diff --git a/home/graphical/vscode/default.nix b/home/graphical/vscode/default.nix
index 219e80f..88c6714 100644
--- a/home/graphical/vscode/default.nix
+++ b/home/graphical/vscode/default.nix
@@ -12,23 +12,18 @@ in
config = mkIf cfg.enable {
programs.vscode = {
package = pkgs.vscode;
- enableUpdateCheck = false;
- extensions = with pkgs.vscode-extensions; [
- rust-lang.rust-analyzer
- ms-vscode-remote.remote-ssh
- ms-vscode-remote.remote-ssh-edit
- tamasfe.even-better-toml
- ];
- userSettings = {
- editor.formatOnSave = true;
- terminal.integrated.inheritEnv = false;
- git.autofetch = true;
- remote.SSH = {
- connectTimeout = 60;
- useLocalServer = true;
- remotePlatform = {
- "192.168.122.152" = "linux";
- };
+ profiles.default = {
+ enableUpdateCheck = false;
+ extensions = with pkgs.vscode-extensions; [
+ rust-lang.rust-analyzer
+ ms-vscode-remote.remote-ssh
+ ms-vscode-remote.remote-ssh-edit
+ tamasfe.even-better-toml
+ ];
+ userSettings = {
+ editor.formatOnSave = true;
+ terminal.integrated.inheritEnv = false;
+ git.autofetch = true;
};
};
};
diff --git a/home/terminal/git/default.nix b/home/terminal/git/default.nix
index 4530c33..4ee2724 100644
--- a/home/terminal/git/default.nix
+++ b/home/terminal/git/default.nix
@@ -16,7 +16,7 @@
editor = "${pkgs.neovim}/bin/nvim";
};
init = {
- defaultBranch = "master";
+ defaultBranch = "main";
};
merge = {
conflictstyle = "diff3";
diff --git a/options/services/nysh.nix b/options/services/nysh.nix
index abafc33..07c3c6c 100644
--- a/options/services/nysh.nix
+++ b/options/services/nysh.nix
@@ -33,7 +33,6 @@ in
Type = "simple";
ExecStart = "/bin/sh -lc ${cfg.package}/bin/nysh";
Restart = "on-failure";
-
NoNewPrivileges = true;
};
};
diff --git a/options/services/tailscale.nix b/options/services/tailscale.nix
index 33eb999..941c312 100644
--- a/options/services/tailscale.nix
+++ b/options/services/tailscale.nix
@@ -18,6 +18,7 @@ let
enum
bool
;
+ inherit (lib.my) getExe;
cfg = config.modules.services.tailscale;
in
{
@@ -86,14 +87,29 @@ in
description = "tailscale system tray";
wantedBy = [ "graphical-session.target" ];
after = [ "graphical-session.target" ];
- path = [ pkgs.polkit ];
+ path = with pkgs; [
+ polkit
+ tailscale
+ ];
serviceConfig = {
Type = "simple";
- ExecStart = "/bin/sh -lc ${pkgs.tailscale-systray}/bin/tailscale-systray";
+ ExecStart = getExe pkgs.tail-tray;
Restart = "on-failure";
RestartSec = 1;
TimeoutStopSec = 10;
IPAddressDeny = "any";
+ NoNewPrivileges = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap";
+ # ProtectControlGroups = true;
+ #RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
};
};
};
diff --git a/users/ny/default.nix b/users/ny/default.nix
index 0d5996a..d855773 100644
--- a/users/ny/default.nix
+++ b/users/ny/default.nix
@@ -26,7 +26,6 @@ in
]
++ (with pkgs; [
keepassxc
- digikam
fragments
element-desktop
libreoffice