From 9813812dfcba40347b094ac62bbe65c7206bb893 Mon Sep 17 00:00:00 2001
From: rope
Date: Tue, 30 Jun 2026 20:00:32 +0100
Subject: [PATCH] Move insecure-pnpm/broadcom-sta allowance to common.nix (vesktop on all hosts)

Co-Authored-By: Claude Opus 4.8
---
 common.nix | 6 ++++++
 hosts/hardware/FredOS-Macbook.nix | 3 +--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/common.nix b/common.nix
index bac046e..2d07bff 100644
--- a/common.nix
+++ b/common.nix
@@ -91,6 +91,12 @@
 # Allow unfree packages
 nixpkgs.config.allowUnfree = true;
 
+ # vesktop (multiple hosts) builds with pnpm via fetchPnpmDeps, which nixpkgs
+ # marks insecure (build-time only, hash-pinned FOD — not in PATH). broadcom-sta
+ # is Macbook-only Wi-Fi but allowing it everywhere is harmless (absent on others).
+ nixpkgs.config.allowInsecurePredicate = pkg:
+ lib.any (p: lib.hasPrefix p (lib.getName pkg)) [ "broadcom-sta" "pnpm" ];
+
 # Flakes — nixos-rebuild self-enables these, but plain `nix eval` /
 # `nix flake check` on the hosts need them too.
 nix.settings.experimental-features = [ "nix-command" "flakes" ];
diff --git a/hosts/hardware/FredOS-Macbook.nix b/hosts/hardware/FredOS-Macbook.nix
index a045388..39af88d 100644
--- a/hosts/hardware/FredOS-Macbook.nix
+++ b/hosts/hardware/FredOS-Macbook.nix
@@ -55,8 +55,7 @@
 })
 ];
 
- nixpkgs.config.allowInsecurePredicate = pkg:
- lib.any (p: lib.hasPrefix p (lib.getName pkg)) [ "broadcom-sta" "pnpm" ];
+ # allowInsecurePredicate (broadcom-sta + pnpm) lives in common.nix now.
 
 services.xserver.deviceSection = lib.mkDefault ''
 Option "TearFree" "true"
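Review bot: The predicate added to common.nix matches by name prefix, so on every host it now accepts any insecure-marked package whose name merely starts with `pnpm` or `broadcom-sta`, at any version. That is broader than the build-time fetchPnpmDeps use the comment describes. An exact-name match keeps the exemption to the two intended packages: `lib.elem (lib.getName pkg) [ "broadcom-sta" "pnpm" ]` (assuming both resolve to exactly those names; confirm with an evaluation on each host). Pinning name-version pairs through `nixpkgs.config.permittedInsecurePackages` instead would force a re-review whenever either package is bumped, but a custom `allowInsecurePredicate` replaces the default predicate that reads that list, so pick one mechanism. The comment would also be more useful to the next reader if it named the advisory being accepted for each package, and common.nix needs `lib` among its module arguments, which this hunk does not show.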