fix: harden NixOS config and strip secrets from generated_home.nix

Co-authored-by: aider (openrouter/openai/gpt-5.2) <aider@aider.chat>

hosts/sam-4screen-desktop/configuration.nix

@@ -1,10 +1,15 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 
 {
   imports = [
     ./hardware-configuration.nix
   ];
 
+  # ---
+  # Nix (enable flakes on the installed system)
+  # ---
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
   # ---
   # Bootloader / kernel
   # ---
@@ -30,7 +35,7 @@
       id = "Wired connection 1";
       type = "802-3-ethernet";
       interface-name = "enp0s31f6";
-      autoconnect = true;
+      autoconnect = "true";
     };
 
     ethernet = { };
@@ -40,8 +45,8 @@
       addresses = [ "192.168.20.27/24" ];
       gateway = "192.168.20.1";
       dns = "192.168.20.35;192.168.20.13;";
-      ignore-auto-dns = true;
+      ignore-auto-dns = "true";
-      never-default = false;
+      never-default = "false";
     };
 
     ipv6 = {
@@ -52,10 +57,13 @@
   # ---
   # Users
   # ---
+  programs.zsh.enable = true;
+
   users.users.sam = {
     isNormalUser = true;
     description = "Sam";
     extraGroups = [ "wheel" "networkmanager" "docker" "video" "render" ];
+    shell = pkgs.zsh;
   };
 
   # ---
@@ -67,6 +75,20 @@
   # flip this to true.
   services.openssh.settings.PasswordAuthentication = false;
 
+  # ---
+  # dconf (helps portals/GTK apps)
+  # ---
+  programs.dconf.enable = true;
+
+  # ---
+  # OpenGL (important for NVIDIA Wayland apps)
+  # ---
+  hardware.opengl = {
+    enable = true;
+    driSupport = true;
+    driSupport32Bit = true;
+  };
+
   # ---
   # Audio (PipeWire)
   # ---
@@ -76,6 +98,7 @@
     pulse.enable = true;
     alsa.enable = true;
     alsa.support32Bit = true;
+    wireplumber.enable = true;
   };
 
   # ---
@@ -100,7 +123,10 @@
     settings = {
       default_session = {
         user = "greeter";
-        command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --remember --cmd 'niri --session'";
+        command =
+          "${pkgs.greetd.tuigreet}/bin/tuigreet --time --remember --cmd ${
+            lib.escapeShellArg "${pkgs.niri}/bin/niri --session"
+          }";
       };
     };
   };
@@ -126,6 +152,7 @@
   # ---
   services.xserver.videoDrivers = [ "nvidia" ];
   hardware.nvidia.modesetting.enable = true;
+  hardware.nvidia.nvidiaSettings = true;
 
   # ---
   # NixOS release compatibility

results/generated_home.nix

@@ -90,14 +90,18 @@
   # ---
   # 5. ENVIRONMENT & API KEYS
   # ---
-  # WARNING: Storing secrets in plain text is a security risk.
+  # SECURITY: Do NOT store secrets in git-tracked Nix files.
-  # Consider using a tool like sops-nix for production environments.
+  # Use a local-only file such as:
-  home.sessionVariables = {
+  #   ~/.config/environment.d/10-secrets.conf
-    OPENAI_API_KEY = "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";
+  # or adopt sops-nix / agenix later.
-    TAVILY_API_KEY = "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";
+  #
-    DEEPSEEK_API_KEY = "sk-26c66e4dd5b34017bd66f7aef748c625";
+  # Example (DO NOT COMMIT):
-  };
+  # home.sessionVariables = {
-
+  #   OPENAI_API_KEY = "…";
+  #   TAVILY_API_KEY = "…";
+  #   DEEPSEEK_API_KEY = "…";
+  # };
+  
   # Add custom binary paths to your environment
   home.sessionPath = [
     # For the 'opencode' CLI tool
@@ -117,4 +121,3 @@
   # This section is a placeholder for linking config files from a Git repo.
   # e.g., home.file.".config/nvim/init.vim".source = ./config/nvim/init.vim;
 }
-