ragusa-it/nixos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Harden NixOS config defaults and setup guidance #4

Merged
Copilot merged 13 commits from copilot/review-nixos-setup-issues into main 2026-02-01 21:17:59 +00:00
Conversation 2 Commits 13 Files Changed 5 +2 -3
2 changed files with 2 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 0a24c471aa - Show all commits

2
README.md
View File

@@ -63,7 +63,7 @@ Defaults are set in `flake.nix` and used across modules. Update them there:
| `time.timeZone` | `America/New_York` | `modules/common.nix` | | `time.timeZone` | `America/New_York` | `modules/common.nix` |
| `i18n.defaultLocale` | `en_US.UTF-8` | `modules/common.nix` | | `i18n.defaultLocale` | `en_US.UTF-8` | `modules/common.nix` |
Rename the default `hosts/atlas/` directory to match your hostname (e.g., `hosts/desktop/`), then update the `hostname` value in `flake.nix` to match. The flake uses it to locate `hosts/<hostname>/hardware-configuration.nix`. Rename the default `hosts/atlas/` directory to match your hostname (e.g., `hosts/desktop/`). After renaming the directory, update the `hostname` value in `flake.nix` to match. The flake uses it to locate `hosts/<hostname>/hardware-configuration.nix`.
### 3. Stage Files in Git ### 3. Stage Files in Git

3
flake.nix
View File

@@ -46,8 +46,7 @@
&& builtins.match "^nix" username == null && builtins.match "^nix" username == null
&& username != "root"; && username != "root";
hostConfig = ./hosts + "/${hostname}/hardware-configuration.nix"; hostConfig = ./hosts + "/${hostname}/hardware-configuration.nix";
passwordHashPath = assert usernameValid; passwordHashPath = assert usernameValid; "/etc/nixos/secrets/${username}/password.hash";
"/etc/nixos/secrets/${username}/password.hash";
specialArgs = { inherit inputs system hostname username usernameValid passwordHashPath; }; specialArgs = { inherit inputs system hostname username usernameValid passwordHashPath; };
copilot-pull-request-reviewer[bot] commented 2026-02-01 21:21:01 +00:00 (Migrated from github.com)
Review
Copy Link

The assertion for hostConfig will fail at evaluation time with a cryptic error if the path doesn't exist. The assert statement should provide a helpful error message to guide users. Consider using a let-binding with an abort statement that provides a clear message like: "Hardware configuration not found at ./hosts/${hostname}/hardware-configuration.nix. Please ensure the directory exists and contains the hardware configuration file."

    hostConfig =
      let
        hardwarePath = ./hosts + "/${hostname}/hardware-configuration.nix";
      in
      if builtins.pathExists hardwarePath then
        hardwarePath
      else
        builtins.abort "Hardware configuration not found at ./hosts/${hostname}/hardware-configuration.nix. Please ensure the directory exists and contains the hardware configuration file.";
The assertion for `hostConfig` will fail at evaluation time with a cryptic error if the path doesn't exist. The assert statement should provide a helpful error message to guide users. Consider using a let-binding with an abort statement that provides a clear message like: "Hardware configuration not found at ./hosts/${hostname}/hardware-configuration.nix. Please ensure the directory exists and contains the hardware configuration file." ```suggestion hostConfig = let hardwarePath = ./hosts + "/${hostname}/hardware-configuration.nix"; in if builtins.pathExists hardwarePath then hardwarePath else builtins.abort "Hardware configuration not found at ./hosts/${hostname}/hardware-configuration.nix. Please ensure the directory exists and contains the hardware configuration file."; ```
copilot-pull-request-reviewer[bot] commented 2026-02-01 21:21:01 +00:00 (Migrated from github.com)
Review
Copy Link

The passwordHashPath is hardcoded to a system location that may not exist on first installation, but there's no validation or assertion to check if this file exists. This will cause the system build to fail with an unclear error. Consider adding an assertion in common.nix to check if the password hash file exists, with a helpful error message directing users to the password setup instructions in the README. Alternatively, document that users must create this file before their first build.

    passwordHashPath =
      let
        path = "/etc/nixos/secrets/${username}/password.hash";
      in
      if builtins.pathExists path then
        path
      else
        builtins.throw ''
          Password hash file not found at ${path}.
          
          Please create this file before your first build.
          See the password setup instructions in the project README.
        '';
The `passwordHashPath` is hardcoded to a system location that may not exist on first installation, but there's no validation or assertion to check if this file exists. This will cause the system build to fail with an unclear error. Consider adding an assertion in `common.nix` to check if the password hash file exists, with a helpful error message directing users to the password setup instructions in the README. Alternatively, document that users must create this file before their first build. ```suggestion passwordHashPath = let path = "/etc/nixos/secrets/${username}/password.hash"; in if builtins.pathExists path then path else builtins.throw '' Password hash file not found at ${path}. Please create this file before your first build. See the password setup instructions in the project README. ''; ```
# Verify mango flake exports the expected module # Verify mango flake exports the expected module