jasmine/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: jasmine:6f64840eb142fa076364089484884365112ca666
Branches Tags
jasmine:master
..
compare: jasmine:c1d4fa52554f203d3dc71cff594e55ef6f8e08a6
Branches Tags
jasmine:master

No commits in common. "6f64840eb142fa076364089484884365112ca666" and "c1d4fa52554f203d3dc71cff594e55ef6f8e08a6" have entirely different histories.
6f64840eb1 ... c1d4fa5255

16 changed files with 302 additions and 82 deletions
Download patch file Download diff file Expand all files Collapse all files

233
CLAUDE.md Normal file
View file

@ -0,0 +1,233 @@
# CLAUDE.md
This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
## Build and Deployment Commands
### Building Configurations
```bash
# Build a NixOS configuration (creates ./result symlink)
just build <hostname>
# or
nixos-rebuild build --flake .#<hostname>
# Build home-manager configuration
home-manager build --flake .#sajenim@<hostname>
```
### Deploying Changes
```bash
# Apply NixOS configuration locally (requires sudo)
just switch <hostname>
# or
sudo nixos-rebuild switch --flake .#<hostname>
# Deploy to remote host
just deploy <hostname>
# or
nixos-rebuild switch --flake .#<hostname> --target-host <hostname> --use-remote-sudo
# Apply home-manager configuration
home-manager switch --flake .#sajenim@<hostname>
```
### Code Quality
```bash
# Format all Nix files using alejandra
nix fmt
# Check flake and evaluate all configurations
nix flake check
```
### Secret Management
```bash
# Rekey secrets using YubiKey (after adding/modifying secrets)
agenix-rekey edit <secret-name>
agenix-rekey rekey
```
## Architecture Overview
### Flake Structure
This is a NixOS flake-based configuration managing two hosts:
- **fuchsia**: Desktop workstation (gaming, development, XMonad)
- **viridian**: Server (multimedia, services, containers)
The flake follows the standard structure from Misterio77's starter configs.
### Configuration Layers
**NixOS System Configuration** (`nixos/`):
```
nixos/
├── common/
│ ├── global/ # Base system config for all hosts
│ │ ├── age.nix # Agenix secret management with YubiKey
│ │ ├── env.nix # Environment variables
│ │ ├── nix.nix # Nix daemon, flakes, garbage collection
│ │ └── ssh.nix # SSH server config
│ ├── optional/ # Opt-in features
│ │ ├── ephemeral-btrfs.nix # Impermanence with btrfs root wipe
│ │ ├── persist.nix # Persistence paths for ephemeral root
│ │ └── yubikey.nix # YubiKey support
│ └── users/ # User-specific system settings
├── fuchsia/
│ ├── configuration.nix
│ └── services/ # Desktop services (X11, pipewire, flatpak, etc.)
└── viridian/
├── configuration.nix
├── services/ # Server services (traefik, minecraft, IRC, etc.)
└── multimedia/ # *arr stack (sonarr, radarr, jellyfin, etc.)
```
**Home-Manager User Configuration** (`home-manager/`):
```
home-manager/sajenim/
├── global/ # Base home config
├── features/ # Modular user features
│ ├── cli/ # Shell, terminal utilities
│ ├── desktop/ # GUI applications, window manager
│ ├── editors/ # Text editors configuration
│ ├── games/ # Gaming-related configs
│ ├── printing/ # Printer utilities
│ └── university/ # Academic tools
├── fuchsia.nix # Desktop profile
└── viridian.nix # Server profile (minimal)
```
### Key Architectural Patterns
**Module Organization**: Configuration is split between:
- `nixos/common/global/`: Imported by ALL hosts (mandatory base config)
- `nixos/common/optional/`: Opt-in features imported per-host
- `nixos/<hostname>/`: Host-specific hardware and services
- `home-manager/sajenim/features/`: Composable user environment features
**Imports Pattern**: Each host's `configuration.nix` composes its full system by:
1. Importing `../common/global` (base system)
2. Importing selected `../common/optional/*` modules
3. Importing `../common/users/<username>` (user accounts)
4. Importing host-specific services from `./services/`
5. Setting host-specific options (hostname, firewall, etc.)
**Impermanence**: Uses opt-in persistence with ephemeral btrfs root:
- Root filesystem (`/`) wiped on every boot
- Only `/nix`, `/persist`, and `/boot` survive reboots
- Services must explicitly declare what to persist in `/persist`
- Secrets use persistent SSH keys at `/persist/etc/ssh/` for decryption
**Secret Management**:
- Encrypted with agenix using host SSH keys
- Master key stored on YubiKey for rekeying
- Rekeyed secrets stored in `nixos/common/global/secrets/rekeyed/<hostname>/`
- Decryption happens during system activation using persistent SSH keys
**Overlays**: Applied globally via `nixos/common/global/default.nix`:
- `additions`: Custom packages from `pkgs/`
- `modifications`: Patches to existing packages (e.g., dmenu theming)
- `unstable-packages`: Makes `pkgs.unstable.*` available for newer versions
**Unfree Packages**: Allowlist is centralized in `nixos/common/global/default.nix`
- Default policy: only free software
- Exceptions listed explicitly (steam, minecraft-server)
- Do NOT use `allowUnfreePredicate` in other modules (won't merge)
### Flake Inputs
External dependencies include:
- `nixpkgs` (25.05 stable), `nixpkgs-unstable`
- `home-manager` (follows nixpkgs)
- `agenix`, `agenix-rekey` (secret management)
- `impermanence` (ephemeral root filesystem)
- `crowdsec` (security)
- `nixvim` (personal Neovim config, external flake)
- `xmonad-config` (personal XMonad config, external flake)
- `nix-minecraft` (declarative Minecraft server)
Personal flakes (nixvim, xmonad-config) are maintained in separate repositories
and imported as flake inputs. They are updated independently via `nix flake update`.
## Working with This Configuration
### Adding a New Host
1. Create `nixos/<hostname>/` directory
2. Add `configuration.nix` and `hardware-configuration.nix`
3. Add SSH host keys (ed25519 and RSA) to the host directory
4. Update `flake.nix` to add the new `nixosConfiguration`
5. Configure secrets: update age.rekey to include new host key
### Adding a Service
Services are organized by host in `nixos/<hostname>/services/`:
- Create a subdirectory for complex services (e.g., `traefik/`)
- Each service gets its own `default.nix`
- Import in `nixos/<hostname>/services/default.nix` or `configuration.nix`
- Declare persistence paths if using ephemeral root
- Use agenix for any credentials
### Modifying Packages
- **Custom packages**: Add to `pkgs/` and reference in `pkgs/default.nix`
- **Patching packages**: Add patches to `overlays/patches/`, modify overlay in
`overlays/default.nix`
- **Unfree packages**: Add to allowlist in `nixos/common/global/default.nix`
### Testing Changes
1. **IMPORTANT**: Stage new files with git before building or checking
- Nix flakes only evaluate files tracked in git
- Run `git add <file>` for any new files before `nix flake check` or build
2. Build configuration: `just build <hostname>`
3. Check for evaluation errors: `nix flake check`
4. Review changes before switching
5. Switch: `just switch <hostname>` (local) or `just deploy <hostname>` (remote)
### Managing Secrets
- Secrets are encrypted per-host and stored in
`nixos/common/global/secrets/rekeyed/<hostname>/`
- Edit secrets: `agenix-rekey edit <secret-name>`
- After editing, rekey all hosts: `agenix-rekey rekey`
- YubiKey required for rekeying operations
- Host SSH keys at `/persist/etc/ssh/` are used for automatic decryption
## Important Conventions
### Network IP Allocation
This infrastructure uses the following IP range scheme to avoid conflicts:
**Allocated Ranges:**
- `192.168.50.0/24` - Home router/main LAN
- `10.1.0.0/24` - Internet sharing from fuchsia (Ethernet to printer)
- `10.2.0.0/24` - Reserved for future internet sharing from another host
- `10.3.0.0/24` - Reserved for future internet sharing from another host
- `10.39.179.0/24` - WireGuard VPN on Raspberry Pi
- `172.17.0.0/16` - Docker default bridge network (viridian)
**Conventions:**
- Internet connection sharing uses `10.N.0.0/24` where N is 1, 2, 3, etc.
- Gateway host is always `10.N.0.1`
- DHCP pools typically use `10.N.0.2` through `10.N.0.10`
- Keep VPN/tunnel ranges in the `10.30.0.0/16` and higher space
### Line Length
Keep all Nix code to a maximum of 100 characters per line for consistency.
### Module Naming
- System-level services: `nixos/<hostname>/services/<service-name>/default.nix`
- User-level features: `home-manager/sajenim/features/<category>/<feature>.nix`
### Persistence Declarations
When adding services to hosts with ephemeral root, declare persistence:
```nix
environment.persistence."/persist" = {
directories = [
"/var/lib/service-name"
];
files = [
"/var/lib/service-name/config.conf"
];
};
```
### Comments
This codebase uses structured comments to explain configuration choices:
- Block comments at file top explain module purpose
- Inline comments explain non-obvious configuration decisions
- Group related options with visual separators when helpful

97
flake.lock generated
View file

@ -8,11 +8,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1762618334,
"narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
"lastModified": 1761656077,
"narHash": "sha256-lsNWuj4Z+pE7s0bd2OKicOFq9bK86JE0ZGeKJbNqb94=",
"owner": "ryantm",
"repo": "agenix",
"rev": "fcdea223397448d35d9b31f798479227e80183f6",
"rev": "9ba0d85de3eaa7afeab493fed622008b6e4924f5",
"type": "github"
},
"original": {
@ -51,11 +51,11 @@
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1766008910,
"narHash": "sha256-mrhbMNkrkvAPQsytce3zMeDF1UVkkcj8N/Bw9n4BFUo=",
"lastModified": 1762466517,
"narHash": "sha256-sFlWhpLBmORSIwdhIinu2nos0xhQkUzFkO3AOHRolps=",
"owner": "sadjow",
"repo": "claude-code-nix",
"rev": "e39652c800e82c4f8cae68ac0bacb7bdecace7f5",
"rev": "c75a19ff3b5de3edc68512b31c406338c3c3ce65",
"type": "github"
},
"original": {
@ -143,22 +143,6 @@
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1765121682,
"narHash": "sha256-4VBOP18BFeiPkyhy9o4ssBNQEvfvv1kXkasAYd0+rrA=",
"owner": "NixOS",
"repo": "flake-compat",
"rev": "65f23138d8d09a92e30f1e5c87611b23ef451bf3",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1747046372,
@ -480,16 +464,16 @@
]
},
"locked": {
"lastModified": 1765979862,
"narHash": "sha256-/r9/1KamvbHJx6I40H4HsSXnEcBAkj46ZwibhBx9kg0=",
"lastModified": 1758463745,
"narHash": "sha256-uhzsV0Q0I9j2y/rfweWeGif5AWe0MGrgZ/3TjpDYdGA=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "d3135ab747fd9dac250ffb90b4a7e80634eacbe9",
"rev": "3b955f5f0a942f9f60cdc9cacb7844335d0f21c3",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-25.11",
"ref": "release-25.05",
"repo": "home-manager",
"type": "github"
}
@ -563,17 +547,16 @@
},
"nix-jetbrains-plugins": {
"inputs": {
"flake-compat": "flake-compat_2",
"flake-utils": "flake-utils_3",
"nixpkgs": "nixpkgs_4",
"systems": "systems_4"
},
"locked": {
"lastModified": 1765666486,
"narHash": "sha256-BZfXO+5aUgGgGKr85UdVMTUsUi2rgufzK6/jgqoEVDI=",
"lastModified": 1761996900,
"narHash": "sha256-1XURw0oFac/jDYP/TjxOOO5DWABOQ6HOuAnXS7GGP5k=",
"owner": "theCapypara",
"repo": "nix-jetbrains-plugins",
"rev": "82c9b1d2e0f235d61f0941fdafd408a23483dc99",
"rev": "5a03f5a3d0ab9b465cdab58dc03da2a7b473bc8c",
"type": "github"
},
"original": {
@ -584,16 +567,16 @@
},
"nix-minecraft": {
"inputs": {
"flake-compat": "flake-compat_3",
"flake-compat": "flake-compat_2",
"flake-utils": "flake-utils_4",
"nixpkgs": "nixpkgs_5"
},
"locked": {
"lastModified": 1766023574,
"narHash": "sha256-vx7KhTqR/UBnBUXAei3DKXJ4Nq3p7yLw+kZ03/inm8I=",
"lastModified": 1762480864,
"narHash": "sha256-OD3/2nATIXFEyTq3cxGUjZyBf8YlCSpIX/iJzSJbWag=",
"owner": "Infinidoge",
"repo": "nix-minecraft",
"rev": "5e0cae13ca72d3e4ef0f101b01725e25441c4ebd",
"rev": "4f3414fdfce0ddf85c35e95d07809aeb93d2f0ad",
"type": "github"
},
"original": {
@ -650,11 +633,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1765779637,
"narHash": "sha256-KJ2wa/BLSrTqDjbfyNx70ov/HdgNBCBBSQP3BIzKnv4=",
"lastModified": 1762363567,
"narHash": "sha256-YRqMDEtSMbitIMj+JLpheSz0pwEr0Rmy5mC7myl17xs=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "1306659b587dc277866c7b69eb97e5f07864d8c4",
"rev": "ae814fd3904b621d8ab97418f1d0f2eb0d3716f4",
"type": "github"
},
"original": {
@ -698,11 +681,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1765934234,
"narHash": "sha256-pJjWUzNnjbIAMIc5gRFUuKCDQ9S1cuh3b2hKgA7Mc4A=",
"lastModified": 1762361079,
"narHash": "sha256-lz718rr1BDpZBYk7+G8cE6wee3PiBUpn8aomG/vLLiY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "af84f9d270d404c17699522fab95bbf928a2d92f",
"rev": "ffcdcf99d65c61956d882df249a9be53e5902ea5",
"type": "github"
},
"original": {
@ -729,11 +712,11 @@
},
"nixpkgs_4": {
"locked": {
"lastModified": 1765472234,
"narHash": "sha256-9VvC20PJPsleGMewwcWYKGzDIyjckEz8uWmT0vCDYK0=",
"lastModified": 1757745802,
"narHash": "sha256-hLEO2TPj55KcUFUU1vgtHE9UEIOjRcH/4QbmfHNF820=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "2fbfb1d73d239d2402a8fe03963e37aab15abe8b",
"rev": "c23193b943c6c689d70ee98ce3128239ed9e32d1",
"type": "github"
},
"original": {
@ -761,16 +744,16 @@
},
"nixpkgs_6": {
"locked": {
"lastModified": 1765838191,
"narHash": "sha256-m5KWt1nOm76ILk/JSCxBM4MfK3rYY7Wq9/TZIIeGnT8=",
"lastModified": 1762233356,
"narHash": "sha256-cGS3lLTYusbEP/IJIWGgnkzIl+FA5xDvtiHyjalGr4k=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "c6f52ebd45e5925c188d1a20119978aa4ffd5ef6",
"rev": "ca534a76c4afb2bdc07b681dbc11b453bab21af8",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-25.11",
"ref": "nixos-25.05",
"repo": "nixpkgs",
"type": "github"
}
@ -809,11 +792,11 @@
},
"nixpkgs_9": {
"locked": {
"lastModified": 1761373498,
"narHash": "sha256-Q/uhWNvd7V7k1H1ZPMy/vkx3F8C13ZcdrKjO7Jv7v0c=",
"lastModified": 1748460289,
"narHash": "sha256-7doLyJBzCllvqX4gszYtmZUToxKvMUrg45EUWaUYmBg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6a08e6bb4e46ff7fcbb53d409b253f6bad8a28ce",
"rev": "96ec055edbe5ee227f28cdbc3f1ddf1df5965102",
"type": "github"
},
"original": {
@ -830,11 +813,11 @@
"nixvim": "nixvim_2"
},
"locked": {
"lastModified": 1765715781,
"narHash": "sha256-iwCEwl0ak3J/yy063UlqSxh+fyWCeDfW60HCcBWOuGA=",
"lastModified": 1760970422,
"narHash": "sha256-w1pRoU2z0xkkGb2SFl16x1GVzLVErzgPiWunS+JHI+c=",
"ref": "refs/heads/master",
"rev": "ea07178de031c25a16e007564ad61cc1fd8b98e1",
"revCount": 110,
"rev": "5e370bf24716430b66364666a9a512b07e249471",
"revCount": 109,
"type": "git",
"url": "https://git.sajenim.dev/jasmine/nixvim-config.git"
},
@ -940,11 +923,11 @@
"poetry2nix": "poetry2nix"
},
"locked": {
"lastModified": 1765727347,
"narHash": "sha256-fiHH7CIgUSQgrPkcOzBK6B0ojDNbeFEc7IXdqGqm2IM=",
"lastModified": 1760908465,
"narHash": "sha256-ZdyNTh/O7W7ZJJr8bAeG2kQBFREZGTQ2wXCyzr9z+RQ=",
"owner": "Scrybbling-together",
"repo": "remarks",
"rev": "9a6673d55df96d4985f13bc523e680df750b6e73",
"rev": "b8bfd751cf82a47ce24763c5b220a1f4f5ab90a6",
"type": "github"
},
"original": {

4
flake.nix
View file

@ -3,12 +3,12 @@
inputs = {
# Nixpkgs
nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
# Home manager
home-manager = {
url = "github:nix-community/home-manager/release-25.11";
url = "github:nix-community/home-manager/release-25.05";
inputs.nixpkgs.follows = "nixpkgs";
};

2
home-manager/sajenim/features/cli/default.nix
View file

@ -18,6 +18,6 @@
unstable.rmapi
]
++ [
inputs.remarks.packages.${pkgs.stdenv.hostPlatform.system}.default
inputs.remarks.packages.${pkgs.system}.default
];
}

10
home-manager/sajenim/features/cli/git.nix
View file

@ -1,14 +1,12 @@
{...}: {
programs.git = {
enable = true;
settings = {
userName = "jasmine";
userEmail = "its.jassy@pm.me";
extraConfig = {
init.defaultBranch = "master";
user = {
name = "jasmine";
email = "its.jassy@pm.me";
signingkey = "8563E358D4E8040E";
};
commit.gpgsign = "true";
user.signingkey = "8563E358D4E8040E";
};
};
}

2
home-manager/sajenim/features/cli/mpd.nix
View file

@ -2,7 +2,7 @@
# Install some applications for managing mpd
home.packages = with pkgs; [
mpc
mpc-cli
ncmpcpp
];

2
home-manager/sajenim/features/cli/ssh.nix
View file

@ -1,8 +1,6 @@
{...}: {
programs.ssh = {
enable = true;
enableDefaultConfig = false;
matchBlocks = {
"viridian" = {
hostname = "viridian.home.arpa";

4
home-manager/sajenim/features/cli/zsh.nix
View file

@ -1,4 +1,4 @@
{pkgs, config, ...}: {
{pkgs, ...}: {
imports = [
./direnv.nix
./starship.nix
@ -21,7 +21,7 @@
enableCompletion = true;
# Configuration directory
dotDir = "${config.xdg.configHome}/zsh";
dotDir = ".config/zsh";
shellAliases = {
# Single letter aliases

4
home-manager/sajenim/features/editors/default.nix
View file

@ -27,10 +27,10 @@
]
++ [
# Our personal neovim configuration.
inputs.nixvim.packages.${pkgs.stdenv.hostPlatform.system}.default
inputs.nixvim.packages.${pkgs.system}.default
]
# Install jetbrains IDEs with plugins
++ (with inputs.nix-jetbrains-plugins.lib."${pkgs.stdenv.hostPlatform.system}"; [
++ (with inputs.nix-jetbrains-plugins.lib."${system}"; [
(buildIdeWithPlugins pkgs.jetbrains "idea-ultimate" [
"IdeaVIM"
"gruvbox-material-dark"

2
nixos/common/users/sajenim/xmonad/default.nix
View file

@ -15,7 +15,7 @@
# Picture viewer
pkgs.xfce.ristretto
# Install our XMonad and Xmobar configuration
inputs.xmonad-config.packages.${pkgs.stdenv.hostPlatform.system}.default
inputs.xmonad-config.packages.${pkgs.system}.default
];
};

1
nixos/fuchsia/services/default.nix
View file

@ -6,6 +6,7 @@
./flatpak
./internet-sharing
./libinput
./printing
./snapper
./ssh
./udev

11
nixos/fuchsia/services/printing/default.nix Normal file
View file

@ -0,0 +1,11 @@
{...}: {
# Enable CUPS for printing services.
services.printing = {
enable = true;
# Connect to a remote CUPS server.
clientConf = ''
ServerName 192.168.50.249
ServerPort 631
'';
};
}

1
nixos/fuchsia/services/udev/default.nix
View file

@ -1,6 +1,7 @@
{pkgs, ...}: {
# Enable necessary udev rules.
services.udev.packages = with pkgs; [
android-udev-rules
openrgb
unstable.qmk-udev-rules
];

4
nixos/viridian/hardware-configuration.nix
View file

@ -39,10 +39,10 @@
enable = true;
extraPackages = with pkgs; [
intel-media-driver
vaapiIntel
vaapiVdpau
libvdpau-va-gl
libva-vdpau-driver
intel-compute-runtime
intel-vaapi-driver
];
};

5
nixos/viridian/services/crowdsec/default.nix
View file

@ -15,11 +15,6 @@ in {
inputs.crowdsec.overlays.default
];
disabledModules = [
"services/security/crowdsec.nix"
"services/security/crowdsec-firewall-bouncer.nix"
];
age.secrets.enrollment-key = {
rekeyFile = ./enrollment_key.age;
owner = "crowdsec";

2
overlays/default.nix
View file

@ -19,7 +19,7 @@
# be accessible through 'pkgs.unstable'
unstable-packages = final: _prev: {
unstable = import inputs.nixpkgs-unstable {
system = final.stdenv.hostPlatform.system;
system = final.system;
config.allowUnfree = false;
};
};