usernix: Fixes following testing
This commit is contained in:
		
							parent
							
								
									8b78cad60c
								
							
						
					
					
						commit
						e1c041368b
					
				
					 3 changed files with 59 additions and 18 deletions
				
			
		|  | @ -48,8 +48,12 @@ then | ||||||
|     "$nix_installer" --no-daemon --yes --no-channel-add --no-modify-profile |     "$nix_installer" --no-daemon --yes --no-channel-add --no-modify-profile | ||||||
| fi | fi | ||||||
| 
 | 
 | ||||||
|  | # TODO This installs nix in nix-env, which conflicts with home-manager activation. | ||||||
|  | # Workaround is temporarily set /nix/store-xxx-nix/bin in PATH | ||||||
|  | 
 | ||||||
| . "$nix_profile_path" | . "$nix_profile_path" | ||||||
| 
 | 
 | ||||||
| "${SCRIPT_DIR}/add_channels.sh" | # TODO Useful the first time, but it becomes a bit long after a while | ||||||
|  | # "${SCRIPT_DIR}/add_channels.sh" | ||||||
| 
 | 
 | ||||||
| exec "$@" | exec "$@" | ||||||
|  |  | ||||||
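Review bot: The new TODO comment describes a workaround (putting the nix package's bin directory first in PATH) but nothing in the hunk applies it, so a reader cannot tell whether the nix-env conflict with home-manager activation is handled by this script, by its caller, or still open; I'd make the comment say which, e.g. `# TODO nix-env install conflicts with home-manager activation; workaround (nix bin dir first in PATH) is NOT applied here yet`. Commenting out the `add_channels.sh` call drops the first-run setup entirely rather than making it optional; an opt-in guard such as `[ -z "${SKIP_CHANNELS:-}" ] && "${SCRIPT_DIR}/add_channels.sh"` (variable name is just an example) keeps the one-time path reachable without the per-run cost. The `if` that the visible `fi` closes starts above the hunk.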
|  | @ -129,7 +129,7 @@ in | ||||||
|                   "${mod}+Shift+d" = "${rofi} -modi drun -show drun"; |                   "${mod}+Shift+d" = "${rofi} -modi drun -show drun"; | ||||||
|                   # Start Applications |                   # Start Applications | ||||||
|                   "${mod}+Return" = "exec ${ |                   "${mod}+Return" = "exec ${ | ||||||
|             pkgs.writeShellScript "terminal" "${config.programs.alacritty.package}/bin/alacritty msg create-window || exec ${config.programs.alacritty.package}/bin/alacritty -e zsh" |             pkgs.writeShellScript "terminal" "${config.programs.alacritty.package}/bin/alacritty msg create-window -e zsh || exec ${config.programs.alacritty.package}/bin/alacritty -e zsh" | ||||||
|             # -e zsh is for systems where I can't configure my user's shell |             # -e zsh is for systems where I can't configure my user's shell | ||||||
|             # TODO Is a shell script even required? |             # TODO Is a shell script even required? | ||||||
|           }"; |           }"; | ||||||
|  |  | ||||||
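Review bot: The alacritty binary path is now spelled out twice inside the same writeShellScript string, and the bug this commit fixes is precisely that the two branches had drifted apart (only the fallback passed `-e zsh`); hoisting the path into the enclosing `let`, e.g. `alacritty = "${config.programs.alacritty.package}/bin/alacritty";`, and writing `"${alacritty} msg create-window -e zsh || exec ${alacritty} -e zsh"` makes future drift less likely. The `-e zsh` comment below the string now applies to both branches, so it could say so. The enclosing attribute set starts and ends outside the hunk.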
|  | @ -1,6 +1,7 @@ | ||||||
| { pkgs, lib, config, ... }: | { pkgs, lib, config, ... }: | ||||||
| let | let | ||||||
|   ensureNixPath = "${config.xdg.configHome}/dotfiles/ensure_nix.sh"; |   ensureNixPath = "${config.xdg.configHome}/dotfiles/ensure_nix.sh"; | ||||||
|  |   # TODO Can we maybe use a lighter version of this? | ||||||
| in | in | ||||||
| { | { | ||||||
|   config = lib.mkIf config.frogeye.userNix { |   config = lib.mkIf config.frogeye.userNix { | ||||||
|  | @ -9,43 +10,79 @@ in | ||||||
|       # is started outside of it, so it cannot access /nix. So we need to: |       # is started outside of it, so it cannot access /nix. So we need to: | ||||||
|       # - Ensure files systemd access aren't via /nix. |       # - Ensure files systemd access aren't via /nix. | ||||||
|       #     Sometimes there's multiple layers of redirection, so easiest way is |       #     Sometimes there's multiple layers of redirection, so easiest way is | ||||||
|       #     to copy the file outside the repository, but if using regular files |       #     to copy the file outside the store. | ||||||
|       #     directly home-manager will complain that it will overwrite |  | ||||||
|       #     something it didn't write. |  | ||||||
|       # - Wrap services entrypoints into a proot wrapper |       # - Wrap services entrypoints into a proot wrapper | ||||||
|       prootSystemd = lib.hm.dag.entryAfter [ "linkGeneration" ] [ "reloadSystemd" ] '' |       prootSystemd = lib.hm.dag.entryBetween [ "reloadSystemd" ] [ "linkGeneration" ] '' | ||||||
|         cd ${config.xdg.configHome}/systemd/user |         cd ${config.xdg.configHome}/systemd/user | ||||||
|         ${pkgs.findutils}/bin/find . -type l | while read path |         ${pkgs.findutils}/bin/find . -maxdepth 1 -type l | while read path | ||||||
|         do |         do | ||||||
|           ${pkgs.gnused}/bin/sed 's|^Exec\S\+=|\0${ensureNixPath} |' "$path" > "''${path}-proot" |           temp="$(mktemp -p "$PWD")" | ||||||
|           rm "$path" |           ${pkgs.gnused}/bin/sed 's|^Exec\S\+=|\0${ensureNixPath} |' "$path" > "$temp" | ||||||
|           ln -s "''${path}-proot" "$path" |           $DRY_RUN_CMD mv $VERBOSE_ARG "$temp" "$path" | ||||||
|  |           rm -f "$temp" | ||||||
|         done |         done | ||||||
|  |         # Targets (need to be symlinks to original) | ||||||
|  |         ${pkgs.findutils}/bin/find . -mindepth 2 -maxdepth 2 -type l | while read path | ||||||
|  |         do | ||||||
|  |           $DRY_RUN_CMD rm $VERBOSE_ARG "$path" | ||||||
|  |           $DRY_RUN_CMD ln $VERBOSE_ARG -s "../$(basename "$path")" "$path" | ||||||
|  |         done | ||||||
|  |       ''; | ||||||
|  |       # Unless files were created by HM, it will complain that something is in the way, so we delete them. | ||||||
|  |       # This is very ugly, as you're not supposed to write things before writeBoundary, but hey | ||||||
|  |       prootSystemdClean = lib.hm.dag.entryBefore [ "checkLinkTargets" ] '' | ||||||
|  |         $DRY_RUN_CMD rm $VERBOSE_ARG -rf ${config.xdg.configHome}/systemd/user | ||||||
|       ''; |       ''; | ||||||
|       # I wonder if it's possible to do this in a slightly more Nix way, without causing infinite recursion |       # I wonder if it's possible to do this in a slightly more Nix way, without causing infinite recursion | ||||||
| 
 | 
 | ||||||
|       # Create a graphical entrypoint by overriding one of the OS programs |       # Create a graphical entrypoint by overriding one of the OS programs | ||||||
|       graphicalEntrypoints = |       graphicalEntrypoints = | ||||||
|         let |         let | ||||||
|  |           graphicalBin = "${config.home.homeDirectory}/.local/bin"; | ||||||
|  |           graphicalProfile = pkgs.writeTextFile { | ||||||
|  |             name = "graphical-profile"; | ||||||
|  |             text = '' | ||||||
|  |               export PATH="${graphicalBin}:$PATH" | ||||||
|  |             ''; | ||||||
|  |           }; | ||||||
|           graphicalEntrypoint = pkgs.writeTextFile { |           graphicalEntrypoint = pkgs.writeTextFile { | ||||||
|             name = "graphical-entrypoint"; |             name = "graphical-entrypoint"; | ||||||
|             text = '' |             text = '' | ||||||
|               #!/usr/bin/env sh |               #!/bin/sh | ||||||
|               exec ${ensureNixPath} ${config.xsession.scriptPath} |               exec ${ensureNixPath} ${config.xsession.scriptPath} | ||||||
|             ''; |             ''; | ||||||
|             executable = true; |             executable = true; | ||||||
|           }; |           }; | ||||||
|         in |         in | ||||||
|         lib.mkIf config.frogeye.desktop.xorg |         # lib.mkIf config.frogeye.desktop.xorg # TODO Removed because wrong ordering or something? | ||||||
|         lib.hm.dag.entryAfter [ "writeBoundary" ] '' |         lib.hm.dag.entryAfter [ "writeBoundary" ] '' | ||||||
|           cp -f ${graphicalEntrypoint} ${config.home.homeDirectory}/.local/bin/cinnamon-session-cinnamon |           $DRY_RUN_CMD cp $VERBOSE_ARG -L -f ${graphicalProfile} ${config.home.homeDirectory}/.xprofile | ||||||
|  |           $DRY_RUN_CMD cp $VERBOSE_ARG -L -f ${graphicalEntrypoint} ${graphicalBin}/cinnamon-session-cinnamon | ||||||
|         ''; |         ''; | ||||||
|     }; |     }; | ||||||
| 
 | 
 | ||||||
|  |     # Ubuntu gives you this for some reason, but it just makes warnings | ||||||
|  |     xsession.initExtra = '' | ||||||
|  |       unset LD_PRELOAD | ||||||
|  |     ''; | ||||||
|  | 
 | ||||||
|     # Some systemd options don't work if you're running a proot inside, so they need to be relaxed |     # Some systemd options don't work if you're running a proot inside, so they need to be relaxed | ||||||
|     # TODO Following is what's necessary to remove for Syncthing to work. Might be applicable on all services. |     systemd.user = { | ||||||
|     # PrivateUsers=true |       services = { | ||||||
|     # RestrictNamespaces=true |         mpd.Service = { | ||||||
|     # SystemCallFilter=@system-service |           # This tries to override PATH for some reason, which makes ensure_nix not work | ||||||
|  |           Environment = lib.mkForce [ ]; | ||||||
|  |           # Since we're wrapping in ensure_nix, notifications for Type=notify | ||||||
|  |           # will come from a process lower | ||||||
|  |           NotifyAccess = "all"; | ||||||
|  |         }; | ||||||
|  |         # Below might be applicable on all services that use those options, but none is to test right now | ||||||
|  |         syncthing.Service = { | ||||||
|  |           PrivateUsers = lib.mkForce [ ]; | ||||||
|  |           RestrictNamespaces = lib.mkForce [ ]; | ||||||
|  |           SystemCallFilter = lib.mkForce [ ]; | ||||||
|  |         }; | ||||||
|  |       }; | ||||||
|  |     }; | ||||||
|   }; |   }; | ||||||
| } | } | ||||||
|  |  | ||||||
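Review bot: The new `prootSystemdClean` step does an unconditional `rm -rf` of the whole `systemd/user` directory on every activation, which also removes any unit files or drop-ins the user placed there by hand, not only what `prootSystemd` rewrote; the path is also unquoted, so a home directory containing whitespace would split it. At minimum I'd quote it, `$DRY_RUN_CMD rm $VERBOSE_ARG -rf "${config.xdg.configHome}/systemd/user"`, and ideally narrow the deletion to entries this module produced (the depth-1 regular files and depth-2 relative symlinks that `prootSystemd` creates), rather than the whole tree. In both `find … | while read path` loops, `read` should be `IFS= read -r path` so backslashes and leading whitespace in unit names are not mangled. Whether a failing `sed` in the first loop still lets `mv` replace the unit with an empty file depends on the activation script's shell options, which are not visible here — worth confirming.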