chore: bump lock

flake.lock

@@ -52,11 +52,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1740485968,
+        "lastModified": 1741786315,
-        "narHash": "sha256-WK+PZHbfDjLyveXAxpnrfagiFgZWaTJglewBWniTn2Y=",
+        "narHash": "sha256-VT65AE2syHVj6v/DGB496bqBnu1PXrrzwlw07/Zpllc=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "19c1140419c4f1cdf88ad4c1cfb6605597628940",
+        "rev": "0d8c6ad4a43906d14abd5c60e0ffe7b587b213de",
         "type": "github"
       },
       "original": {
@@ -163,11 +163,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1740199244,
+        "lastModified": 1742070442,
-        "narHash": "sha256-BiNUbNWLcG8AuKiAZmJ8tS+fr+JO8vGwB7QQ54cezKk=",
+        "narHash": "sha256-xPDSLswRazXLlceqc2+VdbKKG2m/OXCjTzU9O/Bs4ZQ=",
         "owner": "feel-co",
         "repo": "hjem",
-        "rev": "829109220c14352990bee4cf092f4918f45fb6a1",
+        "rev": "ae49a5a2e013c710d2b2cf046ae365d08eae75b3",
         "type": "github"
       },
       "original": {
@@ -206,11 +206,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1741579508,
+        "lastModified": 1741955947,
-        "narHash": "sha256-skRbH+UF2ES+msEa+KWi7AQFX73S+QsGlPsyCU6XyE0=",
+        "narHash": "sha256-2lbURKclgKqBNm7hVRtWh0A7NrdsibD0EaWhahUVhhY=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "744f749dd6fbc1489591ea370b95156858629cb9",
+        "rev": "4e12151c9e014e2449e0beca2c0e9534b96a26b4",
         "type": "github"
       },
       "original": {
@@ -221,11 +221,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1741325094,
+        "lastModified": 1741792691,
-        "narHash": "sha256-RUAdT8dZ6k/486vnu3tiNRrNW6+Q8uSD2Mq7gTX4jlo=",
+        "narHash": "sha256-f0BVt1/cvA0DQ/q3rB+HY4g4tKksd03ZkzI4xehC2Ew=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "b48cc4dab0f9711af296fc367b6108cf7b8ccb16",
+        "rev": "e1f12151258b12c567f456d8248e4694e9390613",
         "type": "github"
       },
       "original": {
@@ -265,11 +265,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1741379970,
+        "lastModified": 1741851582,
-        "narHash": "sha256-Wh7esNh7G24qYleLvgOSY/7HlDUzWaL/n4qzlBePpiw=",
+        "narHash": "sha256-cPfs8qMccim2RBgtKGF+x9IBCduRvd/N5F4nYpU0TVE=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "36fd87baa9083f34f7f5027900b62ee6d09b1f2f",
+        "rev": "6607cf789e541e7873d40d3a8f7815ea92204f32",
         "type": "github"
       },
       "original": {

home/graphical/vscode/default.nix

@@ -12,6 +12,7 @@ in
   config = mkIf cfg.enable {
     programs.vscode = {
       package = pkgs.vscode;
+      profiles.default = {
         enableUpdateCheck = false;
         extensions = with pkgs.vscode-extensions; [
           rust-lang.rust-analyzer
@@ -23,12 +24,6 @@ in
           editor.formatOnSave = true;
           terminal.integrated.inheritEnv = false;
           git.autofetch = true;
-        remote.SSH = {
-          connectTimeout = 60;
-          useLocalServer = true;
-          remotePlatform = {
-            "192.168.122.152" = "linux";
-          };
         };
       };
     };

home/terminal/git/default.nix

@@ -16,7 +16,7 @@
         editor = "${pkgs.neovim}/bin/nvim";
       };
       init = {
-        defaultBranch = "master";
+        defaultBranch = "main";
       };
       merge = {
         conflictstyle = "diff3";

hosts/nihilus/default.nix

@@ -15,7 +15,6 @@
     server = {
       rsync-daemon = {
         enable = true;
-        port = 9523;
         openFirewall = true;
         location = "/mnt/backups";
         address = "100.64.0.6";

options/server/rsync-daemon/default.nix

@@ -26,7 +26,7 @@ in
       default = false;
       description = "Whether to open the firewall";
     };
-    port = mkPortOption 9523 "rsyncd";
+    port = mkPortOption 873 "rsyncd";
     address = mkOption {
       type = nonEmptyStr;
       default = "0.0.0.0";
@@ -80,6 +80,7 @@ in
 
     modules.fixes.services.rsyncd = {
       enable = true;
+      inherit (cfg) port;
       socketActivated = true;
       settings = {
         globalSection = {

options/services/nysh.nix

@@ -33,7 +33,6 @@ in
         Type = "simple";
         ExecStart = "/bin/sh -lc ${cfg.package}/bin/nysh";
         Restart = "on-failure";
-
         NoNewPrivileges = true;
       };
     };

options/services/tailscale.nix

@@ -18,6 +18,7 @@ let
     enum
     bool
     ;
+  inherit (lib.my) getExe;
   cfg = config.modules.services.tailscale;
 in
 {
@@ -86,14 +87,29 @@ in
       description = "tailscale system tray";
       wantedBy = [ "graphical-session.target" ];
       after = [ "graphical-session.target" ];
-      path = [ pkgs.polkit ];
+      path = with pkgs; [
+        polkit
+        tailscale
+      ];
       serviceConfig = {
         Type = "simple";
-        ExecStart = "/bin/sh -lc ${pkgs.tailscale-systray}/bin/tailscale-systray";
+        ExecStart = getExe pkgs.tail-tray;
         Restart = "on-failure";
         RestartSec = 1;
         TimeoutStopSec = 10;
         IPAddressDeny = "any";
+        NoNewPrivileges = true;
+        ProtectClock = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap";
+        #  ProtectControlGroups = true;
+        #RestrictNamespaces = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
       };
     };
   };

users/ny/default.nix

@@ -26,7 +26,6 @@ in
     ]
     ++ (with pkgs; [
       keepassxc
-      digikam
       fragments
       element-desktop
       libreoffice