Feat/audit improvements #24

2026-06-10T17:01:27+01:00

lyrathorpe commented

2026-06-10 17:01:27 +01:00

No description provided.

lyrathorpe added 11 commits 2026-06-10 17:01:27 +01:00

feat(nixos): add nixos-hardware profiles for the x86 hosts bdfc27cf93

T400 gets the generic lenovo-thinkpad + common-pc-laptop(-ssd) +
common-cpu-intel blocks (no t400-specific profile exists); this also
enables tlp and the tp_smapi/acpi_call battery tooling. Mac Pro 3,1 gets
common-pc-ssd + common-cpu-intel. nixos-hardware follows our nixpkgs to
keep a single nixpkgs in the closure.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

feat(nixos): key-only sshd hardening on T400 and Mac Pro 93571386bd

New system/modules/ssh.nix disables password and keyboard-interactive
auth and root login, and installs the authorized key for the primary
user. Imported by the two hosts that run sshd; each still enables the
service and opens port 22 in its own config.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

feat(nixos): physical-host services — power, bluetooth, OOM, firmware d172157101

- thermald on the x86 hosts (guarded; the Asahi MBP self-governs).
- T400 battery charge thresholds (75/80) via tp_smapi; tlp itself comes
  from the nixos-hardware profile.
- Bluetooth (bluez + powerOnBoot) and blueman on the laptops — the MBP
  already loads Apple BT firmware but bluez was never running.
- earlyoom + fwupd on the physical graphical hosts; zram on the Mac Pro.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

feat(nixos): nix-ld + nix-community cache + font coverage (base layer) 2836ea1150

In common-nixos.nix (every NixOS host):
- programs.nix-ld for all hosts, not just WSL — foreign dynamic binaries
  (VS Code server, prebuilt toolchains) run on the dev boxes too. Removed
  the now-redundant per-host enable from the EDaaS config.
- nix-community.cachix.org substituter (merges with the Asahi cache).
- Noto sans + colour-emoji fonts and fontconfig defaultFonts mapping, so
  the WSL box (and anything asking fontconfig for "monospace") stops
  rendering tofu.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

feat(sway): polkit agent, kanshi, night-light, idle-inhibit, lid policy ef0fc9a5c5

- Polkit authentication agent (lxqt-policykit) as a sway-session user
  service — programs.sway only enables the daemon, so GUI auth dialogs
  (nemo mount, NM/blueman) previously failed silently. Corrected the
  header comment that wrongly claimed the agent was handled system-side.
- kanshi for output/display management (safe internal-panel default; a
  documented template for docked/Cinema-Display profiles).
- gammastep night-light (manual location; adjust coordinates).
- inhibit_idle on fullscreen so video doesn't get blanked/locked.
- logind lid policy on the laptops: suspend on battery, lock on AC.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

feat(nvim): format-on-save + telescope/gitsigns/which-key/trouble and QoL 5dd14a8e68

- conform-nvim format-on-save mirroring the repo's treefmt set (nixfmt,
  stylua, ruff, shfmt, prettier, gofumpt; LSP fallback for terraform).
- telescope (+fzf-native) with <leader>ff/fg/fb; trouble (<leader>xx).
- gitsigns, which-key, lualine (catppuccin), comment, autopairs,
  treesitter-textobjects.
- luasnip wired into cmp for snippet completion.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

feat(home): work k8s/TF CLIs, shell + git polish, themed btop, lazygit 318c64a371

- work.nix: k9s, kubectx/kubens, stern, dyff, tflint, terraform-docs,
  yq-go for the EDaaS Kubernetes/Terraform workflow.
- shell.nix: btop themed Catppuccin Mocha (vendored theme; not bundled),
  hyperfine + sd, and the tmux extrakto plugin (prefix+Tab grab).
- git.nix: amend/fixup/undo aliases, commit-graph maintenance, and
  lazygit (themed). Corrected the stale work/default.nix doc references.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

feat(darwin): declarative macOS defaults + Touch-ID sudo 8c058632ef

Touch ID now authorises sudo (via sudo_local, update-safe). Adds the
standard system.defaults blocks — dock autohide / no-recents, Finder
extensions + path bar + list view, dark mode, fast key repeat, trackpad
tap-to-click — so the Mac's UI is managed declaratively too.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

ci: run full nix flake check + add nix-community substituter 89850b37ce

Replace the formatting-only build with `nix flake check`, so deadnix,
statix and the pre-commit hooks are enforced in CI (not just local
hooks). Add the nix-community binary cache to the runner's nix config to
speed up the check closure. The explicit per-host eval pass is kept for
granular output.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

docs: document the audit improvements; fix remaining stale work refs 972b8f4c60

Update the home README (editor plugins + format-on-save, btop/lazygit/
hyperfine/sd, git aliases, tmux extrakto, fonts/emoji coverage),
KEYBINDINGS (telescope/trouble/comment), and the top README (shared
module layers + nix-flake-check CI). Correct the last work/default.nix
reference in default.nix.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

chore(mbp): set hostname to Lyra-Asahi

CI / flake (pull_request) Successful in 3m44s

Details

3e5a0958ab

Was Emma-Asahi; align with the lyrathorpe persona used across the configs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

lyrathorpe merged commit 6ee8852c3b into main

2026-06-10 17:08:25 +01:00

lyrathorpe deleted branch feat/audit-improvements

2026-06-10 17:08:26 +01:00

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: lyrathorpe/nixfiles#24