Diffstat (limited to '')
-rw-r--r--modules/nixfiles/common/documentation.nix27
-rw-r--r--modules/nixfiles/common/nix.nix10
-rw-r--r--modules/nixfiles/common/security.nix19
-rw-r--r--modules/nixfiles/common/users.nix2
-rw-r--r--modules/nixfiles/docker.nix10
-rw-r--r--modules/nixfiles/git.nix3
-rw-r--r--modules/nixfiles/nsd.nix8
-rw-r--r--modules/nixfiles/podman.nix9
-rw-r--r--modules/nixfiles/profiles/headless.nix1
-rw-r--r--modules/nixfiles/searx.nix2
10 files changed, 51 insertions, 40 deletions
diff --git a/modules/nixfiles/common/documentation.nix b/modules/nixfiles/common/documentation.nix
index 344d59d..7f819a8 100644
--- a/modules/nixfiles/common/documentation.nix
+++ b/modules/nixfiles/common/documentation.nix
@@ -16,23 +16,16 @@ with lib; {
         info.enable = false;
         nixos.enable = true;
 
-        man = {
-          enable = true;
-          generateCaches = true;
-          man-db = {
-            enable = true;
-            manualPages =
-              (pkgs.buildEnv {
-                name = "man-paths";
-                paths = with config;
-                  environment.systemPackages ++ hm.home.packages;
-                pathsToLink = ["/share/man"];
-                extraOutputsToInstall = ["man"];
-                ignoreCollisions = true;
-              })
-              .overrideAttrs (_: _: {__contentAddressed = true;});
-          };
-        };
+        man.man-db.manualPages =
+          (pkgs.buildEnv {
+            name = "man-paths";
+            paths = with config;
+              environment.systemPackages ++ hm.home.packages;
+            pathsToLink = ["/share/man"];
+            extraOutputsToInstall = ["man"];
+            ignoreCollisions = true;
+          })
+          .overrideAttrs (_: _: {__contentAddressed = true;});
       };
 
       environment.sessionVariables = {
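Review bot: Dropping `generateCaches = true` along with the `enable = true` lines is not purely a simplification: `documentation.man.enable` and `documentation.man.man-db.enable` default to true in NixOS, but `documentation.man.generateCaches` defaults to false, so the `apropos`/`whatis` index will presumably stop being built unless another module sets it. If that is intended, a one-line comment next to the new `man.man-db.manualPages` assignment would save the next reader a lookup, e.g. `# generateCaches deliberately left at its default (false).`; otherwise keep `man.generateCaches = true;` beside it. The enclosing `documentation` attribute set begins before this hunk.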
diff --git a/modules/nixfiles/common/nix.nix b/modules/nixfiles/common/nix.nix
index cc050f8..586f354 100644
--- a/modules/nixfiles/common/nix.nix
+++ b/modules/nixfiles/common/nix.nix
@@ -3,6 +3,7 @@
   inputs,
   lib,
   pkgs,
+  pkgsRev,
   this,
   ...
 }:
@@ -96,13 +97,8 @@ in {
               helm-secrets
             ];
           };
-          pgcli = super.pgcli.overrideAttrs (_: _: {
-            # https://github.com/NixOS/nixpkgs/pull/184533
-            postPatch = ''
-              substituteInPlace setup.py \
-                --replace "pgspecial>=1.13.1,<2.0.0" "pgspecial>=1.13.1"
-            '';
-          });
+          # https://github.com/NixOS/nixpkgs/pull/185824
+          inherit (pkgsRev "c9c10940da779db387b8d6326c8c0bee598a0a87" "sha256-r08/Z8EYTNyyZW6lYQyq521OpgUH6ewZPpvDAiCkQaA=") iosevka;
         }
         // (with super; let
           np = nodePackages;
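Review bot: The new `iosevka` override pins a second nixpkgs checkout to a fixed commit and sha256, which is good for reproducibility but also freezes that package at one revision, and nothing in the hunk records when the pin should be retired. A marker next to the link makes that explicit, e.g. `# TODO: drop this pin once nixpkgs#185824 is in the followed channel`. Assuming `pkgsRev` fetches nixpkgs at the given rev and verifies it against the given hash (its definition is not in this hunk), the fixed hash is what ties the build to an exact input, so prefer keeping it over a branch name. The enclosing overlay begins before this hunk.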
diff --git a/modules/nixfiles/common/security.nix b/modules/nixfiles/common/security.nix
index d47edc9..2ac5a22 100644
--- a/modules/nixfiles/common/security.nix
+++ b/modules/nixfiles/common/security.nix
@@ -4,16 +4,21 @@ _: {
       enable = true;
       execWheelOnly = true;
       wheelNeedsPassword = false;
+      # https://mwl.io/archives/1000
       extraConfig = ''
-        Defaults env_keep+="SSH_CONNECTION SSH_CLIENT SSH_TTY"
+        Defaults env_keep += "SSH_CLIENT SSH_CONNECTION SSH_TTY SSH_AUTH_SOCK"
       '';
     };
 
-    polkit.extraConfig = ''
-      polkit.addRule(function (action, subject) {
-        if (subject.isInGroup('wheel'))
-          return polkit.Result.YES;
-      });
-    '';
+    polkit = {
+      enable = true;
+      # https://wiki.archlinux.org/title/Polkit#Bypass_password_prompt
+      extraConfig = ''
+        polkit.addRule(function (action, subject) {
+          if (subject.isInGroup('wheel'))
+            return polkit.Result.YES;
+        });
+      '';
+    };
   };
 }
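Review bot: The rule passed to `polkit.addRule` returns `polkit.Result.YES` for every action a wheel member requests without inspecting `action.id`, so combined with `wheelNeedsPassword = false` any process running as a wheel user can perform any privileged action with no authentication prompt at all. If that is the intended trust model it should be stated beside the rule rather than only linked, e.g. `# Wheel is fully trusted: no auth for any polkit action, matching wheelNeedsPassword = false.`; otherwise compare `action.id` against the handful of actions actually needed before returning YES. Note that this commit also removes `security.polkit.enable = false` from modules/nixfiles/profiles/headless.nix, so the blanket rule now applies to headless hosts as well. Keeping `SSH_AUTH_SOCK` through `env_keep` likewise lets an elevated command sign with the forwarded agent; fine if deliberate, but the comment currently carries only a link and no rationale. The enclosing `sudo` attribute set begins before this hunk.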
diff --git a/modules/nixfiles/common/users.nix b/modules/nixfiles/common/users.nix
index c761f55..a3626dd 100644
--- a/modules/nixfiles/common/users.nix
+++ b/modules/nixfiles/common/users.nix
@@ -9,7 +9,7 @@ with lib; {
       # This will unset the root password so that it would be impossible to
       # login as it directory. The root user will still be accessable via
       # `sudo`.
-      root.hashedPassword = "[REDACTED]";
+      root.hashedPassword = "@HASHED_PASSWORD@";
 
       ${my.username} = {
         isNormalUser = true;
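Review bot: The context comment above `root.hashedPassword` says the root password is unset, but the line now assigns a hash through the `@HASHED_PASSWORD@` substitution marker, so the comment and the code disagree; if a real hash is substituted at build time the comment should say so, e.g. `# Root's password hash is substituted in at build time; day-to-day root access goes through sudo.`, and if root is meant to be unusable the assignment should go instead. As far as I know an unsubstituted literal in the hash field matches no password, so a missed substitution would lock root rather than open it, but that is worth confirming against the substitution step since it is not visible here. The same comment also has two typos worth fixing while touching it: "directory" should be "directly" and "accessable" should be "accessible".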
diff --git a/modules/nixfiles/docker.nix b/modules/nixfiles/docker.nix
index d2e53d6..051b3c7 100644
--- a/modules/nixfiles/docker.nix
+++ b/modules/nixfiles/docker.nix
@@ -1,5 +1,6 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   ...
@@ -11,10 +12,18 @@ in {
     mkEnableOption "Whether to enable Docker.";
 
   config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = !config.nixfiles.modules.podman.enable;
+        message = "Pick only one!";
+      }
+    ];
+
     secrets.containers-auth = {
       file = "${inputs.self}/secrets/containers-auth";
       path = "${config.my.home}/.docker/config.json";
       owner = my.username;
+      inherit (config.my) group;
     };
 
     virtualisation.docker.enable = true;
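Review bot: The assertion message `"Pick only one!"` does not name the options that conflict, so someone who enables both modules gets a failure with no pointer to either one; `message = "nixfiles.modules.docker and nixfiles.modules.podman are mutually exclusive; enable only one of them.";` makes it actionable. The identical message is added in modules/nixfiles/podman.nix and should be mirrored there. The `inherit (config.my) group;` added to `secrets.containers-auth` widens the file's ownership to a group; the option's default mode is not visible in this hunk, so it is worth confirming the registry credentials in config.json are not readable beyond the owner.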
@@ -25,7 +34,6 @@ in {
 
     hm.programs.bash = {
       shellAliases.d = "${pkgs.docker}/bin/docker";
-
       initExtra = mkAfter ''
         _complete_alias d _docker docker
       '';
diff --git a/modules/nixfiles/git.nix b/modules/nixfiles/git.nix
index 9008c2a..5f78465 100644
--- a/modules/nixfiles/git.nix
+++ b/modules/nixfiles/git.nix
@@ -17,16 +17,19 @@ in {
         file = "${inputs.self}/secrets/glab-cli-config";
         path = "${config.dirs.config}/glab-cli/config.yml";
         owner = my.username;
+        inherit (config.my) group;
       };
       gh-hosts = {
         file = "${inputs.self}/secrets/gh-hosts";
         path = "${config.dirs.config}/gh/hosts.yml";
         owner = my.username;
+        inherit (config.my) group;
       };
       hut = {
         file = "${inputs.self}/secrets/hut";
         path = "${config.dirs.config}/hut/config";
         owner = my.username;
+        inherit (config.my) group;
       };
     };
 
diff --git a/modules/nixfiles/nsd.nix b/modules/nixfiles/nsd.nix
index c8ed44b..7bb3c77 100644
--- a/modules/nixfiles/nsd.nix
+++ b/modules/nixfiles/nsd.nix
@@ -85,7 +85,7 @@ in {
                 domain = my.domain.shire;
                 extra =
                   (mkEmailEntries {
-                    dkimKey = "[DKIM]";
+                    dkimKey = "@DKIM_KEY@";
                   })
                   // {
                     subdomains = rec {
@@ -115,7 +115,7 @@ in {
                 domain = my.domain.azahi;
                 extra =
                   (mkEmailEntries {
-                    dkimKey = "[DKIM]";
+                    dkimKey = "@DKIM_KEY@";
                   })
                   // {
                     subdomains = {
@@ -128,7 +128,7 @@ in {
                 domain = my.domain.gondor;
                 extra =
                   (mkEmailEntries {
-                    dkimKey = "[DKIM]";
+                    dkimKey = "@DKIM_KEY@";
                   })
                   // {
                     subdomains.frodo = ips "manwe";
@@ -138,7 +138,7 @@ in {
                 domain = my.domain.rohan;
                 extra =
                   (mkEmailEntries {
-                    dkimKey = "[DKIM]";
+                    dkimKey = "@DKIM_KEY@";
                   })
                   // {
                     subdomains.frodo = ips "manwe";
diff --git a/modules/nixfiles/podman.nix b/modules/nixfiles/podman.nix
index 6c8b7e5..ee9d4cb 100644
--- a/modules/nixfiles/podman.nix
+++ b/modules/nixfiles/podman.nix
@@ -12,10 +12,18 @@ in {
     mkEnableOption "Whether to enable Podman.";
 
   config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = !config.nixfiles.modules.docker.enable;
+        message = "Pick only one!";
+      }
+    ];
+
     secrets.containers-auth = {
       file = "${inputs.self}/secrets/containers-auth";
       path = "${config.dirs.config}/containers/auth.json";
       owner = my.username;
+      inherit (config.my) group;
     };
 
     virtualisation.podman.enable = true;
@@ -26,7 +34,6 @@ in {
 
     hm.programs.bash = {
       shellAliases.p = "${pkgs.podman}/bin/podman";
-
       initExtra = mkAfter ''
         _complete_alias p __start_podman podman
       '';
diff --git a/modules/nixfiles/profiles/headless.nix b/modules/nixfiles/profiles/headless.nix
index 9737344..4d940f8 100644
--- a/modules/nixfiles/profiles/headless.nix
+++ b/modules/nixfiles/profiles/headless.nix
@@ -58,7 +58,6 @@ in {
       defaultLocale = mkForce "C";
       supportedLocales = mkForce ["en_US.UTF-8/UTF-8" "en_GB.UTF-8/UTF-8"];
     };
-    security.polkit.enable = false;
     services.udisks2.enable = false;
     xdg.sounds.enable = false;
 
diff --git a/modules/nixfiles/searx.nix b/modules/nixfiles/searx.nix
index a5bb005..d5d00a2 100644
--- a/modules/nixfiles/searx.nix
+++ b/modules/nixfiles/searx.nix
@@ -59,7 +59,7 @@ in {
           server = {
             bind_address = "127.0.0.1";
             inherit (cfg) port;
-            secret_key = "@SECRET_KEY@";
+            secret_key = "@SEARX_SECRET_KEY@";
             base_url = false;
             image_proxy = false;
             default_http_headers = {