sudo -> doas

common/firefox.nix

@@ -48,8 +48,11 @@ in
         OverrideFirstRunPage = "";
         OverridePostUpdatePage = "";
         DontCheckDefaultBrowser = true;
-        Preferences = lib.mkMerge ([ ]
+        Preferences = lib.mkMerge ([{
-          ++ lib.optionals cfg.sway.enable [{ "browser.tabs.inTitlebar" = 0; }]);
+          "pdfjs.enableScripting" = false;
+        }]
+        ++ lib.optional cfg.sway.enable { "browser.tabs.inTitlebar" = 0; }
+        );
       };
     };
   };

common/networking.nix

@@ -6,7 +6,6 @@ in
   config = with cfg; lib.mkIf (enable && network) {
     networking.networkmanager.enable = true;
     networking.useDHCP = lib.mkDefault true;
-    networking.firewall.enable = true;
 
     hardware.bluetooth.enable = true;
 
@@ -15,7 +14,7 @@ in
       bluetuith
     ];
 
-    services.blueman.enable = graphical;
+    services.blueman.enable = lib.mkIf graphical true;
 
     systemd.user.services.mpris-proxy = lib.mkIf sound {
       description = "Mpris proxy";

common/pass.nix

@@ -1,27 +0,0 @@
-{ pkgs, config, lib, ... }:
-let
-  cfg = config.grimmShared;
-in
-{
-  config = with cfg; lib.mkIf (enable && tooling.enable && tooling.pass) {
-    security.polkit.enable = true;
-
-    environment.systemPackages = with pkgs; [
-      mkpasswd
-      pinentry
-      gnupg
-      pass
-      libsecret
-      (writeShellScriptBin "passw" "pass $@")
-    ] ++ lib.optional graphical lxqt.lxqt-policykit;
-
-    services.passSecretService.enable = true;
-    programs.gnupg.agent = {
-      settings = {
-        # default-cache-ttl = 6000;
-      };
-      pinentryPackage = lib.mkForce pkgs.pinentry;
-      enable = true;
-    };
-  };
-}

common/security.nix

@@ -0,0 +1,38 @@
+{ pkgs, config, lib, ... }:
+let
+  cfg = config.grimmShared;
+in
+{
+  config = with cfg; lib.mkIf enable {
+    security.polkit.enable = true;
+    networking.firewall.enable = lib.mkIf network true;
+
+    security.doas.enable = true;
+    security.sudo.enable = false;
+    security.doas.extraRules = [{
+      users = lib.attrNames (lib.filterAttrs (n: v: v.isNormalUser) config.users.users);
+      keepEnv = true;
+      persist = true;
+    }];
+
+    environment.systemPackages = with pkgs; [
+      mkpasswd
+      gnupg
+      libsecret
+      vulnix
+      doas-sudo-shim # muscle memory
+    ] ++ lib.optionals (tooling.enable && tooling.pass) [
+      pass
+      (writeShellScriptBin "passw" "pass $@")
+    ] ++ lib.optional graphical lxqt.lxqt-policykit;
+
+    services.passSecretService.enable = lib.mkIf (tooling.enable && tooling.pass) true;
+    programs.gnupg.agent = {
+      settings = {
+        # default-cache-ttl = 6000;
+      };
+      pinentryPackage = with pkgs; lib.mkForce (if graphical then pinentry-qt else pinentry-tty);
+      enable = true;
+    };
+  };
+}

common/sound.nix

@@ -20,6 +20,8 @@ in
     environment.systemPackages = with pkgs; [
       pwvucontrol
       playerctl
+      openal
+      flite
       pulseaudio
     ];
   };

common/toolchains.nix

@@ -41,6 +41,7 @@ in
       powertop
       parted
       glib
+      glibc
     ] ++ lib.optionals cfg.graphical [
       qdirstat
       libva-utils

flake.lock

@@ -78,11 +78,11 @@
         "yafas": "yafas"
       },
       "locked": {
-        "lastModified": 1712743609,
+        "lastModified": 1713020398,
-        "narHash": "sha256-sbp5oZgxQGNegFqUGtsSvFyb2oZ86G/cCjwY137MnlU=",
+        "narHash": "sha256-fZ9snNCxKj5sJ/hymCW8aM8Lzlbzo/VYYfl/oNLh/jc=",
         "owner": "chaotic-cx",
         "repo": "nyx",
-        "rev": "ec3a7e608929f4570a5152c1226f54275452b731",
+        "rev": "f0e16565b38a473664977625680f08e7cc9dec50",
         "type": "github"
       },
       "original": {
@@ -138,11 +138,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1712369716,
+        "lastModified": 1712765734,
-        "narHash": "sha256-9zs+0GTfSyGHdpiA6dPJXnDKAHmfr01OE9FxDE9KvPI=",
+        "narHash": "sha256-HakehmZVdhbXHNaTzoSwIHdvy1A3A7XXEIUHV2cC7d8=",
         "owner": "girlbossceo",
         "repo": "conduwuit",
-        "rev": "2516d44cb178547194a66fa9c44930ab9bddd910",
+        "rev": "7d92cad55f58ef55d5c95ecf3753e0fa75ab11e1",
         "type": "github"
       },
       "original": {
@@ -331,11 +331,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1712521891,
+        "lastModified": 1712909442,
-        "narHash": "sha256-qJRkB7QZo2mdR/nABeHQKi3xkQxUsSGjVVQXTSHQocI=",
+        "narHash": "sha256-D+VrmsPLkEbxNcI7lp9rGFR33RumbQIyhhjJ4PooWBs=",
         "owner": "Jovian-Experiments",
         "repo": "Jovian-NixOS",
-        "rev": "ec53086c76303dc8880fa7ba06c45abcae8b3398",
+        "rev": "8886e3da78fcefb11935ea85da3d1572bf444c55",
         "type": "github"
       },
       "original": {
@@ -357,11 +357,11 @@
         "rust-overlay": "rust-overlay"
       },
       "locked": {
-        "lastModified": 1712602331,
+        "lastModified": 1712983637,
-        "narHash": "sha256-pM6sB2ltcy7jtog/gv1tbpT1ZDTdmrxfXPE9mbp/zO8=",
+        "narHash": "sha256-PSoOKfevRvoVZdMqijl9VcaB5OqgCoAgQ8UpsEAdEDQ=",
         "owner": "martinvonz",
         "repo": "jj",
-        "rev": "13592ce49eaa245a740c7a8cd0ca8ea622c4fe95",
+        "rev": "82c85ba7542b0a5c938f53d71f9a481fc37eda1d",
         "type": "github"
       },
       "original": {
@@ -394,11 +394,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1712600195,
+        "lastModified": 1712992043,
-        "narHash": "sha256-RvmOMmJjPc6if0kVLPXWyWIddzLG1yUPkL6PDrEvTrM=",
+        "narHash": "sha256-xUbqDxGiDab1et16JupBHpliGNpRSUcKfm++7t0UgBo=",
         "owner": "YaLTeR",
         "repo": "niri",
-        "rev": "e448cfb0efee0efbfc769662ee77ad22a347dc02",
+        "rev": "71be19b234d58f4ec447e921633506beb81a52c0",
         "type": "github"
       },
       "original": {
@@ -430,11 +430,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1712452624,
+        "lastModified": 1712969975,
-        "narHash": "sha256-R35K+4krhK5B2fcV6W2HFe/uhXmP8YGTb35uZ+nDAxw=",
+        "narHash": "sha256-QckL3hBXRRwapLNbPdjy7+5WQNl2n2o7onmQRpyHwYs=",
         "owner": "fufexan",
         "repo": "nix-gaming",
-        "rev": "06314bbf8fedd83c7253442994a2f0c81d47988e",
+        "rev": "52f21f01ecbcc48d25c94a8a1e5c98cebf519a78",
         "type": "github"
       },
       "original": {
@@ -468,11 +468,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1712608508,
+        "lastModified": 1712791164,
-        "narHash": "sha256-vMZ5603yU0wxgyQeHJryOI+O61yrX2AHwY6LOFyV1gM=",
+        "narHash": "sha256-3sbWO1mbpWsLepZGbWaMovSO7ndZeFqDSdX0hZ9nVyw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "4cba8b53da471aea2ab2b0c1f30a81e7c451f4b6",
+        "rev": "1042fd8b148a9105f3c0aca3a6177fd1d9360ba5",
         "type": "github"
       },
       "original": {

load_common.nix

@@ -236,8 +236,8 @@ in
     ./common/opengl.nix
     ./common/gaming.nix
     ./common/firefox.nix
-    ./common/pass.nix
     ./common/sway.nix
     ./common/cloudsync.nix
+    ./common/security.nix
   ];
 }

modules/xserver.nix

@@ -1,27 +1,14 @@
 {
-  # Enable the X11 windowing system.
+  services.displayManager = {
-  services.xserver = {
+    #      lightdm.enable = true;
-    enable = true;
+    sddm = {
-    videoDrivers = [ "nouveau" "fbdev" "modesetting" ];
+      enable = true;
-    #    videoDrivers = [ "nouveau" ];
+      wayland.enable = true;
-    displayManager = {
-      #      lightdm.enable = true;
-      sddm = {
-        enable = true;
-        wayland.enable = true;
-      };
-      defaultSession = "sway";
-    };
-    desktopManager = {
-      #      xfce.enable = true;
     };
+    defaultSession = "sway";
   };
 
   services.desktopManager = {
     plasma6.enable = true;
-    #      xfce.enable = true;
   };
-
-  # Enable touchpad support (enabled default in most desktopManager).
-  # services.xserver.libinput.enable = true;
 }