

11 Commits

36 changed files with 173 additions and 243 deletions

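--- a/.mcp.json
+++ b/.mcp.json
@@ -0,0 +1,7 @@
+{
+"mcpServers": {
+"nixos": {
+"command": "mcp-nixos"
+}
+}
+}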
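Review bot: The `"command": "mcp-nixos"` entry launches the server by bare name, so whichever binary is first on the PATH of the client that reads this project-level file is what gets started, unpinned to any version or source tracked in this repository, and a `.mcp.json` at the repository root is picked up automatically by clients that support it. The rest of this change pins everything through the flake, so it would be consistent to launch the server through a pinned flake reference in `"command"`/`"args"` as well, or to record in the README which package is expected to provide it. The page shows no provenance for the binary, so this is a suggestion rather than a defect.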


@@ -4,6 +4,10 @@
}:
let
inherit (inputs.nixpkgs) lib;
utils = import ../utils { inherit lib; };
hostDirNames = utils.dirNames ../hosts;
mkNode = hostname: tags: {
imports = [ ../hosts/${hostname} ];
deployment = {
@@ -13,6 +17,10 @@ let
inherit tags;
};
};
nodes = lib.genAttrs hostDirNames (hostname:
mkNode hostname (utils.hostMeta ../hosts/${hostname}).deployment.tags
);
in
inputs.colmena.lib.makeHive {
meta = {
@@ -24,9 +32,5 @@ inputs.colmena.lib.makeHive {
nodeSpecialArgs = builtins.mapAttrs (_: v: v._module.specialArgs or { }) self.nixosConfigurations;
};
astyanax = mkNode "astyanax" [ "local" ];
andromache = mkNode "andromache" [ "local" ];
vm = mkNode "vm" [ "local" ];
hecuba = mkNode "hecuba" [ "cloud" ];
eetion = mkNode "eetion" [ "arm" ];
inherit nodes;
}
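Review bot: `inherit nodes;` inside the attrset handed to `makeHive` creates one attribute named `nodes` that holds every host, whereas the removed lines registered each host as its own top-level attribute (`astyanax = …`, `hecuba = …`). If makeHive treats every attribute other than `meta` as a node, as the old layout relied on, this defines a single bogus node called `nodes` whose "module" is a set of host names, and evaluating it should fail; merge the generated set instead, `inputs.colmena.lib.makeHive ({ meta = { … }; } // nodes)`, or drop `inherit nodes;` and append `// nodes` after the closing brace. Node discovery is now driven by whatever directories exist under `../hosts`, so a stray directory becomes a deploy target or a hard evaluation error via `hostMeta`; a `#` comment above `nodes = lib.genAttrs hostDirNames (hostname:` stating that every host directory must carry a `meta.nix` would make that contract visible. The `meta` attrset continues outside the hunk.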


@@ -130,7 +130,7 @@
apps.${system}.colmena = inputs.colmena.apps.${system}.default;
colmena = import ./deploy/colmena.nix {
colmenaHive = import ./deploy/colmena.nix {
inherit
self
inputs


@@ -47,12 +47,8 @@ in
cloud.hetzner.enable = true;
comms.signal.enable = true;
github.enable = true;
pandoc.enable = true;
shell.bash = {
enable = true;
aliases.lang-js = true;
};
shell.bash.aliases.lang-js = true;
shell.bash.addBinToPath = true;
programs = {
home-manager.enable = true;


@@ -45,13 +45,8 @@ in
cloud.hetzner.enable = true;
comms.signal.enable = true;
github.enable = true;
nfc.proxmark3.enable = true;
pandoc.enable = true;
shell.bash = {
enable = true;
aliases.lang-js = true;
};
shell.bash.aliases.lang-js = true;
shell.bash.addBinToPath = true;
programs = {
home-manager.enable = true;


@@ -18,12 +18,14 @@ in
../../modules/bruno
../../modules/cloud
../../modules/comms
../../modules/database
../../modules/dconf
../../modules/desktop/niri
../../modules/direnv
../../modules/docker
../../modules/git
../../modules/go
../../modules/infra
../../modules/k8s
../../modules/k8s/k9s.nix
../../modules/keepassxc
@@ -100,16 +102,11 @@ in
claude-code.enable = true;
opencode.enable = true;
};
database.mssql.enable = true;
database.postgresql.enable = true;
github.enable = true;
gitlab.enable = true;
pandoc.enable = true;
secrets = {
enable = true;
vault.enable = true;
};
shell.bash.enable = true;
starship.enable = true;
secrets.vault.enable = true;
programs = {
gh.enable = true;


@@ -26,7 +26,7 @@ in
puppy-reinforcement
review-heatmap
];
sync = lib.mkIf sopsAvailable {
profiles."User 1".sync = lib.mkIf sopsAvailable {
usernameFile = "${sopsSecrets."anki_sync_user".path}";
keyFile = "${sopsSecrets."anki_sync_key".path}";
};


@@ -0,0 +1,22 @@
{
config,
lib,
pkgs,
...
}:
{
options.database = {
mssql.enable = lib.mkEnableOption "MSSQL";
postgresql.enable = lib.mkEnableOption "PostgreSQL";
};
config = lib.mkMerge [
(lib.mkIf config.database.mssql.enable {
home.packages = [ (config.nixgl.wrap pkgs.dbeaver-bin) ];
})
(lib.mkIf config.database.postgresql.enable {
home.packages = [ (config.nixgl.wrap pkgs.pgadmin4-desktopmode) ];
})
];
}


@@ -1,18 +1,7 @@
{ pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
{
options.go = {
enable = lib.mkEnableOption "go language";
};
config = lib.mkIf config.go.enable {
home.packages = with pkgs; [
go
gopls
];
};
}


@@ -0,0 +1,10 @@
{ pkgs, ... }:
{
config = {
home.packages = with pkgs; [
opentofu
upbound
];
};
}


@@ -1,21 +1,6 @@
{ pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
cfg = config.nfc.proxmark3;
in
{
options.nfc.proxmark3 = {
enable = lib.mkEnableOption "proxmark3 (iceman fork)";
};
config = lib.mkIf cfg.enable {
home.packages = [
(pkgs.proxmark3.override { withGeneric = true; })
];
};
}


@@ -6,15 +6,12 @@
}:
{
options.nodejs = {
enable = lib.mkEnableOption "nodejs (and related packages)";
package = lib.mkOption {
options.nodejs.package = lib.mkOption {
type = lib.types.package;
default = pkgs.nodejs_24;
};
};
config = lib.mkIf config.nodejs.enable {
config = {
home.packages = with pkgs; [
config.nodejs.package
pnpm


@@ -1,19 +1,8 @@
{ pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
{
options.pandoc = {
enable = lib.mkEnableOption "pandoc";
};
config = lib.mkIf config.pandoc.enable {
home.packages = with pkgs; [
haskellPackages.pandoc-crossref
pandoc
texliveSmall
];
};
}


@@ -1,20 +1,13 @@
{
config,
lib,
pkgs,
...
}:
{
options.secrets = {
enable = lib.mkEnableOption "secrets";
};
imports = [ ./vault.nix ];
config = lib.mkIf config.secrets.enable {
home.packages = with pkgs; [
sops
age
];
};
}


@@ -9,38 +9,32 @@ let
inherit (config.home) username;
in
{
options.shell.bash = {
enable = lib.mkEnableOption "bash configuration";
imports = [ ./utils.nix ];
options.shell.bash = {
aliases = {
all = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Enable common aliases";
};
lang-js = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Enable JavaScript/Node.js aliases";
};
};
addBinToPath = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Add dots .bin directory to PATH";
default = false;
};
extraInit = lib.mkOption {
type = lib.types.lines;
default = "";
description = "Additional bash initialization";
};
};
config = lib.mkIf cfg.enable {
shell-utils.enable = lib.mkDefault true;
config = {
programs.bash = {
enable = true;
enableCompletion = true;
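Review bot: `addBinToPath` appears to lose its `description` in this hunk — as rendered, only `default = false;` survives next to `type` — so with the default flipped, the option no longer tells a reader which directory gets prepended to PATH; keep `description = "Add dots .bin directory to PATH";` alongside the new default. Defaulting to `false` is the right direction, since a repository-local `.bin` directory on PATH shadows system commands on every host that imports the module, which is why the hosts in this change now opt in explicitly. Because the `enable` gate is gone, importing this module configures `programs.bash` unconditionally; a `#` comment above `config = {` saying so would help hosts that previously relied on `shell.bash.enable`. The rendered diff drops old/new markers and the `config` attrset continues past the hunk, so the exact set of removed lines is inferred.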


@@ -1,16 +1,3 @@
{
config,
lib,
...
}:
{
options.starship = {
enable = lib.mkEnableOption "starship prompt";
};
config = lib.mkIf config.starship.enable {
programs.starship = {
enable = true;
};
};
programs.starship.enable = true;
}


@@ -1,15 +1,9 @@
{
config,
lib,
pkgs,
...
}:
{
options.shell-utils = {
enable = lib.mkEnableOption "shell utilities";
};
config = lib.mkIf config.shell-utils.enable {
programs.fzf = {
enable = true;
enableBashIntegration = lib.mkDefault true;
@@ -22,5 +16,4 @@
entr
parallel
];
};
}


@@ -2,6 +2,6 @@
{
config = {
home.packages = [ (config.nixgl.wrap (config.wrapApp pkgs.vscode "--disable-gpu-sandbox")) ];
home.packages = [ (config.nixgl.wrap (config.wrapApp pkgs.vscode "--no-sandbox")) ];
};
}
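Review bot: If the surviving line is the one with `--no-sandbox`, the change widens what is disabled from the GPU process only (`--disable-gpu-sandbox`) to the renderer, extension host and every webview, which is the boundary that contains a malicious extension or a crafted workspace; the older flag was the narrower one. When the GPU-only flag was not enough, the usual cause on non-NixOS hosts is the missing unprivileged user namespace or SUID sandbox helper, which is better fixed at the system level than by turning the whole sandbox off. At minimum add a `#` comment above the `home.packages` line recording why the full sandbox is disabled and on which host it was required. The rendered diff does not preserve which of the two lines is old, so please confirm the direction.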


@@ -35,7 +35,7 @@ in
../../modules/audio
../../modules/localization
../../modules/fonts
../../modules/ssh/hardened-openssh.nix
../../modules/ssh
../../modules/storage
../../modules/stylix
(import ../../modules/secrets { inherit lib inputs config; })
@@ -111,18 +111,11 @@ in
];
};
services = {
locate = {
services.locate = {
enable = true;
package = pkgs.plocate;
};
openssh = {
enable = true;
harden = true;
};
};
networking = {
# TODO: generate unique hostId on actual host with: head -c 8 /etc/machine-id
hostId = "80eef97e";


@@ -0,0 +1,4 @@
{
deployment.tags = [ "local" ];
role = "desktop";
}


@@ -34,7 +34,7 @@ in
../../modules/users
../../modules/localization
../../modules/fonts
../../modules/ssh/hardened-openssh.nix
../../modules/ssh
../../modules/storage
../../modules/stylix
(import ../../modules/secrets { inherit lib inputs config; })
@@ -100,10 +100,6 @@ in
services = {
fwupd.enable = true;
openssh = {
enable = true;
harden = true;
};
locate = {
enable = true;
package = pkgs.plocate;

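--- a/hosts/astyanax/meta.nix
+++ b/hosts/astyanax/meta.nix
@@ -0,0 +1,4 @@
+{
+deployment.tags = [ "local" ];
+role = "laptop";
+}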


@@ -10,7 +10,7 @@ in
{
imports = [
./hard.nix
../../modules/ssh/hardened-openssh.nix
../../modules/ssh
];
ssh = {
@@ -59,13 +59,6 @@ in
security.sudo.wheelNeedsPassword = false;
services = {
openssh = {
enable = true;
harden = true;
};
};
environment.systemPackages = with pkgs; [
vim
git

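--- a/hosts/eetion-02/meta.nix
+++ b/hosts/eetion-02/meta.nix
@@ -0,0 +1,4 @@
+{
+deployment.tags = [ "arm" ];
+role = "embedded";
+}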


@@ -10,7 +10,8 @@ in
{
imports = [
./hard.nix
../../modules/ssh/hardened-openssh.nix
../../modules/ssh
# ../../modules/uptime-kuma
];
ssh = {
@@ -52,11 +53,6 @@ in
security.sudo.wheelNeedsPassword = false;
services = {
openssh = {
enable = true;
harden = true;
};
paperless = {
enable = true;
passwordFile = "/etc/paperless-admin-pass";

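--- a/hosts/eetion/meta.nix
+++ b/hosts/eetion/meta.nix
@@ -0,0 +1,4 @@
+{
+deployment.tags = [ "arm" ];
+role = "embedded";
+}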


@@ -15,9 +15,8 @@ in
inputs.disko.nixosModules.disko
../../modules/common
./hard.nix
../../modules/ssh/hardened-openssh.nix
../../modules/ssh
../../modules/docker
../../modules/uptime-kuma
];
networking.hostName = hostName;
@@ -32,8 +31,6 @@ in
docker.user = username;
my.uptime-kuma.enable = false;
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
fsType = "ext4";
@@ -78,9 +75,4 @@ in
enable = true;
maxretry = 5;
};
services.openssh = {
enable = true;
harden = true;
};
}

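--- a/hosts/hecuba/meta.nix
+++ b/hosts/hecuba/meta.nix
@@ -0,0 +1,4 @@
+{
+deployment.tags = [ "cloud" ];
+role = "server";
+}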


@@ -24,7 +24,7 @@ in
../../modules/localization
../../modules/x
../../modules/fonts
../../modules/ssh/hardened-openssh.nix
../../modules/ssh
../../modules/storage
(import ../../modules/secrets {
inherit lib inputs config;
@@ -63,9 +63,5 @@ in
services = {
qemuGuest.enable = true;
spice-vdagentd.enable = true;
openssh = {
enable = true;
harden = true;
};
};
}

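--- a/hosts/vm/meta.nix
+++ b/hosts/vm/meta.nix
@@ -0,0 +1,4 @@
+{
+deployment.tags = [ "local" ];
+role = "vm";
+}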


@@ -12,7 +12,7 @@ let
in
{
imports = [
../modules/ssh/hardened-openssh.nix
../modules/ssh
];
ssh.username = username;
@@ -37,21 +37,5 @@ in
security.sudo.wheelNeedsPassword = false;
services.openssh = {
enable = true;
harden = true;
};
# sdImage.postBuildCommands =
# let
# bootloaderPackage = pkgs.ubootOrangePiZero2;
# bootloaderSubpath = "/u-boot-sunxi-with-spl.bin";
# in
# ''
# dd if=${bootloaderPackage}${bootloaderSubpath} of=$img \
# bs=8 seek=1024 \
# conv=notrunc
# '';
system.stateVersion = "26.05";
}


@@ -12,7 +12,7 @@ let
in
{
imports = [
../modules/ssh/hardened-openssh.nix
../modules/ssh
];
ssh.username = username;
@@ -60,11 +60,6 @@ in
security.sudo.wheelNeedsPassword = false;
services.openssh = {
enable = true;
harden = true;
};
environment.systemPackages = with pkgs; [
libraspberrypi
];

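--- a/modules/ssh/default.nix
+++ b/modules/ssh/default.nix
+{ lib, ... }:
+{
+imports = [ ./hardened-openssh.nix ];
+config.services.openssh = {
+enable = lib.mkDefault true;
+harden = lib.mkDefault true;
+};
+}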
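Review bot: Both `enable` and `harden` are set with `lib.mkDefault`, so any host or imported module can switch hardening off with a plain `harden = false;` (plain assignments outrank `mkDefault`) and nothing in the build signals that it happened; every host in this change dropped its explicit `harden = true;` in favour of this file, which makes it the single point keeping sshd hardened fleet-wide. If opting out is meant to be deliberate, write `harden = true;` without `mkDefault` so a host has to use `lib.mkForce false`, which stands out in review, and add a `#` comment above `config.services.openssh` stating that importing `modules/ssh` enables and hardens sshd by default. The hunk header announces 10 lines but only 8 are rendered here, so a comment may already exist that I cannot see.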


@@ -10,15 +10,12 @@ let
cfg = config.my.syncthing;
in
{
options.my.syncthing = {
enable = mkEnableOption "Syncthing file synchronization";
username = mkOption {
options.my.syncthing.username = mkOption {
type = types.str;
default = "h";
};
};
config = mkIf cfg.enable {
config = {
users.groups.${cfg.username} = { };
users.users.${cfg.username}.extraGroups = [ cfg.username ];


@@ -1,17 +1,9 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.my.uptime-kuma;
in
{
options.my.uptime-kuma.enable = lib.mkEnableOption "Uptime Kuma monitoring service (Docker container)";
config = lib.mkIf cfg.enable {
virtualisation.oci-containers = {
backend = "docker";
containers.uptime-kuma = {
@@ -35,5 +27,4 @@ in
};
environment.systemPackages = with pkgs; [ docker-compose ];
};
}


@@ -3,4 +3,9 @@
{
dirNames =
path: builtins.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir path));
hostMeta = hostDir:
if builtins.pathExists (hostDir + "/meta.nix")
then import (hostDir + "/meta.nix")
else throw "meta.nix required in ${hostDir}";
}
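Review bot: `throw "meta.nix required in ${hostDir}"` interpolates a path value into a string, which in Nix turns the path into a store path (copying the whole host directory into the store under non-flake evaluation) just to build an error message; use `throw "meta.nix required in ${toString hostDir}"` so the failure stays a plain string operation and prints the source-tree path. `hostMeta` also returns whatever `meta.nix` evaluates to with no shape check, and `colmena.nix` reads `.deployment.tags` from it, so a malformed file fails with a generic attribute error that does not name the host; a `#` comment above `hostMeta = hostDir:` documenting the required shape, `{ deployment.tags = [ … ]; role = …; }`, would at least make the contract explicit.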