From 46973f2aa831fd87e9fd93bf09ec9264161930a4 Mon Sep 17 00:00:00 2001 From: Igor Rzegocki Date: Wed, 6 Nov 2024 21:20:07 +0100 Subject: [PATCH] feat(piecyk): various fixes --- machines/piecyk/configuration.nix | 5 + .../awesome/config/bindings/globalkeys.lua | 4 +- modules/apps/core.nix | 2 + modules/apps/firefox/default.nix | 1 + modules/apps/git/default.nix | 2 +- modules/apps/gnupg/default.nix | 7 + modules/apps/kitty/default.nix | 3 +- modules/apps/xorg/default.nix | 4 + modules/apps/yazi/default.nix | 31 ++ modules/system/apps/adguardhome/default.nix | 429 +++++++++--------- modules/system/apps/docker/default.nix | 5 + modules/system/apps/nginx/default.nix | 2 + modules/system/containers/homepage/custom.css | 5 - modules/system/containers/immich/config.json | 7 + modules/system/core.nix | 8 + modules/system/networking.nix | 7 + modules/system/ssh.nix | 1 - 17 files changed, 303 insertions(+), 220 deletions(-) diff --git a/machines/piecyk/configuration.nix b/machines/piecyk/configuration.nix index eee18b1..1e246d5 100644 --- a/machines/piecyk/configuration.nix +++ b/machines/piecyk/configuration.nix @@ -70,6 +70,10 @@ rec { name = "enp6s0"; bridge = true; }; + # ensure that homelab is available even if local DNS dies + extraHosts = '' + 10.100.20.1 deedee.home.arpa + ''; }; ssh = { @@ -116,6 +120,7 @@ rec { id = "igor@rzegocki.pl"; } ]; + rememberPasswordTime = 28800; }; ssh = { appendOptions = { diff --git a/modules/apps/awesome/config/bindings/globalkeys.lua b/modules/apps/awesome/config/bindings/globalkeys.lua index 79fe392..e74c74a 100644 --- a/modules/apps/awesome/config/bindings/globalkeys.lua +++ b/modules/apps/awesome/config/bindings/globalkeys.lua 
@@ -61,7 +61,9 @@ local globalkeys = gears.table.join( awful.util.spawn( [[sh -c ']] .. RC.vars.scrotPath - .. [[ -a "$(]] ..RC.vars.slopPath .. [[ -f "%x,%y,%w,%h")" -f "]] + .. [[ -a "$(]] + .. RC.vars.slopPath + .. [[ -f "%x,%y,%w,%h")" -f "]] .. home .. [[/Pictures/Screenshots/%Y-%m-%d-%H%M%S_\$wx\$h_scrot.png"']] ) diff --git a/modules/apps/core.nix b/modules/apps/core.nix index a18e3a9..23e1eb2 100644 --- a/modules/apps/core.nix +++ b/modules/apps/core.nix @@ -42,7 +42,9 @@ packages = [ pkgs.bzip2 pkgs.dnsutils + pkgs.file pkgs.jq + pkgs.lsof pkgs.nh pkgs.pwgen pkgs.silver-searcher diff --git a/modules/apps/firefox/default.nix b/modules/apps/firefox/default.nix index 756a758..58dc724 100644 --- a/modules/apps/firefox/default.nix +++ b/modules/apps/firefox/default.nix @@ -82,6 +82,7 @@ let # passwords "signon.autofillForms" = false; "signon.formlessCapture.enabled" = false; + "signon.rememberSignons" = false; "network.auth.subresource-http-auth-allow" = 1; # downloads diff --git a/modules/apps/git/default.nix b/modules/apps/git/default.nix index 2ea2431..c0fe6f5 100644 --- a/modules/apps/git/default.nix +++ b/modules/apps/git/default.nix @@ -67,7 +67,7 @@ in minus-style = "syntax ${base08-hex}"; plus-emph-style = "bold syntax ${base0B-hex}"; plus-style = "syntax ${base0B-hex}"; - syntax-theme = "catppuccin-mocha"; + syntax-theme = "base16-stylix"; }; }; }; diff --git a/modules/apps/gnupg/default.nix b/modules/apps/gnupg/default.nix index fecea4e..8992b92 100644 --- a/modules/apps/gnupg/default.nix +++ b/modules/apps/gnupg/default.nix @@ -52,6 +52,12 @@ in ); default = [ ]; }; + rememberPasswordTime = lib.mkOption { + type = lib.types.nullOr lib.types.int; + description = "Time in seconds, which password will be cached by gpg-agent (and not asked again)."; + default = null; + example = 3600; + }; }; config = lib.mkIf cfg.enable { 
@@ -89,6 +95,7 @@ in enable = true; enableScDaemon = true; + defaultCacheTtl = cfg.rememberPasswordTime; }; systemd.user.services.gnupg-create-socketdir = lib.mkIf cfg.enableYubikey { diff --git a/modules/apps/kitty/default.nix b/modules/apps/kitty/default.nix index 763037d..8694892 100644 --- a/modules/apps/kitty/default.nix +++ b/modules/apps/kitty/default.nix @@ -15,6 +15,8 @@ in config = lib.mkIf cfg.enable { stylix.targets.kitty.enable = true; + home.shellAliases.ssh = "${lib.getExe' config.programs.kitty.package "kitten"} ssh"; + programs.kitty = { enable = true; shellIntegration = { @@ -24,7 +26,6 @@ in environment = { LC_ALL = osConfig.i18n.defaultLocale; - TERM = "xterm-256color"; }; font.size = 12; diff --git a/modules/apps/xorg/default.nix b/modules/apps/xorg/default.nix index c824c0d..2e73c19 100644 --- a/modules/apps/xorg/default.nix +++ b/modules/apps/xorg/default.nix @@ -36,6 +36,10 @@ }; home = { + packages = [ + pkgs.roboto + ]; + sessionVariables = { XCOMPOSECACHE = "${config.xdg.cacheHome}/X11/xcompose"; }; diff --git a/modules/apps/yazi/default.nix b/modules/apps/yazi/default.nix index 4050ecc..54db2b7 100644 --- a/modules/apps/yazi/default.nix +++ b/modules/apps/yazi/default.nix @@ -19,6 +19,37 @@ in programs.yazi = { enable = true; enableZshIntegration = true; + keymap = { + manager = { + prepend_keymap = [ + { + on = "d"; + run = "remove --permanently"; + desc = "Remove permanently."; + } + ]; + }; + }; + settings = { + manager = { + ratio = [ + 1 + 3 + 6 + ]; + sort_by = "alphabetical"; + sort_sensitive = false; + sort_dir_first = true; + show_hidden = true; + show_symlink = true; + }; + preview = { + wrap = "yes"; + tab_size = 2; + max_width = 2700; + max_height = 2050; + }; + }; }; }; } diff --git a/modules/system/apps/adguardhome/default.nix b/modules/system/apps/adguardhome/default.nix index b5e5b8e..4b691c9 100644 --- a/modules/system/apps/adguardhome/default.nix +++ b/modules/system/apps/adguardhome/default.nix 
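Review bot: `defaultCacheTtl = cfg.rememberPasswordTime;` sets only gpg-agent's default-cache-ttl, an idle timer that restarts on each use; the entry is still dropped at max-cache-ttl, which stays at gpg-agent's default (7200 seconds, as far as I know) unless it is set too. With `rememberPasswordTime = 28800` from machines/piecyk/configuration.nix the passphrase would therefore presumably be requested again after two hours, so the option description in the first hunk of this file promises more than the module delivers. If the eight-hour window is intended, add `maxCacheTtl = cfg.rememberPasswordTime;` next to this line, and state in the description that for this long the unlocked key is usable by anything running in the user session. The attribute set holding this line starts outside the hunk; I am assuming it is home-manager's `services.gpg-agent`.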
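Review bot: The new `home.shellAliases.ssh` sends every interactive `ssh` through `kitten ssh`, which copies kitty's terminfo and shell-integration files into the remote account on login; that side effect is undocumented here and applies to hosts managed by other people as well. The same hunk removes `TERM = "xterm-256color"`, so anything that bypasses the alias (scripts, git, tools that exec ssh directly) now presents kitty's own TERM to hosts that may lack the entry. I would add a comment above the alias such as `# kitten ssh uploads terminfo and shell integration to the remote; "command ssh" bypasses it`.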
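Review bot: The `prepend_keymap` entry rebinds `d` to `remove --permanently`, so the key that yazi's stock keymap uses for moving files to the trash now deletes them irrecoverably, and `show_hidden = true` in the same hunk puts dotfiles and key material in reach of it. If skipping the trash is deliberate, say so with a comment such as `# d skips the trash on purpose; deletion cannot be undone`. Otherwise leave `d` alone, since the stock keymap already provides a separate binding for permanent removal, to my knowledge.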
@@ -32,232 +32,239 @@ in }; }; - config = lib.mkIf cfg.enable { - sops.secrets."${cfg.adminPasswordSopsSecret}".restartUnits = [ "adguardhome.service" ]; + config = + let + webUIIP = config.mySystemApps.docker.network.public.hostIP; + in + lib.mkIf cfg.enable { + sops.secrets."${cfg.adminPasswordSopsSecret}".restartUnits = [ "adguardhome.service" ]; - services.adguardhome = { - enable = true; - mutableSettings = false; + services.adguardhome = { + enable = true; + mutableSettings = false; - settings = { - users = [ - { - name = "admin"; - password = "ADGUARDPASS"; # placeholder - } - ]; + host = webUIIP; - auth_attempts = 3; - block_auth_min = 3600; - - theme = if config.stylix.polarity == "either" then "auto" else "${config.stylix.polarity}"; - - dns = { - bind_hosts = [ "BINDHOST" ]; - port = 53; - protection_enabled = true; - filtering_enabled = true; - upstream_mode = "load_balance"; - upstream_dns = [ - "9.9.9.9" - "149.112.112.10" - ]; - bootstrap_dns = [ - "9.9.9.9" - "149.112.112.10" + settings = { + users = [ + { + name = "admin"; + password = "ADGUARDPASS"; # placeholder + } ]; - fallback_dns = [ - "1.1.1.1" - "1.1.0.0" - ]; - cache_size = 104857600; - cache_ttl_min = 60; - cache_optimistic = true; - }; - filtering = { - rewrites = - [ - { - domain = "*.${config.mySystem.rootDomain}"; - answer = "BINDHOST"; - } - ] - ++ (builtins.map (domain: { - inherit domain; - answer = builtins.getAttr domain cfg.customMappings; - }) (builtins.attrNames cfg.customMappings)); - }; + auth_attempts = 3; + block_auth_min = 3600; - filters = - let - urls = [ - { - name = "AdGuard DNS filter"; - url = "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt"; - } - { - name = "AdAway Default Blocklist"; - url = "https://adaway.org/hosts.txt"; - } - { - name = "Big OISD"; - url = "https://big.oisd.nl"; - } - { - name = "Game Console Adblock List"; - url = "https://raw.githubusercontent.com/DandelionSprout/adfilt/master/GameConsoleAdblockList.txt"; - } - { - name = 
"WindowsSpyBlocker - Hosts spy rules"; - url = "https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt"; - } - { - name = "Perflyst and Dandelion Sprout's Smart-TV Blocklist"; - url = "https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV-AGH.txt"; - } - { - name = "Mobile Filter"; - url = "https://raw.githubusercontent.com/AdguardTeam/FiltersRegistry/master/filters/filter_11_Mobile/filter.txt"; - } - { - name = "Fanboy's Social Blocking List"; - url = "https://secure.fanboy.co.nz/fanboy-social.txt"; - } - { - name = "Web Annoyances Ultralist"; - url = "https://raw.githubusercontent.com/yourduskquibbles/webannoyances/master/ultralist.txt"; - } - { - name = "NoCoin Filter List"; - url = "https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/nocoin.txt"; - } - { - name = "I don't care about cookies"; - url = "https://www.i-dont-care-about-cookies.eu/abp/"; - } - { - name = "osint"; - url = "https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"; - } - { - name = "phishing army"; - url = "https://phishing.army/download/phishing_army_blocklist_extended.txt"; - } - { - name = "notrack malware"; - url = "https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt"; - } - { - name = "EasyPrivacy"; - url = "https://v.firebog.net/hosts/Easyprivacy.txt"; - } - { - name = "Oficjalne Polskie Filtry do AdBlocka, uBlocka Origin i AdGuarda"; - url = "https://raw.githubusercontent.com/MajkiIT/polish-ads-filter/master/polish-adblock-filters/adblock.txt"; - } - { - name = "(suplement) Oficjalne Polskie Filtry do AdBlocka, uBlocka Origin i AdGuarda"; - url = "https://raw.githubusercontent.com/MajkiIT/polish-ads-filter/master/polish-adblock-filters/adblock_adguard.txt"; - } - { - name = "Polskie Filtry Społecznościowe"; - url = "https://raw.githubusercontent.com/MajkiIT/polish-ads-filter/master/adblock_social_filters/adblock_social_list.txt"; - } - { - name = "(suplement) Polskie Filtry 
Społecznościowe"; - url = "https://raw.githubusercontent.com/MajkiIT/polish-ads-filter/master/adblock_social_filters/social_filters_uB_AG.txt"; - } - { - name = "Polskie Filtry Elementów Irytujących"; - url = "https://raw.githubusercontent.com/FiltersHeroes/PolishAnnoyanceFilters/master/PPB.txt"; - } - { - name = "(suplement) Polskie Filtry Elementów Irytujących"; - url = "https://raw.githubusercontent.com/FiltersHeroes/PolishAnnoyanceFilters/master/PAF_supp.txt"; - } - { - name = "Polski Antyirytujący Dodatek Specjalny"; - url = "https://raw.githubusercontent.com/FiltersHeroes/PolishAntiAnnoyingSpecialSupplement/master/polish_rss_filters.txt"; - } - { - name = "KAD - Przekręty"; - url = "https://raw.githubusercontent.com/FiltersHeroes/KAD/master/KAD.txt"; - } - { - name = "Polskie Filtry Prywatności"; - url = "https://raw.githubusercontent.com/olegwukr/polish-privacy-filters/master/adblock.txt"; - } - { - name = "AlleBlock"; - url = "https://alleblock.pl/alleblock/alleblock.txt"; - } - { - name = "Polskie Filtry Anty-Adblockowe"; - url = "https://raw.githubusercontent.com/olegwukr/polish-privacy-filters/master/anti-adblock.txt"; - } - { - name = "(suplement) Polskie Filtry Anty-Adblockowe"; - url = "https://raw.githubusercontent.com/olegwukr/polish-privacy-filters/master/anti-adblock-suplement-adguard.txt"; - } + theme = if config.stylix.polarity == "either" then "auto" else "${config.stylix.polarity}"; + + dns = { + bind_hosts = [ "BINDHOST" ]; + port = 53; + protection_enabled = true; + filtering_enabled = true; + upstream_mode = "load_balance"; + upstream_dns = [ + "9.9.9.9" + "149.112.112.10" + ]; + bootstrap_dns = [ + "9.9.9.9" + "149.112.112.10" + ]; + fallback_dns = [ + "1.1.1.1" + "1.1.0.0" ]; + cache_size = 104857600; + cache_ttl_min = 60; + cache_optimistic = true; + }; + + filtering = { + rewrites = + [ + { + domain = "*.${config.mySystem.rootDomain}"; + answer = "BINDHOST"; + } + ] + ++ (builtins.map (domain: { + inherit domain; + answer = 
builtins.getAttr domain cfg.customMappings; + }) (builtins.attrNames cfg.customMappings)); + }; + + filters = + let + urls = [ + { + name = "AdGuard DNS filter"; + url = "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt"; + } + { + name = "AdAway Default Blocklist"; + url = "https://adaway.org/hosts.txt"; + } + { + name = "Big OISD"; + url = "https://big.oisd.nl"; + } + { + name = "Game Console Adblock List"; + url = "https://raw.githubusercontent.com/DandelionSprout/adfilt/master/GameConsoleAdblockList.txt"; + } + { + name = "WindowsSpyBlocker - Hosts spy rules"; + url = "https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt"; + } + { + name = "Perflyst and Dandelion Sprout's Smart-TV Blocklist"; + url = "https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV-AGH.txt"; + } + { + name = "Mobile Filter"; + url = "https://raw.githubusercontent.com/AdguardTeam/FiltersRegistry/master/filters/filter_11_Mobile/filter.txt"; + } + { + name = "Fanboy's Social Blocking List"; + url = "https://secure.fanboy.co.nz/fanboy-social.txt"; + } + { + name = "Web Annoyances Ultralist"; + url = "https://raw.githubusercontent.com/yourduskquibbles/webannoyances/master/ultralist.txt"; + } + { + name = "NoCoin Filter List"; + url = "https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/nocoin.txt"; + } + { + name = "I don't care about cookies"; + url = "https://www.i-dont-care-about-cookies.eu/abp/"; + } + { + name = "osint"; + url = "https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"; + } + { + name = "phishing army"; + url = "https://phishing.army/download/phishing_army_blocklist_extended.txt"; + } + { + name = "notrack malware"; + url = "https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt"; + } + { + name = "EasyPrivacy"; + url = "https://v.firebog.net/hosts/Easyprivacy.txt"; + } + { + name = "Oficjalne Polskie Filtry do AdBlocka, uBlocka Origin i AdGuarda"; + 
url = "https://raw.githubusercontent.com/MajkiIT/polish-ads-filter/master/polish-adblock-filters/adblock.txt"; + } + { + name = "(suplement) Oficjalne Polskie Filtry do AdBlocka, uBlocka Origin i AdGuarda"; + url = "https://raw.githubusercontent.com/MajkiIT/polish-ads-filter/master/polish-adblock-filters/adblock_adguard.txt"; + } + { + name = "Polskie Filtry Społecznościowe"; + url = "https://raw.githubusercontent.com/MajkiIT/polish-ads-filter/master/adblock_social_filters/adblock_social_list.txt"; + } + { + name = "(suplement) Polskie Filtry Społecznościowe"; + url = "https://raw.githubusercontent.com/MajkiIT/polish-ads-filter/master/adblock_social_filters/social_filters_uB_AG.txt"; + } + { + name = "Polskie Filtry Elementów Irytujących"; + url = "https://raw.githubusercontent.com/FiltersHeroes/PolishAnnoyanceFilters/master/PPB.txt"; + } + { + name = "(suplement) Polskie Filtry Elementów Irytujących"; + url = "https://raw.githubusercontent.com/FiltersHeroes/PolishAnnoyanceFilters/master/PAF_supp.txt"; + } + { + name = "Polski Antyirytujący Dodatek Specjalny"; + url = "https://raw.githubusercontent.com/FiltersHeroes/PolishAntiAnnoyingSpecialSupplement/master/polish_rss_filters.txt"; + } + { + name = "KAD - Przekręty"; + url = "https://raw.githubusercontent.com/FiltersHeroes/KAD/master/KAD.txt"; + } + { + name = "Polskie Filtry Prywatności"; + url = "https://raw.githubusercontent.com/olegwukr/polish-privacy-filters/master/adblock.txt"; + } + { + name = "AlleBlock"; + url = "https://alleblock.pl/alleblock/alleblock.txt"; + } + { + name = "Polskie Filtry Anty-Adblockowe"; + url = "https://raw.githubusercontent.com/olegwukr/polish-privacy-filters/master/anti-adblock.txt"; + } + { + name = "(suplement) Polskie Filtry Anty-Adblockowe"; + url = "https://raw.githubusercontent.com/olegwukr/polish-privacy-filters/master/anti-adblock-suplement-adguard.txt"; + } + ]; - buildList = id: url: { - enabled = true; - inherit id; - inherit (url) name; - inherit (url) url; - }; - in - 
lib.imap1 buildList urls; + buildList = id: url: { + enabled = true; + inherit id; + inherit (url) name; + inherit (url) url; + }; + in + lib.imap1 buildList urls; + }; }; - }; - users.users.${cfg.user} = { - isSystemUser = true; - group = "services"; - }; + users.users.${cfg.user} = { + isSystemUser = true; + group = "services"; + }; - systemd.services.adguardhome = { - preStart = lib.mkAfter '' - HASH="$(cat ${ - config.sops.secrets."${cfg.adminPasswordSopsSecret}".path - } | ${lib.getExe' pkgs.apacheHttpd "htpasswd"} -niB "" | cut -c 2-)" - MAINIP="$(${lib.getExe' pkgs.iproute2 "ip"} -4 addr show dev ${config.mySystem.networking.rootInterface} | grep -Po 'inet \K[\d.]+')" - ${lib.getExe pkgs.gnused} -i"" "s,ADGUARDPASS,'$HASH',g" "$STATE_DIRECTORY/AdGuardHome.yaml" - ${lib.getExe pkgs.gnused} -i"" "s,BINDHOST,'$MAINIP',g" "$STATE_DIRECTORY/AdGuardHome.yaml" - ''; - serviceConfig.User = cfg.user; - serviceConfig.Group = "services"; - }; + systemd.services.adguardhome = { + preStart = lib.mkAfter '' + HASH="$(cat ${ + config.sops.secrets."${cfg.adminPasswordSopsSecret}".path + } | ${lib.getExe' pkgs.apacheHttpd "htpasswd"} -niB "" | cut -c 2-)" + MAINIP="$(${lib.getExe' pkgs.iproute2 "ip"} -4 addr show dev ${config.mySystem.networking.rootInterface} | grep -Po 'inet \K[\d.]+')" + ${lib.getExe pkgs.gnused} -i"" "s,ADGUARDPASS,'$HASH',g" "$STATE_DIRECTORY/AdGuardHome.yaml" + ${lib.getExe pkgs.gnused} -i"" "s,BINDHOST,'$MAINIP',g" "$STATE_DIRECTORY/AdGuardHome.yaml" + ''; + serviceConfig.User = cfg.user; + serviceConfig.Group = "services"; + }; - services.nginx.virtualHosts.adguard = svc.mkNginxVHost { - host = "adguard"; - proxyPass = "http://127.0.0.1:${builtins.toString config.services.adguardhome.port}"; - useAuthelia = config.mySystemApps.authelia.enable; - }; + services.nginx.virtualHosts.adguard = svc.mkNginxVHost { + host = "adguard"; + proxyPass = "http://${webUIIP}:${builtins.toString config.services.adguardhome.port}"; + useAuthelia = 
config.mySystemApps.authelia.enable; + }; - networking.firewall.allowedUDPPorts = [ 53 ]; + networking.firewall.allowedUDPPorts = [ 53 ]; + networking.firewall.allowedTCPPorts = [ 3000 ]; - mySystemApps.homepage = { - services.Apps.AdGuardHome = svc.mkHomepage "adguard" // { - icon = "adguard-home.svg"; - container = null; - description = "Adguard filtering DNS"; - widget = { - type = "adguard"; - url = "http://host.docker.internal:${builtins.toString config.services.adguardhome.port}"; - username = "admin"; - password = "@@ADGUARD_PASSWORD@@"; - fields = [ - "queries" - "blocked" - "filtered" - "latency" - ]; + mySystemApps.homepage = { + services.Apps.AdGuardHome = svc.mkHomepage "adguard" // { + icon = "adguard-home.svg"; + container = null; + description = "Adguard filtering DNS"; + widget = { + type = "adguard"; + url = "http://${webUIIP}:${builtins.toString config.services.adguardhome.port}"; + username = "admin"; + password = "@@ADGUARD_PASSWORD@@"; + fields = [ + "queries" + "blocked" + "filtered" + "latency" + ]; + }; }; + secrets.ADGUARD_PASSWORD = config.sops.secrets."${cfg.adminPasswordSopsSecret}".path; }; - secrets.ADGUARD_PASSWORD = config.sops.secrets."${cfg.adminPasswordSopsSecret}".path; }; - }; } diff --git a/modules/system/apps/docker/default.nix b/modules/system/apps/docker/default.nix index 23948cb..e922749 100644 --- a/modules/system/apps/docker/default.nix +++ b/modules/system/apps/docker/default.nix @@ -61,6 +61,11 @@ in description = "Subnet of the public (with internet) network user by containers."; default = "172.31.0.0/16"; }; + hostIP = lib.mkOption { + type = lib.types.str; + description = "IP under which the host is reachable for given network."; + default = "172.31.0.1"; + }; }; }; default = { diff --git a/modules/system/apps/nginx/default.nix b/modules/system/apps/nginx/default.nix index bf0c979..e5b5fcb 100644 --- a/modules/system/apps/nginx/default.nix +++ b/modules/system/apps/nginx/default.nix 
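Review bot: `networking.firewall.allowedTCPPorts = [ 3000 ];` opens the AdGuard Home admin port on every interface, although the same hunk keeps browser access behind nginx (and Authelia when enabled); any peer that can get a packet for `webUIIP` routed to this host then reaches the plain-HTTP login directly, with only `auth_attempts` and `block_auth_min` in front of it. The port is also hard-coded while `proxyPass` and the homepage widget use `config.services.adguardhome.port`. Scoping the rule to the Docker bridge keeps the widget working without the wider exposure, e.g. `networking.firewall.interfaces.<public-bridge-name>.allowedTCPPorts = [ config.services.adguardhome.port ];`, where `<public-bridge-name>` is a placeholder for the public network's interface, which this page does not show. The widget now also sends the admin credentials over unencrypted HTTP to that address, which is acceptable only while the traffic never leaves the host bridge.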
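Review bot: `hostIP` defaults to `172.31.0.1` independently of the `subnet` option declared just above it, so overriding the subnet alone leaves AdGuard Home's `host`, the nginx `proxyPass` and the homepage widget pointing at an address that is no longer on the bridge. The description should state the coupling, for example `description = "IP under which the host is reachable on this network; must lie inside subnet (normally its gateway address).";`. The surrounding option set starts and ends outside the hunk, so whether the bridge gateway is pinned elsewhere cannot be seen from here.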
@@ -46,6 +46,8 @@ in enable = true; package = pkgs.nginxStable.override { openssl = pkgs.libressl; }; + clientMaxBodySize = "0"; # disable file upload limits + recommendedBrotliSettings = true; recommendedGzipSettings = true; recommendedOptimisation = true; diff --git a/modules/system/containers/homepage/custom.css b/modules/system/containers/homepage/custom.css index 1bebe01..074e598 100644 --- a/modules/system/containers/homepage/custom.css +++ b/modules/system/containers/homepage/custom.css @@ -291,8 +291,3 @@ button[id$='-tab']:hover { .bookmark-group .bookmark-group-name { display: none; } - -/* Hide footer completely */ -#footer { - display: none; -} diff --git a/modules/system/containers/immich/config.json b/modules/system/containers/immich/config.json index e113d32..937d1a1 100644 --- a/modules/system/containers/immich/config.json +++ b/modules/system/containers/immich/config.json @@ -1,4 +1,11 @@ { + "backup": { + "database": { + "enabled": false, + "cronExpression": "0 02 * * *", + "keepLastAmount": 14 + } + }, "ffmpeg": { "crf": 23, "threads": 0, diff --git a/modules/system/core.nix b/modules/system/core.nix index 7fd34ea..1463067 100644 --- a/modules/system/core.nix +++ b/modules/system/core.nix @@ -110,6 +110,14 @@ in nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) config.mySystem.allowUnfree; + security.sudo = { + execWheelOnly = true; + extraConfig = lib.mkAfter '' + Defaults lecture="never" + Defaults env_keep += "TERM TERMINFO" + ''; + }; + stylix = rec { enable = true; autoEnable = false; diff --git a/modules/system/networking.nix b/modules/system/networking.nix index dedd77c..eb768de 100644 --- a/modules/system/networking.nix +++ b/modules/system/networking.nix 
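Review bot: `clientMaxBodySize = "0";` removes the request-body limit for every virtual host this nginx serves, not only for the application that needs large uploads, so a single client can stream arbitrarily large bodies into proxy buffers, temp files or backend storage. Keeping a global ceiling and lifting it with `client_max_body_size` in the `extraConfig` of the one vhost or location that needs it would limit that exposure. At minimum the comment should name the consumer, e.g. `# unlimited uploads needed by <service>; applies to all vhosts`, with `<service>` standing for the application the page does not name. The enclosing attribute set starts and ends outside the hunk.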
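Review bot: `Defaults env_keep += "TERM TERMINFO"` passes the invoking user's `TERMINFO` through to every command run via sudo, a variable sudo strips by default because a curses program running as root would then load a terminfo database from a user-controlled path. `TERM` is, as far as I know, already preserved by sudo's default environment checks, so `TERMINFO` is the only real change in that line. With `execWheelOnly = true` and unrestricted wheel rules the practical gain for an attacker is small, but it matters as soon as a sudoers rule restricts a user to specific commands. Installing the terminal's terminfo entry system-wide and leaving only `Defaults lecture="never"` here would avoid the exception.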
@@ -42,6 +42,11 @@ in description = "Custom systemd.network config. If not set, DHCP4 on default interface will be configured."; default = null; }; + extraHosts = lib.mkOption { + type = lib.types.lines; + description = "Extra entries in /etc/hosts"; + default = ""; + }; rootInterface = lib.mkOption { type = lib.types.str; @@ -55,6 +60,8 @@ in config = lib.mkIf cfg.enable { networking = { + inherit (cfg) extraHosts; + hostName = cfg.hostname; dhcpcd.enable = false; enableIPv6 = false; diff --git a/modules/system/ssh.nix b/modules/system/ssh.nix index f536922..5c0886a 100644 --- a/modules/system/ssh.nix +++ b/modules/system/ssh.nix @@ -63,7 +63,6 @@ in execWheelOnly = true; extraConfig = lib.mkAfter '' Defaults:root,%wheel env_keep+=SSH_AUTH_SOCK - Defaults lecture="never" ''; };