feat(preservation): add .openclaw, harden home dir permissions

Signed-off-by: Ryan Yin <xiaoyin_c@qq.com>
2026-04-21 08:21:24 +02:00 · 2026-02-25 22:22:34 +08:00
parent a52f48fbbe
commit 1222bb25d0
3 changed files with 21 additions and 10 deletions
--- a/hosts/idols-ai/preservation.nix
+++ b/hosts/idols-ai/preservation.nix
@@ -1,5 +1,6 @@
 {
  preservation,
+  lib,
  pkgs,
  myvars,
  ...
@@ -148,6 +149,7 @@ in
        # ai agents
        ".claude"
        ".gemini"
+        ".openclaw"

        # nvim
        ".local/share/nvim"
@@ -230,10 +232,15 @@ in
          directory = ".pki";
          mode = "0700";
        }
-
-        ".local/share/password-store"
-        # gnmome keyrings
-        ".local/share/keyrings"
+        {
+          directory = ".local/share/password-store";
+          mode = "0700";
+        }
+        {
+          # gnmome keyrings
+          directory = ".local/share/keyrings";
+          mode = "0700";
+        }

        # ======================================
        # Games / Media
@@ -291,7 +298,10 @@ in
        ".local/share/containers"
        ".local/share/flatpak"
        # flatpak/nixpak app's data
-        ".var"
+        {
+          directory = ".var";
+          mode = "0700";
+        }

        # ======================================
        # Misc
@@ -358,8 +368,8 @@ in
    let
      permission = {
        user = username;
-        group = "users";
-        mode = "0755";
+        group = lib.mkForce username;
+        mode = lib.mkForce "0750";
      };
    in
    {
--- a/hosts/k8s/kubevirt-shoryu/preservation.nix
+++ b/hosts/k8s/kubevirt-shoryu/preservation.nix
@@ -1,5 +1,6 @@
 {
  preservation,
+  lib,
  pkgs,
  myvars,
  ...
@@ -74,8 +75,8 @@ in
    let
      permission = {
        user = username;
-        group = "users";
-        mode = "0755";
+        group = lib.mkForce username;
+        mode = lib.mkForce "0750";
      };
    in
    {