Direnv instant 2 #3723
Conversation
Flake lock file updates:
• Updated input 'nixpkgs':
'git+https://github.com/Mic92/nixpkgs?ref=main&rev=00f377a6b442e00513079ceba1160a814a0e8173&shallow=1' (2025-10-05)
→ 'git+https://github.com/Mic92/nixpkgs?ref=main&rev=803e43c91accdf64fcf8702506cd915ec92378b4&shallow=1' (2025-10-31)
Force-pushed d6c4e94 to cca4dc4.
📒 Files selected for processing (10)
Walkthrough: This pull request performs a systematic overhaul across multiple configuration domains. It standardizes platform detection by replacing
Possibly related PRs
Pre-merge checks and finishing touches: ❌ Failed checks (3 warnings)
Force-pushed cca4dc4 to dbd043e.
Actionable comments posted: 6
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
machines/eve/modules/n8n/default.nix (2)
9-14: Add error handling for dynamic module loading. The dynamic module resolution lacks error handling. If the `pnpmDir` doesn't exist, the `router@` directory isn't found, or the directory structure changes in future n8n versions, the hook will crash n8n startup with a cryptic error. Apply this diff to add defensive error handling:
- const n8nBasePath = '${pkgs.n8n}/lib/n8n'; - const pnpmDir = resolve(n8nBasePath, 'node_modules/.pnpm'); - const routerDir = fs.readdirSync(pnpmDir).find(dir => dir.startsWith('router@')); - - const Layer = require(resolve(pnpmDir, routerDir, 'node_modules/router/lib/layer')); - const { issueCookie } = require(resolve(n8nBasePath, 'packages/cli/dist/auth/jwt')); + const n8nBasePath = '${pkgs.n8n}/lib/n8n'; + const pnpmDir = resolve(n8nBasePath, 'node_modules/.pnpm'); + + if (!fs.existsSync(pnpmDir)) { + throw new Error(`n8n pnpm directory not found: ''${pnpmDir}`); + } + + const routerDir = fs.readdirSync(pnpmDir).find(dir => dir.startsWith('router@')); + if (!routerDir) { + throw new Error('router module not found in n8n dependencies'); + } + + const Layer = require(resolve(pnpmDir, routerDir, 'node_modules/router/lib/layer')); + const { issueCookie } = require(resolve(n8nBasePath, 'packages/cli/dist/auth/jwt'));
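Review bot: the `find(dir => dir.startsWith('router@'))` kept by this hunk still picks whichever `router@…` entry `readdirSync` lists first, so if n8n's pnpm store ever holds two router versions the hook resolves a non-deterministic one; sort the matches or match the exact version n8n depends on. The added `fs.existsSync(pnpmDir)` check is redundant with the `readdirSync` that follows, which already throws an `ENOENT` error naming the path, so the new message changes only the wording of the failure, not when it happens.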
42-42: Fix typo in error message. There's an extra single quote before `${email}` in the error message. Apply this diff:
- res.end(`User ''${email} not found, please have an admin invite the user first.`) + res.end(`User '${email}' not found, please have an admin invite the user first.`)
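Review bot: the doubled quote in `User ''${email}` is not a typo. This hook source is a Nix indented string (it interpolates `${pkgs.n8n}` a few lines up), and `''$` is Nix's escape for a literal `$`, so `''${email}` is exactly what produces the JavaScript template placeholder `${email}` in the generated file. Applying this hunk turns it into a Nix-time interpolation of an undefined `email` variable and the module stops evaluating. If the address should be quoted in the message, keep the escape and use JavaScript double quotes around it, e.g. `User "''${email}" not found`.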
🧹 Nitpick comments (5)
pkgs/cewe-fotowelt/generate-sources.py (1)
42-42: Good refactor: explicit unused variable. Renaming `required` to `_required` follows Python conventions and makes it clear that this field is intentionally extracted but not used. This improves code clarity and prevents linter warnings.
pkgs/vcal/vcal_cli/reply.py (2)
36-36: Good refactoring: unused variable properly marked. Prefixing with underscore correctly indicates the variable is intentionally unused, following Python conventions.
198-198: Good refactoring: unused variable properly marked. Prefixing with underscore correctly indicates the variable is intentionally unused, following Python conventions. The stdout from msmtp is appropriately ignored since error messages are captured via stderr (line 204).
nixosModules/phpldapadmin/default.nix (2)
396-412: Consider simplifying the sessions table existence check. The current implementation uses a complex `psql` command with multiple conditional strings to check if the sessions table exists. While functional, this could be fragile if the PostgreSQL output format changes or if connection parameters vary. Consider using Laravel's artisan command to handle this more reliably:
- # Create sessions table migration if it doesn't exist in the database - # Check by querying the database directly - if ! ${lib.optionalString cfg.database.createLocally "${config.services.postgresql.package}/bin/"}psql \ - ${lib.optionalString cfg.database.createLocally "-h /run/postgresql"} \ - ${ - lib.optionalString ( - !cfg.database.createLocally - ) "-h ${cfg.database.host} -p ${toString cfg.database.port}" - } \ - -U ${cfg.database.user} \ - -d ${cfg.database.name} \ - -tAc "SELECT to_regclass('public.sessions');" 2>/dev/null | grep -q sessions; then - # Table doesn't exist, create migration if not already present - if ! ls ${stateDir}/app/database/migrations/*_create_sessions_table.php 2>/dev/null; then - ${phpldapadmin.php}/bin/php artisan session:table - fi - fi + # Always ensure the sessions table migration exists (idempotent) + if ! ls ${stateDir}/app/database/migrations/*_create_sessions_table.php 2>/dev/null; then + ${phpldapadmin.php}/bin/php artisan session:table + fiThis relies on
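Review bot: dropping the `psql` probe removes the dependency on parsing `to_regclass` output, but the `ls` test that remains only inspects the migrations directory, so `php artisan session:table` must run with `${stateDir}/app` as its working directory for the generated `*_create_sessions_table.php` to land where the check looks; run from the Nix store copy it would try to write into a read-only tree and fail. Note also that the simplified form generates the migration even when the table already exists from an earlier deployment, which is harmless only because `artisan migrate` records applied migrations in its own table and skips them.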
`artisan migrate` (line 415) to handle whether the table actually needs creation, which is Laravel's designed behavior.
417-425: Consider checking column type before altering. The `ALTER TABLE` command uses `|| true` to suppress errors, which may hide legitimate issues. While the operation is idempotent, you could make it more explicit by checking the current column type first. Apply this diff to check before altering:
# Fix sessions table user_id column for LDAP UUIDs # Laravel's default session migration uses bigint, but LDAP uses UUIDs (strings) ${lib.optionalString cfg.database.createLocally '' ${config.services.postgresql.package}/bin/psql \ -h /run/postgresql \ -U ${cfg.database.user} \ -d ${cfg.database.name} \ - -c "ALTER TABLE sessions ALTER COLUMN user_id TYPE varchar(255);" 2>/dev/null || true + -tAc "SELECT data_type FROM information_schema.columns WHERE table_name='sessions' AND column_name='user_id';" | grep -q varchar || \ + ${config.services.postgresql.package}/bin/psql \ + -h /run/postgresql \ + -U ${cfg.database.user} \ + -d ${cfg.database.name} \ + -c "ALTER TABLE sessions ALTER COLUMN user_id TYPE varchar(255);" ''}This avoids silent error suppression while maintaining idempotency.
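Review bot: the `grep -q varchar` guard in this hunk can never match, because `information_schema.columns.data_type` reports the canonical type name `character varying` for a `varchar(255)` column, so the `ALTER TABLE` runs on every activation and, with `|| true` removed, any failure now aborts the unit instead of being ignored. Match on the canonical name (for example `grep -qx 'character varying'`) and add `table_schema = 'public'` to the `WHERE` clause so a `sessions` table in another schema cannot satisfy the check.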
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (1)
`flake.lock` is excluded by `!**/*.lock`
📒 Files selected for processing (50)
- darwinModules/hyprspace.nix (1 hunks)
- darwinModules/nix-daemon.nix (1 hunks)
- flake.nix (1 hunks)
- home-manager/common.nix (3 hunks)
- home-manager/desktop.nix (1 hunks)
- home-manager/flake-module.nix (2 hunks)
- home-manager/modules/ai.nix (1 hunks)
- home-manager/modules/neovim/default.nix (1 hunks)
- home-manager/modules/neovim/flake-module.nix (1 hunks)
- home/bin/update-nixpkgs-fork (1 hunks)
- machines/bernie/configuration.nix (3 hunks)
- machines/dorits-laptop/configuration.nix (2 hunks)
- machines/eve/configuration.nix (1 hunks)
- machines/eve/modules/authelia.nix (6 hunks)
- machines/eve/modules/freshrss.nix (1 hunks)
- machines/eve/modules/gitea/default.nix (1 hunks)
- machines/eve/modules/goatcounter.nix (2 hunks)
- machines/eve/modules/kanidm/README.md (0 hunks)
- machines/eve/modules/kanidm/default.nix (0 hunks)
- machines/eve/modules/mastodon-hnbot.nix (1 hunks)
- machines/eve/modules/n8n/default.nix (1 hunks)
- machines/eve/modules/nextcloud.nix (1 hunks)
- machines/eve/modules/phpldapadmin.nix (2 hunks)
- machines/eve/modules/shadowsocks.nix (0 hunks)
- machines/eve/modules/tt-rss.nix (0 hunks)
- machines/eve/modules/vaultwarden.nix (1 hunks)
- machines/evo/configuration.nix (1 hunks)
- machines/turingmachine/modules/packages.nix (1 hunks)
- nixosModules/hyprspace.nix (1 hunks)
- nixosModules/nix-daemon.nix (1 hunks)
- nixosModules/openldap/default.nix (1 hunks)
- nixosModules/phpldapadmin/default.nix (6 hunks)
- nixosModules/phpldapadmin/package.nix (3 hunks)
- nixosModules/phpldapadmin/phpldapadmin-password-helper.patch (1 hunks)
- nixosModules/ssh3.nix (0 hunks)
- nixosModules/update-prefetch.nix (1 hunks)
- nixosModules/zfs.nix (1 hunks)
- pkgs/cewe-fotowelt/generate-sources.py (1 hunks)
- pkgs/images/base-config.nix (1 hunks)
- pkgs/ssh3/default.nix (0 hunks)
- pkgs/vcal/vcal_cli/reply.py (2 hunks)
- vars/per-machine/eve/authelia/identity-validation-reset-password-jwt-secret/machines/eve (1 hunks)
- vars/per-machine/eve/authelia/identity-validation-reset-password-jwt-secret/secret (1 hunks)
- vars/per-machine/eve/authelia/identity-validation-reset-password-jwt-secret/users/joerg (1 hunks)
- vars/per-machine/eve/phpldapadmin/app-key/machines/eve (1 hunks)
- vars/per-machine/eve/phpldapadmin/app-key/secret (1 hunks)
- vars/per-machine/eve/phpldapadmin/app-key/users/joerg (1 hunks)
- vars/per-machine/eve/phpldapadmin/bind-password/machines/eve (1 hunks)
- vars/per-machine/eve/phpldapadmin/bind-password/secret (1 hunks)
- vars/per-machine/eve/phpldapadmin/bind-password/users/joerg (1 hunks)
💤 Files with no reviewable changes (6)
- machines/eve/modules/kanidm/default.nix
- machines/eve/modules/tt-rss.nix
- machines/eve/modules/shadowsocks.nix
- machines/eve/modules/kanidm/README.md
- nixosModules/ssh3.nix
- pkgs/ssh3/default.nix
🔇 Additional comments (44)
machines/turingmachine/modules/packages.nix (1)
9-9: LGTM! Platform detection update aligns with PR objectives. The change from `pkgs.hostPlatform.system` to `pkgs.stdenv.hostPlatform.system` is consistent with the broader platform detection updates across the codebase described in the PR summary.
machines/eve/modules/n8n/default.nix (1)
60-77: LGTM! Clean consolidation to environment variables. The migration from nested settings to environment variables is well-structured. The SSO configuration (EXTERNAL_HOOK_FILES, N8N_FORWARD_AUTH_HEADER, N8N_SSO_HOSTNAME) properly integrates with the custom hook implementation.
machines/bernie/configuration.nix (2)
112-112: LGTM! Package rename follows nixpkgs conventions. The rename from `ubuntu_font_family` to `ubuntu-classic` aligns with current nixpkgs naming conventions.
123-123: LGTM! Package rename follows nixpkgs conventions. The rename from `poppler_utils` to `poppler-utils` aligns with current nixpkgs naming conventions.
vars/per-machine/eve/phpldapadmin/bind-password/users/joerg (1)
1-1: LGTM! Same sops reference pattern. This follows the same sops secret reference pattern as the app-key file, pointing to the user's sops directory.
pkgs/images/base-config.nix (1)
89-89: LGTM! Platform detection updated to use stdenv. The change from `pkgs.hostPlatform.system` to `pkgs.stdenv.hostPlatform.system` aligns with the broader platform detection refactoring across the repository and follows Nix best practices.
machines/dorits-laptop/configuration.nix (3)
78-78: LGTM! Package renamed to match nixpkgs convention. The change from `ubuntu_font_family` to `ubuntu-classic` follows nixpkgs naming conventions.
87-87: LGTM! Package renamed to follow kebab-case convention. The change from `poppler_utils` to `poppler-utils` aligns with nixpkgs kebab-case naming convention.
89-89: LGTM! Platform detection updated consistently. The change to `pkgs.stdenv.hostPlatform.system` is consistent with the broader platform detection refactoring across the repository.
machines/eve/modules/gitea/default.nix (1)
85-85: LGTM! Platform detection updated to use stdenv. The change from `pkgs.hostPlatform.system` to `pkgs.stdenv.hostPlatform.system` is consistent with the platform detection refactoring throughout the PR.
vars/per-machine/eve/phpldapadmin/app-key/users/joerg (1)
1-1: LGTM! Sops secret path verified. The relative path `../../../../../../sops/users/joerg` correctly references the existing sops user directory. Verification confirms the target exists.
machines/eve/modules/nextcloud.nix (1)
10-10: The web search result is incomplete. Let me gather more detailed information about Nextcloud 32 breaking changes. Back up and test the upgrade before applying in production.
The system address book may be disabled during upgrade if you have more than 5000 users, to prevent performance issues, but can be re-enabled via command line or administration interface. Follow standard upgrade procedures: ensure you're on the latest Nextcloud 31 point release, enable maintenance mode, and allow background migrations to complete before returning to service.
nixosModules/zfs.nix (1)
15-15: Verification confirms the review comment is factually accurate—the change from `zfsUnstable` to `zfs_unstable` was made and follows nixpkgs naming convention. However, when validating whether the `zfs_unstable` package exists, the package could not be resolved. While the commit message "nixpkgs fixes" indicates this was an intentional update, manual verification is needed to ensure `zfs_unstable` is available in your nixpkgs version or custom fork (github:Mic92/nixpkgs?ref=main) and that the system builds/evaluates correctly.
home-manager/modules/neovim/flake-module.nix (1)
56-56: Verify that `taplo` includes LSP functionality or configure it properly. The default `taplo` package in nixpkgs does not include the language server feature; it must be enabled via the Cargo feature `lsp`. The original package name `taplo-lsp` suggests it provided LSP by default, but the replacement with plain `taplo` may break this functionality unless explicitly configured. Check:
- Whether `taplo` in this configuration has the `lsp` feature enabled (look for `cargoBuildFeatures` or a similar override)
- If not configured, either enable the lsp feature or confirm LSP functionality works as intended
machines/eve/modules/mastodon-hnbot.nix (1)
9-9: LGTM: Platform detection updated to use stdenv.hostPlatform. The change from `pkgs.hostPlatform.system` to `pkgs.stdenv.hostPlatform.system` aligns with Nixpkgs conventions and is consistent with similar updates across this PR.
darwinModules/nix-daemon.nix (1)
11-11: LGTM: Consistent platform detection update. The update to `pkgs.stdenv.hostPlatform.system` maintains consistency with the broader refactoring across this PR.
machines/eve/modules/vaultwarden.nix (1)
115-115: LGTM: Platform detection aligned with PR-wide changes. The update to `pkgs.stdenv.hostPlatform.system` for the vaultwarden_ldap binary path is consistent with the platform detection refactoring throughout this PR.
vars/per-machine/eve/phpldapadmin/app-key/machines/eve (1)
1-1: LGTM: SOPS reference follows standard pattern. The relative path reference to the SOPS machine configuration is consistent with the per-machine secret structure used elsewhere in the repository.
home/bin/update-nixpkgs-fork (1)
17-17: LGTM: Improved portability using $HOME. Replacing the hardcoded absolute path with `$HOME` makes the script more portable and maintainable.
nixosModules/hyprspace.nix (1)
70-70: LGTM: Platform detection update in runtimeInputs. The change to `pkgs.stdenv.hostPlatform.system` aligns with the consistent platform detection refactoring across this PR.
nixosModules/update-prefetch.nix (1)
28-28: LGTM: Platform detection updated in URL constructions. Both curl URL constructions now use `pkgs.stdenv.hostPlatform.system`, maintaining consistency with the platform detection refactoring throughout this PR. Also applies to: 33-33
vars/per-machine/eve/phpldapadmin/bind-password/secret (1)
1-22: LGTM: Properly formatted SOPS-encrypted secret. The secret file follows the standard SOPS structure with multiple AGE recipients, ensuring proper encryption and redundancy for the phpldapadmin LDAP bind password.
machines/eve/modules/authelia.nix (1)
65-70: Confirm the SMTP password secret path. `AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE` points to the generated LDAP bind-password secret. Unless the SMTP account intentionally reuses that credential, Authelia will attempt to log in to mail.thalheim.io with the LDAP password and SMTP delivery will fail. Please double-check and wire this to the actual SMTP password secret (e.g., a dedicated SOPS/clan var).
machines/eve/modules/goatcounter.nix (2)
17-19: Platform detection update looks correct. The change from `pkgs.hostPlatform.system` to `pkgs.stdenv.hostPlatform.system` aligns with the broader pattern across this PR to standardize platform detection using stdenv's host platform.
44-44: Platform detection update looks correct. The change from `pkgs.hostPlatform.system` to `pkgs.stdenv.hostPlatform.system` is consistent with the updated ExecStart path above and follows the PR's standardization pattern.
home-manager/common.nix (2)
15-15: Platform detection update looks correct. The change from `pkgs.hostPlatform.system` to `pkgs.stdenv.hostPlatform.system` aligns with the PR's standardization pattern for consistent platform detection.
95-95: Platform detection update looks correct. The change from `pkgs.hostPlatform.system` to `pkgs.stdenv.hostPlatform.system` for the nix-output-monitor conditional is consistent with the PR's standardization pattern.
nixosModules/nix-daemon.nix (1)
11-11: Platform detection update looks correct. The change from `pkgs.hostPlatform.system` to `pkgs.stdenv.hostPlatform.system` is consistent with the PR's standardization pattern for platform detection across the codebase.
vars/per-machine/eve/authelia/identity-validation-reset-password-jwt-secret/users/joerg (1)
1-1: SOPS reference path resolves correctly—no action needed. The verification confirms that the relative path `../../../../../../sops/users/joerg` exists and resolves successfully to the target SOPS user file. The path traversal depth is accurate, and the reference is valid.
vars/per-machine/eve/authelia/identity-validation-reset-password-jwt-secret/machines/eve (1)
1-1: Path resolution verified—no changes needed. The relative path `../../../../../../sops/machines/eve` resolves correctly to an existing file in the repository. The target SOPS machine file exists and the path traversal depth is accurate.
machines/eve/configuration.nix (1)
54-54: All phpldapadmin module verification checks passed. The module file exists at `machines/eve/modules/phpldapadmin.nix`, correctly imports the dependency from `nixosModules/phpldapadmin`, and is properly configured with all necessary service options enabled.
flake.nix (1)
53-53: I need to verify if the `framework-amd-ai-300-series` module exists in the upstream nixos-hardware repository, as this is a critical piece given the fork/branch change. Now let me verify the other two modules are available upstream:
Verified: switch to upstream nixos-hardware is safe.
The `framework-amd-ai-300-series` module is available in the upstream NixOS/nixos-hardware repository. Both `framework-13th-gen-intel` and `lenovo-thinkpad-x13s` modules are also present in upstream nixos-hardware. All three hardware configurations in the codebase will continue to work without issues.
vars/per-machine/eve/authelia/identity-validation-reset-password-jwt-secret/secret (1)
1-21: SOPS secret looks good. The document is properly wrapped in SOPS metadata with encrypted `data`, `mac`, and age recipients, so it should decrypt cleanly for the targeted machines and users. Nice work keeping the format consistent.
home-manager/flake-module.nix (1)
71-72: Consistent host platform detection. Moving the Home Manager binary lookup and conditional home configurations over to `pkgs.stdenv.hostPlatform.system` keeps everything in line with current nixpkgs guidance for cross-awareness. Thanks for tightening that up. Also applies to: 107-111
darwinModules/hyprspace.nix (1)
39-42: Hyprspace default matches host platform. Good call switching the default package to `pkgs.stdenv.hostPlatform.system`; it keeps the Darwin module aligned with the rest of the tree's platform handling.
home-manager/modules/ai.nix (1)
10-19: AI tools follow the same host platform rule. Updating both the toolset binding and exported packages to `pkgs.stdenv.hostPlatform.system` keeps the module portable across systems without surprises. Looks solid to me.
nixosModules/openldap/default.nix (1)
48-92: Double-check the expanded LDAP ACL surface. Granting the Authelia service account write access to `userPassword` is the right hook for password-reset flows, and Authelia's own docs call out that permission as a requirement for the reset feature. The follow-up `{7}to * by users read` rule now gives every authenticated bind read visibility across the tree, which mirrors the common OpenLDAP examples but does broaden what ordinary users can enumerate. Please confirm that this level of directory disclosure matches your security posture (e.g., no sensitive attributes stored unmasked, TLS enforced everywhere). If you need to trim that exposure, consider scoping the read rule to specific subtrees or attribute sets. Let me know if you'd like help sketching alternative clauses.
nixosModules/phpldapadmin/package.nix (1)
68-85: LGTM! The patch application and frontend asset integration in `postInstall` are correctly implemented. The writable directory structure setup is also appropriate for Laravel applications.
machines/eve/modules/phpldapadmin.nix (3)
19-19: Verify the single-component base DN is intentional. The LDAP base DN is configured as `"dc=eve"`, which is unusually simple (single component). Typically, base DNs have multiple components like `"dc=example,dc=com"`. Ensure this matches your actual LDAP directory structure.
30-84: LGTM! The custom template definition is well-structured with appropriate auto-fill behaviors and uses ARGON2ID for password hashing, which is a secure modern algorithm.
103-124: LGTM! The generator correctly produces both secrets with appropriate handling:
- The `app-key` uses `printf` to avoid trailing newlines in the formatted output
- The `bind-password` is generated with sufficient entropy (32 bytes, base64-encoded)
- Both secrets have proper ownership configured
nixosModules/phpldapadmin/default.nix (3)
13-23: LGTM! The custom templates package correctly generates individual JSON files for each template definition using `builtins.toJSON`. The heredoc approach ensures proper escaping.
143-200: LGTM! The LDAP configuration options are comprehensive and well-documented with sensible defaults and helpful examples.
366-384: LGTM! The rsync-based synchronization with proper exclusions and the symlink setup for writable directories is well-implemented. Using `chmod -R u+w` to make the copied files writable is necessary since the Nix store is read-only.
Actionable comments posted: 2
🧹 Nitpick comments (1)
nixosModules/limine.nix (1)
42-48: Document the security trade-off of `--disable-landlock`. The `--disable-landlock` flag disables Linux's Landlock LSM security feature. While this may be necessary for the Nix sandbox environment, it's worth documenting why this trade-off is acceptable and whether there are alternative approaches. Consider adding a more detailed comment explaining:
- Why landlock interferes with the sandbox
- What security guarantees are being relaxed
- Whether this is a known sbctl limitation in sandboxed environments
script = '' - # Generate secure boot keys (disable landlock since we're in a Nix sandbox) + # Generate secure boot keys + # --disable-landlock is required because Landlock LSM interferes with + # directory access patterns in the Nix sandbox environment. + # This is a known limitation when running sbctl in isolated build contexts. sbctl --disable-landlock create-keys
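Review bot: the replacement comment asserts a cause (Landlock interfering with directory access in the sandbox) that nothing on this page establishes; before committing that wording, reproduce the failure by running the generator without `--disable-landlock` and record the actual error in the comment, otherwise the documentation is a guess. The comment should also state what is and is not relaxed: the flag only turns off sbctl's own Landlock self-confinement while `create-keys` runs, it does not change the keys, where they are stored, or anything enforced at boot.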
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (1)
`flake.lock` is excluded by `!**/*.lock`
📒 Files selected for processing (31)
- flake.nix (2 hunks)
- home/.claude/settings.json (2 hunks)
- home/.gitconfig (1 hunks)
- machines/turingmachine/configuration.nix (1 hunks)
- nixosModules/lanzaboote.nix (1 hunks)
- nixosModules/limine.nix (1 hunks)
- pkgs/cewe-fotowelt/sources.nix (1 hunks)
- vars/per-machine/turingmachine/secureboot/KEK.key/machines/turingmachine (1 hunks)
- vars/per-machine/turingmachine/secureboot/KEK.key/secret (1 hunks)
- vars/per-machine/turingmachine/secureboot/KEK.key/users/joerg (1 hunks)
- vars/per-machine/turingmachine/secureboot/KEK.pem/value (1 hunks)
- vars/per-machine/turingmachine/secureboot/PK.key/machines/turingmachine (1 hunks)
- vars/per-machine/turingmachine/secureboot/PK.key/secret (1 hunks)
- vars/per-machine/turingmachine/secureboot/PK.key/users/joerg (1 hunks)
- vars/per-machine/turingmachine/secureboot/PK.pem/value (1 hunks)
- vars/per-machine/turingmachine/secureboot/db.key/machines/turingmachine (1 hunks)
- vars/per-machine/turingmachine/secureboot/db.key/secret (1 hunks)
- vars/per-machine/turingmachine/secureboot/db.key/users/joerg (1 hunks)
- vars/per-machine/turingmachine/secureboot/db.pem/value (1 hunks)
- vars/per-machine/turingmachine/secureboot/keys/KEK/KEK.key/machines/turingmachine (1 hunks)
- vars/per-machine/turingmachine/secureboot/keys/KEK/KEK.key/secret (1 hunks)
- vars/per-machine/turingmachine/secureboot/keys/KEK/KEK.key/users/joerg (1 hunks)
- vars/per-machine/turingmachine/secureboot/keys/KEK/KEK.pem/value (1 hunks)
- vars/per-machine/turingmachine/secureboot/keys/PK/PK.key/machines/turingmachine (1 hunks)
- vars/per-machine/turingmachine/secureboot/keys/PK/PK.key/secret (1 hunks)
- vars/per-machine/turingmachine/secureboot/keys/PK/PK.key/users/joerg (1 hunks)
- vars/per-machine/turingmachine/secureboot/keys/PK/PK.pem/value (1 hunks)
- vars/per-machine/turingmachine/secureboot/keys/db/db.key/machines/turingmachine (1 hunks)
- vars/per-machine/turingmachine/secureboot/keys/db/db.key/secret (1 hunks)
- vars/per-machine/turingmachine/secureboot/keys/db/db.key/users/joerg (1 hunks)
- vars/per-machine/turingmachine/secureboot/keys/db/db.pem/value (1 hunks)
✅ Files skipped from review due to trivial changes (14)
- vars/per-machine/turingmachine/secureboot/keys/PK/PK.key/users/joerg
- vars/per-machine/turingmachine/secureboot/db.pem/value
- vars/per-machine/turingmachine/secureboot/keys/KEK/KEK.key/machines/turingmachine
- vars/per-machine/turingmachine/secureboot/db.key/users/joerg
- vars/per-machine/turingmachine/secureboot/keys/KEK/KEK.key/users/joerg
- vars/per-machine/turingmachine/secureboot/keys/db/db.key/machines/turingmachine
- vars/per-machine/turingmachine/secureboot/PK.key/machines/turingmachine
- vars/per-machine/turingmachine/secureboot/KEK.key/machines/turingmachine
- vars/per-machine/turingmachine/secureboot/keys/PK/PK.key/machines/turingmachine
- vars/per-machine/turingmachine/secureboot/keys/db/db.key/users/joerg
- vars/per-machine/turingmachine/secureboot/PK.key/users/joerg
- vars/per-machine/turingmachine/secureboot/keys/KEK/KEK.key/secret
- vars/per-machine/turingmachine/secureboot/keys/db/db.pem/value
- vars/per-machine/turingmachine/secureboot/keys/PK/PK.pem/value
🚧 Files skipped from review as they are similar to previous changes (1)
- flake.nix
🔇 Additional comments (19)
home/.claude/settings.json (2)
3-3: Clarify the model identifier notation. The model value `"sonnet[1m]"` uses an unusual suffix notation. Please confirm that `[1m]` is a valid/recognized format for your Claude configuration system, or document what it signifies (e.g., version, feature flag, thinking mode variant).
17-17: Extended thinking mode has been disabled. The `alwaysThinkingEnabled` setting is now `false`, which disables Claude's extended thinking. This is a functional preference change—please verify this aligns with your intended configuration for this environment.
home/.gitconfig (1)
130-132: Consistent SSH GitHub remotes. Enabling the `[email protected]` rewrite keeps GitHub traffic on SSH and lines up with the rest of this config. Looks good.
pkgs/cewe-fotowelt/sources.nix (2)
6-6: Version bump looks correct. The version update from 8.0.4 to 8.0.5 is consistent with the URL changes in the source entries below.
14-15: Source entry updates look correct. All these source entries have been properly updated with new 8.0.5 URLs and corresponding SHA256 hashes.
Also applies to: 21-22, 28-29, 35-36, 42-43, 49-50, 63-64, 70-71
nixosModules/lanzaboote.nix (1)
1-5: LGTM! Module import pattern looks correct. The addition of the `self` parameter and the direct import of the lanzaboote NixOS module creates a clean wrapper pattern that provides standardized defaults while delegating the core functionality to the upstream module.
nixosModules/limine.nix (3)
17-24: LGTM! Limine bootloader configuration is appropriate. The configuration enables secure boot with a custom sbctl config, sets reasonable defaults for editor and generations, and uses removable EFI installation, which is suitable for certain hardware configurations.
52-55: Verify the `L+` symlink behavior is intended. The `L+` tmpfiles directive will forcefully replace any existing `/var/lib/sbctl/keys` directory or file with the symlink. Ensure this is the intended behavior, especially for systems upgrading from a previous secure boot setup. If this module might be applied to systems with existing secure boot keys, consider whether a warning or migration path is needed.
6-14: Original review comment is incorrect; code is appropriate for the use case. The directory structure assumption is not fragile. The generator definition explicitly creates files within `keys/PK/`, `keys/KEK/`, and `keys/db/` subdirectories, then moves the entire `keys` directory to output. The triple `dirOf` correctly navigates from `$out/keys/PK/PK.key` back to `$out` (the secureboot activation directory), which is then used with `/keys` appended. This structure is stable and defined explicitly in the generator itself, not assumed. (Note: The inline comment at lines 7–8 is misleading—it claims "one level" but the code performs three levels—but that is a documentation issue separate from code correctness.)
machines/turingmachine/configuration.nix (1)
41-42: No critical issues found—bootloader migration is properly configured. Verification confirms:
- ✓ Limine bootloader properly enabled with secure boot via `clan.core.vars.generators.secureboot`
- ✓ Secure boot keys (PK, KEK, db) are generated and configured with sbctl
- ✓ No conflicting boot configurations in turingmachine
- ✓ Change is isolated and intentional (lanzaboote commented out, not orphaned)
The migration from Lanzaboote to Limine appears sound. Note: Lanzaboote remains defined in `flake.nix` as an unused input; consider removing it if not needed elsewhere.
1-1: Relative pointer looks correct. The reference depth lines up with the other secure-boot user links in this tree. No changes needed.
vars/per-machine/turingmachine/secureboot/keys/KEK/KEK.pem/value (1)
1-28: PEM content looks well-formed. The new KEK certificate parses as a standard PEM block; no issues noted.
vars/per-machine/turingmachine/secureboot/db.key/machines/turingmachine (1)
1-1: Machine mapping path aligns with the pattern. This mirrors the other secure-boot machine references, so we're good here.
vars/per-machine/turingmachine/secureboot/PK.pem/value (1)
1-28: PK certificate addition looks fine. The block is a valid PEM envelope and follows our secure-boot layout.
vars/per-machine/turingmachine/secureboot/db.key/secret (1)
1-22: SOPS secret structure matches our standard. The encrypted payload and metadata look consistent with the other per-machine secrets.
vars/per-machine/turingmachine/secureboot/KEK.pem/value (1)
1-28: LGTM! KEK certificate properly formatted. The PEM certificate structure is valid and correctly stored as plaintext, which is appropriate since certificates are public data. The 5-year validity period (2025-2030) is reasonable for secure boot keys.
vars/per-machine/turingmachine/secureboot/KEK.key/secret (1)
1-22: LGTM! KEK private key properly encrypted.The SOPS encryption structure is correct, with three AGE recipients ensuring the private key is securely stored. This properly corresponds to the public KEK certificate.
vars/per-machine/turingmachine/secureboot/PK.key/secret (1)
1-22: SOPS encryption structure is correct.The private key is properly encrypted with SOPS using three AGE recipients. See the comment on
secureboot/keys/PK/PK.key/secretregarding potential path duplication.vars/per-machine/turingmachine/secureboot/keys/db/db.key/secret (1)
1-22: LGTM! Signature database key properly encrypted.The SOPS encryption structure is correct, with consistent AGE recipients matching the other secure boot secrets. This completes the secure boot key hierarchy (PK, KEK, db).
8b63e9b to 1219bcc
This patch allows templates to specify a default password hash algorithm via the 'helper' attribute. This ensures new user entries use a secure hash (ARGON2ID) by default instead of cleartext. The patch modifies the password field template to check for a 'helper' attribute in the template configuration before falling back to the existing behavior of detecting the hash from the password value.
Update vars via generator secureboot for machine turingmachine
1219bcc to 91b0613
Actionable comments posted: 2
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
nixosModules/phpldapadmin/default.nix (1)
40-47: Fix DB password sourcing for external databases. With `createLocally = false` and a `passwordFile`, the generated `.env` line becomes `DB_PASSWORD=/path/to/secret`, so Laravel will literally try to authenticate using the path string. The follow-up `artisan migrate` (and the app itself) will therefore fail against any external DB that requires a password. Please read the file contents at runtime instead of writing the path.

```diff
@@
-      DB_PASSWORD = cfg.database.passwordFile;
+      DB_PASSWORD = "";
@@
-      ${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: "${n}=${v}") dbConfig)}
+      ${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: "${n}=${v}") dbConfig)}
+      ${lib.optionalString (!cfg.database.createLocally && cfg.database.passwordFile != null) ''
+        DB_PASSWORD=$(< ${cfg.database.passwordFile})
+      ''}
```

Also applies to: 339-365
♻️ Duplicate comments (5)
pkgs/cewe-fotowelt/sources.nix (1)
54-58: Startscreen hash still not updated—previous concern persists. The URL was updated to version 8.0.5, but the hash on line 57 remains unchanged. This mismatch will cause a build failure during fetch verification. Please re-run `generate-sources.py` to regenerate the correct hash for all entries.
vars/per-machine/turingmachine/secureboot/keys/PK/PK.key/secret (1)
1-22: Verify removal of stale flat-level duplicate key files. This nested path file (`keys/PK/PK.key/secret`) is the correct canonical location for the PK secret. However, a previous review identified that flat-level duplicates at `secureboot/PK.key/secret`, `secureboot/KEK.key/secret`, and `secureboot/db.key/secret` contain stale encrypted content and should be removed to prevent confusion. Please confirm whether those flat-level duplicates have been cleaned up.
Run the following script to verify the flat-level duplicates are removed:

```bash
#!/bin/bash
# Check if stale flat-level secureboot key files still exist
find vars/per-machine/turingmachine/secureboot -maxdepth 2 -type f -name "secret" -path "*/secureboot/*.key/secret" | grep -v "/keys/"
```

If the script returns any files, those are the stale duplicates that should be deleted.
vars/per-machine/turingmachine/secureboot/keys/KEK/KEK.key/secret (1)
1-22: SOPS-encrypted secret structure is correct. This KEK secret file is properly formatted with valid SOPS encryption structure. Like the PK secret, this nested path version (`keys/KEK/KEK.key/secret`) is the canonical location. The same verification from the PK file review applies—ensure the flat-level duplicate at `secureboot/KEK.key/secret` has been removed.
home-manager/desktop.nix (1)
21-21: Revert to correct package name - `ubuntu-classic` does not exist. As flagged in previous reviews, `ubuntu-classic` is not a valid nixpkgs package. The correct package name is `ubuntu_font_family`.
Apply this diff:

```diff
- ubuntu-classic
+ ubuntu_font_family
```

machines/bernie/configuration.nix (1)
112-112: Revert to correct package name - `ubuntu-classic` does not exist. As flagged in previous reviews, `ubuntu-classic` is not a valid nixpkgs package. The correct package name is `ubuntu_font_family`.
Apply this diff:

```diff
- ubuntu-classic
+ ubuntu_font_family
```
🧹 Nitpick comments (5)
nixosModules/limine.nix (4)
7-16: Fragile path computation with multiple `dirOf` calls. The computation of `securebootDir` using three nested `dirOf` calls is brittle and tightly couples the code to a specific directory structure. If the clan vars path structure changes, this will silently break. Consider either:
- Using a more explicit configuration option for the secureboot directory path
- Adding runtime assertions to validate the directory structure
- Documenting the exact directory structure assumption in the module's options
Example of adding a validation:

```nix
securebootDir =
  let
    computed = dirOf (dirOf (dirOf config.clan.core.vars.generators.secureboot.files."keys/PK/PK.key".path));
    keysPath = "${computed}/keys/PK/PK.key";
  in
  # This will fail at evaluation if the structure is wrong
  assert builtins.pathExists keysPath || throw "Expected secureboot keys at ${keysPath}";
  computed;
```

19-26: Hard-coded bootloader configuration limits reusability. This module hard-codes all Limine bootloader settings without exposing configuration options. Since this is in `nixosModules/`, it appears to be intended for reuse across multiple machines, but the fixed values prevent customization. Consider wrapping these in a `config` section with corresponding `options` to make this module reusable, or document that this is intentionally machine-specific.
Example structure:

```nix
{
  options.myBootloader = {
    maxGenerations = mkOption {
      type = types.int;
      default = 20;
      description = "Maximum number of boot generations to keep";
    };
    # ... other options
  };
  config = {
    boot.loader.limine = {
      enable = true;
      maxGenerations = config.myBootloader.maxGenerations;
      # ...
    };
  };
}
```

44-50: Add error handling to key generation script. The script assumes `/var/lib/sbctl/keys` will exist after `sbctl create-keys` runs and that the `mv` command will succeed. If the script fails partway through, keys could be left in an inconsistent state. Consider adding error handling:

```diff
 script = ''
+  set -euo pipefail
+
   # Generate secure boot keys (disable landlock since we're in a Nix sandbox)
   sbctl --disable-landlock create-keys
+  # Verify keys were created
+  if [ ! -d /var/lib/sbctl/keys ]; then
+    echo "Error: sbctl failed to create keys directory"
+    exit 1
+  fi
+
   # Move entire keys directory to output
   mv /var/lib/sbctl/keys "$out/keys"
 '';
```
44-50: Expand comment to document security implications of disabling Landlock. The comment correctly identifies that `--disable-landlock` is necessary in the Nix sandbox environment. However, it should explicitly document the security trade-off: disabling Landlock removes the LSM sandbox that would restrict sbctl's file access, increasing risk if the process were compromised or buggy. While this is acceptable here (one-time generation in a controlled sandbox during activation), the security rationale should be clear to future maintainers.
Suggested enhancement to line 45 comment:

```bash
# Disable landlock: Nix sandbox prevents standard path declarations needed for Landlock's
# per-process restrictions. Trade-off: sbctl runs without LSM confinement (increases
# attack surface if compromised), acceptable here since this is one-time key generation
# in a controlled environment during system activation.
```

machines/turingmachine/configuration.nix (1)
40-41: Remove commented code instead of leaving it in place. The lanzaboote import is commented out rather than removed. Commented code should generally be removed since version control preserves history. If you need to reference the old configuration, you can always check the git history.
Apply this diff:

```diff
- #../../nixosModules/lanzaboote.nix
  ../../nixosModules/limine.nix
```
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (1)
`flake.lock` is excluded by `!**/*.lock`
📒 Files selected for processing (58)
- darwinModules/hyprspace.nix (1 hunks)
- darwinModules/nix-daemon.nix (1 hunks)
- flake.nix (2 hunks)
- home-manager/common.nix (3 hunks)
- home-manager/desktop.nix (1 hunks)
- home-manager/flake-module.nix (2 hunks)
- home-manager/modules/neovim/default.nix (1 hunks)
- home-manager/modules/neovim/flake-module.nix (1 hunks)
- home/.claude/settings.json (2 hunks)
- home/.gitconfig (1 hunks)
- machines/bernie/configuration.nix (3 hunks)
- machines/dorits-laptop/configuration.nix (2 hunks)
- machines/eve/configuration.nix (1 hunks)
- machines/eve/modules/authelia.nix (6 hunks)
- machines/eve/modules/gitea/default.nix (1 hunks)
- machines/eve/modules/goatcounter.nix (2 hunks)
- machines/eve/modules/kanidm/README.md (0 hunks)
- machines/eve/modules/kanidm/default.nix (0 hunks)
- machines/eve/modules/mastodon-hnbot.nix (1 hunks)
- machines/eve/modules/n8n/default.nix (1 hunks)
- machines/eve/modules/nextcloud.nix (1 hunks)
- machines/eve/modules/phpldapadmin.nix (2 hunks)
- machines/eve/modules/shadowsocks.nix (0 hunks)
- machines/eve/modules/tt-rss.nix (0 hunks)
- machines/eve/modules/vaultwarden.nix (1 hunks)
- machines/turingmachine/configuration.nix (1 hunks)
- machines/turingmachine/modules/packages.nix (1 hunks)
- nixosModules/hyprspace.nix (1 hunks)
- nixosModules/lanzaboote.nix (1 hunks)
- nixosModules/limine.nix (1 hunks)
- nixosModules/nix-daemon.nix (1 hunks)
- nixosModules/openldap/default.nix (1 hunks)
- nixosModules/phpldapadmin/default.nix (6 hunks)
- nixosModules/phpldapadmin/package.nix (2 hunks)
- nixosModules/phpldapadmin/phpldapadmin-password-helper.patch (1 hunks)
- nixosModules/update-prefetch.nix (1 hunks)
- nixosModules/zfs.nix (1 hunks)
- pkgs/cewe-fotowelt/sources.nix (1 hunks)
- pkgs/images/base-config.nix (1 hunks)
- vars/per-machine/eve/authelia/identity-validation-reset-password-jwt-secret/machines/eve (1 hunks)
- vars/per-machine/eve/authelia/identity-validation-reset-password-jwt-secret/secret (1 hunks)
- vars/per-machine/eve/authelia/identity-validation-reset-password-jwt-secret/users/joerg (1 hunks)
- vars/per-machine/eve/phpldapadmin/app-key/secret (1 hunks)
- vars/per-machine/eve/phpldapadmin/bind-password/machines/eve (1 hunks)
- vars/per-machine/eve/phpldapadmin/bind-password/secret (1 hunks)
- vars/per-machine/eve/phpldapadmin/bind-password/users/joerg (1 hunks)
- vars/per-machine/turingmachine/secureboot/keys/KEK/KEK.key/machines/turingmachine (1 hunks)
- vars/per-machine/turingmachine/secureboot/keys/KEK/KEK.key/secret (1 hunks)
- vars/per-machine/turingmachine/secureboot/keys/KEK/KEK.key/users/joerg (1 hunks)
- vars/per-machine/turingmachine/secureboot/keys/KEK/KEK.pem/value (1 hunks)
- vars/per-machine/turingmachine/secureboot/keys/PK/PK.key/machines/turingmachine (1 hunks)
- vars/per-machine/turingmachine/secureboot/keys/PK/PK.key/secret (1 hunks)
- vars/per-machine/turingmachine/secureboot/keys/PK/PK.key/users/joerg (1 hunks)
- vars/per-machine/turingmachine/secureboot/keys/PK/PK.pem/value (1 hunks)
- vars/per-machine/turingmachine/secureboot/keys/db/db.key/machines/turingmachine (1 hunks)
- vars/per-machine/turingmachine/secureboot/keys/db/db.key/secret (1 hunks)
- vars/per-machine/turingmachine/secureboot/keys/db/db.key/users/joerg (1 hunks)
- vars/per-machine/turingmachine/secureboot/keys/db/db.pem/value (1 hunks)
💤 Files with no reviewable changes (4)
- machines/eve/modules/tt-rss.nix
- machines/eve/modules/kanidm/README.md
- machines/eve/modules/kanidm/default.nix
- machines/eve/modules/shadowsocks.nix
✅ Files skipped from review due to trivial changes (2)
- vars/per-machine/turingmachine/secureboot/keys/db/db.pem/value
- vars/per-machine/eve/phpldapadmin/bind-password/machines/eve
🚧 Files skipped from review as they are similar to previous changes (35)
- nixosModules/hyprspace.nix
- machines/eve/modules/gitea/default.nix
- vars/per-machine/eve/phpldapadmin/bind-password/users/joerg
- machines/eve/modules/goatcounter.nix
- vars/per-machine/turingmachine/secureboot/keys/PK/PK.pem/value
- machines/eve/modules/mastodon-hnbot.nix
- vars/per-machine/turingmachine/secureboot/keys/db/db.key/machines/turingmachine
- machines/dorits-laptop/configuration.nix
- vars/per-machine/eve/authelia/identity-validation-reset-password-jwt-secret/users/joerg
- vars/per-machine/eve/phpldapadmin/bind-password/secret
- pkgs/images/base-config.nix
- nixosModules/phpldapadmin/phpldapadmin-password-helper.patch
- home/.gitconfig
- vars/per-machine/turingmachine/secureboot/keys/KEK/KEK.pem/value
- vars/per-machine/turingmachine/secureboot/keys/PK/PK.key/users/joerg
- vars/per-machine/turingmachine/secureboot/keys/KEK/KEK.key/machines/turingmachine
- machines/eve/modules/n8n/default.nix
- machines/eve/modules/nextcloud.nix
- home-manager/modules/neovim/default.nix
- home-manager/flake-module.nix
- vars/per-machine/eve/authelia/identity-validation-reset-password-jwt-secret/machines/eve
- darwinModules/hyprspace.nix
- flake.nix
- nixosModules/nix-daemon.nix
- vars/per-machine/turingmachine/secureboot/keys/db/db.key/users/joerg
- vars/per-machine/eve/authelia/identity-validation-reset-password-jwt-secret/secret
- vars/per-machine/turingmachine/secureboot/keys/KEK/KEK.key/users/joerg
- home/.claude/settings.json
- vars/per-machine/eve/phpldapadmin/app-key/secret
- nixosModules/zfs.nix
- vars/per-machine/turingmachine/secureboot/keys/PK/PK.key/machines/turingmachine
- vars/per-machine/turingmachine/secureboot/keys/db/db.key/secret
- home-manager/modules/neovim/flake-module.nix
- home-manager/common.nix
- nixosModules/lanzaboote.nix
🔇 Additional comments (16)
machines/eve/modules/authelia.nix (7)
34-49: LGTM! Good refactoring with the `gensecret()` helper. The URL-safe base64 secret generation is correctly implemented and eliminates code duplication.
75-79: LGTM! Password management features enabled correctly. Enabling password changes and resets follows Authelia best practices.
95-98: LGTM! New domain added correctly. The session cookie configuration for devkid.net is consistent with the existing thalheim.io setup.
110-110: LGTM! SMTP username configured correctly.
129-129: LGTM! Correct LDAP organizational unit for groups. Moving groups from `ou=users` to `ou=groups` aligns with standard LDAP directory structure.
135-143: LGTM! FreshRSS access control configured correctly. Group-based restriction with one-factor authentication is appropriate for RSS readers.
144-149: LGTM! n8n access control configured correctly. Group-based restriction is properly configured.
machines/bernie/configuration.nix (2)
123-123: Verify the package name change based on your nixpkgs version. The nixpkgs package attribute has transitioned from `poppler_utils` to `poppler-utils` in recent versions. The change from underscores to hyphens reflects nixpkgs' modernization of attribute naming conventions. However, which name is correct depends on your target nixpkgs version—ensure `poppler-utils` is available in the specific nixpkgs channel or commit you're using.
28-28: The module name is correct and requires no changes. The flake module name for the Lenovo ThinkPad X13 Intel variant in nixos-hardware is `lenovo-thinkpad-x13-intel`, which matches the code change. The `-intel` suffix is part of the official module name and should not be removed. Likely an incorrect or invalid review comment.
nixosModules/limine.nix (1)
53-57: Verify tmpfiles ordering with key generation. The tmpfiles rule creates a symlink to `${securebootDir}/keys`, but there's no explicit guarantee that the keys have been generated before tmpfiles rules are processed. While the keys are marked `neededFor = "activation"`, it would be safer to add explicit ordering or validation. Consider testing this during initial deployment to ensure:
- Keys are generated before the symlink is created
- The symlink target exists when the symlink is created
- The system activates successfully on first boot
You could also add a tmpfiles rule condition or systemd ordering to make the dependency explicit.
machines/turingmachine/configuration.nix (1)
40-41: Migration verification complete—no issues found. The turingmachine configuration has successfully migrated from lanzaboote to limine:
- ✅ lanzaboote import is commented out (line 40)
- ✅ limine import is active (line 41) and properly configured with `boot.loader.limine` and secure boot enabled
- ✅ No `boot.loader.systemd-boot` configuration present in turingmachine/configuration.nix
- ✅ No conflicting boot loader settings
The commented-out lanzaboote import (line 40) could optionally be removed entirely for code cleanliness, though the codebase follows a pattern of commenting unused imports rather than deleting them (see qtile, keyd, spora examples in the same file).
machines/eve/modules/vaultwarden.nix (1)
112-116: Consistent host-platform lookup. Switching to `pkgs.stdenv.hostPlatform.system` keeps this service aligned with the flake inputs and avoids surprises when evaluating on alternate hosts.
darwinModules/nix-daemon.nix (1)
11-11: Align nix package selection with stdenv host platform. This keeps the daemon’s package resolution in sync with the rest of the tree’s platform handling—nice tidy-up.
nixosModules/update-prefetch.nix (1)
28-34: Host-platform normalization. Using `pkgs.stdenv.hostPlatform.system` in both download URLs makes the prefetch logic consistent across evaluation contexts.
machines/turingmachine/modules/packages.nix (1)
9-9: Consistent package lookup. Adopting `pkgs.stdenv.hostPlatform.system` here ensures Sengi follows the same resolution rule as the rest of the fleet.
nixosModules/phpldapadmin/package.nix (1)
22-92: Version reuse for the frontend build looks great. Plumbing the frontend derivation through `finalAttrs.version` eliminates the old duplication hazard and keeps the asset pipeline straightforward.
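An added check (example code, not the PR's own nor the limine/clan modules'): a shell function that validates the secure-boot key layout the limine review above relies on, covering the "validate the directory structure" suggestion for lines 7-16 and the "symlink target exists" concern for lines 53-57. It assumes the `keys/{PK,KEK,db}/<name>.{key,pem}` layout the sbctl generator produces; the fixture contents are constructed placeholders, not key material.

```shell
#!/usr/bin/env bash
# Added example, not code from this PR or from the limine/clan modules it touches.
# Checks the key layout that nixosModules/limine.nix assumes below $securebootDir:
#   keys/PK/PK.key  keys/PK/PK.pem  keys/KEK/KEK.key  keys/KEK/KEK.pem
#   keys/db/db.key  keys/db/db.pem
# Run after `sbctl create-keys` (or before the tmpfiles symlink is created) so a
# broken layout fails loudly instead of producing a dangling symlink.

# check_secureboot_keys DIR
#   Returns 0 when every expected file exists and is non-empty, every .pem starts
#   with a PEM certificate header and no private key is group/world-readable;
#   returns 1 otherwise and lists each problem on stderr.
check_secureboot_keys() {
  local dir="$1" name key pem perm rc=0
  for name in PK KEK db; do
    key="$dir/keys/$name/$name.key"
    pem="$dir/keys/$name/$name.pem"
    if [ ! -s "$key" ]; then
      echo "missing or empty private key: $key" >&2; rc=1
    else
      # GNU stat (-c %a) first, BSD/macOS stat (-f %Lp) as fallback; both print the octal mode
      perm=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
      case "$perm" in
        *00) ;;  # group and other bits clear (e.g. 600 or 400)
        *) echo "private key readable by group/other (mode $perm): $key" >&2; rc=1 ;;
      esac
    fi
    if [ ! -s "$pem" ]; then
      echo "missing or empty certificate: $pem" >&2; rc=1
    elif [ "$(head -n 1 "$pem")" != "-----BEGIN CERTIFICATE-----" ]; then
      echo "not a PEM certificate envelope: $pem" >&2; rc=1
    fi
  done
  return "$rc"
}

# make_fixture DIR: constructed sample layout with placeholder contents (no real
# key material), so the check can be exercised without sbctl.
make_fixture() {
  local dir="$1" name
  for name in PK KEK db; do
    mkdir -p "$dir/keys/$name"
    printf '%s\n' 'PLACEHOLDER-PRIVATE-KEY' > "$dir/keys/$name/$name.key"
    chmod 600 "$dir/keys/$name/$name.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' \
      '-----END CERTIFICATE-----' > "$dir/keys/$name/$name.pem"
  done
}

# Demo: a complete layout passes; a layout missing db.key is rejected.
demo_tmp=$(mktemp -d)
make_fixture "$demo_tmp/good"
check_secureboot_keys "$demo_tmp/good" && echo "good layout: OK"
make_fixture "$demo_tmp/bad" && rm "$demo_tmp/bad/keys/db/db.key"
check_secureboot_keys "$demo_tmp/bad" || echo "bad layout: rejected"
rm -rf "$demo_tmp"
```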
91b0613 to 925be53
No description provided.