
Owner

@xfeusw xfeusw commented Oct 2, 2025

Summary by Sourcery

Restructure the flake configuration to adopt flake-utils and modular inputs, introduce Wayland support, secrets management and theming, and comprehensively enhance security, developer tooling, performance settings, shell configuration, and host-specific GNOME deployment.

New Features:

  • Add flake-utils, impermanence and nix-colors inputs for modular code structure and consistent theming
  • Integrate nixpkgs-wayland overlay and optional Hyprland input for Wayland support
  • Introduce sops-nix and .sops.yaml for encrypted secrets management
  • Include Firefox addons via NUR and add Prisma engines input for Node.js

Enhancements:

  • Harden security with fail2ban, stricter SSH and firewall rules, kernel sysctl hardening, auditd and security packages
  • Restructure outputs to inherit all inputs and apply global overlays including unstable, Wayland, and custom optimizations
  • Overhaul Zsh configuration with expanded aliases, history settings, custom functions, FZF, Oh-My-Zsh plugins, and direnv integration
  • Optimize Nix settings for performance and storage (GC, builders, sandboxing) and add a suite of Nix CLI utilities
  • Refresh development environment with modern CLI, container, database, network, and benchmarking tools
  • Refine the Acer host configuration: GNOME module imports, bootloader/boot options, localization, performance module, and automated upgrades
  • Extend Node.js environment with Prisma engine binaries, OpenSSL integration, and session variables for schema tooling
  • Update GNOME dconf extensions list to remove deprecated plugins and add new ones


sourcery-ai bot commented Oct 2, 2025

Reviewer's Guide

This PR overhauls the Nix flake and host configurations by expanding inputs, refactoring outputs, enhancing security hardening and performance tuning, enriching shell and development environments, and modularizing host-specific settings with secrets management.

File-Level Changes

Change | Details | Files

Refactor flake.nix structure and inputs
  • Added community and utility flakes (nixpkgs-wayland, flake-utils, impermanence, nix-colors, firefox-addons, sops-nix, hyprland)
  • Replaced manual outputs with inputs@ argument and unified inherit logic
  • Configured global nixpkgs.overlays and multi-cache substituters and trusted keys
  Files: flake.nix

Extend security module
  • Enabled fail2ban with custom jails and bantime strategy
  • Hardened SSH (ciphers, KexAlgorithms, logging and rate limits)
  • Configured firewall extras (invalid packet drop, refined SSH rate limiting)
  • Added sysctl/kernelParams hardening, blacklisted modules and auditd rules
  • Expanded environment.systemPackages with security tools
  Files: modules/security.nix

Overhaul Zsh configuration
  • Boosted history size and extended options
  • Expanded shellAliases with modern CLI, git, nix and development shortcuts
  • Enhanced initContent: fzf, direnv, performance (lazy loading) and custom helpers
  • Updated oh-my-zsh plugins to include extract, z, direnv
  Files: home/xfeusw/shell/zsh.nix

Tune Nix and system performance
  • Replaced inputs-based nix-settings with pkgs-based config
  • Enabled experimental features (ca-derivations, auto-allocate-uids) and sandbox
  • Optimized builders, garbage collection, store maintenance and added nix daemon settings
  • Introduced modules/performance.nix for zram, sysctl optimizations, fstrim and autoUpgrade policy
  Files: modules/nix-settings.nix, modules/performance.nix

Enrich development and Node.js tooling
  • Added modern CLI, dev and Nix-specific packages in tools.nix
  • Enabled direnv integration
  • Integrated Prisma engines, OpenSSL, sessionVariables for Node.js in nodejs.nix
  Files: home/xfeusw/development/tools.nix, home/xfeusw/development/languages/nodejs.nix

Restructure host-specific configuration
  • Replaced power module with performance and backup modules
  • Modularized desktop (GNOME) and hardware imports
  • Tweaked bootloader and kernelParams for faster and secure boot
  • Integrated sops secrets.yaml and .sops.yaml for encrypted secrets
  • Expanded i18n, timezone and stateVersion
  Files: hosts/acer/configuration.nix, .sops.yaml, hosts/acer/secrets.yaml


@sourcery-ai sourcery-ai bot left a comment

Hey there - I've reviewed your changes and they look great!

Prompt for AI Agents
Please address the comments from this code review:

## Individual Comments

### Comment 1
<location> `modules/security.nix:13-14` </location>
<code_context>
-      Defaults timestamp_timeout=30
-      Defaults pwfeedback
-    '';
+    sudo = {
+      extraConfig = ''
+        Defaults timestamp_timeout=15
+        Defaults pwfeedback
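Review bot: `Defaults pwfeedback` prints one asterisk per typed character, so anyone looking at the screen (or a screen recording) learns the password length; the tighter `timestamp_timeout=15` is a good change, but on a host that is otherwise being hardened consider dropping pwfeedback. Note also that the `insults` directive and `/var/log/sudo.log` mentioned in the comment below are not in the visible lines of this hunk, so that concern cannot be verified from it.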
</code_context>

<issue_to_address>
**🚨 issue (security):** Consider the security implications of enabling 'insults' and verbose sudo logging.

Ensure 'Defaults insults' is appropriate for your environment. Secure and rotate /var/log/sudo.log to prevent exposure of sensitive data.
</issue_to_address>

### Comment 2
<location> `modules/security.nix:39-40` </location>
<code_context>
+      factor = "2";
+    };
+
+    jails = {
+      ssh = ''
+        enabled = true
+        port = 22
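Review bot: `port = 22` is hardcoded in the jail while the SSH listener is configured elsewhere in this module; if `services.openssh.ports` is ever changed the jail silently bans on the wrong port. Prefer `port = ssh` (resolved from /etc/services) or derive it from the configured port. Since NixOS does not write `/var/log/auth.log` unless a syslog daemon is set up, have the jail read sshd events from the journal (`backend = systemd`) rather than a file, and check whether this `ssh` jail duplicates the `sshd` jail that the NixOS fail2ban module already defines.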
</code_context>

<issue_to_address>
**issue (bug_risk):** The fail2ban jail for SSH uses /var/log/auth.log, which may not exist on all NixOS setups.

NixOS typically uses /var/log/messages or journald for authentication logs. If /var/log/auth.log is missing, fail2ban won't work. Please verify the log path or use systemd-journal integration.
</issue_to_address>

### Comment 3
<location> `modules/performance.nix:61` </location>
<code_context>
+  # Power management for better performance/battery balance
+  powerManagement = {
+    enable = true;
+    cpuFreqGovernor = "schedutil";  # Better than ondemand
+  };
+}
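Review bot: the real risk with `cpuFreqGovernor = "schedutil"` is not kernel age (schedutil has been in mainline since 4.7 and NixOS ships recent kernels) but the cpufreq driver: with intel_pstate in its default active mode the only governors exposed are `performance` and `powersave`, so this setting fails on many Intel laptops unless `intel_pstate=passive` is on the kernel command line. Before merging, check `/sys/devices/system/cpu/cpu0/cpufreq/scaling_available_governors` on the Acer host, and consider leaving governor selection to GNOME's power-profiles-daemon instead of pinning it here.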
</code_context>

<issue_to_address>
**issue:** Using 'schedutil' as the CPU frequency governor may not be supported on all kernels.

Verify kernel compatibility with 'schedutil' and implement a fallback to 'ondemand' or 'performance' if unsupported.
</issue_to_address>

### Comment 4
<location> `home/xfeusw/shell/zsh.nix:140-142` </location>
<code_context>
+      nix-locate() { nix-index --locate "$1" }
+
+      # Git helpers
+      git-clean-branches() {
+        git branch --merged | grep -v "\*\|main\|master\|develop" | xargs -r git branch -d
+      }
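Review bot: two problems in `git-clean-branches`. `git branch --merged` with no ref compares against the current HEAD, so run from a feature branch it lists branches merged into that feature branch rather than into main; and `grep -v` is a substring match, so `main` also shields `maintenance-fix` and `develop` shields `developer-docs`. Suggest `git branch --merged main | grep -vE '^\*|^ *(main|master|develop)$' | xargs -r git branch -d`, noting that `-d` (not `-D`) already refuses to delete unmerged branches. Separately, the `nix-locate` function on the first line shadows the `nix-locate` binary that the nix-index package provides; confirm that `nix-index --locate` is a real flag, otherwise this wrapper breaks the tool it wraps.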
</code_context>

<issue_to_address>
**suggestion:** The git-clean-branches function may delete branches that are not protected.

Consider updating the exclusion list to include any additional branches you want to protect from deletion.

```suggestion
      git-clean-branches() {
        git branch --merged | grep -v "\*\|main\|master\|develop\|release\|staging\|production" | xargs -r git branch -d
      }
```
</issue_to_address>

### Comment 5
<location> `modules/nix-settings.nix:30` </location>
<code_context>
-      ];
+      # Sandbox settings
+      sandbox = true;
+      restrict-eval = false;
+
+      # Trusted users
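Review bot: `restrict-eval = false` and `sandbox = true` both restate Nix's defaults (restrict-eval is off unless enabled, and sandboxing is on by default on Linux), so these lines change nothing and the comment below about "disabling" restrict-eval reads more into them than is there. restrict-eval is an evaluation-time restriction (it blocks access to paths outside the store and unpinned fetches, the mode Hydra uses for untrusted expressions), not a multi-user isolation control; the multi-user boundary in this file is `trusted-users`. Either drop both lines or comment them as deliberate restatements so future readers do not assume something was relaxed.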
</code_context>

<issue_to_address>
**🚨 issue (security):** Disabling restrict-eval may reduce security in multi-user environments.

Allowing arbitrary code evaluation can expose the system to risks from untrusted users. Please review whether this aligns with your security requirements.
</issue_to_address>

### Comment 6
<location> `modules/nix-settings.nix:33` </location>
<code_context>
+      restrict-eval = false;
+
+      # Trusted users
+      trusted-users = [ "root" "@wheel" ];
     };

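Review bot: `trusted-users` is effectively root-equivalent for the Nix daemon: a trusted user can pass any `--option`, including extra `substituters` and `trusted-public-keys`, and have the daemon accept unsigned store paths, so `@wheel` extends that to every sudo-capable account. On a single-owner laptop the delta is small (wheel already has sudo), but the least-privilege form is to name the one account that needs it, e.g. `trusted-users = [ "root" "xfeusw" ]` given the `home/xfeusw` tree in this PR, and keep `@wheel` out of the list.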
</code_context>

<issue_to_address>
**🚨 issue (security):** Adding '@wheel' to trusted-users grants elevated Nix permissions to all wheel group members.

Verify that every wheel group member should have elevated Nix access, since this configuration enables privileged operations for all of them.
</issue_to_address>

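A governor-fallback check of the kind Comment 3 asks for, added here as an illustration (not code from the PR or from Sourcery): it picks the first governor from a preference list that the cpufreq driver actually exposes, and takes the sysfs file path as an argument so it can be exercised against constructed inputs.

```shell
#!/usr/bin/env bash
# Added illustration (not from the PR or from Sourcery): choose the first CPU
# frequency governor from a preference list that the running cpufreq driver
# actually offers. The sysfs path is passed in so the function can be tested
# against constructed files; on a live host use
# /sys/devices/system/cpu/cpu0/cpufreq/scaling_available_governors.
pick_governor() {
  avail_file="$1"
  shift
  if [ ! -r "$avail_file" ]; then
    # No cpufreq sysfs node at all (e.g. a VM or a kernel without cpufreq).
    echo "cpufreq unavailable: cannot read $avail_file" >&2
    return 1
  fi
  # Pad with spaces so each governor is matched as a whole word, not a substring.
  available=" $(cat "$avail_file") "
  for want in "$@"; do
    case "$available" in
      *" $want "*)
        printf '%s\n' "$want"
        return 0
        ;;
    esac
  done
  echo "none of '$*' offered by this driver; available:$available" >&2
  return 1
}

# With intel_pstate in active mode the sysfs file reads "performance powersave",
# so a preference of schedutil -> ondemand -> performance resolves to performance:
# pick_governor /sys/devices/system/cpu/cpu0/cpufreq/scaling_available_governors \
#   schedutil ondemand performance
```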

@xfeusw xfeusw merged commit 5bf2adc into master Oct 4, 2025
2 checks passed