WIP: treewide: fixes for nixos 26.05
@@ -41,7 +41,6 @@ in {
|
||||
./services/uptimed.nix
|
||||
./services/userborn.nix
|
||||
./services/userdbd.nix
|
||||
./services/wpa_supplicant.nix
|
||||
./services/xserver.nix
|
||||
];
|
||||
|
||||
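Review bot: If the line dropped from this import list is `./services/wpa_supplicant.nix` (the 63-line pure deletion later in this commit removes a file with exactly that content), the commit also drops the local systemd sandboxing for wpa_supplicant — CapabilityBoundingSet, SystemCallFilter, ProtectSystem/ProtectHome, RestrictAddressFamilies and the rest — and nothing on the new side replaces it. That is only a safe cleanup if the 26.05 upstream module now applies an equivalent hardening set; the commented-out `PrivateTmp = lib.mkIf (configIsGenerated && ...)` line in the deleted file hints it was tracking an upstream change, but the commit does not confirm it landed. Suggest checking `systemctl show wpa_supplicant -p CapabilityBoundingSet -p SystemCallFilter -p ProtectSystem` on the rebuilt host, or keeping the file until parity is confirmed. The enclosing imports list starts before this hunk.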
@@ -144,7 +143,6 @@ in {
|
||||
services = {
|
||||
udev.packages = with pkgs; [
|
||||
yubikey-personalization
|
||||
light
|
||||
];
|
||||
};
|
||||
|
||||
@@ -186,7 +184,7 @@ in {
|
||||
man.enable = true;
|
||||
nixos.enable = true;
|
||||
|
||||
man.generateCaches = true;
|
||||
man.cache.enable = true;
|
||||
};
|
||||
|
||||
# security.lockKernelModules = true;
|
||||
|
||||
@@ -32,23 +32,21 @@
|
||||
ghcid
|
||||
# haskellPackages.Cabal_3_6_3_0
|
||||
maven
|
||||
nixfmt-rfc-style
|
||||
nixfmt
|
||||
nixpkgs-fmt
|
||||
# nixpkgs-hammering
|
||||
nodePackages.node2nix
|
||||
nodePackages.npm
|
||||
nodePackages.sass
|
||||
nodePackages.typescript
|
||||
nodePackages.yarn
|
||||
nodejs
|
||||
plantuml
|
||||
python3
|
||||
rustc
|
||||
rustc
|
||||
rustup
|
||||
sass
|
||||
sqlcheck
|
||||
sqlint
|
||||
sqlite
|
||||
sqlite-web
|
||||
typescript
|
||||
yarn
|
||||
]);
|
||||
}
|
||||
|
||||
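Review bot: `rustc` appears on two consecutive lines of this hunk; with the `+`/`-` markers lost in this rendering I cannot tell whether one of them is the removed line, but if both survive on the new side the list carries a duplicate entry, and keeping `rustc` next to `rustup` puts two competing `rustc` binaries on PATH (rustup's proxy and nixpkgs' compiler). Suggest keeping a single line — `rustup` alone if toolchains are managed through it, `rustc` alone otherwise. The enclosing package list starts before this hunk.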
@@ -1,63 +0,0 @@
|
||||
{ config, lib, ... }:
|
||||
let
|
||||
cfg = config.networking.wireless;
|
||||
in
|
||||
{
|
||||
systemd.services.wpa_supplicant.serviceConfig = lib.mkIf (cfg.enable || config.networking.hostName == "xps16") {
|
||||
RuntimeDirectory = [
|
||||
"wpa_supplicant"
|
||||
"wpa_supplicant/root-mnt"
|
||||
];
|
||||
RootDirectory = "/run/wpa_supplicant/root-mnt";
|
||||
BindPaths = [
|
||||
"/etc"
|
||||
"/run/dbus/system_bus_socket"
|
||||
"/tmp"
|
||||
];
|
||||
BindReadOnlyPaths = [
|
||||
# "/bin/sh"
|
||||
builtins.storeDir
|
||||
];
|
||||
|
||||
# wpa_ctrl puts sockets in /tmp
|
||||
PrivateTmp = false;
|
||||
# PrivateTmp = lib.mkIf (configIsGenerated && !cfg.allowAuxiliaryImperativeNetworks) "disconnected";
|
||||
|
||||
CapabilityBoundingSet = [
|
||||
"CAP_NET_ADMIN"
|
||||
"CAP_BLOCK_SUSPEND"
|
||||
"CAP_NET_RAW"
|
||||
"CAP_CHOWN"
|
||||
];
|
||||
RestrictNamespaces = true;
|
||||
SystemCallFilter = [
|
||||
"@system-service"
|
||||
"~@resources"
|
||||
"@chown"
|
||||
];
|
||||
ProtectProc = "invisible";
|
||||
SystemCallArchitectures = "native";
|
||||
DeviceAllow = "/dev/rfkill";
|
||||
DevicePolicy = "closed";
|
||||
NoNewPrivileges = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectSystem = true;
|
||||
ProtectHome = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
ProtectHostname = true;
|
||||
LockPersonality = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
RestrictAddressFamilies = [
|
||||
"AF_INET"
|
||||
"AF_INET6"
|
||||
"AF_NETLINK"
|
||||
"AF_PACKET"
|
||||
# "AF_ALG" # Used for 'linux' TLS backend
|
||||
] ++ lib.optionals cfg.dbusControlled [
|
||||
"AF_UNIX"
|
||||
];
|
||||
};
|
||||
}
|
||||
@@ -86,9 +86,7 @@
|
||||
docker.enable = true;
|
||||
};
|
||||
|
||||
services.resolved.extraConfig = ''
|
||||
MulticastDNS=no
|
||||
'';
|
||||
services.resolved.settings.Resolve.MulticastDNS = false;
|
||||
|
||||
services.zfs.trim.enable = true;
|
||||
services.zfs.autoScrub.enable = true;
|
||||
|
||||
@@ -7,7 +7,7 @@
|
||||
defaults = {
|
||||
email = "h7x4@nani.wtf";
|
||||
dnsProvider = "cloudflare";
|
||||
credentialsFile = config.sops.secrets."cloudflare/api-key".path;
|
||||
credentialFiles.CLOUDFLARE_DNS_API_TOKEN_FILE = config.sops.secrets."cloudflare/api-key".path;
|
||||
dnsPropagationCheck = true;
|
||||
};
|
||||
certs."nani.wtf" = {
|
||||
|
||||
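Review bot: Both the old `credentialsFile` line and the new `credentialFiles.CLOUDFLARE_DNS_API_TOKEN_FILE` line point at the same secret, `config.sops.secrets."cloudflare/api-key".path`, but the two options read that file differently: `credentialsFile` is loaded as an environment file (`KEY=value` lines), while a `credentialFiles.<VAR>_FILE` entry hands lego a file whose entire content is the credential. One sops secret cannot satisfy both, so either the old setup was already failing or the new one will pass a `NAME=value` line to lego as the token — the secret's content should be checked to be the bare token. The secret is named `api-key`, yet `CLOUDFLARE_DNS_API_TOKEN` is the scoped-token variable (the global key pairs with `CLOUDFLARE_API_KEY`/`CLOUDFLARE_EMAIL` instead); a zone-scoped DNS-edit token is also the least-privilege choice here, so confirming which kind of credential the secret holds resolves both questions. The enclosing `defaults` attribute set starts before this hunk and `certs."nani.wtf"` continues after it.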