cfg/README.md
2026-04-11 20:30:38 +02:00


# Nix Configurations
Repository structure:

- **host/**: One subdirectory per NixOS host, each containing its host-specific configuration.
- **mod/**: NixOS modules.
  - **mod/common/**: Modules enabled by default on all hosts.
  - **mod/desktop/**: Modules enabled on desktop hosts (i.e. hosts with `hd.desktop.enable = true`).
- **home/**: Home Manager modules. Home Manager is integrated into the system configuration via the `home` option defined in `mod/desktop/default.nix`.
- **bin/**: Helper scripts for generating parts of the configuration.
- **dotfiles/**: Raw configuration files deployed using Home Manager.
- **devshells/**: Nix development shells.
- **pki/**: Certificates used by the configuration.
- **secrets/**: Age-encrypted secrets managed and deployed via agenix.
- **var/**: Shared data used across the configuration. `hosts.nix` is the single source of truth for per-host data (SSH keys, WireGuard config). Adding a new host means adding an entry there and running `bin/gen-syncthing-cert`.
## Network topology
WireGuard overlay network (onet, 10.10.11.0/24). Roam is the hub and the only
publicly reachable node; desktops peer with roam only, so desktop-to-desktop
traffic traverses the hub. Roam also runs a Mullvad WireGuard tunnel that serves
as the egress for the torrent container; that traffic is steered through the
tunnel via routing table 1000.
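The hub-and-spoke layout above, as an added NixOS module that is not part of this repository: it derives a host's `onet` peer list from a `hosts.nix`-shaped attrset so roam peers with every host while desktops peer with roam only. The `wg.pubkey`/`wg.ip`/`wg.endpoint` schema, the listen port 51820 and the sample host entries are assumptions for illustration.

```nix
# Added example (not the repository's own code). Assumes var/hosts.nix exposes
# per-host `wg = { pubkey; ip; endpoint?; }`; the sample below is constructed.
{ config, lib, ... }:
let
  hosts = {
    roam = { wg = { pubkey = "<roam-pubkey>"; ip = "10.10.11.1"; endpoint = "roam.example:51820"; }; };
    desk = { wg = { pubkey = "<desk-pubkey>"; ip = "10.10.11.2"; }; };
    lap  = { wg = { pubkey = "<lap-pubkey>";  ip = "10.10.11.3"; }; };
  };
  hub = "roam";
  me = config.networking.hostName;
  isHub = me == hub;

  # Hub side: each spoke may only source its own /32.
  # Spoke side: the whole overlay is reachable through the hub.
  mkPeer = name: h: {
    publicKey = h.wg.pubkey;
    allowedIPs = if isHub then [ "${h.wg.ip}/32" ] else [ "10.10.11.0/24" ];
  } // lib.optionalAttrs (h.wg ? endpoint) {
    # Only the hub has a public endpoint; spokes keep the NAT mapping alive.
    endpoint = h.wg.endpoint;
    persistentKeepalive = 25;
  };

  peers =
    if isHub
    then lib.mapAttrsToList mkPeer (lib.filterAttrs (n: _: n != hub) hosts)
    else [ (mkPeer hub hosts.${hub}) ];
in {
  networking.wireguard.interfaces.onet = {
    ips = [ "${hosts.${me}.wg.ip}/24" ];
    listenPort = 51820;
    # Private key stays outside the Nix store (path taken from the TODO above).
    privateKeyFile = "/var/secrets/wg.key";
    inherit peers;
  };
  # Only the hub is publicly reachable, so only it opens the WireGuard port.
  networking.firewall.allowedUDPPorts = lib.optional isHub 51820;
}
```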
## TODO
- **WireGuard key:** Manage `/var/secrets/wg.key` via agenix.
- **Forgejo:** Provision the `hd` user (with email, admin flag) and SSH keys via a systemd service.
- **Firefox sync server** (`host/roam/firefox-sync.nix`): Containerize.
- **systemd-resolved** (`mod/desktop/network.nix`): Enable DoH.
- **Remote builder** (`mod/build-machines.nix`): Declarative SSH jump server.
- **Restic backups** (`host/roam/backup.nix`): Add incremental backups with a retention policy alongside rclone.
- **Roam system state** (`host/roam/backup.nix`): Include PostgreSQL dumps (Forgejo, Nextcloud) in the backup script.
- **Backup monitoring** (`host/roam/backup.nix`): Alert on backup job failure.