Security(firefox): sandbox in firejail
1 {
2 pkgs,
3 lib,
4 config,
5 pkgs-unstable,
6 ...
7 }:
8 {
# Every imported module lives under home-manager/profiles, so the list only
# names the profile and the path is rebuilt from a single base directory.
# Re-enable a profile by uncommenting its name; anything outside the
# profiles directory (e.g. ../mails.nix) would have to be appended as a path.
imports =
  let
    profilesDir = ../../../home-manager/profiles;
    profile = name: profilesDir + "/${name}.nix";
  in
  map profile [
    "chat"
    "developing"
    "direnv"
    "drawing"
    "element"
    "firefox"
    "gaming"
    "git"
    "gnupg"
    "graphical"
    "lang-cmn"
    "lf"
    "mpv"
    "networking"
    "nix"
    "radicle"
    "radio"
    "science"
    "signal"
    "thunderbird"
    "video"
    "wine"
    "wireless"
    "yt-dlp"

    "emacs"
    "ghc"
    #"starship"
    "xmonad"
    "arbtt"
    "music"

    # ../mails.nix (not a profile; would need its own `++ [ ../mails.nix ]`)
  ];
programs.bash.shellAliases = {
  # Run the rest of the command line inside the "riseup" network namespace
  # (set up elsewhere, presumably a VPN-only namespace): the first sudo runs
  # `ip netns exec` as root, the second drops back to the invoking user.
  # PULSE_SERVER is passed so the namespaced program still finds this
  # user's audio socket; sudo only accepts a VAR=value argument when the
  # sudoers rule permits it (ALL, the SETENV tag or env_keep).
  # NOTE(review): $USER and $(id -u $USER) are left for the interactive
  # shell to expand when the alias is used, not evaluated by Nix.
  riseup = "sudo ip netns exec riseup sudo -u $USER PULSE_SERVER=/run/user/$(id -u $USER)/pulse/native";
};
# Keep the GnuPG home (public keyring, trustdb and private-keys-v1.d/) under
# files/sec instead of the default ~/.gnupg.  Anything that sandboxes gpg or
# pass for this user has to whitelist this directory, not ~/.gnupg.
programs.gpg = {
  homedir = "${config.home.homeDirectory}/files/sec/.gnupg";
};
# The password store sits next to the GnuPG home under files/sec.  This is a
# shell expression ($HOME) expanded by the login shell, not a Nix path.
home.sessionVariables.PASSWORD_STORE_DIR = "$HOME/files/sec/.password-store";
# LibreOffice's bundled JDK doubles as this user's JAVA_HOME; a trimmed-down
# jre17 alternative is kept below for reference.
#(pkgs.jre17_minimal.override { modules = [ "java.base" "java.desktop" "java.logging" "java.sql" ]; })
home.sessionVariables.JAVA_HOME = pkgs.libreoffice.unwrapped.jdk;
# Per-host package set.  Entries commented out are kept as a record of what
# was tried; a few packages are security-relevant and annotated below.
home.packages = [
  /*
    ffmpeg with VMAF, wanted by ab-av1 for quality-targeted encodes;
    disabled, so ab-av1 currently runs against the stock ffmpeg.
    (lib.meta.hiPrio (
      pkgs.ffmpeg.override {
        # For pkgs.ab-av1
        withVmaf = true;
      }
    ))
  */
  pkgs.ab-av1
  pkgs.blender
  # Emulators (azahar is taken from the unstable channel).
  pkgs.cemu
  pkgs-unstable.azahar
  pkgs.mednafen
  # radicle-node syncs repositories peer-to-peer and therefore listens on
  # the network; its signing key is expected under ~/.radicle/keys (see the
  # disabled systemd unit below).  radicle-httpd (the web gateway) is off.
  pkgs.radicle-node
  #pkgs.radicle-httpd
  # Documents: PDF/PostScript/DjVu conversion and viewing.
  pkgs.ghostscript
  #pkgs.go-mtpfs
  pkgs.ntfs3g
  pkgs.unar
  pkgs.pdftk
  pkgs.mupdf
  pkgs.pdfposter
  pkgs.vips
  pkgs.poppler_utils
  # psutils is given low priority because its psnup collides with
  # pkgs.texlive.combined.scheme-*.
  (lib.lowPrio pkgs.psutils)
  pkgs.ink
  pkgs.djview
  pkgs.qpdf
  pkgs.libreoffice
  pkgs.calibre
  pkgs.zotero
  pkgs.evince
  pkgs.kdePackages.marble
  # Kids' software and games.
  pkgs.gcompris
  pkgs.frozen-bubble
  pkgs.neverball
  pkgs.tuxpaint
  pkgs.rmg
  #pkgs.veloren
  #pkgs.shipwright
  # steam-run-free provides an FHS-style environment for running prebuilt
  # Linux binaries; those binaries run with this user's full privileges and
  # are not sandboxed by it.
  pkgs.steam-run-free
  pkgs.xsane
  # BitTorrent client plus remote GUI.  NOTE(review): check that the
  # transmission RPC interface stays bound to localhost (or is authenticated)
  # when the daemon is used; the defaults are not set from this file.
  pkgs.transmission
  pkgs.transmission-remote-gtk
  pkgs.gthumb
  #pkgs.chromium
  pkgs.gpsbabel
  #(pkgs.qgis.override { extraPythonPackages = (ps: [
  #  ps.pyqt5_with_qtwebkit
  #]); })
  #pkgs.libva-utils
  # otpclient keeps TOTP secrets in its own local database, separate from
  # the pass store.
  pkgs.otpclient
  pkgs.pandoc
  pkgs.pdf2djvu
  #pkgs.ristretto
  pkgs.xfce.mousepad
  #pkgs.mate.pluma
  pkgs.wxmaxima
  pkgs.espeak-ng
  # iodine tunnels IPv4 over DNS (needs a TUN device, so root or the
  # capability for it); useful behind captive portals, but note that such
  # traffic is trivially visible to the DNS resolver in use.
  pkgs.iodine
  pkgs.ultrastardx
  # Native-messaging companion for the Video DownloadHelper browser
  # extension; it runs as a separate process the browser spawns, so a
  # sandboxed Firefox has to be able to reach it.
  pkgs.vdhcoapp
  #pkgs.qsynth
  # Screen recording / region selection and X11 window tooling.
  pkgs.giph
  pkgs.slop
  pkgs.xorg.xwininfo
  pkgs.xdotool
  pkgs.zip
];
122
# The user-level FluidSynth service is explicitly disabled; the option is
# spelled out so re-enabling it is a one-word change.
services.fluidsynth = {
  enable = false;
};
124
/*
  A user-level LoadCredentialEncrypted= needs systemd v258, so this unit is
  parked here until that version is available.
  NOTE(review): `${nan2gua1/radicle/radicle.clear}` interpolates a path into
  a string, which copies that file into the world-readable Nix store at
  evaluation time.  This is only acceptable if radicle.clear is already an
  encrypted systemd credential blob rather than the plaintext signing key;
  radicle.pub is public and is fine either way.
  systemd.user.services.radicle-node = {
    Service = {
      LoadCredentialEncrypted = [
        "radicle:${nan2gua1/radicle/radicle.clear}"
        "radicle.pub:${nan2gua1/radicle/radicle.pub}"
      ];
      BindReadOnlyPaths = [
        "/run/user/1000/credentials/radicle-node.service/radicle:/home/julm/.radicle/keys/radicle"
        "${nan2gua1/radicle/radicle.pub}:/home/julm/.radicle/keys/radicle.pub"
      ];
    };
    Unit = {
      ConditionPathExists = lib.mkForce [];
    };
  };
*/
143
# Categorisation rules for arbtt's time tracker.  arbtt records raw window
# titles and these rules map title patterns to tags; since terminal titles
# here embed filesystem paths (~/src, ~/work, ~/files) and document titles
# leak through evince/mpv, the capture log itself is sensitive data.
xdg.dataFile."arbtt/categorize.cfg" = {
  text = ''
    $idle > 30 ==> tag inactive,

    current window $program = ["evince", "Evince"] && current window $title =~ m!(.*) — (.*)!
      ==> tag evince,
    current window $program = ["gl", "mpv"] && current window $title =~ m!MPV: playing: ([^:]*)!
      ==> tag mpv,
    current window $program = ["Navigator"] && current window $title =~ m!Web: ([^:]*): ([^:]*)!
      ==> tag $1:Web,
    current window $title =~ m!Term: ([^:]*): (?:~|/home/julm)/(?:src|work)/(.*)!
      ==> tag Work:$2,
    current window $title =~ m!Term: ([^:]*): (?:~|/home/julm)/(?:files)/(.*)!
      ==> tag Perso:$2,

    tag Desktop:$current.desktop,
    tag Program:$current.program,
  '';
};
161
# X keymap tweak: turn the right Control key into a second Super (mod4),
# the modifier Xmonad is configured to use.
home.file.".Xmodmap" = {
  text = ''
    ! Make Control_R behave like Super_L, the modMask used in Xmonad
    remove control = Control_R
    add mod4 = Control_R
  '';
};
167
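# Firefox runs inside firejail.  The extra arguments below are there so that
# browserpass can reach pass(1) and the host's gpg-agent without opening the
# rest of $HOME to the browser.  `${HOME}` and `${RUNUSER}` in these strings
# are expanded by firejail, not by Nix or the shell, hence the `\\\${...}`
# escaping (one level for Nix, one for the shell the wrapper goes through).
programs.firefox = {
  cfg = {
    # Passed to the nixpkgs Firefox wrapper: no GNOME Shell integration,
    # speech synthesis enabled.
    enableGnomeExtensions = false;
    speechSynthesisSupport = true;
  };
  firejail.args = [
    # --writable-run-user turns off firejail's default blacklisting of
    # ${RUNUSER}/systemd and ${RUNUSER}/gnupg; the whitelist that follows
    # then exposes only the gnupg socket directory, i.e. the gpg-agent
    # sockets a gpg run inside the sandbox needs (the agent itself stays
    # outside the sandbox).
    # See https://github.com/netblue30/firejail/issues/1422#issuecomment-377263770
    "--writable-run-user"
    "--whitelist=\\\${RUNUSER}/gnupg"
    # Enable access to pass(1) in /etc/profiles/per-user/julm/bin/pass.
    # On NixOS /etc/profiles resolves through /etc/static, so both entries
    # are presumably needed for the symlink to work inside the private /etc.
    "--private-etc=static/profiles,profiles"

    # For browserpass's native extension.
    # NOTE(review): ~/.gnupg and ~/.password-store are not what this
    # configuration uses (programs.gpg.homedir and PASSWORD_STORE_DIR both
    # point under ~/files/sec), and the stock firejail includes presumably
    # blacklist these two defaults, which would need a --noblacklist= before
    # a whitelist could take effect.  Kept in case something else still
    # relies on them; drop once confirmed unused.
    "--whitelist=\\\${HOME}/.gnupg"
    "--whitelist=\\\${HOME}/.password-store"
    "--read-only=\\\${HOME}/.gnupg"
    "--read-only=\\\${HOME}/.password-store"

    # The real GnuPG home and password store.  The gpg path is taken from
    # programs.gpg.homedir so this whitelist cannot silently drift from
    # where the keyrings actually live; the pass path must match
    # PASSWORD_STORE_DIR in home.sessionVariables.
    # Read-only still lets the browser read private-keys-v1.d/ (protected
    # only by the key passphrase).  If that is a concern, give the sandbox
    # a public-keys-only GNUPGHOME and reach the agent through its
    # extra-socket instead.
    "--whitelist=${config.programs.gpg.homedir}"
    "--whitelist=\\\${HOME}/files/sec/.password-store"
    "--read-only=${config.programs.gpg.homedir}"
    "--read-only=\\\${HOME}/files/sec/.password-store"

    # The stock firejail profile for Firefox, given after the
    # host-specific entries above.
    "--profile=${pkgs.firejail}/etc/firejail/firefox.profile"
  ];

  # Enterprise policies, see about:policies#documentation.  They mostly
  # cut Firefox's background network chatter and lock the DNS choice.
  policies = {
    # No captive-portal probes to Mozilla's detection endpoint.
    CaptivePortal = false;
    # DNS goes through the system resolver (and so through whatever
    # namespace/VPN the process runs in), not Mozilla's DoH partner;
    # locked so it cannot be flipped back on from about:preferences.
    DNSOverHTTPS = {
      Enabled = false;
      Locked = true;
    };
    # Updates come from Nix, not from Firefox's updater.
    DisableAppUpdate = true;
    DisableFirefoxAccounts = true;
    DisableFirefoxStudies = true;
    DisablePocket = true;
    DisableTelemetry = true;
    DontCheckDefaultBrowser = true;
    FirefoxHome = {
      Pocket = false;
      Snippets = false;
    };
    # No DNS prefetch / speculative connections for links on the page.
    NetworkPrediction = false;
    PromptForDownloadLocation = true;
    # Sites and pages cannot add search engines.
    SearchEngines = {
      PreventInstalls = true;
    };
    # Keystrokes in the address bar are not sent to the search engine.
    SearchSuggestEnabled = false;
    UserMessaging = {
      ExtensionRecommendations = false;
      SkipOnboarding = true;
    };
    # NOTE(review): since pass/browserpass is the credential store here,
    # consider also `PasswordManagerEnabled = false;` so logins are not
    # additionally saved in the Firefox profile.
  };
};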
224
225 /*
226 Cannot be automounted
227 systemd.user.mounts = {
228 mnt-aubergine = {
229 Unit = {
230 Wants = [
231 "network-online.target"
232 "wireguard-wg-intra.target"
233 ];
234 After = [
235 "network-online.target"
236 "wireguard-wg-intra.target"
237 ];
238 };
239 Install = {
240 WantedBy = ["default.target"];
241 };
242 Mount = {
243 What = "julm@aubergine.sp:/";
244 Where = "/mnt/aubergine";
245 Type = "fuse.sshfs";
246 Options = lib.concatStringsSep "," [
247 "user"
248 "uid=julm"
249 "gid=users"
      "allow_other" # NOTE(review): lets every local user traverse this mount with julm's SSH identity; drop unless another uid really needs the share
      "exec" # Override "user"'s noexec
252 "noatime"
253 "nosuid"
254 "noauto"
255 "dir_cache=no"
256 #"reconnect"
257 "x-gvfs-hide"
258 # Does not work for user mounts
259 #"x-systemd.automount"
260 "IdentityFile=/home/julm/.ssh/id_ed25519"
261 #"Compression=yes" # YMMV
262 # Disconnect approximately 2*15=30 seconds after a network failure
263 "ServerAliveCountMax=1"
264 "ServerAliveInterval=15"
265 ];
266 };
267 };
268 };
269 */
270 /*
271 Automounting does not work without root privileges
272 systemd.user.automounts = {
273 mnt-aubergine = {
274 Install = {
275 WantedBy = ["user.target"];
276 };
277 Unit = {
278 };
279 Automount = {
280 Where = "/mnt/aubergine";
281 TimeoutIdleSec = "5 min";
282 };
283 };
284 };
285 */
286 }