colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: colin:staging/gtk-theme
Branches Tags
colin:master colin:2025-03-02-pure colin:2025-02-23-nixpkgs-update colin:2025-02-17-nixpkgs-update-2 colin:2025-02-17-nixpkgs-update colin:2025-01-30-wip-blanket colin:2025-01-30-wip-sane-vpn-up-bind-fix colin:2024-12-29-bind colin:2024-12-26-nixpkgs-update colin:2024-09-25-ppp-kernel colin:2024-09-20-megapixels colin:2024-08-14-wip-sandbox-share colin:2024-08-12-wip-flatpak colin:2024-08-11-wip-firefox-xdg-open colin:wip-2024-08-01-nixpkgs-bump colin:wip-secure-mounts colin:wip-login-gocryptfs-rework2 colin:dev colin:save-geoclue-polkit-override colin:wip-doofnet colin:tx-to-desko colin:wip-nm-systemd-sandbox colin:test-nm-nixpkgs-refactor colin:wip-polyunfill-pam colin:wip-trust-dns colin:wip-mpv-sysvol colin:wip-s6-2 colin:wip-nix-fast-build colin:wg-dev colin:wip-mootube colin:wip-swaync-update colin:wip-sxmo-suspend colin:sxmo-sway-merge colin:dev-export colin:wip-proot3 colin:wip-emulate-builder3 colin:wip-emulate-builder2 colin:wip-emulate-builder colin:staging/nixpkgs-2023-07-29 colin:staging/nixpkgs-2023-07-25 colin:wip/koreader colin:staging/gtk-theme colin:staging/nixpkgs-2023-06-27 colin:staging/nixpkgs-2023-06-23 colin:staging/nixpkgs-2023-06-22 colin:wip/sxmo-as-pkg2 colin:wip/sxmo-as-pkg colin:staging/nixpkgs-2023-06-10 colin:staging/nixpkgs-2023-06-07 colin:staging/jellyfin-cross colin:staging/dns-refactor colin:staging/nixpkgs-2023-05-24 colin:staging/nixpkgs-2023-05-22 colin:staging/librewolf-ext colin:staging/nixpkgs-2023-05-14 colin:staging/nur colin:staging/nixpkgs-2023-04-28 colin:staging/nixpkgs-2023-04-24-staging-next colin:staging/nixpkgs-2023-04-19-staging-next colin:staging/nixpkgs-2023-04-11 colin:staging/nixpkgs-2023-04-08 colin:wip/less-disable-flakey-tests colin:staging/nixpkgs-next-2023-03-28 colin:staging/nixpkgs-next-2023-03-11 colin:staging/nixpkgs-2023-03-09 colin:staging/nixpkgs-2023-03-08 colin:staging/nixpkgs-2023-03-04 colin:staging/ccache colin:wip/ccache colin:staging/mesa-downgrade-10 colin:staging/mesa-downgrade-12 colin:staging/nixpkgs-2023-02-25 colin:staging/mesa-downgrade-9 colin:staging/mesa-downgrade-8 colin:staging/nixpkgs-2023-02-09 colin:staging/mesa-downgrade-7 colin:staging/mesa-downgrade-6 colin:staging/mesa-downgrade-5 colin:staging/mesa-downgrade-4 colin:staging/mesa-downgrade-3 colin:staging/mesa-downgrade-2 colin:staging/nixpkgs-2023-02-01 colin:staging/mesa-downgrade colin:wip/packages2 colin:wip/packages colin:archive/dovecot-sieve colin:historic/fix-handbrake colin:wip/sway3-dbg colin:wip/sway2 colin:wip/sway colin:staging/nixpkgs-2023-01-25 colin:staging/linux-6.2 colin:staging/nixpkgs-2023-01-23 colin:wip/hosts colin:staging/nixpkgs-2023-01-15 colin:wip/signal colin:wip/mx-signal colin:wip/flake-std-uri colin:stable colin:staging/master colin:wip/moby-kernel colin:wip/feeds3 colin:wip/feeds2 colin:wip/overlays colin:wip/feeds colin:staging/merge colin:staging/nixpkgs-2023-01-04 colin:staging/impermanence-stores colin:wip/impermanence-fs colin:staging/impermanence-encrypt2 colin:staging/impermanence-encrypt colin:staging/nixpkgs-2022-12-22 colin:staging/nixpkgs-2022-12-18 colin:staging/nixpkgs-2022-12-02 colin:staging/moby-6.1.0-rc7 colin:staging/nixpkgs-2022-11-27 colin:ryzen-servo colin:staging/nixpkgs-2022-11-21 colin:staging/nixpkgs-2022-11-09 colin:staging/lightdm-mobile-upstream colin:staging/nixpkgs-2022-10-31 colin:stacking/nixpkgs-2022-10-30 colin:staging/nixpkgs-2022-10-29 colin:wip/tokodon colin:staging/pleroma-update colin:staging/nixpkgs-2022-10-22 colin:testing/munin colin:staging/nixpkgs-2022-10-20 colin:staging/phosh-lightdm colin:archive/2022-10-14-matrix-appservice-discord colin:staging/nixpkgs-2022-10-08 colin:wip/arm-flutter colin:staging/2022-10-08-flutter-update colin:staging/phosh-mobile-settings-2 colin:staging/phosh-mobile-settings colin:fork/alsa-pinephone-patch colin:wip.fluffychat.2022.09.20 colin:wip/fluffychat colin:wip-vulkan colin:wip-servoimg colin:wip-kaiteki
colin:test-tag
..
compare: colin:staging/dns-refactor
Branches Tags
colin:master colin:2025-03-02-pure colin:2025-02-23-nixpkgs-update colin:2025-02-17-nixpkgs-update-2 colin:2025-02-17-nixpkgs-update colin:2025-01-30-wip-blanket colin:2025-01-30-wip-sane-vpn-up-bind-fix colin:2024-12-29-bind colin:2024-12-26-nixpkgs-update colin:2024-09-25-ppp-kernel colin:2024-09-20-megapixels colin:2024-08-14-wip-sandbox-share colin:2024-08-12-wip-flatpak colin:2024-08-11-wip-firefox-xdg-open colin:wip-2024-08-01-nixpkgs-bump colin:wip-secure-mounts colin:wip-login-gocryptfs-rework2 colin:dev colin:save-geoclue-polkit-override colin:wip-doofnet colin:tx-to-desko colin:wip-nm-systemd-sandbox colin:test-nm-nixpkgs-refactor colin:wip-polyunfill-pam colin:wip-trust-dns colin:wip-mpv-sysvol colin:wip-s6-2 colin:wip-nix-fast-build colin:wg-dev colin:wip-mootube colin:wip-swaync-update colin:wip-sxmo-suspend colin:sxmo-sway-merge colin:dev-export colin:wip-proot3 colin:wip-emulate-builder3 colin:wip-emulate-builder2 colin:wip-emulate-builder colin:staging/nixpkgs-2023-07-29 colin:staging/nixpkgs-2023-07-25 colin:wip/koreader colin:staging/gtk-theme colin:staging/nixpkgs-2023-06-27 colin:staging/nixpkgs-2023-06-23 colin:staging/nixpkgs-2023-06-22 colin:wip/sxmo-as-pkg2 colin:wip/sxmo-as-pkg colin:staging/nixpkgs-2023-06-10 colin:staging/nixpkgs-2023-06-07 colin:staging/jellyfin-cross colin:staging/dns-refactor colin:staging/nixpkgs-2023-05-24 colin:staging/nixpkgs-2023-05-22 colin:staging/librewolf-ext colin:staging/nixpkgs-2023-05-14 colin:staging/nur colin:staging/nixpkgs-2023-04-28 colin:staging/nixpkgs-2023-04-24-staging-next colin:staging/nixpkgs-2023-04-19-staging-next colin:staging/nixpkgs-2023-04-11 colin:staging/nixpkgs-2023-04-08 colin:wip/less-disable-flakey-tests colin:staging/nixpkgs-next-2023-03-28 colin:staging/nixpkgs-next-2023-03-11 colin:staging/nixpkgs-2023-03-09 colin:staging/nixpkgs-2023-03-08 colin:staging/nixpkgs-2023-03-04 colin:staging/ccache colin:wip/ccache colin:staging/mesa-downgrade-10 colin:staging/mesa-downgrade-12 colin:staging/nixpkgs-2023-02-25 colin:staging/mesa-downgrade-9 colin:staging/mesa-downgrade-8 colin:staging/nixpkgs-2023-02-09 colin:staging/mesa-downgrade-7 colin:staging/mesa-downgrade-6 colin:staging/mesa-downgrade-5 colin:staging/mesa-downgrade-4 colin:staging/mesa-downgrade-3 colin:staging/mesa-downgrade-2 colin:staging/nixpkgs-2023-02-01 colin:staging/mesa-downgrade colin:wip/packages2 colin:wip/packages colin:archive/dovecot-sieve colin:historic/fix-handbrake colin:wip/sway3-dbg colin:wip/sway2 colin:wip/sway colin:staging/nixpkgs-2023-01-25 colin:staging/linux-6.2 colin:staging/nixpkgs-2023-01-23 colin:wip/hosts colin:staging/nixpkgs-2023-01-15 colin:wip/signal colin:wip/mx-signal colin:wip/flake-std-uri colin:stable colin:staging/master colin:wip/moby-kernel colin:wip/feeds3 colin:wip/feeds2 colin:wip/overlays colin:wip/feeds colin:staging/merge colin:staging/nixpkgs-2023-01-04 colin:staging/impermanence-stores colin:wip/impermanence-fs colin:staging/impermanence-encrypt2 colin:staging/impermanence-encrypt colin:staging/nixpkgs-2022-12-22 colin:staging/nixpkgs-2022-12-18 colin:staging/nixpkgs-2022-12-02 colin:staging/moby-6.1.0-rc7 colin:staging/nixpkgs-2022-11-27 colin:ryzen-servo colin:staging/nixpkgs-2022-11-21 colin:staging/nixpkgs-2022-11-09 colin:staging/lightdm-mobile-upstream colin:staging/nixpkgs-2022-10-31 colin:stacking/nixpkgs-2022-10-30 colin:staging/nixpkgs-2022-10-29 colin:wip/tokodon colin:staging/pleroma-update colin:staging/nixpkgs-2022-10-22 colin:testing/munin colin:staging/nixpkgs-2022-10-20 colin:staging/phosh-lightdm colin:archive/2022-10-14-matrix-appservice-discord colin:staging/nixpkgs-2022-10-08 colin:wip/arm-flutter colin:staging/2022-10-08-flutter-update colin:staging/phosh-mobile-settings-2 colin:staging/phosh-mobile-settings colin:fork/alsa-pinephone-patch colin:wip.fluffychat.2022.09.20 colin:wip/fluffychat colin:wip-vulkan colin:wip-servoimg colin:wip-kaiteki
colin:test-tag

2 Commits
staging/gt ... staging/dn

Author SHA1 Message Date
Colin
20bdad9132 add missing dns.nix module 2023-06-07 23:36:15 +00:00
Colin
7aaab9eb30 WIP: DNS: split the zone generation out of trust-dns 
this is in preparation for upstreaming parts of this into nixpkgs
 2023-06-07 23:34:00 +00:00
148 changed files with 1403 additions and 9696 deletions
Expand all files Collapse all files

39
TODO.md
View File

@@ -3,7 +3,6 @@
- else DNS fails
## REFACTORING:
### sops/secrets
- attach secrets to the thing they're used by (sane.programs)
- rework secrets to leverage `sane.fs`
@@ -16,13 +15,11 @@
### upstreaming
- split out a trust-dns module
- see: <https://github.com/NixOS/nixpkgs/pull/205866#issuecomment-1575753054>
- split out a sxmo module usable by NUR consumers
- bump nodejs version in lemmy-ui
- add updateScripts to all my packages in nixpkgs
- fix lightdm-mobile-greeter for newer libhandy
- port zecwallet-lite to a from-source build
- REVIEW/integrate jellyfin dataDir config: <https://github.com/NixOS/nixpkgs/pull/233617>
- remove `libsForQt5.callPackage` broadly: <https://github.com/NixOS/nixpkgs/issues/180841>
- fix or abandon Whalebird
## IMPROVEMENTS:
@@ -33,39 +30,31 @@
- have `sane.programs` be wrapped such that they run in a cgroup?
- at least, only give them access to the portion of the fs they *need*.
- Android takes approach of giving each app its own user: could hack that in here.
- **systemd-run** takes a command and runs it in a temporary scope (cgroup)
- presumably uses the same options as systemd services
- see e.g. <https://github.com/NixOS/nixpkgs/issues/113903#issuecomment-857296349>
- flatpak does this, somehow
- apparmor? SElinux? (desktop) "portals"?
- see Spectrum OS; Alyssa Ross; etc
- canaries for important services
- e.g. daily email checks; daily backup checks
- integrate `nix check` into Gitea actions?
### user experience
- neovim: set up language server (lsp; rnix-lsp; nvim-lspconfig)
- firefox/librewolf: don't show browserpass/sponsorblock/metamask "first run" on every boot
- moby: improve gPodder launch time
- moby: theme GTK apps (i.e. non-adwaita styles)
- especially, make the menubar collapsible
- moby: replace jellyfin-desktop with jellyfin-vue?
- allows (maybe) to cache media for offline use
- "newer" jellyfin client
- not packaged for nix
- find a nice desktop ActivityPub client
- package Nix/NixOS docs for Zeal
- install [doc-browser](https://github.com/qwfy/doc-browser)
- this supports both dash (zeal) *and* the datasets from <https://devdocs.io> (which includes nix!)
- install [devhelp](https://wiki.gnome.org/Apps/Devhelp) (gnome)
- auto-mount servo
- have xdg-open parse `<repo:...> URIs (or adjust them so that it _can_ parse)
- `sane.programs`: auto-populate defaults with everything from `pkgs`
- `sane.persist`: auto-create parent dirs in ~/private
- currently if the application doesn't autocreate dirs leading to its destination, then ~/private storage fails
- this might be why librewolf on mobile is still amnesiac
- sane-bt-search: show details like 5.1 vs stereo, h264 vs h265
- uninsane.org: make URLs relative to allow local use (and as offline homepage)
- email: fix so that local mail doesn't go to junk
- git sendmail flow adds the DKIM signatures, but gets delivered locally w/o having the sig checked, so goes into Junk
- could change junk filter from "no DKIM success" to explicit "DKIM failed"
- zsh: disable "command not found" corrections
- sxmo: allow rotation to the upside-down position
- see: <repo:mil/sxmo-utils:scripts/core/sxmo_autorotate.sh>
- all orientations *except* upside down are supported
- sxmo: launch with auto-rotation enabled
### perf
- why does zsh take so long to init?
- why does nixos-rebuild switch take 5 minutes when net is flakey?
- trying to auto-mount servo?
- something to do with systemd services restarting/stalling
@@ -74,13 +63,13 @@
- these use significant /tmp space.
- either place /tmp on encrypted-cleared-at-boot storage
- which probably causes each CPU load for the encryption
- or have nix builds use a subdir of /tmp like /tmp/nix/...
- and place that on non-encrypted clear-on-boot (with very lax writeback/swappiness to minimize writes)
- **or set up encrypted swap**
- encrypted swap could remove the need for my encrypted-cleared-at-boot stuff
## NEW FEATURES:
- add a FTP-accessible file share to servo
- just /var/www?
- migrate MAME cabinet to nix
- boot it from PXE from servo?
- enable IPv6

58
flake.lock generated
View File

@@ -1,15 +1,12 @@
{
"nodes": {
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1687709756,
"narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=",
"lastModified": 1678901627,
"narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7",
"rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
"type": "github"
},
"original": {
@@ -39,11 +36,11 @@
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1687251388,
"narHash": "sha256-E9cVlgeCvzPbA/G3mCDCzz8TdRwXyGYzIjmwcvIfghg=",
"lastModified": 1684319086,
"narHash": "sha256-5wwlkWqP1cQUPXp/PJsi09FkgAule5yBghngRZZbUQg=",
"owner": "edolstra",
"repo": "nix-serve",
"rev": "d6df5bd8584f37e22cff627db2fc4058a4aab5ee",
"rev": "e6e3d09438e803daa5374ad8edf1271289348456",
"type": "github"
},
"original": {
@@ -69,27 +66,27 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1687031877,
"narHash": "sha256-yMFcVeI+kZ6KD2QBrFPNsvBrLq2Gt//D0baHByMrjFY=",
"lastModified": 1684632198,
"narHash": "sha256-SdxMPd0WmU9MnDBuuy7ouR++GftrThmSGL7PCQj/uVI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e2e2059d19668dab1744301b8b0e821e3aae9c99",
"rev": "d0dade110dc7072d67ce27826cfe9ab2ab0cf247",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.05",
"ref": "release-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unpatched": {
"locked": {
"lastModified": 1688049487,
"narHash": "sha256-100g4iaKC9MalDjUW9iN6Jl/OocTDtXdeAj7pEGIRh4=",
"lastModified": 1684935479,
"narHash": "sha256-6QMMsXMr2nhmOPHdti2j3KRHt+bai2zw+LJfdCl97Mk=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "4bc72cae107788bf3f24f30db2e2f685c9298dc9",
"rev": "f91ee3065de91a3531329a674a45ddcb3467a650",
"type": "github"
},
"original": {
@@ -116,11 +113,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1687398569,
"narHash": "sha256-e/umuIKFcFtZtWeX369Hbdt9r+GQ48moDmlTcyHWL28=",
"lastModified": 1684637723,
"narHash": "sha256-0vAxL7MVMhGbTkAyvzLvleELHjVsaS43p+PR1h9gzNQ=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "2ff6973350682f8d16371f8c071a304b8067f192",
"rev": "4ccdfb573f323a108a44c13bb7730e42baf962a9",
"type": "github"
},
"original": {
@@ -129,21 +126,6 @@
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"uninsane-dot-org": {
"inputs": {
"flake-utils": "flake-utils",
@@ -152,11 +134,11 @@
]
},
"locked": {
"lastModified": 1687821285,
"narHash": "sha256-pw0UYKG8yhW1H3nPgAhVYCzYFXYtamMh2DmF8YhtRec=",
"lastModified": 1684528780,
"narHash": "sha256-QdYxjcTCCLPv++1v9tJBL98nn/AFx0fmzlgzcLK6KRE=",
"ref": "refs/heads/master",
"rev": "ae27eb61b55b6c6d83c25384fb163df398a80265",
"revCount": 201,
"rev": "f3747a1dad3d34880613821faf26357ba432d3d7",
"revCount": 194,
"type": "git",
"url": "https://git.uninsane.org/colin/uninsane"
},

36
flake.nix
View File

@@ -23,6 +23,9 @@
# preferably, i would rewrite the human-readable https URLs to nix-specific github: URLs with a helper,
# but `inputs` is required to be a strict attrset: not an expression.
inputs = {
# <https://github.com/nixos/nixpkgs/tree/nixos-22.11>
# nixpkgs-stable.url = "github:nixos/nixpkgs?ref=nixos-22.11";
# branch workflow:
# - daily:
# - nixos-unstable cut from master after enough packages have been built in caches.
@@ -177,6 +180,12 @@
optimizations = final: prev: import ./overlays/optimizations.nix final prev;
passthru = final: prev:
let
stable =
if inputs ? "nixpkgs-stable" then (
final': prev': {
stable = inputs.nixpkgs-stable.legacyPackages."${prev'.stdenv.hostPlatform.system}";
}
) else (final': prev': {});
mobile = (import "${mobile-nixos}/overlay/overlay.nix");
uninsane = uninsane-dot-org.overlay;
# nix-serve' = nix-serve.overlay;
@@ -187,10 +196,11 @@
inherit (nix-serve.packages."${next.system}") nix-serve;
};
in
(mobile final prev)
// (uninsane final prev)
// (nix-serve' final prev)
;
(stable final prev)
// (mobile final prev)
// (uninsane final prev)
// (nix-serve' final prev)
;
};
nixosModules = rec {
@@ -242,7 +252,7 @@
deployScript = action: pkgs.writeShellScript "deploy-moby" ''
nixos-rebuild --flake '.#moby' build $@
sudo nix sign-paths -r -k /run/secrets/nix_serve_privkey $(readlink ./result)
nixos-rebuild --flake '.#moby' ${action} --target-host colin@moby --use-remote-sudo $@
nixos-rebuild --flake '.#moby' ${action} --target-host colin@moby-hn --use-remote-sudo $@
'';
in {
update-feeds = {
@@ -266,22 +276,6 @@
type = "app";
program = ''${deployScript "switch"}'';
};
check-nur = {
# `nix run '.#check-nur'`
# validates that my repo can be included in the Nix User Repository
type = "app";
program = builtins.toString (pkgs.writeShellScript "check-nur" ''
cd ${./.}/integrations/nur
NIX_PATH= NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1 nix-env -f . -qa \* --meta --xml \
--allowed-uris https://static.rust-lang.org \
--option restrict-eval true \
--option allow-import-from-derivation true \
--drv-path --show-trace \
-I nixpkgs=$(nix-instantiate --find-file nixpkgs) \
-I ../../
'');
};
};
templates = {

7
hosts/by-name/desko/default.nix
View File

@@ -4,12 +4,6 @@
./fs.nix
];
sane.guest.enable = true;
# TODO: make sure this plays nice with impermanence
services.distccd.enable = true;
sane.programs.distcc.enableFor.user.guest = true;
sops.secrets.colin-passwd.neededForUsers = true;
sane.roles.build-machine.enable = true;
@@ -25,7 +19,6 @@
sane.programs.iphoneUtils.enableFor.user.colin = true;
sane.programs.guiApps.suggestedPrograms = [ "desktopGuiApps" ];
sane.programs.consoleUtils.suggestedPrograms = [ "consoleMediaUtils" ];
boot.loader.efi.canTouchEfiVariables = false;
sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];

1
hosts/by-name/lappy/default.nix
View File

@@ -19,7 +19,6 @@
"desktopGuiApps"
"stepmania"
];
sane.programs.consoleUtils.suggestedPrograms = [ "consoleMediaUtils" ];
sops.secrets.colin-passwd.neededForUsers = true;

8
hosts/by-name/lappy/polyfill.nix
View File

@@ -1,6 +1,6 @@
# doesn't actually *enable* anything,
# but sets up any modules such that if they *were* enabled, they'll act as expected.
{ pkgs, ... }:
{ ... }:
{
sane.gui.sxmo = {
greeter = "sway";
@@ -28,11 +28,5 @@
# see <repo:mil/sxmo-utils:scripts/deviceprofiles>
# SXMO_DEVICE_NAME = "pine64,pinephone-1.2";
};
package = pkgs.sxmo-utils.overrideAttrs (base: {
postPatch = (base.postPatch or "") + ''
# after volume-button navigation mode, restore full keyboard functionality
cp ${./xkb_mobile_normal_buttons} ./configs/xkb/xkb_mobile_normal_buttons
'';
});
};
}

6
hosts/by-name/moby/default.nix
View File

@@ -33,15 +33,11 @@
".config/pulse" # persist pulseaudio volume
];
sane.gui.sxmo.enable = true;
sane.gui.phosh.enable = true;
# sane.programs.consoleUtils.enableFor.user.colin = false;
# sane.programs.guiApps.enableFor.user.colin = false;
sane.programs.sequoia.enableFor.user.colin = false;
sane.programs.tuiApps.enableFor.user.colin = false; # visidata, others, don't compile well
# disabled for faster deploys (gthumb depends on webkitgtk, particularly)
sane.programs.soundconverter.enableFor.user.colin = false;
sane.programs.jellyfin-media-player.enableFor.user.colin = false;
# sane.programs.mpv.enableFor.user.colin = true;
boot.loader.efi.canTouchEfiVariables = false;
# /boot space is at a premium. default was 20.

31
hosts/by-name/moby/polyfill.nix
View File

@@ -1,26 +1,23 @@
{ pkgs, sane-lib, ... }:
{ sane-lib, ... }:
{
sane.gui.sxmo = {
settings = {
# touch screen
SXMO_LISGD_INPUT_DEVICE = "/dev/input/by-path/platform-1c2ac00.i2c-event";
# vol and power are detected correctly by upstream
# preferences
# N.B. some deviceprofiles explicitly set SXMO_SWAY_SCALE, overwriting what we put here.
SXMO_SWAY_SCALE = "1.5";
SXMO_ROTATION_GRAVITY = "12800";
SXMO_LOCK_IDLE_TIME = "15"; # how long between screenoff -> lock -> back to screenoff
DEFAULT_COUNTRY = "US";
BROWSWER = "librewolf";
};
package = pkgs.sxmo-utils.overrideAttrs (base: {
postPatch = (base.postPatch or "") + ''
cat <<EOF >> ./configs/default_hooks/sxmo_hook_start.sh
# rotate UI based on physical display angle by default
sxmo_daemons.sh start autorotate sxmo_autorotate.sh
EOF
'';
});
};
# TODO: only populate this if sxmo is enabled?
sane.user.fs.".config/sxmo/profile" = sane-lib.fs.wantedText ''
# sourced by sxmo_init.sh
. sxmo_common.sh
export SXMO_SWAY_SCALE=1.5
export SXMO_ROTATION_GRAVITY=12800
export DEFAULT_COUNTRY=US
export BROWSER=librewolf
export SXMO_BG_IMG="$(xdg_data_path sxmo/background.jpg)"
'';
}

2
hosts/by-name/servo/services/calibre.nix
View File

@@ -30,5 +30,5 @@ lib.mkIf false
proxyPass = "http://${ip}:${builtins.toString port}";
};
};
sane.dns.zones."uninsane.org".inet.CNAME."calibre" = "native";
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."calibre" = "native";
}

2
hosts/by-name/servo/services/default.nix
View File

@@ -7,7 +7,6 @@
./email
./ejabberd.nix
./freshrss.nix
./ftp
./gitea.nix
./goaccess.nix
./ipfs.nix
@@ -18,7 +17,6 @@
./lemmy.nix
./matrix
./navidrome.nix
./nfs.nix
./nixserve.nix
./nginx.nix
./pict-rs.nix

2
hosts/by-name/servo/services/ejabberd.nix
View File

@@ -115,7 +115,7 @@
useACMEHost = "uninsane.org";
};
sane.dns.zones."uninsane.org".inet = {
sane.services.trust-dns.zones."uninsane.org".inet = {
# XXX: SRV records have to point to something with a A/AAAA record; no CNAMEs
A."xmpp" = "%ANATIVE%";
CNAME."muc.xmpp" = "xmpp";

2
hosts/by-name/servo/services/email/dovecot.nix
View File

@@ -24,7 +24,7 @@
enableACME = true;
};
sane.dns.zones."uninsane.org".inet = {
sane.services.trust-dns.zones."uninsane.org".inet = {
CNAME."imap" = "native";
};

2
hosts/by-name/servo/services/email/postfix.nix
View File

@@ -50,7 +50,7 @@ in
};
sane.dns.zones."uninsane.org".inet = {
sane.services.trust-dns.zones."uninsane.org".inet = {
MX."@" = "10 mx.uninsane.org.";
# XXX: RFC's specify that the MX record CANNOT BE A CNAME
A."mx" = "185.157.162.178";

2
hosts/by-name/servo/services/freshrss.nix
View File

@@ -59,5 +59,5 @@
# the routing is handled by services.freshrss.virtualHost
};
sane.dns.zones."uninsane.org".inet.CNAME."rss" = "native";
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."rss" = "native";
}

70
hosts/by-name/servo/services/ftp/default.nix
View File

@@ -1,70 +0,0 @@
# docs:
# - <https://github.com/drakkan/sftpgo>
# - config options: <https://github.com/drakkan/sftpgo/blob/main/docs/full-configuration.md>
# - config defaults: <https://github.com/drakkan/sftpgo/blob/main/sftpgo.json>
# - nixos options: <repo:nixos/nixpkgs:nixos/modules/services/web-apps/sftpgo.nix>
#
# sftpgo is a FTP server that also supports WebDAV, SFTP, and web clients.
{ lib, pkgs, sane-lib, ... }:
let
authProgram = pkgs.static-nix-shell.mkBash {
pname = "sftpgo_external_auth_hook";
src = ./.;
};
in
{
# Client initiates a FTP "control connection" on port 21.
# - this handles the client -> server commands, and the server -> client status, but not the actual data
# - file data, directory listings, etc need to be transferred on an ephemeral "data port".
# - 50000-50100 is a common port range for this.
sane.ports.ports = {
"21" = {
protocol = [ "tcp" ];
visibleTo.lan = true;
description = "colin-FTP server";
};
} // (sane-lib.mapToAttrs
(port: {
name = builtins.toString port;
value = {
protocol = [ "tcp" ];
visibleTo.lan = true;
description = "colin-FTP server data port range";
};
})
(lib.range 50000 50100)
);
services.sftpgo = {
enable = true;
settings = {
ftpd = {
bindings = [{
address = "10.0.10.5";
port = 21;
debug = true;
}];
# active mode is susceptible to "bounce attacks", without much benefit over passive mode
disable_active_mode = true;
hash_support = true;
passive_port_range = {
start = 50000;
end = 50100;
};
banner = ''
Welcome, friends, to Colin's read-only FTP server! Also available via NFS on the same host.
Please let me know if anything's broken or not as it should be. Otherwise, browse and DL freely :)
'';
};
data_provider = {
driver = "memory";
external_auth_hook = "${authProgram}/bin/sftpgo_external_auth_hook";
};
};
};
}

55
hosts/by-name/servo/services/ftp/sftpgo_external_auth_hook
View File

@@ -1,55 +0,0 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash
# vim: set filetype=bash :
#
# available environment variables:
# - SFTPGO_AUTHD_USERNAME
# - SFTPGO_AUTHD_USER
# - SFTPGO_AUTHD_IP
# - SFTPGO_AUTHD_PROTOCOL = { "DAV", "FTP", "HTTP", "SSH" }
# - SFTPGO_AUTHD_PASSWORD
# - SFTPGO_AUTHD_PUBLIC_KEY
# - SFTPGO_AUTHD_KEYBOARD_INTERACTIVE
# - SFTPGO_AUTHD_TLS_CERT
#
# user permissions:
# - see <repo:drakkan/sftpgo:internal/dataprovider/user.go>
# - "*" = grant all permissions
# - read-only perms:
# - "list" = list files and directories
# - "download"
# - rw perms:
# - "upload"
# - "overwrite" = allow uploads to replace existing files
# - "delete" = delete files and directories
# - "delete_files"
# - "delete_dirs"
# - "rename" = rename files and directories
# - "rename_files"
# - "rename_dirs"
# - "create_dirs"
# - "create_symlinks"
# - "chmod"
# - "chown"
# - "chtimes" = change atime/mtime (access and modification times)
#
# home_dir:
# - it seems (empirically) that a user can't cd above their home directory.
# though i don't have a reference for that in the docs.
# TODO: don't reuse /var/nfs/export here. formalize this some other way.
if [ "$SFTPGO_AUTHD_USERNAME" = "anonymous" ]; then
echo '{'
echo ' "status":1,'
echo ' "username":"anonymous","expiration_date":0,'
echo ' "home_dir":"/var/nfs/export","uid":65534,"gid":65534,"max_sessions":0,"quota_size":0,"quota_files":100000,'
echo ' "permissions":{'
echo ' "/":["list", "download"]'
echo ' },'
echo ' "upload_bandwidth":0,"download_bandwidth":0,'
echo ' "filters":{"allowed_ip":[],"denied_ip":[]},"public_keys":[]'
echo '}'
else
echo '{"username":""}'
fi

2
hosts/by-name/servo/services/gitea.nix
View File

@@ -98,7 +98,7 @@
};
};
sane.dns.zones."uninsane.org".inet.CNAME."git" = "native";
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."git" = "native";
sane.ports.ports."22" = {
protocol = [ "tcp" ];

2
hosts/by-name/servo/services/goaccess.nix
View File

@@ -64,5 +64,5 @@
};
};
sane.dns.zones."uninsane.org".inet.CNAME."sink" = "native";
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."sink" = "native";
}

2
hosts/by-name/servo/services/ipfs.nix
View File

@@ -34,7 +34,7 @@ lib.mkIf false # i don't actively use ipfs anymore
};
};
sane.dns.zones."uninsane.org".inet.CNAME."ipfs" = "native";
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."ipfs" = "native";
# services.ipfs.enable = true;
services.kubo.localDiscovery = true;

3
hosts/by-name/servo/services/jackett.nix
View File

@@ -24,10 +24,9 @@
locations."/" = {
# proxyPass = "http://ovpns.uninsane.org:9117";
proxyPass = "http://10.0.1.6:9117";
recommendedProxySettings = true;
};
};
sane.dns.zones."uninsane.org".inet.CNAME."jackett" = "native";
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."jackett" = "native";
}

2
hosts/by-name/servo/services/jellyfin.nix
View File

@@ -121,7 +121,7 @@
};
};
sane.dns.zones."uninsane.org".inet.CNAME."jelly" = "native";
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."jelly" = "native";
services.jellyfin.enable = true;
}

2
hosts/by-name/servo/services/kiwix-serve.nix
View File

@@ -13,5 +13,5 @@
locations."/".proxyPass = "http://127.0.0.1:8013";
};
sane.dns.zones."uninsane.org".inet.CNAME."w" = "native";
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."w" = "native";
}

2
hosts/by-name/servo/services/komga.nix
View File

@@ -18,5 +18,5 @@ in
proxyPass = "http://127.0.0.1:${builtins.toString port}";
};
};
sane.dns.zones."uninsane.org".inet.CNAME."komga" = "native";
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."komga" = "native";
}

5
hosts/by-name/servo/services/lemmy.nix
View File

@@ -14,8 +14,8 @@ in {
services.lemmy = {
enable = true;
settings.hostname = "lemmy.uninsane.org";
settings.federation.enabled = true;
# federation.debug forces outbound federation queries to be run synchronously
# N.B.: this option might not be read for 0.17.0+? <https://github.com/LemmyNet/lemmy/blob/c32585b03429f0f76d1e4ff738786321a0a9df98/RELEASES.md#upgrade-instructions>
# settings.federation.debug = true;
settings.port = backendPort;
ui.port = uiPort;
@@ -32,7 +32,6 @@ in {
systemd.services.lemmy.environment = {
RUST_BACKTRACE = "full";
# RUST_LOG = "debug";
# RUST_LOG = "trace";
# upstream defaults LEMMY_DATABASE_URL = "postgres:///lemmy?host=/run/postgresql";
# - Postgres complains that we didn't specify a user
# lemmy formats the url as:
@@ -55,5 +54,5 @@ in {
enableACME = true;
};
sane.dns.zones."uninsane.org".inet.CNAME."lemmy" = "native";
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."lemmy" = "native";
}

2
hosts/by-name/servo/services/matrix/default.nix
View File

@@ -132,7 +132,7 @@
};
};
sane.dns.zones."uninsane.org".inet = {
sane.services.trust-dns.zones."uninsane.org".inet = {
CNAME."matrix" = "native";
CNAME."web.matrix" = "native";
};

18
hosts/by-name/servo/services/matrix/irc.nix
View File

@@ -5,11 +5,12 @@
{ config, lib, ... }:
let
ircServer = { name, additionalAddresses ? [], sasl ? true, port ? 6697 }: let
ircServer = { name, additionalAddresses ? [], sasl ? true }: let
lowerName = lib.toLower name;
in {
# XXX sasl: appservice doesn't support NickServ identification (only SASL, or PASS if sasl = false)
inherit name additionalAddresses sasl port;
inherit name additionalAddresses sasl;
port = 6697;
ssl = true;
botConfig = {
# bot has no presence in IRC channel; only real Matrix users
@@ -107,12 +108,6 @@ in
{ user = "matrix-appservice-irc"; group = "matrix-appservice-irc"; directory = "/var/lib/matrix-appservice-irc"; }
];
# XXX: matrix-appservice-irc PreStart tries to chgrp the registration.yml to matrix-synapse,
# which requires matrix-appservice-irc to be of that group
users.users.matrix-appservice-irc.extraGroups = [ "matrix-synapse" ];
# weird race conditions around registration.yml mean we want matrix-synapse to be of matrix-appservice-irc group too.
users.users.matrix-synapse.extraGroups = [ "matrix-appservice-irc" ];
services.matrix-synapse.settings.app_service_config_files = [
"/var/lib/matrix-appservice-irc/registration.yml" # auto-created by irc appservice
];
@@ -150,7 +145,6 @@ in
};
"irc.oftc.net" = ircServer {
name = "oftc";
sasl = false;
# notable channels:
# - #sxmo
# - #sxmo-offtopic
@@ -159,10 +153,4 @@ in
};
};
};
systemd.services.matrix-appservice-irc.serviceConfig = {
# XXX 2023/06/20: nixos specifies this + @aio and @memlock as forbidden
# the service actively uses at least one of these, and both of them are fairly innocuous
SystemCallFilter = lib.mkForce "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @setuid @swap";
};
}

2
hosts/by-name/servo/services/navidrome.nix
View File

@@ -36,5 +36,5 @@
locations."/".proxyPass = "http://127.0.0.1:4533";
};
sane.dns.zones."uninsane.org".inet.CNAME."music" = "native";
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."music" = "native";
}

67
hosts/by-name/servo/services/nfs.nix
View File

@@ -1,67 +0,0 @@
# docs:
# - <https://nixos.wiki/wiki/NFS>
# - <https://wiki.gentoo.org/wiki/Nfs-utils>
{ ... }:
{
services.nfs.server.enable = true;
# see which ports NFS uses with:
# - `rpcinfo -p`
sane.ports.ports."111" = {
protocol = [ "tcp" "udp" ];
visibleTo.lan = true;
description = "NFS server portmapper";
};
sane.ports.ports."2049" = {
protocol = [ "tcp" ];
visibleTo.lan = true;
description = "NFS server";
};
sane.ports.ports."4000" = {
protocol = [ "udp" ];
visibleTo.lan = true;
description = "NFS server status daemon";
};
sane.ports.ports."4001" = {
protocol = [ "tcp" "udp" ];
visibleTo.lan = true;
description = "NFS server lock daemon";
};
sane.ports.ports."4002" = {
protocol = [ "tcp" "udp" ];
visibleTo.lan = true;
description = "NFS server mount daemon";
};
# NFS4 allows these to float, but NFS3 mandates specific ports, so fix them for backwards compat.
services.nfs.server.lockdPort = 4001;
services.nfs.server.mountdPort = 4002;
services.nfs.server.statdPort = 4000;
# format:
# fspoint visibility(options)
# options:
# - see: <https://wiki.gentoo.org/wiki/Nfs-utils#Exports>
# - see [man 5 exports](https://linux.die.net/man/5/exports)
# - insecure: require clients use src port > 1024
# - rw, ro (default)
# - async, sync (default)
# - no_subtree_check (default), subtree_check: verify not just that files requested by the client live
# in the expected fs, but also that they live under whatever subdirectory of that fs is exported.
# - no_root_squash, root_squash (default): map requests from uid 0 to user `nobody`.
# - crossmnt: reveal filesystems that are mounted under this endpoint
# - fsid: must be zero for the root export
# - mountpoint[=/path]: only export the directory if it's a mountpoint. used to avoid exporting failed mounts.
#
# 10.0.0.0/8 to export (readonly) both to LAN (unencrypted) and wg vpn (encrypted)
services.nfs.server.exports = ''
/var/nfs/export 10.78.79.0/22(ro,crossmnt,fsid=0,subtree_check) 10.0.10.0/24(rw,no_root_squash,crossmnt,fsid=0,subtree_check)
'';
fileSystems."/var/nfs/export/media" = {
# everything in here could be considered publicly readable (based on the viewer's legal jurisdiction)
device = "/var/lib/uninsane/media";
options = [ "rbind" ];
};
}

2
hosts/by-name/servo/services/nixserve.nix
View File

@@ -14,7 +14,7 @@
'';
};
sane.dns.zones."uninsane.org".inet.CNAME."nixcache" = "native";
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."nixcache" = "native";
sane.services.nixserve.enable = true;
sane.services.nixserve.secretKeyFile = config.sops.secrets.nix_serve_privkey.path;

6
hosts/by-name/servo/services/pleroma.nix
View File

@@ -3,8 +3,6 @@
# - https://docs.pleroma.social/backend/configuration/cheatsheet/
#
# to run it in a oci-container: https://github.com/barrucadu/nixfiles/blob/master/services/pleroma.nix
#
# admin frontend: <https://fed.uninsane.org/pleroma/admin>
{ config, pkgs, ... }:
{
@@ -102,8 +100,6 @@
# level: :debug
# XXX colin: not sure if this actually _does_ anything
# better to steal emoji from other instances?
# - <https://docs.pleroma.social/backend/configuration/cheatsheet/#mrf_steal_emoji>
config :pleroma, :emoji,
shortcode_globs: ["/emoji/**/*.png"],
groups: [
@@ -186,7 +182,7 @@
};
};
sane.dns.zones."uninsane.org".inet.CNAME."fed" = "native";
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."fed" = "native";
sops.secrets."pleroma_secrets" = {
owner = config.users.users.pleroma.name;

2
hosts/by-name/servo/services/transmission.nix
View File

@@ -75,6 +75,6 @@
};
};
sane.dns.zones."uninsane.org".inet.CNAME."bt" = "native";
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."bt" = "native";
}

27
hosts/by-name/servo/services/trust-dns.nix
View File

@@ -1,25 +1,17 @@
{ config, lib, pkgs, ... }:
{ config, pkgs, ... }:
{
sane.services.trust-dns.enable = true;
sane.services.trust-dns.settings.listen_addrs_ipv4 = [
sane.services.trust-dns.listenAddrsIPv4 = [
# specify each address explicitly, instead of using "*".
# this ensures responses are sent from the address at which the request was received.
config.sane.hosts.by-name."servo".lan-ip
"10.0.1.5"
];
sane.services.trust-dns.quiet = true;
# sane.services.trust-dns.debug = true;
sane.ports.ports."53" = {
protocol = [ "udp" "tcp" ];
visibleTo.lan = true;
visibleTo.wan = true;
description = "colin-dns-hosting";
};
sane.dns.zones."uninsane.org".TTL = 900;
sane.services.trust-dns.zones."uninsane.org".TTL = 900;
# SOA record structure: <https://en.wikipedia.org/wiki/SOA_record#Structure>
# SOA MNAME RNAME (... rest)
@@ -29,7 +21,7 @@
# Refresh = how frequently secondary NS should query master
# Retry = how long secondary NS should wait until re-querying master after a failure (must be < Refresh)
# Expire = how long secondary NS should continue to reply to queries after master fails (> Refresh + Retry)
sane.dns.zones."uninsane.org".inet = {
sane.services.trust-dns.zones."uninsane.org".inet = {
SOA."@" = ''
ns1.uninsane.org. admin-dns.uninsane.org. (
2022122101 ; Serial
@@ -59,13 +51,8 @@
];
};
# we need trust-dns to load our zone by relative path instead of /nix/store path
# because we generate it at runtime.
sane.services.trust-dns.settings.zones = [
{
zone = "uninsane.org";
}
];
sane.services.trust-dns.zones."uninsane.org".file = "uninsane.org.zone";
sane.services.trust-dns.zonedir = null;
sane.services.trust-dns.package =
let
@@ -73,7 +60,7 @@
zone-dir = "/var/lib/trust-dns";
zone-wan = "${zone-dir}/wan/uninsane.org.zone";
zone-lan = "${zone-dir}/lan/uninsane.org.zone";
zone-template = pkgs.writeText "uninsane.org.zone.in" config.sane.dns.zones."uninsane.org".rendered;
zone-template = config.sane.services.trust-dns.zones."uninsane.org".file;
in pkgs.writeShellScriptBin "named" ''
# compute wan/lan values
mkdir -p ${zone-dir}/{ovpn,wan,lan}

33
hosts/common/default.nix
View File

@@ -13,7 +13,7 @@
./programs
./secrets.nix
./ssh.nix
./users
./users.nix
./vpn.nix
];
@@ -43,24 +43,6 @@
# does the builder use some content-addressed db to efficiently dedupe?
nix.settings.auto-optimise-store = true;
systemd.services.nix-daemon.serviceConfig = {
# the nix-daemon manages nix builders
# kill nix-daemon subprocesses when systemd-oomd detects an out-of-memory condition
# see:
# - nixos PR that enabled systemd-oomd: <https://github.com/NixOS/nixpkgs/pull/169613>
# - systemd's docs on these properties: <https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#ManagedOOMSwap=auto%7Ckill>
#
# systemd's docs warn that without swap, systemd-oomd might not be able to react quick enough to save the system.
# see `man oomd.conf` for further tunables that may help.
#
# alternatively, apply this more broadly with `systemd.oomd.enableSystemSlice = true` or `enableRootSlice`
# TODO: also apply this to the guest user's slice (user-1100.slice)
# TODO: also apply this to distccd
ManagedOOMMemoryPressure = "kill";
ManagedOOMSwap = "kill";
};
# TODO: move this to gui machines only
fonts = {
enableDefaultFonts = true;
fonts = with pkgs; [ font-awesome noto-fonts-emoji hack-font ];
@@ -89,6 +71,19 @@
# disable non-required packages like nano, perl, rsync, strace
environment.defaultPackages = [];
# programs.vim.defaultEditor = true;
environment.variables = {
EDITOR = "vim";
# git claims it should use EDITOR, but it doesn't!
GIT_EDITOR = "vim";
# TODO: these should be moved to `home.sessionVariables` (home-manager)
# Electron apps should use native wayland backend:
# https://nixos.wiki/wiki/Slack#Wayland
# Discord under sway crashes with this.
# NIXOS_OZONE_WL = "1";
# LIBGL_ALWAYS_SOFTWARE = "1";
};
# dconf docs: <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/desktop_migration_and_administration_guide/profiles>
# find keys/values with `dconf dump /`
programs.dconf.enable = true;

15
hosts/common/feeds.nix
View File

@@ -1,6 +1,3 @@
# where to find good stuff?
# - podcast rec thread: <https://lemmy.ml/post/1565858>
#
# candidates:
# - The Nonlinear Library (podcast): <https://forum.effectivealtruism.org/posts/JTZTBienqWEAjGDRv/listen-to-more-ea-content-with-the-nonlinear-library>
# - has ~10 posts per day, text-to-speech; i would need better tagging before adding this
@@ -82,14 +79,12 @@ let
(fromDb "feeds.transistor.fm/acquired" // tech)
## ACQ2 - more "Acquired" episodes
(fromDb "acquiredlpbonussecretsecret.libsyn.com" // tech)
# The Intercept - Deconstructed
(fromDb "rss.acast.com/deconstructed")
# (fromDb "rss.prod.firstlook.media/deconstructed/podcast.rss" // pol) #< possible URL rot
# The Intercept - Deconstructed; also available: <rss.acast.com/deconstructed>
(fromDb "rss.prod.firstlook.media/deconstructed/podcast.rss" // pol)
## The Daily
(mkPod "https://feeds.simplecast.com/54nAGcIl" // pol // daily)
# The Intercept - Intercepted
(fromDb "rss.acast.com/intercepted-with-jeremy-scahill")
# (fromDb "rss.prod.firstlook.media/intercepted/podcast.rss" // pol) #< possible URL rot
# The Intercept - Intercepted; also available: <https://rss.acast.com/intercepted-with-jeremy-scahill>
(fromDb "rss.prod.firstlook.media/intercepted/podcast.rss" // pol)
(fromDb "podcast.posttv.com/itunes/post-reports.xml" // pol)
## Eric Weinstein
(fromDb "rss.art19.com/the-portal" // rat)
@@ -107,8 +102,6 @@ let
(fromDb "feeds.megaphone.fm/recodedecode" // tech)
## Matrix (chat) Live
(fromDb "feed.podbean.com/matrixlive/feed.xml" // tech)
(fromDb "cast.postmarketos.org" // tech)
(fromDb "podcast.thelinuxexp.com" // tech)
## Michael Malice - Your Welcome -- also available here: <https://origin.podcastone.com/podcast?categoryID2=2232>
(fromDb "rss.art19.com/your-welcome" // pol)
(fromDb "seattlenice.buzzsprout.com" // pol)

151
hosts/common/fs.nix
View File

@@ -1,131 +1,72 @@
# docs
# - x-systemd options: <https://www.freedesktop.org/software/systemd/man/systemd.mount.html>
{ pkgs, ... }:
{ pkgs, sane-lib, ... }:
let fsOpts = rec {
common = [
let sshOpts = rec {
fsType = "fuse.sshfs";
optionsBase = [
"x-systemd.automount"
"_netdev"
"noatime"
"user" # allow any user with access to the device to mount the fs
"x-systemd.requires=network-online.target"
"x-systemd.after=network-online.target"
"x-systemd.mount-timeout=10s" # how long to wait for mount **and** how long to wait for unmount
];
auto = [ "x-systemd.automount" ];
noauto = [ "noauto" ]; # don't mount as part of remote-fs.target
wg = [
"x-systemd.requires=wireguard-wg-home.service"
"x-systemd.after=wireguard-wg-home.service"
];
ssh = common ++ [
"user"
"identityfile=/home/colin/.ssh/id_ed25519"
"allow_other"
"default_permissions"
];
sshColin = ssh ++ [
optionsColin = optionsBase ++ [
"transform_symlinks"
"idmap=user"
"uid=1000"
"gid=100"
];
sshRoot = ssh ++ [
optionsRoot = optionsBase ++ [
# we don't transform_symlinks because that breaks the validity of remote /nix stores
"sftp_server=/run/wrappers/bin/sudo\\040/run/current-system/sw/libexec/sftp-server"
];
# in the event of hunt NFS mounts, consider:
# - <https://unix.stackexchange.com/questions/31979/stop-broken-nfs-mounts-from-locking-a-directory>
# NFS options: <https://linux.die.net/man/5/nfs>
# actimeo=n = how long (in seconds) to cache file/dir attributes (default: 3-60s)
# bg = retry failed mounts in the background
# retry=n = for how many minutes `mount` will retry NFS mount operation
# soft = on "major timeout", report I/O error to userspace
# retrans=n = how many times to retry a NFS request before giving userspace a "server not responding" error (default: 3)
# timeo=n = number of *deciseconds* to wait for a response before retrying it (default: 600)
# note: client uses a linear backup, so the second request will have double this timeout, then triple, etc.
nfs = common ++ [
# "actimeo=10"
"bg"
"retrans=4"
"retry=0"
"soft"
"timeo=15"
"nofail" # don't fail remote-fs.target when this mount fails (not an option for sshfs else would be common)
];
};
in
{
# fileSystems."/mnt/servo-nfs" = {
# device = "servo-hn:/";
# noCheck = true;
# fsType = "nfs";
# options = fsOpts.nfs ++ fsOpts.auto ++ fsOpts.wg;
# };
fileSystems."/mnt/servo-nfs/media" = {
device = "servo-hn:/media";
noCheck = true;
fsType = "nfs";
options = fsOpts.nfs ++ fsOpts.auto ++ fsOpts.wg;
};
# fileSystems."/mnt/servo-media-nfs" = {
# device = "servo-hn:/media";
# noCheck = true;
# fsType = "nfs";
# options = fsOpts.common ++ fsOpts.auto;
# };
sane.fs."/mnt/servo-media" = sane-lib.fs.wantedSymlinkTo "/mnt/servo-nfs/media";
fileSystems."/mnt/servo-media-wan" = {
device = "colin@uninsane.org:/var/lib/uninsane/media";
fsType = "fuse.sshfs";
options = fsOpts.sshColin ++ fsOpts.noauto;
noCheck = true;
};
sane.fs."/mnt/servo-media-wan" = sane-lib.fs.wantedDir;
fileSystems."/mnt/servo-media-lan" = {
device = "colin@servo:/var/lib/uninsane/media";
fsType = "fuse.sshfs";
options = fsOpts.sshColin ++ fsOpts.noauto;
noCheck = true;
};
sane.fs."/mnt/servo-media-lan" = sane-lib.fs.wantedDir;
fileSystems."/mnt/servo-root-wan" = {
device = "colin@uninsane.org:/";
fsType = "fuse.sshfs";
options = fsOpts.sshRoot ++ fsOpts.noauto;
noCheck = true;
};
sane.fs."/mnt/servo-root-wan" = sane-lib.fs.wantedDir;
fileSystems."/mnt/servo-root-lan" = {
device = "colin@servo:/";
fsType = "fuse.sshfs";
options = fsOpts.sshRoot ++ fsOpts.noauto;
noCheck = true;
};
sane.fs."/mnt/servo-root-lan" = sane-lib.fs.wantedDir;
fileSystems."/mnt/desko-home" = {
device = "colin@desko:/home/colin";
fsType = "fuse.sshfs";
options = fsOpts.sshColin ++ fsOpts.noauto;
noCheck = true;
};
sane.fs."/mnt/desko-home" = sane-lib.fs.wantedDir;
fileSystems."/mnt/desko-root" = {
device = "colin@desko:/";
fsType = "fuse.sshfs";
options = fsOpts.sshRoot ++ fsOpts.noauto;
noCheck = true;
};
sane.fs."/mnt/desko-root" = sane-lib.fs.wantedDir;
environment.pathsToLink = [
# needed to achieve superuser access for user-mounted filesystems (see optionsRoot above)
# we can only link whole directories here, even though we're only interested in pkgs.openssh
"/libexec"
];
fileSystems."/mnt/servo-media-wan" = {
device = "colin@uninsane.org:/var/lib/uninsane/media";
inherit (sshOpts) fsType;
options = sshOpts.optionsColin;
noCheck = true;
};
fileSystems."/mnt/servo-media-lan" = {
device = "colin@servo:/var/lib/uninsane/media";
inherit (sshOpts) fsType;
options = sshOpts.optionsColin;
noCheck = true;
};
fileSystems."/mnt/servo-root-wan" = {
device = "colin@uninsane.org:/";
inherit (sshOpts) fsType;
options = sshOpts.optionsRoot;
noCheck = true;
};
fileSystems."/mnt/servo-root-lan" = {
device = "colin@servo:/";
inherit (sshOpts) fsType;
options = sshOpts.optionsRoot;
noCheck = true;
};
fileSystems."/mnt/desko-home" = {
device = "colin@desko:/home/colin";
inherit (sshOpts) fsType;
options = sshOpts.optionsColin;
noCheck = true;
};
fileSystems."/mnt/desko-root" = {
device = "colin@desko:/";
inherit (sshOpts) fsType;
options = sshOpts.optionsRoot;
noCheck = true;
};
environment.systemPackages = [
pkgs.sshfs-fuse
];

1
hosts/common/home/keyring.nix
View File

@@ -7,6 +7,5 @@
generated.script.script = builtins.readFile ../../../scripts/init-keyring;
# TODO: is this `wantedBy` needed? can we inherit it?
wantedBy = [ config.sane.fs."/home/colin/private".unit ];
wantedBeforeBy = [ ]; # don't created this as part of `multi-user.target`
};
}

3
hosts/common/home/mime.nix
View File

@@ -1,7 +1,6 @@
{ config, sane-lib, ...}:
let
# TODO: should move all of this into `sane.programs` to not ship broken associations
www = config.sane.programs.web-browser.config.browser.desktop;
pdf = "org.gnome.Evince.desktop";
md = "obsidian.desktop";
@@ -9,7 +8,6 @@ let
video = "vlc.desktop";
# audio = "mpv.desktop";
audio = "vlc.desktop";
email = "aerc.desktop";
in
{
@@ -41,6 +39,5 @@ in
# RICH-TEXT DOCUMENTS
"application/pdf" = pdf;
"text/markdown" = md;
"x-scheme-handler/mailto" = email;
};
}

2
hosts/common/ids.nix
View File

@@ -40,8 +40,6 @@
sane.ids.lemmy.gid = 2408;
sane.ids.pict-rs.uid = 2409;
sane.ids.pict-rs.gid = 2409;
sane.ids.sftpgo.uid = 2410;
sane.ids.sftpgo.gid = 2410;
sane.ids.colin.uid = 1000;
sane.ids.guest.uid = 1100;

14
hosts/common/net.nix
View File

@@ -21,20 +21,6 @@
General.RoamThreshold5G = "-52"; # default -76
};
# plugins mostly add support for establishing different VPN connections.
# the default plugin set includes mostly proprietary VPNs:
# - fortisslvpn (Fortinet)
# - iodine (DNS tunnels)
# - l2tp
# - openconnect (Cisco Anyconnect / Juniper / ocserv)
# - openvpn
# - vpnc (Cisco VPN)
# - sstp
#
# i don't use these, and notably they drag in huge dependency sets and don't cross compile well.
# e.g. openconnect drags in webkitgtk (for SSO)!
networking.networkmanager.plugins = lib.mkForce [];
networking.firewall.allowedUDPPorts = [
1900 # to received UPnP advertisements. required by sane-ip-check-upnp
];

5
hosts/common/nix-path/default.nix
View File

@@ -5,9 +5,6 @@
nix.nixPath = [
"nixpkgs=${pkgs.path}"
# note the import starts at repo root: this allows `./overlay/default.nix` to access the stuff at the root
# "nixpkgs-overlays=${../../..}/hosts/common/nix-path/overlay"
# as long as my system itself doesn't rely on NIXPKGS at runtime, we can point the overlays to git
# to avoid switching so much during development
"nixpkgs-overlays=/home/colin/dev/nixos/hosts/common/nix-path/overlay"
"nixpkgs-overlays=${../../..}/hosts/common/nix-path/overlay"
];
}

392
hosts/common/programs/assorted.nix
View File

@@ -1,392 +0,0 @@
{ lib, pkgs, ... }:
let
inherit (builtins) attrNames;
flattenedPkgs = pkgs // (with pkgs; {
# XXX can't `inherit` a nested attr, so we move them to the toplevel
"cacert.unbundled" = pkgs.cacert.unbundled;
"gnome.cheese" = gnome.cheese;
"gnome.dconf-editor" = gnome.dconf-editor;
"gnome.file-roller" = gnome.file-roller;
"gnome.gnome-disk-utility" = gnome.gnome-disk-utility;
"gnome.gnome-maps" = gnome.gnome-maps;
"gnome.nautilus" = gnome.nautilus;
"gnome.gnome-system-monitor" = gnome.gnome-system-monitor;
"gnome.gnome-terminal" = gnome.gnome-terminal;
"gnome.gnome-weather" = gnome.gnome-weather;
"gnome.totem" = gnome.totem;
"libsForQt5.plasmatube" = libsForQt5.plasmatube;
});
sysadminPkgs = {
inherit (flattenedPkgs)
btrfs-progs
"cacert.unbundled" # some services require unbundled /etc/ssl/certs
cryptsetup
dig
efibootmgr
fatresize
fd
file
gawk
git
gptfdisk
hdparm
htop
iftop
inetutils # for telnet
iotop
iptables
jq
killall
lsof
miniupnpc
nano
neovim
netcat
nethogs
nmap
openssl
parted
pciutils
powertop
pstree
ripgrep
screen
smartmontools
socat
strace
subversion
tcpdump
tree
usbutils
wget
wirelesstools # iwlist
;
};
sysadminExtraPkgs = {
# application-specific packages
inherit (pkgs)
backblaze-b2
duplicity
sqlite # to debug sqlite3 databases
;
};
iphonePkgs = {
inherit (pkgs)
ifuse
ipfs
libimobiledevice
;
};
tuiPkgs = {
inherit (pkgs)
aerc # email client
msmtp # sendmail
offlineimap # email mailox sync
sfeed # RSS fetcher
visidata # TUI spreadsheet viewer/editor
w3m
;
};
consoleMediaPkgs = {
inherit (pkgs)
ffmpeg
imagemagick
sox
yt-dlp
;
};
# TODO: split these into smaller groups.
# - moby doesn't want a lot of these.
# - categories like
# - dev?
# - debugging?
consolePkgs = {
inherit (pkgs)
alsaUtils # for aplay, speaker-test
# cdrtools
clinfo
dmidecode
efivar
# flashrom
fwupd
gh # MS GitHub cli
git # needed as a user package, for config.
# gnupg
# gocryptfs
# gopass
# gopass-jsonapi
kitty # TODO: move to GUI, but `ssh servo` from kitty sets `TERM=xterm-kitty` in the remove and breaks things
libsecret # for managing user keyrings. TODO: what needs this? lift into the consumer
lm_sensors # for sensors-detect. TODO: what needs this? lift into the consumer
lshw
# memtester
neovim # needed as a user package, for swap persistence
# nettools
# networkmanager
nix-index
nixpkgs-review
# nixos-generators
nmon
# node2nix
# oathToolkit # for oathtool
# ponymix
pulsemixer
python3
ripgrep # needed as a user package so that its user-level config file can be installed
rsync
# python3Packages.eyeD3 # music tagging
sane-scripts
sequoia
snapper
sops
speedtest-cli
# ssh-to-age
sudo
# tageditor # music tagging
unar
wireguard-tools
xdg-terminal-exec
xdg-utils # for xdg-open
# yarn
zsh
;
};
guiPkgs = {
inherit (flattenedPkgs)
# celluloid # mpv frontend
cozy # audiobook player
# emote
evince # works on phosh
# { pkg = fluffychat-moby; persist.plaintext = [ ".local/share/chat.fluffy.fluffychat" ]; } # TODO: ship normal fluffychat on non-moby?
# foliate # e-book reader
# XXX by default fractal stores its state in ~/.local/share/<UUID>.
# after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
# then reboot (so that libsecret daemon re-loads the keyring...?)
# { pkg = fractal-latest; persist.private = [ ".local/share/fractal" ]; }
# { pkg = fractal-next; persist.private = [ ".local/share/fractal" ]; }
# "gnome.cheese"
# gnome-feeds # RSS reader (with claimed mobile support)
"gnome.file-roller"
# "gnome.gnome-maps" # works on phosh
"gnome.nautilus"
# gnome-podcasts
# "gnome.gnome-system-monitor"
# "gnome.gnome-terminal" # works on phosh
# "gnome.gnome-weather"
gpodder
gthumb
jellyfin-media-player
komikku
koreader
lemoa # lemmy app
# lollypop
mepo # maps viewer
# mpv
# networkmanagerapplet
# newsflash
nheko
pavucontrol
# picard # music tagging
# "libsForQt5.plasmatube" # Youtube player
soundconverter
# sublime-music
# tdesktop # broken on phosh
# tokodon
tuba # mastodon/pleroma client (stores pw in keyring)
vlc
# pleroma client (Electron). input is broken on phosh. TODO(2023/02/02): fix electron19 input (insecure)
# whalebird
xterm # broken on phosh
;
};
desktopGuiPkgs = {
inherit (flattenedPkgs)
audacity
brave # for the integrated wallet -- as a backup
chromium
dino
electrum
element-desktop
# font-manager #< depends on webkitgtk4_0 (expensive to build)
gajim # XMPP client
gimp # broken on phosh
"gnome.dconf-editor"
"gnome.gnome-disk-utility"
# "gnome.totem" # video player, supposedly supports UPnP
handbrake
hase
inkscape
kdenlive
kid3 # audio tagging
krita
libreoffice-fresh
mumble
obsidian
slic3r
steam
wireshark # could maybe ship the cli as sysadmin pkg
;
};
x86GuiPkgs = {
inherit (pkgs)
discord
# kaiteki # Pleroma client
# gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
# gpt2tc # XXX: unreliable mirror
# logseq # Personal Knowledge Management
losslesscut-bin
makemkv
monero-gui
signal-desktop
spotify
tor-browser-bundle-bin
zecwallet-lite
;
};
# packages not part of any package set; not enabled by default
otherPkgs = {
inherit (pkgs)
lemmy-server
mx-sanebot
stepmania
;
};
# define -- but don't enable -- the packages in some attrset.
declarePkgs = pkgsAsAttrs: lib.mapAttrs (_n: p: {
# no need to actually define the package here: it's defaulted
# package = mkDefault p;
}) pkgsAsAttrs;
in
{
sane.programs = lib.mkMerge [
(declarePkgs consoleMediaPkgs)
(declarePkgs consolePkgs)
(declarePkgs desktopGuiPkgs)
(declarePkgs guiPkgs)
(declarePkgs iphonePkgs)
(declarePkgs sysadminPkgs)
(declarePkgs sysadminExtraPkgs)
(declarePkgs tuiPkgs)
(declarePkgs x86GuiPkgs)
(declarePkgs otherPkgs)
{
# link the various package sets into their own meta packages
consoleMediaUtils = {
package = null;
suggestedPrograms = attrNames consoleMediaPkgs;
};
consoleUtils = {
package = null;
suggestedPrograms = attrNames consolePkgs;
};
desktopGuiApps = {
package = null;
suggestedPrograms = attrNames desktopGuiPkgs;
};
guiApps = {
package = null;
suggestedPrograms = (attrNames guiPkgs)
++ [ "web-browser" ]
++ [ "tuiApps" ]
++ lib.optional (pkgs.system == "x86_64-linux") "x86GuiApps";
};
iphoneUtils = {
package = null;
suggestedPrograms = attrNames iphonePkgs;
};
sysadminUtils = {
package = null;
suggestedPrograms = attrNames sysadminPkgs;
};
sysadminExtraUtils = {
package = null;
suggestedPrograms = attrNames sysadminExtraPkgs;
};
tuiApps = {
package = null;
suggestedPrograms = attrNames tuiPkgs;
};
x86GuiApps = {
package = null;
suggestedPrograms = attrNames x86GuiPkgs;
};
}
{
# nontrivial package definitions
dino.persist.private = [ ".local/share/dino" ];
# creds, but also 200 MB of node modules, etc
discord.persist.private = [ ".config/discord" ];
# creds/session keys, etc
element-desktop.persist.private = [ ".config/Element" ];
# `emote` will show a first-run dialog based on what's in this directory.
# mostly, it just keeps a LRU of previously-used emotes to optimize display order.
# TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
emote.persist.plaintext = [ ".local/share/Emote" ];
# MS GitHub stores auth token in .config
# TODO: we can populate gh's stuff statically; it even lets us use the same oauth across machines
gh.persist.private = [ ".config/gh" ];
# actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
# XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
monero-gui.persist.plaintext = [ ".bitmonero" ];
mumble.persist.private = [ ".local/share/Mumble" ];
# not strictly necessary, but allows caching articles; offline use, etc.
nheko.persist.private = [
".config/nheko" # config file (including client token)
".cache/nheko" # media cache
".local/share/nheko" # per-account state database
];
# settings (electron app)
obsidian.persist.plaintext = [ ".config/obsidian" ];
# creds, media
signal-desktop.persist.private = [ ".config/Signal" ];
# printer/filament settings
slic3r.persist.plaintext = [ ".Slic3r" ];
# creds, widevine .so download. TODO: could easily manage these statically.
spotify.persist.plaintext = [ ".config/spotify" ];
tdesktop.persist.private = [ ".local/share/TelegramDesktop" ];
tokodon.persist.private = [ ".cache/KDE/tokodon" ];
# hardenedMalloc solves a crash at startup
# TODO 2023/02/02: is this safe to remove yet?
tor-browser-bundle-bin.package = pkgs.tor-browser-bundle-bin.override {
useHardenedMalloc = false;
};
whalebird.persist.private = [ ".config/Whalebird" ];
yarn.persist.plaintext = [ ".cache/yarn" ];
# zcash coins. safe to delete, just slow to regenerate (10-60 minutes)
zecwallet-lite.persist.private = [ ".zcash" ];
}
];
}

11
hosts/common/programs/cozy.nix
View File

@@ -1,11 +0,0 @@
{ ... }:
{
sane.programs.cozy = {
# cozy uses a sqlite db for its config and exposes no CLI options other than --help and --debug
persist.plaintext = [
".local/share/cozy" # sqlite db (config & index?)
".cache/cozy" # offline cache
];
};
}

405
hosts/common/programs/default.nix
View File

@@ -1,32 +1,278 @@
{ pkgs, ... }:
{ config, lib, pkgs, ... }:
let
inherit (builtins) attrNames concatLists;
inherit (lib) mapAttrs mapAttrsToList mkDefault mkIf mkMerge optional;
flattenedPkgs = pkgs // (with pkgs; {
# XXX can't `inherit` a nested attr, so we move them to the toplevel
"cacert.unbundled" = pkgs.cacert.unbundled;
"gnome.cheese" = gnome.cheese;
"gnome.dconf-editor" = gnome.dconf-editor;
"gnome.file-roller" = gnome.file-roller;
"gnome.gnome-disk-utility" = gnome.gnome-disk-utility;
"gnome.gnome-maps" = gnome.gnome-maps;
"gnome.nautilus" = gnome.nautilus;
"gnome.gnome-system-monitor" = gnome.gnome-system-monitor;
"gnome.gnome-terminal" = gnome.gnome-terminal;
"gnome.gnome-weather" = gnome.gnome-weather;
"gnome.totem" = gnome.totem;
"libsForQt5.plasmatube" = libsForQt5.plasmatube;
});
sysadminPkgs = {
inherit (flattenedPkgs)
btrfs-progs
"cacert.unbundled" # some services require unbundled /etc/ssl/certs
cryptsetup
dig
efibootmgr
fatresize
fd
file
gawk
git
gptfdisk
hdparm
htop
iftop
inetutils # for telnet
iotop
iptables
jq
killall
lsof
miniupnpc
nano
netcat
nethogs
nmap
openssl
parted
pciutils
powertop
pstree
ripgrep
screen
smartmontools
socat
strace
subversion
tcpdump
tree
usbutils
wget
wirelesstools # iwlist
;
};
sysadminExtraPkgs = {
# application-specific packages
inherit (pkgs)
backblaze-b2
duplicity
sqlite # to debug sqlite3 databases
;
};
iphonePkgs = {
inherit (pkgs)
ifuse
ipfs
libimobiledevice
;
};
tuiPkgs = {
inherit (pkgs)
aerc # email client
offlineimap # email mailox sync
visidata # TUI spreadsheet viewer/editor
w3m
;
};
# TODO: split these into smaller groups.
# - transcoders (ffmpeg, imagemagick) only wanted on desko/lappy ("powerutils"?)
consolePkgs = {
inherit (pkgs)
alsaUtils # for aplay, speaker-test
cdrtools
dmidecode
efivar
flashrom
fwupd
gh # MS GitHub cli
git # needed as a user package, for config.
gnupg
gocryptfs
gopass # TODO: shouldn't be needed here
gopass-jsonapi
imagemagick
kitty # TODO: move to GUI, but `ssh servo` from kitty sets `TERM=xterm-kitty` in the remove and breaks things
libsecret # for managing user keyrings
lm_sensors # for sensors-detect
lshw
ffmpeg
# memtester
neovim
# nettools
# networkmanager
nixpkgs-review
# nixos-generators
nmon
# node2nix
# oathToolkit # for oathtool
# ponymix
pulsemixer
python3
ripgrep # needed as a user package, for config.
rsync
# python3Packages.eyeD3 # music tagging
sane-scripts
sequoia
snapper
sops
sox
speedtest-cli
# ssh-to-age
sudo
# tageditor # music tagging
unar
wireguard-tools
xdg-utils # for xdg-open
# yarn
# youtube-dl
yt-dlp
zsh
;
};
guiPkgs = {
inherit (flattenedPkgs)
# celluloid # mpv frontend
clinfo
emote
evince # works on phosh
# { pkg = fluffychat-moby; persist.plaintext = [ ".local/share/chat.fluffy.fluffychat" ]; } # TODO: ship normal fluffychat on non-moby?
# foliate # e-book reader
# XXX by default fractal stores its state in ~/.local/share/<UUID>.
# after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
# then reboot (so that libsecret daemon re-loads the keyring...?)
# { pkg = fractal-latest; persist.private = [ ".local/share/fractal" ]; }
# { pkg = fractal-next; persist.private = [ ".local/share/fractal" ]; }
# "gnome.cheese"
"gnome.dconf-editor"
# gnome-feeds # RSS reader (with claimed mobile support)
"gnome.file-roller"
# "gnome.gnome-maps" # works on phosh
"gnome.nautilus"
# gnome-podcasts
"gnome.gnome-system-monitor"
# "gnome.gnome-terminal" # works on phosh
# "gnome.gnome-weather"
gpodder
gthumb
jellyfin-media-player
# lollypop
# mpv
networkmanagerapplet
# newsflash
nheko
pavucontrol
# picard # music tagging
playerctl
# "libsForQt5.plasmatube" # Youtube player
soundconverter
sublime-music
# tdesktop # broken on phosh
# tokodon
vlc
# pleroma client (Electron). input is broken on phosh. TODO(2023/02/02): fix electron19 input (insecure)
# whalebird
xterm # broken on phosh
;
};
desktopGuiPkgs = {
inherit (flattenedPkgs)
audacity
brave # for the integrated wallet -- as a backup
chromium
dino
electrum
element-desktop
font-manager
gajim # XMPP client
gimp # broken on phosh
"gnome.gnome-disk-utility"
# "gnome.totem" # video player, supposedly supports UPnP
handbrake
hase
inkscape
kdenlive
kid3 # audio tagging
krita
libreoffice-fresh
mumble
obsidian
slic3r
steam
wireshark # could maybe ship the cli as sysadmin pkg
;
};
x86GuiPkgs = {
inherit (pkgs)
discord
# kaiteki # Pleroma client
# gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
# gpt2tc # XXX: unreliable mirror
# logseq # Personal Knowledge Management
losslesscut-bin
makemkv
monero-gui
signal-desktop
spotify
tor-browser-bundle-bin
zecwallet-lite
;
};
# packages not part of any package set; not enabled by default
otherPkgs = {
inherit (pkgs)
lemmy-server
mx-sanebot
stepmania
;
};
# define -- but don't enable -- the packages in some attrset.
declarePkgs = pkgsAsAttrs: mapAttrs (_n: p: {
# no need to actually define the package here: it's defaulted
# package = mkDefault p;
}) pkgsAsAttrs;
in
{
imports = [
./aerc.nix
./assorted.nix
./cozy.nix
./git.nix
./gnome-feeds.nix
./gpodder.nix
./gthumb.nix
./imagemagick.nix
./jellyfin-media-player.nix
./kitty
./komikku.nix
./koreader
./libreoffice.nix
./lemoa.nix
./mepo.nix
./mpv.nix
./msmtp.nix
./neovim.nix
./newsflash.nix
./nix-index.nix
./offlineimap.nix
./ripgrep.nix
./sfeed.nix
./splatmoji.nix
./steam.nix
./sublime-music.nix
./vlc.nix
./web-browser.nix
@@ -36,8 +282,141 @@
];
config = {
sane.programs = mkMerge [
(declarePkgs consolePkgs)
(declarePkgs desktopGuiPkgs)
(declarePkgs guiPkgs)
(declarePkgs iphonePkgs)
(declarePkgs sysadminPkgs)
(declarePkgs sysadminExtraPkgs)
(declarePkgs tuiPkgs)
(declarePkgs x86GuiPkgs)
(declarePkgs otherPkgs)
{
# link the various package sets into their own meta packages
consoleUtils = {
package = null;
suggestedPrograms = attrNames consolePkgs;
};
desktopGuiApps = {
package = null;
suggestedPrograms = attrNames desktopGuiPkgs;
};
guiApps = {
package = null;
suggestedPrograms = (attrNames guiPkgs)
++ [ "web-browser" ]
++ [ "tuiApps" ]
++ optional (pkgs.system == "x86_64-linux") "x86GuiApps";
};
iphoneUtils = {
package = null;
suggestedPrograms = attrNames iphonePkgs;
};
sysadminUtils = {
package = null;
suggestedPrograms = attrNames sysadminPkgs;
};
sysadminExtraUtils = {
package = null;
suggestedPrograms = attrNames sysadminExtraPkgs;
};
tuiApps = {
package = null;
suggestedPrograms = attrNames tuiPkgs;
};
x86GuiApps = {
package = null;
suggestedPrograms = attrNames x86GuiPkgs;
};
}
{
# nontrivial package definitions
dino.persist.private = [ ".local/share/dino" ];
# creds, but also 200 MB of node modules, etc
discord.persist.private = [ ".config/discord" ];
# creds/session keys, etc
element-desktop.persist.private = [ ".config/Element" ];
# `emote` will show a first-run dialog based on what's in this directory.
# mostly, it just keeps a LRU of previously-used emotes to optimize display order.
# TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
emote.persist.plaintext = [ ".local/share/Emote" ];
# MS GitHub stores auth token in .config
# TODO: we can populate gh's stuff statically; it even lets us use the same oauth across machines
gh.persist.private = [ ".config/gh" ];
ghostscript = {}; # used by imagemagick
imagemagick = {
package = pkgs.imagemagick.override {
ghostscriptSupport = true;
};
suggestedPrograms = [ "ghostscript" ];
};
# actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
# XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
monero-gui.persist.plaintext = [ ".bitmonero" ];
mumble.persist.private = [ ".local/share/Mumble" ];
# not strictly necessary, but allows caching articles; offline use, etc.
nheko.persist.private = [
".config/nheko" # config file (including client token)
".cache/nheko" # media cache
".local/share/nheko" # per-account state database
];
# settings (electron app)
obsidian.persist.plaintext = [ ".config/obsidian" ];
# creds, media
signal-desktop.persist.private = [ ".config/Signal" ];
# printer/filament settings
slic3r.persist.plaintext = [ ".Slic3r" ];
# creds, widevine .so download. TODO: could easily manage these statically.
spotify.persist.plaintext = [ ".config/spotify" ];
steam.persist.plaintext = [
".steam"
".local/share/Steam"
];
tdesktop.persist.private = [ ".local/share/TelegramDesktop" ];
tokodon.persist.private = [ ".cache/KDE/tokodon" ];
# hardenedMalloc solves a crash at startup
# TODO 2023/02/02: is this safe to remove yet?
tor-browser-bundle-bin.package = pkgs.tor-browser-bundle-bin.override {
useHardenedMalloc = false;
};
whalebird.persist.private = [ ".config/Whalebird" ];
yarn.persist.plaintext = [ ".cache/yarn" ];
# zcash coins. safe to delete, just slow to regenerate (10-60 minutes)
zecwallet-lite.persist.private = [ ".zcash" ];
}
];
# XXX: this might not be necessary. try removing this and cacert.unbundled (servo)?
environment.etc."ssl/certs".source = "${pkgs.cacert.unbundled}/etc/ssl/certs/*";
# steam requires system-level config for e.g. firewall or controller support
programs.steam = mkIf config.sane.programs.steam.enabled {
enable = true;
# not sure if needed: stole this whole snippet from the wiki
remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
};
};
}

15
hosts/common/programs/git.nix
View File

@@ -11,15 +11,7 @@ in
user.name = "Colin";
user.email = "colin@uninsane.org";
alias.br = "branch";
alias.co = "checkout";
alias.cp = "cherry-pick";
alias.d = "difftool";
alias.dif = "diff"; # common typo
alias.difsum = "diff --compact-summary"; #< show only the list of files which changed, not contents
alias.rb = "rebase";
alias.st = "status";
alias.stat = "status";
alias.co = "checkout";
# difftastic docs:
# - <https://difftastic.wilfred.me.uk/git.html>
@@ -30,10 +22,5 @@ in
# render dates as YYYY-MM-DD HH:MM:SS +TZ
log.date = "iso";
sendemail.annotate = "yes";
sendemail.confirm = "always";
stash.showPatch = true;
};
}

3
hosts/common/programs/gpodder.nix
View File

@@ -7,8 +7,7 @@ let
wanted-feeds = feeds.filterByFormat ["podcast"] all-feeds;
in {
sane.programs.gpodder = {
package = pkgs.gpodder-adaptive-configured;
# package = pkgs.gpodder-configured;
package = pkgs.gpodder-configured;
fs.".config/gpodderFeeds.opml".symlink.text = feeds.feedsToOpml wanted-feeds;
# XXX: we preserve the whole thing because if we only preserve gPodder/Downloads

4
hosts/common/programs/gthumb.nix
View File

@@ -1,4 +0,0 @@
{ pkgs, ... }:
{
sane.programs.gthumb.package = pkgs.gthumb.override { withWebservices = false; };
}

10
hosts/common/programs/imagemagick.nix
View File

@@ -1,10 +0,0 @@
{ pkgs, ... }:
{
sane.programs.imagemagick = {
package = pkgs.imagemagick.override {
ghostscriptSupport = true;
};
suggestedPrograms = [ "ghostscript" ];
};
sane.programs.ghostscript = {};
}

4
hosts/common/programs/jellyfin-media-player.nix
View File

@@ -2,8 +2,8 @@
{
sane.programs.jellyfin-media-player = {
# package = pkgs.jellyfin-media-player;
package = pkgs.jellyfin-media-player-qt6;
package = pkgs.jellyfin-media-player;
# package = pkgs.jellyfin-media-player-qt6;
# jellyfin stores things in a bunch of directories: this one persists auth info.
# it *might* be possible to populate this externally (it's Qt stuff), but likely to

19
hosts/common/programs/kitty/default.nix
View File

@@ -1,17 +1,14 @@
{ lib, ... }:
{ ... }:
{
sane.programs.kitty = {
fs.".config/kitty/kitty.conf".symlink.text = ''
# docs: https://sw.kovidgoyal.net/kitty/conf/
# disable terminal bell (when e.g. you backspace too many times)
enable_audio_bell no
sane.programs.kitty.fs.".config/kitty/kitty.conf".symlink.text = ''
# docs: https://sw.kovidgoyal.net/kitty/conf/
# disable terminal bell (when e.g. you backspace too many times)
enable_audio_bell no
map ctrl+n new_os_window_with_cwd
include ${./PaperColor_dark.conf}
'';
env.TERMINAL = lib.mkDefault "kitty";
};
map ctrl+n new_os_window_with_cwd
include ${./PaperColor_dark.conf}
'';
# include ${pkgs.kitty-themes}/themes/PaperColor_dark.conf

8
hosts/common/programs/komikku.nix
View File

@@ -1,8 +0,0 @@
{ ... }:
{
sane.programs.komikku = {
secrets.".local/share/komikku/keyrings/plaintext.keyring" = ../../../secrets/common/komikku_accounts.json.bin;
# downloads end up here, and without the toplevel database komikku doesn't know they exist.
persist.plaintext = [ ".local/share/komikku" ];
};
}

42
hosts/common/programs/koreader/2-colin-NetworkManager-isConnected.lua
View File

@@ -1,42 +0,0 @@
-- as of 2023.05.1, koreader FTP browser always fails to load.
-- it's convinced that it's offline, and asks to connect to wifi.
-- this seems to be because of the following in <frontend/device/sdl/device.lua>:
--
-- function Device:initNetworkManager(NetworkMgr)
-- function NetworkMgr:isWifiOn() return true end
-- function NetworkMgr:isConnected()
-- -- Pull the default gateway first, so we don't even try to ping anything if there isn't one...
-- local default_gw = Device:getDefaultRoute()
-- if not default_gw then
-- return false
-- end
-- return 0 == os.execute("ping -c1 -w2 " .. default_gw .. " > /dev/null")
-- end
-- end
--
-- specifically, `os.execute` is not *expected* to return 0. it returns `true` on success:
-- <https://www.lua.org/manual/5.3/manual.html#pdf-os.execute>
-- this apparently changed from 5.1 -> 5.2
--
-- XXX: this same bug likely applies to `isCommand` and `runCommand` in <frontend/device/sdl/device.lua>
-- - that would manifest as wikipedia links failing to open in external application (xdg-open)
local logger = require("logger")
logger.info("applying colin patch")
local Device = require("device")
logger.info("Device:" .. tostring(Device))
local orig_initNetworkManager = Device.initNetworkManager
Device.initNetworkManager = function(self, NetworkMgr)
logger.info("Device:initNetworkManager")
orig_initNetworkManager(self, NetworkMgr)
function NetworkMgr:isConnected()
logger.info("mocked `NetworkMgr:isConnected` to return true")
return true
-- unpatch to show that the boolean form works
-- local rc = os.execute("ping -c1 -w2 10.78.79.1 > /dev/null")
-- logger.info("ping rc: " .. tostring(rc))
-- return rc
end
end

46
hosts/common/programs/koreader/default.nix
View File

@@ -1,46 +0,0 @@
{ config, lib, sane-lib, ... }:
let
feeds = sane-lib.feeds;
allFeeds = config.sane.feeds;
wantedFeeds = feeds.filterByFormat [ "image" "text" ] allFeeds;
koreaderRssEntries = builtins.map (feed:
# format:
# { "<rss/atom url>", limit = <int>, download_full_article=<bool>, include_images=<bool>, enable_filter=<bool>, filter_element = "<css selector>"},
# limit = 0 => download and keep *all* articles
# download_full_article = true => populate feed by downloading the webpage -- not just what's encoded in the RSS <article> tags
# - use this for articles where the RSS only encodes content previews
# enable_filter = true => only render content that matches the filter_element css selector.
let fields = [
(lib.escapeShellArg feed.url)
"limit = 5"
"download_full_article = false"
"include_images = true"
"enable_filter = false"
"filter_element = \"\""
]; in "{ ${lib.concatStringsSep ", " fields } }"
) wantedFeeds;
in {
sane.programs.koreader = {
# koreader applies these lua "patches" at boot:
# - <https://github.com/koreader/koreader/wiki/User-patches>
# - TODO: upstream this patch to koreader
# fs.".config/koreader/patches".symlink.target = "${./.}";
fs.".config/koreader/patches/2-colin-NetworkManager-isConnected.lua".symlink.target = "${./2-colin-NetworkManager-isConnected.lua}";
# koreader news plugin, enabled by default. file format described here:
# - <repo:koreader/koreader:plugins/newsdownloader.koplugin/feed_config.lua>
fs.".config/koreader/news/feed_config.lua".symlink.text = ''
return {--do NOT change this line
${lib.concatStringsSep ",\n " koreaderRssEntries}
}--do NOT change this line
'';
# koreader on aarch64 errors if there's no fonts directory (sandboxing thing, i guess)
fs.".local/share/fonts".dir = {};
# history, cache, dictionaries...
# could be more explicit if i symlinked the history.lua file to somewhere it can persist better.
persist.plaintext = [ ".config/koreader" ];
};
}

7
hosts/common/programs/lemoa.nix
View File

@@ -1,7 +0,0 @@
{ ... }:
{
sane.programs.lemoa = {
# creds
persist.private = [ ".local/share/io.github.lemmygtk.lemoa" ];
};
}

18
hosts/common/programs/mepo.nix
View File

@@ -1,18 +0,0 @@
# docs: <https://git.sr.ht/~mil/mepo>
# irc #mepo:irc.oftc.net
{ config, lib, ... }:
{
sane.programs.mepo = {
persist.plaintext = [ ".cache/mepo/tiles" ];
# ~/.cache/mepo/savestate has precise coordinates and pins: keep those private
persist.private = [ ".cache/mepo/savestate" ];
};
programs.mepo = lib.mkIf config.sane.programs.mepo.enabled {
# enable location services (via geoclue)
enable = true;
# more precise, via gpsd ("may require additional config")
# programs.mepo.gpsd.enable = true
};
}

25
hosts/common/programs/msmtp.nix
View File

@@ -1,25 +0,0 @@
# docs: <https://nixos.wiki/wiki/Msmtp>
# validate with e.g.
# - `echo -e "Content-Type: text/plain\r\nSubject: Test\r\n\r\nHello World" | sendmail test@uninsane.org`
{ config, lib, ... }:
{
sane.programs.msmtp = {
secrets.".config/msmtp/password.txt" = ../../../secrets/common/msmtp_password.txt.bin;
};
programs.msmtp = lib.mkIf config.sane.programs.msmtp.enabled {
enable = true;
accounts = {
default = {
auth = true;
tls = true;
tls_starttls = false; # needed else sendmail hangs
from = "Colin <colin@uninsane.org>";
host = "mx.uninsane.org";
user = "colin";
passwordeval = "cat ~/.config/msmtp/password.txt";
};
};
};
}

66
hosts/common/programs/neovim.nix
View File

@@ -5,11 +5,30 @@ let
inherit (lib) concatMapStrings mkIf optionalString;
# this structure roughly mirrors home-manager's `programs.neovim.plugins` option
plugins = with pkgs.vimPlugins; [
{
# docs: fzf-vim (fuzzy finder): https://github.com/junegunn/fzf.vim
plugin = fzf-vim;
}
{
# docs: surround-nvim: https://github.com/ur4ltz/surround.nvim/
# docs: vim-surround: https://github.com/tpope/vim-surround
{ plugin = vim-surround; }
# docs: fzf-vim (fuzzy finder): https://github.com/junegunn/fzf.vim
{ plugin = fzf-vim; }
({
# docs: tex-conceal-vim: https://github.com/KeitaNakamura/tex-conceal.vim/
plugin = tex-conceal-vim;
type = "viml";
config = ''
" present prettier fractions
let g:tex_conceal_frac=1
'';
})
({
plugin = vim-SyntaxRange;
type = "viml";
config = ''
" enable markdown-style codeblock highlighting for tex code
autocmd BufEnter * call SyntaxRange#Include('```tex', '```', 'tex', 'NonText')
" autocmd Syntax tex set conceallevel=2
'';
})
({
# treesitter syntax highlighting: https://nixos.wiki/wiki/Tree_sitters
# docs: https://github.com/nvim-treesitter/nvim-treesitter
# config taken from: https://github.com/i077/system/blob/master/modules/home/neovim/default.nix
@@ -45,35 +64,7 @@ let
vim.o.foldmethod = 'expr'
vim.o.foldexpr = 'nvim_treesitter#foldexpr()'
'';
}
{
# docs: tex-conceal-vim: https://github.com/KeitaNakamura/tex-conceal.vim/
plugin = tex-conceal-vim;
type = "viml";
config = ''
" present prettier fractions
let g:tex_conceal_frac=1
'';
}
{
# source: <https://github.com/LnL7/vim-nix>
# fixes auto-indent (incl tab size) when editing .nix files
plugin = vim-nix;
}
{
# docs: surround-nvim: https://github.com/ur4ltz/surround.nvim/
# docs: vim-surround: https://github.com/tpope/vim-surround
plugin = vim-surround;
}
{
plugin = vim-SyntaxRange;
type = "viml";
config = ''
" enable markdown-style codeblock highlighting for tex code
autocmd BufEnter * call SyntaxRange#Include('```tex', '```', 'tex', 'NonText')
" autocmd Syntax tex set conceallevel=2
'';
}
})
];
plugin-packages = map (p: p.plugin) plugins;
plugin-config-tex = concatMapStrings (p: optionalString (p.type or "" == "viml") p.config) plugins;
@@ -81,12 +72,7 @@ let
in
{
# private because there could be sensitive things in the swap
sane.programs.neovim = {
persist.private = [ ".cache/vim-swap" ];
env.EDITOR = "vim";
# git claims it should use EDITOR, but it doesn't!
env.GIT_EDITOR = "vim";
};
sane.programs.neovim.persist.private = [ ".cache/vim-swap" ];
programs.neovim = mkIf config.sane.programs.neovim.enabled {
# neovim: https://github.com/neovim/neovim

7
hosts/common/programs/nix-index.nix
View File

@@ -1,7 +0,0 @@
{ config, lib, ... }:
{
# provides `nix-locate`, backed by the manually run `nix-index`
sane.programs.nix-index = {
persist.plaintext = [ ".cache/nix-index" ];
};
}

28
hosts/common/programs/sfeed.nix
View File

@@ -1,28 +0,0 @@
# simple RSS and Atom parser
# - <https://codemadness.org/sfeed-simple-feed-parser.html>
# - used by sxmo
# - man 5 sfeedrc
#
# call `sfeed_update` to query each feed and populate entries in ~/.sfeed/feeds
{ lib, config, sane-lib, ... }:
let
feeds = sane-lib.feeds;
allFeeds = config.sane.feeds;
wantedFeeds = feeds.filterByFormat ["text"] allFeeds;
sfeedEntries = builtins.map (feed:
# format:
# feed <name> <feedurl> [basesiteurl] [encoding]
lib.escapeShellArgs [ "feed" (if feed.title != null then feed.title else feed.url) feed.url ]
) wantedFeeds;
in {
sane.programs.sfeed = {
fs.".sfeed/sfeedrc".symlink.text = ''
feeds() {
${lib.concatStringsSep "\n " sfeedEntries}
}
'';
# this is where the parsed feed items go
persist.plaintext = [ ".sfeed/feeds" ];
};
}

16
hosts/common/programs/steam.nix
View File

@@ -1,16 +0,0 @@
{ config, lib, ...}:
{
sane.programs.steam = {
persist.plaintext = [
".steam"
".local/share/Steam"
];
};
# steam requires system-level config for e.g. firewall or controller support
programs.steam = lib.mkIf config.sane.programs.steam.enabled {
enable = true;
# not sure if needed: stole this whole snippet from the wiki
remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
};
}

27
hosts/common/programs/web-browser.nix
View File

@@ -13,15 +13,17 @@ let
# allow easy switching between firefox and librewolf with `defaultSettings`, below
librewolfSettings = {
browser = pkgs.librewolf-unwrapped;
extraPrefsFiles = pkgs.librewolf-unwrapped.extraPrefsFiles ++ pkgs.librewolf-pmos-mobile.extraPrefsFiles;
# browser = pkgs.librewolf-unwrapped.overrideAttrs (drv: {
# # this allows side-loading unsigned addons
# MOZ_REQUIRE_SIGNING = false;
# });
libName = "librewolf";
dotDir = ".librewolf";
cacheDir = ".cache/librewolf";
cacheDir = ".cache/librewolf"; # TODO: is it?
desktop = "librewolf.desktop";
};
firefoxSettings = {
browser = pkgs.firefox-esr-unwrapped;
extraPrefsFiles = pkgs.firefox-pmos-mobile.extraPrefsFiles;
libName = "firefox";
dotDir = ".mozilla/firefox";
cacheDir = ".cache/mozilla";
@@ -45,7 +47,8 @@ let
package = pkgs.wrapFirefox cfg.browser.browser {
# inherit the default librewolf.cfg
# it can be further customized via ~/.librewolf/librewolf.overrides.cfg
inherit (cfg.browser) extraPrefsFiles libName;
inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
inherit (cfg.browser) libName;
extraNativeMessagingHosts = optional cfg.addons.browserpass-extension.enable pkgs.browserpass;
# extraNativeMessagingHosts = [ pkgs.gopass-native-messaging-host ];
@@ -69,10 +72,7 @@ let
};
UserMessaging = {
ExtensionRecommendations = false;
FeatureRecommendations = false;
SkipOnboarding = true;
UrlbarInterventions = false;
WhatsNew = false;
};
# these were taken from Librewolf
@@ -162,9 +162,8 @@ in
# bypass-paywalls-clean.package = addon "bypass-paywalls-clean" "{d133e097-46d9-4ecc-9903-fa6a722a6e0e}" "sha256-oUwdqdAwV3DezaTtOMx7A/s4lzIws+t2f08mwk+324k=";
# bypass-paywalls-clean.enable = lib.mkDefault true;
# TODO: give these update scripts, make them reachable via `pkgs`
ether-metamask = {
package = addon "ether-metamask" "webextension@metamask.io" "sha256-UI83wUUc33OlQYX+olgujeppoo2D2PAUJ+Wma5mH2O0=";
package = addon "ether-metamask" "webextension@metamask.io" "sha256-G+MwJDOcsaxYSUXjahHJmkWnjLeQ0Wven8DU/lGeMzA=";
enable = lib.mkDefault true;
};
i2p-in-private-browsing = {
@@ -176,15 +175,15 @@ in
enable = lib.mkDefault true;
};
sponsorblock = {
package = addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-b/OTFmhSEUZ/CYrYCE4rHVMQmY+Y78k8jSGMoR8vsZA=";
package = addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-hRsvLaAsVm3dALsTrJqHTNgRFAQcU7XSaGhr5G6+mFs=";
enable = lib.mkDefault true;
};
ublacklist = {
package = addon "ublacklist" "@ublacklist" "sha256-NZ2FmgJiYnH7j2Lkn0wOembxaEphmUuUk0Ytmb0rNWo=";
package = addon "ublacklist" "@ublacklist" "sha256-RqY5iHzbL2qizth7aguyOKWPyINXmrwOlf/OsfqAS48=";
enable = lib.mkDefault true;
};
ublock-origin = {
package = addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-EGGAA+cLUow/F5luNzFG055rFfd3rEyh8hTaL/23pbM=";
package = addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-eHlQrU/b9X/6sTbHBpGAd+0VsLT7IrVCnd0AQ948lyA=";
enable = lib.mkDefault true;
};
};
@@ -193,9 +192,6 @@ in
sane.programs.web-browser = {
inherit package;
# env.BROWSER = "${package}/bin/${cfg.browser.libName}";
env.BROWSER = cfg.browser.libName; # used by misc tools like xdg-email, as fallback
# uBlock filter list configuration.
# specifically, enable the GDPR cookie prompt blocker.
# data.toOverwrite.filterLists is additive (i.e. it supplements the default filters)
@@ -214,7 +210,6 @@ in
}
}
'';
# TODO: this is better suited in `extraPrefs` during `wrapFirefox` call
fs."${cfg.browser.dotDir}/${cfg.browser.libName}.overrides.cfg".symlink.text = ''
// if we can't query the revocation status of a SSL cert because the issuer is offline,
// treat it as unrevoked.

97
hosts/common/programs/zsh/default.nix
View File

@@ -1,20 +1,3 @@
# zsh files/init order
# - see `man zsh` => "STARTUP/SHUTDOWN FILES"
# - /etc/zshenv
# - $ZDOTDIR/.zshenv
# - if login shell:
# - /etc/zprofile
# - $ZDOTDIR/.zprofile
# - if interactive:
# - /etc/zshrc
# - $ZDOTDIR/.zshrc
# - if login (again):
# - /etc/zlogin
# - ZDOTDIR/.zlogin
# - at exit:
# - $ZDOTDIR/.zlogout
# - /etc/zlogout
{ config, lib, pkgs, ... }:
let
@@ -50,7 +33,7 @@ in
showDeadlines = mkOption {
type = types.bool;
default = true;
description = "show upcoming deadlines (from my PKM) upon shell init";
description = "show upcoming deadlines (frommy PKM) upon shell init";
};
};
};
@@ -58,60 +41,41 @@ in
config = mkMerge [
({
sane.programs.zsh = {
persist.private = [
# we don't need to full zsh dir -- just the history file --
# but zsh will sometimes backup the history file and symlinking just the file messes things up
".local/share/zsh"
];
persist.plaintext = [
# cache gitstatus otherwise p10k fetches it from the net EVERY BOOT
# we don't need to full zsh dir -- just the history file --
# but zsh will sometimes backup the history file and we get fewer errors if we do proper mounts instead of symlinks.
# TODO: should be private?
".local/share/zsh"
# cache gitstatus otherwise p10k fetched it from the net EVERY BOOT
".cache/gitstatus"
];
fs.".config/zsh/.zshrc".symlink.text = ''
# zsh/prezto complains if zshrc doesn't exist or is empty;
# preserve this comment to prevent that from ever happening.
'' + lib.optionalString cfg.showDeadlines ''
${pkgs.sane-scripts.deadlines}/bin/sane-deadlines
'' + ''
# auto-cd into any of these dirs by typing them and pressing 'enter':
hash -d 3rd="/home/colin/dev/3rd"
hash -d dev="/home/colin/dev"
hash -d knowledge="/home/colin/knowledge"
hash -d nixos="/home/colin/nixos"
hash -d nixpkgs="/home/colin/dev/3rd/nixpkgs"
hash -d ref="/home/colin/ref"
hash -d secrets="/home/colin/knowledge/secrets"
hash -d tmp="/home/colin/tmp"
hash -d uninsane="/home/colin/dev/uninsane"
hash -d Videos="/home/colin/Videos"
'';
# zsh/prezto complains if zshrc doesn't exist; but it does allow an "empty" file.
fs.".config/zsh/.zshrc".symlink.text = "# ";
# prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
# see: https://github.com/sorin-ionescu/prezto
# this file is auto-sourced by the prezto init.zsh script.
# TODO: i should work to move away from prezto:
# - it's FUCKING SLOW to initialize (that might also be powerlevel10k tho)
# - it messes with my other `setopt`s
# i believe this file is auto-sourced by the prezto init.zsh script.
fs.".config/zsh/.zpreztorc".symlink.text = ''
zstyle ':prezto:*:*' color 'yes'
zstyle ':prezto:module:utility' correct 'no' # prezto: don't setopt CORRECT
# modules (they ship with prezto):
# ENVIRONMENT: configures jobs to persist after shell exit; other basic niceties
# TERMINAL: auto-titles terminal (e.g. based on cwd)
# EDITOR: configures shortcuts like Ctrl+U=undo, Ctrl+L=clear
# HISTORY: `history-stat` alias, setopts for good history defaults
# DIRECTORY: sets AUTO_CD, adds `d` alias to list directory stack, and `1`-`9` to cd that far back the stack. also overrides CLOBBER and some other options
# DIRECTORY: sets AUTO_CD, adds `d` alias to list directory stack, and `1`-`9` to cd that far back the stack
# SPECTRUM: helpers for term colors and styling. used by prompts? might be unnecessary
# UTILITY: configures aliases like `ll`, `la`, disables globbing for things like rsync
# adds aliases like `get` to fetch a file. also adds `http-serve` alias??
# COMPLETION: tab completion. requires `utility` module prior to loading
# TODO: enable AUTO_PARAM_SLASH
zstyle ':prezto:load' pmodule \
'environment' \
'terminal' \
'editor' \
'history' \
'directory' \
'spectrum' \
'utility' \
'completion' \
@@ -141,19 +105,12 @@ in
"cd../" = "cd ../";
};
setOptions = [
# docs: `man zshoptions`
# nixos defaults:
"HIST_FCNTL_LOCK"
# defaults:
"HIST_IGNORE_DUPS"
"SHARE_HISTORY"
# customizations:
"AUTO_CD" # type directory name to go there
"AUTO_MENU" # show auto-complete menu on double-tab
"CDABLE_VARS" # allow auto-cd to use my `hash` aliases -- not just immediate subdirs
"CLOBBER" # allow `foo > bar.txt` to overwrite bar.txt
"NO_CORRECT" # don't try to correct commands
"PIPE_FAIL" # when `cmd_a | cmd_b`, make $? be non-zero if *any* of cmd_a or cmd_b fail
"RM_STAR_SILENT" # disable `rm *` confirmations
"HIST_FCNTL_LOCK"
# disable `rm *` confirmations
"rmstarsilent"
];
# .zshenv config:
@@ -161,7 +118,7 @@ in
ZDOTDIR=$HOME/.config/zsh
'';
# system-wide .zshrc config:
# .zshrc config:
interactiveShellInit =
(builtins.readFile ./p10k.zsh)
+ p10k-overrides
@@ -179,6 +136,22 @@ in
mkdir -p "$1";
pushd "$1";
}
''
+ lib.optionalString cfg.showDeadlines ''
${pkgs.sane-scripts.deadlines}/bin/sane-deadlines
''
+ ''
# auto-cd into any of these dirs by typing them and pressing 'enter':
hash -d 3rd="/home/colin/dev/3rd"
hash -d dev="/home/colin/dev"
hash -d knowledge="/home/colin/knowledge"
hash -d nixos="/home/colin/nixos"
hash -d nixpkgs="/home/colin/dev/3rd/nixpkgs"
hash -d ref="/home/colin/ref"
hash -d secrets="/home/colin/knowledge/secrets"
hash -d tmp="/home/colin/tmp"
hash -d uninsane="/home/colin/dev/uninsane"
hash -d Videos="/home/colin/Videos"
'';
syntaxHighlighting.enable = true;
@@ -186,8 +159,8 @@ in
};
# enable a command-not-found hook to show nix packages that might provide the binary typed.
# programs.nix-index.enableZshIntegration = true;
programs.command-not-found.enable = false;
programs.nix-index.enable = true;
programs.command-not-found.enable = false; #< mutually exclusive with nix-index
})
];
}

9
hosts/common/secrets.nix
View File

@@ -29,18 +29,14 @@
let
inherit (lib.strings) hasSuffix removeSuffix;
secretsForHost = host: let
extraAttrsForPath = path: lib.optionalAttrs (sane-lib.path.isChild "guest" path) {
owner = "guest";
};
in sane-lib.joinAttrsets (
secretsForHost = host: sane-lib.joinAttrsets (
map
(path: lib.optionalAttrs (hasSuffix ".bin" path) (sane-lib.nameValueToAttrs {
name = removeSuffix ".bin" path;
value = {
sopsFile = ../../secrets/${host}/${path};
format = "binary";
} // (extraAttrsForPath path);
};
}))
(sane-lib.enumerateFilePaths ../../secrets/${host})
);
@@ -67,7 +63,6 @@ in
"jackett_apikey".owner = config.users.users.colin.name;
"mx-sanebot-env".owner = config.users.users.colin.name;
"snippets".owner = config.users.users.colin.name;
"transmission_passwd".owner = config.users.users.colin.name;
}
];
}

20
hosts/common/ssh.nix
View File

@@ -1,7 +1,7 @@
{ config, lib, sane-data, sane-lib, ... }:
let
inherit (builtins) attrValues head map mapAttrs tail;
inherit (builtins) head map mapAttrs tail;
inherit (lib) concatStringsSep mkMerge reverseList;
in
{
@@ -18,21 +18,11 @@ in
# [{ path :: [String], value :: String }] for the keys we want to install
globalKeys = sane-lib.flattenAttrs sane-data.keys;
keysForHost = hostCfg: sane-lib.mapToAttrs
(name: {
inherit name;
value = {
colin = hostCfg.ssh.user_pubkey;
root = hostCfg.ssh.host_pubkey;
};
})
hostCfg.names
;
domainKeys = sane-lib.flattenAttrs (
sane-lib.joinAttrsets (
map keysForHost (builtins.attrValues config.sane.hosts.by-name)
)
mapAttrs (host: cfg: {
colin = cfg.ssh.user_pubkey;
root = cfg.ssh.host_pubkey;
}) config.sane.hosts.by-name
);
in mkMerge (map
({ path, value }: {

133
hosts/common/users.nix Normal file
View File

@@ -0,0 +1,133 @@
{ config, pkgs, lib, sane-lib, ... }:
# installer docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix
with lib;
let
cfg = config.sane.guest;
fs = sane-lib.fs;
in
{
options = {
sane.guest.enable = mkOption {
default = false;
type = types.bool;
};
};
config = {
# Users are exactly these specified here;
# old ones will be deleted (from /etc/passwd, etc) upon upgrade.
users.mutableUsers = false;
# docs: https://nixpkgs-manual-sphinx-markedown-example.netlify.app/generated/options-db.xml.html#users-users
users.users.colin = {
# sets group to "users" (?)
isNormalUser = true;
home = "/home/colin";
createHome = true;
homeMode = "0700";
# i don't get exactly what this is, but nixos defaults to this non-deterministically
# in /var/lib/nixos/auto-subuid-map and i don't want that.
subUidRanges = [
{ startUid=100000; count=1; }
];
group = "users";
extraGroups = [
"dialout" # required for modem access (moby)
"feedbackd"
"input" # for /dev/input/<xyz>: sxmo
"networkmanager"
"nixbuild"
"video" # phosh/mobile. XXX colin: unsure if necessary
"wheel"
"wireshark"
];
# initial password is empty, in case anything goes wrong.
# if `colin-passwd` (a password hash) is successfully found/decrypted, that becomes the password at boot.
initialPassword = lib.mkDefault "";
passwordFile = lib.mkIf (config.sops.secrets ? "colin-passwd") config.sops.secrets.colin-passwd.path;
shell = pkgs.zsh;
# mount encrypted stuff at login
# some other nix pam users:
# - <https://github.com/g00pix/nixconf/blob/32c04f6fa843fed97639dd3f09e157668d3eea1f/profiles/sshfs.nix>
# - <https://github.com/lourkeur/distro/blob/11173454c6bb50f7ccab28cc2c757dca21446d1d/nixos/profiles/users/louis-full.nix>
# - <https://github.com/dnr/sample-nix-code/blob/03494480c1fae550c033aa54fd96aeb3827761c5/nixos/laptop.nix>
pamMount = let
priv = config.fileSystems."/home/colin/private";
in {
fstype = priv.fsType;
path = priv.device;
mountpoint = priv.mountPoint;
options = builtins.concatStringsSep "," priv.options;
};
};
security.pam.mount.enable = true;
sane.users.colin.default = true;
# ensure ~ perms are known to sane.fs module.
# TODO: this is generic enough to be lifted up into sane.fs itself.
sane.fs."/home/colin".dir.acl = {
user = "colin";
group = config.users.users.colin.group;
mode = config.users.users.colin.homeMode;
};
sane.user.persist.plaintext = [
"archive"
"dev"
# TODO: records should be private
"records"
"ref"
"tmp"
"use"
"Music"
"Pictures"
"Videos"
".cache/nix"
".cache/nix-index"
# ".cargo"
# ".rustup"
];
# convenience
sane.user.fs."knowledge" = fs.wantedSymlinkTo "private/knowledge";
sane.user.fs."nixos" = fs.wantedSymlinkTo "dev/nixos";
sane.user.fs."Books/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Books";
sane.user.fs."Videos/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Videos";
sane.user.fs."Videos/servo-incomplete" = fs.wantedSymlinkTo "/mnt/servo-media/incomplete";
sane.user.fs."Music/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Music";
sane.user.fs."Pictures/servo-macros" = fs.wantedSymlinkTo "/mnt/servo-media/Pictures/macros";
# used by password managers, e.g. unix `pass`
sane.user.fs.".password-store" = fs.wantedSymlinkTo "knowledge/secrets/accounts";
sane.persist.sys.plaintext = mkIf cfg.enable [
# intentionally allow other users to write to the guest folder
{ directory = "/home/guest"; user = "guest"; group = "users"; mode = "0775"; }
];
users.users.guest = mkIf cfg.enable {
isNormalUser = true;
home = "/home/guest";
subUidRanges = [
{ startUid=200000; count=1; }
];
group = "users";
initialPassword = lib.mkDefault "";
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [
# TODO: insert pubkeys that should be allowed in
];
};
security.sudo = {
enable = true;
wheelNeedsPassword = false;
};
};
}

93
hosts/common/users/colin.nix
View File

@@ -1,93 +0,0 @@
{ config, pkgs, lib, ... }:
{
# docs: https://nixpkgs-manual-sphinx-markedown-example.netlify.app/generated/options-db.xml.html#users-users
users.users.colin = {
# sets group to "users" (?)
isNormalUser = true;
home = "/home/colin";
createHome = true;
homeMode = "0700";
# i don't get exactly what this is, but nixos defaults to this non-deterministically
# in /var/lib/nixos/auto-subuid-map and i don't want that.
subUidRanges = [
{ startUid=100000; count=1; }
];
group = "users";
extraGroups = [
"dialout" # required for modem access (moby)
"feedbackd"
"input" # for /dev/input/<xyz>: sxmo
"networkmanager"
"nixbuild"
"transmission" # servo, to admin /var/lib/uninsane/media
"video" # phosh/mobile. XXX colin: unsure if necessary
"wheel"
"wireshark"
];
# initial password is empty, in case anything goes wrong.
# if `colin-passwd` (a password hash) is successfully found/decrypted, that becomes the password at boot.
initialPassword = lib.mkDefault "";
passwordFile = lib.mkIf (config.sops.secrets ? "colin-passwd") config.sops.secrets.colin-passwd.path;
shell = pkgs.zsh;
# mount encrypted stuff at login
# some other nix pam users:
# - <https://github.com/g00pix/nixconf/blob/32c04f6fa843fed97639dd3f09e157668d3eea1f/profiles/sshfs.nix>
# - <https://github.com/lourkeur/distro/blob/11173454c6bb50f7ccab28cc2c757dca21446d1d/nixos/profiles/users/louis-full.nix>
# - <https://github.com/dnr/sample-nix-code/blob/03494480c1fae550c033aa54fd96aeb3827761c5/nixos/laptop.nix>
pamMount = let
priv = config.fileSystems."/home/colin/private";
in {
fstype = priv.fsType;
path = priv.device;
mountpoint = priv.mountPoint;
options = builtins.concatStringsSep "," priv.options;
};
};
security.pam.mount.enable = true;
sane.users.colin = {
default = true;
# ensure ~ perms are known to sane.fs module.
# TODO: this is generic enough to be lifted up into sane.fs itself.
fs."/".dir.acl = {
user = "colin";
group = config.users.users.colin.group;
mode = config.users.users.colin.homeMode;
};
persist.plaintext = [
"archive"
"dev"
# TODO: records should be private
"records"
"ref"
"tmp"
"use"
"Music"
"Pictures"
"Videos"
".cache/nix"
# ".cargo"
# ".rustup"
];
# convenience
fs."knowledge".symlink.target = "private/knowledge";
fs."nixos".symlink.target = "dev/nixos";
fs."Books/servo".symlink.target = "/mnt/servo-media/Books";
fs."Videos/servo".symlink.target = "/mnt/servo-media/Videos";
fs."Videos/servo-incomplete".symlink.target = "/mnt/servo-media/incomplete";
fs."Music/servo".symlink.target = "/mnt/servo-media/Music";
fs."Pictures/servo-macros".symlink.target = "/mnt/servo-media/Pictures/macros";
# used by password managers, e.g. unix `pass`
fs.".password-store".symlink.target = "knowledge/secrets/accounts";
};
}

17
hosts/common/users/default.nix
View File

@@ -1,17 +0,0 @@
{ config, pkgs, lib, sane-lib, ... }:
{
imports = [
./colin.nix
./guest.nix
];
# Users are exactly these specified here;
# old ones will be deleted (from /etc/passwd, etc) upon upgrade.
users.mutableUsers = false;
security.sudo = {
enable = true;
wheelNeedsPassword = false;
};
}

33
hosts/common/users/guest.nix
View File

@@ -1,33 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.sane.guest;
in
{
options = with lib; {
sane.guest.enable = mkOption {
default = false;
type = types.bool;
};
};
config = {
users.users.guest = lib.mkIf cfg.enable {
isNormalUser = true;
home = "/home/guest";
subUidRanges = [
{ startUid=200000; count=1; }
];
group = "users";
initialPassword = lib.mkDefault "";
shell = pkgs.zsh;
};
sane.users.guest.fs.".ssh/authorized_keys".symlink.target = config.sops.secrets."guest/authorized_keys".path or "/dev/null";
sane.persist.sys.plaintext = lib.mkIf cfg.enable [
# intentionally allow other users to write to the guest folder
{ directory = "/home/guest"; user = "guest"; group = "users"; mode = "0775"; }
];
};
}

1
hosts/modules/gui/default.nix
View File

@@ -7,7 +7,6 @@ in
{
imports = [
./gnome.nix
./gtk.nix
./phosh.nix
./plasma.nix
./plasma-mobile.nix

133
hosts/modules/gui/gtk.nix
View File

@@ -1,133 +0,0 @@
{ config, lib, pkgs }:
let
cfg = config.sane.gui.gtk;
themes = {
inherit (pkgs)
# themes are in <repo:nixos/nixpkgs:pkgs/data/themes>
adapta-gtk-theme
adapta-kde-theme
adementary-theme
adi1090x-plymouth-themes
adw-gtk3
adwaita-qt
adwaita-qt6
albatross
amarena-theme
amber-theme
ant-bloody-theme
ant-nebula-theme
ant-theme
arc-kde-theme
arc-theme
artim-dark
ayu-theme-gtk
base16-schemes
blackbird
breath-theme
canta-theme
catppuccin-gtk
catppuccin-kde
catppuccin-kvantum
catppuccin-plymouth
clearlooks-phenix
colloid-gtk-theme
colloid-kde
dracula-theme
e17gtk
equilux-theme
flat-remix-gnome
flat-remix-gtk
fluent-gtk-theme
graphite-gtk-theme
graphite-kde-theme
greybird
gruvbox-dark-gtk
gruvbox-gtk-theme
gruvterial-theme
juno-theme
kde-gruvbox
kde-rounded-corners
layan-gtk-theme
layan-kde
lightly-boehs
lightly-qt
lounge-gtk-theme
marwaita
marwaita-manjaro
marwaita-peppermint
marwaita-pop_os
marwaita-ubuntu
matcha-gtk-theme
materia-kde-theme
materia-theme
material-kwin-decoration
mojave-gtk-theme
nixos-bgrt-plymouth
nordic
numix-gtk-theme
numix-solarized-gtk-theme
numix-sx-gtk-theme
oceanic-theme
omni-gtk-theme
onestepback
openzone-cursors
orchis-theme
orion
palenight-theme
paper-gtk-theme
pitch-black
plano-theme
plasma-overdose-kde-theme
plata-theme
pop-gtk-theme
qogir-kde
qogir-theme
rose-pine-gtk-theme
shades-of-gray-theme
sierra-breeze-enhanced
sierra-gtk-theme
skeu
snowblind
solarc-gtk-theme
spacx-gtk-theme
stilo-themes
sweet
sweet-nova
theme-jade1
theme-obsidian2
theme-vertex
tokyo-night-gtk
ubuntu-themes
venta
vimix-gtk-themes
whitesur-gtk-theme
yaru-remix-theme
yaru-theme
zuki-themes
;
};
in
{
options = with lib; {
sane.gui.gtk.enable = mkOption {
default = false;
type = types.bool;
description = "apply theme to gtk4 apps";
};
};
config = lib.mkIf cfg.enable {
programs.dconf.packages = [
(pkgs.writeTextFile {
name = "dconf-sway-settings";
destination = "/etc/dconf/db/site.d/10_sway_settings";
text = ''
[org/gnome/desktop/interface]
gtk-theme="Dracula"
icon-theme="Dracula"
'';
})
];
environment.systemPackages = lib.attrValues themes;
};
}

2
hosts/modules/gui/phosh.nix
View File

@@ -43,7 +43,7 @@ in
})
phosh-mobile-settings
"plasma5Packages.konsole"
"gnome.gnome-bluetooth"
# "gnome.gnome-bluetooth"
"gnome.gnome-terminal"
;
};

19
hosts/modules/gui/sway/default.nix
View File

@@ -66,17 +66,16 @@ in
"mako" # notification daemon
# # "pavucontrol"
# "gnome.gnome-bluetooth" # XXX(2023/05/14): broken
# "gnome.gnome-control-center" # XXX(2023/06/28): depends on webkitgtk4_1
"gnome.gnome-control-center"
"sway-contrib.grimshot"
"wdisplays" # like xrandr
];
};
}
{
sane.programs = {
inherit (pkgs // {
# "gnome.gnome-bluetooth" = pkgs.gnome.gnome-bluetooth;
# "gnome.gnome-control-center" = pkgs.gnome.gnome-control-center;
"gnome.gnome-bluetooth" = pkgs.gnome.gnome-bluetooth;
"gnome.gnome-control-center" = pkgs.gnome.gnome-control-center;
"sway-contrib.grimshot" = pkgs.sway-contrib.grimshot;
})
swaylock
@@ -84,17 +83,15 @@ in
wl-clipboard
blueberry
mako
# "gnome.gnome-bluetooth"
# "gnome.gnome-control-center"
"gnome.gnome-bluetooth"
"gnome.gnome-control-center"
"sway-contrib.grimshot"
wdisplays
;
};
}
(mkIf cfg.enable {
sane.programs.swayApps.enableFor.user.colin = true;
sane.gui.gtk.enable = lib.mkDefault true;
# swap in these lines to use SDDM instead of `services.greetd`.
# services.xserver.displayManager.sddm.enable = true;
@@ -129,13 +126,13 @@ in
hardware.bluetooth.enable = true;
services.blueman.enable = true;
# gsd provides Rfkill, which is required for the bluetooth pane in gnome-control-center to work
# services.gnome.gnome-settings-daemon.enable = true;
services.gnome.gnome-settings-daemon.enable = true;
# start the components of gsd we need at login
# systemd.user.targets."org.gnome.SettingsDaemon.Rfkill".wantedBy = [ "graphical-session.target" ];
systemd.user.targets."org.gnome.SettingsDaemon.Rfkill".wantedBy = [ "graphical-session.target" ];
# go ahead and `systemctl --user cat gnome-session-initialized.target`. i dare you.
# the only way i can figure out how to get Rfkill to actually load is to just disable all the shit it depends on.
# it doesn't actually seem to need ANY of them in the first place T_T
# systemd.user.targets."gnome-session-initialized".enable = false;
systemd.user.targets."gnome-session-initialized".enable = false;
# bluez can't connect to audio devices unless pipewire is running.
# a system service can't depend on a user service, so just launch it at graphical-session
systemd.user.services."pipewire".wantedBy = [ "graphical-session.target" ];

113
hosts/modules/gui/sxmo.nix
View File

@@ -63,13 +63,29 @@ in
"sway" => layered sway greeter. behaves as if you booted to swaylock.
'';
};
sane.gui.sxmo.package = mkOption {
sane.gui.sxmo.hooks = mkOption {
type = types.package;
default = pkgs.sxmo-utils;
default = pkgs.runCommand "sxmo-hooks" { } ''
mkdir -p $out
ln -s ${pkgs.sxmo-utils}/share/sxmo/default_hooks $out/bin
'';
description = ''
sxmo base scripts and hooks collection.
consider overriding the outputs under /share/sxmo/default_hooks
to insert your own user scripts.
hooks to make visible to sxmo.
a hook is a script generally of the name sxmo_hook_<thing>.sh
which is called by sxmo at key moments to proide user programmability.
'';
};
sane.gui.sxmo.deviceHooks = mkOption {
type = types.package;
default = pkgs.runCommand "sxmo-device-hooks" { } ''
mkdir -p $out
ln -s ${pkgs.sxmo-utils}/share/sxmo/default_hooks/unknown $out/bin
'';
description = ''
device-specific hooks to make visible to sxmo.
this package supplies things like `sxmo_hook_inputhandler.sh`.
a hook is a script generally of the name sxmo_hook_<thing>.sh
which is called by sxmo at key moments to proide user programmability.
'';
};
sane.gui.sxmo.terminal = mkOption {
@@ -92,29 +108,12 @@ in
'';
};
sane.gui.sxmo.settings = mkOption {
type = types.attrsOf types.str;
default = {};
description = ''
environment variables used to configure sxmo.
e.g. SXMO_UNLOCK_IDLE_TIME or SXMO_VOLUME_BUTTON.
'';
type = types.submodule {
freeformType = types.attrsOf types.str;
options =
let
mkSettingsOpt = default: description: mkOption {
inherit default description;
type = types.nullOr types.str;
};
in {
SXMO_BAR_SHOW_BAT_PER = mkSettingsOpt "1" "show battery percentage in statusbar";
SXMO_UNLOCK_IDLE_TIME = mkSettingsOpt "300" "how many seconds of inactivity before locking the screen"; # lock -> screenoff happens 8s later, not configurable
};
};
default = {};
};
sane.gui.sxmo.noidle = mkOption {
type = types.bool;
default = false;
description = "inhibit lock-on-idle and screenoff-on-idle";
};
};
@@ -124,25 +123,18 @@ in
package = null;
suggestedPrograms = [
"guiApps"
"sfeed" # want this here so that the user's ~/.sfeed/sfeedrc gets created
];
};
}
{
# TODO: lift to option declaration
sane.gui.sxmo.settings.TERMCMD = lib.mkIf (cfg.terminal != null)
(lib.mkDefault (if cfg.terminal == "vte" then "vte-2.91" else cfg.terminal));
sane.gui.sxmo.settings.KEYBOARD = lib.mkIf (cfg.keyboard != null)
(lib.mkDefault (if cfg.keyboard == "wvkbd" then "wvkbd-mobintl" else cfg.keyboard));
}
(lib.mkIf cfg.enable {
sane.programs.sxmoApps.enableFor.user.colin = true;
# some programs (e.g. fractal/nheko) **require** a "Secret Service Provider"
services.gnome.gnome-keyring.enable = true;
# TODO: probably need to enable pipewire
networking.useDHCP = false;
networking.networkmanager.enable = true;
networking.wireless.enable = lib.mkForce false;
@@ -154,12 +146,10 @@ in
security.doas.enable = true;
security.doas.wheelNeedsPassword = false;
# TODO: nerdfonts is 4GB. it accepts an option to ship only some fonts: probably want to use that.
# TODO: not all of these fonts seem to be mapped to the correct icon
fonts.fonts = [ pkgs.nerdfonts ];
# sxmo has first-class support only for pulseaudio and alsa -- not pipewire.
# however, pipewire can emulate pulseaudio support via `services.pipewire.pulse.enable = true`
# after which the stock pulseaudio binaries magically work
# i believe sxmo recomments a different audio stack
# administer with pw-cli, pw-mon, pw-top commands
services.pipewire = {
enable = true;
@@ -170,19 +160,45 @@ in
systemd.user.services."pipewire".wantedBy = [ "graphical-session.target" ];
# TODO: could use `displayManager.sessionPackages`?
environment.systemPackages = [
cfg.package
environment.systemPackages = with pkgs; [
bc
bemenu
bonsai
conky
gojq
inotify-tools
jq
libnotify
lisgd
mako
superd
sway
swayidle
sxmo-utils
wob
wvkbd
xdg-user-dirs
# X11 only?
xdotool
cfg.deviceHooks
cfg.hooks
] ++ lib.optionals (cfg.terminal != null) [ pkgs."${cfg.terminal}" ]
++ lib.optionals (cfg.keyboard != null) [ pkgs."${cfg.keyboard}" ];
environment.sessionVariables = {
XDG_DATA_DIRS = [
# TODO: only need the share/sxmo directly linked
"${cfg.package}/share"
"${pkgs.sxmo-utils}/share"
];
} // lib.optionalAttrs (cfg.terminal != null) {
TERMCMD = lib.mkDefault (if cfg.terminal == "vte" then "vte-2.91" else cfg.terminal);
} // lib.optionalAttrs (cfg.keyboard != null) {
KEYBOARD = lib.mkDefault (if cfg.keyboard == "wvkbd" then "wvkbd-mobintl" else cfg.keyboard);
} // cfg.settings;
sane.user.fs.".cache/sxmo/sxmo.noidle" = lib.mkIf cfg.noidle (sane-lib.fs.wantedText "");
sane.user.fs.".cache/sxmo/sxmo.noidle" = sane-lib.fs.wantedText "";
## greeter
@@ -197,7 +213,7 @@ in
'';
displayManager.sessionPackages = with pkgs; [
cfg.package # this gets share/wayland-sessions/swmo.desktop linked
sxmo-utils # this gets share/wayland-sessions/swmo.desktop linked
];
# taken from gui/phosh:
@@ -232,15 +248,6 @@ in
in "${sway-as-greeter}/bin/sway-as-greeter";
};
systemd.services."sxmo-set-permissions" = {
description = "configure specific /sys and /dev nodes to be writable by sxmo scripts";
serviceConfig = {
Type = "oneshot";
ExecStart = "${cfg.package}/bin/sxmo_setpermissions.sh";
};
wantedBy = [ "display-manager.service" ];
};
sane.fs."/var/log/sway" = lib.mkIf (cfg.greeter == "sway") {
dir.acl.mode = "0777";
wantedBeforeBy = [ "greetd.service" "display-manager.service" ];
@@ -253,7 +260,7 @@ in
# name = "sxmo";
# desktopNames = [ "sxmo" ];
# start = ''
# ${cfg.package}/bin/sxmo_xinit.sh &
# ${pkgs.sxmo-utils}/bin/sxmo_xinit.sh &
# waitPID=$!
# '';
# }];
@@ -263,7 +270,7 @@ in
# enable = true;
# settings = {
# default_session = {
# command = "${cfg.package}/bin/sxmo_winit.sh";
# command = "${pkgs.sxmo-utils}/bin/sxmo_winit.sh";
# user = "colin";
# };
# };

1
hosts/modules/hostnames.nix
View File

@@ -11,7 +11,6 @@
name = cfg.lan-ip;
value = [ host ];
}) config.sane.hosts.by-name)
(lib.mapAttrs' (host: cfg: {
# -hn suffixed name for communication over my wg-home VPN.
# hn = "home network"

13
hosts/modules/hosts.nix
View File

@@ -4,14 +4,8 @@ let
inherit (lib) attrValues filterAttrs mkMerge mkOption types;
cfg = config.sane.hosts;
host = types.submodule ({ config, name, ... }: {
host = types.submodule ({ config, ... }: {
options = {
names = mkOption {
type = types.listOf types.str;
description = ''
all names by which this host is reachable
'';
};
ssh.user_pubkey = mkOption {
type = types.str;
description = ''
@@ -54,11 +48,6 @@ let
'';
};
};
config = {
names = [ name ]
++ lib.optional (config.wg-home.ip != null) "${name}-hn";
};
});
in
{

5
hosts/modules/roles/build-machine.nix
View File

@@ -32,11 +32,6 @@ in
# serve packages to other machines that ask for them
sane.services.nixserve.enable = true;
# each concurrent derivation realization uses a different nix build user.
# default is 32 build users, limiting us to that many concurrent jobs.
# it's nice to not be limited in that way, so increase this a bit.
nix.nrBuildUsers = 64;
# enable cross compilation
# TODO: do this via stdenv injection, linking into /run/binfmt the stuff in <nixpkgs:nixos/modules/system/boot/binfmt.nix>
boot.binfmt.emulatedSystems = lib.optionals cfg.emulation [

4
hosts/modules/roles/dev-machine.nix
View File

@@ -17,8 +17,8 @@ in
config = mkMerge [
({
sane.programs.docsets.config.rustPkgs = [
# "lemmy-server"
# "mx-sanebot"
"lemmy-server"
"mx-sanebot"
];
})
(mkIf cfg {

1
integrations/nur/default.nix
View File

@@ -22,7 +22,6 @@
# ^ source: <https://github.com/nix-community/nur-packages-template/blob/master/.github/workflows/build.yml#L63>
# N.B.: nur eval allows only PATH (inherited) and NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM="1" (forced),
# hence the erasing of NIX_PATH above (to remove external overlays)
# - or do: `nix run '.#check-nur'` via the toplevel flake.nix in this repo
#
# if it validates here but not upstream, likely to do with different `nixpkgs` inputs.
# - CI logs: <https://github.com/nix-community/NUR/actions/workflows/update.yml>

21
modules/data/feeds/sources/cast.postmarketos.org/default.json
View File

File diff suppressed because one or more lines are too long

26
modules/data/feeds/sources/podcast.thelinuxexp.com/default.json
View File

File diff suppressed because one or more lines are too long

21
modules/data/feeds/sources/rss.acast.com/deconstructed/default.json
View File

@@ -1,21 +0,0 @@
{
"bozo": 0,
"content_length": 918085,
"content_type": "application/xml; charset=utf-8",
"description": "A show that cuts through all the political drivel and media misinformation to give you a straight take on one big news story of the week.",
"favicon": "",
"favicon_data_uri": "",
"hubs": [],
"is_podcast": true,
"is_push": false,
"item_count": 238,
"last_updated": "2023-06-06T16:03:38+00:00",
"score": 10,
"self_url": "https://feeds.acast.com/public/shows/1d1223a2-9d05-473b-9e79-c2b65b71d676",
"site_name": "",
"site_url": "",
"title": "Deconstructed",
"url": "https://feeds.acast.com/public/shows/1d1223a2-9d05-473b-9e79-c2b65b71d676",
"velocity": 0.123,
"version": "rss20"
}

21
modules/data/feeds/sources/rss.acast.com/intercepted-with-jeremy-scahill/default.json
View File

@@ -1,21 +0,0 @@
{
"bozo": 0,
"content_length": 1131706,
"content_type": "application/xml; charset=utf-8",
"description": "The people behind The Intercept\u2019s fearless reporting and incisive commentary discuss the crucial issues of our time.",
"favicon": "",
"favicon_data_uri": "",
"hubs": [],
"is_podcast": true,
"is_push": false,
"item_count": 261,
"last_updated": "2023-06-07T09:30:43+00:00",
"score": 10,
"self_url": "https://feeds.acast.com/public/shows/f5b64019-68c3-57d4-b70b-043e63e5cbf6",
"site_name": "",
"site_url": "",
"title": "Intercepted",
"url": "https://feeds.acast.com/public/shows/f5b64019-68c3-57d4-b70b-043e63e5cbf6",
"velocity": 0.111,
"version": "rss20"
}

21
modules/data/feeds/sources/rss.prod.firstlook.media/deconstructed/podcast.rss/default.json Normal file
View File

@@ -0,0 +1,21 @@
{
"bozo": 0,
"content_length": 809084,
"content_type": "application/xml+rss; charset=utf-8",
"description": "A show that cuts through all the political drivel and media misinformation to give you a straight take on one big news story of the week.",
"favicon": null,
"hubs": [],
"is_podcast": true,
"is_push": false,
"item_count": 217,
"last_seen": "2023-01-11T13:40:50.240217+00:00",
"last_updated": "2023-01-06T10:37:50+00:00",
"score": 16,
"self_url": "https://feeds.acast.com/public/shows/1d1223a2-9d05-473b-9e79-c2b65b71d676",
"site_name": null,
"site_url": null,
"title": "Deconstructed",
"url": "https://rss.prod.firstlook.media/deconstructed/podcast.rss",
"velocity": 0.122,
"version": "rss20"
}

21
modules/data/feeds/sources/rss.prod.firstlook.media/intercepted/podcast.rss/default.json Normal file
View File

@@ -0,0 +1,21 @@
{
"bozo": 0,
"content_length": 1034995,
"content_type": "application/xml+rss; charset=utf-8",
"description": "The people behind The Intercepts fearless reporting and incisive commentary discuss the crucial issues of our time.",
"favicon": null,
"hubs": [],
"is_podcast": true,
"is_push": false,
"item_count": 243,
"last_seen": "2023-01-11T14:04:41.283509+00:00",
"last_updated": "2022-12-21T10:30:43+00:00",
"score": 16,
"self_url": "https://feeds.acast.com/public/shows/f5b64019-68c3-57d4-b70b-043e63e5cbf6",
"site_name": null,
"site_url": null,
"title": "Intercepted",
"url": "https://rss.prod.firstlook.media/intercepted/podcast.rss",
"velocity": 0.112,
"version": "rss20"
}

42
modules/dns.nix
View File

@@ -1,8 +1,5 @@
# TODO: consider using this library for .zone file generation:
# - <https://github.com/kirelagin/dns.nix>
{ config, lib, pkgs, ... }:
with builtins;
let
cfg = config.sane.dns;
toml = pkgs.formats.toml { };
@@ -59,28 +56,18 @@ let
# CNAME."foo" = "bar";
# as shorthand for
# CNAME."foo" = [ "bar" ];
listOrUnit = with lib; ty: types.coercedTo ty (elem: [ elem ]) (types.listOf ty);
listOrUnit = ty: types.coercedTo ty (elem: [ elem ]) (types.listOf ty);
in
{
options = {
sane.dns = with lib; {
sane.dns = {
zones = mkOption {
description = ''
declarative zone config.
this doesn't feed into anything, rather, one should read `config.sane.dns.zones."foo".rendered`
and do something with it.
'';
default = {};
type = types.attrsOf (types.submodule ({ name, config, ... }: {
type = types.attrsOf (types.submodule {
options = {
name = mkOption {
type = types.nullOr types.str;
description = "zone name. defaults to the attribute name in zones";
default = name;
};
rendered = mkOption {
type = types.str;
description = "rendered .zone text for this zone (read-only)";
default = null;
};
TTL = mkOption {
type = types.int;
@@ -134,12 +121,25 @@ in
default = {};
};
};
file = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
instead of using the generated zone file, use the specified path (user should populate the file specified here).
'';
};
};
config = {
rendered = genZone config;
};
}));
});
default = {};
description = "Declarative zone config";
};
};
};
config = {
sane.services.trust-dns.zones = builtins.mapAttrs (_name: zcfg: {
text = genZone zcfg;
}) cfg.zones;
};
}

8
modules/lib/path.nix
View File

@@ -24,8 +24,6 @@ let path = rec {
# return the last path component; error on the empty path
leaf = str: lib.last (split str);
# XXX: this is bugged in that
# from "/foo/bar" "/foo/barbag" => "/bag"
from = start: end: let
s = path.norm start;
e = path.norm end;
@@ -34,12 +32,6 @@ let path = rec {
"/" + (lib.removePrefix s e)
);
isChild = parent: child:
lib.any
(p: p == norm parent)
(walk "/" child)
;
# yield every node between start and end, including each the endpoints
# e.g. walk "/foo" "/foo/bar/baz" => [ "/foo" "/foo/bar" "/foo/bar/baz" ]
# XXX: assumes input paths are normalized

2
modules/persist/stores/crypt.nix
View File

@@ -25,7 +25,7 @@ lib.mkIf config.sane.persist.enable
"nosuid"
"allow_other"
"passfile=${key}"
# "defaults" # "unknown flag: --defaults. Try 'gocryptfs -help'"
"defaults"
];
noCheck = true;
};

2
modules/persist/stores/private.nix
View File

@@ -35,7 +35,7 @@ lib.mkIf config.sane.persist.enable
"nodev"
"nosuid"
"quiet"
# "defaults" # "unknown flag: --defaults. Try 'gocryptfs -help'"
"defaults"
];
noCheck = true;
};

32
modules/programs.nix
View File

@@ -52,17 +52,11 @@ let
};
enableFor.user = mkOption {
type = types.attrsOf types.bool;
default =
let
suggestedBy = mapAttrsToList (otherName: otherPkg:
optionalAttrs
(otherName != name && elem name otherPkg.suggestedPrograms && otherPkg.enableSuggested)
(filterAttrs (user: en: en) otherPkg.enableFor.user)
) cfg;
in
# we can just // the attrs since each set is flat and the only value
# each attr can have here is `true`, never `false`
lib.foldl' (prev: next: prev // next) {} suggestedBy;
default = joinAttrsets (mapAttrsToList (otherName: otherPkg:
optionalAttrs
(otherName != name && elem name otherPkg.suggestedPrograms && otherPkg.enableSuggested)
(filterAttrs (user: en: en) otherPkg.enableFor.user)
) cfg);
description = ''
place this program on the PATH for some specified user(s).
'';
@@ -110,11 +104,6 @@ let
the secret will have same owner as the user under which the program is enabled.
'';
};
env = mkOption {
type = types.attrsOf types.str;
default = {};
description = "environment variables to set when this program is enabled";
};
configOption = mkOption {
type = types.raw;
default = mkOption {
@@ -142,11 +131,10 @@ let
message = ''program "${sug}" referenced by "${name}", but not defined'';
}) p.suggestedPrograms;
# conditionally add to system PATH and env
environment = lib.optionalAttrs p.enableFor.system {
systemPackages = lib.optional (p.package != null) p.package;
variables = p.env;
};
# conditionally add to system PATH
environment.systemPackages = optional
(p.package != null && p.enableFor.system)
p.package;
# conditionally add to user(s) PATH
users.users = mapAttrs (user: en: {
@@ -156,7 +144,6 @@ let
# conditionally persist relevant user dirs and create files
sane.users = mapAttrs (user: en: optionalAttrs en {
inherit (p) persist;
environment = p.env;
fs = mkMerge [
# make every fs entry wanted by system boot:
(mapAttrs (_path: sane-lib.fs.wanted) p.fs)
@@ -203,7 +190,6 @@ in
take = f: {
assertions = f.assertions;
environment.systemPackages = f.environment.systemPackages;
environment.variables = f.environment.variables;
users.users = f.users.users;
sane.users = f.sane.users;
sops.secrets = f.sops.secrets;

151
modules/services/trust-dns.nix
View File

@@ -1,16 +1,23 @@
# WIP: porting to the API described here:
# - <https://github.com/NixOS/nixpkgs/pull/205866>
# - TODO: hardening!
{ config, lib, pkgs, ... }:
# TODO: consider using this library for .zone file generation:
# - <https://github.com/kirelagin/dns.nix>
with lib;
let
cfg = config.sane.services.trust-dns;
toml = pkgs.formats.toml { };
configFile = toml.generate "trust-dns.toml" (
lib.filterAttrsRecursive (_: v: v != null) cfg.settings
);
configFile = toml.generate "trust-dns.toml" {
listen_addrs_ipv4 = cfg.listenAddrsIPv4;
zones = attrValues (
mapAttrs (zname: zcfg: rec {
zone = if zcfg.name == null then zname else zcfg.name;
zone_type = "Primary";
file = zcfg.file;
}) cfg.zones
);
};
in
{
options = {
@@ -27,113 +34,79 @@ in
should provide bin/named, which will be invoked with --config x and --zonedir d and maybe -q.
'';
};
listenAddrsIPv4 = mkOption {
type = types.listOf types.str;
default = [];
description = "array of ipv4 addresses on which to listen for DNS queries";
};
quiet = mkOption {
type = types.bool;
default = false;
};
zonedir = mkOption {
type = types.nullOr types.str;
default = "/";
description = ''
log ERROR level messages only.
if not specified, defaults to INFO level logging.
mutually exclusive with the `debug` option.
where the `file` option in zones.* is relative to.
'';
};
debug = mkOption {
type = types.bool;
default = false;
description = ''
log DEBUG, INFO, WARN and ERROR messages.
if not specified, defaults to INFO level logging.
mutually exclusive with the `quiet` option.
'';
};
settings = mkOption {
type = types.submodule {
freeformType = toml.type;
# reference <nixpkgs:nixos/modules/services/web-servers/nginx/vhost-options.nix>
zones = mkOption {
type = types.attrsOf (types.submodule ({ config, name, ... }: {
options = {
listen_addrs_ipv4 = mkOption {
type = types.listOf types.str;
default = [];
description = "array of ipv4 addresses on which to listen for DNS queries";
};
listen_addrs_ipv6 = mkOption {
type = types.listOf types.str;
default = [];
description = "array of ipv6 addresses on which to listen for DNS queries";
};
listen_port = mkOption {
type = types.port;
default = 53;
description = ''
port to listen on (applies to all listen addresses).
'';
};
directory = mkOption {
name = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
directory in which trust-dns will look for .zone files
whenever zones aren't specified by absolute path.
upstream defaults this to "/var/named".
'';
description = "zone name. defaults to the attribute name in zones";
default = name;
};
zones = mkOption {
description = "Declarative zone config";
default = {};
type = types.listOf (types.submodule ({ config, name, ... }: {
options = {
zone = mkOption {
type = types.str;
description = ''
zone name, like "example.com", "localhost", or "0.0.127.in-addr.arpa".
'';
};
zone_type = mkOption {
type = types.enum [ "Primary" "Secondary" "Hint" "Forward" ];
default = "Primary";
description = ''
one of:
- "Primary" (the master, authority for the zone)
- "Secondary" (the slave, replicated from the primary)
- "Hint" (a cached zone with recursive resolver abilities)
- "Forward" (a cached zone where all requests are forwarded to another resolver)
'';
};
file = mkOption {
type = types.either types.path types.str;
description = ''
path to a .zone file.
if not a fully-qualified path, it will be interpreted relative to the `directory` option.
defaults to the value of `zone` suffixed with ".zone".
'';
};
};
config = {
file = lib.mkDefault "${config.zone}.zone";
};
}));
text = mkOption {
type = types.nullOr types.str; # TODO: types.lines?
default = null;
};
file = mkOption {
type = types.nullOr types.str; # TODO: types.path?
description = ''
runtime path to a .zone file.
if omitted, will be generated from the `text` option.
'';
};
};
};
config = {
file = lib.mkIf (config.text != null) (pkgs.writeText "${config.name}.zone" config.text);
};
}));
default = {};
description = "Declarative zone config";
};
};
};
config = mkIf cfg.enable {
sane.ports.ports."53" = {
protocol = [ "udp" "tcp" ];
visibleTo.lan = true;
visibleTo.wan = true;
description = "colin-dns-hosting";
};
systemd.services.trust-dns = {
description = "trust-dns DNS server";
serviceConfig = {
ExecStart =
let
flags = lib.optional cfg.debug "--debug"
++ lib.optional cfg.quiet "--quiet";
flagsStr = builtins.concatStringsSep " " flags;
in ''
${cfg.package}/bin/named --config ${configFile} ${flagsStr}
'';
let
flags = lib.optional cfg.quiet "-q" ++
lib.optionals (cfg.zonedir != null) [ "--zonedir" cfg.zonedir ];
flagsStr = builtins.concatStringsSep " " flags;
in ''
${cfg.package}/bin/named \
--config ${configFile} \
${flagsStr}
'';
Type = "simple";
Restart = "on-failure";
RestartSec = "10s";
# TODO: hardening (like, don't run as root!)
# TODO: link to docs
};
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];

37
modules/users.nix
View File

@@ -12,13 +12,9 @@ let
type = types.attrs;
default = {};
description = ''
entries to pass onto `sane.fs` after prepending the user's home-dir to the path
and marking them as wanted.
entries to pass onto `sane.fs` after prepending the user's home-dir to the path.
e.g. `sane.users.colin.fs."/.config/aerc" = X`
=> `sane.fs."/home/colin/.config/aerc" = { wantedBy = [ "multi-user.target"]; } // X;
conventions are similar as to toplevel `sane.fs`. so `sane.users.foo.fs."/"` represents the home directory,
whereas every other entry is expected to *not* have a trailing slash.
=> `sane.fs."/home/colin/.config/aerc" = X;
'';
};
@@ -29,15 +25,6 @@ let
entries to pass onto `sane.persist.sys` after prepending the user's home-dir to the path.
'';
};
environment = mkOption {
type = types.attrsOf types.str;
default = {};
description = ''
environment variables to place in user's shell profile.
these end up in ~/.profile
'';
};
};
};
userModule = types.submodule ({ name, config, ... }: {
@@ -59,20 +46,8 @@ let
};
};
config = lib.mkMerge [
# if we're the default user, inherit whatever settings were routed to the default user
(mkIf config.default sane-user-cfg)
{
fs.".profile".symlink.text =
let
env = lib.mapAttrsToList
(key: value: ''export ${key}="${value}"'')
config.environment
;
in
lib.concatStringsSep "\n" env;
}
];
config = mkIf config.default sane-user-cfg;
});
processUser = user: defn:
let
@@ -80,13 +55,9 @@ let
name = path-lib.concat [ defn.home path ];
inherit value;
});
makeWanted = lib.mapAttrs (n: v: {
# default if not otherwise provided
wantedBeforeBy = [ "multi-user.target" ];
} // v);
in
{
sane.fs = makeWanted (prefixWithHome defn.fs);
sane.fs = prefixWithHome defn.fs;
# `byPath` is the actual output here, computed from the other keys.
sane.persist.sys.byPath = prefixWithHome defn.persist.byPath;

10
nixpatches/2023-06-10-lemmy-downgrade.patch → nixpatches/2023-04-29-lemmy.patch
View File

@@ -1,15 +1,15 @@
diff --git a/pkgs/servers/web-apps/lemmy/pin.json b/pkgs/servers/web-apps/lemmy/pin.json
index 5b7b9aa49a5..6cd30d294d8 100644
index b2a1f1923ce..621b5945b6b 100644
--- a/pkgs/servers/web-apps/lemmy/pin.json
+++ b/pkgs/servers/web-apps/lemmy/pin.json
@@ -1,7 +1,7 @@
{
- "version": "0.17.4",
- "serverSha256": "sha256-nztT6o5Tur64dMWII+wf5CBVJBJ59MGXKdS5OJO0SSc=",
- "serverCargoSha256": "sha256-3In2W+cSVtMkaKrn1hWOVL/V/qkKlH30qGPi3rNdpQI=",
- "version": "0.17.2",
- "serverSha256": "sha256-fkpMVm52XLyrk9RfzJpthT8fctIilawAIgfK+4TXHvU=",
- "serverCargoSha256": "sha256-AC6EP612uaeGfqHbrHrz89h0tsNlMceEg6GxEsm1QMA=",
+ "version": "88a0d2feec3f9b4a06f2d8d090894111afcbd9e2",
+ "serverSha256": "sha256-jVa7SckpH21TG+i1yjJOkhEgjnZ0Zgk2IUP7sCdtv1Y=",
+ "serverCargoSha256": "sha256-trp/TCGtAtZlKdZk2CaJ3E9Lj95cq797PLWUF/DD6/M=",
"uiSha256": "sha256-Ebc4VzuCJhPoO16qCgSVyYFXH7YcymxcGcN/Sgyg5Gs=",
"uiSha256": "sha256-0Zhm6Jgc6rlN4c7ryRnR45+fZEdzQhuOXSwU8Wz0D5g=",
"uiYarnDepsSha256": "sha256-aZAclSaFZJvuK+FpCBWboGaVEOEJTxq2jnWk0A6iAFw="
}

31
nixpatches/2023-06-02-qt6-qtwebengine-cross.patch
View File

@@ -1,31 +0,0 @@
diff --git a/pkgs/development/libraries/qt-6/modules/qtwebengine.nix b/pkgs/development/libraries/qt-6/modules/qtwebengine.nix
index fadbc5d2bfa..e4f2aec5a32 100644
--- a/pkgs/development/libraries/qt-6/modules/qtwebengine.nix
+++ b/pkgs/development/libraries/qt-6/modules/qtwebengine.nix
@@ -97,6 +97,9 @@
, xnu
}:
+let
+ buildPython = buildPackages.python3.withPackages (ps: with ps; [ html5lib ]);
+in
qtModule {
pname = "qtwebengine";
qtInputs = [ qtdeclarative qtwebchannel qtwebsockets qtpositioning ];
@@ -108,7 +111,7 @@ qtModule {
gperf
ninja
pkg-config
- (python3.withPackages (ps: with ps; [ html5lib ]))
+ buildPython
which
gn
nodejs
@@ -304,6 +307,7 @@ qtModule {
preConfigure = ''
export NINJAFLAGS="-j$NIX_BUILD_CORES"
+ export CMAKE_PREFIX_PATH="${buildPython}/bin:$CMAKE_PREFIX_PATH"
'';
meta = with lib; {

60
nixpatches/2023-06-06-jellyfin-no-libsForQt5-callPackage.patch
View File

@@ -1,60 +0,0 @@
diff --git a/pkgs/applications/video/jellyfin-media-player/default.nix b/pkgs/applications/video/jellyfin-media-player/default.nix
index e781f80e455..d1990294141 100644
--- a/pkgs/applications/video/jellyfin-media-player/default.nix
+++ b/pkgs/applications/video/jellyfin-media-player/default.nix
@@ -1,7 +1,6 @@
{ lib
, fetchFromGitHub
, fetchzip
-, mkDerivation
, stdenv
, Cocoa
, CoreAudio
@@ -12,21 +11,20 @@
, libGL
, libX11
, libXrandr
+, libsForQt5
, libvdpau
, mpv
, ninja
, pkg-config
, python3
-, qtbase
-, qtwayland
-, qtwebchannel
-, qtwebengine
-, qtx11extras
, jellyfin-web
, withDbus ? stdenv.isLinux, dbus
}:
-mkDerivation rec {
+let
+ inherit (libsForQt5) qtbase qtwayland qtwebchannel qtwebengine qtx11extras wrapQtAppsHook;
+in
+stdenv.mkDerivation rec {
pname = "jellyfin-media-player";
version = "1.9.1";
@@ -69,6 +67,7 @@ mkDerivation rec {
ninja
pkg-config
python3
+ wrapQtAppsHook
];
cmakeFlags = [
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index eb309c9b283..d8a718db698 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -5289,7 +5289,7 @@ with pkgs;
jellyfin-ffmpeg = callPackage ../development/libraries/jellyfin-ffmpeg { };
- jellyfin-media-player = libsForQt5.callPackage ../applications/video/jellyfin-media-player {
+ jellyfin-media-player = callPackage ../applications/video/jellyfin-media-player {
inherit (darwin.apple_sdk.frameworks) CoreFoundation Cocoa CoreAudio MediaPlayer;
# Disable pipewire to avoid segfault, see https://github.com/jellyfin/jellyfin-media-player/issues/341
mpv = wrapMpv (mpv-unwrapped.override { pipewireSupport = false; }) { };

2
nixpatches/flake.nix
View File

@@ -9,7 +9,7 @@
name = "nixpkgs-patched-uninsane";
src = nixpkgs;
patches = import ./list.nix {
inherit (nixpkgs.legacyPackages.${system}) fetchpatch2 fetchurl;
inherit (nixpkgs.legacyPackages.${system}) fetchpatch fetchurl;
};
};
patchedFlakeFor = system: import "${patchedPkgsFor system}/flake.nix";

125
nixpatches/list.nix
View File

@@ -1,4 +1,4 @@
{ fetchpatch2, fetchurl }:
{ fetchpatch, fetchurl }:
let
fetchpatch' = {
saneCommit ? null,
@@ -13,56 +13,13 @@ let
else
"https://git.uninsane.org/colin/nixpkgs/commit/${saneCommit}.diff"
;
in fetchpatch2 (
in fetchpatch (
{ inherit url; }
// (if hash != null then { inherit hash; } else {})
// (if title != null then { name = title; } else {})
);
in [
# (fetchpatch' {
# # XXX: doesn't cleanly apply; fetch `firefox-pmos-mobile` branch from my git instead
# title = "firefox-pmos-mobile: init at -pmos-2.2.0";
# prUrl = "https://github.com/NixOS/nixpkgs/pull/121356";
# hash = "sha256-eDsR1cJC/IMmhJl5wERpTB1VGawcnMw/gck9sI64GtQ=";
# })
# (fetchpatch' {
# saneCommit = "70c12451b783d6310ab90229728d63e8a903c8cb";
# title = "firefox-pmos-mobile: init at -pmos-2.2.0";
# hash = "sha256-mA22g3ZIERVctq8Uk5nuEsS1JprxA+3DvukJMDTOyso=";
# })
# (fetchpatch' {
# saneCommit = "ee19a28aa188bb87df836a4edc7b73355b8766eb";
# title = "firefox-pmos-mobile: format the generated policies.nix file";
# hash = "sha256-K8b3QpyVEjajilB5w4F1UHGDRGlmN7i66lP7SwLZpWI=";
# })
# (fetchpatch' {
# saneCommit = "c068439c701c160ba15b6ed5abe9cf09b159d584";
# title = "firefox-pmos-mobile: implement an updateScript";
# hash = "sha256-afiGDHbZIVR3kJuWABox2dakyiRb/8EgDr39esqwcEk=";
# })
# (fetchpatch' {
# saneCommit = "865c9849a9f7bd048e066c2efd8068ecddd48e33";
# title = "firefox-pmos-mobile: 2.2.0 -> 4.0.2";
# hash = "sha256-WjWSW0qE+cypvUkDRfK7d9Te8m5zQXwF33z8nEhbvrE=";
# })
# (fetchpatch' {
# saneCommit = "eb6aae632c55ce7b0a76bca549c09da5e1f7761b";
# title = "firefox-pmos-mobile: refactor and populate `passthru` to aid external consumers";
# hash = "sha256-/LhbwXjC8vuKzIuGQ3/FGplbLllsz57nR5y+PeDjGuA=";
# })
# (fetchpatch' {
# saneCommit = "c9b90ef1e17ea21ac779a86994e5d9079a2057b9";
# title = "librewolf-pmos-mobile: init";
# hash = "sha256-oQEM3EZfAOmfZzDu9faCqyOFZsdHYGn1mVBgkxt68Zg=";
# })
(fetchpatch' {
saneCommit = "c3becd7cdf144d85d12e2e76663e9549a0536efd";
title = "firefox-pmos-mobile: init at 4.0.2";
hash = "sha256-NRh2INUMA2K7q8zioqKA7xwoqg7v6sxpuJRpTG5IP1Q=";
})
# splatmoji: init at 1.2.0
(fetchpatch' {
saneCommit = "75149039b6eaf57d8a92164e90aab20eb5d89196";
@@ -95,12 +52,38 @@ in [
# TODO: why doesn't this apply?
# ./2023-03-04-ccache-cross-fix.patch
# 2023-04-11: bambu-studio: init at 01.06.02.04
# 2023-04-11: bambu-studio: init at unstable-2023-01-11
(fetchpatch' {
prUrl = "https://github.com/NixOS/nixpkgs/pull/206495";
hash = "sha256-jl6SZwSDhQTlpM5FyGaFU/svwTb1ySdKtvWMgsneq3A=";
hash = "sha256-RbQzAtFTr7Nrk2YBcHpKQMYoPlFMVSXNl96B/lkKluQ=";
})
# update to newer lemmy-server.
# should be removable when > 0.17.2 releases?
# removing this now causes:
# INFO lemmy_server::code_migrations: No Local Site found, creating it.
# Error: LemmyError { message: None, inner: duplicate key value violates unique constraint "local_site_site_id_key", context: "SpanTrace" }
# though perhaps this error doesn't occur on fresh databases (idk).
./2023-04-29-lemmy.patch
(fetchpatch' {
title = "cargo-docset: init at 0.3.1";
saneCommit = "5a09e84c6159ce545029483384580708bc04c08f";
prUrl = "https://github.com/NixOS/nixpkgs/pull/231188";
hash = "sha256-Z1HOps3w/WvxAiyUAHWszKqwS9EwA6rf4XfgPGp+2sQ=";
})
(fetchpatch' {
title = "nixos/lemmy: support nginx";
saneCommit = "4c86db6dcb78795ac9bb514d9c779fd591070b23";
hash = "sha256-G7jGhSPUp9BMxh2yTzo0KUUVabMJeZ28YTA+0iPldRI=";
})
(fetchpatch' {
title = "feedbackd: 0.1.0 -> 0.2.0";
saneCommit = "a0186a5782708a640cd6eaad6e9742b9cccebe9d";
hash = "sha256-f8he7pQow4fZkTVVqU/A5KgovZA7m7MccRQNTnDxw5o=";
})
# (fetchpatch' {
# # phoc: 0.25.0 -> 0.27.0
# # TODO: move wayland-scanner & glib to nativeBuildInputs
@@ -170,54 +153,6 @@ in [
# make alsa-project members overridable
./2023-05-31-toplevel-alsa.patch
# qt6 qtwebengine: specify `python` as buildPackages
./2023-06-02-qt6-qtwebengine-cross.patch
# Jellyfin: don't build via `libsForQt5.callPackage`
./2023-06-06-jellyfin-no-libsForQt5-callPackage.patch
# pin to a pre-0.17.3 release
# removing this and using stock 0.17.3 (also 0.17.4) causes:
# INFO lemmy_server::code_migrations: No Local Site found, creating it.
# Error: LemmyError { message: None, inner: duplicate key value violates unique constraint "local_site_site_id_key", context: "SpanTrace" }
# more specifically, lemmy can't find the site because it receives an error from diesel:
# Err(DeserializationError("Unrecognized enum variant"))
# this is likely some mis-ordered db migrations
# or perhaps the whole set of migrations here isn't being running right.
# related: <https://github.com/NixOS/nixpkgs/issues/236890#issuecomment-1585030861>
# ./2023-06-10-lemmy-downgrade.patch
# (fetchpatch' {
# title = "gpodder: wrap with missing `xdg-utils` path";
# saneCommit = "10d0ac11bc083cbcf0d6340950079b3888095abf";
# hash = "sha256-cu8L30ZiUJnWFGRR/SK917TC7TalzpGkurGkUAAxl54=";
# })
(fetchpatch' {
title = "koreader: 2023.04 -> 2023.05.1";
saneCommit = "a5c471bd263abe93e291239e0078ac4255a94262";
hash = "sha256-m++Vv/FK7cxONCz6n0MLO3CiKNrRH0ttFmoC1Xmba+A=";
})
(fetchpatch' {
title = "mepo: 1.1 -> 1.1.2";
saneCommit = "eee68d7146a6cd985481cdd8bca52ffb204de423";
hash = "sha256-uNerTwyFzivTU+o9bEKmNMFceOmy2AKONfKJWI5qkzo=";
})
(fetchpatch' {
title = "gthumb: make the webservices feature be optional";
saneCommit = "50767d5746fd80657e997b43fc5d82ba0c2c2447";
hash = "sha256-lXuLHdSPhWol9X5QX4cxnZqoVGUWEQTCZLmosvLX+WY=";
})
# (fetchpatch' {
# # N.B.: compiles, but runtime error on launch suggestive of some module not being shipped
# title = "matrix-appservice-irc: 0.38.0 -> 1.0.0";
# saneCommit = "b168bf862d53535151b9142a15fbd53e18e688c5";
# hash = "sha256-dDa2mrCJ416PIYsDH9ya/4aQdqtp4BwzIisa8HdVFxo=";
# })
# for raspberry pi: allow building u-boot for rpi 4{,00}
# TODO: remove after upstreamed: https://github.com/NixOS/nixpkgs/pull/176018
# (it's a dupe of https://github.com/NixOS/nixpkgs/pull/112677 )

2
overlays/all.nix
View File

@@ -4,6 +4,7 @@
final: prev:
let
pins = import ./pins.nix;
pkgs = import ./pkgs.nix;
disable-flakey-tests = import ./disable-flakey-tests.nix;
optimizations = import ./optimizations.nix;
@@ -17,6 +18,7 @@ let
overlays;
in
renderOverlays [
pins
pkgs
disable-flakey-tests
(ifCross optimizations)

261
overlays/cross.nix
View File

@@ -82,12 +82,11 @@ in {
ibus # "error: cannot run test program while cross compiling"
jellyfin-web # in node-dependencies-jellyfin-web: "node: command not found" (nodePackages don't cross compile)
# libgccjit # "../../gcc-9.5.0/gcc/jit/jit-result.c:52:3: error: 'dlclose' was not declared in this scope" (needed by emacs!)
# libsForQt5 # if we emulate qt5, we're better off emulating libsForQt5 else qt complains about multiple versions of qtbase
mepo # /build/source/src/sdlshim.zig:1:20: error: C import failed
# libsForQt5 # qtbase # make: g++: No such file or directory
perlInterpreters # perl5.36.0-Module-Build perl5.36.0-Test-utf8 (see tracking issues ^)
# qgnomeplatform
# qtbase
# qt5 # qt5.qtbase, qt5.qtx11extras fails, but we can't selectively emulate them.
qt5 # qt5.qtx11extras fails, but we can't selectively emulate it
# qt6 # "You need to set QT_HOST_PATH to cross compile Qt."
# sequoia # "/nix/store/q8hg17w47f9xr014g36rdc2gi8fv02qc-clang-aarch64-unknown-linux-gnu-12.0.1-lib/lib/libclang.so.12: cannot open shared object file: No such file or directory"', /build/sequoia-0.27.0-vendor.tar.gz/bindgen/src/lib.rs:1975:31"
# splatmoji
@@ -248,14 +247,6 @@ in {
nativeBuildInputs = upstream.nativeBuildInputs ++ [ final.git ];
});
cozy = prev.cozy.override {
cozy = prev.cozy.upstream.cozy.override {
# fixes runtime error: "Settings schema 'org.gtk.Settings.FileChooser' is not installed"
# otherwise gtk3+ schemas aren't added to XDG_DATA_DIRS
inherit (emulated) wrapGAppsHook;
};
};
dante = prev.dante.override {
# fixes: "configure: error: error: getaddrinfo() error value count too low"
inherit (emulated) stdenv;
@@ -517,13 +508,6 @@ in {
}
super.nautilus
).override {
# fixes -msse2, -mfpmath=sse flags
# wrapGAppsHook4 = final.wrapGAppsHook;
# fixes -msse2, -mfpmath=ssh flags AND "Settings schema 'org.gtk.gtk4.Settings.FileChooser' is not installed"
wrapGAppsHook4 = emulated.wrapGAppsHook4;
};
zenity = super.zenity.override {
# fixes -msse2, -mfpmath=sse flags
wrapGAppsHook4 = final.wrapGAppsHook;
};
@@ -663,21 +647,12 @@ in {
};
};
jellyfin-media-player = mvToBuildInputs
[ final.libsForQt5.wrapQtAppsHook ] # this shouldn't be: but otherwise we get mixed qtbase deps
(prev.jellyfin-media-player.overrideAttrs (upstream: {
meta = upstream.meta // {
platforms = upstream.meta.platforms ++ [
"aarch64-linux"
];
};
}));
jellyfin-media-player-qt6 = prev.jellyfin-media-player-qt6.overrideAttrs (upstream: {
# nativeBuildInputs => result targets x86.
# buildInputs => result targets correct platform, but doesn't wrap the runtime deps
# TODO: fix the hook in qt6 itself?
depsHostHost = upstream.depsHostHost or [] ++ [ final.qt6.wrapQtAppsHook ];
nativeBuildInputs = lib.remove [ final.qt6.wrapQtAppsHook ] upstream.nativeBuildInputs;
jellyfin-media-player = prev.jellyfin-media-player.overrideAttrs (upstream: {
meta = upstream.meta // {
platforms = upstream.meta.platforms ++ [
"aarch64-linux"
];
};
});
# jellyfin-web = prev.jellyfin-web.override {
# # in node-dependencies-jellyfin-web: "node: command not found"
@@ -695,18 +670,6 @@ in {
./kitty-no-docs.patch
];
});
komikku = prev.komikku.override {
# GI_TYPELIB_PATH points to x86_64 types in the default build, only when using wrapGAppsHook4
wrapGAppsHook4 = final.wrapGAppsHook;
};
koreader = (prev.koreader.override {
# fixes runtime error: luajit: ./ffi/util.lua:757: attempt to call field 'pack' (a nil value)
inherit (emulated) luajit;
}).overrideAttrs (upstream: {
nativeBuildInputs = upstream.nativeBuildInputs ++ [
final.autoPatchelfHook
];
});
libgweather = rmNativeBuildInputs [ final.glib ] (prev.libgweather.override {
# alternative to emulating python3 is to specify it in `buildInputs` instead of `nativeBuildInputs` (upstream),
# but presumably that's just a different way to emulate it.
@@ -726,51 +689,18 @@ in {
# buildInputs = upstream.buildInputs ++ [ final.vala ];
# });
# libsForQt5 = prev.libsForQt5.overrideScope' (self: super: {
# qgpgme = super.qgpgme.overrideAttrs (orig: {
# # fix so it can find the MOC compiler
# # it looks like it might not *need* to propagate qtbase, but so far unclear
# nativeBuildInputs = orig.nativeBuildInputs ++ [ self.qtbase ];
# propagatedBuildInputs = lib.remove self.qtbase orig.propagatedBuildInputs;
# });
# phonon = super.phonon.overrideAttrs (orig: {
# # fixes "ECM (required version >= 5.60), Extra CMake Modules"
# buildInputs = orig.buildInputs ++ [ final.extra-cmake-modules ];
# });
# });
# libsForQt5 = prev.libsForQt5.overrideScope' (self: super: {
# # emulate all the qt5 packages, but rework `libsForQt5.callPackage` and `mkDerivation`
# # to use non-emulated stdenv by default.
# mkDerivation = self.mkDerivationWith final.stdenv.mkDerivation;
# callPackage = self.newScope { inherit (self) qtCompatVersion qtModule srcs; inherit (final) stdenv; };
# });
# mepo = (prev.mepo.override {
# inherit (emulated)
# stdenv
# SDL2
# SDL2_gfx
# SDL2_image
# SDL2_ttf
# zig
# ;
# }).overrideAttrs (_upstream: {
# doCheck = false;
# # dontConfigure = true;
# # dontBuild = true;
# # preInstall = ''
# # export HOME=$TMPDIR
# # '';
# # installPhase = ''
# # runHook preInstall
# # zig build -Drelease-safe=true -Dtarget=aarch64-linux-gnu -Dcpu=baseline --prefix $out
# # install -d $out/share/man/man1
# # $out/bin/mepo -docman > $out/share/man/man1/mepo.1
# # runHook postInstall
# # '';
# });
libsForQt5 = prev.libsForQt5.overrideScope' (self: super: {
qgpgme = super.qgpgme.overrideAttrs (orig: {
# fix so it can find the MOC compiler
# it looks like it might not *need* to propagate qtbase, but so far unclear
nativeBuildInputs = orig.nativeBuildInputs ++ [ self.qtbase ];
propagatedBuildInputs = lib.remove self.qtbase orig.propagatedBuildInputs;
});
phonon = super.phonon.overrideAttrs (orig: {
# fixes "ECM (required version >= 5.60), Extra CMake Modules"
buildInputs = orig.buildInputs ++ [ final.extra-cmake-modules ];
});
});
# fixes: "ar: command not found"
# `ar` is provided by bintools
@@ -1041,106 +971,34 @@ in {
# inherit (emulated.qt5) qtModule;
# };
# });
qt5 = emulated.qt5.overrideScope' (self: super: {
# emulate all the qt5 packages, but rework `libsForQt5.callPackage` and `mkDerivation`
# to use non-emulated stdenv by default.
mkDerivation = self.mkDerivationWith final.stdenv.mkDerivation;
callPackage = self.newScope { inherit (self) qtCompatVersion qtModule srcs; inherit (final) stdenv; };
});
qt6 = prev.qt6.overrideScope' (self: super: {
# # inherit (emulated.qt6) qtModule;
# qtbase = super.qtbase.overrideAttrs (upstream: {
# # cmakeFlags = upstream.cmakeFlags ++ lib.optionals (final.stdenv.buildPlatform != final.stdenv.hostPlatform) [
# cmakeFlags = upstream.cmakeFlags ++ lib.optionals (final.stdenv.buildPlatform != final.stdenv.hostPlatform) [
# # "-DCMAKE_CROSSCOMPILING=True" # fails to solve QT_HOST_PATH error
# "-DQT_HOST_PATH=${final.buildPackages.qt6.full}"
# ];
# });
# qtModule = args: (super.qtModule args).overrideAttrs (upstream: {
# # the nixpkgs comment about libexec seems to be outdated:
# # it's just that cross-compiled syncqt.pl doesn't get its #!/usr/bin/env shebang replaced.
# preConfigure = lib.replaceStrings
# ["${lib.getDev self.qtbase}/libexec/syncqt.pl"]
# ["perl ${lib.getDev self.qtbase}/libexec/syncqt.pl"]
# upstream.preConfigure;
# });
# # qtwayland = super.qtwayland.overrideAttrs (upstream: {
# # preConfigure = "fixQtBuiltinPaths . '*.pr?'";
# # });
# # qtwayland = super.qtwayland.override {
# # inherit (self) qtbase;
# # };
# # qtbase = super.qtbase.override {
# # # fixes: "You need to set QT_HOST_PATH to cross compile Qt."
# # inherit (emulated) stdenv;
# # };
qtwebengine = super.qtwebengine.overrideAttrs (upstream: {
# depsBuildBuild = upstream.depsBuildBuild or [] ++ [ final.pkg-config ];
# XXX: qt seems to use its own terminology for "host" and "target":
# - <https://www.qt.io/blog/qt6-development-hosts-and-targets>
# - "host" = machine invoking the compiler
# - "target" = machine on which the resulting qtwebengine.so binaries will run
# XXX: NIX_CFLAGS_COMPILE_<machine> is how we get the `-isystem <dir>` flags.
# probably we shouldn't blindly copy these from host machine to build machine,
# as the headers could reasonably make different assumptions.
preConfigure = upstream.preConfigure + ''
# export PKG_CONFIG_HOST="$PKG_CONFIG"
export PKG_CONFIG_HOST="$PKG_CONFIG_FOR_BUILD"
# expose -isystem <zlib> to x86 builds
export NIX_CFLAGS_COMPILE_x86_64_unknown_linux_gnu="$NIX_CFLAGS_COMPILE"
export NIX_LDFLAGS_x86_64_unknown_linux_gnu="-L${final.buildPackages.zlib}/lib"
'';
patches = upstream.patches or [] ++ [
# ./qtwebengine-host-pkg-config.patch
# alternatively, look at dlopenBuildInputs
./qtwebengine-host-cc.patch
];
# patch the qt pkg-config script to show us more debug info
postPatch = upstream.postPatch or "" + ''
sed -i s/options.debug/True/g src/3rdparty/chromium/build/config/linux/pkg-config.py
'';
nativeBuildInputs = upstream.nativeBuildInputs ++ [
final.bintools-unwrapped # for readelf
final.buildPackages.cups # for cups-config
final.buildPackages.fontconfig
final.buildPackages.glib
final.buildPackages.harfbuzz
final.buildPackages.icu
final.buildPackages.libjpeg
final.buildPackages.libpng
final.buildPackages.libwebp
final.buildPackages.nss
# final.gcc-unwrapped.libgcc # for libgcc_s.so
final.buildPackages.zlib
];
depsBuildBuild = upstream.depsBuildBuild or [] ++ [ final.pkg-config ];
# buildInputs = upstream.buildInputs ++ [
# final.gcc-unwrapped.libgcc # for libgcc_s.so. this gets loaded during build, suggesting i surely messed something up
# ];
# buildInputs = upstream.buildInputs ++ [
# final.gcc-unwrapped.libgcc
# ];
# nativeBuildInputs = upstream.nativeBuildInputs ++ [
# final.icu
# ];
# buildInputs = upstream.buildInputs ++ [
# final.icu
# ];
# env.NIX_DEBUG="1";
# env.NIX_DEBUG="7";
# cmakeFlags = lib.remove "-DQT_FEATURE_webengine_system_icu=ON" upstream.cmakeFlags;
cmakeFlags = upstream.cmakeFlags ++ lib.optionals (final.stdenv.hostPlatform != final.stdenv.buildPlatform) [
# "--host-cc=${final.buildPackages.stdenv.cc}/bin/cc"
# "--host-cxx=${final.buildPackages.stdenv.cc}/bin/c++"
# these are my own vars, used by my own patch
"-DCMAKE_HOST_C_COMPILER=${final.buildPackages.stdenv.cc}/bin/gcc"
"-DCMAKE_HOST_CXX_COMPILER=${final.buildPackages.stdenv.cc}/bin/g++"
"-DCMAKE_HOST_AR=${final.buildPackages.stdenv.cc}/bin/ar"
"-DCMAKE_HOST_NM=${final.buildPackages.stdenv.cc}/bin/nm"
];
});
});
# qt6 = prev.qt6.overrideScope' (self: super: {
# # inherit (emulated.qt6) qtModule;
# qtbase = super.qtbase.overrideAttrs (upstream: {
# # cmakeFlags = upstream.cmakeFlags ++ lib.optionals (final.stdenv.buildPlatform != final.stdenv.hostPlatform) [
# cmakeFlags = upstream.cmakeFlags ++ lib.optionals (final.stdenv.buildPlatform != final.stdenv.hostPlatform) [
# # "-DCMAKE_CROSSCOMPILING=True" # fails to solve QT_HOST_PATH error
# "-DQT_HOST_PATH=${final.buildPackages.qt6.full}"
# ];
# });
# qtModule = args: (super.qtModule args).overrideAttrs (upstream: {
# # the nixpkgs comment about libexec seems to be outdated:
# # it's just that cross-compiled syncqt.pl doesn't get its #!/usr/bin/env shebang replaced.
# preConfigure = lib.replaceStrings
# ["${lib.getDev self.qtbase}/libexec/syncqt.pl"]
# ["perl ${lib.getDev self.qtbase}/libexec/syncqt.pl"]
# upstream.preConfigure;
# });
# # qtwayland = super.qtwayland.overrideAttrs (upstream: {
# # preConfigure = "fixQtBuiltinPaths . '*.pr?'";
# # });
# # qtwayland = super.qtwayland.override {
# # inherit (self) qtbase;
# # };
# # qtbase = super.qtbase.override {
# # # fixes: "You need to set QT_HOST_PATH to cross compile Qt."
# # inherit (emulated) stdenv;
# # };
# });
rmlint = prev.rmlint.override {
# fixes "Checking whether the C compiler works... no"
@@ -1236,13 +1094,6 @@ in {
# fixes "meson.build:183:0: ERROR: Can not run test applications in this cross environment."
inherit (emulated) stdenv;
};
tuba = (prev.tuba.override {
# fixes -msse2, -mfpmath=sse flags
wrapGAppsHook4 = final.wrapGAppsHook;
}).overrideAttrs (upstream: {
# error: Package `{libadwaita-1,gtksourceview-5,libsecret-1,gee-0.8}' not found in specified Vala API directories or GObject-Introspection GIR directories
buildInputs = upstream.buildInputs ++ [ final.vala ];
});
# twitter-color-emoji = prev.twitter-color-emoji.override {
# # fails to fix original error
# inherit (emulated) stdenv;
@@ -1318,19 +1169,9 @@ in {
});
# XXX: aarch64 webp-pixbuf-loader wanted by gdk-pixbuf-loaders.cache.drv, wanted by aarch64 gnome-control-center
wrapFirefox = prev.wrapFirefox.override {
buildPackages = let
bpkgs = final.buildPackages;
in bpkgs // {
# fixes "extract-binary-wrapper-cmd: line 2: strings: command not found"
# ^- in the `nix log` output of cross-compiled `firefox` (it's non-fatal)
makeBinaryWrapper = bpkgs.makeBinaryWrapper.overrideAttrs (upstream: {
passthru.extractCmd = bpkgs.writeShellScript "extract-binary-wrapper-cmd" ''
${final.stdenv.cc.targetPrefix}strings -dw "$1" | sed -n '/^makeCWrapper/,/^$/ p'
'';
});
};
};
# "extract-binary-wrapper-cmd: line 2: strings: command not found"
# XXX: technically this belongs in pkgs/build-support/setup-hooks/make-binary-wrapper/default.nix ?
wrapFirefox = browser: args: addNativeInputs [ final.bintools-unwrapped ] (prev.wrapFirefox browser args);
wvkbd = (
# "wayland-scanner: no such program"

15
overlays/optimizations.nix
View File

@@ -22,12 +22,11 @@ in {
# webkitgtk = ccache-able super.webkitgtk;
# mesa = ccache-able super.mesa;
# webkitgtk = super.webkitgtk.overrideAttrs (_upstream: {
# # means we drop debug info when linking.
# # this is a trade-off to require less memory when linking, since
# # building `webkitgtk` otherwise requires about 40G+ of RAM.
# # <https://github.com/NixOS/nixpkgs/issues/153528>
# # XXX(2023/06/29): doesn't seem to actually reduce the resource requirements
# separateDebugInfo = false;
# });
webkitgtk = super.webkitgtk.overrideAttrs (_upstream: {
# means we drop debug info when linking.
# this is a trade-off to require less memory when linking, since
# building `webkitgtk` otherwise requires about 40G+ of RAM.
# <https://github.com/NixOS/nixpkgs/issues/153528>
separateDebugInfo = false;
});
})

31
overlays/pins.nix Normal file
View File

@@ -0,0 +1,31 @@
# when a `nixos-rebuild` fails after a nixpkgs update:
# - take the failed package
# - search it here: <https://hydra.nixos.org/search?query=pkgname>
# - if it's broken by that upstream builder, then pin it: somebody will come along and fix the package.
# - otherwise, search github issues/PRs for knowledge of it before pinning.
# - if nobody's said anything about it yet, probably want to root cause it or hold off on updating.
#
# note that these pins apply to *all* platforms:
# - natively compiled packages
# - cross compiled packages
# - qemu-emulated packages
(next: prev: {
# XXX: when invoked outside our flake (e.g. via NIX_PATH) there is no `next.stable`,
# so just forward the unstable packages.
inherit (next.stable or prev)
;
# chromium can take 4 hours to build from source, with no signs of progress.
# disable it if you're in a rush.
# chromium = next.emptyDirectory;
# lemmy-server = prev.lemmy-server.overrideAttrs (upstream: {
# patches = upstream.patches or [] ++ [
# (next.fetchpatch {
# # "Fix docker federation setup (#2706)"
# url = "https://github.com/LemmyNet/lemmy/commit/2891856b486ad9397bca1c9839255d73be66361.diff";
# hash = "sha256-qgRvBO2y7pmOWdteu4uiZNi8hs0VazOV+L5Z0wu60/E=";
# })
# ];
# });
})

35
overlays/qtwebengine-host-cc.patch
View File

@@ -1,35 +0,0 @@
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 771446ece..c20da0d56 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -172,7 +172,11 @@ if(CMAKE_CROSSCOMPILING AND NOT IOS AND NOT MACOS)
CMAKE_ARGS -DCMAKE_TOOLCHAIN_FILE=${QT_HOST_PATH}/lib/cmake/Qt6/qt.toolchain.cmake
-DWEBENGINE_ROOT_BUILD_DIR=${PROJECT_BINARY_DIR}
-DWEBENGINE_ROOT_SOURCE_DIR=${WEBENGINE_ROOT_SOURCE_DIR}
- -DGN_TARGET_CPU=${TEST_architecture_arch}
+ -DGN_TARGET_CPU=${CMAKE_HOST_SYSTEM_PROCESSOR}
+ -DCMAKE_C_COMPILER=${CMAKE_HOST_C_COMPILER}
+ -DCMAKE_CXX_COMPILER=${CMAKE_HOST_CXX_COMPILER}
+ -DCMAKE_AR=${CMAKE_HOST_AR}
+ -DCMAKE_NM=${CMAKE_HOST_NM}
-DCMAKE_C_FLAGS=
-DCMAKE_CXX_FLAGS=
-DQT_FEATURE_qtwebengine_build=${QT_FEATURE_qtwebengine_build}
diff --git a/src/host/CMakeLists.txt b/src/host/CMakeLists.txt
index 2b92ebe85..e2ff58b35 100644
--- a/src/host/CMakeLists.txt
+++ b/src/host/CMakeLists.txt
@@ -22,11 +22,11 @@ project(QtWebEngineConfigure
find_package(Qt6 ${PROJECT_VERSION} CONFIG REQUIRED COMPONENTS BuildInternals Core)
set(buildDir ${CMAKE_CURRENT_BINARY_DIR})
-configure_gn_toolchain(host ${TEST_architecture_arch} ${TEST_architecture_arch}
+configure_gn_toolchain(host ${CMAKE_HOST_SYSTEM_PROCESSOR} ${CMAKE_HOST_SYSTEM_PROCESSOR}
${WEBENGINE_ROOT_SOURCE_DIR}/src/host/BUILD.toolchain.gn.in
${buildDir}/host_toolchain
)
-get_v8_arch(GN_V8_HOST_CPU ${GN_TARGET_CPU} ${TEST_architecture_arch})
+get_v8_arch(GN_V8_HOST_CPU ${GN_TARGET_CPU} ${CMAKE_HOST_SYSTEM_PROCESSOR})
configure_gn_toolchain(v8 ${GN_V8_HOST_CPU} ${GN_TARGET_CPU}
${WEBENGINE_ROOT_SOURCE_DIR}/src/host/BUILD.toolchain.gn.in
${buildDir}/v8_toolchain)

Some files were not shown because too many files have changed in this diff Show More