Languages:
  • Nix 96.4%
  • Emacs Lisp 2.1%
  • Shell 1.5%

Last commit: 2026-06-23 10:49:14 +02:00
Top-level contents (last commit message and date):

  • bin (2026-04-13 09:39:29 +02:00): nix packages for repo scripts, automatic SAN for self-signed cert, and ed25519
  • devshells (2025-11-01 11:58:11 +01:00): maintenance
  • dotfiles/emacs (2025-11-23 13:30:43 +01:00): emacs packages using nix
  • home (2025-12-23 23:05:32 +01:00): major refactor
  • host (2026-06-23 10:49:14 +02:00): cyberjack driver fixes
  • mod (2026-06-23 10:36:19 +02:00): cyberjack driver & ausweisapp
  • packages (2026-05-09 23:00:00 +02:00): fix dns, add sonarr/radarr
  • pgp (2026-06-22 14:16:57 +02:00): gpg changes
  • pki (2026-05-09 23:12:07 +02:00): add prowlarr
  • secrets (2026-05-09 23:12:07 +02:00): add prowlarr
  • var (2026-05-09 23:12:07 +02:00): add prowlarr
  • .gitignore (2026-02-06 20:06:09 +01:00): vm + cleanup
  • flake.lock (2026-06-16 20:50:46 +02:00): bump nixpkgs-stable
  • flake.nix (2026-06-16 20:50:46 +02:00): bump nixpkgs-stable
  • lib.nix (2026-04-29 14:14:29 +02:00): refactor
  • LICENSE (2026-03-23 00:04:05 +01:00): qbittorrent wip
  • README.md (2026-05-10 11:43:06 +02:00): update TODOs
  • secrets.nix (2026-04-26 13:31:49 +02:00): auto-generated internal mail credentials

Nix Configurations

Repository structure:

  • host/
    One subdirectory per NixOS host, each containing its host-specific configuration.

  • mod/
    NixOS modules.

    • mod/common/: Modules enabled by default on all hosts.
    • mod/desktop/: Modules enabled on desktop hosts (i.e. hosts with hd.desktop.enable = true).

  • home/
    Home Manager modules. Home Manager is integrated into the system configuration via the home option defined in mod/desktop/default.nix.

  • bin/
    Helper scripts for generating parts of the configuration.

  • dotfiles/
    Raw configuration files deployed using Home Manager.

  • devshells/
    Nix development shells.

  • pki/
    Certificates used by the configuration.

  • secrets/
    Age-encrypted secrets managed and deployed via agenix.

  • var/
    Shared data used across the configuration. var/hosts.nix is the single source of truth for per-host data (SSH keys, WireGuard config). Adding a new host means adding an entry there and running bin/gen-syncthing-cert.

Network topology

WireGuard overlay network (onet, 10.10.11.0/24). roam is the hub and the only publicly reachable node; desktops peer with roam only. roam also runs a Mullvad WireGuard tunnel, configured in routing table 1000, that serves as the egress for the torrent container.
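The following is an added illustration of that topology, not the repository's own host/roam configuration: a NixOS module with the onet hub interface and a Mullvad tunnel whose routes are placed in table 1000, with an ip rule steering only the torrent container's source range through it. Key paths, public keys, the Mullvad endpoint and the container address range are placeholders.

```nix
# Added example (not the repository's own host/roam config). Keys, the
# endpoint and the container range are placeholders; a real deployment
# would point privateKeyFile at agenix-managed secrets.
{ pkgs, ... }:
{
  networking.wireguard.interfaces = {
    # onet hub: the only node that listens publicly; each desktop is a /32 peer
    # and is reachable by the others only through this interface.
    onet = {
      ips = [ "10.10.11.1/24" ];
      listenPort = 51820;
      privateKeyFile = "/var/secrets/wg.key";
      peers = [
        {
          publicKey = "DESKTOP_PUBLIC_KEY_PLACEHOLDER";
          allowedIPs = [ "10.10.11.2/32" ];
        }
      ];
    };

    # Mullvad egress: with table = "1000" the 0.0.0.0/0 route goes into
    # table 1000 instead of main, so the host's default route is untouched
    # and only traffic matched by the ip rule below uses the tunnel.
    mullvad = {
      ips = [ "10.64.0.2/32" ];                    # placeholder tunnel address
      privateKeyFile = "/var/secrets/mullvad.key"; # placeholder path
      table = "1000";
      peers = [
        {
          publicKey = "MULLVAD_SERVER_PUBLIC_KEY_PLACEHOLDER";
          endpoint = "relay.example.invalid:51820";
          allowedIPs = [ "0.0.0.0/0" ];
          persistentKeepalive = 25;
        }
      ];
      # Policy routing: packets from the torrent container's range consult
      # table 1000 first; everything else keeps using the main table.
      postSetup = ''
        ${pkgs.iproute2}/bin/ip rule add from 10.233.0.0/16 lookup 1000 priority 1000
      '';
      postShutdown = ''
        ${pkgs.iproute2}/bin/ip rule del from 10.233.0.0/16 lookup 1000 priority 1000
      '';
    };
  };

  # Only the hub's listen port is exposed; the Mullvad tunnel is outbound only.
  networking.firewall.allowedUDPPorts = [ 51820 ];
}
```

Note that the rule only covers traffic whose source address lies in the container range; if the container resolves names through a host-side resolver, those DNS queries leave via the main table and bypass the tunnel unless they are routed separately.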

TODO

  • WireGuard key: Manage /var/secrets/wg.key via agenix.
  • Forgejo: Provision the hd user (with email, admin flag) and SSH keys via a systemd service.
  • Remote builder (mod/build-machines.nix): declarative SSH jump server.
  • Restic backups (host/roam/backup.nix): Add incremental backups with a retention policy alongside rclone.
  • Roam system state (host/roam/backup.nix): Include PostgreSQL dumps (Forgejo, Nextcloud) in the backup script.
  • Backup monitoring (host/roam/backup.nix): Alert on backup job failure.