hektor/nix
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: hektor:e21411c2f9117579982e6c28b4d2e030e089261c
Branches Tags
hektor:main
...
compare: hektor:6684e2e7feb867507a91fb4d0703de00291deaea
Branches Tags
hektor:main

6 Commits
e21411c2f9 ... 6684e2e7fe

Author SHA1 Message Date
hektor
6684e2e7fe feat: set up git hooks 2026-02-07 14:25:39 +01:00
hektor
7f0726f443 fix: add ssh keys to agent for all hosts 2026-02-07 14:25:39 +01:00
hektor
cb8ac3b848 fix: resolve proxmark firmware flashing issues 2026-02-07 14:25:38 +01:00
hektor
3a1997f0c4 fix: set up ipv4 forwarding 2026-02-07 14:25:08 +01:00
hektor
a2a7c3c5a0 feat: add 'brightnessctl' to niri desktop 2026-02-07 14:25:08 +01:00
hektor
ce6940b048 flake.lock: Update 
Flake lock file updates:

• Updated input 'firefox-addons':
    'gitlab:rycee/nur-expressions/4f827ff035c6ddc58d04c45abe5b777d356b926a?dir=pkgs/firefox-addons&narHash=sha256-9Sqq/hxq8ZDLRSzu%2Bedn0OfWG%2BFAPWFpwMKaJobeLec%3D' (2026-02-03)
  → 'gitlab:rycee/nur-expressions/c7794d3f46304de5234008c31b5b28a9d5709184?dir=pkgs/firefox-addons&narHash=sha256-0iGDl/ct3rW%2Bh6%2BsLq4RZaze/U/aQo2L5sLLuyjuVTk%3D' (2026-02-04)
• Updated input 'home-manager':
    'github:nix-community/home-manager/984708c34d3495a518e6ab6b8633469bbca2f77a?narHash=sha256-gj1yP3spUb1vGtaF5qPhshd2j0cg4xf51pklDsIm19Q%3D' (2026-02-01)
  → 'github:nix-community/home-manager/04e5203db66417d548ae1ff188a9f591836dfaa7?narHash=sha256-R1WFtIvp38hS9x63dnijdJw1KyIiy30KGea6e6N7LHs%3D' (2026-02-05)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/cb369ef2efd432b3cdf8622b0ffc0a97a02f3137?narHash=sha256-VKS4ZLNx4PNrABoB0L8KUpc1fE7CLpQXQs985tGfaCU%3D' (2026-02-02)
  → 'github:nixos/nixpkgs/00c21e4c93d963c50d4c0c89bfa84ed6e0694df2?narHash=sha256-AYqlWrX09%2BHvGs8zM6ebZ1pwUqjkfpnv8mewYwAo%2BiM%3D' (2026-02-04)
• Updated input 'nvim':
    'path:./dots/.config/nvim'
  → 'path:./dots/.config/nvim'
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/f990b0a334e96d3ef9ca09d4bd92778b42fd84f9?narHash=sha256-NUVGVtYBTC96WhPh4Y3SVM7vf0o1z5W4uqRBn9v1pfo%3D' (2026-02-03)
  → 'github:Mic92/sops-nix/17eea6f3816ba6568b8c81db8a4e6ca438b30b7c?narHash=sha256-ktjWTq%2BD5MTXQcL9N6cDZXUf9kX8JBLLBLT0ZyOTSYY%3D' (2026-02-03)
 2026-02-07 14:25:08 +01:00
14 changed files with 263 additions and 109 deletions
Expand all files Collapse all files

2
.gitignore vendored
View File

@@ -8,3 +8,5 @@ result
result-*
nixos-efi-vars.fd
/.pre-commit-config.yaml

84
flake.lock generated
View File

@@ -53,11 +53,11 @@
},
"locked": {
"dir": "pkgs/firefox-addons",
"lastModified": 1770091431,
"narHash": "sha256-9Sqq/hxq8ZDLRSzu+edn0OfWG+FAPWFpwMKaJobeLec=",
"lastModified": 1770177820,
"narHash": "sha256-0iGDl/ct3rW+h6+sLq4RZaze/U/aQo2L5sLLuyjuVTk=",
"owner": "rycee",
"repo": "nur-expressions",
"rev": "4f827ff035c6ddc58d04c45abe5b777d356b926a",
"rev": "c7794d3f46304de5234008c31b5b28a9d5709184",
"type": "gitlab"
},
"original": {
@@ -83,6 +83,22 @@
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1767039857,
"narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
"owner": "NixOS",
"repo": "flake-compat",
"rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
@@ -138,6 +154,49 @@
"type": "github"
}
},
"git-hooks": {
"inputs": {
"flake-compat": "flake-compat_2",
"gitignore": "gitignore",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1769939035,
"narHash": "sha256-Fok2AmefgVA0+eprw2NDwqKkPGEI5wvR+twiZagBvrg=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "a8ca480175326551d6c4121498316261cbb5b260",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"git-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
@@ -145,11 +204,11 @@
]
},
"locked": {
"lastModified": 1769978395,
"narHash": "sha256-gj1yP3spUb1vGtaF5qPhshd2j0cg4xf51pklDsIm19Q=",
"lastModified": 1770263241,
"narHash": "sha256-R1WFtIvp38hS9x63dnijdJw1KyIiy30KGea6e6N7LHs=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "984708c34d3495a518e6ab6b8633469bbca2f77a",
"rev": "04e5203db66417d548ae1ff188a9f591836dfaa7",
"type": "github"
},
"original": {
@@ -321,11 +380,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1770019141,
"narHash": "sha256-VKS4ZLNx4PNrABoB0L8KUpc1fE7CLpQXQs985tGfaCU=",
"lastModified": 1770197578,
"narHash": "sha256-AYqlWrX09+HvGs8zM6ebZ1pwUqjkfpnv8mewYwAo+iM=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "cb369ef2efd432b3cdf8622b0ffc0a97a02f3137",
"rev": "00c21e4c93d963c50d4c0c89bfa84ed6e0694df2",
"type": "github"
},
"original": {
@@ -579,6 +638,7 @@
"colmena": "colmena",
"disko": "disko",
"firefox-addons": "firefox-addons",
"git-hooks": "git-hooks",
"home-manager": "home-manager",
"nix-on-droid": "nix-on-droid",
"nix-secrets": "nix-secrets",
@@ -612,11 +672,11 @@
]
},
"locked": {
"lastModified": 1770110318,
"narHash": "sha256-NUVGVtYBTC96WhPh4Y3SVM7vf0o1z5W4uqRBn9v1pfo=",
"lastModified": 1770145881,
"narHash": "sha256-ktjWTq+D5MTXQcL9N6cDZXUf9kX8JBLLBLT0ZyOTSYY=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "f990b0a334e96d3ef9ca09d4bd92778b42fd84f9",
"rev": "17eea6f3816ba6568b8c81db8a4e6ca438b30b7c",
"type": "github"
},
"original": {

13
flake.nix
View File

@@ -43,6 +43,10 @@
url = "github:zhaofengli/colmena";
inputs.nixpkgs.follows = "nixpkgs";
};
git-hooks = {
url = "github:cachix/git-hooks.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs =
@@ -52,6 +56,7 @@
home-manager,
nix-on-droid,
nixgl,
git-hooks,
...
}@inputs:
let
@@ -61,6 +66,10 @@
hostDirNames = utils.dirNames ./hosts;
system = "x86_64-linux";
dotsPath = ./dots;
gitHooks = import ./git-hooks.nix {
inherit nixpkgs git-hooks system;
src = ./.;
};
in
{
nix.nixPath = [
@@ -128,6 +137,10 @@
;
};
checks.${system} = gitHooks.checks;
formatter.${system} = gitHooks.formatter;
devShells.${system} = gitHooks.devShells;
images.sd-image-aarch64 = self.nixosConfigurations.sd-image-aarch64.config.system.build.sdImage;
};
}

44
git-hooks.nix Normal file
View File

@@ -0,0 +1,44 @@
{
nixpkgs,
git-hooks,
system,
src,
}:
let
pkgs = nixpkgs.legacyPackages.${system};
pre-commit-check = git-hooks.lib.${system}.run {
inherit src;
hooks = {
nixfmt.enable = true;
statix.enable = true;
deadnix.enable = true;
};
};
in
{
checks = {
inherit pre-commit-check;
};
formatter =
let
inherit (pre-commit-check) config;
inherit (config) package configFile;
script = ''
${pkgs.lib.getExe package} run --all-files --config ${configFile}
'';
in
pkgs.writeShellScriptBin "pre-commit-run" script;
devShells = {
default =
let
inherit (pre-commit-check) shellHook enabledPackages;
in
pkgs.mkShell {
inherit shellHook;
buildInputs = enabledPackages;
};
};
}

1
home/modules/desktop/niri/default.nix
View File

@@ -11,6 +11,7 @@
home = {
file.".config/niri/config.kdl".source = ./config.kdl;
packages = with pkgs; [
brightnessctl
wl-clipboard
wlsunset
];

2
home/modules/git/default.nix
View File

@@ -21,6 +21,6 @@
};
programs.gh.enable = config.github.enable;
home.packages = with pkgs; lib.optionals (config.gitlab.enable) [ glab ];
home.packages = lib.optionals config.gitlab.enable [ pkgs.glab ];
};
}

2
home/modules/nfc/proxmark3.nix
View File

@@ -15,7 +15,7 @@ in
config = lib.mkIf cfg.enable {
home.packages = [
pkgs.proxmark3
(pkgs.proxmark3.override { withGeneric = true; })
];
};
}

35
home/modules/ssh.nix
View File

@@ -18,20 +18,25 @@ in
enable = true;
enableDefaultConfig = false;
matchBlocks = lib.genAttrs hostsWithKeys (
hostname:
let
hostConfig = outputs.nixosConfigurations.${hostname}.config;
publicHostname = hostConfig.ssh.publicHostname;
targetUser = hostConfig.ssh.username;
in
{
host = hostname;
user = targetUser;
}
// lib.optionalAttrs (publicHostname != "") {
hostname = publicHostname;
}
);
matchBlocks =
lib.genAttrs hostsWithKeys (
hostname:
let
hostConfig = outputs.nixosConfigurations.${hostname}.config;
inherit (hostConfig.ssh) publicHostname username;
in
{
host = hostname;
user = username;
}
// lib.optionalAttrs (publicHostname != "") {
hostname = publicHostname;
}
)
// {
"*" = {
addKeysToAgent = "yes";
};
};
};
}

2
hosts/astyanax/default.nix
View File

@@ -40,6 +40,7 @@ in
(import ../../modules/secrets { inherit lib inputs config; })
../../modules/docker
../../modules/syncthing
../../modules/nfc
];
home-manager.users.${username} = import ../../home/hosts/astyanax {
@@ -58,6 +59,7 @@ in
secrets.username = username;
docker.user = username;
nfc.user = username;
nix.settings.secret-key-files = [ config.sops.secrets.nix_signing_key_astyanax.path ];

120
hosts/eetion/default.nix
View File

@@ -13,28 +13,34 @@ in
../../modules/ssh/hardened-openssh.nix
];
ssh.username = username;
ssh.publicHostname = "eetion";
ssh.authorizedHosts = [
"andromache"
"astyanax"
];
ssh = {
inherit username;
publicHostname = "eetion";
authorizedHosts = [
"andromache"
"astyanax"
];
};
boot.loader = {
grub.enable = false;
generic-extlinux-compatible.enable = true;
};
networking.hostName = hostName;
networking.networkmanager.enable = true;
networking.firewall = {
enable = true;
allowedTCPPorts = [
80
443
];
networking = {
inherit hostName;
networkmanager.enable = true;
firewall = {
enable = true;
allowedTCPPorts = [
80
443
];
};
};
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
users.users = {
root.hashedPassword = "!";
${username} = {
@@ -45,52 +51,54 @@ in
security.sudo.wheelNeedsPassword = false;
services.openssh = {
enable = true;
harden = true;
services = {
openssh = {
enable = true;
harden = true;
};
paperless = {
enable = true;
passwordFile = "/etc/paperless-admin-pass";
settings = {
PAPERLESS_URL = "http://paperless.eetion";
};
};
# added (OPNSense) domain override to make this work on LAN
#
# host: eetion
# domain: <domain (e.g. lan)>
# ip address: <eetion-ip>
#
# host: paperless
# domain: eetion
# ip address: <eetion-ip>
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"eetion" = {
default = true;
locations."/" = {
proxyPass = "http://127.0.0.1:5006";
};
};
"paperless.eetion" = {
locations."/" = {
proxyPass = "http://127.0.0.1:28981";
};
};
};
};
};
environment.etc."paperless-admin-pass".text = "admin";
services.paperless = {
enable = true;
passwordFile = "/etc/paperless-admin-pass";
settings = {
PAPERLESS_URL = "http://paperless.eetion";
};
};
# added (OPNSense) domain override to make this work on LAN
#
# host: eetion
# domain: <domain (e.g. lan)>
# ip address: <eetion-ip>
#
# host: paperless
# domain: eetion
# ip address: <eetion-ip>
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"eetion" = {
default = true;
locations."/" = {
proxyPass = "http://127.0.0.1:5006";
};
};
"paperless.eetion" = {
locations."/" = {
proxyPass = "http://127.0.0.1:28981";
};
};
};
};
virtualisation = {
podman.enable = true;
oci-containers = {

10
hosts/eetion/hard.nix
View File

@@ -5,10 +5,12 @@
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot = {
initrd.availableKernelModules = [ ];
initrd.kernelModules = [ ];
kernelModules = [ ];
extraModulePackages = [ ];
};
fileSystems."/" = {
device = "/dev/disk/by-label/NIXOS_SD";

17
hosts/hecuba/default.nix
View File

@@ -1,8 +1,5 @@
{
lib,
inputs,
outputs,
config,
pkgs,
...
}:
@@ -23,12 +20,14 @@ in
];
networking.hostName = hostName;
ssh.username = username;
ssh.publicHostname = "server.hektormisplon.xyz";
ssh.authorizedHosts = [
"andromache"
"astyanax"
];
ssh = {
inherit username;
publicHostname = "server.hektormisplon.xyz";
authorizedHosts = [
"andromache"
"astyanax"
];
};
docker.user = username;

24
modules/backups/default.nix
View File

@@ -28,23 +28,25 @@ in
};
config = {
sops.secrets.b2_bucket_name = { };
sops = {
secrets.b2_bucket_name = { };
sops.templates."restic/repo-${config.networking.hostName}" = {
content = "b2:${config.sops.placeholder."b2_bucket_name"}:${config.networking.hostName}";
};
templates."restic/repo-${config.networking.hostName}" = {
content = "b2:${config.sops.placeholder."b2_bucket_name"}:${config.networking.hostName}";
};
sops.templates."restic/b2-env-${config.networking.hostName}" = {
content = ''
B2_ACCOUNT_ID=${config.sops.placeholder."b2_account_id"}
B2_ACCOUNT_KEY=${config.sops.placeholder."b2_account_key"}
'';
templates."restic/b2-env-${config.networking.hostName}" = {
content = ''
B2_ACCOUNT_ID=${config.sops.placeholder."b2_account_id"}
B2_ACCOUNT_KEY=${config.sops.placeholder."b2_account_key"}
'';
};
};
services.restic.backups.home = {
repositoryFile = config.sops.templates."restic/repo-${config.networking.hostName}".path;
passwordFile = cfg.passwordFile;
paths = cfg.paths;
inherit (cfg) passwordFile;
inherit (cfg) paths;
timerConfig = {
OnCalendar = "daily";
Persistent = true;

16
modules/nfc/default.nix Normal file
View File

@@ -0,0 +1,16 @@
{ config, lib, ... }:
let
cfg = config.nfc;
in
{
options.nfc = {
user = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
};
};
config = lib.mkIf (cfg.user != null) {
users.users.${cfg.user}.extraGroups = [ "dialout" ];
};
}