
No commits in common. "eb10ad018ff6bc81e9f85a2eb8673896cf133da7" and "ea849f2488567c58def2e8090cf830103717b328" have entirely different histories.

22 changed files with 262 additions and 355 deletions

88
flake.lock generated

@ -19,16 +19,16 @@
"brew-src": {
"flake": false,
"locked": {
"lastModified": 1769363988,
"narHash": "sha256-BiGPeulrDVetXP+tjxhMcGLUROZAtZIhU5m4MqawCfM=",
"lastModified": 1763638478,
"narHash": "sha256-n/IMowE9S23ovmTkKX7KhxXC2Yq41EAVFR2FBIXPcT8=",
"owner": "Homebrew",
"repo": "brew",
"rev": "d01011cac6d72032c75fd2cd9489909e95d9faf2",
"rev": "fbfdbaba008189499958a7aeb1e2c36ab10c067d",
"type": "github"
},
"original": {
"owner": "Homebrew",
"ref": "5.0.12",
"ref": "5.0.3",
"repo": "brew",
"type": "github"
}
@ -134,11 +134,11 @@
]
},
"locked": {
"lastModified": 1769524058,
"narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=",
"lastModified": 1768923567,
"narHash": "sha256-GVJ0jKsyXLuBzRMXCDY6D5J8wVdwP1DuQmmvYL/Vw/Q=",
"owner": "nix-community",
"repo": "disko",
"rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d",
"rev": "00395d188e3594a1507f214a2f15d4ce5c07cb28",
"type": "github"
},
"original": {
@ -421,11 +421,11 @@
]
},
"locked": {
"lastModified": 1769580047,
"narHash": "sha256-tNqCP/+2+peAXXQ2V8RwsBkenlfWMERb+Uy6xmevyhM=",
"lastModified": 1768949235,
"narHash": "sha256-TtjKgXyg1lMfh374w5uxutd6Vx2P/hU81aEhTxrO2cg=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "366d78c2856de6ab3411c15c1cb4fb4c2bf5c826",
"rev": "75ed713570ca17427119e7e204ab3590cc3bf2a5",
"type": "github"
},
"original": {
@ -454,11 +454,11 @@
"homebrew-cask": {
"flake": false,
"locked": {
"lastModified": 1769770011,
"narHash": "sha256-Z+qyxP9dQVk1xBJKJvrvKg2/8SGnYEUArs5vJuhc4ZE=",
"lastModified": 1769077283,
"narHash": "sha256-alvFQmhX8POHxBP3/jResx6AJ06X+k6SF4/CiNndpPA=",
"owner": "homebrew",
"repo": "homebrew-cask",
"rev": "4b98892b8c059ebc23e6516c917f6b01741a2969",
"rev": "4a8185e145fa4fc8326705c666d608c3ee761612",
"type": "github"
},
"original": {
@ -470,11 +470,11 @@
"homebrew-core": {
"flake": false,
"locked": {
"lastModified": 1769769028,
"narHash": "sha256-9RhJZXZO/PJ7A+917XRROv8xPtzHlPthtAMhunUAfM0=",
"lastModified": 1769077518,
"narHash": "sha256-QtWC5CcY9xzfjcThSwZgise9RXbM2vZmw+Tot67RiJo=",
"owner": "homebrew",
"repo": "homebrew-core",
"rev": "95b2944276a57b176eadc835575c3b591f88999f",
"rev": "2ac083c750fa2a6999ad05a7352e8edbd7abd969",
"type": "github"
},
"original": {
@ -562,11 +562,11 @@
"systems": "systems_2"
},
"locked": {
"lastModified": 1769716128,
"narHash": "sha256-CAsiyTNjI0WmtJstw3kGyL7Q1jPCn7AsO6Ms47G+x3w=",
"lastModified": 1768906339,
"narHash": "sha256-iwkHIz2IYRcELkBoKXQUHlP0bFGmrHIz/roJUVYsyx8=",
"owner": "NotAShelf",
"repo": "nvf",
"rev": "866b983c4047b87bcdca6ab3673ed7bd602f0251",
"rev": "18c55d3bebf2c704970b4ea6fd0261808bec8d94",
"type": "github"
},
"original": {
@ -580,11 +580,11 @@
"brew-src": "brew-src"
},
"locked": {
"lastModified": 1769437432,
"narHash": "sha256-8d7KnCpT2LweRvSzZYEGd9IM3eFX+A78opcnDM0+ndk=",
"lastModified": 1764473698,
"narHash": "sha256-C91gPgv6udN5WuIZWNehp8qdLqlrzX6iF/YyboOj6XI=",
"owner": "zhaofengli-wip",
"repo": "nix-homebrew",
"rev": "a5409abd0d5013d79775d3419bcac10eacb9d8c5",
"rev": "6a8ab60bfd66154feeaa1021fc3b32684814a62a",
"type": "github"
},
"original": {
@ -595,11 +595,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1769302137,
"narHash": "sha256-QEDtctEkOsbx8nlFh4yqPEOtr4tif6KTqWwJ37IM2ds=",
"lastModified": 1768736227,
"narHash": "sha256-qgGq7CfrYKc3IBYQ7qp0Z/ZXndQVC5Bj0N8HW9mS2rM=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "a351494b0e35fd7c0b7a1aae82f0afddf4907aa8",
"rev": "d447553bcbc6a178618d37e61648b19e744370df",
"type": "github"
},
"original": {
@ -642,11 +642,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1769598131,
"narHash": "sha256-e7VO/kGLgRMbWtpBqdWl0uFg8Y2XWFMdz0uUJvlML8o=",
"lastModified": 1768940263,
"narHash": "sha256-sJERJIYTKPFXkoz/gBaBtRKke82h4DkX3BBSsKbfbvI=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "fa83fd837f3098e3e678e6cf017b2b36102c7211",
"rev": "3ceaaa8bc963ced4d830e06ea2d0863b6490ff03",
"type": "github"
},
"original": {
@ -748,11 +748,11 @@
]
},
"locked": {
"lastModified": 1769742225,
"narHash": "sha256-roSD/OJ3x9nF+Dxr+/bLClX3U8FP9EkCQIFpzxKjSUM=",
"lastModified": 1769050281,
"narHash": "sha256-1H8DN4UZgEUqPUA5ecHOufLZMscJ4IlcGaEftaPtpBY=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "bcdd8d37594f0e201639f55889c01c827baf5c75",
"rev": "6deef0585c52d9e70f96b6121207e1496d4b0c49",
"type": "github"
},
"original": {
@ -835,11 +835,11 @@
]
},
"locked": {
"lastModified": 1769469829,
"narHash": "sha256-wFcr32ZqspCxk4+FvIxIL0AZktRs6DuF8oOsLt59YBU=",
"lastModified": 1768863606,
"narHash": "sha256-1IHAeS8WtBiEo5XiyJBHOXMzECD6aaIOJmpQKzRRl64=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "c5eebd4eb2e3372fe12a8d70a248a6ee9dd02eff",
"rev": "c7067be8db2c09ab1884de67ef6c4f693973f4a2",
"type": "github"
},
"original": {
@ -932,11 +932,11 @@
},
"unstable": {
"locked": {
"lastModified": 1769461804,
"narHash": "sha256-msG8SU5WsBUfVVa/9RPLaymvi5bI8edTavbIq3vRlhI=",
"lastModified": 1768886240,
"narHash": "sha256-C2TjvwYZ2VDxYWeqvvJ5XPPp6U7H66zeJlRaErJKoEM=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "bfc1b8a4574108ceef22f02bafcf6611380c100d",
"rev": "80e4adbcf8992d3fd27ad4964fbb84907f9478b0",
"type": "github"
},
"original": {
@ -949,16 +949,16 @@
"xremap": {
"flake": false,
"locked": {
"lastModified": 1769021727,
"narHash": "sha256-2wylBk3+Zu1pHa41dhKwvUtxOVyHSMRDfOD9fIp8x2I=",
"lastModified": 1766606475,
"narHash": "sha256-FPZ4iQA/vVZGzbO8i8lTK8i9A3zs9BLqMvTMeAVv9rQ=",
"owner": "k0kubun",
"repo": "xremap",
"rev": "890e0a6ca92e90f3bcbd1e235abcf2192e233a46",
"rev": "cdc744d873c19899ef21f329c4305b4b5e53d459",
"type": "github"
},
"original": {
"owner": "k0kubun",
"ref": "v0.14.10",
"ref": "v0.14.8",
"repo": "xremap",
"type": "github"
}
@ -971,11 +971,11 @@
"xremap": "xremap"
},
"locked": {
"lastModified": 1769636170,
"narHash": "sha256-X000Dgg053Dv9NIzm1b9QYSAHYtW2jHMVALQezui7L0=",
"lastModified": 1767318478,
"narHash": "sha256-h3oE50RedA8DRGrFU+Hv2kirt4rmzdaC9oSD+MSg9Ms=",
"owner": "xremap",
"repo": "nix-flake",
"rev": "00bc6dd4275d4b003a17ef7f5f271ba87f73d698",
"rev": "9a2224aa01a3c86e94b398c33329c8ff6496dc5d",
"type": "github"
},
"original": {


@ -1,25 +0,0 @@
{
config,
lib,
...
}:
with lib;
with lib.metacfg;
let
cfg = config.metacfg.hardware.wooting;
in
{
options.metacfg.hardware.wooting = with types; {
enable = mkBoolOpt false "Whether or not to enable Wooting keyboard support.";
enableBluetoothCompat = mkBoolOpt true "Disable ClassicBondedOnly for Bluetooth compatibility.";
};
config = mkIf cfg.enable {
hardware.bluetooth.input.General.ClassicBondedOnly = mkIf cfg.enableBluetoothCompat false;
services.udev.extraRules = ''
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="342d", ATTRS{idProduct}=="e4c5", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="342d", ATTRS{idProduct}=="e489", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"
'';
};
}


@ -1,41 +0,0 @@
{
config,
lib,
...
}:
with lib;
with lib.metacfg;
let
cfg = config.metacfg.services.acmeBase;
in
{
options.metacfg.services.acmeBase = with types; {
enable = mkBoolOpt false "Whether or not to enable ACME with common settings.";
email = mkOption {
type = types.str;
default = "harald@hoyer.xyz";
description = "Registration email for ACME.";
};
dnsProvider = mkOption {
type = types.str;
default = "cloudflare";
description = "DNS provider for ACME DNS-01 challenge.";
};
credentialsFile = mkOption {
type = types.nullOr types.path;
default = null;
description = "Path to the credentials file for the DNS provider.";
};
};
config = mkIf cfg.enable {
security.acme = {
acceptTerms = true;
defaults = {
email = cfg.email;
dnsProvider = cfg.dnsProvider;
credentialsFile = mkIf (cfg.credentialsFile != null) cfg.credentialsFile;
};
};
};
}


@ -1,42 +0,0 @@
{
config,
lib,
...
}:
with lib;
with lib.metacfg;
let
cfg = config.metacfg.services.nginxBase;
in
{
options.metacfg.services.nginxBase = with types; {
enable = mkBoolOpt false "Whether or not to enable nginx with common settings.";
clientMaxBodySize = mkOption {
type = types.str;
default = "1000M";
description = "Maximum allowed size of the client request body.";
};
enableAcmeGroup = mkBoolOpt true "Add nginx user to acme group.";
enableVcombinedLog = mkBoolOpt true "Enable vcombined log format.";
};
config = mkIf cfg.enable {
users.users.nginx.extraGroups = mkIf cfg.enableAcmeGroup [ "acme" ];
services.nginx = {
enable = true;
clientMaxBodySize = cfg.clientMaxBodySize;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
appendHttpConfig = mkIf cfg.enableVcombinedLog ''
log_format vcombined '$host:$server_port '
'$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log vcombined;
'';
};
};
}


@ -1,44 +0,0 @@
{
config,
lib,
...
}:
with lib;
with lib.metacfg;
let
cfg = config.metacfg.services.xremap;
in
{
options.metacfg.services.xremap = with types; {
enable = mkBoolOpt false "Whether or not to enable xremap key remapping.";
userName = mkOption {
type = types.str;
default = "harald";
description = "User to run xremap as.";
};
withGnome = mkBoolOpt true "Enable GNOME support.";
deviceNames = mkOption {
type = types.listOf types.str;
default = [ ];
description = "List of device names to remap.";
};
config = mkOption {
type = types.attrs;
default = { };
description = "Xremap configuration.";
};
};
config = {
services.xremap = {
enable = cfg.enable;
userName = mkIf cfg.enable cfg.userName;
serviceMode = mkIf cfg.enable "user";
withGnome = mkIf cfg.enable cfg.withGnome;
deviceNames = mkIf cfg.enable cfg.deviceNames;
config = mkIf cfg.enable cfg.config;
};
users.users.${cfg.userName}.extraGroups = mkIf cfg.enable [ "input" ];
};
}


@ -1,29 +0,0 @@
{
config,
lib,
...
}:
with lib;
with lib.metacfg;
let
cfg = config.metacfg.system.kernelTweaks;
in
{
options.metacfg.system.kernelTweaks = with types; {
enable = mkBoolOpt false "Whether or not to enable desktop kernel optimizations.";
pmFreezeTimeout = mkOption {
type = types.int;
default = 30000;
description = "PM freeze timeout in milliseconds.";
};
enableZram = mkBoolOpt true "Enable zram swap.";
};
config = mkIf cfg.enable {
boot.kernel.sysctl = {
"power.pm_freeze_timeout" = cfg.pmFreezeTimeout;
};
zramSwap.enable = cfg.enableZram;
};
}


@ -1,28 +0,0 @@
{
config,
lib,
...
}:
with lib;
with lib.metacfg;
let
cfg = config.metacfg.system.noSleep;
in
{
options.metacfg.system.noSleep = with types; {
enable = mkBoolOpt false "Whether or not to disable all sleep targets.";
disableGdmAutoSuspend = mkBoolOpt false "Disable GDM auto-suspend.";
ignoreLidSwitch = mkBoolOpt false "Ignore lid switch events.";
};
config = mkIf cfg.enable {
systemd.targets.sleep.enable = false;
systemd.targets.suspend.enable = false;
systemd.targets.hibernate.enable = false;
systemd.targets.hybrid-sleep.enable = false;
services.displayManager.gdm.autoSuspend = mkIf cfg.disableGdmAutoSuspend false;
services.logind.settings.Login.HandleLidSwitch = mkIf cfg.ignoreLidSwitch "ignore";
};
}


@ -9,13 +9,7 @@ with lib.metacfg;
services.spice-autorandr.enable = true;
services.spice-vdagentd.enable = true;
services.resolved.enable = true;
services.resolved.extraConfig = ''
ResolveUnicastSingleLabel=yes
'';
metacfg = {
system.noSleep.enable = true;
base.enable = true;
gui.enable = true;
nix-ld.enable = true;
@ -40,6 +34,13 @@ with lib.metacfg;
];
};
# Disable the GNOME3/GDM auto-suspend feature that cannot be disabled in GUI!
# If no user is logged in, the machine will power down after 20 minutes.
systemd.targets.sleep.enable = false;
systemd.targets.suspend.enable = false;
systemd.targets.hibernate.enable = false;
systemd.targets.hybrid-sleep.enable = false;
environment.systemPackages = with pkgs; [
azure-cli
desktop-file-utils
@ -59,11 +60,16 @@ with lib.metacfg;
services.ratbagd.enable = true;
services.resolved.enable = true;
#services.resolved.dnssec = "allow-downgrade";
services.resolved.extraConfig = ''
ResolveUnicastSingleLabel=yes
'';
virtualisation = {
docker.enable = true;
podman.dockerCompat = false;
libvirtd.enable = false;
rosetta.enable = true;
};
system.autoUpgrade = {
@ -72,5 +78,7 @@ with lib.metacfg;
allowReboot = false;
};
virtualisation.rosetta.enable = true;
system.stateVersion = "25.05";
}
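Review bot: `ResolveUnicastSingleLabel=yes` in the third hunk (`@ -59,11 +60,16 @@`, the `services.resolved.extraConfig` string) is carried over without a comment saying which unicast DNS setup needs bare single-label lookups; systemd-resolved's documentation treats forwarding single-label names to upstream DNS as a security tradeoff, so the reason belongs next to the setting, e.g. `# Resolve bare hostnames via the internal DNS server (needed for <placeholder: internal domain>)`. The neighbouring `#services.resolved.dnssec = "allow-downgrade";` records that DNSSEC validation was tried and left off, but not why; the same pair recurs in the identical section that follows and, as a commented block, in the two desktop hosts further down, so one sentence of rationale would cover all of them. Separately, this section ends up with `rosetta.enable = true;` inside `virtualisation = { … }` and a bare `virtualisation.rosetta.enable = true;` a few lines later; if both land on the same side, Nix should reject the repeated attribute path, and the rendered page does not show which of the two is being added. The enclosing module attrset starts and ends outside these hunks.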


@ -9,13 +9,7 @@ with lib.metacfg;
services.spice-autorandr.enable = true;
services.spice-vdagentd.enable = true;
services.resolved.enable = true;
services.resolved.extraConfig = ''
ResolveUnicastSingleLabel=yes
'';
metacfg = {
system.noSleep.enable = true;
base.enable = true;
gui.enable = true;
nix-ld.enable = true;
@ -40,6 +34,13 @@ with lib.metacfg;
];
};
# Disable the GNOME3/GDM auto-suspend feature that cannot be disabled in GUI!
# If no user is logged in, the machine will power down after 20 minutes.
systemd.targets.sleep.enable = false;
systemd.targets.suspend.enable = false;
systemd.targets.hibernate.enable = false;
systemd.targets.hybrid-sleep.enable = false;
environment.systemPackages = with pkgs; [
azure-cli
desktop-file-utils
@ -59,11 +60,16 @@ with lib.metacfg;
services.ratbagd.enable = true;
services.resolved.enable = true;
#services.resolved.dnssec = "allow-downgrade";
services.resolved.extraConfig = ''
ResolveUnicastSingleLabel=yes
'';
virtualisation = {
docker.enable = true;
podman.dockerCompat = false;
libvirtd.enable = false;
rosetta.enable = true;
};
system.autoUpgrade = {
@ -72,5 +78,7 @@ with lib.metacfg;
allowReboot = false;
};
virtualisation.rosetta.enable = true;
system.stateVersion = "25.05";
}


@ -18,17 +18,21 @@ with lib.metacfg;
22000
];
services.tailscale.enable = true;
services.cratedocs-mcp.enable = true;
services.openssh = {
enable = true;
};
services.tailscale.enable = true;
services.resolved.enable = true;
hardware.bluetooth.input.General.ClassicBondedOnly = false;
services.udev.extraRules = ''
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="342d", ATTRS{idProduct}=="e4c5", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="342d", ATTRS{idProduct}=="e489", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"
'';
metacfg = {
hardware.wooting.enable = true;
base.enable = true;
gui.enable = true;
nix-ld.enable = true;
@ -55,21 +59,15 @@ with lib.metacfg;
"dialout"
"tss"
];
system.kernelTweaks.enable = true;
};
system.autoUpgrade = {
enable = true;
operation = "boot";
allowReboot = false;
};
nixpkgs.config.permittedInsecurePackages = [
"electron-27.3.11"
];
# Additional kernel tuning beyond the module defaults
# Kernel tuning
boot.kernel.sysctl = {
"power.pm_freeze_timeout" = 30000;
# Reduce swap usage (you have zram)
"vm.swappiness" = 10;
# Prefer keeping directory/inode caches
@ -103,7 +101,6 @@ with lib.metacfg;
kubectl
kubectx
logseq
nvtopPackages.amd
obsidian
piper-tts
tipp10
@ -114,18 +111,32 @@ with lib.metacfg;
# zram swap with zstd compression for better performance
zramSwap = {
enable = true;
algorithm = "zstd";
memoryPercent = 50;
};
services.ratbagd.enable = true;
services.resolved.enable = true;
#services.resolved.dnssec = "allow-downgrade";
#services.resolved.extraConfig = ''
# ResolveUnicastSingleLabel=yes
#'';
virtualisation = {
libvirtd.enable = true;
docker.enable = true;
podman.dockerCompat = false;
};
system.autoUpgrade = {
enable = true;
operation = "boot";
allowReboot = false;
};
services.trezord.enable = true;
services.ollama = {
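Review bot: The inline udev rules in the first hunk (`@ -18,17 +18,21 @@`) combine `TAG+="uaccess"` with `GROUP="users", MODE="0660"`, so every account in the `users` group gets raw hidraw access to the keyboard, not just the user at the active seat that `uaccess` already covers; `TAG+="udev-acl"` is the ConsoleKit-era spelling of the same idea and, as far as I know, is not acted on by systemd's udev. Unless a non-seated account needs the device, ending both lines with `MODE="0660", TAG+="uaccess"` (dropping `GROUP="users"` and `TAG+="udev-acl"`) keeps the intended behaviour for the logged-in user with the smaller audience; the same two rules appear in the other desktop host near the end of the compare and in the deleted module. I am reading the rendered page as showing these lines on the new side, since the module that used to carry them is removed in this compare. The `services.udev.extraRules` string is complete inside the hunk, but the surrounding module attrset starts and ends outside it.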


@ -1,15 +1,28 @@
# In /etc/nixos/configuration.nix
{ ... }:
{
metacfg.services.xremap = {
enable = true;
deviceNames = [
users.users.harald.extraGroups = [ "input" ];
# Enable the xremap service
services.xremap.enable = true;
services.xremap.userName = "harald"; # Replace with your username
services.xremap.serviceMode = "user"; # Run as user service, not system-wide
services.xremap.withGnome = true;
# Add a specific configuration block to select your keyboard(s) by name
services.xremap.deviceNames = [
# Use the name found in the log output: "Hangsheng MonsGeek Keyboard System Control"
"Hangsheng MonsGeek Keyboard"
"HS Galaxy100 Keyboard"
# You can usually shorten the name slightly to match the device you want
];
config = {
# Define your remapping configuration using Nix's attribute set format
services.xremap.config = {
keymap = [
{
remap = {
# Map Alt+C (LeftAlt-C) to Ctrl+C (LeftControl-C)
LeftAlt-C = "COPY";
LeftAlt-V = "PASTE";
LeftAlt-X = "CUT";
@ -17,5 +30,4 @@
}
];
};
};
}
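Review bot: `users.users.harald.extraGroups = [ "input" ];` at the top of the first hunk (`@ -1,15 +1,28 @@`) is what makes the user-mode service possible, and it deserves a comment stating the cost: membership in `input` lets any process running as that user read every evdev device, i.e. observe all keystrokes, not only xremap. Suggested: `# xremap runs as a user service and needs raw evdev access; this grants every process of this user read access to all input devices`. The comments `# Replace with your username` and `# You can usually shorten the name slightly to match the device you want` read as leftovers from the upstream example rather than documentation of this host; trimming them makes the file read as configuration. The identical section appears once more near the end of the compare and the same note applies there.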


@ -1,4 +1,6 @@
{
pkgs,
lib,
config,
...
}:
@ -7,9 +9,14 @@
sopsFile = ../../../.secrets/hetzner/internetbs.yaml; # bring your own password file
};
metacfg.services.acmeBase.credentialsFile = config.sops.secrets.internetbs.path;
security.acme.certs = {
security.acme = {
acceptTerms = true;
defaults = {
email = "harald@hoyer.xyz";
dnsProvider = "cloudflare";
credentialsFile = config.sops.secrets.internetbs.path;
};
certs = {
"surfsite.org" = {
extraDomainNames = [ "*.surfsite.org" ];
};
@ -64,4 +71,5 @@
extraDomainNames = [ "*.harald-hoyer.de" ];
};
};
};
}
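Review bot: `credentialsFile = config.sops.secrets.internetbs.path;` in the second hunk (`@ -7,9 +9,14 @@`) hands a secret named after one registrar to `dnsProvider = "cloudflare"`; the name mismatch may be historical, but it is worth confirming that the file carries the variables lego's Cloudflare provider reads, because the wildcard entries (`*.surfsite.org`, `*.harald-hoyer.de`) can only be issued and renewed through DNS-01. Since that token can rewrite DNS for those zones, a comment next to the line recording its scope is useful, e.g. `# Cloudflare API token limited to DNS edit on the zones listed under certs`. The first hunk adds `pkgs` and `lib` to the module arguments, and none of the visible lines use them. The `security.acme = {` block opened here closes in the last hunk; the same defaults block is inlined verbatim in the sgx host's certificate file further down, so the two now have to be kept in step by hand.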


@ -22,8 +22,6 @@
services.tailscale.enable = true;
metacfg = {
services.nginxBase.enable = true;
services.acmeBase.enable = true;
emailOnFailure.enable = true;
base.enable = true;
nix.enable = true;
@ -44,6 +42,7 @@
dates = "04:00";
operation = "switch";
allowReboot = true;
# flake = lib.mkForce "git+file:///var/lib/gitea/repositories/harald/nixcfg.git#mx";
flake = lib.mkForce "/root/nixcfg/.#mx";
};
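Review bot: `flake = lib.mkForce "/root/nixcfg/.#mx";` in the second hunk (`@ -44,6 +42,7 @@`) points the 04:00 `operation = "switch"` / `allowReboot = true` run at a local checkout, so nothing in this block ever fetches new commits; unless another unit updates `/root/nixcfg`, the nightly job rebuilds and re-applies the same tree. The commented `git+file://…/nixcfg.git#mx` line above it suggests the repository-backed variant was tried and dropped; a one-line comment saying what updates the checkout (or that a local re-switch is intended) would save the next reader the question. The `system.autoUpgrade = {` block starts before this hunk.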


@ -1,6 +1,21 @@
{ ... }:
{
services.nginx.virtualHosts = {
users.users.nginx.extraGroups = [ "acme" ];
services.nginx = {
enable = true;
clientMaxBodySize = "1000M";
appendHttpConfig = ''
log_format vcombined '$host:$server_port '
'$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log vcombined;
'';
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"00000" = {
useACMEHost = "hoyer.xyz";
serverName = "_";
@ -142,4 +157,5 @@
forceSSL = true;
};
};
};
}
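Review bot: `clientMaxBodySize = "1000M";` in the first hunk (`@ -1,6 +1,21 @@`) sits at the `services.nginx` level, so every virtual host in this file, including the catch-all `"00000"` with `serverName = "_"`, accepts request bodies of up to 1000M and buffers them to disk; only the hosts that actually take uploads need that limit. Setting it per vhost with `extraConfig = "client_max_body_size 1000M;";` on those entries and leaving the global default narrows the disk-fill surface of the public listener. The `log_format vcombined` / `access_log` lines record `$remote_addr` and `$remote_user` for all hosts, which is reasonable, but a short comment on the intended retention would help since no rotation policy is visible here. The same block is pasted into the other nginx file later in the compare; the `services.nginx = {` attrset opened here closes in the second hunk.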


@ -6,6 +6,8 @@
{
imports = [ ./hardware-configuration.nix ];
services.tailscale.enable = true;
boot.kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest;
boot.loader.systemd-boot.enable = false;
# Bootloader.
@ -16,8 +18,6 @@
security.tpm2.enable = false;
security.tpm2.abrmd.enable = false;
services.tailscale.enable = true;
metacfg = {
base.enable = true;
nix-ld.enable = true;
@ -37,6 +37,12 @@
podman.dockerCompat = false;
};
system.autoUpgrade = {
enable = true;
operation = "switch";
allowReboot = true;
};
networking.wireless.enable = false; # Enables wireless support via wpa_supplicant.
networking.firewall.allowPing = true;
@ -60,11 +66,5 @@
}
];
system.autoUpgrade = {
enable = true;
operation = "switch";
allowReboot = true;
};
system.stateVersion = "25.05";
}


@ -1,5 +1,7 @@
{
pkgs,
lib,
config,
...
}:
with lib;
@ -15,17 +17,17 @@ with lib.metacfg;
nix.enable = true;
};
virtualisation = {
docker.enable = true;
podman.dockerCompat = false;
};
system.autoUpgrade = {
enable = true;
operation = "switch";
allowReboot = true;
};
virtualisation = {
docker.enable = true;
podman.dockerCompat = false;
};
security.tpm2.enable = false;
security.tpm2.abrmd.enable = false;


@ -7,9 +7,14 @@
sopsFile = ../../../.secrets/sgx/internetbs.yaml; # bring your own password file
};
metacfg.services.acmeBase.credentialsFile = config.sops.secrets.internetbs.path;
security.acme.certs = {
security.acme = {
acceptTerms = true;
defaults = {
email = "harald@hoyer.xyz";
dnsProvider = "cloudflare";
credentialsFile = config.sops.secrets.internetbs.path;
};
certs = {
"internal.hoyer.world" = {
extraDomainNames = [
"openwebui.hoyer.world"
@ -18,4 +23,5 @@
];
};
};
};
}


@ -12,6 +12,8 @@
./wyoming.nix
];
services.tailscale.enable = true;
boot.tmp.useTmpfs = false;
sops.secrets.pccs.sopsFile = ../../../.secrets/sgx/pccs.yaml;
@ -21,16 +23,7 @@
claude-code
];
services.tailscale.enable = true;
metacfg = {
services.nginxBase.enable = true;
services.acmeBase.enable = true;
system.noSleep = {
enable = true;
disableGdmAutoSuspend = true;
ignoreLidSwitch = true;
};
emailOnFailure.enable = true;
base.enable = true;
gui.enable = true;
@ -65,5 +58,13 @@
allowReboot = true;
};
systemd.targets.sleep.enable = false;
systemd.targets.suspend.enable = false;
systemd.targets.hibernate.enable = false;
systemd.targets.hybrid-sleep.enable = false;
services.displayManager.gdm.autoSuspend = false;
services.logind.settings.Login.HandleLidSwitch = "ignore";
system.stateVersion = "23.11";
}
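Review bot: The six lines added in the last hunk (`@ -65,5 +58,13 @@`), from `systemd.targets.sleep.enable = false;` through `services.logind.settings.Login.HandleLidSwitch = "ignore";`, arrive without the explanatory comment the equivalent block carries in the first two hosts of this compare (`# Disable the GNOME3/GDM auto-suspend feature that cannot be disabled in GUI!`); the option that previously grouped them (`system.noSleep` with `disableGdmAutoSuspend` and `ignoreLidSwitch`) is removed in the second hunk, so the intent is now carried only by the option names. Copying that comment, plus a line on why the lid switch is ignored on this particular host, keeps the inline form as readable as the module was. The enclosing module attrset starts outside these hunks.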


@ -3,7 +3,22 @@
...
}:
{
services.nginx.virtualHosts = {
users.users.nginx.extraGroups = [ "acme" ];
services.nginx = {
enable = true;
clientMaxBodySize = "1000M";
appendHttpConfig = ''
log_format vcombined '$host:$server_port '
'$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log vcombined;
'';
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"openwebui.hoyer.world" = {
enableACME = false;
useACMEHost = "internal.hoyer.world";
@ -33,4 +48,5 @@
};
};
};
};
}


@ -2,8 +2,6 @@
{
imports = [ ./hardware-configuration.nix ];
services.resolved.enable = true;
metacfg = {
base.enable = true;
gui.enable = true;
@ -29,6 +27,9 @@
system.stateVersion = "23.11";
services.resolved.enable = true;
#services.resolved.dnssec = "allow-downgrade";
sops.age.sshKeyPaths = [ "/persist/ssh/ssh_host_ed25519_key" ];
sops.secrets.backup-s3.sopsFile = ../../../.secrets/t15/backup-s3.yaml;
sops.secrets.backup-pw.sopsFile = ../../../.secrets/t15/backup-s3.yaml;


@ -20,6 +20,8 @@ with lib.metacfg;
programs.ccache.enable = true;
nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ];
services.tailscale.enable = true;
services.cratedocs-mcp.enable = true;
sops.age.sshKeyPaths = [ "/var/lib/secrets/ssh_host_ed25519_key" ];
@ -43,11 +45,13 @@ with lib.metacfg;
];
};
services.tailscale.enable = true;
services.resolved.enable = true;
hardware.bluetooth.input.General.ClassicBondedOnly = false;
services.udev.extraRules = ''
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="342d", ATTRS{idProduct}=="e4c5", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="342d", ATTRS{idProduct}=="e489", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"
'';
metacfg = {
hardware.wooting.enable = true;
base.enable = true;
gui.enable = true;
nix-ld.enable = true;
@ -73,19 +77,17 @@ with lib.metacfg;
"dialout"
"tss"
];
system.kernelTweaks.enable = true;
};
system.autoUpgrade = {
enable = true;
operation = "boot";
allowReboot = false;
};
nixpkgs.config.permittedInsecurePackages = [
"electron-27.3.11"
];
# increase freezing timeout
boot.kernel.sysctl = {
"power.pm_freeze_timeout" = 30000;
};
environment.systemPackages = with pkgs; [
attic-client
azure-cli
@ -110,12 +112,26 @@ with lib.metacfg;
vscode
];
zramSwap.enable = true;
services.ratbagd.enable = true;
services.resolved.enable = true;
#services.resolved.dnssec = "allow-downgrade";
#services.resolved.extraConfig = ''
# ResolveUnicastSingleLabel=yes
#'';
virtualisation = {
libvirtd.enable = true;
};
system.autoUpgrade = {
enable = true;
operation = "boot";
allowReboot = false;
};
services.trezord.enable = true;
services.ollama = {
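Review bot: `nixpkgs.config.permittedInsecurePackages = [ "electron-27.3.11" ];` in the hunk `@ -73,19 +77,17 @@` keeps an Electron release that nixpkgs marks insecure in the system closure with no record of which package depends on it or when the exception can go; the rendered page does not show whether the line is context or added, but it is present on the new side either way. A comment such as `# needed by <placeholder: dependent package>; drop once it moves to a supported electron` turns it into a tracked exception rather than a permanent allow-list entry. The same line appears in the other desktop host earlier in the compare. The enclosing module attrset starts and ends outside these hunks.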


@ -1,15 +1,28 @@
# In /etc/nixos/configuration.nix
{ ... }:
{
metacfg.services.xremap = {
enable = true;
deviceNames = [
users.users.harald.extraGroups = [ "input" ];
# Enable the xremap service
services.xremap.enable = true;
services.xremap.userName = "harald"; # Replace with your username
services.xremap.serviceMode = "user"; # Run as user service, not system-wide
services.xremap.withGnome = true;
# Add a specific configuration block to select your keyboard(s) by name
services.xremap.deviceNames = [
# Use the name found in the log output: "Hangsheng MonsGeek Keyboard System Control"
"Hangsheng MonsGeek Keyboard"
"HS Galaxy100 Keyboard"
# You can usually shorten the name slightly to match the device you want
];
config = {
# Define your remapping configuration using Nix's attribute set format
services.xremap.config = {
keymap = [
{
remap = {
# Map Alt+C (LeftAlt-C) to Ctrl+C (LeftControl-C)
LeftAlt-C = "COPY";
LeftAlt-V = "PASTE";
LeftAlt-X = "CUT";
@ -17,5 +30,4 @@
}
];
};
};
}