Diffstat (limited to '')
-rw-r--r-- | modules/nixfiles/common/documentation.nix | 27 | ||||
-rw-r--r-- | modules/nixfiles/common/nix.nix | 10 | ||||
-rw-r--r-- | modules/nixfiles/common/security.nix | 19 | ||||
-rw-r--r-- | modules/nixfiles/common/users.nix | 2 | ||||
-rw-r--r-- | modules/nixfiles/docker.nix | 10 | ||||
-rw-r--r-- | modules/nixfiles/git.nix | 3 | ||||
-rw-r--r-- | modules/nixfiles/nsd.nix | 8 | ||||
-rw-r--r-- | modules/nixfiles/podman.nix | 9 | ||||
-rw-r--r-- | modules/nixfiles/profiles/headless.nix | 1 | ||||
-rw-r--r-- | modules/nixfiles/searx.nix | 2 |
10 files changed, 51 insertions, 40 deletions
diff --git a/modules/nixfiles/common/documentation.nix b/modules/nixfiles/common/documentation.nix
index 344d59d..7f819a8 100644
--- a/modules/nixfiles/common/documentation.nix
+++ b/modules/nixfiles/common/documentation.nix
@@ -16,23 +16,16 @@ with lib; {
     info.enable = false;
     nixos.enable = true;
-    man = {
-      enable = true;
-      generateCaches = true;
-      man-db = {
-        enable = true;
-        manualPages =
-          (pkgs.buildEnv {
-            name = "man-paths";
-            paths = with config;
-              environment.systemPackages ++ hm.home.packages;
-            pathsToLink = ["/share/man"];
-            extraOutputsToInstall = ["man"];
-            ignoreCollisions = true;
-          })
-          .overrideAttrs (_: _: {__contentAddressed = true;});
-      };
-    };
+    man.man-db.manualPages =
+      (pkgs.buildEnv {
+        name = "man-paths";
+        paths = with config;
+          environment.systemPackages ++ hm.home.packages;
+        pathsToLink = ["/share/man"];
+        extraOutputsToInstall = ["man"];
+        ignoreCollisions = true;
+      })
+      .overrideAttrs (_: _: {__contentAddressed = true;});
   };
 
   environment.sessionVariables = {
diff --git a/modules/nixfiles/common/nix.nix b/modules/nixfiles/common/nix.nix
index cc050f8..586f354 100644
--- a/modules/nixfiles/common/nix.nix
+++ b/modules/nixfiles/common/nix.nix
@@ -3,6 +3,7 @@
   inputs,
   lib,
   pkgs,
+  pkgsRev,
   this,
   ...
 }:
@@ -96,13 +97,8 @@ in {
           helm-secrets
         ];
       };
-      pgcli = super.pgcli.overrideAttrs (_: _: {
-        # https://github.com/NixOS/nixpkgs/pull/184533
-        postPatch = ''
-          substituteInPlace setup.py \
-            --replace "pgspecial>=1.13.1,<2.0.0" "pgspecial>=1.13.1"
-        '';
-      });
+      # https://github.com/NixOS/nixpkgs/pull/185824
+      inherit (pkgsRev "c9c10940da779db387b8d6326c8c0bee598a0a87" "sha256-r08/Z8EYTNyyZW6lYQyq521OpgUH6ewZPpvDAiCkQaA=") iosevka;
     }
     // (with super; let
       np = nodePackages;
diff --git a/modules/nixfiles/common/security.nix b/modules/nixfiles/common/security.nix
index d47edc9..2ac5a22 100644
--- a/modules/nixfiles/common/security.nix
+++ b/modules/nixfiles/common/security.nix
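Review bot: The rewrite to `man.man-db.manualPages = …` silently drops `generateCaches = true;` together with the two `enable = true;` lines, and unlike the `enable` flags the caches setting is not something the new attribute path re-establishes, so whatis/apropos indexing falls back to whatever the NixOS default is (off, as far as I recall) unless another module sets it. If relying on the default is intended, say so in a comment next to the new line; otherwise keep `man.generateCaches = true;` alongside `man.man-db.manualPages`. I cannot see from this hunk whether any other module in the tree sets it.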
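Review bot: The new `inherit (pkgsRev "c9c10940…" "sha256-…") iosevka;` line is pinned by full commit and content hash, which is the right way to do this, but the comment above it only links a nixpkgs PR and does not say what the pin works around or when it may be removed, which is the information the next reader needs. Suggest replacing the bare link with something like `# iosevka: built from an older nixpkgs until NixOS/nixpkgs#185824 reaches the tracked input; drop the pin afterwards` — I am inferring the "temporary workaround" intent from the removed pgcli override above, so adjust if the pin is meant to be permanent. `pkgsRev` itself is defined outside this hunk, so I cannot check that it verifies the hash rather than only using it as a cache key.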
@@ -4,16 +4,21 @@ _: {
     enable = true;
     execWheelOnly = true;
     wheelNeedsPassword = false;
+    # https://mwl.io/archives/1000
     extraConfig = ''
-      Defaults env_keep+="SSH_CONNECTION SSH_CLIENT SSH_TTY"
+      Defaults env_keep += "SSH_CLIENT SSH_CONNECTION SSH_TTY SSH_AUTH_SOCK"
     '';
   };
 
-  polkit.extraConfig = ''
-    polkit.addRule(function (action, subject) {
-      if (subject.isInGroup('wheel'))
-        return polkit.Result.YES;
-    });
-  '';
+  polkit = {
+    enable = true;
+    # https://wiki.archlinux.org/title/Polkit#Bypass_password_prompt
+    extraConfig = ''
+      polkit.addRule(function (action, subject) {
+        if (subject.isInGroup('wheel'))
+          return polkit.Result.YES;
+      });
+    '';
+  };
 };
}
diff --git a/modules/nixfiles/common/users.nix b/modules/nixfiles/common/users.nix
index c761f55..a3626dd 100644
--- a/modules/nixfiles/common/users.nix
+++ b/modules/nixfiles/common/users.nix
@@ -9,7 +9,7 @@ with lib; {
     # This will unset the root password so that it would be impossible to
     # login as it directory. The root user will still be accessable via
     # `sudo`.
-    root.hashedPassword = "[REDACTED]";
+    root.hashedPassword = "@HASHED_PASSWORD@";
 
     ${my.username} = {
       isNormalUser = true;
diff --git a/modules/nixfiles/docker.nix b/modules/nixfiles/docker.nix
index d2e53d6..051b3c7 100644
--- a/modules/nixfiles/docker.nix
+++ b/modules/nixfiles/docker.nix
@@ -1,5 +1,6 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   ...
@@ -11,10 +12,18 @@ in {
     mkEnableOption "Whether to enable Docker.";
 
   config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = !config.nixfiles.modules.podman.enable;
+        message = "Pick only one!";
+      }
+    ];
+
     secrets.containers-auth = {
       file = "${inputs.self}/secrets/containers-auth";
       path = "${config.my.home}/.docker/config.json";
       owner = my.username;
+      inherit (config.my) group;
     };
 
     virtualisation.docker.enable = true;
@@ -25,7 +34,6 @@ in {
 
     hm.programs.bash = {
       shellAliases.d = "${pkgs.docker}/bin/docker";
-
       initExtra = mkAfter ''
         _complete_alias d _docker docker
       '';
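Review bot: The rule added in `polkit.extraConfig` returns `polkit.Result.YES` for every action to any wheel member regardless of session state, and together with the unchanged `wheelNeedsPassword = false` it makes wheel membership equal to unprompted root on every host importing this common module — including headless ones, now that `security.polkit.enable = false` is removed from the headless profile in this same commit. If that is intended, a comment saying so belongs next to the rule; otherwise restrict the bypass to interactive local sessions, `if (subject.isInGroup('wheel') && subject.local && subject.active)`, and keep polkit off on headless hosts with `security.polkit.enable = mkForce false;` there (the headless profile already uses `mkForce` for its other overrides). The new `SSH_AUTH_SOCK` in `env_keep` also hands the caller's agent socket to every sudo-spawned process, including `sudo -u <other>` runs, which `execWheelOnly` does not restrict as far as I can tell; a one-line comment stating that agent forwarding into elevated shells is deliberate would save the next reader the guess.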
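Review bot: The `message = "Pick only one!";` on the new docker `assertions` entry does not name the conflicting options, so whoever trips it has to grep the tree for the text to learn which module to disable; `message = "nixfiles.modules.docker and nixfiles.modules.podman are mutually exclusive; enable only one.";` states it at the point of failure. The mirror assertion added to podman.nix in this commit would take the same wording, with the names swapped. The mutual check itself looks correct — each module asserts the other is off, so either evaluation order catches the conflict.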
diff --git a/modules/nixfiles/git.nix b/modules/nixfiles/git.nix
index 9008c2a..5f78465 100644
--- a/modules/nixfiles/git.nix
+++ b/modules/nixfiles/git.nix
@@ -17,16 +17,19 @@ in {
         file = "${inputs.self}/secrets/glab-cli-config";
         path = "${config.dirs.config}/glab-cli/config.yml";
         owner = my.username;
+        inherit (config.my) group;
       };
       gh-hosts = {
         file = "${inputs.self}/secrets/gh-hosts";
         path = "${config.dirs.config}/gh/hosts.yml";
         owner = my.username;
+        inherit (config.my) group;
       };
       hut = {
         file = "${inputs.self}/secrets/hut";
         path = "${config.dirs.config}/hut/config";
         owner = my.username;
+        inherit (config.my) group;
       };
     };
 
diff --git a/modules/nixfiles/nsd.nix b/modules/nixfiles/nsd.nix
index c8ed44b..7bb3c77 100644
--- a/modules/nixfiles/nsd.nix
+++ b/modules/nixfiles/nsd.nix
@@ -85,7 +85,7 @@ in {
         domain = my.domain.shire;
         extra =
           (mkEmailEntries {
-            dkimKey = "[DKIM]";
+            dkimKey = "@DKIM_KEY@";
           })
           // {
             subdomains = rec {
@@ -115,7 +115,7 @@ in {
         domain = my.domain.azahi;
         extra =
           (mkEmailEntries {
-            dkimKey = "[DKIM]";
+            dkimKey = "@DKIM_KEY@";
           })
           // {
             subdomains = {
@@ -128,7 +128,7 @@ in {
         domain = my.domain.gondor;
         extra =
           (mkEmailEntries {
-            dkimKey = "[DKIM]";
+            dkimKey = "@DKIM_KEY@";
           })
           // {
             subdomains.frodo = ips "manwe";
@@ -138,7 +138,7 @@ in {
         domain = my.domain.rohan;
         extra =
           (mkEmailEntries {
-            dkimKey = "[DKIM]";
+            dkimKey = "@DKIM_KEY@";
           })
           // {
             subdomains.frodo = ips "manwe";
diff --git a/modules/nixfiles/podman.nix b/modules/nixfiles/podman.nix
index 6c8b7e5..ee9d4cb 100644
--- a/modules/nixfiles/podman.nix
+++ b/modules/nixfiles/podman.nix
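Review bot: The three `inherit (config.my) group;` lines change the group owner of files that hold forge API tokens (glab, gh and hut configs), and whether that widens who can read them depends on the mode the `secrets` module applies, which is defined outside this hunk. If that module does not already force an owner-only mode, set it explicitly next to the owner on each entry, `mode = "0400";` (or whatever option name the module uses), or add a comment on the first entry recording that the module's default mode is owner-only so the group change is known to be harmless. The same question applies to the `containers-auth` registry credentials that get the same `group` line in docker.nix and podman.nix.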
@@ -12,10 +12,18 @@ in {
     mkEnableOption "Whether to enable Podman.";
 
   config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = !config.nixfiles.modules.docker.enable;
+        message = "Pick only one!";
+      }
+    ];
+
     secrets.containers-auth = {
       file = "${inputs.self}/secrets/containers-auth";
       path = "${config.dirs.config}/containers/auth.json";
       owner = my.username;
+      inherit (config.my) group;
     };
 
     virtualisation.podman.enable = true;
@@ -26,7 +34,6 @@ in {
 
     hm.programs.bash = {
       shellAliases.p = "${pkgs.podman}/bin/podman";
-
       initExtra = mkAfter ''
         _complete_alias p __start_podman podman
       '';
diff --git a/modules/nixfiles/profiles/headless.nix b/modules/nixfiles/profiles/headless.nix
index 9737344..4d940f8 100644
--- a/modules/nixfiles/profiles/headless.nix
+++ b/modules/nixfiles/profiles/headless.nix
@@ -58,7 +58,6 @@ in {
     defaultLocale = mkForce "C";
     supportedLocales = mkForce ["en_US.UTF-8/UTF-8" "en_GB.UTF-8/UTF-8"];
   };
-  security.polkit.enable = false;
   services.udisks2.enable = false;
   xdg.sounds.enable = false;
 
diff --git a/modules/nixfiles/searx.nix b/modules/nixfiles/searx.nix
index a5bb005..d5d00a2 100644
--- a/modules/nixfiles/searx.nix
+++ b/modules/nixfiles/searx.nix
@@ -59,7 +59,7 @@ in {
       server = {
         bind_address = "127.0.0.1";
         inherit (cfg) port;
-        secret_key = "@SECRET_KEY@";
+        secret_key = "@SEARX_SECRET_KEY@";
         base_url = false;
         image_proxy = false;
         default_http_headers = {
|