m3tam3re/nixos-config
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Compare commits

base: m3tam3re:master
Branches Tags
m3tam3re:master m3tam3re:feat/rustfs-migration
..
compare: m3tam3re:aa8636c80df8cb45b946ab30dc4c1d95957bd7f4
Branches Tags
m3tam3re:feat/rustfs-migration m3tam3re:master

2 Commits
master ... aa8636c80d

Author SHA1 Message Date
m3tam3re
aa8636c80d temp fix for autocpu-freq not building 2025-03-28 09:38:15 +01:00
m3tam3re
6011c940ac OVMF pinned 2025-03-27 15:17:51 +01:00
174 changed files with 2389 additions and 5314 deletions
Expand all files Collapse all files

73
.beads/.gitignore vendored
View File

@@ -1,73 +0,0 @@
# Dolt database (managed by Dolt, not git)
dolt/
embeddeddolt/
# Runtime files
bd.sock
bd.sock.startlock
sync-state.json
last-touched
.exclusive-lock
# Daemon runtime (lock, log, pid)
daemon.*
# Interactions log (runtime, not versioned)
interactions.jsonl
# Push state (runtime, per-machine)
push-state.json
# Lock files (various runtime locks)
*.lock
# Credential key (encryption key for federation peer auth — never commit)
.beads-credential-key
# Local version tracking (prevents upgrade notification spam after git ops)
.local_version
# Worktree redirect file (contains relative path to main repo's .beads/)
# Must not be committed as paths would be wrong in other clones
redirect
# Sync state (local-only, per-machine)
# These files are machine-specific and should not be shared across clones
.sync.lock
export-state/
export-state.json
# Ephemeral store (SQLite - wisps/molecules, intentionally not versioned)
ephemeral.sqlite3
ephemeral.sqlite3-journal
ephemeral.sqlite3-wal
ephemeral.sqlite3-shm
# Dolt server management (auto-started by bd)
dolt-server.pid
dolt-server.log
dolt-server.lock
dolt-server.port
dolt-server.activity
# Corrupt backup directories (created by bd doctor --fix recovery)
*.corrupt.backup/
# Backup data (auto-exported JSONL, local-only)
backup/
# Per-project environment file (Dolt connection config, GH#2520)
.env
# Legacy files (from pre-Dolt versions)
*.db
*.db?*
*.db-journal
*.db-wal
*.db-shm
db.sqlite
bd.db
# NOTE: Do NOT add negation patterns here.
# They would override fork protection in .git/info/exclude.
# Config files (metadata.json, config.yaml) are tracked by git by default
# since no pattern above ignores them.

81
.beads/README.md
View File

@@ -1,81 +0,0 @@
# Beads - AI-Native Issue Tracking
Welcome to Beads! This repository uses **Beads** for issue tracking - a modern, AI-native tool designed to live directly in your codebase alongside your code.
## What is Beads?
Beads is issue tracking that lives in your repo, making it perfect for AI coding agents and developers who want their issues close to their code. No web UI required - everything works through the CLI and integrates seamlessly with git.
**Learn more:** [github.com/steveyegge/beads](https://github.com/steveyegge/beads)
## Quick Start
### Essential Commands
```bash
# Create new issues
bd create "Add user authentication"
# View all issues
bd list
# View issue details
bd show <issue-id>
# Update issue status
bd update <issue-id> --claim
bd update <issue-id> --status done
# Sync with Dolt remote
bd dolt push
```
### Working with Issues
Issues in Beads are:
- **Git-native**: Stored in Dolt database with version control and branching
- **AI-friendly**: CLI-first design works perfectly with AI coding agents
- **Branch-aware**: Issues can follow your branch workflow
- **Always in sync**: Auto-syncs with your commits
## Why Beads?
**AI-Native Design**
- Built specifically for AI-assisted development workflows
- CLI-first interface works seamlessly with AI coding agents
- No context switching to web UIs
🚀 **Developer Focused**
- Issues live in your repo, right next to your code
- Works offline, syncs when you push
- Fast, lightweight, and stays out of your way
🔧 **Git Integration**
- Automatic sync with git commits
- Branch-aware issue tracking
- Dolt-native three-way merge resolution
## Get Started with Beads
Try Beads in your own projects:
```bash
# Install Beads
curl -sSL https://raw.githubusercontent.com/steveyegge/beads/main/scripts/install.sh | bash
# Initialize in your repo
bd init
# Create your first issue
bd create "Try out Beads"
```
## Learn More
- **Documentation**: [github.com/steveyegge/beads/docs](https://github.com/steveyegge/beads/tree/main/docs)
- **Quick Start Guide**: Run `bd quickstart`
- **Examples**: [github.com/steveyegge/beads/examples](https://github.com/steveyegge/beads/tree/main/examples)
---
*Beads: Issue tracking that moves at the speed of thought*

56
.beads/config.yaml
View File

@@ -1,56 +0,0 @@
# Beads Configuration File
# This file configures default behavior for all bd commands in this repository
# All settings can also be set via environment variables (BD_* prefix)
# or overridden with command-line flags
# Issue prefix for this repository (used by bd init)
# If not set, bd init will auto-detect from directory name
# Example: issue-prefix: "myproject" creates issues like "myproject-1", "myproject-2", etc.
# issue-prefix: ""
# Use no-db mode: JSONL-only, no Dolt database
# When true, bd will use .beads/issues.jsonl as the source of truth
# no-db: false
# Enable JSON output by default
# json: false
# Feedback title formatting for mutating commands (create/update/close/dep/edit)
# 0 = hide titles, N > 0 = truncate to N characters
# output:
# title-length: 255
# Default actor for audit trails (overridden by BEADS_ACTOR or --actor)
# actor: ""
# Export events (audit trail) to .beads/events.jsonl on each flush/sync
# When enabled, new events are appended incrementally using a high-water mark.
# Use 'bd export --events' to trigger manually regardless of this setting.
# events-export: false
# Multi-repo configuration (experimental - bd-307)
# Allows hydrating from multiple repositories and routing writes to the correct database
# repos:
# primary: "." # Primary repo (where this database lives)
# additional: # Additional repos to hydrate from (read-only)
# - ~/beads-planning # Personal planning repo
# - ~/work-planning # Work planning repo
# JSONL backup (periodic export for off-machine recovery)
# Auto-enabled when a git remote exists. Override explicitly:
# backup:
# enabled: false # Disable auto-backup entirely
# interval: 15m # Minimum time between auto-exports
# git-push: false # Disable git push (export locally only)
# git-repo: "" # Separate git repo for backups (default: project repo)
# Integration settings (access with 'bd config get/set')
# These are stored in the database, not in this file:
# - jira.url
# - jira.project
# - linear.url
# - linear.api-key
# - github.org
# - github.repo
sync.remote: "git+ssh://gitea@code.m3ta.dev/m3tam3re/nixos-config.git"

24
.beads/hooks/post-checkout
View File

@@ -1,24 +0,0 @@
#!/usr/bin/env sh
# --- BEGIN BEADS INTEGRATION v1.0.2 ---
# This section is managed by beads. Do not remove these markers.
if command -v bd >/dev/null 2>&1; then
export BD_GIT_HOOK=1
_bd_timeout=${BEADS_HOOK_TIMEOUT:-300}
if command -v timeout >/dev/null 2>&1; then
timeout "$_bd_timeout" bd hooks run post-checkout "$@"
_bd_exit=$?
if [ $_bd_exit -eq 124 ]; then
echo >&2 "beads: hook 'post-checkout' timed out after ${_bd_timeout}s — continuing without beads"
_bd_exit=0
fi
else
bd hooks run post-checkout "$@"
_bd_exit=$?
fi
if [ $_bd_exit -eq 3 ]; then
echo >&2 "beads: database not initialized — skipping hook 'post-checkout'"
_bd_exit=0
fi
if [ $_bd_exit -ne 0 ]; then exit $_bd_exit; fi
fi
# --- END BEADS INTEGRATION v1.0.2 ---

24
.beads/hooks/post-merge
View File

@@ -1,24 +0,0 @@
#!/usr/bin/env sh
# --- BEGIN BEADS INTEGRATION v1.0.2 ---
# This section is managed by beads. Do not remove these markers.
if command -v bd >/dev/null 2>&1; then
export BD_GIT_HOOK=1
_bd_timeout=${BEADS_HOOK_TIMEOUT:-300}
if command -v timeout >/dev/null 2>&1; then
timeout "$_bd_timeout" bd hooks run post-merge "$@"
_bd_exit=$?
if [ $_bd_exit -eq 124 ]; then
echo >&2 "beads: hook 'post-merge' timed out after ${_bd_timeout}s — continuing without beads"
_bd_exit=0
fi
else
bd hooks run post-merge "$@"
_bd_exit=$?
fi
if [ $_bd_exit -eq 3 ]; then
echo >&2 "beads: database not initialized — skipping hook 'post-merge'"
_bd_exit=0
fi
if [ $_bd_exit -ne 0 ]; then exit $_bd_exit; fi
fi
# --- END BEADS INTEGRATION v1.0.2 ---

24
.beads/hooks/pre-commit
View File

@@ -1,24 +0,0 @@
#!/usr/bin/env sh
# --- BEGIN BEADS INTEGRATION v1.0.2 ---
# This section is managed by beads. Do not remove these markers.
if command -v bd >/dev/null 2>&1; then
export BD_GIT_HOOK=1
_bd_timeout=${BEADS_HOOK_TIMEOUT:-300}
if command -v timeout >/dev/null 2>&1; then
timeout "$_bd_timeout" bd hooks run pre-commit "$@"
_bd_exit=$?
if [ $_bd_exit -eq 124 ]; then
echo >&2 "beads: hook 'pre-commit' timed out after ${_bd_timeout}s — continuing without beads"
_bd_exit=0
fi
else
bd hooks run pre-commit "$@"
_bd_exit=$?
fi
if [ $_bd_exit -eq 3 ]; then
echo >&2 "beads: database not initialized — skipping hook 'pre-commit'"
_bd_exit=0
fi
if [ $_bd_exit -ne 0 ]; then exit $_bd_exit; fi
fi
# --- END BEADS INTEGRATION v1.0.2 ---

24
.beads/hooks/pre-push
View File

@@ -1,24 +0,0 @@
#!/usr/bin/env sh
# --- BEGIN BEADS INTEGRATION v1.0.2 ---
# This section is managed by beads. Do not remove these markers.
if command -v bd >/dev/null 2>&1; then
export BD_GIT_HOOK=1
_bd_timeout=${BEADS_HOOK_TIMEOUT:-300}
if command -v timeout >/dev/null 2>&1; then
timeout "$_bd_timeout" bd hooks run pre-push "$@"
_bd_exit=$?
if [ $_bd_exit -eq 124 ]; then
echo >&2 "beads: hook 'pre-push' timed out after ${_bd_timeout}s — continuing without beads"
_bd_exit=0
fi
else
bd hooks run pre-push "$@"
_bd_exit=$?
fi
if [ $_bd_exit -eq 3 ]; then
echo >&2 "beads: database not initialized — skipping hook 'pre-push'"
_bd_exit=0
fi
if [ $_bd_exit -ne 0 ]; then exit $_bd_exit; fi
fi
# --- END BEADS INTEGRATION v1.0.2 ---

24
.beads/hooks/prepare-commit-msg
View File

@@ -1,24 +0,0 @@
#!/usr/bin/env sh
# --- BEGIN BEADS INTEGRATION v1.0.2 ---
# This section is managed by beads. Do not remove these markers.
if command -v bd >/dev/null 2>&1; then
export BD_GIT_HOOK=1
_bd_timeout=${BEADS_HOOK_TIMEOUT:-300}
if command -v timeout >/dev/null 2>&1; then
timeout "$_bd_timeout" bd hooks run prepare-commit-msg "$@"
_bd_exit=$?
if [ $_bd_exit -eq 124 ]; then
echo >&2 "beads: hook 'prepare-commit-msg' timed out after ${_bd_timeout}s — continuing without beads"
_bd_exit=0
fi
else
bd hooks run prepare-commit-msg "$@"
_bd_exit=$?
fi
if [ $_bd_exit -eq 3 ]; then
echo >&2 "beads: database not initialized — skipping hook 'prepare-commit-msg'"
_bd_exit=0
fi
if [ $_bd_exit -ne 0 ]; then exit $_bd_exit; fi
fi
# --- END BEADS INTEGRATION v1.0.2 ---

3
.beads/issues.jsonl
View File

@@ -1,3 +0,0 @@
{"id":"home-profile-restructuring-edz","title":"Create copy-hermes-skills systemd service","status":"closed","priority":1,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":1,"created_at":"2026-04-26T12:30:10Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:44:42Z","started_at":"2026-04-26T12:36:30Z","closed_at":"2026-04-26T12:44:42Z","close_reason":"Created systemd service in hosts/m3-hermes/services/hermes-agent.nix - copies skills to /var/lib/hermes/.agents/skills before hermes-agent starts","labels":["hermes-agent","nixos"],"dependencies":[{"issue_id":"home-profile-restructuring-edz","depends_on_id":"home-profile-restructuring-ycz","type":"blocks","created_at":"2026-04-26T14:30:57Z","created_by":"m3tm3re","metadata":"{}"}],"dependency_count":1,"dependent_count":1,"comment_count":0}
{"id":"home-profile-restructuring-ycz","title":"Build hermes-agent skills using mkOpencodeSkills","status":"closed","priority":1,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":2,"created_at":"2026-04-26T12:30:09Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:35:15Z","started_at":"2026-04-26T12:31:35Z","closed_at":"2026-04-26T12:35:15Z","close_reason":"Added inputs to module signature and defined hermesSkills via inputs.agents.lib.mkOpencodeSkills with basecamp, anthropic, and kestra external skills. Verified with nixos-rebuild dry-run --flake .#m3-hermes (no errors).","labels":["hermes-agent","nixos"],"dependency_count":0,"dependent_count":1,"comment_count":0}
{"id":"home-profile-restructuring-cxa","title":"Verify skills available at /var/lib/hermes/.agents/skills","status":"closed","priority":2,"issue_type":"task","assignee":"m3tm3re","owner":"p@m3ta.dev","estimated_minutes":1,"created_at":"2026-04-26T12:30:10Z","created_by":"m3tm3re","updated_at":"2026-04-26T12:50:58Z","started_at":"2026-04-26T12:38:15Z","closed_at":"2026-04-26T12:50:58Z","close_reason":"Manually verified - skills are present at /var/lib/hermes/.agents/skills on m3-hermes","labels":["hermes-agent","testing"],"dependencies":[{"issue_id":"home-profile-restructuring-cxa","depends_on_id":"home-profile-restructuring-edz","type":"blocks","created_at":"2026-04-26T14:30:57Z","created_by":"m3tm3re","metadata":"{}"}],"dependency_count":1,"dependent_count":0,"comment_count":0}

7
.beads/metadata.json
View File

@@ -1,7 +0,0 @@
{
"database": "dolt",
"backend": "dolt",
"dolt_mode": "embedded",
"dolt_database": "home_profile_restructuring",
"project_id": "664fc7e3-94eb-4874-aab6-e47835abe9d8"
}

3
.gitattributes vendored
View File

@@ -1,3 +0,0 @@
# Use bd merge for beads JSONL files
.beads/issues.jsonl merge=beads

46
.gitignore vendored
View File

@@ -1,46 +0,0 @@
# Sisyphus work session data
.sisyphus/
# Editor files
*~
.*.swp
.*.swo
.*.swx
# Build artifacts
result
result-*
.direnv/
# IDE
.vscode/
.idea/
*.iml
# OS
.DS_Store
Thumbs.db
# Opencode rules
.opencode-rules
opencode.json
# AI agent state
.sidecar/
.sidecar-*
.sisyphus/
.sidecar-agent
.sidecar-task
.sidecar-pr
.sidecar-start.sh
.sidecar-base
.td-root
.cache
.pi*
.worktrees/
docs/plans/
# Beads / Dolt files (added by bd init)
.dolt/
*.db
.beads-credential-key

445
AGENTS.md
View File

@@ -1,445 +0,0 @@
# Agent Instructions
This project uses **bd** (beads) for issue tracking. Run `bd prime` for full workflow context.
## Quick Reference
```bash
bd ready # Find available work
bd show <id> # View issue details
bd update <id> --claim # Claim work atomically
bd close <id> # Complete work
bd dolt push # Push beads data to remote
```
## Non-Interactive Shell Commands
**ALWAYS use non-interactive flags** with file operations to avoid hanging on confirmation prompts.
Shell commands like `cp`, `mv`, and `rm` may be aliased to include `-i` (interactive) mode on some systems, causing the agent to hang indefinitely waiting for y/n input.
**Use these forms instead:**
```bash
# Force overwrite without prompting
cp -f source dest # NOT: cp source dest
mv -f source dest # NOT: mv source dest
rm -f file # NOT: rm file
# For recursive operations
rm -rf directory # NOT: rm -r directory
cp -rf source dest # NOT: cp -r source dest
```
**Other commands that may prompt:**
- `scp` - use `-o BatchMode=yes` for non-interactive
- `ssh` - use `-o BatchMode=yes` to fail instead of prompting
- `apt-get` - use `-y` flag
- `brew` - use `HOMEBREW_NO_AUTO_UPDATE=1` env var
<!-- BEGIN BEADS INTEGRATION v:1 profile:minimal hash:ca08a54f -->
## Beads Issue Tracker
This project uses **bd (beads)** for persistent task tracking. Run `bd prime` for full workflow context.
### Why Beads?
- **Prefer Beads over ad-hoc markdown TODO lists** — Beads provides structured, queryable, shareable issue tracking with dependency management
- **Never use `bd edit`** — it opens an interactive editor which blocks agent workflows
- **Use flags and stdin instead** — `bd update <id> --claim`, `bd create --title "..." --estimate 2`
### Slash Commands (Agent Workflow)
| Command | Purpose |
|---------|---------|
| `/beads:ready` | Find unblocked issues |
| `/beads:create` | Create a new issue |
| `/beads:update` | Update an issue (claim, status) |
| `/beads:close` | Close completed work |
| `/beads:stats` | Project-level snapshot |
### Core Workflow (6 Steps)
#### 1. Find Unblocked Work
```bash
bd ready --json
```
Lists issues with no blocking dependencies that are ready to work on.
#### 2. Claim Work
```bash
bd update <id> --claim
```
Atomically assigns the issue to you (sets status to "in-progress").
#### 3. Inspect Details
```bash
bd show <id>
```
View full issue details including:
- Description and acceptance criteria
- Blocking/blocked-by dependencies
- Time estimates
- Status history
#### 4. Create Newly Discovered Work
```bash
# Create a new issue
bd create \
--title "Fix audio on m3-helios" \
--estimate 2 \
--priority high \
--labels nixos,audio
# Link dependencies
bd dep <id> --blocks <blocked-id> # This issue blocks another
bd dep <id> --after <after-id> # This issue after another completes
bd dep <id> --requires <requires-id> # This issue requires another
```
#### 5. Complete Work
```bash
bd close <id> --reason "Added PulseAudio fallback to configuration.nix"
```
Provide a concise summary of what was done. The `--reason` is mandatory.
#### 6. Project Snapshot
```bash
bd status --json # Current state of all issues
bd stats # Metrics: velocity, cycle time, bottlenecks
```
### Example Complete Workflow
```bash
# Start session - find work
bd ready --json
# Claim available issue
bd update 42 --claim
# Do the work...
# Discover something else needed
bd create --title "Document hermes-agent setup" --estimate 1
# Link as related
bd dep 43 --after 42
# Complete original
bd close 42 --reason "Added Hyprland idle timeout config"
# Close related
bd close 43 --reason "Added setup docs to AGENTS.md"
# Push state to remote
bd dolt push
```
### Rules
- Use `bd` for ALL task tracking — do NOT use TodoWrite, TaskCreate, or markdown TODO lists
- Run `bd prime` for detailed command reference and session close protocol
- Use `bd remember` for persistent knowledge — do NOT use MEMORY.md files
## Session Completion
**When ending a work session**, you MUST complete ALL steps below. Work is NOT complete until `git push` succeeds.
**MANDATORY WORKFLOW:**
1. **File issues for remaining work** - Create issues for anything that needs follow-up
2. **Run quality gates** (if code changed) - Tests, linters, builds
3. **Update issue status** - Close finished work, update in-progress items
4. **PUSH TO REMOTE** - This is MANDATORY:
```bash
git pull --rebase
bd dolt push
git push
git status # MUST show "up to date with origin"
```
5. **Clean up** - Clear stashes, prune remote branches
6. **Verify** - All changes committed AND pushed
7. **Hand off** - Provide context for next session
**CRITICAL RULES:**
- Work is NOT complete until `git push` succeeds
- NEVER stop before pushing - that leaves work stranded locally
- NEVER say "ready to push when you are" - YOU must push
- If push fails, resolve and retry until it succeeds
<!-- END BEADS INTEGRATION -->
# Project Agent
**Workspace Path:** `/home/m3tam3re/p/NIX/nixos-config`
_(Note to Pi: Your file write/edit tools run in a different directory by default. You MUST use absolute paths starting with the Workspace Path above for ALL file operations!)_
**Generated:** 2026-04-26
---
## Stack
| Component | Version/Source |
| ---------------- | --------------------------------- |
| **Nixpkgs** | nixos-unstable + 25.05 stable |
| **Home Manager** | github:nix-community/home-manager |
| **m3ta-home** | code.m3ta.dev/m3tam3re/m3ta-home |
| **m3ta-nixpkgs** | code.m3ta.dev/m3tam3re/nixpkgs |
| **Agenix** | github:ryantm/agenix |
| **Disko** | github:nix-community/disko |
| **NUR** | github:nix-community/NUR |
| **Formatter** | alejandra |
| **Linters** | statix, deadnix |
| **IDE** | nixd |
| **Hermes Agent** | NousResearch/hermes-agent |
| **LLM Agents** | numtide/llm-agents.nix |
---
## Structure
```
nixos-config/
├── flake.nix # Entry point: hosts, overlays, dev shells, m3ta-home input
├── coding-rules.json # Opencode rules configuration
├── hosts/ # Per-host NixOS configurations
│ ├── common/ # Shared across all hosts
│ │ ├── users/
│ │ │ └── m3tam3re.nix # ← Central user + m3ta-home integration
│ │ ├── default.nix # Shared NixOS settings, overlays, home-manager setup
│ │ ├── ports.nix # Network ports config
│ │ └── extraServices/ # Common service toggles
│ ├── m3-ares/ # TUXEDO laptop (desktop)
│ │ └── home.nix # Hyprland: eDP-1 + HDMI, XDG/MIME
│ ├── m3-kratos/ # AMD desktop (desktop)
│ │ └── home.nix # Hyprland: dual DP, XDG/MIME
│ ├── m3-daedalus/ # Portable laptop (desktop, no Hyprland)
│ │ └── home.nix # XDG/MIME only
│ ├── m3-atlas/ # Primary server (server + coding)
│ ├── m3-helios/ # AdGuard DNS server (minimal server)
│ ├── m3-hermes/ # Secondary server (minimal server)
│ └── m3-aether/ # Cloud VM (minimal server)
├── modules/ # Reusable NixOS modules
│ └── nixos/ # NixOS-specific modules
├── overlays/ # Package overlays (stable/locked/master/pinned)
│ ├── default.nix
│ └── mods/
├── pkgs/ # Custom packages
├── secrets/ # Encrypted secrets (agenix)
│ └── secrets.nix
├── .opencode-rules/ # Opencode AI rules
│ ├── concerns/
│ ├── languages/nix.md
│ └── USAGE.md
└── .pi/ # Agent configuration
```
### Home-Manager Integration
Home-Manager configs are managed centrally in the **`m3ta-home`** repository:
- **Repo**: `code.m3ta.dev/m3tam3re/m3ta-home`
- **Docs**: See m3ta-home README for full documentation
What lives where:
| Concern | Location | Why |
|---------|----------|-----|
| Shell, CLI tools, editors, apps | `m3ta-home/profiles/` | Portable across all hosts |
| User identity (git, SSH, JJ) | `m3ta-home/users/` | Switchable: private vs work |
| Feature flags (enable/disable) | `nixos-config/hosts/common/users/m3tam3re.nix` | Per-host decisions |
| Monitor layouts, window rules | `nixos-config/hosts/<name>/home.nix` | Hardware-specific |
| XDG/MIME defaults | `nixos-config/hosts/<name>/home.nix` | Host-specific preferences |
| NixOS overlays | `nixos-config/overlays/` | System-level package management |
#### Host → Profile Mapping
Defined in `hosts/common/users/m3tam3re.nix`:
```nix
hostProfiles = {
# Desktop hosts
m3-ares = { context = "desktop"; sets = ["coding" "gaming" "media"]; };
m3-kratos = { context = "desktop"; sets = ["coding" "gaming" "media"]; };
m3-daedalus = { context = "desktop"; sets = ["coding" "media"]; };
# Server hosts
m3-atlas = { context = "server"; sets = ["coding"]; };
m3-helios = { context = "server"; sets = []; };
m3-hermes = { context = "server"; sets = []; };
m3-aether = { context = "server"; sets = []; };
};
```
#### Work Identity Use Case
The same `m3ta-home` repo supports a **work identity** for company machines:
```nix
# On a work NixOS machine:
(m3ta-lib.mkHome {
user = "m3tam3re";
identity = "work"; # ← switches git to sascha.koenig, SSH to AZ hosts
context = "desktop";
sets = ["coding"];
})
```
This provides the familiar shell/editor/CLI setup but with work git credentials and SSH configuration.
---
## Commands
| Action | Command | Notes |
| -------------------- | ---------------------------------------------------------------------- | ------------------------------------------------- |
| **Enter dev shell** | `nix develop` | Includes alejandra, nixd, agenix, statix, deadnix |
| **Build host** | `sudo nixos-rebuild switch --flake .#m3-ares` | Replace hostname as needed |
| **Dry run build** | `sudo nixos-rebuild dry-run --flake .#m3-ares` | Validate without applying |
| **List hosts** | `nix flake show` | Shows all NixOS configurations |
| **Update flake** | `sudo nixos-rebuild switch --flake .#m3-ares --update-input nixpkgs` | Update specific input |
| **Format code** | `alejandra .` | Run before committing |
| **Check lint** | `statix check .` | Run statix for antipatterns |
| **Remove dead code** | `deadnix -w .` | Clean up unused let bindings |
| **Build ISO** | `nix build .#nixosConfigurations.m3-ares.config.system.build.isoImage` | Generate install ISO |
---
## Conventions
### Formatting & Style
- **Formatter:** `alejandra` (mandatory, run before commits)
- **Indentation:** 2 spaces (alejandra default)
- **Variables:** camelCase (e.g., `maxRetryAttempts`)
- **Types/Modules:** PascalCase (e.g., `MyService`)
- **Constants:** UPPER_SNAKE_CASE (e.g., `MAX_RETRIES`)
- **Files:** hyphen-case (e.g., `my-file.nix`)
### Nix Module Patterns
```nix
{ config, lib, pkgs, ... }:
{
options.myService.enable = lib.mkEnableOption "my service";
config = lib.mkIf config.myService.enable {
services.myService.enable = true;
};
}
```
### Conditionals
```nix
config = lib.mkMerge [
(lib.mkIf cfg.enable { ... })
(lib.mkIf cfg.extraConfig { ... })
];
```
### Anti-Patterns (AVOID)
- **Never use `with pkgs;`** — always use explicit package references
- **Never use `builtins.fetchTarball`** — use flake inputs instead
- **Never use `import <nixpkgs>`** — always use inputs
- **Never use `builtins.getAttr/hasAttr`** — use `lib.attrByPath` or `lib.optionalAttrs`
- **Avoid anonymous functions in config** — extract to named lets
### Imports
- Use flake inputs for dependencies (e.g., `inputs.home-manager.nixosModules.home-manager`)
- Import relative paths with `./` or `../`
- Never use absolute paths in imports
### Secrets
- Secrets managed via **agenix** in `secrets/` directory
- Never commit plaintext secrets
- Use `.nix` extension for secret files
### Flake Input URLs
All `code.m3ta.dev` inputs use **SSH** URLs:
```nix
url = "git+ssh://gitea@code.m3ta.dev/m3tam3re/<repo>";
```
Anonymous HTTPS git on Gitea is unreliable and prompts for auth. SSH works with configured keys.
---
## Key Files
| File | Purpose |
| ---------------------------------- | ------------------------------------------------------------------------------------------ |
| `flake.nix` | Central entry point defining all hosts, overlays, packages, dev shells, and nixpkgs config |
| `hosts/common/default.nix` | Shared Nix settings, nixpkgs overlays, home-manager setup (`useGlobalPkgs = true`) |
| `hosts/common/users/m3tam3re.nix` | User definition + m3ta-home mkHome integration + per-host feature flags |
| `hosts/<name>/home.nix` | Host-specific overrides: monitors, workspaces, window rules, XDG/MIME |
| `overlays/default.nix` | Package version overrides (stable/locked/master branches) |
| `.opencode-rules/languages/nix.md` | Nix-specific conventions and patterns |
---
## What to Avoid
1. **Don't modify `flake.lock`** directly — use `nix flake update`
2. **Don't use impure operations** — this is a pure flake-based config
3. **Don't commit without formatting** — always run `alejandra .` first
4. **Don't add packages to hosts directly** — prefer adding to overlays or using NUR
5. **Don't hardcode paths** — use `inputs` and relative imports
6. **Don't create monolithic modules** — keep functions under 20 lines
7. **Don't skip the dry-run** — always test with `--dry-run` before switching
8. **Don't use lib.mkDefault lightly** — understand the precedence implications
---
## Notes
### Adding a New Host
1. Add entry to `flake.nix` → `nixosConfigurations`
2. Create directory in `hosts/` with:
- `default.nix` — imports common + specific configs
- `configuration.nix` — host-specific system config
- `hardware-configuration.nix` — from `nixos-generate-config`
- `programs.nix`, `services/`, `secrets.nix` as needed
3. Add entry to `hostProfiles` in `hosts/common/users/m3tam3re.nix`
4. Add feature flags in the `hostFlags` section
5. Create `hosts/<name>/home.nix` if the host needs monitor/XDG overrides
6. Run `sudo nixos-generate-config --dir ./hosts/new-host` first time
### Adding a New Package
1. For simple packages: add to appropriate overlay in `overlays/default.nix`
2. For complex packages: create in `pkgs/` directory
3. For upstream packages: use NUR or add as flake input
### Adding a New Home-Manager Feature
1. Create the module in `m3ta-home` under the appropriate profile directory
2. Add the import to the parent `default.nix` in m3ta-home
3. Enable it per-host via feature flags in `hosts/common/users/m3tam3re.nix`
### Development Workflow
1. Edit config files
2. Run `alejandra .` to format
3. Run `statix check .` for linting
4. Run `sudo nixos-rebuild dry-run --flake .#m3-ares`
5. If successful: `sudo nixos-rebuild switch --flake .#m3-ares`
### Remote Building
```bash
# Build on remote machine
nix copy --to ssh://user@host .#nixosConfigurations.m3-ares.config.system.build.toplevel
ssh user@host 'sudo nixos-rebuild switch --flake /nix/store/...-closure'
```

1
coding-rules.json
View File

@@ -1 +0,0 @@
{"$schema":"https://opencode.ai/config.json","instructions":[".opencode-rules/concerns/coding-style.md",".opencode-rules/concerns/naming.md",".opencode-rules/concerns/documentation.md",".opencode-rules/concerns/testing.md",".opencode-rules/concerns/git-workflow.md",".opencode-rules/concerns/project-structure.md",".opencode-rules/languages/nix.md"]}

954
flake.lock generated
View File

File diff suppressed because it is too large Load Diff

116
flake.nix
View File

@@ -16,20 +16,11 @@
inputs.nixpkgs.follows = "nixpkgs";
};
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-25.11";
nixpkgs-45570c2.url = "github:nixos/nixpkgs/45570c299dc2b63c8c574c4cd77f0b92f7e2766e";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11";
nixpkgs-2744d98.url = "github:nixos/nixpkgs/2744d988fa116fc6d46cdfa3d1c936d0abd7d121";
nixpkgs-locked.url = "github:nixos/nixpkgs/2744d988fa116fc6d46cdfa3d1c936d0abd7d121";
nixpkgs-9e58ed7.url = "github:nixos/nixpkgs/9e58ed7ba759d81c98f033b7f5eba21ca68f53b0";
nixpkgs-master.url = "github:nixos/nixpkgs/master";
m3ta-nixpkgs.url = "git+ssh://gitea@code.m3ta.dev/m3tam3re/nixpkgs";
llm-agents.url = "github:numtide/llm-agents.nix";
#
nur = {
url = "github:nix-community/NUR";
inputs.nixpkgs.follows = "nixpkgs";
};
agenix.url = "github:ryantm/agenix";
disko = {
@@ -37,53 +28,21 @@
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-generators = {url = "github:nix-community/nixos-generators";};
hyprpanel.url = "github:Jas-SinghFSU/HyprPanel";
rose-pine-hyprcursor.url = "github:ndom91/rose-pine-hyprcursor";
nix-colors.url = "github:misterio77/nix-colors";
m3ta-home = {
url = "git+ssh://gitea@code.m3ta.dev/m3tam3re/m3ta-home";
inputs.nixpkgs.follows = "nixpkgs";
};
agents = {
# url = "path:/home/m3tam3re/p/AI/AGENTS";
url = "git+ssh://gitea@code.m3ta.dev/m3tam3re/AGENTS";
};
## Skills
skills-basecamp = {
url = "github:basecamp/basecamp-cli";
dotfiles = {
url = "git+https://code.m3tam3re.com/m3tam3re/dotfiles.git";
flake = false;
};
skills-anthropic = {
url = "github:anthropics/skills";
flake = false;
};
skills-kestra = {
url = "github:kestra-io/agent-skills";
flake = false;
};
skills-superpowers = {
url = "github:obra/superpowers";
flake = false;
};
skills-vercel = {
url = "github:vercel-labs/skills";
flake = false;
};
hermes-agent.url = "github:NousResearch/hermes-agent/v2026.4.30";
};
outputs = {
self,
agenix,
dotfiles,
home-manager,
nixpkgs,
m3ta-nixpkgs,
nur,
agents,
...
} @ inputs: let
inherit (self) outputs;
@@ -95,113 +54,60 @@
"x86_64-darwin"
];
forAllSystems = nixpkgs.lib.genAttrs systems;
allOverlays = import ./overlays {inherit inputs outputs;};
in {
packages =
forAllSystems (system: import ./pkgs nixpkgs.legacyPackages.${system});
overlays = builtins.removeAttrs allOverlays ["mkLlmAgentsOverlay"];
lib.mkLlmAgentsOverlay = allOverlays.mkLlmAgentsOverlay;
overlays = import ./overlays {inherit inputs outputs;};
homeManagerModules = import ./modules/home-manager;
nixosConfigurations = {
m3-ares = nixpkgs.lib.nixosSystem {
specialArgs = {
inherit inputs outputs;
system = "x86_64-linux";
hostname = "m3-ares";
};
modules = [
./hosts/m3-ares
agenix.nixosModules.default
m3ta-nixpkgs.nixosModules.default
inputs.hermes-agent.nixosModules.default
];
};
m3-atlas = nixpkgs.lib.nixosSystem {
specialArgs = {
inherit inputs outputs;
specialArgs = {inherit inputs outputs;};
system = "x86_64-linux";
};
modules = [
./hosts/m3-atlas
inputs.disko.nixosModules.disko
agenix.nixosModules.default
m3ta-nixpkgs.nixosModules.default
];
};
m3-kratos = nixpkgs.lib.nixosSystem {
specialArgs = {
inherit inputs outputs;
system = "x86_64-linux";
hostname = "m3-kratos";
};
modules = [
./hosts/m3-kratos
agenix.nixosModules.default
nur.modules.nixos.default
m3ta-nixpkgs.nixosModules.default
inputs.hermes-agent.nixosModules.default
];
};
m3-helios = nixpkgs.lib.nixosSystem {
specialArgs = {
inherit inputs outputs;
specialArgs = {inherit inputs outputs;};
system = "x86_64-linux";
};
modules = [
./hosts/m3-helios
inputs.disko.nixosModules.disko
agenix.nixosModules.default
m3ta-nixpkgs.nixosModules.default
];
};
m3-hermes = nixpkgs.lib.nixosSystem {
specialArgs = {
inherit inputs outputs;
system = "x86_64-linux";
};
modules = [
./hosts/m3-hermes
inputs.disko.nixosModules.disko
agenix.nixosModules.default
m3ta-nixpkgs.nixosModules.default
inputs.hermes-agent.nixosModules.default
];
};
};
homeConfigurations = {
"m3tam3re@m3-daedalus" = home-manager.lib.homeManagerConfiguration {
"m3tam3re@m3-ares" = home-manager.lib.homeManagerConfiguration {
pkgs = nixpkgs.legacyPackages."x86_64-linux";
extraSpecialArgs = {
inherit inputs outputs;
system = "x86_64-linux";
hostname = "m3-daedalus";
hostname = "m3-ares";
};
modules = [./home/m3tam3re/m3-daedalus.nix];
modules = [./home/m3tam3re/m3tam3re-ares.nix];
};
};
devShells = forAllSystems (system: let
pkgs = import nixpkgs {
inherit system;
config.allowUnfree = true; # Allow unfree packages in devShell
};
m3taLib = m3ta-nixpkgs.lib.x86_64-linux;
rules = m3taLib.coding-rules.mkCodingRules {
inherit agents;
languages = ["nix"];
};
in {
default = pkgs.mkShell {
buildInputs = with pkgs; [
alejandra
nixd
openssh
agenix.packages.${system}.default
statix
deadnix
];
inherit (rules) instructions shellHook;
};
});
};
}

47
home/common/default.nix Normal file
View File

@@ -0,0 +1,47 @@
{
lib,
outputs,
pkgs,
...
}: {
imports = [
(import
../../modules/home-manager/zellij-ps.nix)
]; #imports = builtins.attrValues outputs.homeManagerModules;
nixpkgs = {
# You can add overlays here
overlays = [
# Add overlays your own flake exports (from overlays and pkgs dir):
outputs.overlays.additions
outputs.overlays.modifications
outputs.overlays.stable-packages
outputs.overlays.pinned-packages
outputs.overlays.master-packages
# You can also add overlays exported from other flakes:
# neovim-nightly-overlay.overlays.default
# Or define it inline, for example:
# (final: prev: {
# hi = final.hello.overrideAttrs (oldAttrs: {
# patches = [ ./change-hello-to-hi.patch ];
# });
# })
];
# Configure your nixpkgs instance
config = {
# Disable if you don't want unfree packages
allowUnfree = true;
# Workaround for https://github.com/nix-community/home-manager/issues/2942
allowUnfreePredicate = _: true;
};
};
nix = {
package = lib.mkDefault pkgs.nix;
settings = {
experimental-features = ["nix-command" "flakes"];
warn-dirty = false;
};
};
}

89
home/features/cli/default.nix Normal file
View File

@@ -0,0 +1,89 @@
{pkgs, ...}: {
imports = [
./fish.nix
./fzf.nix
./fastfetch.nix
./secrets.nix
./starship.nix
./zellij.nix
];
programs.zoxide = {
enable = true;
enableFishIntegration = true;
};
programs.neovim = {
enable = true;
defaultEditor = true;
viAlias = true;
vimAlias = true;
vimdiffAlias = true;
withNodeJs = true;
withPython3 = true;
};
programs.bat = {enable = true;};
programs.direnv = {
enable = true;
nix-direnv.enable =
true;
};
programs.eza = {
enable = true;
enableFishIntegration = true;
enableBashIntegration = true;
extraOptions = ["-l" "--icons" "--git" "-a"];
};
programs.lf = {
enable = true;
settings = {
preview = true;
drawbox = true;
hidden = true;
icons = true;
theme = "Dracula";
previewer = "bat";
};
};
home.packages = with pkgs; [
agenix-cli
alejandra
bc
comma
coreutils
devenv
fabric-ai
fd
gcc
go
htop
httpie
jq
just
lazygit
llm
lf
nix-index
procs
progress
ripgrep
rocmPackages.rocm-smi
rocmPackages.rocminfo
rocmPackages.rocm-runtime
tldr
trash-cli
unimatrix
unzip
vulkan-tools
wttrbar
wireguard-tools
yazi
zellij-ps
zip
];
}

15
home/features/cli/fastfetch.nix Normal file
View File

@@ -0,0 +1,15 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.features.cli.fastfetch;
in {
options.features.cli.fastfetch.enable = mkEnableOption "enable fastfetch";
config = mkIf cfg.enable {
home.packages = with pkgs; [fastfetch];
};
}

77
home/features/cli/fish.nix Normal file
View File

@@ -0,0 +1,77 @@
{
config,
lib,
...
}:
with lib; let
cfg = config.features.cli.fish;
in {
options.features.cli.fish.enable = mkEnableOption "enable fish shell";
config = mkIf cfg.enable {
programs.fish = {
enable = true;
loginShellInit = ''
set -x NIX_PATH nixpkgs=channel:nixos-unstable
set -x NIX_LOG info
set -x WEBKIT_DISABLE_COMPOSITING_MODE 1
set -x TERMINAL kitty
set -x EDITOR nvim
set -x VISUAL zed
set -x XDG_DATA_HOME $HOME/.local/share
set -x FZF_CTRL_R_OPTS "
--preview='bat --color=always -n {}'
--preview-window up:3:hidden:wrap
--bind 'ctrl-/:toggle-preview'
--bind 'ctrl-y:execute-silent(echo -n {2..} | wl-copy)+abort'
--color header:bold
--header 'Press CTRL-Y to copy command into clipboard'"
set -x FZF_DEFAULT_COMMAND fd --type f --exclude .git --follow --hidden
set -x FZF_CTRL_T_COMMAND "$FZF_DEFAULT_COMMAND"
set -x FLAKE $HOME/p/nixos/nixos-config
source /run/agenix/${config.home.username}-secrets
if test (tty) = "/dev/tty1"
exec uwsm start -S -F /run/current-system/sw/bin/Hyprland
end
if test (tty) = "/dev/tty2"
exec gamescope -O HDMI-A-1 -W 1920 -H 1080 --adaptive-sync --hdr-enabled --rt --steam -- steam -pipewire-dmabuf -tenfoot
end
'';
shellAbbrs = {
".." = "cd ..";
"..." = "cd ../..";
b = "yazi";
ls = "eza";
l = "eza -l --icons --git -a";
lt = "eza --tree --level=2 --long --icons --git";
grep = "rg";
ps = "procs";
just = "just --unstable";
fs = "du -ah . | sort -hr | head -n 10";
n = "nix";
nd = "nix develop -c $SHELL";
ns = "nix shell";
nsn = "nix shell nixpkgs#";
nb = "nix build";
nbn = "nix build nixpkgs#";
nf = "nix flake";
nr = "sudo nixos-rebuild --flake .";
nrs = "sudo nixos-rebuild switch --flake .#(uname -n)";
snr = "sudo nixos-rebuild --flake .";
snrs = "sudo nixos-rebuild --flake . switch";
hm = "home-manager --flake .";
hms = "home-manager --flake . switch";
hmr = "cd ~/projects/nix-configurations; nix flake lock --update-input dotfiles; home-manager --flake .#(whoami)@(hostname) switch";
tsu = "sudo tailscale up";
tsd = "sudo tailscale down";
vi = "nvim";
vim = "nvim";
};
};
};
}

37
home/features/cli/fzf.nix Normal file
View File

@@ -0,0 +1,37 @@
{
config,
lib,
...
}:
with lib; let
cfg = config.features.cli.fzf;
in {
options.features.cli.fzf.enable = mkEnableOption "enable fuzzy finder";
config = mkIf cfg.enable {
programs.fzf = {
enable = true;
enableFishIntegration = true;
colors = {
"fg" = "#f8f8f2";
"bg" = "#282a36";
"hl" = "#bd93f9";
"fg+" = "#f8f8f2";
"bg+" = "#44475a";
"hl+" = "#bd93f9";
"info" = "#ffb86c";
"prompt" = "#50fa7b";
"pointer" = "#ff79c6";
"marker" = "#ff79c6";
"spinner" = "#ffb86c";
"header" = "#6272a4";
};
defaultOptions = [
"--preview='bat --color=always -n {}'"
"--bind 'ctrl-/:toggle-preview'"
];
defaultCommand = "fd --type f --exclude .git --follow --hidden";
changeDirWidgetCommand = "fd --type d --exclude .git --follow --hidden";
};
};
}

21
home/features/cli/secrets.nix Normal file
View File

@@ -0,0 +1,21 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.features.cli.secrets;
in {
options.features.cli.secrets.enable = mkEnableOption "enable secrets";
config = mkIf cfg.enable {
programs.password-store = {
enable = true;
package =
pkgs.pass-wayland.withExtensions
(exts: [exts.pass-otp exts.pass-import]);
};
home.packages = with pkgs; [pinentry];
};
}

17
home/features/cli/starship.nix Normal file
View File

@@ -0,0 +1,17 @@
{
config,
lib,
...
}:
with lib; let
cfg = config.features.cli.starship;
in {
options.features.cli.starship.enable = mkEnableOption "enable starship prompt";
config = mkIf cfg.enable {
programs.starship = {
enable = true;
enableFishIntegration = true;
};
};
}

16
home/features/cli/zellij.nix Normal file
View File

@@ -0,0 +1,16 @@
{
config,
lib,
...
}:
with lib; let
cfg = config.features.cli.zellij;
in {
options.features.cli.zellij.enable = mkEnableOption "enable tmux";
config = mkIf cfg.enable {
programs.zellij = {
enable = true;
};
};
}

20
home/features/coding/default.nix Normal file
View File

@@ -0,0 +1,20 @@
{pkgs, ...}: {
home.packages = with pkgs; [
devpod
devpod-desktop
(python3.withPackages (ps:
with ps; [
pip
# Scientific packages
numba
numpy
openai-whisper
torch
srt
]))
nixd
alejandra
tailwindcss
tailwindcss-language-server
];
}

94
home/features/desktop/coding.nix Normal file
View File

@@ -0,0 +1,94 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.features.desktop.office;
in {
options.features.desktop.coding.enable =
mkEnableOption "install coding related stuff";
config = mkIf cfg.enable {
home.packages = with pkgs; [
bruno
insomnia
];
programs.zed-editor = {
enable = true;
userSettings = {
features = {
inline_prediction_provider = "zed";
inline_completion_provider = "zed";
copilot = false;
};
telemetry = {
metrics = false;
};
lsp = {
rust_analyzer = {
binary = {path_lookup = true;};
};
};
languages = {
Nix = {
language_servers = ["nixd"];
formatter = {
external = {
command = "alejandra";
arguments = ["-q" "-"];
};
};
};
Python = {
language_servers = ["pyright"];
formatter = {
external = {
command = "black";
arguments = ["-"];
};
};
};
};
assistant = {
version = "2";
default_model = {
provider = "zed.dev";
model = "claude-3-5-sonnet-latest";
};
};
language_models = {
anthropic = {
version = "1";
api_url = "https://api.anthropic.com";
};
openai = {
version = "1";
api_url = "https://api.openai.com/v1";
};
ollama = {
api_url = "http://localhost:11434";
};
};
ssh_connections = [
{
host = "152.53.85.162";
nickname = "m3-atlas";
args = ["-i" "~/.ssh/m3tam3re"];
}
];
auto_update = false;
format_on_save = "on";
vim_mode = true;
load_direnv = "shell_hook";
theme = "Dracula";
buffer_font_family = "FiraCode Nerd Font";
ui_font_size = 16;
buffer_font_size = 16;
show_edit_predictions = true;
};
};
};
}

15
home/features/desktop/crypto.nix Normal file
View File

@@ -0,0 +1,15 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.features.desktop.crypto;
in {
options.features.desktop.crypto.enable = mkEnableOption "Enable Crypto";
config = mkIf cfg.enable {
home.packages = with pkgs; [bisq2 monero-gui trezor-suite];
};
}

134
home/features/desktop/default.nix Normal file
View File

@@ -0,0 +1,134 @@
{pkgs, ...}: {
imports = [
./coding.nix
./crypto.nix
./fonts.nix
./gaming.nix
./hyprland.nix
./media.nix
./office.nix
./rofi.nix
./theme.nix
./wayland.nix
./wofi.nix
];
xdg = {
enable = true;
configFile."mimeapps.list".force = true;
mimeApps = {
enable = true;
associations.added = {
"application/zip" = ["org.gnome.FileRoller.desktop"];
"application/csv" = ["calc.desktop"];
"application/pdf" = ["okularApplication_pdf.desktop"];
};
defaultApplications = {
"application/zip" = ["org.gnome.FileRoller.desktop"];
"application/csv" = ["calc.desktop"];
"application/pdf" = ["okularApplication_pdf.desktop"];
"application/md" = ["nvim.desktop"];
"application/text" = ["nvim.desktop"];
"x-scheme-handler/http" = ["io.github.zen_browser.zen"];
"x-scheme-handler/https" = ["io.github.zen_browser.zen"];
};
};
userDirs = {
enable = true;
createDirectories = true;
};
};
home.sessionVariables = {
WEBKIT_DISABLE_COMPOSITING_MODE = "1";
NIXOS_OZONE_WL = "1";
TERMINAL = "kitty";
QT_QPA_PLATFORM = "wayland";
XDG_CURRENT_DESKTOP = "Hyprland";
XDG_SESSION_TYPE = "wayland";
XDG_SESSION_DESKTOP = "Hyprland";
};
home.sessionPath = ["\${XDG_BIN_HOME}" "\${HOME}/.cargo/bin" "$HOME/.npm-global/bin"];
fonts.fontconfig.enable = true;
services.mako = {
enable = true;
backgroundColor = "#282a36";
textColor = "#80FFEA";
borderColor = "#9742b5";
width = 400;
height = 150;
padding = "10,20";
borderRadius = 8;
borderSize = 1;
margin = "20,20";
};
programs.kitty = {
enable = true;
shellIntegration = {
enableFishIntegration = true;
enableBashIntegration = true;
};
font = {name = "Fira Code";};
themeFile = "Dracula";
settings = {copy_on_select = "yes";};
};
home.pointerCursor = {
gtk.enable = true;
package = pkgs.bibata-cursors;
name = "Bibata-Modern-Ice";
size = 20;
};
home.packages = with pkgs; [
appimage-run
anytype
# blueberry
brave
# brightnessctl
# clipman
distrobox
# eww
# firefox-devedition
file-roller
hyprpanel
seahorse
sushi
# glib
# google-chrome
# gsettings-desktop-schemas
# graphviz
# ksnip
msty
nwg-look
# pamixer
# pavucontrol
# libsForQt5.qtstyleplugins
# stable.nyxt
# pcmanfm
rose-pine-hyprcursor
# qt5ct
# qt6.qtwayland
#rustdesk
# socat
# unrar
# unzip
# usbutils
# v4l-utils
remmina
slack
telegram-desktop
vivaldi
vivaldi-ffmpeg-codecs
warp-terminal
# wl-clipboard
# wlogout
# wtype
# xdg-utils
# ydotool
# zip
];
}

24
home/features/desktop/fonts.nix Normal file
View File

@@ -0,0 +1,24 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.features.desktop.fonts;
in {
options.features.desktop.fonts.enable =
mkEnableOption "install additional fonts for desktop apps";
config = mkIf cfg.enable {
home.packages = with pkgs; [
fira-code
fira-code-symbols
nerd-fonts.fira-code
nerd-fonts.jetbrains-mono
font-manager
font-awesome_5
noto-fonts
];
};
}

21
home/features/desktop/gaming.nix Normal file
View File

@@ -0,0 +1,21 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.features.desktop.gaming;
in {
options.features.desktop.gaming.enable =
mkEnableOption "install gaming related stuff";
config = mkIf cfg.enable {
home.packages = with pkgs; [
gamescope
goverlay
mangohud
protonup-ng
];
};
}

179
home/features/desktop/hyprland.nix Normal file
View File

@@ -0,0 +1,179 @@
{
wayland.windowManager.hyprland = {
settings = {
xwayland = {
force_zero_scaling = true;
};
exec-once = [
"hyprpanel"
"hyprpaper"
"hypridle"
"wl-paste -p -t text --watch clipman store -P --histpath=\"~/.local/share/clipman-primary.json\""
];
env = [
"XCURSOR_SIZE,32"
"HYPRCURSOR_THEME,Bibata-Modern-Ice"
"WLR_NO_HARDWARE_CURSORS,1"
"GTK_THEME,Dracula"
];
input = {
kb_layout = "de,us";
kb_variant = "";
kb_model = "";
kb_rules = "";
kb_options = "ctrl:nocaps";
follow_mouse = 1;
};
general = {
gaps_in = 5;
gaps_out = 5;
border_size = 1;
"col.active_border" = "rgba(9742b5ee) rgba(9742b5ee) 45deg";
"col.inactive_border" = "rgba(595959aa)";
layout = "dwindle";
};
decoration = {
shadow = {
enabled = true;
range = 60;
render_power = 3;
color = "rgba(1E202966)";
offset = "1 2";
scale = 0.97;
};
rounding = 8;
blur = {
enabled = true;
size = 3;
passes = 3;
};
active_opacity = 0.9;
inactive_opacity = 0.5;
};
animations = {
enabled = true;
bezier = "myBezier, 0.05, 0.9, 0.1, 1.05";
animation = [
"windows, 1, 7, myBezier"
"windowsOut, 1, 7, default, popin 80%"
"border, 1, 10, default"
"borderangle, 1, 8, default"
"fade, 1, 7, default"
"workspaces, 1, 6, default"
];
};
dwindle = {
pseudotile = true;
preserve_split = true;
};
master = {
new_status = "master";
};
gestures = {
workspace_swipe = false;
};
device = [
{
name = "epic-mouse-v1";
sensitivity = -0.5;
}
{
name = "zsa-technology-labs-moonlander-mark-i";
kb_layout = "us";
}
{
name = "keychron-keychron-k7";
kb_layout = "us";
}
];
windowrule = [
"float, class:file_progress"
"float, class:confirm"
"float, class:dialog"
"float, class:download"
"float, class:notification"
"float, class:error"
"float, class:splash"
"float, class:confirmreset"
"float, title:Open File"
"float, title:branchdialog"
"float, class:pavucontrol-qt"
"float, class:pavucontrol"
"fullscreen, class:wlogout"
"float, title:wlogout"
"fullscreen, title:wlogout"
"float, class:mpv"
"idleinhibit focus, class:mpv"
"opacity 1.0 override, class:mpv"
"float, title:^(Media viewer)$"
"float, title:^(Volume Control)$"
"float, title:^(Picture-in-Picture)$"
];
"$mainMod" = "SUPER";
bind = [
"$mainMod, return, exec, kitty -e zellij-ps"
# "$mainMod, t, exec, warp-terminal"
"$mainMod, t, exec, kitty -e fish -c 'fastfetch; exec fish'"
"$mainMod SHIFT, e, exec, kitty -e zellij_nvim"
"$mainMod, o, exec, hyprctl setprop activewindow opaque toggle"
"$mainMod, b, exec, thunar"
"$mainMod SHIFT, B, exec, vivaldi"
"$mainMod, Escape, exec, wlogout -p layer-shell"
"$mainMod, Space, togglefloating"
"$mainMod, q, killactive"
"$mainMod, M, exit"
"$mainMod, F, fullscreen"
"$mainMod, V, togglefloating"
"$mainMod, D, exec, rofi -show"
"$mainMod SHIFT, S, exec, bemoji"
"$mainMod, P, exec, rofi-pass"
"$mainMod SHIFT, P, pseudo"
"$mainMod, J, togglesplit"
"$mainMod, h, movefocus, l"
"$mainMod, l, movefocus, r"
"$mainMod, k, movefocus, u"
"$mainMod, j, movefocus, d"
"$mainMod, 1, workspace, 1"
"$mainMod, 2, workspace, 2"
"$mainMod, 3, workspace, 3"
"$mainMod, 4, workspace, 4"
"$mainMod, 5, workspace, 5"
"$mainMod, 6, workspace, 6"
"$mainMod, 7, workspace, 7"
"$mainMod, 8, workspace, 8"
"$mainMod, 9, workspace, 9"
"$mainMod, 0, workspace, 10"
"$mainMod SHIFT, 1, movetoworkspace, 1"
"$mainMod SHIFT, 2, movetoworkspace, 2"
"$mainMod SHIFT, 3, movetoworkspace, 3"
"$mainMod SHIFT, 4, movetoworkspace, 4"
"$mainMod SHIFT, 5, movetoworkspace, 5"
"$mainMod SHIFT, 6, movetoworkspace, 6"
"$mainMod SHIFT, 7, movetoworkspace, 7"
"$mainMod SHIFT, 8, movetoworkspace, 8"
"$mainMod SHIFT, 9, movetoworkspace, 9"
"$mainMod SHIFT, 0, movetoworkspace, 10"
"$mainMod, mouse_down, workspace, e+1"
"$mainMod, mouse_up, workspace, e-1"
];
bindm = [
"$mainMod, mouse:272, movewindow"
"$mainMod, mouse:273, resizewindow"
];
};
};
}

68
home/features/desktop/media.nix Normal file
View File

@@ -0,0 +1,68 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.features.desktop.media;
in {
options.features.desktop.media.enable =
mkEnableOption "enable media features";
config = mkIf cfg.enable {
home.packages = with pkgs; [
# handbrake
# kdePackages.kdenlive
# makemkv
# mediainfo
amf
blueberry
ffmpeg_6-full
gst_all_1.gstreamer
gst_all_1.gst-vaapi
handbrake
inkscape
kdePackages.kdenlive
krita
libation
makemkv
pamixer
pavucontrol
qpwgraph
v4l-utils
plexamp
webcord
# uxplay
# vlc
# webcord
# yt-dlp
unimatrix
];
programs = {
obs-studio = {
enable = true;
plugins = with pkgs.obs-studio-plugins; [
obs-composite-blur
obs-vaapi
obs-vertical-canvas
obs-vkcapture
obs-webkitgtk
wlrobs
];
};
mpv = {
enable = true;
bindings = {
WHEEL_UP = "seek 10";
WHEEL_DOWN = "seek -10";
};
config = {
profile = "gpu-hq";
ytdl-format = "bestvideo+bestaudio";
};
};
};
};
}

18
home/features/desktop/office.nix Normal file
View File

@@ -0,0 +1,18 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.features.desktop.office;
in {
options.features.desktop.office.enable =
mkEnableOption "install office and paperwork stuff";
config = mkIf cfg.enable {
home.packages = with pkgs; [
libreoffice-fresh
];
};
}

38
home/features/desktop/rofi.nix Normal file
View File

@@ -0,0 +1,38 @@
{
config,
pkgs,
lib,
...
}:
with lib; let
cfg = config.features.desktop.rofi;
in {
options.features.desktop.rofi.enable = mkEnableOption "enable rofi";
config = mkIf cfg.enable {
programs.rofi = with pkgs; {
enable = true;
package = rofi.override {
plugins = [
rofi-calc
rofi-emoji
stable.rofi-file-browser
];
};
pass = {
enable = true;
package = rofi-pass-wayland;
};
terminal = "\${pkgs.kitty}/bin/kitty";
font = "Fira Code";
extraConfig = {
show-icons = true;
disable-history = false;
modi = "drun,calc,emoji,filebrowser";
kb-primary-paste = "Control+V,Shift+Insert";
kb-secondary-paste = "Control+v,Insert";
};
theme = "dracula";
};
};
}

17
home/features/desktop/theme.nix Normal file
View File

@@ -0,0 +1,17 @@
{pkgs, ...}: {
qt = {
enable = true;
platformTheme.name = "gtk";
};
gtk = {
enable = true;
theme = {
name = "Dracula";
package = pkgs.dracula-theme;
};
iconTheme = {
name = "Dracula";
package = pkgs.dracula-icon-theme;
};
};
}

286
home/features/desktop/wayland.nix Normal file
View File

@@ -0,0 +1,286 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.features.desktop.wayland;
in {
options.features.desktop.wayland.enable = mkEnableOption "wayland extra tools and config";
config = mkIf cfg.enable {
programs.waybar = {
enable = true;
style = ''
@define-color background-darker rgba(30, 31, 41, 230);
@define-color background #282a36;
@define-color selection #44475a;
@define-color foreground #f8f8f2;
@define-color comment #6272a4;
@define-color cyan #8be9fd;
@define-color green #50fa7b;
@define-color orange #ffb86c;
@define-color pink #ff79c6;
@define-color purple #bd93f9;
@define-color red #ff5555;
@define-color yellow #f1fa8c;
* {
border: none;
border-radius: 0;
font-family: FiraCode Nerd Font;
font-weight: bold;
font-size: 14px;
min-height: 0;
}
window#waybar {
background: rgba(21, 18, 27, 0);
color: #cdd6f4;
}
tooltip {
background: #1e1e2e;
border-radius: 10px;
border-width: 2px;
border-style: solid;
border-color: #11111b;
}
#workspaces button {
padding: 5px;
color: #313244;
margin-right: 5px;
}
#workspaces button.active {
color: #11111b;
background: #a6e3a1;
border-radius: 10px;
}
#workspaces button.focused {
color: #a6adc8;
background: #eba0ac;
border-radius: 10px;
}
#workspaces button.urgent {
color: #11111b;
background: #a6e3a1;
border-radius: 10px;
}
#workspaces button:hover {
background: #11111b;
color: #cdd6f4;
border-radius: 10px;
}
#custom-language,
#custom-updates,
#custom-caffeine,
#custom-weather,
#window,
#clock,
#battery,
#pulseaudio,
#network,
#workspaces,
#tray,
#backlight {
background: #1e1e2e;
padding: 0px 10px;
margin: 3px 0px;
margin-top: 10px;
border: 1px solid #181825;
}
#tray {
border-radius: 10px;
margin-right: 10px;
}
#workspaces {
background: #1e1e2e;
border-radius: 10px;
margin-left: 10px;
padding-right: 0px;
padding-left: 5px;
}
#custom-caffeine {
color: #89dceb;
border-radius: 10px 0px 0px 10px;
border-right: 0px;
margin-left: 10px;
}
#custom-language {
color: #f38ba8;
border-left: 0px;
border-right: 0px;
}
#custom-updates {
color: #f5c2e7;
border-left: 0px;
border-right: 0px;
}
#window {
border-radius: 10px;
margin-left: 60px;
margin-right: 60px;
}
#clock {
color: #fab387;
border-radius: 10px 0px 0px 10px;
margin-left: 0px;
border-right: 0px;
}
#network {
color: #f9e2af;
border-left: 0px;
border-right: 0px;
}
#pulseaudio {
color: #89b4fa;
border-left: 0px;
border-right: 0px;
}
#pulseaudio.microphone {
color: #cba6f7;
border-left: 0px;
border-right: 0px;
}
#battery {
color: #a6e3a1;
border-radius: 0 10px 10px 0;
margin-right: 10px;
border-left: 0px;
}
#custom-weather {
border-radius: 0px 10px 10px 0px;
border-right: 0px;
margin-left: 0px;
}
'';
settings = {
mainbar = {
layer = "top";
position = "top";
mod = "dock";
exclusive = true;
passthrough = false;
gtk-layer-shell = true;
height = 0;
modules-left = ["clock" "custom/weather" "hyprland/workspaces"];
modules-center = ["hyprland/window"];
modules-right = [
"tray"
"custom/language"
"battery"
"backlight"
"pulseaudio"
"pulseaudio#microphone"
];
"hyprland/window" = {
format = "👉 {}";
seperate-outputs = true;
};
"hyprland/workspaces" = {
disable-scroll = true;
all-outputs = true;
on-click = "activate";
format = " {name} {icon} ";
on-scroll-up = "hyprctl dispatch workspace e+1";
on-scroll-down = "hyprctl dispatch workspace e-1";
format-icons = {
"1" = "";
"2" = "";
"3" = "";
"4" = "";
"5" = "";
"6" = "";
"7" = "";
};
persistent_workspaces = {
"1" = [];
"2" = [];
"3" = [];
"4" = [];
};
};
"custom/weather" = {
format = "{}°C";
tooltip = true;
interval = 3600;
exec = "wttrbar --location Pockau-Lengefeld";
return-type = "json";
};
tray = {
icon-size = 13;
spacing = 10;
};
clock = {
format = " {:%R %d/%m}";
tooltip-format = "<big>{:%Y %B}</big>\n<tt><small>{calendar}</small></tt>";
};
pulseaudio = {
format = "{icon} {volume}%";
tooltip = false;
format-muted = " Muted";
on-click = "pamixer -t";
on-scroll-up = "pamixer -i 5";
on-scroll-down = "pamixer -d 5";
scroll-step = 5;
format-icons = {
headphone = "";
hands-free = "";
headset = "";
phone = "";
portable = "";
car = "";
default = ["" "" ""];
};
};
"pulseaudio#microphone" = {
format = "{format_source}";
format-source = " {volume}%";
format-source-muted = " Muted";
on-click = "pamixer --default-source -t";
on-scroll-up = "pamixer --default-source -i 5";
on-scroll-down = "pamixer --default-source -d 5";
scroll-step = 5;
};
};
};
};
home.packages = with pkgs; [
grim
hyprcursor
hyprlock
hyprpaper
qt6.qtwayland
slurp
waypipe
wl-clipboard
wf-recorder
wl-mirror
wl-clipboard
wlogout
wtype
ydotool
];
};
}

6
home/features/desktop/wofi.nix Normal file
View File

@@ -0,0 +1,6 @@
{pkgs, ...}: {
home.packages = with pkgs; [
wofi
bemoji
];
}

26
home/m3tam3re/dotfiles/default.nix Normal file
View File

@@ -0,0 +1,26 @@
{
pkgs,
inputs,
...
}: {
home.file.".config/bat" = {
source = "${inputs.dotfiles}/bat";
recursive = true;
};
home.file.".config/nyxt" = {
source = "${inputs.dotfiles}/nyxt";
recursive = true;
};
# home.file.".config/hypr" = {
# source = "${inputs.dotfiles}/hypr";
# recursive = true;
# };
home.file.".config/nvim" = {
source = "${inputs.dotfiles}/nvim";
recursive = true;
};
home.file.".config/zellij" = {
source = "${inputs.dotfiles}/zellij";
recursive = true;
};
}

115
home/m3tam3re/home-server.nix Normal file
View File

@@ -0,0 +1,115 @@
# This is a default home.nix generated by the follwing hone-manager command
#
# home-manager init ./
{
config,
lib,
pkgs,
...
}: {
# Home Manager needs a bit of information about you and the paths it should
# manage.
home.username = lib.mkDefault "your-name";
home.homeDirectory = lib.mkDefault "/home/${config.home.username}";
# This value determines the Home Manager release that your configuration is
# compatible with. This helps avoid breakage when a new Home Manager release
# introduces backwards incompatible changes.
#
# You should not change this value, even if you update Home Manager. If you do
# want to update the value, then make sure to first check the Home Manager
# release notes.
home.stateVersion = "24.11"; # Please read the comment before changing.
# The home.packages option allows you to install Nix packages into your
# environment.
home.packages = with pkgs; [
# # Adds the 'hello' command to your environment. It prints a friendly
# # "Hello, world!" when run.
# pkgs.hello
# # It is sometimes useful to fine-tune packages, for example, by applying
# # overrides. You can do that directly here, just don't forget the
# # parentheses. Maybe you want to install Nerd Fonts with a limited number of
# # fonts?
# (pkgs.nerdfonts.override { fonts = [ "FantasqueSansMono" ]; })
# # You can also create simple shell scripts directly inside your
# # configuration. For example, this adds a command 'my-hello' to your
# # environment:
# (pkgs.writeShellScriptBin "my-hello" ''
# echo "Hello, ${config.home.username}!"
# '')
];
# Home Manager is pretty good at managing dotfiles. The primary way to manage
# plain files is through 'home.file'.
home.file = {
# # Building this configuration will create a copy of 'dotfiles/screenrc' in
# # the Nix store. Activating the configuration will then make '~/.screenrc' a
# # symlink to the Nix store copy.
# ".screenrc".source = dotfiles/screenrc;
# # You can also set the file content immediately.
# ".gradle/gradle.properties".text = ''
# org.gradle.console=verbose
# org.gradle.daemon.idletimeout=3600000
# '';
};
# Home Manager can also manage your environment variables through
# 'home.sessionVariables'. If you don't want to manage your shell through Home
# Manager then you have to manually source 'hm-session-vars.sh' located at
# either
#
# ~/.nix-profile/etc/profile.d/hm-session-vars.sh
#
# or
#
# ~/.local/state/nix/profiles/profile/etc/profile.d/hm-session-vars.sh
#
# or
#
# /etc/profiles/per-user/m3tam3re/etc/profile.d/hm-session-vars.sh
#
home.sessionVariables = {
# EDITOR = "emacs";
};
# Let Home Manager install and manage itself.
programs.home-manager.enable = true;
programs.git = {
enable = true;
userName = "m3tam3re";
userEmail = "m@m3tam3re.com";
aliases = {st = "status";};
extraConfig = {
core.excludesfile = "~/.gitignore_global";
init.defaultBranch = "master";
};
};
programs.zellij-ps = {
enable = true;
projectFolders = [
"${config.home.homeDirectory}/p/c"
"${config.home.homeDirectory}/p"
"${config.home.homeDirectory}/.config"
];
layout = ''
layout {
pane size=1 borderless=true {
plugin location="zellij:tab-bar"
}
pane size="70%" command="nvim"
pane split_direction="vertical" {
pane
pane command="unimatrix"
}
pane size=1 borderless=true {
plugin location="zellij:status-bar"
}
}
'';
};
}

203
home/m3tam3re/home.nix Normal file
View File

@@ -0,0 +1,203 @@
# This is a default home.nix generated by the follwing hone-manager command
#
# home-manager init ./
{
config,
lib,
pkgs,
...
}: {
# Home Manager needs a bit of information about you and the paths it should
# manage.
home.username = lib.mkDefault "your-name";
home.homeDirectory = lib.mkDefault "/home/${config.home.username}";
# This value determines the Home Manager release that your configuration is
# compatible with. This helps avoid breakage when a new Home Manager release
# introduces backwards incompatible changes.
#
# You should not change this value, even if you update Home Manager. If you do
# want to update the value, then make sure to first check the Home Manager
# release notes.
home.stateVersion = "24.11"; # Please read the comment before changing.
# The home.packages option allows you to install Nix packages into your
# environment.
home.packages = with pkgs; [
aider-chat-env
libgtop
# # Adds the 'hello' command to your environment. It prints a friendly
# # "Hello, world!" when run.
# pkgs.hello
# # It is sometimes useful to fine-tune packages, for example, by applying
# # overrides. You can do that directly here, just don't forget the
# # parentheses. Maybe you want to install Nerd Fonts with a limited number of
# # fonts?
# (pkgs.nerdfonts.override { fonts = [ "FantasqueSansMono" ]; })
# # You can also create simple shell scripts directly inside your
# # configuration. For example, this adds a command 'my-hello' to your
# # environment:
# (pkgs.writeShellScriptBin "my-hello" ''
# echo "Hello, ${config.home.username}!"
# '')
];
# Home Manager is pretty good at managing dotfiles. The primary way to manage
# plain files is through 'home.file'.
home.file = {
# # Building this configuration will create a copy of 'dotfiles/screenrc' in
# # the Nix store. Activating the configuration will then make '~/.screenrc' a
# # symlink to the Nix store copy.
# ".screenrc".source = dotfiles/screenrc;
# # You can also set the file content immediately.
# ".gradle/gradle.properties".text = ''
# org.gradle.console=verbose
# org.gradle.daemon.idletimeout=3600000
# '';
};
# Home Manager can also manage your environment variables through
# 'home.sessionVariables'. If you don't want to manage your shell through Home
# Manager then you have to manually source 'hm-session-vars.sh' located at
# either
#
# ~/.nix-profile/etc/profile.d/hm-session-vars.sh
#
# or
#
# ~/.local/state/nix/profiles/profile/etc/profile.d/hm-session-vars.sh
#
# or
#
# /etc/profiles/per-user/m3tam3re/etc/profile.d/hm-session-vars.sh
#
home.sessionVariables = {
# EDITOR = "emacs";
};
# Let Home Manager install and manage itself.
programs.home-manager.enable = true;
programs.git = {
enable = true;
difftastic.enable = true;
userName = "m3tam3re";
userEmail = "m@m3tam3re.com";
aliases = {
st = "status";
logd = "log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit";
};
extraConfig = {
core.excludesfile = "~/.gitignore_global";
init.defaultBranch = "master";
};
};
programs.ssh = {
enable = true;
matchBlocks = {
"github.com" = {
hostname = "github.com";
user = "m3tam3re";
port = 22;
identityFile = "~/.ssh/github";
};
"code.m3tam3re.com" = {
hostname = "code.m3tam3re.com";
user = "m3tam3re";
identityFile = "~/.ssh/gitea";
};
"lkk-nix-1" = {
hostname = "89.58.10.189";
user = "lkk-admin";
identityFile = "~/.ssh/lkk-admin";
};
"m3-r1" = {
hostname = "202.61.226.110";
user = "m3tam3re";
identityFile = "~/.ssh/m3tam3re";
};
"lkk-prod-test" = {
hostname = "192.168.122.215";
user = "root";
identityFile = "~/.ssh/m3tam3re";
};
"lkk-prod-1" = {
hostname = "192.168.0.24";
user = "root";
identityFile = "~/.ssh/m3tam3re";
};
"lkk-prod-2" = {
hostname = "192.168.0.20";
user = "root";
identityFile = "~/.ssh/m3tam3re";
};
"m3-deck" = {
hostname = "192.168.178.193";
user = "m3tam3re";
identityFile = "~/.ssh/m3tam3re";
};
"m3-kratos-vm" = {
hostname = "192.168.122.43";
user = "m3tam3re";
identityFile = "~/.ssh/m3tam3re";
};
"m3-hermes" = {
hostname = "95.216.214.142";
user = "m3tam3re";
identityFile = "~/.ssh/m3tam3re";
};
"m3-helios" = {
hostname = "192.168.178.210";
user = "m3tam3re";
identityFile = "~/.ssh/m3tam3re";
};
"m3-ares" = {
hostname = "192.168.1.30";
user = "m3tam3re";
identityFile = "~/.ssh/m3tam3re";
};
"m3-atlas" = {
hostname = "152.53.85.162";
user = "m3tam3re";
identityFile = "~/.ssh/m3tam3re";
};
"m3-zelda" = {
hostname = "95.217.189.186";
user = "m3tam3re";
identityFile = "~/.ssh/m3tam3re";
};
"self-host-playbook" = {
hostname = "157.180.21.225";
port = 2222;
user = "m3tam3re";
identityFile = "~/.ssh/self-host-playbook";
};
};
};
programs.zellij-ps = {
enable = true;
projectFolders = [
"${config.home.homeDirectory}/p/c"
"${config.home.homeDirectory}/p"
"${config.home.homeDirectory}/.config"
];
layout = ''
layout {
pane size=1 borderless=true {
plugin location="zellij:tab-bar"
}
pane size="70%" command="nvim"
pane split_direction="vertical" {
pane
pane command="unimatrix"
}
pane size=1 borderless=true {
plugin location="zellij:status-bar"
}
}
'';
};
}

66
hosts/m3-ares/home.nix → home/m3tam3re/m3-ares.nix
View File

@@ -1,17 +1,29 @@
# hosts/m3-ares/home.nix — Host-specific home-manager overrides.
# TUXEDO laptop: eDP-1 + HDMI-A-1 external monitor.
# Everything else (shell, editors, gaming, media, theme, etc.) comes from
# m3ta-home via the profile mapping in hosts/common/users/m3tam3re.nix.
{
config,
lib,
...
}:
with lib; {
with lib; let
cfg = config.features.desktop.hyprland;
in {
imports = [
../common
./dotfiles
./home.nix
../features/cli
../features/coding
../features/desktop
#./services/librechat.nix
];
options.features.desktop.hyprland.enable =
mkEnableOption "enable Hyprland";
config = mkMerge [
# ── XDG / MIME defaults ──
# Base configuration
{
xdg = {
# TODO: better structure
enable = true;
configFile."mimeapps.list".force = true;
mimeApps = {
@@ -34,17 +46,35 @@ with lib; {
};
};
};
features = {
cli = {
fish.enable = true;
fzf.enable = true;
fastfetch.enable = true;
secrets.enable = true;
starship.enable = true;
};
desktop = {
coding.enable = true;
crypto.enable = true;
gaming.enable = true;
hyprland.enable = true;
media.enable = true;
office.enable = true;
rofi.enable = true;
fonts.enable = true;
wayland.enable = true;
};
};
}
# ── Hyprland monitor layout ──
(mkIf config.desktop.wm.hyprland.enable {
(mkIf cfg.enable {
wayland.windowManager.hyprland = {
enable = true;
settings = {
exec-once = ["tuxedo-backlight"];
monitor = [
"eDP-1,preferred,0x0,1.25"
"HDMI-A-1,1920x1080@120,2560x0,1"
"HDMI-A-1,preferred,2560x0,1"
];
workspace = [
"1, monitor:eDP-1, default:true"
@@ -55,14 +85,14 @@ with lib; {
"6, monitor:HDMI-A-1"
];
windowrule = [
"match:class dev.zed.Zed, workspace 1"
"match:class Msty, workspace 1"
"match:class ^(com.obsproject.Studio)$, workspace 2"
"match:class ^(brave-browser)$, workspace 4, opacity 1.0"
"match:class ^(vivaldi-stable)$, workspace 4, opacity 1.0"
"match:class ^steam_app_\\d+$, fullscreen on"
"match:class ^steam_app_\\d+$, workspace 5"
"match:class ^steam_app_\\d+$, idle_inhibit focus"
"workspace 1,class:dev.zed.Zed"
"workspace 1,class:Msty"
"workspace 2,class:(com.obsproject.Studio)"
"workspace 4,opacity 1.0, class:(brave-browser)"
"workspace 4,opacity 1.0, class:(vivaldi-stable)"
"fullscreen,class:^steam_app_\\d+$"
"workspace 5,class:^steam_app_\\d+$"
"idleinhibit focus, class:^steam_app_\\d+$"
];
};
};

17
home/m3tam3re/m3-atlas.nix Normal file
View File

@@ -0,0 +1,17 @@
{
imports = [
../common
../features/cli
./home-server.nix
];
features = {
cli = {
fish.enable = true;
fzf.enable = true;
fastfetch.enable = true;
secrets.enable = false;
starship.enable = true;
};
};
}

17
home/m3tam3re/m3-helios.nix Normal file
View File

@@ -0,0 +1,17 @@
{
imports = [
../common
../features/cli
./home-server.nix
];
features = {
cli = {
fish.enable = true;
fzf.enable = true;
fastfetch.enable = true;
secrets.enable = false;
starship.enable = true;
};
};
}

60
hosts/m3-kratos/home.nix → home/m3tam3re/m3-kratos.nix
View File

@@ -1,17 +1,29 @@
# hosts/m3-kratos/home.nix — Host-specific home-manager overrides.
# AMD desktop: dual 2560x1440@144 via DisplayPort.
# Everything else (shell, editors, gaming, media, theme, etc.) comes from
# m3ta-home via the profile mapping in hosts/common/users/m3tam3re.nix.
{
config,
lib,
...
}:
with lib; {
with lib; let
cfg = config.features.desktop.hyprland;
in {
imports = [
../common
./dotfiles
./home.nix
../features/cli
../features/coding
../features/desktop
./services/librechat.nix
];
options.features.desktop.hyprland.enable =
mkEnableOption "enable Hyprland";
config = mkMerge [
# ── XDG / MIME defaults ──
# Base configuration
{
xdg = {
# TODO: better structure
enable = true;
configFile."mimeapps.list".force = true;
mimeApps = {
@@ -34,10 +46,29 @@ with lib; {
};
};
};
features = {
cli = {
fish.enable = true;
fzf.enable = true;
fastfetch.enable = true;
secrets.enable = true;
starship.enable = true;
};
desktop = {
crypto.enable = true;
coding.enable = true;
gaming.enable = true;
hyprland.enable = true;
media.enable = true;
office.enable = true;
rofi.enable = true;
fonts.enable = true;
wayland.enable = true;
};
};
}
# ── Hyprland monitor layout ──
(mkIf config.desktop.wm.hyprland.enable {
(mkIf cfg.enable {
wayland.windowManager.hyprland = {
enable = true;
settings = {
@@ -54,13 +85,14 @@ with lib; {
"6, monitor:DP-2"
"7, monitor:DP-2"
];
windowrule = [
"match:class dev.zed.Zed, workspace 1"
"match:class Msty, workspace 1"
"match:class ^(com.obsproject.Studio)$, workspace 2"
"match:class ^(brave-browser)$, workspace 4, opacity 1.0"
"match:class ^(vivaldi-stable)$, workspace 4, opacity 1.0"
"match:class ^steam_app_\\d+$, idle_inhibit focus"
"workspace 1,class:dev.zed.Zed"
"workspace 1,class:Msty"
"workspace 2,class:(com.obsproject.Studio)"
"workspace 4,opacity 1.0, class:(brave-browser)"
"workspace 4,opacity 1.0, class:(vivaldi-stable)"
"idleinhibit focus, class:^steam_app_\\d+$"
];
};
};

18
home/m3tam3re/services/librechat.nix Normal file
View File

@@ -0,0 +1,18 @@
{
systemd.user.services.librechat = {
Unit = {
Description = "LibreChat Start";
After = ["network-online.target"];
Wants = ["network-online.target"];
};
Install = {WantedBy = ["default.target"];};
Service = {
Type = "oneshot";
RemainAfterExit = "yes";
WorkingDirectory = "/home/m3tam3re/p/r/ai/LibreChat";
ExecStart = "/run/current-system/sw/bin/podman-compose up -d";
ExecStop = "/run/current-system/sw/bin/podman-compose down";
Restart = "on-failure";
};
};
}

76
hosts/common/AGENTS.md
View File

@@ -1,76 +0,0 @@
# COMMON HOST CONFIGURATION
**Shared base configuration and abstractions for all hosts**
## OVERVIEW
Common imports, overlays, and custom patterns (extraServices, ports) used across 6 hosts.
## STRUCTURE
```
common/
├── default.nix # Base imports, overlays, nix settings
├── ports.nix # Centralized port registry
├── extraServices/ # Optional service modules
│ ├── default.nix
│ ├── flatpak.nix
│ ├── ollama.nix
│ ├── podman.nix
│ └── virtualisation.nix
└── users/
├── default.nix
└── m3tam3re.nix # Primary user definition
```
## WHERE TO LOOK
| Task | Location | Notes |
|------|----------|-------|
| Add port definition | ports.nix | Use config.m3ta.ports.get |
| Enable optional service | Host config extraServices | Boolean flags |
| Modify overlays | default.nix lines 27-36 | 5 overlay sources |
| Add new user | users/ | Shared across all hosts |
## CONVENTIONS
### Port Registry Pattern
```nix
# Define in ports.nix
definitions = {
myservice = 3099;
};
# Access in host config
config.m3ta.ports.get "myservice" # Returns 3099
```
### extraServices Abstraction
Host configs enable via boolean:
```nix
extraServices = {
podman.enable = true; # Container runtime
ollama.enable = true; # LLM inference
flatpak.enable = false; # Flatpak apps
virtualisation.enable = true; # QEMU/KVM
};
```
### Overlay Precedence (bottom overrides top)
1. stable-packages (nixpkgs-stable)
2. locked-packages (nixpkgs-locked)
3. pinned-packages (nixpkgs-45570c2, nixpkgs-9e58ed7)
4. master-packages (nixpkgs-master)
5. m3ta-nixpkgs (local custom overlay)
## ANTI-PATTERNS
- **DON'T** add host-specific logic to common/ - belongs in hosts/<name>/
- **DON'T** bypass port registry - hardcoded ports break consistency
- **DON'T** modify user shell globally - set per-user if needed
## NOTES
- Nix GC runs weekly, keeps 30 days
- Trusted users: root, m3tam3re
- Default shell: Nushell (set line 77)
- Home-manager integrated at common level, not per-host
- TODO on line 69: ports should only return actually used ports

25
hosts/common/default.nix
View File

@@ -1,45 +1,36 @@
# Common configuration for all hosts
{
config,
pkgs,
lib,
inputs,
outputs,
system,
...
}: {
imports = [
./extraServices
./ports.nix
./users
inputs.home-manager.nixosModules.home-manager
];
environment.pathsToLink = ["/share/xdg-desktop-portal" "/share/applications"];
environment.pathsToLink = [
"/share/xdg-desktop-portal"
"/share/applications"
];
home-manager = {
useGlobalPkgs = true;
useUserPackages = true;
extraSpecialArgs = {
inherit inputs outputs system;
videoDrivers = config.services.xserver.videoDrivers or [];
extraSpecialArgs = {inherit inputs outputs;};
};
};
nixpkgs = {
# You can add overlays here
overlays = [
# Add overlays your own flake exports (from overlays and pkgs dir):
#outputs.overlays.additions
#outputs.overlays.modifications
outputs.overlays.additions
outputs.overlays.modifications
outputs.overlays.stable-packages
outputs.overlays.locked-packages
outputs.overlays.pinned-packages
outputs.overlays.master-packages
inputs.m3ta-nixpkgs.overlays.default
inputs.m3ta-nixpkgs.overlays.modifications
(outputs.lib.mkLlmAgentsOverlay system)
# You can also add overlays exported from other flakes:
# neovim-nightly-overlay.overlays.default
@@ -78,5 +69,5 @@
((lib.filterAttrs (_: lib.isType "flake")) inputs);
nixPath = ["/etc/nix/path"];
};
users.defaultUserShell = pkgs.nushell;
users.defaultUserShell = pkgs.fish;
}

1
hosts/common/extraServices/flatpak.nix
View File

@@ -14,6 +14,7 @@ in {
xdg.portal = {
# xdg desktop intergration (required for flatpak)
enable = true;
wlr.enable = true;
extraPortals = with pkgs; [
xdg-desktop-portal-hyprland
];

12
hosts/common/extraServices/ollama.nix
View File

@@ -12,18 +12,14 @@ in {
config = mkIf cfg.enable {
services.ollama = {
enable = true;
package =
acceleration =
if config.services.xserver.videoDrivers == ["amdgpu"]
then pkgs.ollama-rocm
then "rocm"
else if config.services.xserver.videoDrivers == ["nvidia"]
then pkgs.ollama-cuda
else pkgs.ollama-cpu;
then "cuda"
else null;
host = "[::]";
openFirewall = true;
environmentVariables = {
OLLAMA_ORIGINS = "https://msty.studio";
OLLAMA_HOST = "0.0.0.0";
};
};
nixpkgs.config = {
rocmSupport = config.services.xserver.videoDrivers == ["amdgpu"];

17
hosts/common/extraServices/virtualisation.nix
View File

@@ -17,13 +17,22 @@ in {
package = pkgs.qemu_kvm;
runAsRoot = true;
swtpm.enable = true;
ovmf = {
enable = true;
packages = [
(pkgs.OVMF.override {
secureBoot = true;
tpmSupport = true;
})
.fd
];
};
};
};
};
programs.virt-manager.enable = true;
systemd.services.virt-secret-init-encryption.enable = false;
environment = {
systemPackages = [pkgs.qemu];
};
environment.systemPackages = with pkgs; [
# locked.OVMFFull
];
};
}

75
hosts/common/ports.nix
View File

@@ -1,75 +0,0 @@
{config, ...}: {
m3ta.ports = {
enable = true;
definitions = {
# System services
ssh = 22;
# Web & proxy services
traefik = 80;
traefik-ssl = 443;
# Databases
postgres = 5432;
mysql = 3306;
redis = 6379;
# VPN & networking
wireguard = 51820;
tailscale = 41641;
headscale = 3009;
netbird-stun = 3478;
netbird-proxy = 8443;
netbird-metrics = 9090;
netbird-health = 9000;
# Containers & web apps
gitea = 3030;
baserow = 3001;
ghost = 3002;
wastebin = 3003;
littlelink = 3004;
searx = 3005;
restreamer = 3006;
paperless = 3012;
vaultwarden = 3013;
slash = 3010;
slash-nemoti = 3016;
kestra = 3018;
outline = 3019;
authentik = 3023;
tuwunel = 3024;
# Home automation
homarr = 7575;
# DNS
adguardhome = 53;
};
hostOverrides = {
# Host-specific overrides
m3-ares = {
# Any custom port overrides for m3-ares
};
m3-atlas = {
# Any custom port overrides for m3-atlas
};
m3-helios = {
# Any custom port overrides for m3-helios
};
m3-kratos = {
# Any custom port overrides for m3-kratos
};
};
};
environment.etc."info/all-ports.json" = {
text = builtins.toJSON {
hostname = config.networking.hostName;
ports = config.m3ta.ports.all; # TODO should only return actually used ports
};
};
}

231
hosts/common/users/m3tam3re.nix
View File

@@ -1,211 +1,11 @@
# hosts/common/users/m3tam3re.nix — Central user definition with m3ta-home integration.
#
# This module:
# 1. Creates the m3tam3re NixOS user
# 2. Loads the m3ta-home profile system via mkHome
# 3. Sets per-host feature flags based on a host profile mapping
# 4. Imports per-host home.nix overrides (monitors, HW-specific config)
#
# To add a new host:
# 1. Add entry to hostProfiles below
# 2. Add feature flags in the hostFlags section
# 3. Create hosts/<hostname>/home.nix if the host needs overrides (monitors, etc.)
{
config,
pkgs,
inputs,
...
}: let
hostname = config.networking.hostName;
# ── Per-host profile mapping ──
# Determines which m3ta-home context and sets each host gets.
hostProfiles = {
# ── Desktop hosts ──
m3-ares = {
context = "desktop";
sets = ["coding" "gaming" "media"];
};
m3-kratos = {
context = "desktop";
sets = ["coding" "gaming" "media"];
};
m3-daedalus = {
context = "desktop";
sets = ["coding" "media"];
};
# ── Server hosts ──
m3-atlas = {
context = "server";
sets = ["coding"];
};
m3-helios = {
context = "server";
sets = [];
};
m3-hermes = {
context = "server";
sets = [];
};
m3-aether = {
context = "server";
sets = [];
};
};
profile = hostProfiles.${hostname} or {
context = "server";
sets = [];
};
m3ta-lib = inputs.m3ta-home.lib;
# Check if a per-host home.nix exists
hostHomeFile = ./../../${hostname}/home.nix;
hostHomeExists = builtins.pathExists hostHomeFile;
# ── Per-host feature flags ──
# These enable/disable specific m3ta-home modules per host.
hostFlags =
if hostname == "m3-ares" || hostname == "m3-kratos"
then {
# Full desktop workstation
base = {
shell = {
fish.enable = true;
nushell.enable = true;
starship.enable = true;
};
cliTools = {
fzf.enable = true;
nitch.enable = true;
television.enable = true;
};
secrets.enable = true;
};
desktop = {
wm = {
hyprland.enable = true;
rofi.enable = true;
wayland.enable = true;
};
apps = {
crypto.enable = true;
obsidian.enable = true;
office.enable = true;
};
theme = {
fonts.enable = true;
wallpapers.enable = true;
};
};
coding = {
editors = {
neovim.enable = true;
zed.enable = true;
};
lsp.enable = true;
packages.enable = true;
languages = {
python.enable = true;
javascript.enable = true;
rustToolchain.enable = true;
go.enable = true;
typescript.enable = true;
};
};
profiles.gaming = {
steam.enable = true;
gamescope.enable = true;
};
profiles.media = {
obs.enable = true;
ffmpeg.enable = true;
kdenlive.enable = true;
ytDlp.enable = true;
};
}
else if hostname == "m3-daedalus"
then {
# Portable laptop — desktop without gaming, no Hyprland
base = {
shell = {
fish.enable = true;
nushell.enable = true;
starship.enable = true;
};
cliTools = {
fzf.enable = true;
nitch.enable = true;
television.enable = true;
};
secrets.enable = true;
};
desktop = {
wm = {
hyprland.enable = false;
wayland.enable = false;
};
apps = {
crypto.enable = false;
obsidian.enable = true;
office.enable = false;
};
theme = {
fonts.enable = true;
wallpapers.enable = false;
};
};
coding = {
editors = {
neovim.enable = true;
zed.enable = true;
};
lsp.enable = true;
packages.enable = true;
languages = {
python.enable = true;
javascript.enable = true;
rustToolchain.enable = true;
go.enable = true;
typescript.enable = true;
};
};
profiles.media = {
ytDlp.enable = true;
};
}
else if hostname == "m3-atlas"
then {
# Primary server — coding capable
base = {
shell = {
nushell.enable = true;
starship.enable = true;
};
cliTools = {
fzf.enable = true;
nitch.enable = true;
zellij.enable = true;
};
};
coding.editors.neovim.enable = true;
}
else {
# m3-helios, m3-hermes, m3-aether — minimal server
base = {
shell = {
fish.enable = true;
starship.enable = true;
};
cliTools = {
fzf.enable = true;
nitch.enable = true;
};
};
};
in {
# ── NixOS user definition ──
}: {
users.users.m3tam3re = {
#initialHashedPassword = "$y$j9T$IoChbWGYRh.rKfmm0G86X0$bYgsWqDRkvX.EBzJTX.Z0RsTlwspADpvEF3QErNyCMC";
password = "12345";
isNormalUser = true;
description = "m3tam3re";
@@ -224,30 +24,9 @@ in {
];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC3YEmpYbM+cpmyD10tzNRHEn526Z3LJOzYpWEKdJg8DaYyPbDn9iyVX30Nja2SrW4Wadws0Y8DW+Urs25/wVB6mKl7jgPJVkMi5hfobu3XAz8gwSdjDzRSWJrhjynuaXiTtRYED2INbvjLuxx3X8coNwMw58OuUuw5kNJp5aS2qFmHEYQErQsGT4MNqESe3jvTP27Z5pSneBj45LmGK+RcaSnJe7hG+KRtjuhjI7RdzMeDCX73SfUsal+rHeuEw/mmjYmiIItXhFTDn8ZvVwpBKv7xsJG90DkaX2vaTk0wgJdMnpVIuIRBa4EkmMWOQ3bMLGkLQeK/4FUkNcvQ/4+zcZsg4cY9Q7Fj55DD41hAUdF6SYODtn5qMPsTCnJz44glHt/oseKXMSd556NIw2HOvihbJW7Rwl4OEjGaO/dF4nUw4c9tHWmMn9dLslAVpUuZOb7ykgP0jk79ldT3Dv+2Hj0CdAWT2cJAdFX58KQ9jUPT3tBnObSF1lGMI7t77VU= m3tam3re@m3-nix"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZcjCKl0DRuOUOMXbM0GKY5JjvmyFpVZ/tRlTKWu/zp razr"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZbg/Z9mnflXuLahGY8WOSBMqbgeqVIkIwRkquys1Ml sascha.koenig@azintec.com"
];
packages = [inputs.home-manager.packages.${pkgs.stdenv.hostPlatform.system}.default];
};
# ── Home-Manager configuration via m3ta-home ──
home-manager.users.m3tam3re = {
imports =
[
# Load m3ta-home composition engine
(m3ta-lib.mkHome {
user = "m3tam3re";
identity = "private";
inherit (profile) context sets;
})
# Per-host feature flags
hostFlags
]
# Per-host home.nix (Hyprland monitors, XDG/MIME, HW-specific overrides)
++ (
if hostHomeExists
then [hostHomeFile]
else []
);
packages = [inputs.home-manager.packages.${pkgs.system}.default];
};
home-manager.users.m3tam3re =
import ../../../home/m3tam3re/${config.networking.hostName}.nix;
}

111
hosts/m3-aether/configuration.nix
View File

@@ -1,111 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{pkgs, ...}: {
imports = [
# Include the results of the hardware scan.
./disko-config.nix
./hardware-configuration.nix
];
# Bootloader.
boot.loader.grub = {
efiSupport = true;
efiInstallAsRemovable = true;
};
networking.hostName = "m3-helios"; # Define your hostname.
networking.hostId = "3ebf1cd3";
# Pick only one of the below networking options.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
networking.networkmanager.enable =
true; # Easiest to use and most distros use this by default.
# Set your time zone.
time.timeZone = "Europe/Berlin";
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
# console = {
# font = "Lat2-Terminus16";
# keyMap = "us";
# useXkbConfig = true; # use xkb.options in tty.
# };
# Enable the X11 windowing system.
# services.xserver.enable = true;
# Enable the GNOME Desktop Environment.
# services.xserver.displayManager.gdm.enable = true;
# services.xserver.desktopManager.gnome.enable = true;
# Configure keymap in X11
# services.xserver.xkb.layout = "us";
# services.xserver.xkb.options = "eurosign:e,caps:escape";
# Enable CUPS to print documents.
# services.printing.enable = true;
# Enable sound.
# hardware.pulseaudio.enable = true;
# OR
# Enable touchpad support (enabled default in most desktopManager).
# services.libinput.enable = true;
# Define a user account. Don't forget to set a password with passwd.
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [neovim git];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable:
# Enable the OpenSSH daemon.
services.openssh.enable = true;
services.fstrim = {
enable = true; # For SSD/thin-provisioned storage
interval = "weekly";
};
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# system.copySystemConfiguration = true;
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
#
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
# to actually do that.
#
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
#
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
#
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "24.11"; # Did you read the comment?
}

50
hosts/m3-aether/default.nix
View File

@@ -1,50 +0,0 @@
# A staring point is the basic NIXOS configuration generated by the ISO installer.
# On an existing NIXOS install you can use the following command in your flakes basedir:
# sudo nixos-generate-config --dir ./hosts/m3tam3re
#
# Please make sure to change the first couple of lines in your configuration.nix:
# { config, inputs, ouputs, lib, pkgs, ... }:
#
# {
# imports = [ # Include the results of the hardware scan.
# ./hardware-configuration.nix
# inputs.home-manager.nixosModules.home-manager
# ];
# ...
#
# Moreover please update the packages option in your user configuration and add the home-manager options:
# users.users = {
# m3tam3re = {
# isNormalUser = true;
# initialPassword = "12345";
# extraGroups = [ "wheel" ]; # Enable sudo for the user.
# packages = [ inputs.home-manager.packages.${pkgs.system}.default ];
# };
# };
#
# home-manager = {
# useUserPackages = true;
# extraSpecialArgs = { inherit inputs outputs; };
# users.m3tam3re =
# import ../../home/m3tam3re/${config.networking.hostName}.nix;
# };
#
# Please also change your hostname accordingly:
#:w
# networking.hostName = "nixos"; # Define your hostname.
{
imports = [
../common
./configuration.nix
./programs.nix
./secrets.nix
./services
];
extraServices = {
flatpak.enable = true;
ollama.enable = false;
podman.enable = true;
virtualisation.enable = false;
};
}

39
hosts/m3-aether/disko-config.nix
View File

@@ -1,39 +0,0 @@
{
disko.devices = {
disk = {
main = {
type = "disk";
device = "/dev/sda";
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02"; # for GRUB MBR
priority = 1;
};
esp = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = ["defaults" "umask=0077"];
};
};
root = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
mountOptions = ["noatime" "nodiratime" "discard"];
};
};
};
};
};
};
};
}

28
hosts/m3-aether/hardware-configuration.nix
View File

@@ -1,28 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

14
hosts/m3-aether/programs.nix
View File

@@ -1,14 +0,0 @@
{pkgs, ...}: {
programs.nix-ld.enable = true;
programs.nix-ld.libraries = with pkgs; [
# Add any missing dynamic libraries for unpackaged programs
# here, NOT in environment.systemPackages
];
programs.fish.enable = true;
programs.nh = {
enable = true;
clean.enable = true;
clean.extraArgs = "--keep-since 4d --keep 3";
flake = "/home/m3tam3re/p/nixos/nixos-config";
};
}

15
hosts/m3-aether/secrets.nix
View File

@@ -1,15 +0,0 @@
{
age = {
secrets = {
traefik = {
file = ../../secrets/traefik.age;
mode = "770";
owner = "traefik";
};
m3tam3re-secrets = {
file = ../../secrets/m3tam3re-secrets.age;
owner = "m3tam3re";
};
};
};
}

7
hosts/m3-aether/services/cloud-init.nix
View File

@@ -1,7 +0,0 @@
{
services.cloud-init = {
enable = true;
ext4.enable = true;
network.enable = true;
};
}

5
hosts/m3-aether/services/default.nix
View File

@@ -1,5 +0,0 @@
{
imports = [
./cloud-init.nix
];
}

17
hosts/m3-ares/configuration.nix
View File

@@ -1,7 +1,11 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{pkgs, ...}: {
{
config,
pkgs,
...
}: {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
@@ -9,6 +13,7 @@
specialisation = {
"NVIDIA".configuration = {
boot.kernelParams = ["nvidia.NVreg_PreserveVideoMemoryAllocations=1"];
system.nixos.tags = ["NVIDIA"];
services.xserver.videoDrivers = ["nvidia"];
hardware.nvidia-container-toolkit.enable = true;
@@ -19,15 +24,15 @@
boot.loader.systemd-boot.enable = true;
boot.loader.systemd-boot.memtest86.enable = true;
boot.initrd.services.lvm.enable = false;
# boot.kernelModules = [];
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.extraModulePackages = with config.boot.kernelPackages; [v4l2loopback];
boot.kernelModules = ["v4l2loopback"];
boot.extraModprobeConfig = ''
options kvm_intel nested=1
options kvm_intel emulate_invalid_guest_state=0
options kvm ignore_msrs=1
options v4l2loopback exclusive_caps=1 max_buffers=2
'';
boot.blacklistedKernelModules = ["nova_core"];
# CRITICAL FIX #4: Kernel parameters to prevent nouveau from loading early
networking.hostName = "m3-ares"; # Define your hostname.
# warp-terminal update fix
@@ -60,7 +65,7 @@
# Enable the GNOME Desktop Environment.
# services.xserver.displayManager.gdm.enable = true;
# services.xserver.desktopManager.gnome.enable = true;
# displayManager.gdm.enable = true;
# Configure keymap in X11
# services.xserver.xkb.layout = "us";
# services.xserver.xkb.options = "eurosign:e,caps:escape";

2
hosts/m3-ares/default.nix
View File

@@ -44,7 +44,7 @@
extraServices = {
flatpak.enable = true;
ollama.enable = false;
ollama.enable = true;
podman.enable = true;
virtualisation.enable = true;
};

34
hosts/m3-ares/hardware.nix
View File

@@ -1,15 +1,4 @@
{
config,
pkgs,
inputs,
...
}: {
# Workaround for tuxedo-drivers module bug in unstable (nixpkgs#480391)
# The unstable module has a type error - use stable module until fix propagates
# disabledModules = [ "hardware/tuxedo-drivers.nix" ];
# imports =
# [ "${inputs.nixpkgs-stable}/nixos/modules/hardware/tuxedo-drivers.nix" ];
hardware.nvidia = {
prime = {
offload.enable = false;
@@ -26,33 +15,12 @@
open = false;
dynamicBoost.enable = true;
nvidiaSettings = true;
package = config.boot.kernelPackages.nvidiaPackages.production;
};
hardware.tuxedo-drivers.enable = true;
hardware.bluetooth.enable = true;
hardware.keyboard.zsa.enable = true;
hardware.graphics.enable = true;
services.hardware.bolt.enable = true;
services.auto-cpufreq.enable = true;
services.tlp = {
enable = true;
settings = {
START_CHARGE_THRESH_BAT0 = 75;
STOP_CHARGE_THRESH_BAT0 = 80;
};
};
environment.systemPackages = with pkgs; [tuxedo-backlight];
security.sudo.extraRules = [
{
users = ["@wheel"];
commands = [
{
command = "/run/current-system/sw/bin/set-backlight";
options = ["NOPASSWD"];
}
];
}
];
services.tlp.enable = true;
}

2
hosts/m3-ares/programs.nix
View File

@@ -28,7 +28,7 @@
programs.fish.enable = true;
programs.thunar = {
enable = true;
plugins = with pkgs; [thunar-archive-plugin thunar-volman];
plugins = with pkgs.xfce; [thunar-archive-plugin thunar-volman];
};
programs.gnupg.agent = {
enable = true;

28
hosts/m3-ares/secrets.nix
View File

@@ -1,10 +1,6 @@
{
age = {
secrets = {
anytype-key = {
file = ../../secrets/anytype-key-ares.age;
owner = "m3tam3re";
};
wg-DE = {
file = ../../secrets/wg-DE.age;
path = "/etc/wireguard/DE.conf";
@@ -25,35 +21,11 @@
file = ../../secrets/wg-BR.age;
path = "/etc/wireguard/BR.conf";
};
ref-key = {
file = ../../secrets/ref-key.age;
owner = "m3tam3re";
};
exa-key = {
file = ../../secrets/exa-key.age;
owner = "m3tam3re";
};
outline-key = {
file = ../../secrets/outline-key.age;
owner = "m3tam3re";
};
basecamp-client-id = {
file = ../../secrets/basecamp-client-id.age;
owner = "m3tam3re";
};
basecamp-client-secret = {
file = ../../secrets/basecamp-client-secret.age;
owner = "m3tam3re";
};
tailscale-key.file = ../../secrets/tailscale-key.age;
m3tam3re-secrets = {
file = ../../secrets/m3tam3re-secrets.age;
owner = "m3tam3re";
};
hermes-env = {
file = ../../secrets/hermes-env.age;
owner = "m3tam3re";
};
};
};
}

33
hosts/m3-ares/services/default.nix
View File

@@ -1,43 +1,21 @@
{pkgs, ...}: {
{
imports = [
./containers
./hermes-agent.nix
./netbird.nix
#./n8n.nix
./mem0.nix
./postgres.nix
./restic.nix
./sound.nix
./tailscale.nix
./udev.nix
./wireguard.nix
];
# console.useXkbConfig = true;
# services.xserver.xkb = {
# layout = "de,us";
# options = "ctrl:nocaps";
# };
# optional, falls du auch die TTY-Konsole deutsch willst:
services = {
hypridle.enable = true;
espanso = {
enable = true;
package = pkgs.espanso-wayland;
};
printing.enable = true;
gvfs.enable = true;
trezord.enable = true;
gnome.gnome-keyring.enable = true;
qdrant.enable = true;
# qdrant = {
# enable = true;
# settings = {
# service = {
# host = "0.0.0.0";
# };
# };
# };
upower.enable = true;
avahi = {
enable = true;
@@ -48,6 +26,11 @@
userServices = true;
};
};
displayManager.gdm.enable = true;
};
systemd.sleep.extraConfig = ''
AllowSuspend=no
AllowHibernation=no
AllowHybridSleep=no
AllowSuspendThenHibernate=no
'';
}

184
hosts/m3-ares/services/hermes-agent.nix
View File

@@ -1,184 +0,0 @@
{config, ...}: let
# Default ElevenLabs voice: Bella (German-capable female)
elevenlabsVoiceId = "hpp4J3VqNfWAUOO0d1Us";
in {
services.hermes-agent = {
enable = true;
addToSystemPackages = true;
# Secrets via agenix
environmentFiles = [config.age.secrets."hermes-env".path];
# Non-secret environment variables
environment = {
GLM_BASE_URL = "https://api.z.ai/api/coding/paas/v4/";
};
settings = {
# ── Model ──────────────────────────────────────────────────────────
model = {
default = "glm-5.1";
provider = "zai";
};
credential_pool_strategies = {
zai = "fill_first";
};
toolsets = ["all"];
# ── Agent ──────────────────────────────────────────────────────────
agent = {
max_turns = 90;
gateway_timeout = 1800;
tool_use_enforcement = "auto";
};
# ── Terminal ───────────────────────────────────────────────────────
terminal = {
backend = "ssh";
modal_mode = "auto";
cwd = ".";
timeout = 180;
persistent_shell = true;
};
# ── Browser ────────────────────────────────────────────────────────
browser = {
inactivity_timeout = 120;
command_timeout = 30;
cloud_provider = "local";
};
# ── Checkpoints / Compression ──────────────────────────────────────
checkpoints = {
enabled = true;
max_snapshots = 50;
};
file_read_max_chars = 100000;
compression = {
enabled = true;
threshold = 0.5;
target_ratio = 0.2;
protect_last_n = 20;
};
# ── Display ────────────────────────────────────────────────────────
display = {
compact = false;
personality = "kawaii";
resume_display = "full";
busy_input_mode = "interrupt";
inline_diffs = true;
skin = "default";
tool_progress = "all";
};
# ── TTS / STT / Voice ──────────────────────────────────────────────
tts = {
provider = "elevenlabs";
elevenlabs = {
voice_id = elevenlabsVoiceId;
model_id = "eleven_multilingual_v2";
};
};
stt = {
enabled = true;
provider = "local";
local = {model = "base";};
};
voice = {
record_key = "ctrl+b";
max_recording_seconds = 120;
silence_threshold = 200;
silence_duration = 3.0;
};
# ── Memory ─────────────────────────────────────────────────────────
memory = {
memory_enabled = true;
user_profile_enabled = true;
memory_char_limit = 2200;
user_char_limit = 1375;
};
# ── Delegation ─────────────────────────────────────────────────────
delegation = {
max_iterations = 50;
};
# ── Discord ────────────────────────────────────────────────────────
discord = {
require_mention = true;
auto_thread = true;
reactions = true;
};
# ── Approvals / Security ───────────────────────────────────────────
approvals = {
mode = "manual";
timeout = 60;
};
security = {
redact_secrets = true;
tirith_enabled = true;
tirith_fail_open = true;
};
# ── Cron / Session ─────────────────────────────────────────────────
cron = {wrap_response = true;};
session_reset = {
mode = "both";
idle_minutes = 1440;
at_hour = 4;
};
# ── Web ────────────────────────────────────────────────────────────
web = {backend = "exa";};
# ── Platform Toolsets ──────────────────────────────────────────────
platform_toolsets = {
cli = [
"browser"
"clarify"
"code_execution"
"cronjob"
"delegation"
"file"
"image_gen"
"memory"
"session_search"
"skills"
"terminal"
"todo"
"tts"
"vision"
"web"
];
telegram = [
"browser"
"clarify"
"code_execution"
"cronjob"
"delegation"
"file"
"image_gen"
"memory"
"session_search"
"skills"
"terminal"
"todo"
"tts"
"vision"
"web"
];
};
};
};
}

23
hosts/m3-ares/services/mem0.nix
View File

@@ -1,23 +0,0 @@
{
m3ta.mem0 = {
enable = true;
port = 8000;
host = "127.0.0.1";
# LLM Configuration
llm = {
provider = "openai";
apiKeyFile = "/var/lib/mem0/openai-api-key-1"; # Use agenix or sops-nix
};
# Vector Storage Configuration
vectorStore = {
provider = "qdrant"; # or "chroma", "pinecone", etc.
config = {
host = "localhost";
port = 6333;
collection_name = "mem0_alice";
};
};
};
}

29
hosts/m3-ares/services/netbird.nix
View File

@@ -1,29 +0,0 @@
{pkgs, ...}: {
services.netbird.enable = true;
environment.systemPackages = with pkgs; [netbird-ui];
systemd.services.netbird = {
environment = {
NB_DISABLE_SSH_CONFIG = "true";
};
path = [
pkgs.shadow
pkgs.util-linux
];
};
programs.ssh.extraConfig = ''
Match exec "${pkgs.netbird}/bin/netbird ssh detect %h %p"
PreferredAuthentications password,publickey,keyboard-interactive
PasswordAuthentication yes
PubkeyAuthentication yes
BatchMode no
ProxyCommand ${pkgs.netbird}/bin/netbird ssh proxy %h %p
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
CheckHostIP no
LogLevel ERROR
'';
networking.firewall.checkReversePath = "loose";
}

5
hosts/m3-ares/services/sound.nix
View File

@@ -1,4 +1,7 @@
{
{pkgs, ...}: {
environment.systemPackages = with pkgs; [
speechd
];
security.rtkit.enable = true;
services.pipewire = {
enable = true;

40
hosts/m3-ares/services/tailscale.nix Normal file
View File

@@ -0,0 +1,40 @@
{
config,
pkgs,
...
}: {
services.tailscale = {
enable = true;
useRoutingFeatures = "client";
};
# systemd.services.tailscale-autoconnect = {
# description = "Automatic connection to Tailscale";
# # make sure tailscale is running before trying to connect to tailscale
# after = ["network-pre.target" "tailscale.service"];
# wants = ["network-pre.target" "tailscale.service"];
# wantedBy = ["multi-user.target"];
# # set this service as a oneshot job
# serviceConfig = {
# Type = "oneshot";
# EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
# };
# # have the job run this shell script
# script = with pkgs; ''
# # wait for tailscaled to settle
# sleep 2
# # check if we are already authenticated to tailscale
# status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
# if [ $status = "Running" ]; then # if so, then do nothing
# exit 0
# fi
# # otherwise authenticate with tailscale
# ${tailscale}/bin/tailscale up --exit-node 100.88.96.77 --authkey $TAILSCALE_KEY
# '';
# };
}

6
hosts/m3-ares/services/udev.nix
View File

@@ -1,9 +1,7 @@
{pkgs, ...}: {
services.udev.extraRules = ''
SUBSYSTEM=="usb", MODE="0666"
SUBSYSTEM=="leds", KERNEL=="rgb:kbd_backlight*", ACTION=="add", RUN+="${pkgs.coreutils}/bin/chmod a+w /sys/class/leds/%k/multi_intensity"
KERNEL=="uinput", MODE="0660", GROUP="input", OPTIONS+="static_node=uinput"
KERNEL=="event*", SUBSYSTEM=="input", MODE="0660", GROUP="input" '';
SUBSYSTEM=="usb", MODE="0666
'';
environment.systemPackages = with pkgs; [
zsa-udev-rules
];

2
hosts/m3-ares/services/wireguard.nix
View File

@@ -10,7 +10,7 @@
};
NO = {
configFile = config.age.secrets.wg-NO.path;
autostart = false;
autostart = true;
};
US = {
configFile = config.age.secrets.wg-US.path;

6
hosts/m3-atlas/configuration.nix
View File

@@ -59,11 +59,7 @@
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
neovim
git
ghostty.terminfo
];
environment.systemPackages = with pkgs; [neovim git];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.

67
hosts/m3-atlas/secrets.nix
View File

@@ -1,74 +1,35 @@
{
age = {
secrets = {
baserow-env = {file = ../../secrets/baserow-env.age;};
ghost-env = {file = ../../secrets/ghost-env.age;};
kestra-config = {
file = ../../secrets/kestra-config.age;
mode = "644";
baserow-env = {
file = ../../secrets/baserow-env.age;
};
kestra-env = {file = ../../secrets/kestra-env.age;};
littlelink-m3tam3re = {file = ../../secrets/littlelink-m3tam3re.age;};
minio-root-cred = {file = ../../secrets/minio-root-cred.age;};
n8n-env = {file = ../../secrets/n8n-env.age;};
netbird-auth-secret = {
file = ../../secrets/netbird-auth-secret.age;
ghost-env = {
file = ../../secrets/ghost-env.age;
};
netbird-db-password = {
file = ../../secrets/netbird-db-password.age;
littlelink-m3tam3re = {
file = ../../secrets/littlelink-m3tam3re.age;
};
netbird-encryption-key = {
file = ../../secrets/netbird-encryption-key.age;
minio-root-cred = {
file = ../../secrets/minio-root-cred.age;
};
netbird-dashboard-env = {
file = ../../secrets/netbird-dashboard-env.age;
n8n-env = {
file = ../../secrets/n8n-env.age;
};
netbird-server-env = {
file = ../../secrets/netbird-server-env.age;
restreamer-env = {
file = ../../secrets/restreamer-env.age;
};
netbird-proxy-env = {
file = ../../secrets/netbird-proxy-env.age;
};
paperless-key = {file = ../../secrets/paperless-key.age;};
restreamer-env = {file = ../../secrets/restreamer-env.age;};
searx = {file = ../../secrets/searx.age;};
tailscale-key = {file = ../../secrets/tailscale-key.age;};
tuwunel-registration-token = {
file = ../../secrets/tuwunel-registration-token.age;
owner = "tuwunel";
searx = {
file = ../../secrets/searx.age;
};
traefik = {
file = ../../secrets/traefik.age;
owner = "traefik";
};
vaultwarden-env = {file = ../../secrets/vaultwarden-env.age;};
m3tam3re-secrets = {
file = ../../secrets/m3tam3re-secrets.age;
owner = "m3tam3re";
};
gitea-runner-token = {
file = ../../secrets/gitea-runner-token.age;
mode = "600";
owner = "gitea-runner";
group = "gitea-runner";
};
ref-key = {
file = ../../secrets/ref-key.age;
owner = "m3tam3re";
};
exa-key = {
file = ../../secrets/exa-key.age;
owner = "m3tam3re";
};
basecamp-client-id = {
file = ../../secrets/basecamp-client-id.age;
owner = "m3tam3re";
};
basecamp-client-secret = {
file = ../../secrets/basecamp-client-secret.age;
owner = "m3tam3re";
};
authentik-env = {file = ../../secrets/authentik-env.age;};
};
};
}

85
hosts/m3-atlas/services/containers/AGENTS.md
View File

@@ -1,85 +0,0 @@
# CONTAINER SERVICES (m3-atlas)
**Container orchestration with Podman + Traefik reverse proxy**
## OVERVIEW
11 containerized services on dedicated `web` network (10.89.0.0/24) with Traefik SSL termination.
## STRUCTURE
```
containers/
├── default.nix # Network setup + service imports
├── baserow.nix # 10.89.0.10 - No-code database
├── ghost.nix # 10.89.0.11 - Blog platform
├── kestra.nix # 10.89.0.12 - Workflow orchestration
├── littlelink.nix # 10.89.0.13 - Link aggregator
├── matomo.nix # 10.89.0.14 - Analytics
├── restreamer.nix # 10.89.0.15 - Video streaming
├── slash.nix # 10.89.0.16 - Link shortener
└── slash-nemoti.nix # 10.89.0.17 - Personal link shortener
```
## WHERE TO LOOK
| Task | Action | Notes |
|------|--------|-------|
| Add container | Copy existing .nix, increment IP | Must update default.nix imports |
| Fix networking | Check IP conflicts in 10.89.0.0/24 | Gateway always 10.89.0.1 |
| Debug Traefik | Check router rules in service file | Domain must match DNS |
| Access database | Use `--add-host=mysql:10.89.0.1` | Gateway IP for host services |
## CONVENTIONS
### Container Definition Template
```nix
virtualisation.oci-containers.containers.<name> = {
image = "registry/image:tag";
ports = ["127.0.0.1:<external>:<internal>"];
volumes = ["/var/lib/<service>:/data"];
environmentFiles = [config.age.secrets.<name>-env.path];
extraOptions = [
"--network=web"
"--ip=10.89.0.<sequential>"
"--add-host=mysql:10.89.0.1" # If DB needed
];
};
```
### Traefik Integration
```nix
services.traefik.dynamicConfigOptions.http = {
services.<name>.loadBalancer.servers = [{
url = "http://127.0.0.1:<port>";
}];
routers.<name> = {
rule = "Host(`<subdomain>.m3ta.dev`)";
service = "<name>";
tls.certResolver = "godaddy";
};
# Legacy redirect (if needed)
routers.<name>-old = {
rule = "Host(`<subdomain>.m3tam3re.com`)";
service = "<name>";
middlewares = ["redirect-m3ta"];
};
};
```
### IP Allocation
- **10.89.0.1**: Gateway (host)
- **10.89.0.10-17**: Assigned containers
- **10.89.0.18+**: Available for new services
## ANTI-PATTERNS
- **DON'T** expose ports publicly - bind to 127.0.0.1 only
- **DON'T** skip static IP assignment - routing breaks without it
- **DON'T** hardcode secrets - use age-encrypted env files
- **DON'T** forget to add imports to default.nix
## NOTES
- Network created via activation script in default.nix
- All services behind Traefik - no direct external access
- MySQL/PostgreSQL run on host, accessed via gateway IP
- Secrets pattern: `<service>-env.age` with environment variables

67
hosts/m3-atlas/services/containers/authentik.nix
View File

@@ -1,67 +0,0 @@
{config, ...}: let
image = "ghcr.io/goauthentik/server:2026.2.0";
serverIp = "10.89.0.22";
workerIp = "10.89.0.23";
postgresHost = "10.89.0.1";
postgresPort = config.m3ta.ports.get "postgres";
authentikPort = config.m3ta.ports.get "authentik";
sharedEnv = {
AUTHENTIK_POSTGRESQL__HOST = postgresHost;
AUTHENTIK_POSTGRESQL__PORT = toString postgresPort;
AUTHENTIK_POSTGRESQL__USER = "authentik";
AUTHENTIK_POSTGRESQL__NAME = "authentik";
};
in {
virtualisation.oci-containers.containers = {
"authentik-server" = {
inherit image;
cmd = ["server"];
environment = sharedEnv;
environmentFiles = [config.age.secrets.authentik-env.path];
ports = ["127.0.0.1:${toString authentikPort}:9000"];
volumes = [
"authentik_media:/media"
"authentik_templates:/templates"
];
extraOptions = [
"--add-host=postgres:${postgresHost}"
"--ip=${serverIp}"
"--network=web"
];
};
"authentik-worker" = {
inherit image;
cmd = ["worker"];
user = "root";
environment = sharedEnv;
environmentFiles = [config.age.secrets.authentik-env.path];
volumes = [
"authentik_media:/media"
"authentik_certs:/certs"
"authentik_templates:/templates"
];
extraOptions = [
"--add-host=postgres:${postgresHost}"
"--ip=${workerIp}"
"--network=web"
];
};
};
services.traefik.dynamicConfigOptions.http = {
services.authentik.loadBalancer.servers = [
{url = "http://localhost:${toString authentikPort}/";}
];
routers.authentik = {
rule = "Host(`auth.m3ta.dev`)";
tls = {certResolver = "godaddy";};
service = "authentik";
entrypoints = "websecure";
};
};
}

15
hosts/m3-atlas/services/containers/baserow.nix
View File

@@ -1,8 +1,8 @@
{config, ...}: {
virtualisation.oci-containers.containers."baserow" = {
image = "docker.io/baserow/baserow:2.0.6";
image = "docker.io/baserow/baserow:1.31.1";
environmentFiles = [config.age.secrets.baserow-env.path];
ports = ["127.0.0.1:${toString (config.m3ta.ports.get "baserow")}:80"];
ports = ["127.0.0.1:3001:80"];
volumes = ["baserow_data:/baserow/data"];
extraOptions = ["--add-host=postgres:10.89.0.1" "--ip=10.89.0.10" "--network=web"];
};
@@ -10,26 +10,17 @@
services.traefik.dynamicConfigOptions.http = {
services.baserow.loadBalancer.servers = [
{
url = "http://localhost:${toString (config.m3ta.ports.get "baserow")}/";
url = "http://localhost:3001/";
}
];
routers.baserow = {
rule = "Host(`br.m3ta.dev`)";
tls = {
certResolver = "godaddy";
};
service = "baserow";
entrypoints = "websecure";
};
routers.baserow-old = {
rule = "Host(`br.m3tam3re.com`)";
tls = {
certResolver = "godaddy";
};
service = "baserow";
entrypoints = "websecure";
middlewares = ["subdomain-redirect"];
};
};
}

7
hosts/m3-atlas/services/containers/default.nix
View File

@@ -2,16 +2,11 @@
imports = [
./baserow.nix
./ghost.nix
./kestra.nix
./littlelink.nix
./matomo.nix
./netbird.nix
# ./n8n.nix
# ./pangolin.nix
./n8n.nix
./restreamer.nix
./slash.nix
./slash-nemoti.nix
./authentik.nix
];
system.activationScripts.createPodmanNetworkWeb = lib.mkAfter ''
if ! /run/current-system/sw/bin/podman network exists web; then

17
hosts/m3-atlas/services/containers/ghost.nix
View File

@@ -1,6 +1,6 @@
{config, ...}: {
virtualisation.oci-containers.containers."ghost" = {
image = "docker.io/ghost:latest";
image = "docker.io/ghost:5.106.1";
environmentFiles = [config.age.secrets.ghost-env.path];
ports = ["127.0.0.1:3002:2368"];
volumes = ["ghost_data:/var/lib/ghost/content"];
@@ -13,25 +13,14 @@
url = "http://localhost:3002/";
}
];
routers = {
ghost = {
rule = "Host(`m3ta.dev`) || Host(`www.m3ta.dev`)";
tls = {
certResolver = "godaddy";
};
service = "ghost";
entrypoints = "websecure";
middlewares = ["strip-www"];
};
ghost-old = {
routers.ghost = {
rule = "Host(`www.m3tam3re.com`)";
tls = {
certResolver = "godaddy";
};
service = "ghost";
entrypoints = "websecure";
middlewares = ["domain-redirect"];
};
};
};
}

32
hosts/m3-atlas/services/containers/kestra.nix
View File

@@ -1,32 +0,0 @@
{config, ...}: {
virtualisation.oci-containers.containers."kestra" = {
image = "docker.io/kestra/kestra:latest";
environmentFiles = [config.age.secrets.kestra-env.path];
cmd = ["server" "standalone" "--config" "/etc/config/application.yaml"];
ports = ["127.0.0.1:3018:8080"];
user = "root";
volumes = [
"/var/run/docker.sock:/var/run/docker.sock"
"${config.age.secrets.kestra-config.path}:/etc/config/application.yaml"
"kestra_data:/app/storage"
"/tmp/kestra-wd:/tmp/kestra-wd"
];
extraOptions = ["--add-host=postgres:10.89.0.1" "--ip=10.89.0.18" "--network=web"];
};
systemd.tmpfiles.rules = [
"d /tmp/kestra-wd 0750 1000 1000 - -"
];
# Traefik configuration specific to littlelink
services.traefik.dynamicConfigOptions.http = {
services.kestra.loadBalancer.servers = [{url = "http://localhost:3018/";}];
routers.kestra = {
rule = "Host(`k.m3ta.dev`)";
tls = {certResolver = "godaddy";};
service = "kestra";
entrypoints = "websecure";
};
};
}

2
hosts/m3-atlas/services/containers/littlelink.nix
View File

@@ -3,7 +3,7 @@
image = "ghcr.io/techno-tim/littlelink-server";
environmentFiles = [config.age.secrets.littlelink-m3tam3re.path];
ports = ["127.0.0.1:3004:3000"];
extraOptions = ["--ip=10.89.0.4" "--network=web"];
extraOptions = ["--ip=10.89.0.12" "--network=web"];
};
# Traefik configuration specific to littlelink
services.traefik.dynamicConfigOptions.http = {

244
hosts/m3-atlas/services/containers/netbird.nix
View File

@@ -1,244 +0,0 @@
{
config,
pkgs,
...
}: let
serviceName = "netbird";
stunPort = config.m3ta.ports.get "netbird-stun";
proxyTlsPort = config.m3ta.ports.get "netbird-proxy";
metricsPort = config.m3ta.ports.get "netbird-metrics";
healthPort = config.m3ta.ports.get "netbird-health";
postgresPort = config.m3ta.ports.get "postgres";
wireguardPort = config.m3ta.ports.get "wireguard";
domain = "v.m3ta.dev";
proxyDomain = "p.m3ta.dev";
ipBase = "10.89.0";
ipOffset = 50;
dashboardIp = "${ipBase}.${toString ipOffset}";
serverIp = "${ipBase}.${toString (ipOffset + 1)}";
proxyIp = "${ipBase}.${toString (ipOffset + 2)}";
# Database configuration
dbName = "netbird";
dbUser = "netbird";
dbHost = "${ipBase}.1";
# NetBird config as Nix attribute set
netbirdConfig = {
server = {
listenAddress = ":80";
exposedAddress = "https://${domain}:443";
stunPorts = [stunPort];
metricsPort = metricsPort;
healthcheckAddress = ":${toString healthPort}";
logLevel = "info";
logFile = "console";
dataDir = "/var/lib/netbird";
auth = {
issuer = "https://${domain}/oauth2";
localAuthDisabled = true;
signKeyRefreshEnabled = true;
dashboardRedirectURIs = [
"https://${domain}/nb-auth"
"https://${domain}/nb-silent-auth"
];
cliRedirectURIs = ["http://localhost:53000/"];
};
reverseProxy = {
trustedHTTPProxies = ["${ipBase}.1/32"];
};
# Proxy feature
proxy = {
enabled = true;
domain = proxyDomain;
};
store = {
engine = "postgres";
postgres = {
host = dbHost;
port = postgresPort;
database = dbName;
username = dbUser;
};
};
};
};
# Generate YAML from Nix attribute set
yamlFormat = pkgs.formats.yaml {};
configYamlBase = yamlFormat.generate "netbird-config-base.yaml" netbirdConfig;
# Script that injects secrets at runtime
configGenScript = pkgs.writeShellScript "netbird-gen-config" ''
set -euo pipefail
AUTH_SECRET=$(cat "$1")
DB_PASSWORD=$(cat "$2")
ENCRYPTION_KEY=$(cat "$3")
${pkgs.yq-go}/bin/yq eval "
.server.authSecret = \"$AUTH_SECRET\" |
.server.store.encryptionKey = \"$ENCRYPTION_KEY\" |
.server.store.postgres.password = \"$DB_PASSWORD\"
" ${configYamlBase}
'';
in {
age.secrets."${serviceName}-auth-secret".file = ../../../../secrets/${serviceName}-auth-secret.age;
age.secrets."${serviceName}-db-password".file = ../../../../secrets/${serviceName}-db-password.age;
age.secrets."${serviceName}-encryption-key".file = ../../../../secrets/${serviceName}-encryption-key.age;
age.secrets."${serviceName}-dashboard-env".file = ../../../../secrets/${serviceName}-dashboard-env.age;
age.secrets."${serviceName}-server-env".file = ../../../../secrets/${serviceName}-server-env.age;
age.secrets."${serviceName}-proxy-env".file = ../../../../secrets/${serviceName}-proxy-env.age;
# Oneshot systemd service that generates the config with injected secrets
systemd.services."${serviceName}-config" = {
description = "Generate NetBird config with secrets";
wantedBy = ["multi-user.target"];
before = ["podman-${serviceName}-server.service"];
requiredBy = ["podman-${serviceName}-server.service"];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = pkgs.writeShellScript "netbird-write-config" ''
mkdir -p /var/lib/${serviceName}
${configGenScript} \
${config.age.secrets."${serviceName}-auth-secret".path} \
${config.age.secrets."${serviceName}-db-password".path} \
${config.age.secrets."${serviceName}-encryption-key".path} \
> /var/lib/${serviceName}/config.yaml
chmod 600 /var/lib/${serviceName}/config.yaml
'';
};
};
virtualisation.oci-containers.containers = {
"${serviceName}-dashboard" = {
image = "netbirdio/dashboard:latest";
autoStart = true;
environmentFiles = [config.age.secrets."${serviceName}-dashboard-env".path];
extraOptions = [
"--ip=${dashboardIp}"
"--network=web"
];
};
"${serviceName}-server" = {
image = "netbirdio/netbird-server:latest";
autoStart = true;
ports = ["${toString stunPort}:${toString stunPort}/udp"];
environmentFiles = [config.age.secrets."${serviceName}-server-env".path];
volumes = [
"${serviceName}_data:/var/lib/netbird"
"/var/lib/${serviceName}/config.yaml:/etc/netbird/config.yaml:ro"
];
cmd = ["--config" "/etc/netbird/config.yaml"];
extraOptions = [
"--ip=${serverIp}"
"--network=web"
];
};
"${serviceName}-proxy" = {
image = "netbirdio/reverse-proxy:latest";
autoStart = true;
ports = ["${toString wireguardPort}:${toString wireguardPort}/udp"];
volumes = [
"${serviceName}_proxy_certs:/certs"
];
environmentFiles = [config.age.secrets."${serviceName}-proxy-env".path];
cmd = [
"--domain=${proxyDomain}"
"--mgmt=https://${domain}:443"
"--addr=:${toString proxyTlsPort}"
"--cert-dir=/certs"
"--acme-certs"
"--trusted-proxies=${ipBase}.1/32"
];
dependsOn = ["${serviceName}-server"];
extraOptions = [
"--ip=${proxyIp}"
"--network=web"
];
};
};
services.traefik.dynamicConfigOptions = {
# HTTP services and routers
http = {
services = {
"${serviceName}-dashboard".loadBalancer.servers = [
{url = "http://${dashboardIp}:80/";}
];
"${serviceName}-server".loadBalancer.servers = [
{url = "http://${serverIp}:80/";}
];
"${serviceName}-server-h2c".loadBalancer.servers = [
{url = "h2c://${serverIp}:80";}
];
};
routers = {
# gRPC (Signal + Management)
"${serviceName}-grpc" = {
rule = "Host(`${domain}`) && (PathPrefix(`/signalexchange.SignalExchange/`) || PathPrefix(`/management.ManagementService/`) || PathPrefix(`/management.ProxyService/`))";
entrypoints = "websecure";
tls.certResolver = "godaddy";
service = "${serviceName}-server-h2c";
priority = 100;
};
# Backend (relay, WebSocket, API, OAuth2)
"${serviceName}-backend" = {
rule = "Host(`${domain}`) && (PathPrefix(`/relay`) || PathPrefix(`/ws-proxy/`) || PathPrefix(`/api`) || PathPrefix(`/oauth2`))";
entrypoints = "websecure";
tls.certResolver = "godaddy";
service = "${serviceName}-server";
priority = 100;
};
# Dashboard (catch-all, lowest priority)
"${serviceName}-dashboard" = {
rule = "Host(`${domain}`)";
entrypoints = "websecure";
tls.certResolver = "godaddy";
service = "${serviceName}-dashboard";
priority = 1;
};
};
};
# TCP for proxy TLS passthrough
tcp = {
services."${serviceName}-proxy-tls".loadBalancer.servers = [
{address = "${proxyIp}:${toString proxyTlsPort}";}
];
routers."${serviceName}-proxy-passthrough" = {
entryPoints = ["websecure"];
rule = "HostSNI(`*`)";
service = "${serviceName}-proxy-tls";
priority = 1;
tls.passthrough = true;
};
};
# ServersTransport for Proxy Protocol v2 (optional)
serversTransports."pp-v2" = {
proxyProtocol.version = 2;
};
};
networking.firewall.allowedUDPPorts = [
stunPort # STUN
wireguardPort # WireGuard for proxy
];
}

8
hosts/m3-atlas/services/containers/restreamer.nix
View File

@@ -4,7 +4,7 @@
environmentFiles = [config.age.secrets.restreamer-env.path];
# Modified ports to include RTMPS
ports = [
"127.0.0.1:${toString (config.m3ta.ports.get "restreamer")}:8080" # Web UI
"127.0.0.1:3006:8080" # Web UI
"127.0.0.1:1936:1935" # RTMP
];
volumes = [
@@ -20,12 +20,12 @@
http = {
services.restreamer.loadBalancer.servers = [
{
url = "http://localhost:${toString (config.m3ta.ports.get "restreamer")}/";
url = "http://localhost:3006/";
}
];
routers.restreamer = {
rule = "Host(`stream.m3ta.dev`)";
rule = "Host(`stream.m3tam3re.com`)";
tls = {
certResolver = "godaddy";
};
@@ -70,6 +70,6 @@
# Firewall configuration
networking.firewall = {
allowedTCPPorts = [1935 1945];
allowedTCPPorts = [80 443 1935 1945];
};
}

27
hosts/m3-atlas/services/containers/slash-nemoti.nix
View File

@@ -1,27 +0,0 @@
{
virtualisation.oci-containers.containers."slash-nemoti" = {
image = "docker.io/yourselfhosted/slash:latest";
ports = ["127.0.0.1:3016:5231"];
volumes = [
"slash-nemoti_data:/var/opt/slash"
];
extraOptions = ["--ip=10.89.0.17" "--network=web"];
};
# Traefik configuration specific to littlelink
services.traefik.dynamicConfigOptions.http = {
services.slash-nemoti.loadBalancer.servers = [
{
url = "http://localhost:3016/";
}
];
routers.slash-nemoti = {
rule = "Host(`l.nemoti.art`)";
tls = {
certResolver = "godaddy";
};
service = "slash-nemoti";
entrypoints = "websecure";
};
};
}

8
hosts/m3-atlas/services/default.nix
View File

@@ -1,18 +1,14 @@
{
imports = [
./tuwunel.nix
./containers
./gitea.nix
./gitea-actions-runner.nix
./headscale.nix
./minio.nix
./mysql.nix
./netbird.nix
./n8n.nix
./paperless.nix
./postgres.nix
./searx.nix
./tailscale.nix
./traefik.nix
./vaultwarden.nix
./wastebin.nix
];
}

57
hosts/m3-atlas/services/gitea-actions-runner.nix
View File

@@ -1,57 +0,0 @@
{
config,
pkgs,
...
}: {
services.gitea-actions-runner = {
instances.default = {
enable = true;
name = "${config.networking.hostName}-runner";
url = "https://code.m3ta.dev";
tokenFile = config.age.secrets.gitea-runner-token.path;
# nixos:host is primary, ubuntu is fallback
labels = [
"nixos:host"
];
# Host execution packages
hostPackages = with pkgs; [
bash
curl
coreutils
git
jq
nix
nix-update
nodejs
# Add any other tools you need for nix-update workflows
];
# Advanced settings
settings = {
runner = {
capacity = 4; # One job at a time (increase if you have resources)
timeout = "4h"; # Nix builds can take a while
};
cache = {enabled = true;};
container = {
enable_ipv6 = true;
privileged = false;
};
};
};
};
# User management (auto-created by module, but ensuring proper setup)
users.users.gitea-runner = {
home = "/var/lib/gitea-runner";
group = "gitea-runner";
isSystemUser = true;
createHome = true;
};
users.groups.gitea-runner = {};
# Firewall: Allow Podman bridge networks for cache actions
networking.firewall.trustedInterfaces = ["br-+"];
}

19
hosts/m3-atlas/services/gitea.nix
View File

@@ -1,12 +1,8 @@
{config, ...}: {
{
services.gitea = {
enable = true;
settings = {
server = {
ROOT_URL = "https://code.m3ta.dev";
HTTP_PORT = config.m3ta.ports.get "gitea";
};
mailer.SENDMAIL_PATH = "/run/wrappers/bin/sendmail";
server.ROOT_URL = "https://code.m3tam3re.com";
service.DISABLE_REGISTRATION = true;
};
lfs.enable = true;
@@ -21,26 +17,17 @@
services.traefik.dynamicConfigOptions.http = {
services.gitea.loadBalancer.servers = [
{
url = "http://localhost:${toString (config.m3ta.ports.get "gitea")}/";
url = "http://localhost:3000/";
}
];
routers.gitea = {
rule = "Host(`code.m3ta.dev`)";
tls = {
certResolver = "godaddy";
};
service = "gitea";
entrypoints = "websecure";
};
routers.gitea-old = {
rule = "Host(`code.m3tam3re.com`)";
tls = {
certResolver = "godaddy";
};
service = "gitea";
entrypoints = "websecure";
middlewares = ["subdomain-redirect"];
};
};
}

33
hosts/m3-atlas/services/headscale.nix Normal file
View File

@@ -0,0 +1,33 @@
{
services = {
headscale = {
enable = true;
port = 3009;
settings = {
server_url = "https://va.m3tam3re.com";
dns = {
base_domain = "m3tam3re.loc";
};
logtail.enabled = false;
};
};
};
# Traefik configuration specific to
services.traefik.dynamicConfigOptions.http = {
services.headscale.loadBalancer.servers = [
{
url = "http://localhost:3009/";
}
];
routers.headscale = {
rule = "Host(`va.m3tam3re.com`)";
tls = {
certResolver = "godaddy";
};
service = "headscale";
entrypoints = "websecure";
};
};
}

191
hosts/m3-atlas/services/hermes-agent.nix
View File

@@ -1,191 +0,0 @@
{config, ...}: let
# Default ElevenLabs voice: Bella (German-capable female)
elevenlabsVoiceId = "hpp4J3VqNfWAUOO0d1Us";
in {
services.hermes-agent = {
enable = true;
addToSystemPackages = true;
# Secrets via agenix
environmentFiles = [config.age.secrets."hermes-env".path];
# Non-secret environment variables
environment = {
#
};
# ── Container mode (podman) ──────────────────────────────────────────
container = {
enable = true;
backend = "podman";
};
settings = {
# ── Model ──────────────────────────────────────────────────────────
model = {
default = "glm-5.1";
provider = "zai";
base_url = "https://api.z.ai/api/coding/paas/v4/";
};
credential_pool_strategies = {
zai = "fill_first";
};
toolsets = ["all"];
# ── Agent ──────────────────────────────────────────────────────────
agent = {
max_turns = 90;
gateway_timeout = 1800;
tool_use_enforcement = "auto";
};
# ── Terminal ───────────────────────────────────────────────────────
terminal = {
backend = "local";
modal_mode = "auto";
cwd = ".";
timeout = 180;
persistent_shell = true;
};
# ── Browser ────────────────────────────────────────────────────────
browser = {
inactivity_timeout = 120;
command_timeout = 30;
cloud_provider = "local";
};
# ── Checkpoints / Compression ──────────────────────────────────────
checkpoints = {
enabled = true;
max_snapshots = 50;
};
file_read_max_chars = 100000;
compression = {
enabled = true;
threshold = 0.5;
target_ratio = 0.2;
protect_last_n = 20;
};
# ── Display ────────────────────────────────────────────────────────
display = {
compact = false;
personality = "kawaii";
resume_display = "full";
busy_input_mode = "interrupt";
inline_diffs = true;
skin = "default";
tool_progress = "all";
};
# ── TTS / STT / Voice ──────────────────────────────────────────────
tts = {
provider = "elevenlabs";
elevenlabs = {
voice_id = elevenlabsVoiceId;
model_id = "eleven_multilingual_v2";
};
};
stt = {
enabled = true;
provider = "local";
local = {model = "base";};
};
voice = {
record_key = "ctrl+b";
max_recording_seconds = 120;
silence_threshold = 200;
silence_duration = 3.0;
};
# ── Memory ─────────────────────────────────────────────────────────
memory = {
memory_enabled = true;
user_profile_enabled = true;
memory_char_limit = 2200;
user_char_limit = 1375;
};
# ── Delegation ─────────────────────────────────────────────────────
delegation = {
max_iterations = 50;
};
# ── Discord ────────────────────────────────────────────────────────
discord = {
require_mention = true;
auto_thread = true;
reactions = true;
};
# ── Approvals / Security ───────────────────────────────────────────
approvals = {
mode = "manual";
timeout = 60;
};
security = {
redact_secrets = true;
tirith_enabled = true;
tirith_fail_open = true;
};
# ── Cron / Session ─────────────────────────────────────────────────
cron = {wrap_response = true;};
session_reset = {
mode = "both";
idle_minutes = 1440;
at_hour = 4;
};
# ── Web ────────────────────────────────────────────────────────────
web = {backend = "exa";};
# ── Platform Toolsets ──────────────────────────────────────────────
platform_toolsets = {
cli = [
"browser"
"clarify"
"code_execution"
"cronjob"
"delegation"
"file"
"image_gen"
"memory"
"session_search"
"skills"
"terminal"
"todo"
"tts"
"vision"
"web"
];
telegram = [
"browser"
"clarify"
"code_execution"
"cronjob"
"delegation"
"file"
"image_gen"
"memory"
"session_search"
"skills"
"terminal"
"todo"
"tts"
"vision"
"web"
];
};
};
};
}

7
hosts/m3-atlas/services/mysql.nix
View File

@@ -18,10 +18,5 @@
calendar = "03:00:00";
databases = ["ghost" "matomo"];
};
networking.firewall = {
extraCommands = ''
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -s 10.89.0.0/24 --dport 3306 -j ACCEPT
'';
};
networking.firewall.allowedTCPPorts = [3306];
}

34
hosts/m3-atlas/services/n8n.nix
View File

@@ -1,34 +0,0 @@
{
config,
lib,
...
}: {
services.n8n = {
enable = true;
environment.WEBHOOK_URL = "https://wf.m3tam3re.com";
};
# Temporary fix for upstream module
systemd.services.n8n.serviceConfig.LoadCredential = lib.mkForce [];
systemd.services.n8n.environment.N8N_RUNNERS_AUTH_TOKEN_FILE = lib.mkForce null;
systemd.services.n8n.serviceConfig = {
EnvironmentFile = ["${config.age.secrets.n8n-env.path}"];
};
# Traefik configuration specific to n8n
services.traefik.dynamicConfigOptions.http = {
services.n8n.loadBalancer.servers = [
{
url = "http://localhost:5678/";
}
];
routers.n8n = {
rule = "Host(`wf.m3ta.dev`)";
tls = {
certResolver = "godaddy";
};
service = "n8n";
entrypoints = "websecure";
};
};
}

28
hosts/m3-atlas/services/netbird.nix
View File

@@ -1,28 +0,0 @@
{pkgs, ...}: {
services.netbird.enable = true;
systemd.services.netbird = {
environment = {
NB_DISABLE_SSH_CONFIG = "true";
};
path = [
pkgs.shadow
pkgs.util-linux
];
};
programs.ssh.extraConfig = ''
Match exec "${pkgs.netbird}/bin/netbird ssh detect %h %p"
PreferredAuthentications password,publickey,keyboard-interactive
PasswordAuthentication yes
PubkeyAuthentication yes
BatchMode no
ProxyCommand ${pkgs.netbird}/bin/netbird ssh proxy %h %p
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
CheckHostIP no
LogLevel ERROR
'';
networking.firewall.checkReversePath = "loose";
}

40
hosts/m3-atlas/services/paperless.nix
View File

@@ -1,40 +0,0 @@
{config, ...}: {
services.paperless = {
enable = true;
port = config.m3ta.ports.get "paperless";
database.createLocally = true;
passwordFile = config.age.secrets.paperless-key.path;
configureTika = true;
settings = {
PAPERLESS_URL = "https://pl.m3ta.dev";
DATABASE_URL = "postgresql://paperless:paperless@127.0.0.1:${toString (config.m3ta.ports.get "postgres")}/paperless";
PAPERLESS_CONSUMER_IGNORE_PATTERN = [
".DS_STORE/*"
"desktop.ini"
".env"
];
PAPERLESS_OCR_LANGUAGE = "deu+eng";
PAPERLESS_OCR_USER_ARGS = {
optimize = 1;
pdfa_image_compression = "lossless";
};
};
};
# Traefik configuration for headscale
services.traefik.dynamicConfigOptions.http = {
services.paperless.loadBalancer.servers = [
{
url = "http://localhost:${toString (config.m3ta.ports.get "paperless")}/";
}
];
routers.paperless = {
rule = "Host(`pl.m3ta.dev`)";
tls = {
certResolver = "godaddy";
};
service = "paperless";
entrypoints = "websecure";
};
};
}

51
hosts/m3-atlas/services/postgres.nix
View File

@@ -1,49 +1,24 @@
{
pkgs,
config,
...
}: {
{pkgs, ...}: {
services.postgresql = {
enable = true;
enableTCPIP = true;
package = pkgs.postgresql_17;
extensions = with pkgs.postgresql17Packages; [
pgvector
];
package = pkgs.postgresql_15;
authentication = pkgs.lib.mkOverride 10 ''
# Local connections (Unix socket)
local all postgres peer
local paperless paperless scram-sha-256
# Localhost connections (IPv4 and IPv6)
host all postgres 127.0.0.1/32 scram-sha-256
host all postgres ::1/128 scram-sha-256
host outline outline 127.0.0.1/32 scram-sha-256
host outline outline ::1/128 scram-sha-256
host paperless paperless 127.0.0.1/32 scram-sha-256
host paperless paperless ::1/128 scram-sha-256
# Podman network connections for Baserow
host baserow baserow 10.89.0.0/24 scram-sha-256
host kestra kestra 10.89.0.0/24 scram-sha-256
host netbird netbird 10.89.0.0/24 scram-sha-256
host authentik authentik 10.89.0.0/24 scram-sha-256
# Deny all other connections
local all all reject
host all all 0.0.0.0/0 reject
host all all ::/0 reject
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
host all all 10.89.0.0/16 trust
'';
initialScript = pkgs.writeText "backend-initScript" ''
CREATE USER baserow WITH ENCRYPTED PASSWORD 'baserow';
CREATE DATABASE baserow;
ALTER DATABASE baserow OWNER to baserow;
'';
};
services.postgresqlBackup = {
enable = true;
startAt = "03:10:00";
databases = ["baserow" "paperless" "kestra" "authentik" "netbird"];
};
networking.firewall = {
extraCommands = ''
iptables -A INPUT -p tcp -s 127.0.0.1 --dport ${toString (config.m3ta.ports.get "postgres")} -j ACCEPT
iptables -A INPUT -p tcp -s 10.89.0.0/24 --dport ${toString (config.m3ta.ports.get "postgres")} -j ACCEPT
'';
databases = ["baserow"];
};
networking.firewall.allowedTCPPorts = [5432];
}

9
hosts/m3-atlas/services/searx.nix
View File

@@ -17,21 +17,12 @@
];
routers.searx = {
rule = "Host(`search.m3ta.dev`)";
tls = {
certResolver = "godaddy";
};
service = "searx";
entrypoints = "websecure";
};
routers.searx-old = {
rule = "Host(`search.m3tam3re.com`)";
tls = {
certResolver = "godaddy";
};
service = "searx";
entrypoints = "websecure";
middlewares = ["subdomain-redirect"];
};
};
}

9
hosts/m3-atlas/services/tailscale.nix Normal file
View File

@@ -0,0 +1,9 @@
{
services.tailscale = {
enable = true;
useRoutingFeatures = "both";
};
networking.firewall = {
trustedInterfaces = ["tailscale0"];
};
}

33
hosts/m3-atlas/services/traefik.nix
View File

@@ -12,10 +12,7 @@
dnsChallenge = {
provider = "godaddy";
resolvers = ["1.1.1.1:53" "8.8.8.8:53"];
propagation = {
delayBeforeChecks = 60;
disableChecks = true;
};
propagation.delayBeforeChecks = 60;
};
};
};
@@ -42,35 +39,7 @@
};
dynamicConfigOptions = {
http = {
services = {
dummy = {
loadBalancer.servers = [
{url = "http://192.168.0.1";} # Diese URL wird nie verwendet
];
};
};
middlewares = {
domain-redirect = {
redirectRegex = {
regex = "^https://www\\.m3tam3re\\.com(.*)";
replacement = "https://m3ta.dev$1";
permanent = true;
};
};
strip-www = {
redirectRegex = {
regex = "^https://www\\.(.+)";
replacement = "https://$1";
permanent = true;
};
};
subdomain-redirect = {
redirectRegex = {
regex = "^https://([a-zA-Z0-9-]+)\\.m3tam3re\\.com(.*)";
replacement = "https://$1.m3ta.dev$2";
permanent = true;
};
};
auth = {
basicAuth = {
users = ["m3tam3re:$apr1$1xqdta2b$DIVNvvp5iTUGNccJjguKh."];

50
hosts/m3-atlas/services/tuwunel.nix
View File

@@ -1,50 +0,0 @@
{config, ...}: let
# Tuwunel uses a list for ports
tuwunel-port = config.m3ta.ports.get "tuwunel";
in {
services.matrix-tuwunel = {
enable = true;
settings.global = {
server_name = "m3ta.dev";
address = ["127.0.0.1"];
port = [tuwunel-port];
max_request_size = 20000000;
allow_registration = true;
registration_token_file = config.age.secrets."tuwunel-registration-token".path;
allow_encryption = true;
allow_federation = true;
trusted_servers = ["matrix.org"];
};
};
# Traefik configuration for Tuwunel
services.traefik.dynamicConfigOptions.http = {
services.tuwunel.loadBalancer.servers = [
{
url = "http://localhost:${toString tuwunel-port}/";
}
];
routers.tuwunel = {
rule = "Host(`matrix.m3ta.dev`)";
tls = {
certResolver = "godaddy";
};
service = "tuwunel";
entrypoints = "websecure";
};
# Federation endpoint on base domain
routers.tuwunel-federation = {
rule = "Host(`m3ta.dev`) && PathPrefix(`/_matrix`)";
tls = {
certResolver = "godaddy";
};
service = "tuwunel";
entrypoints = "websecure";
};
};
# Open federation port
networking.firewall.allowedTCPPorts = [8448];
}

29
hosts/m3-atlas/services/vaultwarden.nix
View File

@@ -1,29 +0,0 @@
{config, ...}: {
services.vaultwarden = {
enable = true;
backupDir = "/var/backup/vaultwarden";
config = {
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 3013;
};
environmentFile = "${config.age.secrets.vaultwarden-env.path}";
};
# Traefik configuration for headscale
services.traefik.dynamicConfigOptions.http = {
services.vaultwarden.loadBalancer.servers = [
{
url = "http://localhost:3013/";
}
];
routers.vaultwarden = {
rule = "Host(`vw.m3ta.dev`)";
tls = {
certResolver = "godaddy";
};
service = "vaultwarden";
entrypoints = "websecure";
};
};
}

Some files were not shown because too many files have changed in this diff Show More