hardware.opengl.extraPackages: move to machine-specific files

(we might not need nurpkgs anymore)

nixpkgs: 2022-06-30 -> 2022-07-01
nurpkgs: 2022-06-30 -> 2022-07-02

TODO.md

@@ -1,5 +1,4 @@
 # features/tweaks
-- set firefox default search engine
 - iron out video drivers
 - emoji picker application
 - find a Masto/Pleroma app which works on mobile

flake.lock

@@ -54,11 +54,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1656265786,
-        "narHash": "sha256-A9RkoGrxzsmMm0vily18p92Rasb+MbdDMaSnzmywXKw=",
+        "lastModified": 1656679828,
+        "narHash": "sha256-akGA97pR1BAQew1FrVTCME3p8qvYxJXB2X3a13aBphs=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "cd90e773eae83ba7733d2377b6cdf84d45558780",
+        "rev": "915f5a5b3cc4f8ba206afd0b70e52ba4c6a2796b",
         "type": "github"
       },
       "original": {
@@ -117,11 +117,11 @@
     },
     "nurpkgs": {
       "locked": {
-        "lastModified": 1656313781,
-        "narHash": "sha256-T3acwGi/9SnIV/giHCvN+3BqcIDo4GBBW+TBX15EaSg=",
+        "lastModified": 1656786319,
+        "narHash": "sha256-MpdBL2+csFfnMu+2eUNkkACkrPt7UhUdpvXnhrLim0E=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "b3b8539bbfd02b4543d6723c547cae6edaece8b7",
+        "rev": "433704dc83b1491725e616bbb898ccd17fbe3d0e",
         "type": "github"
       },
       "original": {
@@ -147,11 +147,11 @@
         "nixpkgs-22_05": "nixpkgs-22_05"
       },
       "locked": {
-        "lastModified": 1656215886,
-        "narHash": "sha256-67fkBb4GUbuMZTHs08mNycg0hBzboy+5boMD76wLpj4=",
+        "lastModified": 1656399028,
+        "narHash": "sha256-re66+rVHGR3y+0QsaDAwoAHCfoi3BlGV24t2EqRZsAE=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "aff5d8542c9eb566a000302b22fcc10715bc2feb",
+        "rev": "d26947f2d6252e2aae5ffddfe9b38b7c4b94e8f9",
         "type": "github"
       },
       "original": {

machines/desko/default.nix

@@ -5,7 +5,7 @@
   ];
 
   colinsane.home-manager.extraPackages = [
-    pkgs.electron
+    pkgs.electrum
   ];
   colinsane.gui.sway.enable = true;
   colinsane.services.duplicity.enable = true;
@@ -15,6 +15,12 @@
   boot.loader.efi.canTouchEfiVariables = false;
   colinsane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
+  hardware.opengl.extraPackages = with pkgs; [
+    rocm-opencl-icd
+    rocm-opencl-runtime
+    amdvlk
+  ];
+
   # needed to use libimobiledevice/ifuse, for iphone sync
   services.usbmuxd.enable = true;
 

machines/lappy/default.nix

@@ -10,6 +10,13 @@
   boot.loader.efi.canTouchEfiVariables = false;
   colinsane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
+  hardware.opengl.extraPackages = with pkgs; [
+    intel-compute-runtime
+    intel-media-driver  # new
+    libvdpau-va-gl      # new
+    vaapiIntel
+  ];
+
   # default config: https://man.archlinux.org/man/snapper-configs.5
   # defaults to something like:
   #   - hourly snapshots

modules/hardware/x86_64.nix

@@ -40,16 +40,6 @@ with lib;
     # powertop will default to putting USB devices -- including HID -- to sleep after TWO SECONDS
     powerManagement.powertop.enable = false;
 
-    hardware.opengl.extraPackages = [
-      # laptop
-      pkgs.intel-compute-runtime
-      pkgs.intel-media-driver  # new
-      pkgs.libvdpau-va-gl      # new
-      pkgs.vaapiIntel
-      # desktop
-      pkgs.rocm-opencl-icd
-      pkgs.rocm-opencl-runtime
-    ];
     hardware.opengl.driSupport = true;
     # For 32 bit applications
     hardware.opengl.driSupport32Bit = true;

modules/impermanence.nix

@@ -25,6 +25,7 @@ in
       directories = [
         { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/archive"; }
         { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/dev"; }
+        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/records"; }
         { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/ref"; }
         { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/tmp"; }
         { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/use"; }
@@ -35,6 +36,8 @@ in
         # cache is probably too big to fit on the tmpfs
         # TODO: we could bind-mount it to something which gets cleared per boot, though.
         { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/.cache"; }
+        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/.cargo"; }
+        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/.rustup"; }
         { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/.ssh"; }
         # intentionally omitted:
         # "/home/colin/.config"  # managed by home-manager
@@ -44,6 +47,8 @@ in
         { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/.config/spotify"; }
         # creds, but also 200 MB of node modules, etc
         { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/.config/discord"; }
+        # creds/session keys, etc
+        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/.config/Element"; }
 
         { user = "root"; group = "root"; mode = "0700"; directory = "/etc/NetworkManager/system-connections"; }
         # "/etc/nixos"
@@ -53,6 +58,7 @@ in
         # "/var/lib/blueman"           # files aren't human readable
         { user = "root"; group = "root"; mode = "0755"; directory = "/var/lib/bluetooth"; }           # preserve bluetooth handshakes
         { user = "root"; group = "root"; mode = "0755"; directory = "/var/lib/colord"; }              # preserve color calibrations (?)
+        { user = "root"; group = "root"; mode = "0755"; directory = "/var/lib/duplicity"; }           # we need this mostly because of the size of duplicity's cache
         # "/var/lib/dhclient"          # empty on lappy; dunno about desko
         # "/var/lib/fwupd"             # not sure why this would need persistent state
         # "/var/lib/geoclue"           # empty on lappy
@@ -88,6 +94,7 @@ in
         { user = "70"; group = "70"; mode = "0755"; directory = "/var/lib/transmission"; } # TODO: mode? we need this specifically for the stats tracking in .config/
         { user = "colin"; group = "users"; mode = "0755"; directory = "/var/lib/uninsane"; }
         { user = "root"; group = "root"; mode = "0755"; directory = "/var/log"; }
+        { user = "root"; group = "root"; mode = "0755"; directory = "/var/backup"; }  # for e.g. postgres dumps
         # TODO: what even GOES in /srv?
         { user = "root"; group = "root"; mode = "0755"; directory = "/srv"; }
       ];
@@ -102,6 +109,13 @@ in
         # { file = "/home/test2"; persistentStoragePath = "/nix/persist"; }
       ];
     };
+
+    systemd.services.sane-sops = {
+      description = "sops relies on /etc/ssh being available, so re-run its activation AFTER fs-local";
+      script = config.system.activationScripts.setupSecrets.text;
+      after = [ "fs-local.target" ];
+      wantedBy = [ "multi-user.target" ];
+    };
   };
 }
 

modules/universal/home-manager.nix

@@ -65,6 +65,14 @@ in
         templates = "$HOME/.xdg/Templates";
         videos = "$HOME/Videos";
       };
+      xdg.mimeApps.enable = true;
+      xdg.mimeApps.defaultApplications = {
+        "text/html" = [ "librewolf.desktop" ];
+        "x-scheme-handler/http" = [ "librewolf.desktop" ];
+        "x-scheme-handler/https" = [ "librewolf.desktop" ];
+        "x-scheme-handler/about" = [ "librewolf.desktop" ];
+        "x-scheme-handler/unknown" = [ "librewolf.desktop" ];
+      };
 
       # convenience
       home.file."knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
@@ -109,7 +117,10 @@ in
             };
           };
         };
-        kitty.enable = true;
+        kitty = {
+          enable = true;
+          settings.enable_audio_bell = false;
+        };
         git = {
           enable = true;
           userName = "colin";
@@ -141,35 +152,91 @@ in
         };
 
         firefox = lib.mkIf (sysconfig.colinsane.gui.enable) {
+          # common settings to toggle (at runtime, in about:config):
+          #   > security.ssl.require_safe_negotiation
           enable = true;
-
-          profiles.default = {
-            bookmarks = {
-              fed_uninsane.url = "https://fed.uninsane.org/";
-              delightful.url = "https://delightful.club/";
-              crowdsupply.url = "https://www.crowdsupply.com/";
-              linux_phone_apps.url = "https://linuxphoneapps.org/mobile-compatibility/5/";
-              mempool.url = "https://jochen-hoenicke.de/queue";
+          # librewolf is a forked firefox which patches firefox to allow more things
+          # (like default search engines) to be configurable at runtime.
+          # many of the settings below won't have effect without those patches.
+          # see: https://gitlab.com/librewolf-community/settings/-/blob/master/distribution/policies.json
+          package = pkgs.wrapFirefox pkgs.librewolf-unwrapped {
+            # inherit the default librewolf.cfg
+            # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
+            inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
+            libName = "librewolf";
+            extraPolicies = {
+              NoDefaultBookmarks = true;
+              SearchEngines = {
+                Default = "DuckDuckGo";
               };
-          };
-
-          # firefox profile support seems to be broken :shrug:
-          # profiles.other = {
-          #   id = 2;
-          # };
-
-          # NB: these must be manually enabled in the Firefox settings on first start
-          # extensions can be found here: https://gitlab.com/rycee/nur-expressions/-/blob/master/pkgs/firefox-addons/addons.json
-          extensions = let
-            addons = pkgs.nur.repos.rycee.firefox-addons;
-          in [
-            addons.bypass-paywalls-clean
-            addons.metamask
-            addons.i-dont-care-about-cookies
-            addons.sidebery
-            addons.sponsorblock
-            addons.ublock-origin
+              AppUpdateURL = "https://localhost";
+              DisableAppUpdate = true;
+              OverrideFirstRunPage = "";
+              OverridePostUpdatePage = "";
+              DisableSystemAddonUpdate = true;
+              DisableFirefoxStudies = true;
+              DisableTelemetry = true;
+              DisableFeedbackCommands = true;
+              DisablePocket = true;
+              DisableSetDesktopBackground = false;
+              Extensions = {
+                Install = [
+                  "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
+                  "https://addons.mozilla.org/firefox/downloads/latest/i-dont-care-about-cookies/latest.xpi"
+                  "https://addons.mozilla.org/firefox/downloads/latest/sponsorblock/latest.xpi"
+                  "https://addons.mozilla.org/firefox/downloads/latest/bypass-paywalls-clean/latest.xpi"
+                  "https://addons.mozilla.org/firefox/downloads/latest/sidebery/latest.xpi"
+                  "https://addons.mozilla.org/firefox/downloads/latest/ether-metamask/latest.xpi"
                 ];
+                # remove many default search providers
+                Uninstall = [
+                  "google@search.mozilla.org"
+                  "bing@search.mozilla.org"
+                  "amazondotcom@search.mozilla.org"
+                  "ebay@search.mozilla.org"
+                  "twitter@search.mozilla.org"
+                ];
+              };
+              # XXX doesn't seem to have any effect...
+              # docs: https://github.com/mozilla/policy-templates#homepage
+              # Homepage = {
+              #   HomepageURL = "https://uninsane.org/";
+              #   StartPage = "homepage";
+              # };
+              # NewTabPage = true;
+              # docs: https://chromeenterprise.google/policies/?policy=ManagedBookmarks
+              # docs: https://github.com/mozilla/policy-templates#managedbookmarks
+              ManagedBookmarks = [
+                {
+                  toplevel_name = "bookmarks";
+                }
+                {
+                  name = "Pleroma";
+                  url = "https://fed.uninsane.org/";
+                }
+                {
+                  name = "Home Manager Config";
+                  url = "https://nix-community.github.io/home-manager/options.html";
+                }
+                {
+                  name = "Delightful Apps";
+                  url = "https://delightful.club/";
+                }
+                {
+                  name = "Linux Phone Apps";
+                  url = "https://linuxphoneapps.org/mobile-compatibility/5/";
+                }
+                {
+                  name = "Crowdsupply";
+                  url = "https://www.crowdsupply.com/";
+                }
+                {
+                  name = "Mempool";
+                  url = "https://jochen-hoenicke.de/queue";
+                }
+              ];
+            };
+          };
         };
 
         # "command not found" will cause the command to be searched in nixpkgs
@@ -203,6 +270,7 @@ in
         fatresize
         fd
         file
+        gcc
         gnumake
         gptfdisk
         hdparm
@@ -227,7 +295,6 @@ in
         # nettools
         nmap
         oathToolkit  # for oathtool
-        obsidian
         openssl
         parted
         pciutils
@@ -237,7 +304,9 @@ in
         python3
         ripgrep
         rmlint
+        rustup
         sane-scripts
+        screen
         smartmontools
         snapper
         socat
@@ -273,6 +342,7 @@ in
         libreoffice-fresh  # XXX colin: maybe don't want this on mobile
         mesa-demos
         networkmanagerapplet
+        obsidian
         playerctl
         tdesktop  # broken on phosh
         vlc  # works on phosh

pkgs/firefox-unwrapped/allow-searchengines-non-esr.patch

@@ -0,0 +1,13 @@
+diff --git a/browser/components/enterprisepolicies/schemas/policies-schema.json b/browser/components/enterprisepolicies/schemas/policies-schema.json
+index d436cf1ca1..ecd6e53b9e 100644
+--- a/browser/components/enterprisepolicies/schemas/policies-schema.json
++++ b/browser/components/enterprisepolicies/schemas/policies-schema.json
+@@ -1074,7 +1074,7 @@
+     },
+ 
+     "SearchEngines": {
+-      "enterprise_only": true,
++      "enterprise_only": false,
+ 
+       "type": "object",
+       "properties": {

pkgs/firefox-unwrapped/default.nix

@@ -0,0 +1,10 @@
+{ pkgs }:
+
+(pkgs.firefox-unwrapped.overrideAttrs (upstream: {
+  # NB: firefox takes about 1hr to build on my 24-thread ryzen desktop
+  patches = (upstream.patches or []) ++ [
+    # see https://gitlab.com/librewolf-community/browser/source/-/blob/main/patches/sed-patches/allow-searchengines-non-esr.patch
+    ./allow-searchengines-non-esr.patch
+  ];
+}))
+

pkgs/overlay.nix

@@ -18,6 +18,8 @@
   pleroma = prev.callPackage ./pleroma { };
   # jackett doesn't allow customization of the bind address: this will probably always be here.
   jackett = prev.callPackage ./jackett { pkgs = prev; };
+  # mozilla keeps nerfing itself and removing configuration options
+  firefox-unwrapped = prev.callPackage ./firefox-unwrapped { pkgs = prev; };
   # fix abrupt HDD poweroffs as during reboot. patching systemd requires rebuilding nearly every package.
   # systemd = import ./pkgs/systemd { pkgs = prev; };