From 265a299f24f031ad22793a78c575ea395ecf7c11 Mon Sep 17 00:00:00 2001
From: Alexander Wainwright <code@figtree.dev>
Date: Sat, 11 Apr 2026 11:21:56 +1000
Subject: [PATCH] fix: remove trusted-users escalation, restore comments, move
 man-db to core

- Remove alex from nix.settings.trusted-users in core.nix (was not in
  the original base.nix and widens attack surface by allowing arbitrary
  binary cache configuration without sudo)
- Restore useful comments in base.nix (zram explanation, earlyoom
  purpose, avahi/systemd-resolved notes)
- Move documentation.man.man-db.enable = false into core.nix so all
  hosts get it, remove redundant setting from wintermute and nightcity

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 hosts/modules/base.nix             | 10 +++++++---
 hosts/modules/core.nix             |  5 ++++-
 hosts/nightcity/configuration.nix  |  4 ----
 hosts/wintermute/configuration.nix |  2 --
 4 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/hosts/modules/base.nix b/hosts/modules/base.nix
index 9c31a2c..16c1e73 100644
--- a/hosts/modules/base.nix
+++ b/hosts/modules/base.nix
@@ -2,14 +2,15 @@
 {
   imports = [ ./core.nix ];
 
-  services.udev.packages = [ pkgs.rtl-sdr ];
-
+  # zram creates a compressed swap device backed by RAM, so swap pages are
+  # compressed in memory rather than written to disk.
   zramSwap.enable = true;
 
   boot.kernel.sysctl = {
     "vm.swappiness" = 10;
   };
 
+  # stop the system becoming unresponsive when out of ram
   services.earlyoom = {
     enable = true;
     freeMemThreshold = 10;
@@ -37,7 +38,7 @@
 
   services.avahi = {
     enable = true;
-    nssmdns4 = true;
+    nssmdns4 = true; # enable mDNS NSS lookups (.local resolution)
     nssmdns6 = true;
     publish = {
       enable = true;
@@ -45,6 +46,9 @@
       workstation = true;
     };
     openFirewall = true;
+    # if using systemd-resolved alongside avahi, also enable:
+    # services.resolved.enable = true;
+    # services.resolved.extraConfig = "MulticastDNS=yes";
   };
 
   environment.systemPackages = with pkgs; [
diff --git a/hosts/modules/core.nix b/hosts/modules/core.nix
index 159e9ce..3924b0f 100644
--- a/hosts/modules/core.nix
+++ b/hosts/modules/core.nix
@@ -21,7 +21,11 @@
 
   programs.fish.enable = true;
 
+  # generating man caches is very slow when fish is enabled and may not
+  # complete during activation. disabling breaks fish man completion and
+  # apropos but is otherwise harmless.
   documentation.man.generateCaches = false;
+  documentation.man.man-db.enable = false;
 
   time.timeZone = "Australia/Brisbane";
 
@@ -45,7 +49,6 @@
   nix.settings = {
     experimental-features = [ "nix-command" "flakes" ];
     auto-optimise-store = true;
-    trusted-users = [ "root" "alex" ];
   };
 
   nix.gc = {
diff --git a/hosts/nightcity/configuration.nix b/hosts/nightcity/configuration.nix
index bac0d0f..c3965ec 100644
--- a/hosts/nightcity/configuration.nix
+++ b/hosts/nightcity/configuration.nix
@@ -19,10 +19,6 @@
     privileged = true;
   };
 
-  documentation.man = {
-    man-db.enable = false;
-  };
-
   networking.firewall.allowedTCPPorts = [
     8000
   ];
diff --git a/hosts/wintermute/configuration.nix b/hosts/wintermute/configuration.nix
index f81c3ba..a5365e4 100644
--- a/hosts/wintermute/configuration.nix
+++ b/hosts/wintermute/configuration.nix
@@ -29,7 +29,5 @@
     openFirewall = true;
   };
 
-  documentation.man.man-db.enable = false;
-
   system.stateVersion = "25.11";
 }