chore: new tailscale system tray, fix warnings

2025-03-15 19:15:46 +01:00 · 2025-03-15 19:15:46 +01:00 · f4dd2fb01a
commit f4dd2fb01a
parent 77bf1ebd43
5 changed files with 31 additions and 22 deletions
--- a/home/graphical/vscode/default.nix
+++ b/home/graphical/vscode/default.nix
@ -12,23 +12,18 @@ in
  config = mkIf cfg.enable {
    programs.vscode = {
      package = pkgs.vscode;
-      enableUpdateCheck = false;
-      extensions = with pkgs.vscode-extensions; [
-        rust-lang.rust-analyzer
-        ms-vscode-remote.remote-ssh
-        ms-vscode-remote.remote-ssh-edit
-        tamasfe.even-better-toml
-      ];
-      userSettings = {
-        editor.formatOnSave = true;
-        terminal.integrated.inheritEnv = false;
-        git.autofetch = true;
-        remote.SSH = {
-          connectTimeout = 60;
-          useLocalServer = true;
-          remotePlatform = {
-            "192.168.122.152" = "linux";
-          };
+      default = {
+        enableUpdateCheck = false;
+        extensions = with pkgs.vscode-extensions; [
+          rust-lang.rust-analyzer
+          ms-vscode-remote.remote-ssh
+          ms-vscode-remote.remote-ssh-edit
+          tamasfe.even-better-toml
+        ];
+        userSettings = {
+          editor.formatOnSave = true;
+          terminal.integrated.inheritEnv = false;
+          git.autofetch = true;
        };
      };
    };
--- a/home/terminal/git/default.nix
+++ b/home/terminal/git/default.nix
@ -16,7 +16,7 @@
        editor = "${pkgs.neovim}/bin/nvim";
      };
      init = {
-        defaultBranch = "master";
+        defaultBranch = "main";
      };
      merge = {
        conflictstyle = "diff3";
--- a/options/services/nysh.nix
+++ b/options/services/nysh.nix
@ -33,7 +33,6 @@ in
        Type = "simple";
        ExecStart = "/bin/sh -lc ${cfg.package}/bin/nysh";
        Restart = "on-failure";
-
        NoNewPrivileges = true;
      };
    };
--- a/options/services/tailscale.nix
+++ b/options/services/tailscale.nix
@ -18,6 +18,7 @@ let
    enum
    bool
    ;
+  inherit (lib.my) getExe;
  cfg = config.modules.services.tailscale;
 in
 {
@ -86,14 +87,29 @@ in
      description = "tailscale system tray";
      wantedBy = [ "graphical-session.target" ];
      after = [ "graphical-session.target" ];
-      path = [ pkgs.polkit ];
+      path = with pkgs; [
+        polkit
+        tailscale
+      ];
      serviceConfig = {
        Type = "simple";
-        ExecStart = "/bin/sh -lc ${pkgs.tailscale-systray}/bin/tailscale-systray";
+        ExecStart = getExe pkgs.tail-tray;
        Restart = "on-failure";
        RestartSec = 1;
        TimeoutStopSec = 10;
        IPAddressDeny = "any";
+        NoNewPrivileges = true;
+        ProtectClock = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap";
+        #  ProtectControlGroups = true;
+        #RestrictNamespaces = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
      };
    };
  };
--- a/users/ny/default.nix
+++ b/users/ny/default.nix
@ -26,7 +26,6 @@ in
    ]
    ++ (with pkgs; [
      keepassxc
-      digikam
      fragments
      element-desktop
      libreoffice