Move insecure-pnpm/broadcom-sta allowance to common.nix (vesktop on all hosts)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
rope 2026-06-30 20:00:32 +01:00
parent 7d0c729e91
commit 9813812dfc
2 changed files with 7 additions and 2 deletions


@ -91,6 +91,12 @@
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
# vesktop (multiple hosts) builds with pnpm via fetchPnpmDeps, which nixpkgs
# marks insecure (build-time only, hash-pinned FOD — not in PATH). broadcom-sta
# is Macbook-only Wi-Fi but allowing it everywhere is harmless (absent on others).
nixpkgs.config.allowInsecurePredicate = pkg:
lib.any (p: lib.hasPrefix p (lib.getName pkg)) [ "broadcom-sta" "pnpm" ];
# Flakes — nixos-rebuild self-enables these, but plain `nix eval` /
# `nix flake check` on the hosts need them too.
nix.settings.experimental-features = [ "nix-command" "flakes" ];
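Review bot: The predicate `lib.any (p: lib.hasPrefix p (lib.getName pkg)) [ "broadcom-sta" "pnpm" ]` matches on a name prefix and ignores the version, so on every host it now accepts any insecure-marked package whose name merely starts with `pnpm` or `broadcom-sta`. That includes a future advisory against a newer pnpm release, or a pnpm that someone later adds to a runtime package set; the comment's "build-time only" argument describes the vesktop fetcher, but the predicate does not enforce it. If the pnames are exact, `builtins.elem (lib.getName pkg) [ "broadcom-sta" "pnpm" ]` narrows the match. Pinning name-version strings in `nixpkgs.config.permittedInsecurePackages` instead would make a newly flagged version fail evaluation rather than pass silently. As far as I can tell, defining `allowInsecurePredicate` also replaces the nixpkgs default predicate, so a `permittedInsecurePackages` list set in any host module would no longer be consulted, which is worth confirming now that this is fleet-wide.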


@ -55,8 +55,7 @@
})
];
nixpkgs.config.allowInsecurePredicate = pkg:
lib.any (p: lib.hasPrefix p (lib.getName pkg)) [ "broadcom-sta" "pnpm" ];
# allowInsecurePredicate (broadcom-sta + pnpm) lives in common.nix now.
services.xserver.deviceSection = lib.mkDefault ''
Option "TearFree" "true"