hektor/nix
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: hektor:b4a6dea5d345aeeeefc241c54ab717c24458425b
Branches Tags
hektor:main
...
compare: hektor:10762e270dc80aa00c2f3af054d388bc6111251f
Branches Tags
hektor:main

11 Commits
b4a6dea5d3 ... 10762e270d

Author SHA1 Message Date
Hektor Misplon
10762e270d refactor: simplify bash configuration 2026-03-11 19:56:22 +01:00
Hektor Misplon
5cf9a84676 refactor: use 'import-as-enable' pattern 2026-03-11 19:55:23 +01:00
Hektor Misplon
e0dbd52386 feat(deploy): add deployment tags for each host 2026-03-11 19:55:23 +01:00
Hektor Misplon
f119f0b65a refactor(hosts): use modules/ssh with sensible defaults 2026-03-11 19:55:22 +01:00
Hektor Misplon
430cab5591 feat(ssh): add default module with enable+harden 2026-03-11 19:54:10 +01:00
Hektor Misplon
7ece87ee39 chore(ai): add 'mcp-nixos' 2026-03-11 19:54:10 +01:00
Hektor Misplon
6d7e4a49f2 feat: add 'infra' module (and use on work host) 2026-03-11 19:54:09 +01:00
Hektor Misplon
506291783f fix: use correct vscode no sandbox flag 2026-03-11 19:54:09 +01:00
Hektor Misplon
6771cd7c02 fix: resolve anki warning 2026-03-11 19:54:09 +01:00
Hektor Misplon
750e0c4edc feat: add database module 2026-03-11 19:54:08 +01:00
Hektor Misplon
dd8a485632 fix: remove signing keys 2026-03-11 19:38:43 +01:00
36 changed files with 172 additions and 248 deletions
Expand all files Collapse all files

7
.mcp.json Normal file
View File

@@ -0,0 +1,7 @@
{
"mcpServers": {
"nixos": {
"command": "mcp-nixos"
}
}
}

14
deploy/colmena.nix
View File

@@ -4,6 +4,10 @@
}:
let
inherit (inputs.nixpkgs) lib;
utils = import ../utils { inherit lib; };
hostDirNames = utils.dirNames ../hosts;
mkNode = hostname: tags: {
imports = [ ../hosts/${hostname} ];
deployment = {
@@ -13,6 +17,10 @@ let
inherit tags;
};
};
nodes = lib.genAttrs hostDirNames (hostname:
mkNode hostname (utils.hostMeta ../hosts/${hostname}).deployment.tags
);
in
inputs.colmena.lib.makeHive {
meta = {
@@ -24,9 +32,5 @@ inputs.colmena.lib.makeHive {
nodeSpecialArgs = builtins.mapAttrs (_: v: v._module.specialArgs or { }) self.nixosConfigurations;
};
astyanax = mkNode "astyanax" [ "local" ];
andromache = mkNode "andromache" [ "local" ];
vm = mkNode "vm" [ "local" ];
hecuba = mkNode "hecuba" [ "cloud" ];
eetion = mkNode "eetion" [ "arm" ];
inherit nodes;
}

8
home/hosts/andromache/default.nix
View File

@@ -47,12 +47,8 @@ in
cloud.hetzner.enable = true;
comms.signal.enable = true;
github.enable = true;
pandoc.enable = true;
shell.bash = {
enable = true;
aliases.lang-js = true;
};
shell.bash.aliases.lang-js = true;
shell.bash.addBinToPath = true;
programs = {
home-manager.enable = true;

9
home/hosts/astyanax/default.nix
View File

@@ -45,13 +45,8 @@ in
cloud.hetzner.enable = true;
comms.signal.enable = true;
github.enable = true;
nfc.proxmark3.enable = true;
pandoc.enable = true;
shell.bash = {
enable = true;
aliases.lang-js = true;
};
shell.bash.aliases.lang-js = true;
shell.bash.addBinToPath = true;
programs = {
home-manager.enable = true;

13
home/hosts/work/default.nix
View File

@@ -18,12 +18,14 @@ in
../../modules/bruno
../../modules/cloud
../../modules/comms
../../modules/database
../../modules/dconf
../../modules/desktop/niri
../../modules/direnv
../../modules/docker
../../modules/git
../../modules/go
../../modules/infra
../../modules/k8s
../../modules/k8s/k9s.nix
../../modules/keepassxc
@@ -100,16 +102,11 @@ in
claude-code.enable = true;
opencode.enable = true;
};
database.mssql.enable = true;
database.postgresql.enable = true;
github.enable = true;
gitlab.enable = true;
pandoc.enable = true;
secrets = {
enable = true;
vault.enable = true;
};
shell.bash.enable = true;
starship.enable = true;
secrets.vault.enable = true;
programs = {
gh.enable = true;

2
home/modules/anki/default.nix
View File

@@ -26,7 +26,7 @@ in
puppy-reinforcement
review-heatmap
];
sync = lib.mkIf sopsAvailable {
profiles."User 1".sync = lib.mkIf sopsAvailable {
usernameFile = "${sopsSecrets."anki_sync_user".path}";
keyFile = "${sopsSecrets."anki_sync_key".path}";
};

22
home/modules/database/default.nix Normal file
View File

@@ -0,0 +1,22 @@
{
config,
lib,
pkgs,
...
}:
{
options.database = {
mssql.enable = lib.mkEnableOption "MSSQL";
postgresql.enable = lib.mkEnableOption "PostgreSQL";
};
config = lib.mkMerge [
(lib.mkIf config.database.mssql.enable {
home.packages = [ (config.nixgl.wrap pkgs.dbeaver-bin) ];
})
(lib.mkIf config.database.postgresql.enable {
home.packages = [ (config.nixgl.wrap pkgs.pgadmin4-desktopmode) ];
})
];
}

21
home/modules/go/default.nix
View File

@@ -1,18 +1,7 @@
{ pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
{
options.go = {
enable = lib.mkEnableOption "go language";
};
config = lib.mkIf config.go.enable {
home.packages = with pkgs; [
go
gopls
];
};
home.packages = with pkgs; [
go
gopls
];
}

10
home/modules/infra/default.nix Normal file
View File

@@ -0,0 +1,10 @@
{ pkgs, ... }:
{
config = {
home.packages = with pkgs; [
opentofu
upbound
];
};
}

23
home/modules/nfc/proxmark3.nix
View File

@@ -1,21 +1,6 @@
{ pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
cfg = config.nfc.proxmark3;
in
{
options.nfc.proxmark3 = {
enable = lib.mkEnableOption "proxmark3 (iceman fork)";
};
config = lib.mkIf cfg.enable {
home.packages = [
(pkgs.proxmark3.override { withGeneric = true; })
];
};
home.packages = [
(pkgs.proxmark3.override { withGeneric = true; })
];
}

11
home/modules/nodejs.nix
View File

@@ -6,15 +6,12 @@
}:
{
options.nodejs = {
enable = lib.mkEnableOption "nodejs (and related packages)";
package = lib.mkOption {
type = lib.types.package;
default = pkgs.nodejs_24;
};
options.nodejs.package = lib.mkOption {
type = lib.types.package;
default = pkgs.nodejs_24;
};
config = lib.mkIf config.nodejs.enable {
config = {
home.packages = with pkgs; [
config.nodejs.package
pnpm

23
home/modules/pandoc/default.nix
View File

@@ -1,19 +1,8 @@
{ pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
{
options.pandoc = {
enable = lib.mkEnableOption "pandoc";
};
config = lib.mkIf config.pandoc.enable {
home.packages = with pkgs; [
haskellPackages.pandoc-crossref
pandoc
texliveSmall
];
};
home.packages = with pkgs; [
haskellPackages.pandoc-crossref
pandoc
texliveSmall
];
}

15
home/modules/secrets/default.nix
View File

@@ -1,20 +1,13 @@
{
config,
lib,
pkgs,
...
}:
{
options.secrets = {
enable = lib.mkEnableOption "secrets";
};
imports = [ ./vault.nix ];
config = lib.mkIf config.secrets.enable {
home.packages = with pkgs; [
sops
age
];
};
home.packages = with pkgs; [
sops
age
];
}

14
home/modules/shell/bash.nix
View File

@@ -9,38 +9,32 @@ let
inherit (config.home) username;
in
{
options.shell.bash = {
enable = lib.mkEnableOption "bash configuration";
imports = [ ./utils.nix ];
options.shell.bash = {
aliases = {
all = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Enable common aliases";
};
lang-js = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Enable JavaScript/Node.js aliases";
};
};
addBinToPath = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Add dots .bin directory to PATH";
default = false;
};
extraInit = lib.mkOption {
type = lib.types.lines;
default = "";
description = "Additional bash initialization";
};
};
config = lib.mkIf cfg.enable {
shell-utils.enable = lib.mkDefault true;
config = {
programs.bash = {
enable = true;
enableCompletion = true;

15
home/modules/shell/prompt.nix
View File

@@ -1,16 +1,3 @@
{
config,
lib,
...
}:
{
options.starship = {
enable = lib.mkEnableOption "starship prompt";
};
config = lib.mkIf config.starship.enable {
programs.starship = {
enable = true;
};
};
programs.starship.enable = true;
}

27
home/modules/shell/utils.nix
View File

@@ -1,26 +1,19 @@
{
config,
lib,
pkgs,
...
}:
{
options.shell-utils = {
enable = lib.mkEnableOption "shell utilities";
programs.fzf = {
enable = true;
enableBashIntegration = lib.mkDefault true;
};
config = lib.mkIf config.shell-utils.enable {
programs.fzf = {
enable = true;
enableBashIntegration = lib.mkDefault true;
};
home.packages = with pkgs; [
ripgrep
bat
jq
entr
parallel
];
};
home.packages = with pkgs; [
ripgrep
bat
jq
entr
parallel
];
}

2
home/modules/vscode.nix
View File

@@ -2,6 +2,6 @@
{
config = {
home.packages = [ (config.nixgl.wrap (config.wrapApp pkgs.vscode "--disable-gpu-sandbox")) ];
home.packages = [ (config.nixgl.wrap (config.wrapApp pkgs.vscode "--no-sandbox")) ];
};
}

17
hosts/andromache/default.nix
View File

@@ -35,7 +35,7 @@ in
../../modules/audio
../../modules/localization
../../modules/fonts
../../modules/ssh/hardened-openssh.nix
../../modules/ssh
../../modules/storage
../../modules/stylix
(import ../../modules/secrets { inherit lib inputs config; })
@@ -62,8 +62,6 @@ in
secrets.username = username;
docker.user = username;
nix.settings.secret-key-files = [ config.sops.secrets.nix_signing_key_andromache.path ];
disko.devices = {
disk.data = {
type = "disk";
@@ -111,16 +109,9 @@ in
];
};
services = {
locate = {
enable = true;
package = pkgs.plocate;
};
openssh = {
enable = true;
harden = true;
};
services.locate = {
enable = true;
package = pkgs.plocate;
};
networking = {

4
hosts/andromache/meta.nix Normal file
View File

@@ -0,0 +1,4 @@
{
deployment.tags = [ "local" ];
role = "desktop";
}

8
hosts/astyanax/default.nix
View File

@@ -34,7 +34,7 @@ in
../../modules/users
../../modules/localization
../../modules/fonts
../../modules/ssh/hardened-openssh.nix
../../modules/ssh
../../modules/storage
../../modules/stylix
(import ../../modules/secrets { inherit lib inputs config; })
@@ -61,8 +61,6 @@ in
nfc.user = username;
desktop.ly.enable = true;
nix.settings.secret-key-files = [ config.sops.secrets.nix_signing_key_astyanax.path ];
hardware = {
cpu.intel.updateMicrocode = true;
# https://wiki.nixos.org/wiki/Intel_Graphics
@@ -100,10 +98,6 @@ in
services = {
fwupd.enable = true;
openssh = {
enable = true;
harden = true;
};
locate = {
enable = true;
package = pkgs.plocate;

4
hosts/astyanax/meta.nix Normal file
View File

@@ -0,0 +1,4 @@
{
deployment.tags = [ "local" ];
role = "laptop";
}

9
hosts/eetion-02/default.nix
View File

@@ -10,7 +10,7 @@ in
{
imports = [
./hard.nix
../../modules/ssh/hardened-openssh.nix
../../modules/ssh
];
ssh = {
@@ -59,13 +59,6 @@ in
security.sudo.wheelNeedsPassword = false;
services = {
openssh = {
enable = true;
harden = true;
};
};
environment.systemPackages = with pkgs; [
vim
git

4
hosts/eetion-02/meta.nix Normal file
View File

@@ -0,0 +1,4 @@
{
deployment.tags = [ "arm" ];
role = "embedded";
}

8
hosts/eetion/default.nix
View File

@@ -10,7 +10,8 @@ in
{
imports = [
./hard.nix
../../modules/ssh/hardened-openssh.nix
../../modules/ssh
# ../../modules/uptime-kuma
];
ssh = {
@@ -52,11 +53,6 @@ in
security.sudo.wheelNeedsPassword = false;
services = {
openssh = {
enable = true;
harden = true;
};
paperless = {
enable = true;
passwordFile = "/etc/paperless-admin-pass";

4
hosts/eetion/meta.nix Normal file
View File

@@ -0,0 +1,4 @@
{
deployment.tags = [ "arm" ];
role = "embedded";
}

10
hosts/hecuba/default.nix
View File

@@ -15,9 +15,8 @@ in
inputs.disko.nixosModules.disko
../../modules/common
./hard.nix
../../modules/ssh/hardened-openssh.nix
../../modules/ssh
../../modules/docker
../../modules/uptime-kuma
];
networking.hostName = hostName;
@@ -32,8 +31,6 @@ in
docker.user = username;
my.uptime-kuma.enable = false;
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
fsType = "ext4";
@@ -78,9 +75,4 @@ in
enable = true;
maxretry = 5;
};
services.openssh = {
enable = true;
harden = true;
};
}

4
hosts/hecuba/meta.nix Normal file
View File

@@ -0,0 +1,4 @@
{
deployment.tags = [ "cloud" ];
role = "server";
}

6
hosts/vm/default.nix
View File

@@ -24,7 +24,7 @@ in
../../modules/localization
../../modules/x
../../modules/fonts
../../modules/ssh/hardened-openssh.nix
../../modules/ssh
../../modules/storage
(import ../../modules/secrets {
inherit lib inputs config;
@@ -63,9 +63,5 @@ in
services = {
qemuGuest.enable = true;
spice-vdagentd.enable = true;
openssh = {
enable = true;
harden = true;
};
};
}

4
hosts/vm/meta.nix Normal file
View File

@@ -0,0 +1,4 @@
{
deployment.tags = [ "local" ];
role = "vm";
}

18
images/sd-image-orange-pi-aarch64.nix
View File

@@ -12,7 +12,7 @@ let
in
{
imports = [
../modules/ssh/hardened-openssh.nix
../modules/ssh
];
ssh.username = username;
@@ -37,21 +37,5 @@ in
security.sudo.wheelNeedsPassword = false;
services.openssh = {
enable = true;
harden = true;
};
# sdImage.postBuildCommands =
# let
# bootloaderPackage = pkgs.ubootOrangePiZero2;
# bootloaderSubpath = "/u-boot-sunxi-with-spl.bin";
# in
# ''
# dd if=${bootloaderPackage}${bootloaderSubpath} of=$img \
# bs=8 seek=1024 \
# conv=notrunc
# '';
system.stateVersion = "26.05";
}

7
images/sd-image-raspberry-pi-aarch64.nix
View File

@@ -12,7 +12,7 @@ let
in
{
imports = [
../modules/ssh/hardened-openssh.nix
../modules/ssh
];
ssh.username = username;
@@ -60,11 +60,6 @@ in
security.sudo.wheelNeedsPassword = false;
services.openssh = {
enable = true;
harden = true;
};
environment.systemPackages = with pkgs; [
libraspberrypi
];

2
modules/secrets/default.nix
View File

@@ -29,8 +29,6 @@ in
"anki_sync_user".owner = config.users.users.${cfg.username}.name;
"anki_sync_key".owner = config.users.users.${cfg.username}.name;
"hcloud".owner = config.users.users.${cfg.username}.name;
"nix_signing_key_astyanax" = { };
"nix_signing_key_andromache" = { };
"opencode_api_key".owner = config.users.users.${cfg.username}.name;
# TODO: using shared secrets for now, but would be better to to per-host secrets
# To add per-host secrets:

10
modules/ssh/default.nix Normal file
View File

@@ -0,0 +1,10 @@
{ lib, ... }:
{
imports = [ ./hardened-openssh.nix ];
config.services.openssh = {
enable = lib.mkDefault true;
harden = lib.mkDefault true;
};
}

11
modules/syncthing/default.nix
View File

@@ -10,15 +10,12 @@ let
cfg = config.my.syncthing;
in
{
options.my.syncthing = {
enable = mkEnableOption "Syncthing file synchronization";
username = mkOption {
type = types.str;
default = "h";
};
options.my.syncthing.username = mkOption {
type = types.str;
default = "h";
};
config = mkIf cfg.enable {
config = {
users.groups.${cfg.username} = { };
users.users.${cfg.username}.extraGroups = [ cfg.username ];

49
modules/uptime-kuma/default.nix
View File

@@ -1,39 +1,30 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.my.uptime-kuma;
in
{
options.my.uptime-kuma.enable = lib.mkEnableOption "Uptime Kuma monitoring service (Docker container)";
config = lib.mkIf cfg.enable {
virtualisation.oci-containers = {
backend = "docker";
containers.uptime-kuma = {
image = "louislam/uptime-kuma:latest";
ports = [ "127.0.0.1:3001:3001" ];
volumes = [ "/var/lib/uptime-kuma:/app/data" ];
environment = {
TZ = "UTC";
UMASK = "0022";
};
extraOptions = [
"--network=proxiable"
];
virtualisation.oci-containers = {
backend = "docker";
containers.uptime-kuma = {
image = "louislam/uptime-kuma:latest";
ports = [ "127.0.0.1:3001:3001" ];
volumes = [ "/var/lib/uptime-kuma:/app/data" ];
environment = {
TZ = "UTC";
UMASK = "0022";
};
extraOptions = [
"--network=proxiable"
];
};
systemd.tmpfiles.settings."uptime-kuma" = {
"/var/lib/uptime-kuma".d = {
mode = "0755";
};
};
environment.systemPackages = with pkgs; [ docker-compose ];
};
systemd.tmpfiles.settings."uptime-kuma" = {
"/var/lib/uptime-kuma".d = {
mode = "0755";
};
};
environment.systemPackages = with pkgs; [ docker-compose ];
}

5
utils/default.nix
View File

@@ -3,4 +3,9 @@
{
dirNames =
path: builtins.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir path));
hostMeta = hostDir:
if builtins.pathExists (hostDir + "/meta.nix")
then import (hostDir + "/meta.nix")
else throw "meta.nix required in ${hostDir}";
}