titaniumtown/dotfiles
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: titaniumtown:7f375e857488e040c8dda1764d82e47e998fd73f
Branches Tags
titaniumtown:main
titaniumtown:final-before-unify
...
compare: titaniumtown:final-before-unify
Branches Tags
titaniumtown:main
titaniumtown:final-before-unify

2 Commits
7f375e8574 ... final-befo

Author SHA1 Message Date
Simon Gardling
e9a44f677d update
All checks were successful
Build / build (push) Successful in 7m2s
 2026-04-17 23:26:43 -04:00
Simon Gardling
0c881602e9 yarn: fix steamos update flow 2026-04-17 23:26:15 -04:00
2 changed files with 79 additions and 23 deletions
Expand all files Collapse all files

24
flake.lock generated
View File

@@ -154,11 +154,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1776417523, "lastModified": 1776478519,
"narHash": "sha256-ZkPxUTluK1R3us7wPk2cgg1orqEF6XijBPSupJQboEM=", "narHash": "sha256-4TWCOVYe0iWEKuW7OH93nRI4Z7u68wNT6k9UJn0FZ5w=",
"owner": "nix-community", "owner": "nix-community",
"repo": "emacs-overlay", "repo": "emacs-overlay",
"rev": "f1d0032f0b9a95efab99f1be99c6054e18ed5039", "rev": "513e332b074507e1b46992952e7d83f329f2c22c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -307,11 +307,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1776373306, "lastModified": 1776454077,
"narHash": "sha256-iAJIzHngGZeLIkjzuuWI6VBsYJ1n89a/Esq0m8R1vjs=", "narHash": "sha256-7zSUFWsU0+jlD7WB3YAxQ84Z/iJurA5hKPm8EfEyGJk=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "d401492e2acd4fea42f7705a3c266cea739c9c36", "rev": "565e5349208fe7d0831ef959103c9bafbeac0681",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -437,11 +437,11 @@
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
"lastModified": 1776437995, "lastModified": 1776482297,
"narHash": "sha256-wcV5CIe5s2IsSCGJdPqy/Q+gcBSR76JMaIQDNpLXZAk=", "narHash": "sha256-KmsWPwtbO8vrlH/R9stIun0LKZ4PFSCCEdqWDeLgbTE=",
"owner": "numtide", "owner": "numtide",
"repo": "llm-agents.nix", "repo": "llm-agents.nix",
"rev": "c4a2f76e29485eaafc90eebec5ef12b50f4dc8a1", "rev": "66c76393570f8fc4730caa2dc2d2c470fe33a3c9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -740,11 +740,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1776395632, "lastModified": 1776481912,
"narHash": "sha256-Mi1uF5f2FsdBIvy+v7MtsqxD3Xjhd0ARJdwoqqqPtJo=", "narHash": "sha256-Xq7p+Ex3YHFAd+fFFLOYw2Wv67582X7SAmrEDtIDZQ4=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "8087ff1f47fff983a1fba70fa88b759f2fd8ae97", "rev": "e611106c527e8ab0adbb641183cda284411d575c",
"type": "github" "type": "github"
}, },
"original": { "original": {

78
system/system-yarn.nix
View File

@@ -75,12 +75,54 @@
# LACT (Linux AMDGPU Configuration Tool): https://github.com/ilya-zlobintsev/LACT # LACT (Linux AMDGPU Configuration Tool): https://github.com/ilya-zlobintsev/LACT
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
lact lact
jovian-stubs
]; ];
systemd.packages = with pkgs; [ lact ]; systemd.packages = with pkgs; [ lact ];
systemd.services.lactd.wantedBy = [ "multi-user.target" ]; systemd.services.lactd.wantedBy = [ "multi-user.target" ];
systemd.services.lactd.serviceConfig.ExecStartPre = "${lib.getExe pkgs.bash} -c \"sleep 3s\""; systemd.services.lactd.serviceConfig.ExecStartPre = "${lib.getExe pkgs.bash} -c \"sleep 3s\"";
# root-level service that applies a pending update. Triggered by
# steamos-update (via systemctl start) when the user accepts an update.
# Runs as root so it can write the system profile and boot entry.
systemd.services.pull-update-apply = {
description = "Apply pending NixOS update pulled from binary cache";
serviceConfig = {
Type = "oneshot";
ExecStart = pkgs.writeShellScript "pull-update-apply" ''
set -uo pipefail
export PATH=${
pkgs.lib.makeBinPath [
pkgs.curl
pkgs.coreutils
pkgs.nix
]
}
STORE_PATH=$(curl -sf --max-time 30 "https://nix-cache.sigkill.computer/deploy/yarn" || true)
if [ -z "$STORE_PATH" ]; then
echo "server unreachable"
exit 1
fi
echo "applying $STORE_PATH"
nix-store -r "$STORE_PATH" || { echo "fetch failed"; exit 1; }
nix-env -p /nix/var/nix/profiles/system --set "$STORE_PATH" || { echo "profile set failed"; exit 1; }
"$STORE_PATH/bin/switch-to-configuration" boot || { echo "boot entry failed"; exit 1; }
echo "update applied; reboot required"
'';
};
};
# Allow primary user to start pull-update-apply.service without a password
security.polkit.extraConfig = ''
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units" &&
action.lookup("unit") == "pull-update-apply.service" &&
subject.user == "${username}") {
return polkit.Result.YES;
}
});
'';
nixpkgs.config.allowUnfreePredicate = nixpkgs.config.allowUnfreePredicate =
pkg: pkg:
builtins.elem (lib.getName pkg) [ builtins.elem (lib.getName pkg) [
@@ -106,7 +148,7 @@
final.lib.makeBinPath [ final.lib.makeBinPath [
final.curl final.curl
final.coreutils final.coreutils
final.nix final.systemd
] ]
} }
@@ -129,14 +171,15 @@
exit 0 exit 0
fi fi
>&2 echo "[steamos-update] downloading update..." # apply: trigger the root-running systemd service to install the update
nix-store -r "$STORE_PATH" || { >&2 echo "[steamos-update] fetch failed"; exit 1; } >&2 echo "[steamos-update] applying update..."
if systemctl start --wait pull-update-apply.service; then
>&2 echo "[steamos-update] installing update..." >&2 echo "[steamos-update] update installed, reboot to apply"
nix-env -p /nix/var/nix/profiles/system --set "$STORE_PATH" || { >&2 echo "[steamos-update] profile set failed"; exit 1; } exit 0
"$STORE_PATH/bin/switch-to-configuration" boot || { >&2 echo "[steamos-update] boot entry failed"; exit 1; } else
>&2 echo "[steamos-update] apply failed; see 'journalctl -u pull-update-apply'"
>&2 echo "[steamos-update] update installed, reboot to apply" exit 1
fi
''; '';
in in
{ {
@@ -154,6 +197,12 @@
exit 0 exit 0
STUB STUB
# jupiter-biosupdate: no-op (not a real steam deck)
cat > $out/bin/jupiter-biosupdate << 'STUB'
#!/bin/sh
exit 0
STUB
# steamos-reboot: reboot the system # steamos-reboot: reboot the system
cat > $out/bin/steamos-reboot << 'STUB' cat > $out/bin/steamos-reboot << 'STUB'
#!/bin/sh #!/bin/sh
@@ -188,10 +237,17 @@
exec /run/wrappers/bin/pkexec "$@" exec /run/wrappers/bin/pkexec "$@"
STUB STUB
# sudo: pass through to doas # sudo: strip flags and run the command directly (no escalation).
# privileged ops are delegated to root systemd services via systemctl.
cat > $out/bin/sudo << 'STUB' cat > $out/bin/sudo << 'STUB'
#!/bin/sh #!/bin/sh
exec /run/wrappers/bin/doas "$@" while [ $# -gt 0 ]; do
case "$1" in
-*) shift ;;
*) break ;;
esac
done
exec "$@"
STUB STUB
find $out/bin -type f -exec chmod 755 {} + find $out/bin -type f -exec chmod 755 {} +