From be9cadd49f079f3e4a6cdd8bdee463436a21723b Mon Sep 17 00:00:00 2001
From: tzlil
Date: Sun, 21 May 2023 19:20:18 +0300
Subject: fix nixinate, add mullvad firejail

---
 flake.lock | 46 ++++++++++++++++------------------------------
 flake.nix | 5 ++++-
 hosts/laptop/cfg.nix | 7 +++++++
 hosts/vps/git.nix | 8 ++++----
 mixins/cli.nix | 8 ++++----
 profiles/network.nix | 4 ++--
 profiles/security.nix | 4 +++-
 7 files changed, 40 insertions(+), 42 deletions(-)

diff --git a/flake.lock b/flake.lock
index e3a1200..8d34479 100644
--- a/flake.lock
+++ b/flake.lock
@@ -85,11 +85,11 @@
 ]
 },
 "locked": {
- "lastModified": 1684484967,
- "narHash": "sha256-P3ftCqeJmDYS9LSr2gGC4XGGcp5vv8TOasJX6fVHWsw=",
+ "lastModified": 1684596126,
+ "narHash": "sha256-4RZZmygeEXpuBqEXGs38ZAcWjWKGwu13Iqbxub6wuJk=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "b9a52ad20e58ebd003444915e35e3dd2c18fc715",
+ "rev": "27ef11f0218d9018ebb2948d40133df2b1de622d",
 "type": "github"
 },
 "original": {
@@ -115,7 +115,9 @@
 },
 "nixinate": {
 "inputs": {
- "nixpkgs": "nixpkgs_2"
+ "nixpkgs": [
+ "nixpkgs"
+ ]
 },
 "locked": {
 "lastModified": 1671116920,
@@ -149,27 +151,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1653060744,
- "narHash": "sha256-kfRusllRumpt33J1hPV+CeCCylCXEU7e0gn2/cIM7cY=",
- "owner": "nixos",
- "repo": "nixpkgs",
- "rev": "dfd82985c273aac6eced03625f454b334daae2e8",
- "type": "github"
- },
- "original": {
- "owner": "nixos",
- "ref": "nixos-unstable",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
- "nixpkgs_3": {
- "locked": {
- "lastModified": 1684385584,
- "narHash": "sha256-O7y0gK8OLIDqz+LaHJJyeu09IGiXlZIS3+JgEzGmmJA=",
+ "lastModified": 1684570954,
+ "narHash": "sha256-FX5y4Sm87RWwfu9PI71XFvuRpZLowh00FQpIJ1WfXqE=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "48a0fb7aab511df92a17cf239c37f2bd2ec9ae3a",
+ "rev": "3005f20ce0aaa58169cdee57c8aa12e5f1b6e1b3",
 "type": "github"
 },
 "original": {
@@ -187,11 +173,11 @@
 "utils": "utils"
 },
 "locked": {
- "lastModified": 1684490584,
- "narHash": "sha256-Mb1Qy+py0OHJ42ZpUVO4KUPVUKuDp+Igt0U6hafvxD0=",
+ "lastModified": 1684603398,
+ "narHash": "sha256-ViwldcC0X2QR6pw1SI1BRl9U7+XL+8qyTelysh1MePE=",
 "owner": "wamserma",
 "repo": "flake-programs-sqlite",
- "rev": "ad44c0a27f9418d2bee9a515e861abfe662e2118",
+ "rev": "f81a2062c106fa85b0b4ecd1fa60b196f041c284",
 "type": "github"
 },
 "original": {
@@ -207,7 +193,7 @@
 "home-manager": "home-manager_2",
 "impermanence": "impermanence",
 "nixinate": "nixinate",
- "nixpkgs": "nixpkgs_3",
+ "nixpkgs": "nixpkgs_2",
 "programsdb": "programsdb",
 "viper-nix-common": "viper-nix-common"
 }
@@ -234,11 +220,11 @@
 ]
 },
 "locked": {
- "lastModified": 1684329129,
- "narHash": "sha256-0SSHyWU/3Qy/wAj3DCn7eKfK3Hqq/+09JEbcU6b20Vg=",
+ "lastModified": 1684655198,
+ "narHash": "sha256-Rg2+w1ZQnA3XjLXxAV5O9C8d3po8deNnqwHPI1cW340=",
 "owner": "viperML",
 "repo": "nix-common",
- "rev": "72566be990e4af366d0d0d2f40c26adfb6ebe545",
+ "rev": "f29f6f737ff4be5eeb6b56e494dcdfc1aa132acf",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 3a4cd31..9c5352a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -6,7 +6,10 @@
 impermanence.url = "github:nix-community/impermanence";
 agenix.url = "github:ryantm/agenix";
 hardware.url = "github:nixos/nixos-hardware";
- nixinate.url = "github:matthewcroughan/nixinate";
+ nixinate = {
+ url = "github:matthewcroughan/nixinate";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 home-manager = {
 url = "github:nix-community/home-manager";
 inputs.nixpkgs.follows = "nixpkgs";
diff --git a/hosts/laptop/cfg.nix b/hosts/laptop/cfg.nix
index 2b4023a..5b30561 100644
--- a/hosts/laptop/cfg.nix
+++ b/hosts/laptop/cfg.nix
@@ -111,6 +111,13 @@
 };
 };
 
+ programs.firejail.wrappedBinaries = {
+ mullvad-browser = {
+ executable = lib.getExe pkgs.mullvad-browser;
+ # profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
+ };
+ };
+
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
 hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
diff --git a/hosts/vps/git.nix b/hosts/vps/git.nix
index 6882e69..d9c638d 100644
--- a/hosts/vps/git.nix
+++ b/hosts/vps/git.nix
@@ -43,9 +43,9 @@
 }
 handle /cgit.css {
 try_files ${pkgs.fetchurl {
- url = "https://jeremias.stotter.eu/cgi-bin/cgit.cgi/cgit-dark/plain/cgit.css";
- sha256 = "sha256-wqszujnWV5PRh3L23L1BFj/PKUElpyu1KhjqrHS8lCw=";
- }} /
+ url = "https://jeremias.stotter.eu/cgi-bin/cgit.cgi/cgit-dark/plain/cgit.css";
+ sha256 = "sha256-wqszujnWV5PRh3L23L1BFj/PKUElpyu1KhjqrHS8lCw=";
+ }} /
 file_server
 }
 handle /favicon.ico {
@@ -74,7 +74,7 @@
 source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
 logo-link = "/";
 virtual-root = "/cgit";
- readme=":README.md";
+ readme = ":README.md";
 })}
 }
 }
diff --git a/mixins/cli.nix b/mixins/cli.nix
index 6e1f1f3..8853576 100644
--- a/mixins/cli.nix
+++ b/mixins/cli.nix
@@ -40,10 +40,10 @@
 userName = "tzlil";
 userEmail = "tzlils@protonmail.com";
 enable = true;
- extraConfig = {
- push.autoSetupRemote = true;
- init.defaultBranch = "master";
- };
+ extraConfig = {
+ push.autoSetupRemote = true;
+ init.defaultBranch = "master";
+ };
 };
 direnv = {
 enable = true;
diff --git a/profiles/network.nix b/profiles/network.nix
index c959824..461106f 100644
--- a/profiles/network.nix
+++ b/profiles/network.nix
@@ -17,7 +17,7 @@
 networkmanager.enable = true;
 useDHCP = false;
 nameservers = ["127.0.0.1" "::1"];
- # networkmanager.dns = "none";
+ networkmanager.dns = "none";
 extraHosts = ''
 100.99.246.128 pc
 100.105.242.70 phone
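Review bot: The new `mullvad-browser` wrapper in hosts/laptop/cfg.nix sets no `profile`, so the sandbox it actually gets depends on firejail's name-based profile lookup at runtime and, if no profile matching the executable name is found, on firejail's generic default profile, which is much looser than the browser profiles; the commented-out `# profile = ...firefox.profile` line reads as a decision left open rather than made. Pin it explicitly — `profile = "${pkgs.firejail}/etc/firejail/firefox.profile";` (or a mullvad-browser-specific profile if the packaged firejail ships one) — and check the effective profile once on the laptop instead of relying on auto-detection. The wrapper only takes effect because `programs.firejail.enable = true` is set in profiles/security.nix in this same commit; a one-line comment here naming that dependency would keep the two from being split apart later. The enclosing attribute set starts and ends outside the hunk.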
@@ -49,7 +49,7 @@ }; # You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md - server_names = []; # tailscale magicdns + # server_names = [ ... ]; }; }; diff --git a/profiles/security.nix b/profiles/security.nix index 9ae5cef..63c5fe4 100644 --- a/profiles/security.nix +++ b/profiles/security.nix @@ -7,16 +7,18 @@ }: { imports = []; config = { + programs.firejail.enable = true; security.auditd.enable = true; security.audit.enable = true; security.audit.rules = [ "-a exit,always -F arch=b64 -S execve" ]; + # https://source.android.com/docs/security/test/scudo environment.memoryAllocator.provider = "scudo"; environment.variables.SCUDO_OPTIONS = "ZeroContents=1"; - # security.lockKernelModules = true; + security.lockKernelModules = true; security.protectKernelImage = true; security.allowSimultaneousMultithreading = false; security.forcePageTableIsolation = true; -- cgit 1.4.1
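Review bot: Turning on `security.lockKernelModules` in profiles/security.nix means any kernel module not already loaded by the time NixOS sets `kernel.modules_disabled=1` can never be loaded for the rest of the boot; on a laptop with NetworkManager, overlay-network hosts (the 100.x entries in profiles/network.nix) and a VPN browser, hot-plugged USB devices and on-demand tunnel modules are the usual casualties. The hunk does not show `boot.kernelModules`, so confirm that every module those services need is listed there and therefore loaded before the lock, and add a short why-comment on the line, e.g. `# modules needed after boot must be in boot.kernelModules`. `programs.firejail.enable = true` also installs a setuid-root wrapper system-wide; that is the cost of the sandboxing added in hosts/laptop/cfg.nix, and it deserves the same kind of one-line comment the scudo line just received so the trade-off is recorded next to the option. The `config` attribute set this hunk sits in is closed outside the hunk.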