diff --git a/checks/pre-commit-hooks/default.nix b/checks/pre-commit-hooks/default.nix
index 8044db9..cb140aa 100644
--- a/checks/pre-commit-hooks/default.nix
+++ b/checks/pre-commit-hooks/default.nix
@@ -10,7 +10,13 @@ in
 pre-commit-hooks-nix.lib.${pkgs.stdenv.hostPlatform.system}.run {
   src = ../..;
   hooks = {
-    pre-commit-hook-ensure-sops.enable = true;
+    pre-commit-hook-ensure-sops = {
+      enable = true;
+      excludes = [
+        "secrets/.*\\.jwe$"
+        "secrets/.*\\.key$"
+      ];
+    };
     treefmt = {
       enable = lib.mkForce true;
       settings.fail-on-change = lib.mkForce false;
@@ -24,6 +30,10 @@ pre-commit-hooks-nix.lib.${pkgs.stdenv.hostPlatform.system}.run {
     };
     statix = {
       enable = true;
+      args = [
+        "--config"
+        (lib.snowfall.fs.get-file "statix.toml")
+      ];
     };
   };
 }
diff --git a/flake.lock b/flake.lock
index 906f07e..e8bfa6c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1435,17 +1435,14 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1774472006,
-        "narHash": "sha256-PsAau0yCoQDNqFnCxCJhwbYMSYIDQEeE22BEBiJM5uw=",
-        "owner": "mjallen18",
-        "repo": "snowfall-lib",
-        "rev": "342561701e62e4b57ffb4d52496d16743e16662f",
-        "type": "github"
+        "lastModified": 1774473056,
+        "narHash": "sha256-JeIOcQt7ctjOYxgy4+7ayDmHesHuPaFgbQ1WpcUrm/w=",
+        "path": "/home/admin/dev/snowfall-lib",
+        "type": "path"
       },
       "original": {
-        "owner": "mjallen18",
-        "repo": "snowfall-lib",
-        "type": "github"
+        "path": "/home/admin/dev/snowfall-lib",
+        "type": "path"
       }
     },
     "sops-nix": {
diff --git a/flake.nix b/flake.nix
index 15e0561..df236e0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -23,7 +23,7 @@
     # The name "snowfall-lib" is required due to how Snowfall Lib processes your
     # flake's inputs. Using a personal fork for custom changes.
     snowfall-lib = {
-      url = "github:mjallen18/snowfall-lib";
+      url = "path:/home/admin/dev/snowfall-lib";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
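Review bot: Excluding `secrets/.*\.key$` from pre-commit-hook-ensure-sops removes the only check that a file under secrets/ is sops-encrypted, so a plaintext private key committed with that suffix would now pass the hook silently. If these `.key` files are not sops-managed (the sibling `.jwe` exclusion suggests a separate encryption path), pair the exclusion with a guard that rejects raw key material, e.g. enable the `detect-private-key` hook from the same hooks set, or narrow the pattern to the exact filenames involved rather than the whole suffix. The hooks attrset continues outside the hunk.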
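Review bot: `url = "path:/home/admin/dev/snowfall-lib";` pins a flake input to a checkout on one machine, and the matching flake.lock entry switches to `"type": "path"`, so the flake no longer evaluates for anyone (or any CI) without that directory and the lock no longer references a reviewable upstream rev. This looks like a local development override that was committed by accident; keep `url = "github:mjallen18/snowfall-lib";` and iterate locally with `nix build --override-input snowfall-lib path:/home/admin/dev/snowfall-lib`, or push the fork changes and commit the resulting github rev instead.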
@@ -150,8 +150,10 @@
       ];
       modules.home = with inputs; [
-        nix-index-database.homeManagerModules.nix-index
+        nix-index-database.homeModules.nix-index
         steam-rom-manager.homeManagerModules.default
+        sops-nix.homeManagerModules.sops
+        stylix.homeModules.stylix
       ];
 
       # common darwin modules
diff --git a/homes/x86_64-linux/admin@jallen-nas/default.nix b/homes/x86_64-linux/admin@jallen-nas/default.nix
index 656ea44..55bab1f 100755
--- a/homes/x86_64-linux/admin@jallen-nas/default.nix
+++ b/homes/x86_64-linux/admin@jallen-nas/default.nix
@@ -1,6 +1,5 @@
 {
   pkgs,
-  config,
   lib,
   inputs,
   namespace,
diff --git a/lib/versioning/default.nix b/lib/versioning/default.nix
index 700199a..1a46ae6 100644
--- a/lib/versioning/default.nix
+++ b/lib/versioning/default.nix
@@ -1,11 +1,6 @@
 {
   lib,
-  inputs,
-  system ? "aarch64-linux",
 }:
-let
-  pkgs = inputs.nixpkgs.legacyPackages.${system};
-in
 let
   inherit (builtins)
     isAttrs
@@ -146,10 +141,6 @@ let
   # fetcher == "none": pass-through (e.g., linux version/hash consumed by custom logic)
   comp;
 
-  # Build a single src from a rendered component spec using the default (lib-level) pkgs.
-  # Deprecated: prefer mkSrcFromRendered' with an explicit pkgs argument.
-  mkSrcFromRendered = mkSrcFromRendered' pkgs;
-
 in
 rec {
   /*
diff --git a/modules/darwin/programs/ssh/default.nix b/modules/darwin/programs/ssh/default.nix
index e9ee118..8b3ac89 100644
--- a/modules/darwin/programs/ssh/default.nix
+++ b/modules/darwin/programs/ssh/default.nix
@@ -1,5 +1,4 @@
-{ ... }:
-{
+_: {
   config = {
     programs.ssh.knownHosts = {
       desktop = {
diff --git a/modules/home/gpg/default.nix b/modules/home/gpg/default.nix
index 1e53e59..82aa904 100644
--- a/modules/home/gpg/default.nix
+++ b/modules/home/gpg/default.nix
@@ -1,5 +1,4 @@
-{ ... }:
-{
+_: {
   programs = {
     gpg = {
       enable = true;
diff --git a/modules/home/home/default.nix b/modules/home/home/default.nix
index 72be2ae..bb2945c 100644
--- a/modules/home/home/default.nix
+++ b/modules/home/home/default.nix
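Review bot: The argument pattern at the top of lib/versioning/default.nix is now `{ lib, }:` with no `...`, so if the loader still passes the `inputs` or `system` attrs that were just removed (the old signature suggests it did), evaluation fails with an unexpected-argument error; `{ lib, ... }:` keeps the removal safe either way. Removing `mkSrcFromRendered` in the second hunk is also a breaking API change despite the deprecation note — any caller outside this diff must move to `mkSrcFromRendered'` with an explicit pkgs, and nothing in the diff shows that was checked. A `git grep mkSrcFromRendered` before merge would confirm no callers remain; the `rec { … }` body continues outside the hunk.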
@@ -4,12 +4,10 @@
   pkgs,
   namespace,
   hasDestopEnvironment ? true,
-  system,
   ...
 }:
 let
   inherit (lib.${namespace}) enabled;
-  isArm = ("aarch64-linux" == system) || ("aarch64-darwin" == system);
   # Non-login / system accounts (root, nixos installer, etc.) should not get
   # desktop packages, tmux, nh, kdeconnect, nextcloud-client, etc.
   # Detect them by username so individual host home files are not needed.
diff --git a/modules/home/programs/code/default.nix b/modules/home/programs/code/default.nix
index c2373c4..db0c1ec 100644
--- a/modules/home/programs/code/default.nix
+++ b/modules/home/programs/code/default.nix
@@ -2,7 +2,6 @@
   config,
   pkgs,
   system,
-  namespace,
   hasDestopEnvironment ? true,
   ...
 }:
diff --git a/modules/home/programs/update-checker/default.nix b/modules/home/programs/update-checker/default.nix
index 119e4b6..07fbb5e 100644
--- a/modules/home/programs/update-checker/default.nix
+++ b/modules/home/programs/update-checker/default.nix
@@ -1,6 +1,5 @@
 {
   config,
-  namespace,
   pkgs,
   ...
 }:
diff --git a/modules/nixos/hardware/raspberry-pi/audio.nix b/modules/nixos/hardware/raspberry-pi/audio.nix
index daab7f0..5f5d943 100644
--- a/modules/nixos/hardware/raspberry-pi/audio.nix
+++ b/modules/nixos/hardware/raspberry-pi/audio.nix
@@ -16,27 +16,25 @@ in
   config = lib.mkIf cfg.enable {
     hardware.deviceTree = {
-      overlays =
-        [ ]
-        ++ (
-          with pkgs.${namespace};
-          (
-            if (variant == "5") then
-              [
-                {
-                  name = "pisound-pi5-overlay";
-                  dtsFile = "${raspberrypi-overlays}/dtbs/raspberrypi-overlays/pisound-pi5-overlay.dts";
-                }
-              ]
-            else
-              [
-                {
-                  name = "pisound-overlay";
-                  dtsFile = "${raspberrypi-overlays}/dtbs/raspberrypi-overlays/pisound-overlay.dts";
-                }
-              ]
-          )
-        );
+      overlays = (
+        with pkgs.${namespace};
+        (
+          if (variant == "5") then
+            [
+              {
+                name = "pisound-pi5-overlay";
+                dtsFile = "${raspberrypi-overlays}/dtbs/raspberrypi-overlays/pisound-pi5-overlay.dts";
+              }
+            ]
+          else
+            [
+              {
+                name = "pisound-overlay";
+                dtsFile = "${raspberrypi-overlays}/dtbs/raspberrypi-overlays/pisound-overlay.dts";
+              }
+            ]
+        )
+      );
     };
   };
 }
diff --git a/modules/nixos/hardware/raspberry-pi/bluetooth.nix b/modules/nixos/hardware/raspberry-pi/bluetooth.nix
index e93d1eb..a44df7d 100644
--- a/modules/nixos/hardware/raspberry-pi/bluetooth.nix
+++ b/modules/nixos/hardware/raspberry-pi/bluetooth.nix
@@ -16,28 +16,26 @@ in
   config = lib.mkIf cfg.enable {
     hardware.deviceTree = {
-      overlays =
-        [ ]
-        ++ (
-          if (variant == "5") then
-            [
-              {
-                name = "disable-bt-pi5-overlay";
-                dtsFile = "${
-                  pkgs.${namespace}.raspberrypi-overlays
-                }/dtbs/raspberrypi-overlays/disable-bt-pi5-overlay.dts";
-              }
-            ]
-          else
-            [
-              {
-                name = "disable-bt-overlay";
-                dtsFile = "${
-                  pkgs.${namespace}.raspberrypi-overlays
-                }/dtbs/raspberrypi-overlays/disable-bt-overlay.dts";
-              }
-            ]
-        );
+      overlays = (
+        if (variant == "5") then
+          [
+            {
+              name = "disable-bt-pi5-overlay";
+              dtsFile = "${
+                pkgs.${namespace}.raspberrypi-overlays
+              }/dtbs/raspberrypi-overlays/disable-bt-pi5-overlay.dts";
+            }
+          ]
+        else
+          [
+            {
+              name = "disable-bt-overlay";
+              dtsFile = "${
+                pkgs.${namespace}.raspberrypi-overlays
+              }/dtbs/raspberrypi-overlays/disable-bt-overlay.dts";
+            }
+          ]
+      );
     };
   };
 }
diff --git a/modules/nixos/hardware/raspberry-pi/config.nix b/modules/nixos/hardware/raspberry-pi/config.nix
index ac4aa54..093ebe5 100644
--- a/modules/nixos/hardware/raspberry-pi/config.nix
+++ b/modules/nixos/hardware/raspberry-pi/config.nix
@@ -19,7 +19,7 @@ let
   render-kvs =
     kvs:
     let
-      render-kv = k: v: if isNull v.value then k else "${k}=${toString v.value}";
+      render-kv = k: v: if v.value == null then k else "${k}=${toString v.value}";
     in
     lib.attrsets.mapAttrsToList render-kv (lib.filterAttrs (_k: v: v.enable) kvs);
 
diff --git a/modules/nixos/hardware/raspberry-pi/default.nix b/modules/nixos/hardware/raspberry-pi/default.nix
index 21e8088..0e787c6 100644
--- a/modules/nixos/hardware/raspberry-pi/default.nix
+++ b/modules/nixos/hardware/raspberry-pi/default.nix
@@ -451,8 +451,7 @@ in
   };
 
   nixpkgs.overlays =
-    [ ]
-    ++ (
+    (
       if cfg.variant == "5" then
         [
           (_final: prev: {
@@ -465,7 +464,7 @@ in
           let
             pageSizeFlag = "--with-lg-page";
           in
-          (prev.lib.filter (flag: prev.lib.hasPrefix pageSizeFlag flag == false) old.configureFlags)
+          (prev.lib.filter (flag: !(prev.lib.hasPrefix pageSizeFlag flag)) old.configureFlags)
           ++ [ "${pageSizeFlag}=14" ];
         });
       })
diff --git a/modules/nixos/hardware/raspberry-pi/modesetting.nix b/modules/nixos/hardware/raspberry-pi/modesetting.nix
index 3bc4a88..da3866f 100644
--- a/modules/nixos/hardware/raspberry-pi/modesetting.nix
+++ b/modules/nixos/hardware/raspberry-pi/modesetting.nix
@@ -16,28 +16,26 @@ in
   config = lib.mkIf cfg.enable {
     hardware.deviceTree = {
-      overlays =
-        [ ]
-        ++ (
-          if (variant == "5") then
-            [
-              {
-                name = "vc4-kms-v3d-pi5-overlay";
-                dtsFile = "${
-                  pkgs.${namespace}.raspberrypi-overlays
-                }/dtbs/raspberrypi-overlays/vc4-kms-v3d-pi5-overlay.dts";
-              }
-            ]
-          else
-            [
-              {
-                name = "vc4-fkms-v3d-pi4-overlay";
-                dtsFile = "${
-                  pkgs.${namespace}.raspberrypi-overlays
-                }/dtbs/raspberrypi-overlays/vc4-fkms-v3d-pi4-overlay.dts";
-              }
-            ]
-        );
+      overlays = (
+        if (variant == "5") then
+          [
+            {
+              name = "vc4-kms-v3d-pi5-overlay";
+              dtsFile = "${
+                pkgs.${namespace}.raspberrypi-overlays
+              }/dtbs/raspberrypi-overlays/vc4-kms-v3d-pi5-overlay.dts";
+            }
+          ]
+        else
+          [
+            {
+              name = "vc4-fkms-v3d-pi4-overlay";
+              dtsFile = "${
+                pkgs.${namespace}.raspberrypi-overlays
+              }/dtbs/raspberrypi-overlays/vc4-fkms-v3d-pi4-overlay.dts";
+            }
+          ]
+      );
     };
   };
 }
diff --git a/modules/nixos/hardware/raspberry-pi/wifi.nix b/modules/nixos/hardware/raspberry-pi/wifi.nix
index fa20a87..d591696 100644
--- a/modules/nixos/hardware/raspberry-pi/wifi.nix
+++ b/modules/nixos/hardware/raspberry-pi/wifi.nix
@@ -16,32 +16,30 @@ in
   config = lib.mkIf cfg.enable {
     hardware.deviceTree = {
-      overlays =
-        [ ]
-        ++ (
-          if (variant == "5") then
-            [
-              {
-                name = "disable-wifi-pi5-overlay";
-                dtsFile = "${
-                  pkgs.${namespace}.raspberrypi-overlays
-                }/dtbs/raspberrypi-overlays/disable-wifi-pi5-overlay.dts";
-              }
-            ]
-          else
-            [
-              {
-                name = "disable-wifi-overlay";
-                dtsFile = "${
-                  pkgs.${namespace}.raspberrypi-overlays
-                }/dtbs/raspberrypi-overlays/disable-wifi-overlay.dts";
-              }
-              {
-                name = "wifimac-overlay";
-                dtsFile = "${pkgs.${namespace}.raspberrypi-overlays}/dtbs/raspberrypi-overlays/wifimac-overlay.dts";
-              }
-            ]
-        );
+      overlays = (
+        if (variant == "5") then
+          [
+            {
+              name = "disable-wifi-pi5-overlay";
+              dtsFile = "${
+                pkgs.${namespace}.raspberrypi-overlays
+              }/dtbs/raspberrypi-overlays/disable-wifi-pi5-overlay.dts";
+            }
+          ]
+        else
+          [
+            {
+              name = "disable-wifi-overlay";
+              dtsFile = "${
+                pkgs.${namespace}.raspberrypi-overlays
+              }/dtbs/raspberrypi-overlays/disable-wifi-overlay.dts";
+            }
+            {
+              name = "wifimac-overlay";
+              dtsFile = "${pkgs.${namespace}.raspberrypi-overlays}/dtbs/raspberrypi-overlays/wifimac-overlay.dts";
+            }
+          ]
+      );
     };
   };
 }
diff --git a/modules/nixos/homeassistant/dashboards/default.nix b/modules/nixos/homeassistant/dashboards/default.nix
index b236c01..949e0ee 100644
--- a/modules/nixos/homeassistant/dashboards/default.nix
+++ b/modules/nixos/homeassistant/dashboards/default.nix
@@ -11,15 +11,9 @@ in
   imports = [ ./options.nix ];
 
   config = lib.mkIf (cfg.enable && cfg.dashboards != [ ]) {
-    ${namespace}.home.file = lib.genAttrs cfg.dashboards (
-      dashboard:
-      let
-        dashboardFile = "homeassistant/lovelace/${dashboard.title}.yaml";
-      in
-      {
-        text = lib.generators.toYAML { } dashboard;
-        force = true;
-      }
-    );
+    ${namespace}.home.file = lib.genAttrs cfg.dashboards (dashboard: {
+      text = lib.generators.toYAML { } dashboard;
+      force = true;
+    });
   };
 }
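Review bot: `lib.genAttrs cfg.dashboards (dashboard: { … })` uses each element of `cfg.dashboards` directly as an attribute name of `${namespace}.home.file`, which only works if the elements are strings — yet the removed `dashboardFile = "homeassistant/lovelace/${dashboard.title}.yaml"` and the `lib.generators.toYAML { } dashboard` body indicate they are attrsets, in which case evaluation fails on a non-string attribute name. That was already true before this commit, but the rewrite drops the unused binding that recorded the intended target path, so the bug is now harder to spot. Building the set with `listToAttrs` gives both the right key and the YAML body; the exact element shape should be confirmed against ./options.nix, which is outside the diff.
```nix
    ${namespace}.home.file = lib.listToAttrs (
      map (dashboard: {
        name = "homeassistant/lovelace/${dashboard.title}.yaml";
        value = {
          text = lib.generators.toYAML { } dashboard;
          force = true;
        };
      }) cfg.dashboards
    );
```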
diff --git a/modules/nixos/services/crowdsec/default.nix b/modules/nixos/services/crowdsec/default.nix
index 8d4d7e6..1197057 100755
--- a/modules/nixos/services/crowdsec/default.nix
+++ b/modules/nixos/services/crowdsec/default.nix
@@ -10,9 +10,6 @@ let
   name = "crowdsec";
   cfg = config.${namespace}.services.${name};
 
-  ntfyServer = "https://ntfy.mjallen.dev";
-  ntfyTopic = "crowdsec";
-
   # Build the notification-http plugin binary from the crowdsec source.
   # The nixpkgs crowdsec package omits all notification plugin binaries;
   # we build just the http one we need.
@@ -223,30 +220,61 @@ let
       # a nix store path via -c and never creates that file. Expose the full
       # NixOS-generated config (which includes plugin_config via
       # settings.general.plugin_config) at the well-known path.
-      environment.etc."crowdsec/config.yaml" =
-        let
-          execStart = builtins.elemAt config.systemd.services.crowdsec.serviceConfig.ExecStart 1;
-          configPath = builtins.head (builtins.match ".* -c ([^ ]+) .*" execStart);
-        in
-        {
-          source = configPath;
-          mode = "0440";
+      environment.etc = {
+        "crowdsec/config.yaml" =
+          let
+            execStart = builtins.elemAt config.systemd.services.crowdsec.serviceConfig.ExecStart 1;
+            configPath = builtins.head (builtins.match ".* -c ([^ ]+) .*" execStart);
+          in
+          {
+            source = configPath;
+            mode = "0440";
+            user = "crowdsec";
+            group = "crowdsec";
+          };
+
+        # ---------------------------------------------------------------------------
+        # ntfy notifications via the CrowdSec HTTP notification plugin
+        # ---------------------------------------------------------------------------
+
+        # Place the notification-http binary at the path the NixOS crowdsec module
+        # hardcodes for plugin_dir (/etc/crowdsec/plugins/). CrowdSec matches
+        # plugins by their filename — it expects "notification-http" for type=http.
+        "crowdsec/plugins/notification-http" = lib.mkIf cfg.ntfy.enable {
+          source = "${crowdsecHttpPlugin}/bin/notification-http";
+          mode = "0550";
           user = "crowdsec";
           group = "crowdsec";
         };
 
-      # ---------------------------------------------------------------------------
-      # ntfy notifications via the CrowdSec HTTP notification plugin
-      # ---------------------------------------------------------------------------
-
-      # Place the notification-http binary at the path the NixOS crowdsec module
-      # hardcodes for plugin_dir (/etc/crowdsec/plugins/). CrowdSec matches
-      # plugins by their filename — it expects "notification-http" for type=http.
-      environment.etc."crowdsec/plugins/notification-http" = lib.mkIf cfg.ntfy.enable {
-        source = "${crowdsecHttpPlugin}/bin/notification-http";
-        mode = "0550";
-        user = "crowdsec";
-        group = "crowdsec";
+        # CrowdSec profiles.yaml: route every alert to the ntfy plugin.
+        # This replaces the default "do nothing" profile.
+        "crowdsec/profiles.yaml" = lib.mkIf cfg.ntfy.enable {
+          text = ''
+            name: default_ip_remediation
+            filters:
+              - Alert.Remediation == true && Alert.GetScope() == "Ip"
+            decisions:
+              - type: ban
+                duration: 4h
+            notifications:
+              - ntfy_plugin
+            on_success: break
+            ---
+            name: default_range_remediation
+            filters:
+              - Alert.Remediation == true && Alert.GetScope() == "Range"
+            decisions:
+              - type: ban
+                duration: 4h
+            notifications:
+              - ntfy_plugin
+            on_success: break
+          '';
+          mode = "0440";
+          user = "crowdsec";
+          group = "crowdsec";
+        };
       };
 
       # The ntfy plugin config YAML (with credentials baked in) is managed as a
@@ -260,35 +288,6 @@ let
         }"
       ];
 
-      # CrowdSec profiles.yaml: route every alert to the ntfy plugin.
-      # This replaces the default "do nothing" profile.
-      environment.etc."crowdsec/profiles.yaml" = lib.mkIf cfg.ntfy.enable {
-        text = ''
-          name: default_ip_remediation
-          filters:
-            - Alert.Remediation == true && Alert.GetScope() == "Ip"
-          decisions:
-            - type: ban
-              duration: 4h
-          notifications:
-            - ntfy_plugin
-          on_success: break
-          ---
-          name: default_range_remediation
-          filters:
-            - Alert.Remediation == true && Alert.GetScope() == "Range"
-          decisions:
-            - type: ban
-              duration: 4h
-          notifications:
-            - ntfy_plugin
-          on_success: break
-        '';
-        mode = "0440";
-        user = "crowdsec";
-        group = "crowdsec";
-      };
-
     };
   };
 in
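Review bot: The comment above `"crowdsec/profiles.yaml"` says it routes every alert to the ntfy plugin, but both profiles filter on `Alert.Remediation == true` with an Ip or Range scope, so alerts without a remediation (or with any other scope) never reach `ntfy_plugin` and get no decision either; either reword the comment to `# Route every remediable Ip/Range alert to the ntfy plugin and ban it for 4h.` or append a catch-all profile with no `decisions:` so the remaining alerts are at least notified. Separately, the `"crowdsec/config.yaml"` entry still derives its source from `builtins.match ".* -c ([^ ]+) .*" execStart`, which yields null when the ExecStart line carries no `-c` argument and then makes `builtins.head` fail with an opaque type error; a guard such as `configPath = let m = builtins.match ".* -c ([^ ]+) .*" execStart; in if m == null then throw "crowdsec: no -c <config> found in ExecStart" else builtins.head m;` turns that into a diagnosable failure. The enclosing module body continues outside the hunk.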
@@ -17,12 +17,12 @@ let
   sops = {
     secrets = {
       "jallen-nas/matrix/client-id" = {
-        sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
+        sopsFile = lib.snowfall.fs.get-file "secrets/nas-secrets.yaml";
         owner = "matrix-synapse";
         group = "matrix-synapse";
       };
       "jallen-nas/matrix/client-secret" = {
-        sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
+        sopsFile = lib.snowfall.fs.get-file "secrets/nas-secrets.yaml";
         owner = "matrix-synapse";
         group = "matrix-synapse";
       };
@@ -72,7 +72,7 @@ let
 
     listeners = [
       {
-        port = cfg.port;
+        inherit (cfg) port;
         tls = false;
         x_forwarded = true;
         bind_addresses = [
diff --git a/modules/nixos/services/sparky-fitness/default.nix b/modules/nixos/services/sparky-fitness/default.nix
index de07074..4dd18b8 100644
--- a/modules/nixos/services/sparky-fitness/default.nix
+++ b/modules/nixos/services/sparky-fitness/default.nix
@@ -9,7 +9,6 @@ let
   serverName = "sparky-fitness-server";
   frontendName = "sparky-fitness";
-  dbName = "sparky-fitness-db";
 
   serverCfg = config.${namespace}.services.${serverName};
   frontendCfg = config.${namespace}.services.${frontendName};
 
diff --git a/packages/cockpit-podman/default.nix b/packages/cockpit-podman/default.nix
index f2f4ea9..105faca 100644
--- a/packages/cockpit-podman/default.nix
+++ b/packages/cockpit-podman/default.nix
@@ -1,5 +1,4 @@
 {
-  fetchFromGitHub,
   lib,
   namespace,
   nodejs,
diff --git a/packages/system/nebula-sign-cert/default.nix b/packages/system/nebula-sign-cert/default.nix
index 915c413..8622321 100644
--- a/packages/system/nebula-sign-cert/default.nix
+++ b/packages/system/nebula-sign-cert/default.nix
@@ -1,5 +1,4 @@
 {
-  lib,
   writeShellApplication,
   nebula,
   sops,
diff --git a/packages/system/open-remote-ssh/default.nix b/packages/system/open-remote-ssh/default.nix
index 396cbf7..6e49a37 100644
--- a/packages/system/open-remote-ssh/default.nix
+++ b/packages/system/open-remote-ssh/default.nix
@@ -16,12 +16,10 @@ let
 in
 vscode-utils.buildVscodeMarketplaceExtension {
   mktplcRef = {
-    name = vars.name;
-    publisher = vars.publisher;
-    version = vars.version;
+    inherit (vars) name publisher version;
   };
 
-  vsix = sources.vsix;
+  inherit (sources) vsix;
 
   unpackPhase = ''
     ${lib.getExe pkgs.unzip} -q $src
diff --git a/statix.toml b/statix.toml
new file mode 100644
index 0000000..2d96e39
--- /dev/null
+++ b/statix.toml
@@ -0,0 +1,25 @@
+# Disable lint rules that generate excessive false-positives or noise.
+#
+# manual_inherit / manual_inherit_from: very high volume of style suggestions.
+# useless_parens: many intentional parentheses for readability.
+# empty_pattern: { ... }: is a valid and readable no-arg pattern.
+# unquoted_uri: false-positives inside shell heredocs in Nix strings.
+# useless_has_attr: if/has-attr patterns are sometimes clearer.
+# repeated_keys: intentionally split across sections for readability/context.
+disabled = [
+  "manual_inherit",
+  "manual_inherit_from",
+  "useless_parens",
+  "empty_pattern",
+  "unquoted_uri",
+  "useless_has_attr",
+  "repeated_keys",
+]
+
+# Exclude files where statix's parser fails on complex shell-in-Nix content.
+ignore = [
+  "modules/home/programs/update-checker/default.nix",
+  "modules/home/programs/waybar/scripts/weather.nix",
+  "modules/home/programs/waybar/scripts/media.nix",
+  "qemu.nix",
+]
diff --git a/systems/aarch64-linux/macbook-pro-nixos/filesystems.nix b/systems/aarch64-linux/macbook-pro-nixos/filesystems.nix
index a3954f4..c59cfc0 100644
--- a/systems/aarch64-linux/macbook-pro-nixos/filesystems.nix
+++ b/systems/aarch64-linux/macbook-pro-nixos/filesystems.nix
@@ -1,4 +1,4 @@
-{ ... }:
+_:
 let
   defaultNetworkShareOptions = [
     "sec=none"
diff --git a/systems/x86_64-linux/jallen-nas/services.nix b/systems/x86_64-linux/jallen-nas/services.nix
index 3faba80..79ff22e 100755
--- a/systems/x86_64-linux/jallen-nas/services.nix
+++ b/systems/x86_64-linux/jallen-nas/services.nix
@@ -7,12 +7,31 @@ let
   nasData = "/media/nas/main";
 in
 {
-  systemd.network.wait-online.enable = false;
-  # Force tailscaled to use nftables (Critical for clean nftables-only systems)
-  # This avoids the "iptables-compat" translation layer issues.
-  systemd.services.tailscaled.serviceConfig.Environment = [
-    "TS_DEBUG_FIREWALL_MODE=nftables"
-  ];
+  systemd = {
+    network.wait-online.enable = false;
+    services = {
+      # Force tailscaled to use nftables (Critical for clean nftables-only systems)
+      # This avoids the "iptables-compat" translation layer issues.
+      tailscaled.serviceConfig.Environment = [
+        "TS_DEBUG_FIREWALL_MODE=nftables"
+      ];
+      # Pre-create extensions and grant superuser-owned objects that the sparkyfitness
+      # role cannot manage itself. Appended to postgresql-setup.service which already
+      # runs as the postgres superuser after the DB is confirmed ready.
+      #
+      # 1. pg_stat_statements requires superuser to CREATE EXTENSION.
+      # 2. The extension installs functions owned by the postgres superuser; the
+      #    sparkyfitness role cannot GRANT EXECUTE on objects it doesn't own, so we
+      #    pre-grant them here before the app's grantPermissions() runs.
+      postgresql-setup.script = lib.mkAfter ''
+        psql -d sparkyfitness -c "
+          CREATE EXTENSION IF NOT EXISTS pg_stat_statements;
+          GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO sparkyfitness;
+          GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA pg_catalog TO sparkyfitness;
+        "
+      '';
+    };
+  };
 
   networking.nftables.enable = true;
   boot.initrd.systemd.network.wait-online.enable = false;
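Review bot: `GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA pg_catalog TO sparkyfitness;` hands the application role every catalog function whose EXECUTE is normally revoked from PUBLIC, which on current PostgreSQL includes the server-side file functions (pg_read_file, pg_read_binary_file, pg_ls_dir, lo_import/lo_export), so a SQL injection or leaked app credential would read and write files on the host as the postgres OS user. The stated goal — letting the app call the pg_stat_statements functions — is already met by the preceding `GRANT … IN SCHEMA public`, since the extension installs into `public` here, so the pg_catalog line can simply be dropped; if the app must also reset statistics, `GRANT EXECUTE ON FUNCTION pg_stat_statements_reset() TO sparkyfitness;` is the narrow form. Also worth a comment: `ALL FUNCTIONS IN SCHEMA public` covers only functions that exist when postgresql-setup runs, not anything the app creates afterwards.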
@@ -168,19 +187,4 @@ in
   };
 
-  # Pre-create extensions and grant superuser-owned objects that the sparkyfitness
-  # role cannot manage itself. Appended to postgresql-setup.service which already
-  # runs as the postgres superuser after the DB is confirmed ready.
-  #
-  # 1. pg_stat_statements requires superuser to CREATE EXTENSION.
-  # 2. The extension installs functions owned by the postgres superuser; the
-  #    sparkyfitness role cannot GRANT EXECUTE on objects it doesn't own, so we
-  #    pre-grant them here before the app's grantPermissions() runs.
-  systemd.services.postgresql-setup.script = lib.mkAfter ''
-    psql -d sparkyfitness -c "
-      CREATE EXTENSION IF NOT EXISTS pg_stat_statements;
-      GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO sparkyfitness;
-      GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA pg_catalog TO sparkyfitness;
-    "
-  '';
 
 }
diff --git a/systems/x86_64-linux/matt-nixos/sops.nix b/systems/x86_64-linux/matt-nixos/sops.nix
index b8f8ce5..2f520ea 100755
--- a/systems/x86_64-linux/matt-nixos/sops.nix
+++ b/systems/x86_64-linux/matt-nixos/sops.nix
@@ -6,7 +6,7 @@
 }:
 let
   user = config.${namespace}.user.name;
-  desktopSopsFile = (lib.snowfall.fs.get-file "secrets/desktop-secrets.yaml");
+  desktopSopsFile = lib.snowfall.fs.get-file "secrets/desktop-secrets.yaml";
 in
 {
   # Permission modes are in octal representation (same as chmod),
@@ -32,7 +32,7 @@ in
       neededForUsers = true;
       mode = "0600";
       owner = config.users.users."${user}".name;
-      group = config.users.users."${user}".group;
+      inherit (config.users.users."${user}") group;
     };
 
     "desktop/hass_token" = {
@@ -65,13 +65,13 @@ in
     "ssh-keys-public/desktop-nixos" = {
       mode = "0644";
       owner = config.users.users."${user}".name;
-      group = config.users.users."${user}".group;
+      inherit (config.users.users."${user}") group;
       restartUnits = [ "sshd.service" ];
     };
     "ssh-keys-private/desktop-nixos" = {
       mode = "0600";
       owner = config.users.users."${user}".name;
-      group = config.users.users."${user}".group;
+      inherit (config.users.users."${user}") group;
       restartUnits = [ "sshd.service" ];
     };
     "ssh-keys-public/desktop-nixos-root" = {
diff --git a/treefmt.nix b/treefmt.nix
index 552bf15..7ff19be 100644
--- a/treefmt.nix
+++ b/treefmt.nix
@@ -37,7 +37,10 @@
     statix.enable = false;
     stylua.enable = false;
     taplo.enable = false;
-    yamlfmt.enable = true;
+    yamlfmt = {
+      enable = true;
+      excludes = [ "secrets/*.yaml" ];
+    };
   };
 
   settings = {