commit 6349621e2d2a69a8104a1451e36f83273937a8b5
parent 1c25881f19553d4a5abd96923eb9ac02924efb48
Author: Katja (zaphyra) <git@ctu.cx>
Date: Mon, 9 Jun 2025 15:12:17 +0200
parent 1c25881f19553d4a5abd96923eb9ac02924efb48
Author: Katja (zaphyra) <git@ctu.cx>
Date: Mon, 9 Jun 2025 15:12:17 +0200
config/nixos/modules: refactor `security`
7 files changed, 36 insertions(+), 36 deletions(-)
diff --git a/config/nixos/modules/presets/base.nix b/config/nixos/modules/presets/base.nix
@@ -54,9 +54,9 @@ in
 sops.enable = lib.mkDefault true;
 security = {
- enable = lib.mkDefault true;
- kernel = lib.mkDefault true;
- networking = lib.mkDefault true;
+ nix.enable = lib.mkDefault true;
+ kernel.enable = lib.mkDefault true;
+ networking.enable = lib.mkDefault true;
 };
 services = {
diff --git a/config/nixos/modules/security/enable.nix b/config/nixos/modules/security/enable.nix
@@ -1,23 +0,0 @@
-{
- pov,
- config,
- lib,
- ...
-}:
-let
- inherit (lib) types;
- cfg = lib.getAttrFromPath pov config;
-
-in
-{
-
- option = {
- type = types.bool;
- default = false;
- };
-
- config = lib.mkIf cfg.enable {
- nix.settings.allowed-users = lib.mkDefault [ "@users" ];
- };
-
-}
diff --git a/config/nixos/modules/security/kernel.nix b/config/nixos/modules/security/kernel.nix
@@ -1,5 +1,5 @@
 {
- pov,
+ povSelf,
 hostConfig,
 config,
 lib,
@@ -7,17 +7,17 @@
 }:
 let
 inherit (lib) types;
- cfg = lib.getAttrFromPath pov config;
+ cfg = lib.getAttrFromPath povSelf config;
 in
 {
- option = {
+ options.enable = {
 type = types.bool;
 default = false;
 };
- config = lib.mkIf (cfg.enable && cfg.kernel) {
+ config = lib.mkIf cfg.enable {
 environment = {
 # memoryAllocator.provider = mkDefault "scudo"; # Breaks stuff
 # variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1"; # Breaks stuff
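Review bot: The renamed option block `options.enable = { type = types.bool; default = false; };` still carries no `description`, so the only documentation of what enabling `security.kernel` does is the option's name. Since the module is loaded through a custom `povSelf` path rather than plain `lib.mkOption`, I cannot tell from the hunk whether the loader accepts extra attributes, but if it does, a one-liner such as `description = "Apply the kernel hardening settings defined in this module (sysctls, environment, allocator tweaks).";` would make the preset's `security.kernel.enable = lib.mkDefault true` self-explanatory. The two commented-out scudo lines would also benefit from a dated note on what exactly "Breaks stuff" meant, so the next maintainer knows whether it is safe to retry. The `config = lib.mkIf cfg.enable { … }` body continues past the end of the hunk.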
diff --git a/config/nixos/modules/security/networking.nix b/config/nixos/modules/security/networking.nix
@@ -1,21 +1,21 @@
 {
- pov,
+ povSelf,
 config,
 lib,
 ...
 }:
 let
 inherit (lib) types;
- cfg = lib.getAttrFromPath pov config;
+ cfg = lib.getAttrFromPath povSelf config;
 in
 {
- option = {
+ options.enable = {
 type = types.bool;
 default = false;
 };
- config = lib.mkIf (cfg.enable && cfg.networking) {
+ config = lib.mkIf cfg.enable {
 boot.kernel.sysctl = {
 # Enable strict reverse path filtering (that is, do not attempt to route
 # packets that "obviously" do not belong to the iface's network; dropped
diff --git a/config/nixos/modules/security/nix.nix b/config/nixos/modules/security/nix.nix
@@ -0,0 +1,23 @@
+{
+ povSelf,
+ config,
+ lib,
+ ...
+}:
+let
+ inherit (lib) types;
+ cfg = lib.getAttrFromPath povSelf config;
+
+in
+{
+
+ options.enable = {
+ type = types.bool;
+ default = false;
+ };
+
+ config = lib.mkIf cfg.enable {
+ nix.settings.allowed-users = lib.mkForce [ "@users" ];
+ };
+
+}
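Review bot: `nix.settings.allowed-users = lib.mkForce [ "@users" ];` quietly turns the deleted enable.nix's `lib.mkDefault` into a forced value, which is a behaviour change hidden in a commit titled "refactor": with base.nix now enabling `security.nix` by default, any host that needs an extra daemon user (a CI or deploy account outside the `users` group) can no longer add it without an evaluation conflict and must instead disable the whole module. Unless the force is deliberate, keep `lib.mkDefault [ "@users" ]` so hosts can still extend the list, or say in a comment why it must win. It is also worth recording what the setting does and does not protect: per the Nix manual, members of `trusted-users` (root by default) connect regardless of `allowed-users`, so this only restricts unprivileged accounts, and every member of the `users` group gets daemon access. A comment such as `# Only members of the users group may talk to nix-daemon; trusted-users (root) bypass this list.` above the line, plus a `description` on `options.enable`, would make that explicit.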
diff --git a/hosts/novus/default.nix b/hosts/novus/default.nix
@@ -54,7 +54,7 @@
 };
 modules = {
- security.kernel = false;
+ security.kernel.enable = false;
 filesystem = {
 impermanence.system.enable = true;
 impermanence.home.enable = true;
diff --git a/hosts/polaris/default.nix b/hosts/polaris/default.nix
@@ -54,7 +54,7 @@
 };
 modules = {
- security.kernel = false;
+ security.kernel.enable = false;
 filesystem = {
 impermanence.system.enable = true;
 impermanence.home.enable = true;