# Nix Configurations

Repository structure:

- `host/`: One subdirectory per NixOS host, each containing its host-specific configuration.
- `mod/`: NixOS modules.
  - `mod/common/`: Modules enabled by default on all hosts.
  - `mod/desktop/`: Modules enabled on desktop hosts (i.e. hosts with `hd.desktop.enable = true`).
- `home/`: Home Manager modules. Home Manager is integrated into the system configuration via the `home` option defined in `mod/desktop/default.nix`.
- `bin/`: Helper scripts for generating parts of the configuration.
- `dotfiles/`: Raw configuration files deployed using Home Manager.
- `devshells/`: Nix development shells.
- `pki/`: Certificates used by the configuration.
- `secrets/`: Age-encrypted secrets managed and deployed via agenix.
- `var/`: Shared data used across the configuration.
`hosts.nix` is the single source of truth for per-host data (SSH keys, WireGuard config). Adding a new host means adding an entry there and running `bin/gen-syncthing-cert`.
## Network topology

WireGuard overlay network (`onet`, `10.10.11.0/24`). Roam is the hub and the only publicly reachable node; desktops peer with roam only, so desktop-to-desktop traffic is relayed through roam. Roam also runs a Mullvad WireGuard tunnel whose routes live in routing table 1000 rather than the main table; a policy-routing rule sends the torrent container's traffic through that table, so only the container egresses via Mullvad.
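The topology above as a NixOS module for roam, written here as an added example (it is not the repository's own code). It assumes `hosts.nix` evaluates to an attrset keyed by host name with `wg.publicKey` and `wg.ip` per host; the container address, the Mullvad key path, relay endpoint and public key are placeholders. The `onet` hub only accepts each spoke's own `/32` as `allowedIPs`, and table 1000 carries an `unreachable` default so the container cannot fall through to the main table if the Mullvad tunnel goes down.

```nix
# Added example, not part of the repository. Placeholder keys and addresses.
{ lib, ... }:
let
  hosts = import ../../hosts.nix;        # location is an assumption
  torrentAddr = "10.233.1.2";            # container side of its veth pair (placeholder)
  spokes = lib.filterAttrs (name: _: name != "roam") hosts;
in
{
  # onet hub: the only publicly reachable endpoint; every desktop is a spoke.
  networking.wireguard.interfaces.onet = {
    ips = [ "10.10.11.1/24" ];
    listenPort = 51820;
    privateKeyFile = "/var/secrets/wg.key";
    peers = lib.mapAttrsToList (name: h: {
      publicKey = h.wg.publicKey;
      # A spoke may only source its own overlay address. Widening this to
      # 0.0.0.0/0 would let one compromised desktop route for all the others.
      allowedIPs = [ "${h.wg.ip}/32" ];
    }) spokes;
  };
  networking.firewall.allowedUDPPorts = [ 51820 ];

  # Mullvad tunnel: its default route is installed in table 1000, not main,
  # so nothing on roam uses it unless a policy rule selects that table.
  networking.wireguard.interfaces.mullvad = {
    ips = [ "10.64.0.2/32" ];                        # placeholder
    privateKeyFile = "/var/secrets/mullvad.key";     # placeholder
    table = "1000";
    peers = [{
      publicKey = "MULLVAD_RELAY_PUBLIC_KEY";        # placeholder
      endpoint = "relay.example.net:51820";          # placeholder
      allowedIPs = [ "0.0.0.0/0" ];
      persistentKeepalive = 25;
    }];
    # Kill switch: the tunnel route (metric 0) wins while it exists; once it
    # is gone the container's packets hit "unreachable" instead of leaking
    # out of the public interface via the main table.
    preSetup = ''
      ip route replace unreachable default table 1000 metric 1000
      ip rule del from ${torrentAddr} lookup 1000 priority 1000 2>/dev/null || true
      ip rule add from ${torrentAddr} lookup 1000 priority 1000
    '';
    postShutdown = ''
      ip rule del from ${torrentAddr} lookup 1000 priority 1000 2>/dev/null || true
    '';
  };

  # The container whose only egress is the tunnel.
  containers.torrent = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "10.233.1.1";
    localAddress = torrentAddr;
    config = { ... }: {
      # Do not inherit roam's resolver, or DNS would bypass the tunnel.
      networking.useHostResolvConf = lib.mkForce false;
      networking.nameservers = [ "10.64.0.1" ];     # in-tunnel resolver (placeholder)
    };
  };

  # Masquerade the container behind the tunnel interface, never the public NIC.
  networking.nat = {
    enable = true;
    internalIPs = [ torrentAddr ];
    externalInterface = "mullvad";
  };
}
```

To confirm the rule and the fallback are in place on roam, `ip rule show` should list `from 10.233.1.2 lookup 1000` and `ip route show table 1000` should list both the tunnel default route and the `unreachable default` entry; with the tunnel stopped, `ip route get 1.1.1.1 from 10.233.1.2 iif ve-torrent` must report unreachable rather than the public interface.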
## TODO

- WireGuard key: manage `/var/secrets/wg.key` via agenix.
- Forgejo: provision the `hd` user (with email, admin flag) and SSH keys via a systemd service.
- Firefox sync server (`host/roam/firefox-sync.nix`): containerize.
- systemd-resolved (`mod/desktop/network.nix`): enable DoH.
- Remote builder (`mod/build-machines.nix`): declarative SSH jump server.
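What the first TODO item looks like when done, as an added example that is not the repository's own code: the WireGuard private key is encrypted to roam's SSH host key and to an admin key in the agenix rules file, and the consuming module points `privateKeyFile` at the path agenix decrypts to at activation. It assumes `hosts.nix` exposes each host's SSH host public key as `hosts.<name>.sshPublicKey`; the admin key, file names and module path are placeholders.

```nix
# Added example, not part of the repository. Two files shown in one block.

# --- secrets.nix (agenix rules: which keys may decrypt which file) ---
let
  hosts = import ./hosts.nix;
  admin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... hd@desktop";   # placeholder
in
{
  # Encrypted to the admin key (so it can be edited) and to roam's host key
  # (so roam can decrypt it at activation). No other host can read it.
  "secrets/roam-wg.key.age".publicKeys = [ admin hosts.roam.sshPublicKey ];
}

# --- host/roam/wireguard.nix (consumer; path is a placeholder) ---
{ config, ... }:
{
  age.secrets.roam-wg-key = {
    file = ../../secrets/roam-wg.key.age;
    mode = "0400";   # root-only; the wireguard setup unit runs as root
  };
  # Decrypted to /run/agenix/roam-wg-key (tmpfs), never written to /var.
  networking.wireguard.interfaces.onet.privateKeyFile =
    config.age.secrets.roam-wg-key.path;
}
```

Create the encrypted file with `agenix -e secrets/roam-wg.key.age` run from the directory containing `secrets.nix`, pasting the existing key from `/var/secrets/wg.key`; agenix decrypts on roam with `/etc/ssh/ssh_host_ed25519_key` by default, so `hosts.roam.sshPublicKey` must be that key's public half. Because the overlay cannot come up until the key is decrypted, rotate the key (and update `hosts.nix` with the new public key) rather than reusing one that was previously stored in the clear.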