Security(firefox): sandbox in firejail
1 {
2 pkgs,
3 lib,
4 config,
5 pkgs-unstable,
6 ...
7 }:
8 {
9 imports = [
10 ../../../home-manager/profiles/chat.nix
11 ../../../home-manager/profiles/developing.nix
12 ../../../home-manager/profiles/direnv.nix
13 ../../../home-manager/profiles/drawing.nix
14 ../../../home-manager/profiles/element.nix
15 ../../../home-manager/profiles/firefox.nix
16 ../../../home-manager/profiles/gaming.nix
17 ../../../home-manager/profiles/git.nix
18 ../../../home-manager/profiles/gnupg.nix
19 ../../../home-manager/profiles/graphical.nix
20 ../../../home-manager/profiles/lang-cmn.nix
21 ../../../home-manager/profiles/lf.nix
22 ../../../home-manager/profiles/mpv.nix
23 ../../../home-manager/profiles/networking.nix
24 ../../../home-manager/profiles/nix.nix
25 ../../../home-manager/profiles/radicle.nix
26 ../../../home-manager/profiles/radio.nix
27 ../../../home-manager/profiles/science.nix
28 ../../../home-manager/profiles/signal.nix
29 ../../../home-manager/profiles/thunderbird.nix
30 ../../../home-manager/profiles/video.nix
31 ../../../home-manager/profiles/wine.nix
32 ../../../home-manager/profiles/wireless.nix
33 ../../../home-manager/profiles/yt-dlp.nix
34
35 ../../../home-manager/profiles/emacs.nix
36 ../../../home-manager/profiles/ghc.nix
37 #../../../home-manager/profiles/starship.nix
38 ../../../home-manager/profiles/xmonad.nix
39 ../../../home-manager/profiles/arbtt.nix
40 ../../../home-manager/profiles/music.nix
41
42 # ../mails.nix
43 ];
44 programs.bash.shellAliases.riseup = "sudo ip netns exec riseup sudo -u $USER PULSE_SERVER=/run/user/$(id -u $USER)/pulse/native";
45 programs.gpg.homedir = "${config.home.homeDirectory}/files/sec/.gnupg";
46 home.sessionVariables = {
47 PASSWORD_STORE_DIR = "$HOME/files/sec/.password-store";
48 #(pkgs.jre17_minimal.override { modules = [ "java.base" "java.desktop" "java.logging" "java.sql" ]; })
49 JAVA_HOME = pkgs.libreoffice.unwrapped.jdk;
50 };
51 home.packages = [
52 (lib.meta.hiPrio (
53 pkgs.ffmpeg.override {
54 # For pkgs.ab-av1
55 withVmaf = true;
56 }
57 ))
58 pkgs.ab-av1
59 pkgs.cemu
60 pkgs-unstable.azahar
61 pkgs.mednafen
62 pkgs.radicle-node
63 #pkgs.radicle-httpd
64 pkgs.ghostscript
65 #pkgs.go-mtpfs
66 pkgs.ntfs3g
67 pkgs.unar
68 pkgs.pdftk
69 pkgs.mupdf
70 pkgs.pdfposter
71 pkgs.vips
72 pkgs.poppler_utils
73 # ExplanationNote: psnup conflicts with pkgs.texlive.combined.scheme-*
74 (lib.lowPrio pkgs.psutils)
75 pkgs.ink
76 pkgs.djview
77 pkgs.qpdf
78 pkgs.libreoffice
79 pkgs.calibre
80 pkgs.zotero
81 pkgs.evince
82 pkgs.kdePackages.marble
83 pkgs.gcompris
84 pkgs.frozen-bubble
85 pkgs.neverball
86 pkgs.tuxpaint
87 pkgs.rmg
88 #pkgs.veloren
89 pkgs.shipwright
90 pkgs.steam-run-free
91 pkgs.xsane
92 pkgs.transmission
93 pkgs.transmission-remote-gtk
94 pkgs.gthumb
95 #pkgs.chromium
96 pkgs.gpsbabel
97 #(pkgs.qgis.override { extraPythonPackages = (ps: [
98 # ps.pyqt5_with_qtwebkit
99 #]); })
100 #pkgs.libva-utils
101 pkgs.otpclient
102 pkgs.pandoc
103 pkgs.pdf2djvu
104 #pkgs.ristretto
105 pkgs.xfce.mousepad
106 #pkgs.mate.pluma
107 pkgs.wxmaxima
108 pkgs.espeak-ng
109 pkgs.iodine
110 pkgs.ultrastardx
111 pkgs.vdhcoapp
112 #pkgs.qsynth
113 pkgs.giph
114 pkgs.slop
115 pkgs.xorg.xwininfo
116 pkgs.xdotool
117 pkgs.zip
118 ];
119
120 services.fluidsynth.enable = false;
121
122 /*
123 user's LoadCredentialEncrypted= needs systemd v258
124 systemd.user.services.radicle-node = {
125 Service = {
126 LoadCredentialEncrypted = [
127 "radicle:${pumpkin/radicle/radicle.clear}"
128 "radicle.pub:${pumpkin/radicle/radicle.pub}"
129 ];
130 BindReadOnlyPaths = [
131 "/run/user/1000/credentials/radicle-node.service/radicle:/home/julm/.radicle/keys/radicle"
132 "${pumpkin/radicle/radicle.pub}:/home/julm/.radicle/keys/radicle.pub"
133 ];
134 };
135 Unit = {
136 ConditionPathExists = lib.mkForce [];
137 };
138 };
139 */
140
141 xdg.dataFile."arbtt/categorize.cfg".text = ''
142 $idle > 30 ==> tag inactive,
143
144 current window $program = ["evince", "Evince"] && current window $title =~ m!(.*) — (.*)!
145 ==> tag evince,
146 current window $program = ["gl", "mpv"] && current window $title =~ m!MPV: playing: ([^:]*)!
147 ==> tag mpv,
148 current window $program = ["Navigator"] && current window $title =~ m!Web: ([^:]*): ([^:]*)!
149 ==> tag $1:Web,
150 current window $title =~ m!Term: ([^:]*): (?:~|/home/julm)/(?:src|work)/(.*)!
151 ==> tag Work:$2,
152 current window $title =~ m!Term: ([^:]*): (?:~|/home/julm)/(?:files)/(.*)!
153 ==> tag Perso:$2,
154
155 tag Desktop:$current.desktop,
156 tag Program:$current.program,
157 '';
158
159 home.file.".Xmodmap".text = ''
160 ! Make Control_R behave like Super_L, the modMask used in Xmonad
161 remove control = Control_R
162 add mod4 = Control_R
163 '';
164
165 programs.firefox = {
166 cfg = {
167 speechSynthesisSupport = true;
168 };
169 # about:policies#documentation
170 extraPolicies = {
171 CaptivePortal = false;
172 DNSOverHTTPS = {
173 Enabled = false;
174 Locked = true;
175 };
176 DisableAppUpdate = true;
177 DisableFirefoxAccounts = true;
178 DisableFirefoxStudies = true;
179 DisablePocket = true;
180 DisableTelemetry = true;
181 DontCheckDefaultBrowser = true;
182 FirefoxHome = {
183 Pocket = false;
184 Snippets = false;
185 };
186 NetworkPrediction = false;
187 PromptForDownloadLocation = true;
188 SearchEngines = {
189 PreventInstalls = true;
190 };
191 SearchSuggestEnabled = false;
192 UserMessaging = {
193 ExtensionRecommendations = false;
194 SkipOnboarding = true;
195 };
196 };
197 };
198
199 /*
200 Cannot be automounted
201 systemd.user.mounts = {
202 mnt-aubergine = {
203 Unit = {
204 Wants = [
205 "network-online.target"
206 "wireguard-wg-intra.target"
207 ];
208 After = [
209 "network-online.target"
210 "wireguard-wg-intra.target"
211 ];
212 };
213 Install = {
214 WantedBy = ["default.target"];
215 };
216 Mount = {
217 What = "julm@aubergine.sp:/";
218 Where = "/mnt/aubergine";
219 Type = "fuse.sshfs";
220 Options = lib.concatStringsSep "," [
221 "user"
222 "uid=julm"
223 "gid=users"
224 "allow_other"
225 "exec" # Override "user"'s noexec
226 "noatime"
227 "nosuid"
228 "noauto"
229 "dir_cache=no"
230 #"reconnect"
231 "x-gvfs-hide"
232 # Does not work for user mounts
233 #"x-systemd.automount"
234 "IdentityFile=/home/julm/.ssh/id_ed25519"
235 #"Compression=yes" # YMMV
236 # Disconnect approximately 2*15=30 seconds after a network failure
237 "ServerAliveCountMax=1"
238 "ServerAliveInterval=15"
239 ];
240 };
241 };
242 };
243 */
244 /*
245 Automounting does not work without root privileges
246 systemd.user.automounts = {
247 mnt-aubergine = {
248 Install = {
249 WantedBy = ["user.target"];
250 };
251 Unit = {
252 };
253 Automount = {
254 Where = "/mnt/aubergine";
255 TimeoutIdleSec = "5 min";
256 };
257 };
258 };
259 */
260 }