first commit

2026-05-04 19:38:05 +02:00
commit 8e921a05d8
85 changed files with 5524 additions and 0 deletions


@@ -0,0 +1,165 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{
config,
pkgs,
...
}: {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
];
# Bootloader.
boot.loader.systemd-boot.enable = true;
boot.initrd.kernelModules = ["amdgpu" "hid_asus"];
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelParams = ["pcie_aspm=off" "pcie_port_pm=off"];
boot.extraModprobeConfig = ''
options hid_asus enable_touchpad=1
options mt7925e disable_aspm=1
options mt7925_common disable_clc=1
'';
services.xserver.videoDrivers = ["amdgpu"];
security.polkit.enable = true;
security.pam.services.gdm.enableGnomeKeyring = true;
networking = {
wireless.iwd = {
enable = true;
settings = {
Settings = {
Timers = "DefaultRoamThreshold=30";
};
General = {
AddressRandomization = "network";
};
};
};
networkmanager = {
enable = true;
wifi = {
backend = "iwd";
powersave = false;
};
};
hostName = "AZ-LT-NIX";
};
systemd.services.disable-wifi-powersave = {
description = "Disable WiFi power save";
after = ["network-online.target" "iwd.service"];
wants = ["network-online.target"];
wantedBy = ["multi-user.target"];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = ''
${pkgs.bash}/bin/bash -c 'for i in {1..30}; do \
${pkgs.iw}/bin/iw dev wlan0 set power_save off 2>/dev/null && exit 0; \
sleep 1; \
done; exit 1'
'';
Restart = "on-failure";
RestartSec = "10s";
};
};
# Define your hostname.
# warp-terminal update fix
# networking.extraHosts = ''
# 127.0.0.1 releases.warp.dev
# 127.0.0.1 app.warp.dev
# '';
# Pick only one of the below networking options.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# Set your time zone.
time.timeZone = "Europe/Berlin";
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Select internationalisation properties.
i18n.defaultLocale = "de_DE.UTF-8";
# console = {
# font = "Lat2-Terminus16";
# keyMap = "us";
# useXkbConfig = true; # use xkb.options in tty.
# };
# Enable the X11 windowing system.
# services.xserver.enable = true;
# Enable the GNOME Desktop Environment.
# services.xserver.displayManager.gdm.enable = true;
# services.xserver.desktopManager.gnome.enable = true;
# Configure keymap in X11
# services.xserver.xkb.layout = "us";
# services.xserver.xkb.options = "eurosign:e,caps:escape";
# Enable CUPS to print documents.
# services.printing.enable = true;
# Enable sound.
# hardware.pulseaudio.enable = true;
# OR
# Enable touchpad support (enabled default in most desktopManager).
# services.libinput.enable = true;
# Define a user account. Don't forget to set a password with passwd.
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [asusctl git];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable:
# Enable the OpenSSH daemon.
services.openssh = {
enable = true;
settings.PermitRootLogin = "no";
settings = {
PasswordAuthentication = true;
};
};
services.fstrim.enable = true;
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [8080];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# system.copySystemConfiguration = true;
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
#
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
# to actually do that.
#
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
#
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
#
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "25.05"; # Did you read the comment?
}
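Review bot: `PasswordAuthentication = true` in the `services.openssh` block keeps password logins open although both user modules in this commit already provision `openssh.authorizedKeys.keys`, so the password hashes committed in the user files are what stands between the LAN and a `wheel` account; set it to `false`, or add a comment stating why passwords must stay accepted. The `settings` attribute is also written twice (`settings.PermitRootLogin` and a separate `settings = { … }` literal); fold them into one: `settings = { PermitRootLogin = "no"; PasswordAuthentication = false; };`. `networking.firewall.allowedTCPPorts = [8080]` names no service, so the exposure cannot be reviewed — add a comment saying what listens there.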


@@ -0,0 +1,58 @@
# A staring point is the basic NIXOS configuration generated by the ISO installer.
# On an existing NIXOS install you can use the following command in your flakes basedir:
# sudo nixos-generate-config --dir ./hosts/m3tam3re
#
# Please make sure to change the first couple of lines in your configuration.nix:
# { config, inputs, ouputs, lib, pkgs, ... }:
#
# {
# imports = [ # Include the results of the hardware scan.
# ./hardware-configuration.nix
# inputs.home-manager.nixosModules.home-manager
# ];
# ...
#
# Moreover please update the packages option in your user configuration and add the home-manager options:
# users.users = {
# m3tam3re = {
# isNormalUser = true;
# initialPassword = "12345";
# extraGroups = [ "wheel" ]; # Enable sudo for the user.
# packages = [ inputs.home-manager.packages.${pkgs.system}.default ];
# };
# };
#
# home-manager = {
# useUserPackages = true;
# extraSpecialArgs = { inherit inputs outputs; };
# users.m3tam3re =
# import ../../home/m3tam3re/${config.networking.hostName}.nix;
# };
#
# Please also change your hostname accordingly:
#:w
# networking.hostName = "nixos"; # Define your hostname.
{
imports = [
../common
./configuration.nix
./hardware.nix
./programs.nix
./secrets.nix
./services
];
extraServices = {
flatpak.enable = true;
ollama.enable = true;
podman.enable = true;
virtualisation.enable = true;
};
services.ollama = {
environmentVariables = {
# HCC_AMDGPU_TARGET = "gfx1103";
# ROCR_VISIBLE_DEVICES = "0";
};
# rocmOverrideGfx = "11.0.3";
};
}
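Review bot: The header comment above the module body is the upstream m3tam3re template text, including the stray editor artifact `#:w`, and describes a user, password and flake layout this host does not use; replace it with a short host-specific header such as `# hosts/AZ-LT-NIX/default.nix — host entry point: common modules plus flatpak, ollama, podman and libvirt.` The empty `services.ollama.environmentVariables = { }` with two commented ROCm variables is dead configuration; either drop it or leave one comment saying it is reserved for ROCm tuning.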


@@ -0,0 +1,68 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "thunderbolt" "usbhid" "usb_storage" "sd_mod" "sdhci_pci"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-amd"];
boot.extraModulePackages = [];
fileSystems."/" = {
device = "/dev/disk/by-uuid/9fcbe547-12dc-467d-a0e2-cefeedaf28d9";
fsType = "btrfs";
options = ["subvol=root" "compress=zstd" "noatime" "ssd" "discard=async"];
};
fileSystems."/home" = {
device = "/dev/disk/by-uuid/9fcbe547-12dc-467d-a0e2-cefeedaf28d9";
fsType = "btrfs";
options = ["subvol=home" "compress=zstd" "noatime" "ssd" "discard=async"];
};
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/9fcbe547-12dc-467d-a0e2-cefeedaf28d9";
fsType = "btrfs";
options = ["subvol=nix" "compress=zstd" "noatime" "ssd" "discard=async"];
};
fileSystems."/persist" = {
device = "/dev/disk/by-uuid/9fcbe547-12dc-467d-a0e2-cefeedaf28d9";
fsType = "btrfs";
options = ["subvol=persist" "compress=zstd" "noatime" "ssd" "discard=async"];
};
fileSystems."/var/log" = {
device = "/dev/disk/by-uuid/9fcbe547-12dc-467d-a0e2-cefeedaf28d9";
fsType = "btrfs";
options = ["subvol=log" "compress=zstd" "noatime" "ssd" "discard=async"];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/89EE-C4CE";
fsType = "vfat";
options = ["fmask=0022" "dmask=0022"];
};
swapDevices = [
{device = "/dev/disk/by-uuid/7e78ee33-a051-439a-80aa-635d0ab698e4";}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp194s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -0,0 +1,16 @@
{
hardware = {
amdgpu.opencl.enable = true;
bluetooth.enable = true;
keyboard.zsa.enable = true;
graphics.enable = true;
};
# udev rules for vibetyper / uinput access (virtual input device injection)
services.udev.extraRules = ''
KERNEL=="uinput", MODE="0660", GROUP="input", OPTIONS+="static_node=uinput"
KERNEL=="event*", SUBSYSTEM=="input", MODE="0660", GROUP="input"
'';
boot.kernelModules = ["uinput"];
}
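Review bot: The `event*` rule gives every member of `input` read access to all input device nodes and the `uinput` rule lets the same group create virtual input devices; both users defined in this commit are in `input`, so any process running as either user can read keystrokes and synthesize input. That may be the accepted trade-off for vibetyper, but it should be recorded next to the rule: `# NOTE: input-group members can read all keyboard/mouse events and inject input via uinput; add only users that need vibetyper.` Check whether vibetyper needs `event*` read access at all or only `uinput`, and narrow the rule if it does not.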

hosts/AZ-LT-NIX/home.nix Normal file

@@ -0,0 +1,79 @@
# hosts/m3-kratos/home.nix — Host-specific home-manager overrides.
# AMD desktop: dual 2560x1440@144 via DisplayPort.
# Everything else (shell, editors, gaming, media, theme, etc.) comes from
# m3ta-home via the profile mapping in hosts/common/users/m3tam3re.nix.
{
config,
lib,
...
}:
with lib; {
config = mkMerge [
# ── XDG / MIME defaults ──
{
xdg = {
enable = true;
userDirs.setSessionVariables = true;
configFile."mimeapps.list".force = true;
mimeApps = {
enable = true;
associations.added = {
"application/zip" = ["org.gnome.FileRoller.desktop"];
"application/csv" = ["calc.desktop"];
"application/pdf" = ["vivaldi-stable.desktop"];
"x-scheme-handler/http" = ["vivaldi-stable.desktop"];
"x-scheme-handler/https" = ["vivaldi-stable.desktop"];
};
defaultApplications = {
"application/zip" = ["org.gnome.FileRoller.desktop"];
"application/csv" = ["calc.desktop"];
"application/pdf" = ["vivaldi-stable.desktop"];
"application/md" = ["dev.zed.Zed.desktop"];
"application/text" = ["dev.zed.Zed.desktop"];
"x-scheme-handler/http" = ["vivaldi-stable.desktop"];
"x-scheme-handler/https" = ["vivaldi-stable.desktop"];
};
};
};
services.hyprpaper.settings = {
ipc = "on";
preload = ["/home/sascha.koenig/.config/hypr/wallpapers/wallhaven-lmmo8r_2560x1600.png"];
wallpaper = [
"eDP-1,/home/sascha.koenig/.config/hypr/wallpapers/wallhaven-lmmo8r_2560x1600.png"
"DP-8,/home/sascha.koenig/.config/hypr/wallpapers/wallhaven-lmmo8r_2560x1600.png"
"DP-10,/home/sascha.koenig/.config/hypr/wallpapers/wallhaven-lmmo8r_2560x1600.png"
];
};
}
# ── Hyprland monitor layout ──
(mkIf config.desktop.wm.hyprland.enable {
wayland.windowManager.hyprland = {
enable = true;
settings = {
source = "~/.config/hypr/monitors.conf";
workspace = [
"1, monitor:eDP-1, default:true"
"2, monitor:eDP-1"
"3, monitor:DP-8"
"4, monitor:DP-8"
"5, monitor:DP-10"
"6, monitor:DP-10"
];
windowrule = [
"match:class com.obsproject.Studio, workspace 1"
"match:class dev.zed.Zed, workspace 3"
"match:class vivaldi-stable, workspace 4, opacity 1.0"
"match:initial_title 3.basecamp.com_/5996442/, workspace 5, opacity 1.0"
"match:initial_title 3.basecamp.com_/5996442/, tile on"
"match:initial_title teams.microsoft.com_/, workspace 6, opacity 1.0"
"match:initial_title teams.microsoft.com_/, tile on"
"match:initial_title outlook.office.com_/mail/, workspace 6, opacity 1.0"
"match:initial_title outlook.office.com_/mail/, tile on"
];
};
};
})
];
}
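Review bot: The hyprpaper `preload` and `wallpaper` entries hardcode `/home/sascha.koenig/…` although `config` is already a module argument; use `${config.home.homeDirectory}/.config/hypr/wallpapers/wallhaven-lmmo8r_2560x1600.png` in all four places so the file survives a username or home-directory change. The header comment still says `hosts/m3-kratos/home.nix` and "dual 2560x1440@144 via DisplayPort", while the layout below is a laptop panel (`eDP-1`) plus `DP-8`/`DP-10`; update the path and description to this host.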


@@ -0,0 +1,42 @@
{pkgs, ...}: {
programs.nix-ld.enable = true;
programs.nix-ld.libraries = with pkgs; [
# Add any missing dynamic libraries for unpackaged programs
# here, NOT in environment.systemPackages
];
programs.hyprland = {
enable = true;
xwayland.enable = true;
withUWSM = true;
};
programs.fish.enable = true;
programs.thunar = {
enable = true;
plugins = with pkgs; [thunar-archive-plugin thunar-volman];
};
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
pinentryPackage = pkgs.pinentry-gnome3;
settings = {default-cache-ttl = 10800;};
};
programs.obs-studio = {
enable = true;
enableVirtualCamera = true;
plugins = with pkgs.obs-studio-plugins; [
obs-composite-blur
obs-vaapi
# obs-vertical-canvas
obs-vkcapture
wlrobs
];
};
programs.nh = {
enable = true;
clean.enable = true;
clean.extraArgs = "--keep-since 4d --keep 3";
flake = "/home/m3tam3re/p/nixos/nixos-config";
};
services.netbird.enable = true;
environment.systemPackages = [pkgs.netbird-ui];
}
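Review bot: `programs.nh.flake = "/home/m3tam3re/p/nixos/nixos-config"` points into a home directory that does not exist on this host (the user defined for it is `sascha.koenig`, with home paths under `/home/sascha.koenig` elsewhere in this commit), so `nh` will not find the flake unless that directory is created by hand; point it at the real checkout or drop the setting. `services.netbird.enable = true` is also set in the netbird service module, so one of the two lines is redundant.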


@@ -0,0 +1,22 @@
{
age = {
secrets = {
outline-key = {
file = ../../secrets/outline-key.age;
owner = "sascha.koenig";
};
ref-key = {
file = ../../secrets/ref-key.age;
owner = "sascha.koenig";
};
exa-key = {
file = ../../secrets/exa-key.age;
owner = "sascha.koenig";
};
kestractl-env = {
file = ../../secrets/kestractl-env.age;
owner = "sascha.koenig";
};
};
};
}


@@ -0,0 +1,114 @@
{
config,
pkgs,
...
}: {
environment.systemPackages = with pkgs; [
adcli # Helper library and tools for Active Directory client operations
oddjob # Odd Job Daemon
samba4Full # Standard Windows interoperability suite of programs for Linux and Unix
sssd # System Security Services Daemon
krb5 # MIT Kerberos 5
realmd # DBus service for configuring Kerberos and other
];
#
# Security
#
security = {
krb5 = {
enable = true;
settings = {
libdefaults = {
udp_preference_limit = 0;
default_realm = "AZ-GROUP";
};
};
};
pam = {
makeHomeDir.umask = "077";
services.login.makeHomeDir = true;
services.sshd.makeHomeDir = true;
};
sudo = {
extraConfig = ''
%domain\ admins ALL=(ALL:ALL) NOPASSWD: ALL
Defaults:%domain\ admins env_keep+=TERMINFO_DIRS
Defaults:%domain\ admins env_keep+=TERMINFO
'';
# Use extraConfig because of blank space in 'domain admins'.
# Alternatively, you can use the GID.
# extraRules = [
# { groups = [ "domain admins" ];
# commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
# ];
};
};
#
# Services
#
services = {
nscd = {
enable = true;
config = ''
server-user nscd
enable-cache hosts yes
positive-time-to-live hosts 0
negative-time-to-live hosts 0
shared hosts yes
enable-cache passwd no
enable-cache group no
enable-cache netgroup no
enable-cache services no
'';
};
sssd = {
enable = true;
config = ''
[sssd]
domains = az-group
config_file_version = 2
services = nss, pam
[domain/az-group]
override_shell = /run/current-system/sw/bin/zsh
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = AZ-GROUP
realmd_tags = manages-system joined-with-samba
id_provider = ad
fallback_homedir = /home/%u
ad_domain = your_domain_lowercase
use_fully_qualified_names = false
ldap_id_mapping = false
auth_provider = ad
access_provider = ad
chpass_provider = ad
ad_gpo_access_control = permissive
enumerate = true
'';
};
};
#
# Systemd
#
systemd = {
services.realmd = {
description = "Realm Discovery Service";
wantedBy = ["multi-user.target"];
after = ["network.target"];
serviceConfig = {
Type = "dbus";
BusName = "org.freedesktop.realmd";
ExecStart = "${pkgs.realmd}/libexec/realmd";
User = "root";
};
};
};
}
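Review bot: `ad_domain = your_domain_lowercase` in the sssd config is the unreplaced template placeholder, so this module cannot join a domain as written; since the services index currently comments out `./ad.nix`, say so at the top of the file: `# NOT IMPORTED yet — fill in ad_domain before enabling.` The sudoers line `%domain\ admins ALL=(ALL:ALL) NOPASSWD: ALL` grants passwordless root to a group whose membership is controlled outside this repository, and `ad_gpo_access_control = permissive` plus `enumerate = true` are setup-time settings; each deserves a one-line comment stating it is intentional before the import is re-enabled.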


@@ -0,0 +1,44 @@
{pkgs, ...}: {
imports = [
# ./ad.nix
./mem0.nix
./n8n.nix
./netbird.nix
./printing.nix
./sound.nix
./udev.nix
];
services = {
espanso = {
enable = true;
package = pkgs.espanso-wayland;
};
hypridle.enable = true;
printing.enable = true;
gvfs.enable = true;
gnome.gnome-keyring.enable = true;
qdrant = {
enable = true;
settings = {
service = {
host = "0.0.0.0";
};
};
};
upower.enable = true;
avahi = {
enable = true;
nssmdns4 = true;
publish = {
addresses = true;
workstation = true;
userServices = true;
};
};
asusd = {
enable = true;
};
desktopManager.gnome.enable = true;
displayManager.gdm.enable = true;
};
}
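Review bot: `services.qdrant.settings.service.host = "0.0.0.0"` binds the unauthenticated Qdrant API on every interface of a laptop that roams between networks, while the only consumer visible in this commit (the mem0 module) reaches it via `localhost`; use `host = "127.0.0.1";` unless remote access is required, and if it is, state which firewall rule and which clients are meant. GNOME (`desktopManager.gnome`) is enabled alongside Hyprland from programs.nix; a comment explaining that GNOME is kept for GDM and the keyring would make that intentional rather than accidental.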


@@ -0,0 +1,23 @@
{
m3ta.mem0 = {
enable = false;
port = 8000;
host = "127.0.0.1";
# LLM Configuration
llm = {
provider = "openai";
apiKeyFile = "/var/lib/mem0/openai-api-key-1"; # Use agenix or sops-nix
};
# Vector Storage Configuration
vectorStore = {
provider = "qdrant"; # or "chroma", "pinecone", etc.
config = {
host = "localhost";
port = 6333;
collection_name = "mem0_alice";
};
};
};
}
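Review bot: `llm.apiKeyFile = "/var/lib/mem0/openai-api-key-1"` is a hand-placed plaintext file, while the host already manages secrets with agenix in secrets.nix; when this module is switched on, point it at an agenix secret path instead (the module would then need `config` as an argument), which is what the trailing comment already suggests. The module is disabled (`enable = false`), so nothing is exposed yet.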


@@ -0,0 +1,14 @@
{...}: let
serviceName = "n8n";
in {
services.${serviceName} = {
enable = true;
openFirewall = true;
};
systemd.services.n8n = {
environment = {
N8N_SECURE_COOKIE = "false";
N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = "false";
};
};
}
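Review bot: `openFirewall = true` combined with `N8N_SECURE_COOKIE = "false"` publishes n8n on every network the laptop joins with its session cookie sent over cleartext HTTP; if n8n is only used locally, drop `openFirewall`, and if LAN access is needed put it behind TLS and remove the cookie override. `N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = "false"` disables n8n's check that its settings file (which holds the encryption key) is not readable by others; add a comment saying why that is needed here, e.g. `# settings file is owned/managed by the NixOS service user — verify the check is a false positive`. The `serviceName` let-binding is used only once while `systemd.services.n8n` is spelled out, so either use `${serviceName}` in both places or drop the binding.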


@@ -0,0 +1,28 @@
{pkgs, ...}: {
services.netbird.enable = true;
systemd.services.netbird = {
environment = {
NB_DISABLE_SSH_CONFIG = "true";
};
path = [
pkgs.shadow
pkgs.util-linux
];
};
programs.ssh.extraConfig = ''
Match exec "${pkgs.netbird}/bin/netbird ssh detect %h %p"
PreferredAuthentications password,publickey,keyboard-interactive
PasswordAuthentication yes
PubkeyAuthentication yes
BatchMode no
ProxyCommand ${pkgs.netbird}/bin/netbird ssh proxy %h %p
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
CheckHostIP no
LogLevel ERROR
'';
networking.firewall.checkReversePath = "loose";
}
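Review bot: The `Match exec` block turns off host-key verification (`StrictHostKeyChecking no`, `UserKnownHostsFile /dev/null`) for every host that `netbird ssh detect` claims, so OpenSSH trusts the NetBird overlay entirely for peer identity; that is the NetBird-style SSH setup, but the trust assumption should be written down: `# NetBird SSH: peer identity comes from the overlay, so OpenSSH host keys are not checked for netbird peers.` `LogLevel ERROR` additionally hides the warning ssh would print on a changed key. `services.netbird.enable = true` duplicates the same line in programs.nix.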


@@ -0,0 +1,45 @@
{pkgs, ...}: {
# CUPS Druckdienst für PDF-Druck aus n8n
# Drucker: Kyocera TASKalfa 4054ci @ 192.168.152.137
# Druckernetz (192.168.152.0/24) wird via NetBird geroutet ensure-printers
# muss warten bis NetBird verbunden ist und die Route aktiv ist.
systemd.services.ensure-printers = {
after = ["netbird.service"];
requires = ["netbird.service"];
serviceConfig.ExecStartPre = [
"${pkgs.bash}/bin/bash -c 'for i in $(seq 1 60); do ${pkgs.iproute2}/bin/ip route get 192.168.152.137 2>/dev/null | grep -q wt0 && exit 0; sleep 1; done; echo \"NetBird route to printer not available after 60s\" >&2; exit 1'"
];
};
services.printing = {
enable = true;
drivers = with pkgs; [
cups-filters # driverless IPP Everywhere Support
];
};
# Avahi für mDNS/IPP-Druckererkennung
services.avahi = {
enable = true;
nssmdns4 = true;
openFirewall = true;
};
# Kyocera TASKalfa 4054ci deklarativ einrichten
hardware.printers = {
ensurePrinters = [
{
name = "JW2OG";
location = "Buero";
description = "Kyocera TASKalfa 4054ci";
deviceUri = "ipps://192.168.152.137:443/ipp/print";
model = "everywhere";
ppdOptions = {
PageSize = "A4";
};
}
];
ensureDefaultPrinter = "JW2OG";
};
}
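Review bot: The `ExecStartPre` wait loop hardcodes the printer address a second time (it also appears in `deviceUri`) and the overlay interface name `wt0`, so a changed printer or interface needs edits in two places; bind them once with `let printerIp = "192.168.152.137"; netbirdIf = "wt0"; in` and interpolate both. `services.avahi` is also configured in the services index; the definitions merge, but `openFirewall = true` only appears here, so the mDNS exposure is invisible from the other file. The comments are German while the rest of the tree is English — consider translating for consistency.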


@@ -0,0 +1,11 @@
{
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = false;
wireplumber.enable = true;
};
}


@@ -0,0 +1,8 @@
{pkgs, ...}: {
services.udev.extraRules = ''
SUBSYSTEM=="usb", MODE="0666"
'';
environment.systemPackages = with pkgs; [
zsa-udev-rules
];
}
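Review bot: `SUBSYSTEM=="usb", MODE="0666"` makes every USB device node world-readable and world-writable, so any local process — not only the logged-in user — can talk raw USB to whatever is plugged in, including security keys and storage; `zsa-udev-rules`, installed on the line below, already carries the vendor-scoped rules ZSA keyboards need, so the blanket rule can probably be removed. If a specific device still needs it, match on `ATTR{idVendor}`/`ATTR{idProduct}` and use `GROUP="plugdev", MODE="0660"`, since both users in this commit are in `plugdev`.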

hosts/common/default.nix Normal file

@@ -0,0 +1,80 @@
# Common configuration for all hosts
{
config,
pkgs,
lib,
inputs,
outputs,
system,
...
}: {
imports = [
./extraServices
./ports.nix
./users
inputs.home-manager.nixosModules.home-manager
];
environment.pathsToLink = ["/share/xdg-desktop-portal" "/share/applications"];
home-manager = {
useGlobalPkgs = true;
useUserPackages = true;
extraSpecialArgs = {
inherit inputs outputs system;
videoDrivers = config.services.xserver.videoDrivers or [];
};
};
nixpkgs = {
# You can add overlays here
overlays = [
# Add overlays your own flake exports (from overlays and pkgs dir):
#outputs.overlays.additions
#outputs.overlays.modifications
outputs.overlays.stable-packages
# outputs.overlays.pinned-packages
inputs.m3ta-nixpkgs.overlays.default
inputs.m3ta-nixpkgs.overlays.modifications
(outputs.lib.mkLlmAgentsOverlay system)
# You can also add overlays exported from other flakes:
# neovim-nightly-overlay.overlays.default
# Or define it inline, for example:
# (final: prev: {
# hi = final.hello.overrideAttrs (oldAttrs: {
# patches = [ ./change-hello-to-hi.patch ];
# });
# })
];
# Configure your nixpkgs instance
config = {
# Disable if you don't want unfree packages
allowUnfree = true;
};
};
nix = {
settings = {
experimental-features = "nix-command flakes";
cores = 2;
max-jobs = 8;
trusted-users = [
"root"
"sascha.koenig"
]; # Set users that are allowed to use the flake command
};
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 30d";
};
optimise.automatic = true;
registry =
(lib.mapAttrs (_: flake: {inherit flake;}))
((lib.filterAttrs (_: lib.isType "flake")) inputs);
nixPath = ["/etc/nix/path"];
};
users.defaultUserShell = pkgs.nushell;
}
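Review bot: `nix.settings.trusted-users` lists `sascha.koenig`, and a trusted user can hand the daemon arbitrary substituters and sandbox overrides, which is effectively root on the machine; the comment `# Set users that are allowed to use the flake command` understates this, since flakes work for untrusted users too. Replace it with `# trusted-users is root-equivalent for the nix daemon; only needed for extra substituters/overrides` and keep the list minimal. `videoDrivers = config.services.xserver.videoDrivers or []` guards an option that appears to be always defined, so the fallback looks dead — harmless, but worth a comment if it is intentional.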


@@ -0,0 +1,8 @@
{
imports = [
./flatpak.nix
./ollama.nix
./podman.nix
./virtualisation.nix
];
}


@@ -0,0 +1,23 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.extraServices.flatpak;
in {
options.extraServices.flatpak.enable = mkEnableOption "enable flatpak";
config = mkIf cfg.enable {
services.flatpak.enable = true;
xdg.portal = {
# xdg desktop intergration (required for flatpak)
enable = true;
extraPortals = with pkgs; [
xdg-desktop-portal-hyprland
];
config.common.default = "*";
};
};
}


@@ -0,0 +1,27 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.extraServices.ollama;
in {
options.extraServices.ollama.enable = mkEnableOption "enable ollama";
config = mkIf cfg.enable {
services.ollama = {
enable = true;
package = pkgs.ollama-vulkan;
host = "[::]";
openFirewall = true;
environmentVariables = {
OLLAMA_HOST = "0.0.0.0";
};
};
nixpkgs.config = {
rocmSupport = config.services.xserver.videoDrivers == ["amdgpu"];
cudaSupport = config.services.xserver.videoDrivers == ["nvidia"];
};
};
}
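Review bot: `host = "[::]"` together with `openFirewall = true` and `OLLAMA_HOST = "0.0.0.0"` exposes the unauthenticated Ollama API (generation, model pulls and deletion) on every interface of a roaming laptop; if only local clients need it, use `host = "127.0.0.1";` and drop `openFirewall` and the env var, otherwise document the intended client network next to `openFirewall`. The three settings also disagree with each other (`[::]` versus `0.0.0.0`), and `services.ollama.host` already sets the bind address, so the `OLLAMA_HOST` override is redundant at best. `nixpkgs.config.rocmSupport`/`cudaSupport` affect the whole nixpkgs instance while `package` is pinned to `pkgs.ollama-vulkan` — presumably intended for other packages; a comment saying so would help.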


@@ -0,0 +1,33 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.extraServices.podman;
in {
options.extraServices.podman.enable = mkEnableOption "enable podman";
config = mkIf cfg.enable {
virtualisation = {
podman = {
enable = true;
dockerCompat = true;
dockerSocket.enable = true;
autoPrune = {
enable = true;
dates = "weekly";
flags = [
"--filter=until=24h"
"--filter=label!=important"
];
};
defaultNetwork.settings.dns_enabled = true;
};
};
environment.systemPackages = with pkgs; [
podman-compose
];
};
}


@@ -0,0 +1,42 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.extraServices.virtualisation;
in {
options.extraServices.virtualisation.enable = mkEnableOption "enable virtualisation";
config = mkIf cfg.enable {
virtualisation = {
libvirtd = {
enable = true;
qemu = {
package = pkgs.qemu_kvm;
runAsRoot = true;
swtpm.enable = true;
};
};
};
programs.virt-manager.enable = true;
environment = {
systemPackages = [pkgs.qemu];
etc = {
"ovmf/OVMF_CODE.fd" = {
source = "${(pkgs.OVMF.override {
secureBoot = true;
tpmSupport = true;
}).fd}/FV/OVMF_CODE.fd";
};
"ovmf/OVMF_VARS.fd" = {
source = "${(pkgs.OVMF.override {
secureBoot = true;
tpmSupport = true;
}).fd}/FV/OVMF_VARS.fd";
};
};
};
};
}
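Review bot: The `pkgs.OVMF.override { secureBoot = true; tpmSupport = true; }` expression is written twice; bind it once — `let ovmf = (pkgs.OVMF.override { secureBoot = true; tpmSupport = true; }).fd; in` — and use `${ovmf}/FV/OVMF_CODE.fd` and `${ovmf}/FV/OVMF_VARS.fd`, which also guarantees the CODE and VARS images come from the same build. `qemu.runAsRoot = true` is stated explicitly; a comment saying why VMs need to run as root (or that this merely restates the default) would keep a reviewer from reading it as a deliberate privilege increase.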

hosts/common/ports.nix Normal file

@@ -0,0 +1,31 @@
{config, ...}: {
m3ta.ports = {
enable = true;
definitions = {
# System services
ssh = 2022;
# Web & proxy services
traefik = 80;
traefik-ssl = 443;
# Databases
postgres = 5432;
mysql = 3306;
redis = 6379;
};
hostOverrides = {
# Host-specific overrides
AZ-LT-NIX = {
# Any custom port overrides for m3-ares
};
};
};
environment.etc."info/all-ports.json" = {
text = builtins.toJSON {
hostname = config.networking.hostName;
ports = config.m3ta.ports.all; # TODO should only return actually used ports
};
};
}
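Review bot: `definitions.ssh = 2022` declares a non-default SSH port, but the host's configuration.nix enables `services.openssh` without setting `ports`, so unless the `m3ta.ports` module wires the definition into sshd (not visible in this commit) the registry and the real listener disagree; either consume `config.m3ta.ports.definitions.ssh` in the openssh config or set the definition to 22. The `hostOverrides.AZ-LT-NIX` comment still says `m3-ares`. The generated `/etc/info/all-ports.json` only holds port numbers, so its default world-readability is acceptable, but the TODO admits it over-reports.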


@@ -0,0 +1,6 @@
{
imports = [
./jannik.mueller.nix
./sascha.koenig.nix
];
}


@@ -0,0 +1,25 @@
{
config,
pkgs,
inputs,
...
}: {
users.users."jannik.mueller" = {
hashedPassword = "$y$j9T$09RgD3AU3PK9Oi6JGLe0V1$i8J2ZOD1h1b6Zpw28ub.kExujoDKHzokeXzkM23Tfd/";
isNormalUser = true;
extraGroups = [
"wheel"
"networkmanager"
"libvirtd"
"flatpak"
"plugdev"
"input"
"kvm"
"qemu-libvirtd"
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPvZazSuIoWoRWhkAqQDMLeurxVUyy1MTllp1wfw1tzq"
];
packages = [inputs.home-manager.packages.${pkgs.stdenv.hostPlatform.system}.default];
};
}
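Review bot: `hashedPassword` embeds the yescrypt hash in the repository (the next file does the same for `sascha.koenig`); the hash is not directly reversible, but anyone with read access to the repo can run offline guessing against it, and this commit already uses agenix for secrets. Prefer `hashedPasswordFile = config.age.secrets.<secret-name>.path;` (placeholder name) with the hash stored as an encrypted secret. The user is in `input` and `plugdev`, which together with the udev rules in this commit grants raw input and USB access — a comment naming why the account needs them would help.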


@@ -0,0 +1,157 @@
# hosts/common/users/m3tam3re.nix — Central user definition with m3ta-home integration.
#
# This module:
# 1. Creates the m3tam3re NixOS user
# 2. Loads the m3ta-home profile system via mkHome
# 3. Sets per-host feature flags based on a host profile mapping
# 4. Imports per-host home.nix overrides (monitors, HW-specific config)
#
# To add a new host:
# 1. Add entry to hostProfiles below
# 2. Add feature flags in the hostFlags section
# 3. Create hosts/<hostname>/home.nix if the host needs overrides (monitors, etc.)
{
config,
pkgs,
inputs,
...
}: let
hostname = config.networking.hostName;
# ── Per-host profile mapping ──
# Determines which m3ta-home context and sets each host gets.
hostProfiles = {
# ── Desktop hosts ──
AZ-LT-NIX = {
context = "desktop";
sets = ["coding" "media"];
};
};
profile =
hostProfiles.${
hostname
} or {
context = "server";
sets = [];
};
m3ta-lib = inputs.m3ta-home.lib;
# Check if a per-host home.nix exists
hostHomeFile = ./../../${hostname}/home.nix;
hostHomeExists = builtins.pathExists hostHomeFile;
# ── Per-host feature flags ──
# These enable/disable specific m3ta-home modules per host.
hostFlags =
if hostname == "AZ-LT-NIX"
then {
# Full desktop workstation
base = {
shell = {
fish.enable = true;
nushell.enable = true;
starship.enable = true;
};
cliTools = {
fzf.enable = true;
nitch.enable = true;
television.enable = true;
};
secrets.enable = true;
};
desktop = {
wm = {
hyprland.enable = true;
rofi.enable = true;
wayland.enable = true;
};
apps = {
crypto.enable = false;
obsidian.enable = true;
office.enable = true;
};
theme = {
fonts.enable = true;
wallpapers.enable = true;
};
};
coding = {
editors = {
neovim.enable = true;
zed.enable = true;
};
lsp.enable = true;
packages.enable = true;
languages = {
python.enable = true;
javascript.enable = true;
rustToolchain.enable = true;
go.enable = true;
typescript.enable = true;
};
};
profiles.media = {
obs.enable = true;
ffmpeg.enable = true;
kdenlive.enable = true;
ytDlp.enable = true;
};
}
else {
# m3-helios, m3-hermes, m3-aether — minimal server
base = {
shell = {
fish.enable = true;
starship.enable = true;
};
cliTools = {
fzf.enable = true;
nitch.enable = true;
};
};
};
in {
# ── NixOS user definition ──
users.users."sascha.koenig" = {
hashedPassword = "$y$j9T$ORX4btVZgs9Xjq2oIvzJm0$lXiPwaa0D6t.eMDIx1UBesEAMOkWXBoGwpeI7X0aS8D";
isNormalUser = true;
shell = pkgs.nushell;
extraGroups = [
"wheel"
"networkmanager"
"libvirtd"
"flatpak"
"plugdev"
"input"
"kvm"
"qemu-libvirtd"
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZbg/Z9mnflXuLahGY8WOSBMqbgeqVIkIwRkquys1Ml sascha.koenig@azintec.com"
"ssh-rsa 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 m3tam3re@MBP-Sascha.fritz.box"
];
packages = [inputs.home-manager.packages.${pkgs.stdenv.hostPlatform.system}.default];
};
# ── Home-Manager configuration via m3ta-home ──
home-manager.users."sascha.koenig" = {
imports =
[
# Load m3ta-home composition engine
(m3ta-lib.mkHome {
user = "m3tam3re";
identity = "work";
inherit (profile) context sets;
})
# Per-host feature flags
hostFlags
]
# Per-host home.nix (Hyprland monitors, XDG/MIME, HW-specific overrides)
++ (
if hostHomeExists
then [hostHomeFile]
else []
);
};
}
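Review bot: `m3ta-lib.mkHome { user = "m3tam3re"; … }` is attached to `home-manager.users."sascha.koenig"`, while the NixOS user, the agenix secret owner and the hyprpaper paths all use `sascha.koenig`; if `mkHome` derives `home.username`/`home.homeDirectory` from `user` (not visible here), home-manager would target `/home/m3tam3re` on a host whose home is `/home/sascha.koenig` — confirm, and if so pass `user = "sascha.koenig"` or set `home.homeDirectory` explicitly. The file header (`hosts/common/users/m3tam3re.nix`) and the `else` branch comment (`m3-helios, m3-hermes, m3-aether`) still describe the upstream layout; rename the header to this file and drop the stale host list. The `hostname == "AZ-LT-NIX"` branch duplicates the `hostProfiles` key, so adding a host means editing two places; a single attrset keyed by hostname with a server default would remove that.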