Compare commits
5 Commits
master
...
wip-nix-fa
Author | SHA1 | Date |
---|---|---|
Colin | 084541da4c | |
Colin | f7a82a845c | |
Colin | 2bdef04552 | |
Colin | 2822a6f0dd | |
Colin | ab6e362f0c |
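--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,23 @@
 {
 "nodes": {
+"flake-parts": {
+"inputs": {
+"nixpkgs-lib": "nixpkgs-lib"
+},
+"locked": {
+"lastModified": 1698882062,
+"narHash": "sha256-HkhafUayIqxXyHH1X8d9RDl1M2CkFgZLjKD3MzabiEo=",
+"owner": "hercules-ci",
+"repo": "flake-parts",
+"rev": "8c9fa2545007b49a5db5f650ae91f227672c3877",
+"type": "github"
+},
+"original": {
+"owner": "hercules-ci",
+"repo": "flake-parts",
+"type": "github"
+}
+},
 "mobile-nixos": {
 "flake": false,
 "locked": {
@@ -17,6 +35,60 @@
 "type": "github"
 }
 },
+"nix-fast-build": {
+"inputs": {
+"flake-parts": "flake-parts",
+"nixpkgs": "nixpkgs",
+"treefmt-nix": "treefmt-nix"
+},
+"locked": {
+"lastModified": 1703607026,
+"narHash": "sha256-Emh0BPoqlS4ntp2UJrwydXfIP4qIMF0VBB2FUE3/M/E=",
+"owner": "Mic92",
+"repo": "nix-fast-build",
+"rev": "4376b8a33b217ee2f78ba3dcff01a3e464d13a46",
+"type": "github"
+},
+"original": {
+"owner": "Mic92",
+"repo": "nix-fast-build",
+"type": "github"
+}
+},
+"nixpkgs": {
+"locked": {
+"lastModified": 1698890957,
+"narHash": "sha256-DJ+SppjpPBoJr0Aro9TAcP3sxApCSieY6BYBCoWGUX8=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "c082856b850ec60cda9f0a0db2bc7bd8900d708c",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "nixpkgs-unstable",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"nixpkgs-lib": {
+"locked": {
+"dir": "lib",
+"lastModified": 1698611440,
+"narHash": "sha256-jPjHjrerhYDy3q9+s5EAsuhyhuknNfowY6yt6pjn9pc=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "0cbe9f69c234a7700596e943bfae7ef27a31b735",
+"type": "github"
+},
+"original": {
+"dir": "lib",
+"owner": "NixOS",
+"ref": "nixos-unstable",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
 "nixpkgs-next-unpatched": {
 "locked": {
 "lastModified": 1708992120,
@@ -68,6 +140,7 @@
 "root": {
 "inputs": {
 "mobile-nixos": "mobile-nixos",
+"nix-fast-build": "nix-fast-build",
 "nixpkgs-next-unpatched": "nixpkgs-next-unpatched",
 "nixpkgs-unpatched": "nixpkgs-unpatched",
 "sops-nix": "sops-nix",
@@ -95,6 +168,27 @@
 "type": "github"
 }
 },
+"treefmt-nix": {
+"inputs": {
+"nixpkgs": [
+"nix-fast-build",
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1698438538,
+"narHash": "sha256-AWxaKTDL3MtxaVTVU5lYBvSnlspOS0Fjt8GxBgnU0Do=",
+"owner": "numtide",
+"repo": "treefmt-nix",
+"rev": "5deb8dc125a9f83b65ca86cf0c8167c46593e0b1",
+"type": "github"
+},
+"original": {
+"owner": "numtide",
+"repo": "treefmt-nix",
+"type": "github"
+}
+},
 "uninsane-dot-org": {
 "inputs": {
 "nixpkgs": [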
||||||
|
|
|
@ -57,6 +57,10 @@
|
||||||
url = "github:nixos/mobile-nixos?ref=d25d3b87e7f300d8066e31d792337d9cd7ecd23b";
|
url = "github:nixos/mobile-nixos?ref=d25d3b87e7f300d8066e31d792337d9cd7ecd23b";
|
||||||
flake = false;
|
flake = false;
|
||||||
};
|
};
|
||||||
|
nix-fast-build = {
|
||||||
|
# https://github.com/Mic92/nix-fast-build
|
||||||
|
url = "github:Mic92/nix-fast-build";
|
||||||
|
};
|
||||||
sops-nix = {
|
sops-nix = {
|
||||||
# <https://github.com/Mic92/sops-nix>
|
# <https://github.com/Mic92/sops-nix>
|
||||||
# used to distribute secrets to my hosts
|
# used to distribute secrets to my hosts
|
||||||
|
@ -77,6 +81,7 @@
|
||||||
nixpkgs-unpatched,
|
nixpkgs-unpatched,
|
||||||
nixpkgs-next-unpatched ? nixpkgs-unpatched,
|
nixpkgs-next-unpatched ? nixpkgs-unpatched,
|
||||||
mobile-nixos,
|
mobile-nixos,
|
||||||
|
nix-fast-build,
|
||||||
sops-nix,
|
sops-nix,
|
||||||
uninsane-dot-org,
|
uninsane-dot-org,
|
||||||
...
|
...
|
||||||
|
@ -207,8 +212,11 @@
|
||||||
let
|
let
|
||||||
mobile = (import "${mobile-nixos}/overlay/overlay.nix");
|
mobile = (import "${mobile-nixos}/overlay/overlay.nix");
|
||||||
uninsane = uninsane-dot-org.overlays.default;
|
uninsane = uninsane-dot-org.overlays.default;
|
||||||
|
# TODO: why do i have to use `self.inputs.nix-fast-build` instead of just `nix-fast-build` here?
|
||||||
|
nix-fast-build = (_: prev: self.inputs.nix-fast-build.packages."${prev.stdenv.system}" or {});
|
||||||
in
|
in
|
||||||
(mobile final prev)
|
(mobile final prev)
|
||||||
|
// (nix-fast-build final prev)
|
||||||
// (uninsane final prev)
|
// (uninsane final prev)
|
||||||
;
|
;
|
||||||
};
|
};
|
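Review bot: The TODO above the `nix-fast-build` overlay binding has a direct answer: `let` bindings in Nix are recursive, so inside this `let` the name `nix-fast-build` refers to the overlay function being defined, not to the flake input from the outputs argument set, which is why only `self.inputs.nix-fast-build` resolves. Renaming the binding removes the shadowing and the TODO, e.g. `nix-fast-build-overlay = (_: prev: nix-fast-build.packages."${prev.stdenv.system}" or {});` together with `// (nix-fast-build-overlay final prev)`. Separately, the input added in the first hunk declares no `inputs.nixpkgs.follows`, so the lock file pins a second nixpkgs revision (plus flake-parts and treefmt-nix) for it and the merged packages are built from that pin rather than from the nixpkgs the rest of the flake uses. A one-line comment next to `url = "github:Mic92/nix-fast-build";` saying whether that separate pin is intended would help whoever audits the lock. The enclosing overlay definition starts and ends outside the hunk.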
||||||
|
|
|
@ -206,6 +206,8 @@ in
|
||||||
alsaUtils.sandbox.wrapperType = "wrappedDerivation";
|
alsaUtils.sandbox.wrapperType = "wrappedDerivation";
|
||||||
alsaUtils.sandbox.whitelistAudio = true; #< not strictly necessary?
|
alsaUtils.sandbox.whitelistAudio = true; #< not strictly necessary?
|
||||||
|
|
||||||
|
backblaze-b2 = {};
|
||||||
|
|
||||||
blanket.sandbox.method = "bwrap";
|
blanket.sandbox.method = "bwrap";
|
||||||
blanket.sandbox.wrapperType = "wrappedDerivation";
|
blanket.sandbox.wrapperType = "wrappedDerivation";
|
||||||
blanket.sandbox.whitelistAudio = true;
|
blanket.sandbox.whitelistAudio = true;
|
||||||
|
@ -243,6 +245,8 @@ in
|
||||||
|
|
||||||
cargo.persist.byStore.plaintext = [ ".cargo" ];
|
cargo.persist.byStore.plaintext = [ ".cargo" ];
|
||||||
|
|
||||||
|
clang = {};
|
||||||
|
|
||||||
# cryptsetup: typical use is `cryptsetup open /dev/loopxyz mappedName`, and creates `/dev/mapper/mappedName`
|
# cryptsetup: typical use is `cryptsetup open /dev/loopxyz mappedName`, and creates `/dev/mapper/mappedName`
|
||||||
cryptsetup.sandbox.method = "landlock";
|
cryptsetup.sandbox.method = "landlock";
|
||||||
cryptsetup.sandbox.wrapperType = "wrappedDerivation";
|
cryptsetup.sandbox.wrapperType = "wrappedDerivation";
|
||||||
|
@ -293,6 +297,8 @@ in
|
||||||
dtrx.sandbox.whitelistPwd = true;
|
dtrx.sandbox.whitelistPwd = true;
|
||||||
dtrx.sandbox.autodetectCliPaths = "existing"; #< for the archive
|
dtrx.sandbox.autodetectCliPaths = "existing"; #< for the archive
|
||||||
|
|
||||||
|
duplicity = {};
|
||||||
|
|
||||||
e2fsprogs.sandbox.method = "landlock";
|
e2fsprogs.sandbox.method = "landlock";
|
||||||
e2fsprogs.sandbox.wrapperType = "wrappedDerivation";
|
e2fsprogs.sandbox.wrapperType = "wrappedDerivation";
|
||||||
e2fsprogs.sandbox.autodetectCliPaths = "existing";
|
e2fsprogs.sandbox.autodetectCliPaths = "existing";
|
||||||
|
@ -303,6 +309,8 @@ in
|
||||||
"/sys/firmware/efi"
|
"/sys/firmware/efi"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
eg25-control = {};
|
||||||
|
|
||||||
electrum.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
electrum.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||||
electrum.sandbox.wrapperType = "wrappedDerivation";
|
electrum.sandbox.wrapperType = "wrappedDerivation";
|
||||||
electrum.sandbox.net = "all"; # TODO: probably want to make this run behind a VPN, always
|
electrum.sandbox.net = "all"; # TODO: probably want to make this run behind a VPN, always
|
||||||
|
@ -409,6 +417,8 @@ in
|
||||||
gdb.sandbox.wrapperType = "wrappedDerivation";
|
gdb.sandbox.wrapperType = "wrappedDerivation";
|
||||||
gdb.sandbox.autodetectCliPaths = true;
|
gdb.sandbox.autodetectCliPaths = true;
|
||||||
|
|
||||||
|
geoclue2-with-demo-agent = {};
|
||||||
|
|
||||||
# MS GitHub stores auth token in .config
|
# MS GitHub stores auth token in .config
|
||||||
# TODO: we can populate gh's stuff statically; it even lets us use the same oauth across machines
|
# TODO: we can populate gh's stuff statically; it even lets us use the same oauth across machines
|
||||||
gh.persist.byStore.private = [ ".config/gh" ];
|
gh.persist.byStore.private = [ ".config/gh" ];
|
||||||
|
@ -505,6 +515,9 @@ in
|
||||||
".persist/plaintext"
|
".persist/plaintext"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
gnused = {};
|
||||||
|
gpsd = {};
|
||||||
|
|
||||||
gptfdisk.sandbox.method = "landlock";
|
gptfdisk.sandbox.method = "landlock";
|
||||||
gptfdisk.sandbox.wrapperType = "wrappedDerivation";
|
gptfdisk.sandbox.wrapperType = "wrappedDerivation";
|
||||||
gptfdisk.sandbox.extraPaths = [
|
gptfdisk.sandbox.extraPaths = [
|
||||||
|
@ -512,6 +525,8 @@ in
|
||||||
];
|
];
|
||||||
gptfdisk.sandbox.autodetectCliPaths = "existing"; #< sometimes you'll use gdisk on a device file.
|
gptfdisk.sandbox.autodetectCliPaths = "existing"; #< sometimes you'll use gdisk on a device file.
|
||||||
|
|
||||||
|
grim = {};
|
||||||
|
|
||||||
hase.sandbox.method = "bwrap";
|
hase.sandbox.method = "bwrap";
|
||||||
hase.sandbox.wrapperType = "wrappedDerivation";
|
hase.sandbox.wrapperType = "wrappedDerivation";
|
||||||
hase.sandbox.net = "clearnet";
|
hase.sandbox.net = "clearnet";
|
||||||
|
@ -643,6 +658,8 @@ in
|
||||||
lsof.sandbox.method = "capshonly"; # lsof doesn't sandbox under bwrap or even landlock w/ full access to /
|
lsof.sandbox.method = "capshonly"; # lsof doesn't sandbox under bwrap or even landlock w/ full access to /
|
||||||
lsof.sandbox.wrapperType = "wrappedDerivation";
|
lsof.sandbox.wrapperType = "wrappedDerivation";
|
||||||
|
|
||||||
|
lua = {};
|
||||||
|
|
||||||
"mate.engrampa".sandbox.method = "bwrap"; # TODO:sandbox: untested
|
"mate.engrampa".sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||||
"mate.engrampa".sandbox.wrapperType = "inplace";
|
"mate.engrampa".sandbox.wrapperType = "inplace";
|
||||||
"mate.engrampa".sandbox.whitelistWayland = true;
|
"mate.engrampa".sandbox.whitelistWayland = true;
|
||||||
|
@ -717,6 +734,8 @@ in
|
||||||
"/proc"
|
"/proc"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
nodejs = {};
|
||||||
|
|
||||||
# `nvme list` only shows results when run as root.
|
# `nvme list` only shows results when run as root.
|
||||||
nvme-cli.sandbox.method = "landlock";
|
nvme-cli.sandbox.method = "landlock";
|
||||||
nvme-cli.sandbox.wrapperType = "wrappedDerivation";
|
nvme-cli.sandbox.wrapperType = "wrappedDerivation";
|
||||||
|
@ -743,6 +762,8 @@ in
|
||||||
];
|
];
|
||||||
parted.sandbox.autodetectCliPaths = "existing"; #< sometimes you'll use parted on a device file.
|
parted.sandbox.autodetectCliPaths = "existing"; #< sometimes you'll use parted on a device file.
|
||||||
|
|
||||||
|
patchelf = {};
|
||||||
|
|
||||||
pavucontrol.sandbox.method = "bwrap";
|
pavucontrol.sandbox.method = "bwrap";
|
||||||
pavucontrol.sandbox.wrapperType = "wrappedDerivation";
|
pavucontrol.sandbox.wrapperType = "wrappedDerivation";
|
||||||
pavucontrol.sandbox.whitelistAudio = true;
|
pavucontrol.sandbox.whitelistAudio = true;
|
||||||
|
@ -801,6 +822,8 @@ in
|
||||||
rsync.sandbox.net = "clearnet";
|
rsync.sandbox.net = "clearnet";
|
||||||
rsync.sandbox.autodetectCliPaths = "existingOrParent";
|
rsync.sandbox.autodetectCliPaths = "existingOrParent";
|
||||||
|
|
||||||
|
rustc = {};
|
||||||
|
|
||||||
screen.sandbox.enable = false; #< tty; needs to run anything
|
screen.sandbox.enable = false; #< tty; needs to run anything
|
||||||
|
|
||||||
sequoia.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
sequoia.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||||
|
@ -818,6 +841,8 @@ in
|
||||||
# printer/filament settings
|
# printer/filament settings
|
||||||
slic3r.persist.byStore.plaintext = [ ".Slic3r" ];
|
slic3r.persist.byStore.plaintext = [ ".Slic3r" ];
|
||||||
|
|
||||||
|
slurp = {};
|
||||||
|
|
||||||
# use like `sudo smartctl /dev/sda -a`
|
# use like `sudo smartctl /dev/sda -a`
|
||||||
smartmontools.sandbox.method = "landlock";
|
smartmontools.sandbox.method = "landlock";
|
||||||
smartmontools.sandbox.wrapperType = "inplace"; # ships a script in /etc that calls into its bin
|
smartmontools.sandbox.wrapperType = "inplace"; # ships a script in /etc that calls into its bin
|
||||||
|
@ -864,6 +889,8 @@ in
|
||||||
speedtest-cli.sandbox.wrapperType = "wrappedDerivation";
|
speedtest-cli.sandbox.wrapperType = "wrappedDerivation";
|
||||||
speedtest-cli.sandbox.net = "all";
|
speedtest-cli.sandbox.net = "all";
|
||||||
|
|
||||||
|
sqlite = {};
|
||||||
|
|
||||||
strace.sandbox.enable = false; #< needs to `exec` its args, and therefore support *anything*
|
strace.sandbox.enable = false; #< needs to `exec` its args, and therefore support *anything*
|
||||||
|
|
||||||
subversion.sandbox.method = "bwrap";
|
subversion.sandbox.method = "bwrap";
|
||||||
|
@ -963,6 +990,8 @@ in
|
||||||
wl-clipboard.sandbox.wrapperType = "wrappedDerivation";
|
wl-clipboard.sandbox.wrapperType = "wrappedDerivation";
|
||||||
wl-clipboard.sandbox.whitelistWayland = true;
|
wl-clipboard.sandbox.whitelistWayland = true;
|
||||||
|
|
||||||
|
wtype = {};
|
||||||
|
|
||||||
xwayland.sandbox.method = "bwrap";
|
xwayland.sandbox.method = "bwrap";
|
||||||
xwayland.sandbox.wrapperType = "inplace"; #< consumers use it as a library (e.g. wlroots)
|
xwayland.sandbox.wrapperType = "inplace"; #< consumers use it as a library (e.g. wlroots)
|
||||||
xwayland.sandbox.whitelistWayland = true; #< just assuming this is needed
|
xwayland.sandbox.whitelistWayland = true; #< just assuming this is needed
|
||||||
|
@ -978,13 +1007,11 @@ in
|
||||||
yt-dlp.sandbox.wrapperType = "wrappedDerivation";
|
yt-dlp.sandbox.wrapperType = "wrappedDerivation";
|
||||||
yt-dlp.sandbox.net = "all";
|
yt-dlp.sandbox.net = "all";
|
||||||
yt-dlp.sandbox.whitelistPwd = true; # saves to pwd by default
|
yt-dlp.sandbox.whitelistPwd = true; # saves to pwd by default
|
||||||
|
|
||||||
|
zfs = {};
|
||||||
};
|
};
|
||||||
|
|
||||||
programs.feedbackd = lib.mkIf config.sane.programs.feedbackd.enabled {
|
programs.feedbackd = lib.mkIf config.sane.programs.feedbackd.enabled {
|
||||||
enable = true;
|
enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
programs.firejail = lib.mkIf config.sane.programs.firejail.enabled {
|
|
||||||
enable = true; #< install the suid binary
|
|
||||||
};
|
|
||||||
}
|
}
|
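Review bot: The entries added as a bare `name = {};` in this section (`backblaze-b2`, `clang`, `duplicity`, `eg25-control`, `geoclue2-with-demo-agent`, `gnused`, `gpsd`, `grim`, `lua`, `nodejs`, `patchelf`, `rustc`, `slurp`, `sqlite`, `wtype`, `zfs`) set no `sandbox.method`, unlike most of their neighbours, so whatever confinement they get depends on a module default that is not visible here. For the ones that presumably hold credentials or reach the network, such as `backblaze-b2` and `duplicity`, I would either set the sandbox options explicitly or flag them the way the file already flags open items, e.g. `duplicity = {};  # TODO:sandbox: not yet sandboxed`. The same applies to the `sane-scripts.*` entries added as `{}` in the sane-scripts section further down (`backup-ls`, `backup-restore`, `ip-port-forward`, `stop-all-servo`, `sync-music`, `sync-from-iphone`).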
||||||
|
|
|
@ -26,6 +26,7 @@
|
||||||
./evince.nix
|
./evince.nix
|
||||||
./feedbackd.nix
|
./feedbackd.nix
|
||||||
./firefox.nix
|
./firefox.nix
|
||||||
|
./firejail.nix
|
||||||
./flare-signal.nix
|
./flare-signal.nix
|
||||||
./fontconfig.nix
|
./fontconfig.nix
|
||||||
./fractal.nix
|
./fractal.nix
|
||||||
|
|
|
@ -0,0 +1,8 @@
|
||||||
|
{ lib, config, ... }:
|
||||||
|
{
|
||||||
|
sane.programs.firejail = {};
|
||||||
|
|
||||||
|
programs.firejail = lib.mkIf config.sane.programs.firejail.enabled {
|
||||||
|
enable = true; #< install the suid binary
|
||||||
|
};
|
||||||
|
}
|
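Review bot: The only documentation on `programs.firejail.enable = true` is `#< install the suid binary`, and the new file does not say which program needs firejail when the other entries on this page use `bwrap`, `landlock` or `capshonly`. A setuid helper adds privileged attack surface on every host that enables it, so the reason for carrying it should be written down. I would add a comment above `sane.programs.firejail = {};` along the lines of `# firejail: setuid sandbox helper; enable only on hosts that need it for <program>`, with the actual consumer filled in.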
|
@ -1,5 +1,6 @@
|
||||||
{ config, lib, ... }:
|
{ config, lib, ... }:
|
||||||
{
|
{
|
||||||
|
sane.programs.fwupd = {};
|
||||||
services.fwupd = lib.mkIf config.sane.programs.fwupd.enabled {
|
services.fwupd = lib.mkIf config.sane.programs.fwupd.enabled {
|
||||||
# enables the dbus service, which i think the frontend speaks to.
|
# enables the dbus service, which i think the frontend speaks to.
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
|
@ -49,6 +49,9 @@ in
|
||||||
"sane-scripts.sync-music"
|
"sane-scripts.sync-music"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
"sane-scripts.backup-ls" = {};
|
||||||
|
"sane-scripts.backup-restore" = {};
|
||||||
|
|
||||||
"sane-scripts.bt-add".sandbox = {
|
"sane-scripts.bt-add".sandbox = {
|
||||||
method = "bwrap";
|
method = "bwrap";
|
||||||
wrapperType = "wrappedDerivation";
|
wrapperType = "wrappedDerivation";
|
||||||
|
@ -121,6 +124,8 @@ in
|
||||||
net = "all";
|
net = "all";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
"sane-scripts.ip-port-forward" = {};
|
||||||
|
|
||||||
"sane-scripts.private-change-passwd".sandbox = {
|
"sane-scripts.private-change-passwd".sandbox = {
|
||||||
method = "bwrap";
|
method = "bwrap";
|
||||||
wrapperType = "wrappedDerivation";
|
wrapperType = "wrappedDerivation";
|
||||||
|
@ -216,9 +221,14 @@ in
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
"sane-scripts.stop-all-servo" = {};
|
||||||
|
|
||||||
# if `tee` isn't trustworthy we have bigger problems
|
# if `tee` isn't trustworthy we have bigger problems
|
||||||
"sane-scripts.sudo-redirect".sandbox.enable = false;
|
"sane-scripts.sudo-redirect".sandbox.enable = false;
|
||||||
|
|
||||||
|
"sane-scripts.sync-music" = {};
|
||||||
|
"sane-scripts.sync-from-iphone" = {};
|
||||||
|
|
||||||
"sane-scripts.tag-music".sandbox = {
|
"sane-scripts.tag-music".sandbox = {
|
||||||
method = "bwrap";
|
method = "bwrap";
|
||||||
wrapperType = "wrappedDerivation";
|
wrapperType = "wrappedDerivation";
|
||||||
|
|
|
@ -10,7 +10,6 @@ in
|
||||||
./gnome.nix
|
./gnome.nix
|
||||||
./greetd.nix
|
./greetd.nix
|
||||||
./gtk.nix
|
./gtk.nix
|
||||||
./phosh.nix
|
|
||||||
./sxmo
|
./sxmo
|
||||||
./theme
|
./theme
|
||||||
];
|
];
|
||||||
|
|
|
@ -1,159 +0,0 @@
|
||||||
{ lib, config, pkgs, ... }:
|
|
||||||
|
|
||||||
with lib;
|
|
||||||
let
|
|
||||||
cfg = config.sane.gui.phosh;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
options = {
|
|
||||||
sane.gui.phosh.enable = mkOption {
|
|
||||||
default = false;
|
|
||||||
type = types.bool;
|
|
||||||
};
|
|
||||||
sane.gui.phosh.useGreeter = mkOption {
|
|
||||||
description = ''
|
|
||||||
launch phosh via a greeter (like lightdm-mobile-greeter).
|
|
||||||
phosh is usable without a greeter, but skipping the greeter means no PAM session.
|
|
||||||
'';
|
|
||||||
default = true;
|
|
||||||
type = types.bool;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = mkMerge [
|
|
||||||
{
|
|
||||||
sane.programs.phoshApps = {
|
|
||||||
packageUnwrapped = null;
|
|
||||||
suggestedPrograms = [
|
|
||||||
"guiApps"
|
|
||||||
# TODO: see about removing gnome-bluetooth if the in-built gnome-settings bluetooth manager can work
|
|
||||||
"gnome.gnome-bluetooth"
|
|
||||||
"gnome.gnome-terminal"
|
|
||||||
"phosh-mobile-settings"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
(mkIf cfg.enable {
|
|
||||||
sane.programs.phoshApps.enableFor.user.colin = true;
|
|
||||||
|
|
||||||
# docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
|
|
||||||
# docs: <repo:gnome/phosh:src/phoc.ini.example>
|
|
||||||
# docs: <repo:gnome/phosh:src/settings.c#config_ini_handler>
|
|
||||||
services.xserver.desktopManager.phosh = {
|
|
||||||
enable = true;
|
|
||||||
user = "colin";
|
|
||||||
group = "users";
|
|
||||||
phocConfig = {
|
|
||||||
# xwayland = "true";
|
|
||||||
# find default outputs by catting /etc/phosh/phoc.ini
|
|
||||||
outputs.DSI-1 = {
|
|
||||||
scale = 1.5;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
# phosh enables `services.gnome.{core-os-services, core-shell}`
|
|
||||||
# and this in turn enables some default apps we don't really care about.
|
|
||||||
# see <nixos/modules/services/x11/desktop-managers/gnome.nix>
|
|
||||||
environment.gnome.excludePackages = with pkgs; [
|
|
||||||
# gnome.gnome-menus # unused outside gnome classic, but probably harmless
|
|
||||||
gnome-tour
|
|
||||||
];
|
|
||||||
services.dleyna-renderer.enable = false;
|
|
||||||
services.dleyna-server.enable = false;
|
|
||||||
services.gnome.gnome-browser-connector.enable = false;
|
|
||||||
services.gnome.gnome-initial-setup.enable = false;
|
|
||||||
services.gnome.gnome-online-accounts.enable = false;
|
|
||||||
services.gnome.gnome-remote-desktop.enable = false;
|
|
||||||
services.gnome.gnome-user-share.enable = false;
|
|
||||||
services.gnome.rygel.enable = false;
|
|
||||||
|
|
||||||
# gnome doesn't use mkDefault for these -- unclear why not
|
|
||||||
services.gnome.evolution-data-server.enable = mkForce false;
|
|
||||||
services.gnome.gnome-online-miners.enable = mkForce false;
|
|
||||||
|
|
||||||
# XXX: phosh enables networkmanager by default; can probably disable these lines
|
|
||||||
networking.networkmanager.enable = true;
|
|
||||||
networking.wireless.enable = lib.mkForce false;
|
|
||||||
|
|
||||||
# XXX: not clear if these are actually needed?
|
|
||||||
hardware.bluetooth.enable = true;
|
|
||||||
services.blueman.enable = true;
|
|
||||||
|
|
||||||
hardware.opengl.enable = true;
|
|
||||||
hardware.opengl.driSupport = true;
|
|
||||||
|
|
||||||
environment.variables = {
|
|
||||||
# Qt apps won't always start unless this env var is set
|
|
||||||
QT_QPA_PLATFORM = "wayland";
|
|
||||||
# electron apps (e.g. Element) should use the wayland backend
|
|
||||||
# toggle this to have electron apps (e.g. Element) use the wayland backend.
|
|
||||||
# phocConfig.xwayland should be disabled if you do this
|
|
||||||
NIXOS_OZONE_WL = "1";
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.phosh.environment = {
|
|
||||||
# PHOC_DEBUG: comma-separated list of:
|
|
||||||
# - ``auto-maximize``: Maximize toplevels
|
|
||||||
# - ``damage-tracking``: Debug damage tracking
|
|
||||||
# - ``no-quit``: Don't quit when session ends
|
|
||||||
# - ``touch-points``: Debug touch points
|
|
||||||
# - ``layer-shell``: Debug layer shell
|
|
||||||
# - ``cutouts``: Debug display cutouts and notches
|
|
||||||
PHOC_DEBUG = "layer-shell";
|
|
||||||
# G_DEBUG, G_MESSAGE_DEBUG for glib debugging: <https://docs.gtk.org/glib/running.html>
|
|
||||||
};
|
|
||||||
|
|
||||||
programs.dconf.packages = [
|
|
||||||
# org.kde.konsole.desktop
|
|
||||||
(pkgs.writeTextFile {
|
|
||||||
name = "dconf-phosh-settings";
|
|
||||||
destination = "/etc/dconf/db/site.d/00_phosh_settings";
|
|
||||||
text = ''
|
|
||||||
[org/gnome/desktop/interface]
|
|
||||||
show-battery-percentage=true
|
|
||||||
|
|
||||||
[org/gnome/settings-daemon/plugins/power]
|
|
||||||
sleep-inactive-ac-timeout=5400
|
|
||||||
sleep-inactive-battery-timeout=5400
|
|
||||||
|
|
||||||
[sm/puri/phosh]
|
|
||||||
favorites=['gpodder.desktop', 'nheko.desktop', 'sublime-music.desktop', 'firefox.desktop', 'org.gnome.Terminal.desktop']
|
|
||||||
'';
|
|
||||||
})
|
|
||||||
];
|
|
||||||
})
|
|
||||||
|
|
||||||
(mkIf (cfg.enable && cfg.useGreeter) {
|
|
||||||
services.xserver.enable = true;
|
|
||||||
# NB: setting defaultSession has the critical side-effect that it lets org.freedesktop.AccountsService
|
|
||||||
# know that our user exists. this ensures lightdm succeeds when calling /org/freedesktop/AccountsServices ListCachedUsers
|
|
||||||
# lightdm greeters get the login users from lightdm which gets it from org.freedesktop.Accounts.ListCachedUsers.
|
|
||||||
# this requires the user we want to login as to be cached.
|
|
||||||
services.xserver.displayManager.job.preStart = ''
|
|
||||||
${pkgs.systemd}/bin/busctl call org.freedesktop.Accounts /org/freedesktop/Accounts org.freedesktop.Accounts CacheUser s colin
|
|
||||||
'';
|
|
||||||
# XXX for some reason specifying defaultSession = "sm.puri.Phosh" breaks cross-compiled display-manager startup
|
|
||||||
# - causes an attempt to load x86-64 glib-2.76.2/lib/libglib-2.0.so.0
|
|
||||||
# - likely <repo:nixpkgs:nixos/modules/services/x11/display-managers/account-service-util.nix>
|
|
||||||
# - but i believe some variant of this issue existed even during emulated compilation
|
|
||||||
# services.xserver.displayManager.defaultSession = "sm.puri.Phosh";
|
|
||||||
services.xserver.displayManager.lightdm.extraSeatDefaults = ''
|
|
||||||
user-session = phosh
|
|
||||||
'';
|
|
||||||
# services.xserver.displayManager.lightdm.greeters.gtk.enable = false; # gtk greeter overrides our own?
|
|
||||||
# services.xserver.displayManager.lightdm.greeter = {
|
|
||||||
# enable = true;
|
|
||||||
# package = pkgs.lightdm-mobile-greeter.xgreeters;
|
|
||||||
# name = "lightdm-mobile-greeter";
|
|
||||||
# };
|
|
||||||
# # services.xserver.displayManager.lightdm.enable = true;
|
|
||||||
|
|
||||||
services.xserver.displayManager.lightdm.enable = true;
|
|
||||||
services.xserver.displayManager.lightdm.greeters.mobile.enable = true;
|
|
||||||
|
|
||||||
systemd.services.phosh.wantedBy = lib.mkForce []; # disable auto-start
|
|
||||||
})
|
|
||||||
];
|
|
||||||
}
|
|
|
@ -652,26 +652,8 @@ in
|
||||||
{
|
{
|
||||||
environment.pathsToLink = [ "/share/sane-sandboxed" ];
|
environment.pathsToLink = [ "/share/sane-sandboxed" ];
|
||||||
environment.systemPackages = [ config.sane.sandboxHelper ];
|
environment.systemPackages = [ config.sane.sandboxHelper ];
|
||||||
}
|
|
||||||
{
|
|
||||||
# expose the pkgs -- as available to the system -- as a build target.
|
# expose the pkgs -- as available to the system -- as a build target.
|
||||||
system.build.pkgs = pkgs;
|
system.build.pkgs = pkgs;
|
||||||
|
|
||||||
sane.programs = lib.mkMerge [
|
|
||||||
# make a program for every (toplevel) package
|
|
||||||
(lib.mapAttrs (_pkgName: _pkg: {}) pkgs)
|
|
||||||
|
|
||||||
# do the same for programs in known groups
|
|
||||||
(lib.mapAttrs' (pkgName: _pkg: { name = "cacert.${pkgName}"; value = {}; }) pkgs.cacert)
|
|
||||||
(lib.mapAttrs' (pkgName: _pkg: { name = "gnome.${pkgName}"; value = {}; }) pkgs.gnome)
|
|
||||||
(lib.mapAttrs' (pkgName: _pkg: { name = "libsForQt5.${pkgName}"; value = {}; }) pkgs.libsForQt5)
|
|
||||||
(lib.mapAttrs' (pkgName: _pkg: { name = "mate.${pkgName}"; value = {}; }) pkgs.mate)
|
|
||||||
(lib.mapAttrs' (pkgName: _pkg: { name = "perlPackages.${pkgName}"; value = {}; }) pkgs.perlPackages)
|
|
||||||
(lib.mapAttrs' (pkgName: _pkg: { name = "plasma5Packages.${pkgName}"; value = {}; }) pkgs.plasma5Packages)
|
|
||||||
(lib.mapAttrs' (pkgName: _pkg: { name = "python3Packages.${pkgName}"; value = {}; }) pkgs.python3Packages)
|
|
||||||
(lib.mapAttrs' (pkgName: _pkg: { name = "sane-scripts.${pkgName}"; value = {}; }) pkgs.sane-scripts)
|
|
||||||
(lib.mapAttrs' (pkgName: _pkg: { name = "sway-contrib.${pkgName}"; value = {}; }) pkgs.sway-contrib)
|
|
||||||
];
|
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
@ -28,10 +28,10 @@ wipe_browser() {
|
||||||
|| true # in case no matches
|
|| true # in case no matches
|
||||||
|
|
||||||
# browsers like to stick around in the background so they can load faster
|
# browsers like to stick around in the background so they can load faster
|
||||||
sudo pkill brave || true
|
pkill brave || true
|
||||||
sudo pkill epiphany || true
|
pkill epiphany || true
|
||||||
sudo pkill firefox || true
|
pkill firefox || true
|
||||||
sudo pkill librewolf || true
|
pkill librewolf || true
|
||||||
}
|
}
|
||||||
|
|
||||||
wipe_dino() {
|
wipe_dino() {
|
||||||
|
|
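Review bot: With `sudo` dropped, each `pkill … || true` in `wipe_browser` signals only processes the invoking user owns, and `|| true` hides a refused or failed kill exactly as it hides "no matches". If the wipe is the command that ends just above this hunk (it is cut off here), the browsers are signalled after their data is removed, and one that survives or flushes state on exit can recreate it. I would check that nothing is left running before returning, e.g. `pgrep -u "$(id -u)" 'brave|epiphany|firefox|librewolf' >/dev/null && echo "browser still running; profile may be rewritten" >&2`. `wipe_browser` starts above the hunk.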