Add section headers and explanatory comments to clarify the purpose of each configuration block, with emphasis on the critical persistent path requirement for early boot secret decryption.
Fixes backup system authentication and hostname resolution issues.
Changes:
- Change PermitRootLogin from "no" to "prohibit-password" in global SSH config
(allows key-based root login for host-to-host backups while blocking passwords)
- Update fuchsia onsite backup to use viridian.home.arpa FQDN instead of shortname
- Update SSH knownHosts to use FQDNs (fuchsia.home.arpa, viridian.home.arpa)
(system-level config uses FQDNs, user shortcuts remain in home-manager)
This enables the complete 3-2-1 backup strategy with automated backups working
correctly between fuchsia and viridian, and fuchsia to BorgBase.
Restructures SSH trust relationships from global to host-specific configuration
for better locality of concern and principle of least privilege.
Changes:
- Collapse nixos/common/global/ssh/ back to ssh.nix (single-file module)
- Move internal host trust (fuchsia/viridian) to per-host services/ssh/
- Split BorgBase known hosts by repository (li9kg944 for fuchsia, r7ag7x1w for viridian)
- Add viridian SSH server config to accept backup connections from fuchsia
- Add fuchsia borgbackup passphrase for offsite backups
- Configure viridian to create /srv/borg-repo/fuchsia for remote backups
This enables the 3-2-1 backup strategy with fuchsia backing up to both viridian
(onsite) and BorgBase (offsite) with proper SSH authentication.
Migrate from path-based persistence (/persist/var/lib/*) to dedicated
BTRFS subvolumes for better data isolation and snapshot capabilities.
- Move valuable user-facing services to /srv/* with srv-* subvolumes:
- forgejo: git repositories and database
- opengist: paste data
- minecraft: game world data
- lighttpd: static web content
- containers: OCI container volumes
- Update home directory to use hm-sajenim subvolume on viridian disk
- Remove jupyterhub service (no longer in use)
- Update borgbackup paths to match new service locations
- Follow upstream service defaults where possible for maintainability
Services kept on /persist (disposable state):
- traefik, crowdsec, murmur
Restructured systemPackages list with alphabetically sorted categories to improve
maintainability and reduce vertical space. Added descriptive comments for all
environment configuration sections.
Add comprehensive inline documentation to both NixOS and Home Manager
global configuration files, explaining the purpose of each section,
overlay usage, unfree package policy, and configuration settings.
Move all allowUnfreePredicate declarations to global configs to prevent
the "last definition wins" merging issue. Unfree packages are now managed
in two central locations:
- NixOS system packages: nixos/common/global/default.nix
- Home Manager packages: home-manager/sajenim/global/default.nix
Added the necessary configurations and dependencies to enable Flatpak in the Fuchsia module.
This includes enabling the xdg portal for default settings and adding the flatpak service.
- Removed `protonup-ng` from home-manager configuration for games, as it is no longer used.
- Added `unstable.proton-ge-bin` to Steam's compatibility packages in the NixOS user configuration.
