From 4622c52d5b7df45a12b5657f3af638020e86eb7c Mon Sep 17 00:00:00 2001 
From: Harald Hoyer Date: Fri, 30 Jan 2026 06:06:03 +0100 Subject: [PATCH 1/3] refactor(nix): extract common system configs into reusable modules Create 6 new NixOS modules to reduce duplication across system configs: - hardware/wooting: Wooting keyboard udev rules and Bluetooth compat - services/nginx-base: Common nginx server settings - services/acme-base: ACME certificate defaults - services/xremap: Key remapping with sensible defaults - system/no-sleep: Disable sleep/suspend/hibernate targets - system/kernel-tweaks: PM freeze timeout and zram configuration Update system configuration files to use these new modules. Co-Authored-By: Claude Opus 4.5 --- modules/nixos/hardware/wooting/default.nix | 25 +++++++++++ modules/nixos/services/acme-base/default.nix | 41 +++++++++++++++++ modules/nixos/services/nginx-base/default.nix | 42 ++++++++++++++++++ modules/nixos/services/xremap/default.nix | 44 +++++++++++++++++++ .../nixos/system/kernel-tweaks/default.nix | 29 ++++++++++++ modules/nixos/system/no-sleep/default.nix | 28 ++++++++++++ systems/aarch64-linux/m4nix/default.nix | 22 +++------- systems/aarch64-linux/rnix/default.nix | 22 +++------- systems/x86_64-linux/amd/default.nix | 34 +++++--------- systems/x86_64-linux/amd/xremap.nix | 44 +++++++------------ systems/x86_64-linux/mx/acme.nix | 14 ++---- systems/x86_64-linux/mx/default.nix | 3 +- systems/x86_64-linux/mx/nginx.nix | 18 +------- systems/x86_64-linux/nixtee1/default.nix | 16 +++---- systems/x86_64-linux/sgx-attic/default.nix | 12 +++-- systems/x86_64-linux/sgx/acme.nix | 12 ++--- systems/x86_64-linux/sgx/default.nix | 19 ++++---- systems/x86_64-linux/sgx/nginx.nix | 18 +------- systems/x86_64-linux/t15/default.nix | 5 +-- systems/x86_64-linux/x1/default.nix | 36 +++++---------- systems/x86_64-linux/x1/xremap.nix | 44 +++++++------------ 21 files changed, 310 insertions(+), 218 deletions(-) create mode 100644 modules/nixos/hardware/wooting/default.nix create mode 100644 
modules/nixos/services/acme-base/default.nix create mode 100644 modules/nixos/services/nginx-base/default.nix create mode 100644 modules/nixos/services/xremap/default.nix create mode 100644 modules/nixos/system/kernel-tweaks/default.nix create mode 100644 modules/nixos/system/no-sleep/default.nix
diff --git a/modules/nixos/hardware/wooting/default.nix b/modules/nixos/hardware/wooting/default.nix
new file mode 100644
index 0000000..e5cc8f5
--- /dev/null
+++ b/modules/nixos/hardware/wooting/default.nix
@@ -0,0 +1,25 @@
+{
+ config,
+ lib,
+ ...
+}:
+with lib;
+with lib.metacfg;
+let
+ cfg = config.metacfg.hardware.wooting;
+in
+{
+ options.metacfg.hardware.wooting = with types; {
+ enable = mkBoolOpt false "Whether or not to enable Wooting keyboard support.";
+ enableBluetoothCompat = mkBoolOpt true "Disable ClassicBondedOnly for Bluetooth compatibility.";
+ };
+
+ config = mkIf cfg.enable {
+ hardware.bluetooth.input.General.ClassicBondedOnly = mkIf cfg.enableBluetoothCompat false;
+
+ services.udev.extraRules = ''
+ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="342d", ATTRS{idProduct}=="e4c5", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"
+ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="342d", ATTRS{idProduct}=="e489", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"
+ '';
+ };
+}
diff --git a/modules/nixos/services/acme-base/default.nix b/modules/nixos/services/acme-base/default.nix
new file mode 100644
index 0000000..d572848
--- /dev/null
+++ b/modules/nixos/services/acme-base/default.nix
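Review bot: `enableBluetoothCompat` defaults to `true`, so merely enabling Wooting support sets `hardware.bluetooth.input.General.ClassicBondedOnly = false` on every host, and as I understand it BlueZ's bonded-only default for classic HID exists to stop unauthenticated keystroke injection from unpaired devices; a relaxation like that should be opt-in rather than bundled with keyboard support. I would change it to `enableBluetoothCompat = mkBoolOpt false "..."` and put a why-comment on the assignment: `# Allows unbonded classic-BT HID devices to connect; this weakens BlueZ's keystroke-injection protection, so only enable it if the keyboard really fails to pair otherwise.` The udev rules also pair `TAG+="uaccess"` (ACL for the active seat only) with `MODE="0660", GROUP="users"`, which makes the raw hidraw endpoints writable by every member of `users` regardless of who is at the console; if the Wooting tooling works with uaccess alone, the group grant should be dropped.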
@@ -0,0 +1,41 @@
+{
+ config,
+ lib,
+ ...
+}:
+with lib;
+with lib.metacfg;
+let
+ cfg = config.metacfg.services.acmeBase;
+in
+{
+ options.metacfg.services.acmeBase = with types; {
+ enable = mkBoolOpt false "Whether or not to enable ACME with common settings.";
+ email = mkOption {
+ type = types.str;
+ default = "harald@hoyer.xyz";
+ description = "Registration email for ACME.";
+ };
+ dnsProvider = mkOption {
+ type = types.str;
+ default = "cloudflare";
+ description = "DNS provider for ACME DNS-01 challenge.";
+ };
+ credentialsFile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ description = "Path to the credentials file for the DNS provider.";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = cfg.email;
+ dnsProvider = cfg.dnsProvider;
+ credentialsFile = mkIf (cfg.credentialsFile != null) cfg.credentialsFile;
+ };
+ };
+ };
+}
diff --git a/modules/nixos/services/nginx-base/default.nix b/modules/nixos/services/nginx-base/default.nix
new file mode 100644
index 0000000..6b2dd52
--- /dev/null
+++ b/modules/nixos/services/nginx-base/default.nix
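Review bot: `credentialsFile` is typed `types.nullOr types.path`, and a `types.path` happily accepts a path literal such as `./creds`, which Nix would then copy into the world-readable store; the module only stays safe because the callers on this page pass a sops runtime path. I would either narrow it to `types.str` with a description stating the file must be an absolute path outside the Nix store, or keep the type and add `assertion = cfg.credentialsFile == null || !lib.hasPrefix builtins.storeDir (toString cfg.credentialsFile);` with a message naming the leak. Separately, enabling the module with `credentialsFile = null` still configures a DNS-01 default that can only fail at renewal time, so an assertion that the file is set whenever `enable` is true would surface the misconfiguration at build instead.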
@@ -0,0 +1,42 @@
+{
+ config,
+ lib,
+ ...
+}:
+with lib;
+with lib.metacfg;
+let
+ cfg = config.metacfg.services.nginxBase;
+in
+{
+ options.metacfg.services.nginxBase = with types; {
+ enable = mkBoolOpt false "Whether or not to enable nginx with common settings.";
+ clientMaxBodySize = mkOption {
+ type = types.str;
+ default = "1000M";
+ description = "Maximum allowed size of the client request body.";
+ };
+ enableAcmeGroup = mkBoolOpt true "Add nginx user to acme group.";
+ enableVcombinedLog = mkBoolOpt true "Enable vcombined log format.";
+ };
+
+ config = mkIf cfg.enable {
+ users.users.nginx.extraGroups = mkIf cfg.enableAcmeGroup [ "acme" ];
+
+ services.nginx = {
+ enable = true;
+ clientMaxBodySize = cfg.clientMaxBodySize;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ appendHttpConfig = mkIf cfg.enableVcombinedLog ''
+ log_format vcombined '$host:$server_port '
+ '$remote_addr - $remote_user [$time_local] '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"';
+ access_log /var/log/nginx/access.log vcombined;
+ '';
+ };
+ };
+}
diff --git a/modules/nixos/services/xremap/default.nix b/modules/nixos/services/xremap/default.nix
new file mode 100644
index 0000000..6f22f38
--- /dev/null
+++ b/modules/nixos/services/xremap/default.nix
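Review bot: `clientMaxBodySize` defaults to `"1000M"` and is applied at the http level, so every virtual host on a host that enables `nginxBase` — including the catch-all `serverName = "_"` host on mx later in this patch — will accept 1 GB request bodies, which belongs on the few upload endpoints that need it rather than in a base module. I would lower the default to something like `"10m"` and let hosts raise it, or at least document the option with `# Global cap for all vhosts; raise per vhost via extraConfig = "client_max_body_size …;" rather than here.` The `appendHttpConfig` block also replaces the default `access_log` for the whole http context, which is presumably intended but worth a one-line comment since it changes what lands in `/var/log/nginx/access.log` for every vhost.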
@@ -0,0 +1,44 @@
+{
+ config,
+ lib,
+ ...
+}:
+with lib;
+with lib.metacfg;
+let
+ cfg = config.metacfg.services.xremap;
+in
+{
+ options.metacfg.services.xremap = with types; {
+ enable = mkBoolOpt false "Whether or not to enable xremap key remapping.";
+ userName = mkOption {
+ type = types.str;
+ default = "harald";
+ description = "User to run xremap as.";
+ };
+ withGnome = mkBoolOpt true "Enable GNOME support.";
+ deviceNames = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ description = "List of device names to remap.";
+ };
+ config = mkOption {
+ type = types.attrs;
+ default = { };
+ description = "Xremap configuration.";
+ };
+ };
+
+ config = {
+ services.xremap = {
+ enable = cfg.enable;
+ userName = mkIf cfg.enable cfg.userName;
+ serviceMode = mkIf cfg.enable "user";
+ withGnome = mkIf cfg.enable cfg.withGnome;
+ deviceNames = mkIf cfg.enable cfg.deviceNames;
+ config = mkIf cfg.enable cfg.config;
+ };
+
+ users.users.${cfg.userName}.extraGroups = mkIf cfg.enable [ "input" ];
+ };
+}
diff --git a/modules/nixos/system/kernel-tweaks/default.nix b/modules/nixos/system/kernel-tweaks/default.nix
new file mode 100644
index 0000000..0443809
--- /dev/null
+++ b/modules/nixos/system/kernel-tweaks/default.nix
@@ -0,0 +1,29 @@
+{
+ config,
+ lib,
+ ...
+}:
+with lib;
+with lib.metacfg;
+let
+ cfg = config.metacfg.system.kernelTweaks;
+in
+{
+ options.metacfg.system.kernelTweaks = with types; {
+ enable = mkBoolOpt false "Whether or not to enable desktop kernel optimizations.";
+ pmFreezeTimeout = mkOption {
+ type = types.int;
+ default = 30000;
+ description = "PM freeze timeout in milliseconds.";
+ };
+ enableZram = mkBoolOpt true "Enable zram swap.";
+ };
+
+ config = mkIf cfg.enable {
+ boot.kernel.sysctl = {
+ "power.pm_freeze_timeout" = cfg.pmFreezeTimeout;
+ };
+
+ zramSwap.enable = cfg.enableZram;
+ };
+}
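Review bot: `config` is not wrapped in `mkIf cfg.enable`, so `services.xremap.enable = cfg.enable` is asserted unconditionally and a host that sets `services.xremap.enable = true` on its own would hit a conflicting-definition error against this module's `false`; the per-attribute `mkIf cfg.enable` calls are then just noise. I would restructure it as `config = mkIf cfg.enable { services.xremap = { enable = true; userName = cfg.userName; serviceMode = "user"; withGnome = cfg.withGnome; deviceNames = cfg.deviceNames; config = cfg.config; }; users.users.${cfg.userName}.extraGroups = [ "input" ]; };`. The `extraGroups` line deserves a comment that membership in `input` grants the user read access to every evdev device, i.e. every keystroke on the machine, which is inherent to running xremap as a user service. `types.attrs` for `config` also does not merge across definitions; `types.attrsOf types.anything` would at least let two files contribute top-level keys.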
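Review bot: `zramSwap.enable = cfg.enableZram;` pins `zramSwap.enable` to `false` whenever `enableZram` is off, so a host that enables zram itself while using this module only for the freeze timeout gets a conflicting-definition error; `zramSwap.enable = mkIf cfg.enableZram true;` leaves the host free to decide. I also cannot confirm from this page that `power.pm_freeze_timeout` is reachable through `boot.kernel.sysctl` — the kernel documents that knob at `/sys/power/pm_freeze_timeout`, not under `/proc/sys` — so if `sysctl` logs it as missing the value needs a tmpfiles write or a kernel parameter instead. A comment recording what was verified would help, e.g. `# Set via sysctl; confirm it actually lands in /sys/power/pm_freeze_timeout on this kernel.`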
diff --git a/modules/nixos/system/no-sleep/default.nix b/modules/nixos/system/no-sleep/default.nix
new file mode 100644
index 0000000..9e12659
--- /dev/null
+++ b/modules/nixos/system/no-sleep/default.nix
@@ -0,0 +1,28 @@
+{
+ config,
+ lib,
+ ...
+}:
+with lib;
+with lib.metacfg;
+let
+ cfg = config.metacfg.system.noSleep;
+in
+{
+ options.metacfg.system.noSleep = with types; {
+ enable = mkBoolOpt false "Whether or not to disable all sleep targets.";
+ disableGdmAutoSuspend = mkBoolOpt false "Disable GDM auto-suspend.";
+ ignoreLidSwitch = mkBoolOpt false "Ignore lid switch events.";
+ };
+
+ config = mkIf cfg.enable {
+ systemd.targets.sleep.enable = false;
+ systemd.targets.suspend.enable = false;
+ systemd.targets.hibernate.enable = false;
+ systemd.targets.hybrid-sleep.enable = false;
+
+ services.displayManager.gdm.autoSuspend = mkIf cfg.disableGdmAutoSuspend false;
+
+ services.logind.settings.Login.HandleLidSwitch = mkIf cfg.ignoreLidSwitch "ignore";
+ };
+}
diff --git a/systems/aarch64-linux/m4nix/default.nix b/systems/aarch64-linux/m4nix/default.nix
index d8cd570..f8a6934 100644
--- a/systems/aarch64-linux/m4nix/default.nix
+++ b/systems/aarch64-linux/m4nix/default.nix
@@ -9,7 +9,13 @@ with lib.metacfg; services.spice-autorandr.enable = true; services.spice-vdagentd.enable = true; + services.resolved.enable = true; + services.resolved.extraConfig = '' + ResolveUnicastSingleLabel=yes + ''; + metacfg = { + system.noSleep.enable = true; base.enable = true; gui.enable = true; nix-ld.enable = true;
@@ -34,13 +40,6 @@ with lib.metacfg; ]; }; - # Disable the GNOME3/GDM auto-suspend feature that cannot be disabled in GUI! - # If no user is logged in, the machine will power down after 20 minutes. - systemd.targets.sleep.enable = false; - systemd.targets.suspend.enable = false; - systemd.targets.hibernate.enable = false; - systemd.targets.hybrid-sleep.enable = false; - environment.systemPackages = with pkgs; [ azure-cli desktop-file-utils
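Review bot: The module drops the explanation the per-host configs carried for masking four systemd targets (the m4nix removal on this page still shows it: GDM auto-suspends an idle machine with no session logged in and that cannot be turned off from the GUI), so the reason now lives nowhere. I would restore it above `config = mkIf cfg.enable {` as `# Mask every sleep target: GDM auto-suspends an idle machine with nobody logged in and offers no GUI switch for it.` Given that motivation, `disableGdmAutoSuspend` defaulting to `false` is surprising; either default it to `true` or document why the GDM setting is kept separate from the target masking.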
@@ -60,16 +59,11 @@ with lib.metacfg; services.ratbagd.enable = true; - services.resolved.enable = true; - #services.resolved.dnssec = "allow-downgrade"; - services.resolved.extraConfig = '' - ResolveUnicastSingleLabel=yes - ''; - virtualisation = { docker.enable = true; podman.dockerCompat = false; libvirtd.enable = false; + rosetta.enable = true; }; system.autoUpgrade = { @@ -78,7 +72,5 @@ with lib.metacfg; allowReboot = false; }; - virtualisation.rosetta.enable = true; - system.stateVersion = "25.05"; } diff --git a/systems/aarch64-linux/rnix/default.nix b/systems/aarch64-linux/rnix/default.nix index d8cd570..f8a6934 100644 --- a/systems/aarch64-linux/rnix/default.nix +++ b/systems/aarch64-linux/rnix/default.nix @@ -9,7 +9,13 @@ with lib.metacfg; services.spice-autorandr.enable = true; services.spice-vdagentd.enable = true; + services.resolved.enable = true; + services.resolved.extraConfig = '' + ResolveUnicastSingleLabel=yes + ''; + metacfg = { + system.noSleep.enable = true; base.enable = true; gui.enable = true; nix-ld.enable = true; @@ -34,13 +40,6 @@ with lib.metacfg; ]; }; - # Disable the GNOME3/GDM auto-suspend feature that cannot be disabled in GUI! - # If no user is logged in, the machine will power down after 20 minutes. - systemd.targets.sleep.enable = false; - systemd.targets.suspend.enable = false; - systemd.targets.hibernate.enable = false; - systemd.targets.hybrid-sleep.enable = false; - environment.systemPackages = with pkgs; [ azure-cli desktop-file-utils @@ -60,16 +59,11 @@ with lib.metacfg; services.ratbagd.enable = true; - services.resolved.enable = true; - #services.resolved.dnssec = "allow-downgrade"; - services.resolved.extraConfig = '' - ResolveUnicastSingleLabel=yes - ''; - virtualisation = { docker.enable = true; podman.dockerCompat = false; libvirtd.enable = false; + rosetta.enable = true; }; system.autoUpgrade = { 
@@ -78,7 +72,5 @@ with lib.metacfg; allowReboot = false; }; - virtualisation.rosetta.enable = true; - system.stateVersion = "25.05"; } diff --git a/systems/x86_64-linux/amd/default.nix b/systems/x86_64-linux/amd/default.nix index 08b0b84..c48ddf6 100644 --- a/systems/x86_64-linux/amd/default.nix +++ b/systems/x86_64-linux/amd/default.nix @@ -18,21 +18,17 @@ with lib.metacfg; 22000 ]; - services.tailscale.enable = true; - services.cratedocs-mcp.enable = true; services.openssh = { enable = true; }; - hardware.bluetooth.input.General.ClassicBondedOnly = false; - services.udev.extraRules = '' - KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="342d", ATTRS{idProduct}=="e4c5", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl" - KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="342d", ATTRS{idProduct}=="e489", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl" - ''; + services.tailscale.enable = true; + services.resolved.enable = true; metacfg = { + hardware.wooting.enable = true; base.enable = true; gui.enable = true; nix-ld.enable = true; @@ -59,15 +55,21 @@ with lib.metacfg; "dialout" "tss" ]; + system.kernelTweaks.enable = true; + }; + + system.autoUpgrade = { + enable = true; + operation = "boot"; + allowReboot = false; }; nixpkgs.config.permittedInsecurePackages = [ "electron-27.3.11" ]; - # Kernel tuning + # Additional kernel tuning beyond the module defaults boot.kernel.sysctl = { - "power.pm_freeze_timeout" = 30000; # Reduce swap usage (you have zram) "vm.swappiness" = 10; # Prefer keeping directory/inode caches 
@@ -111,32 +113,18 @@ with lib.metacfg; # zram swap with zstd compression for better performance zramSwap = { - enable = true; algorithm = "zstd"; memoryPercent = 50; }; services.ratbagd.enable = true; - services.resolved.enable = true; - - #services.resolved.dnssec = "allow-downgrade"; - #services.resolved.extraConfig = '' - # ResolveUnicastSingleLabel=yes - #''; - virtualisation = { libvirtd.enable = true; docker.enable = true; podman.dockerCompat = false; }; - system.autoUpgrade = { - enable = true; - operation = "boot"; - allowReboot = false; - }; - services.trezord.enable = true; services.ollama = { diff --git a/systems/x86_64-linux/amd/xremap.nix b/systems/x86_64-linux/amd/xremap.nix index 64a45c0..c28dd0a 100644 --- a/systems/x86_64-linux/amd/xremap.nix +++ b/systems/x86_64-linux/amd/xremap.nix 
@@ -1,33 +1,21 @@ -# In /etc/nixos/configuration.nix { ... }: { - users.users.harald.extraGroups = [ "input" ]; - - # Enable the xremap service - services.xremap.enable = true; - services.xremap.userName = "harald"; # Replace with your username - services.xremap.serviceMode = "user"; # Run as user service, not system-wide - services.xremap.withGnome = true; - - # Add a specific configuration block to select your keyboard(s) by name - services.xremap.deviceNames = [ - # Use the name found in the log output: "Hangsheng MonsGeek Keyboard System Control" - "Hangsheng MonsGeek Keyboard" - "HS Galaxy100 Keyboard" - # You can usually shorten the name slightly to match the device you want - ]; - - # Define your remapping configuration using Nix's attribute set format - services.xremap.config = { - keymap = [ - { - remap = { - # Map Alt+C (LeftAlt-C) to Ctrl+C (LeftControl-C) - LeftAlt-C = "COPY"; - LeftAlt-V = "PASTE"; - LeftAlt-X = "CUT"; - }; - } + metacfg.services.xremap = { + enable = true; + deviceNames = [ + "Hangsheng MonsGeek Keyboard" + "HS Galaxy100 Keyboard" ]; + config = { + keymap = [ + { + remap = { + LeftAlt-C = "COPY"; + LeftAlt-V = "PASTE"; + LeftAlt-X = "CUT"; + }; + } + ]; + }; }; } diff --git a/systems/x86_64-linux/mx/acme.nix b/systems/x86_64-linux/mx/acme.nix index 069bb2d..ee338c4 100644 --- a/systems/x86_64-linux/mx/acme.nix +++ b/systems/x86_64-linux/mx/acme.nix @@ -1,6 +1,4 @@ { - pkgs, - lib, config, ... }: @@ -9,14 +7,9 @@ sopsFile = ../../../.secrets/hetzner/internetbs.yaml; # bring your own password file }; - security.acme = { - acceptTerms = true; - defaults = { - email = "harald@hoyer.xyz"; - dnsProvider = "cloudflare"; - credentialsFile = config.sops.secrets.internetbs.path; - }; - certs = { + metacfg.services.acmeBase.credentialsFile = config.sops.secrets.internetbs.path; + + security.acme.certs = { "surfsite.org" = { extraDomainNames = [ "*.surfsite.org" ]; }; @@ -71,5 +64,4 @@ extraDomainNames = [ "*.harald-hoyer.de" ]; }; }; - }; } 
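Review bot: The host no longer states its DNS provider — `dnsProvider = "cloudflare"` was dropped in favour of the module default — while the credential it passes is still named `internetbs` from `.secrets/hetzner/internetbs.yaml`, so a reader of this file can no longer tell which API the token is for. I would pin it explicitly beside the credentials line, `metacfg.services.acmeBase.dnsProvider = "cloudflare";`, so a later change to the module default cannot silently break renewal of the wildcard certificates declared here, and add a short comment if the secret name is merely historical. The `security.acme.certs` attrset opened in this hunk closes in a later hunk.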
diff --git a/systems/x86_64-linux/mx/default.nix b/systems/x86_64-linux/mx/default.nix index e8ce185..d2130c7 100644 --- a/systems/x86_64-linux/mx/default.nix +++ b/systems/x86_64-linux/mx/default.nix @@ -22,6 +22,8 @@ services.tailscale.enable = true; metacfg = { + services.nginxBase.enable = true; + services.acmeBase.enable = true; emailOnFailure.enable = true; base.enable = true; nix.enable = true; @@ -42,7 +44,6 @@ dates = "04:00"; operation = "switch"; allowReboot = true; - # flake = lib.mkForce "git+file:///var/lib/gitea/repositories/harald/nixcfg.git#mx"; flake = lib.mkForce "/root/nixcfg/.#mx"; }; diff --git a/systems/x86_64-linux/mx/nginx.nix b/systems/x86_64-linux/mx/nginx.nix index 26556bf..e71eb46 100644 --- a/systems/x86_64-linux/mx/nginx.nix +++ b/systems/x86_64-linux/mx/nginx.nix @@ -1,21 +1,6 @@ { ... }: { - users.users.nginx.extraGroups = [ "acme" ]; - services.nginx = { - enable = true; - clientMaxBodySize = "1000M"; - appendHttpConfig = '' - log_format vcombined '$host:$server_port ' - '$remote_addr - $remote_user [$time_local] ' - '"$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent"'; - access_log /var/log/nginx/access.log vcombined; - ''; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - virtualHosts = { + services.nginx.virtualHosts = { "00000" = { useACMEHost = "hoyer.xyz"; serverName = "_"; @@ -157,5 +142,4 @@ forceSSL = true; }; }; - }; } diff --git a/systems/x86_64-linux/nixtee1/default.nix b/systems/x86_64-linux/nixtee1/default.nix index 4ca3282..6c879ae 100644 --- a/systems/x86_64-linux/nixtee1/default.nix +++ b/systems/x86_64-linux/nixtee1/default.nix @@ -6,8 +6,6 @@ { imports = [ ./hardware-configuration.nix ]; - services.tailscale.enable = true; - boot.kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest; boot.loader.systemd-boot.enable = false; # Bootloader. 
@@ -18,6 +16,8 @@ security.tpm2.enable = false; security.tpm2.abrmd.enable = false; + services.tailscale.enable = true; + metacfg = { base.enable = true; nix-ld.enable = true; @@ -37,12 +37,6 @@ podman.dockerCompat = false; }; - system.autoUpgrade = { - enable = true; - operation = "switch"; - allowReboot = true; - }; - networking.wireless.enable = false; # Enables wireless support via wpa_supplicant. networking.firewall.allowPing = true; @@ -66,5 +60,11 @@ } ]; + system.autoUpgrade = { + enable = true; + operation = "switch"; + allowReboot = true; + }; + system.stateVersion = "25.05"; } diff --git a/systems/x86_64-linux/sgx-attic/default.nix b/systems/x86_64-linux/sgx-attic/default.nix index 5cd7e1d..896c57c 100644 --- a/systems/x86_64-linux/sgx-attic/default.nix +++ b/systems/x86_64-linux/sgx-attic/default.nix @@ -1,7 +1,5 @@ { - pkgs, lib, - config, ... }: with lib; @@ -17,17 +15,17 @@ with lib.metacfg; nix.enable = true; }; - virtualisation = { - docker.enable = true; - podman.dockerCompat = false; - }; - system.autoUpgrade = { enable = true; operation = "switch"; allowReboot = true; }; + virtualisation = { + docker.enable = true; + podman.dockerCompat = false; + }; + security.tpm2.enable = false; security.tpm2.abrmd.enable = false; diff --git a/systems/x86_64-linux/sgx/acme.nix b/systems/x86_64-linux/sgx/acme.nix index b3e1272..76df2ef 100644 --- a/systems/x86_64-linux/sgx/acme.nix +++ b/systems/x86_64-linux/sgx/acme.nix @@ -7,14 +7,9 @@ sopsFile = ../../../.secrets/sgx/internetbs.yaml; # bring your own password file }; - security.acme = { - acceptTerms = true; - defaults = { - email = "harald@hoyer.xyz"; - dnsProvider = "cloudflare"; - credentialsFile = config.sops.secrets.internetbs.path; - }; - certs = { + metacfg.services.acmeBase.credentialsFile = config.sops.secrets.internetbs.path; + + security.acme.certs = { "internal.hoyer.world" = { extraDomainNames = [ "openwebui.hoyer.world" @@ -23,5 +18,4 @@ ]; }; }; - }; } 
diff --git a/systems/x86_64-linux/sgx/default.nix b/systems/x86_64-linux/sgx/default.nix index 0a95eef..e4ecaa8 100644 --- a/systems/x86_64-linux/sgx/default.nix +++ b/systems/x86_64-linux/sgx/default.nix @@ -12,8 +12,6 @@ ./wyoming.nix ]; - services.tailscale.enable = true; - boot.tmp.useTmpfs = false; sops.secrets.pccs.sopsFile = ../../../.secrets/sgx/pccs.yaml; @@ -23,7 +21,16 @@ claude-code ]; + services.tailscale.enable = true; + metacfg = { + services.nginxBase.enable = true; + services.acmeBase.enable = true; + system.noSleep = { + enable = true; + disableGdmAutoSuspend = true; + ignoreLidSwitch = true; + }; emailOnFailure.enable = true; base.enable = true; gui.enable = true; @@ -58,13 +65,5 @@ allowReboot = true; }; - systemd.targets.sleep.enable = false; - systemd.targets.suspend.enable = false; - systemd.targets.hibernate.enable = false; - systemd.targets.hybrid-sleep.enable = false; - services.displayManager.gdm.autoSuspend = false; - - services.logind.settings.Login.HandleLidSwitch = "ignore"; - system.stateVersion = "23.11"; } diff --git a/systems/x86_64-linux/sgx/nginx.nix b/systems/x86_64-linux/sgx/nginx.nix index 0c685c0..52f1cdc 100644 --- a/systems/x86_64-linux/sgx/nginx.nix +++ b/systems/x86_64-linux/sgx/nginx.nix @@ -3,22 +3,7 @@ ... }: { - users.users.nginx.extraGroups = [ "acme" ]; - services.nginx = { - enable = true; - clientMaxBodySize = "1000M"; - appendHttpConfig = '' - log_format vcombined '$host:$server_port ' - '$remote_addr - $remote_user [$time_local] ' - '"$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent"'; - access_log /var/log/nginx/access.log vcombined; - ''; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - virtualHosts = { + services.nginx.virtualHosts = { "openwebui.hoyer.world" = { enableACME = false; useACMEHost = "internal.hoyer.world"; @@ -48,5 +33,4 @@ }; }; }; - }; } 
diff --git a/systems/x86_64-linux/t15/default.nix b/systems/x86_64-linux/t15/default.nix index cce5666..9e39ddc 100644 --- a/systems/x86_64-linux/t15/default.nix +++ b/systems/x86_64-linux/t15/default.nix @@ -2,6 +2,8 @@ { imports = [ ./hardware-configuration.nix ]; + services.resolved.enable = true; + metacfg = { base.enable = true; gui.enable = true; @@ -27,9 +29,6 @@ system.stateVersion = "23.11"; - services.resolved.enable = true; - #services.resolved.dnssec = "allow-downgrade"; - sops.age.sshKeyPaths = [ "/persist/ssh/ssh_host_ed25519_key" ]; sops.secrets.backup-s3.sopsFile = ../../../.secrets/t15/backup-s3.yaml; sops.secrets.backup-pw.sopsFile = ../../../.secrets/t15/backup-s3.yaml; diff --git a/systems/x86_64-linux/x1/default.nix b/systems/x86_64-linux/x1/default.nix index 96122d9..84fbaea 100644 --- a/systems/x86_64-linux/x1/default.nix +++ b/systems/x86_64-linux/x1/default.nix @@ -20,8 +20,6 @@ with lib.metacfg; programs.ccache.enable = true; nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ]; - services.tailscale.enable = true; - services.cratedocs-mcp.enable = true; sops.age.sshKeyPaths = [ "/var/lib/secrets/ssh_host_ed25519_key" ]; @@ -45,13 +43,11 @@ with lib.metacfg; ]; }; - hardware.bluetooth.input.General.ClassicBondedOnly = false; - services.udev.extraRules = '' - KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="342d", ATTRS{idProduct}=="e4c5", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl" - KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="342d", ATTRS{idProduct}=="e489", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl" - ''; + services.tailscale.enable = true; + services.resolved.enable = true; metacfg = { + hardware.wooting.enable = true; base.enable = true; gui.enable = true; nix-ld.enable = true; 
@@ -77,17 +73,19 @@ with lib.metacfg; "dialout" "tss" ]; + system.kernelTweaks.enable = true; + }; + + system.autoUpgrade = { + enable = true; + operation = "boot"; + allowReboot = false; }; nixpkgs.config.permittedInsecurePackages = [ "electron-27.3.11" ]; - # increase freezing timeout - boot.kernel.sysctl = { - "power.pm_freeze_timeout" = 30000; - }; - environment.systemPackages = with pkgs; [ attic-client azure-cli @@ -112,26 +110,12 @@ with lib.metacfg; vscode ]; - zramSwap.enable = true; - services.ratbagd.enable = true; - services.resolved.enable = true; - #services.resolved.dnssec = "allow-downgrade"; - #services.resolved.extraConfig = '' - # ResolveUnicastSingleLabel=yes - #''; - virtualisation = { libvirtd.enable = true; }; - system.autoUpgrade = { - enable = true; - operation = "boot"; - allowReboot = false; - }; - services.trezord.enable = true; services.ollama = { diff --git a/systems/x86_64-linux/x1/xremap.nix b/systems/x86_64-linux/x1/xremap.nix index 64a45c0..c28dd0a 100644 --- a/systems/x86_64-linux/x1/xremap.nix +++ b/systems/x86_64-linux/x1/xremap.nix 
@@ -1,33 +1,21 @@ -# In /etc/nixos/configuration.nix { ... }: { - users.users.harald.extraGroups = [ "input" ]; - - # Enable the xremap service - services.xremap.enable = true; - services.xremap.userName = "harald"; # Replace with your username - services.xremap.serviceMode = "user"; # Run as user service, not system-wide - services.xremap.withGnome = true; - - # Add a specific configuration block to select your keyboard(s) by name - services.xremap.deviceNames = [ - # Use the name found in the log output: "Hangsheng MonsGeek Keyboard System Control" - "Hangsheng MonsGeek Keyboard" - "HS Galaxy100 Keyboard" - # You can usually shorten the name slightly to match the device you want - ]; - - # Define your remapping configuration using Nix's attribute set format - services.xremap.config = { - keymap = [ - { - remap = { - # Map Alt+C (LeftAlt-C) to Ctrl+C (LeftControl-C) - LeftAlt-C = "COPY"; - LeftAlt-V = "PASTE"; - LeftAlt-X = "CUT"; - }; - } + metacfg.services.xremap = { + enable = true; + deviceNames = [ + "Hangsheng MonsGeek Keyboard" + "HS Galaxy100 Keyboard" ]; + config = { + keymap = [ + { + remap = { + LeftAlt-C = "COPY"; + LeftAlt-V = "PASTE"; + LeftAlt-X = "CUT"; + }; + } + ]; + }; }; } From 0523639f2aab13d5a90813adce6c85e0baf0178c Mon Sep 17 00:00:00 2001 From: Harald Hoyer Date: Fri, 30 Jan 2026 11:52:59 +0100 Subject: [PATCH 2/3] feat(nix): add nvtop package to amd system - Added `nvtopPackages.amd` to the package list for better GPU monitoring on AMD systems. - Enhances system configuration by enabling real-time visualization of GPU usage. --- systems/x86_64-linux/amd/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/systems/x86_64-linux/amd/default.nix b/systems/x86_64-linux/amd/default.nix index c48ddf6..795fe5d 100644 --- a/systems/x86_64-linux/amd/default.nix +++ b/systems/x86_64-linux/amd/default.nix @@ -103,6 +103,7 @@ with lib.metacfg; kubectl kubectx logseq + nvtopPackages.amd obsidian piper-tts tipp10 
From eb10ad018ff6bc81e9f85a2eb8673896cf133da7 Mon Sep 17 00:00:00 2001 From: Harald Hoyer Date: Fri, 30 Jan 2026 11:53:03 +0100 Subject: [PATCH 3/3] chore(nix): update flake.lock - Updated flake.lock to incorporate the latest revisions for locked dependencies. - Includes updates for `homebrew`, `sops-nix`, `nixos-hardware`, `rust-overlay`, and more. - Ensures the system remains aligned with the most recent upstream changes. --- flake.lock | 88 +++++++++++++++++++++++++++--------------------------- 1 file changed, 44 insertions(+), 44 deletions(-) diff --git a/flake.lock b/flake.lock index da101c7..644d00b 100644 --- a/flake.lock +++ b/flake.lock @@ -19,16 +19,16 @@ "brew-src": { "flake": false, "locked": { - "lastModified": 1763638478, - "narHash": "sha256-n/IMowE9S23ovmTkKX7KhxXC2Yq41EAVFR2FBIXPcT8=", + "lastModified": 1769363988, + "narHash": "sha256-BiGPeulrDVetXP+tjxhMcGLUROZAtZIhU5m4MqawCfM=", "owner": "Homebrew", "repo": "brew", - "rev": "fbfdbaba008189499958a7aeb1e2c36ab10c067d", + "rev": "d01011cac6d72032c75fd2cd9489909e95d9faf2", "type": "github" }, "original": { "owner": "Homebrew", - "ref": "5.0.3", + "ref": "5.0.12", "repo": "brew", "type": "github" } @@ -134,11 +134,11 @@ ] }, "locked": { - "lastModified": 1768923567, - "narHash": "sha256-GVJ0jKsyXLuBzRMXCDY6D5J8wVdwP1DuQmmvYL/Vw/Q=", + "lastModified": 1769524058, + "narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=", "owner": "nix-community", "repo": "disko", - "rev": "00395d188e3594a1507f214a2f15d4ce5c07cb28", + "rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d", "type": "github" }, "original": { 
@@ -421,11 +421,11 @@ ] }, "locked": { - "lastModified": 1768949235, - "narHash": "sha256-TtjKgXyg1lMfh374w5uxutd6Vx2P/hU81aEhTxrO2cg=", + "lastModified": 1769580047, + "narHash": "sha256-tNqCP/+2+peAXXQ2V8RwsBkenlfWMERb+Uy6xmevyhM=", "owner": "nix-community", "repo": "home-manager", - "rev": "75ed713570ca17427119e7e204ab3590cc3bf2a5", + "rev": "366d78c2856de6ab3411c15c1cb4fb4c2bf5c826", "type": "github" }, "original": { @@ -454,11 +454,11 @@ "homebrew-cask": { "flake": false, "locked": { - "lastModified": 1769077283, - "narHash": "sha256-alvFQmhX8POHxBP3/jResx6AJ06X+k6SF4/CiNndpPA=", + "lastModified": 1769770011, + "narHash": "sha256-Z+qyxP9dQVk1xBJKJvrvKg2/8SGnYEUArs5vJuhc4ZE=", "owner": "homebrew", "repo": "homebrew-cask", - "rev": "4a8185e145fa4fc8326705c666d608c3ee761612", + "rev": "4b98892b8c059ebc23e6516c917f6b01741a2969", "type": "github" }, "original": { @@ -470,11 +470,11 @@ "homebrew-core": { "flake": false, "locked": { - "lastModified": 1769077518, - "narHash": "sha256-QtWC5CcY9xzfjcThSwZgise9RXbM2vZmw+Tot67RiJo=", + "lastModified": 1769769028, + "narHash": "sha256-9RhJZXZO/PJ7A+917XRROv8xPtzHlPthtAMhunUAfM0=", "owner": "homebrew", "repo": "homebrew-core", - "rev": "2ac083c750fa2a6999ad05a7352e8edbd7abd969", + "rev": "95b2944276a57b176eadc835575c3b591f88999f", "type": "github" }, "original": { @@ -562,11 +562,11 @@ "systems": "systems_2" }, "locked": { - "lastModified": 1768906339, - "narHash": "sha256-iwkHIz2IYRcELkBoKXQUHlP0bFGmrHIz/roJUVYsyx8=", + "lastModified": 1769716128, + "narHash": "sha256-CAsiyTNjI0WmtJstw3kGyL7Q1jPCn7AsO6Ms47G+x3w=", "owner": "NotAShelf", "repo": "nvf", - "rev": "18c55d3bebf2c704970b4ea6fd0261808bec8d94", + "rev": "866b983c4047b87bcdca6ab3673ed7bd602f0251", "type": "github" }, "original": { 
@@ -580,11 +580,11 @@ "brew-src": "brew-src" }, "locked": { - "lastModified": 1764473698, - "narHash": "sha256-C91gPgv6udN5WuIZWNehp8qdLqlrzX6iF/YyboOj6XI=", + "lastModified": 1769437432, + "narHash": "sha256-8d7KnCpT2LweRvSzZYEGd9IM3eFX+A78opcnDM0+ndk=", "owner": "zhaofengli-wip", "repo": "nix-homebrew", - "rev": "6a8ab60bfd66154feeaa1021fc3b32684814a62a", + "rev": "a5409abd0d5013d79775d3419bcac10eacb9d8c5", "type": "github" }, "original": { @@ -595,11 +595,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1768736227, - "narHash": "sha256-qgGq7CfrYKc3IBYQ7qp0Z/ZXndQVC5Bj0N8HW9mS2rM=", + "lastModified": 1769302137, + "narHash": "sha256-QEDtctEkOsbx8nlFh4yqPEOtr4tif6KTqWwJ37IM2ds=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "d447553bcbc6a178618d37e61648b19e744370df", + "rev": "a351494b0e35fd7c0b7a1aae82f0afddf4907aa8", "type": "github" }, "original": { @@ -642,11 +642,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1768940263, - "narHash": "sha256-sJERJIYTKPFXkoz/gBaBtRKke82h4DkX3BBSsKbfbvI=", + "lastModified": 1769598131, + "narHash": "sha256-e7VO/kGLgRMbWtpBqdWl0uFg8Y2XWFMdz0uUJvlML8o=", "owner": "nixos", "repo": "nixpkgs", - "rev": "3ceaaa8bc963ced4d830e06ea2d0863b6490ff03", + "rev": "fa83fd837f3098e3e678e6cf017b2b36102c7211", "type": "github" }, "original": { @@ -748,11 +748,11 @@ ] }, "locked": { - "lastModified": 1769050281, - "narHash": "sha256-1H8DN4UZgEUqPUA5ecHOufLZMscJ4IlcGaEftaPtpBY=", + "lastModified": 1769742225, + "narHash": "sha256-roSD/OJ3x9nF+Dxr+/bLClX3U8FP9EkCQIFpzxKjSUM=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "6deef0585c52d9e70f96b6121207e1496d4b0c49", + "rev": "bcdd8d37594f0e201639f55889c01c827baf5c75", "type": "github" }, "original": { 
@@ -835,11 +835,11 @@ ] }, "locked": { - "lastModified": 1768863606, - "narHash": "sha256-1IHAeS8WtBiEo5XiyJBHOXMzECD6aaIOJmpQKzRRl64=", + "lastModified": 1769469829, + "narHash": "sha256-wFcr32ZqspCxk4+FvIxIL0AZktRs6DuF8oOsLt59YBU=", "owner": "Mic92", "repo": "sops-nix", - "rev": "c7067be8db2c09ab1884de67ef6c4f693973f4a2", + "rev": "c5eebd4eb2e3372fe12a8d70a248a6ee9dd02eff", "type": "github" }, "original": { @@ -932,11 +932,11 @@ }, "unstable": { "locked": { - "lastModified": 1768886240, - "narHash": "sha256-C2TjvwYZ2VDxYWeqvvJ5XPPp6U7H66zeJlRaErJKoEM=", + "lastModified": 1769461804, + "narHash": "sha256-msG8SU5WsBUfVVa/9RPLaymvi5bI8edTavbIq3vRlhI=", "owner": "nixos", "repo": "nixpkgs", - "rev": "80e4adbcf8992d3fd27ad4964fbb84907f9478b0", + "rev": "bfc1b8a4574108ceef22f02bafcf6611380c100d", "type": "github" }, "original": { @@ -949,16 +949,16 @@ "xremap": { "flake": false, "locked": { - "lastModified": 1766606475, - "narHash": "sha256-FPZ4iQA/vVZGzbO8i8lTK8i9A3zs9BLqMvTMeAVv9rQ=", + "lastModified": 1769021727, + "narHash": "sha256-2wylBk3+Zu1pHa41dhKwvUtxOVyHSMRDfOD9fIp8x2I=", "owner": "k0kubun", "repo": "xremap", - "rev": "cdc744d873c19899ef21f329c4305b4b5e53d459", + "rev": "890e0a6ca92e90f3bcbd1e235abcf2192e233a46", "type": "github" }, "original": { "owner": "k0kubun", - "ref": "v0.14.8", + "ref": "v0.14.10", "repo": "xremap", "type": "github" } @@ -971,11 +971,11 @@ "xremap": "xremap" }, "locked": { - "lastModified": 1767318478, - "narHash": "sha256-h3oE50RedA8DRGrFU+Hv2kirt4rmzdaC9oSD+MSg9Ms=", + "lastModified": 1769636170, + "narHash": "sha256-X000Dgg053Dv9NIzm1b9QYSAHYtW2jHMVALQezui7L0=", "owner": "xremap", "repo": "nix-flake", - "rev": "9a2224aa01a3c86e94b398c33329c8ff6496dc5d", + "rev": "00bc6dd4275d4b003a17ef7f5f271ba87f73d698", "type": "github" }, "original": {