hektor/nix
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: hektor:e21411c2f9117579982e6c28b4d2e030e089261c
Branches Tags
hektor:main
...
compare: hektor:6684e2e7feb867507a91fb4d0703de00291deaea
Branches Tags
hektor:main

6 Commits
e21411c2f9 ... 6684e2e7fe

Author SHA1 Message Date
hektor
6684e2e7fe feat: set up git hooks 2026-02-07 14:25:39 +01:00
hektor
7f0726f443 fix: add ssh keys to agent for all hosts 2026-02-07 14:25:39 +01:00
hektor
cb8ac3b848 fix: resolve proxmark firmware flashing issues 2026-02-07 14:25:38 +01:00
hektor
3a1997f0c4 fix: set up ipv4 forwarding 2026-02-07 14:25:08 +01:00
hektor
a2a7c3c5a0 feat: add 'brightnessctl' to niri desktop 2026-02-07 14:25:08 +01:00
hektor
ce6940b048 flake.lock: Update 
Flake lock file updates:

• Updated input 'firefox-addons':
    'gitlab:rycee/nur-expressions/4f827ff035c6ddc58d04c45abe5b777d356b926a?dir=pkgs/firefox-addons&narHash=sha256-9Sqq/hxq8ZDLRSzu%2Bedn0OfWG%2BFAPWFpwMKaJobeLec%3D' (2026-02-03)
  → 'gitlab:rycee/nur-expressions/c7794d3f46304de5234008c31b5b28a9d5709184?dir=pkgs/firefox-addons&narHash=sha256-0iGDl/ct3rW%2Bh6%2BsLq4RZaze/U/aQo2L5sLLuyjuVTk%3D' (2026-02-04)
• Updated input 'home-manager':
    'github:nix-community/home-manager/984708c34d3495a518e6ab6b8633469bbca2f77a?narHash=sha256-gj1yP3spUb1vGtaF5qPhshd2j0cg4xf51pklDsIm19Q%3D' (2026-02-01)
  → 'github:nix-community/home-manager/04e5203db66417d548ae1ff188a9f591836dfaa7?narHash=sha256-R1WFtIvp38hS9x63dnijdJw1KyIiy30KGea6e6N7LHs%3D' (2026-02-05)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/cb369ef2efd432b3cdf8622b0ffc0a97a02f3137?narHash=sha256-VKS4ZLNx4PNrABoB0L8KUpc1fE7CLpQXQs985tGfaCU%3D' (2026-02-02)
  → 'github:nixos/nixpkgs/00c21e4c93d963c50d4c0c89bfa84ed6e0694df2?narHash=sha256-AYqlWrX09%2BHvGs8zM6ebZ1pwUqjkfpnv8mewYwAo%2BiM%3D' (2026-02-04)
• Updated input 'nvim':
    'path:./dots/.config/nvim'
  → 'path:./dots/.config/nvim'
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/f990b0a334e96d3ef9ca09d4bd92778b42fd84f9?narHash=sha256-NUVGVtYBTC96WhPh4Y3SVM7vf0o1z5W4uqRBn9v1pfo%3D' (2026-02-03)
  → 'github:Mic92/sops-nix/17eea6f3816ba6568b8c81db8a4e6ca438b30b7c?narHash=sha256-ktjWTq%2BD5MTXQcL9N6cDZXUf9kX8JBLLBLT0ZyOTSYY%3D' (2026-02-03)
 2026-02-07 14:25:08 +01:00
14 changed files with 263 additions and 109 deletions
Expand all files Collapse all files

2
.gitignore vendored
View File

@@ -8,3 +8,5 @@ result
result-* result-*
nixos-efi-vars.fd nixos-efi-vars.fd
/.pre-commit-config.yaml

84
flake.lock generated
View File

@@ -53,11 +53,11 @@
}, },
"locked": { "locked": {
"dir": "pkgs/firefox-addons", "dir": "pkgs/firefox-addons",
"lastModified": 1770091431, "lastModified": 1770177820,
"narHash": "sha256-9Sqq/hxq8ZDLRSzu+edn0OfWG+FAPWFpwMKaJobeLec=", "narHash": "sha256-0iGDl/ct3rW+h6+sLq4RZaze/U/aQo2L5sLLuyjuVTk=",
"owner": "rycee", "owner": "rycee",
"repo": "nur-expressions", "repo": "nur-expressions",
"rev": "4f827ff035c6ddc58d04c45abe5b777d356b926a", "rev": "c7794d3f46304de5234008c31b5b28a9d5709184",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
@@ -83,6 +83,22 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1767039857,
"narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
"owner": "NixOS",
"repo": "flake-compat",
"rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": { "flake-parts": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
@@ -138,6 +154,49 @@
"type": "github" "type": "github"
} }
}, },
"git-hooks": {
"inputs": {
"flake-compat": "flake-compat_2",
"gitignore": "gitignore",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1769939035,
"narHash": "sha256-Fok2AmefgVA0+eprw2NDwqKkPGEI5wvR+twiZagBvrg=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "a8ca480175326551d6c4121498316261cbb5b260",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"git-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -145,11 +204,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1769978395, "lastModified": 1770263241,
"narHash": "sha256-gj1yP3spUb1vGtaF5qPhshd2j0cg4xf51pklDsIm19Q=", "narHash": "sha256-R1WFtIvp38hS9x63dnijdJw1KyIiy30KGea6e6N7LHs=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "984708c34d3495a518e6ab6b8633469bbca2f77a", "rev": "04e5203db66417d548ae1ff188a9f591836dfaa7",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -321,11 +380,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1770019141, "lastModified": 1770197578,
"narHash": "sha256-VKS4ZLNx4PNrABoB0L8KUpc1fE7CLpQXQs985tGfaCU=", "narHash": "sha256-AYqlWrX09+HvGs8zM6ebZ1pwUqjkfpnv8mewYwAo+iM=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "cb369ef2efd432b3cdf8622b0ffc0a97a02f3137", "rev": "00c21e4c93d963c50d4c0c89bfa84ed6e0694df2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -579,6 +638,7 @@
"colmena": "colmena", "colmena": "colmena",
"disko": "disko", "disko": "disko",
"firefox-addons": "firefox-addons", "firefox-addons": "firefox-addons",
"git-hooks": "git-hooks",
"home-manager": "home-manager", "home-manager": "home-manager",
"nix-on-droid": "nix-on-droid", "nix-on-droid": "nix-on-droid",
"nix-secrets": "nix-secrets", "nix-secrets": "nix-secrets",
@@ -612,11 +672,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1770110318, "lastModified": 1770145881,
"narHash": "sha256-NUVGVtYBTC96WhPh4Y3SVM7vf0o1z5W4uqRBn9v1pfo=", "narHash": "sha256-ktjWTq+D5MTXQcL9N6cDZXUf9kX8JBLLBLT0ZyOTSYY=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "f990b0a334e96d3ef9ca09d4bd92778b42fd84f9", "rev": "17eea6f3816ba6568b8c81db8a4e6ca438b30b7c",
"type": "github" "type": "github"
}, },
"original": { "original": {

13
flake.nix
View File

@@ -43,6 +43,10 @@
url = "github:zhaofengli/colmena"; url = "github:zhaofengli/colmena";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
git-hooks = {
url = "github:cachix/git-hooks.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = outputs =
@@ -52,6 +56,7 @@
home-manager, home-manager,
nix-on-droid, nix-on-droid,
nixgl, nixgl,
git-hooks,
... ...
}@inputs: }@inputs:
let let
@@ -61,6 +66,10 @@
hostDirNames = utils.dirNames ./hosts; hostDirNames = utils.dirNames ./hosts;
system = "x86_64-linux"; system = "x86_64-linux";
dotsPath = ./dots; dotsPath = ./dots;
gitHooks = import ./git-hooks.nix {
inherit nixpkgs git-hooks system;
src = ./.;
};
in in
{ {
nix.nixPath = [ nix.nixPath = [
@@ -128,6 +137,10 @@
; ;
}; };
checks.${system} = gitHooks.checks;
formatter.${system} = gitHooks.formatter;
devShells.${system} = gitHooks.devShells;
images.sd-image-aarch64 = self.nixosConfigurations.sd-image-aarch64.config.system.build.sdImage; images.sd-image-aarch64 = self.nixosConfigurations.sd-image-aarch64.config.system.build.sdImage;
}; };
} }

44
git-hooks.nix Normal file
View File

@@ -0,0 +1,44 @@
{
nixpkgs,
git-hooks,
system,
src,
}:
let
pkgs = nixpkgs.legacyPackages.${system};
pre-commit-check = git-hooks.lib.${system}.run {
inherit src;
hooks = {
nixfmt.enable = true;
statix.enable = true;
deadnix.enable = true;
};
};
in
{
checks = {
inherit pre-commit-check;
};
formatter =
let
inherit (pre-commit-check) config;
inherit (config) package configFile;
script = ''
${pkgs.lib.getExe package} run --all-files --config ${configFile}
'';
in
pkgs.writeShellScriptBin "pre-commit-run" script;
devShells = {
default =
let
inherit (pre-commit-check) shellHook enabledPackages;
in
pkgs.mkShell {
inherit shellHook;
buildInputs = enabledPackages;
};
};
}

1
home/modules/desktop/niri/default.nix
View File

@@ -11,6 +11,7 @@
home = { home = {
file.".config/niri/config.kdl".source = ./config.kdl; file.".config/niri/config.kdl".source = ./config.kdl;
packages = with pkgs; [ packages = with pkgs; [
brightnessctl
wl-clipboard wl-clipboard
wlsunset wlsunset
]; ];

2
home/modules/git/default.nix
View File

@@ -21,6 +21,6 @@
}; };
programs.gh.enable = config.github.enable; programs.gh.enable = config.github.enable;
home.packages = with pkgs; lib.optionals (config.gitlab.enable) [ glab ]; home.packages = lib.optionals config.gitlab.enable [ pkgs.glab ];
}; };
} }

2
home/modules/nfc/proxmark3.nix
View File

@@ -15,7 +15,7 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
home.packages = [ home.packages = [
pkgs.proxmark3 (pkgs.proxmark3.override { withGeneric = true; })
]; ];
}; };
} }

35
home/modules/ssh.nix
View File

@@ -18,20 +18,25 @@ in
enable = true; enable = true;
enableDefaultConfig = false; enableDefaultConfig = false;
matchBlocks = lib.genAttrs hostsWithKeys ( matchBlocks =
hostname: lib.genAttrs hostsWithKeys (
let hostname:
hostConfig = outputs.nixosConfigurations.${hostname}.config; let
publicHostname = hostConfig.ssh.publicHostname; hostConfig = outputs.nixosConfigurations.${hostname}.config;
targetUser = hostConfig.ssh.username; inherit (hostConfig.ssh) publicHostname username;
in in
{ {
host = hostname; host = hostname;
user = targetUser; user = username;
} }
// lib.optionalAttrs (publicHostname != "") { // lib.optionalAttrs (publicHostname != "") {
hostname = publicHostname; hostname = publicHostname;
} }
); )
// {
"*" = {
addKeysToAgent = "yes";
};
};
}; };
} }

2
hosts/astyanax/default.nix
View File

@@ -40,6 +40,7 @@ in
(import ../../modules/secrets { inherit lib inputs config; }) (import ../../modules/secrets { inherit lib inputs config; })
../../modules/docker ../../modules/docker
../../modules/syncthing ../../modules/syncthing
../../modules/nfc
]; ];
home-manager.users.${username} = import ../../home/hosts/astyanax { home-manager.users.${username} = import ../../home/hosts/astyanax {
@@ -58,6 +59,7 @@ in
secrets.username = username; secrets.username = username;
docker.user = username; docker.user = username;
nfc.user = username;
nix.settings.secret-key-files = [ config.sops.secrets.nix_signing_key_astyanax.path ]; nix.settings.secret-key-files = [ config.sops.secrets.nix_signing_key_astyanax.path ];

120
hosts/eetion/default.nix
View File

@@ -13,28 +13,34 @@ in
../../modules/ssh/hardened-openssh.nix ../../modules/ssh/hardened-openssh.nix
]; ];
ssh.username = username; ssh = {
ssh.publicHostname = "eetion"; inherit username;
ssh.authorizedHosts = [ publicHostname = "eetion";
"andromache" authorizedHosts = [
"astyanax" "andromache"
]; "astyanax"
];
};
boot.loader = { boot.loader = {
grub.enable = false; grub.enable = false;
generic-extlinux-compatible.enable = true; generic-extlinux-compatible.enable = true;
}; };
networking.hostName = hostName; networking = {
networking.networkmanager.enable = true; inherit hostName;
networking.firewall = { networkmanager.enable = true;
enable = true; firewall = {
allowedTCPPorts = [ enable = true;
80 allowedTCPPorts = [
443 80
]; 443
];
};
}; };
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
users.users = { users.users = {
root.hashedPassword = "!"; root.hashedPassword = "!";
${username} = { ${username} = {
@@ -45,52 +51,54 @@ in
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
services.openssh = { services = {
enable = true; openssh = {
harden = true; enable = true;
harden = true;
};
paperless = {
enable = true;
passwordFile = "/etc/paperless-admin-pass";
settings = {
PAPERLESS_URL = "http://paperless.eetion";
};
};
# added (OPNSense) domain override to make this work on LAN
#
# host: eetion
# domain: <domain (e.g. lan)>
# ip address: <eetion-ip>
#
# host: paperless
# domain: eetion
# ip address: <eetion-ip>
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"eetion" = {
default = true;
locations."/" = {
proxyPass = "http://127.0.0.1:5006";
};
};
"paperless.eetion" = {
locations."/" = {
proxyPass = "http://127.0.0.1:28981";
};
};
};
};
}; };
environment.etc."paperless-admin-pass".text = "admin"; environment.etc."paperless-admin-pass".text = "admin";
services.paperless = {
enable = true;
passwordFile = "/etc/paperless-admin-pass";
settings = {
PAPERLESS_URL = "http://paperless.eetion";
};
};
# added (OPNSense) domain override to make this work on LAN
#
# host: eetion
# domain: <domain (e.g. lan)>
# ip address: <eetion-ip>
#
# host: paperless
# domain: eetion
# ip address: <eetion-ip>
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"eetion" = {
default = true;
locations."/" = {
proxyPass = "http://127.0.0.1:5006";
};
};
"paperless.eetion" = {
locations."/" = {
proxyPass = "http://127.0.0.1:28981";
};
};
};
};
virtualisation = { virtualisation = {
podman.enable = true; podman.enable = true;
oci-containers = { oci-containers = {

10
hosts/eetion/hard.nix
View File

@@ -5,10 +5,12 @@
(modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ ]; boot = {
boot.initrd.kernelModules = [ ]; initrd.availableKernelModules = [ ];
boot.kernelModules = [ ]; initrd.kernelModules = [ ];
boot.extraModulePackages = [ ]; kernelModules = [ ];
extraModulePackages = [ ];
};
fileSystems."/" = { fileSystems."/" = {
device = "/dev/disk/by-label/NIXOS_SD"; device = "/dev/disk/by-label/NIXOS_SD";

17
hosts/hecuba/default.nix
View File

@@ -1,8 +1,5 @@
{ {
lib,
inputs, inputs,
outputs,
config,
pkgs, pkgs,
... ...
}: }:
@@ -23,12 +20,14 @@ in
]; ];
networking.hostName = hostName; networking.hostName = hostName;
ssh.username = username; ssh = {
ssh.publicHostname = "server.hektormisplon.xyz"; inherit username;
ssh.authorizedHosts = [ publicHostname = "server.hektormisplon.xyz";
"andromache" authorizedHosts = [
"astyanax" "andromache"
]; "astyanax"
];
};
docker.user = username; docker.user = username;

24
modules/backups/default.nix
View File

@@ -28,23 +28,25 @@ in
}; };
config = { config = {
sops.secrets.b2_bucket_name = { }; sops = {
secrets.b2_bucket_name = { };
sops.templates."restic/repo-${config.networking.hostName}" = { templates."restic/repo-${config.networking.hostName}" = {
content = "b2:${config.sops.placeholder."b2_bucket_name"}:${config.networking.hostName}"; content = "b2:${config.sops.placeholder."b2_bucket_name"}:${config.networking.hostName}";
}; };
sops.templates."restic/b2-env-${config.networking.hostName}" = { templates."restic/b2-env-${config.networking.hostName}" = {
content = '' content = ''
B2_ACCOUNT_ID=${config.sops.placeholder."b2_account_id"} B2_ACCOUNT_ID=${config.sops.placeholder."b2_account_id"}
B2_ACCOUNT_KEY=${config.sops.placeholder."b2_account_key"} B2_ACCOUNT_KEY=${config.sops.placeholder."b2_account_key"}
''; '';
};
}; };
services.restic.backups.home = { services.restic.backups.home = {
repositoryFile = config.sops.templates."restic/repo-${config.networking.hostName}".path; repositoryFile = config.sops.templates."restic/repo-${config.networking.hostName}".path;
passwordFile = cfg.passwordFile; inherit (cfg) passwordFile;
paths = cfg.paths; inherit (cfg) paths;
timerConfig = { timerConfig = {
OnCalendar = "daily"; OnCalendar = "daily";
Persistent = true; Persistent = true;

16
modules/nfc/default.nix Normal file
View File

@@ -0,0 +1,16 @@
{ config, lib, ... }:
let
cfg = config.nfc;
in
{
options.nfc = {
user = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
};
};
config = lib.mkIf (cfg.user != null) {
users.users.${cfg.user}.extraGroups = [ "dialout" ];
};
}