From 59e634a07194180e47168cde14563af38d464657 Mon Sep 17 00:00:00 2001
From: Guanran Wang
Date: Wed, 1 May 2024 08:18:54 +0800
Subject: [PATCH] nixos/overlays: add tailscale hardening
---
 nixos/profiles/common/core/default.nix | 4 +---
 overlays/default.nix | 9 ++++++---
 overlays/nautilus.nix | 6 +++++-
 overlays/prismlauncher.nix | 6 +++++-
 overlays/sway.nix | 6 +++++-
 overlays/tailscale.nix | 14 ++++++++++++++
 6 files changed, 36 insertions(+), 9 deletions(-)
 create mode 100644 overlays/tailscale.nix
diff --git a/nixos/profiles/common/core/default.nix b/nixos/profiles/common/core/default.nix
index 7ee302e..d0bedce 100644
--- a/nixos/profiles/common/core/default.nix
+++ b/nixos/profiles/common/core/default.nix
@@ -23,9 +23,7 @@
 ];
 nixpkgs.overlays = [
- inputs.self.overlays.nautilus
- inputs.self.overlays.prismlauncher
- inputs.self.overlays.sway
+ inputs.self.overlays.patches
 ];
 ### home-manager
diff --git a/overlays/default.nix b/overlays/default.nix
index 6d39ff6..aeaee72 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -4,7 +4,10 @@ let
 patches = (old.patches or []) ++ patches;
 });
 in {
- nautilus = import ./nautilus.nix {inherit addPatches;};
- prismlauncher = import ./prismlauncher.nix {inherit addPatches;};
- sway = import ./sway.nix {inherit addPatches;};
+ patches = _final: prev:
+ {}
+ // import ./nautilus.nix {inherit addPatches prev;}
+ // import ./prismlauncher.nix {inherit addPatches prev;}
+ // import ./sway.nix {inherit addPatches prev;}
+ // import ./tailscale.nix {inherit addPatches prev;};
 }
diff --git a/overlays/nautilus.nix b/overlays/nautilus.nix
index 738f4de..b415319 100644
--- a/overlays/nautilus.nix
+++ b/overlays/nautilus.nix
@@ -1,4 +1,8 @@
-{addPatches, ...}: _final: prev: {
+{
+ addPatches,
+ prev,
+ ...
+}: {
 gnome = prev.gnome // {
diff --git a/overlays/prismlauncher.nix b/overlays/prismlauncher.nix
index 604590e..b711b45 100644
--- a/overlays/prismlauncher.nix
+++ b/overlays/prismlauncher.nix
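Review bot: The `//` chain in the new `patches` overlay lets a later file silently override an attribute already defined by an earlier one, because `import ./sway.nix …` and `import ./tailscale.nix …` are merged with plain attribute-set update (the leading `{}` is a no-op), so a name collision would quietly drop one file's patch set rather than fail. If the nixpkgs in use provides it, merging with `prev.lib.attrsets.unionOfDisjoint` turns that into a build-time error, e.g. `patches = _final: prev: builtins.foldl' prev.lib.attrsets.unionOfDisjoint {} (map (f: import f {inherit addPatches prev;}) [./nautilus.nix ./prismlauncher.nix ./sway.nix ./tailscale.nix]);`. A one-line comment would also help, since the files under overlays/ are no longer overlays themselves after this change: `# Each file returns an attrset of patched packages built from prev; they are merged here into a single overlay.` The `let` block that defines `addPatches` starts before this hunk.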
@@ -1,4 +1,8 @@
-{addPatches, ...}: _final: prev: {
+{
+ addPatches,
+ prev,
+ ...
+}: {
 prismlauncher = addPatches prev.prismlauncher [
 # Offline mode for Prism Launcher
 # https://github.com/Misterio77/nix-config/blob/main/overlays/offline-mode-prism-launcher.diff
diff --git a/overlays/sway.nix b/overlays/sway.nix
index 8c3ee77..873c85e 100644
--- a/overlays/sway.nix
+++ b/overlays/sway.nix
@@ -1,4 +1,8 @@
-{addPatches, ...}: _final: prev: {
+{
+ addPatches,
+ prev,
+ ...
+}: {
 sway-unwrapped = addPatches prev.sway-unwrapped [
 # text_input: Implement input-method popups
 # https://github.com/swaywm/sway/pull/7226
diff --git a/overlays/tailscale.nix b/overlays/tailscale.nix
new file mode 100644
index 0000000..c6b84f9
--- /dev/null
+++ b/overlays/tailscale.nix
@@ -0,0 +1,14 @@
+{
+ addPatches,
+ prev,
+ ...
+}: {
+ tailscale = addPatches prev.tailscale [
+ # Reverts "cmd/tailscaled/tailscaled.service: revert recent hardening"
+ (prev.fetchpatch {
+ url = "https://github.com/tailscale/tailscale/commit/2889fabaefc50040507ead652d6d2b212f476c2b.patch";
+ hash = "sha256-DPBrv7kjSVXhmptUGGzOkaP4iXi/Bym3lvqy4otL9HE=";
+ revert = true;
+ })
+ ];
+}
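Review bot: The one-line comment on the `fetchpatch` in the new tailscale.nix does not record why upstream backed this hardening out or what was re-tested here, which matters because the reverted commit is titled "revert recent hardening" — upstream removed the systemd sandboxing on purpose, presumably because some directives broke tailscaled's writes to DNS configuration, sysctl/netfilter state or Taildrop, so those paths should be confirmed on a host using MagicDNS and exit nodes before this lands in the common core profile. I would expand the comment to something like `# Re-applies the tailscaled.service sandboxing upstream backed out in 2889fab; restored directives were re-tested with MagicDNS, exit-node routing and Taildrop on NixOS — re-check on each tailscale bump.` Note that the patch only has an effect if the NixOS tailscale module takes its unit from the `cmd/tailscaled/tailscaled.service` file the package installs (via `systemd.packages`), which I believe it does but is worth confirming; setting the same directives in `systemd.services.tailscaled.serviceConfig` from the module would not depend on that and would keep working when the upstream unit file drifts, whereas this patch will stop applying at the next nixpkgs bump that touches it. Pinning the revert by commit URL with a fixed `hash` and `revert = true` is fine from a supply-chain standpoint.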