fix(workstation): allow sudo caching across tty:s

[johnae]

No description provided.

[claude]

Claude finished @johnae's task —— View job

---

Pull Request Review

I've reviewed the changes in this PR that adds a workstation profile for NixOS. While the PR title mentions only the sudo caching change, this actually introduces an entire workstation configuration profile.

📋 Summary

This PR adds a new NixOS workstation profile (profiles/workstation.nix) with comprehensive desktop environment configuration, including the advertised sudo TTY caching feature.

✅ Positive Aspects

• Clean module structure: Well-organized imports and logical grouping of related configurations
• Comprehensive workstation setup: Includes all essential components for a modern Linux workstation (graphics, audio, networking, etc.)
• Good use of NixOS patterns: Proper use of lib.mkForce, conditional configurations, and package references

🔍 Code Quality & Best Practices

The code follows NixOS best practices well:

• Proper use of the module system with clear imports
• Consistent formatting and indentation
• Good separation of concerns between different service configurations

⚠️ Security Considerations

The sudo configuration change requires attention:

# Allow sudo credential caching across TTYs (useful for Zellij panes, etc.)
security.sudo.extraConfig = ''
  Defaults !tty_tickets
'';

Security implications of !tty_tickets:

• ✅ Convenience: Allows sudo authentication to persist across different terminal sessions/panes (useful for tmux, zellij, etc.)
• ⚠️ Risk: If an attacker gains access to one TTY session with cached sudo credentials, they can escalate privileges in any other TTY session for that user
• ⚠️ Mitigation needed: Consider adding timestamp_timeout to limit the duration of cached credentials:

  security.sudo.extraConfig = ''
    Defaults !tty_tickets
    Defaults timestamp_timeout=15  # Expire after 15 minutes
  '';

🐛 Potential Issues

1. Hardware-specific packages: The profile includes Intel-specific graphics drivers (intel-media-driver, intel-vaapi-driver) alongside AMD ROCm packages. This might cause issues on systems without the corresponding hardware. Consider making these conditional based on detected hardware.

2. Missing error handling: The polkit authentication agent service doesn't have a restart limit, which could lead to rapid restart loops if there's a persistent failure.

3. Hardcoded idle timeout: The 30-minute idle timeout for suspend-then-hibernate might be too aggressive for some workflows:

   IdleActionSec = "30min";

🚀 Performance Considerations

• Good use of iwd as the WiFi backend (generally faster than wpa_supplicant)
• Enabling powertop for power management optimization
• The persistence configuration for /var/cache/powertop ensures power profiling data survives reboots

🧪 Test Coverage

No tests were included with this configuration profile. Consider adding NixOS VM tests to verify:

• Sudo caching behavior across TTYs works as expected
• Essential services start correctly
• Graphics and audio subsystems initialize properly

💡 Suggestions for Improvement

1. Document the module: Add comments explaining the purpose and requirements of this profile at the top of the file
2. Make hardware support conditional: Use config.hardware.cpu.intel.updateMicrocode or similar checks
3. Add security timeout for sudo: As mentioned above, consider adding timestamp_timeout
4. Consider splitting: This is a large profile - consider splitting into smaller, focused modules (graphics.nix, audio.nix, security.nix)

📝 PR Description

The PR lacks a description. For better collaboration, consider adding:

• Why this change was needed (the use case for sudo caching across TTYs)
• Any testing performed
• Potential security trade-offs considered

---

Overall, this is a solid workstation configuration with one important security consideration regarding the sudo TTY caching. The change achieves its goal but should be deployed with awareness of the security implications.