fix: harden NixOS config and strip secrets from generated_home.nix

Co-authored-by: aider (openrouter/openai/gpt-5.2) <aider@aider.chat>
2026-02-08 13:58:05 +11:00
parent 45f457156a
commit 73bae4f9b9
2 changed files with 44 additions and 14 deletions
--- a/hosts/sam-4screen-desktop/configuration.nix
+++ b/hosts/sam-4screen-desktop/configuration.nix
@@ -1,10 +1,15 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:

 {
  imports = [
    ./hardware-configuration.nix
  ];

+  # ---
+  # Nix (enable flakes on the installed system)
+  # ---
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
  # ---
  # Bootloader / kernel
  # ---
@@ -30,7 +35,7 @@
      id = "Wired connection 1";
      type = "802-3-ethernet";
      interface-name = "enp0s31f6";
-      autoconnect = true;
+      autoconnect = "true";
    };

    ethernet = { };
@@ -40,8 +45,8 @@
      addresses = [ "192.168.20.27/24" ];
      gateway = "192.168.20.1";
      dns = "192.168.20.35;192.168.20.13;";
-      ignore-auto-dns = true;
-      never-default = false;
+      ignore-auto-dns = "true";
+      never-default = "false";
    };

    ipv6 = {
@@ -52,10 +57,13 @@
  # ---
  # Users
  # ---
+  programs.zsh.enable = true;
+
  users.users.sam = {
    isNormalUser = true;
    description = "Sam";
    extraGroups = [ "wheel" "networkmanager" "docker" "video" "render" ];
+    shell = pkgs.zsh;
  };

  # ---
@@ -67,6 +75,20 @@
  # flip this to true.
  services.openssh.settings.PasswordAuthentication = false;

+  # ---
+  # dconf (helps portals/GTK apps)
+  # ---
+  programs.dconf.enable = true;
+
+  # ---
+  # OpenGL (important for NVIDIA Wayland apps)
+  # ---
+  hardware.opengl = {
+    enable = true;
+    driSupport = true;
+    driSupport32Bit = true;
+  };
+
  # ---
  # Audio (PipeWire)
  # ---
@@ -76,6 +98,7 @@
    pulse.enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
+    wireplumber.enable = true;
  };

  # ---
@@ -100,7 +123,10 @@
    settings = {
      default_session = {
        user = "greeter";
-        command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --remember --cmd 'niri --session'";
+        command =
+          "${pkgs.greetd.tuigreet}/bin/tuigreet --time --remember --cmd ${
+            lib.escapeShellArg "${pkgs.niri}/bin/niri --session"
+          }";
      };
    };
  };
@@ -126,6 +152,7 @@
  # ---
  services.xserver.videoDrivers = [ "nvidia" ];
  hardware.nvidia.modesetting.enable = true;
+  hardware.nvidia.nvidiaSettings = true;

  # ---
  # NixOS release compatibility