The paranoia mode now also enables the firewall and closes down a couple
of small openSSH holes. `noexec` on the whole FS is left out as it will
make every existing PubSolarOS installation panic.
our defined value.
error: The option 'services.getty.autologinUser' has conflicting definition values:
- In '/nix/store/zyh8f18z0m1r9jppvdcdivfvfxg0j3fv-source/nixos/modules/profiles/installation-device.nix': "nixos"
- In '/nix/store/w82qigr5jqv9c6jhdrpdwixydk3rmbzw-source/modules/graphical': "pub-solar"
The swayidle command in the service was straight up broken; this commit
fixes that.
Environment Variables set in the `session-variables` file are now
correctly imported across the system. This fixes `EDITOR` defaulting to
`nano`.
This service is presumably useful for devices that need to ensure there
is an active internet connection before starting other systemd units.
This is neither the case for end-user devices as an active internet
connection is only needed after login nor the case for server-like
systems as they normally have a static / dhcp-based network configuration
which does not require switchable network configuration profiles.
The resumeDevice and kernel `resume` parameter were being used wrong.
Only `boot.resumeDevice` is necessary, and it should point at the _block
device_ that holds the swapfile. If you are running on encrypted
volumes, this means you will need to use the name of the *decrypted
block device* on which the swapfile sits.
This commit shuffles around some sway keybindings and improves the
screen recording experience by adding a small wrapper around `slurp` and
`wf-recorder` conveniently called `record-screen`.
* `$mod+F5` now reloads the sway configuration,
* `$mod+Ctrl+r` starts a screen recording (to stop it, go to workspace 7
and kill the process),
* `record-screen` and the firefox sharing indicator are both on
workspace 7 now, making it the "trash" workspace,
* `$mod+F1` and `$mod+Shift+h` now open Firefox with the docs of our
repository available under `help.local`.
* To not infuriate `qMasterPassword` users, that is now available under
`$mod+Shift+m` instead of `$mod+F1`.
Hibernation is now a core option:
```
pub-solar.core.hibernation.enable = true;
```
And there's a paranoia mode, that keeps the disk encrypted as much as
possible by enabling hibernation and removing the options for sleep,
screen locking.
Idle locking now hibernates, and it does it on very short notice.
nix-dram as default nix binary isn't worth the
maintenance work anymore, CI builds started
failing because of it:
https://ci.b12f.io/pub-solar/os/533/1/2
Automatic builds still happen each night and can be
checked in our fork of nix-dram:
https://github.com/pub-solar/nix-dram/actions
Users of nix-dram can continue to use it via devshells
or nix run github:dramforever/nix-dram -- --version
This commit removes the default, global `allowUnfree = true;` setting
and removes nonfree packages where I could find them. Tested by building
the `PubSolarOS` host once.
This adds a barebones CI-runner module with the following option:
`pub-solar.ci-runner.enable`
If enabled, this will start a systemd service on boot that runs
`drone-runner-exec`. The configuration expects you to have a file called
`secrets/drone-runner-exec-config` handled by agenix that gets put into
`/run/agenix/drone-runner-exec-config` and is owned by root.
This file should contain a configuration similar to the following:
```
CLIENT_DRONE_RPC_PROTO=https
CLIENT_DRONE_RPC_HOST=drone.company.com
CLIENT_DRONE_RPC_SECRET=super-duper-secret
```
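A pre-start audit for the file described above, as an added example that is not part of the original commit or of the pub-solar module: it checks the owner, rejects any group/other permission bits, and confirms the three settings are present. The function names are hypothetical, GNU `stat` is assumed, and the sample file is constructed from the placeholder values shown above.

```shell
#!/usr/bin/env bash
# Added example: audit a drone-runner-exec config file before the runner starts.

# check_runner_config FILE [EXPECTED_UID]
# Returns 0 only if FILE is owned by EXPECTED_UID (default 0 = root), grants
# nothing to group/other, and sets all three RPC variables to non-empty values.
check_runner_config() (
  file=$1
  want_uid=${2:-0}
  rc=0
  [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }

  uid=$(stat -c '%u' "$file")    # GNU stat: numeric owner
  mode=$(stat -c '%a' "$file")   # GNU stat: octal mode, e.g. 400
  if [ "$uid" != "$want_uid" ]; then
    echo "owner uid is $uid, expected $want_uid" >&2
    rc=1
  fi
  # Any group/other bit exposes CLIENT_DRONE_RPC_SECRET to other local users.
  if [ $(( 0$mode & 077 )) -ne 0 ]; then
    echo "mode $mode grants group/other access" >&2
    rc=1
  fi
  for key in CLIENT_DRONE_RPC_PROTO CLIENT_DRONE_RPC_HOST CLIENT_DRONE_RPC_SECRET; do
    # Require KEY=<non-empty value> at the start of a line.
    grep -Eq "^${key}=.+" "$file" || { echo "unset: $key" >&2; rc=1; }
  done
  return $rc
)

# make_sample_config: writes a constructed sample (placeholder values only)
# to a private temp file (mktemp creates it with mode 600) and prints its path.
make_sample_config() {
  f=$(mktemp)
  printf '%s\n' \
    'CLIENT_DRONE_RPC_PROTO=https' \
    'CLIENT_DRONE_RPC_HOST=drone.company.com' \
    'CLIENT_DRONE_RPC_SECRET=super-duper-secret' > "$f"
  echo "$f"
}

# Usage on a deployed host (path from the commit message above):
#   check_runner_config /run/agenix/drone-runner-exec-config
```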
Adds a `config.pub-solar.audio.spotify` option that when enabled
installs and configures `spotifyd` as a systemd daemon and `spotify-tui`
as the terminal-based UI.
After enabling, run `spt` in the terminal to open the UI.
In Deno projects `tsserver` is less than ideal. This PR starts `denols`
instead of `tsserver` if `nvim` finds the `NVIM_USE_DENOLS` variable
when reading the lsp config.
home: follow release-22.05 branch
Fixes for upstream changes:
ag renamed to silver-searcher, extfat-utils is now exfat, lots of
overrides no longer needed, as they're now in the release branch,
services.caddy.config split up into globalConfig and extraConfig
The Firefox sharing indicator sometimes doesn't like to float like it
should, and when it does, it usually floats over UI elements you'd like
to use.
Moving it to sway workspace 7 should get it mostly out of the way.
This change allows you to start wayvnc anytime your sway session starts.
For hosts where you want to enable this, you'll need to generate the
certificate and keys, see:
https://github.com/any1/wayvnc#encryption--authentication
You can then add these to your secrets via agenix, and load them as
`vnc-key.pem` and `vnc-cert.pem` into `/run/secrets`.
Enable the wayvnc server via the option `pub-solar.sway.vnc.enable`.
At the time of writing, `tigervnc` appears to be a good vnc client to
use.