diff --git a/flake.lock b/flake.lock index ba70fc7..3fc2210 100644 --- a/flake.lock +++ b/flake.lock @@ -10,11 +10,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1736955230, - "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=", + "lastModified": 1745630506, + "narHash": "sha256-bHCFgGeu8XjWlVuaWzi3QONjDW3coZDqSHvnd4l7xus=", "owner": "ryantm", "repo": "agenix", - "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c", + "rev": "96e078c646b711aee04b82ba01aefbff87004ded", "type": "github" }, "original": { @@ -72,11 +72,11 @@ "fromYaml": "fromYaml" }, "locked": { - "lastModified": 1732200724, - "narHash": "sha256-+R1BH5wHhfnycySb7Sy5KbYEaTJZWm1h+LW1OtyhiTs=", + "lastModified": 1745523430, + "narHash": "sha256-EAYWV+kXbwsH+8G/8UtmcunDeKwLwSOyfcmzZUkWE/c=", "owner": "SenchoPens", "repo": "base16.nix", - "rev": "153d52373b0fb2d343592871009a286ec8837aec", + "rev": "58bfe2553d937d8af0564f79d5b950afbef69717", "type": "github" }, "original": { @@ -180,11 +180,11 @@ ] }, "locked": { - "lastModified": 1700795494, - "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "lastModified": 1744478979, + "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "rev": "43975d782b418ebf4969e9ccba82466728c2851b", "type": "github" }, "original": { @@ -236,11 +236,11 @@ "firefox-gnome-theme_2": { "flake": false, "locked": { - "lastModified": 1743774811, - "narHash": "sha256-oiHLDHXq7ymsMVYSg92dD1OLnKLQoU/Gf2F1GoONLCE=", + "lastModified": 1744642301, + "narHash": "sha256-5A6LL7T0lttn1vrKsNOKUk9V0ittdW0VEqh6AtefxJ4=", "owner": "rafaelmardojai", "repo": "firefox-gnome-theme", - "rev": "df53a7a31872faf5ca53dd0730038a62ec63ca9e", + "rev": "59e3de00f01e5adb851d824cf7911bd90c31083a", "type": "github" }, "original": { 
@@ -531,11 +531,11 @@ ] }, "locked": { - "lastModified": 1703113217, - "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "lastModified": 1745494811, + "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", "owner": "nix-community", "repo": "home-manager", - "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", "type": "github" }, "original": { @@ -551,11 +551,11 @@ ] }, "locked": { - "lastModified": 1744833442, - "narHash": "sha256-BBMWW2m64Grcc5FlXz74+vdkUyCJOfUGnl+VcS/4x44=", + "lastModified": 1746369725, + "narHash": "sha256-m3ai7LLFYsymMK0uVywCceWfUhP0k3CALyFOfcJACqE=", "owner": "nix-community", "repo": "home-manager", - "rev": "c6b75d69b6994ba68ec281bd36faebcc56097800", + "rev": "1a1793f6d940d22c6e49753548c5b6cb7dc5545d", "type": "github" }, "original": { @@ -572,11 +572,11 @@ ] }, "locked": { - "lastModified": 1743869639, - "narHash": "sha256-Xhe3whfRW/Ay05z9m1EZ1/AkbV1yo0tm1CbgjtCi4rQ=", + "lastModified": 1746369725, + "narHash": "sha256-m3ai7LLFYsymMK0uVywCceWfUhP0k3CALyFOfcJACqE=", "owner": "nix-community", "repo": "home-manager", - "rev": "d094c6763c6ddb860580e7d3b4201f8f496a6836", + "rev": "1a1793f6d940d22c6e49753548c5b6cb7dc5545d", "type": "github" }, "original": { @@ -689,11 +689,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1744463964, - "narHash": "sha256-LWqduOgLHCFxiTNYi3Uj5Lgz0SR+Xhw3kr/3Xd0GPTM=", + "lastModified": 1746328495, + "narHash": "sha256-uKCfuDs7ZM3QpCE/jnfubTg459CnKnJG/LwqEVEdEiw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "2631b0b7abcea6e640ce31cd78ea58910d31e650", + "rev": "979daf34c8cacebcd917d540070b52a3c2b9b16e", "type": "github" }, "original": { 
@@ -705,11 +705,11 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1743583204, - "narHash": "sha256-F7n4+KOIfWrwoQjXrL2wD9RhFYLs2/GGe/MQY1sSdlE=", + "lastModified": 1745930157, + "narHash": "sha256-y3h3NLnzRSiUkYpnfvnS669zWZLoqqI6NprtLQ+5dck=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2c8d3f48d33929642c1c12cd243df4cc7d2ce434", + "rev": "46e634be05ce9dc6d4db8e664515ba10b78151ae", "type": "github" }, "original": { @@ -729,11 +729,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1743884191, - "narHash": "sha256-foVcginhVvjg8ZnTzY5wwMeZ4wjJ8yX66PW5kgyivPE=", + "lastModified": 1746056780, + "narHash": "sha256-/emueQGaoT4vu0QjU9LDOG5roxRSfdY0K2KkxuzazcM=", "owner": "nix-community", "repo": "NUR", - "rev": "fde90f5f52e13eed110a0e53a2818a2b09e4d37c", + "rev": "d476cd0972dd6242d76374fcc277e6735715c167", "type": "github" }, "original": { @@ -750,11 +750,11 @@ "utils": "utils" }, "locked": { - "lastModified": 1744830196, - "narHash": "sha256-za99eK3Xz6/NGPAWv4m5oVcRiklep+Xx70rYcj7sIcw=", + "lastModified": 1746393339, + "narHash": "sha256-7PXmCQfExrIOh8ISeruCWnmi3C1h/QjzfWyLA8FRRm8=", "owner": "wamserma", "repo": "flake-programs-sqlite", - "rev": "34d474ee18062e7c3b42dd3d79e62a7971ea4965", + "rev": "d61db790e37ccdb961510746bbfdf615fd085c99", "type": "github" }, "original": { @@ -832,11 +832,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1744668092, - "narHash": "sha256-XDmpI3ywMkypsHKRF2am6BzZ5OjwpQMulAe8L87Ek8U=", + "lastModified": 1746395987, + "narHash": "sha256-Na6MAPSWIWzxsgxwcxLhQ160ExvyyhCdC1JDcBA8vW8=", "owner": "danth", "repo": "stylix", - "rev": "38aff11a7097f4da6b95d4c4d2c0438f25a08d52", + "rev": "70f331c8e7da588e07e70cef15a114f9fcec3cee", "type": "github" }, "original": { 
@@ -942,11 +942,11 @@ "tinted-schemes": { "flake": false, "locked": { - "lastModified": 1742851696, - "narHash": "sha256-sR4K+OVFKeUOvNIqcCr5Br7NLxOBEwoAgsIyjsZmb8s=", + "lastModified": 1744974599, + "narHash": "sha256-Fg+rdGs5FAgfkYNCs74lnl8vkQmiZVdBsziyPhVqrlY=", "owner": "tinted-theming", "repo": "schemes", - "rev": "c37771c4ae8ff1667e27ddcf24991ebeb94a4e77", + "rev": "28c26a621123ad4ebd5bbfb34ab39421c0144bdd", "type": "github" }, "original": { @@ -958,11 +958,11 @@ "tinted-tmux": { "flake": false, "locked": { - "lastModified": 1743296873, - "narHash": "sha256-8IQulrb1OBSxMwdKijO9fB70ON//V32dpK9Uioy7FzY=", + "lastModified": 1745111349, + "narHash": "sha256-udV+nHdpqgkJI9D0mtvvAzbqubt9jdifS/KhTTbJ45w=", "owner": "tinted-theming", "repo": "tinted-tmux", - "rev": "af5152c8d7546dfb4ff6df94080bf5ff54f64e3a", + "rev": "e009f18a01182b63559fb28f1c786eb027c3dee9", "type": "github" }, "original": { diff --git a/modules/common/services/livekit.nix b/modules/common/services/livekit.nix deleted file mode 100644 index 91acdc2..0000000 --- a/modules/common/services/livekit.nix +++ /dev/null 
@@ -1,133 +0,0 @@
-{
- config,
- lib,
- pkgs,
- utils,
- ...
-}: let
- cfg = config.services.livekit;
- format = pkgs.formats.json {};
-in {
- meta.maintainers = with lib.maintainers; [quadradical];
- options.services.livekit = {
- enable = lib.mkEnableOption "Enable the livekit server";
- package = lib.mkPackageOption pkgs "livekit" {};
-
- keyFile = lib.mkOption {
- type = lib.types.path;
- description = ''
- LiveKit key file, with syntax `APIkey: secret`.
- The key and secret are used by other clients or services to connect to your Livekit instance.
- '';
- };
-
- openFirewall = lib.mkOption {
- type = lib.types.bool;
- default = false;
- description = "Opens port range for LiveKit on the firewall.";
- };
-
- settings = lib.mkOption {
- type = lib.types.submodule {
- freeformType = format.type;
- options = {
- port = lib.mkOption {
- type = lib.types.port;
- default = 7880;
- description = "Main TCP port for RoomService and RTC endpoint.";
- };
-
- rtc = {
- port_range_start = lib.mkOption {
- type = lib.types.int;
- default = 50000;
- description = "Start of UDP port range for WebRTC";
- };
-
- port_range_end = lib.mkOption {
- type = lib.types.int;
- default = 51000;
- description = "End of UDP port range for WebRTC";
- };
-
- use_external_ip = lib.mkOption {
- type = lib.types.bool;
- default = false;
- description = ''
- When set to true, attempts to discover the host's public IP via STUN.
- This is useful for cloud environments such as AWS & Google where hosts have an internal IP that maps to an external one
- '';
- };
- };
- };
- };
- default = {};
- description = ''
- LiveKit configuration file expressed in nix.
-
- For an example configuration, see .
- For all possible values, see .
- '';
- };
- };
-
- config = lib.mkIf cfg.enable {
- networking.firewall = lib.mkIf cfg.openFirewall {
- allowedTCPPorts = [
- cfg.settings.port
- ];
- allowedUDPPortRanges = [
- {
- from = cfg.settings.rtc.port_range_start;
- to = cfg.settings.rtc.port_range_end;
- }
- ];
- };
-
- systemd.services.livekit = {
- description = "LiveKit SFU server";
- documentation = ["https://docs.livekit.io"];
- wantedBy = ["multi-user.target"];
- wants = ["network-online.target"];
- after = ["network-online.target"];
-
- serviceConfig = {
- DynamicUser = true;
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- PrivateDevices = true;
- PrivateMounts = true;
- PrivateUsers = true;
- RestrictAddressFamilies = [
- "AF_INET"
- "AF_INET6"
- "AF_NETLINK"
- ];
- RestrictNamespaces = true;
- RestrictRealtime = true;
- ProtectHome = true;
- SystemCallArchitectures = "native";
- SystemCallFilter = [
- "@system-service"
- "~@privileged"
- "~@resources"
- ];
- LoadCredential = ["livekit-secrets:${cfg.keyFile}"];
- ExecStart = utils.escapeSystemdExecArgs [
- (lib.getExe cfg.package)
- "--config=${format.generate "livekit.json" cfg.settings}"
- "--key-file=/run/credentials/livekit.service/livekit-secrets"
- ];
- Restart = "on-failure";
- RestartSec = 5;
- UMask = "077";
- };
- };
- };
-}
diff --git a/modules/common/services/lk-jwt-service.nix b/modules/common/services/lk-jwt-service.nix
deleted file mode 100644
index 6038b0c..0000000
--- a/modules/common/services/lk-jwt-service.nix
+++ /dev/null
@@ -1,85 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}: let
- cfg = config.services.lk-jwt-service;
-in {
- meta.maintainers = [lib.maintainers.quadradical];
- options.services.lk-jwt-service = {
- enable = lib.mkEnableOption "Enable lk-jwt-service";
- package = lib.mkPackageOption pkgs "lk-jwt-service" {};
-
- livekitUrl = lib.mkOption {
- type = lib.types.strMatching "^wss?://.*";
- example = "wss://example.com/livekit/sfu";
- description = ''
- The public websocket URL for livekit.
- The proto needs to be either `wss://` (recommended) or `ws://` (insecure).
- '';
- };
-
- keyFile = lib.mkOption {
- type = lib.types.path;
- description = ''
- Path to your LiveKit key file, with syntax `APIkey: secret`.
- For more information, see .
- '';
- };
-
- port = lib.mkOption {
- type = lib.types.port;
- default = 8080;
- description = "Port that lk-jwt-service should listen on.";
- };
- };
-
- config = lib.mkIf cfg.enable {
- systemd.services.lk-jwt-service = {
- description = "Minimal service to issue LiveKit JWTs for MatrixRTC";
- documentation = ["https://github.com/element-hq/lk-jwt-service"];
- wantedBy = ["multi-user.target"];
- wants = ["network-online.target"];
- after = ["network-online.target"];
- environment = {
- LIVEKIT_URL = cfg.livekitUrl;
- LIVEKIT_JWT_PORT = toString cfg.port;
- LIVEKIT_KEY_FILE = "/run/credentials/lk-jwt-service.service/livekit-secrets";
- };
-
- serviceConfig = {
- DynamicUser = true;
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- PrivateDevices = true;
- PrivateMounts = true;
- PrivateUsers = true;
- RestrictAddressFamilies = [
- "AF_INET"
- "AF_INET6"
- ];
- RestrictNamespaces = true;
- RestrictRealtime = true;
- ProtectHome = true;
- SystemCallArchitectures = "native";
- SystemCallFilter = [
- "@system-service"
- "~@privileged"
- "~@resources"
- ];
- LoadCredential = ["livekit-secrets:${cfg.keyFile}"];
- ExecStart = lib.getExe cfg.package;
- Restart = "on-failure";
- RestartSec = 5;
- UMask = "077";
- };
- };
- };
-}
diff --git a/modules/desktop/firefox/default.nix b/modules/desktop/firefox/default.nix
index 080a9ae..c41eacf 100644
--- a/modules/desktop/firefox/default.nix
+++ b/modules/desktop/firefox/default.nix
@@ -131,6 +131,7 @@
 "jid1-MnnxcxisBPnSXQ@jetpack" # Privacy Badger
 "frankerfacez@frankerfacez.com"
 "7esoorv3@alefvanoon.anonaddy.me" # LibRedirect
+ "{cf3dba12-a848-4f68-8e2d-f9fadc0721de}" # Google Lighthouse
 "{446900e4-71c2-419f-a6a7-df9c091e268b}" # Bitwarden
 "{4ce83447-8255-43c2-b8f7-e02eb8c2cc39}" # Draw on Page
 "{ac34afe8-3a2e-4201-b745-346c0cf6ec7d}" # Better Youtube Shorts
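Review bot: The added `"{cf3dba12-a848-4f68-8e2d-f9fadc0721de}"` entry is an opaque GUID whose only link to an add-on is the trailing `# Google Lighthouse` comment, so nothing in this hunk lets a reader confirm which extension the ID actually resolves to. The list these IDs belong to is defined outside the hunk; if it feeds a browser policy that installs or allows extensions, a mistyped or look-alike ID would presumably be accepted without any warning. I would record the provenance next to the ID, for example `"{cf3dba12-a848-4f68-8e2d-f9fadc0721de}" # Google Lighthouse (ID copied from <ADD-ON LISTING URL>)`, so the mapping can be re-checked later. Lighthouse is a page-auditing tool that is normally needed only during development, so it is also worth deciding whether it belongs in the everyday profile or in a separate development profile.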