WIP: treewide: fixes for nixos 26.05

This commit is contained in:
2026-05-20 15:22:57 +09:00
parent 12b0871364
commit d4050cda3d
18 changed files with 36 additions and 150 deletions
+1 -3
@@ -41,7 +41,6 @@ in {
./services/uptimed.nix
./services/userborn.nix
./services/userdbd.nix
./services/wpa_supplicant.nix
./services/xserver.nix
];
@@ -144,7 +143,6 @@ in {
services = {
udev.packages = with pkgs; [
yubikey-personalization
light
];
};
@@ -186,7 +184,7 @@ in {
man.enable = true;
nixos.enable = true;
man.generateCaches = true;
man.cache.enable = true;
};
# security.lockKernelModules = true;
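Review bot: Dropping `./services/wpa_supplicant.nix` from the imports at L14 removes the entire systemd sandbox that file applied to wpa_supplicant — the RootDirectory chroot under /run/wpa_supplicant/root-mnt, the CapabilityBoundingSet limited to CAP_NET_ADMIN/CAP_BLOCK_SUSPEND/CAP_NET_RAW/CAP_CHOWN, the SystemCallFilter, DevicePolicy=closed and the AF_* restrictions — and nothing in this commit replaces it. If the 26.05 upstream wpa_supplicant module now ships equivalent hardening, that is worth recording in place of the removed line, e.g. `# wpa_supplicant sandboxing now comes from the upstream module (26.05)`, so the next reader does not assume it was lost by accident; if it does not, keeping the file and fixing whatever option broke is the safer route than shipping the daemon unconfined. The removal of `light` from udev.packages at L21 is similarly unexplained — if its udev rules were what allowed non-root backlight access, a one-line comment on what replaces them would help. The enclosing attribute sets begin and end outside these hunks.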
+4 -6
@@ -32,23 +32,21 @@
ghcid
# haskellPackages.Cabal_3_6_3_0
maven
nixfmt-rfc-style
nixfmt
nixpkgs-fmt
# nixpkgs-hammering
nodePackages.node2nix
nodePackages.npm
nodePackages.sass
nodePackages.typescript
nodePackages.yarn
nodejs
plantuml
python3
rustc
rustc
rustup
sass
sqlcheck
sqlint
sqlite
sqlite-web
typescript
yarn
]);
}
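Review bot: `rustc` appears twice at L49–L50 and sits next to `rustup` at L51; rustup provides its own `rustc`/`cargo` proxy binaries, so it and the standalone `rustc` collide on `bin/rustc` in the same profile and which one wins depends on list order and collision handling rather than intent. Since the commit is already reshuffling this list (nodePackages.* → top-level `sass`/`typescript`/`yarn`), dropping the duplicate and picking either `rustc` or `rustup` would make the toolchain deterministic. The enclosing list expression starts outside the hunk.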
-63
@@ -1,63 +0,0 @@
{ config, lib, ... }:
let
cfg = config.networking.wireless;
in
{
systemd.services.wpa_supplicant.serviceConfig = lib.mkIf (cfg.enable || config.networking.hostName == "xps16") {
RuntimeDirectory = [
"wpa_supplicant"
"wpa_supplicant/root-mnt"
];
RootDirectory = "/run/wpa_supplicant/root-mnt";
BindPaths = [
"/etc"
"/run/dbus/system_bus_socket"
"/tmp"
];
BindReadOnlyPaths = [
# "/bin/sh"
builtins.storeDir
];
# wpa_ctrl puts sockets in /tmp
PrivateTmp = false;
# PrivateTmp = lib.mkIf (configIsGenerated && !cfg.allowAuxiliaryImperativeNetworks) "disconnected";
CapabilityBoundingSet = [
"CAP_NET_ADMIN"
"CAP_BLOCK_SUSPEND"
"CAP_NET_RAW"
"CAP_CHOWN"
];
RestrictNamespaces = true;
SystemCallFilter = [
"@system-service"
"~@resources"
"@chown"
];
ProtectProc = "invisible";
SystemCallArchitectures = "native";
DeviceAllow = "/dev/rfkill";
DevicePolicy = "closed";
NoNewPrivileges = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectSystem = true;
ProtectHome = true;
MemoryDenyWriteExecute = true;
ProtectHostname = true;
LockPersonality = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
"AF_PACKET"
# "AF_ALG" # Used for 'linux' TLS backend
] ++ lib.optionals cfg.dbusControlled [
"AF_UNIX"
];
};
}
+1 -3
@@ -86,9 +86,7 @@
docker.enable = true;
};
services.resolved.extraConfig = ''
MulticastDNS=no
'';
services.resolved.settings.Resolve.MulticastDNS = false;
services.zfs.trim.enable = true;
services.zfs.autoScrub.enable = true;
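Review bot: The migrated option at L133 disables mDNS but leaves LLMNR, the other link-local name-resolution protocol, at resolved's default, which is the same gap the old extraConfig had. If the reason for `MulticastDNS = false` is to stop the host from answering or trusting unauthenticated LAN name lookups (both protocols are spoofable by any peer on the segment), `services.resolved.settings.Resolve.LLMNR = false;` belongs on the next line. The boolean is rendered by the INI generator as `false`, which systemd parses the same as the previous `no`, so the migration itself is behavior-preserving as far as this hunk shows.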
+1 -1
@@ -7,7 +7,7 @@
defaults = {
email = "h7x4@nani.wtf";
dnsProvider = "cloudflare";
credentialsFile = config.sops.secrets."cloudflare/api-key".path;
credentialFiles.CLOUDFLARE_DNS_API_TOKEN_FILE = config.sops.secrets."cloudflare/api-key".path;
dnsPropagationCheck = true;
};
certs."nani.wtf" = {
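Review bot: `credentialsFile` (L142) and `credentialFiles.<VAR>_FILE` (L143) expect different file contents: the old option is an EnvironmentFile holding `CLOUDFLARE_DNS_API_TOKEN=...` lines, while the new option points lego at a file whose whole content is the bare token, yet both lines reference the same sops secret `cloudflare/api-key`. Unless that secret was rewritten to contain only the token, renewals will fail at the DNS-01 step — and if the secret is actually a Cloudflare global API key (the name suggests it), lego expects `CLOUDFLARE_API_KEY`/`CLOUDFLARE_EMAIL` instead, in which case a zone-scoped DNS:Edit token under `CLOUDFLARE_DNS_API_TOKEN_FILE` is the least-privilege choice anyway. A comment such as `# file must contain only the scoped DNS:Edit API token (no KEY=value)` next to L143 would pin the contract; since credentialFiles are loaded via systemd credentials as root, the sops secret's owner/mode can presumably be tightened back to root-only, which is worth confirming against the sops definition outside this hunk.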