Address PR review feedback: security, documentation, and configuration improvements

Co-authored-by: ragusa-it <196988693+ragusa-it@users.noreply.github.com>
2026-02-01 19:50:18 +00:00
parent 41de438583
commit df02e01ce8
6 changed files with 84 additions and 42 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,9 @@
 {
  description = "NixOS - Isolated Gaming & Dev configurations";

+  # SECURITY NOTE: After first build, commit flake.lock to pin inputs to specific
+  # commits. Update via `nix flake update` only from trusted sources.
+  # This protects against supply-chain attacks from upstream changes.
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

@@ -24,13 +27,18 @@
  outputs = { self, nixpkgs, mango, quickshell, noctalia, ... }@inputs:
  let
    system = "x86_64-linux";
+    lib = nixpkgs.lib;
    specialArgs = { inherit inputs system; };

+    # Verify mango flake exports the expected module
+    mangoModule = assert lib.hasAttrByPath [ "nixosModules" "mango" ] mango;
+      mango.nixosModules.mango;
+
    # IMPORTANT: Replace <hostname> with actual hostname
    commonModules = [
      ./hosts/<hostname>/hardware-configuration.nix
      ./modules/common.nix
-      mango.nixosModules.mango
+      mangoModule
    ];
  in {
    nixosConfigurations = {