From 8d9f5edc2e489030309f080f568315f336738b83 Mon Sep 17 00:00:00 2001 From: Vinzenz Schroeter Date: Sun, 12 Oct 2025 13:00:15 +0200 Subject: [PATCH 1/6] the most starship configuration --- homeConfigurations/vinzenz/starship.nix | 164 ++++++++++++++++++++---- 1 file changed, 142 insertions(+), 22 deletions(-) diff --git a/homeConfigurations/vinzenz/starship.nix b/homeConfigurations/vinzenz/starship.nix index 1478bf3..480c748 100644 --- a/homeConfigurations/vinzenz/starship.nix +++ b/homeConfigurations/vinzenz/starship.nix @@ -10,19 +10,21 @@ format = "[](fg:color_r)[$username $os $hostname ($container )](bg:color_r fg:text_r)[ ](fg:color_r bg:color_g)" + "[$directory ](bg:color_g fg:text_g)[ ](fg:color_g bg:color_b)" - + "([($git_state$git_branch$git_commit$git_status)" - + "$all](bg:color_b fg:text_b))[ ](fg:color_b)" - + "$cmd_duration" - + "$line_break$character$status > "; + + "([(\\[$git_state$git_branch$git_commit$git_status\\] )" + + "$all](bg:color_b fg:text_b))[](fg:color_b bg:color_y)" + + "([ $cmd_duration$status](bg:color_y fg:text_y))[](fg:color_y)" + + "$line_break$character "; palette = "color_me_surprised"; palettes.color_me_surprised = { - "color_r" = "red"; - "color_g" = "green"; - "color_b" = "blue"; + "color_r" = "#a30262"; + "color_g" = "#d162a4"; + "color_b" = "#5BCEFA"; + "color_y" = "white"; "text_r" = "white"; "text_g" = "black"; - "text_b" = "white"; + "text_b" = "black"; + "text_y" = "black"; }; username = { @@ -30,6 +32,9 @@ style_user = "bg:color_r fg:text_r"; style_root = "bold bg:color_r fg:text_r"; show_always = true; + aliases = { + "vinzenz" = "müde"; + }; }; os = { disabled = false; 
@@ -65,19 +70,21 @@ }; git_state = { - style = "fg:white bg:color_b"; + style = "fg:text_b bg:color_b"; }; git_branch = { - style = "fg:white bg:color_b"; + style = "fg:text_b bg:color_b"; format = "[$symbol $branch(:$remote_branch) ]($style)"; + symbol = ""; }; git_commit = { format = "[$hash$tag ]($style)"; - style = "fg:white bg:color_b"; + style = "fg:text_b bg:color_b"; + tag_symbol = ""; }; git_status = { - format = "[$all_status$ahead_behind ]($style)"; - style = "fg:white bg:color_b"; + format = "[$all_status$ahead_behind]($style)"; + style = "fg:text_b bg:color_b"; ahead = "⇡$count"; behind = "⇣$count"; diverged = "⇕⇡$ahead_count⇣$behind_count"; @@ -91,26 +98,27 @@ rust = { symbol = "󱘗"; format = "$symbol$version "; - version_format = "$\{raw\}"; + version_format = "$major.$minor"; }; nix_shell = { symbol = ""; format = "$symbol( \($name\))"; }; - character = { - success_symbol = "[](bold fg:green)"; - error_symbol = "[✗](bold fg:color_r)"; - }; status = { disabled = false; format = "[$symbol$status_common_meaning$status_signal_name$status_maybe_int]($style)"; map_symbol = true; pipestatus = true; - symbol = "🔴"; + style = "bg:color_y fg:text_y"; }; cmd_duration = { - format = "[󱦟 $duration]($style)"; + format = "󱦟 $duration "; + }; + + character = { + success_symbol = "[](bold)"; + error_symbol = "[✗](bold fg:color_r)"; }; # icons @@ -130,8 +138,6 @@ fennel.symbol = ""; fossil_branch.symbol = ""; gcloud.symbol = " "; - git_branch.symbol = ""; - git_commit.tag_symbol = " "; golang.symbol = ""; guix_shell.symbol = ""; haskell.symbol = ""; 
@@ -205,6 +211,120 @@ zig.symbol = ""; gradle.symbol = ""; + palettes = { + catppuccin_mocha = { + rosewater = "#f5e0dc"; + flamingo = "#f2cdcd"; + pink = "#f5c2e7"; + mauve = "#cba6f7"; + red = "#f38ba8"; + maroon = "#eba0ac"; + peach = "#fab387"; + yellow = "#f9e2af"; + green = "#a6e3a1"; + teal = "#94e2d5"; + sky = "#89dceb"; + sapphire = "#74c7ec"; + blue = "#89b4fa"; + lavender = "#b4befe"; + text = "#cdd6f4"; + subtext1 = "#bac2de"; + subtext0 = "#a6adc8"; + overlay2 = "#9399b2"; + overlay1 = "#7f849c"; + overlay0 = "#6c7086"; + surface2 = "#585b70"; + surface1 = "#45475a"; + surface0 = "#313244"; + base = "#1e1e2e"; + mantle = "#181825"; + crust = "#11111b"; + }; + catppuccin_frappe = { + rosewater = "#f2d5cf"; + flamingo = "#eebebe"; + pink = "#f4b8e4"; + mauve = "#ca9ee6"; + red = "#e78284"; + maroon = "#ea999c"; + peach = "#ef9f76"; + yellow = "#e5c890"; + green = "#a6d189"; + teal = "#81c8be"; + sky = "#99d1db"; + sapphire = "#85c1dc"; + blue = "#8caaee"; + lavender = "#babbf1"; + text = "#c6d0f5"; + subtext1 = "#b5bfe2"; + subtext0 = "#a5adce"; + overlay2 = "#949cbb"; + overlay1 = "#838ba7"; + overlay0 = "#737994"; + surface2 = "#626880"; + surface1 = "#51576d"; + surface0 = "#414559"; + base = "#303446"; + mantle = "#292c3c"; + crust = "#232634"; + }; + catppuccin_latte = { + rosewater = "#dc8a78"; + flamingo = "#dd7878"; + pink = "#ea76cb"; + mauve = "#8839ef"; + red = "#d20f39"; + maroon = "#e64553"; + peach = "#fe640b"; + yellow = "#df8e1d"; + green = "#40a02b"; + teal = "#179299"; + sky = "#04a5e5"; + sapphire = "#209fb5"; + blue = "#1e66f5"; + lavender = "#7287fd"; + text = "#4c4f69"; + subtext1 = "#5c5f77"; + subtext0 = "#6c6f85"; + overlay2 = "#7c7f93"; + overlay1 = "#8c8fa1"; + overlay0 = "#9ca0b0"; + surface2 = "#acb0be"; + surface1 = "#bcc0cc"; + surface0 = "#ccd0da"; + base = "#eff1f5"; + mantle = "#e6e9ef"; + crust = "#dce0e8"; + }; + catppuccin_macchiato = { + rosewater = "#f4dbd6"; + flamingo = "#f0c6c6"; + pink = "#f5bde6"; + mauve = 
"#c6a0f6"; + red = "#ed8796"; + maroon = "#ee99a0"; + peach = "#f5a97f"; + yellow = "#eed49f"; + green = "#a6da95"; + teal = "#8bd5ca"; + sky = "#91d7e3"; + sapphire = "#7dc4e4"; + blue = "#8aadf4"; + lavender = "#b7bdf8"; + text = "#cad3f5"; + subtext1 = "#b8c0e0"; + subtext0 = "#a5adcb"; + overlay2 = "#939ab7"; + overlay1 = "#8087a2"; + overlay0 = "#6e738d"; + surface2 = "#5b6078"; + surface1 = "#494d64"; + surface0 = "#363a4f"; + base = "#24273a"; + mantle = "#1e2030"; + crust = "#181926"; + }; + }; }; }; } From 9c840ba61ddc162e68e6fe0c580737280884d6d5 Mon Sep 17 00:00:00 2001 From: Vinzenz Schroeter Date: Sun, 12 Oct 2025 15:16:44 +0200 Subject: [PATCH 2/6] add servicepoint-tanks service --- flake.lock | 66 ++++++++++ flake.nix | 15 ++- homeConfigurations/vinzenz/vscode.nix | 1 + nixosConfigurations/vinzenz-lpt2/default.nix | 8 ++ nixosModules/servicepoint-tanks.nix | 121 +++++++++++++++++++ 5 files changed, 207 insertions(+), 4 deletions(-) create mode 100644 nixosModules/servicepoint-tanks.nix diff --git a/flake.lock b/flake.lock index f0e3317..5b7de92 100644 --- a/flake.lock +++ b/flake.lock 
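Review bot: The four `catppuccin_*` palettes added in `@@ -205,6 +211,120 @@` are never selected, because `palette = "color_me_surprised"` earlier in this patch is left as is, so they are dead configuration until something switches to them. `palettes` also now appears to be defined twice in the same `settings` set (`palettes.color_me_surprised = …` near the top and this `palettes = { … }`); Nix merges two attribute-set literals, but keeping them in one place, or a comment such as `# alternative palettes, select with palette = "catppuccin_mocha"`, would make the intent visible. Indentation is lost in this listing, so the nesting is inferred.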
@@ -1,5 +1,49 @@ { "nodes": { + "binding": { + "inputs": { + "binding": "binding_2", + "nixpkgs": [ + "servicepoint-tanks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1759096792, + "narHash": "sha256-CW4D1yJecw7Id6AxIEJOW3OpcX3Y4Ehng76/YlR1I9w=", + "ref": "refs/heads/main", + "rev": "8df2996504866f3193fbe51860ab173d25724e5e", + "revCount": 307, + "type": "git", + "url": "https://git.berlin.ccc.de/servicepoint/servicepoint-binding-csharp.git" + }, + "original": { + "type": "git", + "url": "https://git.berlin.ccc.de/servicepoint/servicepoint-binding-csharp.git" + } + }, + "binding_2": { + "inputs": { + "nixpkgs": [ + "servicepoint-tanks", + "binding", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1759093963, + "narHash": "sha256-nis9Xps/P1f/v9FC3LoMLGGCOMMbdrOniDSklqLsH8o=", + "ref": "refs/heads/main", + "rev": "44ef4bb6d707c46af1bed6244f17a16f26f246c1", + "revCount": 304, + "type": "git", + "url": "https://git.berlin.ccc.de/servicepoint/servicepoint-binding-uniffi.git" + }, + "original": { + "type": "git", + "url": "https://git.berlin.ccc.de/servicepoint/servicepoint-binding-uniffi.git" + } + }, "fenix": { "inputs": { "nixpkgs": [ @@ -281,6 +325,7 @@ "nixpkgs-unstable": "nixpkgs-unstable", "servicepoint-cli": "servicepoint-cli", "servicepoint-simulator": "servicepoint-simulator", + "servicepoint-tanks": "servicepoint-tanks", "zerforschen-plus": "zerforschen-plus" } }, 
@@ -362,6 +407,27 @@ "url": "https://git.berlin.ccc.de/servicepoint/servicepoint-simulator.git" } }, + "servicepoint-tanks": { + "inputs": { + "binding": "binding", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1760271116, + "narHash": "sha256-cdQwPsIryhPrv3Cr99Wupmlj7zycJWk+tDH24TbpqFY=", + "ref": "refs/heads/main", + "rev": "f814eeedc16455c0c9c2c83e28e227633ae4b52a", + "revCount": 217, + "type": "git", + "url": "https://git.berlin.ccc.de/vinzenz/servicepoint-tanks.git" + }, + "original": { + "type": "git", + "url": "https://git.berlin.ccc.de/vinzenz/servicepoint-tanks.git" + } + }, "systems": { "locked": { "lastModified": 1681028828, diff --git a/flake.nix b/flake.nix index 863a4c0..b9d02da 100644 --- a/flake.nix +++ b/flake.nix @@ -14,6 +14,11 @@ inputs.nixpkgs-stable.follows = "nixpkgs"; }; + nix-vscode-extensions = { + url = "github:nix-community/nix-vscode-extensions"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + zerforschen-plus = { url = "git+https://git.berlin.ccc.de/vinzenz/zerforschen.plus"; inputs.nixpkgs.follows = "nixpkgs"; @@ -29,8 +34,8 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - nix-vscode-extensions = { - url = "github:nix-community/nix-vscode-extensions"; + servicepoint-tanks = { + url = "git+https://git.berlin.ccc.de/vinzenz/servicepoint-tanks.git"; inputs.nixpkgs.follows = "nixpkgs"; }; }; @@ -43,10 +48,10 @@ niri, zerforschen-plus, nixpkgs-unstable, + nix-vscode-extensions, servicepoint-cli, servicepoint-simulator, - nix-vscode-extensions, - ... + servicepoint-tanks, }: let devices = { @@ -247,10 +252,12 @@ self.nixosModules.nix-ld self.nixosModules.quiet-boot self.nixosModules.firmware-updates + self.nixosModules.servicepoint-tanks home-manager.nixosModules.home-manager servicepoint-simulator.nixosModules.default servicepoint-cli.nixosModules.default + servicepoint-tanks.nixosModules.default ]) ++ additional-modules; } 
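Review bot: Dropping `...` from the outputs argument pattern in `@@ -43,10 +48,10 @@` makes the pattern strict, so evaluation fails with an unexpected-argument error as soon as any declared input (or `self`) is missing from the list. The head of the pattern is outside the hunk, so I cannot confirm every input is covered; `nix-vscode-extensions` and `servicepoint-tanks` are, but any input added to `inputs` later must be added here too. If the strictness is intended as a guard against unused inputs, say so in a one-line comment; otherwise keep `...`.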
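Review bot: The module list in `@@ -247,10 +252,12 @@` now imports both `self.nixosModules.servicepoint-tanks` and `servicepoint-tanks.nixosModules.default`. If the upstream flake's default module declares the same `services.servicepoint-tanks` options as the in-repo module added in this commit, NixOS rejects the configuration because an option may only be declared once; patch 4 of this series drops the in-repo import again, which suggests exactly that happened. Import one of the two here, or document why both are needed.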
diff --git a/homeConfigurations/vinzenz/vscode.nix b/homeConfigurations/vinzenz/vscode.nix index c4ff381..73a09f3 100644 --- a/homeConfigurations/vinzenz/vscode.nix +++ b/homeConfigurations/vinzenz/vscode.nix @@ -22,6 +22,7 @@ mkhl.direnv muhammad-sammy.csharp davidanson.vscode-markdownlint + #mermaidchart.vscode-mermaid-chart ] ++ (with pkgs.vscode-extensions; [ vadimcn.vscode-lldb diff --git a/nixosConfigurations/vinzenz-lpt2/default.nix b/nixosConfigurations/vinzenz-lpt2/default.nix index 255dd7a..8d42e68 100644 --- a/nixosConfigurations/vinzenz-lpt2/default.nix +++ b/nixosConfigurations/vinzenz-lpt2/default.nix @@ -42,5 +42,13 @@ 8776 1337 ]; + + services.servicepoint-tanks = { + enable = true; + urls = [ + "http://localhost:5666" + "http://localhost:5667" + ]; + }; }; } diff --git a/nixosModules/servicepoint-tanks.nix b/nixosModules/servicepoint-tanks.nix new file mode 100644 index 0000000..67709f8 --- /dev/null +++ b/nixosModules/servicepoint-tanks.nix 
@@ -0,0 +1,121 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}:
+let
+ cfg = config.services.servicepoint-tanks;
+ default-user-name = "servicepoint-tanks";
+in
+{
+ options.services.servicepoint-tanks = {
+ enable = lib.mkEnableOption "servicepoint-tanks";
+ package = lib.mkPackageOption pkgs "servicepoint-tanks" { };
+ urls = lib.mkOption {
+ default = [ "http://localhost:5000" ];
+ description = ''
+ Configures which protocol to bind on which host:port combination.
+ '';
+ type = lib.types.listOf lib.types.str;
+ example = [
+ "http://0.0.0.0"
+ "http://localhost:5000"
+ # TODO: allow HTTPS
+ ];
+ };
+ user = lib.mkOption {
+ default = default-user-name;
+ description = ''
+ The user under which servicepoint-tanks is run.
+
+ This module utilizes systemd's DynamicUser feature. See the corresponding section in
+ {manpage}`systemd.exec(5)` for more details.
+ '';
+ type = lib.types.str;
+ };
+ group = lib.mkOption {
+ default = default-user-name;
+ description = ''
+ The group under which servicepoint-tanks is run.
+
+ This module utilizes systemd's DynamicUser feature. See the corresponding section in
+ {manpage}`systemd.exec(5)` for more details.
+ '';
+ type = lib.types.str;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ users = {
+ users = lib.mkIf (cfg.user == default-user-name) {
+ "${default-user-name}" = {
+ isSystemUser = true;
+ group = cfg.group;
+ };
+ };
+
+ groups = lib.mkIf (cfg.group == default-user-name) {
+ "${default-user-name}" = { };
+ };
+ };
+
+ systemd.services.sericepoint-tanks = {
+ description = "Run the servicepoint-tanks server";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+
+ environment = {
+ ASPNETCORE_URLS = "${lib.strings.concatStringsSep ";" cfg.urls}";
+ };
+
+ serviceConfig = {
+ User = cfg.user;
+ Group = cfg.group;
+ DynamicUser = true;
+
+ Type = "exec";
+ ExecStart = "${lib.getBin cfg.package}/bin/TanksServer";
+
+ # hardening
+ NoNewPrivileges = true;
+ CapabilityBoundingSet = null;
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ ];
+ SystemCallArchitectures = "native";
+ AmbientCapabilities = "";
+ PrivateMounts = true;
+ PrivateUsers = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectHome = true;
+ ProtectClock = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ ProtectControlGroups = "strict";
+ LockPersonality = true;
+ RemoveIPC = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RestrictNamespaces = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+
+ # TODO: enable unix domain socket bind
+ # "AF_UNIX"
+ ];
+
+ # TODO: try fully AOT build with:
+ #MemoryDenyWriteExecute = true;
+ };
+ };
+ };
+}
From f59d3f25bad4f800cd3df1b3b4a41b319aa99eb1 Mon Sep 17 00:00:00 2001
From: Vinzenz Schroeter
Date: Thu, 23 Oct 2025 20:15:13 +0200
Subject: [PATCH 3/6] rename user
---
nixosModules/user-vinzenz.nix | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
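Review bot: The unit is declared as `systemd.services.sericepoint-tanks` (missing `v`), so it is installed as `sericepoint-tanks.service`, unlike the option path, the package name and the default user `servicepoint-tanks` used everywhere else in this file; it should read `systemd.services.servicepoint-tanks = {`. The `user` and `group` descriptions say the module relies on `DynamicUser`, but with the default names the module also creates a static user and group via `users.users`/`users.groups`, and as I read `systemd.exec(5)` an existing static user of the configured name is used instead of allocating a dynamic one — either drop the static accounts or reword the descriptions to match what actually happens. `CapabilityBoundingSet = null;` also sits a few lines above `AmbientCapabilities = "";`; I am not certain how `null` is rendered into the unit file, whereas the empty string is the documented form for clearing a capability set, so the two should use the same form.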
diff --git a/nixosModules/user-vinzenz.nix b/nixosModules/user-vinzenz.nix index b48e750..13ccf11 100644 --- a/nixosModules/user-vinzenz.nix +++ b/nixosModules/user-vinzenz.nix @@ -3,7 +3,7 @@ users.users.vinzenz = { isNormalUser = true; name = "vinzenz"; - description = "Vinzenz"; + description = "müde"; home = "/home/vinzenz"; extraGroups = [ "networkmanager" From e3423c9b612d650705fc814ab9c2ed549dc5ad44 Mon Sep 17 00:00:00 2001 From: Vinzenz Schroeter Date: Thu, 23 Oct 2025 20:15:48 +0200 Subject: [PATCH 4/6] nix flake update, use nixosModule from tanks repo --- flake.lock | 81 ++++++------------- flake.nix | 3 +- nixosModules/nix-ld.nix | 1 + nixosModules/servicepoint-tanks.nix | 121 ---------------------------- 4 files changed, 26 insertions(+), 180 deletions(-) delete mode 100644 nixosModules/servicepoint-tanks.nix diff --git a/flake.lock b/flake.lock index 5b7de92..59dacee 100644 --- a/flake.lock +++ b/flake.lock @@ -90,24 +90,6 @@ "type": "github" } }, - "flake-utils": { - "inputs": { - "systems": "systems" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, "home-manager": { "inputs": { "nixpkgs": [ @@ -187,11 +169,11 @@ "xwayland-satellite-unstable": "xwayland-satellite-unstable" }, "locked": { - "lastModified": 1760106247, - "narHash": "sha256-6eoVSzv2sNlZx3wgIGvwYrbL8X/FpCb/5cw/N/f/v6c=", + "lastModified": 1761187190, + "narHash": "sha256-5ln16iOeWpEX5MO7M3jzFEBNFE42gpFsCvSvPjtF6tQ=", "owner": "sodiboo", "repo": "niri-flake", - "rev": "8ba0df9f335050044eddae848a7be8d9269ecc76", + "rev": "77a07f5d3b775fba67550c38122ebb8d3ee3ba1c", "type": "github" }, "original": { 
@@ -220,11 +202,11 @@ "niri-unstable": { "flake": false, "locked": { - "lastModified": 1759395653, - "narHash": "sha256-sv9J1z6CrTPf9lRJLyCN90fZVdQz7LFeX7pIlInH8BQ=", + "lastModified": 1760940149, + "narHash": "sha256-KbM47vD6E0cx+v4jYQZ8mD5N186AKm2CQlyh34TW58U=", "owner": "YaLTeR", "repo": "niri", - "rev": "ba6e5e082a79901dc89b0d49c5da1b769d652aec", + "rev": "b3245b81a6ed8edfaf5388a74d2e0a23c24941e5", "type": "github" }, "original": { @@ -265,17 +247,16 @@ }, "nix-vscode-extensions": { "inputs": { - "flake-utils": "flake-utils", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1760071578, - "narHash": "sha256-MZUsqax6PoXPDzhpLyduHoPY4CYYrzL97uKbsx/iGPE=", + "lastModified": 1761240986, + "narHash": "sha256-EjePxTz1P2cdFCPG+M33CGUpBVkD2W+zllZF0Cv1uDY=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "65365fe8c09b6c1b6bba1885a126723815376b1b", + "rev": "868d9f20e2d57e78cc53598f760c547a516f6ba7", "type": "github" }, "original": { @@ -286,11 +267,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1759994382, - "narHash": "sha256-wSK+3UkalDZRVHGCRikZ//CyZUJWDJkBDTQX1+G77Ow=", + "lastModified": 1761016216, + "narHash": "sha256-G/iC4t/9j/52i/nm+0/4ybBmAF4hzR8CNHC75qEhjHo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5da4a26309e796daa7ffca72df93dbe53b8164c7", + "rev": "481cf557888e05d3128a76f14c76397b7d7cc869", "type": "github" }, "original": { @@ -302,11 +283,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1759977445, - "narHash": "sha256-LYr4IDfuihCkFAkSYz5//gT2r1ewcWBYgd5AxPzPLIo=", + "lastModified": 1760965567, + "narHash": "sha256-0JDOal5P7xzzAibvD0yTE3ptyvoVOAL0rcELmDdtSKg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2dad7af78a183b6c486702c18af8a9544f298377", + "rev": "cb82756ecc37fa623f8cf3e88854f9bf7f64af93", "type": "github" }, "original": { 
@@ -415,34 +396,20 @@ ] }, "locked": { - "lastModified": 1760271116, - "narHash": "sha256-cdQwPsIryhPrv3Cr99Wupmlj7zycJWk+tDH24TbpqFY=", - "ref": "refs/heads/main", - "rev": "f814eeedc16455c0c9c2c83e28e227633ae4b52a", - "revCount": 217, + "lastModified": 1760288584, + "narHash": "sha256-2eY1f4LV9s5Hc/tb1iuJYPewE4Seyeguf7VdzC9bbbo=", + "ref": "service-improvements", + "rev": "1bb73d664dac78c5d69a02ae67169d76cca7aab4", + "revCount": 218, "type": "git", "url": "https://git.berlin.ccc.de/vinzenz/servicepoint-tanks.git" }, "original": { + "ref": "service-improvements", "type": "git", "url": "https://git.berlin.ccc.de/vinzenz/servicepoint-tanks.git" } }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "xwayland-satellite-stable": { "flake": false, "locked": { @@ -463,11 +430,11 @@ "xwayland-satellite-unstable": { "flake": false, "locked": { - "lastModified": 1759707084, - "narHash": "sha256-0pkftKs6/LReNvxw7DVTN2AJEheZVgyeK0Aarbagi70=", + "lastModified": 1761173223, + "narHash": "sha256-FumZh+fPRaKXkl9Y1uTh5KV7Io/AyOZso+UkqLhLArs=", "owner": "Supreeeme", "repo": "xwayland-satellite", - "rev": "a9188e70bd748118b4d56a529871b9de5adb9988", + "rev": "bf745144acda1343934e9a094cf9458a54d57889", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index b9d02da..b046911 100644 --- a/flake.nix +++ b/flake.nix @@ -35,7 +35,7 @@ }; servicepoint-tanks = { - url = "git+https://git.berlin.ccc.de/vinzenz/servicepoint-tanks.git"; + url = "git+https://git.berlin.ccc.de/vinzenz/servicepoint-tanks.git?ref=service-improvements"; inputs.nixpkgs.follows = "nixpkgs"; }; }; 
@@ -252,7 +252,6 @@ self.nixosModules.nix-ld self.nixosModules.quiet-boot self.nixosModules.firmware-updates - self.nixosModules.servicepoint-tanks home-manager.nixosModules.home-manager servicepoint-simulator.nixosModules.default diff --git a/nixosModules/nix-ld.nix b/nixosModules/nix-ld.nix index 382aa3d..0d09078 100644 --- a/nixosModules/nix-ld.nix +++ b/nixosModules/nix-ld.nix @@ -17,6 +17,7 @@ util-linux xz systemd + icu ]; }; } diff --git a/nixosModules/servicepoint-tanks.nix b/nixosModules/servicepoint-tanks.nix deleted file mode 100644 index 67709f8..0000000 --- a/nixosModules/servicepoint-tanks.nix +++ /dev/null 
@@ -1,121 +0,0 @@
-{
- pkgs,
- config,
- lib,
- ...
-}:
-let
- cfg = config.services.servicepoint-tanks;
- default-user-name = "servicepoint-tanks";
-in
-{
- options.services.servicepoint-tanks = {
- enable = lib.mkEnableOption "servicepoint-tanks";
- package = lib.mkPackageOption pkgs "servicepoint-tanks" { };
- urls = lib.mkOption {
- default = [ "http://localhost:5000" ];
- description = ''
- Configures which protocol to bind on which host:port combination.
- '';
- type = lib.types.listOf lib.types.str;
- example = [
- "http://0.0.0.0"
- "http://localhost:5000"
- # TODO: allow HTTPS
- ];
- };
- user = lib.mkOption {
- default = default-user-name;
- description = ''
- The user under which servicepoint-tanks is run.
-
- This module utilizes systemd's DynamicUser feature. See the corresponding section in
- {manpage}`systemd.exec(5)` for more details.
- '';
- type = lib.types.str;
- };
- group = lib.mkOption {
- default = default-user-name;
- description = ''
- The group under which servicepoint-tanks is run.
-
- This module utilizes systemd's DynamicUser feature. See the corresponding section in
- {manpage}`systemd.exec(5)` for more details.
- '';
- type = lib.types.str;
- };
- };
-
- config = lib.mkIf cfg.enable {
- users = {
- users = lib.mkIf (cfg.user == default-user-name) {
- "${default-user-name}" = {
- isSystemUser = true;
- group = cfg.group;
- };
- };
-
- groups = lib.mkIf (cfg.group == default-user-name) {
- "${default-user-name}" = { };
- };
- };
-
- systemd.services.sericepoint-tanks = {
- description = "Run the servicepoint-tanks server";
- wantedBy = [ "multi-user.target" ];
- after = [ "network-online.target" ];
- wants = [ "network-online.target" ];
-
- environment = {
- ASPNETCORE_URLS = "${lib.strings.concatStringsSep ";" cfg.urls}";
- };
-
- serviceConfig = {
- User = cfg.user;
- Group = cfg.group;
- DynamicUser = true;
-
- Type = "exec";
- ExecStart = "${lib.getBin cfg.package}/bin/TanksServer";
-
- # hardening
- NoNewPrivileges = true;
- CapabilityBoundingSet = null;
- SystemCallFilter = [
- "@system-service"
- "~@privileged"
- ];
- SystemCallArchitectures = "native";
- AmbientCapabilities = "";
- PrivateMounts = true;
- PrivateUsers = true;
- PrivateTmp = true;
- PrivateDevices = true;
- ProtectHome = true;
- ProtectClock = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProtectProc = "invisible";
- ProtectSystem = "strict";
- ProtectControlGroups = "strict";
- LockPersonality = true;
- RemoveIPC = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- RestrictNamespaces = true;
- RestrictAddressFamilies = [
- "AF_INET"
- "AF_INET6"
-
- # TODO: enable unix domain socket bind
- # "AF_UNIX"
- ];
-
- # TODO: try fully AOT build with:
- #MemoryDenyWriteExecute = true;
- };
- };
- };
-}
From 60dc4b72b0e7269f64cbfddf1e500416cd477f8e Mon Sep 17 00:00:00 2001
From: Vinzenz Schroeter
Date: Thu, 23 Oct 2025 21:17:58 +0200
Subject: [PATCH 5/6] disable servicepoint-tanks
---
nixosConfigurations/vinzenz-lpt2/default.nix | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixosConfigurations/vinzenz-lpt2/default.nix b/nixosConfigurations/vinzenz-lpt2/default.nix index 8d42e68..a854e26 100644 --- a/nixosConfigurations/vinzenz-lpt2/default.nix +++ b/nixosConfigurations/vinzenz-lpt2/default.nix @@ -44,7 +44,7 @@ ]; services.servicepoint-tanks = { - enable = true; + enable = false; urls = [ "http://localhost:5666" "http://localhost:5667" From 00a12701b2721492bf950250153ec1a326b53c30 Mon Sep 17 00:00:00 2001 From: Vinzenz Schroeter Date: Thu, 23 Oct 2025 21:36:15 +0200 Subject: [PATCH 6/6] switch dotnet version for vscodium --- homeConfigurations/vinzenz/vscode.nix | 3 ++- nixosConfigurations/vinzenz-lpt2/default.nix | 3 +++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/homeConfigurations/vinzenz/vscode.nix b/homeConfigurations/vinzenz/vscode.nix index 73a09f3..27b77fd 100644 --- a/homeConfigurations/vinzenz/vscode.nix +++ b/homeConfigurations/vinzenz/vscode.nix @@ -71,7 +71,8 @@ }; }; - "dotnetAcquisitionExtension.sharedExistingDotnetPath" = "${lib.getBin pkgs.dotnet-sdk}/bin/dotnet"; + "dotnetAcquisitionExtension.sharedExistingDotnetPath" = + "${lib.getBin pkgs.dotnetCorePackages.sdk_9_0}/bin/dotnet"; "\[makefile\]" = { "editor.insertSpaces" = false; diff --git a/nixosConfigurations/vinzenz-lpt2/default.nix b/nixosConfigurations/vinzenz-lpt2/default.nix index a854e26..38e9a3f 100644 --- a/nixosConfigurations/vinzenz-lpt2/default.nix +++ b/nixosConfigurations/vinzenz-lpt2/default.nix @@ -50,5 +50,8 @@ "http://localhost:5667" ]; }; + nixpkgs.config.permittedInsecurePackages = [ + "mbedtls-2.28.10" + ]; }; }
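Review bot: `nixpkgs.config.permittedInsecurePackages = [ "mbedtls-2.28.10" ];` in `@@ -50,5 +50,8 @@` allows a package that nixpkgs marks as insecure, and nothing in the commit says which dependency needs it — the title only mentions the dotnet SDK for VSCodium, and the link between that and mbedTLS is not visible here. Add a comment naming the consumer and the condition for removal, e.g. `# TODO: needed by <package> until it moves off mbedtls 2.28; drop when <condition>` (placeholders), so the allowance does not outlive the need. As far as I can tell the option applies to the whole nixpkgs instance of this host, so every other package that depends on that mbedtls version is permitted too, not only the one being unblocked.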