A common and reliable pattern in service unit files is thus:
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
DevicePolicy=closed
ProtectSystem=strict
Tim timhae
ageis
/ systemd_service_hardening.md
Last active
April 24, 2025 14:38
Options for hardening systemd service units
I did PCI passthrough on Archlinux and Debian with the old PCI-stub method (this was pre-4.0 era). And later I did PCI passthrough on the 4.1+ kernels on Arch and Ubuntu (16.10 I think?).
This is my attempt at doing the same on Nixos.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Edit this configuration file to define what should be installed on | |
| # your system. Help is available in the configuration.nix(5) man page | |
| # and in the NixOS manual (accessible by running ‘nixos-help’). | |
| { config, pkgs, ... }: | |
| { | |
| imports = | |
| [ # Include the results of the hardware scan. | |
| ./hardware-configuration.nix |
WhittlesJr
/ Readme.md
Last active
April 24, 2024 21:09
— forked from techhazard/Readme.md
NixOS: PCI Passthrough
I did PCI passthrough on Archlinux and Debian with the old PCI-stub method (this was pre-4.0 era). And later I did PCI passthrough on the 4.1+ kernels on Arch and Ubuntu (16.10 I think?).
This is my attempt at doing the same on Nixos.
GAS85
/ split_tunnel_VPN.md
Last active
October 4, 2024 12:58
Force Torrent/user Traffic through VPN Split Tunnel on Ubuntu 16.04
As per https://www.htpcguides.com/force-torrent-traffic-vpn-split-tunnel-debian-8-ubuntu-16-04/, but with few upgrades.
Everything in one script: https://github.com/GAS85/pia/blob/master/split_tunnel_VPN.sh
- Ubuntu 16.04
- Ubuntu 18.04
- Ubuntu 20.04 - DNS issue, different mechanism, read comments.
- Ubuntu 22.04 - DNS issue, different mechanism, read comments.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ;; ~/.spacemacs.d/init.el | |
| ;; ... | |
| ;; IMPORTANT: Make sure python-pipenv-activate is nil, or modify the below code. | |
| (defun dotspacemacs/user-config () | |
| ;; ... | |
| ;; fix nested pipenv module problem | |
| (advice-add 'pipenv--command :around #'mikemacs/my-setup-pipenv-default-directory) | |
| ;; ... | |
| ) |
Recently I noticed the number of the same two questions being asked again and again on different Haskell resources. The questions were “How to get a Haskell job” and “Why is it so hard to find Haskellers?” Although these two are coming from the opposite sides of the hiring process, the answer is really just one. There is a single reason, a single core problem that causes difficulties of hiring and being hired in the Haskell community, and we should clearly articulate this problem if we want to increase the Haskell adoption.
We all know that there are many people wishing to get a Haskell job. And a visible increase of Haskell jobs looks like there should be a high demand for Haskellers. The Haskell community has also grown like crazy past years. But still, why is it so difficult to hire and to be hired? Why can’t companies just hire any single person who demonstrates a deep knowledge of Haskell in blog posts, in chats, on forums, and in talks? And why do Haskell companies avoid hirin
inscapist
/ flake-direnv.md
Last active
August 9, 2024 17:24
Nix Flakes and Direnv on Mac OSX (Catalina)
This document is targeted at those who seek to build reproducible dev environment across machines, OS, and time.
It maybe easier for remote teams to work together and not spending hours each person setting up asdf/pyenv/rbenv, LSP servers, linters, runtime/libs. Nix is probably the closest thing to Docker in terms of development environment.
Flake is used here because it provides hermetic build, with absolutely no reliance on system environment (be it Arch/Catalina/Mojave). Also it freezes dependencies in flake.lock so builds are reproducible.
This gist provides the setup to develop Java/Clojure/Python applications on Nix. But it can be easily adapted to ruby, nodejs, haskell.
cyber-murmel
/ satisfactory.nix
Last active
December 1, 2024 20:52
Dedicated Satisfactory 5 Server on NixOS
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| {config, pkgs, lib, ...}: { | |
| users.users.satisfactory = { | |
| home = "/var/lib/satisfactory"; | |
| createHome = true; | |
| }; | |
| nixpkgs.config.allowUnfree = true; | |
| systemd.services.satisfactory = { | |
| wantedBy = [ "multi-user.target" ]; |
OlderNewer