hektor/nix
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: hektor:ea88fff4a4112fc42680954c74f1e0aa319b5a9f
Branches Tags
hektor:main
...
compare: hektor:49de518ad1589c9f93c4f7a52cec0e585ac47377
Branches Tags
hektor:main

5 Commits
ea88fff4a4 ... 49de518ad1

Author SHA1 Message Date
hektor
49de518ad1 chore: update lockfile 
Flake lock file updates:

• Updated input 'nvim':
    'path:./dots/.config/nvim'
  → 'path:./dots/.config/nvim'
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/1e89149dcfc229e7e2ae24a8030f124a31e4f24f?narHash=sha256-twBMKGQvaztZQxFxbZnkg7y/50BW9yjtCBWwdjtOZew%3D' (2026-02-01)
  → 'github:Mic92/sops-nix/f990b0a334e96d3ef9ca09d4bd92778b42fd84f9?narHash=sha256-NUVGVtYBTC96WhPh4Y3SVM7vf0o1z5W4uqRBn9v1pfo%3D' (2026-02-03)
 2026-02-03 23:02:45 +01:00
hektor
6c9312f509 feat: mute 'astyanax' speakers when disconnecting AC 2026-02-03 23:02:41 +01:00
hektor
3359426c48 fix: integrate keepassxc browser on all firefox-based browsers 2026-02-03 23:02:41 +01:00
hektor
0f0f038f5a feat: set up restic backups for 'andromache' and 'astyanax' 2026-02-03 23:02:41 +01:00
hektor
ab31842e58 feat: set up syncthing (with e-reader) 2026-02-03 22:59:30 +01:00
12 changed files with 277 additions and 57 deletions
Expand all files Collapse all files

30
flake.lock generated
View File

@@ -53,11 +53,11 @@
},
"locked": {
"dir": "pkgs/firefox-addons",
"lastModified": 1769745834,
"narHash": "sha256-/7EzWXFrHiF2LiuQPFUD1jhICcRa30QVa/uQCPu1Q/g=",
"lastModified": 1770091431,
"narHash": "sha256-9Sqq/hxq8ZDLRSzu+edn0OfWG+FAPWFpwMKaJobeLec=",
"owner": "rycee",
"repo": "nur-expressions",
"rev": "ec30ecfdee4b0df2325c2672db21684e806f4b69",
"rev": "4f827ff035c6ddc58d04c45abe5b777d356b926a",
"type": "gitlab"
},
"original": {
@@ -145,11 +145,11 @@
]
},
"locked": {
"lastModified": 1769776025,
"narHash": "sha256-70a1kVC08AMTvPc7iqQsJbbD4Y1fukakMVudz4oY9SM=",
"lastModified": 1769978395,
"narHash": "sha256-gj1yP3spUb1vGtaF5qPhshd2j0cg4xf51pklDsIm19Q=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "0fba737f8d5571d41467f3d99a878e11b8c0f0f0",
"rev": "984708c34d3495a518e6ab6b8633469bbca2f77a",
"type": "github"
},
"original": {
@@ -252,10 +252,10 @@
"nix-secrets": {
"flake": false,
"locked": {
"lastModified": 1769114809,
"narHash": "sha256-xRZeYJAq/AcEZqsevIn1POBswP4rFYhOsQxaJP6xxpM=",
"lastModified": 1770135527,
"narHash": "sha256-Fup9LiyL6bDID3x+rAB2nP99Xv2o9Is5NkTDbmIy6o0=",
"ref": "main",
"rev": "b14f3b416336bf44343941322745d6144582560e",
"rev": "521d144f8a8ff9fca8ccf492d7fbdd05d9a5fe37",
"shallow": true,
"type": "git",
"url": "ssh://git@github.com/hektor/nix-secrets"
@@ -321,11 +321,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1769461804,
"narHash": "sha256-msG8SU5WsBUfVVa/9RPLaymvi5bI8edTavbIq3vRlhI=",
"lastModified": 1770019141,
"narHash": "sha256-VKS4ZLNx4PNrABoB0L8KUpc1fE7CLpQXQs985tGfaCU=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "bfc1b8a4574108ceef22f02bafcf6611380c100d",
"rev": "cb369ef2efd432b3cdf8622b0ffc0a97a02f3137",
"type": "github"
},
"original": {
@@ -612,11 +612,11 @@
]
},
"locked": {
"lastModified": 1769469829,
"narHash": "sha256-wFcr32ZqspCxk4+FvIxIL0AZktRs6DuF8oOsLt59YBU=",
"lastModified": 1770110318,
"narHash": "sha256-NUVGVtYBTC96WhPh4Y3SVM7vf0o1z5W4uqRBn9v1pfo=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "c5eebd4eb2e3372fe12a8d70a248a6ee9dd02eff",
"rev": "f990b0a334e96d3ef9ca09d4bd92778b42fd84f9",
"type": "github"
},
"original": {

13
home/modules/browser/firefox-base.nix
View File

@@ -1,13 +1,20 @@
{ inputs, pkgs }:
{
config,
inputs,
pkgs,
}:
let
bookmarks = import ./bookmarks.nix;
in
{
nativeMessagingHosts = with pkgs; [
nativeMessagingHosts =
with pkgs;
[
tridactyl-native
];
]
++ lib.optionals config.programs.keepassxc.enable [ keepassxc ];
profiles = {
default = {
settings = {

10
home/modules/browser/firefox.nix
View File

@@ -1,10 +1,16 @@
{ config, lib, inputs, pkgs, ... }:
{
config,
lib,
inputs,
pkgs,
...
}:
{
config = lib.mkIf (config.browser.primary == "firefox" || config.browser.secondary == "firefox") {
programs.firefox = {
enable = true;
}
// (import ./firefox-base.nix { inherit inputs pkgs; });
// (import ./firefox-base.nix { inherit config inputs pkgs; });
};
}

10
home/modules/browser/librewolf.nix
View File

@@ -1,4 +1,10 @@
{ config, lib, inputs, pkgs, ... }:
{
config,
lib,
inputs,
pkgs,
...
}:
{
config =
@@ -7,6 +13,6 @@
programs.librewolf = {
enable = true;
}
// (import ./firefox-base.nix { inherit inputs pkgs; });
// (import ./firefox-base.nix { inherit config inputs pkgs; });
};
}

1
home/modules/keepassxc.nix
View File

@@ -7,5 +7,4 @@
Browser.Enabled = true;
};
};
# programs.firefox.nativeMessagingHosts = [ pkgs.keepassxc ]; # FIXME: Resolve 'Access error for config file $HOME/.config/keepassxc/keepassxc.ini' error
}

42
hosts/andromache/default.nix
View File

@@ -26,6 +26,7 @@ in
device = "/dev/nvme1n1";
})
../../modules/desktops/niri
../../modules/backups
../../modules/bluetooth
../../modules/keyboard
(import ../../modules/networking { inherit hostName; })
@@ -36,6 +37,7 @@ in
../../modules/ssh/hardened-openssh.nix
(import ../../modules/secrets { inherit lib inputs config; })
../../modules/docker
../../modules/syncthing
];
home-manager.users.${username} = import ../../home/hosts/andromache {
@@ -96,7 +98,6 @@ in
inputs.colmena.packages.${pkgs.system}.colmena
];
services = {
xserver = {
videoDrivers = [ "nvidia" ];
@@ -106,30 +107,33 @@ in
enable = true;
harden = true;
};
syncthing = {
enable = true;
openDefaultPorts = true;
settings = {
devices = {
# "device1" = {
# id = "DEVICE-ID-GOES-HERE";
# };
};
folders = {
"/home/${username}/sync" = {
id = "sync";
devices = [ ];
};
};
};
};
locate = {
enable = true;
package = pkgs.plocate;
};
};
my.syncthing = {
enable = true;
deviceNames = [
"boox"
"astyanax"
];
folders = {
readings = {
path = "/home/h/doc/readings";
id = "readings";
devices = [
{
device = "boox";
type = "receiveonly";
}
"astyanax"
];
};
};
};
networking = {
# TODO: generate unique hostId on actual host with: head -c 8 /etc/machine-id
hostId = "80eef97e";

34
hosts/astyanax/default.nix
View File

@@ -26,17 +26,20 @@ in
device = "/dev/nvme0n1";
})
../../modules/desktops/niri
../../modules/audio
../../modules/audio-automation
../../modules/backups
../../modules/bluetooth
../../modules/keyboard
(import ../../modules/networking { inherit hostName; })
../../modules/users
../../modules/audio
../../modules/localization
../../modules/fonts
../../modules/ssh/hardened-openssh.nix
# ../../modules/vpn/wireguard.nix
(import ../../modules/secrets { inherit lib inputs config; })
../../modules/docker
../../modules/syncthing
];
home-manager.users.${username} = import ../../home/hosts/astyanax {
@@ -99,21 +102,30 @@ in
enable = true;
harden = true;
};
syncthing = {
};
my.syncthing = {
enable = true;
openDefaultPorts = true;
deviceNames = [
"boox"
"andromache"
];
folders = {
"/home/h/sync" = {
id = "sync";
devices = [ ];
readings = {
path = "/home/h/doc/readings";
id = "readings";
devices = [
{
device = "boox";
type = "receiveonly";
}
"andromache"
];
};
};
devices = {
# "device1" = {
# id = "DEVICE-ID-GOES-HERE";
# };
};
};
services = {
locate = {
enable = true;
package = pkgs.plocate;

17
modules/audio-automation/default.nix Normal file
View File

@@ -0,0 +1,17 @@
{ pkgs, ... }:
{
environment.systemPackages = [ pkgs.libnotify ];
services.udev.extraRules = ''
SUBSYSTEM=="power_supply", ATTR{online}=="0", ACTION=="change", TAG+="systemd", ENV{SYSTEMD_USER_WANTS}+="mute-audio.service"
'';
systemd.user.services.mute-audio = {
description = "mute audio when switching to battery power";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.bash}/bin/bash -c '${pkgs.pulseaudio}/bin/pactl set-sink-mute $(${pkgs.pulseaudio}/bin/pactl get-default-sink) true && ${pkgs.libnotify}/bin/notify-send \"audio Muted\" \"switched to battery power\"'";
};
};
}

63
modules/backups/default.nix Normal file
View File

@@ -0,0 +1,63 @@
{
lib,
config,
...
}:
let
cfg = config.restic-backup;
in
{
options = {
restic-backup = {
repository = lib.mkOption {
type = lib.types.str;
default = "b2:${config.sops.placeholder."b2_bucket_name"}:${config.networking.hostName}";
};
passwordFile = lib.mkOption {
type = lib.types.str;
default = config.sops.secrets."restic_password".path;
};
paths = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ "/home" ];
};
};
};
config = {
sops.secrets.b2_bucket_name = { };
sops.templates."restic/repo-${config.networking.hostName}" = {
content = "b2:${config.sops.placeholder."b2_bucket_name"}:${config.networking.hostName}";
};
sops.templates."restic/b2-env-${config.networking.hostName}" = {
content = ''
B2_ACCOUNT_ID=${config.sops.placeholder."b2_account_id"}
B2_ACCOUNT_KEY=${config.sops.placeholder."b2_account_key"}
'';
};
services.restic.backups.home = {
repositoryFile = config.sops.templates."restic/repo-${config.networking.hostName}".path;
passwordFile = cfg.passwordFile;
paths = cfg.paths;
timerConfig = {
OnCalendar = "daily";
Persistent = true;
};
initialize = true;
extraBackupArgs = [ "--one-file-system" ];
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 6"
"--keep-yearly 1"
];
environmentFile = config.sops.templates."restic/b2-env-${config.networking.hostName}".path;
};
};
}

16
modules/secrets/default.nix
View File

@@ -32,6 +32,15 @@ in
"nix_signing_key_astyanax" = { };
"nix_signing_key_andromache" = { };
"opencode_api_key".owner = config.users.users.${cfg.username}.name;
# TODO: using shared secrets for now, but would be better to to per-host secrets
# To add per-host secrets:
# "restic_password_${config.networking.hostName}" = { };
# "restic_b2_account_id_${config.networking.hostName}" = { };
# "restic_b2_account_key_${config.networking.hostName}" = { };
"restic_password" = { };
"b2_bucket_name" = { };
"b2_account_id" = { };
"b2_account_key" = { };
};
templates = {
@@ -86,6 +95,13 @@ in
}
'';
};
"restic/b2-env" = {
content = ''
B2_ACCOUNT_ID=${config.sops.placeholder."b2_account_id"}
B2_ACCOUNT_KEY=${config.sops.placeholder."b2_account_key"}
'';
};
};
};
};

85
modules/syncthing/default.nix Normal file
View File

@@ -0,0 +1,85 @@
{
lib,
config,
...
}:
with lib;
let
cfg = config.my.syncthing;
allDevices = import ./devices.nix;
in
{
options.my.syncthing = {
enable = mkEnableOption "Syncthing file synchronization";
username = mkOption {
type = types.str;
default = "h";
};
deviceNames = mkOption {
type = types.listOf types.str;
default = [ ];
};
folders = mkOption {
type = types.attrsOf (
types.submodule {
options = {
path = mkOption { type = types.path; };
id = mkOption { type = types.str; };
devices = mkOption {
type = types.listOf (
types.either types.str (
types.submodule {
options = {
device = mkOption { type = types.str; };
type = mkOption {
type = types.str;
default = "sendreceive";
};
};
}
)
);
default = cfg.deviceNames;
};
};
}
);
default = { };
};
};
config = mkIf cfg.enable {
users.groups.${cfg.username} = { };
services.syncthing = {
enable = true;
user = cfg.username;
group = cfg.username;
configDir = "/home/${cfg.username}/.local/state/syncthing";
openDefaultPorts = true;
settings = {
options = {
localAnnounceEnabled = true;
globalAnnounceEnabled = true;
relaysEnabled = true;
urAccepted = -1;
};
devices = mapAttrs (name: id: { inherit id; }) (
filterAttrs (name: _: elem name cfg.deviceNames) allDevices
);
folders = mapAttrs (name: folder: {
inherit (folder) id path;
devices = map (
device:
if isString device then
allDevices.${device}
else
device // { deviceID = allDevices.${device.device}; }
) folder.devices;
}) cfg.folders;
};
};
};
}

5
modules/syncthing/devices.nix Normal file
View File

@@ -0,0 +1,5 @@
{
boox = "7B5E6PT-HWRQ3WH-OLOSWAZ-T3WNHND-VKUREIJ-AD5I4EA-UJR4M5E-OR5COA7";
andromache = "QNVYMOC-GAPIIF7-PKYBN22-PPNAWOF-UJWNUFD-6DXRAJA-AZSMPOS-ULMZWAU";
astyanax = "CSSFKEO-2T5PAO5-HX43E4E-UKARH4I-6FVHP36-6YC5WXX-VNMHXD3-WY3QKA7";
}