From 3d7b43c5833b31bf44e1c3c1327c7c8fc3125354 Mon Sep 17 00:00:00 2001
From: Kopatz <7265381+Kropatz@users.noreply.github.com>
Date: Mon, 24 Jun 2024 10:01:15 +0200
Subject: [PATCH] update syncthing id
---
 flake.nix | 1 +
 modules/collections/laptop.nix | 10 +++++++-
 modules/misc/default.nix | 1 +
 modules/misc/firejail.nix | 28 +++++++++++++++++++++
 modules/services/syncthing.nix | 43 +++++++++++++++++++-------------
 pkgs/test-docker.nix | 9 +++++++
 systems/laptop/configuration.nix | 2 ++
 users/kopatz/default.nix | 2 +-
 8 files changed, 76 insertions(+), 20 deletions(-)
 create mode 100644 modules/misc/firejail.nix
 create mode 100644 pkgs/test-docker.nix
diff --git a/flake.nix b/flake.nix
index ba0c07a..bff664d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -99,6 +99,7 @@
 vars = import ./systems/userdata-default.nix // import ./systems/laptop/userdata.nix;
 pkgsVersion = nixpkgs-unstable;
+ home-manager-version = home-manager-unstable;
 inherit nix-colors;
 };
 modules = [
diff --git a/modules/collections/laptop.nix b/modules/collections/laptop.nix
index e53cf3a..a40677d 100644
--- a/modules/collections/laptop.nix
+++ b/modules/collections/laptop.nix
@@ -12,7 +12,10 @@
 ld.enable = true;
 settings.enable = true;
 };
- misc = { podman.enable = true; };
+ misc = {
+ podman.enable = true;
+ firejail.enable = true;
+ };
 hardware = {
 firmware.enable = true;
 ssd.enable = true;
@@ -34,4 +37,9 @@
 shared.enable = true;
 };
 };
+ programs.firejail.wrappedBinaries = with pkgs;
+ let inherit (config.custom.misc.firejail) mk;
+ in lib.mkMerge [
+ (mk "Discord" { pkg = discord; })
+ ];
 }
diff --git a/modules/misc/default.nix b/modules/misc/default.nix
index 4b7c9d6..1f602c3 100644
--- a/modules/misc/default.nix
+++ b/modules/misc/default.nix
@@ -4,6 +4,7 @@
 ./packages-list.nix
 ./backup.nix
 ./btrfs.nix
+ ./firejail.nix
 ./cli-tools.nix
 ./docker.nix
 ./nftables.nix
diff --git a/modules/misc/firejail.nix b/modules/misc/firejail.nix
new file mode 100644
index 0000000..8e9908b
--- /dev/null
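Review bot: In the second laptop.nix hunk, `(mk "Discord" { pkg = discord; })` takes the display name for both the wrapped binary (`${discord}/bin/Discord`) and the firejail profile (`.../etc/firejail/Discord.profile`), and both are plain interpolated strings that nothing verifies at evaluation time, so a wrong capitalization would only show up when the wrapper is launched. I cannot confirm from the diff which spellings the two packages actually ship; a one-line comment on the call recording that both were checked, e.g. `# bin and profile names checked against the discord and firejail packages`, would spare the next reader the same question. `lib.mkMerge` over a single-element list is also a no-op here and could be dropped until a second wrapper is added. The enclosing attribute set starts outside the hunk.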
+++ b/modules/misc/firejail.nix
@@ -0,0 +1,28 @@
+{ lib, config, pkgs, ... }:
+
+let cfg = config.custom.misc.firejail;
+in {
+ options.custom.misc.firejail = {
+ enable = lib.mkEnableOption "Enables firejail";
+ package = lib.mkOption {
+ type = lib.types.package;
+ default = pkgs.firejail;
+ description = "Firejail package used";
+ readOnly = true; # is a constant from the upstream NixOS module for now
+ };
+ mk = lib.mkOption {
+ readOnly = true;
+ description = "Utility function to make a wrappedBinaries entry";
+ default = name:
+ { pkg, profile ? name, bin ? name }: {
+ ${bin} = {
+ executable = "${lib.getBin pkg}/bin/${bin}";
+ profile =
+ "${config.custom.misc.firejail.package}/etc/firejail/${profile}.profile";
+ };
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable { programs.firejail.enable = true; };
+}
diff --git a/modules/services/syncthing.nix b/modules/services/syncthing.nix
index 5ecc9c4..4bd933d 100644
--- a/modules/services/syncthing.nix
+++ b/modules/services/syncthing.nix
@@ -1,12 +1,9 @@
 { config, pkgs, lib, ... }:
-let
- basePath = "/synced";
-in
-{
- systemd.tmpfiles.rules = [
- "d ${basePath} 0700 ${config.mainUser.name} users -"
- ];
-
+let basePath = "/synced";
+in {
+ systemd.tmpfiles.rules =
+ [ "d ${basePath} 0700 ${config.mainUser.name} users -" ];
+ # check device id: syncthing cli --gui-address=/synced/gui-socket --gui-apikey= show system
 environment.systemPackages = with pkgs; [ syncthing ];
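Review bot: The `mk` default spells out `config.custom.misc.firejail.package` inside the `profile` string although `cfg` already binds that attribute set in the `let` at the top of the file; using it keeps the module to one way of referring to itself: `"${cfg.package}/etc/firejail/${profile}.profile";`. The `description` of `mk` is also the option's only documentation and does not say what the function takes — it should name the `name` argument, the `pkg`/`profile`/`bin` fields with their `name` defaults, and state that the resulting `profile` path is an unchecked string, so a profile that is absent from the firejail package fails only when the wrapped binary is run rather than at build time. The comment on `package`'s `readOnly` presumably means the upstream `programs.firejail` module has no package option to feed it into; saying so explicitly would make the pin understandable without that context.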
@@ -27,46 +24,56 @@ in
 devices = {
 kop-pc = {
- id = "DZKIUS7-WCGTYEV-4OKVSZU-MIVL2NC-N45AKZL-ABT3VN2-I7RXUMF-RF4CYAU";
+ id =
+ "DZKIUS7-WCGTYEV-4OKVSZU-MIVL2NC-N45AKZL-ABT3VN2-I7RXUMF-RF4CYAU";
 addresses = [ "tcp://192.168.0.11" ];
 };
 server = {
- id = "HZUUQEQ-JOKYHTU-AVFVC3U-7KUAXVC-QY3OJTF-HGU7RZ3-5HA5TOE-VT4FNQB";
+ id =
+ "HZUUQEQ-JOKYHTU-AVFVC3U-7KUAXVC-QY3OJTF-HGU7RZ3-5HA5TOE-VT4FNQB";
 addresses = [ "tcp://192.168.0.6" "tcp://192.168.2.1" ];
 };
 mini-pc = {
- id = "NKRWOR6-2YNLVY5-GH6TG7T-V3M4VHD-OFS4XR3-Q45CALD-JVSIBKU-JZBGRQ3";
+ id =
+ "NKRWOR6-2YNLVY5-GH6TG7T-V3M4VHD-OFS4XR3-Q45CALD-JVSIBKU-JZBGRQ3";
+ addresses = [ "tcp://192.168.0.10" "tcp://192.168.2.1" ];
+ };
+ mini-pc-proxmox = {
+ id =
+ "FK3DW4B-6Y7C25O-IDBSOMV-GOUSWZW-KQR7ELS-QUKS4UR-AFZXLZE-67QJXAX";
 addresses = [ "tcp://192.168.0.10" "tcp://192.168.2.1" ];
 };
 laptop = {
- id = "5T6Y3WO-FOQYYFQ-5MLNDSZ-7APIDUG-6KM2ZZM-RTRXMWX-MCZKLMH-BYNDJAQ";
+ id =
+ "5T6Y3WO-FOQYYFQ-5MLNDSZ-7APIDUG-6KM2ZZM-RTRXMWX-MCZKLMH-BYNDJAQ";
 addresses = [ "tcp://192.168.2.22" ];
 };
 phone = {
- id = "XFQ7MV6-MKBYQXH-WGYVQUB-BYJJPFJ-HJTNZEP-PXWAMYY-DMADWSU-PQOTVAI";
+ id =
+ "XFQ7MV6-MKBYQXH-WGYVQUB-BYJJPFJ-HJTNZEP-PXWAMYY-DMADWSU-PQOTVAI";
 addresses = [ "tcp://192.168.0.15" "tcp://192.168.2.20" ];
 };
 };
-
 folders."${basePath}/default" = {
 id = "default";
- devices = [ "kop-pc" "server" "laptop" "mini-pc" "phone" ];
+ devices =
+ [ "kop-pc" "server" "laptop" "mini-pc" "mini-pc-proxmox" "phone" ];
 ignorePerms = false;
 };
 folders."${basePath}/books" = {
 id = "books";
- devices = [ "kop-pc" "server" "laptop" "mini-pc" ];
+ devices = [ "kop-pc" "server" "laptop" "mini-pc" "mini-pc-proxmox" ];
 };
 folders."${basePath}/fh" = {
 id = "fh";
- devices = [ "kop-pc" "server" "laptop" "mini-pc" ];
+ devices = [ "kop-pc" "server" "laptop" "mini-pc" "mini-pc-proxmox" ];
 };
 folders."${basePath}/work_drive" = {
 id = "work_drive";
- devices = [ "kop-pc" "server" "laptop" "mini-pc" ];
+ devices = [ "kop-pc" "server" "laptop" "mini-pc" "mini-pc-proxmox" ];
 };
 };
 };
diff --git a/pkgs/test-docker.nix b/pkgs/test-docker.nix
new file mode 100644
index 0000000..d37fbdb
--- /dev/null
+++ b/pkgs/test-docker.nix
@@ -0,0 +1,9 @@
+{ dockerTools, hello }:
+dockerTools.buildLayeredImage {
+ name = "hello";
+ tag = "latest";
+
+ contents = [ hello ];
+
+ config.Cmd = [ "/bin/hello" ];
+}
diff --git a/systems/laptop/configuration.nix b/systems/laptop/configuration.nix
index 3747485..857b7eb 100644
--- a/systems/laptop/configuration.nix
+++ b/systems/laptop/configuration.nix
@@ -10,6 +10,8 @@
 # ];
+
+ nixpkgs.config.permittedInsecurePackages = [ "electron-27.3.11" ];
 services.blueman.enable = true;
 hardware.bluetooth.enable = true; # enables support for Bluetooth
diff --git a/users/kopatz/default.nix b/users/kopatz/default.nix
index 48540d8..2b97407 100644
--- a/users/kopatz/default.nix
+++ b/users/kopatz/default.nix
@@ -24,7 +24,7 @@
 shell = pkgs.zsh;
 extraGroups = [ "networkmanager" "wheel" "docker" ];
 packages = with pkgs; [
- discord
+ #discord
 brave
 ];
 openssh.authorizedKeys.keys = [ config.mainUser.sshKey ];
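Review bot: The new `mini-pc-proxmox` device block reuses `mini-pc`'s exact `addresses` list (`tcp://192.168.0.10` `tcp://192.168.2.1`), which reads like a copy of the block directly above it; if the Proxmox machine has its own address, syncthing will keep dialing the old host for it and only reach it through discovery, which tends to surface as slow or failed connects rather than an error. Either correct the list or state next to it that both devices are intentionally reachable at the same addresses, e.g. `# same addresses as mini-pc: shares its network path`. Committing the device IDs themselves is fine — a syncthing device ID is the public certificate fingerprint, not a secret — and the `--gui-apikey=` in the comment from the first hunk is correctly left blank. The enclosing `services.syncthing` attribute set starts before this hunk.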
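Review bot: `nixpkgs.config.permittedInsecurePackages = [ "electron-27.3.11" ];` is added without any note of which package needs it, so the exception will outlive its reason; nixpkgs marks that electron release insecure because it no longer receives upstream security fixes, and this line silences that check for everything on the laptop that depends on it. Record the consumer and the exit condition on the line itself, e.g. `# TODO(review): required by <package needing electron-27> — remove once it builds against a supported electron`. The diff does not show whether this is tied to the Discord firejail wrapping in the same commit; if it is, the sandbox profile limits what a compromised renderer can reach but does not patch it, so the comment should say that the wrapper is the compensating control. The stray blank `+` line above it also looks unintended.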