diff --git a/flake.lock b/flake.lock
index 644d00b..da101c7 100644
--- a/flake.lock
+++ b/flake.lock
@@ -19,16 +19,16 @@
 "brew-src": {
 "flake": false,
 "locked": {
- "lastModified": 1769363988,
- "narHash": "sha256-BiGPeulrDVetXP+tjxhMcGLUROZAtZIhU5m4MqawCfM=",
+ "lastModified": 1763638478,
+ "narHash": "sha256-n/IMowE9S23ovmTkKX7KhxXC2Yq41EAVFR2FBIXPcT8=",
 "owner": "Homebrew",
 "repo": "brew",
- "rev": "d01011cac6d72032c75fd2cd9489909e95d9faf2",
+ "rev": "fbfdbaba008189499958a7aeb1e2c36ab10c067d",
 "type": "github"
 },
 "original": {
 "owner": "Homebrew",
- "ref": "5.0.12",
+ "ref": "5.0.3",
 "repo": "brew",
 "type": "github"
 }
@@ -134,11 +134,11 @@
 ]
 },
 "locked": {
- "lastModified": 1769524058,
- "narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=",
+ "lastModified": 1768923567,
+ "narHash": "sha256-GVJ0jKsyXLuBzRMXCDY6D5J8wVdwP1DuQmmvYL/Vw/Q=",
 "owner": "nix-community",
 "repo": "disko",
- "rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d",
+ "rev": "00395d188e3594a1507f214a2f15d4ce5c07cb28",
 "type": "github"
 },
 "original": {
@@ -421,11 +421,11 @@
 ]
 },
 "locked": {
- "lastModified": 1769580047,
- "narHash": "sha256-tNqCP/+2+peAXXQ2V8RwsBkenlfWMERb+Uy6xmevyhM=",
+ "lastModified": 1768949235,
+ "narHash": "sha256-TtjKgXyg1lMfh374w5uxutd6Vx2P/hU81aEhTxrO2cg=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "366d78c2856de6ab3411c15c1cb4fb4c2bf5c826",
+ "rev": "75ed713570ca17427119e7e204ab3590cc3bf2a5",
 "type": "github"
 },
 "original": {
@@ -454,11 +454,11 @@
 "homebrew-cask": {
 "flake": false,
 "locked": {
- "lastModified": 1769770011,
- "narHash": "sha256-Z+qyxP9dQVk1xBJKJvrvKg2/8SGnYEUArs5vJuhc4ZE=",
+ "lastModified": 1769077283,
+ "narHash": "sha256-alvFQmhX8POHxBP3/jResx6AJ06X+k6SF4/CiNndpPA=",
 "owner": "homebrew",
 "repo": "homebrew-cask",
- "rev": "4b98892b8c059ebc23e6516c917f6b01741a2969",
+ "rev": "4a8185e145fa4fc8326705c666d608c3ee761612",
 "type": "github"
 },
 "original": {
@@ -470,11 +470,11 @@
 "homebrew-core": {
 "flake": false,
 "locked": {
- "lastModified": 1769769028,
- "narHash": "sha256-9RhJZXZO/PJ7A+917XRROv8xPtzHlPthtAMhunUAfM0=",
+ "lastModified": 1769077518,
+ "narHash": "sha256-QtWC5CcY9xzfjcThSwZgise9RXbM2vZmw+Tot67RiJo=",
 "owner": "homebrew",
 "repo": "homebrew-core",
- "rev": "95b2944276a57b176eadc835575c3b591f88999f",
+ "rev": "2ac083c750fa2a6999ad05a7352e8edbd7abd969",
 "type": "github"
 },
 "original": {
@@ -562,11 +562,11 @@
 "systems": "systems_2"
 },
 "locked": {
- "lastModified": 1769716128,
- "narHash": "sha256-CAsiyTNjI0WmtJstw3kGyL7Q1jPCn7AsO6Ms47G+x3w=",
+ "lastModified": 1768906339,
+ "narHash": "sha256-iwkHIz2IYRcELkBoKXQUHlP0bFGmrHIz/roJUVYsyx8=",
 "owner": "NotAShelf",
 "repo": "nvf",
- "rev": "866b983c4047b87bcdca6ab3673ed7bd602f0251",
+ "rev": "18c55d3bebf2c704970b4ea6fd0261808bec8d94",
 "type": "github"
 },
 "original": {
@@ -580,11 +580,11 @@
 "brew-src": "brew-src"
 },
 "locked": {
- "lastModified": 1769437432,
- "narHash": "sha256-8d7KnCpT2LweRvSzZYEGd9IM3eFX+A78opcnDM0+ndk=",
+ "lastModified": 1764473698,
+ "narHash": "sha256-C91gPgv6udN5WuIZWNehp8qdLqlrzX6iF/YyboOj6XI=",
 "owner": "zhaofengli-wip",
 "repo": "nix-homebrew",
- "rev": "a5409abd0d5013d79775d3419bcac10eacb9d8c5",
+ "rev": "6a8ab60bfd66154feeaa1021fc3b32684814a62a",
 "type": "github"
 },
 "original": {
@@ -595,11 +595,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1769302137,
- "narHash": "sha256-QEDtctEkOsbx8nlFh4yqPEOtr4tif6KTqWwJ37IM2ds=",
+ "lastModified": 1768736227,
+ "narHash": "sha256-qgGq7CfrYKc3IBYQ7qp0Z/ZXndQVC5Bj0N8HW9mS2rM=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "a351494b0e35fd7c0b7a1aae82f0afddf4907aa8",
+ "rev": "d447553bcbc6a178618d37e61648b19e744370df",
 "type": "github"
 },
 "original": {
@@ -642,11 +642,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1769598131,
- "narHash": "sha256-e7VO/kGLgRMbWtpBqdWl0uFg8Y2XWFMdz0uUJvlML8o=",
+ "lastModified": 1768940263,
+ "narHash": "sha256-sJERJIYTKPFXkoz/gBaBtRKke82h4DkX3BBSsKbfbvI=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "fa83fd837f3098e3e678e6cf017b2b36102c7211",
+ "rev": "3ceaaa8bc963ced4d830e06ea2d0863b6490ff03",
 "type": "github"
 },
 "original": {
@@ -748,11 +748,11 @@
 ]
 },
 "locked": {
- "lastModified": 1769742225,
- "narHash": "sha256-roSD/OJ3x9nF+Dxr+/bLClX3U8FP9EkCQIFpzxKjSUM=",
+ "lastModified": 1769050281,
+ "narHash": "sha256-1H8DN4UZgEUqPUA5ecHOufLZMscJ4IlcGaEftaPtpBY=",
 "owner": "oxalica",
 "repo": "rust-overlay",
- "rev": "bcdd8d37594f0e201639f55889c01c827baf5c75",
+ "rev": "6deef0585c52d9e70f96b6121207e1496d4b0c49",
 "type": "github"
 },
 "original": {
@@ -835,11 +835,11 @@
 ]
 },
 "locked": {
- "lastModified": 1769469829,
- "narHash": "sha256-wFcr32ZqspCxk4+FvIxIL0AZktRs6DuF8oOsLt59YBU=",
+ "lastModified": 1768863606,
+ "narHash": "sha256-1IHAeS8WtBiEo5XiyJBHOXMzECD6aaIOJmpQKzRRl64=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "c5eebd4eb2e3372fe12a8d70a248a6ee9dd02eff",
+ "rev": "c7067be8db2c09ab1884de67ef6c4f693973f4a2",
 "type": "github"
 },
 "original": {
@@ -932,11 +932,11 @@
 },
 "unstable": {
 "locked": {
- "lastModified": 1769461804,
- "narHash": "sha256-msG8SU5WsBUfVVa/9RPLaymvi5bI8edTavbIq3vRlhI=",
+ "lastModified": 1768886240,
+ "narHash": "sha256-C2TjvwYZ2VDxYWeqvvJ5XPPp6U7H66zeJlRaErJKoEM=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "bfc1b8a4574108ceef22f02bafcf6611380c100d",
+ "rev": "80e4adbcf8992d3fd27ad4964fbb84907f9478b0",
 "type": "github"
 },
 "original": {
@@ -949,16 +949,16 @@
 "xremap": {
 "flake": false,
 "locked": {
- "lastModified": 1769021727,
- "narHash": "sha256-2wylBk3+Zu1pHa41dhKwvUtxOVyHSMRDfOD9fIp8x2I=",
+ "lastModified": 1766606475,
+ "narHash": "sha256-FPZ4iQA/vVZGzbO8i8lTK8i9A3zs9BLqMvTMeAVv9rQ=",
 "owner": "k0kubun",
 "repo": "xremap",
- "rev": "890e0a6ca92e90f3bcbd1e235abcf2192e233a46",
+ "rev": "cdc744d873c19899ef21f329c4305b4b5e53d459",
 "type": "github"
 },
 "original": {
 "owner": "k0kubun",
- "ref": "v0.14.10",
+ "ref": "v0.14.8",
 "repo": "xremap",
 "type": "github"
 }
@@ -971,11 +971,11 @@
 "xremap": "xremap"
 },
 "locked": {
- "lastModified": 1769636170,
- "narHash": "sha256-X000Dgg053Dv9NIzm1b9QYSAHYtW2jHMVALQezui7L0=",
+ "lastModified": 1767318478,
+ "narHash": "sha256-h3oE50RedA8DRGrFU+Hv2kirt4rmzdaC9oSD+MSg9Ms=",
 "owner": "xremap",
 "repo": "nix-flake",
- "rev": "00bc6dd4275d4b003a17ef7f5f271ba87f73d698",
+ "rev": "9a2224aa01a3c86e94b398c33329c8ff6496dc5d",
 "type": "github"
 },
 "original": {
diff --git a/modules/nixos/hardware/wooting/default.nix b/modules/nixos/hardware/wooting/default.nix
deleted file mode 100644
index e5cc8f5..0000000
--- a/modules/nixos/hardware/wooting/default.nix
+++ /dev/null
@@ -1,25 +0,0 @@ -{ - config, - lib, - ... -}: -with lib; -with lib.metacfg; -let - cfg = config.metacfg.hardware.wooting; -in -{ - options.metacfg.hardware.wooting = with types; { - enable = mkBoolOpt false "Whether or not to enable Wooting keyboard support."; - enableBluetoothCompat = mkBoolOpt true "Disable ClassicBondedOnly for Bluetooth compatibility."; - }; - - config = mkIf cfg.enable { - hardware.bluetooth.input.General.ClassicBondedOnly = mkIf cfg.enableBluetoothCompat false; - - services.udev.extraRules = '' - KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="342d", ATTRS{idProduct}=="e4c5", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl" - KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="342d", ATTRS{idProduct}=="e489", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl" - ''; - }; -} diff --git a/modules/nixos/services/acme-base/default.nix b/modules/nixos/services/acme-base/default.nix deleted file mode 100644 index d572848..0000000 --- a/modules/nixos/services/acme-base/default.nix +++ /dev/null @@ -1,41 +0,0 @@ -{ - config, - lib, - ... -}: -with lib; -with lib.metacfg; -let - cfg = config.metacfg.services.acmeBase; -in -{ - options.metacfg.services.acmeBase = with types; { - enable = mkBoolOpt false "Whether or not to enable ACME with common settings."; - email = mkOption { - type = types.str; - default = "harald@hoyer.xyz"; - description = "Registration email for ACME."; - }; - dnsProvider = mkOption { - type = types.str; - default = "cloudflare"; - description = "DNS provider for ACME DNS-01 challenge."; - }; - credentialsFile = mkOption { - type = types.nullOr types.path; - default = null; - description = "Path to the credentials file for the DNS provider."; - }; - }; - - config = mkIf cfg.enable { - security.acme = { - acceptTerms = true; - defaults = { - email = cfg.email; - dnsProvider = cfg.dnsProvider; - credentialsFile = mkIf (cfg.credentialsFile != null) cfg.credentialsFile; - }; - }; - }; -} 
diff --git a/modules/nixos/services/nginx-base/default.nix b/modules/nixos/services/nginx-base/default.nix deleted file mode 100644 index 6b2dd52..0000000 --- a/modules/nixos/services/nginx-base/default.nix +++ /dev/null @@ -1,42 +0,0 @@ -{ - config, - lib, - ... -}: -with lib; -with lib.metacfg; -let - cfg = config.metacfg.services.nginxBase; -in -{ - options.metacfg.services.nginxBase = with types; { - enable = mkBoolOpt false "Whether or not to enable nginx with common settings."; - clientMaxBodySize = mkOption { - type = types.str; - default = "1000M"; - description = "Maximum allowed size of the client request body."; - }; - enableAcmeGroup = mkBoolOpt true "Add nginx user to acme group."; - enableVcombinedLog = mkBoolOpt true "Enable vcombined log format."; - }; - - config = mkIf cfg.enable { - users.users.nginx.extraGroups = mkIf cfg.enableAcmeGroup [ "acme" ]; - - services.nginx = { - enable = true; - clientMaxBodySize = cfg.clientMaxBodySize; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - appendHttpConfig = mkIf cfg.enableVcombinedLog '' - log_format vcombined '$host:$server_port ' - '$remote_addr - $remote_user [$time_local] ' - '"$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent"'; - access_log /var/log/nginx/access.log vcombined; - ''; - }; - }; -} diff --git a/modules/nixos/services/xremap/default.nix b/modules/nixos/services/xremap/default.nix deleted file mode 100644 index 6f22f38..0000000 --- a/modules/nixos/services/xremap/default.nix +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - config, - lib, - ... -}: -with lib; -with lib.metacfg; -let - cfg = config.metacfg.services.xremap; -in -{ - options.metacfg.services.xremap = with types; { - enable = mkBoolOpt false "Whether or not to enable xremap key remapping."; - userName = mkOption { - type = types.str; - default = "harald"; - description = "User to run xremap as."; - }; - withGnome = mkBoolOpt true "Enable GNOME support."; - deviceNames = mkOption { - type = types.listOf types.str; - default = [ ]; - description = "List of device names to remap."; - }; - config = mkOption { - type = types.attrs; - default = { }; - description = "Xremap configuration."; - }; - }; - - config = { - services.xremap = { - enable = cfg.enable; - userName = mkIf cfg.enable cfg.userName; - serviceMode = mkIf cfg.enable "user"; - withGnome = mkIf cfg.enable cfg.withGnome; - deviceNames = mkIf cfg.enable cfg.deviceNames; - config = mkIf cfg.enable cfg.config; - }; - - users.users.${cfg.userName}.extraGroups = mkIf cfg.enable [ "input" ]; - }; -} diff --git a/modules/nixos/system/kernel-tweaks/default.nix b/modules/nixos/system/kernel-tweaks/default.nix deleted file mode 100644 index 0443809..0000000 --- a/modules/nixos/system/kernel-tweaks/default.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ - config, - lib, - ... -}: -with lib; -with lib.metacfg; -let - cfg = config.metacfg.system.kernelTweaks; -in -{ - options.metacfg.system.kernelTweaks = with types; { - enable = mkBoolOpt false "Whether or not to enable desktop kernel optimizations."; - pmFreezeTimeout = mkOption { - type = types.int; - default = 30000; - description = "PM freeze timeout in milliseconds."; - }; - enableZram = mkBoolOpt true "Enable zram swap."; - }; - - config = mkIf cfg.enable { - boot.kernel.sysctl = { - "power.pm_freeze_timeout" = cfg.pmFreezeTimeout; - }; - - zramSwap.enable = cfg.enableZram; - }; -} 
diff --git a/modules/nixos/system/no-sleep/default.nix b/modules/nixos/system/no-sleep/default.nix deleted file mode 100644 index 9e12659..0000000 --- a/modules/nixos/system/no-sleep/default.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ - config, - lib, - ... -}: -with lib; -with lib.metacfg; -let - cfg = config.metacfg.system.noSleep; -in -{ - options.metacfg.system.noSleep = with types; { - enable = mkBoolOpt false "Whether or not to disable all sleep targets."; - disableGdmAutoSuspend = mkBoolOpt false "Disable GDM auto-suspend."; - ignoreLidSwitch = mkBoolOpt false "Ignore lid switch events."; - }; - - config = mkIf cfg.enable { - systemd.targets.sleep.enable = false; - systemd.targets.suspend.enable = false; - systemd.targets.hibernate.enable = false; - systemd.targets.hybrid-sleep.enable = false; - - services.displayManager.gdm.autoSuspend = mkIf cfg.disableGdmAutoSuspend false; - - services.logind.settings.Login.HandleLidSwitch = mkIf cfg.ignoreLidSwitch "ignore"; - }; -} diff --git a/systems/aarch64-linux/m4nix/default.nix b/systems/aarch64-linux/m4nix/default.nix index f8a6934..d8cd570 100644 --- a/systems/aarch64-linux/m4nix/default.nix +++ b/systems/aarch64-linux/m4nix/default.nix @@ -9,13 +9,7 @@ with lib.metacfg; services.spice-autorandr.enable = true; services.spice-vdagentd.enable = true; - services.resolved.enable = true; - services.resolved.extraConfig = '' - ResolveUnicastSingleLabel=yes - ''; - metacfg = { - system.noSleep.enable = true; base.enable = true; gui.enable = true; nix-ld.enable = true; @@ -40,6 +34,13 @@ with lib.metacfg; ]; }; + # Disable the GNOME3/GDM auto-suspend feature that cannot be disabled in GUI! + # If no user is logged in, the machine will power down after 20 minutes. + systemd.targets.sleep.enable = false; + systemd.targets.suspend.enable = false; + systemd.targets.hibernate.enable = false; + systemd.targets.hybrid-sleep.enable = false; + environment.systemPackages = with pkgs; [ azure-cli desktop-file-utils 
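Review bot: The comment above the four `systemd.targets.*.enable = false;` lines in the m4nix `@@ -40,6 +34,13 @@` hunk says it disables the GNOME3/GDM auto-suspend feature, but those lines only mask the systemd sleep/suspend/hibernate targets; GDM's own setting is untouched, and the option that actually does what the comment describes is `services.displayManager.gdm.autoSuspend = false;`, which this commit sets in systems/x86_64-linux/sgx/default.nix but not here. As far as I can tell the masked targets make any suspend attempt fail, so the effect is similar, but the comment should say that, e.g. `# Mask the sleep/suspend/hibernate targets so the VM can never be suspended (this also defeats GDM's auto-suspend, which cannot be turned off in the GUI).` The removed no-sleep module exposed the GDM setting as a separate option, so the intended behaviour is worth confirming before the comment is fixed. The identical hunk is added to systems/aarch64-linux/rnix/default.nix.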
@@ -59,11 +60,16 @@ with lib.metacfg; services.ratbagd.enable = true; + services.resolved.enable = true; + #services.resolved.dnssec = "allow-downgrade"; + services.resolved.extraConfig = '' + ResolveUnicastSingleLabel=yes + ''; + virtualisation = { docker.enable = true; podman.dockerCompat = false; libvirtd.enable = false; - rosetta.enable = true; }; system.autoUpgrade = { @@ -72,5 +78,7 @@ with lib.metacfg; allowReboot = false; }; + virtualisation.rosetta.enable = true; + system.stateVersion = "25.05"; } diff --git a/systems/aarch64-linux/rnix/default.nix b/systems/aarch64-linux/rnix/default.nix index f8a6934..d8cd570 100644 --- a/systems/aarch64-linux/rnix/default.nix +++ b/systems/aarch64-linux/rnix/default.nix @@ -9,13 +9,7 @@ with lib.metacfg; services.spice-autorandr.enable = true; services.spice-vdagentd.enable = true; - services.resolved.enable = true; - services.resolved.extraConfig = '' - ResolveUnicastSingleLabel=yes - ''; - metacfg = { - system.noSleep.enable = true; base.enable = true; gui.enable = true; nix-ld.enable = true; @@ -40,6 +34,13 @@ with lib.metacfg; ]; }; + # Disable the GNOME3/GDM auto-suspend feature that cannot be disabled in GUI! + # If no user is logged in, the machine will power down after 20 minutes. + systemd.targets.sleep.enable = false; + systemd.targets.suspend.enable = false; + systemd.targets.hibernate.enable = false; + systemd.targets.hybrid-sleep.enable = false; + environment.systemPackages = with pkgs; [ azure-cli desktop-file-utils @@ -59,11 +60,16 @@ with lib.metacfg; services.ratbagd.enable = true; + services.resolved.enable = true; + #services.resolved.dnssec = "allow-downgrade"; + services.resolved.extraConfig = '' + ResolveUnicastSingleLabel=yes + ''; + virtualisation = { docker.enable = true; podman.dockerCompat = false; libvirtd.enable = false; - rosetta.enable = true; }; system.autoUpgrade = { 
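Review bot: `ResolveUnicastSingleLabel=yes` in the new `services.resolved.extraConfig` of the m4nix `@@ -59,11 +60,16 @@` hunk makes resolved forward single-label hostnames to the upstream DNS servers instead of resolving them only via LLMNR/mDNS, and the resolved.conf documentation describes this setting as not recommended for security reasons, because an upstream resolver then decides what unqualified names on the local network mean. If a specific internal domain needs it, listing that domain in `networking.search` (resolved's `Domains=`) is the narrower fix; otherwise a comment stating why the setting is required would help the next reader. The `#services.resolved.dnssec = "allow-downgrade";` line is dead configuration: either leave DNSSEC at the module default or set it deliberately and document the choice. The same block is added to systems/aarch64-linux/rnix/default.nix, and the commented-out dnssec/extraConfig lines recur in the amd, t15 and x1 configs in this commit.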
@@ -72,5 +78,7 @@ with lib.metacfg; allowReboot = false; }; + virtualisation.rosetta.enable = true; + system.stateVersion = "25.05"; } diff --git a/systems/x86_64-linux/amd/default.nix b/systems/x86_64-linux/amd/default.nix index 795fe5d..08b0b84 100644 --- a/systems/x86_64-linux/amd/default.nix +++ b/systems/x86_64-linux/amd/default.nix @@ -18,17 +18,21 @@ with lib.metacfg; 22000 ]; + services.tailscale.enable = true; + services.cratedocs-mcp.enable = true; services.openssh = { enable = true; }; - services.tailscale.enable = true; - services.resolved.enable = true; + hardware.bluetooth.input.General.ClassicBondedOnly = false; + services.udev.extraRules = '' + KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="342d", ATTRS{idProduct}=="e4c5", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl" + KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="342d", ATTRS{idProduct}=="e489", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl" + ''; metacfg = { - hardware.wooting.enable = true; base.enable = true; gui.enable = true; nix-ld.enable = true; @@ -55,21 +59,15 @@ with lib.metacfg; "dialout" "tss" ]; - system.kernelTweaks.enable = true; - }; - - system.autoUpgrade = { - enable = true; - operation = "boot"; - allowReboot = false; }; nixpkgs.config.permittedInsecurePackages = [ "electron-27.3.11" ]; - # Additional kernel tuning beyond the module defaults + # Kernel tuning boot.kernel.sysctl = { + "power.pm_freeze_timeout" = 30000; # Reduce swap usage (you have zram) "vm.swappiness" = 10; # Prefer keeping directory/inode caches @@ -103,7 +101,6 @@ with lib.metacfg; kubectl kubectx logseq - nvtopPackages.amd obsidian piper-tts tipp10 
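Review bot: The udev rules inlined in the amd `@@ -18,17 +18,21 @@` hunk grant `MODE="0660", GROUP="users"` on the two Wooting hidraw nodes while `TAG+="uaccess"` on the same lines already gives the active seat user an ACL on them; the group grant additionally exposes raw HID read/write access to every account in `users`, including remote or service sessions, so dropping `GROUP="users"` (or using a dedicated group) would be the least-privilege form. `hardware.bluetooth.input.General.ClassicBondedOnly = false;` also relaxes BlueZ's default of rejecting input from classic Bluetooth HID devices that have not bonded; the removed module documented this as a Bluetooth compatibility trade-off, whereas the inlined line carries no comment, so I would add `# Allow unbonded classic BT HID devices (Wooting compat); weakens BlueZ's default protection against unauthenticated input devices.` The same two blocks are duplicated in systems/x86_64-linux/x1/default.nix.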
@@ -114,18 +111,32 @@ with lib.metacfg; # zram swap with zstd compression for better performance zramSwap = { + enable = true; algorithm = "zstd"; memoryPercent = 50; }; services.ratbagd.enable = true; + services.resolved.enable = true; + + #services.resolved.dnssec = "allow-downgrade"; + #services.resolved.extraConfig = '' + # ResolveUnicastSingleLabel=yes + #''; + virtualisation = { libvirtd.enable = true; docker.enable = true; podman.dockerCompat = false; }; + system.autoUpgrade = { + enable = true; + operation = "boot"; + allowReboot = false; + }; + services.trezord.enable = true; services.ollama = { diff --git a/systems/x86_64-linux/amd/xremap.nix b/systems/x86_64-linux/amd/xremap.nix index c28dd0a..64a45c0 100644 --- a/systems/x86_64-linux/amd/xremap.nix +++ b/systems/x86_64-linux/amd/xremap.nix 
@@ -1,21 +1,33 @@ +# In /etc/nixos/configuration.nix { ... }: { - metacfg.services.xremap = { - enable = true; - deviceNames = [ - "Hangsheng MonsGeek Keyboard" - "HS Galaxy100 Keyboard" + users.users.harald.extraGroups = [ "input" ]; + + # Enable the xremap service + services.xremap.enable = true; + services.xremap.userName = "harald"; # Replace with your username + services.xremap.serviceMode = "user"; # Run as user service, not system-wide + services.xremap.withGnome = true; + + # Add a specific configuration block to select your keyboard(s) by name + services.xremap.deviceNames = [ + # Use the name found in the log output: "Hangsheng MonsGeek Keyboard System Control" + "Hangsheng MonsGeek Keyboard" + "HS Galaxy100 Keyboard" + # You can usually shorten the name slightly to match the device you want + ]; + + # Define your remapping configuration using Nix's attribute set format + services.xremap.config = { + keymap = [ + { + remap = { + # Map Alt+C (LeftAlt-C) to Ctrl+C (LeftControl-C) + LeftAlt-C = "COPY"; + LeftAlt-V = "PASTE"; + LeftAlt-X = "CUT"; + }; + } ]; - config = { - keymap = [ - { - remap = { - LeftAlt-C = "COPY"; - LeftAlt-V = "PASTE"; - LeftAlt-X = "CUT"; - }; - } - ]; - }; }; } diff --git a/systems/x86_64-linux/mx/acme.nix b/systems/x86_64-linux/mx/acme.nix index ee338c4..069bb2d 100644 --- a/systems/x86_64-linux/mx/acme.nix +++ b/systems/x86_64-linux/mx/acme.nix @@ -1,4 +1,6 @@ { + pkgs, + lib, config, ... }: @@ -7,9 +9,14 @@ sopsFile = ../../../.secrets/hetzner/internetbs.yaml; # bring your own password file }; - metacfg.services.acmeBase.credentialsFile = config.sops.secrets.internetbs.path; - - security.acme.certs = { + security.acme = { + acceptTerms = true; + defaults = { + email = "harald@hoyer.xyz"; + dnsProvider = "cloudflare"; + credentialsFile = config.sops.secrets.internetbs.path; + }; + certs = { "surfsite.org" = { extraDomainNames = [ "*.surfsite.org" ]; }; @@ -64,4 +71,5 @@ extraDomainNames = [ "*.harald-hoyer.de" ]; }; }; + }; } 
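Review bot: The new comments in systems/x86_64-linux/amd/xremap.nix are copied from a tutorial and no longer describe this file: `# In /etc/nixos/configuration.nix` and `# Replace with your username` are wrong for a per-host module in this repository, and `# Map Alt+C (LeftAlt-C) to Ctrl+C (LeftControl-C)` does not obviously match the code, which maps to `"COPY"`/`"PASTE"`/`"CUT"` rather than to a Ctrl chord. Dropping those three comments and keeping the one about `deviceNames` matching the name from the log output would leave accurate documentation. `users.users.harald.extraGroups = [ "input" ];` also deserves a one-line comment, since membership in `input` lets every process of that user read all /dev/input devices and is the reason `serviceMode = "user"` works. The identical file is added as systems/x86_64-linux/x1/xremap.nix.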
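Review bot: In the mx/acme.nix `@@ -7,9 +9,14 @@` hunk, `dnsProvider = "cloudflare"` is paired with `credentialsFile = config.sops.secrets.internetbs.path`, whose sops file is `.secrets/hetzner/internetbs.yaml` with the comment `# bring your own password file`; the names suggest an internet.bs credential while the provider is Cloudflare, and as far as I know lego's cloudflare provider reads only its own variables from that file, so either the secret name is stale or the provider is wrong. Once confirmed, a comment such as `# Cloudflare API token; secret name kept from an earlier registrar` next to `credentialsFile` would prevent the next reader from chasing the same question. The earlier `@@ -1,4 +1,6 @@` hunk adds `pkgs` and `lib` to the module arguments, but nothing in the visible hunks uses them. systems/x86_64-linux/sgx/acme.nix receives the same inlined `security.acme` block with the same provider/secret pairing.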
diff --git a/systems/x86_64-linux/mx/default.nix b/systems/x86_64-linux/mx/default.nix index d2130c7..e8ce185 100644 --- a/systems/x86_64-linux/mx/default.nix +++ b/systems/x86_64-linux/mx/default.nix @@ -22,8 +22,6 @@ services.tailscale.enable = true; metacfg = { - services.nginxBase.enable = true; - services.acmeBase.enable = true; emailOnFailure.enable = true; base.enable = true; nix.enable = true; @@ -44,6 +42,7 @@ dates = "04:00"; operation = "switch"; allowReboot = true; + # flake = lib.mkForce "git+file:///var/lib/gitea/repositories/harald/nixcfg.git#mx"; flake = lib.mkForce "/root/nixcfg/.#mx"; }; diff --git a/systems/x86_64-linux/mx/nginx.nix b/systems/x86_64-linux/mx/nginx.nix index e71eb46..26556bf 100644 --- a/systems/x86_64-linux/mx/nginx.nix +++ b/systems/x86_64-linux/mx/nginx.nix @@ -1,6 +1,21 @@ { ... }: { - services.nginx.virtualHosts = { + users.users.nginx.extraGroups = [ "acme" ]; + services.nginx = { + enable = true; + clientMaxBodySize = "1000M"; + appendHttpConfig = '' + log_format vcombined '$host:$server_port ' + '$remote_addr - $remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent"'; + access_log /var/log/nginx/access.log vcombined; + ''; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + virtualHosts = { "00000" = { useACMEHost = "hoyer.xyz"; serverName = "_"; @@ -142,4 +157,5 @@ forceSSL = true; }; }; + }; } diff --git a/systems/x86_64-linux/nixtee1/default.nix b/systems/x86_64-linux/nixtee1/default.nix index 6c879ae..4ca3282 100644 --- a/systems/x86_64-linux/nixtee1/default.nix +++ b/systems/x86_64-linux/nixtee1/default.nix @@ -6,6 +6,8 @@ { imports = [ ./hardware-configuration.nix ]; + services.tailscale.enable = true; + boot.kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest; boot.loader.systemd-boot.enable = false; # Bootloader. 
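Review bot: `clientMaxBodySize = "1000M"` in the mx/nginx.nix `@@ -1,6 +1,21 @@` hunk now applies to every virtual host, including the catch-all `"00000"` with `serverName = "_"`, so any anonymous client can make nginx accept a 1 GB request body on any name; if only some upload-heavy hosts need it, `extraConfig = "client_max_body_size 1000M;";` on those vhosts keeps nginx's default limit for the rest. `users.users.nginx.extraGroups = [ "acme" ];` gives the nginx user read access to every certificate key owned by the acme group, which `useACMEHost` requires; a comment saying so would be useful, and I believe the NixOS nginx module already grants the acme group when `useACMEHost`/`enableACME` is set, so check whether the explicit line is still needed. systems/x86_64-linux/sgx/nginx.nix receives the identical block.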
@@ -16,8 +18,6 @@ security.tpm2.enable = false; security.tpm2.abrmd.enable = false; - services.tailscale.enable = true; - metacfg = { base.enable = true; nix-ld.enable = true; @@ -37,6 +37,12 @@ podman.dockerCompat = false; }; + system.autoUpgrade = { + enable = true; + operation = "switch"; + allowReboot = true; + }; + networking.wireless.enable = false; # Enables wireless support via wpa_supplicant. networking.firewall.allowPing = true; @@ -60,11 +66,5 @@ } ]; - system.autoUpgrade = { - enable = true; - operation = "switch"; - allowReboot = true; - }; - system.stateVersion = "25.05"; } diff --git a/systems/x86_64-linux/sgx-attic/default.nix b/systems/x86_64-linux/sgx-attic/default.nix index 896c57c..5cd7e1d 100644 --- a/systems/x86_64-linux/sgx-attic/default.nix +++ b/systems/x86_64-linux/sgx-attic/default.nix @@ -1,5 +1,7 @@ { + pkgs, lib, + config, ... }: with lib; @@ -15,17 +17,17 @@ with lib.metacfg; nix.enable = true; }; + virtualisation = { + docker.enable = true; + podman.dockerCompat = false; + }; + system.autoUpgrade = { enable = true; operation = "switch"; allowReboot = true; }; - virtualisation = { - docker.enable = true; - podman.dockerCompat = false; - }; - security.tpm2.enable = false; security.tpm2.abrmd.enable = false; diff --git a/systems/x86_64-linux/sgx/acme.nix b/systems/x86_64-linux/sgx/acme.nix index 76df2ef..b3e1272 100644 --- a/systems/x86_64-linux/sgx/acme.nix +++ b/systems/x86_64-linux/sgx/acme.nix @@ -7,9 +7,14 @@ sopsFile = ../../../.secrets/sgx/internetbs.yaml; # bring your own password file }; - metacfg.services.acmeBase.credentialsFile = config.sops.secrets.internetbs.path; - - security.acme.certs = { + security.acme = { + acceptTerms = true; + defaults = { + email = "harald@hoyer.xyz"; + dnsProvider = "cloudflare"; + credentialsFile = config.sops.secrets.internetbs.path; + }; + certs = { "internal.hoyer.world" = { extraDomainNames = [ "openwebui.hoyer.world" @@ -18,4 +23,5 @@ ]; }; }; + }; } 
diff --git a/systems/x86_64-linux/sgx/default.nix b/systems/x86_64-linux/sgx/default.nix index e4ecaa8..0a95eef 100644 --- a/systems/x86_64-linux/sgx/default.nix +++ b/systems/x86_64-linux/sgx/default.nix @@ -12,6 +12,8 @@ ./wyoming.nix ]; + services.tailscale.enable = true; + boot.tmp.useTmpfs = false; sops.secrets.pccs.sopsFile = ../../../.secrets/sgx/pccs.yaml; @@ -21,16 +23,7 @@ claude-code ]; - services.tailscale.enable = true; - metacfg = { - services.nginxBase.enable = true; - services.acmeBase.enable = true; - system.noSleep = { - enable = true; - disableGdmAutoSuspend = true; - ignoreLidSwitch = true; - }; emailOnFailure.enable = true; base.enable = true; gui.enable = true; @@ -65,5 +58,13 @@ allowReboot = true; }; + systemd.targets.sleep.enable = false; + systemd.targets.suspend.enable = false; + systemd.targets.hibernate.enable = false; + systemd.targets.hybrid-sleep.enable = false; + services.displayManager.gdm.autoSuspend = false; + + services.logind.settings.Login.HandleLidSwitch = "ignore"; + system.stateVersion = "23.11"; } diff --git a/systems/x86_64-linux/sgx/nginx.nix b/systems/x86_64-linux/sgx/nginx.nix index 52f1cdc..0c685c0 100644 --- a/systems/x86_64-linux/sgx/nginx.nix +++ b/systems/x86_64-linux/sgx/nginx.nix @@ -3,7 +3,22 @@ ... }: { - services.nginx.virtualHosts = { + users.users.nginx.extraGroups = [ "acme" ]; + services.nginx = { + enable = true; + clientMaxBodySize = "1000M"; + appendHttpConfig = '' + log_format vcombined '$host:$server_port ' + '$remote_addr - $remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent"'; + access_log /var/log/nginx/access.log vcombined; + ''; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + virtualHosts = { "openwebui.hoyer.world" = { enableACME = false; useACMEHost = "internal.hoyer.world"; @@ -33,4 +48,5 @@ }; }; }; + }; } 
diff --git a/systems/x86_64-linux/t15/default.nix b/systems/x86_64-linux/t15/default.nix index 9e39ddc..cce5666 100644 --- a/systems/x86_64-linux/t15/default.nix +++ b/systems/x86_64-linux/t15/default.nix @@ -2,8 +2,6 @@ { imports = [ ./hardware-configuration.nix ]; - services.resolved.enable = true; - metacfg = { base.enable = true; gui.enable = true; @@ -29,6 +27,9 @@ system.stateVersion = "23.11"; + services.resolved.enable = true; + #services.resolved.dnssec = "allow-downgrade"; + sops.age.sshKeyPaths = [ "/persist/ssh/ssh_host_ed25519_key" ]; sops.secrets.backup-s3.sopsFile = ../../../.secrets/t15/backup-s3.yaml; sops.secrets.backup-pw.sopsFile = ../../../.secrets/t15/backup-s3.yaml; diff --git a/systems/x86_64-linux/x1/default.nix b/systems/x86_64-linux/x1/default.nix index 84fbaea..96122d9 100644 --- a/systems/x86_64-linux/x1/default.nix +++ b/systems/x86_64-linux/x1/default.nix @@ -20,6 +20,8 @@ with lib.metacfg; programs.ccache.enable = true; nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ]; + services.tailscale.enable = true; + services.cratedocs-mcp.enable = true; sops.age.sshKeyPaths = [ "/var/lib/secrets/ssh_host_ed25519_key" ]; @@ -43,11 +45,13 @@ with lib.metacfg; ]; }; - services.tailscale.enable = true; - services.resolved.enable = true; + hardware.bluetooth.input.General.ClassicBondedOnly = false; + services.udev.extraRules = '' + KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="342d", ATTRS{idProduct}=="e4c5", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl" + KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="342d", ATTRS{idProduct}=="e489", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl" + ''; metacfg = { - hardware.wooting.enable = true; base.enable = true; gui.enable = true; nix-ld.enable = true; 
@@ -73,19 +77,17 @@ with lib.metacfg; "dialout" "tss" ]; - system.kernelTweaks.enable = true; - }; - - system.autoUpgrade = { - enable = true; - operation = "boot"; - allowReboot = false; }; nixpkgs.config.permittedInsecurePackages = [ "electron-27.3.11" ]; + # increase freezing timeout + boot.kernel.sysctl = { + "power.pm_freeze_timeout" = 30000; + }; + environment.systemPackages = with pkgs; [ attic-client azure-cli @@ -110,12 +112,26 @@ with lib.metacfg; vscode ]; + zramSwap.enable = true; + services.ratbagd.enable = true; + services.resolved.enable = true; + #services.resolved.dnssec = "allow-downgrade"; + #services.resolved.extraConfig = '' + # ResolveUnicastSingleLabel=yes + #''; + virtualisation = { libvirtd.enable = true; }; + system.autoUpgrade = { + enable = true; + operation = "boot"; + allowReboot = false; + }; + services.trezord.enable = true; services.ollama = { diff --git a/systems/x86_64-linux/x1/xremap.nix b/systems/x86_64-linux/x1/xremap.nix index c28dd0a..64a45c0 100644 --- a/systems/x86_64-linux/x1/xremap.nix +++ b/systems/x86_64-linux/x1/xremap.nix 
@@ -1,21 +1,33 @@ +# In /etc/nixos/configuration.nix { ... }: { - metacfg.services.xremap = { - enable = true; - deviceNames = [ - "Hangsheng MonsGeek Keyboard" - "HS Galaxy100 Keyboard" + users.users.harald.extraGroups = [ "input" ]; + + # Enable the xremap service + services.xremap.enable = true; + services.xremap.userName = "harald"; # Replace with your username + services.xremap.serviceMode = "user"; # Run as user service, not system-wide + services.xremap.withGnome = true; + + # Add a specific configuration block to select your keyboard(s) by name + services.xremap.deviceNames = [ + # Use the name found in the log output: "Hangsheng MonsGeek Keyboard System Control" + "Hangsheng MonsGeek Keyboard" + "HS Galaxy100 Keyboard" + # You can usually shorten the name slightly to match the device you want + ]; + + # Define your remapping configuration using Nix's attribute set format + services.xremap.config = { + keymap = [ + { + remap = { + # Map Alt+C (LeftAlt-C) to Ctrl+C (LeftControl-C) + LeftAlt-C = "COPY"; + LeftAlt-V = "PASTE"; + LeftAlt-X = "CUT"; + }; + } ]; - config = { - keymap = [ - { - remap = { - LeftAlt-C = "COPY"; - LeftAlt-V = "PASTE"; - LeftAlt-X = "CUT"; - }; - } - ]; - }; }; }