my nix configs
Harald Hoyer
e0d2a2f50d
End-to-end verified: aqbanking-cli fetches Sparda Südwest transactions via FinTS PIN/TAN + SecureGo+, exports CSV using a custom decimal-amount profile, POSTs to firefly-iii-data-importer's autoupload endpoint, which creates transactions in Firefly III via API. Changes vs. previous WIP commit: - firefly/access_token sops slot for the importer's Firefly III API auth (FIREFLY_III_ACCESS_TOKEN_FILE — was the missing piece causing 401s from the API after the autoupload secret authenticated) - nginx fastcgi_read_timeout=600s on the importer vhost (prevents 504 while PHP-FPM is still processing the batch) - PHP-FPM max_execution_time=600s + memory_limit=512M on the importer pool (PHP's stock 30s aborts mid-import for batches > ~50 transactions) - timer re-enabled, wantedBy=[timers.target] Caveats baked into a code comment: - Sparda online-banking PIN must be [A-Za-z0-9] only. aqbanking 6.8.2's -P pinfile mangles `:`, `+`, `'`, `?`, `@`, `%`, `*`; bank locks the access (3 soft / 9 hard strikes) on rejected attempts. Same applies whenever the sops secret is rotated. - Bulk historical imports beyond the PSD2 90-day window need interactive SCA approval per ~30-day chunk and cannot run from the timer; the daily 35-day rolling window stays inside the no-SCA region. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .secrets | ||
| homes | ||
| lib | ||
| modules | ||
| overlays | ||
| packages | ||
| systems | ||
| .gitattributes | ||
| .gitignore | ||
| .sops.yaml | ||
| CLAUDE.md | ||
| flake.lock | ||
| flake.nix | ||
| README.md | ||
NixOS Configuration
A modular NixOS configuration setup for multiple systems.
Project Structure
modules/: Reusable NixOS/Darwin modulescommon.nix: Common module imports and definitionsnixos/: NixOS-specific moduleshome/: Home Manager integration for NixOSnix/: Nix package manager configurationnix-ld/: Dynamic linking supportnetwork/: Network configuration modulesresolved/: DNS resolution configuration
security/: Security-related modulesssh-host-keys/: SSH host key management
services/: Service configuration modulesbase/: Basic system configurationgui/: Graphical interface setuphomeprinter/: Home printer supportpodman/: Container runtimesecureboot/: Secure boot configuration
sgx/: Intel SGX supportaesmd_dcap/: SGX AESMD DCAP servicepccs/: SGX Provisioning Certificate Caching Service
system/: System configuration modulesauto-upgrade/: Automatic system upgradeslimits/: System resource limitszram/: ZRAM swap configuration
tools/: Common tools configurationdirenv/: Direnv integrationgit/: Git configuration
user/: User account configurationvirtualization/: Virtualization support
home/: Home Manager modulescli-apps/: Command-line applicationsgui/: GUI application configurationtools/: User tools configurationuser/: User preferences
darwin/: Darwin-specific moduleshome/,nix/,security/, etc.
systems/: Individual system configurationsx86_64-linux/: Linux systems on x86_64aarch64-linux/: Linux systems on ARMx86_64-darwin/: macOS systems on x86_64aarch64-darwin/: macOS systems on ARM
homes/: Home Manager configurations for each user/systemlib/: Helper functions and utilitiesoverlays/: Nixpkgs overlayspackages/: Custom packages
Using the Configurations
Install a system via nixos-anywhere
$ nix run github:numtide/nixos-anywhere -- \
--flake 'git+https://git.hoyer.xyz/harald/nixcfg'.#hostname \
root@hostname --no-reboot --tty -i $HOME/.ssh/id_ed25519
... enter disk password
$ ssh -t root@hostname systemd-cryptenroll /dev/luksdev --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=1,15
Update NixOS system
$ nixos-rebuild --use-remote-sudo -L --show-trace --refresh --flake git+https://git.hoyer.xyz/harald/nixcfg boot
Update macOS system
$ darwin-rebuild -L --show-trace --refresh --flake git+https://git.hoyer.xyz/harald/nixcfg switch
Update home-manager configuration
$ nix --refresh run 'git+https://git.hoyer.xyz/harald/nixcfg' -- \
switch -b backup --flake 'git+https://git.hoyer.xyz/harald/nixcfg'