security stuff in nixos-base

modules/features/nixos-base.nix

@@ -38,5 +38,9 @@
     networking.networkmanager.enable = true;
 
     services.openssh.enable = true;
+
+    security.polkit.enable = true; # polkit
+    services.gnome.gnome-keyring.enable = true; # secret service
+    security.pam.services.swaylock = {};
   };
 }

modules/hosts/john-p14s/configuration.nix

@@ -11,6 +11,7 @@
       imports = [
         self.modules.nixos.base
         self.modules.nixos.p14sHardware
+        self.modules.nixos.onepassword
       ];
 
       rebuild.flakeDir = flakeDir;
@@ -32,15 +33,6 @@
       security.pam.services.swaylock = {};
       security.pam.services.swaylock.fprintAuth = true;
 
-      programs._1password.enable = true;
-      programs._1password-gui = {
-        enable = true;
-        # Certain features, including CLI integration and system authentication support,
-        # require enabling PolKit integration on some desktop environments (e.g. Plasma).
-        polkitPolicyOwners = [ "john" ];
-        # TODO this should not be a hardcoded username
-      };
-
       # This value determines the NixOS release from which the default
       # settings for stateful data, like file locations and database versions
       # on your system were taken. It's perfectly fine and recommended to leave

modules/hosts/omen-nixos/configuration.nix

@@ -7,6 +7,7 @@
       self.modules.nixos.base
       self.modules.nixos.greetd
       self.modules.nixos.niri
+      self.modules.nixos.onepassword
     ];
 
     # Use the systemd-boot EFI boot loader.
@@ -112,6 +113,9 @@
     home-manager.users.john.imports = with inputs.self.modules.homeManager; [
       desktop
       # rebuild
+      {
+        my-vscode.enable = true;
+      }
     ];
   };
 

modules/programs/onepassword.nix

@@ -1,4 +1,15 @@
 { self, inputs, ... }: {
+  flake.modules.nixos.onepassword = { config, ... }: {
+    programs._1password.enable = true;
+    programs._1password-gui = {
+      enable = true;
+      # Certain features, including CLI integration and system authentication support,
+      # require enabling PolKit integration on some desktop environments (e.g. Plasma).
+      polkitPolicyOwners = [ "john" ];
+      # TODO this should not be a hardcoded username
+    };
+  };
+
   flake.modules.homeManager.onepassword = { config, ... }: {
     home.file.".config/1Password/ssh/agent.toml".text = ''
       # https://developer.1password.com/docs/ssh/agent/config