From 53c7532351bae5fdc8bcf808477356fb0b2d53b0 Mon Sep 17 00:00:00 2001 From: Lucy Hochkamp Date: Wed, 17 Sep 2025 09:02:08 +0200 Subject: [PATCH] meow --- flake.lock | 17 ---- flake.nix | 3 - instances/theseus/configuration.nix | 13 ++++ modules/desktop/niri.nix | 45 ++++++----- modules/desktop/swayidle.nix | 29 ++++--- modules/desktop/waybar-wireplumber-db.patch | 2 +- modules/networking/networkd.nix | 25 ++++++ modules/presets/cli.nix | 6 +- modules/presets/common.nix | 12 --- modules/services/wireguard.nix | 86 +++++++++++---------- 10 files changed, 131 insertions(+), 107 deletions(-) diff --git a/flake.lock b/flake.lock index 5d585477..7bfda666 100644 --- a/flake.lock +++ b/flake.lock @@ -514,22 +514,6 @@ "type": "github" } }, - "polkit": { - "flake": false, - "locked": { - "lastModified": 1757590391, - "narHash": "sha256-BVv3NA1ew7Xbslco+28eZdN1s5gJGyerdORQHsaFmiE=", - "owner": "polkit-org", - "repo": "polkit", - "rev": "c3a189919ab53b5f3efe6022840e65f2ac367c41", - "type": "github" - }, - "original": { - "owner": "polkit-org", - "repo": "polkit", - "type": "github" - } - }, "pre-commit-hooks-nix": { "inputs": { "flake-compat": [ @@ -622,7 +606,6 @@ "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", "nixpkgs-master": "nixpkgs-master", - "polkit": "polkit", "sops-nix": "sops-nix", "terranix": "terranix", "xwayland-satellite": "xwayland-satellite", diff --git a/flake.nix b/flake.nix index d3601cca..534dfd93 100644 --- a/flake.nix +++ b/flake.nix @@ -21,9 +21,6 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - polkit.url = "github:polkit-org/polkit"; - polkit.flake = false; - zen-browser.url = "github:0xc000022070/zen-browser-flake"; zen-browser.inputs.nixpkgs.follows = "nixpkgs-master"; kmonad = { diff --git a/instances/theseus/configuration.nix b/instances/theseus/configuration.nix index 52619b57..6b2b138c 100644 --- a/instances/theseus/configuration.nix +++ b/instances/theseus/configuration.nix 
@@ -5,6 +5,12 @@ lib, ... }: +let + unfuckWifi = pkgs.writeShellScript "unfuckWifi" '' + modprobe -r mt7921e + modprobe mt7921e + ''; +in { nixpkgs.system = "x86_64-linux"; imports = [ ./hardware-configuration.nix ]; @@ -22,6 +28,12 @@ services.vsmartcard-vpcd.enable = true; hardware.gpgSmartcards.enable = true; networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 35963 ]; + security.wrappers.unfuck-wifi = { + owner = "root"; + group = "root"; + setuid = true; + source = unfuckWifi; + }; environment.systemPackages = with pkgs; [ aerc @@ -47,6 +59,7 @@ pencil2d python311Packages.brother-ql ptouch-print + ]; time.timeZone = "Europe/Berlin"; diff --git a/modules/desktop/niri.nix b/modules/desktop/niri.nix index d46a2e55..4c0174c8 100644 --- a/modules/desktop/niri.nix +++ b/modules/desktop/niri.nix 
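Review bot: The script bound to `unfuckWifi` is what the setuid-root wrapper in the next hunk executes, and it calls `modprobe` by bare name, so which binary runs as root is decided by the unprivileged caller's PATH unless the NixOS wrapper binary sanitizes the environment (I would not rely on that). `pkgs.writeShellScript` also does not enable errexit, so a failing `modprobe -r` is followed by `modprobe` regardless. Resolve the binary from the store and fail fast; `pkgs.kmod` ships `modprobe` in nixpkgs. The rewritten binding below replaces the whole `let` body shown in this hunk.
```nix
unfuckWifi = pkgs.writeShellScript "unfuckWifi" ''
  set -euo pipefail
  # Runs as root via security.wrappers: never resolve binaries through the caller's PATH.
  export PATH="${lib.makeBinPath [ pkgs.kmod ]}"
  ${pkgs.kmod}/bin/modprobe -r mt7921e
  ${pkgs.kmod}/bin/modprobe mt7921e
'';
```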
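Review bot: The `security.wrappers.unfuck-wifi` entry in the second hunk sets `setuid = true` with `owner = "root"` but leaves `permissions` at the NixOS default (`u+rx,g+x,o+x` as far as I recall), so every local account, not only the desktop user, can unload and reload the Wi-Fi driver and exec the wrapped script as root. Restrict it to the group that actually needs it, e.g. add `group = "wheel"; permissions = "u+rx,g+rx,o-rwx";` to the attrset. If the driver reset is only ever triggered interactively, a polkit-gated oneshot systemd unit would avoid a setuid shell script altogether; this configuration already carries polkit rules in `modules/presets/common.nix`, so the machinery is in place.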
@@ -41,25 +41,31 @@ in wpaperd.enable = mkDefault true; }; nixpkgs.overlays = [ - inputs.niri.overlays.default + inputs.niri.overlays.default ]; services.displayManager.defaultSession = mkDefault "niri"; - home-manager.users.${config.xyno.system.user.name} = - mkIf config.xyno.presets.home-manager.enable - ( - { ... }: - { - xyno.dark-theme.enable = true; - # home.file.".config/xdg-desktop-portal-termfilechooser/config".text = '' - # [filechooser] - # cmd=${pkgs.xdg-desktop-portal-termfilechooser}/share/xdg-desktop-portal-termfilechooser/yazi-wrapper.sh - # default_dir=$HOME - # env=TERMCMD=footclient --app-id floating-alacritty - # open_mode = suggested - # save_mode = suggested - # ''; - } - ); + security.pam.loginLimits = [ + { + domain = "@users"; + item = "rtprio"; + type = "-"; + value = 1; + } + ]; + home-manager.users.${config.xyno.system.user.name} = mkIf config.xyno.presets.home-manager.enable ( + { ... }: + { + xyno.dark-theme.enable = true; + # home.file.".config/xdg-desktop-portal-termfilechooser/config".text = '' + # [filechooser] + # cmd=${pkgs.xdg-desktop-portal-termfilechooser}/share/xdg-desktop-portal-termfilechooser/yazi-wrapper.sh + # default_dir=$HOME + # env=TERMCMD=footclient --app-id floating-alacritty + # open_mode = suggested + # save_mode = suggested + # ''; + } + ); xdg.portal = { extraPortals = [ @@ -73,12 +79,13 @@ in config.niri."org.freedesktop.impl.portal.Access" = [ "gtk" ]; config.niri."org.freedesktop.impl.portal.Notification" = [ "gtk" ]; config.niri."org.freedesktop.impl.portal.Secret" = [ "gnome-keyring" ]; + config.niri."org.freedesktop.impl.portal.Inhibit" = [ "none" ]; }; # xdg.portal = { # enable = true; # wlr.enable = true; # }; - environment.systemPackages = with pkgs;[ + environment.systemPackages = with pkgs; [ playerctl xwayland-satellite ]; @@ -406,7 +413,7 @@ in input { // workspace-auto-back-and-forth focus-follows-mouse max-scroll-amount="10%" - + keyboard { xkb { layout "eu" 
diff --git a/modules/desktop/swayidle.nix b/modules/desktop/swayidle.nix index adc8b979..2455bf44 100644 --- a/modules/desktop/swayidle.nix +++ b/modules/desktop/swayidle.nix @@ -23,23 +23,34 @@ in }; options.xyno.desktop.swayidle.swaylockArgs = lib.mkOption { type = lib.types.str; - default = "-f -F --clock --timestr %T --datestr %F --indicator -i /home/${config.xyno.system.user.name}/Pictures/background.jpg"; + default = "-f --daemonize -F --clock --timestr %T --datestr %F --indicator -i /home/${config.xyno.system.user.name}/Pictures/background.jpg"; }; config = lib.mkIf cfg.enable { - environment.systemPackages = with cfg; [ package swaylockPackage ( - pkgs.writeScriptBin "lock" '' - #!/${pkgs.bash}/bin/bash - ${cfg.swaylockPackage}/bin/swaylock ${cfg.swaylockArgs} "$@" - '' - ) ]; + environment.systemPackages = with cfg; [ + package + swaylockPackage + (pkgs.writeShellApplication { + name = "lock"; + runtimeInputs = [ cfg.swaylockPackage ]; + text = '' + exec swaylock ${cfg.swaylockArgs} + ''; + }) + ]; systemd.user.services.swayidle = { unitConfig.PartOf = "graphical-session.target"; unitConfig.After = "graphical-session.target"; + unitConfig.ConditionEnvironment = "WAYLAND_DISPLAY"; unitConfig.Requisite = "graphical-session.target"; - serviceConfig.Restart = "on-failure"; + serviceConfig.Restart = "always"; + # environment.PATH = "${lib.makeBinPath [ pkgs.bash ]}"; wantedBy = [ cfg.wantedBy ]; - script = "exec ${cfg.package}/bin/swayidle -w timeout 310 'niri msg action power-off-monitors' timeout 300 '${cfg.swaylockPackage}/bin/swaylock ${cfg.swaylockArgs}' before-sleep '${cfg.swaylockPackage}/bin/swaylock ${cfg.swaylockArgs}'"; + script = '' + exec ${cfg.package}/bin/swayidle -w timeout 310 'niri msg action power-off-monitors' \ + timeout 300 '${cfg.swaylockPackage}/bin/swaylock ${cfg.swaylockArgs}' \ + before-sleep '${cfg.swaylockPackage}/bin/swaylock ${cfg.swaylockArgs}' + ''; }; }; } 
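Review bot: In the new `swaylockArgs` default, `-f` and `--daemonize` are the same swaylock option (`-f` is the short form), so the flag is now passed twice; drop `--daemonize` and keep the original `-f -F --clock ...` string. The rewritten `lock` application also no longer forwards its arguments, so `lock <flag>` silently ignores the flag where the old `writeScriptBin` version handed it to swaylock; if that is unintended, use `exec swaylock ${cfg.swaylockArgs} "$@"`. `Restart = "always"` is the right direction for a locker daemon (an idle daemon that exits leaves the session fail-open), and `ConditionEnvironment = "WAYLAND_DISPLAY"` only gates start-up, so I would add a short comment above it saying the unit is expected to be restarted by the compositor session rather than by the user.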
diff --git a/modules/desktop/waybar-wireplumber-db.patch b/modules/desktop/waybar-wireplumber-db.patch index a0f718e4..6992d4a8 100644 --- a/modules/desktop/waybar-wireplumber-db.patch +++ b/modules/desktop/waybar-wireplumber-db.patch @@ -7,7 +7,7 @@ index a43ad29b..d04edd18 100644 } - int vol = round(volume_ * 100.0); -+ double vol = 20 * std::log10(volume_); // % to dB ++ double vol = 60 * std::log10(volume_); // % to dB int source_vol = round(source_volume_ * 100.0); // Get the state and apply state-specific format if available diff --git a/modules/networking/networkd.nix b/modules/networking/networkd.nix index 968b0540..f6cb5e4e 100644 --- a/modules/networking/networkd.nix +++ b/modules/networking/networkd.nix @@ -18,6 +18,25 @@ in useDHCP = true; useHostResolvConf = false; }; + systemd.network.networks."60-wifi-client" = { + matchConfig = { + WLANInterfaceType = "station"; + }; + networkConfig = { + DHCP = "yes"; + IgnoreCarrierLoss = "3s"; + IPv6PrivacyExtensions = "kernel"; + }; + dhcpV4Config = { + RouteMetric = 1025; + # IPv6OnlyMode = "yes"; + }; + ipv6AcceptRAConfig = { + # UsePREF64 = true; + RouteMetric = 1025; + }; + + }; # systemd.network.networks."60-wifi-client" = { # matchConfig = { # WLANInterfaceType = "station"; @@ -57,6 +76,12 @@ in # # ipv6AcceptRAConfig.UsePREF64 = true; # }; networking.wireless.iwd.enable = cfg.enableWifi; + networking.wireless.iwd.settings = { + General = { + AddressRandomization = "network"; + AddressRandomizationRange = "full"; + }; + }; xyno.impermanence.directories = lib.optionals cfg.enableWifi [ "/var/lib/iwd" ]; # services.clatd.enable = true; }; diff --git a/modules/presets/cli.nix b/modules/presets/cli.nix index f5453f24..2a683663 100644 --- a/modules/presets/cli.nix +++ b/modules/presets/cli.nix 
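Review bot: `IPv6PrivacyExtensions = "kernel"` in the new `60-wifi-client` network asks networkd to leave the interface's `use_tempaddr` sysctl as the kernel has it, and the upstream kernel default for that sysctl is 0 (no temporary addresses), so unless a sysctl elsewhere in this configuration sets it, the Wi-Fi interface will SLAAC with a single stable address for the whole association while the iwd hunk below goes to the trouble of randomizing the MAC per network. If temporary addresses are intended, make it explicit, `IPv6PrivacyExtensions = "yes";` (prefer temporary) or `"prefer-public"`, rather than depending on the host's sysctl state. The blank line before the closing `};` of the `60-wifi-client` attrset is stray and should go.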
@@ -26,11 +26,9 @@ in xyno.cli.starship.enable = true; security.sudo.enable = false; - # Opitionally i18n.defaultLocale = "en_US.UTF-8"; - # i18n.extraLocales = ["de_DE.UTF-8"]; i18n.extraLocaleSettings = { - LC_CTYPE = "en_US.UTF8"; + LC_CTYPE = "en_US.UTF-8"; LC_ADDRESS = "de_DE.UTF-8"; LC_MEASUREMENT = "de_DE.UTF-8"; LC_MESSAGES = "en_US.UTF-8"; @@ -39,7 +37,7 @@ in LC_NUMERIC = "en_US.UTF-8"; LC_PAPER = "de_DE.UTF-8"; LC_TELEPHONE = "de_DE.UTF-8"; - LC_TIME = "de_DE.UTF-8"; + LC_TIME = "en_DK.UTF-8"; LC_COLLATE = "de_DE.UTF-8"; }; diff --git a/modules/presets/common.nix b/modules/presets/common.nix index 97525f05..d5bdedc9 100644 --- a/modules/presets/common.nix +++ b/modules/presets/common.nix @@ -15,18 +15,6 @@ in hardware.keyboard.zsa.enable = true; programs.nh.enable = true; # patch in auth_keep for run0 - security.polkit.debug = true; - security.polkit.package = pkgs.polkit.overrideAttrs (old: { - version = old.version + "-git"; - src = inputs.polkit; - patches = lib.take 1 old.patches; - # patches = [ - # (pkgs.fetchpatch2 { - # url = "https://patch-diff.githubusercontent.com/raw/polkit-org/polkit/pull/533.patch"; - # hash = "sha256-noR87BAzgBWtYDb0j9jkM/8wEkp7H+nArvKZrz69wfQ="; - # }) - # ]; - }); security.polkit.extraConfig = '' polkit.addRule(function(action, subject) { // make run0 keep pw for some time (tm) if ( diff --git a/modules/services/wireguard.nix b/modules/services/wireguard.nix index 2c75cd2c..90323987 100644 --- a/modules/services/wireguard.nix +++ b/modules/services/wireguard.nix @@ -6,6 +6,7 @@ instanceConfig, ... }: +with lib; let wgServer = instanceConfig ? wg.server && instanceConfig.wg.server; cfg = config.xyno.services.wireguard; 
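Review bot: The added `with lib;` at the top of `modules/services/wireguard.nix` brings every lib attribute into scope for the whole module, which makes names such as `optional`, `range`, `flatten` or `types` ambiguous with local `let` bindings and module arguments and is the pattern nixpkgs' own contribution guidelines discourage; the other module touched by this commit (`modules/desktop/swayidle.nix`) keeps the explicit `lib.` prefix, so the two now diverge in style. If the goal is brevity, scope the names to the `let` instead, `inherit (lib) mkIf mkOption mkEnableOption types optional optionals range flatten concatStringsSep attrValues mapAttrs' nameValuePair;`, which covers every lib name the later hunks of this file use as far as they are visible. The enclosing `let` continues past this hunk.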
@@ -19,33 +20,33 @@ let prefix: hostName: let hostHash = builtins.hashString "sha512" hostName; - localParts = map (n: builtins.substring (n * 4) 4 hostHash) (lib.range 0 3); - localPart = lib.concatStringsSep ":" localParts; + localParts = map (n: builtins.substring (n * 4) 4 hostHash) (range 0 3); + localPart = concatStringsSep ":" localParts; in "${prefix}:${localPart}"; # peers list for networkd filteredConfigs = builtins.filter (x: x.hostName != config.networking.hostName) ( - lib.attrValues instanceConfigs + attrValues instanceConfigs ); wgPeersLists = map ( c: ( - (lib.optional (c ? publicHostname) { + (optional (c ? publicHostname) { # if peer is publicly on the internet AllowedIPs = - (lib.optionals (c ? wg.server && c.wg.server) [ + (optionals (c ? wg.server && c.wg.server) [ # is server "::/0" ]) - ++ (lib.optionals (c ? wg.server && c.wg.server && c ? wg.v4 && instanceConfig ? wg.v4) [ + ++ (optionals (c ? wg.server && c.wg.server && c ? wg.v4 && instanceConfig ? wg.v4) [ # both client and server have a v4 "0.0.0.0/0" ]) - ++ (lib.optionals (!c ? wg.server || !c.wg.server) [ + ++ (optionals (!c ? wg.server || !c.wg.server) [ # is not server "${genUlaForHost ulaPrefix c.hostName}/128" # if a host is reachable but shouldn't play server, send only to the hosts ip ]) - ++ (lib.optionals ((!c ? wg.server || !c.wg.server) && c ? wg.v4 && instanceConfig ? wg.v4) [ + ++ (optionals ((!c ? wg.server || !c.wg.server) && c ? wg.v4 && instanceConfig ? wg.v4) [ # no server, no ipv4 yay "${c.wg.v4}/32" ]); 
@@ -55,13 +56,13 @@ let PublicKey = c.wg.pubKey; PresharedKeyFile = config.sops.secrets."wg/psk".path; }) - ++ (lib.optional ((!c ? publicHostname) && wgServer && (c ? wg.pubKey)) { + ++ (optional ((!c ? publicHostname) && wgServer && (c ? wg.pubKey)) { # if this is the server and the peer isn't reachable on the internet AllowedIPs = [ "${genUlaForHost ulaPrefix c.hostName}/128" "${genUlaForHost monitoringUlaPrefix c.hostName}/128" ] - ++ (lib.optionals (c ? wg.v4 && instanceConfig ? wg.v4) [ + ++ (optionals (c ? wg.v4 && instanceConfig ? wg.v4) [ "${c.wg.v4}/32" ]); PublicKey = c.wg.pubKey; 
@@ -69,43 +70,44 @@ let }) ) ) filteredConfigs; - wgPeers = lib.flatten wgPeersLists; + wgPeers = flatten wgPeersLists; in { - options.xyno.services.wireguard.enable = lib.mkEnableOption "enables wireguard"; - options.xyno.services.wireguard.monHostsDomain = lib.mkOption { - type = lib.types.str; + options.xyno.services.wireguard.enable = mkEnableOption "enables wireguard"; + options.xyno.services.wireguard.monHostsDomain = mkOption { + type = types.str; default = "mon.wg.hailsatan.eu"; }; - options.xyno.services.wireguard.hostsDomain = lib.mkOption { - type = lib.types.str; + options.xyno.services.wireguard.hostsDomain = mkOption { + type = types.str; default = "wg.hailsatan.eu"; }; - options.xyno.services.wireguard.ula = lib.mkOption { - type = lib.types.str; + options.xyno.services.wireguard.ula = mkOption { + type = types.str; default = "fd68:b6a4:36e4"; }; - options.xyno.services.wireguard.ip6 = lib.mkOption { - type = lib.types.str; + options.xyno.services.wireguard.ip6 = mkOption { + type = types.str; default = genUlaForHost ulaPrefix config.networking.hostName; }; - options.xyno.services.wireguard.monIp6 = lib.mkOption { - type = lib.types.str; + options.xyno.services.wireguard.monIp6 = mkOption { + type = types.str; default = genUlaForHost monitoringUlaPrefix config.networking.hostName; }; - config = lib.mkIf cfg.enable { + config = mkIf cfg.enable { # TODO: add a all traffic through this network networking.hosts = - (lib.mapAttrs' (n: v: { - value = [ "${v.hostName}.${cfg.hostsDomain}" ]; - name = (genUlaForHost ulaPrefix v.hostName); - }) instanceConfigs) - // (lib.mapAttrs' (n: v: { - value = [ "${v.hostName}.${cfg.monHostsDomain}" ]; - name = (genUlaForHost monitoringUlaPrefix v.hostName); - }) instanceConfigs); - networking.firewall.allowedUDPPorts = lib.optional wgServer 51820; - networking.firewall.interfaces."wg0".allowedUDPPorts = lib.optional wgServer 53; + (mapAttrs' ( + n: v: nameValuePair (genUlaForHost ulaPrefix v.hostName) [ 
"${v.hostName}.${cfg.hostsDomain}" ] + ) instanceConfigs) + // (mapAttrs' ( + n: v: + nameValuePair (genUlaForHost monitoringUlaPrefix v.hostName) [ + "${v.hostName}.${cfg.monHostsDomain}" + ] + ) instanceConfigs); + networking.firewall.allowedUDPPorts = optional wgServer 51820; + networking.firewall.interfaces."wg0".allowedUDPPorts = optional wgServer 53; systemd.network.netdevs."99-wg0" = { netdevConfig = { Name = "wg0"; @@ -114,9 +116,9 @@ in }; wireguardConfig = { - ListenPort = lib.mkIf wgServer 51820; + ListenPort = mkIf wgServer 51820; PrivateKeyFile = config.sops.secrets."wg/privkey".path; - FirewallMark = "0x8888"; + FirewallMark = 34952; }; wireguardPeers = wgPeers; }; @@ -124,7 +126,7 @@ in matchConfig.Name = "wg0"; networkConfig = { Description = "xyno wireguard"; - IPMasquerade = lib.mkIf (instanceConfig ? wg.server && instanceConfig.wg.server) "both"; + IPMasquerade = mkIf (instanceConfig ? wg.server && instanceConfig.wg.server) "both"; IPv4Forwarding = (instanceConfig ? wg.server && instanceConfig.wg.server); IPv6Forwarding = (instanceConfig ? wg.server && instanceConfig.wg.server); }; @@ -132,7 +134,7 @@ in "${(genUlaForHost ulaPrefix config.networking.hostName)}/64" "${(genUlaForHost monitoringUlaPrefix config.networking.hostName)}/64" ] - ++ (lib.optionals (instanceConfig ? wg.v4) [ "${instanceConfig.wg.v4}/24" ]); + ++ (optionals (instanceConfig ? wg.v4) [ "${instanceConfig.wg.v4}/24" ]); }; systemd.network.networks."51-wg0-all-traffic" = { matchConfig.Name = "wg0"; @@ -144,7 +146,7 @@ in }; routingPolicyRules = [ { - FirewallMark = "0x8888"; + FirewallMark = 34952; InvertRule = true; Table = 1000; Priority = 10; 
@@ -152,13 +154,13 @@ in ]; }; services.prometheus.exporters.wireguard = - lib.mkIf (wgServer && config.xyno.services.monitoring.enable) + mkIf (wgServer && config.xyno.services.monitoring.enable) { enable = true; interfaces = [ "wg0" ]; }; - services.coredns = lib.mkIf wgServer { + services.coredns = mkIf wgServer { # for non nixos devices to be able to resolve vpn hostnames enable = true; config = '' @@ -170,9 +172,9 @@ in } ''; }; - xyno.services.monitoring.exporters.coredns = lib.mkIf wgServer 9153; + xyno.services.monitoring.exporters.coredns = mkIf wgServer 9153; xyno.services.monitoring.exporters.wireguard = - lib.mkIf wgServer config.services.prometheus.exporters.wireguard.port; + mkIf wgServer config.services.prometheus.exporters.wireguard.port; sops.secrets."wg/privkey" = { reloadUnits = [ "systemd-networkd.service" ]; sopsFile = ../../instances/${config.networking.hostName}/secrets/wg.yaml;