
initial switch to profiles, add canary check

master
parent
commit
fc1ade65d3
Signed by: govanify GPG Key ID: DE62E1E2A6145556
36 changed files with 931 additions and 869 deletions
  1. +2
    -2
      README.md
  2. +4
    -4
      TODO.md
  3. +1
    -1
      bootstrap/bootstrap.sh
  4. +0
    -61
      common/users.nix
  5. +18
    -12
      components/bootloader.nix
  6. +4
    -2
      components/default.nix
  7. +16
    -10
      components/hardening.nix
  8. +12
    -10
      components/headfull/editor.nix
  9. +90
    -79
      components/headfull/graphical/browser.nix
  10. +6
    -4
      components/headfull/graphical/splash.nix
  11. +13
    -11
      components/headfull/graphical/wm.nix
  12. +218
    -186
      components/headfull/mail.nix
  13. +7
    -5
      components/headfull/music.nix
  14. +12
    -11
      components/headfull/virtualization.nix
  15. +0
    -1
      components/sandboxing.nix
  16. +96
    -96
      components/tor.nix
  17. +44
    -36
      components/xdg.nix
  18. +14
    -6
      default.nix
  19. +0
    -72
      devices/alastor/default.nix
  20. +0
    -92
      devices/alastor/hardware.nix
  21. +0
    -97
      devices/xanadu/default.nix
  22. +0
    -58
      devices/xanadu/hardware.nix
  23. +2
    -2
      docs/code-architecture.txt
  24. +72
    -0
      infrastructure/alastor/default.nix
  25. +85
    -0
      infrastructure/alastor/hardware.nix
  26. +0
    -0
      infrastructure/alastor/wallpaper.png
  27. +30
    -0
      infrastructure/default.nix
  28. +99
    -0
      infrastructure/xanadu/default.nix
  29. +72
    -0
      infrastructure/xanadu/hardware.nix
  30. +0
    -0
      infrastructure/xanadu/wallpaper.png
  31. +5
    -3
      profiles/default.nix
  32. +3
    -1
      profiles/desktop.nix
  33. +0
    -1
      profiles/headfull.nix
  34. +6
    -6
      profiles/laptop.nix
  35. BIN
      secrets/components/default.nix
  36. BIN
      secrets/components/mail-accounts.nix

+ 2
- 2
README.md View File

@ -1,7 +1,7 @@
navi
=====
== ===
navi(NixOS Advanced Virtual Infrastructure) is a set of NixOS configuration
files handling my own internal infrastructure.
files handling my own internal infrastructure.
Currently the machines populated by this configuration are:


+ 4
- 4
TODO.md View File

@ -1,8 +1,8 @@
TODO list sorted by priority:
* workflow: set up patchouli to have regular and automated backups
* security: security hardening through sandboxing
* security: tor profiles and fix iana
* xdg: nixpkgs PR, check if xdg patches actually work
* workflow: set up patchouli to have regular and automated backups
* security: security hardening through sandboxing
* security: tor profiles and fix iana
* xdg: nixpkgs PR, check if xdg patches actually work
* locale: sync mozc/ibus settings, saner defaults
* workflow: fix GTK theme
* workflow: fix re-scaling after swaylock


+ 1
- 1
bootstrap/bootstrap.sh View File

@ -6,7 +6,7 @@ echo "4d16330208714286d397e2cf7d8a977ac2771ac9fa0311226afc0df06e00b4d6 ../secret
| sha256sum --check --status &> /dev/null
if [ "$?" -ne 0 ]; then
echo "failed to verify canary"
echo "failed to verify canary, TODO: start whole-infra bootstrap"
fi
if [ "$#" -ne 2 ]; then
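Review bot: A canary mismatch does not stop the bootstrap: the `if [ "$?" -ne 0 ]` branch only echoes, so the script falls straight through to the argument check on the last line and whatever follows it outside the hunk, with the `../secret…` file in an unverified state. Until the whole-infra bootstrap the new message promises exists, the branch should at least fail closed, `echo "failed to verify canary" >&2; exit 1`. The `&> /dev/null` on the sha256sum line also discards the reason for a failure (an unreadable or missing secrets path looks the same as a tampered file); `--status` already suppresses the normal OK/FAILED output, so dropping the redirect keeps the diagnostic without adding noise. The pipeline being checked starts on the hunk-header line, and the `if` opened on the last line continues outside the hunk.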


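--- a/common/users.nix
+++ b/common/users.nix
@@ -1,61 +0,0 @@
-{ config, pkgs, ... }:
-{
-home-manager.users.govanify = {
-programs.git = {
-enable = true;
-package = pkgs.gitAndTools.gitFull;
-userEmail = "gauvain@govanify.com";
-userName = "Gauvain 'GovanifY' Roussel-Tarbouriech";
-ignores = [ "compile_commands.json" ];
-extraConfig = {
-pull.rebase = true;
-sendemail = {
-smtpserver = "${pkgs.msmtp}/bin/msmtp";
-smtpserveroption = [ "-a" "govanify" ];
-};
-};
-# use our gpg key by default
-signing = {
-signByDefault = true;
-key = "52142D39A7CEF8FA872BCA7FDE62E1E2A6145556";
-};
-};
-};
-navi.components.mail = {
-enable = true;
-accounts.govanify = {
-email = "gauvain@govanify.com";
-name = "Gauvain Roussel-Tarbouriech";
-pgp_key = "52142D39A7CEF8FA872BCA7FDE62E1E2A6145556";
-host = "govanify.com";
-signature = ''
-Respectfully,
-Gauvain Roussel-Tarbouriech
-'';
-primary = true;
-};
-accounts.esgi-nf = {
-email = "esgi-nf@govanify.com";
-name = "Gauvain Roussel-Tarbouriech";
-host = "govanify.com";
-signature = ''
-Respectfully,
-Gauvain Roussel-Tarbouriech
-'';
-primary = false;
-};
-unread_notif = [ "govanify/INBOX" ];
-};
-# all our trusted build bots
-nix.buildMachines = [{
-hostName = "alastor";
-system = "x86_64-linux";
-maxJobs = 4;
-speedFactor = 2;
-supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
-mandatoryFeatures = [ ];
-}];
-}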

+ 18
- 12
components/bootloader.nix View File

@ -75,19 +75,25 @@ in
'';
nixpkgs.overlays = [
(self: super: {
grub2 = super.grub2.overrideAttrs (oldAttrs: rec {
postPatch = grubPatch;
});
})
(
self: super: {
grub2 = super.grub2.overrideAttrs (
oldAttrs: rec {
postPatch = grubPatch;
}
);
}
)
];
boot.kernelPatches = [{
name = "silent-boot";
patch = null;
extraConfig = ''
X86_VERBOSE_BOOTUP n
'';
}];
boot.kernelPatches = [
{
name = "silent-boot";
patch = null;
extraConfig = ''
X86_VERBOSE_BOOTUP n
'';
}
];
};
}

+ 4
- 2
components/default.nix View File

@ -2,8 +2,10 @@
with lib;
{
imports = [
(import "${builtins.fetchTarball
https://github.com/rycee/home-manager/archive/master.tar.gz}/nixos")
(
import "${builtins.fetchTarball
https://github.com/rycee/home-manager/archive/master.tar.gz}/nixos"
)
./tor.nix
./bootloader.nix
./xdg.nix
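Review bot: The home-manager import on the new side still fetches `https://github.com/rycee/home-manager/archive/master.tar.gz` with no revision and no hash, so every evaluation pulls whatever that branch holds at that moment and nothing verifies it — anyone who controls the repository or the connection gets code into every build of this configuration. Pin it to a commit and use the attribute-set form of `builtins.fetchTarball` with a `sha256`, e.g. `import "${builtins.fetchTarball { url = "https://github.com/rycee/home-manager/archive/<rev>.tar.gz"; sha256 = "<hash>"; }}/nixos"`, choosing a rev from the release branch that matches whatever nixpkgs channel this config tracks (not visible here). The hunk only moves the parentheses around this line, so the pinning is a change on top of it rather than part of the reformat.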


+ 16
- 10
components/hardening.nix View File

@ -3,9 +3,13 @@ with lib;
let
cfg = config.navi.components.hardening;
kernelPackages = with pkgs;
recurseIntoAttrs (linuxPackagesFor (linux_latest_hardened.override {
features.ia32Emulation = true;
}));
recurseIntoAttrs (
linuxPackagesFor (
linux_latest_hardened.override {
features.ia32Emulation = true;
}
)
);
in
{
options.navi.components.hardening = {
@ -42,13 +46,15 @@ in
config = mkIf cfg.enable {
# Use the hardened kernel but keep IA32 emulation.
boot.kernelPackages = mkIf cfg.legacy kernelPackages;
boot.kernelPatches = mkIf cfg.legacy [{
name = "keep-ia32";
patch = null;
extraConfig = ''
IA32_EMULATION y
'';
}];
boot.kernelPatches = mkIf cfg.legacy [
{
name = "keep-ia32";
patch = null;
extraConfig = ''
IA32_EMULATION y
'';
}
];
environment.memoryAllocator.provider = if cfg.scudo then "scudo" else "libc";
security.lockKernelModules = cfg.modules;


+ 12
- 10
components/headfull/editor.nix View File

@ -4,16 +4,18 @@ let
cfg = config.navi.components.editor;
# contains some patches for syntastic and Tagbar support since upstream is
# abandonned
workspace = pkgs.vimPlugins.vim-obsession.overrideAttrs (oldAttrs: rec {
src = pkgs.fetchFromGitHub {
owner = "GovanifY";
repo = "vim-session";
rev = "13b906f18ad0fa88f0be038237a71aa34b3335da";
sha256 = "1hf8gzh42iq46z6b471w6bl44nhwa9h8s02pmg1w482bvhc621w4";
};
version = "2020-12-16";
pname = "vim-session";
});
workspace = pkgs.vimPlugins.vim-obsession.overrideAttrs (
oldAttrs: rec {
src = pkgs.fetchFromGitHub {
owner = "GovanifY";
repo = "vim-session";
rev = "13b906f18ad0fa88f0be038237a71aa34b3335da";
sha256 = "1hf8gzh42iq46z6b471w6bl44nhwa9h8s02pmg1w482bvhc621w4";
};
version = "2020-12-16";
pname = "vim-session";
}
);
vimConf = {
programs.neovim = {
enable = true;


+ 90
- 79
components/headfull/graphical/browser.nix View File

@ -59,81 +59,92 @@ in
};
config = mkIf cfg.enable {
nixpkgs.overlays = [
(self: super: {
firefox = super.wrapFirefox super.firefox-unwrapped {
# automatic updates are not possible at the moment: https://github.com/NixOS/nixpkgs/issues/105783
# probably should drop within the next year (i hope)
nixExtensions = [
(pkgs.fetchFirefoxAddon {
name = "ublock-origin";
url = "https://github.com/gorhill/uBlock/releases/download/1.32.4/uBlock0_1.32.4.firefox.xpi";
sha256 = "05ld465vs92ahaia0z8ifj0m9sdx85k9dshdy8nvil0r0si7cwrh";
})
(pkgs.fetchFirefoxAddon {
name = "decentraleyes";
url = "https://git.synz.io/Synzvato/decentraleyes/uploads/a36861e0609e43d87379805ca0db063f/Decentraleyes.v2.0.15-firefox.xpi";
sha256 = "1pvdb0fz7jqbzwlrhdkjxhafai70bncywdsx3qsw3325d28hcm15";
})
(pkgs.fetchFirefoxAddon {
name = "stylus";
url = "https://addons.mozilla.org/firefox/downloads/file/3614089/stylus-1.5.13-fx.xpi";
sha256 = "0nd1g3vr9vbpk6hqixsg1dqyh7pi075b7fiir4706khlapk7kcrb";
})
(pkgs.fetchFirefoxAddon {
name = "noscript";
url = "https://addons.mozilla.org/firefox/downloads/file/3705391/noscript_security_suite-11.1.8-an+fx.xpi";
sha256 = "0w1q2ah2g23fkjxiwr1ky9icjzgknyqypdlg50a4d86z1iag3g46";
})
(pkgs.fetchFirefoxAddon {
name = "forget-me-not";
url = "https://addons.mozilla.org/firefox/downloads/file/3577046/forget_me_not_forget_cookies_other_data-2.2.8-an+fx.xpi";
sha256 = "1qrbfsf5vmbyis29mhlmwb6dj933rrwpislpg0xi8b4r9xplb107";
})
];
extraPolicies = {
CaptivePortal = false;
DisableFirefoxStudies = true;
DisablePocket = true;
DisableTelemetry = true;
DisableFirefoxAccounts = true;
EncryptedMediaExtensions.Enable = false;
SearchSuggestEnabled = false;
OfferToSaveLogins = false;
NetworkPrediction = false;
OverridePostUpdatePage = "";
FirefoxHome = {
Search = false;
Pocket = false;
Snippets = false;
Highlights = false;
TopSites = true;
(
self: super: {
firefox = super.wrapFirefox super.firefox-unwrapped {
# automatic updates are not possible at the moment: https://github.com/NixOS/nixpkgs/issues/105783
# probably should drop within the next year (i hope)
nixExtensions = [
(
pkgs.fetchFirefoxAddon {
name = "ublock-origin";
url = "https://github.com/gorhill/uBlock/releases/download/1.32.4/uBlock0_1.32.4.firefox.xpi";
sha256 = "05ld465vs92ahaia0z8ifj0m9sdx85k9dshdy8nvil0r0si7cwrh";
}
)
(
pkgs.fetchFirefoxAddon {
name = "decentraleyes";
url = "https://git.synz.io/Synzvato/decentraleyes/uploads/a36861e0609e43d87379805ca0db063f/Decentraleyes.v2.0.15-firefox.xpi";
sha256 = "1pvdb0fz7jqbzwlrhdkjxhafai70bncywdsx3qsw3325d28hcm15";
}
)
(
pkgs.fetchFirefoxAddon {
name = "stylus";
url = "https://addons.mozilla.org/firefox/downloads/file/3614089/stylus-1.5.13-fx.xpi";
sha256 = "0nd1g3vr9vbpk6hqixsg1dqyh7pi075b7fiir4706khlapk7kcrb";
}
)
(
pkgs.fetchFirefoxAddon {
name = "noscript";
url = "https://addons.mozilla.org/firefox/downloads/file/3705391/noscript_security_suite-11.1.8-an+fx.xpi";
sha256 = "0w1q2ah2g23fkjxiwr1ky9icjzgknyqypdlg50a4d86z1iag3g46";
}
)
(
pkgs.fetchFirefoxAddon {
name = "forget-me-not";
url = "https://addons.mozilla.org/firefox/downloads/file/3577046/forget_me_not_forget_cookies_other_data-2.2.8-an+fx.xpi";
sha256 = "1qrbfsf5vmbyis29mhlmwb6dj933rrwpislpg0xi8b4r9xplb107";
}
)
];
extraPolicies = {
CaptivePortal = false;
DisableFirefoxStudies = true;
DisablePocket = true;
DisableTelemetry = true;
DisableFirefoxAccounts = true;
EncryptedMediaExtensions.Enable = false;
SearchSuggestEnabled = false;
OfferToSaveLogins = false;
NetworkPrediction = false;
OverridePostUpdatePage = "";
FirefoxHome = {
Search = false;
Pocket = false;
Snippets = false;
Highlights = false;
TopSites = true;
};
UserMessaging = {
ExtensionRecommendations = false;
SkipOnboarding = true;
};
SupportMenu = {
Title = "${config.navi.branding}'s browser";
URL = "https://govanify.com";
};
SearchBar = "unified";
PictureInPicture.Enabled = false;
PasswordManagerEnabled = false;
NoDefaultBookmarks = false;
DontCheckDefaultBrowser = true;
DisableSetDesktopBackground = true;
# probably handled by nix extensions but oh well
DisableSystemAddonUpdate = true;
ExtensionUpdate = false;
EnableTrackingProtection = {
Value = false;
Locked = true;
};
DisableFeedbackCommands = true;
SearchEngines.Default = "DuckDuckGo";
BlockAboutAddons = true;
};
UserMessaging = {
ExtensionRecommendations = false;
SkipOnboarding = true;
};
SupportMenu = {
Title = "${config.navi.branding}'s browser";
URL = "https://govanify.com";
};
SearchBar = "unified";
PictureInPicture.Enabled = false;
PasswordManagerEnabled = false;
NoDefaultBookmarks = false;
DontCheckDefaultBrowser = true;
DisableSetDesktopBackground = true;
# probably handled by nix extensions but oh well
DisableSystemAddonUpdate = true;
ExtensionUpdate = false;
EnableTrackingProtection = {
Value = false;
Locked = true;
};
DisableFeedbackCommands = true;
SearchEngines.Default = "DuckDuckGo";
BlockAboutAddons = true;
};
extraPrefs = ''
extraPrefs = ''
// make tracking much harder
lockPref("privacy.resistFingerprinting", true);
lockPref("privacy.firstparty.isolate", true);
@ -191,10 +202,11 @@ in
lockPref("devtools.theme", "dark");
lockPref("extensions.activeThemeID", "firefox-compact-dark@mozilla.org");
'';
# TODO: disable drmSupport in nix?
forceWayland = true;
};
})
# TODO: disable drmSupport in nix?
forceWayland = true;
};
}
)
];
# blame them, not me
@ -213,4 +225,3 @@ in
environment.systemPackages = with pkgs; [ firefox ];
};
}

+ 6
- 4
components/headfull/graphical/splash.nix View File

@ -23,10 +23,12 @@ in
boot.plymouth.themePackages = [ breeze-navi ];
security.wrappers = {
plymouth-quit.source =
(pkgs.writeScriptBin "plymouth-quit" ''
#!${pkgs.bash}/bin/bash -p
${pkgs.systemd}/bin/systemctl start plymouth-quit.service
'').outPath + "/bin/plymouth-quit";
(
pkgs.writeScriptBin "plymouth-quit" ''
#!${pkgs.bash}/bin/bash -p
${pkgs.systemd}/bin/systemctl start plymouth-quit.service
''
).outPath + "/bin/plymouth-quit";
};
systemd.services.systemd-ask-password-plymouth.enable = lib.mkForce false;
# XXX: for some reason shellInit isn't called by plymouth which never starts


+ 13
- 11
components/headfull/graphical/wm.nix View File

@ -55,17 +55,19 @@ let
bat-opt = if cfg.battery then " | bat: $battery_info" else "";
status-sh = pkgs.writeShellScript "status.sh" (''
date_formatted=$(date "+%a %d/%m/%Y %H:%M")
mail=$(cat ~/.local/share/mail/unread)
'' + optionalString cfg.battery ''
battery_status=$(cat /sys/class/power_supply/BAT/status)
battery_info=$(upower --show-info $(upower --enumerate |\
grep 'BAT') |\
egrep "state|percentage" | grep -oP '[0-9]*%')
'' + ''
echo "mail: $mail${bat-opt} | $date_formatted"
'');
status-sh = pkgs.writeShellScript "status.sh" (
''
date_formatted=$(date "+%a %d/%m/%Y %H:%M")
mail=$(cat ~/.local/share/mail/unread)
'' + optionalString cfg.battery ''
battery_status=$(cat /sys/class/power_supply/BAT/status)
battery_info=$(upower --show-info $(upower --enumerate |\
grep 'BAT') |\
egrep "state|percentage" | grep -oP '[0-9]*%')
'' + ''
echo "mail: $mail${bat-opt} | $date_formatted"
''
);
layout-keycaps =
if cfg.azerty then ''


+ 218
- 186
components/headfull/mail.nix View File

@ -3,107 +3,123 @@ with lib;
let
cfg = config.navi.components.mail;
notmuch_email_list = concatStringsSep ";" (mapAttrsToList
(name: account: optionalString (!account.primary) "${account.email}")
cfg.accounts);
notmuch_config = concatStringsSep "\n" (mapAttrsToList
(name: account:
optionalString account.primary ''
[database]
path=/home/${config.navi.username}/.local/share/mail
[user]
name=${account.name}
primary_email=${account.email}
other_email=${notmuch_email_list}
[new]
tags=unread;inbox;
ignore=
[search]
exclude_tags=deleted;spam;
[maildir]
synchronize_flags=true
[crypto]
gpg_path=gpg
'')
cfg.accounts);
mailsync = pkgs.writeShellScript "mailsync.sh" (''
if [ ! -z "$1" ]; then
# we have to be nice to systemd apparently
# https://github.com/systemd/systemd/issues/2123
export HOME=$1
export XDG_CONFIG_HOME=$HOME/.config
export XDG_CACHE_HOME=$HOME/.cache
export XDG_DATA_HOME=$HOME/.local/share
export WGETRC=$HOME/.config/wgetrc
export PASSWORD_STORE_DIR=$HOME/.config/pass
export GNUPGHOME=$HOME/.config/gnupg
fi
# Run only if not already running in other instance
pgrep -x mbsync >/dev/null && { echo "mbsync is already running." ; exit ;}
# check if the mailserver is online || if we have internet connection
wget -q --spider https://govanify.com || { echo "No internet connection detected."; exit ;}
# Check account for new mail. Notify if there is new content.
syncandnotify() {
acc="$(echo "$account" | sed "s/.*\///")"
mkdir -p ~/.local/share/mail/$acc
mbsync -c $XDG_CONFIG_HOME/mbsync/config "$acc" || touch /tmp/mailfail
}
# Sync accounts passed as argument or all.
accounts="$(awk '/^Channel/ {print $2}' "$XDG_CONFIG_HOME/mbsync/config")"
rm /tmp/mailfail 2>/dev/null
# Parallelize multiple accounts
for account in $accounts
do
syncandnotify &
done
wait
notmuch new 2>/dev/null
if test -f "/tmp/mailfail"; then
echo "error" > ~/.local/share/mail/unread && exit 1
fi
add=0
'' + concatStringsSep "\n" (map
(notif:
"add=$(($add+`find $XDG_DATA_HOME/mail/${notif} -type f | grep -vE ',[^,]*S[^,]*$' | xargs basename -a | grep -v \"^\\.\" | wc -l`))")
cfg.unread_notif) + "\necho $add > $XDG_DATA_HOME/mail/unread");
isync_config = concatStringsSep "\n" (mapAttrsToList
(name: account: ''
IMAPStore ${name}-remote
Host ${account.host}
Port 993
User ${account.email}
PassCmd "pass ${config.navi.branding}/${account.email} | head -n 1"
SSLType IMAPS
CertificateFile /etc/ssl/certs/ca-certificates.crt
MaildirStore ${name}-local
Subfolders Verbatim
Path ~/.local/share/mail/${name}/
Inbox ~/.local/share/mail/${name}/INBOX
Flatten .
Channel ${name}
Expunge Both
Master :${name}-remote:
Slave :${name}-local:
Create Both
Remove Both
SyncState *
MaxMessages 0
ExpireUnread no
Patterns *
'')
cfg.accounts);
notmuch_email_list = concatStringsSep ";" (
mapAttrsToList
(name: account: optionalString (!account.primary) "${account.email}")
cfg.accounts
);
notmuch_config = concatStringsSep "\n" (
mapAttrsToList
(
name: account:
optionalString account.primary ''
[database]
path=/home/${config.navi.username}/.local/share/mail
[user]
name=${account.name}
primary_email=${account.email}
other_email=${notmuch_email_list}
[new]
tags=unread;inbox;
ignore=
[search]
exclude_tags=deleted;spam;
[maildir]
synchronize_flags=true
[crypto]
gpg_path=gpg
''
)
cfg.accounts
);
mailsync = pkgs.writeShellScript "mailsync.sh" (
''
if [ ! -z "$1" ]; then
# we have to be nice to systemd apparently
# https://github.com/systemd/systemd/issues/2123
export HOME=$1
export XDG_CONFIG_HOME=$HOME/.config
export XDG_CACHE_HOME=$HOME/.cache
export XDG_DATA_HOME=$HOME/.local/share
export WGETRC=$HOME/.config/wgetrc
export PASSWORD_STORE_DIR=$HOME/.config/pass
export GNUPGHOME=$HOME/.config/gnupg
fi
# Run only if not already running in other instance
pgrep -x mbsync >/dev/null && { echo "mbsync is already running." ; exit ;}
# check if the mailserver is online || if we have internet connection
wget -q --spider https://govanify.com || { echo "No internet connection detected."; exit ;}
# Check account for new mail. Notify if there is new content.
syncandnotify() {
acc="$(echo "$account" | sed "s/.*\///")"
mkdir -p ~/.local/share/mail/$acc
mbsync -c $XDG_CONFIG_HOME/mbsync/config "$acc" || touch /tmp/mailfail
}
# Sync accounts passed as argument or all.
accounts="$(awk '/^Channel/ {print $2}' "$XDG_CONFIG_HOME/mbsync/config")"
rm /tmp/mailfail 2>/dev/null
# Parallelize multiple accounts
for account in $accounts
do
syncandnotify &
done
wait
notmuch new 2>/dev/null
if test -f "/tmp/mailfail"; then
echo "error" > ~/.local/share/mail/unread && exit 1
fi
add=0
'' + concatStringsSep "\n" (
map
(
notif:
"add=$(($add+`find $XDG_DATA_HOME/mail/${notif} -type f | grep -vE ',[^,]*S[^,]*$' | xargs basename -a | grep -v \"^\\.\" | wc -l`))"
)
cfg.unread_notif
) + "\necho $add > $XDG_DATA_HOME/mail/unread"
);
isync_config = concatStringsSep "\n" (
mapAttrsToList
(
name: account: ''
IMAPStore ${name}-remote
Host ${account.host}
Port 993
User ${account.email}
PassCmd "pass ${config.navi.branding}/${account.email} | head -n 1"
SSLType IMAPS
CertificateFile /etc/ssl/certs/ca-certificates.crt
MaildirStore ${name}-local
Subfolders Verbatim
Path ~/.local/share/mail/${name}/
Inbox ~/.local/share/mail/${name}/INBOX
Flatten .
Channel ${name}
Expunge Both
Master :${name}-remote:
Slave :${name}-local:
Create Both
Remove Both
SyncState *
MaxMessages 0
ExpireUnread no
Patterns *
''
)
cfg.accounts
);
msmtp_config = ''
defaults
@ -111,8 +127,10 @@ let
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile ~/.local/share/msmtp/msmtp.log
'' + concatStringsSep "\n" (mapAttrsToList
(name: account: ''
'' + concatStringsSep "\n" (
mapAttrsToList
(
name: account: ''
account ${name}
host ${account.host}
@ -120,56 +138,68 @@ let
from ${account.email}
user ${account.email}
passwordeval "pass ${config.navi.branding}/${account.email} | head -n 1"
'')
cfg.accounts);
''
)
cfg.accounts
);
# 3 steps:
# 1. iterate over the attrset, generate primary and switch-to-account to list
# 2. iterate through the list, replace @@number@@ by a counter
# 3. convert the list to string!
accounts_source = concatStringsSep "\n" (imap1 (i: text: replaceStrings [ "@@number@@" ] [ "${toString i}" ] text) (mapAttrsToList
(name: account:
optionalString account.primary "source ~/.config/mutt/accounts/${name}.muttrc\n" + ''
macro index,pager i@@number@@ '<sync-mailbox><enter-command>source ~/.config/mutt/accounts/${name}.muttrc<enter><change-folder>!<enter>;<check-stats>' "switch to ${name}"
'')
cfg.accounts));
accounts_source = concatStringsSep "\n" (
imap1 (i: text: replaceStrings [ "@@number@@" ] [ "${toString i}" ] text) (
mapAttrsToList
(
name: account:
optionalString account.primary "source ~/.config/mutt/accounts/${name}.muttrc\n" + ''
macro index,pager i@@number@@ '<sync-mailbox><enter-command>source ~/.config/mutt/accounts/${name}.muttrc<enter><change-folder>!<enter>;<check-stats>' "switch to ${name}"
''
)
cfg.accounts
)
);
#(".config/mutt/accounts/" + name + ".muttrc") ( {
accounts_config = mapAttrs'
(name: account: nameValuePair
(".config/mutt/accounts/" + name + ".muttrc")
({
text = ''
set realname = "${account.name}"
set from = "${account.email}"
set sendmail = "msmtp -a ${name}"
alias me ${account.name} <${account.email}>
set folder = "/home/${config.navi.username}/.local/share/mail/${name}"
set header_cache = /home/${config.navi.username}/.cache/mutt/${name}-headers
set message_cachedir = /home/${config.navi.username}/.cache/mutt/${name}-bodies
set signature="${(pkgs.writeTextFile { name = name + "-signature"; text = account.signature; })}"
# general folder mappings for email adresses
set mbox_type = Maildir
unmailboxes *
set spoolfile = "+INBOX"
set postponed = "+INBOX.Drafts"
set trash = "+INBOX.Trash"
folder-hook . 'set record=^'
mailboxes `find "/home/${config.navi.username}/.local/share/mail/${name}" -type d -name cur | sort | sed -e 's:/cur/*$::' -e 's/ /\\ /g' | tr '\n' ' '`
'' + optionalString (account.pgp_key != "") ''
set crypt_use_gpgme = yes
set crypt_autosign=yes
set crypt_verify_sig=yes
set crypt_replysign=yes
set crypt_replyencrypt=yes
set crypt_replysignencrypted=yes
set crypt_opportunistic_encrypt=yes
set pgp_default_key="${account.pgp_key}"
set pgp_check_gpg_decrypt_status_fd
set pgp_self_encrypt = yes
set crypt_protected_headers_write = yes
'';
}))
(
name: account: nameValuePair
(".config/mutt/accounts/" + name + ".muttrc")
(
{
text = ''
set realname = "${account.name}"
set from = "${account.email}"
set sendmail = "msmtp -a ${name}"
alias me ${account.name} <${account.email}>
set folder = "/home/${config.navi.username}/.local/share/mail/${name}"
set header_cache = /home/${config.navi.username}/.cache/mutt/${name}-headers
set message_cachedir = /home/${config.navi.username}/.cache/mutt/${name}-bodies
set signature="${(pkgs.writeTextFile { name = name + "-signature"; text = account.signature; })}"
# general folder mappings for email adresses
set mbox_type = Maildir
unmailboxes *
set spoolfile = "+INBOX"
set postponed = "+INBOX.Drafts"
set trash = "+INBOX.Trash"
folder-hook . 'set record=^'
mailboxes `find "/home/${config.navi.username}/.local/share/mail/${name}" -type d -name cur | sort | sed -e 's:/cur/*$::' -e 's/ /\\ /g' | tr '\n' ' '`
'' + optionalString (account.pgp_key != "") ''
set crypt_use_gpgme = yes
set crypt_autosign=yes
set crypt_verify_sig=yes
set crypt_replysign=yes
set crypt_replyencrypt=yes
set crypt_replysignencrypted=yes
set crypt_opportunistic_encrypt=yes
set pgp_default_key="${account.pgp_key}"
set pgp_check_gpg_decrypt_status_fd
set pgp_self_encrypt = yes
set crypt_protected_headers_write = yes
'';
}
)
)
cfg.accounts;
@ -374,48 +404,50 @@ in
options.navi.components.mail = {
enable = mkEnableOption "Enable navi's headfull mail sync service";
accounts = mkOption {
type = types.attrsOf (types.submodule {
options = {
email = mkOption {
type = types.str;
description = ''
The email of the account
'';
};
name = mkOption {
type = types.str;
description = ''
The display name associated with the account
'';
};
pgp_key = mkOption {
type = types.str;
default = "";
description = ''
The PGP key associated with the account, if any
'';
};
host = mkOption {
type = types.str;
description = ''
The website hosting the mail server
'';
};
signature = mkOption {
type = types.str;
description = ''
The signature appended at the end of your emails
'';
};
primary = mkOption {
type = types.bool;
default = false;
description = ''
Whether this is your primary email account
'';
type = types.attrsOf (
types.submodule {
options = {
email = mkOption {
type = types.str;
description = ''
The email of the account
'';
};
name = mkOption {
type = types.str;
description = ''
The display name associated with the account
'';
};
pgp_key = mkOption {
type = types.str;
default = "";
description = ''
The PGP key associated with the account, if any
'';
};
host = mkOption {
type = types.str;
description = ''
The website hosting the mail server
'';
};
signature = mkOption {
type = types.str;
description = ''
The signature appended at the end of your emails
'';
};
primary = mkOption {
type = types.bool;
default = false;
description = ''
Whether this is your primary email account
'';
};
};
};
});
}
);
};
unread_notif = mkOption {
type = types.listOf types.str;
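Review bot: The mailsync script in this file's first hunk keeps its failure flag at the fixed, world-writable path `/tmp/mailfail` (`touch /tmp/mailfail`, `rm /tmp/mailfail`, `test -f "/tmp/mailfail"`), which any other local user can pre-create: with the sticky bit on /tmp the `rm` then fails silently and every run writes "error" to the unread file and exits 1, and a file dropped in between the `rm` and the `test` forges a failure the same way. Move the flag under the user's own tree, e.g. `failflag="''${XDG_CACHE_HOME:-$HOME/.cache}/mailsync.fail"` (the `''${` escape is needed inside the Nix `''` string), and use `"$failflag"` in the three places; XDG_CACHE_HOME is only exported at the top of the script when a home directory is passed in, hence the fallback. The hunk only re-indents this script, so this is a change on top of it rather than part of the reformat.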


+ 7
- 5
components/headfull/music.nix View File

@ -22,11 +22,13 @@ in
ncmpcpp
];
nixpkgs.overlays = [
(self: super: {
ncmpcpp = super.ncmpcpp.override {
visualizerSupport = true;
};
})
(
self: super: {
ncmpcpp = super.ncmpcpp.override {
visualizerSupport = true;
};
}
)
];
};
}

+ 12
- 11
components/headfull/virtualization.nix View File

@ -58,14 +58,18 @@ in
"vfio_iommu_type1"
"vfio"
];
boot.kernelParams = (optionals (cfg.pci_devices != "") [
"vfio-pci.ids=${cfg.pci_devices}"
]) ++ (optionals cfg.gvt [
"intel_iommu=on"
"i915.enable_guc=0"
"i915.enable_gvt=1"
];
boot.kernelModules = [ "kvm-intel" "vfio_pci" "kvmgt" "vfio-iommu-type1" "vfio-mdev"];
boot.kernelParams = (
optionals (cfg.pci_devices != "") [
"vfio-pci.ids=${cfg.pci_devices}"
]
) ++ (
optionals cfg.gvt [
"intel_iommu=on"
"i915.enable_guc=0"
"i915.enable_gvt=1"
]
);
boot.kernelModules = [ "kvm-intel" "vfio_pci" "kvmgt" "vfio-iommu-type1" "vfio-mdev" ];
networking = mkIf (cfg.bridge_devices != [ ]) {
bridges.br0.interfaces = cfg.bridge_devices;
@ -105,6 +109,3 @@ in
#'';
};
}

+ 0
- 1
components/sandboxing.nix View File

@ -16,4 +16,3 @@ in
};
};
}

+ 96
- 96
components/tor.nix View File

@ -73,146 +73,146 @@ in
transExceptionsIPv6 = concatStringsSep " " cfg.exceptionNetworksIPv6;
in
''
### flush iptables
iptables -F
iptables -t nat -F
### flush iptables
iptables -F
iptables -t nat -F
### set iptables *nat
#nat .onion addresses
iptables -t nat -A OUTPUT -d ${cfg.virtualNetwork} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports ${toString transPort}
### set iptables *nat
#nat .onion addresses
iptables -t nat -A OUTPUT -d ${cfg.virtualNetwork} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports ${toString transPort}
#nat dns requests to Tor
iptables -t nat -A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53 -j REDIRECT --to-ports ${toString dnsPort}
#nat dns requests to Tor
iptables -t nat -A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53 -j REDIRECT --to-ports ${toString dnsPort}
#don't nat the Tor process, the loopback, or the local network
iptables -t nat -A OUTPUT -m owner --uid-owner ${torUid} -j RETURN
iptables -t nat -A OUTPUT -o lo -j RETURN
#
for _except in ${transExceptions + " " + ianaReserved}; do
iptables -t nat -A OUTPUT -d $_except -j RETURN
done
#don't nat the Tor process, the loopback, or the local network
iptables -t nat -A OUTPUT -m owner --uid-owner ${torUid} -j RETURN
iptables -t nat -A OUTPUT -o lo -j RETURN
#
for _except in ${transExceptions + " " + ianaReserved}; do
iptables -t nat -A OUTPUT -d $_except -j RETURN
done
#redirect whatever fell thru to Tor's TransPort
iptables -t nat -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports ${toString transPort}
#redirect whatever fell thru to Tor's TransPort
iptables -t nat -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports ${toString transPort}
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
${optionalString cfg.honorFirewallPorts ''
${concatMapStringsSep "\n" (port: ''iptables -A INPUT -i ${cfg.inputNic} -p tcp --dport ${toString port} -m state --state NEW -j ACCEPT'')
${optionalString cfg.honorFirewallPorts ''
${concatMapStringsSep "\n" (port: ''iptables -A INPUT -i ${cfg.inputNic} -p tcp --dport ${toString port} -m state --state NEW -j ACCEPT'')
(unique (config.networking.firewall.allowedTCPPorts ++ config.services.openssh.ports))}
''}
iptables -A INPUT -j DROP
iptables -A INPUT -j DROP
#*filter FORWARD
iptables -A FORWARD -j DROP
#*filter FORWARD
iptables -A FORWARD -j DROP
#*filter OUTPUT
#possible leak fix. See warning.
iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP
#*filter OUTPUT
#possible leak fix. See warning.
iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
#allow Tor process output
iptables -A OUTPUT -o ${cfg.outputNic} -m owner --uid-owner ${torUid} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
#allow Tor process output
iptables -A OUTPUT -o ${cfg.outputNic} -m owner --uid-owner ${torUid} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
#allow loopback output
iptables -A OUTPUT -d 127.0.0.1/32 -o lo -j ACCEPT
#allow loopback output
iptables -A OUTPUT -d 127.0.0.1/32 -o lo -j ACCEPT
#tor transproxy magic
iptables -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport ${toString transPort} --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
#tor transproxy magic
iptables -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport ${toString transPort} --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
#allow access to lan hosts in ${transExceptions}
for _except in ${transExceptions}; do
iptables -A OUTPUT -d $_except -j ACCEPT
done
#allow access to lan hosts in ${transExceptions}
for _except in ${transExceptions}; do
iptables -A OUTPUT -d $_except -j ACCEPT
done
#Log & Drop everything else.
iptables -A OUTPUT -j LOG --log-prefix "Dropped OUTPUT packet: " --log-level 7 --log-uid
iptables -A OUTPUT -j DROP
#Log & Drop everything else.
iptables -A OUTPUT -j LOG --log-prefix "Dropped OUTPUT packet: " --log-level 7 --log-uid
iptables -A OUTPUT -j DROP
#Set default policies to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
#Set default policies to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
### IPv6 ###
### IPv6 ###
### flush iptables
ip6tables -F
ip6tables -t nat -F
### flush iptables
ip6tables -F
ip6tables -t nat -F
### set iptables *nat
#nat .onion addresses
ip6tables -t nat -A OUTPUT -d ${cfg.virtualNetworkIPv6} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports ${toString transPort}
### set iptables *nat
#nat .onion addresses
ip6tables -t nat -A OUTPUT -d ${cfg.virtualNetworkIPv6} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports ${toString transPort}
#nat dns requests to Tor
ip6tables -t nat -A OUTPUT -d ::1/128 -p udp -m udp --dport 53 -j REDIRECT --to-ports ${toString dnsPort}
#nat dns requests to Tor
ip6tables -t nat -A OUTPUT -d ::1/128 -p udp -m udp --dport 53 -j REDIRECT --to-ports ${toString dnsPort}
#don't nat the Tor process, the loopback, or the local network
ip6tables -t nat -A OUTPUT -m owner --uid-owner ${torUid} -j RETURN
ip6tables -t nat -A OUTPUT -o lo -j RETURN
#don't nat the Tor process, the loopback, or the local network
ip6tables -t nat -A OUTPUT -m owner --uid-owner ${torUid} -j RETURN
ip6tables -t nat -A OUTPUT -o lo -j RETURN
for _except in ${transExceptionsIPv6 + " " + ianaReservedIPv6}; do
ip6tables -t nat -A OUTPUT -d $_except -j RETURN
done
for _except in ${transExceptionsIPv6 + " " + ianaReservedIPv6}; do
ip6tables -t nat -A OUTPUT -d $_except -j RETURN
done
#redirect whatever fell thru to Tor's TransPort
ip6tables -t nat -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports ${toString transPort}
#redirect whatever fell thru to Tor's TransPort
ip6tables -t nat -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports ${toString transPort}
ip6tables -A INPUT -m state --state ESTABLISHED -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
${optionalString cfg.honorFirewallPorts ''
${concatMapStringsSep "\n" (port: ''ip6tables -A INPUT -i ${cfg.inputNic} -p tcp --dport ${toString port} -m state --state NEW -j ACCEPT'')
${optionalString cfg.honorFirewallPorts ''
${concatMapStringsSep "\n" (port: ''ip6tables -A INPUT -i ${cfg.inputNic} -p tcp --dport ${toString port} -m state --state NEW -j ACCEPT'')
(unique (config.networking.firewall.allowedTCPPorts ++ config.services.openssh.ports))}
''}
ip6tables -A INPUT -j DROP
ip6tables -A INPUT -j DROP
#*filter FORWARD
ip6tables -A FORWARD -j DROP
#*filter FORWARD
ip6tables -A FORWARD -j DROP
#*filter OUTPUT
#possible leak fix. See warning.
ip6tables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A OUTPUT -m state --state INVALID -j DROP
ip6tables -A OUTPUT ! -o lo ! -d ::1 ! -s ::1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
ip6tables -A OUTPUT ! -o lo ! -d ::1 ! -s ::1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP
#*filter OUTPUT
#possible leak fix. See warning.
ip6tables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A OUTPUT -m state --state INVALID -j DROP
ip6tables -A OUTPUT ! -o lo ! -d ::1 ! -s ::1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
ip6tables -A OUTPUT ! -o lo ! -d ::1 ! -s ::1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP
ip6tables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
#allow Tor process output
ip6tables -A OUTPUT -o ${cfg.outputNic} -m owner --uid-owner ${torUid} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
#allow Tor process output
ip6tables -A OUTPUT -o ${cfg.outputNic} -m owner --uid-owner ${torUid} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
#allow loopback output
ip6tables -A OUTPUT -d ::1/128 -o lo -j ACCEPT
#allow loopback output
ip6tables -A OUTPUT -d ::1/128 -o lo -j ACCEPT
#tor transproxy magic
ip6tables -A OUTPUT -d ::1/128 -p tcp -m tcp --dport ${toString transPort} --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
#tor transproxy magic
ip6tables -A OUTPUT -d ::1/128 -p tcp -m tcp --dport ${toString transPort} --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
#allow access to lan hosts in ${transExceptionsIPv6}
for _except in ${transExceptionsIPv6}; do
ip6tables -A OUTPUT -d $_except -j ACCEPT
done
#allow access to lan hosts in ${transExceptionsIPv6}
for _except in ${transExceptionsIPv6}; do
ip6tables -A OUTPUT -d $_except -j ACCEPT
done
#Log & Drop everything else.
ip6tables -A OUTPUT -j LOG --log-prefix "Dropped OUTPUT packet: " --log-level 7 --log-uid
ip6tables -A OUTPUT -j DROP
#Log & Drop everything else.
ip6tables -A OUTPUT -j LOG --log-prefix "Dropped OUTPUT packet: " --log-level 7 --log-uid
ip6tables -A OUTPUT -j DROP
#Set default policies to DROP
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
#Set default policies to DROP
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
'';
};


+ 44
- 36
components/xdg.nix

@ -40,46 +40,54 @@ in
};
config = mkIf cfg.enable {
nixpkgs.overlays = [
(self: super: {
# ssh devs don't want to make ssh XDG compliant? well let's roll our own
# compliance!
openssh = super.openssh.overrideAttrs (oldAttrs: rec {
postPatch = oldAttrs.postPatch + ''
sed -i 's/"\.ssh"/"${escape [ "/" "." ] cfg.config}\/ssh"/' $(grep -Rl '"\.ssh"')
'';
});
(
self: super: {
# ssh devs don't want to make ssh XDG compliant? well let's roll our own
# compliance!
openssh = super.openssh.overrideAttrs (
oldAttrs: rec {
postPatch = oldAttrs.postPatch + ''
sed -i 's/"\.ssh"/"${escape [ "/" "." ] cfg.config}\/ssh"/' $(grep -Rl '"\.ssh"')
'';
}
);
## rarely created on my setup, seems to be x11 related? either way here we go
# NOT haha, this breaks nixos build at some point, so let's forget this
# dbus = super.dbus.overrideAttrs (oldAttrs: rec {
#postPatch = oldAttrs.postPatch + ''
#sed -i 's/"\.dbus"/"\.config\/dbus"/' $(grep -Rl '"\.dbus"')
#'';
#});
## rarely created on my setup, seems to be x11 related? either way here we go
# NOT haha, this breaks nixos build at some point, so let's forget this
# dbus = super.dbus.overrideAttrs (oldAttrs: rec {
#postPatch = oldAttrs.postPatch + ''
#sed -i 's/"\.dbus"/"\.config\/dbus"/' $(grep -Rl '"\.dbus"')
#'';
#});
## eh, it's just a forgotten pulseaudio module everyone forgot about. easier
## to patch than to submit a PR.
pulseaudio = super.pulseaudio.overrideAttrs (oldAttrs: rec {
postPatch = ''
sed -i 's/"\.esd_auth"/"${escape [ "/" "." ] cfg.config}\/esd_auth"/' $(grep -Rl '"\.esd_auth"')
'';
});
## eh, it's just a forgotten pulseaudio module everyone forgot about. easier
## to patch than to submit a PR.
pulseaudio = super.pulseaudio.overrideAttrs (
oldAttrs: rec {
postPatch = ''
sed -i 's/"\.esd_auth"/"${escape [ "/" "." ] cfg.config}\/esd_auth"/' $(grep -Rl '"\.esd_auth"')
'';
}
);
# would be nice to get this working
#freecad = super.freecad.overrideAttrs (oldAttrs: rec {
# postPatch = ''
# sed -i 's/"\.FreeCAD"/"\.config\/FreeCAD"/' $(grep -Rl '"\.FreeCAD"')
# '';
#});
# would be nice to get this working
#freecad = super.freecad.overrideAttrs (oldAttrs: rec {
# postPatch = ''
# sed -i 's/"\.FreeCAD"/"\.config\/FreeCAD"/' $(grep -Rl '"\.FreeCAD"')
# '';
#});
# fuck this dev, contains config+cache hence data
# https://github.com/baldurk/renderdoc/pull/1741
renderdoc = super.renderdoc.overrideAttrs (oldAttrs: rec {
postPatch = ''
sed -i 's/"\.renderdoc"/"${escape [ "/" "." ] cfg.data}\/renderdoc"/' $(grep -Rl '"\.renderdoc"')
'';
});
})
# fuck this dev, contains config+cache hence data
# https://github.com/baldurk/renderdoc/pull/1741
renderdoc = super.renderdoc.overrideAttrs (
oldAttrs: rec {
postPatch = ''
sed -i 's/"\.renderdoc"/"${escape [ "/" "." ] cfg.data}\/renderdoc"/' $(grep -Rl '"\.renderdoc"')
'';
}
);
}
)
];
environment.variables = {


+ 14
- 6
default.nix

@ -1,12 +1,20 @@
let
canary =
if (builtins.hashFile "sha256" ./secrets/assets/canary) != "4d16330208714286d397e2cf7d8a977ac2771ac9fa0311226afc0df06e00b4d6"
then
abort
"Incorrect secrets. Please be sure to run ./bootstrap.sh if this
is your #first time using navi!"
else { };
in
{
imports = [
./components
./secrets
./profiles
./infrastructure
];
if (hashFile "sha256" ./secrets/assets/canary) !=
"4d16330208714286d397e2cf7d8a977ac2771ac9fa0311226afc0df06e00b4d6"
then abort
"Incorrect secrets. Please be sure to run ./bootstrap.sh if this
is your first time using navi!"
}
config = canary;
}
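Review bot: The canary check is forced only through `config = canary;` on the last line of the hunk, since `canary` is a lazy `let` binding that nothing else in the file evaluates; the `abort` fires solely because the module system evaluates `config`. A comment above the binding would make that dependency explicit: `# Forced via config = canary below; the module system evaluates config, so a wrong canary aborts the whole evaluation.` The check also compares only `secrets/assets/canary` against a pinned digest, so it flags a missing or stale bootstrap rather than tampering with the other files under `./secrets`; the abort message or comment could say so to avoid it being read as an integrity check. The changed-files list shows `bootstrap/bootstrap.sh`, while the message points users at `./bootstrap.sh`; confirm that path is the one users actually run.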

+ 0
- 72
devices/alastor/default.nix