From 0c2dcc07343afdfbbf1fc8632b2cbcfd16f0f417 Mon Sep 17 00:00:00 2001
From: Ryan Yin
Date: Sat, 1 Nov 2025 20:01:22 +0800
Subject: [PATCH] feat: update nixpkgs-patched & nixpaks-common
---
 Justfile | 2 +-
 flake.nix | 2 -
 hardening/nixpaks/modules/common.nix | 306 +++++++++++++--------------
 hosts/idols-ai/ai/ollama.nix | 11 +-
 4 files changed, 153 insertions(+), 168 deletions(-)
diff --git a/Justfile b/Justfile
index 7b2e8e08..376cdb71 100644
--- a/Justfile
+++ b/Justfile
@@ -100,7 +100,7 @@ repair-store *paths:
 # Update all Nixpkgs inputs
 [group('nix')]
 up-nix:
- nix flake update nixpkgs nixpkgs-stable nixpkgs-unstable nixpkgs-darwin nixpkgs-ollama
+ nix flake update nixpkgs nixpkgs-stable nixpkgs-unstable nixpkgs-darwin nixpkgs-patched
 ############################################################################
 #
diff --git a/flake.nix b/flake.nix
index e8282c2d..d7390b0b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -39,8 +39,6 @@
 nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
 nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-25.05";
- nixpkgs-ollama.url = "github:nixos/nixpkgs/nixos-unstable";
-
 nixpkgs-patched.url = "github:ryan4yin/nixpkgs/nixos-unstable-patched";
 # for macos
diff --git a/hardening/nixpaks/modules/common.nix b/hardening/nixpaks/modules/common.nix
index 44a23a45..d2ca4f18 100644
--- a/hardening/nixpaks/modules/common.nix
+++ b/hardening/nixpaks/modules/common.nix
@@ -1,191 +1,183 @@
 # https://github.com/mnixry/nixos-config/blob/74913c2b90d06e31170bbbaa0074f915721da224/desktop/packages/nixpaks-common.nix
+# https://github.com/Kraftland/portable/blob/09c4a4227538a3f42de208a6ecbdc938ac9c00dd/portable.sh
 {
 lib,
- pkgs,
 sloth,
 config,
 ...
 }:
+let
+ inherit (config.flatpak) appId;
+in
 {
 config = {
- dbus =
- let
- inherit (config.flatpak) appId;
- in
- {
- # same usage as --see, --talk, --own
- policies = {
- "${appId}" = "own";
- "${appId}.*" = "own";
- "org.freedesktop.DBus" = "talk";
- "ca.desrt.dconf" = "talk";
- "org.gtk.vfs" = "talk";
- "org.gtk.vfs.*" = "talk";
- "org.freedesktop.appearance" = "talk";
- "org.freedesktop.appearance.*" = "talk";
- }
- // (builtins.listToAttrs (
- map (id: lib.nameValuePair "org.kde.StatusNotifierItem-${toString id}-1" "own") (
- lib.lists.range 2 11
- )
- ))
- // {
- # --- MPRIS Media Control ---
- # Allows the app to register as a media player. These are derived from the appID.
- "org.mpris.MediaPlayer2.${appId}" = "own";
- "org.mpris.MediaPlayer2.${appId}.*" = "own";
- "org.mpris.MediaPlayer2.${lib.lists.last (lib.strings.splitString "." appId)}" = "own";
- "org.mpris.MediaPlayer2.${lib.lists.last (lib.strings.splitString "." appId)}.*" = "own";
- # Conditionally allows a custom, friendlier MPRIS name if 'mprisName' is set.
- # "org.mpris.MediaPlayer2.${mprisName}" = "own";
- # "org.mpris.MediaPlayer2.${mprisName}.*" = "own";
+ dbus = {
+ # `--see`: The bus name can be enumerated by the application.
+ # `--talk`: The application can send messages to, and receive replies and signals from, the bus name.
+ # `--own`: The application can own the bus name
+ policies = {
+ "${appId}" = "own";
+ "${appId}.*" = "own";
+ "org.freedesktop.DBus" = "talk";
+ "ca.desrt.dconf" = "talk";
+ "org.freedesktop.appearance" = "talk";
+ "org.freedesktop.appearance.*" = "talk";
+ }
+ // (builtins.listToAttrs (
+ map (id: lib.nameValuePair "org.kde.StatusNotifierItem-${toString id}-1" "own") (
+ lib.lists.range 2 29
+ )
+ ))
+ // {
+ # --- MPRIS Media Control ---
+ # Allows the app to register as a media player. These are derived from the appID.
+ "org.mpris.MediaPlayer2.${appId}" = "own";
+ "org.mpris.MediaPlayer2.${appId}.*" = "own";
+ "org.mpris.MediaPlayer2.${lib.lists.last (lib.strings.splitString "." appId)}" = "own";
+ "org.mpris.MediaPlayer2.${lib.lists.last (lib.strings.splitString "." appId)}.*" = "own";
- # --- General Desktop Integration ---
- "com.canonical.AppMenu.Registrar" = "talk"; # For Ubuntu AppMenu
- "org.freedesktop.FileManager1" = "talk";
- "org.freedesktop.Notifications" = "talk";
+ # --- General Desktop Integration ---
+ "com.canonical.AppMenu.Registrar" = "talk"; # For Ubuntu AppMenu
+ "org.freedesktop.FileManager1" = "talk";
+ "org.freedesktop.Notifications" = "talk";
+ "org.kde.StatusNotifierWatcher" = "talk";
- # --- Accessibility (a11y) ---
- "org.a11y.Bus" = "see";
+ # --- Accessibility (a11y) 无障碍服务 ---
+ "org.a11y.Bus" = "see";
- # --- Portal Access ---
- # "org.freedesktop.portal.*" = "talk";
- "org.freedesktop.portal.Documents" = "talk";
- "org.freedesktop.portal.FileTransfer" = "talk";
- "org.freedesktop.portal.FileTransfer.*" = "talk";
- "org.freedesktop.portal.Notification" = "talk";
- "org.freedesktop.portal.OpenURI" = "talk";
- "org.freedesktop.portal.OpenURI.OpenFile" = "talk";
- "org.freedesktop.portal.OpenURI.OpenURI" = "talk";
- "org.freedesktop.portal.Print" = "talk";
- "org.freedesktop.portal.Request" = "see";
+ # --- Portal Access ---
+ # "org.freedesktop.portal.*" = "talk";
+ "org.freedesktop.portal.Documents" = "talk";
+ "org.freedesktop.portal.FileTransfer" = "talk";
+ "org.freedesktop.portal.FileTransfer.*" = "talk";
+ "org.freedesktop.portal.Notification" = "talk";
+ "org.freedesktop.portal.OpenURI" = "talk";
+ "org.freedesktop.portal.OpenURI.OpenFile" = "talk";
+ "org.freedesktop.portal.OpenURI.OpenURI" = "talk";
+ "org.freedesktop.portal.Print" = "talk";
+ "org.freedesktop.portal.Request" = "see";
- # --- Input Method Portals ---
- "org.freedesktop.portal.Fcitx" = "talk";
- "org.freedesktop.portal.Fcitx.*" = "talk";
- "org.freedesktop.portal.IBus" = "talk";
- "org.freedesktop.portal.IBus.*" = "talk";
- };
- rules = {
- # 'call' rules permit specific method calls on D-Bus interfaces.
- call = {
- # --- Accessibility ---
- "org.a11y.Bus" = [
- "org.a11y.Bus.GetAddress@/org/a11y/bus"
- "org.freedesktop.DBus.Properties.Get@/org/a11y/bus"
- ];
+ # --- Input Method Portals ---
+ "org.freedesktop.portal.Fcitx" = "talk";
+ "org.freedesktop.portal.Fcitx.*" = "talk";
+ "org.freedesktop.portal.IBus" = "talk";
+ "org.freedesktop.portal.IBus.*" = "talk";
+ };
+ # '--call' rules permit specific method calls on D-Bus interfaces.
+ rules.call = {
+ # --- Accessibility (a11y) 无障碍服务 ---
+ "org.a11y.Bus" = [
+ "org.a11y.Bus.GetAddress@/org/a11y/bus"
+ "org.freedesktop.DBus.Properties.Get@/org/a11y/bus"
+ ];
- # --- General Portal Rules ---
- "org.freedesktop.FileManager1" = [ "*" ];
- "org.freedesktop.Notifications.*" = [ "*" ];
- "org.freedesktop.portal.Documents" = [ "*" ];
- "org.freedesktop.portal.FileTransfer" = [ "*" ];
- "org.freedesktop.portal.FileTransfer.*" = [ "*" ];
- "org.freedesktop.portal.Fcitx" = [ "*" ];
- "org.freedesktop.portal.Fcitx.*" = [ "*" ];
- "org.freedesktop.portal.IBus" = [ "*" ];
- "org.freedesktop.portal.IBus.*" = [ "*" ];
- "org.freedesktop.portal.Notification" = [ "*" ];
- "org.freedesktop.portal.OpenURI" = [ "*" ];
- "org.freedesktop.portal.OpenURI.OpenFile" = [ "*" ];
- "org.freedesktop.portal.OpenURI.OpenURI" = [ "*" ];
- "org.freedesktop.portal.Print" = [ "*" ];
- "org.freedesktop.portal.Request" = [ "*" ];
+ # --- General Portal Rules ---
+ "org.freedesktop.FileManager1" = [ "*" ];
+ "org.freedesktop.Notifications.*" = [ "*" ];
+ "org.freedesktop.portal.Documents" = [ "*" ];
+ "org.freedesktop.portal.FileTransfer" = [ "*" ];
+ "org.freedesktop.portal.FileTransfer.*" = [ "*" ];
+ "org.freedesktop.portal.Fcitx" = [ "*" ];
+ "org.freedesktop.portal.Fcitx.*" = [ "*" ];
+ "org.freedesktop.portal.IBus" = [ "*" ];
+ "org.freedesktop.portal.IBus.*" = [ "*" ];
+ "org.freedesktop.portal.Notification" = [ "*" ];
+ "org.freedesktop.portal.OpenURI" = [ "*" ];
+ "org.freedesktop.portal.OpenURI.OpenFile" = [ "*" ];
+ "org.freedesktop.portal.OpenURI.OpenURI" = [ "*" ];
+ "org.freedesktop.portal.Print" = [ "*" ];
+ "org.freedesktop.portal.Request" = [ "*" ];
- # --- Main Desktop Portal Interface ---
- # A comprehensive list of permissions for interacting with the desktop environment.
- "org.freedesktop.portal.Desktop" = [
- # Device Access
- "org.freedesktop.portal.Camera"
- "org.freedesktop.portal.Camera.*"
- "org.freedesktop.portal.Usb"
- "org.freedesktop.portal.Usb.*"
+ # --- Main Desktop Portal Interface ---
+ # A comprehensive list of permissions for interacting with the desktop environment.
+ "org.freedesktop.portal.Desktop" = [
+ # Properties & Settings
+ "org.freedesktop.DBus.Properties.GetAll"
+ "org.freedesktop.DBus.Properties.Get@/org/freedesktop/portal/desktop"
+ "org.freedesktop.portal.Session.Close"
+ "org.freedesktop.portal.Settings.ReadAll"
+ "org.freedesktop.portal.Settings.Read"
+ "org.freedesktop.portal.Account.GetUserInformation"
- # File Chooser & Documents
- "org.freedesktop.portal.Documents"
- "org.freedesktop.portal.Documents.*"
- "org.freedesktop.portal.FileChooser"
- "org.freedesktop.portal.FileChooser.*"
- "org.freedesktop.portal.FileTransfer"
- "org.freedesktop.portal.FileTransfer.*"
+ # Network & Proxy
+ "org.freedesktop.portal.NetworkMonitor"
+ "org.freedesktop.portal.NetworkMonitor.*"
+ "org.freedesktop.portal.ProxyResolver.Lookup"
+ "org.freedesktop.portal.ProxyResolver.Lookup.*"
- # Input Methods
- "org.freedesktop.portal.Fcitx"
- "org.freedesktop.portal.Fcitx.*"
- "org.freedesktop.portal.IBus"
- "org.freedesktop.portal.IBus.*"
+ # Screenshot / Screen Capture & Sharing
+ "org.freedesktop.portal.ScreenCast"
+ "org.freedesktop.portal.ScreenCast.*"
+ "org.freedesktop.portal.Screenshot"
+ "org.freedesktop.portal.Screenshot.Screenshot"
- # Notifications & Printing
- "org.freedesktop.portal.Notification"
- "org.freedesktop.portal.Notification.*"
- "org.freedesktop.portal.Print"
- "org.freedesktop.portal.Print.*"
+ # Device Access(Camera / USB)
+ "org.freedesktop.portal.Camera"
+ "org.freedesktop.portal.Camera.*"
+ "org.freedesktop.portal.Usb"
+ "org.freedesktop.portal.Usb.*"
- # Open/Launch Handlers
- "org.freedesktop.portal.Email.ComposeEmail"
- "org.freedesktop.portal.OpenURI"
- "org.freedesktop.portal.OpenURI.*"
+ # Remote Desktop
+ "org.freedesktop.portal.RemoteDesktop"
+ "org.freedesktop.portal.RemoteDesktop.*"
- # Properties & Session Management
- "org.freedesktop.DBus.Properties.GetAll"
- "org.freedesktop.DBus.Properties.Get@/org/freedesktop/portal/desktop"
- "org.freedesktop.portal.Session.Close"
+ # File Operations
+ "org.freedesktop.portal.Documents"
+ "org.freedesktop.portal.Documents.*"
+ "org.freedesktop.portal.FileChooser"
+ "org.freedesktop.portal.FileChooser.*"
+ "org.freedesktop.portal.FileTransfer"
+ "org.freedesktop.portal.FileTransfer.*"
- # Screen Capture & Sharing
- "org.freedesktop.portal.RemoteDesktop"
- "org.freedesktop.portal.RemoteDesktop.*"
- "org.freedesktop.portal.ScreenCast"
- "org.freedesktop.portal.ScreenCast.*"
- "org.freedesktop.portal.Screenshot"
- "org.freedesktop.portal.Screenshot.Screenshot"
+ # Notifications & Printing
+ "org.freedesktop.portal.Notification"
+ "org.freedesktop.portal.Notification.*"
+ "org.freedesktop.portal.Print"
+ "org.freedesktop.portal.Print.*"
- # Secrets (Keyring)
- "org.freedesktop.portal.Secret"
- "org.freedesktop.portal.Secret.RetrieveSecret"
+ # Open/Launch Handlers
+ "org.freedesktop.portal.OpenURI"
+ "org.freedesktop.portal.OpenURI.*"
+ "org.freedesktop.portal.Email.ComposeEmail"
- # Settings
- "org.freedesktop.portal.Settings.Read"
- "org.freedesktop.portal.Settings.ReadAll"
+ # Input Methods
+ "org.freedesktop.portal.Fcitx"
+ "org.freedesktop.portal.Fcitx.*"
+ "org.freedesktop.portal.IBus"
+ "org.freedesktop.portal.IBus.*"
- # System Information
- "org.freedesktop.portal.Account.GetUserInformation"
- "org.freedesktop.portal.NetworkMonitor"
- "org.freedesktop.portal.NetworkMonitor.*"
- "org.freedesktop.portal.ProxyResolver.Lookup"
- "org.freedesktop.portal.ProxyResolver.Lookup.*"
+ # Secrets (Keyring)
+ "org.freedesktop.portal.Secret"
+ "org.freedesktop.portal.Secret.RetrieveSecret"
- # Generic Request Fallback
- "org.freedesktop.portal.Request"
+ # Get/Update GlobalShortcuts
+ # "org.freedesktop.portal.GlobalShortcuts"
+ # "org.freedesktop.portal.GlobalShortcuts.*"
- # --- Conditional Portal Rules ---
- # These would be enabled based on config flags in a real implementation.
+ # -- get the user's location
+ # "org.freedesktop.portal.Location"
+ # "org.freedesktop.portal.Location.*"
- # Enabled if 'allowGlobalShortcuts = true'
- "org.freedesktop.portal.GlobalShortcuts"
- "org.freedesktop.portal.GlobalShortcuts.*"
+ # -- inhibit the user session from ending, suspending, idling or getting switched away.
+ "org.freedesktop.portal.Inhibit"
+ "org.freedesktop.portal.Inhibit.*"
- # Enabled if 'allowInhibit = true'
- "org.freedesktop.portal.Inhibit"
- "org.freedesktop.portal.Inhibit.*"
-
- # Enabled if 'XDG_CURRENT_DESKTOP = "GNOME"'
- "org.freedesktop.portal.Location"
- "org.freedesktop.portal.Location.*"
- ];
- };
-
- # 'broadcast' rules permit receiving signals from D-Bus names.
- broadcast = {
- "org.freedesktop.portal.*" = [ "@/org/freedesktop/portal/*" ];
- };
- };
- args = [
- "--filter"
- "--sloppy-names"
- "--log"
+ # Generic Request Fallback
+ "org.freedesktop.portal.Request"
 ];
 };
+ # 'broadcast' rules permit receiving signals from D-Bus names.
+ rules.broadcast = {
+ "org.freedesktop.portal.*" = [ "@/org/freedesktop/portal/*" ];
+ };
+ args = [
+ "--filter"
+ "--sloppy-names"
+ "--log"
+ ];
+ };
+ etc.sslCertificates.enable = true;
 bubblewrap = {
 network = lib.mkDefault true;
diff --git a/hosts/idols-ai/ai/ollama.nix b/hosts/idols-ai/ai/ollama.nix
index 22266217..815529ac 100644
--- a/hosts/idols-ai/ai/ollama.nix
+++ b/hosts/idols-ai/ai/ollama.nix
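Review bot: The baseline `rules.call` entry for `"org.freedesktop.portal.Desktop"` still grants every app that imports this common module `org.freedesktop.portal.RemoteDesktop.*`, `ScreenCast.*`, `Secret.RetrieveSecret` and `Inhibit.*`, and the new side drops the old `# Enabled if 'allowInhibit = true'`-style comments that at least recorded the intent to gate those per app, while GlobalShortcuts and Location are now gated by being commented out. Unless every sandboxed app needs remote-control, screen-capture and keyring access, the least-privilege move is to leave those groups out of common.nix and add them from the per-app module; failing that, a comment above them such as `# Granted to every sandboxed app; move to per-app config when the app does not need remote-control / screen-capture / keyring access` keeps the trade-off visible. The widening of the StatusNotifierItem `own` range from `lib.lists.range 2 11` to `lib.lists.range 2 29` is also uncommented; the bus name embeds the registering process's PID, so a note like `# SNI bus names embed the registering PID; presumably sandboxed PIDs stay below 30 — confirm` would tell the next reader where 29 comes from. The enclosing `config = { ... }` attribute set continues past the end of the hunk.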
@@ -1,19 +1,14 @@
 {
- pkgs,
- nixpkgs-ollama,
+ pkgs-patched,
 ...
 }:
 let
- pkgs-ollama = import nixpkgs-ollama {
- inherit (pkgs) system;
- # To use cuda, we need to allow the installation of non-free software
- config.allowUnfree = true;
- };
+
 in
 {
 services.ollama = rec {
 enable = true;
- package = pkgs-ollama.ollama;
+ package = pkgs-patched.ollama;
 acceleration = "cuda";
 host = "0.0.0.0";
 port = 11434;
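Review bot: The new side leaves an empty `let` … `in` around the attribute set once the `pkgs-ollama` binding is removed; dropping the `let` line, the added blank line and `in` leaves `{ pkgs-patched, ... }: { services.ollama = rec { ... }; }` with no change in meaning. The removed block also carried `config.allowUnfree = true` together with the comment that CUDA needs non-free packages; `package = pkgs-patched.ollama;` only satisfies `acceleration = "cuda";` if `pkgs-patched` is instantiated with that setting elsewhere in the flake, which this diff does not show, so a comment at the package line such as `# pkgs-patched must be instantiated with allowUnfree (CUDA)` would preserve the requirement where it is consumed.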