From 6aa649eb01b97a384a057cfcba0ab7af06abb706 Mon Sep 17 00:00:00 2001 From: Tristan Date: Thu, 27 Apr 2023 16:33:37 +0100 Subject: [PATCH] rootfull docker, mkcert ca, bw scripts --- system/global/home.nix | 9 ++++++- system/global/system.nix | 1 - system/work/home.nix | 2 +- system/work/system.nix | 55 ++++++++++++++++++++++++++++++++++++---- 4 files changed, 59 insertions(+), 8 deletions(-) diff --git a/system/global/home.nix b/system/global/home.nix index e749bbf..1cf6ea4 100644 --- a/system/global/home.nix +++ b/system/global/home.nix @@ -28,6 +28,11 @@ let fi ''); + bwotpmenu = (pkgs.writeShellScriptBin "bwotpmenu" '' + items="$(rbw list)" + echo "$items" | ${ my-deps.menu } | xargs -I_ rbw code _ | wl-copy + ''); + bwmenu = (pkgs.writeShellScriptBin "bwmenu" '' items="$(rbw list)" echo "$items" | ${ my-deps.menu } | xargs -I_ rbw get _ | wl-copy @@ -73,6 +78,7 @@ in home.packages = (with pkgs; [ libnotify + dig wl-clipboard wofi du-dust @@ -176,7 +182,8 @@ in bind = SUPER_SHIFT, V, togglegroup, bind = SUPER_SHIFT, space, changegroupactive,n - bind = SUPER_SHIFT, P, exec,${ my-scripts.bwmenu }/bin/bwmenu + bind = SUPER, P, exec,${ my-scripts.bwmenu }/bin/bwmenu + bind = SUPER_SHIFT, P, exec,${ my-scripts.bwotpmenu }/bin/bwotpmenu bind = SUPER_SHIFT, S, exec,${ my-scripts.screenshot }/bin/screenshot bind =,XF86AudioRaiseVolume, exec,${ my-deps.amixer } sset Master 5%+ && ${ my-deps.amixer } sset Master unmute diff --git a/system/global/system.nix b/system/global/system.nix index e453227..7d01900 100644 --- a/system/global/system.nix +++ b/system/global/system.nix @@ -93,7 +93,6 @@ trash-cli wget unzip - networkmanager-openvpn (neovim.override { vimAlias = true; configure = { diff --git a/system/work/home.nix b/system/work/home.nix index 258c2f0..b70b37d 100644 --- a/system/work/home.nix +++ b/system/work/home.nix 
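Review bot: The new `bwotpmenu` script leaves the TOTP code in the Wayland clipboard until something else overwrites it, so any client or clipboard-history tool can read it; the same applies to the passwords copied by the existing `bwmenu` shown as context below it. Ending the pipeline with `wl-copy --paste-once --trim-newline` would serve a single paste and then drop the selection, which bounds the exposure. The chosen entry name is also passed to `rbw` as a bare argument, so a name starting with `-` would be parsed as an option and a name containing a quote would make `xargs` fail; `xargs -d '\n' -I_ rbw code -- _` handles both. When the menu is dismissed without a selection, `wl-copy` presumably still runs on empty input and replaces whatever was on the clipboard, so an early exit on an empty choice is worth adding.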
@@ -25,7 +25,7 @@ in
 (pkgs.makeDesktopItem {
 name = "teams";
 desktopName = "Microsoft Teams";
- exec = "${brave-nightly}/opt/brave.com/brave-nightly/brave-browser-nightly --app-id=cifhbcnohmdccbgoicgdjpfamggdegmo --ozone-platform-hint=auto --enable-features=WaylandWindowDecorations";
+ exec = "${brave-nightly}/opt/brave.com/brave-nightly/brave-browser-nightly --app-id=cifhbcnohmdccbgoicgdjpfamggdegmo --ozone-platform-hint=auto --enable-features=WaylandWindowDecorations,WebRTCPipeWireCapturer";
 icon = "brave-cifhbcnohmdccbgoicgdjpfamggdegmo-Default";
 })
 (pkgs.makeDesktopItem {
diff --git a/system/work/system.nix b/system/work/system.nix
index 69d4e79..48310bf 100644
--- a/system/work/system.nix
+++ b/system/work/system.nix
@@ -22,17 +22,62 @@ ]; - networking.firewall.allowedTCPPorts = [ ]; + networking = { + networkmanager = { + plugins = [ pkgs.networkmanager-openvpn ]; + }; + }; + + boot.kernel.sysctl = { + "net.ipv4.ip_unprivileged_port_start" = 53; + }; system.stateVersion = "22.11"; # do not change + + security.pki.certificates = [ + # mkcert root CA + '' + -----BEGIN CERTIFICATE----- + MIIEtTCCAx2gAwIBAgIQJFzbDr6Qu0RdwlB9iBsKjjANBgkqhkiG9w0BAQsFADBz + MR4wHAYDVQQKExVta2NlcnQgZGV2ZWxvcG1lbnQgQ0ExJDAiBgNVBAsMG3RyaXN0 + YW5ARkNTLVRyaXN0YW4tTml4Ym9vazErMCkGA1UEAwwibWtjZXJ0IHRyaXN0YW5A + RkNTLVRyaXN0YW4tTml4Ym9vazAeFw0yMzA0MjcwOTA5MDBaFw0zMzA0MjcwOTA5 + MDBaMHMxHjAcBgNVBAoTFW1rY2VydCBkZXZlbG9wbWVudCBDQTEkMCIGA1UECwwb + dHJpc3RhbkBGQ1MtVHJpc3Rhbi1OaXhib29rMSswKQYDVQQDDCJta2NlcnQgdHJp + c3RhbkBGQ1MtVHJpc3Rhbi1OaXhib29rMIIBojANBgkqhkiG9w0BAQEFAAOCAY8A + MIIBigKCAYEA0rfztOVR6WnW/y/eSjVYPg9Hukegmj4JiPyYWWGwDU2WDFnZNL3h + g66YIngid/1tK/xau793oL5tSlxASCi/8v+UCu946p71iVnEM6GiI5bmLA2yV6DB + gbb6OQ5WCLfoOwOHW5jchlXpFstMsTGAyck3D8n0ndebQQc6YbOQG4RFyTftwI3g + 2oy8Vl8NKyRL2V3NIPx16OkmLDhzo0bKHQAvPc+QUYfKRRn7UlUyfTy/ILwa0ezt + 5KcggU/OMT68eFSp3LItUhRu1zSygCDk2zhJq8ieb5BypvSBWj/mSZtucpoasl72 + txiRCN7yrGw21Z34KdqVF+mI0bWVEZESu1/93HzsEcy9SUX/tF11t/Zb5WAF3kFH + dk0UMRTayhKZuxCRmGIqjLrItUli2tDy+QTzNU0XZAaUokqk3to5GoXSij9H0MdJ + VRA8Y2Mdp+l16MMgLMG5gR9KVnCyM1bkqFJpR+xt8xyeAljI9hFVTyI4i36nUWoi + ITdpBUkaOSoVAgMBAAGjRTBDMA4GA1UdDwEB/wQEAwICBDASBgNVHRMBAf8ECDAG + AQH/AgEAMB0GA1UdDgQWBBQnpJfEOuRFXN0YJwf3R2EiWtApHDANBgkqhkiG9w0B + AQsFAAOCAYEAQx3kukopMjvybhbKsx/aU7CynjRCIbbONE10dX9fw7AtjQRB8Vcm + hlsW13MmM6DxroY6taWD8KLZxRNJeHoWdjN689sAbIlnaLrry7XDx5wtsBGfZh3j + vtFzSqHumxa1LjEQPUetTFp6YNgqDDyB53pU/Xfahwda8PCEOEqAsEveYyPqu0I1 + MxNdPa/exE2HJxXZarWQ4pcqReykIVale+WbdOmSaT9cnA+E82hshhq3X6Aeti5s + DmIzY//L1LuNs0bXD4ECyMHA8Pgu3JyhnCIu8cxAKyOnM63P9iKZq5c9NASbvGgT + DNlxgyFqDQEI5k8Q2INM/6ZlJKcKRlIh1Nxd2PXl68IA0dWftBGydCGPPPcSdGCy + vA3XfPrgbuqdJjuPjQggMyajJsg2Y7b9YBL7XIBcwKqnSCxoDORGRQEy47sTaT8a + 
/BqBUuDPQbCF8MZcbsfwQP4pj8E/YyiSQCSZwQVpwVbZNBSOvcq28h0TEzDnAoHG + ey1rgb0TA5zi + -----END CERTIFICATE----- + '' + ]; + + # dangerous + users.users.tristan.extraGroups = [ "docker" ]; virtualisation.docker = { enable = true; storageDriver = "btrfs"; - rootless = { - enable = true; - setSocketVariable = true; - }; + # rootless = { + # enable = true; + # setSocketVariable = true; + # }; }; }
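Review bot: Putting `tristan` in the `docker` group while commenting out `rootless` makes that account root-equivalent, because anyone who can reach the rootful daemon socket can start a privileged container or bind-mount the host filesystem. The `# dangerous` comment should say this and why rootless was dropped, e.g. `# docker group == passwordless root via the daemon socket; rootless disabled because <reason>`. The `"net.ipv4.ip_unprivileged_port_start" = 53` sysctl earlier in the hunk looks like a leftover from the rootless setup (a rootful daemon should not need it) and lets any local process bind 53/80/443, so I would remove it or add a comment explaining why it stays. The mkcert root added to `security.pki.certificates` is trusted system-wide while its private key sits unencrypted in the user's mkcert CAROOT, so with the lowered port floor any process running as that user could present locally trusted TLS for arbitrary names. Consider trusting the CA only in the browser profile that needs it, or at least note next to the certificate where the key lives and that it must not leave this machine.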