Well in Noctalia 5 this is no longer the case, everything is now more cleanly defined in a TOML-File

So how to switch? Well the old flake path, now points anyway to v5, if you haven’t specified a commit / branch, so one a flake update, you’d anyway be switched to 5.

But here the flake input anyway

noctalia = {
  url = "github:noctalia-dev/noctalia";
  inputs.nixpkgs.follows = "nixpkgs";
};

Config Format Change

Also the import Home Manager Import changed to: inputs.noctalia.homeModules.default from the previous noctalia-shell thing. Previously I had a noctalia.json in my config, loaded via noctalia-shell.settings = builtins.fromJSON ./noctalia.json;.

Now it looks like this:

{ inputs, ... }:

{
  imports = [ inputs.noctalia.homeModules.default ];

  programs.noctalia = {
    enable = true;
    settings = builtins.fromTOML (builtins.readFile ./config.toml);
  };
}

Loading a config.toml instead, also a few settings changed, so I kinda had to make my whole config from scratch. Luckily its pretty good documentated in the noctalia docs. The new config also allows having multiple bars instead of a single one and many more cool things, and also comes with extreme performance improvements by completely ditching qt & quickshell, and rewriting everything in C++ (Why not Rust? TT).

[theme]
mode              = "dark"
source            = "wallpaper"
wallpaper_scheme  = "m3-content"

[wallpaper]
enabled               = true
transition_on_startup = true
directory             = "~/Pictures/Wallpapers"

[nightlight]
enabled              = true
temperature_day      = 6500
temperature_night    = 3500

[location]
auto_locate = false
sunset      = "20:30"
sunrise     = "06:30"
...

pretty clean in my opinion.

Command Changes

The IPC commands also changed, so your window manager (e.g. niri) shortcuts will probably stop working. The new commands look like this: noctalia msg panel-toggle launcher

// Launcher
Mod+Space { spawn "noctalia" "msg" "panel-toggle" "launcher"; }

// Locker
CTRL+Alt+L { spawn "noctalia" "msg" "session" "lock"; }

If you need more keybindings with the new format, e.g. for volume etc. you might check out my current niri keybindings as reference. Note: these are based on ryan4yin’s nix config, which at the time of my writing still use noctalia v4 syntax.

And recently I came across a nice Blog about hardening NixOS from Xe Iaso’s blog. And well one thing especially seemed cool, so I wanted to share it.

NoExec for the Root FS

At the bottom of the blog is a part about having noexec for the root fs (which is a tmpfs anyway). Since all programs in NixOS life anyway in /nix/store and /nix is its own partition in the typical Impermancence Setup (I won’t talk about how to this now, as there are already many good blogs discussing this, and showing how it’s done; if you want to see my own setup, check my Codeberg out). So only the /nix parititon needs to be mounted without noexec, the rest can be noexec.

Additionally you can even add nodev and nosuid to the root fs, since devices should life under /dev, which is its own partition anyway (a temporary device fs). And suid (switch user id) requires the partition to allow executables anyway.

disko.devices.nodev = {
  "/" = {
    fsType = "tmpfs";
    mountOptions = [
      "size=50%"
      "mode=755"

      "noexec"
      "nodev"
      "nosuid"
    ];
  };
};

I use this setup for a while now and so far I haven’t run into any issues with it. So I can only recommend it to anyone, since its certainly not wrong, to minimise the attack surface (even though this is obviously not a here you go, don’t worry anymore about anything else). It just stops things like running a C Binary that is placed into e.g. /tmp via /tmp/malicious_binary but not sth like bash /tmp/malicious_script.sh

Boot Partition

These options can also be added to the /boot Parititon without issues.

content.partitions.esp = {
  name = "ESP";
  size = "1G";
  type = "EF00";

  content = {
    type = "filesystem";
    format = "vfat";
    mountpoint = "/boot";
    mountOptions = [
      "fmask=0177"
      "dmask=0077"
      "noexec"
      "nosuid"
      "nodev"
    ];
  };
};

Persistent Partition

Well if you don’t have any binaries you want to persist, you can also add these options there too, if you have some like through steam games, flatpaks etc. you can at least add the nodev and nosuid most of the times. Also if you’re writing code yourself that is compiled, you probably don’t want noexec for these files.

My config looks sth like: (Note: these are already btrfs subvolumes, since I encrypt my whole btrfs fs via luks, so using subvolumes is kinda convenient -> only one decrypt)

subvolumes = {
  "/persistent" = {
    mountOptions = [
      "subvol=persistent"
      "noatime"

      "nosuid"
      "nodev"
    ];
    mountpoint = "/persistent";
  };
  "/nix" = {
    mountOptions = [
      "subvol=nix"
      "noatime"
    ];
    mountpoint = "/nix";
  };
};

And honestly I also just wanna share a bit of what I’m doing with the world, maybe it’s even helpful to someone out there.

Well so here I am, I don’t know if this will have any future or I stop this already tomorrow, but as of now, I’m kinda motiviated. Ig this might even help me review things better as I’m going through them again sharing them.

As for this Blog, for now I’m settling with Hugo, it stroke me as one of the best solutions for managing such a blog, as for the theming, I’m not yet sure about. And the Server, unfortunately I wasn’t able to install NixOS and NixOS-Infect dind’t work, so I just choose Fedora which I’m also a bit familiar (used if for around a year or so as my daily driver).

The topics will probably mostly revolve around NixOS, Privacy-Focused and/or FOSS Projects, Security & potentially CTFs (I wanted to start for a real long time, but haven’t yet xD). And a lot about just the issues I encounter in my setup now and then and how I resolved them, nice tweaks I found etc.