don/NixOS-Configs
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Activity

Apply all pending changes excluding .sops.yaml

Browse source
This commit is contained in:
Don Harper 2026-05-05 14:20:58 -05:00
parent 7b04942bb2
commit 89929ac69a
20 changed files with 439 additions and 167 deletions
Download patch file Download diff file Expand all files Collapse all files

9
.vscode/settings.json vendored Normal file
View file

@ -0,0 +1,9 @@
{
"chat.tools.terminal.autoApprove": {
"nix": true,
"cp": true,
"mkdir": true,
"git add": true,
"git commit": true
}
}

191
README.md
View file

@ -1,4 +1,193 @@
# NixOS-Configs
My NixOS configs
My NixOS system configurations managed with Nix flakes, home-manager, and colmena for multi-host deployment.
## Overview
This repository contains NixOS configurations for multiple hosts including workstations, servers, and Raspberry Pi systems. It uses:
- **Nix Flakes** for reproducible builds and dependency management
- **home-manager** for user environment configuration
- **colmena** for multi-host deployment
- **sops-nix** for secrets management
- **Role-based configuration** for modular host setup
## Host Categories
### Workstations
- `loki` - Framework AMD AI 300 (primary development machine)
- `book` - Google Pixelbook 2017
- `dragon` - Custom workstation
- `ace` - Acer C720
- `eve` - Google Pixelbook 2017 (eMMC)
- `pocket2` - Mobile workstation
- `smaug` - ThinkPad x260
### Servers
- `w1` - Hetzner VPS
- `fred` - Acer server
- `harper` - Server
- `harper2` - Server
- `nuwww` - Web server
- `www2` - Web server
- `pihole` - Pi-hole server
### Raspberry Pi Systems
- `pi1` - Raspberry Pi
- `display` - Pi 4 with kiosk display
### Virtual Machines
- `vm` - Generic VM
- `vm1` - VM configuration
## Quick Start
### Prerequisites
- Nix with flakes enabled
- Age key for secrets decryption (see secrets section)
### Building a Host
```bash
# Test build without installing
just test <hostname>
# Apply configuration to host
just switch <hostname>
# Apply and reboot
just bootswitch <hostname>
```
### Updating
```bash
# Update flake.lock
just update
# Apply updates to all hosts
just world
```
### Available Commands
- `just test <host>` - Build and validate configuration
- `just switch <host>` - Apply configuration
- `just boot <host>` - Apply configuration for next boot
- `just world` - Deploy to all hosts
- `just workstation` - Deploy to workstation hosts
- `just server` - Deploy to server hosts
- `just web` - Deploy to web hosts
- `just clean <host>` - Clean old generations and optimize store
- `just update` - Update flake.lock
- `just format` - Format Nix code
## Configuration Structure
### Host Configuration
Each host in `hosts/<hostname>/` follows this pattern:
```nix
{
imports = [ ../templates/workstation.nix ]; # Base template
networking.hostName = "hostname";
variables.address = "100.72.x.x"; # Tailscale IP
roles = {
gui.enable = true;
games.enable = true;
wm = "sway";
};
}
```
### Roles
Hosts are configured using role-based modules:
- `gui` - Graphical user interface packages
- `games` - Gaming packages and Steam
- `citrix` - Citrix Workspace client
- `zoom` - Zoom client
- `kvm` - Virtualization support
- `kmscon` - Console improvements
- `auto-cpufreq` - CPU power management
### Window Managers
- `sway` - Wayland compositor (default for workstations)
- `gnome` - GNOME desktop environment
### Home Manager
User configurations are managed separately:
- `home/common/` - Common packages and settings for all users
- `home/gui/` - GUI-specific user configuration
- `home/work/` - Work-related packages and settings
## Secrets Management
Secrets are encrypted using sops-nix with Age keys.
### Setup
1. Generate Age key pair:
```bash
nix run nixpkgs#age -- -generate-keypair
```
2. Add public key to `.sops.yaml`:
```yaml
keys:
- &host_<name> <public_key>
creation_rules:
- path_regex: secrets.yaml$
key_groups:
- age:
- *host_<name>
```
3. Encrypt secrets:
```bash
sops --encrypt secrets.yaml > secrets.yaml.enc
```
### Usage in Configuration
```nix
# In host configuration
sops.secrets."service/password".path
```
## Development
### Adding a New Host
1. Create `hosts/<hostname>/default.nix`
2. Add hardware configuration if needed
3. Import appropriate template (`workstation.nix`, `server.nix`, etc.)
4. Configure roles and variables
5. Add to `flake.nix` outputs
6. Test with `just test <hostname>`
### Template Types
- `hosts/templates/workstation.nix` - Full desktop/workstation
- `hosts/templates/server.nix` - Server configuration
- `hosts/templates/pi-server.nix` - Raspberry Pi server
### Code Quality
- Format code: `just format`
- Check configuration: `nix flake check`
- Validate secrets: Ensure `.sops.yaml` has correct public keys
## Troubleshooting
### Common Issues
- **Build fails**: Check `nix flake show` for syntax errors
- **Secrets not found**: Verify Age key is in `~/.config/sops/age/keys.txt`
- **Network issues**: Check Tailscale connectivity
- **Home manager conflicts**: Remove backup files: `locate home-manager-backup | xargs rm`
### Logs
Build logs are saved to `nixos-switch.log`. Check this file for detailed error information.
## Contributing
1. Test changes on a single host first
2. Update documentation for new features
3. Clean up FIXME/DELME comments
4. Format code before committing

122
flake.nix
View file

@ -39,17 +39,34 @@
...
}: let
inherit (self) outputs;
lib = nixpkgs.lib // home-manager.lib;
nixpkgsPkg = import inputs.nixpkgs {
system = "x86_64-linux";
config = {
allowUnfree = true;
};
};
lib = inputs.nixpkgs.lib // home-manager.lib;
# Helper for consistent specialArgs across all configurations
mkSpecialArgs = { }: {
inherit inputs outputs;
};
# Helper for nixosSystem configuration
mkNixosSystem = { modules, system ? "x86_64-linux" }: lib.nixosSystem {
inherit system;
specialArgs = mkSpecialArgs { };
modules = [ { nixpkgs.config.allowUnfree = true; } ] ++ modules;
};
in {
inherit lib;
nixpkgs.config.allowUnfree = true;
config.allowUnfree = true;
nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) ["widevine-cdm"];
# Remove redundant allowUnfreePredicate - allowUnfree covers all unfree packages
# nixpkgs.config.allowUnfreePredicate = pkg:
# builtins.elem (lib.getName pkg) ["widevine-cdm"];
colmena = {
meta = {
nixpkgs = import nixpkgs {stdenv.hostPlatform.system = "x86_64-linux";};
specialArgs = {inherit inputs outputs;};
nixpkgs = nixpkgsPkg;
specialArgs = mkSpecialArgs { };
};
# ace = import ./hosts/ace/colmena.nix; # Acer C720
book = import ./hosts/book/colmena.nix; # Google Pixelbook 2017 w/ nvme.
@ -66,87 +83,32 @@
nixosConfigurations = {
# clients
ace = lib.nixosSystem {
modules = [./hosts/ace];
specialArgs = {inherit inputs outputs;};
};
dragon = lib.nixosSystem {
modules = [./hosts/dragon];
specialArgs = {inherit inputs outputs;};
};
book = lib.nixosSystem {
modules = [./hosts/book];
specialArgs = {inherit inputs outputs;};
};
loki = lib.nixosSystem {
modules = [./hosts/loki];
specialArgs = {inherit inputs outputs;};
};
pocket2 = lib.nixosSystem {
modules = [./hosts/pocket2];
specialArgs = {inherit inputs outputs;};
};
smaug = lib.nixosSystem {
modules = [./hosts/smaug];
specialArgs = {inherit inputs outputs;};
};
t2 = lib.nixosSystem {
modules = [./hosts/t2];
specialArgs = {inherit inputs outputs;};
};
pi1 = lib.nixosSystem {
modules = [./hosts/pi1];
specialArgs = {inherit inputs outputs;};
};
ace = mkNixosSystem { modules = [./hosts/ace]; };
dragon = mkNixosSystem { modules = [./hosts/dragon]; };
book = mkNixosSystem { modules = [./hosts/book]; };
loki = mkNixosSystem { modules = [./hosts/loki]; };
pocket2 = mkNixosSystem { modules = [./hosts/pocket2]; };
smaug = mkNixosSystem { modules = [./hosts/smaug]; };
t2 = mkNixosSystem { modules = [./hosts/t2]; };
pi1 = mkNixosSystem { modules = [./hosts/pi1]; };
# servers
display = lib.nixosSystem {
modules = [./hosts/display];
specialArgs = {inherit inputs outputs;};
};
fred = lib.nixosSystem {
modules = [./hosts/fred];
specialArgs = {inherit inputs outputs;};
};
vm = lib.nixosSystem {
display = mkNixosSystem { modules = [./hosts/display]; };
fred = mkNixosSystem { modules = [./hosts/fred]; };
vm = mkNixosSystem {
modules = [
"${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix"
"${nixpkgs}/nixos/modules/installer/cd-dvd/channel.nix"
./hosts/vm
];
specialArgs = {inherit inputs outputs;};
};
harper2 = lib.nixosSystem {
modules = [./hosts/harper2];
specialArgs = {inherit inputs outputs;};
};
harper = lib.nixosSystem {
modules = [./hosts/harper];
specialArgs = {inherit inputs outputs;};
};
nuwww = lib.nixosSystem {
modules = [./hosts/nuwww];
specialArgs = {inherit inputs outputs;};
};
pihole = lib.nixosSystem {
modules = [./hosts/pihole];
specialArgs = {inherit inputs outputs;};
};
www2 = lib.nixosSystem {
modules = [./hosts/www2];
specialArgs = {inherit inputs outputs;};
};
w1 = lib.nixosSystem {
modules = [./hosts/w1];
specialArgs = {inherit inputs outputs;};
};
# w2 = lib.nixosSystem {
# modules = [./hosts/w2];
# specialArgs = {
# inherit inputs outputs;
# };
# };
harper2 = mkNixosSystem { modules = [./hosts/harper2]; };
harper = mkNixosSystem { modules = [./hosts/harper]; };
nuwww = mkNixosSystem { modules = [./hosts/nuwww]; };
pihole = mkNixosSystem { modules = [./hosts/pihole]; };
www2 = mkNixosSystem { modules = [./hosts/www2]; };
w1 = mkNixosSystem { modules = [./hosts/w1]; };
# w2 = mkNixosSystem { modules = [./hosts/w2]; };
};
};
}

3
home/default.nix
View file

@ -3,6 +3,7 @@
outputs,
pkgs,
pkgs-stable,
lib,
...
}: {
imports = [inputs.home-manager.nixosModules.home-manager];
@ -26,7 +27,7 @@
home = {
username = "don";
homeDirectory = "/home/don";
stateVersion = "25.11";
stateVersion = lib.mkDefault "25.11";
};
programs = {
home-manager = {enable = true;};

6
home/gui/default.nix
View file

@ -23,9 +23,12 @@ in {
./terminals.nix
];
fonts = {fontconfig = {enable = true;};};
nixpkgs.config.allowUnfree = true;
nixpkgs.overlays = [
(final: prev: {
qutebrowser = prev.qutebrowser.override {enableWideVine = true;};
qutebrowser = prev.qutebrowser.override {
enableWideVine = true;
};
})
];
home.packages = with pkgs; [
@ -68,7 +71,6 @@ in {
# telegram-desktop
texlive.combined.scheme-medium
# watchmate
widevine-cdm
wlsunset
# yt-dlp
];

3
home/gui/qutebrowser.nix
View file

@ -244,9 +244,6 @@
};
};
qt = {
args = [
"widevine-path=${pkgs.widevine-cdm}/share/google/chrome/WidevineCdm/_platform_specific/linux_x64/libwidevinecdm.so"
];
workarounds = {remove_service_workers = true;};
};
spellcheck = {languages = ["en-US"];};

37
home/work/citrix.nix
View file

@ -1,44 +1,11 @@
{
lib,
config,
pkgs,
inputs,
outputs,
home-manager,
...
}:
{ lib, config, pkgs, inputs, outputs, home-manager, ... }:
with lib; let
cfg = config.roles.citrix;
# FIXME : remove when new version of Citrix is released
pkgs =
# DELME
import (builtins.fetchTarball {
# DELME
url = "https://github.com/NixOS/nixpkgs/archive/29b6e7097f50955f49a81d2665fb21c94c43df19.tar.gz"; # DELME
sha256 = "0zrkfxj130gbgixgk8yaxk5d9s5ppj667x38n4vys4zxw5r60bjz"; # DELME
}) {
# DELME
config = {
# DELME
allowUnfree = true; # DELME
allowInsecure = true; # DELME
permittedInsecurePackages = [
# DELME
"libsoup-2.74.3" # DELME
]; # DELME
}; # DELME
}; # DELME
citrix_workspace_overlay = pkgs.citrix_workspace; # DELME
in {
options.roles.citrix = {enable = lib.mkEnableOption "citrix tools";};
config = mkIf cfg.enable {
# FIXME : remove when new version of Citrix is released
# home-manager.users.don.home.packages = with pkgs; [citrix_workspace];
home-manager.users.don.home.packages = with pkgs; [citrix_workspace_overlay]; # DELME
home-manager.users.don.home.packages = with pkgs; [citrix_workspace];
nixpkgs.config.permittedInsecurePackages = ["libsoup-2.74.3"];
# home-manager.users.don.home.packages = with pkgs;
# [ citrix_workspace_24_11_0 ];
home-manager.users.don.home.file."ICAClient" = {
recursive = true;
source = ./files/citrix;

48
home/work/citrix.nix.backup Normal file
View file

@ -0,0 +1,48 @@
{
lib,
config,
pkgs,
inputs,
outputs,
home-manager,
...
}:
with lib; let
cfg = config.roles.citrix;
# FIXME : remove when new version of Citrix is released
pkgs =
# DELME
import (builtins.fetchTarball {
# DELME
url = "https://github.com/NixOS/nixpkgs/archive/29b6e7097f50955f49a81d2665fb21c94c43df19.tar.gz"; # DELME
sha256 = "0zrkfxj130gbgixgk8yaxk5d9s5ppj667x38n4vys4zxw5r60bjz"; # DELME
}) {
# DELME
config = {
# DELME
allowUnfree = true; # DELME
allowInsecure = true; # DELME
permittedInsecurePackages = [
# DELME
"libsoup-2.74.3" # DELME
]; # DELME
}; # DELME
}; # DELME
citrix_workspace_overlay = pkgs.citrix_workspace; # DELME
in {
options.roles.citrix = {enable = lib.mkEnableOption "citrix tools";};
config = mkIf cfg.enable {
# FIXME : remove when new version of Citrix is released
# home-manager.users.don.home.packages = with pkgs; [citrix_workspace];
home-manager.users.don.home.packages = with pkgs; [citrix_workspace_overlay]; # DELME
nixpkgs.config.permittedInsecurePackages = ["libsoup-2.74.3"];
# home-manager.users.don.home.packages = with pkgs;
# [ citrix_workspace_24_11_0 ];
home-manager.users.don.home.file."ICAClient" = {
recursive = true;
source = ./files/citrix;
target = ".ICAClient";
};
};
}

20
hosts/book/default.nix
View file

@ -1,29 +1,21 @@
{
inputs,
outputs,
lib,
config,
pkgs,
...
}: {
{ inputs, outputs, lib, config, pkgs, ... }: {
imports = [
../templates/workstation.nix
inputs.nixos-hardware.nixosModules.google-pixelbook
inputs.sops-nix.nixosModules.sops
./hardware-configuration.nix
# ../disko/mmcblk.nix
../workstation
];
# Host-specific configuration
networking.hostName = "book";
variables.address = "100.72.121.75";
variables.swayScale = "1.5";
# Enable roles for this host
roles = {
citrix.enable = false;
zoom.enable = false;
gui.enable = true;
kmscon.enable = true;
auto-cpufreq.enable = true;
gnome-calendar.enable = true;
};
wm = {sway.enable = true;};
wm.sway.enable = true;
}

23
hosts/common/boot.nix Normal file
View file

@ -0,0 +1,23 @@
{ config, lib, pkgs, ... }: {
# Common boot configuration
boot = {
loader = {
systemd-boot = {
enable = true;
configurationLimit = 10;
};
efi.canTouchEfiVariables = true;
timeout = 3;
};
# Plymouth for boot splash
plymouth.enable = true;
# Kernel parameters
kernelParams = ["quiet" "splash"];
# Console settings
consoleLogLevel = 0;
initrd.verbose = false;
};
}

21
hosts/common/networking.nix Normal file
View file

@ -0,0 +1,21 @@
{ config, lib, pkgs, ... }: {
# Common networking configuration
networking = {
networkmanager.enable = true;
enableIPv6 = true;
useDHCP = false;
dhcpcd.enable = false;
};
# Firewall
networking.firewall = {
enable = true;
allowPing = true;
};
# DNS
networking.nameservers = [
"1.1.1.1"
"8.8.8.8"
];
}

15
hosts/display/default.nix
View file

@ -1,20 +1,15 @@
{
inputs,
outputs,
lib,
config,
pkgs,
...
}: {
{ inputs, outputs, lib, config, pkgs, ... }: {
imports = [
../templates/server.nix
inputs.nixos-hardware.nixosModules.raspberry-pi-4
inputs.sops-nix.nixosModules.sops
./hardware-configuration.nix
../pi-server
./kiosk.nix
];
# Host-specific configuration
networking.hostName = "display";
variables.address = "100.72.208.107";
nixpkgs.overlays = [
(final: super: {
makeModulesClosure = x:

2
hosts/fred/default.nix
View file

@ -17,7 +17,7 @@
networking.hostName = "fred";
variables.address = "100.72.236.170";
boot = {
binfmt.emulatedSystems = ["aarch64-linux"];
binfmt.emulatedSystems = lib.optional (config.system != "aarch64-linux") [ "aarch64-linux" ];
loader = {
systemd-boot = {enable = true;};
efi = {

24
hosts/loki/default.nix
View file

@ -1,22 +1,16 @@
{
inputs,
outputs,
lib,
config,
pkgs,
...
}: {
{ inputs, outputs, lib, config, pkgs, ... }: {
imports = [
../templates/workstation.nix
inputs.nixos-hardware.nixosModules.framework-amd-ai-300-series
inputs.sops-nix.nixosModules.sops
./hardware-configuration.nix
# ../disko/nvme.nix
../workstation
];
# Host-specific configuration
networking.hostName = "loki";
variables.address = "100.72.0.1";
variables.swayScale = "1.2";
# Enable roles for this host
roles = {
citrix.enable = true;
zoom.enable = true;
@ -26,9 +20,9 @@
games.enable = true;
auto-cpufreq.enable = true;
gnome-calendar.enable = true;
primary.enable = false;
lmstudio.enable = true;
ollama.enable = true;
};
primary.enable = false;
lmstudio.enable = true;
ollama.enable = true;
wm = {sway.enable = true;};
wm.sway.enable = true;
}

26
hosts/roles/default.nix Normal file
View file

@ -0,0 +1,26 @@
{ lib, ... }: {
options.roles = {
citrix = lib.mkEnableOption "Citrix Workspace client";
zoom = lib.mkEnableOption "Zoom client";
gui = lib.mkEnableOption "GUI environment";
games = lib.mkEnableOption "Gaming packages and Steam";
kvm = lib.mkEnableOption "Virtualization support (libvirtd, waydroid)";
kmscon = lib.mkEnableOption "Console improvements";
auto-cpufreq = lib.mkEnableOption "CPU power management";
gnome-calendar = lib.mkEnableOption "GNOME Calendar integration";
tlp = lib.mkEnableOption "TLP power management";
wine = lib.mkEnableOption "Wine for Windows compatibility";
# Window manager selection
wm = lib.mkOption {
type = lib.types.enum ["sway" "gnome" "none"];
default = "none";
description = "Window manager to enable";
};
# Special host-specific roles
primary = lib.mkEnableOption "Primary workstation designation";
lmstudio = lib.mkEnableOption "LM Studio AI tools";
ollama = lib.mkEnableOption "Ollama AI server";
};
}

2
hosts/server/default.nix
View file

@ -65,7 +65,7 @@ in {
# Bootloader.
boot = {
binfmt.emulatedSystems = ["aarch64-linux"];
binfmt.emulatedSystems = lib.optional (config.system != "aarch64-linux") [ "aarch64-linux" ];
kernelPackages = pkgs.linuxPackages_latest;
kernelParams = ["consoleblank=60"];
#loader = {

23
hosts/templates/server.nix Normal file
View file

@ -0,0 +1,23 @@
{ inputs, outputs, lib, config, pkgs, ... }: {
imports = [
inputs.sops-nix.nixosModules.sops
../server
../common/boot.nix
../common/networking.nix
../common/tailscale.nix
../../home/pi-server.nix
../../modules/beszel-agent.nix
];
config = {
# Common server setup
nix.settings.trusted-users = ["root" "don"];
# Server-specific Nix settings
nix.gc = {
automatic = true;
dates = "daily";
options = "--delete-older-than 7d";
};
};
}

17
hosts/templates/workstation.nix Normal file
View file

@ -0,0 +1,17 @@
{ inputs, outputs, lib, config, pkgs, ... }: {
imports = [
inputs.sops-nix.nixosModules.sops
../workstation
../common/boot.nix
../common/networking.nix
../common/tailscale.nix
../../home
../../home/gui
../wm/sway
];
config = {
# Common workstation setup
nix.settings.trusted-users = ["root" "don"];
};
}

6
hosts/workstation/default.nix
View file

@ -164,14 +164,14 @@ in {
# Bootloader.
boot = {
binfmt.emulatedSystems = ["aarch64-linux"];
binfmt.emulatedSystems = lib.optional (config.system != "aarch64-linux") [ "aarch64-linux" ];
# kernelPackages = pkgs.linuxPackages_latest;
kernelPackages = pkgs.linuxPackages_zen;
kernelParams = ["consoleblank=60" "mem_sleep_default=deep"];
# extraModulePackages = [config.boot.kernelPackages.ddcci-driver];
# kernelModules = ["i2c-dev" "ddcci_backlight"];
loader =
if (pkgs.hostPlatform != lib.mkDefault "aarch64-linux")
if config.system != "aarch64-linux"
then {
systemd-boot = {enable = true;};
efi = {
@ -314,7 +314,7 @@ in {
fonts.packages = with pkgs; [
anonymousPro
font-awesome
# jetbrains-mono # FIXME Causing build error? 2026-02-25
jetbrains-mono
nerd-fonts.symbols-only
nerd-fonts.roboto-mono
nerd-fonts.monaspace

8
justfile
View file

@ -1,5 +1,5 @@
HOSTNAME := `hostname -s`
nixcmd := "nix --extra-experimental-features flakes --extra-experimental-features nix-command"
nixcmd := "nix --extra-experimental-features nix-command"
# Do as test build without installing
test hostname=(HOSTNAME):
@ -72,6 +72,12 @@ update:
@{{nixcmd}} flake update &> nixos-switch.log || ( cat nixos-switch.log && false )
@rm -f nixos-switch.log
# Check flake configuration
check:
@echo "Checking flake configuration"
@{{nixcmd}} flake check &> nixos-switch.log || ( cat nixos-switch.log && false )
@rm -f nixos-switch.log
# Clean up
clean hostname=(HOSTNAME):
@echo "Cleaning old entries and store"