hektor/nix
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: hektor:b4a6dea5d345aeeeefc241c54ab717c24458425b
Branches Tags
hektor:main
...
compare: hektor:10762e270dc80aa00c2f3af054d388bc6111251f
Branches Tags
hektor:main

11 Commits
b4a6dea5d3 ... 10762e270d

Author SHA1 Message Date
Hektor Misplon
10762e270d refactor: simplify bash configuration 2026-03-11 19:56:22 +01:00
Hektor Misplon
5cf9a84676 refactor: use 'import-as-enable' pattern 2026-03-11 19:55:23 +01:00
Hektor Misplon
e0dbd52386 feat(deploy): add deployment tags for each host 2026-03-11 19:55:23 +01:00
Hektor Misplon
f119f0b65a refactor(hosts): use modules/ssh with sensible defaults 2026-03-11 19:55:22 +01:00
Hektor Misplon
430cab5591 feat(ssh): add default module with enable+harden 2026-03-11 19:54:10 +01:00
Hektor Misplon
7ece87ee39 chore(ai): add 'mcp-nixos' 2026-03-11 19:54:10 +01:00
Hektor Misplon
6d7e4a49f2 feat: add 'infra' module (and use on work host) 2026-03-11 19:54:09 +01:00
Hektor Misplon
506291783f fix: use correct vscode no sandbox flag 2026-03-11 19:54:09 +01:00
Hektor Misplon
6771cd7c02 fix: resolve anki warning 2026-03-11 19:54:09 +01:00
Hektor Misplon
750e0c4edc feat: add database module 2026-03-11 19:54:08 +01:00
Hektor Misplon
dd8a485632 fix: remove signing keys 2026-03-11 19:38:43 +01:00
36 changed files with 172 additions and 248 deletions
Expand all files Collapse all files

7
.mcp.json Normal file
View File

@@ -0,0 +1,7 @@
{
"mcpServers": {
"nixos": {
"command": "mcp-nixos"
}
}
}

14
deploy/colmena.nix
View File

@@ -4,6 +4,10 @@
}: }:
let let
inherit (inputs.nixpkgs) lib;
utils = import ../utils { inherit lib; };
hostDirNames = utils.dirNames ../hosts;
mkNode = hostname: tags: { mkNode = hostname: tags: {
imports = [ ../hosts/${hostname} ]; imports = [ ../hosts/${hostname} ];
deployment = { deployment = {
@@ -13,6 +17,10 @@ let
inherit tags; inherit tags;
}; };
}; };
nodes = lib.genAttrs hostDirNames (hostname:
mkNode hostname (utils.hostMeta ../hosts/${hostname}).deployment.tags
);
in in
inputs.colmena.lib.makeHive { inputs.colmena.lib.makeHive {
meta = { meta = {
@@ -24,9 +32,5 @@ inputs.colmena.lib.makeHive {
nodeSpecialArgs = builtins.mapAttrs (_: v: v._module.specialArgs or { }) self.nixosConfigurations; nodeSpecialArgs = builtins.mapAttrs (_: v: v._module.specialArgs or { }) self.nixosConfigurations;
}; };
astyanax = mkNode "astyanax" [ "local" ]; inherit nodes;
andromache = mkNode "andromache" [ "local" ];
vm = mkNode "vm" [ "local" ];
hecuba = mkNode "hecuba" [ "cloud" ];
eetion = mkNode "eetion" [ "arm" ];
} }

8
home/hosts/andromache/default.nix
View File

@@ -47,12 +47,8 @@ in
cloud.hetzner.enable = true; cloud.hetzner.enable = true;
comms.signal.enable = true; comms.signal.enable = true;
github.enable = true; github.enable = true;
pandoc.enable = true; shell.bash.aliases.lang-js = true;
shell.bash.addBinToPath = true;
shell.bash = {
enable = true;
aliases.lang-js = true;
};
programs = { programs = {
home-manager.enable = true; home-manager.enable = true;

9
home/hosts/astyanax/default.nix
View File

@@ -45,13 +45,8 @@ in
cloud.hetzner.enable = true; cloud.hetzner.enable = true;
comms.signal.enable = true; comms.signal.enable = true;
github.enable = true; github.enable = true;
nfc.proxmark3.enable = true; shell.bash.aliases.lang-js = true;
pandoc.enable = true; shell.bash.addBinToPath = true;
shell.bash = {
enable = true;
aliases.lang-js = true;
};
programs = { programs = {
home-manager.enable = true; home-manager.enable = true;

13
home/hosts/work/default.nix
View File

@@ -18,12 +18,14 @@ in
../../modules/bruno ../../modules/bruno
../../modules/cloud ../../modules/cloud
../../modules/comms ../../modules/comms
../../modules/database
../../modules/dconf ../../modules/dconf
../../modules/desktop/niri ../../modules/desktop/niri
../../modules/direnv ../../modules/direnv
../../modules/docker ../../modules/docker
../../modules/git ../../modules/git
../../modules/go ../../modules/go
../../modules/infra
../../modules/k8s ../../modules/k8s
../../modules/k8s/k9s.nix ../../modules/k8s/k9s.nix
../../modules/keepassxc ../../modules/keepassxc
@@ -100,16 +102,11 @@ in
claude-code.enable = true; claude-code.enable = true;
opencode.enable = true; opencode.enable = true;
}; };
database.mssql.enable = true;
database.postgresql.enable = true;
github.enable = true; github.enable = true;
gitlab.enable = true; gitlab.enable = true;
pandoc.enable = true; secrets.vault.enable = true;
secrets = {
enable = true;
vault.enable = true;
};
shell.bash.enable = true;
starship.enable = true;
programs = { programs = {
gh.enable = true; gh.enable = true;

2
home/modules/anki/default.nix
View File

@@ -26,7 +26,7 @@ in
puppy-reinforcement puppy-reinforcement
review-heatmap review-heatmap
]; ];
sync = lib.mkIf sopsAvailable { profiles."User 1".sync = lib.mkIf sopsAvailable {
usernameFile = "${sopsSecrets."anki_sync_user".path}"; usernameFile = "${sopsSecrets."anki_sync_user".path}";
keyFile = "${sopsSecrets."anki_sync_key".path}"; keyFile = "${sopsSecrets."anki_sync_key".path}";
}; };

22
home/modules/database/default.nix Normal file
View File

@@ -0,0 +1,22 @@
{
config,
lib,
pkgs,
...
}:
{
options.database = {
mssql.enable = lib.mkEnableOption "MSSQL";
postgresql.enable = lib.mkEnableOption "PostgreSQL";
};
config = lib.mkMerge [
(lib.mkIf config.database.mssql.enable {
home.packages = [ (config.nixgl.wrap pkgs.dbeaver-bin) ];
})
(lib.mkIf config.database.postgresql.enable {
home.packages = [ (config.nixgl.wrap pkgs.pgadmin4-desktopmode) ];
})
];
}

13
home/modules/go/default.nix
View File

@@ -1,18 +1,7 @@
{ pkgs, ... }:
{ {
config,
lib,
pkgs,
...
}:
{
options.go = {
enable = lib.mkEnableOption "go language";
};
config = lib.mkIf config.go.enable {
home.packages = with pkgs; [ home.packages = with pkgs; [
go go
gopls gopls
]; ];
};
} }

10
home/modules/infra/default.nix Normal file
View File

@@ -0,0 +1,10 @@
{ pkgs, ... }:
{
config = {
home.packages = with pkgs; [
opentofu
upbound
];
};
}

17
home/modules/nfc/proxmark3.nix
View File

@@ -1,21 +1,6 @@
{ pkgs, ... }:
{ {
config,
lib,
pkgs,
...
}:
let
cfg = config.nfc.proxmark3;
in
{
options.nfc.proxmark3 = {
enable = lib.mkEnableOption "proxmark3 (iceman fork)";
};
config = lib.mkIf cfg.enable {
home.packages = [ home.packages = [
(pkgs.proxmark3.override { withGeneric = true; }) (pkgs.proxmark3.override { withGeneric = true; })
]; ];
};
} }

7
home/modules/nodejs.nix
View File

@@ -6,15 +6,12 @@
}: }:
{ {
options.nodejs = { options.nodejs.package = lib.mkOption {
enable = lib.mkEnableOption "nodejs (and related packages)";
package = lib.mkOption {
type = lib.types.package; type = lib.types.package;
default = pkgs.nodejs_24; default = pkgs.nodejs_24;
}; };
};
config = lib.mkIf config.nodejs.enable { config = {
home.packages = with pkgs; [ home.packages = with pkgs; [
config.nodejs.package config.nodejs.package
pnpm pnpm

13
home/modules/pandoc/default.nix
View File

@@ -1,19 +1,8 @@
{ pkgs, ... }:
{ {
config,
lib,
pkgs,
...
}:
{
options.pandoc = {
enable = lib.mkEnableOption "pandoc";
};
config = lib.mkIf config.pandoc.enable {
home.packages = with pkgs; [ home.packages = with pkgs; [
haskellPackages.pandoc-crossref haskellPackages.pandoc-crossref
pandoc pandoc
texliveSmall texliveSmall
]; ];
};
} }

7
home/modules/secrets/default.nix
View File

@@ -1,20 +1,13 @@
{ {
config,
lib, lib,
pkgs, pkgs,
... ...
}: }:
{ {
options.secrets = {
enable = lib.mkEnableOption "secrets";
};
imports = [ ./vault.nix ]; imports = [ ./vault.nix ];
config = lib.mkIf config.secrets.enable {
home.packages = with pkgs; [ home.packages = with pkgs; [
sops sops
age age
]; ];
};
} }

14
home/modules/shell/bash.nix
View File

@@ -9,38 +9,32 @@ let
inherit (config.home) username; inherit (config.home) username;
in in
{ {
options.shell.bash = { imports = [ ./utils.nix ];
enable = lib.mkEnableOption "bash configuration";
options.shell.bash = {
aliases = { aliases = {
all = lib.mkOption { all = lib.mkOption {
type = lib.types.bool; type = lib.types.bool;
default = true; default = true;
description = "Enable common aliases";
}; };
lang-js = lib.mkOption { lang-js = lib.mkOption {
type = lib.types.bool; type = lib.types.bool;
default = false; default = false;
description = "Enable JavaScript/Node.js aliases";
}; };
}; };
addBinToPath = lib.mkOption { addBinToPath = lib.mkOption {
type = lib.types.bool; type = lib.types.bool;
default = true; default = false;
description = "Add dots .bin directory to PATH";
}; };
extraInit = lib.mkOption { extraInit = lib.mkOption {
type = lib.types.lines; type = lib.types.lines;
default = ""; default = "";
description = "Additional bash initialization";
}; };
}; };
config = lib.mkIf cfg.enable { config = {
shell-utils.enable = lib.mkDefault true;
programs.bash = { programs.bash = {
enable = true; enable = true;
enableCompletion = true; enableCompletion = true;

15
home/modules/shell/prompt.nix
View File

@@ -1,16 +1,3 @@
{ {
config, programs.starship.enable = true;
lib,
...
}:
{
options.starship = {
enable = lib.mkEnableOption "starship prompt";
};
config = lib.mkIf config.starship.enable {
programs.starship = {
enable = true;
};
};
} }

7
home/modules/shell/utils.nix
View File

@@ -1,15 +1,9 @@
{ {
config,
lib, lib,
pkgs, pkgs,
... ...
}: }:
{ {
options.shell-utils = {
enable = lib.mkEnableOption "shell utilities";
};
config = lib.mkIf config.shell-utils.enable {
programs.fzf = { programs.fzf = {
enable = true; enable = true;
enableBashIntegration = lib.mkDefault true; enableBashIntegration = lib.mkDefault true;
@@ -22,5 +16,4 @@
entr entr
parallel parallel
]; ];
};
} }

2
home/modules/vscode.nix
View File

@@ -2,6 +2,6 @@
{ {
config = { config = {
home.packages = [ (config.nixgl.wrap (config.wrapApp pkgs.vscode "--disable-gpu-sandbox")) ]; home.packages = [ (config.nixgl.wrap (config.wrapApp pkgs.vscode "--no-sandbox")) ];
}; };
} }

13
hosts/andromache/default.nix
View File

@@ -35,7 +35,7 @@ in
../../modules/audio ../../modules/audio
../../modules/localization ../../modules/localization
../../modules/fonts ../../modules/fonts
../../modules/ssh/hardened-openssh.nix ../../modules/ssh
../../modules/storage ../../modules/storage
../../modules/stylix ../../modules/stylix
(import ../../modules/secrets { inherit lib inputs config; }) (import ../../modules/secrets { inherit lib inputs config; })
@@ -62,8 +62,6 @@ in
secrets.username = username; secrets.username = username;
docker.user = username; docker.user = username;
nix.settings.secret-key-files = [ config.sops.secrets.nix_signing_key_andromache.path ];
disko.devices = { disko.devices = {
disk.data = { disk.data = {
type = "disk"; type = "disk";
@@ -111,18 +109,11 @@ in
]; ];
}; };
services = { services.locate = {
locate = {
enable = true; enable = true;
package = pkgs.plocate; package = pkgs.plocate;
}; };
openssh = {
enable = true;
harden = true;
};
};
networking = { networking = {
# TODO: generate unique hostId on actual host with: head -c 8 /etc/machine-id # TODO: generate unique hostId on actual host with: head -c 8 /etc/machine-id
hostId = "80eef97e"; hostId = "80eef97e";

4
hosts/andromache/meta.nix Normal file
View File

@@ -0,0 +1,4 @@
{
deployment.tags = [ "local" ];
role = "desktop";
}

8
hosts/astyanax/default.nix
View File

@@ -34,7 +34,7 @@ in
../../modules/users ../../modules/users
../../modules/localization ../../modules/localization
../../modules/fonts ../../modules/fonts
../../modules/ssh/hardened-openssh.nix ../../modules/ssh
../../modules/storage ../../modules/storage
../../modules/stylix ../../modules/stylix
(import ../../modules/secrets { inherit lib inputs config; }) (import ../../modules/secrets { inherit lib inputs config; })
@@ -61,8 +61,6 @@ in
nfc.user = username; nfc.user = username;
desktop.ly.enable = true; desktop.ly.enable = true;
nix.settings.secret-key-files = [ config.sops.secrets.nix_signing_key_astyanax.path ];
hardware = { hardware = {
cpu.intel.updateMicrocode = true; cpu.intel.updateMicrocode = true;
# https://wiki.nixos.org/wiki/Intel_Graphics # https://wiki.nixos.org/wiki/Intel_Graphics
@@ -100,10 +98,6 @@ in
services = { services = {
fwupd.enable = true; fwupd.enable = true;
openssh = {
enable = true;
harden = true;
};
locate = { locate = {
enable = true; enable = true;
package = pkgs.plocate; package = pkgs.plocate;

4
hosts/astyanax/meta.nix Normal file
View File

@@ -0,0 +1,4 @@
{
deployment.tags = [ "local" ];
role = "laptop";
}

9
hosts/eetion-02/default.nix
View File

@@ -10,7 +10,7 @@ in
{ {
imports = [ imports = [
./hard.nix ./hard.nix
../../modules/ssh/hardened-openssh.nix ../../modules/ssh
]; ];
ssh = { ssh = {
@@ -59,13 +59,6 @@ in
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
services = {
openssh = {
enable = true;
harden = true;
};
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
vim vim
git git

4
hosts/eetion-02/meta.nix Normal file
View File

@@ -0,0 +1,4 @@
{
deployment.tags = [ "arm" ];
role = "embedded";
}

8
hosts/eetion/default.nix
View File

@@ -10,7 +10,8 @@ in
{ {
imports = [ imports = [
./hard.nix ./hard.nix
../../modules/ssh/hardened-openssh.nix ../../modules/ssh
# ../../modules/uptime-kuma
]; ];
ssh = { ssh = {
@@ -52,11 +53,6 @@ in
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
services = { services = {
openssh = {
enable = true;
harden = true;
};
paperless = { paperless = {
enable = true; enable = true;
passwordFile = "/etc/paperless-admin-pass"; passwordFile = "/etc/paperless-admin-pass";

4
hosts/eetion/meta.nix Normal file
View File

@@ -0,0 +1,4 @@
{
deployment.tags = [ "arm" ];
role = "embedded";
}

10
hosts/hecuba/default.nix
View File

@@ -15,9 +15,8 @@ in
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
../../modules/common ../../modules/common
./hard.nix ./hard.nix
../../modules/ssh/hardened-openssh.nix ../../modules/ssh
../../modules/docker ../../modules/docker
../../modules/uptime-kuma
]; ];
networking.hostName = hostName; networking.hostName = hostName;
@@ -32,8 +31,6 @@ in
docker.user = username; docker.user = username;
my.uptime-kuma.enable = false;
fileSystems."/" = { fileSystems."/" = {
device = "/dev/disk/by-label/nixos"; device = "/dev/disk/by-label/nixos";
fsType = "ext4"; fsType = "ext4";
@@ -78,9 +75,4 @@ in
enable = true; enable = true;
maxretry = 5; maxretry = 5;
}; };
services.openssh = {
enable = true;
harden = true;
};
} }

4
hosts/hecuba/meta.nix Normal file
View File

@@ -0,0 +1,4 @@
{
deployment.tags = [ "cloud" ];
role = "server";
}

6
hosts/vm/default.nix
View File

@@ -24,7 +24,7 @@ in
../../modules/localization ../../modules/localization
../../modules/x ../../modules/x
../../modules/fonts ../../modules/fonts
../../modules/ssh/hardened-openssh.nix ../../modules/ssh
../../modules/storage ../../modules/storage
(import ../../modules/secrets { (import ../../modules/secrets {
inherit lib inputs config; inherit lib inputs config;
@@ -63,9 +63,5 @@ in
services = { services = {
qemuGuest.enable = true; qemuGuest.enable = true;
spice-vdagentd.enable = true; spice-vdagentd.enable = true;
openssh = {
enable = true;
harden = true;
};
}; };
} }

4
hosts/vm/meta.nix Normal file
View File

@@ -0,0 +1,4 @@
{
deployment.tags = [ "local" ];
role = "vm";
}

18
images/sd-image-orange-pi-aarch64.nix
View File

@@ -12,7 +12,7 @@ let
in in
{ {
imports = [ imports = [
../modules/ssh/hardened-openssh.nix ../modules/ssh
]; ];
ssh.username = username; ssh.username = username;
@@ -37,21 +37,5 @@ in
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
services.openssh = {
enable = true;
harden = true;
};
# sdImage.postBuildCommands =
# let
# bootloaderPackage = pkgs.ubootOrangePiZero2;
# bootloaderSubpath = "/u-boot-sunxi-with-spl.bin";
# in
# ''
# dd if=${bootloaderPackage}${bootloaderSubpath} of=$img \
# bs=8 seek=1024 \
# conv=notrunc
# '';
system.stateVersion = "26.05"; system.stateVersion = "26.05";
} }

7
images/sd-image-raspberry-pi-aarch64.nix
View File

@@ -12,7 +12,7 @@ let
in in
{ {
imports = [ imports = [
../modules/ssh/hardened-openssh.nix ../modules/ssh
]; ];
ssh.username = username; ssh.username = username;
@@ -60,11 +60,6 @@ in
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
services.openssh = {
enable = true;
harden = true;
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
libraspberrypi libraspberrypi
]; ];

2
modules/secrets/default.nix
View File

@@ -29,8 +29,6 @@ in
"anki_sync_user".owner = config.users.users.${cfg.username}.name; "anki_sync_user".owner = config.users.users.${cfg.username}.name;
"anki_sync_key".owner = config.users.users.${cfg.username}.name; "anki_sync_key".owner = config.users.users.${cfg.username}.name;
"hcloud".owner = config.users.users.${cfg.username}.name; "hcloud".owner = config.users.users.${cfg.username}.name;
"nix_signing_key_astyanax" = { };
"nix_signing_key_andromache" = { };
"opencode_api_key".owner = config.users.users.${cfg.username}.name; "opencode_api_key".owner = config.users.users.${cfg.username}.name;
# TODO: using shared secrets for now, but would be better to to per-host secrets # TODO: using shared secrets for now, but would be better to to per-host secrets
# To add per-host secrets: # To add per-host secrets:

10
modules/ssh/default.nix Normal file
View File

@@ -0,0 +1,10 @@
{ lib, ... }:
{
imports = [ ./hardened-openssh.nix ];
config.services.openssh = {
enable = lib.mkDefault true;
harden = lib.mkDefault true;
};
}

7
modules/syncthing/default.nix
View File

@@ -10,15 +10,12 @@ let
cfg = config.my.syncthing; cfg = config.my.syncthing;
in in
{ {
options.my.syncthing = { options.my.syncthing.username = mkOption {
enable = mkEnableOption "Syncthing file synchronization";
username = mkOption {
type = types.str; type = types.str;
default = "h"; default = "h";
}; };
};
config = mkIf cfg.enable { config = {
users.groups.${cfg.username} = { }; users.groups.${cfg.username} = { };
users.users.${cfg.username}.extraGroups = [ cfg.username ]; users.users.${cfg.username}.extraGroups = [ cfg.username ];

9
modules/uptime-kuma/default.nix
View File

@@ -1,17 +1,9 @@
{ {
config,
lib,
pkgs, pkgs,
... ...
}: }:
let
cfg = config.my.uptime-kuma;
in
{ {
options.my.uptime-kuma.enable = lib.mkEnableOption "Uptime Kuma monitoring service (Docker container)";
config = lib.mkIf cfg.enable {
virtualisation.oci-containers = { virtualisation.oci-containers = {
backend = "docker"; backend = "docker";
containers.uptime-kuma = { containers.uptime-kuma = {
@@ -35,5 +27,4 @@ in
}; };
environment.systemPackages = with pkgs; [ docker-compose ]; environment.systemPackages = with pkgs; [ docker-compose ];
};
} }

5
utils/default.nix
View File

@@ -3,4 +3,9 @@
{ {
dirNames = dirNames =
path: builtins.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir path)); path: builtins.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir path));
hostMeta = hostDir:
if builtins.pathExists (hostDir + "/meta.nix")
then import (hostDir + "/meta.nix")
else throw "meta.nix required in ${hostDir}";
} }