From 511793cba498f52b0f92904965ea5c9afa8b6ea4 Mon Sep 17 00:00:00 2001 From: sommerfeld Date: Thu, 18 Jun 2026 12:06:20 +0100 Subject: Reduce Arch package surface --- nix/common.nix | 1 + nix/host.nix | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++------ 2 files changed, 52 insertions(+), 6 deletions(-) (limited to 'nix') diff --git a/nix/common.nix b/nix/common.nix index 2a71de4..c1cf551 100644 --- a/nix/common.nix +++ b/nix/common.nix @@ -117,6 +117,7 @@ doxygen # Docs + less tldr man-db man-pages diff --git a/nix/host.nix b/nix/host.nix index ca8bcc4..de68230 100644 --- a/nix/host.nix +++ b/nix/host.nix @@ -43,6 +43,37 @@ let platforms = platforms.all; }; }; + pass-secret-service-rust = pkgs.rustPlatform.buildRustPackage rec { + pname = "pass-secret-service"; + version = "0.7.0"; + + src = pkgs.fetchFromGitHub { + owner = "grimsteel"; + repo = "pass-secret-service"; + rev = "v${version}"; + hash = "sha256-cBDGxF1ETyszwHZJwN8n+lwKcpOU8Xt1XTOGbUHj9UI="; + }; + + cargoHash = "sha256-Ko8LlgPG6kl+pZ47jrFnKdc+9i7/eh9DMRtG2SWQGjQ="; + nativeBuildInputs = [ pkgs.makeWrapper ]; + + postInstall = '' + wrapProgram "$out/bin/pass-secret-service" \ + --prefix PATH : "${lib.makeBinPath [ pkgs.gnupg ]}" + ''; + + meta = { + description = "Implementation of org.freedesktop.secrets using pass"; + homepage = "https://github.com/grimsteel/pass-secret-service"; + license = lib.licenses.gpl3Only; + platforms = lib.platforms.linux; + mainProgram = "pass-secret-service"; + }; + }; + arkenfox-userjs-profile = pkgs.runCommand "arkenfox-userjs-profile-${pkgs.arkenfox-userjs.version}" { } '' + install -Dm644 ${pkgs.arkenfox-userjs}/user.js $out/share/arkenfox-userjs/user.js + install -Dm644 ${pkgs.arkenfox-userjs}/user.cfg $out/share/arkenfox-userjs/user.cfg + ''; in { imports = [ ./common.nix ]; 
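Review bot: The `meta` of `pass-secret-service-rust` writes `lib.platforms.linux` and `lib.licenses.gpl3Only` while the derivation immediately above it uses the bare `platforms.all`, so one of the two spellings is relying on a `with lib;` I cannot see from the hunk or is simply inconsistent; use one form for both. The `let` block these bindings belong to opens outside the hunk. `postInstall` only prefixes `gnupg` onto PATH, so if the binary also shells out to `pass` or `git` those are resolved from the user's environment at runtime rather than pinned by the derivation; a one-line comment naming what the wrapper is meant to cover would settle it, e.g. `# Provider decrypts via gpg directly; only gnupg needs to be on PATH.` if that matches upstream. Since `hash` and `cargoHash` both pin content, a moved `v0.7.0` tag fails the build instead of pulling different code, which is the right failure mode.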
@@ -50,6 +81,11 @@ in home.username = builtins.getEnv "USER"; home.homeDirectory = builtins.getEnv "HOME"; + # Keep Nix's compiler out of PATH, but make it available to host Neovim for + # nvim-treesitter parser builds. The Nix-provided Neovim loads these parser + # .so files, so using the Nix compiler wrapper is the coherent ABI choice. + home.sessionVariables.NVIM_TREESITTER_CC = "${pkgs.stdenv.cc}/bin/cc"; + home.packages = with pkgs; [ # ── Thunderbird helpers ─────────────────────────────────────────────────── # external-editor-revived is the native-messaging host that lets the @@ -71,6 +107,13 @@ in # `protonmail-bridge-core`. protonmail-bridge + # ── Secrets portal ──────────────────────────────────────────────────────── + # Grimsteel's Rust org.freedesktop.secrets provider backed by pass. This is + # not nixpkgs' Python `pass-secret-service`; the repo-owned user unit at + # dot_config/systemd/user/pass-secret-service.service uses the Rust binary + # name and the PASSWORD_STORE_DIR drop-in. + pass-secret-service-rust + # ── Wayland session: bars, launchers, notifiers, daemons ────────────────── # Pure user-session GUIs/daemons — no system unit, no D-Bus activation # file under /usr/share/dbus-1, no login-manager session entry. The 
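Review bot: `home.sessionVariables.NVIM_TREESITTER_CC` is only visible to processes descended from a shell that sourced Home Manager's session-variables file, so a Neovim started from a desktop entry or a terminal that skips the login profile may not see it and the parser build would fall back to whatever `cc` nvim-treesitter finds on its own. The added comment explains the ABI motivation but not how the variable is consumed or where it is guaranteed to be set; I would extend it with `# Read by the Neovim config's nvim-treesitter compiler setting; only set in sessions that source hm-session-vars.sh.` I am inferring the consumer from the variable name, since the Neovim config is not part of this diff.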
@@ -136,13 +179,15 @@ in # testing. sparrow - # chezmoi & paru — both are pure user CLIs. `paru` wraps pacman+makepkg - # but doesn't link them; it just shells out. bootstrap.sh installs a - # one-shot pacman `chezmoi` for the very first `chezmoi init --apply`, - # then `paru -Rns chezmoi paru` after the first nix-switch drops the - # pacman copies (the nix-profile copies on PATH take over). + # ── Browser hardening ──────────────────────────────────────────────────── + # Upstream Arkenfox user.js from nixpkgs, re-exposed under share/ so the + # chezmoi Firefox/LibreWolf deploy hook can render it with + # firefox/user-overrides.js into the Flatpak profile. + arkenfox-userjs-profile + + # Dotfile manager. bootstrap.sh uses the pacman `just` only long enough + # to run nix-switch; after that, this nix-profile copy is on PATH. chezmoi - paru # ── OCR ────────────────────────────────────────────────────────────────── # Override merges eng + por language data into a single derivation, -- cgit v1.3.1
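Review bot: The rewritten comment on `chezmoi` drops the only description of how the pacman-installed copy is removed after the first nix-switch (the old text named a `-Rns` cleanup) and now says bootstrap.sh relies on a pacman `just` rather than a pacman `chezmoi`, leaving a reader unsure which `chezmoi` wins on PATH afterwards. If the cleanup step still exists in bootstrap.sh, restate it, e.g. `# bootstrap.sh removes the pacman copies once the nix profile is active.`; if it was dropped together with `paru`, say that instead, since two copies of the same tool on PATH is the kind of surface this commit's subject is trying to reduce. bootstrap.sh is not in this diff, so which of the two is true is for the author to confirm.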