hd/cfg
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

sudo -> doas

Browse source
This commit is contained in:
Henri Dohmen 2025-07-02 22:40:07 +02:00
parent f1a1dd5d53
commit b497b6405d
5 changed files with 38 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

1
host/nix.nix
View file

@ -13,6 +13,5 @@
trusted-users = [ "root" ]; trusted-users = [ "root" ];
auto-optimise-store = true; auto-optimise-store = true;
}; };
nixpkgs.config.allowUnfree = false; nixpkgs.config.allowUnfree = false;
} }

7
host/roam/default.nix
View file

@ -9,6 +9,13 @@
./services.nix ./services.nix
]; ];
security = {
acme = {
acceptTerms = true;
defaults.email = "acme@henri-dohmen.de";
};
};
# ====== DON'T CHANGE ====== # ====== DON'T CHANGE ======
system.stateVersion = "24.11"; system.stateVersion = "24.11";
} }

9
host/roam/security.nix
View file

@ -1,9 +0,0 @@
{ ... }:
{
security = {
acme = {
acceptTerms = true;
defaults.email = "acme@henri-dohmen.de";
};
};
}

6
mod/desktop/default.nix
View file

@ -15,9 +15,10 @@ in
./fonts.nix ./fonts.nix
./gpg.nix ./gpg.nix
./network.nix ./network.nix
./security.nix
./services.nix ./services.nix
./window-manager.nix
./software ./software
./window-manager.nix
inputs.nixos-config-hidden.nixosModules.pc inputs.nixos-config-hidden.nixosModules.pc
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
{ {
@ -45,6 +46,7 @@ in
fonts.enable = true; fonts.enable = true;
gpg.enable = true; gpg.enable = true;
network.enable = true; network.enable = true;
security.enable = true;
services.enable = true; services.enable = true;
software.enable = true; software.enable = true;
wm.enable = true; wm.enable = true;
@ -70,7 +72,5 @@ in
home.stateVersion = config.system.stateVersion; home.stateVersion = config.system.stateVersion;
imports = [ ../../mod-hm ]; imports = [ ../../mod-hm ];
}; };
security.protectKernelImage = true;
}; };
} }

28
mod/desktop/security.nix Normal file
View file

@ -0,0 +1,28 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.desktop.security;
inherit (lib) mkEnableOption mkIf;
in
{
options.desktop.security.enable = mkEnableOption "Security";
config = mkIf cfg.enable {
security.protectKernelImage = true;
security.sudo.enable = false;
security.doas = {
enable = true;
extraRules = [
{
groups = [ "wheel" ];
persist = true;
keepEnv = true;
}
];
};
};
}