nixos/overlays: add tailscale hardening

2024-05-01 08:18:54 +08:00 · 2024-05-01 08:18:54 +08:00 · 59e634a071
commit 59e634a071
parent 68f3d1e340
6 changed files with 36 additions and 9 deletions
--- a/nixos/profiles/common/core/default.nix
+++ b/nixos/profiles/common/core/default.nix
@ -23,9 +23,7 @@
  ];

  nixpkgs.overlays = [
-    inputs.self.overlays.nautilus
-    inputs.self.overlays.prismlauncher
-    inputs.self.overlays.sway
+    inputs.self.overlays.patches
  ];

  ### home-manager
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -4,7 +4,10 @@ let
      patches = (old.patches or []) ++ patches;
    });
 in {
-  nautilus = import ./nautilus.nix {inherit addPatches;};
-  prismlauncher = import ./prismlauncher.nix {inherit addPatches;};
-  sway = import ./sway.nix {inherit addPatches;};
+  patches = _final: prev:
+    {}
+    // import ./nautilus.nix {inherit addPatches prev;}
+    // import ./prismlauncher.nix {inherit addPatches prev;}
+    // import ./sway.nix {inherit addPatches prev;}
+    // import ./tailscale.nix {inherit addPatches prev;};
 }
--- a/overlays/nautilus.nix
+++ b/overlays/nautilus.nix
@ -1,4 +1,8 @@
-{addPatches, ...}: _final: prev: {
+{
+  addPatches,
+  prev,
+  ...
+}: {
  gnome =
    prev.gnome
    // {
--- a/overlays/prismlauncher.nix
+++ b/overlays/prismlauncher.nix
@ -1,4 +1,8 @@
-{addPatches, ...}: _final: prev: {
+{
+  addPatches,
+  prev,
+  ...
+}: {
  prismlauncher = addPatches prev.prismlauncher [
    # Offline mode for Prism Launcher
    # https://github.com/Misterio77/nix-config/blob/main/overlays/offline-mode-prism-launcher.diff
--- a/overlays/sway.nix
+++ b/overlays/sway.nix
@ -1,4 +1,8 @@
-{addPatches, ...}: _final: prev: {
+{
+  addPatches,
+  prev,
+  ...
+}: {
  sway-unwrapped = addPatches prev.sway-unwrapped [
    # text_input: Implement input-method popups
    # https://github.com/swaywm/sway/pull/7226
--- a/overlays/tailscale.nix
+++ b/overlays/tailscale.nix
@ -0,0 +1,14 @@
+{
+  addPatches,
+  prev,
+  ...
+}: {
+  tailscale = addPatches prev.tailscale [
+    # Reverts "cmd/tailscaled/tailscaled.service: revert recent hardening"
+    (prev.fetchpatch {
+      url = "https://github.com/tailscale/tailscale/commit/2889fabaefc50040507ead652d6d2b212f476c2b.patch";
+      hash = "sha256-DPBrv7kjSVXhmptUGGzOkaP4iXi/Bym3lvqy4otL9HE=";
+      revert = true;
+    })
+  ];
+}