Merge branch 'main' into desktop

stusmall · Nov 30, 2024 · 09fcf9d · 09fcf9d
2 parents f0fbfd0 + ca04aff
commit 09fcf9d
Show file tree

Hide file tree

Showing 9 changed files with 106 additions and 53 deletions.
diff --git a/base.nix b/base.nix
@@ -5,6 +5,7 @@
     [
       <home-manager/nixos>
       ./modules/antivirus.nix
+      ./modules/firefox.nix
       ./modules/gnome.nix
       ./modules/jetbrains.nix
       ./modules/opensnitch.nix
@@ -55,7 +56,6 @@
   services.printing.enable = true;
 
   # Enable sound with pipewire.
-  sound.enable = true;
   hardware.pulseaudio.enable = false;
   security.rtkit.enable = true;
   services.pipewire = {
@@ -91,11 +91,10 @@
     operation = "boot";
   };
 
-  # Limit the parallelism of nix rebuilds.  When left on the default it uses all available resources which can make the
-  # system unusable.
-  nix.settings = {
-    cores = 2;
-    max-jobs = 2;
+  # Limit nix rebuilds priority.  When left on the default is uses all available reouses which can make the system unusable
+  nix = {
+    daemonCPUSchedPolicy = "idle";
+    daemonIOSchedClass = "idle";
   };
 
   # Enable udev settings for yubikey personalization
@@ -123,9 +122,6 @@
   # This is the service that lets you pick power profiles in the gnome UI.  It conflicts with auto-cpufreq
   services.power-profiles-daemon.enable = false;
 
-  # Enable zram
-  zramSwap.enable = true;
-
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave

diff --git a/bootstrap.sh b/bootstrap.sh
@@ -37,9 +37,8 @@ esac
 done
 
 echo "Setting up channels"
-sudo nix-channel --add https://nixos.org/channels/nixos-24.05 nixos
-sudo nix-channel --add https://nixos.org/channels/nixos-unstable nixos-unstable
-sudo nix-channel --add https://github.com/nix-community/home-manager/archive/release-24.05.tar.gz home-manager
+sudo nix-channel --add https://nixos.org/channels/nixos-24.11 nixos
+sudo nix-channel --add https://github.com/nix-community/home-manager/archive/release-24.11.tar.gz home-manager
 sudo nix-channel --update
 
 echo "Rebuilding the OS"

diff --git a/dell.nix b/dell.nix
@@ -34,20 +34,16 @@
       fsType = "vfat";
     };
 
-  swapDevices = [ ];
+  swapDevices = [{
+    device = "/var/lib/swapfile";
+    size = 16 * 1024;
+  }];
 
   networking.useDHCP = lib.mkDefault true;
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 
-  # Enable OpenGL
-  hardware.opengl = {
-    enable = true;
-    driSupport = true;
-    driSupport32Bit = true;
-  };
-
   # Load nvidia driver for Xorg and Wayland
   services.xserver.videoDrivers = [ "nvidia" ];
 

diff --git a/home.nix b/home.nix
@@ -1,7 +1,4 @@
 { lib, pkgs, ... }:
-
-
-
 {
   home.username = "stusmall";
   home.homeDirectory = "/home/stusmall";
@@ -14,7 +11,6 @@
     alacritty
     chromium
     dig
-    firefox
     gnupg
     htop
     jq
@@ -91,6 +87,7 @@
     };
   };
 
+
   programs.helix = {
     enable = true;
   };
@@ -146,6 +143,9 @@
     "org/gnome/shell/extensions/dash-to-dock" = {
       apply-custom-theme = true;
     };
+    "org/gnome/system/location" = {
+      enabled = false;
+    };
   };
 }
 
diff --git a/modules/firefox.nix b/modules/firefox.nix
@@ -0,0 +1,77 @@
+{ pkgs, lib, ... }:
+let
+  managed-firefox = (pkgs.firefox.override {
+    extraPolicies = {
+      AutofillCreditCardEnabled = false;
+      DisableFirefoxAccounts = true;
+      DisableFirefoxScreenshots = true;
+      DisableFirefoxStudies = true;
+      DisablePocket = true;
+      DisableTelemetry = true;
+      DontCheckDefaultBrowser = true;
+      EnableTrackingProtection = {
+        Value = true;
+        Locked = true;
+        Cryptomining = true;
+        Fingerprinting = true;
+        EmailTracking = true;
+      };
+      ExtensionSettings = {
+        "*".installation_mode = "blocked"; # blocks all addons except the ones specified below
+        # 1Password:
+        "{d634138d-c276-4fc8-924b-40a0ea21d284}" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/1password-x-password-manager/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # Facebook container
+        "@contain-facebook" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/facebook-container/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # LeechBlockNG
+        "[email protected]" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/leechblock-ng/latest.xpi";
+          installation_mode = "force_installed";
+        };
+        # ublock origin
+        "[email protected]" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi";
+          installation_mode = "force_installed";
+        };
+      };
+
+      FirefoxSuggest = {
+        WebSuggestions = false;
+        SponsoredSuggestions = false;
+        ImproveSuggest = false;
+        Locked = true;
+      };
+      PasswordManagerEnabled = false;
+      PictureInPicture = {
+        Enabled = true;
+        Locked = true;
+      };
+    };
+  });
+in
+{
+  environment.systemPackages = [
+    managed-firefox
+  ];
+
+
+  services.opensnitch.rules = {
+    rule-000-firefox = {
+      name = "Allow Firefox";
+      enabled = true;
+      action = "allow";
+      duration = "always";
+      operator = {
+        type = "simple";
+        sensitive = false;
+        operand = "process.path";
+        data = "${lib.getBin managed-firefox}/lib/firefox/firefox";
+      };
+    };
+  };
+}
diff --git a/modules/gnome.nix b/modules/gnome.nix
@@ -11,29 +11,19 @@
 
 
   environment.gnome.excludePackages = (with pkgs; [
-    gnome-photos
-    gnome-tour
-  ]) ++ (with pkgs.gnome; [
-    atomix
-    caribou
-    cheese
-    geary
     epiphany
+    geary
     gnome-calendar
     gnome-characters
     gnome-clocks
-    gnome-dictionary
     gnome-font-viewer
     gnome-keyring
     gnome-maps
     gnome-music
     gnome-remote-desktop
+    gnome-photos
     gnome-terminal
-    gnome-weather
-    hitori
-    iagno
-    tali
-    totem
+    gnome-tour
     yelp
   ]);
 
@@ -51,7 +41,7 @@
             type = "simple";
             sensitive = false;
             operand = "process.path";
-            data = "${lib.getBin pkgs.gnome.gnome-calculator}/bin/.gnome-calculator-wrapped";
+            data = "${lib.getBin pkgs.gnome-calculator}/bin/.gnome-calculator-wrapped";
           }
           {
             type = "regexp";

diff --git a/modules/jetbrains.nix b/modules/jetbrains.nix
@@ -20,13 +20,13 @@
             type = "simple";
             sensitive = false;
             operand = "process.path";
-            data = "${lib.getBin pkgs.jetbrains.jdk})/lib/openjdk/bin/java";
+            data = "${lib.getBin pkgs.jetbrains.jdk}/lib/openjdk/bin/java";
           }
           {
             type = "regexp";
             operand = "dest.host";
             sensitive = false;
-            data = "^(([a-z0-9|-]+\.)*jetbrains\.com|github\.com|([a-z0-9|-]+\.)*schemastore.org)$";
+            data = "^(([a-z0-9|-]+\.)*jetbrains\.com|github\.com|registry.npmjs.org|([a-z0-9|-]+\.)*schemastore.org)$";
           }
         ];
       };

diff --git a/modules/opensnitch.nix b/modules/opensnitch.nix
@@ -14,18 +14,6 @@
     enable = true;
     settings.DefaultAction = "deny";
     rules = {
-      rule-000-firefox = {
-        name = "Allow Firefox";
-        enabled = true;
-        action = "allow";
-        duration = "always";
-        operator = {
-          type = "simple";
-          sensitive = false;
-          operand = "process.path";
-          data = "${lib.getBin pkgs.firefox}/lib/firefox/firefox";
-        };
-      };
       rule-000-localhost = {
         name = "Allow all localhost";
         enabled = true;

diff --git a/modules/steam.nix b/modules/steam.nix
@@ -4,6 +4,13 @@
     steam
   ];
 
+  # We need 32bit versions of all the OpenGL etc libraries for steam to run
+  hardware.graphics.enable32Bit = true;
+
+  programs.steam = {
+    remotePlay.openFirewall = true;
+  };
+
   services.opensnitch.rules = {
     rule-500-steam = {
       name = "Allow Steam";
@@ -24,7 +31,7 @@
             type = "regexp";
             operand = "dest.host";
             sensitive = false;
-            data = "^(api.steampowered.com|([a-z0-9|-]+\.)*steamcontent.com|([a-z0-9|-]+\.)*steamstatic.com|([a-z0-9|-]+\.)*steamserver.net|steamcommunity.com|steamstore-a.akamaihd.net|([a-z0-9|-]+\.)*.steampowered.com)$";
+            data = "^(api.steampowered.com|([a-z0-9|-]+\.)*steamcontent.com|([a-z0-9|-]+\.)*steamstatic.com|([a-z0-9|-]+\.)*steamserver.net|steamcommunity.com|steamstore-a.akamaihd.net|steamuserimages-a.akamaihd.net|steamcommunity-a.akamaihd.net|([a-z0-9|-]+\.)*.steampowered.com|([a-z0-9|-]+\.)*.youtube.com)$";
           }
         ];
       };