qt5;
|
||||
buildCost = 2;
|
||||
buildCost = 3;
|
||||
persist.byStore.plaintext = [
|
||||
".cache/Zeal"
|
||||
".local/share/Zeal"
|
||||
|
|
|
@ -79,7 +79,7 @@ in
|
|||
# "gnome.gnome-system-monitor"
|
||||
# "gnome.gnome-terminal" # works on phosh
|
||||
"gnome.gnome-weather"
|
||||
"gnome.seahorse" # keyring/secret manager
|
||||
# "gnome.seahorse" # keyring/secret manager
|
||||
"gnome-frog" # OCR/QR decoder
|
||||
"gpodder"
|
||||
# "gthumb"
|
||||
|
@ -159,7 +159,7 @@ in
|
|||
"libreoffice" # TODO: replace with an office suite that uses saner packaging?
|
||||
"losslesscut-bin" # x86-only
|
||||
# "makemkv" # x86-only
|
||||
"monero-gui" # x86-only
|
||||
# "monero-gui" # x86-only
|
||||
# "mumble"
|
||||
# "nheko" # Matrix chat client
|
||||
# "nicotine-plus" # soulseek client. before re-enabling this, get it to run without firejail.
|
||||
|
@ -175,7 +175,7 @@ in
|
|||
"wireshark" # could maybe ship the cli as sysadmin pkg
|
||||
# "xterm" # requires Xwayland
|
||||
# "zecwallet-lite" # x86-only
|
||||
"zulip"
|
||||
# "zulip"
|
||||
]
|
||||
);
|
||||
|
||||
|
|
|
@ -297,11 +297,15 @@ let
|
|||
'';
|
||||
};
|
||||
buildCost = mkOption {
|
||||
type = types.enum [ 0 1 2 ];
|
||||
type = types.enum [ 0 1 2 3 ];
|
||||
default = 0;
|
||||
description = ''
|
||||
whether this package is very slow, or has unique dependencies which are very slow to build.
|
||||
marking packages like this can be used to achieve faster, but limited, rebuilds/deploys (by omitting the package).
|
||||
- 0: this package is necessary for baseline usability
|
||||
- 1: this package is a nice-to-have, and not too costly to build
|
||||
- 2: this package is a nice-to-have, but costly to build (e.g. `libreoffice`, some webkitgtk-based things)
|
||||
- 3: this package is costly to build, and could go without (some lesser-used webkitgtk-based things)
|
||||
'';
|
||||
};
|
||||
sandbox.net = mkOption {
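Review bot: The newly added level descriptions for 2 and 3 read as near-synonyms ("nice-to-have, but costly" vs "costly, and could go without"), so a reader cannot tell which level to pick for a new package; tying each level to the `sane.maxBuildCost` threshold that consumes it would make the choice mechanical. Elsewhere in this compare the `light` variant is set to `sane.maxBuildCost = 2` and `min` to 0, so wording like `- 2: ... (still built on "light" hosts)` and `- 3: ... (only built where sane.maxBuildCost = 3)` would state the actual effect; the 3 threshold is inferred from the enum, since no host in these hunks sets it. The unchanged opening line `whether this package is very slow` no longer matches an integer option either, so `how costly this package is to build (0 = cheap, 3 = very costly)` would fit the new enum better. The enclosing options attrset starts and ends outside the hunk.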
|
||||
|
|
|
@ -5,7 +5,6 @@
|
|||
./dyn-dns.nix
|
||||
./eg25-manager.nix
|
||||
./kiwix-serve.nix
|
||||
./mautrix-signal.nix
|
||||
./nixserve.nix
|
||||
./trust-dns.nix
|
||||
];
|
||||
|
|
|
@ -1,207 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
let
|
||||
# TODO: upstream these "optional-dependencies"
|
||||
# - search that phrase in <nixpkgs:doc/languages-frameworks/python.section.md>
|
||||
pkg = pkgs.mautrix-signal.overridePythonAttrs (super: {
|
||||
propagatedBuildInputs = super.propagatedBuildInputs ++ (with pkgs.python3.pkgs; [
|
||||
# these optional deps come from mautrix-signal's "optional-requirements.txt"
|
||||
|
||||
# #/e2be
|
||||
# python-olm>=3,<4
|
||||
# pycryptodome>=3,<4
|
||||
# unpaddedbase64>=1,<3
|
||||
# XXX: ^above already included in nixpkgs package
|
||||
|
||||
# #/metrics
|
||||
# prometheus_client>=0.6,<0.17
|
||||
# XXX: ^above already included in nixpkgs package
|
||||
|
||||
# #/formattednumbers
|
||||
# phonenumbers>=8,<9
|
||||
# XXX: ^above already included in nixpkgs package
|
||||
|
||||
# #/qrlink
|
||||
# qrcode>=6,<8
|
||||
# Pillow>=4,<10
|
||||
# XXX: ^above already included in nixpkgs package
|
||||
|
||||
# #/stickers
|
||||
# signalstickers-client>=3,<4
|
||||
|
||||
# #/sqlite
|
||||
# aiosqlite>=0.16,<0.19
|
||||
aiosqlite
|
||||
]);
|
||||
});
|
||||
dataDir = "/var/lib/mautrix-signal";
|
||||
registrationFile = "${dataDir}/signal-registration.yaml";
|
||||
cfg = config.services.mautrix-signal;
|
||||
settingsFormat = pkgs.formats.json {};
|
||||
settingsFile =
|
||||
settingsFormat.generate "mautrix-signal-config.json" cfg.settings;
|
||||
in
|
||||
{
|
||||
options = {
|
||||
services.mautrix-signal = {
|
||||
enable = mkEnableOption (lib.mdDoc "Mautrix-Signal, a Matrix-Signal puppeting bridge");
|
||||
|
||||
settings = mkOption rec {
|
||||
apply = recursiveUpdate default;
|
||||
inherit (settingsFormat) type;
|
||||
default = {
|
||||
# defaults based on this upstream example config:
|
||||
# - <https://github.com/mautrix/signal/blob/master/mautrix_signal/example-config.yaml>
|
||||
homeserver = {
|
||||
address = "http://localhost:8008";
|
||||
software = "standard";
|
||||
# domain = "SETME";
|
||||
};
|
||||
|
||||
appservice = rec {
|
||||
address = "http://${hostname}:${toString port}";
|
||||
hostname = "localhost";
|
||||
port = 29328;
|
||||
|
||||
database = "sqlite:///${dataDir}/mautrix-signal.db";
|
||||
database_opts = {};
|
||||
bot_username = "signalbot";
|
||||
};
|
||||
|
||||
bridge = {
|
||||
username_template = "signal_{userid}";
|
||||
permissions."*" = "relay";
|
||||
double_puppet_server_map = {};
|
||||
login_shared_secret_map = {};
|
||||
};
|
||||
|
||||
logging = {
|
||||
version = 1;
|
||||
|
||||
formatters.precise.format = "[%(levelname)s@%(name)s] %(message)s";
|
||||
|
||||
handlers.console = {
|
||||
class = "logging.StreamHandler";
|
||||
formatter = "precise";
|
||||
};
|
||||
|
||||
# log to console/systemd instead of file
|
||||
root = {
|
||||
level = "INFO";
|
||||
handlers = ["console"];
|
||||
};
|
||||
};
|
||||
};
|
||||
example = literalExpression ''
|
||||
{
|
||||
homeserver = {
|
||||
address = "http://localhost:8008";
|
||||
domain = "mydomain.example";
|
||||
};
|
||||
|
||||
bridge.permissions = {
|
||||
"@admin:mydomain.example" = "admin";
|
||||
"mydomain.example" = "user";
|
||||
};
|
||||
}
|
||||
'';
|
||||
description = lib.mdDoc ''
|
||||
{file}`config.yaml` configuration as a Nix attribute set.
|
||||
Configuration options should match those described in
|
||||
[example-config.yaml](https://github.com/mautrix/signale/blob/master/mautrix_signal/example-config.yaml).
|
||||
'';
|
||||
};
|
||||
|
||||
environmentFile = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
description = lib.mdDoc ''
|
||||
File containing environment variables to be passed to the mautrix-signal service,
|
||||
in which secret tokens can be specified securely by defining values for e.g.
|
||||
`MAUTRIX_SIGNAL_APPSERVICE_AS_TOKEN`,
|
||||
`MAUTRIX_SIGNAL_APPSERVICE_HS_TOKEN`
|
||||
|
||||
These environment variables can also be used to set other options by
|
||||
replacing hierarchy levels by `.`, converting the name to uppercase
|
||||
and prepending `MAUTRIX_SIGNAL_`.
|
||||
For example, the first value above maps to
|
||||
{option}`settings.appservice.as_token`.
|
||||
|
||||
The environment variable values can be prefixed with `json::` to have
|
||||
them be parsed as JSON. For example, `login_shared_secret_map` can be
|
||||
set as follows:
|
||||
`MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET_MAP=json::{"example.com":"secret"}`.
|
||||
'';
|
||||
};
|
||||
|
||||
serviceDependencies = mkOption {
|
||||
type = with types; listOf str;
|
||||
default = optional config.services.matrix-synapse.enable "matrix-synapse.service";
|
||||
defaultText = literalExpression ''
|
||||
optional config.services.matrix-synapse.enable "matrix-synapse.service"
|
||||
'';
|
||||
description = lib.mdDoc ''
|
||||
List of Systemd services to require and wait for when starting the application service.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
users.groups.mautrix-signal = {};
|
||||
|
||||
users.users.mautrix-signal = {
|
||||
group = "mautrix-signal";
|
||||
isSystemUser = true;
|
||||
};
|
||||
|
||||
systemd.services.mautrix-signal = {
|
||||
description = "Mautrix-Signal, a Matrix-Signal puppeting bridge.";
|
||||
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
wants = [ "network-online.target" ] ++ cfg.serviceDependencies;
|
||||
after = [ "network-online.target" ] ++ cfg.serviceDependencies;
|
||||
path = [ pkgs.ffmpeg ]; # voice messages need `ffmpeg`
|
||||
|
||||
# environment.HOME = dataDir;
|
||||
|
||||
preStart = ''
|
||||
# generate the appservice's registration file if absent
|
||||
if [ ! -f '${registrationFile}' ]; then
|
||||
${pkg}/bin/mautrix-signal \
|
||||
--generate-registration \
|
||||
--no-update \
|
||||
--base-config='${pkg}/${pkg.pythonModule.sitePackages}/mautrix_signal/example-config.yaml' \
|
||||
--config='${settingsFile}' \
|
||||
--registration='${registrationFile}'
|
||||
fi
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
Restart = "always";
|
||||
|
||||
User = "mautrix-signal";
|
||||
|
||||
ProtectSystem = "strict";
|
||||
ProtectHome = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectControlGroups = true;
|
||||
|
||||
PrivateTmp = true;
|
||||
WorkingDirectory = pkg;
|
||||
StateDirectory = baseNameOf dataDir;
|
||||
UMask = "0027";
|
||||
EnvironmentFile = cfg.environmentFile;
|
||||
|
||||
ExecStart = ''
|
||||
${pkg}/bin/mautrix-signal \
|
||||
--config='${settingsFile}' \
|
||||
--no-update
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -32,11 +32,32 @@ in [
|
|||
# etc, where "date" is like "20240228181608"
|
||||
# and can be found with `nix-repl > :lf . > lastModifiedDate`
|
||||
|
||||
(fetchpatch' {
|
||||
title = "curl-impersonate: fix darwin build and make cross-compilation work";
|
||||
prUrl = "https://github.com/NixOS/nixpkgs/pull/310386";
|
||||
hash = "sha256-feMOgQRrY2t7sYMjqXCo2WCe/J+Kr1ah+DznajQZsDM=";
|
||||
})
|
||||
|
||||
(fetchpatch' {
|
||||
title = "hyprland: fix cross compilation";
|
||||
prUrl = "https://github.com/NixOS/nixpkgs/pull/311408";
|
||||
hash = "sha256-OU5XT/BEmZu1TPXSLKfEgdkoGXRETvJ9dePCeHrFl6o=";
|
||||
})
|
||||
|
||||
(fetchpatch' {
|
||||
# TODO: send upstream after successful deployment
|
||||
title = "gnome.gnome-keyring: support cross compilation";
|
||||
# prUrl = "https://github.com/uninsane/nixpkgs/pull/new/pr-gnome-keyring-cross";
|
||||
saneCommit = "56bc064c0fa39614dfd1048daae4a59e4131df56";
|
||||
hash = "sha256-LZW3CNhcOU+YPTPt/4Ltxyiqo/6SdlIOQADmni4pDM4=";
|
||||
})
|
||||
|
||||
(fetchpatch' {
|
||||
# TODO: send upstream
|
||||
title = "python3Packages.dbus-python: fix build when doInstallCheck=false";
|
||||
saneCommit = "4d4d0310402b8a7f9273dff448522f01b722a60c";
|
||||
hash = "sha256-3fAobeHbM/IHZzhfAqSKhPy1l28F6MbQBp8rSVX2Lrg=";
|
||||
title = "python3Packages.dbus-python: fix cross";
|
||||
prUrl = "https://github.com/NixOS/nixpkgs/pull/310609";
|
||||
hash = "sha256-QCRCotIlHgJn4lo4Qdrh2cJMqqcVGLAE9WSJ4nCQvyk=";
|
||||
merged.staging = "20240510160000";
|
||||
})
|
||||
|
||||
# branch: wip-ffado-cross
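Review bot: The gnome-keyring entry is only traceable through `saneCommit`: the comment `# prUrl = "https://github.com/uninsane/nixpkgs/pull/new/pr-gnome-keyring-cross";` is a PR-creation link, not an opened PR, so a reader following it later will not find the discussion or the merge state that the other `prUrl` entries provide. Until the PR exists, a comment naming the branch is more honest than a dead URL, e.g. `# branch: pr-gnome-keyring-cross (fork only; not yet sent upstream)`, with `prUrl` added once it is filed. The dbus-python entry already models this well with `prUrl` plus `merged.staging`. The surrounding list literal starts and ends outside the hunk.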
|
||||
|
@ -55,13 +76,39 @@ in [
|
|||
hash = "sha256-53X4ssdp02C8NOUL5mlbhR7qwE9/KWp6iLmz1ljJopE=";
|
||||
})
|
||||
|
||||
# 2024/02/25: still outstanding; merge conflicts
|
||||
(fetchpatch' {
|
||||
title = "libgweather: enable introspection on cross builds";
|
||||
prUrl = "https://github.com/NixOS/nixpkgs/pull/251956";
|
||||
hash = "sha256-IW+0u5lytIPU3xhgGtYgexXUrS2VFXAV6GC50jJS5ak=";
|
||||
})
|
||||
|
||||
# 2024/02/25: still outstanding
|
||||
# (fetchpatch' {
|
||||
# title = "hspell: remove build perl from runtime closure";
|
||||
# prUrl = "https://github.com/NixOS/nixpkgs/pull/263182";
|
||||
# hash = "sha256-Wau+PB+EUQDvWX8Kycw1sNrM3GkPVjKSS4niIDI0sjM=";
|
||||
# })
|
||||
|
||||
# (fetchpatch' {
|
||||
# title = "gthumb: make the webservices feature be optional";
|
||||
# prUrl = "https://github.com/NixOS/nixpkgs/pull/240602";
|
||||
# saneCommit = "e83130f2770c314b2a482e1792b010da66cdd5de";
|
||||
# hash = "sha256-GlYWpOVZvr0oFAs4RdSUf7LJD3FmGsCaTm32GPhbBfc=";
|
||||
# })
|
||||
# (fetchpatch' {
|
||||
# # TODO: send for review once hspell fix is merged <https://github.com/NixOS/nixpkgs/pull/263182>
|
||||
# # this patch works as-is, but hspell keeps a ref to build perl and thereby pollutes this closure as well.
|
||||
# title = "gtkspell2: support cross compilation";
|
||||
# saneCommit = "56348833b4411e9fe2016c24c7fc4af1e3c1d28a";
|
||||
# hash = "sha256-RUw88u7CI2C1IpRUhGbdYamHsPT1jBV0ROyVvzLWdv8=";
|
||||
# })
|
||||
# (fetchpatch' {
|
||||
# # TODO: send for review (it should be unblocked as of 2024/05/08)
|
||||
# title = "pidgin: support cross compilation";
|
||||
# saneCommit = "caacbcc54e217f5ee9281422777a7f712765f71a";
|
||||
# hash = "sha256-UyZaNNp84zKShuo6zu0nfZ2FygHGcmV63Ww4Y4CtCF0=";
|
||||
# })
|
||||
|
||||
# (fetchpatch' {
|
||||
# title = "trust-dns: 0.23.0 -> 0.24.0";
|
||||
# prUrl = "https://github.com/NixOS/nixpkgs/pull/262466";
|
||||
|
@ -128,36 +175,10 @@ in [
|
|||
# hash = "sha256-eTwEbVULYjmOW7zUFcTUqvBZqUFjHTKFhvmU2m3XQeo=";
|
||||
# })
|
||||
|
||||
(fetchpatch' {
|
||||
title = "gthumb: make the webservices feature be optional";
|
||||
prUrl = "https://github.com/NixOS/nixpkgs/pull/240602";
|
||||
saneCommit = "e83130f2770c314b2a482e1792b010da66cdd5de";
|
||||
hash = "sha256-GlYWpOVZvr0oFAs4RdSUf7LJD3FmGsCaTm32GPhbBfc=";
|
||||
})
|
||||
(fetchpatch' {
|
||||
# TODO: send for review once hspell fix is merged <https://github.com/NixOS/nixpkgs/pull/263182>
|
||||
# this patch works as-is, but hspell keeps a ref to build perl and thereby pollutes this closure as well.
|
||||
title = "gtkspell2: support cross compilation";
|
||||
saneCommit = "56348833b4411e9fe2016c24c7fc4af1e3c1d28a";
|
||||
hash = "sha256-RUw88u7CI2C1IpRUhGbdYamHsPT1jBV0ROyVvzLWdv8=";
|
||||
})
|
||||
(fetchpatch' {
|
||||
# TODO: send for review (it should be unblocked as of 2024/05/08)
|
||||
title = "pidgin: support cross compilation";
|
||||
saneCommit = "caacbcc54e217f5ee9281422777a7f712765f71a";
|
||||
hash = "sha256-UyZaNNp84zKShuo6zu0nfZ2FygHGcmV63Ww4Y4CtCF0=";
|
||||
})
|
||||
|
||||
(fetchpatch' {
|
||||
title = "libgweather: enable introspection on cross builds";
|
||||
prUrl = "https://github.com/NixOS/nixpkgs/pull/251956";
|
||||
hash = "sha256-IW+0u5lytIPU3xhgGtYgexXUrS2VFXAV6GC50jJS5ak=";
|
||||
})
|
||||
|
||||
# for raspberry pi: allow building u-boot for rpi 4{,00}
|
||||
# TODO: remove after upstreamed: https://github.com/NixOS/nixpkgs/pull/176018
|
||||
# (it's a dupe of https://github.com/NixOS/nixpkgs/pull/112677 )
|
||||
./02-rpi4-uboot.patch
|
||||
# ./02-rpi4-uboot.patch
|
||||
|
||||
# (fetchpatch' {
|
||||
# title = "gnustep: remove `rec` to support `overrideScope`";
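Review bot: `./02-rpi4-uboot.patch` is now commented out, but the three comment lines above it (`# for raspberry pi: allow building u-boot for rpi 4{,00}`, the `# TODO: remove after upstreamed…` line and the dupe note) stay active and read as if the patch were still applied, with no record of why it was disabled. A dated line such as `# <DATE>: disabled — <reason, e.g. no longer building for rpi4 / upstreamed>` next to the commented path would keep the history legible; the same applies to the wlroots override commented out in the `@ -2072,12 +2075,12 @@` hunk, whose `# 2024/02/29: upstreaming is blocked on libei…` and `# out for PR: …` comments likewise remain uncommented above a disabled block. Whether either is disabled because the fix landed upstream cannot be told from the diff, so the reason should be stated explicitly. The patch list this sits in starts and ends outside the hunk.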
|
||||
|
|
|
@ -387,7 +387,7 @@ in with final; {
|
|||
# });
|
||||
# };
|
||||
|
||||
# 2024/02/27: upstreaming is unblocked
|
||||
# 2024/05/13: upstreaming is unblocked; out for review: <https://github.com/NixOS/nixpkgs/pull/305241>
|
||||
appstream = prev.appstream.overrideAttrs (upstream: {
|
||||
# fixes: "Message: Native appstream required for cross-building"
|
||||
# error introduced in:
|
||||
|
@ -815,11 +815,12 @@ in with final; {
|
|||
});
|
||||
|
||||
# 2024/05/08: fix: "meson.build:85:11: ERROR: Dependency "dbus-1" not found, tried pkgconfig".
|
||||
# 2024/05/13: upstreaming is bloked by dbus-python (fixed in staging), appstream (out for PR)
|
||||
gnome-online-accounts = mvToBuildInputs [ dbus ] prev.gnome-online-accounts;
|
||||
|
||||
gnome = prev.gnome.overrideScope (self: super: {
|
||||
evolution-data-server = super.evolution-data-server.overrideAttrs (upstream: {
|
||||
# 2023/12/08: upstreaming is unblocked, but depends on webkitgtk 4.1
|
||||
# 2024/05/13: upstreaming is blocked by appstream (out for PR), libgweather (out for PR)
|
||||
cmakeFlags = upstream.cmakeFlags ++ [
|
||||
"-DCMAKE_CROSSCOMPILING_EMULATOR=${stdenv.hostPlatform.emulator buildPackages}"
|
||||
"-DENABLE_TESTS=no"
|
||||
|
@ -872,12 +873,13 @@ in with final; {
|
|||
# fixes "subprojects/gvc/meson.build:30:0: ERROR: Program 'glib-mkenums mkenums' not found or not executable"
|
||||
# gnome-control-center = mvToNativeInputs [ glib ] super.gnome-control-center;
|
||||
|
||||
gnome-keyring = super.gnome-keyring.overrideAttrs (orig: {
|
||||
# 2024/02/27: upstreaming is unblocked
|
||||
# this seems to work in practice, but leaves gkr with a reference to the build openssl, sqlite, xz, libxcrypt, glibc
|
||||
# fixes "configure.ac:374: error: possibly undefined macro: AM_PATH_LIBGCRYPT"
|
||||
nativeBuildInputs = orig.nativeBuildInputs ++ [ libgcrypt openssh glib ];
|
||||
});
|
||||
# gnome-keyring = super.gnome-keyring.overrideAttrs (orig: {
|
||||
# # 2024/02/27: upstreaming is unblocked; implemented but not for PR
|
||||
# # - <https://github.com/uninsane/nixpkgs/pull/new/pr-gnome-keyring-cross>
|
||||
# # this seems to work in practice, but leaves gkr with a reference to the build openssl, sqlite, xz, libxcrypt, glibc
|
||||
# # fixes "configure.ac:374: error: possibly undefined macro: AM_PATH_LIBGCRYPT"
|
||||
# nativeBuildInputs = orig.nativeBuildInputs ++ [ libgcrypt openssh glib ];
|
||||
# });
|
||||
gnome-maps = super.gnome-maps.overrideAttrs (upstream: {
|
||||
# 2023/11/21: upstreaming is blocked by libshumate, qtsvg (via pipewire/ffado)
|
||||
postPatch = (upstream.postPatch or "") + ''
|
||||
|
@ -997,6 +999,7 @@ in with final; {
|
|||
# '';
|
||||
# });
|
||||
|
||||
# hyprland = mvToNativeInputs [ hwdata ] prev.hyprland;
|
||||
# hyprland = prev.hyprland.overrideAttrs (_: {
|
||||
# depsBuildBuild = [ pkg-config ];
|
||||
# });
|
||||
|
@ -2072,12 +2075,12 @@ in with final; {
|
|||
|
||||
# 2024/02/29: upstreaming is blocked on libei (unless Xwayland config option is disabled in nixpkgs)
|
||||
# out for PR: <https://github.com/NixOS/nixpkgs/pull/292415>
|
||||
wlroots = prev.wlroots.overrideAttrs (upstream: {
|
||||
nativeBuildInputs = (upstream.nativeBuildInputs or []) ++ [
|
||||
# incorrectly specified as `buildInputs` in nixpkgs.
|
||||
hwdata
|
||||
];
|
||||
});
|
||||
# wlroots = prev.wlroots.overrideAttrs (upstream: {
|
||||
# nativeBuildInputs = (upstream.nativeBuildInputs or []) ++ [
|
||||
# # incorrectly specified as `buildInputs` in nixpkgs.
|
||||
# hwdata
|
||||
# ];
|
||||
# });
|
||||
|
||||
# wrapFirefox = prev.wrapFirefox.override {
|
||||
# buildPackages = buildPackages // {
|
||||
|
@ -2091,15 +2094,16 @@ in with final; {
|
|||
# };
|
||||
# };
|
||||
|
||||
wrapNeovimUnstable = neovim: config: (prev.wrapNeovimUnstable neovim config).overrideAttrs (upstream: {
|
||||
# nvim wrapper has a sanity check that the plugins will load correctly.
|
||||
# this is effectively a check phase and should be rewritten as such
|
||||
postBuild = lib.replaceStrings
|
||||
[ "! $out/bin/nvim-wrapper" ]
|
||||
# [ "${stdenv.hostPlatform.emulator buildPackages} $out/bin/nvim-wrapper" ]
|
||||
[ "false && $out/bin/nvim-wrapper" ]
|
||||
upstream.postBuild;
|
||||
});
|
||||
# fixes `hostPrograms.moby.neovim` (but breaks eval of `hostPkgs.moby.neovim` :o)
|
||||
# wrapNeovimUnstable = neovim: config: (prev.wrapNeovimUnstable neovim config).overrideAttrs (upstream: {
|
||||
# # nvim wrapper has a sanity check that the plugins will load correctly.
|
||||
# # this is effectively a check phase and should be rewritten as such
|
||||
# postBuild = lib.replaceStrings
|
||||
# [ "! $out/bin/nvim-wrapper" ]
|
||||
# # [ "${stdenv.hostPlatform.emulator buildPackages} $out/bin/nvim-wrapper" ]
|
||||
# [ "false && $out/bin/nvim-wrapper" ]
|
||||
# upstream.postBuild;
|
||||
# });
|
||||
|
||||
# 2023/07/30: upstreaming is blocked on unar (gnustep), unless i also make that optional
|
||||
xarchiver = mvToNativeInputs [ libxslt ] prev.xarchiver;
|
||||
|
|
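--- a/scripts/clean
+++ b/scripts/clean
@@ -0,0 +1,23 @@
+#!/bin/sh
+# remove artifacts which i've accidentally left lying around
+# e.g. `result -> /nix/store/...` symlinks
+
+pushd ~/nixos
+
+# if this exists it'll interfere with the search
+rm -f result
+
+for result in $(fd --follow result) $(fd -uuu result); do
+if [[ "$(readlink "$result")" != /nix/store/* ]]; then
+# not a build artifact
+continue
+fi
+if [[ "$result" == build/* ]] || [[ "$result" == .working/* ]]; then
+# intentionally preserved build artifact
+continue
+fi
+
+echo "removing: $result"
+unlink "$result"
+done
+popd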
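Review bot: The `#!/bin/sh` shebang does not match the body: `pushd`/`popd` and `[[ … ]]` are bash features, so under a POSIX sh the directory change fails and each `[[` test becomes a missing-command error. The unchecked `pushd ~/nixos` is the more serious problem for a script that unlinks things: if that directory is absent, execution simply continues in the caller's current directory and `rm -f result` plus the `unlink` loop run there. The `for result in $(fd …)` loop also word-splits any path containing whitespace, and the two `fd` invocations can report the same path twice, so the second `unlink` fails noisily. Below, the shebang is switched to bash, the `pushd` aborts on failure, and the two listings are merged into one de-duplicated null-delimited stream; the loop body is unchanged.

```shell
#!/usr/bin/env bash
# … unchanged: header comments …

pushd ~/nixos || exit 1

# … unchanged: rm -f result …

# null-delimited so paths with whitespace survive; sort -zu drops the
# duplicates the two fd invocations can both report
{ fd --follow --print0 result; fd -uuu --print0 result; } \
  | sort -zu \
  | while IFS= read -r -d '' result; do
  # … unchanged: /nix/store check, build/.working check, echo, unlink …
done
popd
```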