# Nix Configurations

Repository structure:

- **host/** One subdirectory per NixOS host, each containing its host-specific configuration.
- **mod/** NixOS modules.
  - **mod/common/** Modules enabled by default on all hosts.
  - **mod/desktop/** Modules enabled on desktop hosts (i.e. hosts with `hd.desktop.enable = true`).
- **home/** Home Manager modules. Home Manager is integrated into the system configuration via the `home` option defined in `mod/desktop/default.nix`.
- **bin/** Helper scripts for generating parts of the configuration.
- **dotfiles/** Raw configuration files deployed using Home Manager.
- **devshells/** Nix development shells.
- **pki/** Certificates used by the configuration.
- **secrets/** Age-encrypted secrets managed and deployed via agenix.
- **var/** Shared data used across the configuration.

`hosts.nix` is the single source of truth for per-host data (SSH keys, WireGuard config). Adding a new host means adding an entry there and running `bin/gen-syncthing-cert`.

## Network topology

WireGuard overlay network (onet, 10.10.11.0/24). Roam is the hub and the only publicly reachable node; desktops peer with roam only. Roam also runs a Mullvad WireGuard tunnel, routed through policy-routing table 1000, that serves as the egress for the torrent container.

## TODO

- **WireGuard key:** Manage `/var/secrets/wg.key` via agenix.
- **Forgejo:** Provision the `hd` user (with email, admin flag) and SSH keys via a systemd service.
- **Firefox sync server** (`host/roam/firefox-sync.nix`): Containerize.
- **systemd-resolved** (`mod/desktop/network.nix`): Enable DoH.
- **Remote builder** (`mod/build-machines.nix`): Declarative SSH jump server.
- **Restic backups** (`host/roam/backup.nix`): Add incremental backups with a retention policy alongside rclone.
- **Roam system state** (`host/roam/backup.nix`): Include PostgreSQL dumps (Forgejo, Nextcloud) in the backup script.
- **Backup monitoring** (`host/roam/backup.nix`): Alert on backup job failure.
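The hub-and-spoke onet layout described under Network topology, as an added example of how such a topology can be derived from a single per-host data file; this is not this repository's code, and the `hosts` attribute names (`wgPubKey`, `wgAddr`, `endpoint`, `isHub`) are assumptions rather than the actual `hosts.nix` schema. Each spoke gets only its own /32 in the hub's `allowedIPs`, so a compromised desktop cannot claim another node's overlay address.

```nix
# Added example, not this repository's code. Builds the onet WireGuard peer
# list from a hosts attrset; the schema below (wgPubKey, wgAddr, endpoint,
# isHub) is assumed and the public keys are placeholders.
{ config, lib, ... }:
let
  hosts = {
    roam  = { wgPubKey = "<roam-pubkey>";  wgAddr = "10.10.11.1"; endpoint = "roam.example:51820"; isHub = true; };
    desk1 = { wgPubKey = "<desk1-pubkey>"; wgAddr = "10.10.11.2"; isHub = false; };
    desk2 = { wgPubKey = "<desk2-pubkey>"; wgAddr = "10.10.11.3"; isHub = false; };
  };
  self   = hosts.${config.networking.hostName};
  spokes = lib.attrValues (lib.filterAttrs (_: h: !h.isHub) hosts);
  hub    = lib.head (lib.attrValues (lib.filterAttrs (_: h: h.isHub) hosts));

  # The hub may route the whole /24; a spoke is only ever allowed its own /32.
  mkPeer = h: {
    publicKey  = h.wgPubKey;
    allowedIPs = if h.isHub then [ "10.10.11.0/24" ] else [ "${h.wgAddr}/32" ];
  } // lib.optionalAttrs (h ? endpoint) {
    # Only the hub has a public endpoint; spokes behind NAT keep the path open.
    endpoint            = h.endpoint;
    persistentKeepalive = 25;
  };

  # Hub: every spoke is a peer. Spoke: the hub is the only peer.
  peers = if self.isHub then map mkPeer spokes else [ (mkPeer hub) ];
in {
  networking.wireguard.interfaces.onet = {
    ips            = [ "${self.wgAddr}/24" ];
    listenPort     = lib.mkIf self.isHub 51820;
    privateKeyFile = "/var/secrets/wg.key";   # path named in the TODO above
    inherit peers;
  };
  # Only the hub needs to accept inbound WireGuard traffic.
  networking.firewall.allowedUDPPorts = lib.mkIf self.isHub [ 51820 ];
}
```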