

277 Commits

b7dd7f2bf7 feat: migrate m3-atlas from MinIO to RustFS
- Replace minio.nix with rustfs.nix using rustfs-flake NixOS module
- Add rustfs flake input (github:rustfs/rustfs-flake)
- Reuse same ports (API: 3008, Console: 3007) and data dir (/var/storage/s3)
- Add separate agenix secrets for access-key and secret-key
- Keep Traefik routes unchanged (s3.m3tam3re.com, minio.m3tam3re.com)
- MinIO had 6 unfixed CVEs and is abandoned upstream
2026-05-02 11:44:32 +02:00
90e417525b Merge pull request 'feat: integrate m3ta-home for centralized user profiles' (#9) from feat/m3ta-home-integration into master
Reviewed-on: #9
2026-05-02 11:02:54 +02:00
a455789bee refactor: remove old home/ directory (77 files migrated to m3ta-home)
All home-manager configuration is now centralized in the m3ta-home repo:
- profiles/base/     ← shell, CLI tools, secrets
- profiles/contexts/ ← desktop, server
- profiles/sets/     ← coding, gaming, media
- users/             ← identities, preferences

Per-host overrides (monitors, XDG/MIME) remain in hosts/<name>/home.nix.
Central user integration via hosts/common/users/m3tam3re.nix.
2026-05-02 11:01:12 +02:00
2078d6bccd docs: update AGENTS.md for m3ta-home integration, work identity, new structure 2026-05-02 10:54:42 +02:00
5cbb975c78 feat: complete host home.nix files + add m3-daedalus, clean up m3tam3re.nix
- hosts/m3-kratos/home.nix: XDG/MIME defaults + dual DP Hyprland monitors
- hosts/m3-ares/home.nix: XDG/MIME defaults + eDP+HDMI Hyprland monitors
- hosts/m3-daedalus/home.nix: XDG/MIME defaults (no Hyprland)
- hosts/common/users/m3tam3re.nix: refactored hostFlags into let binding,
  added m3-daedalus profile (desktop/coding+media, no gaming/Hyprland)
2026-05-02 10:41:12 +02:00
f2ecd13780 fix: set home-manager.useGlobalPkgs=true for m3ta-nixpkgs overlays 2026-05-02 10:08:50 +02:00
ab1bdc9848 feat: integrate m3ta-home for centralized user profiles 2026-05-02 09:53:27 +02:00
1692a34f6e Merge pull request 'feat: enable orchestrator + switch TTS to Edge (Katja voice)' (#8) from feature/orchestrator-edge-tts into master
Reviewed-on: #8
2026-05-01 16:15:13 +02:00
2403e54039 feat: enable orchestrator + switch TTS to Edge (Seraphina voice)
- Enable delegation.orchestrator_enabled with max_spawn_depth=2
- Switch TTS from ElevenLabs (paid) to Edge TTS (free)
- Voice: de-DE-SeraphinaMultilingualNeural — friendly, multilingual German female
- No API key required
2026-05-01 16:06:49 +02:00
m3tm3re
3e8c95944c chore: hermes update 2026-05-01 12:06:23 +02:00
fbc555feeb feat: pi guardrails 2026-04-29 20:14:07 +02:00
6a5d8f0011 feat(agents): add strict security hardening for Pi and OpenCode
Pi Guardrails:
- Enables @aliou/pi-guardrails with strict default config
- Sets onboarding.completed = true to skip onboarding prompt
- Enables pathAccess in ask mode for /nix/store and /tmp
- Adds noAccess policies for: SSH keys, GPG keys, AWS config,
  Kubernetes config, cloud CLI configs (gh/gcloud/1password/sops),
  agenix secrets, Pi auth/sessions, env files, private keys/certs
- Adds auto-deny patterns for env leakage commands:
  env, printenv, /proc/*/environ, GPG secret exports,
  ssh-add -D, password manager reads

OpenCode permissions:
- Adds permission section with global security rules
- external_directory: ask by default, allow /nix/store and /tmp
- read/edit: allow by default, deny SSH/GPG/AWS/Kube/cloud configs,
  agenix secrets, Pi auth/sessions, env files, private keys/certs
- glob: restrict sensitive path patterns
- grep: deny SSH/GPG/agenix, ask for PASSWORD/SECRET/API_KEY/PRIVATE_KEY
- bash: ask by default, allow safe git/nix commands,
  deny env/printenv/proc/GPG secret/sudo/ssh-add deletion/curl|sh
- webfetch: ask by default, allow github/nixos search
- doom_loop: ask
2026-04-29 19:48:29 +02:00
9c3d10836f Merge pull request 'fix: add uv to hermes-agent service PATH' (#7) from fix/hermes-agent-uv-path into master
Reviewed-on: #7
2026-04-29 16:24:17 +02:00
a615ab61e8 fix: add uv to hermes-agent service PATH
Add pkgs.uv to systemd.services.hermes-agent.path so that CronJobs
and terminal sessions can execute PEP 723 scripts via 'uv run'
(e.g. garmin-daily.py for Garmin Connect health data).

Also adds uv to environment.systemPackages for general availability.
2026-04-29 16:18:41 +02:00
193b8c0115 fix(git-identity): use existing gitea SSH key for agent commits
The m3ta-chiron SSH key was not accepted by Gitea.
Using the existing gitea key instead for push authentication.
2026-04-27 19:52:11 +02:00
m3tm3re
f76c4dd5d4 chore: symlink pip to uv pip 2026-04-27 19:36:52 +02:00
m3tm3re
05dc6bf608 chore: symlink pip to uv pip 2026-04-27 19:07:26 +02:00
d524864fc3 Merge pull request 'feature/agent-git-identity' (#6) from feature/agent-git-identity into master
Reviewed-on: #6
2026-04-27 17:55:06 +02:00
m3tm3re
09e2ba8538 chore: AGENTS + nixpkgs input urls 2026-04-27 17:53:08 +02:00
m3tm3re
a427f319d4 feat(agents): add gitIdentity config and git-identity rule
- coding.agents.gitIdentity enabled with m3ta-chiron identity
- coding.agents.pi.codingRules.concerns includes 'git-identity'
- Uses feature/agent-git-identity branches for m3ta-nixpkgs and agents
2026-04-27 13:24:34 +02:00
m3tm3re
936eb13794 feat: add global skills to hermes environment 2026-04-26 15:14:54 +02:00
m3tm3re
5b0e6cbd5d feat(hermes-agent): add copy-hermes-skills systemd service 2026-04-26 14:37:43 +02:00
m3tm3re
2302810d11 chore: update beads issue state and gitignore docs/plans 2026-04-26 14:35:38 +02:00
m3tm3re
25ac47a422 feat(hermes-agent): add mkOpencodeSkills integration for skills provisioning
- Add inputs parameter to module signature for flake input access
- Define hermesSkills via inputs.agents.lib.mkOpencodeSkills
- Includes customSkills from agents flake and external skills:
  - skills-basecamp (basecamp/basecamp-cli)
  - skills-anthropic (anthropics/skills)
  - skills-kestra (kestra-io/agent-skills)
- Verified with nixos-rebuild dry-run --flake .#m3-hermes (no errors)
2026-04-26 14:35:06 +02:00
m3tm3re
e6cfcc346b docs(agents): expand Beads workflow documentation
- Add 6-step core workflow with examples
- Document slash commands for agent integration
- Add 'Why Beads?' section emphasizing persistence
- Note to avoid bd edit in agent contexts
- Include dependency linking examples
2026-04-26 14:12:30 +02:00
m3tm3re
09bc9da6d9 chore: complete AGENTS.md documentation
- Add comprehensive project documentation to AGENTS.md
- Remove stale docs from docs/ directory
- Update agent configs (agents.nix, pi.nix)
- Update python.nix language config
- Update .gitignore
2026-04-26 14:10:54 +02:00
m3tm3re
eb06533174 Merge feature/home-profile-restructuring: home-manager profile refactoring
Refactor home-manager configuration structure:
- Reorganize from features/ to base/coding/desktop/server/profiles/
- Add language runtime modules (go, js, python, rust, typescript)
- Add LSP server configuration
- Add gaming and media profiles
- Add shell modules (fish, nushell, starship)
- Consolidate editor and git configuration
2026-04-26 13:53:00 +02:00
m3tm3re
0d81b0e5e9 chore: add beads issue tracker configuration 2026-04-26 13:49:23 +02:00
m3tm3re
0ea8b8d2eb feat(home): extract CLI tools into modular home/base structure
- Add individual modules for: bat, carapace, direnv, eza, fzf, lf, nitch,
  television, zellij, zellij-ps, zoxide
- Centralize in home/base/cli-tools/ with default.nix aggregator
- Simplify home/base/packages by removing extracted tools
2026-04-26 13:49:17 +02:00
m3tm3re
30a9a23de2 refactor: add language runtimes module and cleanup agent config
- Add home/coding/languages/ with Python, JavaScript, Rust, Go, TypeScript
- Move bun/nodejs from agents.nix to languages/javascript.nix
- Move python3 with packages to languages/python.nix
- Move npm config to javascript.nix (broader context)
- Add language options to m3-ares and m3-kratos host configs
- Move pyrefly from agents.nix to lsp/servers.nix
- Remove duplicate python3 reference (build conflict fix)
- Remove unused base/secrets/cli-tools/ duplicates
2026-04-26 13:20:22 +02:00
m3tm3re
6d0149ee6e feat: add AMD GPU tools, media packages, and productivity module
Task 3 - Gaming profile:
- Add gpu.nix with ROCm runtime/smi/info and vulkan-tools
- Import gpu.nix in gaming profile aggregator

Task 4 - Media profile:
- Add unimatrix to yt-dlp.nix packages
- (plexamp, webcord, mpv config were already present)

Task 5 - Desktop apps:
- Add productivity.nix with pomodoro-timer
- Import productivity.nix in desktop apps aggregator
2026-04-26 12:32:47 +02:00
m3tm3re
d19b87f8cd feat: add coding packages module (bruno, insomnia) 2026-04-26 12:29:14 +02:00
m3tm3re
8f5d076d7b fix: make base modules enabled by default; document lazylib→lazygit
- All base/* modules now use (mkEnableOption "...") // { default = true; }
  so they activate automatically when imported — no explicit .enable = true
  required in host configs
- packages.nix: add comment documenting that lazylib does not exist in
  nixpkgs; lazygit is the correct and intended package
- zellij-ps.nix: clarify that cli.zellij-ps namespace is intentional —
  it is the home-manager module convention from m3ta-nixpkgs
- nix flake check passes (warnings are pre-existing)
2026-04-26 12:16:44 +02:00
m3tm3re
3c9a107608 feat: add missing packages and programs to base cli-tools
- packages.nix: essential packages (jq, ripgrep, fd, htop, coreutils,
  lazygit, httpie, just, devenv, gcc, go, sqlite, sqlite-vec, nix-index,
  nix-update, progress, comma, fabric-ai, llm, basecamp, hyprpaper-random,
  libnotify, trash-cli, unzip, zip, yazi)
- bat.nix: bat with nix-colors derived syntax theme
- carapace.nix: multi-shell completion (fish, nushell, bash)
- direnv.nix: automatic env loading with nix-direnv
- eza.nix: modern ls with icons, git status, long format
- lf.nix: terminal file manager with bat preview
- zoxide.nix: smarter cd with fish and nushell integration
- zellij-ps.nix: project session manager wrapping cli.zellij-ps
2026-04-26 12:06:36 +02:00
m3tm3re
cc01c1d0aa fix(agents): make videoDrivers optional with safe default
For standalone Home Manager evaluation where videoDrivers may be absent
2026-04-26 11:37:17 +02:00
m3tm3re
d59a6b82b6 chore: remove features.old archive and format all files
- Delete home/features.old/ (archived old flat feature modules)
- All content migrated to new profile-based structure
- Run alejandra formatter over 13 changed files
- nix flake check passes cleanly
2026-04-26 11:29:49 +02:00
m3tm3re
d44bdad73a refactor: archive old features directory to features.old
The new profile-based structure (home/base, home/desktop, home/server,
home/profiles/, home/coding) is fully operational and imported via
home/lib/mkHomeConfig. The legacy home/features directory is no longer
referenced anywhere in the configuration.

Archived rather than deleted to preserve history for reference.
2026-04-26 11:22:17 +02:00
m3tm3re
797ffb2b8a fix: assert unknown profiles in mkHomeConfig; move agent modules to coding/agents
- home/lib/default.nix: add assertion for unknown profile names instead of
  silently filtering them out; remove unused 'inherit (lib) optional'
- home/coding/agents/{opencode,pi}.nix: moved from home/features/coding/
  to co-locate with agents.nix (eliminating cross-directory back-references)
- home/coding/agents/agents.nix: update imports to ./opencode.nix and ./pi.nix
- home/features/coding/: remove now-dead default.nix (nothing imported it)
2026-04-26 11:17:03 +02:00
m3tm3re
73bd2b1f2e fix: spec review - add missing fish module to base/shell
- Create home/base/shell/fish.nix
- Add to base/shell/default.nix imports
- Migrate remaining hosts from features.cli.fish to base.shell.fish
2026-04-26 11:09:50 +02:00
m3tm3re
f3749c5679 feat: implement profile system with mkHomeConfig and context constraints
- Add home/lib/default.nix with mkHomeConfig utility
  - Loads base + common modules always
  - Maps profiles (coding, gaming, media) to module imports
  - Enforces desktop/server mutual exclusion via assertion
  - Context must be 'desktop', 'server', or null

- Migrate all per-host home configs to new profile system
  - m3-ares: context=desktop, profiles=[coding, gaming, media]
  - m3-kratos: context=desktop, profiles=[coding, gaming, media]
  - m3-atlas: context=server, profiles=[coding]
  - m3-helios: context=server, profiles=[]
  - m3-hermes: context=server, profiles=[]
  - m3-aether: context=server, profiles=[]
  - m3-daedalus: context=desktop, profiles=[coding, media]

- Replace features.* options with new namespaces:
  - features.cli.* -> base.shell.* / base.cliTools.* / base.secrets
  - features.desktop.* -> desktop.wm.* / desktop.apps.* / desktop.theme.*
  - gaming/media moved to profiles.gaming.* / profiles.media.*

- Fix home/coding/editor/neovim.nix: remove duplicate option declaration
  (coding.editors.neovim.enable already declared by m3ta-nixpkgs)

- Fix home/coding/lsp/servers.nix: replace removed nodePackages.typescript-language-server
  with typescript-language-server

- Fix home/desktop/theme/wallpapers.nix: correct relative path
  (was ../../.. which resolved to project root, should be ../..)
2026-04-26 11:03:43 +02:00
m3tm3re
9908b9e335 fix: code review fixes
- Fix hardcoded user path in webapps.nix (use homeDirectory)
- Normalize wallpapers option to use .enable suffix
- Remove duplicate FZF keybind declaration
- Update comments to match actual implementation
2026-04-26 10:49:01 +02:00
m3tm3re
06b430e067 fix: code review fixes
- Fix hardcoded user path in webapps.nix (use homeDirectory)
- Normalize wallpapers option to use .enable suffix
- Remove duplicate FZF keybind declaration
- Update comments to match actual implementation
2026-04-26 10:48:52 +02:00
m3tm3re
1b5bcae686 feat: create new home/ directory structure for profile-based config
New structure:
- home/base/        - Always loaded (shell, cli-tools, secrets)
- home/coding/      - Profile-independent dev tooling (editor, lsp, git, agents)
- home/profiles/    - Freely combinable profiles (gaming, media)
- home/desktop/     - Desktop-only (wm, apps, theme)
- home/server/      - Minimal server stub

Migration sources:
- home/features/cli/ → home/base/{shell,cli-tools,secrets}
- home/features/desktop/hyprland,wayland,rofi → home/desktop/wm/
- home/features/desktop/obsidian,office,webapps,crypto → home/desktop/apps/
- home/features/desktop/fonts,theme,wallpapers → home/desktop/theme/
- gaming.nix split → home/profiles/gaming/{steam,gamescope}
- media.nix split  → home/profiles/media/{obs,ffmpeg,yt-dlp,kdenlive,handbrake}

Option namespaces updated:
- features.cli.*  → base.shell.* / base.cliTools.* / base.secrets
- features.desktop.* → desktop.wm.* / desktop.apps.* / desktop.theme.*
- features.desktop.gaming → profiles.gaming.*
- features.desktop.media  → profiles.media.*

Verified: nix flake check passes (warnings only)
2026-04-26 10:37:03 +02:00
m3tm3re
b1eb50a350 chore: add .worktrees to gitignore
For isolated feature development
2026-04-26 10:27:13 +02:00
m3tm3re
383f4ef56f feat: tuwunel matrix server + hermes update 2026-04-24 21:38:57 +02:00
m3tm3re
d47680aef7 chore: n8n update 2026-04-22 19:26:10 +02:00
m3tm3re
047b60a6a8 refactor: update Pi agent configuration and devShell
- Switch model provider from zai/glm-5.1 to minimax/MiniMax-M2.7
- Add coding rules for Nix language and standard concerns
- Add linting tools (statix, deadnix) to devShell
- Simplify devShell configuration
- Update AGENTS.md project rules
2026-04-22 17:59:23 +02:00
m3tm3re
382b4c8c98 chore: hermes update 2026-04-21 19:00:49 +02:00
90fbdfe346 Merge pull request 'feat: pi-agent wrapper' (#5) from feature/pi-agent-wrapper into master
Reviewed-on: #5
2026-04-14 18:51:44 +02:00
m3tm3re
7e0d60c95b feat: pi-agent wrapper 2026-04-14 18:36:55 +02:00
e289698960 Merge pull request 'feat: containerized pi agent' (#4) from feature/pi-agent-containerized into master
Reviewed-on: #4
2026-04-13 21:31:03 +02:00
m3tm3re
24e39d19e3 feat: containerized pi agent 2026-04-13 21:28:13 +02:00
197704ee95 Merge pull request 'fix/evaluation-warnings-opencode-neovim' (#3) from fix/evaluation-warnings-opencode-neovim into master
Reviewed-on: #3
2026-04-13 19:40:38 +02:00
m3tm3re
53a30c7af3 chore: ignore .pi-lens artifacts and untrack cached files 2026-04-13 19:35:58 +02:00
m3tm3re
4684c5dc3e chore: include local changes and bump home-manager state to 26.05 2026-04-13 19:23:49 +02:00
m3tm3re
55aac2c910 fix: silence nix evaluation warnings for neovim/opencode/system 2026-04-13 19:18:25 +02:00
fa608ae399 Merge pull request 'fix(hermes): inject matrix-nio via PYTHONPATH in container' (#2) from fix/matrix-nio-pythonpath into master
Reviewed-on: #2
2026-04-13 17:00:10 +02:00
717e7b0291 Merge pull request 'feat: config with agents rework' (#1) from feature/agents-rework into master
Reviewed-on: #1
2026-04-13 16:56:56 +02:00
m3tm3re
40507bb930 feat: config with agents rework 2026-04-13 16:53:33 +02:00
m3tm3re
7bf686481c feat: config with agents rework 2026-04-13 16:44:18 +02:00
Chiron Agent
3868f69958 fix(hermes): inject matrix-nio via PYTHONPATH in container
matrix-nio is installed in the container's writable venv layer
(~/.venv) but the hermes process uses the read-only Nix store Python.
This adds PYTHONPATH and LD_LIBRARY_PATH as container-level env vars
so matrix-nio + libolm (e2e encryption) are importable.
2026-04-11 05:17:51 +00:00
m3tm3re
ab3332e45b feat: hermes agent for m3-ares 2026-04-09 19:56:19 +02:00
m3tm3re
c92868308b chore: initialize taskplane tasks 2026-04-08 20:44:51 +02:00
m3tm3re
6a58b3656a flake update + hermes workaround for upstream bug 2026-04-08 17:48:27 +02:00
sascha.koenig
6853bb3063 +m3-hermes 2026-04-07 06:19:05 +02:00
m3tm3re
38c27eff1c +basic hermes config 2026-04-06 18:44:07 +02:00
m3tm3re
d9d4b6cd85 feat: add openwork to desktop packages, update flake inputs and misc config 2026-04-03 12:45:55 +02:00
m3tm3re
44c0234739 chore: update mcp config 2026-03-31 13:30:47 +02:00
m3tm3re
4f0a92e43b fix: nushell tv warning m3-atlas 2026-03-28 10:29:05 +01:00
m3tm3re
87939ce630 feat: implement agent skills 2026-03-28 10:17:29 +01:00
m3tm3re
1bc1616a4f m3-ares update 2026-03-22 17:21:25 +01:00
m3tm3re
43523cf2d8 +television, flake-update 2026-03-21 09:39:19 +01:00
m3tm3re
08baa5ee83 updated agents input 2026-03-14 10:07:21 +01:00
m3tm3re
114644ce63 updated agents input 2026-03-14 10:06:47 +01:00
m3tm3re
411c67d2c6 add mcps to home-config; +ghostty 2026-03-14 09:26:13 +01:00
m3tm3re
e9f20d7dda chore: rekey secrets 2026-03-10 04:38:25 +01:00
m3tm3re
4ae2bb0f48 chore: flake update 2026-03-07 11:44:04 +01:00
m3tm3re
b08be9132b feat: litellm provider for opencode 2026-03-03 20:07:25 +01:00
m3tm3re
e4195230a5 chore: fix netbird ssh 2026-03-02 19:24:28 +01:00
m3tm3re
674ce6957c feat: authentik 2026-02-28 10:06:42 +01:00
m3tm3re
a9022a4f55 refactor(netbird): use port registry and named IP variables 2026-02-27 16:03:12 +01:00
m3tm3re
fa9747f3e9 refactor(ports): add netbird port definitions 2026-02-27 16:03:08 +01:00
m3tm3re
4920029c65 +openspec 2026-02-18 17:57:21 +01:00
m3tm3re
a12958b68f chore: flake update 2026-02-18 16:28:31 +01:00
m3tm3re
2e550b91f5 feat(opencode): integrate rules into default devShell
- Switch agents input to local path for development
- Add default devShell with Opencode rules integration
- Update .gitignore to exclude generated Opencode files
- Upgrade opencode to v1.2.6
2026-02-17 20:11:14 +01:00
m3tm3re
1d3564f360 feat(opencode): deploy rules/ to ~/.config/opencode/rules/ via home-manager
- Add xdg.configFile entry for opencode/rules
- Rules deployed alongside skills, commands, context, prompts

Refs: T4 of rules-system plan
2026-02-17 18:59:43 +01:00
m3tm3re
8ead26a791 update opencode config, secrets, tailscale, and agents input
- opencode: remove deprecated google_auth, add git_master config,
  experimental truncation, use glm-4.6v for multimodal-looker,
  upgrade categories to glm-5, remove opencode-memory plugin
- m3-atlas: add ref/exa/outline/basecamp secret declarations
- m3-kratos: enable tailscale with ssh and reset flags
- agents: switch back to remote git input
2026-02-17 08:54:13 +01:00
m3tm3re
87baf2377f +opencode-memory 2026-02-16 19:57:16 +01:00
m3tm3re
7b9caedaa4 headscale ssh acl 2026-02-16 18:59:34 +01:00
m3tm3re
105e573c53 Switch to local m3ta-nixpkgs and enable services
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
2026-02-15 18:16:11 +01:00
m3tm3re
eda9f2a1f9 Enable mem0 and qdrant services on m3-ares
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
2026-02-15 18:15:37 +01:00
m3tm3re
f3536919f0 Update OpenCode configuration and add sqlite tools
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
2026-02-15 18:15:00 +01:00
m3tm3re
5c0fe5abda apply updates from m3ta-nixpkgs 2026-02-11 19:59:59 +01:00
m3tm3re
f80e907277 +td +sidecar 2026-02-10 20:08:32 +01:00
m3tm3re
ffed020289 + Obsidian 2026-02-05 09:01:35 +01:00
m3tm3re
a7ac2232ee flake update 2026-02-05 08:05:20 +01:00
m3tm3re
c28c1953d0 hyprland opaque keybinding fix 2026-02-04 16:51:00 +01:00
m3tm3re
f7a1591451 merge flake inputs 2026-01-26 20:53:49 +01:00
m3tm3re
b6dab69d42 chore folder renaming for opencode: skill -> skills, command -> commands 2026-01-26 20:50:39 +01:00
m3tm3re
b6fa6c1bcf oh-my-opencode model structure for v3.x 2026-01-24 18:09:42 +01:00
m3tm3re
2449532b30 chore: update dependencies, add basecamp secrets, improve desktop environment
- Update opencode to v1.1.34
- Add new opencode agents (Prometheus, Metis, Momus, Atlas) and categories
- Switch m3ta-nixpkgs back to local path
- Add basecamp client credentials for m3-ares and m3-kratos
- Set NIXOS_OZONE_WL=1 for better Wayland app support in Hyprland
- Remove redundant wrl.enable from flatpak portal config
2026-01-23 18:14:08 +01:00
m3tm3re
39d2b5a609 chore: optimize gitea runner 2026-01-21 17:59:58 +01:00
m3tm3re
3b2d19f8a6 fix: jq + curl to gitea action runner 2026-01-20 21:17:08 +01:00
m3tm3re
4439e6d173 model changes opencode 2026-01-19 19:26:37 +01:00
m3tm3re
048244f122 fix(m3-ares): use stable tuxedo-drivers module to work around nixpkgs#480391
The unstable tuxedo-drivers module has a type error where cfg.settings
(a set) is passed directly to lib.any which expects a list. This was
introduced in commit 15d9ec6 and fixed in a77e30e, but the fix hasn't
propagated to our nixpkgs input yet.

Workaround: disable the unstable module and import from nixpkgs-stable.
2026-01-19 19:24:34 +01:00
m3tm3re
09e93ef6f0 flake update 2026-01-17 10:17:48 +01:00
m3tm3re
dd59d2a56d fix: add nodejs to gitea runner hostPackages
- Enables actions/checkout@v4 to work on self-hosted nixos runner
- Fixes: nixpkgs-5yn (Gitea Actions runner missing Node.js)
2026-01-15 19:06:42 +01:00
m3tm3re
f9415c05f9 Add Gitea Actions Runner and update OpenCode config
- Add Gitea Actions Runner service on m3-atlas with nixos:host label
- Configure agenix secret for runner token
- Add Antigravity provider models to OpenCode config
- Switch m3ta-nixpkgs to local path for development
2026-01-14 20:55:23 +01:00
m3tm3re
e1de4805ce bd sync: 2026-01-13 20:51:49 2026-01-13 20:51:49 +01:00
m3tm3re
f482759c2e bd sync: 2026-01-13 20:51:30 2026-01-13 20:51:30 +01:00
m3tm3re
ad35d27135 opencode -> 1.1.14 2026-01-12 20:25:22 +01:00
m3tm3re
18ef6174bb opencode config changes 2026-01-11 13:13:07 +01:00
m3tm3re
9dfaccb77e feat: add wallpaper feature with 5 new wallpapers
- Add wallpapers.nix module for wallpaper management
- Update hyprland and rofi configs
- Update m3-ares and m3-kratos user configs
- Update flake inputs
2026-01-10 18:09:58 +01:00
m3tm3re
5e4e007b67 opencode update 2026-01-10 06:14:02 +01:00
m3tm3re
1316d3268f chore: update opencode, hyprland config, and disable qdrant
- Remove opencode-anthropic-auth plugin from opencode config
- Add XDG environment variables for Hyprland session awareness
- Disable qdrant service on m3-ares host
2026-01-09 18:18:45 +01:00
m3tm3re
b76db4800a Agents input update 2026-01-09 14:38:02 +01:00
m3tm3re
5ff19bccbe Claude Max login fix for opencode 2026-01-09 14:36:17 +01:00
m3tm3re
5713202dc9 chore: update flake inputs and adjust configs
- Update flake inputs (home-manager, HyprPanel, nixpkgs variants, NUR, AGENTS)
- Switch OpenCode agents to opencode/ model provider
- Remove webcord package from media config
- Fix thunar plugins namespace (xfce.* → pkgs.*)
- Upgrade m3-kratos kernel to 6.18
- Disable ADB and qdrant service on m3-kratos
- Enable qdrant overlay using stable nixpkgs
2026-01-09 12:56:07 +01:00
m3tm3re
4b386040db fix(hyprland): update window rules to new syntax
- Replace old windowrule format with new match: prefix syntax
- Fix property names: initialTitle → initial_title
- Fix effect names: idleinhibit → idle_inhibit, noanim → no_anim, etc.
- Replace noborder with decorate off (correct effect)
- Fix pomodoro move expression to use monitor_h variable
- Apply fixes across all host configs (m3-ares, m3-kratos, m3-daedalus)
2026-01-09 12:30:20 +01:00
m3tm3re
e7a02dc45e Opencode model setup to Opencode Zen 2026-01-09 10:28:17 +01:00
m3tm3re
9566e6cd77 + beads opencode plugin 2026-01-08 04:47:31 +01:00
m3tm3re
c1f274d63a adjusted auto-enabled MCPs for opencode 2026-01-07 19:31:00 +01:00
m3tm3re
1092fc98a5 Basecamp MCP 2026-01-07 19:08:33 +01:00
m3tm3re
b2fff7b104 anytype-key m3-ares 2026-01-07 04:49:43 +01:00
m3tm3re
c8752086a2 Opencode permissions + agent configs 2026-01-06 08:54:17 +01:00
m3tm3re
175f971809 project-launcher changes 2026-01-06 05:54:19 +01:00
m3tm3re
bb85c4b40d m3ta-nixpkgs update 2026-01-04 04:02:36 +01:00
m3tm3re
21957d895c m3ta-nixpkgs update 2026-01-04 04:01:56 +01:00
m3tm3re
ffd26b3139 merge 2026-01-04 03:52:38 +01:00
m3tm3re
b2cdc7db2a opencode hm config 2026-01-04 03:49:13 +01:00
m3tm3re
eab4c26ca4 nodejs to bun aliases 2026-01-03 11:12:01 +01:00
m3tm3re
f615f3bd6a nvidia fix m3-ares 2026-01-03 09:31:59 +01:00
m3tm3re
841d7abbe7 stt, mem0, rofi-project-opener 2026-01-02 15:12:26 +01:00
m3tm3re
6ac20b65f4 AGENTS.md: add hierarchical documentation for hosts, home, features, services 2025-12-29 18:55:52 +01:00
m3tm3re
460fc927ec +AGENTS.md for AI coding agents 2025-12-28 11:28:19 +01:00
m3tm3re
949e017b22 add bun to PATH and packages, remove opencode 2025-12-28 10:25:23 +01:00
m3tm3re
27d162f3ae flake update 2025-12-27 09:52:19 +01:00
Sascha Koenig
90a5e53510 m3-atlas to 26.05 2025-12-23 12:58:52 +01:00
Sascha Koenig
5d707efe7b re-enabled ollama 2025-12-23 09:53:46 +01:00
Sascha Koenig
2f4273c86f +fabric +opencode 2025-12-23 09:31:59 +01:00
Sascha Koenig
436928b187 flake update 2025-12-23 09:25:17 +01:00
Sascha Koenig
f529c59400 flake url fix m3ta-nixpkgs 2025-12-11 07:07:18 +01:00
Sascha Koenig
0e6ea7e6a3 flake update 2025-12-11 07:04:52 +01:00
Sascha Koenig
aaf82b29da flake update 2025-11-29 12:48:52 +01:00
m3tm3re
d24c6b28f8 flake update 2025-10-28 16:44:52 +01:00
m3tam3re
8f4b39d277 flake update 2025-10-05 14:38:50 +02:00
m3tam3re
dea4ca9377 added ports module from m3ta-nixpkgs / prep for rewrite 2025-10-05 12:24:27 +02:00
m3tam3re
6cd1fdd651 beginning of bigger restructure, m3ta-nixpkgs input 2025-10-03 19:14:37 +02:00
m3tam3re
b66553888b beginning of bigger restructure, m3ta-nixpkgs input 2025-10-03 14:55:24 +02:00
m3tam3re
35becfdea4 +crush 2025-09-29 18:58:19 +02:00
m3tam3re
b2ad6005bc +hyprland cfg 2025-09-15 18:11:00 +02:00
m3tam3re
150dd20d32 +gamemoderun 2025-09-14 16:58:40 +02:00
m3tam3re
bab10c3273 +tuxedo backlight 2025-09-08 04:40:19 +02:00
m3tam3re
d5e13e2099 gnome m3-ares 2025-09-06 21:19:11 +02:00
m3tam3re
20706ce6a3 rofi dmenu exec 2025-09-04 20:23:31 +02:00
m3tam3re
e9baa42695 keybindings + rofi fix 2025-09-04 18:21:56 +02:00
m3tam3re
2e6bf051f0 keybindings + rofi fix 2025-09-04 18:15:37 +02:00
Sascha Koenig
a5f544e8d3 flake update 2025-09-04 15:37:14 +02:00
m3tam3re
a81aee81b1 flake update 2025-09-04 15:36:53 +02:00
m3tam3re
d2c127c396 AZ ssh config 2025-09-04 15:04:11 +02:00
m3tam3re
846a88475a more nix-colors; nushell fzf fix 2025-09-02 20:18:42 +02:00
m3tam3re
bbb79160ae nix-colors 2025-08-30 14:32:25 +02:00
m3tam3re
cc0f4c66ce Msty Studio version number 2025-08-30 09:09:30 +02:00
m3tam3re
7c355127c7 +Msty Studio 2025-08-30 09:05:58 +02:00
m3tam3re
6ce51f5cf2 cleanup 2025-08-28 20:33:23 +02:00
m3tam3re
d96e054ef3 cleanup 2025-08-28 20:31:25 +02:00
m3tam3re
7a3f368aca + webapp launcher, hyprland config changes 2025-08-28 20:28:10 +02:00
Sascha Koenig
9e44101016 hyprpaper randomizer 2025-08-24 11:57:40 +02:00
Sascha Koenig
d5b06c496d minor changes 2025-08-14 11:10:59 +02:00
Sascha Koenig
669ed55dc0 minor changes 2025-08-14 10:51:24 +02:00
Sascha Koenig
578bfd527f some refactoring 2025-07-20 19:30:57 +02:00
Sascha Koenig
2715ddc617 flake update 2025-07-20 14:26:14 +02:00
Sascha Koenig
eedf92819c baserow upgrade 2025-07-15 17:37:38 +02:00
Sascha Koenig
0ff5c04d23 outline config + paperless overlay 2025-07-10 19:31:32 +02:00
Sascha Koenig
55e8c6cae5 +outline, flake update 2025-07-10 06:55:08 +02:00
Sascha Koenig
b54213cfbb flake update 2025-07-03 19:06:08 +02:00
Sascha Koenig
a11ee7ee02 +m3-daedalus 2025-06-24 20:13:48 +02:00
Sascha Koenig
8c9860674b hyprland stream-boxes 2025-05-21 14:24:30 +02:00
Sascha Koenig
e1719204e9 tailscale key rotation 2025-05-20 09:35:04 +02:00
Sascha Koenig
72ceffc61d nushell fzf 2025-05-19 21:03:09 +02:00
Sascha Koenig
22cbc7c5a2 flake update 2025-05-19 17:27:39 +02:00
Sascha Koenig
68ecbd3bf1 +builder for proxmox nixos-template 2025-05-19 12:53:05 +02:00
Sascha Koenig
f85332f321 gitea fix 2025-05-18 13:03:39 +02:00
Sascha Koenig
040d03423d mesa 25.0.6 overlay for doom the dark ages 2025-05-17 15:21:21 +02:00
Sascha Koenig
cf731e7309 rm wl-clipboard pin 2025-05-15 09:50:08 +02:00
Sascha Koenig
e0aa2783bb postgres upgrade@m3-atlas 2025-05-13 05:32:59 +02:00
Sascha Koenig
7854d75742 flake update 2025-05-12 11:22:29 +02:00
Sascha Koenig
80cff4278d port changes for gitea 2025-05-12 10:33:27 +02:00
Sascha Koenig
f33bfec02e vw conf @m3-atlas 2025-05-08 09:45:25 +02:00
Sascha Koenig
20bdd1c7b6 Paperless Service @m3-atlas 2025-05-08 08:20:16 +02:00
Sascha Koenig
7fec29f602 +vaultwarden, +slash@nemoti 2025-05-08 00:15:04 +02:00
m3tam3re
a3a85c3596 +Tailscale @m3-ares 2025-05-06 13:23:55 +02:00
m3tam3re
279d00ae82 Headscale and Tailscale config modules 2025-05-06 13:22:39 +02:00
m3tam3re
ad87c67161 Headscale and Tailscale config modules 2025-05-05 11:44:32 +02:00
m3tam3re
53ce9740bd nushell dir_fuzzy 2025-05-05 01:58:36 +02:00
m3tam3re
881a65263d +skim functions for nushell 2025-05-04 19:00:11 +02:00
m3tam3re
32503965ab +Nushell 2025-05-04 10:53:18 +02:00
m3tam3re
3d52c0576e -fastfetch;+nitch 2025-04-30 14:47:05 +02:00
m3tam3re
cc38372ee0 experimental msty-sidecar 2025-04-29 15:05:08 +02:00
m3tam3re
e461fc494a flake update; msty update; +headscale config 2025-04-29 13:36:01 +02:00
m3tam3re
5a5b434efd m3ta.dev www fix for traefik 2025-04-24 16:57:30 +02:00
m3tam3re
d69a9b9b38 + work-timer 2025-04-21 15:00:21 +02:00
m3tam3re
b6e8a1614b traefik domain redirects 2025-04-18 15:59:06 +02:00
m3tam3re
f560c59be5 +code2prompt, removed temporary overlays 2025-04-18 10:53:05 +02:00
m3tam3re
01a2cbc808 m3-atlas: n8n - nixos, ghost update 2025-04-16 14:06:02 +02:00
m3tam3re
9b6e6a6992 flake update 2025-04-15 09:41:22 +02:00
m3tam3re
02f8b6d787 +ssh config zed for self-host-playbook 2025-04-10 19:16:46 +02:00
m3tam3re
40d6c9692a flake update 2025-04-10 11:36:42 +02:00
m3tam3re
374a17e6fc +experimental pangolin config for m3-atlas 2025-04-07 19:45:20 +02:00
m3tam3re
b1e1a95a1c flake update 2025-03-28 11:32:08 +01:00
m3tam3re
74e7ee8364 lock OVMF 2025-03-28 10:00:43 +01:00
m3tam3re
c32a94b82c Hyprland config change due to 0.48 update 2025-03-27 09:29:24 +01:00
m3tam3re
0e6ea2bacb n8n override fix 2025-03-26 12:24:36 +01:00
m3tam3re
8a2b5438af +vivaldi flake update 2025-03-26 11:54:49 +01:00
m3tam3re
81ee763318 flatpak fix attempt 2025-03-26 06:12:35 +01:00
m3tam3re
1c0b67c2a0 Update flake.lock 2025-03-24 13:05:41 +01:00
m3tam3re
42aa44a56b obs-browser 2025-03-24 13:05:28 +01:00
m3tam3re
466cbaf048 n8n-env, obs-plugins 2025-03-18 11:56:09 +01:00
m3tam3re
b47e20afad flake update / brave fix 2025-03-18 09:32:28 +01:00
m3tam3re
e93bdf20a3 restreamer setup 2025-03-15 14:23:47 +01:00
m3tam3re
779473317d +matomo 2025-03-14 17:32:08 +01:00
m3tam3re
39782b6eb9 flake update 2025-03-14 10:52:22 +01:00
m3tam3re
960ea9503d flake update 2025-03-13 11:30:48 +01:00
m3tam3re
df41024693 playbook ssh config 2025-03-12 14:20:44 +01:00
m3tam3re
73fd3ef108 flake update 2025-03-10 09:37:17 +01:00
m3tam3re
221ffed715 let's try warp 2025-03-05 09:23:39 +01:00
m3tam3re
3637aee724 +warp-terminal 2025-03-04 23:27:10 +01:00
m3tam3re
c0e8cfd773 msty fix licensing 2025-03-04 14:54:59 +01:00
m3tam3re
ede0af92cd fix msty license persistence 2025-03-04 06:14:49 +01:00
m3tam3re
f812a1de83 secrets update 2025-03-03 10:16:17 +01:00
m3tam3re
eb84e24369 +MSTY 2025-03-02 16:14:43 +01:00
m3tam3re
d51894816c pin to fix anytype error 2025-03-01 15:43:00 +01:00
m3tam3re
c7fb70c88d neofetch to fastfetch 2025-03-01 15:01:19 +01:00
m3tam3re
2db7d8c1fd +slash 2025-02-28 15:56:53 +01:00
m3tam3re
ce168609ca flake update 2025-02-28 09:55:27 +01:00
m3tam3re
842b01b647 n8n-env-fix 2025-02-24 14:57:19 +01:00
m3tam3re
fa734b5c85 ghost-env-fix 2025-02-24 14:51:43 +01:00
m3tam3re
a4d8d6890c +crypto 2025-02-24 09:48:13 +01:00
m3tam3re
262902c018 n8n@m3-atlas 2025-02-23 19:07:14 +01:00
m3tam3re
2ffd84eb4e ssh_config 2025-02-22 11:03:03 +01:00
m3tam3re
39e1187948 headscale + tailscale 2025-02-21 14:07:29 +01:00
m3tam3re
74d4940e27 traffic dns fix 2025-02-20 15:47:16 +01:00
m3tam3re
25b1fa76d7 flake update 2025-02-18 19:39:32 +01:00
m3tam3re
b281290bef flake update 2025-02-18 19:37:50 +01:00
m3tam3re
e02d76f981 +NFS 2025-02-17 06:44:42 +01:00
m3tam3re
9bcb33e58a @zed config changes 2025-02-17 06:36:50 +01:00
m3tam3re
994f7f6f74 NFS @m3-kratos 2025-02-15 14:08:39 +01:00
m3tam3re
e98e224af9 merge 2025-02-14 13:53:28 +01:00
m3tam3re
b2e01747e5 flake update 2025-02-14 13:44:29 +01:00
m3tam3re
75ae18b73e @n8n updatr to 1.78 2025-02-14 09:32:40 +01:00
m3tam3re
4a48ee92cb @hyprland +uwsm 2025-02-12 18:10:26 +01:00
m3tam3re
e0dda1eb0a @hyprland +uwsm 2025-02-12 11:12:32 +01:00
m3tam3re
bd97658bd2 steam stuff @m3-ares 2025-02-06 06:44:21 +01:00
m3tam3re
8785824cde +some python stuff 2025-02-05 13:17:58 +01:00
m3tam3re
f5ca531962 +s3 @m3-atlas 2025-02-03 18:37:07 +01:00
m3tam3re
446be80ef1 +nfs mount @m3-atlas 2025-02-03 17:54:53 +01:00
m3tam3re
28ab56d302 n8n@1.77 / pnpm_9 2025-02-03 08:25:49 +01:00
m3tam3re
190fb2d6d1 flake update 2025-02-02 15:41:21 +01:00
m3tam3re
e4b87c6908 rocblas workaround 2025-01-28 09:57:26 +01:00
m3tam3re
65a69df52b flake update, -n8n @m3-ares 2025-01-28 09:09:17 +01:00
m3tam3re
e75166e5fc +onsomnia 2025-01-26 12:32:28 +01:00
m3tam3re
c18b2d1f94 -spotify 2025-01-25 13:16:10 +01:00
m3tam3re
a39436da6f m3-ares: fix early boot lvm warning 2025-01-24 14:58:44 +01:00
m3tam3re
05c614d3b1 +ollama AMD fix, ... rollback 2025-01-24 14:54:19 +01:00
m3tam3re
b3c4a9b3ba -ollama AMD fix, not needed anymore 2025-01-21 10:04:14 +01:00
m3tam3re
4c0c2181ef postgres initialScript redundancy removed 2025-01-20 11:36:17 +01:00
m3tam3re
6606d63a20 postgres settings m3-kratos 2025-01-16 15:19:29 +01:00
m3tam3re
38187bc92c +m3-atlas 2025-01-15 18:19:03 +01:00
m3tam3re
4f39502228 secrets rekey 2025-01-15 09:45:56 +01:00
m3tam3re
5e128fb2bc gamecope fix m3-ares 2025-01-13 09:13:01 +01:00
m3tam3re
85515be4f0 gamecope fix m3-ares 2025-01-11 06:38:42 +01:00
m3tam3re
a9453ed3a0 flake update 2025-01-09 10:04:13 +01:00
m3tam3re
61588df0b3 +gamescope 2025-01-08 14:35:09 +01:00
m3tam3re
e94c5d4df8 gamecope m3-ares 2025-01-08 08:58:29 +01:00
m3tam3re
5c2ba374f9 -tuxedo drivers 2024-12-16 11:28:41 +01:00
m3tam3re
0d7efd1c33 +gamescope 2024-12-16 09:16:54 +01:00
m3tam3re
157fc4d38c +upower for m3-ares 2024-12-10 10:23:05 +01:00
186 changed files with 6711 additions and 2079 deletions

73
.beads/.gitignore vendored Normal file

@@ -0,0 +1,73 @@
# Dolt database (managed by Dolt, not git)
dolt/
embeddeddolt/
# Runtime files
bd.sock
bd.sock.startlock
sync-state.json
last-touched
.exclusive-lock
# Daemon runtime (lock, log, pid)
daemon.*
# Interactions log (runtime, not versioned)
interactions.jsonl
# Push state (runtime, per-machine)
push-state.json
# Lock files (various runtime locks)
*.lock
# Credential key (encryption key for federation peer auth — never commit)
.beads-credential-key
# Local version tracking (prevents upgrade notification spam after git ops)
.local_version
# Worktree redirect file (contains relative path to main repo's .beads/)
# Must not be committed as paths would be wrong in other clones
redirect
# Sync state (local-only, per-machine)
# These files are machine-specific and should not be shared across clones
.sync.lock
export-state/
export-state.json
# Ephemeral store (SQLite - wisps/molecules, intentionally not versioned)
ephemeral.sqlite3
ephemeral.sqlite3-journal
ephemeral.sqlite3-wal
ephemeral.sqlite3-shm
# Dolt server management (auto-started by bd)
dolt-server.pid
dolt-server.log
dolt-server.lock
dolt-server.port
dolt-server.activity
# Corrupt backup directories (created by bd doctor --fix recovery)
*.corrupt.backup/
# Backup data (auto-exported JSONL, local-only)
backup/
# Per-project environment file (Dolt connection config, GH#2520)
.env
# Legacy files (from pre-Dolt versions)
*.db
*.db?*
*.db-journal
*.db-wal
*.db-shm
db.sqlite
bd.db
# NOTE: Do NOT add negation patterns here.
# They would override fork protection in .git/info/exclude.
# Config files (metadata.json, config.yaml) are tracked by git by default
# since no pattern above ignores them.

81
.beads/README.md Normal file

@@ -0,0 +1,81 @@
# Beads - AI-Native Issue Tracking
Welcome to Beads! This repository uses **Beads** for issue tracking - a modern, AI-native tool designed to live directly in your codebase alongside your code.
## What is Beads?
Beads is issue tracking that lives in your repo, making it perfect for AI coding agents and developers who want their issues close to their code. No web UI required - everything works through the CLI and integrates seamlessly with git.
**Learn more:** [github.com/steveyegge/beads](https://github.com/steveyegge/beads)
## Quick Start
### Essential Commands
```bash
# Create new issues
bd create "Add user authentication"
# View all issues
bd list
# View issue details
bd show <issue-id>
# Update issue status
bd update <issue-id> --claim
bd update <issue-id> --status done
# Sync with Dolt remote
bd dolt push
```
### Working with Issues
Issues in Beads are:
- **Git-native**: Stored in Dolt database with version control and branching
- **AI-friendly**: CLI-first design works perfectly with AI coding agents
- **Branch-aware**: Issues can follow your branch workflow
- **Always in sync**: Auto-syncs with your commits
## Why Beads?
**AI-Native Design**
- Built specifically for AI-assisted development workflows
- CLI-first interface works seamlessly with AI coding agents
- No context switching to web UIs
🚀 **Developer Focused**
- Issues live in your repo, right next to your code
- Works offline, syncs when you push
- Fast, lightweight, and stays out of your way
🔧 **Git Integration**
- Automatic sync with git commits
- Branch-aware issue tracking
- Dolt-native three-way merge resolution
## Get Started with Beads
Try Beads in your own projects:
```bash
# Install Beads
curl -sSL https://raw.githubusercontent.com/steveyegge/beads/main/scripts/install.sh | bash
# Initialize in your repo
bd init
# Create your first issue
bd create "Try out Beads"
```
## Learn More
- **Documentation**: [github.com/steveyegge/beads/docs](https://github.com/steveyegge/beads/tree/main/docs)
- **Quick Start Guide**: Run `bd quickstart`
- **Examples**: [github.com/steveyegge/beads/examples](https://github.com/steveyegge/beads/tree/main/examples)
---
*Beads: Issue tracking that moves at the speed of thought*

56
.beads/config.yaml Normal file

@@ -0,0 +1,56 @@
# Beads Configuration File
# This file configures default behavior for all bd commands in this repository
# All settings can also be set via environment variables (BD_* prefix)
# or overridden with command-line flags
# Issue prefix for this repository (used by bd init)
# If not set, bd init will auto-detect from directory name
# Example: issue-prefix: "myproject" creates issues like "myproject-1", "myproject-2", etc.
# issue-prefix: ""
# Use no-db mode: JSONL-only, no Dolt database
# When true, bd will use .beads/issues.jsonl as the source of truth
# no-db: false
# Enable JSON output by default
# json: false
# Feedback title formatting for mutating commands (create/update/close/dep/edit)
# 0 = hide titles, N > 0 = truncate to N characters
# output:
# title-length: 255
# Default actor for audit trails (overridden by BEADS_ACTOR or --actor)
# actor: ""
# Export events (audit trail) to .beads/events.jsonl on each flush/sync
# When enabled, new events are appended incrementally using a high-water mark.
# Use 'bd export --events' to trigger manually regardless of this setting.
# events-export: false
# Multi-repo configuration (experimental - bd-307)
# Allows hydrating from multiple repositories and routing writes to the correct database
# repos:
# primary: "." # Primary repo (where this database lives)
# additional: # Additional repos to hydrate from (read-only)
# - ~/beads-planning # Personal planning repo
# - ~/work-planning # Work planning repo
# JSONL backup (periodic export for off-machine recovery)
# Auto-enabled when a git remote exists. Override explicitly:
# backup:
# enabled: false # Disable auto-backup entirely
# interval: 15m # Minimum time between auto-exports
# git-push: false # Disable git push (export locally only)
# git-repo: "" # Separate git repo for backups (default: project repo)
# Integration settings (access with 'bd config get/set')
# These are stored in the database, not in this file:
# - jira.url
# - jira.project
# - linear.url
# - linear.api-key
# - github.org
# - github.repo
sync.remote: "git+ssh://gitea@code.m3ta.dev/m3tam3re/nixos-config.git"

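--- /dev/null
+++ b/.beads/hooks/post-checkout
@@ -0,0 +1,24 @@
+#!/usr/bin/env sh
+# --- BEGIN BEADS INTEGRATION v1.0.2 ---
+# This section is managed by beads. Do not remove these markers.
+if command -v bd >/dev/null 2>&1; then
+export BD_GIT_HOOK=1
+_bd_timeout=${BEADS_HOOK_TIMEOUT:-300}
+if command -v timeout >/dev/null 2>&1; then
+timeout "$_bd_timeout" bd hooks run post-checkout "$@"
+_bd_exit=$?
+if [ $_bd_exit -eq 124 ]; then
+echo >&2 "beads: hook 'post-checkout' timed out after ${_bd_timeout}s — continuing without beads"
+_bd_exit=0
+fi
+else
+bd hooks run post-checkout "$@"
+_bd_exit=$?
+fi
+if [ $_bd_exit -eq 3 ]; then
+echo >&2 "beads: database not initialized — skipping hook 'post-checkout'"
+_bd_exit=0
+fi
+if [ $_bd_exit -ne 0 ]; then exit $_bd_exit; fi
+fi
+# --- END BEADS INTEGRATION v1.0.2 ---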
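--- /dev/null
+++ b/.beads/hooks/post-merge
@@ -0,0 +1,24 @@
+#!/usr/bin/env sh
+# --- BEGIN BEADS INTEGRATION v1.0.2 ---
+# This section is managed by beads. Do not remove these markers.
+if command -v bd >/dev/null 2>&1; then
+export BD_GIT_HOOK=1
+_bd_timeout=${BEADS_HOOK_TIMEOUT:-300}
+if command -v timeout >/dev/null 2>&1; then
+timeout "$_bd_timeout" bd hooks run post-merge "$@"
+_bd_exit=$?
+if [ $_bd_exit -eq 124 ]; then
+echo >&2 "beads: hook 'post-merge' timed out after ${_bd_timeout}s — continuing without beads"
+_bd_exit=0
+fi
+else
+bd hooks run post-merge "$@"
+_bd_exit=$?
+fi
+if [ $_bd_exit -eq 3 ]; then
+echo >&2 "beads: database not initialized — skipping hook 'post-merge'"
+_bd_exit=0
+fi
+if [ $_bd_exit -ne 0 ]; then exit $_bd_exit; fi
+fi
+# --- END BEADS INTEGRATION v1.0.2 ---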
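--- /dev/null
+++ b/.beads/hooks/pre-commit
@@ -0,0 +1,24 @@
+#!/usr/bin/env sh
+# --- BEGIN BEADS INTEGRATION v1.0.2 ---
+# This section is managed by beads. Do not remove these markers.
+if command -v bd >/dev/null 2>&1; then
+export BD_GIT_HOOK=1
+_bd_timeout=${BEADS_HOOK_TIMEOUT:-300}
+if command -v timeout >/dev/null 2>&1; then
+timeout "$_bd_timeout" bd hooks run pre-commit "$@"
+_bd_exit=$?
+if [ $_bd_exit -eq 124 ]; then
+echo >&2 "beads: hook 'pre-commit' timed out after ${_bd_timeout}s — continuing without beads"
+_bd_exit=0
+fi
+else
+bd hooks run pre-commit "$@"
+_bd_exit=$?
+fi
+if [ $_bd_exit -eq 3 ]; then
+echo >&2 "beads: database not initialized — skipping hook 'pre-commit'"
+_bd_exit=0
+fi
+if [ $_bd_exit -ne 0 ]; then exit $_bd_exit; fi
+fi
+# --- END BEADS INTEGRATION v1.0.2 ---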
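--- /dev/null
+++ b/.beads/hooks/pre-push
@@ -0,0 +1,24 @@
+#!/usr/bin/env sh
+# --- BEGIN BEADS INTEGRATION v1.0.2 ---
+# This section is managed by beads. Do not remove these markers.
+if command -v bd >/dev/null 2>&1; then
+export BD_GIT_HOOK=1
+_bd_timeout=${BEADS_HOOK_TIMEOUT:-300}
+if command -v timeout >/dev/null 2>&1; then
+timeout "$_bd_timeout" bd hooks run pre-push "$@"
+_bd_exit=$?
+if [ $_bd_exit -eq 124 ]; then
+echo >&2 "beads: hook 'pre-push' timed out after ${_bd_timeout}s — continuing without beads"
+_bd_exit=0
+fi
+else
+bd hooks run pre-push "$@"
+_bd_exit=$?
+fi
+if [ $_bd_exit -eq 3 ]; then
+echo >&2 "beads: database not initialized — skipping hook 'pre-push'"
+_bd_exit=0
+fi
+if [ $_bd_exit -ne 0 ]; then exit $_bd_exit; fi
+fi
+# --- END BEADS INTEGRATION v1.0.2 ---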
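--- /dev/null
+++ b/.beads/hooks/prepare-commit-msg
@@ -0,0 +1,24 @@
+#!/usr/bin/env sh
+# --- BEGIN BEADS INTEGRATION v1.0.2 ---
+# This section is managed by beads. Do not remove these markers.
+if command -v bd >/dev/null 2>&1; then
+export BD_GIT_HOOK=1
+_bd_timeout=${BEADS_HOOK_TIMEOUT:-300}
+if command -v timeout >/dev/null 2>&1; then
+timeout "$_bd_timeout" bd hooks run prepare-commit-msg "$@"
+_bd_exit=$?
+if [ $_bd_exit -eq 124 ]; then
+echo >&2 "beads: hook 'prepare-commit-msg' timed out after ${_bd_timeout}s — continuing without beads"
+_bd_exit=0
+fi
+else
+bd hooks run prepare-commit-msg "$@"
+_bd_exit=$?
+fi
+if [ $_bd_exit -eq 3 ]; then
+echo >&2 "beads: database not initialized — skipping hook 'prepare-commit-msg'"
+_bd_exit=0
+fi
+if [ $_bd_exit -ne 0 ]; then exit $_bd_exit; fi
+fi
+# --- END BEADS INTEGRATION v1.0.2 ---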
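--- /dev/null
+++ b/.beads/issues.jsonl
@@ -0,0 +1,3 @@
+{"id":"home-profile-restructuring-edz","title":"Create copy-hermes-skills systemd service","status":"closed","priority":1,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":1,"created_at":"2026-04-26T12:30:10Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:44:42Z","started_at":"2026-04-26T12:36:30Z","closed_at":"2026-04-26T12:44:42Z","close_reason":"Created systemd service in hosts/m3-hermes/services/hermes-agent.nix - copies skills to /var/lib/hermes/.agents/skills before hermes-agent starts","labels":["hermes-agent","nixos"],"dependencies":[{"issue_id":"home-profile-restructuring-edz","depends_on_id":"home-profile-restructuring-ycz","type":"blocks","created_at":"2026-04-26T14:30:57Z","created_by":"m3tm3re","metadata":"{}"}],"dependency_count":1,"dependent_count":1,"comment_count":0}
+{"id":"home-profile-restructuring-ycz","title":"Build hermes-agent skills using mkOpencodeSkills","status":"closed","priority":1,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":2,"created_at":"2026-04-26T12:30:09Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:35:15Z","started_at":"2026-04-26T12:31:35Z","closed_at":"2026-04-26T12:35:15Z","close_reason":"Added inputs to module signature and defined hermesSkills via inputs.agents.lib.mkOpencodeSkills with basecamp, anthropic, and kestra external skills. Verified with nixos-rebuild dry-run --flake .#m3-hermes (no errors).","labels":["hermes-agent","nixos"],"dependency_count":0,"dependent_count":1,"comment_count":0}
+{"id":"home-profile-restructuring-cxa","title":"Verify skills available at /var/lib/hermes/.agents/skills","status":"closed","priority":2,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":1,"created_at":"2026-04-26T12:30:10Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:50:58Z","started_at":"2026-04-26T12:38:15Z","closed_at":"2026-04-26T12:50:58Z","close_reason":"Manually verified - skills are present at /var/lib/hermes/.agents/skills on m3-hermes","labels":["hermes-agent","testing"],"dependencies":[{"issue_id":"home-profile-restructuring-cxa","depends_on_id":"home-profile-restructuring-edz","type":"blocks","created_at":"2026-04-26T14:30:57Z","created_by":"m3tm3re","metadata":"{}"}],"dependency_count":1,"dependent_count":0,"comment_count":0}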
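--- /dev/null
+++ b/.beads/metadata.json
@@ -0,0 +1,7 @@
+{
+"database": "dolt",
+"backend": "dolt",
+"dolt_mode": "embedded",
+"dolt_database": "home_profile_restructuring",
+"project_id": "664fc7e3-94eb-4874-aab6-e47835abe9d8"
+}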
3
.gitattributes vendored Normal file

@@ -0,0 +1,3 @@
# Use bd merge for beads JSONL files
.beads/issues.jsonl merge=beads

46
.gitignore vendored Normal file

@@ -0,0 +1,46 @@
# Sisyphus work session data
.sisyphus/
# Editor files
*~
.*.swp
.*.swo
.*.swx
# Build artifacts
result
result-*
.direnv/
# IDE
.vscode/
.idea/
*.iml
# OS
.DS_Store
Thumbs.db
# Opencode rules
.opencode-rules
opencode.json
# AI agent state
.sidecar/
.sidecar-*
.sisyphus/
.sidecar-agent
.sidecar-task
.sidecar-pr
.sidecar-start.sh
.sidecar-base
.td-root
.cache
.pi*
.worktrees/
docs/plans/
# Beads / Dolt files (added by bd init)
.dolt/
*.db
.beads-credential-key
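Review bot: `.sisyphus/` is listed twice in this file (once under "Sisyphus work session data" and again under "AI agent state"), and the `.opencode-rules` and `.pi*` patterns ignore directories that the same commit documents as part of the repository: AGENTS.md lists `.opencode-rules/` and `.pi/` in the Structure tree and names `.opencode-rules/languages/nix.md` under Key Files, while coding-rules.json points every `instructions` entry at `.opencode-rules/concerns/*.md` and `.opencode-rules/languages/nix.md`. As committed, a fresh clone will not contain those rule files, so coding-rules.json references paths that do not exist in the repo; either drop the two ignore lines or stop documenting the directories as tracked. Note also that `.pi*` is a glob, not a directory pattern, so it ignores any entry whose name begins with `.pi`, which is probably wider than intended; `.pi/` would be the narrower form. The duplicate `.sisyphus/` line can simply be removed.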

445
AGENTS.md Normal file

@@ -0,0 +1,445 @@
# Agent Instructions
This project uses **bd** (beads) for issue tracking. Run `bd prime` for full workflow context.
## Quick Reference
```bash
bd ready # Find available work
bd show <id> # View issue details
bd update <id> --claim # Claim work atomically
bd close <id> # Complete work
bd dolt push # Push beads data to remote
```
## Non-Interactive Shell Commands
**ALWAYS use non-interactive flags** with file operations to avoid hanging on confirmation prompts.
Shell commands like `cp`, `mv`, and `rm` may be aliased to include `-i` (interactive) mode on some systems, causing the agent to hang indefinitely waiting for y/n input.
**Use these forms instead:**
```bash
# Force overwrite without prompting
cp -f source dest # NOT: cp source dest
mv -f source dest # NOT: mv source dest
rm -f file # NOT: rm file
# For recursive operations
rm -rf directory # NOT: rm -r directory
cp -rf source dest # NOT: cp -r source dest
```
**Other commands that may prompt:**
- `scp` - use `-o BatchMode=yes` for non-interactive
- `ssh` - use `-o BatchMode=yes` to fail instead of prompting
- `apt-get` - use `-y` flag
- `brew` - use `HOMEBREW_NO_AUTO_UPDATE=1` env var
<!-- BEGIN BEADS INTEGRATION v:1 profile:minimal hash:ca08a54f -->
## Beads Issue Tracker
This project uses **bd (beads)** for persistent task tracking. Run `bd prime` for full workflow context.
### Why Beads?
- **Prefer Beads over ad-hoc markdown TODO lists** — Beads provides structured, queryable, shareable issue tracking with dependency management
- **Never use `bd edit`** — it opens an interactive editor which blocks agent workflows
- **Use flags and stdin instead** — `bd update <id> --claim`, `bd create --title "..." --estimate 2`
### Slash Commands (Agent Workflow)
| Command | Purpose |
|---------|---------|
| `/beads:ready` | Find unblocked issues |
| `/beads:create` | Create a new issue |
| `/beads:update` | Update an issue (claim, status) |
| `/beads:close` | Close completed work |
| `/beads:stats` | Project-level snapshot |
### Core Workflow (6 Steps)
#### 1. Find Unblocked Work
```bash
bd ready --json
```
Lists issues with no blocking dependencies that are ready to work on.
#### 2. Claim Work
```bash
bd update <id> --claim
```
Atomically assigns the issue to you (sets status to "in-progress").
#### 3. Inspect Details
```bash
bd show <id>
```
View full issue details including:
- Description and acceptance criteria
- Blocking/blocked-by dependencies
- Time estimates
- Status history
#### 4. Create Newly Discovered Work
```bash
# Create a new issue
bd create \
--title "Fix audio on m3-helios" \
--estimate 2 \
--priority high \
--labels nixos,audio
# Link dependencies
bd dep <id> --blocks <blocked-id> # This issue blocks another
bd dep <id> --after <after-id> # This issue after another completes
bd dep <id> --requires <requires-id> # This issue requires another
```
#### 5. Complete Work
```bash
bd close <id> --reason "Added PulseAudio fallback to configuration.nix"
```
Provide a concise summary of what was done. The `--reason` is mandatory.
#### 6. Project Snapshot
```bash
bd status --json # Current state of all issues
bd stats # Metrics: velocity, cycle time, bottlenecks
```
### Example Complete Workflow
```bash
# Start session - find work
bd ready --json
# Claim available issue
bd update 42 --claim
# Do the work...
# Discover something else needed
bd create --title "Document hermes-agent setup" --estimate 1
# Link as related
bd dep 43 --after 42
# Complete original
bd close 42 --reason "Added Hyprland idle timeout config"
# Close related
bd close 43 --reason "Added setup docs to AGENTS.md"
# Push state to remote
bd dolt push
```
### Rules
- Use `bd` for ALL task tracking — do NOT use TodoWrite, TaskCreate, or markdown TODO lists
- Run `bd prime` for detailed command reference and session close protocol
- Use `bd remember` for persistent knowledge — do NOT use MEMORY.md files
## Session Completion
**When ending a work session**, you MUST complete ALL steps below. Work is NOT complete until `git push` succeeds.
**MANDATORY WORKFLOW:**
1. **File issues for remaining work** - Create issues for anything that needs follow-up
2. **Run quality gates** (if code changed) - Tests, linters, builds
3. **Update issue status** - Close finished work, update in-progress items
4. **PUSH TO REMOTE** - This is MANDATORY:
```bash
git pull --rebase
bd dolt push
git push
git status # MUST show "up to date with origin"
```
5. **Clean up** - Clear stashes, prune remote branches
6. **Verify** - All changes committed AND pushed
7. **Hand off** - Provide context for next session
**CRITICAL RULES:**
- Work is NOT complete until `git push` succeeds
- NEVER stop before pushing - that leaves work stranded locally
- NEVER say "ready to push when you are" - YOU must push
- If push fails, resolve and retry until it succeeds
<!-- END BEADS INTEGRATION -->
# Project Agent
**Workspace Path:** `/home/m3tam3re/p/NIX/nixos-config`
_(Note to Pi: Your file write/edit tools run in a different directory by default. You MUST use absolute paths starting with the Workspace Path above for ALL file operations!)_
**Generated:** 2026-04-26
---
## Stack
| Component | Version/Source |
| ---------------- | --------------------------------- |
| **Nixpkgs** | nixos-unstable + 25.05 stable |
| **Home Manager** | github:nix-community/home-manager |
| **m3ta-home** | code.m3ta.dev/m3tam3re/m3ta-home |
| **m3ta-nixpkgs** | code.m3ta.dev/m3tam3re/nixpkgs |
| **Agenix** | github:ryantm/agenix |
| **Disko** | github:nix-community/disko |
| **NUR** | github:nix-community/NUR |
| **Formatter** | alejandra |
| **Linters** | statix, deadnix |
| **IDE** | nixd |
| **Hermes Agent** | NousResearch/hermes-agent |
| **LLM Agents** | numtide/llm-agents.nix |
---
## Structure
```
nixos-config/
├── flake.nix # Entry point: hosts, overlays, dev shells, m3ta-home input
├── coding-rules.json # Opencode rules configuration
├── hosts/ # Per-host NixOS configurations
│ ├── common/ # Shared across all hosts
│ │ ├── users/
│ │ │ └── m3tam3re.nix # ← Central user + m3ta-home integration
│ │ ├── default.nix # Shared NixOS settings, overlays, home-manager setup
│ │ ├── ports.nix # Network ports config
│ │ └── extraServices/ # Common service toggles
│ ├── m3-ares/ # TUXEDO laptop (desktop)
│ │ └── home.nix # Hyprland: eDP-1 + HDMI, XDG/MIME
│ ├── m3-kratos/ # AMD desktop (desktop)
│ │ └── home.nix # Hyprland: dual DP, XDG/MIME
│ ├── m3-daedalus/ # Portable laptop (desktop, no Hyprland)
│ │ └── home.nix # XDG/MIME only
│ ├── m3-atlas/ # Primary server (server + coding)
│ ├── m3-helios/ # AdGuard DNS server (minimal server)
│ ├── m3-hermes/ # Secondary server (minimal server)
│ └── m3-aether/ # Cloud VM (minimal server)
├── modules/ # Reusable NixOS modules
│ └── nixos/ # NixOS-specific modules
├── overlays/ # Package overlays (stable/locked/master/pinned)
│ ├── default.nix
│ └── mods/
├── pkgs/ # Custom packages
├── secrets/ # Encrypted secrets (agenix)
│ └── secrets.nix
├── .opencode-rules/ # Opencode AI rules
│ ├── concerns/
│ ├── languages/nix.md
│ └── USAGE.md
└── .pi/ # Agent configuration
```
### Home-Manager Integration
Home-Manager configs are managed centrally in the **`m3ta-home`** repository:
- **Repo**: `code.m3ta.dev/m3tam3re/m3ta-home`
- **Docs**: See m3ta-home README for full documentation
What lives where:
| Concern | Location | Why |
|---------|----------|-----|
| Shell, CLI tools, editors, apps | `m3ta-home/profiles/` | Portable across all hosts |
| User identity (git, SSH, JJ) | `m3ta-home/users/` | Switchable: private vs work |
| Feature flags (enable/disable) | `nixos-config/hosts/common/users/m3tam3re.nix` | Per-host decisions |
| Monitor layouts, window rules | `nixos-config/hosts/<name>/home.nix` | Hardware-specific |
| XDG/MIME defaults | `nixos-config/hosts/<name>/home.nix` | Host-specific preferences |
| NixOS overlays | `nixos-config/overlays/` | System-level package management |
#### Host → Profile Mapping
Defined in `hosts/common/users/m3tam3re.nix`:
```nix
hostProfiles = {
# Desktop hosts
m3-ares = { context = "desktop"; sets = ["coding" "gaming" "media"]; };
m3-kratos = { context = "desktop"; sets = ["coding" "gaming" "media"]; };
m3-daedalus = { context = "desktop"; sets = ["coding" "media"]; };
# Server hosts
m3-atlas = { context = "server"; sets = ["coding"]; };
m3-helios = { context = "server"; sets = []; };
m3-hermes = { context = "server"; sets = []; };
m3-aether = { context = "server"; sets = []; };
};
```
#### Work Identity Use Case
The same `m3ta-home` repo supports a **work identity** for company machines:
```nix
# On a work NixOS machine:
(m3ta-lib.mkHome {
user = "m3tam3re";
identity = "work"; # ← switches git to sascha.koenig, SSH to AZ hosts
context = "desktop";
sets = ["coding"];
})
```
This provides the familiar shell/editor/CLI setup but with work git credentials and SSH configuration.
---
## Commands
| Action | Command | Notes |
| -------------------- | ---------------------------------------------------------------------- | ------------------------------------------------- |
| **Enter dev shell** | `nix develop` | Includes alejandra, nixd, agenix, statix, deadnix |
| **Build host** | `sudo nixos-rebuild switch --flake .#m3-ares` | Replace hostname as needed |
| **Dry run build** | `sudo nixos-rebuild dry-run --flake .#m3-ares` | Validate without applying |
| **List hosts** | `nix flake show` | Shows all NixOS configurations |
| **Update flake** | `sudo nixos-rebuild switch --flake .#m3-ares --update-input nixpkgs` | Update specific input |
| **Format code** | `alejandra .` | Run before committing |
| **Check lint** | `statix check .` | Run statix for antipatterns |
| **Remove dead code** | `deadnix -w .` | Clean up unused let bindings |
| **Build ISO** | `nix build .#nixosConfigurations.m3-ares.config.system.build.isoImage` | Generate install ISO |
---
## Conventions
### Formatting & Style
- **Formatter:** `alejandra` (mandatory, run before commits)
- **Indentation:** 2 spaces (alejandra default)
- **Variables:** camelCase (e.g., `maxRetryAttempts`)
- **Types/Modules:** PascalCase (e.g., `MyService`)
- **Constants:** UPPER_SNAKE_CASE (e.g., `MAX_RETRIES`)
- **Files:** hyphen-case (e.g., `my-file.nix`)
### Nix Module Patterns
```nix
{ config, lib, pkgs, ... }:
{
options.myService.enable = lib.mkEnableOption "my service";
config = lib.mkIf config.myService.enable {
services.myService.enable = true;
};
}
```
### Conditionals
```nix
config = lib.mkMerge [
(lib.mkIf cfg.enable { ... })
(lib.mkIf cfg.extraConfig { ... })
];
```
### Anti-Patterns (AVOID)
- **Never use `with pkgs;`** — always use explicit package references
- **Never use `builtins.fetchTarball`** — use flake inputs instead
- **Never use `import <nixpkgs>`** — always use inputs
- **Never use `builtins.getAttr/hasAttr`** — use `lib.attrByPath` or `lib.optionalAttrs`
- **Avoid anonymous functions in config** — extract to named lets
### Imports
- Use flake inputs for dependencies (e.g., `inputs.home-manager.nixosModules.home-manager`)
- Import relative paths with `./` or `../`
- Never use absolute paths in imports
### Secrets
- Secrets managed via **agenix** in `secrets/` directory
- Never commit plaintext secrets
- Use `.nix` extension for secret files
### Flake Input URLs
All `code.m3ta.dev` inputs use **SSH** URLs:
```nix
url = "git+ssh://gitea@code.m3ta.dev/m3tam3re/<repo>";
```
Anonymous HTTPS git on Gitea is unreliable and prompts for auth. SSH works with configured keys.
---
## Key Files
| File | Purpose |
| ---------------------------------- | ------------------------------------------------------------------------------------------ |
| `flake.nix` | Central entry point defining all hosts, overlays, packages, dev shells, and nixpkgs config |
| `hosts/common/default.nix` | Shared Nix settings, nixpkgs overlays, home-manager setup (`useGlobalPkgs = true`) |
| `hosts/common/users/m3tam3re.nix` | User definition + m3ta-home mkHome integration + per-host feature flags |
| `hosts/<name>/home.nix` | Host-specific overrides: monitors, workspaces, window rules, XDG/MIME |
| `overlays/default.nix` | Package version overrides (stable/locked/master branches) |
| `.opencode-rules/languages/nix.md` | Nix-specific conventions and patterns |
---
## What to Avoid
1. **Don't modify `flake.lock`** directly — use `nix flake update`
2. **Don't use impure operations** — this is a pure flake-based config
3. **Don't commit without formatting** — always run `alejandra .` first
4. **Don't add packages to hosts directly** — prefer adding to overlays or using NUR
5. **Don't hardcode paths** — use `inputs` and relative imports
6. **Don't create monolithic modules** — keep functions under 20 lines
7. **Don't skip the dry-run** — always test with `--dry-run` before switching
8. **Don't use lib.mkDefault lightly** — understand the precedence implications
---
## Notes
### Adding a New Host
1. Add entry to `flake.nix` → `nixosConfigurations`
2. Create directory in `hosts/` with:
- `default.nix` — imports common + specific configs
- `configuration.nix` — host-specific system config
- `hardware-configuration.nix` — from `nixos-generate-config`
- `programs.nix`, `services/`, `secrets.nix` as needed
3. Add entry to `hostProfiles` in `hosts/common/users/m3tam3re.nix`
4. Add feature flags in the `hostFlags` section
5. Create `hosts/<name>/home.nix` if the host needs monitor/XDG overrides
6. Run `sudo nixos-generate-config --dir ./hosts/new-host` first time
### Adding a New Package
1. For simple packages: add to appropriate overlay in `overlays/default.nix`
2. For complex packages: create in `pkgs/` directory
3. For upstream packages: use NUR or add as flake input
### Adding a New Home-Manager Feature
1. Create the module in `m3ta-home` under the appropriate profile directory
2. Add the import to the parent `default.nix` in m3ta-home
3. Enable it per-host via feature flags in `hosts/common/users/m3tam3re.nix`
### Development Workflow
1. Edit config files
2. Run `alejandra .` to format
3. Run `statix check .` for linting
4. Run `sudo nixos-rebuild dry-run --flake .#m3-ares`
5. If successful: `sudo nixos-rebuild switch --flake .#m3-ares`
### Remote Building
```bash
# Build on remote machine
nix copy --to ssh://user@host .#nixosConfigurations.m3-ares.config.system.build.toplevel
ssh user@host 'sudo nixos-rebuild switch --flake /nix/store/...-closure'
```

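--- /dev/null
+++ b/coding-rules.json
@@ -0,0 +1 @@
+{"$schema":"https://opencode.ai/config.json","instructions":[".opencode-rules/concerns/coding-style.md",".opencode-rules/concerns/naming.md",".opencode-rules/concerns/documentation.md",".opencode-rules/concerns/testing.md",".opencode-rules/concerns/git-workflow.md",".opencode-rules/concerns/project-structure.md",".opencode-rules/languages/nix.md"]}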
1381
flake.lock generated


132
flake.nix

@@ -16,10 +16,20 @@
inputs.nixpkgs.follows = "nixpkgs";
};
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.05";
nixpkgs-b69de56.url = "github:nixos/nixpkgs/b69de56fac8c2b6f8fd27f2eca01dcda8e0a4221";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-25.11";
nixpkgs-45570c2.url = "github:nixos/nixpkgs/45570c299dc2b63c8c574c4cd77f0b92f7e2766e";
nixpkgs-locked.url = "github:nixos/nixpkgs/2744d988fa116fc6d46cdfa3d1c936d0abd7d121";
nixpkgs-9e58ed7.url = "github:nixos/nixpkgs/9e58ed7ba759d81c98f033b7f5eba21ca68f53b0";
nixpkgs-master.url = "github:nixos/nixpkgs/master";
m3ta-nixpkgs.url = "git+ssh://gitea@code.m3ta.dev/m3tam3re/nixpkgs";
llm-agents.url = "github:numtide/llm-agents.nix";
#
nur = {
url = "github:nix-community/NUR";
inputs.nixpkgs.follows = "nixpkgs";
};
agenix.url = "github:ryantm/agenix";
disko = {
@@ -27,21 +37,58 @@
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-generators = {url = "github:nix-community/nixos-generators";};
hyprpanel.url = "github:Jas-SinghFSU/HyprPanel";
rose-pine-hyprcursor.url = "github:ndom91/rose-pine-hyprcursor";
nix-colors.url = "github:misterio77/nix-colors";
dotfiles = {
url = "git+https://code.m3tam3re.com/m3tam3re/dotfiles.git";
m3ta-home = {
url = "git+ssh://gitea@code.m3ta.dev/m3tam3re/m3ta-home";
inputs.nixpkgs.follows = "nixpkgs";
};
agents = {
# url = "path:/home/m3tam3re/p/AI/AGENTS";
url = "git+ssh://gitea@code.m3ta.dev/m3tam3re/AGENTS";
};
## Skills
skills-basecamp = {
url = "github:basecamp/basecamp-cli";
flake = false;
};
skills-anthropic = {
url = "github:anthropics/skills";
flake = false;
};
skills-kestra = {
url = "github:kestra-io/agent-skills";
flake = false;
};
skills-superpowers = {
url = "github:obra/superpowers";
flake = false;
};
skills-vercel = {
url = "github:vercel-labs/skills";
flake = false;
};
hermes-agent.url = "github:NousResearch/hermes-agent/v2026.4.30";
rustfs = {
url = "github:rustfs/rustfs-flake";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = {
self,
agenix,
dotfiles,
home-manager,
nixpkgs,
m3ta-nixpkgs,
nur,
agents,
...
} @ inputs: let
inherit (self) outputs;
@@ -53,51 +100,114 @@
"x86_64-darwin"
];
forAllSystems = nixpkgs.lib.genAttrs systems;
allOverlays = import ./overlays {inherit inputs outputs;};
in {
packages =
forAllSystems (system: import ./pkgs nixpkgs.legacyPackages.${system});
overlays = import ./overlays {inherit inputs outputs;};
overlays = builtins.removeAttrs allOverlays ["mkLlmAgentsOverlay"];
lib.mkLlmAgentsOverlay = allOverlays.mkLlmAgentsOverlay;
homeManagerModules = import ./modules/home-manager;
nixosConfigurations = {
m3-ares = nixpkgs.lib.nixosSystem {
specialArgs = {
inherit inputs outputs;
system = "x86_64-linux";
hostname = "m3-ares";
};
modules = [
./hosts/m3-ares
agenix.nixosModules.default
m3ta-nixpkgs.nixosModules.default
inputs.hermes-agent.nixosModules.default
];
};
m3-atlas = nixpkgs.lib.nixosSystem {
specialArgs = {
inherit inputs outputs;
system = "x86_64-linux";
};
modules = [
./hosts/m3-atlas
inputs.disko.nixosModules.disko
agenix.nixosModules.default
m3ta-nixpkgs.nixosModules.default
inputs.rustfs.nixosModules.rustfs
];
};
m3-kratos = nixpkgs.lib.nixosSystem {
specialArgs = {
inherit inputs outputs;
system = "x86_64-linux";
hostname = "m3-kratos";
};
modules = [
./hosts/m3-kratos
agenix.nixosModules.default
nur.modules.nixos.default
m3ta-nixpkgs.nixosModules.default
inputs.hermes-agent.nixosModules.default
];
};
m3-helios = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs outputs;};
system = "x86_64-linux";
specialArgs = {
inherit inputs outputs;
system = "x86_64-linux";
};
modules = [
./hosts/m3-helios
inputs.disko.nixosModules.disko
agenix.nixosModules.default
m3ta-nixpkgs.nixosModules.default
];
};
m3-hermes = nixpkgs.lib.nixosSystem {
specialArgs = {
inherit inputs outputs;
system = "x86_64-linux";
};
modules = [
./hosts/m3-hermes
inputs.disko.nixosModules.disko
agenix.nixosModules.default
m3ta-nixpkgs.nixosModules.default
inputs.hermes-agent.nixosModules.default
];
};
};
homeConfigurations = {
"m3tam3re@m3-ares" = home-manager.lib.homeManagerConfiguration {
"m3tam3re@m3-daedalus" = home-manager.lib.homeManagerConfiguration {
pkgs = nixpkgs.legacyPackages."x86_64-linux";
extraSpecialArgs = {
inherit inputs outputs;
hostname = "m3-ares";
system = "x86_64-linux";
hostname = "m3-daedalus";
};
modules = [./home/m3tam3re/m3tam3re-ares.nix];
modules = [./home/m3tam3re/m3-daedalus.nix];
};
};
devShells = forAllSystems (system: let
pkgs = import nixpkgs {
inherit system;
config.allowUnfree = true; # Allow unfree packages in devShell
};
m3taLib = m3ta-nixpkgs.lib.x86_64-linux;
rules = m3taLib.coding-rules.mkCodingRules {
inherit agents;
languages = ["nix"];
};
in {
default = pkgs.mkShell {
buildInputs = with pkgs; [
alejandra
nixd
openssh
agenix.packages.${system}.default
statix
deadnix
];
inherit (rules) instructions shellHook;
};
});
};
}
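Review bot: The `m3tam3re@m3-daedalus` homeConfiguration still lists `./home/m3tam3re/m3-daedalus.nix` in its `modules`, while the other commits in this compare remove the `home/` tree and move per-host overrides to `hosts/<name>/home.nix`; if that path was deleted as well, every evaluation of `homeConfigurations` fails on the missing file, so the entry should point at the surviving location (or be dropped if the host is now covered by the NixOS-side home-manager integration). Likewise `dotfiles,` in the `outputs` argument set appears to survive although the `dotfiles` input is replaced by `m3ta-home`; if the input is gone, Nix rejects the call for a missing required argument, so remove it from the pattern (the trailing `...` already absorbs inputs that are not named). On the supply-chain side, `rustfs` and the five `skills-*` inputs follow their repositories' default branches, so a routine `nix flake update` pulls whatever those third parties currently publish into an S3 service and into agent tooling; pinning them to a revision or tag, as `hermes-agent` is pinned to `v2026.4.30`, turns such an update into a deliberate, reviewable step. The `inputs` attribute set starts before the first hunk of this file.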


@@ -1,47 +0,0 @@
{
lib,
outputs,
pkgs,
...
}: {
imports = [
(import
../../modules/home-manager/zellij-ps.nix)
]; #imports = builtins.attrValues outputs.homeManagerModules;
nixpkgs = {
# You can add overlays here
overlays = [
# Add overlays your own flake exports (from overlays and pkgs dir):
outputs.overlays.additions
outputs.overlays.modifications
outputs.overlays.stable-packages
outputs.overlays.pinned-packages
outputs.overlays.master-packages
# You can also add overlays exported from other flakes:
# neovim-nightly-overlay.overlays.default
# Or define it inline, for example:
# (final: prev: {
# hi = final.hello.overrideAttrs (oldAttrs: {
# patches = [ ./change-hello-to-hi.patch ];
# });
# })
];
# Configure your nixpkgs instance
config = {
# Disable if you don't want unfree packages
allowUnfree = true;
# Workaround for https://github.com/nix-community/home-manager/issues/2942
allowUnfreePredicate = _: true;
};
};
nix = {
package = lib.mkDefault pkgs.nix;
settings = {
experimental-features = ["nix-command" "flakes"];
warn-dirty = false;
};
};
}


@@ -1,85 +0,0 @@
{
config,
pkgs,
...
}: {
imports = [
./fish.nix
./fzf.nix
./neofetch.nix
./secrets.nix
./starship.nix
./zellij.nix
];
programs.zoxide = {
enable = true;
enableFishIntegration = true;
};
programs.neovim = {
enable = true;
defaultEditor = true;
viAlias = true;
vimAlias = true;
vimdiffAlias = true;
withNodeJs = true;
withPython3 = true;
};
programs.bat = {enable = true;};
programs.eza = {
enable = true;
enableFishIntegration = true;
enableBashIntegration = true;
extraOptions = ["-l" "--icons" "--git" "-a"];
};
programs.lf = {
enable = true;
settings = {
preview = true;
drawbox = true;
hidden = true;
icons = true;
theme = "Dracula";
previewer = "bat";
};
};
home.packages = with pkgs; [
alejandra
bc
comma
coreutils
devenv
direnv
fabric-ai
fd
gcc
go
htop
httpie
jq
just
lazygit
llm
lf
nix-index
procs
progress
ripgrep
rocmPackages.rocm-smi
rocmPackages.rocminfo
tldr
trash-cli
unimatrix
unzip
wttrbar
wireguard-tools
yazi
zellij-ps
zip
];
}


@@ -1,73 +0,0 @@
{
config,
lib,
...
}:
with lib; let
cfg = config.features.cli.fish;
in {
options.features.cli.fish.enable = mkEnableOption "enable fish shell";
config = mkIf cfg.enable {
programs.fish = {
enable = true;
loginShellInit = ''
set -x NIX_PATH nixpkgs=channel:nixos-unstable
set -x NIX_LOG info
set -x WEBKIT_DISABLE_COMPOSITING_MODE 1
set -x TERMINAL kitty
set -x EDITOR nvim
set -x VISUAL zed
set -x XDG_DATA_HOME $HOME/.local/share
set -x FZF_CTRL_R_OPTS "
--preview='bat --color=always -n {}'
--preview-window up:3:hidden:wrap
--bind 'ctrl-/:toggle-preview'
--bind 'ctrl-y:execute-silent(echo -n {2..} | wl-copy)+abort'
--color header:bold
--header 'Press CTRL-Y to copy command into clipboard'"
set -x FZF_DEFAULT_COMMAND fd --type f --exclude .git --follow --hidden
set -x FZF_CTRL_T_COMMAND "$FZF_DEFAULT_COMMAND"
set -x FLAKE $HOME/p/nixos/nixos-config
if test (tty) = "/dev/tty1"
exec Hyprland &> /dev/null
end
'';
shellAbbrs = {
".." = "cd ..";
"..." = "cd ../..";
b = "yazi";
ls = "eza";
l = "eza -l --icons --git -a";
lt = "eza --tree --level=2 --long --icons --git";
grep = "rg";
ps = "procs";
just = "just --unstable";
fs = "du -ah . | sort -hr | head -n 10";
n = "nix";
nd = "nix develop -c $SHELL";
ns = "nix shell";
nsn = "nix shell nixpkgs#";
nb = "nix build";
nbn = "nix build nixpkgs#";
nf = "nix flake";
nr = "sudo nixos-rebuild --flake .";
nrs = "sudo nixos-rebuild switch --flake .#(uname -n)";
snr = "sudo nixos-rebuild --flake .";
snrs = "sudo nixos-rebuild --flake . switch";
hm = "home-manager --flake .";
hms = "home-manager --flake . switch";
hmr = "cd ~/projects/nix-configurations; nix flake lock --update-input dotfiles; home-manager --flake .#(whoami)@(hostname) switch";
tsu = "sudo tailscale up";
tsd = "sudo tailscale down";
vi = "nvim";
vim = "nvim";
};
};
};
}


@@ -1,37 +0,0 @@
{
config,
lib,
...
}:
with lib; let
cfg = config.features.cli.fzf;
in {
options.features.cli.fzf.enable = mkEnableOption "enable fuzzy finder";
config = mkIf cfg.enable {
programs.fzf = {
enable = true;
enableFishIntegration = true;
colors = {
"fg" = "#f8f8f2";
"bg" = "#282a36";
"hl" = "#bd93f9";
"fg+" = "#f8f8f2";
"bg+" = "#44475a";
"hl+" = "#bd93f9";
"info" = "#ffb86c";
"prompt" = "#50fa7b";
"pointer" = "#ff79c6";
"marker" = "#ff79c6";
"spinner" = "#ffb86c";
"header" = "#6272a4";
};
defaultOptions = [
"--preview='bat --color=always -n {}'"
"--bind 'ctrl-/:toggle-preview'"
];
defaultCommand = "fd --type f --exclude .git --follow --hidden";
changeDirWidgetCommand = "fd --type d --exclude .git --follow --hidden";
};
};
}


@@ -1,15 +0,0 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.features.cli.neofetch;
in {
options.features.cli.neofetch.enable = mkEnableOption "enable neofetch";
config = mkIf cfg.enable {
home.packages = with pkgs; [neofetch];
};
}


@@ -1,21 +0,0 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.features.cli.secrets;
in {
options.features.cli.secrets.enable = mkEnableOption "enable secrets";
config = mkIf cfg.enable {
programs.password-store = {
enable = true;
package =
pkgs.pass-wayland.withExtensions
(exts: [exts.pass-otp exts.pass-import]);
};
home.packages = with pkgs; [pinentry];
};
}


@@ -1,17 +0,0 @@
{
config,
lib,
...
}:
with lib; let
cfg = config.features.cli.starship;
in {
options.features.cli.starship.enable = mkEnableOption "enable starship prompt";
config = mkIf cfg.enable {
programs.starship = {
enable = true;
enableFishIntegration = true;
};
};
}


@@ -1,16 +0,0 @@
{
config,
lib,
...
}:
with lib; let
cfg = config.features.cli.zellij;
in {
options.features.cli.zellij.enable = mkEnableOption "enable tmux";
config = mkIf cfg.enable {
programs.zellij = {
enable = true;
};
};
}


@@ -1,8 +0,0 @@
{pkgs, ...}: {
home.packages = with pkgs; [
nixd
alejandra
tailwindcss
tailwindcss-language-server
];
}


@@ -1,3 +0,0 @@
{pkgs, ...}: {
home.packages = with pkgs; [pinned.bruno zed-editor];
}


@@ -1,128 +0,0 @@
{pkgs, ...}: {
imports = [
./coding.nix
./fonts.nix
./gaming.nix
./hyprland.nix
./media.nix
./office.nix
./rofi.nix
./theme.nix
./wayland.nix
./wofi.nix
];
xdg = {
enable = true;
configFile."mimeapps.list".force = true;
mimeApps = {
enable = true;
associations.added = {
"application/zip" = ["org.gnome.FileRoller.desktop"];
"application/csv" = ["calc.desktop"];
"application/pdf" = ["okularApplication_pdf.desktop"];
};
defaultApplications = {
"application/zip" = ["org.gnome.FileRoller.desktop"];
"application/csv" = ["calc.desktop"];
"application/pdf" = ["okularApplication_pdf.desktop"];
"application/md" = ["nvim.desktop"];
"application/text" = ["nvim.desktop"];
"x-scheme-handler/http" = ["io.github.zen_browser.zen"];
"x-scheme-handler/https" = ["io.github.zen_browser.zen"];
};
};
userDirs = {
enable = true;
createDirectories = true;
};
};
home.sessionVariables = {
WEBKIT_DISABLE_COMPOSITING_MODE = "1";
NIXOS_OZONE_WL = "1";
TERMINAL = "kitty";
QT_QPA_PLATFORM = "wayland";
};
home.sessionPath = ["\${XDG_BIN_HOME}" "\${HOME}/.cargo/bin" "$HOME/.npm-global/bin"];
fonts.fontconfig.enable = true;
services.mako = {
enable = true;
backgroundColor = "#282a36";
textColor = "#80FFEA";
borderColor = "#9742b5";
width = 400;
height = 150;
padding = "10,20";
borderRadius = 8;
borderSize = 1;
margin = "20,20";
};
programs.kitty = {
enable = true;
shellIntegration = {
enableFishIntegration = true;
enableBashIntegration = true;
};
font = {name = "Fira Code";};
themeFile = "Dracula";
settings = {copy_on_select = "yes";};
};
home.pointerCursor = {
gtk.enable = true;
package = pkgs.bibata-cursors;
name = "Bibata-Modern-Ice";
size = 20;
};
home.packages = with pkgs; [
appimage-run
anytype
# blueberry
brave
# brightnessctl
# clipman
distrobox
# eww
# firefox-devedition
file-roller
hyprpanel
seahorse
sushi
# glib
# google-chrome
# gsettings-desktop-schemas
# graphviz
# ksnip
nwg-look
# pamixer
# pavucontrol
# libsForQt5.qtstyleplugins
# stable.nyxt
# pcmanfm
protonmail-desktop
rose-pine-hyprcursor
# qt5ct
# qt6.qtwayland
#rustdesk
# socat
# unrar
# unzip
# usbutils
# v4l-utils
remmina
slack
telegram-desktop
ungoogled-chromium
# wl-clipboard
# wlogout
# wtype
# xdg-utils
# ydotool
# zip
];
}


@@ -1,23 +0,0 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.features.desktop.fonts;
in {
options.features.desktop.fonts.enable =
mkEnableOption "install additional fonts for desktop apps";
config = mkIf cfg.enable {
home.packages = with pkgs; [
fira-code
fira-code-symbols
nerd-fonts.fira-code
font-manager
font-awesome_5
noto-fonts
];
};
}


@@ -1,20 +0,0 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.features.desktop.gaming;
in {
options.features.desktop.gaming.enable =
mkEnableOption "install gaming related stuff";
config = mkIf cfg.enable {
home.packages = with pkgs; [
goverlay
mangohud
protonup-ng
];
};
}


@@ -1,184 +0,0 @@
{
wayland.windowManager.hyprland = {
settings = {
xwayland = {
force_zero_scaling = true;
};
exec-once = [
"hyprpanel"
"hyprpaper"
"hypridle"
"wl-paste -p -t text --watch clipman store -P --histpath=\"~/.local/share/clipman-primary.json\""
];
env = [
"XCURSOR_SIZE,32"
"HYPRCURSOR_THEME,Bibata-Modern-Ice"
"WLR_NO_HARDWARE_CURSORS,1"
"GTK_THEME,Dracula"
];
input = {
kb_layout = "de,us";
kb_variant = "";
kb_model = "";
kb_rules = "";
kb_options = "ctrl:nocaps";
follow_mouse = 1;
};
general = {
gaps_in = 5;
gaps_out = 5;
border_size = 1;
"col.active_border" = "rgba(9742b5ee) rgba(9742b5ee) 45deg";
"col.inactive_border" = "rgba(595959aa)";
layout = "dwindle";
};
decoration = {
shadow = {
enabled = true;
range = 60;
render_power = 3;
color = "rgba(1E202966)";
offset = "1 2";
scale = 0.97;
};
rounding = 8;
blur = {
enabled = true;
size = 3;
passes = 3;
};
active_opacity = 0.9;
inactive_opacity = 0.5;
};
animations = {
enabled = true;
bezier = "myBezier, 0.05, 0.9, 0.1, 1.05";
animation = [
"windows, 1, 7, myBezier"
"windowsOut, 1, 7, default, popin 80%"
"border, 1, 10, default"
"borderangle, 1, 8, default"
"fade, 1, 7, default"
"workspaces, 1, 6, default"
];
};
dwindle = {
pseudotile = true;
preserve_split = true;
};
master = {
new_status = "master";
};
gestures = {
workspace_swipe = false;
};
device = [
{
name = "epic-mouse-v1";
sensitivity = -0.5;
}
{
name = "zsa-technology-labs-moonlander-mark-i";
kb_layout = "us";
}
{
name = "keychron-keychron-k7";
kb_layout = "us";
}
];
windowrule = [
"float, file_progress"
"float, confirm"
"float, dialog"
"float, download"
"float, notification"
"float, error"
"float, splash"
"float, confirmreset"
"float, title:Open File"
"float, title:branchdialog"
"float, Lxappearance"
"float, Wofi"
"float, dunst"
"animation none,Wofi"
"float,viewnior"
"float,feh"
"float, pavucontrol-qt"
"float, pavucontrol"
"float, file-roller"
"fullscreen, wlogout"
"float, title:wlogout"
"fullscreen, title:wlogout"
"idleinhibit focus, mpv"
"idleinhibit fullscreen, firefox"
"float, title:^(Media viewer)$"
"float, title:^(Volume Control)$"
"float, title:^(Picture-in-Picture)$"
"size 800 600, title:^(Volume Control)$"
"move 75 44%, title:^(Volume Control)$"
];
"$mainMod" = "SUPER";
bind = [
"$mainMod, return, exec, kitty -e zellij-ps"
"$mainMod, t, exec, kitty -e fish -c 'neofetch; exec fish'"
"$mainMod SHIFT, e, exec, kitty -e zellij_nvim"
"$mainMod, o, exec, hyprctl setprop activewindow opaque toggle"
"$mainMod, b, exec, thunar"
"$mainMod, Escape, exec, wlogout -p layer-shell"
"$mainMod, Space, togglefloating"
"$mainMod, q, killactive"
"$mainMod, M, exit"
"$mainMod, F, fullscreen"
"$mainMod, V, togglefloating"
"$mainMod, D, exec, rofi -show"
"$mainMod SHIFT, S, exec, bemoji"
"$mainMod, P, exec, rofi-pass"
"$mainMod SHIFT, P, pseudo"
"$mainMod, J, togglesplit"
"$mainMod, h, movefocus, l"
"$mainMod, l, movefocus, r"
"$mainMod, k, movefocus, u"
"$mainMod, j, movefocus, d"
"$mainMod, 1, workspace, 1"
"$mainMod, 2, workspace, 2"
"$mainMod, 3, workspace, 3"
"$mainMod, 4, workspace, 4"
"$mainMod, 5, workspace, 5"
"$mainMod, 6, workspace, 6"
"$mainMod, 7, workspace, 7"
"$mainMod, 8, workspace, 8"
"$mainMod, 9, workspace, 9"
"$mainMod, 0, workspace, 10"
"$mainMod SHIFT, 1, movetoworkspace, 1"
"$mainMod SHIFT, 2, movetoworkspace, 2"
"$mainMod SHIFT, 3, movetoworkspace, 3"
"$mainMod SHIFT, 4, movetoworkspace, 4"
"$mainMod SHIFT, 5, movetoworkspace, 5"
"$mainMod SHIFT, 6, movetoworkspace, 6"
"$mainMod SHIFT, 7, movetoworkspace, 7"
"$mainMod SHIFT, 8, movetoworkspace, 8"
"$mainMod SHIFT, 9, movetoworkspace, 9"
"$mainMod SHIFT, 0, movetoworkspace, 10"
"$mainMod, mouse_down, workspace, e+1"
"$mainMod, mouse_up, workspace, e-1"
];
bindm = [
"$mainMod, mouse:272, movewindow"
"$mainMod, mouse:273, resizewindow"
];
};
};
}


@@ -1,54 +0,0 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.features.desktop.media;
in {
options.features.desktop.media.enable =
mkEnableOption "enable media features";
config = mkIf cfg.enable {
home.packages = with pkgs; [
# handbrake
# kdePackages.kdenlive
# makemkv
# mediainfo
amf
blueberry
ffmpeg_6-full
gst_all_1.gstreamer
gst_all_1.gst-vaapi
handbrake
inkscape
kdePackages.kdenlive
krita
makemkv
mpv
pamixer
pavucontrol
qpwgraph
v4l-utils
plexamp
spotify
# uxplay
# vlc
# webcord
# yt-dlp
unimatrix
];
programs.obs-studio = {
enable = true;
plugins = with pkgs.obs-studio-plugins; [
input-overlay
obs-gstreamer
obs-vaapi
obs-vkcapture
wlrobs
];
};
};
}


@@ -1,18 +0,0 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.features.desktop.office;
in {
options.features.desktop.office.enable =
mkEnableOption "install office and paperwork stuff";
config = mkIf cfg.enable {
home.packages = with pkgs; [
libreoffice-fresh
];
};
}


@@ -1,38 +0,0 @@
{
config,
pkgs,
lib,
...
}:
with lib; let
cfg = config.features.desktop.rofi;
in {
options.features.desktop.rofi.enable = mkEnableOption "enable rofi";
config = mkIf cfg.enable {
programs.rofi = with pkgs; {
enable = true;
package = rofi.override {
plugins = [
rofi-calc
rofi-emoji
rofi-file-browser
];
};
pass = {
enable = true;
package = rofi-pass-wayland;
};
terminal = "\${pkgs.kitty}/bin/kitty";
font = "Fira Code";
extraConfig = {
show-icons = true;
disable-history = false;
modi = "drun,calc,emoji,filebrowser";
kb-primary-paste = "Control+V,Shift+Insert";
kb-secondary-paste = "Control+v,Insert";
};
theme = "dracula";
};
};
}


@@ -1,17 +0,0 @@
{pkgs, ...}: {
qt = {
enable = true;
platformTheme.name = "gtk";
};
gtk = {
enable = true;
theme = {
name = "Dracula";
package = pkgs.dracula-theme;
};
iconTheme = {
name = "Dracula";
package = pkgs.dracula-icon-theme;
};
};
}


@@ -1,286 +0,0 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.features.desktop.wayland;
in {
options.features.desktop.wayland.enable = mkEnableOption "wayland extra tools and config";
config = mkIf cfg.enable {
programs.waybar = {
enable = true;
style = ''
@define-color background-darker rgba(30, 31, 41, 230);
@define-color background #282a36;
@define-color selection #44475a;
@define-color foreground #f8f8f2;
@define-color comment #6272a4;
@define-color cyan #8be9fd;
@define-color green #50fa7b;
@define-color orange #ffb86c;
@define-color pink #ff79c6;
@define-color purple #bd93f9;
@define-color red #ff5555;
@define-color yellow #f1fa8c;
* {
border: none;
border-radius: 0;
font-family: FiraCode Nerd Font;
font-weight: bold;
font-size: 14px;
min-height: 0;
}
window#waybar {
background: rgba(21, 18, 27, 0);
color: #cdd6f4;
}
tooltip {
background: #1e1e2e;
border-radius: 10px;
border-width: 2px;
border-style: solid;
border-color: #11111b;
}
#workspaces button {
padding: 5px;
color: #313244;
margin-right: 5px;
}
#workspaces button.active {
color: #11111b;
background: #a6e3a1;
border-radius: 10px;
}
#workspaces button.focused {
color: #a6adc8;
background: #eba0ac;
border-radius: 10px;
}
#workspaces button.urgent {
color: #11111b;
background: #a6e3a1;
border-radius: 10px;
}
#workspaces button:hover {
background: #11111b;
color: #cdd6f4;
border-radius: 10px;
}
#custom-language,
#custom-updates,
#custom-caffeine,
#custom-weather,
#window,
#clock,
#battery,
#pulseaudio,
#network,
#workspaces,
#tray,
#backlight {
background: #1e1e2e;
padding: 0px 10px;
margin: 3px 0px;
margin-top: 10px;
border: 1px solid #181825;
}
#tray {
border-radius: 10px;
margin-right: 10px;
}
#workspaces {
background: #1e1e2e;
border-radius: 10px;
margin-left: 10px;
padding-right: 0px;
padding-left: 5px;
}
#custom-caffeine {
color: #89dceb;
border-radius: 10px 0px 0px 10px;
border-right: 0px;
margin-left: 10px;
}
#custom-language {
color: #f38ba8;
border-left: 0px;
border-right: 0px;
}
#custom-updates {
color: #f5c2e7;
border-left: 0px;
border-right: 0px;
}
#window {
border-radius: 10px;
margin-left: 60px;
margin-right: 60px;
}
#clock {
color: #fab387;
border-radius: 10px 0px 0px 10px;
margin-left: 0px;
border-right: 0px;
}
#network {
color: #f9e2af;
border-left: 0px;
border-right: 0px;
}
#pulseaudio {
color: #89b4fa;
border-left: 0px;
border-right: 0px;
}
#pulseaudio.microphone {
color: #cba6f7;
border-left: 0px;
border-right: 0px;
}
#battery {
color: #a6e3a1;
border-radius: 0 10px 10px 0;
margin-right: 10px;
border-left: 0px;
}
#custom-weather {
border-radius: 0px 10px 10px 0px;
border-right: 0px;
margin-left: 0px;
}
'';
settings = {
mainbar = {
layer = "top";
position = "top";
mod = "dock";
exclusive = true;
passthrough = false;
gtk-layer-shell = true;
height = 0;
modules-left = ["clock" "custom/weather" "hyprland/workspaces"];
modules-center = ["hyprland/window"];
modules-right = [
"tray"
"custom/language"
"battery"
"backlight"
"pulseaudio"
"pulseaudio#microphone"
];
"hyprland/window" = {
format = "👉 {}";
seperate-outputs = true;
};
"hyprland/workspaces" = {
disable-scroll = true;
all-outputs = true;
on-click = "activate";
format = " {name} {icon} ";
on-scroll-up = "hyprctl dispatch workspace e+1";
on-scroll-down = "hyprctl dispatch workspace e-1";
format-icons = {
"1" = "";
"2" = "";
"3" = "";
"4" = "";
"5" = "";
"6" = "";
"7" = "";
};
persistent_workspaces = {
"1" = [];
"2" = [];
"3" = [];
"4" = [];
};
};
"custom/weather" = {
format = "{}°C";
tooltip = true;
interval = 3600;
exec = "wttrbar --location Pockau-Lengefeld";
return-type = "json";
};
tray = {
icon-size = 13;
spacing = 10;
};
clock = {
format = " {:%R %d/%m}";
tooltip-format = "<big>{:%Y %B}</big>\n<tt><small>{calendar}</small></tt>";
};
pulseaudio = {
format = "{icon} {volume}%";
tooltip = false;
format-muted = " Muted";
on-click = "pamixer -t";
on-scroll-up = "pamixer -i 5";
on-scroll-down = "pamixer -d 5";
scroll-step = 5;
format-icons = {
headphone = "";
hands-free = "";
headset = "";
phone = "";
portable = "";
car = "";
default = ["" "" ""];
};
};
"pulseaudio#microphone" = {
format = "{format_source}";
format-source = " {volume}%";
format-source-muted = " Muted";
on-click = "pamixer --default-source -t";
on-scroll-up = "pamixer --default-source -i 5";
on-scroll-down = "pamixer --default-source -d 5";
scroll-step = 5;
};
};
};
};
home.packages = with pkgs; [
grim
hyprcursor
hyprlock
hyprpaper
qt6.qtwayland
slurp
waypipe
wl-clipboard
wf-recorder
wl-mirror
wl-clipboard
wlogout
wtype
ydotool
];
};
}


@@ -1,6 +0,0 @@
{pkgs, ...}: {
home.packages = with pkgs; [
wofi
bemoji
];
}


@@ -1,26 +0,0 @@
{
pkgs,
inputs,
...
}: {
home.file.".config/bat" = {
source = "${inputs.dotfiles}/bat";
recursive = true;
};
home.file.".config/nyxt" = {
source = "${inputs.dotfiles}/nyxt";
recursive = true;
};
# home.file.".config/hypr" = {
# source = "${inputs.dotfiles}/hypr";
# recursive = true;
# };
home.file.".config/nvim" = {
source = "${inputs.dotfiles}/nvim";
recursive = true;
};
home.file.".config/zellij" = {
source = "${inputs.dotfiles}/zellij";
recursive = true;
};
}


@@ -1,115 +0,0 @@
# This is a default home.nix generated by the follwing hone-manager command
#
# home-manager init ./
{
config,
lib,
pkgs,
...
}: {
# Home Manager needs a bit of information about you and the paths it should
# manage.
home.username = lib.mkDefault "your-name";
home.homeDirectory = lib.mkDefault "/home/${config.home.username}";
# This value determines the Home Manager release that your configuration is
# compatible with. This helps avoid breakage when a new Home Manager release
# introduces backwards incompatible changes.
#
# You should not change this value, even if you update Home Manager. If you do
# want to update the value, then make sure to first check the Home Manager
# release notes.
home.stateVersion = "24.11"; # Please read the comment before changing.
# The home.packages option allows you to install Nix packages into your
# environment.
home.packages = with pkgs; [
# # Adds the 'hello' command to your environment. It prints a friendly
# # "Hello, world!" when run.
# pkgs.hello
# # It is sometimes useful to fine-tune packages, for example, by applying
# # overrides. You can do that directly here, just don't forget the
# # parentheses. Maybe you want to install Nerd Fonts with a limited number of
# # fonts?
# (pkgs.nerdfonts.override { fonts = [ "FantasqueSansMono" ]; })
# # You can also create simple shell scripts directly inside your
# # configuration. For example, this adds a command 'my-hello' to your
# # environment:
# (pkgs.writeShellScriptBin "my-hello" ''
# echo "Hello, ${config.home.username}!"
# '')
];
# Home Manager is pretty good at managing dotfiles. The primary way to manage
# plain files is through 'home.file'.
home.file = {
# # Building this configuration will create a copy of 'dotfiles/screenrc' in
# # the Nix store. Activating the configuration will then make '~/.screenrc' a
# # symlink to the Nix store copy.
# ".screenrc".source = dotfiles/screenrc;
# # You can also set the file content immediately.
# ".gradle/gradle.properties".text = ''
# org.gradle.console=verbose
# org.gradle.daemon.idletimeout=3600000
# '';
};
# Home Manager can also manage your environment variables through
# 'home.sessionVariables'. If you don't want to manage your shell through Home
# Manager then you have to manually source 'hm-session-vars.sh' located at
# either
#
# ~/.nix-profile/etc/profile.d/hm-session-vars.sh
#
# or
#
# ~/.local/state/nix/profiles/profile/etc/profile.d/hm-session-vars.sh
#
# or
#
# /etc/profiles/per-user/m3tam3re/etc/profile.d/hm-session-vars.sh
#
home.sessionVariables = {
# EDITOR = "emacs";
};
# Let Home Manager install and manage itself.
programs.home-manager.enable = true;
programs.git = {
enable = true;
userName = "m3tam3re";
userEmail = "m@m3tam3re.com";
aliases = {st = "status";};
extraConfig = {
core.excludesfile = "~/.gitignore_global";
init.defaultBranch = "master";
};
};
programs.zellij-ps = {
enable = true;
projectFolders = [
"${config.home.homeDirectory}/p/c"
"${config.home.homeDirectory}/p"
"${config.home.homeDirectory}/.config"
];
layout = ''
layout {
pane size=1 borderless=true {
plugin location="zellij:tab-bar"
}
pane size="70%" command="nvim"
pane split_direction="vertical" {
pane
pane command="unimatrix"
}
pane size=1 borderless=true {
plugin location="zellij:status-bar"
}
}
'';
};
}


@@ -1,121 +0,0 @@
# This is a default home.nix generated by the follwing hone-manager command
#
# home-manager init ./
{
config,
lib,
pkgs,
...
}: {
# Home Manager needs a bit of information about you and the paths it should
# manage.
home.username = lib.mkDefault "your-name";
home.homeDirectory = lib.mkDefault "/home/${config.home.username}";
# This value determines the Home Manager release that your configuration is
# compatible with. This helps avoid breakage when a new Home Manager release
# introduces backwards incompatible changes.
#
# You should not change this value, even if you update Home Manager. If you do
# want to update the value, then make sure to first check the Home Manager
# release notes.
home.stateVersion = "24.11"; # Please read the comment before changing.
# The home.packages option allows you to install Nix packages into your
# environment.
home.packages = with pkgs; [
aider-chat-env
libgtop
# # Adds the 'hello' command to your environment. It prints a friendly
# # "Hello, world!" when run.
# pkgs.hello
# # It is sometimes useful to fine-tune packages, for example, by applying
# # overrides. You can do that directly here, just don't forget the
# # parentheses. Maybe you want to install Nerd Fonts with a limited number of
# # fonts?
# (pkgs.nerdfonts.override { fonts = [ "FantasqueSansMono" ]; })
# # You can also create simple shell scripts directly inside your
# # configuration. For example, this adds a command 'my-hello' to your
# # environment:
# (pkgs.writeShellScriptBin "my-hello" ''
# echo "Hello, ${config.home.username}!"
# '')
];
# Home Manager is pretty good at managing dotfiles. The primary way to manage
# plain files is through 'home.file'.
home.file = {
# # Building this configuration will create a copy of 'dotfiles/screenrc' in
# # the Nix store. Activating the configuration will then make '~/.screenrc' a
# # symlink to the Nix store copy.
# ".screenrc".source = dotfiles/screenrc;
# # You can also set the file content immediately.
# ".gradle/gradle.properties".text = ''
# org.gradle.console=verbose
# org.gradle.daemon.idletimeout=3600000
# '';
};
# Home Manager can also manage your environment variables through
# 'home.sessionVariables'. If you don't want to manage your shell through Home
# Manager then you have to manually source 'hm-session-vars.sh' located at
# either
#
# ~/.nix-profile/etc/profile.d/hm-session-vars.sh
#
# or
#
# ~/.local/state/nix/profiles/profile/etc/profile.d/hm-session-vars.sh
#
# or
#
# /etc/profiles/per-user/m3tam3re/etc/profile.d/hm-session-vars.sh
#
home.sessionVariables = {
# EDITOR = "emacs";
};
# Let Home Manager install and manage itself.
programs.home-manager.enable = true;
programs.git = {
enable = true;
difftastic.enable = true;
userName = "m3tam3re";
userEmail = "m@m3tam3re.com";
aliases = {
st = "status";
logd = "log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit";
};
extraConfig = {
core.excludesfile = "~/.gitignore_global";
init.defaultBranch = "master";
};
};
programs.zellij-ps = {
enable = true;
projectFolders = [
"${config.home.homeDirectory}/p/c"
"${config.home.homeDirectory}/p"
"${config.home.homeDirectory}/.config"
];
layout = ''
layout {
pane size=1 borderless=true {
plugin location="zellij:tab-bar"
}
pane size="70%" command="nvim"
pane split_direction="vertical" {
pane
pane command="unimatrix"
}
pane size=1 borderless=true {
plugin location="zellij:status-bar"
}
}
'';
};
}


@@ -1,97 +0,0 @@
{
config,
lib,
...
}:
with lib; let
cfg = config.features.desktop.hyprland;
in {
imports = [
../common
./dotfiles
./home.nix
../features/cli
../features/coding
../features/desktop
#./services/librechat.nix
];
options.features.desktop.hyprland.enable =
mkEnableOption "enable Hyprland";
config = mkMerge [
# Base configuration
{
xdg = {
# TODO: better structure
enable = true;
configFile."mimeapps.list".force = true;
mimeApps = {
enable = true;
associations.added = {
"application/zip" = ["org.gnome.FileRoller.desktop"];
"application/csv" = ["calc.desktop"];
"application/pdf" = ["okularApplication_pdf.desktop"];
"x-scheme-handler/http" = ["io.github.zen_browser.zen.desktop"];
"x-scheme-handler/https" = ["io.github.zen_browser.zen.desktop"];
};
defaultApplications = {
"application/zip" = ["org.gnome.FileRoller.desktop"];
"application/csv" = ["calc.desktop"];
"application/pdf" = ["okularApplication_pdf.desktop"];
"application/md" = ["nvim.desktop"];
"application/text" = ["nvim.desktop"];
"x-scheme-handler/http" = ["io.github.zen_browser.zen.desktop"];
"x-scheme-handler/https" = ["io.github.zen_browser.zen.desktop"];
};
};
};
features = {
cli = {
fish.enable = true;
fzf.enable = true;
neofetch.enable = true;
secrets.enable = true;
starship.enable = true;
};
desktop = {
gaming.enable = true;
hyprland.enable = true;
media.enable = true;
office.enable = true;
rofi.enable = true;
fonts.enable = true;
wayland.enable = true;
};
};
}
(mkIf cfg.enable {
wayland.windowManager.hyprland = {
enable = true;
settings = {
monitor = [
"eDP-1,preferred,0x0,1.25"
"HDMI-A-1,2560x1440@144,2560x0,1"
];
workspace = [
"1, monitor:DP-1, default:true"
"2, monitor:DP-1"
"3, monitor:DP-1"
"4, monitor:DP-2"
"5, monitor:DP-1"
"6, monitor:DP-2"
"7, monitor:DP-2"
];
windowrulev2 = [
"workspace 1,class:dev.zed.Zed"
"workspace 2,class:(com.obsproject.Studio)"
"workspace 4,opacity 1.0, class:(chromium-browser)"
"workspace 4,opacity 1.0, class:(zen-alpha)"
];
};
};
})
];
}


@@ -1,17 +0,0 @@
{
imports = [
../common
../features/cli
./home-server.nix
];
features = {
cli = {
fish.enable = true;
fzf.enable = true;
neofetch.enable = true;
secrets.enable = false;
starship.enable = true;
};
};
}


@@ -1,97 +0,0 @@
{
config,
lib,
...
}:
with lib; let
cfg = config.features.desktop.hyprland;
in {
imports = [
../common
./dotfiles
./home.nix
../features/cli
../features/coding
../features/desktop
./services/librechat.nix
];
options.features.desktop.hyprland.enable =
mkEnableOption "enable Hyprland";
config = mkMerge [
# Base configuration
{
xdg = {
# TODO: better structure
enable = true;
configFile."mimeapps.list".force = true;
mimeApps = {
enable = true;
associations.added = {
"application/zip" = ["org.gnome.FileRoller.desktop"];
"application/csv" = ["calc.desktop"];
"application/pdf" = ["okularApplication_pdf.desktop"];
"x-scheme-handler/http" = ["io.github.zen_browser.zen.desktop"];
"x-scheme-handler/https" = ["io.github.zen_browser.zen.desktop"];
};
defaultApplications = {
"application/zip" = ["org.gnome.FileRoller.desktop"];
"application/csv" = ["calc.desktop"];
"application/pdf" = ["okularApplication_pdf.desktop"];
"application/md" = ["nvim.desktop"];
"application/text" = ["nvim.desktop"];
"x-scheme-handler/http" = ["io.github.zen_browser.zen.desktop"];
"x-scheme-handler/https" = ["io.github.zen_browser.zen.desktop"];
};
};
};
features = {
cli = {
fish.enable = true;
fzf.enable = true;
neofetch.enable = true;
secrets.enable = true;
starship.enable = true;
};
desktop = {
gaming.enable = true;
hyprland.enable = true;
media.enable = true;
office.enable = true;
rofi.enable = true;
fonts.enable = true;
wayland.enable = true;
};
};
}
(mkIf cfg.enable {
wayland.windowManager.hyprland = {
enable = true;
settings = {
monitor = [
"DP-1,2560x1440@144,0x0,1"
"DP-2,2560x1440@144,2560x0,1"
];
workspace = [
"1, monitor:DP-1, default:true"
"2, monitor:DP-1"
"3, monitor:DP-1"
"4, monitor:DP-2"
"5, monitor:DP-1"
"6, monitor:DP-2"
"7, monitor:DP-2"
];
windowrulev2 = [
"workspace 1,class:dev.zed.Zed"
"workspace 2,class:(com.obsproject.Studio)"
"workspace 4,opacity 1.0, class:(chromium-browser)"
"workspace 4,opacity 1.0, class:(zen-alpha)"
];
};
};
})
];
}


@@ -1,18 +0,0 @@
{
systemd.user.services.librechat = {
Unit = {
Description = "LibreChat Start";
After = ["network-online.target"];
Wants = ["network-online.target"];
};
Install = {WantedBy = ["default.target"];};
Service = {
Type = "oneshot";
RemainAfterExit = "yes";
WorkingDirectory = "/home/m3tam3re/p/r/ai/LibreChat";
ExecStart = "/run/current-system/sw/bin/podman-compose up -d";
ExecStop = "/run/current-system/sw/bin/podman-compose down";
Restart = "on-failure";
};
};
}

76
hosts/common/AGENTS.md Normal file

@@ -0,0 +1,76 @@
# COMMON HOST CONFIGURATION
**Shared base configuration and abstractions for all hosts**
## OVERVIEW
Common imports, overlays, and custom patterns (extraServices, ports) used across 6 hosts.
## STRUCTURE
```
common/
├── default.nix # Base imports, overlays, nix settings
├── ports.nix # Centralized port registry
├── extraServices/ # Optional service modules
│ ├── default.nix
│ ├── flatpak.nix
│ ├── ollama.nix
│ ├── podman.nix
│ └── virtualisation.nix
└── users/
├── default.nix
└── m3tam3re.nix # Primary user definition
```
## WHERE TO LOOK
| Task | Location | Notes |
|------|----------|-------|
| Add port definition | ports.nix | Use config.m3ta.ports.get |
| Enable optional service | Host config extraServices | Boolean flags |
| Modify overlays | default.nix lines 27-36 | 5 overlay sources |
| Add new user | users/ | Shared across all hosts |
## CONVENTIONS
### Port Registry Pattern
```nix
# Define in ports.nix
definitions = {
myservice = 3099;
};
# Access in host config
config.m3ta.ports.get "myservice" # Returns 3099
```
### extraServices Abstraction
Host configs enable via boolean:
```nix
extraServices = {
podman.enable = true; # Container runtime
ollama.enable = true; # LLM inference
flatpak.enable = false; # Flatpak apps
virtualisation.enable = true; # QEMU/KVM
};
```
### Overlay Precedence (bottom overrides top)
1. stable-packages (nixpkgs-stable)
2. locked-packages (nixpkgs-locked)
3. pinned-packages (nixpkgs-45570c2, nixpkgs-9e58ed7)
4. master-packages (nixpkgs-master)
5. m3ta-nixpkgs (local custom overlay)
## ANTI-PATTERNS
- **DON'T** add host-specific logic to common/ - belongs in hosts/<name>/
- **DON'T** bypass port registry - hardcoded ports break consistency
- **DON'T** modify user shell globally - set per-user if needed
## NOTES
- Nix GC runs weekly, keeps 30 days
- Trusted users: root, m3tam3re
- Default shell: Nushell (set line 77)
- Home-manager integrated at common level, not per-host
- TODO on line 69: ports should only return actually used ports


@@ -1,31 +1,45 @@
# Common configuration for all hosts
{
config,
pkgs,
lib,
inputs,
outputs,
system,
...
}: {
imports = [
./extraServices
./ports.nix
./users
inputs.home-manager.nixosModules.home-manager
];
environment.pathsToLink = ["/share/xdg-desktop-portal" "/share/applications"];
home-manager = {
useGlobalPkgs = true;
useUserPackages = true;
extraSpecialArgs = {inherit inputs outputs;};
extraSpecialArgs = {
inherit inputs outputs system;
videoDrivers = config.services.xserver.videoDrivers or [];
};
};
nixpkgs = {
# You can add overlays here
overlays = [
# Add overlays your own flake exports (from overlays and pkgs dir):
outputs.overlays.additions
outputs.overlays.modifications
#outputs.overlays.additions
#outputs.overlays.modifications
outputs.overlays.stable-packages
outputs.overlays.locked-packages
outputs.overlays.pinned-packages
outputs.overlays.master-packages
inputs.m3ta-nixpkgs.overlays.default
inputs.m3ta-nixpkgs.overlays.modifications
(outputs.lib.mkLlmAgentsOverlay system)
# You can also add overlays exported from other flakes:
# neovim-nightly-overlay.overlays.default
@@ -64,5 +78,5 @@
((lib.filterAttrs (_: lib.isType "flake")) inputs);
nixPath = ["/etc/nix/path"];
};
users.defaultUserShell = pkgs.fish;
users.defaultUserShell = pkgs.nushell;
}
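Review bot: `#outputs.overlays.additions` and `#outputs.overlays.modifications` are left commented out inside the `overlays` list with nothing saying whether `inputs.m3ta-nixpkgs.overlays.default` and `.modifications` replace them or whether they are merely parked; commented entries in an overlay list are easy to re-enable by accident, so either delete them or put `# superseded by the m3ta-nixpkgs overlays below` above them. The same applies to `users.defaultUserShell = pkgs.nushell;` in the second hunk: a one-line reason would spare the next reader from wondering why `programs.fish.enable = true` still appears in several hosts' `programs.nix`. The `nixpkgs.overlays` list continues past the first hunk.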


@@ -7,14 +7,16 @@
with lib; let
cfg = config.extraServices.flatpak;
in {
options.extraServices.flatpak.enable = mkEnableOption "enable podman";
options.extraServices.flatpak.enable = mkEnableOption "enable flatpak";
config = mkIf cfg.enable {
services.flatpak.enable = true;
xdg.portal = {
# xdg desktop intergration (required for flatpak)
enable = true;
extraPortals = [pkgs.xdg-desktop-portal-gtk];
extraPortals = with pkgs; [
xdg-desktop-portal-hyprland
];
config.common.default = "*";
};
};
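Review bot: The new `extraPortals` list keeps only `xdg-desktop-portal-hyprland`, yet this module lives under `hosts/common/extraServices` and is enabled by hosts that do not run Hyprland — `hosts/m3-helios/default.nix` in this same compare sets `flatpak.enable = true` on a headless cloud guest. On such a host flatpak applications get no working file-chooser or settings portal, and `config.common.default = "*"` hands every interface to whichever backend happens to be installed. Consider keeping the GTK portal and gating the Hyprland one on the host's desktop role, e.g. `extraPortals = with pkgs; [xdg-desktop-portal-gtk] ++ optional config.programs.hyprland.enable xdg-desktop-portal-hyprland;`. The module's closing brace lies outside the hunk.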


@@ -1,6 +1,7 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
@@ -11,14 +12,18 @@ in {
config = mkIf cfg.enable {
services.ollama = {
enable = true;
acceleration =
package =
if config.services.xserver.videoDrivers == ["amdgpu"]
then "rocm"
then pkgs.ollama-rocm
else if config.services.xserver.videoDrivers == ["nvidia"]
then "cuda"
else null;
then pkgs.ollama-cuda
else pkgs.ollama-cpu;
host = "[::]";
openFirewall = true;
environmentVariables = {
OLLAMA_ORIGINS = "https://msty.studio";
OLLAMA_HOST = "0.0.0.0";
};
};
nixpkgs.config = {
rocmSupport = config.services.xserver.videoDrivers == ["amdgpu"];
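Review bot: The `package` selection uses exact list equality, `config.services.xserver.videoDrivers == ["amdgpu"]`, so a host with more than one driver listed, or in a different order, silently falls through to `pkgs.ollama-cpu`; `builtins.elem "amdgpu" config.services.xserver.videoDrivers` matches the intent better, and the `rocmSupport` line at the end of the hunk has the same shape. Separately, the unchanged `host = "[::]"`, `openFirewall = true` and `OLLAMA_HOST = "0.0.0.0"` lines expose an API that has no authentication of its own on every interface of the host, so a comment such as `# Listens on all interfaces and opens the firewall; Ollama has no auth — relies on the LAN/VPN boundary` would record the accepted risk where the next reader will see it. The hunk ends inside `nixpkgs.config`, whose closing is not visible.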


@@ -17,22 +17,13 @@ in {
package = pkgs.qemu_kvm;
runAsRoot = true;
swtpm.enable = true;
ovmf = {
enable = true;
packages = [
(pkgs.OVMF.override {
secureBoot = true;
tpmSupport = true;
})
.fd
];
};
};
};
};
programs.virt-manager.enable = true;
environment.systemPackages = with pkgs; [
OVMFFull
];
systemd.services.virt-secret-init-encryption.enable = false;
environment = {
systemPackages = [pkgs.qemu];
};
};
}
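Review bot: The new side drops the `pkgs.OVMF.override { secureBoot = true; tpmSupport = true; }` firmware and the `OVMFFull` system package, and additionally sets `systemd.services.virt-secret-init-encryption.enable = false;` without a comment. If the intent is to fall back to the libvirtd module's default OVMF build, guests whose NVRAM was created against the Secure Boot/TPM variant may stop booting, and the disabled unit's name suggests it initialises encryption for libvirt secrets, so whichever reason applies should be stated inline, e.g. `# Disabled because <reason>; libvirt secrets are then stored <how>`. The `virtualisation.libvirtd` block opens before the hunk.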

75
hosts/common/ports.nix Normal file

@@ -0,0 +1,75 @@
{config, ...}: {
m3ta.ports = {
enable = true;
definitions = {
# System services
ssh = 22;
# Web & proxy services
traefik = 80;
traefik-ssl = 443;
# Databases
postgres = 5432;
mysql = 3306;
redis = 6379;
# VPN & networking
wireguard = 51820;
tailscale = 41641;
headscale = 3009;
netbird-stun = 3478;
netbird-proxy = 8443;
netbird-metrics = 9090;
netbird-health = 9000;
# Containers & web apps
gitea = 3030;
baserow = 3001;
ghost = 3002;
wastebin = 3003;
littlelink = 3004;
searx = 3005;
restreamer = 3006;
paperless = 3012;
vaultwarden = 3013;
slash = 3010;
slash-nemoti = 3016;
kestra = 3018;
outline = 3019;
authentik = 3023;
tuwunel = 3024;
# Home automation
homarr = 7575;
# DNS
adguardhome = 53;
};
hostOverrides = {
# Host-specific overrides
m3-ares = {
# Any custom port overrides for m3-ares
};
m3-atlas = {
# Any custom port overrides for m3-atlas
};
m3-helios = {
# Any custom port overrides for m3-helios
};
m3-kratos = {
# Any custom port overrides for m3-kratos
};
};
};
environment.etc."info/all-ports.json" = {
text = builtins.toJSON {
hostname = config.networking.hostName;
ports = config.m3ta.ports.all; # TODO should only return actually used ports
};
};
}
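Review bot: `environment.etc."info/all-ports.json"` is created with the default `/etc` permissions, i.e. world-readable, and — as the TODO on the `ports` line admits — it serialises `config.m3ta.ports.all`, the whole fleet's service inventory, on every host rather than the ports that host actually uses. Until that TODO is resolved, consider restricting the file with `mode = "0440";` plus a suitable `user`/`group`, or only emitting it on the hosts that consume it. `hostOverrides` also lists four hosts while `hosts/common/users/m3tam3re.nix` in this compare maps seven (`m3-daedalus`, `m3-hermes` and `m3-aether` are absent here); if the override set is looked up by hostname the gaps are probably harmless, but a comment saying so would help.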


@@ -1,11 +1,211 @@
# hosts/common/users/m3tam3re.nix — Central user definition with m3ta-home integration.
#
# This module:
# 1. Creates the m3tam3re NixOS user
# 2. Loads the m3ta-home profile system via mkHome
# 3. Sets per-host feature flags based on a host profile mapping
# 4. Imports per-host home.nix overrides (monitors, HW-specific config)
#
# To add a new host:
# 1. Add entry to hostProfiles below
# 2. Add feature flags in the hostFlags section
# 3. Create hosts/<hostname>/home.nix if the host needs overrides (monitors, etc.)
{
config,
pkgs,
inputs,
...
}: {
}: let
hostname = config.networking.hostName;
# ── Per-host profile mapping ──
# Determines which m3ta-home context and sets each host gets.
hostProfiles = {
# ── Desktop hosts ──
m3-ares = {
context = "desktop";
sets = ["coding" "gaming" "media"];
};
m3-kratos = {
context = "desktop";
sets = ["coding" "gaming" "media"];
};
m3-daedalus = {
context = "desktop";
sets = ["coding" "media"];
};
# ── Server hosts ──
m3-atlas = {
context = "server";
sets = ["coding"];
};
m3-helios = {
context = "server";
sets = [];
};
m3-hermes = {
context = "server";
sets = [];
};
m3-aether = {
context = "server";
sets = [];
};
};
profile = hostProfiles.${hostname} or {
context = "server";
sets = [];
};
m3ta-lib = inputs.m3ta-home.lib;
# Check if a per-host home.nix exists
hostHomeFile = ./../../${hostname}/home.nix;
hostHomeExists = builtins.pathExists hostHomeFile;
# ── Per-host feature flags ──
# These enable/disable specific m3ta-home modules per host.
hostFlags =
if hostname == "m3-ares" || hostname == "m3-kratos"
then {
# Full desktop workstation
base = {
shell = {
fish.enable = true;
nushell.enable = true;
starship.enable = true;
};
cliTools = {
fzf.enable = true;
nitch.enable = true;
television.enable = true;
};
secrets.enable = true;
};
desktop = {
wm = {
hyprland.enable = true;
rofi.enable = true;
wayland.enable = true;
};
apps = {
crypto.enable = true;
obsidian.enable = true;
office.enable = true;
};
theme = {
fonts.enable = true;
wallpapers.enable = true;
};
};
coding = {
editors = {
neovim.enable = true;
zed.enable = true;
};
lsp.enable = true;
packages.enable = true;
languages = {
python.enable = true;
javascript.enable = true;
rustToolchain.enable = true;
go.enable = true;
typescript.enable = true;
};
};
profiles.gaming = {
steam.enable = true;
gamescope.enable = true;
};
profiles.media = {
obs.enable = true;
ffmpeg.enable = true;
kdenlive.enable = true;
ytDlp.enable = true;
};
}
else if hostname == "m3-daedalus"
then {
# Portable laptop — desktop without gaming, no Hyprland
base = {
shell = {
fish.enable = true;
nushell.enable = true;
starship.enable = true;
};
cliTools = {
fzf.enable = true;
nitch.enable = true;
television.enable = true;
};
secrets.enable = true;
};
desktop = {
wm = {
hyprland.enable = false;
wayland.enable = false;
};
apps = {
crypto.enable = false;
obsidian.enable = true;
office.enable = false;
};
theme = {
fonts.enable = true;
wallpapers.enable = false;
};
};
coding = {
editors = {
neovim.enable = true;
zed.enable = true;
};
lsp.enable = true;
packages.enable = true;
languages = {
python.enable = true;
javascript.enable = true;
rustToolchain.enable = true;
go.enable = true;
typescript.enable = true;
};
};
profiles.media = {
ytDlp.enable = true;
};
}
else if hostname == "m3-atlas"
then {
# Primary server — coding capable
base = {
shell = {
nushell.enable = true;
starship.enable = true;
};
cliTools = {
fzf.enable = true;
nitch.enable = true;
zellij.enable = true;
};
};
coding.editors.neovim.enable = true;
}
else {
# m3-helios, m3-hermes, m3-aether — minimal server
base = {
shell = {
fish.enable = true;
starship.enable = true;
};
cliTools = {
fzf.enable = true;
nitch.enable = true;
};
};
};
in {
# ── NixOS user definition ──
users.users.m3tam3re = {
#initialHashedPassword = "$y$j9T$IoChbWGYRh.rKfmm0G86X0$bYgsWqDRkvX.EBzJTX.Z0RsTlwspADpvEF3QErNyCMC";
password = "12345";
isNormalUser = true;
description = "m3tam3re";
@@ -20,12 +220,34 @@
"input"
"kvm"
"qemu-libvirtd"
"adbusers"
];
openssh.authorizedKeys.keys = [
"ssh-rsa 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 m3tam3re@m3-nix"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZcjCKl0DRuOUOMXbM0GKY5JjvmyFpVZ/tRlTKWu/zp razr"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZbg/Z9mnflXuLahGY8WOSBMqbgeqVIkIwRkquys1Ml sascha.koenig@azintec.com"
];
packages = [inputs.home-manager.packages.${pkgs.system}.default];
packages = [inputs.home-manager.packages.${pkgs.stdenv.hostPlatform.system}.default];
};
# ── Home-Manager configuration via m3ta-home ──
home-manager.users.m3tam3re = {
imports =
[
# Load m3ta-home composition engine
(m3ta-lib.mkHome {
user = "m3tam3re";
identity = "private";
inherit (profile) context sets;
})
# Per-host feature flags
hostFlags
]
# Per-host home.nix (Hyprland monitors, XDG/MIME, HW-specific overrides)
++ (
if hostHomeExists
then [hostHomeFile]
else []
);
};
home-manager.users.m3tam3re =
import ../../../home/m3tam3re/${config.networking.hostName}.nix;
}
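Review bot: `password = "12345";` in `users.users.m3tam3re` stores a clear-text, well-known password in the world-readable Nix store, with the hashed alternative commented out directly above it; this rewrite of the module would have been the moment to move to `hashedPasswordFile` pointing at an agenix secret (the repo already uses `age.secrets`) or at least `initialHashedPassword` so it only applies at first creation. That matters more now that this single definition is shared by every host in `hostProfiles`, including the new cloud guest `m3-helios`, whose `services.openssh` block in this compare leaves password authentication at the module default. The header comment's step "Add feature flags in the hostFlags section" is slightly out of date as well: `hostFlags` is now an `if`/`else if` chain keyed on hostname, so a new host needs an extra branch rather than an entry. The hunk ends at the file's closing brace.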


@@ -0,0 +1,111 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{pkgs, ...}: {
imports = [
# Include the results of the hardware scan.
./disko-config.nix
./hardware-configuration.nix
];
# Bootloader.
boot.loader.grub = {
efiSupport = true;
efiInstallAsRemovable = true;
};
networking.hostName = "m3-helios"; # Define your hostname.
networking.hostId = "3ebf1cd3";
# Pick only one of the below networking options.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
networking.networkmanager.enable =
true; # Easiest to use and most distros use this by default.
# Set your time zone.
time.timeZone = "Europe/Berlin";
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
# console = {
# font = "Lat2-Terminus16";
# keyMap = "us";
# useXkbConfig = true; # use xkb.options in tty.
# };
# Enable the X11 windowing system.
# services.xserver.enable = true;
# Enable the GNOME Desktop Environment.
# services.xserver.displayManager.gdm.enable = true;
# services.xserver.desktopManager.gnome.enable = true;
# Configure keymap in X11
# services.xserver.xkb.layout = "us";
# services.xserver.xkb.options = "eurosign:e,caps:escape";
# Enable CUPS to print documents.
# services.printing.enable = true;
# Enable sound.
# hardware.pulseaudio.enable = true;
# OR
# Enable touchpad support (enabled default in most desktopManager).
# services.libinput.enable = true;
# Define a user account. Don't forget to set a password with passwd.
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [neovim git];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable:
# Enable the OpenSSH daemon.
services.openssh.enable = true;
services.fstrim = {
enable = true; # For SSD/thin-provisioned storage
interval = "weekly";
};
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# system.copySystemConfiguration = true;
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
#
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
# to actually do that.
#
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
#
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
#
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "24.11"; # Did you read the comment?
}
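Review bot: `services.openssh.enable = true;` on this new cloud guest leaves `PasswordAuthentication` and `PermitRootLogin` at module defaults, while `hosts/m3-ares/configuration.nix` in the same compare explicitly sets `PasswordAuthentication = false` and `PermitRootLogin = "no"`. Since the shared user definition carries a clear-text `password = "12345"` and the authorized keys are already provisioned centrally, the internet-facing host is the one that most needs `services.openssh = { enable = true; settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; PermitRootLogin = "no"; }; };`. The `# Define a user account` and `# Copy the NixOS configuration file` template comments describe nothing in this file and could go.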


@@ -0,0 +1,50 @@
# A staring point is the basic NIXOS configuration generated by the ISO installer.
# On an existing NIXOS install you can use the following command in your flakes basedir:
# sudo nixos-generate-config --dir ./hosts/m3tam3re
#
# Please make sure to change the first couple of lines in your configuration.nix:
# { config, inputs, ouputs, lib, pkgs, ... }:
#
# {
# imports = [ # Include the results of the hardware scan.
# ./hardware-configuration.nix
# inputs.home-manager.nixosModules.home-manager
# ];
# ...
#
# Moreover please update the packages option in your user configuration and add the home-manager options:
# users.users = {
# m3tam3re = {
# isNormalUser = true;
# initialPassword = "12345";
# extraGroups = [ "wheel" ]; # Enable sudo for the user.
# packages = [ inputs.home-manager.packages.${pkgs.system}.default ];
# };
# };
#
# home-manager = {
# useUserPackages = true;
# extraSpecialArgs = { inherit inputs outputs; };
# users.m3tam3re =
# import ../../home/m3tam3re/${config.networking.hostName}.nix;
# };
#
# Please also change your hostname accordingly:
#:w
# networking.hostName = "nixos"; # Define your hostname.
{
imports = [
../common
./configuration.nix
./programs.nix
./secrets.nix
./services
];
extraServices = {
flatpak.enable = true;
ollama.enable = false;
podman.enable = true;
virtualisation.enable = false;
};
}
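Review bot: `flatpak.enable = true;` in `extraServices` pulls the desktop-portal stack (now only `xdg-desktop-portal-hyprland`, per the `hosts/common/extraServices/flatpak.nix` hunk) onto a headless QEMU/cloud-init guest; if this host is not meant to run GUI flatpaks the flag should be `false`, otherwise a comment on the line saying what it is for would help. The 35-line template comment above the opening `{` still describes `initialPassword`, `pkgs.system` and the old `import ../../home/m3tam3re/...` wiring that this compare removes, and the stray `#:w` line looks like a leaked editor command; both are worth trimming.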


@@ -0,0 +1,39 @@
{
disko.devices = {
disk = {
main = {
type = "disk";
device = "/dev/sda";
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02"; # for GRUB MBR
priority = 1;
};
esp = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = ["defaults" "umask=0077"];
};
};
root = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
mountOptions = ["noatime" "nodiratime" "discard"];
};
};
};
};
};
};
};
}


@@ -0,0 +1,28 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@@ -0,0 +1,14 @@
{pkgs, ...}: {
programs.nix-ld.enable = true;
programs.nix-ld.libraries = with pkgs; [
# Add any missing dynamic libraries for unpackaged programs
# here, NOT in environment.systemPackages
];
programs.fish.enable = true;
programs.nh = {
enable = true;
clean.enable = true;
clean.extraArgs = "--keep-since 4d --keep 3";
flake = "/home/m3tam3re/p/nixos/nixos-config";
};
}


@@ -0,0 +1,15 @@
{
age = {
secrets = {
traefik = {
file = ../../secrets/traefik.age;
mode = "770";
owner = "traefik";
};
m3tam3re-secrets = {
file = ../../secrets/m3tam3re-secrets.age;
owner = "m3tam3re";
};
};
};
}
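Review bot: The `traefik` secret is decrypted with `mode = "770"`, which makes a credential file executable and group-writable for no benefit; `mode = "0440"` with `owner = "traefik"` (and `group = "traefik"` if the service's group must read it) is enough for a file that is only ever read. Nothing under `hosts/m3-helios/services` in this compare enables Traefik, so if the secret is declared ahead of a service that does not exist yet, a comment saying so would stop it being mistaken for dead configuration.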


@@ -0,0 +1,7 @@
{
services.cloud-init = {
enable = true;
ext4.enable = true;
network.enable = true;
};
}
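Review bot: `network.enable = true` lets cloud-init render this guest's network configuration, while `hosts/m3-helios/configuration.nix` in the same compare also enables NetworkManager and `hardware-configuration.nix` sets `networking.useDHCP`; more than one manager on the same interface is a common source of a dropped address after a rebuild, though I cannot tell from here which one actually wins. If NetworkManager is the intended owner, `network.enable = false;` here (or dropping NetworkManager on this host) plus a one-line comment recording the choice would make the intent explicit.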


@@ -0,0 +1,5 @@
{
imports = [
./cloud-init.nix
];
}


@@ -1,11 +1,7 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{
config,
pkgs,
...
}: {
{pkgs, ...}: {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
@@ -13,7 +9,6 @@
specialisation = {
"NVIDIA".configuration = {
boot.kernelParams = ["nvidia.NVreg_PreserveVideoMemoryAllocations=1"];
system.nixos.tags = ["NVIDIA"];
services.xserver.videoDrivers = ["nvidia"];
hardware.nvidia-container-toolkit.enable = true;
@@ -23,18 +18,23 @@
# Bootloader.
boot.loader.systemd-boot.enable = true;
boot.loader.systemd-boot.memtest86.enable = true;
boot.extraModulePackages = with config.boot.kernelPackages; [v4l2loopback];
boot.kernelModules = ["v4l2loopback"];
boot.initrd.services.lvm.enable = false;
# boot.kernelModules = [];
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.extraModprobeConfig = ''
options kvm_intel nested=1
options kvm_intel emulate_invalid_guest_state=0
options kvm ignore_msrs=1
options v4l2loopback exclusive_caps=1 max_buffers=2
'';
boot.blacklistedKernelModules = ["nova_core"];
# CRITICAL FIX #4: Kernel parameters to prevent nouveau from loading early
networking.hostName = "m3-ares"; # Define your hostname.
# warp-terminal update fix
# networking.extraHosts = ''
# 127.0.0.1 releases.warp.dev
# 127.0.0.1 app.warp.dev
# '';
# Pick only one of the below networking options.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
networking.networkmanager.enable =
@@ -60,7 +60,7 @@
# Enable the GNOME Desktop Environment.
# services.xserver.displayManager.gdm.enable = true;
# services.xserver.desktopManager.gnome.enable = true;
# displayManager.gdm.enable = true;
# Configure keymap in X11
# services.xserver.xkb.layout = "us";
# services.xserver.xkb.options = "eurosign:e,caps:escape";
@@ -92,7 +92,13 @@
# List services that you want to enable:
# Enable the OpenSSH daemon.
services.openssh.enable = true;
services.openssh = {
enable = true;
settings.PermitRootLogin = "no";
settings = {
PasswordAuthentication = false;
};
};
services.fstrim.enable = true;
# Open ports in the firewall.
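Review bot: The comment `# CRITICAL FIX #4: Kernel parameters to prevent nouveau from loading early` now sits directly above `networking.hostName` with no kernel parameters after it, so it describes something that is not in the file; either restore the `boot.kernelParams` it refers to or delete it, and give `boot.blacklistedKernelModules = ["nova_core"];` a comment saying why that module is blacklisted (the name suggests the newer NVIDIA driver, but that is an inference). In the last hunk, if `settings.PermitRootLogin = "no";` and the separate `settings = { PasswordAuthentication = false; };` are both on the new side, Nix does merge them, but putting `PermitRootLogin` inside the single `settings = { ... }` block reads cleaner. The hunks cut through the middle of the configuration; the specialisation and firewall blocks continue outside them.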


@@ -44,14 +44,8 @@
extraServices = {
flatpak.enable = true;
ollama.enable = true;
ollama.enable = false;
podman.enable = true;
virtualisation.enable = true;
};
services.ollama = {
environmentVariables = {
HCC_AMDGPU_TARGET = "gfx1100";
};
rocmOverrideGfx = "11.0.0";
};
}


@@ -13,6 +13,7 @@
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot.supportedFilesystems = ["nfs"];
fileSystems."/" = {
device = "/dev/disk/by-uuid/3a50bf0a-024b-488b-aa11-56b32f2fb54d";
@@ -44,7 +45,13 @@
};
fileSystems."/mnt/skynet-bkg" = {
device = "100.94.135.99:/volume3/bkg";
device = "192.168.1.100:/volume3/bkg";
fsType = "nfs";
options = ["noauto" "x-systemd.automount"];
};
fileSystems."/mnt/skynet" = {
device = "192.168.1.100:/volume3/m3-skynet";
fsType = "nfs";
options = ["noauto" "x-systemd.automount"];
};
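Review bot: Moving `/mnt/skynet-bkg` from the Tailscale address to `192.168.1.100`, and adding `/mnt/skynet` on the same LAN address, means both automounts only resolve while the laptop is on the home network; with `x-systemd.automount` and no timeout in `options`, a stray access away from home blocks the calling process until the NFS client gives up. Adding `"x-systemd.mount-timeout=10s"` (and optionally an `x-systemd.idle-timeout`) to both `options` lists bounds that wait. The file continues past the hunk.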


@@ -1,30 +1,58 @@
{
hardware = {
nvidia = {
prime = {
offload.enable = false;
config,
pkgs,
inputs,
...
}: {
# Workaround for tuxedo-drivers module bug in unstable (nixpkgs#480391)
# The unstable module has a type error - use stable module until fix propagates
# disabledModules = [ "hardware/tuxedo-drivers.nix" ];
# imports =
# [ "${inputs.nixpkgs-stable}/nixos/modules/hardware/tuxedo-drivers.nix" ];
# Bus ID of the Intel GPU. You can find it using lspci, either under 3D or VGA
intelBusId = "PCI:0:2:0";
hardware.nvidia = {
prime = {
offload.enable = false;
# Bus ID of the NVIDIA GPU. You can find it using lspci, either under 3D or VGA
nvidiaBusId = "PCI:1:0:0";
};
modesetting.enable = true;
powerManagement.finegrained = false;
powerManagement.enable = true;
open = false;
dynamicBoost.enable = true;
nvidiaSettings = true;
# Bus ID of the Intel GPU. You can find it using lspci, either under 3D or VGA
intelBusId = "PCI:0:2:0";
# Bus ID of the NVIDIA GPU. You can find it using lspci, either under 3D or VGA
nvidiaBusId = "PCI:1:0:0";
};
bluetooth.enable = true;
tuxedo-rs.enable = true;
tuxedo-rs.tailor-gui.enable = true;
tuxedo-drivers.enable = true;
keyboard.zsa.enable = true;
graphics.enable = true;
modesetting.enable = true;
powerManagement.finegrained = false;
powerManagement.enable = true;
open = false;
dynamicBoost.enable = true;
nvidiaSettings = true;
package = config.boot.kernelPackages.nvidiaPackages.production;
};
hardware.tuxedo-drivers.enable = true;
hardware.bluetooth.enable = true;
hardware.keyboard.zsa.enable = true;
hardware.graphics.enable = true;
services.hardware.bolt.enable = true;
services.auto-cpufreq.enable = true;
services.tlp.enable = true;
services.tlp = {
enable = true;
settings = {
START_CHARGE_THRESH_BAT0 = 75;
STOP_CHARGE_THRESH_BAT0 = 80;
};
};
environment.systemPackages = with pkgs; [tuxedo-backlight];
security.sudo.extraRules = [
{
users = ["@wheel"];
commands = [
{
command = "/run/current-system/sw/bin/set-backlight";
options = ["NOPASSWD"];
}
];
}
];
}
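Review bot: The new `security.sudo.extraRules` entry grants `@wheel` `NOPASSWD` for `/run/current-system/sw/bin/set-backlight` with no argument restriction, so whatever that wrapper accepts on its command line runs as root without a prompt; that is fine only if `set-backlight` validates its arguments and touches nothing but the backlight sysfs node, which I cannot see from here and which should be recorded in a comment such as `# NOPASSWD is acceptable because set-backlight only accepts <accepted args>`. Also, `services.auto-cpufreq.enable = true;` and the expanded `services.tlp` block are both on the new side, and as far as I recall the auto-cpufreq project documents TLP as conflicting with it, so one of the two is probably meant to be off. The `hardware.nvidia` block additionally pins `package = config.boot.kernelPackages.nvidiaPackages.production;`, a behaviour change worth a line in the commit message.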

71
hosts/m3-ares/home.nix Normal file

@@ -0,0 +1,71 @@
# hosts/m3-ares/home.nix — Host-specific home-manager overrides.
# TUXEDO laptop: eDP-1 + HDMI-A-1 external monitor.
# Everything else (shell, editors, gaming, media, theme, etc.) comes from
# m3ta-home via the profile mapping in hosts/common/users/m3tam3re.nix.
{
config,
lib,
...
}:
with lib; {
config = mkMerge [
# ── XDG / MIME defaults ──
{
xdg = {
enable = true;
configFile."mimeapps.list".force = true;
mimeApps = {
enable = true;
associations.added = {
"application/zip" = ["org.gnome.FileRoller.desktop"];
"application/csv" = ["calc.desktop"];
"application/pdf" = ["vivaldi-stable.desktop"];
"x-scheme-handler/http" = ["vivaldi-stable.desktop"];
"x-scheme-handler/https" = ["vivaldi-stable.desktop"];
};
defaultApplications = {
"application/zip" = ["org.gnome.FileRoller.desktop"];
"application/csv" = ["calc.desktop"];
"application/pdf" = ["vivaldi-stable.desktop"];
"application/md" = ["dev.zed.Zed.desktop"];
"application/text" = ["dev.zed.Zed.desktop"];
"x-scheme-handler/http" = ["vivaldi-stable.desktop"];
"x-scheme-handler/https" = ["vivaldi-stable.desktop"];
};
};
};
}
# ── Hyprland monitor layout ──
(mkIf config.desktop.wm.hyprland.enable {
wayland.windowManager.hyprland = {
enable = true;
settings = {
exec-once = ["tuxedo-backlight"];
monitor = [
"eDP-1,preferred,0x0,1.25"
"HDMI-A-1,1920x1080@120,2560x0,1"
];
workspace = [
"1, monitor:eDP-1, default:true"
"2, monitor:eDP-1"
"3, monitor:eDP-1"
"4, monitor:HDMI-A-1"
"5, monitor:HDMI-A-1,border:false,rounding:false"
"6, monitor:HDMI-A-1"
];
windowrule = [
"match:class dev.zed.Zed, workspace 1"
"match:class Msty, workspace 1"
"match:class ^(com.obsproject.Studio)$, workspace 2"
"match:class ^(brave-browser)$, workspace 4, opacity 1.0"
"match:class ^(vivaldi-stable)$, workspace 4, opacity 1.0"
"match:class ^steam_app_\\d+$, fullscreen on"
"match:class ^steam_app_\\d+$, workspace 5"
"match:class ^steam_app_\\d+$, idle_inhibit focus"
];
};
};
})
];
}


@@ -7,16 +7,28 @@
programs.hyprland = {
enable = true;
xwayland.enable = true;
withUWSM = true;
};
programs.steam = {
enable = true;
remotePlay.openFirewall = true;
dedicatedServer.openFirewall = true;
gamescopeSession = {
enable = true;
args = [
"-W 1920"
"-H 1080"
];
};
};
programs.gamescope = {
enable = true;
capSysNice = true;
};
programs.fish.enable = true;
programs.thunar = {
enable = true;
plugins = with pkgs.xfce; [thunar-archive-plugin thunar-volman];
plugins = with pkgs; [thunar-archive-plugin thunar-volman];
};
programs.gnupg.agent = {
enable = true;


@@ -1,6 +1,10 @@
{
age = {
secrets = {
anytype-key = {
file = ../../secrets/anytype-key-ares.age;
owner = "m3tam3re";
};
wg-DE = {
file = ../../secrets/wg-DE.age;
path = "/etc/wireguard/DE.conf";
@@ -21,11 +25,35 @@
file = ../../secrets/wg-BR.age;
path = "/etc/wireguard/BR.conf";
};
ref-key = {
file = ../../secrets/ref-key.age;
owner = "m3tam3re";
};
exa-key = {
file = ../../secrets/exa-key.age;
owner = "m3tam3re";
};
outline-key = {
file = ../../secrets/outline-key.age;
owner = "m3tam3re";
};
basecamp-client-id = {
file = ../../secrets/basecamp-client-id.age;
owner = "m3tam3re";
};
basecamp-client-secret = {
file = ../../secrets/basecamp-client-secret.age;
owner = "m3tam3re";
};
tailscale-key.file = ../../secrets/tailscale-key.age;
m3tam3re-secrets = {
file = ../../secrets/m3tam3re-secrets.age;
owner = "m3tam3re";
};
hermes-env = {
file = ../../secrets/hermes-env.age;
owner = "m3tam3re";
};
};
};
}


@@ -1,20 +1,44 @@
{
{pkgs, ...}: {
imports = [
./containers
./n8n.nix
./hermes-agent.nix
./netbird.nix
#./n8n.nix
./mem0.nix
./postgres.nix
./restic.nix
./sound.nix
./udev.nix
#./wireguard.nix
./wireguard.nix
];
# console.useXkbConfig = true;
# services.xserver.xkb = {
# layout = "de,us";
# options = "ctrl:nocaps";
# };
# optional, falls du auch die TTY-Konsole deutsch willst:
services = {
hypridle.enable = true;
espanso = {
enable = true;
package = pkgs.espanso-wayland;
};
printing.enable = true;
gvfs.enable = true;
trezord.enable = true;
gnome.gnome-keyring.enable = true;
qdrant.enable = true;
# qdrant = {
# enable = true;
# settings = {
# service = {
# host = "0.0.0.0";
# };
# };
# };
upower.enable = true;
avahi = {
enable = true;
nssmdns4 = true;
@@ -24,11 +48,6 @@
userServices = true;
};
};
displayManager.gdm.enable = true;
};
systemd.sleep.extraConfig = ''
AllowSuspend=no
AllowHibernation=no
AllowHybridSleep=no
AllowSuspendThenHibernate=no
'';
}


@@ -0,0 +1,184 @@
{config, ...}: let
# Default ElevenLabs voice: Bella (German-capable female)
elevenlabsVoiceId = "hpp4J3VqNfWAUOO0d1Us";
in {
services.hermes-agent = {
enable = true;
addToSystemPackages = true;
# Secrets via agenix
environmentFiles = [config.age.secrets."hermes-env".path];
# Non-secret environment variables
environment = {
GLM_BASE_URL = "https://api.z.ai/api/coding/paas/v4/";
};
settings = {
# ── Model ──────────────────────────────────────────────────────────
model = {
default = "glm-5.1";
provider = "zai";
};
credential_pool_strategies = {
zai = "fill_first";
};
toolsets = ["all"];
# ── Agent ──────────────────────────────────────────────────────────
agent = {
max_turns = 90;
gateway_timeout = 1800;
tool_use_enforcement = "auto";
};
# ── Terminal ───────────────────────────────────────────────────────
terminal = {
backend = "ssh";
modal_mode = "auto";
cwd = ".";
timeout = 180;
persistent_shell = true;
};
# ── Browser ────────────────────────────────────────────────────────
browser = {
inactivity_timeout = 120;
command_timeout = 30;
cloud_provider = "local";
};
# ── Checkpoints / Compression ──────────────────────────────────────
checkpoints = {
enabled = true;
max_snapshots = 50;
};
file_read_max_chars = 100000;
compression = {
enabled = true;
threshold = 0.5;
target_ratio = 0.2;
protect_last_n = 20;
};
# ── Display ────────────────────────────────────────────────────────
display = {
compact = false;
personality = "kawaii";
resume_display = "full";
busy_input_mode = "interrupt";
inline_diffs = true;
skin = "default";
tool_progress = "all";
};
# ── TTS / STT / Voice ──────────────────────────────────────────────
tts = {
provider = "elevenlabs";
elevenlabs = {
voice_id = elevenlabsVoiceId;
model_id = "eleven_multilingual_v2";
};
};
stt = {
enabled = true;
provider = "local";
local = {model = "base";};
};
voice = {
record_key = "ctrl+b";
max_recording_seconds = 120;
silence_threshold = 200;
silence_duration = 3.0;
};
# ── Memory ─────────────────────────────────────────────────────────
memory = {
memory_enabled = true;
user_profile_enabled = true;
memory_char_limit = 2200;
user_char_limit = 1375;
};
# ── Delegation ─────────────────────────────────────────────────────
delegation = {
max_iterations = 50;
};
# ── Discord ────────────────────────────────────────────────────────
discord = {
require_mention = true;
auto_thread = true;
reactions = true;
};
# ── Approvals / Security ───────────────────────────────────────────
approvals = {
mode = "manual";
timeout = 60;
};
security = {
redact_secrets = true;
tirith_enabled = true;
tirith_fail_open = true;
};
# ── Cron / Session ─────────────────────────────────────────────────
cron = {wrap_response = true;};
session_reset = {
mode = "both";
idle_minutes = 1440;
at_hour = 4;
};
# ── Web ────────────────────────────────────────────────────────────
web = {backend = "exa";};
# ── Platform Toolsets ──────────────────────────────────────────────
platform_toolsets = {
cli = [
"browser"
"clarify"
"code_execution"
"cronjob"
"delegation"
"file"
"image_gen"
"memory"
"session_search"
"skills"
"terminal"
"todo"
"tts"
"vision"
"web"
];
telegram = [
"browser"
"clarify"
"code_execution"
"cronjob"
"delegation"
"file"
"image_gen"
"memory"
"session_search"
"skills"
"terminal"
"todo"
"tts"
"vision"
"web"
];
};
};
};
}
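Review bot: `security.tirith_fail_open = true` in the `security` block lets the agent proceed whenever the tirith check itself fails, which turns the guard into a best-effort filter; unless the check is known to be unreliable, `tirith_fail_open = false;` is the safer setting, and if fail-open is deliberate a comment should say why. The `telegram` entry in `platform_toolsets` also grants `terminal` and `code_execution`, so any account the bot accepts messages from can run commands as the service user; the settings that restrict which chats or users are accepted are not in this file, so either confirm they exist or add a comment pointing at where that is enforced. The meaning of these keys is inferred from their names and should be checked against the hermes-agent module documentation.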


@@ -0,0 +1,23 @@
{
m3ta.mem0 = {
enable = true;
port = 8000;
host = "127.0.0.1";
# LLM Configuration
llm = {
provider = "openai";
apiKeyFile = "/var/lib/mem0/openai-api-key-1"; # Use agenix or sops-nix
};
# Vector Storage Configuration
vectorStore = {
provider = "qdrant"; # or "chroma", "pinecone", etc.
config = {
host = "localhost";
port = 6333;
collection_name = "mem0_alice";
};
};
};
}
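Review bot: `apiKeyFile = "/var/lib/mem0/openai-api-key-1"` points at an unmanaged plain file while the trailing comment itself says to use agenix, and every other service on this page reads secrets through `config.age.secrets.<name>.path`. Declaring the key as an age secret and referencing it, e.g. `apiKeyFile = config.age.secrets.<mem0-openai-key>.path;` (placeholder name; the module would then take `{config, ...}:` as its argument), keeps the key out of hand-maintained state and makes its owner and mode explicit. If the plain file is intentional, the comment should say how it gets there and who may read it.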


@@ -0,0 +1,29 @@
{pkgs, ...}: {
services.netbird.enable = true;
environment.systemPackages = with pkgs; [netbird-ui];
systemd.services.netbird = {
environment = {
NB_DISABLE_SSH_CONFIG = "true";
};
path = [
pkgs.shadow
pkgs.util-linux
];
};
programs.ssh.extraConfig = ''
Match exec "${pkgs.netbird}/bin/netbird ssh detect %h %p"
PreferredAuthentications password,publickey,keyboard-interactive
PasswordAuthentication yes
PubkeyAuthentication yes
BatchMode no
ProxyCommand ${pkgs.netbird}/bin/netbird ssh proxy %h %p
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
CheckHostIP no
LogLevel ERROR
'';
networking.firewall.checkReversePath = "loose";
}
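Review bot: The `Match exec` block in `programs.ssh.extraConfig` sets `StrictHostKeyChecking no`, `UserKnownHostsFile /dev/null` and `PasswordAuthentication yes` for every host that `netbird ssh detect` claims, so host-key verification is switched off for that whole class of peers and a key change on the path goes unnoticed. If the block is copied from the NetBird documentation, a comment should say so and state the trust assumption (that the overlay authenticates peers); otherwise `StrictHostKeyChecking accept-new` together with a dedicated file such as `UserKnownHostsFile ~/.ssh/known_hosts_netbird` (example path) keeps first-contact convenience while still pinning keys afterwards. `CheckHostIP no` and `LogLevel ERROR` additionally suppress the warnings that would reveal such a change.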


@@ -2,7 +2,7 @@
services.postgresql = {
enable = true;
package = pkgs.postgresql_17;
extraPlugins = with pkgs.postgresql17Packages; [
extensions = with pkgs.postgresql17Packages; [
pgvector
];
authentication = ''


@@ -1,7 +1,4 @@
{pkgs, ...}: {
environment.systemPackages = with pkgs; [
speechd
];
{
security.rtkit.enable = true;
services.pipewire = {
enable = true;


@@ -1,40 +0,0 @@
{
config,
pkgs,
...
}: {
services.tailscale = {
enable = true;
useRoutingFeatures = "client";
};
systemd.services.tailscale-autoconnect = {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = ["network-pre.target" "tailscale.service"];
wants = ["network-pre.target" "tailscale.service"];
wantedBy = ["multi-user.target"];
# set this service as a oneshot job
serviceConfig = {
Type = "oneshot";
EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
};
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up --exit-node 100.88.96.77 --authkey $TAILSCALE_KEY
'';
};
}


@@ -1,7 +1,9 @@
{pkgs, ...}: {
services.udev.extraRules = ''
SUBSYSTEM=="usb", MODE="0666
'';
SUBSYSTEM=="usb", MODE="0666"
SUBSYSTEM=="leds", KERNEL=="rgb:kbd_backlight*", ACTION=="add", RUN+="${pkgs.coreutils}/bin/chmod a+w /sys/class/leds/%k/multi_intensity"
KERNEL=="uinput", MODE="0660", GROUP="input", OPTIONS+="static_node=uinput"
KERNEL=="event*", SUBSYSTEM=="input", MODE="0660", GROUP="input" '';
environment.systemPackages = with pkgs; [
zsa-udev-rules
];
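Review bot: `SUBSYSTEM=="usb", MODE="0666"` (now correctly terminated) makes every USB device node readable and writable by every local user, so any compromised user process gets raw USB access to storage, security tokens and the keyboards that the `zsa-udev-rules` package already scopes precisely. The commit only fixes the quoting; the rule should be narrowed to the devices that need it, e.g. by matching `ATTRS{idVendor}=="<vendor-id>"` (value per device) and using `TAG+="uaccess"` or a `GROUP=` instead of `0666`. The `uinput` and `event*` rules below it already use the `MODE="0660", GROUP="input"` pattern, which is the model to follow.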


@@ -10,7 +10,7 @@
};
NO = {
configFile = config.age.secrets.wg-NO.path;
autostart = true;
autostart = false;
};
US = {
configFile = config.age.secrets.wg-US.path;


@@ -0,0 +1,116 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{pkgs, ...}: {
imports = [
# Include the results of the hardware scan.
./disko-config.nix
./hardware-configuration.nix
];
# Bootloader.
boot.loader.grub = {
efiSupport = true;
efiInstallAsRemovable = true;
};
networking.hostName = "m3-atlas"; # CHANGE ME.
networking.hostId = "15b60253"; # CHANGE ME
# Pick only one of the below networking options.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
# Set your time zone.
time.timeZone = "Europe/Berlin";
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
# console = {
# font = "Lat2-Terminus16";
# keyMap = "us";
# useXkbConfig = true; # use xkb.options in tty.
# };
# Enable the X11 windowing system.
# services.xserver.enable = true;
# Enable the GNOME Desktop Environment.
# services.xserver.displayManager.gdm.enable = true;
# services.xserver.desktopManager.gnome.enable = true;
# Configure keymap in X11
# services.xserver.xkb.layout = "us";
# services.xserver.xkb.options = "eurosign:e,caps:escape";
# Enable CUPS to print documents.
# services.printing.enable = true;
# Enable sound.
# hardware.pulseaudio.enable = true;
# OR
# Enable touchpad support (enabled default in most desktopManager).
# services.libinput.enable = true;
# Define a user account. Don't forget to set a password with passwd.
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
neovim
git
ghostty.terminfo
];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable:
# Enable the OpenSSH daemon.
services.openssh = {
enable = true;
settings.PermitRootLogin = "no";
settings = {
PasswordAuthentication = false;
};
};
# [[Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# system.copySystemConfiguration = true;
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
#
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
# to actually do that.
#
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
#
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
#
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "24.11"; # Did you read the comment?
}
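Review bot: `services.openssh` defines `settings` twice — `settings.PermitRootLogin = "no";` followed by `settings = { PasswordAuthentication = false; };` — and although Nix merges the two attrset literals, one block is clearer and removes any doubt about which definition wins. While merging them, `KbdInteractiveAuthentication = false;` belongs next to `PasswordAuthentication = false;`, because NixOS leaves keyboard-interactive (PAM) authentication enabled by default and that path still accepts a password; the combined block would read `settings = { PermitRootLogin = "no"; PasswordAuthentication = false; KbdInteractiveAuthentication = false; };`.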


@@ -0,0 +1,50 @@
# A staring point is the basic NIXOS configuration generated by the ISO installer.
# On an existing NIXOS install you can use the following command in your flakes basedir:
# sudo nixos-generate-config --dir ./hosts/m3tam3re
#
# Please make sure to change the first couple of lines in your configuration.nix:
# { config, inputs, ouputs, lib, pkgs, ... }:
#
# {
# imports = [ # Include the results of the hardware scan.
# ./hardware-configuration.nix
# inputs.home-manager.nixosModules.home-manager
# ];
# ...
#
# Moreover please update the packages option in your user configuration and add the home-manager options:
# users.users = {
# m3tam3re = {
# isNormalUser = true;
# initialPassword = "12345";
# extraGroups = [ "wheel" ]; # Enable sudo for the user.
# packages = [ inputs.home-manager.packages.${pkgs.system}.default ];
# };
# };
#
# home-manager = {
# useUserPackages = true;
# extraSpecialArgs = { inherit inputs outputs; };
# users.m3tam3re =
# import ../../home/m3tam3re/${config.networking.hostName}.nix;
# };
#
# Please also change your hostname accordingly:
#:w
# networking.hostName = "nixos"; # Define your hostname.
{
imports = [
../common
./configuration.nix
./programs.nix
./secrets.nix
./services
];
extraServices = {
flatpak.enable = false;
ollama.enable = false;
podman.enable = true;
virtualisation.enable = false;
};
}
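Review bot: `#:w` just above `# networking.hostName = "nixos";` is a stray editor command typed into the file and should be removed. The long header comment describes a per-host home-manager import (`../../home/m3tam3re/${config.networking.hostName}.nix`) and an `initialPassword = "12345"` example that this module does not use; its body only imports `../common` plus the sibling files and sets `extraServices`, so trimming the template header to what applies here would stop readers copying an outdated pattern.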


@@ -0,0 +1,39 @@
{
disko.devices = {
disk = {
main = {
type = "disk";
device = "/dev/vda"; # CHANGE ME
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02"; # for GRUB MBR
priority = 1;
};
esp = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = ["defaults" "umask=0077"];
};
};
root = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
mountOptions = ["noatime" "nodiratime" "discard"];
};
};
};
};
};
};
};
}


@@ -0,0 +1,31 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
lib,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
fileSystems."/var/storage" = {
device = "46.38.248.210:/voln723044a1";
fsType = "nfs";
};
}
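Review bot: The `fileSystems."/var/storage"` NFS mount was added to a file whose header says it is generated by `nixos-generate-config` and may be overwritten, so the mount will silently vanish the next time the file is regenerated; it belongs in `configuration.nix` or a module of its own. The export is addressed by a bare public IP with no `options`, so unless the provider confines this path to a private network the traffic uses AUTH_SYS without encryption — a comment stating that assumption, plus `options = ["nfsvers=4.2" "x-systemd.automount" "noauto"];` (version per what the provider supports), would make the trust boundary explicit and keep an unreachable server from holding up boot.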


@@ -0,0 +1,14 @@
{pkgs, ...}: {
programs.nix-ld.enable = true;
programs.nix-ld.libraries = with pkgs; [
# Add any missing dynamic libraries for unpackaged programs
# here, NOT in environment.systemPackages
];
programs.fish.enable = true;
programs.nh = {
enable = true;
clean.enable = true;
clean.extraArgs = "--keep-since 4d --keep 3";
flake = "/home/m3tam3re/p/nixos/nixos-config";
};
}


@@ -0,0 +1,76 @@
{
age = {
secrets = {
baserow-env = {file = ../../secrets/baserow-env.age;};
ghost-env = {file = ../../secrets/ghost-env.age;};
kestra-config = {
file = ../../secrets/kestra-config.age;
mode = "644";
};
kestra-env = {file = ../../secrets/kestra-env.age;};
littlelink-m3tam3re = {file = ../../secrets/littlelink-m3tam3re.age;};
minio-root-cred = {file = ../../secrets/minio-root-cred.age;};
rustfs-access-key = {file = ../../secrets/rustfs-access-key.age;};
rustfs-secret-key = {file = ../../secrets/rustfs-secret-key.age;};
n8n-env = {file = ../../secrets/n8n-env.age;};
netbird-auth-secret = {
file = ../../secrets/netbird-auth-secret.age;
};
netbird-db-password = {
file = ../../secrets/netbird-db-password.age;
};
netbird-encryption-key = {
file = ../../secrets/netbird-encryption-key.age;
};
netbird-dashboard-env = {
file = ../../secrets/netbird-dashboard-env.age;
};
netbird-server-env = {
file = ../../secrets/netbird-server-env.age;
};
netbird-proxy-env = {
file = ../../secrets/netbird-proxy-env.age;
};
paperless-key = {file = ../../secrets/paperless-key.age;};
restreamer-env = {file = ../../secrets/restreamer-env.age;};
searx = {file = ../../secrets/searx.age;};
tailscale-key = {file = ../../secrets/tailscale-key.age;};
tuwunel-registration-token = {
file = ../../secrets/tuwunel-registration-token.age;
owner = "tuwunel";
};
traefik = {
file = ../../secrets/traefik.age;
owner = "traefik";
};
vaultwarden-env = {file = ../../secrets/vaultwarden-env.age;};
m3tam3re-secrets = {
file = ../../secrets/m3tam3re-secrets.age;
owner = "m3tam3re";
};
gitea-runner-token = {
file = ../../secrets/gitea-runner-token.age;
mode = "600";
owner = "gitea-runner";
group = "gitea-runner";
};
ref-key = {
file = ../../secrets/ref-key.age;
owner = "m3tam3re";
};
exa-key = {
file = ../../secrets/exa-key.age;
owner = "m3tam3re";
};
basecamp-client-id = {
file = ../../secrets/basecamp-client-id.age;
owner = "m3tam3re";
};
basecamp-client-secret = {
file = ../../secrets/basecamp-client-secret.age;
owner = "m3tam3re";
};
authentik-env = {file = ../../secrets/authentik-env.age;};
};
};
}
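Review bot: `kestra-config` is decrypted with `mode = "644"`, which makes the rendered Kestra `application.yaml` (presumably carrying its datastore credentials, given it is mounted as `--config` in kestra.nix on this page) readable by every local user, while the other entries here keep the agenix default of owner-only access. The kestra container runs as `user = "root"`, so the default mode already suffices; dropping the `mode = "644";` line, or at most `mode = "600";`, closes that gap. `minio-root-cred` is still declared next to the new `rustfs-access-key`/`rustfs-secret-key`; if MinIO is being retired, removing it avoids decrypting a dead credential onto disk on every boot.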


@@ -0,0 +1,85 @@
# CONTAINER SERVICES (m3-atlas)
**Container orchestration with Podman + Traefik reverse proxy**
## OVERVIEW
11 containerized services on dedicated `web` network (10.89.0.0/24) with Traefik SSL termination.
## STRUCTURE
```
containers/
├── default.nix # Network setup + service imports
├── baserow.nix # 10.89.0.10 - No-code database
├── ghost.nix # 10.89.0.11 - Blog platform
├── kestra.nix # 10.89.0.12 - Workflow orchestration
├── littlelink.nix # 10.89.0.13 - Link aggregator
├── matomo.nix # 10.89.0.14 - Analytics
├── restreamer.nix # 10.89.0.15 - Video streaming
├── slash.nix # 10.89.0.16 - Link shortener
└── slash-nemoti.nix # 10.89.0.17 - Personal link shortener
```
## WHERE TO LOOK
| Task | Action | Notes |
|------|--------|-------|
| Add container | Copy existing .nix, increment IP | Must update default.nix imports |
| Fix networking | Check IP conflicts in 10.89.0.0/24 | Gateway always 10.89.0.1 |
| Debug Traefik | Check router rules in service file | Domain must match DNS |
| Access database | Use `--add-host=mysql:10.89.0.1` | Gateway IP for host services |
## CONVENTIONS
### Container Definition Template
```nix
virtualisation.oci-containers.containers.<name> = {
image = "registry/image:tag";
ports = ["127.0.0.1:<external>:<internal>"];
volumes = ["/var/lib/<service>:/data"];
environmentFiles = [config.age.secrets.<name>-env.path];
extraOptions = [
"--network=web"
"--ip=10.89.0.<sequential>"
"--add-host=mysql:10.89.0.1" # If DB needed
];
};
```
### Traefik Integration
```nix
services.traefik.dynamicConfigOptions.http = {
services.<name>.loadBalancer.servers = [{
url = "http://127.0.0.1:<port>";
}];
routers.<name> = {
rule = "Host(`<subdomain>.m3ta.dev`)";
service = "<name>";
tls.certResolver = "godaddy";
};
# Legacy redirect (if needed)
routers.<name>-old = {
rule = "Host(`<subdomain>.m3tam3re.com`)";
service = "<name>";
middlewares = ["redirect-m3ta"];
};
};
```
### IP Allocation
- **10.89.0.1**: Gateway (host)
- **10.89.0.10-17**: Assigned containers
- **10.89.0.18+**: Available for new services
## ANTI-PATTERNS
- **DON'T** expose ports publicly - bind to 127.0.0.1 only
- **DON'T** skip static IP assignment - routing breaks without it
- **DON'T** hardcode secrets - use age-encrypted env files
- **DON'T** forget to add imports to default.nix
## NOTES
- Network created via activation script in default.nix
- All services behind Traefik - no direct external access
- MySQL/PostgreSQL run on host, accessed via gateway IP
- Secrets pattern: `<service>-env.age` with environment variables


@@ -0,0 +1,67 @@
{config, ...}: let
image = "ghcr.io/goauthentik/server:2026.2.0";
serverIp = "10.89.0.22";
workerIp = "10.89.0.23";
postgresHost = "10.89.0.1";
postgresPort = config.m3ta.ports.get "postgres";
authentikPort = config.m3ta.ports.get "authentik";
sharedEnv = {
AUTHENTIK_POSTGRESQL__HOST = postgresHost;
AUTHENTIK_POSTGRESQL__PORT = toString postgresPort;
AUTHENTIK_POSTGRESQL__USER = "authentik";
AUTHENTIK_POSTGRESQL__NAME = "authentik";
};
in {
virtualisation.oci-containers.containers = {
"authentik-server" = {
inherit image;
cmd = ["server"];
environment = sharedEnv;
environmentFiles = [config.age.secrets.authentik-env.path];
ports = ["127.0.0.1:${toString authentikPort}:9000"];
volumes = [
"authentik_media:/media"
"authentik_templates:/templates"
];
extraOptions = [
"--add-host=postgres:${postgresHost}"
"--ip=${serverIp}"
"--network=web"
];
};
"authentik-worker" = {
inherit image;
cmd = ["worker"];
user = "root";
environment = sharedEnv;
environmentFiles = [config.age.secrets.authentik-env.path];
volumes = [
"authentik_media:/media"
"authentik_certs:/certs"
"authentik_templates:/templates"
];
extraOptions = [
"--add-host=postgres:${postgresHost}"
"--ip=${workerIp}"
"--network=web"
];
};
};
services.traefik.dynamicConfigOptions.http = {
services.authentik.loadBalancer.servers = [
{url = "http://localhost:${toString authentikPort}/";}
];
routers.authentik = {
rule = "Host(`auth.m3ta.dev`)";
tls = {certResolver = "godaddy";};
service = "authentik";
entrypoints = "websecure";
};
};
}
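Review bot: `authentik-worker` sets `user = "root"` although nothing in its definition appears to require it — it mounts only named volumes and no docker socket — so the worker runs with more privilege than the server it pairs with. If the override exists so the worker can write `/certs` or `/templates`, a comment should say so; otherwise dropping `user = "root";` keeps both containers at the image's default user. The pinned tag `2026.2.0` is the right pattern and worth repeating for the other containers in this tree.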


@@ -0,0 +1,35 @@
{config, ...}: {
virtualisation.oci-containers.containers."baserow" = {
image = "docker.io/baserow/baserow:2.0.6";
environmentFiles = [config.age.secrets.baserow-env.path];
ports = ["127.0.0.1:${toString (config.m3ta.ports.get "baserow")}:80"];
volumes = ["baserow_data:/baserow/data"];
extraOptions = ["--add-host=postgres:10.89.0.1" "--ip=10.89.0.10" "--network=web"];
};
# Traefik configuration specific to baserow
services.traefik.dynamicConfigOptions.http = {
services.baserow.loadBalancer.servers = [
{
url = "http://localhost:${toString (config.m3ta.ports.get "baserow")}/";
}
];
routers.baserow = {
rule = "Host(`br.m3ta.dev`)";
tls = {
certResolver = "godaddy";
};
service = "baserow";
entrypoints = "websecure";
};
routers.baserow-old = {
rule = "Host(`br.m3tam3re.com`)";
tls = {
certResolver = "godaddy";
};
service = "baserow";
entrypoints = "websecure";
middlewares = ["subdomain-redirect"];
};
};
}


@@ -0,0 +1,21 @@
{lib, ...}: {
imports = [
./baserow.nix
./ghost.nix
./kestra.nix
./littlelink.nix
./matomo.nix
./netbird.nix
# ./n8n.nix
# ./pangolin.nix
./restreamer.nix
./slash.nix
./slash-nemoti.nix
./authentik.nix
];
system.activationScripts.createPodmanNetworkWeb = lib.mkAfter ''
if ! /run/current-system/sw/bin/podman network exists web; then
/run/current-system/sw/bin/podman network create web --subnet=10.89.0.0/24 --internal
fi
'';
}
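Review bot: `createPodmanNetworkWeb` only checks `podman network exists web`, so once the network exists the `--subnet=10.89.0.0/24 --internal` arguments are never re-applied and a later change to either silently does nothing until someone removes the network by hand; a comment saying so, or comparing `podman network inspect web` against the desired subnet before skipping, would prevent confusing drift. Using `system.activationScripts` also runs this as root on every `nixos-rebuild switch`; a oneshot `systemd.services` unit ordered `before` the `podman-*.service` units is the generally preferred shape for such setup and lets the container units depend on it explicitly.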


@@ -0,0 +1,37 @@
{config, ...}: {
virtualisation.oci-containers.containers."ghost" = {
image = "docker.io/ghost:latest";
environmentFiles = [config.age.secrets.ghost-env.path];
ports = ["127.0.0.1:3002:2368"];
volumes = ["ghost_data:/var/lib/ghost/content"];
extraOptions = ["--add-host=mysql:10.89.0.1" "--ip=10.89.0.11" "--network=web"];
};
# Traefik configuration specific to ghost
services.traefik.dynamicConfigOptions.http = {
services.ghost.loadBalancer.servers = [
{
url = "http://localhost:3002/";
}
];
routers = {
ghost = {
rule = "Host(`m3ta.dev`) || Host(`www.m3ta.dev`)";
tls = {
certResolver = "godaddy";
};
service = "ghost";
entrypoints = "websecure";
middlewares = ["strip-www"];
};
ghost-old = {
rule = "Host(`www.m3tam3re.com`)";
tls = {
certResolver = "godaddy";
};
service = "ghost";
entrypoints = "websecure";
middlewares = ["domain-redirect"];
};
};
};
}
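Review bot: `image = "docker.io/ghost:latest"` pulls whatever the registry serves at the next restart, so a rebuild is not reproducible and an upstream or registry compromise lands without a review step; the same applies to `kestra:latest`, `matomo:latest`, `n8n` (no tag), `littlelink-server` (no tag), the `netbirdio/*:latest` images, `restreamer:latest` and `slash:latest` in this tree. Pinning a version tag as authentik and baserow already do — or better a digest, e.g. `image = "docker.io/ghost:<version>@sha256:<digest>";` (placeholders) — makes every upgrade a deliberate commit.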


@@ -0,0 +1,32 @@
{config, ...}: {
virtualisation.oci-containers.containers."kestra" = {
image = "docker.io/kestra/kestra:latest";
environmentFiles = [config.age.secrets.kestra-env.path];
cmd = ["server" "standalone" "--config" "/etc/config/application.yaml"];
ports = ["127.0.0.1:3018:8080"];
user = "root";
volumes = [
"/var/run/docker.sock:/var/run/docker.sock"
"${config.age.secrets.kestra-config.path}:/etc/config/application.yaml"
"kestra_data:/app/storage"
"/tmp/kestra-wd:/tmp/kestra-wd"
];
extraOptions = ["--add-host=postgres:10.89.0.1" "--ip=10.89.0.18" "--network=web"];
};
systemd.tmpfiles.rules = [
"d /tmp/kestra-wd 0750 1000 1000 - -"
];
# Traefik configuration specific to littlelink
services.traefik.dynamicConfigOptions.http = {
services.kestra.loadBalancer.servers = [{url = "http://localhost:3018/";}];
routers.kestra = {
rule = "Host(`k.m3ta.dev`)";
tls = {certResolver = "godaddy";};
service = "kestra";
entrypoints = "websecure";
};
};
}
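Review bot: The `kestra` container bind-mounts `/var/run/docker.sock` and runs as `user = "root"`, which amounts to giving the Kestra process root on the host, so whoever can define flows in Kestra effectively administers the machine. If Docker-based tasks are required, a comment should record that trust decision and the Kestra UI must be treated as an admin surface; if they are not, the socket mount should go. Separately, the tmpfiles rule creates `/tmp/kestra-wd` as `0750 1000 1000` while the container runs as root, so the ownership is only right if Kestra drops to uid 1000 for its work — worth confirming or documenting. The comment `# Traefik configuration specific to littlelink` is a copy-paste leftover and should read `kestra`.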


@@ -0,0 +1,25 @@
{config, ...}: {
virtualisation.oci-containers.containers."littlelink_m3tam3re" = {
image = "ghcr.io/techno-tim/littlelink-server";
environmentFiles = [config.age.secrets.littlelink-m3tam3re.path];
ports = ["127.0.0.1:3004:3000"];
extraOptions = ["--ip=10.89.0.4" "--network=web"];
};
# Traefik configuration specific to littlelink
services.traefik.dynamicConfigOptions.http = {
services.littlelink-m3tam3re.loadBalancer.servers = [
{
url = "http://localhost:3004/";
}
];
routers.littlelink-m3tam3re = {
rule = "Host(`links.m3tam3re.com`)";
tls = {
certResolver = "godaddy";
};
service = "littlelink-m3tam3re";
entrypoints = "websecure";
};
};
}


@@ -0,0 +1,43 @@
{
virtualisation.oci-containers.containers."matomo" = {
image = "docker.io/matomo:latest";
ports = ["127.0.0.1:3011:80"];
volumes = ["matomo_data:/var/www/html"];
environment = {
MATOMO_DATABASE_HOST = "mysql";
MATOMO_DATABASE_USERNAME = "matomo";
MATOMO_DATABASE_PASSWORD = "matomo";
MATOMO_DATABASE_DBNAME = "matomo";
MYSQL_DATABASE = "matomo";
PHP_MEMORY_LIMIT = "2048M";
};
extraOptions = ["--add-host=mysql:10.89.0.1" "--ip=10.89.0.16" "--network=web"];
};
# Traefik configuration specific to ghost
services.traefik.dynamicConfigOptions.http = {
services.matomo.loadBalancer.servers = [
{
url = "http://localhost:3011/";
}
];
routers = {
matomo-nemoti = {
rule = "Host(`stats.nemoti.com`)";
tls = {
certResolver = "godaddy";
};
service = "matomo";
entrypoints = "websecure";
};
matomo-m3tam3re = {
rule = "Host(`stats.m3tam3re.com`)";
tls = {
certResolver = "godaddy";
};
service = "matomo";
entrypoints = "websecure";
};
};
};
}
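Review bot: `MATOMO_DATABASE_PASSWORD = "matomo"` is a plaintext database credential in the Nix expression, so it ends up world-readable in `/nix/store` and in git history, unlike the other containers here which read credentials from an age-encrypted `environmentFiles` entry. Move the `MATOMO_DATABASE_*` credentials into a `matomo-env.age` secret (name constructed to match the existing `<service>-env` pattern), rotate the password while doing so since it currently equals the username, and reference it as `environmentFiles = [config.age.secrets.matomo-env.path];`, which needs `{config, ...}:` as the module argument. The stale `# Traefik configuration specific to ghost` comment should also say matomo.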


@@ -0,0 +1,27 @@
{config, ...}: {
virtualisation.oci-containers.containers."n8n" = {
image = "docker.n8n.io/n8nio/n8n";
environmentFiles = [config.age.secrets.n8n-env.path];
ports = ["127.0.0.1:5678:5678"];
volumes = ["n8n_data:/home/node/.n8n"];
extraOptions = ["--add-host=postgres:10.89.0.1" "--ip=10.89.0.14" "--network=web"];
};
# Traefik configuration specific to n8n
services.traefik.dynamicConfigOptions.http = {
services.n8n.loadBalancer.servers = [
{
url = "http://localhost:5678/";
}
];
routers.n8n = {
rule = "Host(`wf.m3tam3re.com`)";
tls = {
certResolver = "godaddy";
};
service = "n8n";
entrypoints = "websecure";
};
};
}


@@ -0,0 +1,244 @@
{
config,
pkgs,
...
}: let
serviceName = "netbird";
stunPort = config.m3ta.ports.get "netbird-stun";
proxyTlsPort = config.m3ta.ports.get "netbird-proxy";
metricsPort = config.m3ta.ports.get "netbird-metrics";
healthPort = config.m3ta.ports.get "netbird-health";
postgresPort = config.m3ta.ports.get "postgres";
wireguardPort = config.m3ta.ports.get "wireguard";
domain = "v.m3ta.dev";
proxyDomain = "p.m3ta.dev";
ipBase = "10.89.0";
ipOffset = 50;
dashboardIp = "${ipBase}.${toString ipOffset}";
serverIp = "${ipBase}.${toString (ipOffset + 1)}";
proxyIp = "${ipBase}.${toString (ipOffset + 2)}";
# Database configuration
dbName = "netbird";
dbUser = "netbird";
dbHost = "${ipBase}.1";
# NetBird config as Nix attribute set
netbirdConfig = {
server = {
listenAddress = ":80";
exposedAddress = "https://${domain}:443";
stunPorts = [stunPort];
metricsPort = metricsPort;
healthcheckAddress = ":${toString healthPort}";
logLevel = "info";
logFile = "console";
dataDir = "/var/lib/netbird";
auth = {
issuer = "https://${domain}/oauth2";
localAuthDisabled = true;
signKeyRefreshEnabled = true;
dashboardRedirectURIs = [
"https://${domain}/nb-auth"
"https://${domain}/nb-silent-auth"
];
cliRedirectURIs = ["http://localhost:53000/"];
};
reverseProxy = {
trustedHTTPProxies = ["${ipBase}.1/32"];
};
# Proxy feature
proxy = {
enabled = true;
domain = proxyDomain;
};
store = {
engine = "postgres";
postgres = {
host = dbHost;
port = postgresPort;
database = dbName;
username = dbUser;
};
};
};
};
# Generate YAML from Nix attribute set
yamlFormat = pkgs.formats.yaml {};
configYamlBase = yamlFormat.generate "netbird-config-base.yaml" netbirdConfig;
# Script that injects secrets at runtime
configGenScript = pkgs.writeShellScript "netbird-gen-config" ''
set -euo pipefail
AUTH_SECRET=$(cat "$1")
DB_PASSWORD=$(cat "$2")
ENCRYPTION_KEY=$(cat "$3")
${pkgs.yq-go}/bin/yq eval "
.server.authSecret = \"$AUTH_SECRET\" |
.server.store.encryptionKey = \"$ENCRYPTION_KEY\" |
.server.store.postgres.password = \"$DB_PASSWORD\"
" ${configYamlBase}
'';
in {
age.secrets."${serviceName}-auth-secret".file = ../../../../secrets/${serviceName}-auth-secret.age;
age.secrets."${serviceName}-db-password".file = ../../../../secrets/${serviceName}-db-password.age;
age.secrets."${serviceName}-encryption-key".file = ../../../../secrets/${serviceName}-encryption-key.age;
age.secrets."${serviceName}-dashboard-env".file = ../../../../secrets/${serviceName}-dashboard-env.age;
age.secrets."${serviceName}-server-env".file = ../../../../secrets/${serviceName}-server-env.age;
age.secrets."${serviceName}-proxy-env".file = ../../../../secrets/${serviceName}-proxy-env.age;
# Oneshot systemd service that generates the config with injected secrets
systemd.services."${serviceName}-config" = {
description = "Generate NetBird config with secrets";
wantedBy = ["multi-user.target"];
before = ["podman-${serviceName}-server.service"];
requiredBy = ["podman-${serviceName}-server.service"];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = pkgs.writeShellScript "netbird-write-config" ''
mkdir -p /var/lib/${serviceName}
${configGenScript} \
${config.age.secrets."${serviceName}-auth-secret".path} \
${config.age.secrets."${serviceName}-db-password".path} \
${config.age.secrets."${serviceName}-encryption-key".path} \
> /var/lib/${serviceName}/config.yaml
chmod 600 /var/lib/${serviceName}/config.yaml
'';
};
};
virtualisation.oci-containers.containers = {
"${serviceName}-dashboard" = {
image = "netbirdio/dashboard:latest";
autoStart = true;
environmentFiles = [config.age.secrets."${serviceName}-dashboard-env".path];
extraOptions = [
"--ip=${dashboardIp}"
"--network=web"
];
};
"${serviceName}-server" = {
image = "netbirdio/netbird-server:latest";
autoStart = true;
ports = ["${toString stunPort}:${toString stunPort}/udp"];
environmentFiles = [config.age.secrets."${serviceName}-server-env".path];
volumes = [
"${serviceName}_data:/var/lib/netbird"
"/var/lib/${serviceName}/config.yaml:/etc/netbird/config.yaml:ro"
];
cmd = ["--config" "/etc/netbird/config.yaml"];
extraOptions = [
"--ip=${serverIp}"
"--network=web"
];
};
"${serviceName}-proxy" = {
image = "netbirdio/reverse-proxy:latest";
autoStart = true;
ports = ["${toString wireguardPort}:${toString wireguardPort}/udp"];
volumes = [
"${serviceName}_proxy_certs:/certs"
];
environmentFiles = [config.age.secrets."${serviceName}-proxy-env".path];
cmd = [
"--domain=${proxyDomain}"
"--mgmt=https://${domain}:443"
"--addr=:${toString proxyTlsPort}"
"--cert-dir=/certs"
"--acme-certs"
"--trusted-proxies=${ipBase}.1/32"
];
dependsOn = ["${serviceName}-server"];
extraOptions = [
"--ip=${proxyIp}"
"--network=web"
];
};
};
services.traefik.dynamicConfigOptions = {
# HTTP services and routers
http = {
services = {
"${serviceName}-dashboard".loadBalancer.servers = [
{url = "http://${dashboardIp}:80/";}
];
"${serviceName}-server".loadBalancer.servers = [
{url = "http://${serverIp}:80/";}
];
"${serviceName}-server-h2c".loadBalancer.servers = [
{url = "h2c://${serverIp}:80";}
];
};
routers = {
# gRPC (Signal + Management)
"${serviceName}-grpc" = {
rule = "Host(`${domain}`) && (PathPrefix(`/signalexchange.SignalExchange/`) || PathPrefix(`/management.ManagementService/`) || PathPrefix(`/management.ProxyService/`))";
entrypoints = "websecure";
tls.certResolver = "godaddy";
service = "${serviceName}-server-h2c";
priority = 100;
};
# Backend (relay, WebSocket, API, OAuth2)
"${serviceName}-backend" = {
rule = "Host(`${domain}`) && (PathPrefix(`/relay`) || PathPrefix(`/ws-proxy/`) || PathPrefix(`/api`) || PathPrefix(`/oauth2`))";
entrypoints = "websecure";
tls.certResolver = "godaddy";
service = "${serviceName}-server";
priority = 100;
};
# Dashboard (catch-all, lowest priority)
"${serviceName}-dashboard" = {
rule = "Host(`${domain}`)";
entrypoints = "websecure";
tls.certResolver = "godaddy";
service = "${serviceName}-dashboard";
priority = 1;
};
};
};
# TCP for proxy TLS passthrough
tcp = {
services."${serviceName}-proxy-tls".loadBalancer.servers = [
{address = "${proxyIp}:${toString proxyTlsPort}";}
];
routers."${serviceName}-proxy-passthrough" = {
entryPoints = ["websecure"];
rule = "HostSNI(`*`)";
service = "${serviceName}-proxy-tls";
priority = 1;
tls.passthrough = true;
};
};
# ServersTransport for Proxy Protocol v2 (optional)
serversTransports."pp-v2" = {
proxyProtocol.version = 2;
};
};
networking.firewall.allowedUDPPorts = [
stunPort # STUN
wireguardPort # WireGuard for proxy
];
}
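Review bot: In `configGenScript` the three secrets are spliced into the yq expression as a shell string, so they travel on yq's command line — readable in `/proc/<pid>/cmdline` by other local users while it runs — and any `"` or `\` inside a secret corrupts the expression rather than the value; passing them through the environment and using yq's `strenv()` avoids both. In the `netbird-write-config` wrapper the file is written first and `chmod 600` applied afterwards, leaving a window governed by the default umask, and the wrapper lacks the `set -euo pipefail` the generator has; `umask 077` before the redirect closes the window. Worth confirming separately: the TCP router with the wildcard `HostSNI` rule and `tls.passthrough = true` shares the `websecure` entrypoint with the HTTPS routers, so check in a staging run that it does not shadow them.
```nix
configGenScript = pkgs.writeShellScript "netbird-gen-config" ''
  set -euo pipefail
  # Secrets go through the environment: yq's strenv() quotes them, and they
  # never appear on the command line or break the expression.
  AUTH_SECRET=$(cat "$1") DB_PASSWORD=$(cat "$2") ENCRYPTION_KEY=$(cat "$3") \
    ${pkgs.yq-go}/bin/yq eval '
      .server.authSecret = strenv(AUTH_SECRET) |
      .server.store.encryptionKey = strenv(ENCRYPTION_KEY) |
      .server.store.postgres.password = strenv(DB_PASSWORD)
    ' ${configYamlBase}
'';
# … unchanged: age.secrets declarations and the systemd unit header …
ExecStart = pkgs.writeShellScript "netbird-write-config" ''
  set -euo pipefail
  umask 077
  mkdir -p /var/lib/${serviceName}
  # … unchanged: configGenScript invocation redirected to config.yaml …
'';
```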


@@ -0,0 +1,75 @@
{config, ...}: {
virtualisation.oci-containers.containers."restreamer" = {
image = "docker.io/datarhei/restreamer:latest";
environmentFiles = [config.age.secrets.restreamer-env.path];
# Modified ports to include RTMPS
ports = [
"127.0.0.1:${toString (config.m3ta.ports.get "restreamer")}:8080" # Web UI
"127.0.0.1:1936:1935" # RTMP
];
volumes = [
"restreamer_data:/core/data"
"restreamer_config:/core/config"
];
extraOptions = ["--add-host=postgres:10.89.0.1" "--ip=10.89.0.13" "--network=web"];
};
# Traefik configuration
services.traefik = {
dynamicConfigOptions = {
http = {
services.restreamer.loadBalancer.servers = [
{
url = "http://localhost:${toString (config.m3ta.ports.get "restreamer")}/";
}
];
routers.restreamer = {
rule = "Host(`stream.m3ta.dev`)";
tls = {
certResolver = "godaddy";
};
service = "restreamer";
entrypoints = ["websecure"];
};
};
tcp = {
services = {
rtmp-service.loadBalancer.servers = [
{
address = "localhost:1936";
}
];
rtmps-service.loadBalancer.servers = [
{
address = "localhost:1936";
}
];
};
routers = {
rtmp = {
rule = "HostSNI(`*`)"; # Changed to accept all SNI
service = "rtmp-service";
entryPoints = ["rtmp"];
};
rtmps = {
rule = "HostSNI(`stream.m3tam3re.com`)";
service = "rtmps-service";
entryPoints = ["rtmps"];
tls = {
certResolver = "godaddy";
passthrough = false;
};
};
};
};
};
};
# Firewall configuration
networking.firewall = {
allowedTCPPorts = [1935 1945];
};
}
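Review bot: The plain `rtmp` TCP router (`rule = "HostSNI(`*`)"`, `entryPoints = ["rtmp"]`) carries no TLS while `networking.firewall.allowedTCPPorts = [1935 1945]` opens ingest on all interfaces, so publishers' stream keys — the only credential RTMP has — travel in cleartext; the `rtmps` router already provides TLS ingest, so either drop the plaintext entrypoint and its firewall port or add a comment stating why cleartext RTMP must remain reachable. The two TCP services `rtmp-service` and `rtmps-service` both point at `localhost:1936` and can be collapsed into one. The RTMPS rule matches `HostSNI(`stream.m3tam3re.com`)` while the HTTP router serves `stream.m3ta.dev`; if the old domain is being retired (the gitea module elsewhere in this compare redirects `m3tam3re.com` to `m3ta.dev`) the SNI rule should follow. Whether 1935 and 1945 are actually the ports of the `rtmp`/`rtmps` entrypoints cannot be checked here, since those are defined in traefik.nix outside this file; a comment tying the firewall list to those definitions would help.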


@@ -0,0 +1,27 @@
{
virtualisation.oci-containers.containers."slash-nemoti" = {
image = "docker.io/yourselfhosted/slash:latest";
ports = ["127.0.0.1:3016:5231"];
volumes = [
"slash-nemoti_data:/var/opt/slash"
];
extraOptions = ["--ip=10.89.0.17" "--network=web"];
};
# Traefik configuration specific to littlelink
services.traefik.dynamicConfigOptions.http = {
services.slash-nemoti.loadBalancer.servers = [
{
url = "http://localhost:3016/";
}
];
routers.slash-nemoti = {
rule = "Host(`l.nemoti.art`)";
tls = {
certResolver = "godaddy";
};
service = "slash-nemoti";
entrypoints = "websecure";
};
};
}
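Review bot: `image = "docker.io/yourselfhosted/slash:latest"` is an unpinned tag, so any upstream push silently changes what runs behind `l.nemoti.art` on the next pull; pin a release tag or an `@sha256:` digest and bump it deliberately. The comment `# Traefik configuration specific to littlelink` describes a different project and should read `# Traefik configuration specific to slash-nemoti`. The loopback-only mapping `127.0.0.1:3016:5231` is the right shape for a Traefik-fronted service.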


@@ -0,0 +1,27 @@
{
virtualisation.oci-containers.containers."slash" = {
image = "docker.io/yourselfhosted/slash:latest";
ports = ["127.0.0.1:3010:5231"];
volumes = [
"slash_data:/var/opt/slash"
];
extraOptions = ["--ip=10.89.0.15" "--network=web"];
};
# Traefik configuration specific to littlelink
services.traefik.dynamicConfigOptions.http = {
services.slash.loadBalancer.servers = [
{
url = "http://localhost:3010/";
}
];
routers.slash = {
rule = "Host(`l.m3ta.dev`)";
tls = {
certResolver = "godaddy";
};
service = "slash";
entrypoints = "websecure";
};
};
}
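Review bot: This module is a copy of the `slash-nemoti` one with only the container name, host port (3010 vs 3016), container IP (10.89.0.15 vs 10.89.0.17) and `Host()` varied; a small function taking those four values would keep the two from drifting apart. As in its sibling, `slash:latest` is unpinned — pin a tag or digest so an upstream image change cannot alter the running service unnoticed. The comment `# Traefik configuration specific to littlelink` is stale and should name slash.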


@@ -0,0 +1,18 @@
{
imports = [
./tuwunel.nix
./containers
./gitea.nix
./gitea-actions-runner.nix
./rustfs.nix
./mysql.nix
./netbird.nix
./n8n.nix
./paperless.nix
./postgres.nix
./searx.nix
./traefik.nix
./vaultwarden.nix
./wastebin.nix
];
}


@@ -0,0 +1,57 @@
{
config,
pkgs,
...
}: {
services.gitea-actions-runner = {
instances.default = {
enable = true;
name = "${config.networking.hostName}-runner";
url = "https://code.m3ta.dev";
tokenFile = config.age.secrets.gitea-runner-token.path;
# nixos:host is primary, ubuntu is fallback
labels = [
"nixos:host"
];
# Host execution packages
hostPackages = with pkgs; [
bash
curl
coreutils
git
jq
nix
nix-update
nodejs
# Add any other tools you need for nix-update workflows
];
# Advanced settings
settings = {
runner = {
capacity = 4; # One job at a time (increase if you have resources)
timeout = "4h"; # Nix builds can take a while
};
cache = {enabled = true;};
container = {
enable_ipv6 = true;
privileged = false;
};
};
};
};
# User management (auto-created by module, but ensuring proper setup)
users.users.gitea-runner = {
home = "/var/lib/gitea-runner";
group = "gitea-runner";
isSystemUser = true;
createHome = true;
};
users.groups.gitea-runner = {};
# Firewall: Allow Podman bridge networks for cache actions
networking.firewall.trustedInterfaces = ["br-+"];
}
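Review bot: `networking.firewall.trustedInterfaces = ["br-+"]` whitelists every Podman bridge, so any container on any bridge network — not only runner job containers — reaches every host port unfiltered; restrict this to what the cache needs by giving `settings.cache.port` a fixed value (it is not set here, so it is presumably dynamic) and opening only that port through `networking.firewall.interfaces."br-+".allowedTCPPorts` instead of trusting the whole interface. The comment `capacity = 4; # One job at a time` contradicts the value — `capacity` is the number of concurrent jobs — so it should read `# up to 4 concurrent jobs`. The comment `# nixos:host is primary, ubuntu is fallback` is likewise stale since `labels` contains only `nixos:host`. With a host-mode label, workflows execute directly as `gitea-runner` on this machine with `nix` in `hostPackages`, so anyone who can push a workflow to `code.m3ta.dev` runs code on the host; a comment recording that trust boundary would help the next maintainer.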


@@ -0,0 +1,46 @@
{config, ...}: {
services.gitea = {
enable = true;
settings = {
server = {
ROOT_URL = "https://code.m3ta.dev";
HTTP_PORT = config.m3ta.ports.get "gitea";
};
mailer.SENDMAIL_PATH = "/run/wrappers/bin/sendmail";
service.DISABLE_REGISTRATION = true;
};
lfs.enable = true;
dump = {
enable = true;
type = "tar.gz";
interval = "03:30:00";
backupDir = "/var/backup/gitea";
};
};
# Traefik configuration specific to gitea
services.traefik.dynamicConfigOptions.http = {
services.gitea.loadBalancer.servers = [
{
url = "http://localhost:${toString (config.m3ta.ports.get "gitea")}/";
}
];
routers.gitea = {
rule = "Host(`code.m3ta.dev`)";
tls = {
certResolver = "godaddy";
};
service = "gitea";
entrypoints = "websecure";
};
routers.gitea-old = {
rule = "Host(`code.m3tam3re.com`)";
tls = {
certResolver = "godaddy";
};
service = "gitea";
entrypoints = "websecure";
middlewares = ["subdomain-redirect"];
};
};
}
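Review bot: `mailer.SENDMAIL_PATH = "/run/wrappers/bin/sendmail"` on its own does not enable mail: Gitea's mailer stays off unless `mailer.ENABLED = true` and, for this path, `mailer.PROTOCOL = "sendmail"` are also set, so either add those two lines or drop the setting rather than imply that password resets and notifications are delivered. `service.DISABLE_REGISTRATION = true` is the right default for a personal instance. The nightly `dump` into `/var/backup/gitea` bundles the database and every repository into one tarball, and nothing here sets that directory's ownership, mode or a retention policy; the dumps are as sensitive as the live data and deserve at least a comment pointing at where that is handled. The `subdomain-redirect` middleware referenced by `routers.gitea-old` is defined outside this file.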


@@ -0,0 +1,191 @@
{config, ...}: let
# Default ElevenLabs voice: Bella (German-capable female)
elevenlabsVoiceId = "hpp4J3VqNfWAUOO0d1Us";
in {
services.hermes-agent = {
enable = true;
addToSystemPackages = true;
# Secrets via agenix
environmentFiles = [config.age.secrets."hermes-env".path];
# Non-secret environment variables
environment = {
#
};
# ── Container mode (podman) ──────────────────────────────────────────
container = {
enable = true;
backend = "podman";
};
settings = {
# ── Model ──────────────────────────────────────────────────────────
model = {
default = "glm-5.1";
provider = "zai";
base_url = "https://api.z.ai/api/coding/paas/v4/";
};
credential_pool_strategies = {
zai = "fill_first";
};
toolsets = ["all"];
# ── Agent ──────────────────────────────────────────────────────────
agent = {
max_turns = 90;
gateway_timeout = 1800;
tool_use_enforcement = "auto";
};
# ── Terminal ───────────────────────────────────────────────────────
terminal = {
backend = "local";
modal_mode = "auto";
cwd = ".";
timeout = 180;
persistent_shell = true;
};
# ── Browser ────────────────────────────────────────────────────────
browser = {
inactivity_timeout = 120;
command_timeout = 30;
cloud_provider = "local";
};
# ── Checkpoints / Compression ──────────────────────────────────────
checkpoints = {
enabled = true;
max_snapshots = 50;
};
file_read_max_chars = 100000;
compression = {
enabled = true;
threshold = 0.5;
target_ratio = 0.2;
protect_last_n = 20;
};
# ── Display ────────────────────────────────────────────────────────
display = {
compact = false;
personality = "kawaii";
resume_display = "full";
busy_input_mode = "interrupt";
inline_diffs = true;
skin = "default";
tool_progress = "all";
};
# ── TTS / STT / Voice ──────────────────────────────────────────────
tts = {
provider = "elevenlabs";
elevenlabs = {
voice_id = elevenlabsVoiceId;
model_id = "eleven_multilingual_v2";
};
};
stt = {
enabled = true;
provider = "local";
local = {model = "base";};
};
voice = {
record_key = "ctrl+b";
max_recording_seconds = 120;
silence_threshold = 200;
silence_duration = 3.0;
};
# ── Memory ─────────────────────────────────────────────────────────
memory = {
memory_enabled = true;
user_profile_enabled = true;
memory_char_limit = 2200;
user_char_limit = 1375;
};
# ── Delegation ─────────────────────────────────────────────────────
delegation = {
max_iterations = 50;
};
# ── Discord ────────────────────────────────────────────────────────
discord = {
require_mention = true;
auto_thread = true;
reactions = true;
};
# ── Approvals / Security ───────────────────────────────────────────
approvals = {
mode = "manual";
timeout = 60;
};
security = {
redact_secrets = true;
tirith_enabled = true;
tirith_fail_open = true;
};
# ── Cron / Session ─────────────────────────────────────────────────
cron = {wrap_response = true;};
session_reset = {
mode = "both";
idle_minutes = 1440;
at_hour = 4;
};
# ── Web ────────────────────────────────────────────────────────────
web = {backend = "exa";};
# ── Platform Toolsets ──────────────────────────────────────────────
platform_toolsets = {
cli = [
"browser"
"clarify"
"code_execution"
"cronjob"
"delegation"
"file"
"image_gen"
"memory"
"session_search"
"skills"
"terminal"
"todo"
"tts"
"vision"
"web"
];
telegram = [
"browser"
"clarify"
"code_execution"
"cronjob"
"delegation"
"file"
"image_gen"
"memory"
"session_search"
"skills"
"terminal"
"todo"
"tts"
"vision"
"web"
];
};
};
};
}
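Review bot: `tirith_fail_open = true` makes the tirith security check fail open — if it errors or is unavailable the action proceeds unchecked — and this is paired with `platform_toolsets.telegram` granting `terminal`, `code_execution`, `file` and `browser` to a chat-reachable surface; prefer `tirith_fail_open = false;` or add a comment stating why fail-open is acceptable for this deployment. The remaining gate is `approvals = { mode = "manual"; timeout = 60; }`, and the config does not show what happens when the 60-second approval window lapses, so confirm (and comment) that a timeout denies rather than proceeds. Container mode (`container.enable = true; backend = "podman"`) limits the blast radius, but the container's mounts and network are not visible here, so the note should not overstate it. The empty `environment = { # };` placeholder can be dropped or given a comment saying what is expected to go there.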


@@ -0,0 +1,27 @@
{pkgs, ...}: {
services.mysql = {
enable = true;
package = pkgs.mysql84;
ensureDatabases = [
"ghost"
"matomo"
];
initialScript = pkgs.writeText "initial-script.sql" ''
CREATE USER 'ghost'@'10.89.%' IDENTIFIED BY 'ghost';
GRANT ALL PRIVILEGES ON ghost.* TO 'ghost'@'10.89.%';
CREATE USER 'matomo'@'10.89.%' IDENTIFIED BY 'matomo';
GRANT ALL PRIVILEGES ON matomo.* TO 'matomo'@'10.89.%'; '';
};
services.mysqlBackup = {
enable = true;
calendar = "03:00:00";
databases = ["ghost" "matomo"];
};
networking.firewall = {
extraCommands = ''
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -s 10.89.0.0/24 --dport 3306 -j ACCEPT
'';
};
}
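Review bot: `initialScript` is built with `pkgs.writeText`, so the literal passwords in `CREATE USER 'ghost'@'10.89.%' IDENTIFIED BY 'ghost'` and `CREATE USER 'matomo'@'10.89.%' IDENTIFIED BY 'matomo'` end up in the world-readable Nix store (and in any binary cache this host pushes to), while the `extraCommands` rule opens 3306 to all of `10.89.0.0/24`, so every container on that network can log in to both databases with a guessable password. Move the `CREATE USER`/`GRANT` statements into an agenix-managed SQL file applied from a `systemd.services.mysql.postStart` step, with strong random passwords that the ghost and matomo containers receive through their own secret env files. If the clients could instead mount the unix socket, `services.mysql.ensureUsers` with `ensurePermissions` gives password-less socket auth with no secret in the store at all. Note that `initialScript` only runs on first initialisation, so editing it later will not rotate the existing accounts. The raw `iptables` lines are also not supported by the nftables firewall backend; the per-interface `networking.firewall.interfaces` option scoped to the podman bridge is the declarative equivalent.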


@@ -0,0 +1,34 @@
{
config,
lib,
...
}: {
services.n8n = {
enable = true;
environment.WEBHOOK_URL = "https://wf.m3tam3re.com";
};
# Temporary fix for upstream module
systemd.services.n8n.serviceConfig.LoadCredential = lib.mkForce [];
systemd.services.n8n.environment.N8N_RUNNERS_AUTH_TOKEN_FILE = lib.mkForce null;
systemd.services.n8n.serviceConfig = {
EnvironmentFile = ["${config.age.secrets.n8n-env.path}"];
};
# Traefik configuration specific to n8n
services.traefik.dynamicConfigOptions.http = {
services.n8n.loadBalancer.servers = [
{
url = "http://localhost:5678/";
}
];
routers.n8n = {
rule = "Host(`wf.m3ta.dev`)";
tls = {
certResolver = "godaddy";
};
service = "n8n";
entrypoints = "websecure";
};
};
}
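Review bot: `environment.WEBHOOK_URL = "https://wf.m3tam3re.com"` does not match the Traefik rule `Host(`wf.m3ta.dev`)` in the same file, so the webhook and OAuth callback URLs n8n hands to external services will point at a host this router does not serve; unless `wf.m3tam3re.com` is routed elsewhere, change it to `environment.WEBHOOK_URL = "https://wf.m3ta.dev";` (the gitea module's `m3tam3re.com` → `m3ta.dev` redirect suggests the old domain is being retired). The `# Temporary fix for upstream module` comment should name the upstream issue and what the `lib.mkForce []` / `lib.mkForce null` overrides remove — presumably the runners auth-token credential, in which case the token must now arrive via `n8n-env`. A comment such as `# Upstream passes N8N_RUNNERS_AUTH_TOKEN_FILE via LoadCredential, which breaks here; the token is supplied in n8n-env instead` would make the workaround safe to remove later.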


@@ -0,0 +1,28 @@
{pkgs, ...}: {
services.netbird.enable = true;
systemd.services.netbird = {
environment = {
NB_DISABLE_SSH_CONFIG = "true";
};
path = [
pkgs.shadow
pkgs.util-linux
];
};
programs.ssh.extraConfig = ''
Match exec "${pkgs.netbird}/bin/netbird ssh detect %h %p"
PreferredAuthentications password,publickey,keyboard-interactive
PasswordAuthentication yes
PubkeyAuthentication yes
BatchMode no
ProxyCommand ${pkgs.netbird}/bin/netbird ssh proxy %h %p
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
CheckHostIP no
LogLevel ERROR
'';
networking.firewall.checkReversePath = "loose";
}
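Review bot: Inside the `Match exec "... netbird ssh detect %h %p"` block, `StrictHostKeyChecking no` together with `UserKnownHostsFile /dev/null` disables SSH host-key verification entirely for every host `netbird ssh detect` claims, so server identity rests solely on NetBird's peer authentication and a misfiring `detect` would silently extend the same relaxation to a non-NetBird host; consider `StrictHostKeyChecking accept-new` with a dedicated `UserKnownHostsFile ~/.ssh/known_hosts_netbird` so a changed key for a peer is still noticed. `PreferredAuthentications password,publickey,keyboard-interactive` also tries passwords before keys; if NetBird's SSH server performs its own authentication this is harmless, but a comment saying so would stop a reader from "fixing" it. `NB_DISABLE_SSH_CONFIG = "true"` presumably stops the daemon from writing its own ssh config block, which is why the block is reproduced by hand here — worth a one-line comment. `networking.firewall.checkReversePath = "loose"` is the usual WireGuard requirement.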
