m3tam3re/nixos-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

stt, mem0, rofi-project-opener

Browse Source
This commit is contained in:
m3tm3re
2026-01-02 15:12:26 +01:00
parent 6ac20b65f4
commit 841d7abbe7
21 changed files with 562 additions and 531 deletions
Download Patch File Download Diff File Expand all files Collapse all files

64
hosts/AGENTS.md
View File

@@ -1,64 +0,0 @@
# hosts/ - NixOS Host Configurations
Host-specific NixOS system configurations. Each `m3-*` directory is a complete host.
## Structure
```
hosts/
├── common/ # Shared by ALL hosts
│ ├── extraServices/ # Toggle-able services (ollama, podman, flatpak)
│ ├── users/ # User definitions
│ ├── ports.nix # Central port registry
│ └── default.nix # Overlays, nix settings, home-manager integration
└── m3-*/ # Per-host configurations
├── default.nix # Entry point (imports common + enables extraServices)
├── configuration.nix # Core system (boot, networking, stateVersion)
├── hardware-configuration.nix
├── programs.nix # Host-specific packages
├── secrets.nix # Agenix secret declarations
└── services/ # Service configs
└── containers/ # OCI container definitions (m3-atlas only has many)
```
## Adding a New Host
1. Create `hosts/m3-<name>/` with required files
2. Add to `flake.nix` nixosConfigurations
3. Create matching `home/m3tam3re/m3-<name>.nix`
## Host Quick Reference
| Host | extraServices | Has disko | Key services/ files |
|------|---------------|-----------|---------------------|
| m3-atlas | podman | Yes | traefik, postgres, gitea, containers/* |
| m3-helios | - | Yes | adguard, traefik, containers/homarr |
| m3-ares | podman | No | wireguard, tailscale, sound |
| m3-kratos | podman, ollama | No | wireguard, tailscale, sound |
| m3-aether | - | Yes | cloud-init (minimal) |
## extraServices Pattern
Enable in host's `default.nix`:
```nix
extraServices = {
podman.enable = true;
ollama.enable = true;
flatpak.enable = false;
virtualisation.enable = false;
};
```
## Port Allocation
ALWAYS check `common/ports.nix` before adding new services. Register new ports there.
## Secrets Declaration
Each host's `secrets.nix` declares only secrets it needs:
```nix
age.secrets.service-name = {
file = ../../secrets/service-name.age;
owner = "optional-user";
};
```

76
hosts/common/AGENTS.md Normal file
View File

@@ -0,0 +1,76 @@
# COMMON HOST CONFIGURATION
**Shared base configuration and abstractions for all hosts**
## OVERVIEW
Common imports, overlays, and custom patterns (extraServices, ports) used across 6 hosts.
## STRUCTURE
```
common/
├── default.nix # Base imports, overlays, nix settings
├── ports.nix # Centralized port registry
├── extraServices/ # Optional service modules
│ ├── default.nix
│ ├── flatpak.nix
│ ├── ollama.nix
│ ├── podman.nix
│ └── virtualisation.nix
└── users/
├── default.nix
└── m3tam3re.nix # Primary user definition
```
## WHERE TO LOOK
| Task | Location | Notes |
|------|----------|-------|
| Add port definition | ports.nix | Use config.m3ta.ports.get |
| Enable optional service | Host config extraServices | Boolean flags |
| Modify overlays | default.nix lines 27-36 | 5 overlay sources |
| Add new user | users/ | Shared across all hosts |
## CONVENTIONS
### Port Registry Pattern
```nix
# Define in ports.nix
definitions = {
myservice = 3099;
};
# Access in host config
config.m3ta.ports.get "myservice" # Returns 3099
```
### extraServices Abstraction
Host configs enable via boolean:
```nix
extraServices = {
podman.enable = true; # Container runtime
ollama.enable = true; # LLM inference
flatpak.enable = false; # Flatpak apps
virtualisation.enable = true; # QEMU/KVM
};
```
### Overlay Precedence (bottom overrides top)
1. stable-packages (nixpkgs-stable)
2. locked-packages (nixpkgs-locked)
3. pinned-packages (nixpkgs-45570c2, nixpkgs-9e58ed7)
4. master-packages (nixpkgs-master)
5. m3ta-nixpkgs (local custom overlay)
## ANTI-PATTERNS
- **DON'T** add host-specific logic to common/ - belongs in hosts/<name>/
- **DON'T** bypass port registry - hardcoded ports break consistency
- **DON'T** modify user shell globally - set per-user if needed
## NOTES
- Nix GC runs weekly, keeps 30 days
- Trusted users: root, m3tam3re
- Default shell: Nushell (set line 77)
- Home-manager integrated at common level, not per-host
- TODO on line 69: ports should only return actually used ports

1
hosts/m3-ares/services/default.nix
View File

@@ -33,7 +33,6 @@
userServices = true;
};
};
displayManager.gdm.enable = true;
};
systemd.sleep.extraConfig = ''
AllowSuspend=no

63
hosts/m3-atlas/services/AGENTS.md
View File

@@ -1,63 +0,0 @@
# services/ - m3-atlas Service Configurations
Main server services including Traefik reverse proxy and containerized apps.
## Container Network
- **Network**: `web` (podman network)
- **Subnet**: `10.89.0.0/24`
- **Gateway/Postgres**: `10.89.0.1`
- **DNS Challenge**: GoDaddy via Traefik
## Adding a New Container
1. Pick next available IP from registry (currently: `10.89.0.22`)
2. Register port in `hosts/common/ports.nix`
3. Create `containers/<service>.nix`:
```nix
{config, ...}: {
virtualisation.oci-containers.containers."service" = {
image = "registry/image:tag";
environmentFiles = [config.age.secrets.service-env.path];
ports = ["127.0.0.1:PORT:PORT"];
volumes = ["service_data:/data"];
extraOptions = [
"--add-host=postgres:10.89.0.1"
"--ip=10.89.0.XX"
"--network=web"
];
};
services.traefik.dynamicConfigOptions.http = {
services.service.loadBalancer.servers = [{ url = "http://localhost:PORT/"; }];
routers.service = {
rule = "Host(`service.domain.com`)";
tls.certResolver = "godaddy";
service = "service";
entrypoints = "websecure";
};
};
}
```
4. Import in `containers/default.nix`
5. Add secret to `secrets.nix` and root `secrets.nix`
6. Update IP registry in root AGENTS.md
## Service Files (non-container)
| File | Purpose |
|------|---------|
| traefik.nix | Reverse proxy, TLS, entrypoints |
| postgres.nix | Native PostgreSQL for containers |
| tailscale.nix | Mesh VPN |
| gitea.nix | Native Gitea (not containerized) |
| minio.nix | S3-compatible storage |
## Traefik Patterns
- HTTP redirect to HTTPS: automatic via `web` entrypoint
- TLS: `certResolver = "godaddy"` (DNS challenge)
- Auth middleware: `middlewares = ["auth"]` (basic auth)
- Domain redirects: See `traefik.nix` middlewares

85
hosts/m3-atlas/services/containers/AGENTS.md Normal file
View File

@@ -0,0 +1,85 @@
# CONTAINER SERVICES (m3-atlas)
**Container orchestration with Podman + Traefik reverse proxy**
## OVERVIEW
11 containerized services on dedicated `web` network (10.89.0.0/24) with Traefik SSL termination.
## STRUCTURE
```
containers/
├── default.nix # Network setup + service imports
├── baserow.nix # 10.89.0.10 - No-code database
├── ghost.nix # 10.89.0.11 - Blog platform
├── kestra.nix # 10.89.0.12 - Workflow orchestration
├── littlelink.nix # 10.89.0.13 - Link aggregator
├── matomo.nix # 10.89.0.14 - Analytics
├── restreamer.nix # 10.89.0.15 - Video streaming
├── slash.nix # 10.89.0.16 - Link shortener
└── slash-nemoti.nix # 10.89.0.17 - Personal link shortener
```
## WHERE TO LOOK
| Task | Action | Notes |
|------|--------|-------|
| Add container | Copy existing .nix, increment IP | Must update default.nix imports |
| Fix networking | Check IP conflicts in 10.89.0.0/24 | Gateway always 10.89.0.1 |
| Debug Traefik | Check router rules in service file | Domain must match DNS |
| Access database | Use `--add-host=mysql:10.89.0.1` | Gateway IP for host services |
## CONVENTIONS
### Container Definition Template
```nix
virtualisation.oci-containers.containers.<name> = {
image = "registry/image:tag";
ports = ["127.0.0.1:<external>:<internal>"];
volumes = ["/var/lib/<service>:/data"];
environmentFiles = [config.age.secrets.<name>-env.path];
extraOptions = [
"--network=web"
"--ip=10.89.0.<sequential>"
"--add-host=mysql:10.89.0.1" # If DB needed
];
};
```
### Traefik Integration
```nix
services.traefik.dynamicConfigOptions.http = {
services.<name>.loadBalancer.servers = [{
url = "http://127.0.0.1:<port>";
}];
routers.<name> = {
rule = "Host(`<subdomain>.m3ta.dev`)";
service = "<name>";
tls.certResolver = "godaddy";
};
# Legacy redirect (if needed)
routers.<name>-old = {
rule = "Host(`<subdomain>.m3tam3re.com`)";
service = "<name>";
middlewares = ["redirect-m3ta"];
};
};
```
### IP Allocation
- **10.89.0.1**: Gateway (host)
- **10.89.0.10-17**: Assigned containers
- **10.89.0.18+**: Available for new services
## ANTI-PATTERNS
- **DON'T** expose ports publicly - bind to 127.0.0.1 only
- **DON'T** skip static IP assignment - routing breaks without it
- **DON'T** hardcode secrets - use age-encrypted env files
- **DON'T** forget to add imports to default.nix
## NOTES
- Network created via activation script in default.nix
- All services behind Traefik - no direct external access
- MySQL/PostgreSQL run on host, accessed via gateway IP
- Secrets pattern: `<service>-env.age` with environment variables

1
hosts/m3-kratos/services/default.nix
View File

@@ -1,6 +1,7 @@
{
imports = [
./containers
./mem0.nix
./n8n.nix
./postgres.nix
./sound.nix

23
hosts/m3-kratos/services/mem0.nix Normal file
View File

@@ -0,0 +1,23 @@
{
m3ta.mem0 = {
enable = true;
port = 8000;
host = "127.0.0.1";
# LLM Configuration
llm = {
provider = "openai";
apiKeyFile = "/var/lib/mem0/openai-api-key-1"; # Use agenix or sops-nix
};
# Vector Storage Configuration
vectorStore = {
provider = "qdrant"; # or "chroma", "pinecone", etc.
config = {
host = "localhost";
port = 6333;
collection_name = "mem0_alice";
};
};
};
}