From ae9036f47f2240e74d76b1e7708d5a1bc6bffa12 Mon Sep 17 00:00:00 2001 From: Chris Thompson Date: Sat, 7 Dec 2024 22:17:13 -0500 Subject: [PATCH] Lazy bulk update after a number of things --- flake.lock | 12 +++--- hosts/default/configuration.nix | 73 ++++++++++++++++++++++++++++++--- hosts/default/main-user.nix | 36 ++++++++++++---- 3 files changed, 101 insertions(+), 20 deletions(-) diff --git a/flake.lock b/flake.lock index c9c4de9..d07c620 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1730837930, - "narHash": "sha256-0kZL4m+bKBJUBQse0HanewWO0g8hDdCvBhudzxgehqc=", + "lastModified": 1733484277, + "narHash": "sha256-i5ay20XsvpW91N4URET/nOc0VQWOAd4c4vbqYtcH8Rc=", "owner": "nix-community", "repo": "home-manager", - "rev": "2f607e07f3ac7e53541120536708e824acccfaa8", + "rev": "d00c6f6d0ad16d598bf7e2956f52c1d9d5de3c3a", "type": "github" }, "original": { @@ -22,11 +22,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1730785428, - "narHash": "sha256-Zwl8YgTVJTEum+L+0zVAWvXAGbWAuXHax3KzuejaDyo=", + "lastModified": 1733392399, + "narHash": "sha256-kEsTJTUQfQFIJOcLYFt/RvNxIK653ZkTBIs4DG+cBns=", "owner": "nixos", "repo": "nixpkgs", - "rev": "4aa36568d413aca0ea84a1684d2d46f55dbabad7", + "rev": "d0797a04b81caeae77bcff10a9dde78bc17f5661", "type": "github" }, "original": { diff --git a/hosts/default/configuration.nix b/hosts/default/configuration.nix index e1acc00..64191cf 100644 --- a/hosts/default/configuration.nix +++ b/hosts/default/configuration.nix @@ -46,6 +46,9 @@ # Feel like I should be sure this is safe w/flakes first: #system.autoUpgrade.enable = true; + # sets up things so envs can do shebang whatever + # instead of #!/usr/bin/env whatever + #services.envfs.enable = true; # Bootloader. boot.loader.systemd-boot.enable = true; 
@@ -96,6 +99,8 @@ #}; # Enable CUPS to print documents. + # ...no. Recent security issues, prefer disabled + # apps like e.g. LibreOffice can still generate pdf's (e.g. to stand in [generally] for Print to pdf) # services.printing.enable = true; # Enable sound with pipewire. @@ -117,6 +122,7 @@ # Enable touchpad support (enabled default in most desktopManager). # services.xserver.libinput.enable = true; # Define a user account. Don't forget to set a password with ‘passwd’. + # Note that extraGroups overrides the module defaults entirely (they don't merge...probably a lib.* thing for that?) # Pull defaults from main-user: main-user.enable = true; main-user.userName = "wolcen"; @@ -124,7 +130,7 @@ users.users.wolcen = { description = "Chris Thompson"; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEdxdKYrlwOolJpYxvWu6gW/60pzT6aKN6JHhnTSBFqN wolcen@typhoon" ]; - extraGroups = [ "networkmanager" "wheel" ]; + extraGroups = [ "networkmanager" "wheel" "docker" "dialout" ]; }; home-manager = { 
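Review bot: The added comment claims `extraGroups` overrides the module defaults entirely, but list-typed options in the NixOS module system are normally merged by concatenation across modules unless one definition carries a priority (mkForce/mkDefault/mkOverride), so the comment is probably describing something else; main-user.nix also defines extraGroups for this user, and both lists would then simply be concatenated. Worth checking the effective value with `nixos-option users.users.wolcen.extraGroups` and rewording the comment to what is actually observed, e.g. `# extraGroups is also set in main-user.nix; list options merge (concatenate) - verify with nixos-option`. The enclosing configuration attrset starts and ends outside this hunk.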
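Review bot: Adding `"docker"` to extraGroups is a root-equivalent grant: any member of the docker group can drive the daemon socket and start a privileged container with the host filesystem mounted, so the change deserves an inline note rather than a silent list edit, e.g. `extraGroups = [ "networkmanager" "wheel" "docker" "dialout" ]; # docker membership == root-equivalent via the daemon socket`. main-user.nix already puts this user in docker, so if the lists merge the entry is redundant here and only the comment is new information. If rootless Docker works for the DDEV workflow, `virtualisation.docker.rootless.enable` would avoid the group entirely (hedged: rootless compatibility with DDEV is not established on this page). The enclosing configuration attrset starts and ends outside this hunk.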
@@ -139,9 +145,16 @@ # Add docker! virtualisation.docker.enable = true; virtualisation.docker.storageDriver = "btrfs"; # Only when using BTRFS! (wolcen approved!) - # Required for DDEV to add hosts files, if your DNS will not resolve addresses to localhost. - environment.etc.hosts.mode = "0644"; - # For xdebug...verify actual necessity (...I still doubt it) + + # Required for DDEV to add hosts files, if your DNS will not resolve addresses to localhost. + # Some firewall DNS resolvers will NOT allow an externally resolved domain name to resolve to a reserved IP (e.g. localhost). + # This is a security protection method that can assist attackers with discovery of a LAN. + # With fpSense, you can tell unbound (or dnsmasq) to resolve *.ddev.site to 127.0.0.1 and remove this mode statement + # See https://docs.netgate.com/pfsense/en/latest/services/dns/wildcards.html + # environment.etc.hosts.mode = "0644"; + + # For xdebug...verify actual necessity + # Have had to use this, but I think it can be disabled still - perhaps w/xdebug binding setting...don't know. networking.firewall.allowedTCPPorts = [ 9003 ]; # Allow unfree packages nixpkgs.config.allowUnfree = true; @@ -163,6 +176,7 @@ eza # a better ls lm_sensors # hardware monitoring (e.g. temps) btop # cli sys monitor + amdgpu_top # top-like monitor for AMD GPUs direnv # autoload .envrc files zoxide # directory navigator (z) nextcloud-client # next cloud UI 
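Review bot: `networking.firewall.allowedTCPPorts = [ 9003 ];` opens the xdebug client port on every interface, while the only peer that needs to reach it is PHP running inside the DDEV containers; if that holds, scoping the rule to the bridge, `networking.firewall.interfaces.docker0.allowedTCPPorts = [ 9003 ];`, keeps the IDE's debug listener off the LAN (the interface name should be confirmed on this host, DDEV may use its own bridge). The new comment above it already says the necessity is unverified, so the scoped form is a cheap way to resolve that doubt. Separately, the new hosts-file comment spells `fpSense` where `pfSense` is meant. This hunk sits inside the top-level configuration attrset, which starts and ends outside it.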
@@ -174,15 +188,48 @@ niv # dependency cli for nix-shell openrgb-with-all-plugins # colors hardware control just # command runner like make + #ansible # configuration management system/automation tool + kdePackages.kcachegrind # analyze xdebug output + libreoffice-qt # libreoffice - qt is best for KDE + hunspell # spell checking + hunspellDicts.en_US # spell check dictionary + #corectl # this doesn't exist???? + magic-wormhole # transfer files with ease + screen # terminal multiplexer...from GNU + gnumake # build automation tool + #git-open # open the url of the project in web + diffr # another diff hilighting tool + brave # privacy oriented browser + zig # the zig language ]; programs.git = { enable = true; lfs.enable = true; }; + # Orchestrator for FOSS VR stack + #programs.envision = { + # enable = true; + # openFirewall = true; # This is set true by default + #}; nixpkgs.config.permittedInsecurePackages = [ "electron-27.3.11" ]; + #fonts = { + # fontconfig.enable = true; + # enableFontDir = true; + # enableGhostscriptFonts = true; + # fonts = with pkgs; [ + # corefonts + # dejavu_fonts + # inconsolata + # source-han-sans-japanese + # source-han-sans-korean + # source-han-sans-simplified-chinese + # source-han-sans-traditional-chinese + # ubuntu_font_family + # ]; + #}; # Some programs need SUID wrappers, can be configured further or are # started in user sessions. # programs.mtr.enable = true; @@ -195,6 +242,9 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; + services.openssh.ports = [ 2112 ]; # must be a list...for some reason. + # Enable mobile shell (for roaming, intermittent connectivity, etc) + programs.mosh.enable = true; # RX 6700 XT setup hardware.graphics.extraPackages = [ 
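Review bot: `services.openssh.ports = [ 2112 ];` moves the listener and (with `services.openssh.openFirewall` at its default of true) the firewall hole along with it, but a non-standard port is not a hardening measure by itself; since wolcen already has a key in `openssh.authorizedKeys.keys` and main-user.nix carries a literal `initialPassword`, the change that actually reduces exposure is `services.openssh.settings.PasswordAuthentication = false;` together with `services.openssh.settings.KbdInteractiveAuthentication = false;`. `programs.mosh.enable = true;` likewise opens mosh's UDP range if the module's `openFirewall` default is true, as I recall it is; worth stating next to the line or setting explicitly so the opened ports are visible in this file. Both new lines are inside the top-level configuration attrset, which starts and ends outside this hunk.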
@@ -220,8 +270,18 @@ dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server localNetworkGameTransfers.openFirewall = true; # Open ports in the firewall for Steam Local Network Game Transfers }; - - programs.java.enable = true; + # VR + #Commmand: `renice -20 -p $(pgrep monado)` may help w/issues + services.monado = { + enable = true; + defaultRuntime = true; # Register as default OpenXR runtime + #environment.WMR_HANDTRACKING = "1"; # Enable for hand tracking + #environment.U_PACING_COMP_MIN_TIME_MS = "5"; # This is a tweak for something...I forgot + }; + # allow clock adjustments/priority change, etc (gamemoderun ./game) + # https://wiki.nixos.org/wiki/GameMode + programs.gamemode.enable = true; # for performance mode + #programs.java.enable = true; #programs.steam.package = pkgs.steam.override { withJava = true; }; programs.steam.gamescopeSession.enable = true; @@ -241,3 +301,4 @@ system.stateVersion = "24.05"; # Did you read the comment? } + diff --git a/hosts/default/main-user.nix b/hosts/default/main-user.nix index 0543bd0..a123ae3 100644 --- a/hosts/default/main-user.nix +++ b/hosts/default/main-user.nix 
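Review bot: The VR comment's `renice -20 -p $(pgrep monado)` needs CAP_SYS_NICE to set a negative niceness, so as written it only works under sudo; the comment should say so, e.g. `# Command (needs sudo): renice -20 -p $(pgrep monado)`, which also fixes the `Commmand` typo. Since `programs.gamemode.enable = true;` is set right below and, if I recall the module correctly, its `enableRenice` default grants gamemoded that capability, running monado through `gamemoderun` may reach the same effect without a root shell and is worth a pointer in the comment. The enclosing configuration attrset starts before this hunk and its closing brace is in the following hunk.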
@@ -19,17 +19,37 @@ in isNormalUser = true; initialPassword = "B@dC0d3MangFIX|T"; description = lib.mkDefault "Just a normal admin"; + # groups: wheel => sudo access, dialout => serial access extraGroups = [ "wheel" "networkmanager" "docker" ]; packages = with pkgs; [ - kdePackages.kate - thunderbird - keepassxc - macchina - z-lua + #kdePackages.kate # ... why did I add this? + thunderbird # email client + keepassxc # passwords! + macchina # like *fetch - display basics + z-lua # jump around directories (be careful with same-named ones!) logseq # REQUIRES TEMPORARY INSECURE ELECTRON - signal-desktop - ddev - vscodium + signal-desktop # messaging + ddev # local docker dev awesome + vscodium # vs code editor, but free + # go to 2.17 when no more servers w/python issues (elizabeth) + ansible_2_16 # deployment/automation + #python311Full # troubleshooting ansible things. + #python311Packages.ansible + # php added for ansible composer build temporarily + # switch to an ansible build environment instead. + php81 + php81Packages.composer + php81Packages.composer + php81Extensions.zip + php81Extensions.xml + php81Extensions.dom + php81Extensions.bz2 + php81Extensions.yaml + php81Extensions.zlib + php81Extensions.zstd + php81Extensions.intl + php81Extensions.curl + php81Extensions.posix ]; }; };
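Review bot: The new `# groups: wheel => sudo access` comment lands directly under the literal `initialPassword` on the line above, so the file now documents that a password committed to the repository is the sudo credential until the user changes it; initialPassword only applies when the account is first created, but the literal remains in git history, so either switch to `hashedPasswordFile` pointing at a file kept outside the repo or extend the comment with `# initialPassword is only used on first creation - rotate it after first login`. `php81Packages.composer` also appears twice in the package list as rendered here (the hunk line counts suggest one copy may be a paste artifact); a duplicate is harmless in a Nix list but should go. The attrset being edited starts above this hunk, after the `in` shown in the hunk header, and closes with the final two `};` lines.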