From 6a7c3d8f7fbf0f721ba3d4904b3151e3f9c9c13f Mon Sep 17 00:00:00 2001 From: ulic-youthlic Date: Tue, 24 Jun 2025 21:42:12 +0800 Subject: [PATCH 01/12] (pkgs): Add new package `radicle-ci-broker` --- overlays/additions/default.nix | 1 + overlays/additions/radicle-ci-broker.nix | 5 +++++ pkgs/_sources/generated.json | 28 ++++++++++++++++++++---- pkgs/_sources/generated.nix | 22 +++++++++++++++---- pkgs/default.nix | 1 + pkgs/nvfetcher.toml | 4 ++++ pkgs/radicle-ci-broker.nix | 20 +++++++++++++++++ 7 files changed, 73 insertions(+), 8 deletions(-) create mode 100644 overlays/additions/radicle-ci-broker.nix create mode 100644 pkgs/radicle-ci-broker.nix diff --git a/overlays/additions/default.nix b/overlays/additions/default.nix index 337723a..4bccbc2 100644 --- a/overlays/additions/default.nix +++ b/overlays/additions/default.nix @@ -5,6 +5,7 @@ in ./TrackersListCollection.nix ./OuterWildsTextAdventure.nix ./editor-runtime.nix + ./radicle-ci-broker.nix ] |> map (file: import file args) |> (overlays: (lib.composeManyExtensions overlays) final prev) diff --git a/overlays/additions/radicle-ci-broker.nix b/overlays/additions/radicle-ci-broker.nix new file mode 100644 index 0000000..e22b36a --- /dev/null +++ b/overlays/additions/radicle-ci-broker.nix @@ -0,0 +1,5 @@ +{outputs, ...}: _final: prev: let + inherit (prev.stdenv.hostPlatform) system; +in { + inherit (outputs.packages.${system}) radicle-ci-broker; +} diff --git a/pkgs/_sources/generated.json b/pkgs/_sources/generated.json index 6996eb0..f6dfebd 100644 --- a/pkgs/_sources/generated.json +++ b/pkgs/_sources/generated.json @@ -22,7 +22,7 @@ }, "TrackersListCollection": { "cargoLocks": null, - "date": "2025-06-22", + "date": "2025-06-25", "extract": null, "name": "TrackersListCollection", "passthru": null, 
@@ -34,14 +34,14 @@ "name": null, "owner": "XIU2", "repo": "TrackersListCollection", - "rev": "5a0135a913cd27cea026bd558d0319da3630f327", - "sha256": "sha256-YllDv9VEmBCWV0YrdD2yO54foDy/m+9FR2NBwEpSiCY=", + "rev": "f3079ce280d1597cc2b3adfd0a04e0632736e5f7", + "sha256": "sha256-GSG49cgGexdhn87tr8c6bCk0ySzsLWC23cWo6UvHDqE=", "sparseCheckout": [ "all.txt" ], "type": "github" }, - "version": "5a0135a913cd27cea026bd558d0319da3630f327" + "version": "f3079ce280d1597cc2b3adfd0a04e0632736e5f7" }, "cliphist": { "cargoLocks": null, @@ -130,6 +130,26 @@ }, "version": "Serif2.003" }, + "radicle-ci-broker": { + "cargoLocks": null, + "date": "2025-06-18", + "extract": null, + "name": "radicle-ci-broker", + "passthru": null, + "pinned": false, + "src": { + "deepClone": false, + "fetchSubmodules": false, + "leaveDotGit": false, + "name": null, + "rev": "d824691e1aeccd557b2deeb2cdfb18d275e15f3e", + "sha256": "sha256-bj+JR26bqBE/WBcIbIUZU0r9JqgkEIGSb8nv3GdF72Q=", + "sparseCheckout": [], + "type": "git", + "url": "https://seed.radicle.garden/zwTxygwuz5LDGBq255RA2CbNGrz8.git" + }, + "version": "d824691e1aeccd557b2deeb2cdfb18d275e15f3e" + }, "spotx": { "cargoLocks": null, "date": "2025-06-18", diff --git a/pkgs/_sources/generated.nix b/pkgs/_sources/generated.nix index 0182b75..a478d2d 100644 --- a/pkgs/_sources/generated.nix +++ b/pkgs/_sources/generated.nix 
@@ -15,18 +15,18 @@ }; TrackersListCollection = { pname = "TrackersListCollection"; - version = "5a0135a913cd27cea026bd558d0319da3630f327"; + version = "f3079ce280d1597cc2b3adfd0a04e0632736e5f7"; src = fetchFromGitHub { owner = "XIU2"; repo = "TrackersListCollection"; - rev = "5a0135a913cd27cea026bd558d0319da3630f327"; + rev = "f3079ce280d1597cc2b3adfd0a04e0632736e5f7"; fetchSubmodules = false; deepClone = false; leaveDotGit = false; sparseCheckout = [ "all.txt" ]; - sha256 = "sha256-YllDv9VEmBCWV0YrdD2yO54foDy/m+9FR2NBwEpSiCY="; + sha256 = "sha256-GSG49cgGexdhn87tr8c6bCk0ySzsLWC23cWo6UvHDqE="; }; - date = "2025-06-22"; + date = "2025-06-25"; }; cliphist = { pname = "cliphist"; @@ -82,6 +82,20 @@ sha256 = "sha256-mfbBSdJrUCZiUUmsmndtEW6H3z6KfBn+dEftBySf2j4="; }; }; + radicle-ci-broker = { + pname = "radicle-ci-broker"; + version = "d824691e1aeccd557b2deeb2cdfb18d275e15f3e"; + src = fetchgit { + url = "https://seed.radicle.garden/zwTxygwuz5LDGBq255RA2CbNGrz8.git"; + rev = "d824691e1aeccd557b2deeb2cdfb18d275e15f3e"; + fetchSubmodules = false; + deepClone = false; + leaveDotGit = false; + sparseCheckout = [ ]; + sha256 = "sha256-bj+JR26bqBE/WBcIbIUZU0r9JqgkEIGSb8nv3GdF72Q="; + }; + date = "2025-06-18"; + }; spotx = { pname = "spotx"; version = "181fd7fc8fe838237660a46ae096570d869bc30f"; diff --git a/pkgs/default.nix b/pkgs/default.nix index ac99da1..54bf3e0 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -21,6 +21,7 @@ in QQ = callPackage ./QQ.nix {}; editor-runtime = callPackage ./editor-runtime.nix {}; cliphist = callPackage ./cliphist.nix {}; + radicle-ci-broker = callPackage ./radicle-ci-broker.nix {}; noto-serif-cjk = callPackage ./noto-serif-cjk.nix {}; noto-sans-cjk = callPackage ./noto-sans-cjk.nix {}; diff --git a/pkgs/nvfetcher.toml b/pkgs/nvfetcher.toml index 64f3aa8..fa0debf 100644 --- a/pkgs/nvfetcher.toml +++ b/pkgs/nvfetcher.toml 
@@ -37,3 +37,7 @@ fetch.github = "top-mind/OuterWildsTextAdventureWeb" [cliphist] src.git = "https://github.com/sentriz/cliphist.git" fetch.github = "sentriz/cliphist" + +[radicle-ci-broker] +src.git = "https://seed.radicle.garden/zwTxygwuz5LDGBq255RA2CbNGrz8.git" +fetch.git = "https://seed.radicle.garden/zwTxygwuz5LDGBq255RA2CbNGrz8.git" diff --git a/pkgs/radicle-ci-broker.nix b/pkgs/radicle-ci-broker.nix new file mode 100644 index 0000000..9fdc0a9 --- /dev/null +++ b/pkgs/radicle-ci-broker.nix @@ -0,0 +1,20 @@ +{ + rustPlatform, + srcs, + git, +}: let + inherit (srcs) radicle-ci-broker; +in + rustPlatform.buildRustPackage (finalAttrs: { + pname = "radicle-ci-broker"; + version = "0-unstable-${radicle-ci-broker.date}-git${radicle-ci-broker.version}"; + inherit (radicle-ci-broker) src; + nativeBuildInputs = [git]; + + cargoLock = { + lockFile = "${finalAttrs.src}/Cargo.lock"; + allowBuiltinFetchGit = true; + }; + + doCheck = false; + }) From c09b1a93bd11a61ac50fff396bb30249841c4797 Mon Sep 17 00:00:00 2001 From: ulic-youthlic Date: Tue, 24 Jun 2025 21:42:12 +0800 Subject: [PATCH 02/12] machine(Tytonidae): Enable system feature `gccarch-alderlake` --- nixos/configurations/Tytonidae/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/configurations/Tytonidae/default.nix b/nixos/configurations/Tytonidae/default.nix index d0e5a4c..8de89aa 100644 --- a/nixos/configurations/Tytonidae/default.nix +++ b/nixos/configurations/Tytonidae/default.nix @@ -113,7 +113,7 @@ nvidiaBusId = "PCI:1:0:0"; }; }; - nix = {settings = {system-features = ["gccarch-x86-64-v3"];};}; + nix = {settings = {system-features = ["gccarch-alderlake"];};}; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions From 7b56295ae67d389ca03ade34d325976c33566b5a Mon Sep 17 00:00:00 2001 
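Review bot: `doCheck = false;` at the end of the new pkgs/radicle-ci-broker.nix derivation switches the crate's test suite off with no stated reason; a one-line comment such as `# tests need a running radicle node; skipped` (or whatever the real reason is) would keep the next reader from re-enabling it blindly. The `version` string interpolates `radicle-ci-broker.version`, which in generated.nix is the full 40-character rev, so the package version becomes `0-unstable-2025-06-18-gitd824691e…`; `builtins.substring 0 7 radicle-ci-broker.version` gives the conventional short form. `allowBuiltinFetchGit = true;` also deserves a comment noting that git dependencies listed in Cargo.lock are fetched at the lockfile's recorded rev instead of being pinned through `outputHashes`, so the committed lockfile is the only thing pinning them.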
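Review bot: `nix = {settings = {system-features = ["gccarch-alderlake"];};};` in Tytonidae/default.nix replaces, rather than extends, the feature list: the NixOS module's default (`nixos-test`, `benchmark`, `big-parallel`, `kvm`) is set with `mkDefault` as far as I recall, so an explicit value drops it and local builds of derivations that require `kvm` or `big-parallel` will be refused. If that is not intended, list the defaults alongside the arch feature, e.g. `system-features = ["gccarch-alderlake" "nixos-test" "benchmark" "big-parallel" "kvm"];`. The same applies to the Akun hunk (patch 03), the Cape hunk (patch 04) and the line carried into Tytonidae's hardware.nix in patch 05. A `gccarch-*` feature only advertises what this host may build; nothing visible in the series sets a matching `nixpkgs.hostPlatform.gcc.arch`, so I assume it is meant for derivations produced elsewhere and a comment saying so would help.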
From: ulic-youthlic Date: Tue, 24 Jun 2025 21:42:12 +0800 Subject: [PATCH 03/12] machine(Akun): Enable system feature `gccarch-skylake` --- nixos/configurations/Akun/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos/configurations/Akun/default.nix b/nixos/configurations/Akun/default.nix index 9f2fba5..de4b6ec 100644 --- a/nixos/configurations/Akun/default.nix +++ b/nixos/configurations/Akun/default.nix @@ -70,6 +70,7 @@ loader.systemd-boot.enable = true; loader.efi.canTouchEfiVariables = true; }; + nix = {settings = {system-features = ["gccarch-skylake"];};}; system.stateVersion = "24.11"; } From fcbba87fd0fd1b742f6731153891b101e943f2c0 Mon Sep 17 00:00:00 2001 From: ulic-youthlic Date: Tue, 24 Jun 2025 21:42:12 +0800 Subject: [PATCH 04/12] machine(Cape): Enable system feature `gccarch-ivybridge` --- nixos/configurations/Cape/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/nixos/configurations/Cape/default.nix b/nixos/configurations/Cape/default.nix index b34fe32..fed3ec2 100644 --- a/nixos/configurations/Cape/default.nix +++ b/nixos/configurations/Cape/default.nix @@ -62,6 +62,11 @@ boot.loader.grub = { enable = true; }; + nix = { + settings = { + system-features = ["gccarch-ivybridge"]; + }; + }; system.stateVersion = "24.11"; } From 456ca850181e5f571dfbea915a55f1afab29af38 Mon Sep 17 00:00:00 2001 From: ulic-youthlic Date: Tue, 24 Jun 2025 21:42:12 +0800 Subject: [PATCH 05/12] machine(Tytonidae): Refactor hardware configuration --- nixos/configurations/Tytonidae/default.nix | 11 ------ nixos/configurations/Tytonidae/hardware.nix | 37 +++++++++++---------- 2 files changed, 19 insertions(+), 29 deletions(-) diff --git a/nixos/configurations/Tytonidae/default.nix b/nixos/configurations/Tytonidae/default.nix index 8de89aa..8dcedca 100644 --- a/nixos/configurations/Tytonidae/default.nix +++ b/nixos/configurations/Tytonidae/default.nix @@ -1,5 +1,4 @@ { - lib, pkgs, inputs, ... 
@@ -104,16 +103,6 @@ loader.efi.canTouchEfiVariables = true; initrd.systemd.enable = true; }; - hardware.nvidia = { - modesetting.enable = true; - open = true; - prime = { - reverseSync.enable = lib.mkDefault true; - intelBusId = "PCI:0:2:0"; - nvidiaBusId = "PCI:1:0:0"; - }; - }; - nix = {settings = {system-features = ["gccarch-alderlake"];};}; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions diff --git a/nixos/configurations/Tytonidae/hardware.nix b/nixos/configurations/Tytonidae/hardware.nix index 8fd23ca..0a988ca 100644 --- a/nixos/configurations/Tytonidae/hardware.nix +++ b/nixos/configurations/Tytonidae/hardware.nix @@ -1,27 +1,28 @@ -{pkgs, ...}: { +{ + pkgs, + lib, + ... +}: { nixpkgs.config.cudaSupport = true; services = { hardware.bolt.enable = true; fstrim.enable = true; }; + nix = {settings = {system-features = ["gccarch-alderlake"];};}; hardware = { - graphics = { - extraPackages = with pkgs; [ - vaapiIntel - libva - libvdpau-va-gl - vaapiVdpau - ocl-icd - intel-ocl - intel-compute-runtime - nvidia-vaapi-driver - intel-media-driver - ]; - extraPackages32 = with pkgs.pkgsi686Linux; [ - vaapiVdpau - libvdpau-va-gl - intel-media-driver - ]; + graphics.package = pkgs.mesa_git; + intelgpu = { + driver = "xe"; + vaapiDriver = "intel-media-driver"; + }; + nvidia = { + modesetting.enable = true; + open = true; + prime = { + reverseSync.enable = lib.mkDefault true; + intelBusId = "PCI:0:2:0"; + nvidiaBusId = "PCI:1:0:0"; + }; }; }; } From 05fd6ec54ddf8e8a5dc74ea6c2ba8564fe8d98be Mon Sep 17 00:00:00 2001 From: ulic-youthlic Date: Tue, 24 Jun 2025 21:42:12 +0800 Subject: [PATCH 06/12] machine(Akun): Refactor hardware configuration --- nixos/configurations/Akun/default.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/nixos/configurations/Akun/default.nix b/nixos/configurations/Akun/default.nix index de4b6ec..9fc6cb9 100644 
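Review bot: The rewritten `hardware` block in Tytonidae/hardware.nix drops the `extraPackages`/`extraPackages32` lists (`intel-compute-runtime`, `ocl-icd`, `nvidia-vaapi-driver`, the 32-bit VA-API drivers) and relies on `hardware.intelgpu` plus `graphics.package = pkgs.mesa_git;`. `hardware.intelgpu` is not a nixpkgs option — it looks like the nixos-hardware Intel GPU module, whose import is outside this diff — and even if it restores the Intel VA-API driver, the OpenCL runtime and the NVIDIA VA-API bridge have no visible replacement here. If dropping them is intended, a short comment on `intelgpu = {` naming which packages that module supplies would make the refactor reviewable; otherwise re-add the missing ones under `hardware.graphics.extraPackages`.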
--- a/nixos/configurations/Akun/default.nix +++ b/nixos/configurations/Akun/default.nix @@ -69,8 +69,16 @@ kernelPackages = pkgs.linuxPackages_cachyos; loader.systemd-boot.enable = true; loader.efi.canTouchEfiVariables = true; + kernelParams = ["i915.enable_guc=2"]; }; nix = {settings = {system-features = ["gccarch-skylake"];};}; + hardware = { + graphics.package = pkgs.mesa_git; + intelgpu = { + vaapiDriver = "intel-vaapi-driver"; + enableHybridCodec = true; + }; + }; system.stateVersion = "24.11"; } From 409848ed04c585e60ea031c702ef1711a8029218 Mon Sep 17 00:00:00 2001 From: ulic-youthlic Date: Tue, 24 Jun 2025 21:42:12 +0800 Subject: [PATCH 07/12] module(obs): Refactor obs-studio module from hmModule into nixosModule --- home/david/configurations/Akun/default.nix | 1 - home/david/configurations/Tytonidae/default.nix | 1 - home/modules/programs/default.nix | 1 - nixos/configurations/Akun/default.nix | 1 + nixos/configurations/Tytonidae/default.nix | 1 + nixos/modules/programs/default.nix | 1 + {home => nixos}/modules/programs/obs.nix | 6 ++---- 7 files changed, 5 insertions(+), 7 deletions(-) rename {home => nixos}/modules/programs/obs.nix (86%) diff --git a/home/david/configurations/Akun/default.nix b/home/david/configurations/Akun/default.nix index 308530f..20ac93a 100644 --- a/home/david/configurations/Akun/default.nix +++ b/home/david/configurations/Akun/default.nix @@ -35,7 +35,6 @@ sops.enable = true; mpv.enable = true; atuin.enable = true; - obs.enable = true; chromium.enable = true; thunderbird.enable = true; # espanso.enable = true; diff --git a/home/david/configurations/Tytonidae/default.nix b/home/david/configurations/Tytonidae/default.nix index aa9aa6b..299ca11 100644 --- a/home/david/configurations/Tytonidae/default.nix +++ b/home/david/configurations/Tytonidae/default.nix @@ -39,7 +39,6 @@ kvm.enable = true; atuin.enable = true; thunderbird.enable = true; - obs.enable = true; chromium.enable = true; espanso.enable = true; ion.enable = true; 
diff --git a/home/modules/programs/default.nix b/home/modules/programs/default.nix index cac7555..51ce6b1 100644 --- a/home/modules/programs/default.nix +++ b/home/modules/programs/default.nix @@ -11,7 +11,6 @@ ./wluma.nix ./niri.nix ./starship - ./obs.nix ./fuzzel.nix ./mpv.nix ./swaylock.nix diff --git a/nixos/configurations/Akun/default.nix b/nixos/configurations/Akun/default.nix index 9fc6cb9..81ce43b 100644 --- a/nixos/configurations/Akun/default.nix +++ b/nixos/configurations/Akun/default.nix @@ -32,6 +32,7 @@ kanata.enable = true; tailscale.enable = true; wshowkeys.enable = true; + obs.enable = true; }; }; programs.gnupg.agent = { diff --git a/nixos/configurations/Tytonidae/default.nix b/nixos/configurations/Tytonidae/default.nix index 8dcedca..9940421 100644 --- a/nixos/configurations/Tytonidae/default.nix +++ b/nixos/configurations/Tytonidae/default.nix @@ -51,6 +51,7 @@ juicity.client.enable = true; owncast.enable = true; wshowkeys.enable = true; + obs.enable = true; }; }; diff --git a/nixos/modules/programs/default.nix b/nixos/modules/programs/default.nix index a69c343..62986ad 100644 --- a/nixos/modules/programs/default.nix +++ b/nixos/modules/programs/default.nix @@ -26,5 +26,6 @@ ./radicle.nix ./wshowkeys.nix ./bash.nix + ./obs.nix ]; } diff --git a/home/modules/programs/obs.nix b/nixos/modules/programs/obs.nix similarity index 86% rename from home/modules/programs/obs.nix rename to nixos/modules/programs/obs.nix index 5314ed7..6567780 100644 --- a/home/modules/programs/obs.nix +++ b/nixos/modules/programs/obs.nix @@ -1,7 +1,7 @@ { pkgs, - config, lib, + config, ... }: let cfg = config.youthlic.programs.obs; @@ -16,11 +16,9 @@ in { enable = true; plugins = with pkgs.obs-studio-plugins; [ obs-source-record - obs-vaapi - obs-vkcapture - obs-webkitgtk obs-pipewire-audio-capture ]; + enableVirtualCamera = true; }; }; } From 6f54efddbb73942ee8c4fe3336bd17218277f083 Mon Sep 17 00:00:00 2001 
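Review bot: `enableVirtualCamera = true;` in nixos/modules/programs/obs.nix pulls the out-of-tree `v4l2loopback` kernel module into `boot.extraModulePackages`, which has to build against whatever kernel each host runs — Akun uses `linuxPackages_cachyos` (visible in patch 06) — so a comment such as `# loads v4l2loopback; must build against the host kernel (cachyos on Akun)` would save a future debugging session. The hunk also silently removes the `obs-vaapi`, `obs-vkcapture` and `obs-webkitgtk` plugins while the subject line calls this a refactor; either restore them or say in the commit message why they go.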
From: ulic-youthlic Date: Tue, 24 Jun 2025 21:42:12 +0800 Subject: [PATCH 08/12] secrets(access-token): Refresh github access token --- secrets/general.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/secrets/general.yaml b/secrets/general.yaml index a6a7b59..b64fd5d 100644 --- a/secrets/general.yaml +++ b/secrets/general.yaml @@ -4,7 +4,7 @@ rustypaste: delete: ENC[AES256_GCM,data:fbhJiJhh4YSMZQ6/dfquesJE0sNSn2PUkbjtJmisj5qHtsM=,iv:M1R7giNyLhbj98iiCPENQy44Ixqnie1PHlNcsVs5TLs=,tag:zdBbZ4NR7D4HxsxCizTliw==,type:str] miniflux: ENC[AES256_GCM,data:8u9ElF2LAsIZmq7U8oZJM367y6EAy0si4ZXhpdisYa/PjV70SybUWhrahBft86QB71l8KtLUVuF3Ins=,iv:q7vJzxZICGNv/IaHKDpV50Pc9P4rIwcvfz2+uS1AnyI=,tag:ycwVU3RqfBoXRZQMv653xQ==,type:str] atuin-key: ENC[AES256_GCM,data:e3K7/7BaeXuR+vHJdtO79UQp3XRvROcD8ISkuCp3KGCSlBKUM3GuCwhIeFoIl0fOUqVYOzcCAcjsH2nBRqcXhtS8jhM=,iv:Mh3jsu6mdj0VOLSIoNz/0awyydVf7q3/E7iB7CJi+UA=,tag:xuHhUmK/J2stdjRrtbhQSw==,type:str] -access-tokens: ENC[AES256_GCM,data:Y1qJQaOYHIednHAYpcMVWk+5j5E27QDXrlTAfu/jt7prCxucrQHV7GR2xp7TrXPENDD/lkx9IrRsEKCF7FKIwMDSsfXu5mHt5iRv1dI5itXSlxs4R+r11/rj8S7CHWG/ajOlOwxGyQKHf8O6Q2pHxnDsI7aP7qlC,iv:yrkY/Bb4+ZiLXaTNQ5VD+UO1jf8HfoqEloBCoSRR7l0=,tag:U53qyWVbrKI5tZVagyJSxQ==,type:str] +access-tokens: ENC[AES256_GCM,data:/KBOmXN4LgRmO0axaeKqtmKy0W16OZQt6faNL/T7hxXYw1bDzImNNH4BAg6Lu6Tf15jaMgsqtr9eL3SRjVs7RelRhh7snaJVsrIs59bZ9awn5UvH4rHI0ktXvXwQnKMdwrHnrYURcCWOf+7s99I+50U1o1cDmJF0,iv:rhKP7qccP4DVxzgsaq3rEU39E9zn9EqNV9XzTJfs3O0=,tag:ezX0he1kidCkBGxeQHZNQw==,type:str] matrix-telegram-bot: ENC[AES256_GCM,data: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,iv:Br0w0SiYajFr8p5CZEg47x3KpJ+AOleHthsEc3ho4YI=,tag:k+wptcSnNzfefF66Ug824Q==,type:str] matrix-reg-token: ENC[AES256_GCM,data:Cr5560L9gQo/tKUz1sQOAg5dckI6SyDxeNyrjW4oI6qkV8bxUrMaAGnVkkeF9TF9FgAnRb+7Lm+axd2SmkPWnqrLll2NzLC01zXht9Mq9RroAPXFraEV1X1Ge1qAAtkr,iv:42r93HLVDKuDCOYlfem7oi3gcHfhDYiNbFKOCHxim+o=,tag:9hWGQrWHsv2eYNgFlHtfeA==,type:str] ssh-private-key: 
@@ -54,7 +54,7 @@ sops: a1Y1NU9CK2h1SS83VW42bzBMa01yMXMKI1DBtgNlkNCrxUQvnD6a45mQKNfg5gM4 Zb5buo9Jofj4dn/HFwng3T3gxKTrP2Dh74CAH4L0M5yrF9fzk5TCcQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-05-12T11:16:40Z" - mac: ENC[AES256_GCM,data:+c/i6oH4tOoBr8Uouej+v3lYGMbTjo3bti23Lh6IKA+o79pennRj9v7FEv21DcEwdlH+ebFvZgZwqS5c6cnbQFJkSKLPq15ecQXWEXAPklCV5C0tF3CHy5SgJxaQExYqcbq4/vdrWgKb1Bk53H32KfP1hzPdrr1aFe0jS8IZOSk=,iv:10G6Oc2Azeur1mt4pMj3kEI7g2CeDzhlUPfwz43C0QE=,tag:fN20RLv7pebWBV+trSSXsQ==,type:str] + lastmodified: "2025-06-27T15:03:19Z" + mac: ENC[AES256_GCM,data:G166RcgIytsJj7tVt40YNLPn3rmQu0KTIDmUECY3M7ft/+M1wz1JDlFKj7l8e1/xqa+FIE+Sny5yT/WLRUpbtv1fG4lJeqmJqbOoYiOOPgxR8Sse/aA+RU08ZvyYBV1Shm+NThjVjzJQWpwaDISYHkdUiwQ7bt+l5XXIJiveOoY=,iv:I4MkRMke8+quCnMhE6F1d/uhHXFV2blFk3pH+HRMs/k=,tag:r8LCUbaPsddtUghMUSYYww==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 From 4f13efdab2c21936d7f9f4f9463e0f6477db97cd Mon Sep 17 00:00:00 2001 From: ulic-youthlic Date: Tue, 24 Jun 2025 21:42:12 +0800 Subject: [PATCH 09/12] overlay(lix): Fix lix cve with patch --- overlays/modifications/default.nix | 2 + overlays/modifications/fix-lix/default.nix | 5 + .../fix-lix/fix-cve-2025-52992.diff | 267 ++++++++++++++++++ 3 files changed, 274 insertions(+) create mode 100644 overlays/modifications/fix-lix/default.nix create mode 100644 overlays/modifications/fix-lix/fix-cve-2025-52992.diff diff --git a/overlays/modifications/default.nix b/overlays/modifications/default.nix index 2f18ea8..a555650 100644 --- a/overlays/modifications/default.nix +++ b/overlays/modifications/default.nix @@ -11,6 +11,8 @@ in # ./QQ.nix ./helix.nix ./cliphist.nix + + ./fix-lix ] |> map (file: import file args) |> (overlays: (lib.composeManyExtensions overlays) final prev) diff --git a/overlays/modifications/fix-lix/default.nix b/overlays/modifications/fix-lix/default.nix new file mode 100644 index 0000000..c1aa41c --- /dev/null +++ b/overlays/modifications/fix-lix/default.nix 
@@ -0,0 +1,5 @@ +{...}: _final: prev: { + lix = prev.lix.overrideAttrs { + patches = [./fix-cve-2025-52992.diff]; + }; +} diff --git a/overlays/modifications/fix-lix/fix-cve-2025-52992.diff b/overlays/modifications/fix-lix/fix-cve-2025-52992.diff new file mode 100644 index 0000000..a9d1b71 --- /dev/null +++ b/overlays/modifications/fix-lix/fix-cve-2025-52992.diff 
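Review bot: `patches = [./fix-cve-2025-52992.diff];` in the attribute-set form of `overrideAttrs` replaces whatever `patches` nixpkgs already applies to Lix instead of appending, so any existing fixes silently disappear. Use the function form and extend the list: `lix = prev.lix.overrideAttrs (old: { patches = (old.patches or []) ++ [./fix-cve-2025-52992.diff]; });`. The patch is also applied unconditionally, and its own `version.json` hunk shows it targets 2.93.1, so it will stop applying once nixpkgs ships 2.93.2 or later; wrapping the addition in `lib.optionals (lib.versionOlder old.version "2.93.2")` (assuming `old.version` is set, as it is for ordinary derivations) makes the overlay retire itself.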
@@ -0,0 +1,267 @@ +diff --git a/doc/manual/rl-next/correct-cleanup-redirected-stores.md b/doc/manual/rl-next/correct-cleanup-redirected-stores.md +new file mode 100644 +index 000000000..a5d4a55a8 +--- /dev/null ++++ b/doc/manual/rl-next/correct-cleanup-redirected-stores.md +@@ -0,0 +1,18 @@ ++--- ++synopsis: "Correct cleanup in redirected stores" ++issues: [] ++cls: [3493] ++category: "Fixes" ++credits: ["horrors"] ++--- ++ ++Following CVE-2025-52992, the Lix team implemented automatic cleanup of ++*scratch outputs*, store paths written but not yet registered (e.g. ++`/nix/store/...`). ++ ++In setups using redirected stores, cleanup was mistakenly applied to the ++logical store path (always under `/nix/store`) rather than the actual physical ++location on disk. ++ ++This could result in accidental deletion from the system ++store instead of the intended redirected store. +diff --git a/doc/manual/rl-next/infallible-build-dirs.md b/doc/manual/rl-next/infallible-build-dirs.md +new file mode 100644 +index 000000000..563d4fcde +--- /dev/null ++++ b/doc/manual/rl-next/infallible-build-dirs.md +@@ -0,0 +1,25 @@ ++--- ++synopsis: "Fallback to safe temp dir when build-dir is unwritable" ++issues: [fj#876] ++cls: [3501] ++category: "Fixes" ++credits: ["raito", "horrors"] ++--- ++ ++Non-daemon builds started failing with a permission error after introducing the `build-dir` option: ++ ++``` ++$ nix build --store ~/scratch nixpkgs#hello --rebuild ++error: creating directory '/nix/var/nix/builds/nix-build-hello-2.12.2.drv-0': Permission denied ++``` ++ ++This happens because: ++ ++1. These builds are not run via the daemon, which owns `/nix/var/nix/builds`. ++2. The user lacks permissions for that path. ++ ++We considered making `build-dir` a store-level option and defaulting it to `/nix/var/nix/builds` for chroot stores, but opted instead for a fallback: if the default fails, Nix now creates a safe build directory under `/tmp`. 
++ ++To avoid CVE-2025-52991, the fallback uses an extra path component between `/tmp` and the build dir. ++ ++**Note**: this fallback clutters `/tmp` with build directories that are not cleaned up. To prevent this, explicitly set `build-dir` to a path managed by Lix, even for local workloads. +diff --git a/doc/manual/rl-next/valid-outputs-deletion.md b/doc/manual/rl-next/valid-outputs-deletion.md +new file mode 100644 +index 000000000..f56112f41 +--- /dev/null ++++ b/doc/manual/rl-next/valid-outputs-deletion.md +@@ -0,0 +1,22 @@ ++--- ++synopsis: "Do not delete valid outputs after build" ++issues: [fj#883] ++cls: [3494] ++category: "Fixes" ++credits: ["horrors"] ++--- ++ ++In response to CVE-2025-52992, the Lix team introduced automatic deletion of ++*scratch outputs*, store paths written but not yet registered (e.g. in ++`/nix/store`). ++ ++However, the control flow distinguishing scratch outputs from valid ones is ++complex. A logic error caused valid outputs, especially those obtained via ++closure copies (e.g. remote builds), to be deleted post-build. ++ ++This led to breakage in Lix and could potentially render entire systems ++unusable by removing critical libraries. ++ ++We are sorry for the severity of this bug and are taking steps to prevent its ++recurrence. If your system is affected, please reach out on our support ++channels for recovery assistance. +diff --git a/lix/libstore/build/local-derivation-goal.cc b/lix/libstore/build/local-derivation-goal.cc +index c866a3b66..247943e5c 100644 +--- a/lix/libstore/build/local-derivation-goal.cc ++++ b/lix/libstore/build/local-derivation-goal.cc +@@ -487,17 +487,47 @@ try { + }); + } + +- createDirs(settings.buildDir.get()); +- +- /* Create a temporary directory where the build will take +- place. 
*/ +- tmpDir = createTempDir( +- settings.buildDir.get(), +- "nix-build-" + std::string(drvPath.name()), +- false, +- false, +- 0700 +- ); ++ try { ++ auto buildDir = worker.buildDirOverride.value_or(settings.buildDir.get()); ++ ++ createDirs(buildDir); ++ ++ /* Create a temporary directory where the build will take ++ place. */ ++ tmpDir = ++ createTempDir(buildDir, "nix-build-" + std::string(drvPath.name()), false, false, 0700); ++ } catch (SysError & e) { ++ /* ++ * Fallback to the global tmpdir and create a safe space there ++ * only if it's a permission error. ++ */ ++ if (e.errNo != EACCES) { ++ throw; ++ } ++ ++ auto globalTmp = defaultTempDir(); ++ createDirs(globalTmp); ++#if __APPLE__ ++ /* macOS filesystem namespacing does not exist, to avoid breaking builds, we need to weaken ++ * the mode bits on the top-level directory. This avoids issues like ++ * https://github.com/NixOS/nix/pull/11031. */ ++ constexpr int toplevelDirMode = 0755; ++#else ++ constexpr int toplevelDirMode = 0700; ++#endif ++ auto nixBuildsTmp = ++ createTempDir(globalTmp, fmt("nix-builds-%s", geteuid()), false, false, toplevelDirMode); ++ warn( ++ "Failed to use the system-wide build directory '%s', falling back to a temporary " ++ "directory inside '%s'", ++ settings.buildDir.get(), ++ nixBuildsTmp ++ ); ++ worker.buildDirOverride = nixBuildsTmp; ++ tmpDir = createTempDir( ++ nixBuildsTmp, "nix-build-" + std::string(drvPath.name()), false, false, 0700 ++ ); ++ } + /* The TOCTOU between the previous mkdir call and this open call is unavoidable due to + * POSIX semantics.*/ + tmpDirFd = AutoCloseFD{open(tmpDir.c_str(), O_RDONLY | O_NOFOLLOW | O_DIRECTORY)}; +@@ -538,7 +568,9 @@ try { + /* Schedule this scratch output path for automatic deletion + * if we do not cancel it, e.g. when registering the outputs. 
+ */ +- scratchOutputsCleaner.insert_or_assign(outputName, worker.store.printStorePath(scratchPath)); ++ scratchOutputsCleaner.emplace( ++ outputName, worker.store.toRealPath(worker.store.printStorePath(scratchPath)) ++ ); + + /* Substitute output placeholders with the scratch output paths. + We'll use during the build. */ +@@ -1739,6 +1771,11 @@ try { + before this for loop. */ + if (*scratchPath != finalStorePath) + outputRewrites[std::string { scratchPath->hashPart() }] = std::string { finalStorePath.hashPart() }; ++ /* Cancel automatic deletion of that output if it was a scratch output that we just ++ * registered. */ ++ if (auto cleaner = scratchOutputsCleaner.extract(outputName)) { ++ cleaner.mapped().cancel(); ++ } + }; + + auto orifu = get(outputReferencesIfUnregistered, outputName); +@@ -2063,10 +2100,6 @@ try { + the next iteration */ + if (newInfo.ca) { + TRY_AWAIT(localStore.registerValidPaths({{newInfo.path, newInfo}})); +- /* Cancel automatic deletion of that output if it was a scratch output. */ +- if (auto cleaner = scratchOutputsCleaner.extract(outputName)) { +- cleaner.mapped().cancel(); +- } + } + + infos.emplace(outputName, std::move(newInfo)); +@@ -2107,13 +2140,6 @@ try { + infos2.insert_or_assign(newInfo.path, newInfo); + } + TRY_AWAIT(localStore.registerValidPaths(infos2)); +- +- /* Cancel automatic deletion of that output if it was a scratch output that we just registered. 
*/ +- for (auto & [outputName, _ ] : infos) { +- if (auto cleaner = scratchOutputsCleaner.extract(outputName)) { +- cleaner.mapped().cancel(); +- } +- } + } + + /* In case of a fixed-output derivation hash mismatch, throw an +diff --git a/lix/libstore/build/worker.hh b/lix/libstore/build/worker.hh +index 7fc3d1fe9..d9dc36e34 100644 +--- a/lix/libstore/build/worker.hh ++++ b/lix/libstore/build/worker.hh +@@ -195,6 +195,7 @@ public: + Store & store; + Store & evalStore; + AsyncSemaphore substitutions, localBuilds; ++ std::optional buildDirOverride; + + private: + kj::TaskSet children; +diff --git a/tests/functional/build.sh b/tests/functional/build.sh +index 58fba83aa..fc83f61f3 100644 +--- a/tests/functional/build.sh ++++ b/tests/functional/build.sh +@@ -174,3 +174,8 @@ test "$(<<<"$out" grep -E '^error:' | wc -l)" = 3 + <<<"$out" grepQuiet -E "error: 2 dependencies of derivation '.*-x4\\.drv' failed to build" + <<<"$out" grepQuiet -vE "hash mismatch in fixed-output derivation '.*-x3\\.drv'" + <<<"$out" grepQuiet -vE "hash mismatch in fixed-output derivation '.*-x2\\.drv'" ++ ++# Ensure when if the system build dir is inaccessible, we can still build things ++BUILD_DIR=$(mktemp -d) ++chmod 0000 "$BUILD_DIR" ++nix --build-dir "$BUILD_DIR" build -E 'with import ./config.nix; mkDerivation { name = "test"; buildCommand = "echo rawr > $out"; }' --impure --no-link +diff --git a/tests/functional/linux-sandbox.sh b/tests/functional/linux-sandbox.sh +index 82f363a09..526605e5f 100644 +--- a/tests/functional/linux-sandbox.sh ++++ b/tests/functional/linux-sandbox.sh +@@ -81,3 +81,10 @@ testCert present fixed-output "$certsymlink" + + # Symlinks should be added in the sandbox directly and not followed + nix-sandbox-build symlink-derivation.nix ++ ++# Regression fj#883: derivations outputs disappearing after rebuild ++# build the derivation for both its outputs and delete one of them. ++# simulates substitution or copying only one output from a builder. 
++nix-store --delete $(nix-sandbox-build --no-out-link ./regression-fj883.nix -A base.lib) ++# build a derivation depending on previous one. this should succeed ++nix-sandbox-build --no-out-link ./regression-fj883.nix -A downstream +diff --git a/tests/functional/regression-fj883.nix b/tests/functional/regression-fj883.nix +new file mode 100644 +index 000000000..2317145b7 +--- /dev/null ++++ b/tests/functional/regression-fj883.nix +@@ -0,0 +1,15 @@ ++with import ./config.nix; ++ ++rec { ++ base = mkDerivation { ++ name = "base"; ++ outputs = [ "out" "lib" ]; ++ buildCommand = "echo > $out; echo > $lib"; ++ }; ++ ++ downstream = mkDerivation { ++ name = "downstream"; ++ deps = [ base.out base.lib ]; ++ buildCommand = "echo $deps > $out"; ++ }; ++} +diff --git a/version.json b/version.json +index 22b83defe..a39a6e7e2 100644 +--- a/version.json ++++ b/version.json +@@ -1,5 +1,5 @@ + { +- "version": "2.93.1", +- "official_release": true, ++ "version": "2.93.2", ++ "official_release": false, + "release_name": "Bici Bici" + } From f6110a9a842cc04ca0d3e025ebc6c5a25160ecf7 Mon Sep 17 00:00:00 2001 From: ulic-youthlic Date: Tue, 24 Jun 2025 21:42:12 +0800 Subject: [PATCH 10/12] module(kvm): Add virtiofsd driver for kvm --- nixos/modules/programs/kvm.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos/modules/programs/kvm.nix b/nixos/modules/programs/kvm.nix index a72510b..9dc2817 100644 --- a/nixos/modules/programs/kvm.nix +++ b/nixos/modules/programs/kvm.nix @@ -26,6 +26,7 @@ in { virtualisation = { libvirtd = { enable = true; + qemu.vhostUserPackages = with pkgs; [virtiofsd]; }; spiceUSBRedirection = { enable = true; From 50ab06e01c7c59c71874a9ead5775f11da15531a Mon Sep 17 00:00:00 2001 
From: ulic-youthlic Date: Tue, 24 Jun 2025 21:42:12 +0800 Subject: [PATCH 11/12] Add alacritty configuration and use it as default --- home/david/configurations/Akun/default.nix | 1 + .../configurations/Tytonidae/default.nix | 1 + home/david/modules/programs/niri/config.nix | 12 ++++++-- .../modules/programs/alacritty/alacritty.toml | 28 +++++++++++++++++ home/modules/programs/alacritty/default.nix | 30 +++++++++++++++++++ home/modules/programs/default.nix | 1 + nixos/modules/gui/niri.nix | 2 +- 7 files changed, 72 insertions(+), 3 deletions(-) create mode 100644 home/modules/programs/alacritty/alacritty.toml create mode 100644 home/modules/programs/alacritty/default.nix diff --git a/home/david/configurations/Akun/default.nix b/home/david/configurations/Akun/default.nix index 20ac93a..8d6d1cb 100644 --- a/home/david/configurations/Akun/default.nix +++ b/home/david/configurations/Akun/default.nix @@ -37,6 +37,7 @@ atuin.enable = true; chromium.enable = true; thunderbird.enable = true; + alacritty.enable = true; # espanso.enable = true; }; }; diff --git a/home/david/configurations/Tytonidae/default.nix b/home/david/configurations/Tytonidae/default.nix index 299ca11..f693cf1 100644 --- a/home/david/configurations/Tytonidae/default.nix +++ b/home/david/configurations/Tytonidae/default.nix @@ -42,6 +42,7 @@ chromium.enable = true; espanso.enable = true; ion.enable = true; + alacritty.enable = true; }; }; diff --git a/home/david/modules/programs/niri/config.nix b/home/david/modules/programs/niri/config.nix index e9e45ab..2856153 100644 --- a/home/david/modules/programs/niri/config.nix +++ b/home/david/modules/programs/niri/config.nix 
@@ -35,7 +35,7 @@ polkit-kde-agent = getExe' pkgs.kdePackages.polkit-kde-agent-1 "polkit-kde-agent"; wpctl = getExe' pkgs.wireplumber "wpctl"; swaybg = getExe pkgs.swaybg; - ghostty = getExe config.programs.ghostty.package; + alacritty = getExe config.programs.alacritty.package; wl-paste = getExe' pkgs.wl-clipboard "wl-paste"; cliphist = getExe' pkgs.cliphist "cliphist"; cliphist-fuzzel-img = getExe' pkgs.cliphist "cliphist-fuzzel-img"; @@ -57,7 +57,7 @@ in ]) (plain "Mod+T" [ (spawn [ - ghostty + alacritty ]) ]) (plain "Mod+Shift+T" [ @@ -471,6 +471,10 @@ in app-id = "^com\\.mitchellh\\.ghostty$"; is-active = true; } + { + app-id = "^Alacritty$"; + is-active = true; + } ]) (leaf "draw-border-with-background" [false]) ]) @@ -480,6 +484,10 @@ in app-id = "^com\\.mitchellh\\.ghostty$"; is-active = false; } + { + app-id = "^Alacritty$"; + is-active = false; + } ]) (leaf "opacity" [0.8]) (leaf "draw-border-with-background" [false]) diff --git a/home/modules/programs/alacritty/alacritty.toml b/home/modules/programs/alacritty/alacritty.toml new file mode 100644 index 0000000..be05835 --- /dev/null +++ b/home/modules/programs/alacritty/alacritty.toml @@ -0,0 +1,28 @@ +[general] +ipc_socket = true +live_config_reload = true + +[window] +dynamic_padding = true +opacity = 0.8 +blur = true + +[scrolling] +history = 100000 +multiplier = 5 + +[font] +size = 16 + +[bell] +duration = 1 + +[selection] +save_to_clipboard = true + +[terminal] +osc52 = "CopyPaste" + +[mouse] +hide_when_typing = true + diff --git a/home/modules/programs/alacritty/default.nix b/home/modules/programs/alacritty/default.nix new file mode 100644 index 0000000..affa2f9 --- /dev/null +++ b/home/modules/programs/alacritty/default.nix 
@@ -0,0 +1,30 @@ +{ + lib, + config, + pkgs, + ... +}: let + cfg = config.youthlic.programs.alacritty; +in { + options = { + youthlic.programs.alacritty = { + enable = lib.mkEnableOption "alacritty"; + }; + }; + config = lib.mkIf cfg.enable { + programs.alacritty = { + enable = true; + package = pkgs.alacritty_git; + settings = + (./alacritty.toml |> builtins.readFile |> builtins.fromTOML) + // { + colors = lib.mkForce {}; + font.size = lib.mkForce 16; + window.opacity = lib.mkForce 0.8; + general.import = [ + "${pkgs.alacritty-theme}/share/alacritty-theme/gruvbox_dark.toml" + ]; + }; + }; + }; +} diff --git a/home/modules/programs/default.nix b/home/modules/programs/default.nix index 51ce6b1..e631004 100644 --- a/home/modules/programs/default.nix +++ b/home/modules/programs/default.nix @@ -30,5 +30,6 @@ ./fzf.nix ./eza.nix ./ion.nix + ./alacritty ]; } diff --git a/nixos/modules/gui/niri.nix b/nixos/modules/gui/niri.nix index dd23430..54e71e8 100644 --- a/nixos/modules/gui/niri.nix +++ b/nixos/modules/gui/niri.nix @@ -29,7 +29,7 @@ in { terminal-exec = { enable = true; settings = { - default = ["com.mitchellh.ghostty.desktop"]; + default = ["Alacritty.desktop"]; }; }; mime = { From 10ca88ec40e5a15ad744ef50a509ed9e28c2fe8a Mon Sep 17 00:00:00 2001 From: ulic-youthlic Date: Tue, 24 Jun 2025 21:42:12 +0800 Subject: [PATCH 12/12] module(helix): Change helix theme to gruvbox_dark_soft --- home/modules/programs/helix/config.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/modules/programs/helix/config.toml b/home/modules/programs/helix/config.toml index 0f1705e..df1b944 100644 --- a/home/modules/programs/helix/config.toml +++ b/home/modules/programs/helix/config.toml @@ -1,4 +1,4 @@ -theme = "ayu_dark" +theme = "gruvbox_dark_hard" [editor] line-number = "relative"
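Review bot: The `settings =` expression in home/modules/programs/alacritty/default.nix merges with `//`, which is a shallow update: the right-hand `window.opacity` and `general.import` attrsets replace the whole `window` and `general` tables read from alacritty.toml, so `dynamic_padding`, `blur`, `ipc_socket` and `live_config_reload` from that file are discarded. A deep merge keeps them: `settings = lib.recursiveUpdate (./alacritty.toml |> builtins.readFile |> builtins.fromTOML) { colors = lib.mkForce {}; font.size = lib.mkForce 16; window.opacity = lib.mkForce 0.8; general.import = [ … ]; };`. `font.size` and `window.opacity` are forced to the same values the TOML already sets, which suggests another module (a theming layer, I assume) writes them too; a comment naming it would explain the `mkForce`.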
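Review bot: The hunk in home/modules/programs/helix/config.toml sets `theme = "gruvbox_dark_hard"`, while the subject line of this patch says the theme changes to `gruvbox_dark_soft`; one of the two is wrong, and the commit message is the one a later `git log` search will trust. Either change the line to `theme = "gruvbox_dark_soft"` or reword the subject to name the hard variant.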