neovim: Use rust-analyzer configuration from docs

This changes the used parsers from an allowlist to a denylist.

machines/fuuko/configuration.nix

@@ -36,11 +36,6 @@
 
   services.nginx = {
     enable = true;
-
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
   };
   networking.firewall.allowedTCPPorts = [ 80 443 ];
   systemd.services.nginx.serviceConfig.SupplementaryGroups = lib.singleton "keys";

machines/nazuna/configuration.nix

@@ -15,14 +15,7 @@
 
   system.stateVersion = "23.05";
 
-  services.nginx = {
-    enable = true;
-
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-  };
+  services.nginx.enable = true;
   networking.firewall.allowedTCPPorts = [ 80 443 ];
   systemd.services.nginx.serviceConfig.SupplementaryGroups = lib.singleton "keys";
 

machines/okarin/configuration.nix

@@ -22,11 +22,6 @@
   services.nginx = {
     enable = true;
 
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-
     virtualHosts."okarin.sbruder.xyz" = {
       enableACME = true;
       forceSSL = true;

machines/renge/configuration.nix

@@ -41,11 +41,6 @@
   services.nginx = {
     enable = true;
 
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-
     virtualHosts."sbruder.de" = {
       enableACME = true;
       forceSSL = true;

machines/vueko/configuration.nix

@@ -42,11 +42,6 @@
   services.nginx = {
     enable = true;
 
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-
     virtualHosts = {
       "vueko.sbruder.de" = {
         enableACME = true;

machines/vueko/services/fuuko-proxy.nix

@@ -6,10 +6,13 @@
       enableACME = true;
       forceSSL = true;
 
-      locations."/".extraConfig = ''
-        proxy_pass http://fuuko.vpn.sbruder.de/;
-        proxy_set_header Host ${fqdn};
-      '';
+      locations."/" = {
+        extraConfig = ''
+          proxy_pass http://fuuko.vpn.sbruder.de/;
+          proxy_set_header Host ${fqdn};
+        '';
+        proxyWebsockets = true;
+      };
     })
     [
       "languagetool.sbruder.de"

modules/default.nix

@@ -38,6 +38,7 @@
     ./network-manager.nix
     ./nginx-interactive-index
     ./nginx.nix
+    ./nitrokey.nix
     ./nix.nix
     ./office.nix
     ./pipewire.nix
@@ -97,10 +98,6 @@
       # Support for exotic file systems
       boot.supportedFilesystems = lib.optional config.sbruder.full "ntfs";
 
-      # Authentication/Encryption agents
-      programs.gnupg.agent.enable = true;
-      programs.ssh.startAgent = true;
-
       # When this is set to true (default), routing everything through a
       # wireguard tunnel does not work.
       networking.firewall.checkReversePath = false;

modules/gui.nix

@@ -52,4 +52,7 @@ lib.mkIf config.sbruder.gui.enable {
       mode = "440";
     };
   };
+
+  # required for pinentry-gnome3
+  services.dbus.packages = [ pkgs.gcr ];
 }

modules/media-proxy.nix

@@ -1,6 +1,5 @@
 { config, lib, pkgs, ... }:
 let
-  port = 8888;
   services = {
     "media" = config.sops.secrets.media-proxy-auth.path;
     "media-sb" = config.sops.secrets.media-proxy-auth.path;
@@ -24,37 +23,27 @@ in
       enable = true;
       commonHttpConfig = ''
         map $http_referer $media_proxy_referer {
-            ~^http://localhost:8888/ "";
+            ~^http://.*\.localhost/ "";
             default                  $http_referer;
         }
       '';
-      virtualHosts.media-proxy = {
-        serverName = "localhost";
-        listen = [
-          { inherit port; addr = "127.0.0.1"; }
-          { inherit port; addr = "[::1]"; }
-        ];
-        locations = {
-          "/".extraConfig = ''
-            rewrite ^/__nginx-interactive-index-assets__/(.*)$ /media/__nginx-interactive-index-assets__/$1;
-          '';
-        } // lib.mapAttrs'
-          (name: secret: {
-            name = "/${name}/";
-            value = {
-              proxyPass = "https://${name}.sbruder.de/";
-              proxyWebsockets = true;
-              extraConfig = ''
-                proxy_buffering off;
-                include ${secret};
-                charset utf-8;
-                proxy_set_header Referer $media_proxy_referer;
-                proxy_set_header Origin $media_proxy_referer;
-              '';
-            };
-          })
-          services;
-      };
+      virtualHosts = lib.mapAttrs'
+        (name: secret: lib.nameValuePair "${name}.localhost" {
+          locations."/" = {
+            proxyPass = "https://${name}.sbruder.de/";
+            proxyWebsockets = true;
+            # they interfere here, as the host needs to be changed
+            recommendedProxySettings = false;
+            extraConfig = ''
+              proxy_buffering off;
+              include ${secret};
+              charset utf-8;
+              proxy_set_header Referer $media_proxy_referer;
+              proxy_set_header Origin $media_proxy_referer;
+            '';
+          };
+        })
+        services;
     };
   };
 }

modules/nginx.nix

@@ -6,6 +6,7 @@ in
   options.sbruder.nginx = {
     hardening.enable = lib.mkEnableOption "nginx hardening";
     privacy.enable = (lib.mkEnableOption "nginx privacy options") // { default = true; };
+    recommended.enable = (lib.mkEnableOption "recommended options") // { default = true; };
   };
 
   config = lib.mkMerge [
@@ -26,5 +27,13 @@ in
         access_log off;
       '';
     })
+    (lib.mkIf cfg.recommended.enable {
+      services.nginx = {
+        recommendedGzipSettings = lib.mkDefault true;
+        recommendedOptimisation = lib.mkDefault true;
+        recommendedProxySettings = lib.mkDefault true;
+        recommendedTlsSettings = lib.mkDefault true;
+      };
+    })
   ];
 }

modules/nitrokey.nix

@@ -0,0 +1,12 @@
+{ config, lib, pkgs, ... }:
+
+{
+  hardware.nitrokey.enable = true;
+} // (lib.mkIf config.sbruder.gui.enable {
+  environment.systemPackages = with pkgs; [
+    # both depend on pypemicro, which is not needed, but nixpkgs requires it
+    # (even though it could have been optional: https://github.com/NixOS/nixpkgs/pull/183099#discussion_r933226708)
+    #nitrokey-app2
+    #pynitrokey
+  ];
+})

modules/qbittorrent/default.nix

@@ -97,6 +97,7 @@ in
           # Avoid using nscd (leaks dns)
           InaccessiblePaths = [
             "/run/nscd"
+            "/etc/nsswitch.conf"
           ];
           # Make correct resolv.conf available for unit
           BindReadOnlyPaths = [

modules/unfree.nix

@@ -30,6 +30,11 @@ in
         "makemkv" # exception: runs in sandbox, only way to get DRM garbage to work properly
         "p7zip" # exception: rar source code is not free, but available; p7zip with `enableUnfree` includes it
 
+        # exception: used for programming the NitroKey,
+        # available under essentially a 3-BSD license with two additional restrictions:
+        # one usage restriction and one (pointless as the source is available) reverse engineering restriction
+        "nrfutil"
+
         # games (okay if they run sandboxed)
         "osu-lazer" # also is free except for one dependency
         "steam"

pkgs/imprint/index.html

@@ -27,17 +27,17 @@
 
     <p>
       Simon Bruder<br>
-      Appartement 447<br>
-      Nürnberger Platz 1<br>
-      01187 Dresden<br>
+      ℅ Block Services<br>
+      Stuttgarter Str. 106<br>
+      70736 Fellbach<br>
     </p>
 
     <h2>Kontakt</h2>
 
     <ul>
       <li>E-Mail: <img class="mail" src="mail.svg"></li>
-      <li>Telefon: +49 152 56561414</li>
-      <li>Fax: +49 351 89672619<sup>a</sup></li>
+      <li>Telefon: +49&nbsp;351&nbsp;41886715</li>
+      <li>Telefax: +49&nbsp;351&nbsp;89672619<sup>a</sup></li>
     </ul>
     <div class="fineprint">
       <ol class="footnotes">

users/simon/modules/gpg.nix

@@ -1,3 +1,5 @@
+{ nixosConfig, ... }:
+
 {
   programs.gpg = {
     enable = true;
@@ -5,4 +7,17 @@
       default-key = "47E7559E037A35652DBBF8AA8D3C82F9F309F8EC";
     };
   };
+
+  services.gpg-agent = rec {
+    enable = true;
+    enableZshIntegration = true;
+    enableSshSupport = true;
+
+    pinentryFlavor = if nixosConfig.sbruder.gui.enable then "gnome3" else "curses";
+
+    defaultCacheTtl = 300;
+    defaultCacheTtlSsh = defaultCacheTtl;
+    maxCacheTtl = 1800;
+    maxCacheTtlSsh = maxCacheTtl;
+  };
 }

users/simon/modules/librewolf.nix

@@ -18,10 +18,10 @@ lib.mkIf nixosConfig.sbruder.gui.enable {
       "browser.uidensity" = 1; # more compact layout
       "identity.fxaccounts.enabled" = true;
       "middlemouse.paste" = false;
-      "network.http.referer.XOriginPolicy" = 2;
       "privacy.clearOnShutdown.history" = false;
       "webgl.disabled" = false; # requires installing CanvasBlocker
 
+      #"network.http.referer.XOriginPolicy" = 2; # breaks sites that include images from restrictive sources
       #"privacy.resistFingerprinting.letterboxing" = true; # quite annoying
     };
   };

users/simon/modules/neovim/default.nix

@@ -87,7 +87,7 @@ in
       nvim-jdtls
       nvim-lspconfig
       nvim-solarized-lua
-      nvim-treesitter
+      nvim-treesitter.withAllGrammars
       nvim-web-devicons
       plantuml-syntax
       plenary-nvim
@@ -111,29 +111,7 @@ in
   xdg.configFile = {
     "nvim/lua/init.lua".source = ./init.lua;
     "nvim/lua/snippets.lua".source = pkgs.callPackage ./snippets.nix { };
-  } // (lib.mapAttrs'
-    (name: path: lib.nameValuePair "nvim/parser/${lib.removePrefix "tree-sitter-" name}.so" { source = "${path}/parser"; })
-    ({
-      inherit (pkgs.tree-sitter.builtGrammars)
-        #tree-sitter-bash
-        tree-sitter-c
-        tree-sitter-cpp
-        tree-sitter-css
-        tree-sitter-dot
-        tree-sitter-go
-        tree-sitter-haskell
-        tree-sitter-html
-        tree-sitter-json
-        #tree-sitter-latex # incompatible with VimTeX
-        tree-sitter-lua
-        tree-sitter-nix
-        tree-sitter-perl
-        tree-sitter-python
-        tree-sitter-rust
-        tree-sitter-scss
-        tree-sitter-toml
-        tree-sitter-yaml;
-    }));
+  };
 
   home.sessionVariables.EDITOR = "nvim";
 }

users/simon/modules/neovim/init.lua

@@ -351,9 +351,23 @@ lsp.rust_analyzer.setup {
     on_attach = on_attach,
     settings = {
         ['rust-analyzer'] = {
+            cargo = {
+                buildScripts = {
+                    enable = true,
+                },
+            },
             checkOnSave = {
                 command = 'clippy',
             },
+            imports = {
+                granularity = {
+                    group = "module",
+                },
+                prefix = "self",
+            },
+            procMacro = {
+                enable = true
+            },
         },
     },
 }
@@ -421,13 +435,17 @@ require('trouble').setup {}
 
 -- Tree Sitter
 require('nvim-treesitter.configs').setup {
-  highlight = {
-    enable = true,
-    additional_vim_regex_highlighting = false,
-  },
-  indent = {
-    enable = true,
-  },
+    highlight = {
+        enable = true,
+        additional_vim_regex_highlighting = false,
+        disable = {
+            'gitcommit', -- only for “conventional commits”
+            'latex', -- incompatible with VimTeX
+        },
+    },
+    indent = {
+        enable = true,
+    },
 }
 
 -- VimTeX

users/simon/modules/sway/default.nix

@@ -73,8 +73,11 @@ in
           xkb_options = "compose:caps";
           xkb_numlock = "enable";
         };
+        "type:touchpad" = {
+          click_method = "clickfinger";
+          tap = "enabled";
+        };
       } // (lib.optionalAttrs (nixosConfig.networking.hostName == "mayushii") {
-        "type:touchpad".events = "disabled";
         "2:10:TPPS/2_Elan_TrackPoint".pointer_accel = "-0.15";
       });