janezicmatej/matej.nix
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: janezicmatej:main
Branches Tags
janezicmatej:main
..
compare: janezicmatej:3cab4fb812104fac0afcfde54c51ae1219998ccf
Branches Tags
janezicmatej:main

1 Commits
main ... 3cab4fb812

Author SHA1 Message Date
Matej Janežič
3cab4fb812 wip 2026-03-02 16:35:14 +01:00
78 changed files with 1814 additions and 1730 deletions
Expand all files Collapse all files

5
.git-blame-ignore-revs
View File

@@ -1,8 +1,3 @@
# nix fmt & statix # nix fmt & statix
f011c8d71ba09bd94ab04b8d771858b90a03fbf9 f011c8d71ba09bd94ab04b8d771858b90a03fbf9
3aff25b4486a143cd6282f8845c16216598e1c7e 3aff25b4486a143cd6282f8845c16216598e1c7e
# host rename
cfe4c43887a41e52be4e6472474c0fc3788f86e8
bebb7c42bbe87fe041b53189e78a4553e8c08666
258902d409e68b47f781451e6d306a8e47198d75

3
.gitignore vendored
View File

@@ -5,3 +5,6 @@ result-*
# Ignore automatically generated direnv output # Ignore automatically generated direnv output
.direnv .direnv
# Ignore generated seed ISOs
*.iso

69
.gitlab-ci.yml Normal file
View File

@@ -0,0 +1,69 @@
stages:
- build
- upload
- release
build-x86_64:
stage: build
image: ubuntu:24.04
script:
- apt-get update && apt-get install -y curl xz-utils sudo
- curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install linux --no-confirm
- . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
- nix build .#nixosConfigurations.sandbox.config.system.build.image --out-link result-x86_64
- cp $(find -L result-x86_64 -name '*.qcow2') sandbox-x86_64.qcow2
artifacts:
paths:
- sandbox-x86_64.qcow2
expire_in: 1 week
build-aarch64:
stage: build
image: ubuntu:24.04
tags:
- aarch64
allow_failure: true
script:
- apt-get update && apt-get install -y curl xz-utils sudo
- curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install linux --no-confirm
- . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
- nix build .#nixosConfigurations.sandbox-aarch64.config.system.build.image --out-link result-aarch64
- cp $(find -L result-aarch64 -name '*.qcow2') sandbox-aarch64.qcow2
artifacts:
paths:
- sandbox-aarch64.qcow2
expire_in: 1 week
upload:
stage: upload
image: curlimages/curl:latest
rules:
- if: $CI_COMMIT_TAG
script:
- |
curl --header "JOB-TOKEN: $CI_JOB_TOKEN" \
--upload-file sandbox-x86_64.qcow2 \
"${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/sandbox/${CI_COMMIT_TAG}/sandbox-x86_64.qcow2"
- |
if [ -f sandbox-aarch64.qcow2 ]; then
curl --header "JOB-TOKEN: $CI_JOB_TOKEN" \
--upload-file sandbox-aarch64.qcow2 \
"${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/sandbox/${CI_COMMIT_TAG}/sandbox-aarch64.qcow2"
fi
release:
stage: release
image: registry.gitlab.com/gitlab-org/release-cli:latest
rules:
- if: $CI_COMMIT_TAG
script:
- echo "Creating release $CI_COMMIT_TAG"
release:
tag_name: $CI_COMMIT_TAG
description: "Sandbox VM $CI_COMMIT_TAG"
assets:
links:
- name: sandbox-x86_64.qcow2
url: "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/sandbox/${CI_COMMIT_TAG}/sandbox-x86_64.qcow2"
- name: sandbox-aarch64.qcow2
url: "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/sandbox/${CI_COMMIT_TAG}/sandbox-aarch64.qcow2"

10
.pre-commit-config.yaml
View File

@@ -12,13 +12,3 @@ repos:
language: system language: system
files: \.nix$ files: \.nix$
pass_filenames: false pass_filenames: false
- repo: https://github.com/koalaman/shellcheck-precommit
rev: v0.11.0
hooks:
- id: shellcheck
args: [-x, -P, scripts]
- repo: https://github.com/scop/pre-commit-shfmt
rev: v3.12.0-2
hooks:
- id: shfmt
args: [-d]

39
dist/make-seed.sh vendored Executable file
View File

@@ -0,0 +1,39 @@
#!/usr/bin/env bash
set -euo pipefail
usage() {
echo "Usage: make-seed.sh <pubkey-file> [output.iso]"
echo "Creates a seed ISO with the given SSH public key."
exit 1
}
[ "${1:-}" ] || usage
PUBKEY_FILE="$1"
OUTPUT="${2:-seed.iso}"
if [ ! -f "$PUBKEY_FILE" ]; then
echo "error: public key file not found: $PUBKEY_FILE"
exit 1
fi
TMPDIR=$(mktemp -d)
trap 'rm -rf "$TMPDIR"' EXIT
cp "$PUBKEY_FILE" "$TMPDIR/authorized_keys"
if command -v mkisofs >/dev/null 2>&1; then
ISO_CMD="mkisofs"
elif command -v genisoimage >/dev/null 2>&1; then
ISO_CMD="genisoimage"
else
echo "error: mkisofs or genisoimage required"
echo " linux: sudo apt install genisoimage"
echo " macos: brew install cdrtools"
echo " nix: nix shell nixpkgs#cdrtools"
exit 1
fi
"$ISO_CMD" -quiet -V SEEDCONFIG -J -R -o "$OUTPUT" "$TMPDIR"
echo "seed ISO created: $OUTPUT"

149
dist/run.sh vendored Executable file
View File

@@ -0,0 +1,149 @@
#!/usr/bin/env bash
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# defaults
SSH_PORT=2222
MEMORY=8G
CPUS=4
PROJECTS=""
CLAUDE_DIR=""
SSH_KEY=""
SEED_ISO=""
IMAGE=""
usage() {
cat <<EOF
Usage: run.sh <image.qcow2> [options]
Options:
--ssh-key <key.pub> SSH public key (auto-generates seed ISO)
--seed-iso <iso> Pre-built seed ISO (alternative to --ssh-key)
--projects <path> Mount host directory as ~/projects in VM
--claude-dir <path> Mount host .claude directory for auth
--memory <size> VM memory (default: 8G)
--cpus <n> VM CPUs (default: 4)
--ssh-port <port> SSH port forward (default: 2222)
EOF
exit 1
}
[ "${1:-}" ] || usage
IMAGE="$1"
shift
while [ $# -gt 0 ]; do
case "$1" in
--ssh-key) SSH_KEY="$2"; shift 2 ;;
--seed-iso) SEED_ISO="$2"; shift 2 ;;
--projects) PROJECTS="$2"; shift 2 ;;
--claude-dir) CLAUDE_DIR="$2"; shift 2 ;;
--memory) MEMORY="$2"; shift 2 ;;
--cpus) CPUS="$2"; shift 2 ;;
--ssh-port) SSH_PORT="$2"; shift 2 ;;
*) echo "unknown option: $1"; usage ;;
esac
done
if [ ! -f "$IMAGE" ]; then
echo "error: image not found: $IMAGE"
exit 1
fi
# platform and accelerator detection
ACCEL="tcg"
ARCH=$(uname -m)
OS=$(uname -s)
case "$OS" in
Linux)
[ -r /dev/kvm ] && ACCEL="kvm"
;;
Darwin)
ACCEL="hvf"
;;
esac
case "$ARCH" in
x86_64|amd64) QEMU_BIN="qemu-system-x86_64" ;;
aarch64|arm64) QEMU_BIN="qemu-system-aarch64" ;;
*) echo "error: unsupported architecture: $ARCH"; exit 1 ;;
esac
# auto-generate seed ISO from SSH key
CLEANUP_SEED=""
if [ -n "$SSH_KEY" ] && [ -z "$SEED_ISO" ]; then
SEED_ISO=$(mktemp /tmp/seed-XXXXXX.iso)
CLEANUP_SEED="$SEED_ISO"
bash "$SCRIPT_DIR/make-seed.sh" "$SSH_KEY" "$SEED_ISO"
fi
cleanup() {
[ -n "$CLEANUP_SEED" ] && rm -f "$CLEANUP_SEED"
}
trap cleanup EXIT
# build qemu command
QEMU_ARGS=(
"$QEMU_BIN"
-accel "$ACCEL"
-m "$MEMORY"
-smp "$CPUS"
-drive "file=$IMAGE,format=qcow2,snapshot=on"
-nic "user,hostfwd=tcp::${SSH_PORT}-:22"
-nographic
)
# aarch64-specific flags
if [ "$ARCH" = "aarch64" ] || [ "$ARCH" = "arm64" ]; then
QEMU_ARGS+=(-machine virt -cpu host)
# uefi firmware
EFI_CODE=""
for p in \
/opt/homebrew/share/qemu/edk2-aarch64-code.fd \
/usr/local/share/qemu/edk2-aarch64-code.fd \
/usr/share/qemu-efi-aarch64/QEMU_EFI.fd \
/usr/share/AAVMF/AAVMF_CODE.fd; do
[ -f "$p" ] && EFI_CODE="$p" && break
done
if [ -z "$EFI_CODE" ]; then
echo "error: aarch64 EFI firmware not found"
echo " macos: brew install qemu"
echo " linux: apt install qemu-efi-aarch64"
exit 1
fi
QEMU_ARGS+=(-bios "$EFI_CODE")
fi
# seed ISO
if [ -n "$SEED_ISO" ]; then
QEMU_ARGS+=(-drive "file=$SEED_ISO,format=raw,media=cdrom,readonly=on")
fi
# 9p mounts
if [ -n "$PROJECTS" ]; then
QEMU_ARGS+=(
-virtfs "local,path=$PROJECTS,mount_tag=projects,security_model=mapped-xattr,id=fs0"
)
fi
if [ -n "$CLAUDE_DIR" ]; then
QEMU_ARGS+=(
-virtfs "local,path=$CLAUDE_DIR,mount_tag=hostclaude,security_model=mapped-xattr,id=fs1"
)
# also mount parent home for .claude.json
QEMU_ARGS+=(
-virtfs "local,path=$(dirname "$CLAUDE_DIR"),mount_tag=hosthome,security_model=mapped-xattr,id=fs2,readonly=on"
)
fi
echo "---"
echo "SSH: ssh -A -p $SSH_PORT gordaina@localhost"
echo "Password: sandbox"
echo "---"
exec "${QEMU_ARGS[@]}"

22
features/calibre.nix
View File

@@ -1,22 +0,0 @@
{
nixos =
{ pkgs, ... }:
{
environment.systemPackages = [ pkgs.calibre ];
# udev rules for kindle and mtp device access
# NOTE:(@janezicmatej) uses services.udev.packages instead of extraRules
# because extraRules writes to 99-local.rules which is too late for uaccess
# see https://github.com/NixOS/nixpkgs/issues/308681
services.udev.packages = [
pkgs.libmtp
(pkgs.writeTextFile {
name = "kindle-udev-rules";
text = ''
ACTION!="remove", SUBSYSTEM=="usb", ATTRS{idVendor}=="1949", TAG+="uaccess"
'';
destination = "/etc/udev/rules.d/70-kindle.rules";
})
];
};
}

10
features/claude.nix
View File

@@ -1,10 +0,0 @@
{
home =
{ pkgs, ... }:
{
home.packages = [
pkgs.claude-code
pkgs.mcp-nixos
];
};
}

85
features/desktop.nix
View File

@@ -1,85 +0,0 @@
{
nixos =
{ pkgs, inputs, ... }:
{
imports = [ inputs.stylix.nixosModules.stylix ];
# audio
services.pipewire = {
enable = true;
pulse.enable = true;
};
# bluetooth
hardware.bluetooth.enable = true;
services.blueman.enable = true;
security.polkit.enable = true;
services.dbus.enable = true;
services.playerctld.enable = true;
xdg.portal = {
enable = true;
xdgOpenUsePortal = true;
extraPortals = [
pkgs.xdg-desktop-portal-wlr
pkgs.xdg-desktop-portal-gtk
];
};
fonts.packages = with pkgs; [
font-awesome
nerd-fonts.jetbrains-mono
];
# theming
stylix = {
enable = true;
polarity = "dark";
image = "${inputs.assets}/wallpaper.png";
base16Scheme = "${pkgs.base16-schemes}/share/themes/gruvbox-material-dark-medium.yaml";
};
programs.thunderbird.enable = true;
programs._1password.enable = true;
programs._1password-gui.enable = true;
environment.systemPackages = with pkgs; [
easyeffects
ghostty
google-chrome
zathura
pavucontrol
bolt-launcher
libnotify
bibata-cursors
vesktop
rocketchat-desktop
telegram-desktop
slack
jellyfin-media-player
cider-2
mpv
ffmpeg
wf-recorder
wl-mirror
protonmail-bridge
ledger-live-desktop
];
# internal CA
security.pki.certificateFiles = [
inputs.self.outputs.packages.${pkgs.stdenv.hostPlatform.system}.ca-matheo-si
];
xdg.mime.defaultApplications = {
"application/pdf" = "org.pwmt.zathura.desktop";
};
};
home =
{ inputs, ... }:
{
home.file.".assets".source = inputs.assets;
};
}

16
features/dev-registry.nix
View File

@@ -1,16 +0,0 @@
{
nixos =
{ inputs, ... }:
{
nix.registry.dev = {
from = {
type = "indirect";
id = "dev";
};
to = {
type = "path";
path = inputs.self.outPath;
};
};
};
}

30
features/dev.nix
View File

@@ -1,30 +0,0 @@
{
home =
{ pkgs, inputs, ... }:
let
packages = inputs.self.outputs.packages.${pkgs.stdenv.hostPlatform.system};
in
{
home.packages = [
pkgs.git
packages.git-linearize
packages.ggman
pkgs.go
pkgs.python3
pkgs.mdbook
pkgs.marksman
pkgs.mdformat
pkgs.google-cloud-sdk
pkgs.google-cloud-sql-proxy
packages.ahab
pkgs.just
pkgs.presenterm
pkgs.osc
];
programs.direnv = {
enable = true;
nix-direnv.enable = true;
};
};
}

12
features/docker.nix
View File

@@ -1,12 +0,0 @@
{
nixos =
{ user, ... }:
{
virtualisation.docker = {
enable = true;
logDriver = "json-file";
};
users.users.${user}.extraGroups = [ "docker" ];
};
}

9
features/gnupg.nix
View File

@@ -1,9 +0,0 @@
{
nixos = _: {
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
enableExtraSocket = true;
};
};
}

28
features/greeter.nix
View File

@@ -1,28 +0,0 @@
{
nixos =
{ lib, inputs, ... }:
{
programs.regreet = {
enable = true;
# single output to avoid stretching across monitors
cageArgs = [
"-s"
"-m"
"last"
];
font = {
name = lib.mkForce "JetBrainsMono Nerd Font";
size = lib.mkForce 14;
};
settings = {
background = {
path = lib.mkForce "${inputs.assets}/wallpaper.png";
fit = lib.mkForce "Cover";
};
GTK = {
application_prefer_dark_theme = lib.mkForce true;
};
};
};
};
}

75
features/initrd-ssh.nix
View File

@@ -1,75 +0,0 @@
{
nixos =
{ lib, config, ... }:
let
keyDir = "/etc/secrets/initrd";
mkIpString =
{
address,
gateway,
netmask,
interface,
...
}:
"${address}::${gateway}:${netmask}::${interface}:none";
in
{
options = {
initrd-ssh = {
ip = {
enable = lib.mkEnableOption "static IP for initrd (otherwise DHCP)";
address = lib.mkOption {
type = lib.types.str;
};
gateway = lib.mkOption {
type = lib.types.str;
};
netmask = lib.mkOption {
type = lib.types.str;
default = "255.255.255.0";
};
interface = lib.mkOption {
type = lib.types.str;
};
};
authorizedKeys = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
networkModule = lib.mkOption {
type = lib.types.str;
};
};
};
config = {
boot.initrd.kernelModules = [ config.initrd-ssh.networkModule ];
boot.kernelParams = lib.mkIf config.initrd-ssh.ip.enable [
"ip=${mkIpString config.initrd-ssh.ip}"
];
boot.initrd.network = {
enable = true;
ssh = {
enable = true;
port = 22;
hostKeys = [
"${keyDir}/ssh_host_rsa_key"
"${keyDir}/ssh_host_ed25519_key"
];
inherit (config.initrd-ssh) authorizedKeys;
};
postCommands = ''
echo 'cryptsetup-askpass' >> /root/.profile
'';
};
};
};
}

25
features/localisation.nix
View File

@@ -1,25 +0,0 @@
{
nixos =
{ lib, config, ... }:
{
options = {
localisation = {
timeZone = lib.mkOption {
type = lib.types.str;
};
defaultLocale = lib.mkOption {
type = lib.types.str;
};
};
};
config = {
time.timeZone = config.localisation.timeZone;
i18n.defaultLocale = config.localisation.defaultLocale;
# NOTE:(@janezicmatej) some apps (e.g. java) need TZ env var explicitly
environment.variables.TZ = config.localisation.timeZone;
};
};
}

69
features/neovim.nix
View File

@@ -1,69 +0,0 @@
{
home =
{
config,
options,
lib,
pkgs,
inputs,
...
}:
{
options = {
neovim.dotfiles = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
};
};
config = lib.mkMerge [
(lib.optionalAttrs (options ? stylix) {
# disable stylix neovim target when stylix is present (loaded by desktop feature)
stylix.targets.neovim.enable = false;
})
{
xdg.configFile."nvim" = lib.mkIf (config.neovim.dotfiles != null) {
source = config.neovim.dotfiles;
};
programs.neovim = {
enable = true;
vimAlias = true;
defaultEditor = true;
package = inputs.neovim-nightly-overlay.packages.${pkgs.stdenv.hostPlatform.system}.default;
extraPackages = with pkgs; [
gcc
luajit
nodejs_22
tree-sitter
gnumake
osc
fd
ripgrep
bat
delta
pyright
typescript-language-server
lua-language-server
gopls
nil
nixd
nixpkgs-fmt
stylua
];
extraWrapperArgs = [
"--suffix"
"LD_LIBRARY_PATH"
":"
"${lib.makeLibraryPath [ pkgs.stdenv.cc.cc.lib ]}"
];
};
}
];
};
}

9
features/networkmanager.nix
View File

@@ -1,9 +0,0 @@
{
nixos = _: {
networking.networkmanager.enable = true;
networking.nameservers = [
"1.1.1.1"
"8.8.8.8"
];
};
}

5
features/nix-ld.nix
View File

@@ -1,5 +0,0 @@
{
nixos = _: {
programs.nix-ld.enable = true;
};
}

25
features/openssh.nix
View File

@@ -1,25 +0,0 @@
{
nixos =
{ lib, config, ... }:
{
options = {
openssh.port = lib.mkOption {
type = lib.types.port;
default = 22;
};
};
config = {
services.openssh = {
enable = true;
ports = [ config.openssh.port ];
settings = {
PasswordAuthentication = false;
AllowUsers = null;
PermitRootLogin = "no";
StreamLocalBindUnlink = "yes";
};
};
};
};
}

10
features/printing.nix
View File

@@ -1,10 +0,0 @@
{
nixos = _: {
services.printing.enable = true;
services.avahi = {
enable = true;
nssmdns4 = true;
openFirewall = true;
};
};
}

25
features/shell.nix
View File

@@ -1,25 +0,0 @@
{
nixos = _: {
programs.zsh.enable = true;
environment.etc."zshenv".text = ''
export ZDOTDIR=$HOME/.config/zsh
'';
};
home =
{ pkgs, ... }:
{
home.packages = with pkgs; [
starship
fzf
htop
jc
jq
openssl
pv
ripgrep
fd
tmux
];
};
}

10
features/steam.nix
View File

@@ -1,10 +0,0 @@
{
nixos = _: {
programs.steam = {
enable = true;
remotePlay.openFirewall = true;
dedicatedServer.openFirewall = true;
localNetworkGameTransfers.openFirewall = true;
};
};
}

38
features/sway.nix
View File

@@ -1,38 +0,0 @@
{
nixos =
{ pkgs, ... }:
{
programs.sway = {
enable = true;
package = pkgs.swayfx;
wrapperFeatures.gtk = true;
extraSessionCommands = ''
# fix for java awt apps not rendering
export _JAVA_AWT_WM_NONREPARENTING=1
'';
};
environment.systemPackages = with pkgs; [
waybar
mako
wob
playerctl
brightnessctl
foot
grim
pulseaudio
swayidle
swaylock-effects
jq
slurp
wl-clipboard
pamixer
wlsunset
satty
wayland-pipewire-idle-inhibit
fuzzel
cliphist
zenity
];
};
}

8
features/tailscale.nix
View File

@@ -1,8 +0,0 @@
{
nixos = _: {
services.tailscale = {
enable = true;
useRoutingFeatures = "both";
};
};
}

35
features/user-matej.nix
View File

@@ -1,35 +0,0 @@
let
sshKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQGLdINKzs+sEy62Pefng0bcedgU396+OryFgeH99/c janezicmatej"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDk00+Km03epQXQs+xEwwH3zcurACzkEH+kDOPBw6RQe openpgp:0xB095D449"
];
in
{
keys = {
sshAuthorizedKeys = sshKeys;
};
nixos =
{ pkgs, ... }:
{
programs.zsh.enable = true;
users.users.matej = {
uid = 1000;
isNormalUser = true;
home = "/home/matej";
shell = pkgs.zsh;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = sshKeys;
};
users.groups.matej = {
gid = 1000;
members = [ "matej" ];
};
};
home = _: {
home.stateVersion = "24.11";
};
}

72
features/vm-9p-automount.nix
View File

@@ -1,72 +0,0 @@
{
nixos =
{
pkgs,
lib,
config,
...
}:
let
inherit (config.vm-9p-automount) user;
inherit (config.users.users.${user}) home group;
in
{
options = {
vm-9p-automount = {
user = lib.mkOption {
type = lib.types.str;
};
prefix = lib.mkOption {
type = lib.types.str;
default = "m_";
};
basePath = lib.mkOption {
type = lib.types.str;
default = "${home}/mnt";
};
};
};
config = {
systemd.services.vm-9p-automount = {
description = "Auto-discover and mount 9p shares";
after = [
"local-fs.target"
"nss-user-lookup.target"
"systemd-modules-load.service"
];
wants = [ "systemd-modules-load.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = pkgs.writeShellScript "vm-9p-automount" ''
BASE="${config.vm-9p-automount.basePath}"
PREFIX="${config.vm-9p-automount.prefix}"
mkdir -p "$BASE"
chown ${user}:${group} "$BASE"
for tagfile in $(find /sys/devices -name mount_tag 2>/dev/null); do
[ -f "$tagfile" ] || continue
tag=$(tr -d '\0' < "$tagfile")
case "$tag" in
"$PREFIX"*) ;;
*) continue ;;
esac
name="''${tag#"$PREFIX"}"
target="$BASE/$name"
mkdir -p "$target"
${pkgs.util-linux}/bin/mount -t 9p "$tag" "$target" \
-o trans=virtio,version=9p2000.L || continue
done
'';
};
};
};
};
}

47
features/vm-guest.nix
View File

@@ -1,47 +0,0 @@
{
nixos =
{
pkgs,
lib,
config,
...
}:
{
options = {
vm-guest.headless = lib.mkOption {
type = lib.types.bool;
default = false;
};
};
config = {
services.qemuGuest.enable = true;
services.spice-vdagentd.enable = lib.mkIf (!config.vm-guest.headless) true;
boot.kernelParams = lib.mkIf config.vm-guest.headless [ "console=ttyS0,115200" ];
boot.initrd.availableKernelModules = [
"9p"
"9pnet_virtio"
];
boot.kernelModules = [
"9p"
"9pnet_virtio"
];
networking = {
useDHCP = true;
firewall.allowedTCPPorts = [ 22 ];
};
security.sudo.wheelNeedsPassword = false;
environment.systemPackages = with pkgs; [
curl
wget
htop
sshfs
];
};
};
}

12
features/yubikey.nix
View File

@@ -1,12 +0,0 @@
{
nixos =
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
yubikey-personalization
yubikey-manager
];
services.pcscd.enable = true;
};
}

220
flake.lock generated
View File

@@ -84,6 +84,24 @@
"type": "github" "type": "github"
} }
}, },
"claude-code-overlay": {
"inputs": {
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1772252606,
"narHash": "sha256-SiIhFq4XbD3LmODQ2mTtakRBnjBn/KoSgAOId1cL1Ks=",
"owner": "ryoppippi",
"repo": "claude-code-overlay",
"rev": "b1ebf027412136bbbe4202741c3d48721644bc4b",
"type": "github"
},
"original": {
"owner": "ryoppippi",
"repo": "claude-code-overlay",
"type": "github"
}
},
"crane": { "crane": {
"locked": { "locked": {
"lastModified": 1765145449, "lastModified": 1765145449,
@@ -99,26 +117,6 @@
"type": "github" "type": "github"
} }
}, },
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1773889306,
"narHash": "sha256-PAqwnsBSI9SVC2QugvQ3xeYCB0otOwCacB1ueQj2tgw=",
"owner": "nix-community",
"repo": "disko",
"rev": "5ad85c82cc52264f4beddc934ba57f3789f28347",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"firefox-gnome-theme": { "firefox-gnome-theme": {
"flake": false, "flake": false,
"locked": { "locked": {
@@ -152,24 +150,6 @@
} }
}, },
"flake-parts": { "flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1772408722,
"narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
"neovim-nightly-overlay", "neovim-nightly-overlay",
@@ -190,7 +170,7 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts_3": { "flake-parts_2": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
"stylix", "stylix",
@@ -211,6 +191,24 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"fromYaml": { "fromYaml": {
"flake": false, "flake": false,
"locked": { "locked": {
@@ -275,11 +273,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1774274588, "lastModified": 1772380125,
"narHash": "sha256-dnHvv5EMUgTzGZmA+3diYjQU2O6BEpGLEOgJ1Qe9LaY=", "narHash": "sha256-8C+y46xA9bxcchj9GeDPJaRUDApaA3sy2fhJr1bTbUw=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "cf9686ba26f5ef788226843bc31fda4cf72e373b", "rev": "a07a44a839eb036e950bf397d9b782916f8dcab3",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -315,16 +313,16 @@
}, },
"neovim-nightly-overlay": { "neovim-nightly-overlay": {
"inputs": { "inputs": {
"flake-parts": "flake-parts_2", "flake-parts": "flake-parts",
"neovim-src": "neovim-src", "neovim-src": "neovim-src",
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs_2"
}, },
"locked": { "locked": {
"lastModified": 1774483626, "lastModified": 1772409903,
"narHash": "sha256-8VAX9GXNfv4eBj0qBEf/Rc2/E6G0SBEpuo2A5plw34I=", "narHash": "sha256-yue9XaZ7WHOFJmm3DMEmrF536pHwGxTxh/xr0f1MzNU=",
"owner": "nix-community", "owner": "nix-community",
"repo": "neovim-nightly-overlay", "repo": "neovim-nightly-overlay",
"rev": "5deaa19e80e1c0695f7fa8a16e13a704fd08f96e", "rev": "28962d176db883e4fda4b808e220051f376969da",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -336,11 +334,11 @@
"neovim-src": { "neovim-src": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1774472446, "lastModified": 1772353308,
"narHash": "sha256-Hp4A0llEmBvvNuw5uKOz+BA86X7TmXZ1vUK0StiMdVs=", "narHash": "sha256-k/3msPgpWW9CRFIp3nz6hJzV+GArXw4m35c0t6fKJK4=",
"owner": "neovim", "owner": "neovim",
"repo": "neovim", "repo": "neovim",
"rev": "c9e961994b16ed841be43541ef550bf3d3f043ec", "rev": "563f9ef7994a35686419b4524cd772c97960dac1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -349,60 +347,29 @@
"type": "github" "type": "github"
} }
}, },
"nixos-hardware": {
"locked": {
"lastModified": 1774465523,
"narHash": "sha256-4v7HPm63Q90nNn4fgkgKsjW1AH2Klw7XzPtHJr562nM=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "de895be946ad1d8aafa0bb6dfc7e7e0e9e466a29",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "master",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1774273680, "lastModified": 1768127708,
"narHash": "sha256-a++tZ1RQsDb1I0NHrFwdGuRlR5TORvCEUksM459wKUA=", "narHash": "sha256-1Sm77VfZh3mU0F5OqKABNLWxOuDeHIlcFjsXeeiPazs=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "fdc7b8f7b30fdbedec91b71ed82f36e1637483ed", "rev": "ffbc9f8cbaacfb331b6017d5a5abb21a492c9a38",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixpkgs-unstable", "ref": "nixos-unstable",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-lib": {
"locked": {
"lastModified": 1772328832,
"narHash": "sha256-e+/T/pmEkLP6BHhYjx6GmwP5ivonQQn0bJdH9YrRB+Q=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "c185c7a5e5dd8f9add5b2f8ebeff00888b070742",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixpkgs-master": { "nixpkgs-master": {
"locked": { "locked": {
"lastModified": 1774515149, "lastModified": 1772461137,
"narHash": "sha256-avcNAzwJC2lOyMNKVro2u5d6RLGiquXXxQVVmAEQ2+U=", "narHash": "sha256-5MFNMLcDmaXQbdGJVITwFTqJq3IVok4TSR/Oa/DbJys=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "01fcaaa08a9a44ec63c52bf0ee8d9a29593fee07", "rev": "388c66870001909259d1879acd2e3e1108c1854d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -414,11 +381,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1774273680, "lastModified": 1772419343,
"narHash": "sha256-a++tZ1RQsDb1I0NHrFwdGuRlR5TORvCEUksM459wKUA=", "narHash": "sha256-QU3Cd5DJH7dHyMnGEFfPcZDaCAsJQ6tUD+JuUsYqnKU=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "fdc7b8f7b30fdbedec91b71ed82f36e1637483ed", "rev": "93178f6a00c22fcdee1c6f5f9ab92f2072072ea9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -430,11 +397,27 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1774244481, "lastModified": 1772173633,
"narHash": "sha256-4XfMXU0DjN83o6HWZoKG9PegCvKvIhNUnRUI19vzTcQ=", "narHash": "sha256-MOH58F4AIbCkh6qlQcwMycyk5SWvsqnS/TCfnqDlpj4=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "4590696c8693fea477850fe379a01544293ca4e2", "rev": "c0f3d81a7ddbc2b1332be0d8481a672b4f6004d6",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1772047000,
"narHash": "sha256-7DaQVv4R97cii/Qdfy4tmDZMB2xxtyIvNGSwXBBhSmo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "1267bb4920d0fc06ea916734c11b0bf004bbe17e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -469,22 +452,6 @@
"type": "github" "type": "github"
} }
}, },
"nvim": {
"flake": false,
"locked": {
"lastModified": 1773783263,
"narHash": "sha256-lZG4VERlfCwEJpW6C5irkwUxB+JoPVmuV3qOYD9WNYY=",
"ref": "refs/heads/main",
"rev": "a95f1be85c858cb7d1bc0a8506dc9cb01161a3e7",
"revCount": 93,
"type": "git",
"url": "https://git.janezic.dev/janezicmatej/nvim.git"
},
"original": {
"type": "git",
"url": "https://git.janezic.dev/janezicmatej/nvim.git"
}
},
"pre-commit": { "pre-commit": {
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
@@ -511,16 +478,14 @@
"root": { "root": {
"inputs": { "inputs": {
"assets": "assets", "assets": "assets",
"disko": "disko", "claude-code-overlay": "claude-code-overlay",
"flake-parts": "flake-parts", "flake-utils": "flake-utils",
"home-manager": "home-manager", "home-manager": "home-manager",
"lanzaboote": "lanzaboote", "lanzaboote": "lanzaboote",
"neovim-nightly-overlay": "neovim-nightly-overlay", "neovim-nightly-overlay": "neovim-nightly-overlay",
"nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs_3",
"nixpkgs": "nixpkgs_2",
"nixpkgs-master": "nixpkgs-master", "nixpkgs-master": "nixpkgs-master",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"nvim": "nvim",
"stylix": "stylix" "stylix": "stylix"
} }
}, },
@@ -552,13 +517,13 @@
"base16-helix": "base16-helix", "base16-helix": "base16-helix",
"base16-vim": "base16-vim", "base16-vim": "base16-vim",
"firefox-gnome-theme": "firefox-gnome-theme", "firefox-gnome-theme": "firefox-gnome-theme",
"flake-parts": "flake-parts_3", "flake-parts": "flake-parts_2",
"gnome-shell": "gnome-shell", "gnome-shell": "gnome-shell",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"nur": "nur", "nur": "nur",
"systems": "systems", "systems": "systems_2",
"tinted-foot": "tinted-foot", "tinted-foot": "tinted-foot",
"tinted-kitty": "tinted-kitty", "tinted-kitty": "tinted-kitty",
"tinted-schemes": "tinted-schemes", "tinted-schemes": "tinted-schemes",
@@ -566,11 +531,11 @@
"tinted-zed": "tinted-zed" "tinted-zed": "tinted-zed"
}, },
"locked": { "locked": {
"lastModified": 1774194089, "lastModified": 1771788390,
"narHash": "sha256-SCczWhr8y8aaXVHG+gOGcRahNb0BU1Z5zYZuv9W/nA8=", "narHash": "sha256-RzBpBwn93GWxLjacTte+ngwwg0L/BVOg4G/sSIeK3Rw=",
"owner": "danth", "owner": "danth",
"repo": "stylix", "repo": "stylix",
"rev": "7c34241d80ea64dd2039bb3a786fb66b4c6261d9", "rev": "ebb238f14d6f930068be4718472da3105fd5d3bf",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -595,6 +560,21 @@
"type": "github" "type": "github"
} }
}, },
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"tinted-foot": { "tinted-foot": {
"flake": false, "flake": false,
"locked": { "locked": {

129
flake.nix
View File

@@ -6,14 +6,16 @@
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixpkgs-unstable"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixpkgs-unstable";
nixpkgs-master.url = "github:nixos/nixpkgs/master"; nixpkgs-master.url = "github:nixos/nixpkgs/master";
nvim = { # dotfiles = {
url = "git+https://git.janezic.dev/janezicmatej/nvim.git"; # url = "git+https://git.janezic.dev/janezicmatej/.dotfiles.git";
flake = false; # flake = false;
}; # };
# nvim = {
# url = "git+https://git.janezic.dev/janezicmatej/nvim.git?ref=rewrite";
# flake = false;
# };
nixos-hardware.url = "github:NixOS/nixos-hardware/master"; flake-utils.url = "github:numtide/flake-utils";
flake-parts.url = "github:hercules-ci/flake-parts";
home-manager = { home-manager = {
url = "github:nix-community/home-manager/release-25.11"; url = "github:nix-community/home-manager/release-25.11";
@@ -36,43 +38,104 @@
}; };
neovim-nightly-overlay.url = "github:nix-community/neovim-nightly-overlay"; neovim-nightly-overlay.url = "github:nix-community/neovim-nightly-overlay";
claude-code-overlay.url = "github:ryoppippi/claude-code-overlay";
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = outputs =
inputs@{ inputs@{
flake-parts,
nixpkgs, nixpkgs,
self, flake-utils,
... ...
}: }:
flake-parts.lib.mkFlake { inherit inputs; } {
imports = [ let
./flake/overlays.nix my-lib = import ./lib { inherit (nixpkgs) lib; };
./flake/packages.nix
./flake/devshell.nix overlays = [
./flake/hosts.nix (_: prev: {
inherit
(
(import inputs.nixpkgs-unstable {
inherit (prev.stdenv.hostPlatform) system;
config.allowUnfree = true;
})
)
claude-code
;
})
]; ];
systems = [ "x86_64-linux" ]; mkHost = my-lib.mkHost {
inherit
nixpkgs
overlays
inputs
;
};
perSystem = in
{ system, ... }:
{ {
_module.args.pkgs = import nixpkgs { lib = my-lib;
inherit system;
overlays = [ self.overlays.default ]; nixosConfigurations = {
config.allowUnfree = true; matej-nixos = mkHost "matej-nixos" {
}; system = "x86_64-linux";
users = [ "matej" ];
};
matej-tower = mkHost "matej-tower" {
system = "x86_64-linux";
users = [ "matej" ];
}; };
flake = { # nixos-rebuild build-image --image-variant install-iso --flake .#live-iso
lib = import ./lib { inherit (nixpkgs) lib; }; live-iso = mkHost "live-iso" {
system = "x86_64-linux";
users = [ ];
};
# nixos-rebuild build-image --image-variant qemu --flake .#sandbox
sandbox = mkHost "sandbox" {
system = "x86_64-linux";
users = [ "gordaina" ];
};
sandbox-aarch64 = mkHost "sandbox" {
system = "aarch64-linux";
users = [ "gordaina" ];
};
}; };
};
nixosModules = import ./modules/nixos {
inherit my-lib;
inherit (nixpkgs) lib;
} { };
}
// flake-utils.lib.eachDefaultSystem (
system:
let
pkgs = nixpkgs.legacyPackages.${system};
in
{
packages =
import ./packages
{
inherit my-lib;
inherit (nixpkgs) lib;
}
{
pkgs = nixpkgs.legacyPackages.${system};
pkgs-unstable = inputs.nixpkgs-unstable.legacyPackages.${system};
pkgs-master = inputs.nixpkgs-master.legacyPackages.${system};
};
formatter = pkgs.nixfmt-tree;
devShells.default = pkgs.mkShell {
packages = [
pkgs.pre-commit
pkgs.statix
];
};
}
);
} }

107
flake/devshell.nix
View File

@@ -1,107 +0,0 @@
_: {
perSystem =
{ pkgs, lib, ... }:
let
# libraries needed by python native extensions
pythonLibraries = [
pkgs.stdenv.cc.cc.lib
pkgs.zlib
pkgs.openssl
pkgs.curl
];
mkUv = python: {
packages = [
python
pkgs.uv
];
libraries = pythonLibraries;
env = {
UV_PYTHON_DOWNLOADS = "never";
UV_PYTHON_PREFERENCE = "only-system";
UV_PYTHON = "${python}/bin/python";
};
shellHook = ''
unset PYTHONPATH
export UV_PROJECT_ENVIRONMENT="$HOME/.venvs/$(basename "$PWD")-$(echo "$PWD" | md5sum | cut -c1-8)"
'';
};
# composable dev environment components
# each is exposed as its own devShell, layered via `use dev` in .envrc
components = {
uv_10 = mkUv pkgs.python310;
uv_11 = mkUv pkgs.python311;
uv_12 = mkUv pkgs.python312;
uv_13 = mkUv pkgs.python313;
uv_14 = mkUv pkgs.python314;
pg_15 = {
packages = [ pkgs.postgresql_15 ];
};
pg_16 = {
packages = [ pkgs.postgresql_16 ];
};
pg_17 = {
packages = [ pkgs.postgresql_17 ];
};
pg_18 = {
packages = [ pkgs.postgresql_18 ];
};
rust = {
packages = [
pkgs.rustc
pkgs.cargo
pkgs.rust-analyzer
pkgs.openssl
pkgs.pkg-config
];
};
cmake = {
packages = [
pkgs.cmake
pkgs.ninja
];
};
};
mkComponentShell =
component:
let
c = components.${component};
libraries = c.libraries or [ ];
libPath = lib.makeLibraryPath libraries;
in
pkgs.mkShell (
{
packages = c.packages or [ ];
shellHook =
(lib.optionalString (libraries != [ ]) ''
export LD_LIBRARY_PATH="${libPath}''${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
'')
+ (c.shellHook or "");
}
// lib.optionalAttrs (c ? env) { inherit (c) env; }
);
componentShells = lib.mapAttrs (name: _: mkComponentShell name) components;
in
{
formatter = pkgs.nixfmt-tree;
devShells = {
default = pkgs.mkShell {
packages = [
pkgs.pre-commit
pkgs.statix
pkgs.shellcheck
pkgs.shfmt
pkgs.qemu
];
};
}
// componentShells;
};
}

105
flake/hosts.nix
View File

@@ -1,105 +0,0 @@
{ inputs, self, ... }:
let
inherit (inputs) nixpkgs;
my-lib = import ../lib { inherit (nixpkgs) lib; };
mkHost = my-lib.mkHost {
inherit nixpkgs inputs;
overlays = [ self.overlays.default ];
};
in
{
flake.nixosConfigurations = {
fw16 = mkHost "fw16" {
system = "x86_64-linux";
user = "matej";
features = [
"openssh"
"localisation"
"gnupg"
"shell"
"desktop"
"sway"
"greeter"
"printing"
"networkmanager"
"docker"
"tailscale"
"nix-ld"
"yubikey"
"calibre"
"steam"
"dev-registry"
"neovim"
"dev"
"claude"
];
};
tower = mkHost "tower" {
system = "x86_64-linux";
user = "matej";
features = [
"openssh"
"localisation"
"gnupg"
"shell"
"desktop"
"sway"
"greeter"
"printing"
"networkmanager"
"docker"
"tailscale"
"nix-ld"
"yubikey"
"calibre"
"steam"
"initrd-ssh"
"dev-registry"
"neovim"
"dev"
"claude"
];
};
# nixos-rebuild build-image --image-variant install-iso --flake .#iso
iso = mkHost "iso" {
system = "x86_64-linux";
user = "matej";
features = [
"openssh"
];
};
# nix run github:nix-community/nixos-anywhere -- --flake .#floo root@<ip>
floo = mkHost "floo" {
system = "x86_64-linux";
user = "matej";
features = [
"openssh"
"localisation"
"shell"
"tailscale"
];
};
ephvm = mkHost "ephvm" {
system = "x86_64-linux";
user = "matej";
features = [
"openssh"
"localisation"
"gnupg"
"shell"
"vm-guest"
"vm-9p-automount"
"docker"
"neovim"
"claude"
"dev"
];
};
};
}

21
flake/overlays.nix
View File

@@ -1,21 +0,0 @@
{ inputs, ... }:
{
flake.overlays.default =
_: prev:
let
pkgs-unstable = import inputs.nixpkgs-unstable {
inherit (prev.stdenv.hostPlatform) system;
inherit (prev) config;
};
pkgs-master = import inputs.nixpkgs-master {
inherit (prev.stdenv.hostPlatform) system;
inherit (prev) config;
};
in
{
inherit (pkgs-master) claude-code;
# TODO:(@janezicmatej) 2026-03-09 error with stable for telegram-desktop
inherit (pkgs-unstable) telegram-desktop;
};
}

22
flake/packages.nix
View File

@@ -1,22 +0,0 @@
{ inputs, ... }:
let
my-lib = import ../lib { inherit (inputs.nixpkgs) lib; };
in
{
perSystem =
{ pkgs, system, ... }:
{
packages =
import ../packages
{
inherit my-lib;
inherit (inputs.nixpkgs) lib;
}
{
inherit pkgs;
pkgs-unstable = inputs.nixpkgs-unstable.legacyPackages.${system};
pkgs-master = inputs.nixpkgs-master.legacyPackages.${system};
};
};
}

62
hosts/ephvm/configuration.nix
View File

@@ -1,62 +0,0 @@
{
pkgs,
lib,
inputs,
...
}:
{
# no hardware firmware needed in a VM
hardware.enableRedistributableFirmware = lib.mkForce false;
hardware.wirelessRegulatoryDatabase = lib.mkForce false;
documentation.enable = false;
environment.defaultPackages = [ ];
# compressed qcow2, no channel copy
image.modules.qemu =
{ config, modulesPath, ... }:
{
system.build.image = lib.mkForce (
import (modulesPath + "/../lib/make-disk-image.nix") {
inherit lib config pkgs;
inherit (config.virtualisation) diskSize;
inherit (config.image) baseName;
format = "qcow2-compressed";
copyChannel = false;
partitionTableType = "legacy";
}
);
};
vm-guest.headless = true;
vm-9p-automount.user = "matej";
localisation = {
timeZone = "UTC";
defaultLocale = "en_US.UTF-8";
};
home-manager.users.matej = {
neovim.dotfiles = inputs.nvim;
};
# ensure .config exists with correct ownership before automount
systemd.tmpfiles.rules = [ "d /home/matej/.config 0755 matej users -" ];
# writable claude config via 9p
fileSystems."/home/matej/.config/claude" = {
device = "claude";
fsType = "9p";
options = [
"trans=virtio"
"version=9p2000.L"
"nofail"
"x-systemd.automount"
];
};
environment.sessionVariables.CLAUDE_CONFIG_DIR = "/home/matej/.config/claude";
system.stateVersion = "25.11";
}

22
hosts/ephvm/hardware-configuration.nix
View File

@@ -1,22 +0,0 @@
{
lib,
pkgs,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
virtualisation.diskSize = 30720; # 30G
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
autoResize = true;
fsType = "ext4";
};
# image.modules (disk-image.nix) overrides boot loader per variant
boot.loader.grub.device = lib.mkDefault "/dev/vda";
}

37
hosts/floo/configuration.nix
View File

@@ -1,37 +0,0 @@
{ inputs, ... }:
{
imports = [ inputs.disko.nixosModules.disko ];
boot.loader.grub.enable = true;
disko.devices.disk.main = {
type = "disk";
device = "/dev/sda";
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02";
};
root = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
users.users.matej.hashedPassword = "$6$59Z5NIkOYZ3eSElX$FehMGGXQlC040G8eoO42JQDScb7hI04NbdVMAkKYKqVOLTO/.MJxfk8fHypQHrCdtAs67N1bnU2s5H/3zLWhC1";
localisation = {
timeZone = "Europe/Ljubljana";
defaultLocale = "en_US.UTF-8";
};
system.stateVersion = "25.11";
}

37
hosts/floo/hardware-configuration.nix
View File

@@ -1,37 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [
"ahci"
"xhci_pci"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

57
hosts/fw16/configuration.nix
View File

@@ -1,57 +0,0 @@
{
lib,
pkgs,
inputs,
options,
...
}:
{
imports = [
inputs.nixos-hardware.nixosModules.framework-16-amd-ai-300-series
];
localisation = {
timeZone = "Europe/Ljubljana";
defaultLocale = "en_US.UTF-8";
};
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernelParams = [ "pcie_aspm.policy=powersupersave" ];
boot.resumeDevice = "/dev/disk/by-uuid/ff4750e7-3a9f-42c2-bb68-c458a6560540";
services.logind.settings.Login = {
HandleLidSwitch = "suspend-then-hibernate";
HandlePowerKey = "suspend-then-hibernate";
IdleAction = "suspend-then-hibernate";
IdleActionSec = "15min";
};
systemd.sleep.extraConfig = ''
HibernateDelaySec=30min
'';
programs.nix-ld.libraries = options.programs.nix-ld.libraries.default;
services.gnome.gnome-keyring.enable = true;
services.teamviewer.enable = true;
services.hardware.bolt.enable = true;
hardware.keyboard.zsa.enable = true;
hardware.ledger.enable = true;
hardware.bluetooth.powerOnBoot = true;
hardware.inputmodule.enable = true;
# NOTE:(@janezicmatej) disable wakeup for framework input modules to prevent spurious wakes
services.udev.extraRules = lib.mkAfter ''
SUBSYSTEM=="usb", DRIVERS=="usb", ATTRS{idVendor}=="32ac", ATTRS{idProduct}=="0012", ATTR{power/wakeup}="disabled"
SUBSYSTEM=="usb", DRIVERS=="usb", ATTRS{idVendor}=="32ac", ATTRS{idProduct}=="0014", ATTR{power/wakeup}="disabled"
'';
networking.firewall.enable = false;
system.stateVersion = "24.11";
}

11
hosts/iso/configuration.nix
View File

@@ -1,11 +0,0 @@
_: {
image.modules.iso-installer = {
isoImage.squashfsCompression = "zstd -Xcompression-level 6";
};
# live iso: passwordless login and sudo
users.users.matej.initialHashedPassword = "";
security.sudo.wheelNeedsPassword = false;
system.stateVersion = "25.05";
}

49
hosts/live-iso/configuration.nix Normal file
View File

@@ -0,0 +1,49 @@
{
pkgs,
lib,
inputs,
...
}:
let
keys = import ../../users/matej/keys.nix;
in
{
imports = [
inputs.self.nixosModules.openssh
];
openssh.enable = true;
image.modules.iso-installer = {
isoImage.squashfsCompression = "zstd -Xcompression-level 6";
};
fileSystems."/" = lib.mkDefault {
device = "/dev/disk/by-label/nixos";
fsType = "ext4";
};
boot.loader.grub.device = lib.mkDefault "/dev/sda";
networking.firewall.allowedTCPPorts = [ 22 ];
users = {
groups.matej = {
gid = 1000;
};
users.matej = {
group = "matej";
uid = 1000;
isNormalUser = true;
home = "/home/matej";
createHome = true;
password = "burek123";
extraGroups = [
"wheel"
"users"
];
openssh.authorizedKeys.keys = keys.sshAuthorizedKeys;
};
};
system.stateVersion = "25.05";
}

125
hosts/matej-nixos/configuration.nix Normal file
View File

@@ -0,0 +1,125 @@
{
config,
lib,
pkgs,
inputs,
options,
...
}:
let
packages = inputs.self.outputs.packages.${pkgs.stdenv.hostPlatform.system};
in
{
imports = [
inputs.stylix.nixosModules.stylix
inputs.self.nixosModules.yubikey
inputs.self.nixosModules.sway
inputs.self.nixosModules.openssh
inputs.self.nixosModules.desktop
inputs.self.nixosModules.printing
inputs.self.nixosModules.zsh
inputs.self.nixosModules.gnupg
inputs.self.nixosModules.tuigreet
inputs.self.nixosModules.workstation
inputs.self.nixosModules.nvidia
inputs.self.nixosModules.initrd-ssh
inputs.self.nixosModules.localisation
];
yubikey.enable = true;
openssh.enable = true;
desktop.enable = true;
printing.enable = true;
zsh.enable = true;
gnupg.enable = true;
workstation.enable = true;
tuigreet = {
enable = true;
command = "sway";
};
sway = {
enable = true;
cmdFlags = [ "--unsupported-gpu" ];
};
nvidia.enable = true;
initrd-ssh = {
enable = true;
networkModule = "r8169";
ip = {
enable = true;
address = "10.222.0.247";
gateway = "10.222.0.1";
interface = "enp5s0";
};
};
stylix = {
enable = true;
polarity = "dark";
image = "${inputs.assets}/wallpaper.png";
base16Scheme = "${pkgs.base16-schemes}/share/themes/gruvbox-material-dark-medium.yaml";
};
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
localisation = {
enable = true;
timeZone = "Europe/Ljubljana";
defaultLocale = "en_US.UTF-8";
};
# WARN:(@janezicmatej) nix-ld for running pip-installed binaries outside nix, probably want to drop this
programs.nix-ld.enable = true;
programs.nix-ld.libraries = options.programs.nix-ld.libraries.default;
security.pki.certificateFiles = [ packages.ca-matheo-si ];
services.gnome.gnome-keyring.enable = true;
services.teamviewer.enable = true;
programs.thunderbird.enable = true;
programs._1password.enable = true;
programs._1password-gui.enable = true;
programs.firefox.enable = true;
programs.steam = {
enable = true;
remotePlay.openFirewall = true;
dedicatedServer.openFirewall = true;
localNetworkGameTransfers.openFirewall = true;
};
hardware.keyboard.zsa.enable = true;
hardware.ledger.enable = true;
hardware.bluetooth.powerOnBoot = true;
networking = {
hostName = "matej-nixos";
useDHCP = false;
networkmanager.enable = true;
interfaces.enp5s0.ipv4.addresses = [
{
address = "10.222.0.247";
prefixLength = 24;
}
];
firewall.enable = false;
defaultGateway = "10.222.0.1";
nameservers = [
"1.1.1.1"
"8.8.8.8"
];
};
xdg.mime.defaultApplications = {
"application/pdf" = "org.pwmt.zathura.desktop";
};
system.stateVersion = "24.11";
}

6
hosts/fw16/hardware-configuration.nix → hosts/matej-nixos/hardware-configuration.nix
View File

@@ -17,10 +17,8 @@
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [
"nvme" "nvme"
"xhci_pci" "xhci_pci"
"thunderbolt" "ahci"
"usbhid" "usbhid"
"uas"
"sd_mod"
]; ];
boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-amd" ]; boot.kernelModules = [ "kvm-amd" ];
@@ -35,7 +33,7 @@
}; };
fileSystems."/boot" = { fileSystems."/boot" = {
device = "/dev/disk/by-uuid/42D9-FAFD"; device = "/dev/disk/by-uuid/7151-CE52";
fsType = "vfat"; fsType = "vfat";
options = [ options = [
"fmask=0022" "fmask=0022"

91
hosts/matej-tower/configuration.nix Normal file
View File

@@ -0,0 +1,91 @@
{
config,
lib,
pkgs,
inputs,
options,
...
}:
{
networking.hostName = "matej-tower";
imports = [
inputs.stylix.nixosModules.stylix
inputs.lanzaboote.nixosModules.lanzaboote
inputs.self.nixosModules.yubikey
inputs.self.nixosModules.sway
inputs.self.nixosModules.openssh
inputs.self.nixosModules.desktop
inputs.self.nixosModules.printing
inputs.self.nixosModules.zsh
inputs.self.nixosModules.gnupg
inputs.self.nixosModules.tuigreet
inputs.self.nixosModules.workstation
inputs.self.nixosModules.initrd-ssh
inputs.self.nixosModules.localisation
];
yubikey.enable = true;
openssh.enable = true;
desktop.enable = true;
printing.enable = true;
zsh.enable = true;
gnupg.enable = true;
workstation.enable = true;
tuigreet = {
enable = true;
command = "sway";
};
sway.enable = true;
initrd-ssh = {
enable = true;
networkModule = "r8169";
};
stylix = {
enable = true;
polarity = "dark";
image = "${inputs.assets}/wallpaper.png";
base16Scheme = "${pkgs.base16-schemes}/share/themes/gruvbox-material-dark-medium.yaml";
};
# lanzaboote secure boot
boot.kernelParams = [ "btusb.reset=1" ];
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote = {
enable = true;
pkiBundle = "/var/lib/sbctl";
};
localisation = {
enable = true;
timeZone = "Europe/Ljubljana";
defaultLocale = "en_US.UTF-8";
};
services.udisks2.enable = true;
programs._1password.enable = true;
programs._1password-gui.enable = true;
# higher sample rate for audio equipment
services.pipewire.extraConfig.pipewire.adjust-sample-rate = {
"context.properties" = {
"default.clock.rate" = 192000;
"default.allowed-rates" = [ 192000 ];
};
};
environment.systemPackages = with pkgs; [
easyeffects
];
xdg.mime.defaultApplications = {
"application/pdf" = "org.pwmt.zathura.desktop";
};
system.stateVersion = "25.05";
}

0
hosts/tower/hardware-configuration.nix → hosts/matej-tower/hardware-configuration.nix
View File

128
hosts/sandbox/configuration.nix Normal file
View File

@@ -0,0 +1,128 @@
{
pkgs,
lib,
inputs,
config,
...
}:
{
imports = [
./hardware-configuration.nix
inputs.self.nixosModules.vm-guest
inputs.self.nixosModules.seed-ssh
inputs.self.nixosModules.zsh
inputs.self.nixosModules.localisation
];
vm-guest = {
enable = true;
headless = true;
};
seed-ssh = {
enable = true;
user = "gordaina";
};
zsh.enable = true;
localisation = {
enable = true;
timeZone = "UTC";
defaultLocale = "en_US.UTF-8";
};
users = {
groups.gordaina = {
gid = 1000;
};
users.gordaina = {
group = "gordaina";
uid = 1000;
isNormalUser = true;
home = "/home/gordaina";
createHome = true;
password = "sandbox";
shell = pkgs.zsh;
extraGroups = [
"wheel"
"users"
];
};
};
# 9p mounts — silently fail if shares not provided at runtime
fileSystems."/home/gordaina/projects" = {
device = "projects";
fsType = "9p";
options = [
"trans=virtio"
"version=9p2000.L"
"msize=65536"
"nofail"
"x-systemd.automount"
"x-systemd.device-timeout=2s"
];
};
fileSystems."/mnt/host-claude" = {
device = "hostclaude";
fsType = "9p";
options = [
"trans=virtio"
"version=9p2000.L"
"msize=65536"
"nofail"
"x-systemd.automount"
"x-systemd.device-timeout=2s"
];
};
fileSystems."/mnt/host-home" = {
device = "hosthome";
fsType = "9p";
options = [
"trans=virtio"
"version=9p2000.L"
"msize=65536"
"nofail"
"x-systemd.automount"
"x-systemd.device-timeout=2s"
"ro"
];
};
# pre-auth claude-code from host config
systemd.services.claude-auth = {
description = "Copy claude-code credentials from host mount";
after = [ "local-fs.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = pkgs.writeShellScript "claude-auth" ''
# skip if host mounts are not available
if ! mountpoint -q /mnt/host-claude && ! mountpoint -q /mnt/host-home; then
echo "no host mounts found, skipping"
exit 0
fi
mkdir -p /home/gordaina/.claude
if mountpoint -q /mnt/host-claude; then
cp -a /mnt/host-claude/. /home/gordaina/.claude/
fi
if mountpoint -q /mnt/host-home; then
cp /mnt/host-home/.claude.json /home/gordaina/.claude.json || true
fi
chown -R gordaina:gordaina /home/gordaina/.claude /home/gordaina/.claude.json 2>/dev/null || true
'';
};
};
environment.systemPackages = with pkgs; [
claude-code
git
];
system.stateVersion = "25.11";
}

23
hosts/sandbox/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,23 @@
{
lib,
pkgs,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
autoResize = true;
fsType = "ext4";
};
# x86_64: bios/grub, aarch64: uefi/systemd-boot
boot.loader.grub.device = lib.mkIf pkgs.stdenv.hostPlatform.isx86_64 (lib.mkDefault "/dev/vda");
boot.loader.grub.enable = lib.mkIf pkgs.stdenv.hostPlatform.isAarch64 false;
boot.loader.systemd-boot.enable = lib.mkIf pkgs.stdenv.hostPlatform.isAarch64 true;
boot.loader.efi.canTouchEfiVariables = lib.mkIf pkgs.stdenv.hostPlatform.isAarch64 true;
}

43
hosts/tower/configuration.nix
View File

@@ -1,43 +0,0 @@
{
lib,
inputs,
userKeys,
...
}:
{
imports = [
inputs.lanzaboote.nixosModules.lanzaboote
];
localisation = {
timeZone = "Europe/Ljubljana";
defaultLocale = "en_US.UTF-8";
};
initrd-ssh = {
networkModule = "r8169";
authorizedKeys = userKeys.sshAuthorizedKeys;
};
# lanzaboote secure boot
boot.kernelParams = [ "btusb.reset=1" ];
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote = {
enable = true;
pkiBundle = "/var/lib/sbctl";
};
services.udisks2.enable = true;
# higher sample rate for audio equipment
services.pipewire.extraConfig.pipewire.adjust-sample-rate = {
"context.properties" = {
"default.clock.rate" = 192000;
"default.allowed-rates" = [ 192000 ];
};
};
system.stateVersion = "25.05";
}

34
justfile
View File

@@ -3,8 +3,8 @@ default:
@just --list @just --list
# rebuild and switch # rebuild and switch
switch config="": switch:
nixos-rebuild switch --flake .{{ if config != "" { "#" + config } else { "" } }} --sudo nixos-rebuild switch --flake . --sudo
# fetch flake inputs # fetch flake inputs
sync: sync:
@@ -31,24 +31,20 @@ build:
# build installation iso # build installation iso
iso: iso:
nixos-rebuild build-image --image-variant iso-installer --flake .#iso nixos-rebuild build-image --image-variant iso-installer --flake .#live-iso
# run ephemeral VM
ephvm *ARGS:
bash scripts/ephvm-run.sh {{ARGS}}
# ssh into running ephemeral VM
ephvm-ssh port="2222":
ssh -p {{port}} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null matej@localhost
# provision a host with nixos-anywhere
provision host ip:
nix run github:nix-community/nixos-anywhere -- --flake .#{{host}} --generate-hardware-config nixos-generate-config ./hosts/{{host}}/hardware-configuration.nix root@{{ip}}
# deploy config to a remote host
deploy host remote=host:
nixos-rebuild switch --flake .#{{host}} --target-host {{remote}} --sudo --ask-sudo-password
# garbage collect old generations # garbage collect old generations
clean: clean:
sudo nix-collect-garbage $(nix eval --raw -f ./nix.nix nix.gc.options) sudo nix-collect-garbage $(nix eval --raw -f ./nix.nix nix.gc.options)
# build sandbox VM image
sandbox-build:
nixos-rebuild build-image --image-variant qemu --flake .#sandbox
# run sandbox VM
sandbox-run *ARGS:
bash dist/run.sh $(find -L result -name '*.qcow2' | head -1) {{ARGS}}
# ssh into running sandbox
sandbox-ssh:
ssh -A -p 2222 gordaina@localhost

53
lib/mkHost.nix
View File

@@ -7,48 +7,20 @@
name: name:
{ {
system, system,
user ? null, users ? [ ],
features ? [ ],
}: }:
let let
inherit (nixpkgs) lib;
hasUser = user != null;
# path helpers
featurePath = f: ../features/${f}.nix;
userFeaturePath = u: ../features/user-${u}.nix;
hostConfig = ../hosts/${name}/configuration.nix; hostConfig = ../hosts/${name}/configuration.nix;
hostHWConfig = ../hosts/${name}/hardware-configuration.nix; hostHWConfig = ../hosts/${name}/hardware-configuration.nix;
hasHWConfig = builtins.pathExists hostHWConfig;
# load feature with path check userNixosConfigs = map (user: ../users/${user}/nixos.nix) (
loadFeature = builtins.filter (user: builtins.pathExists ../users/${user}/nixos.nix) users
f: );
assert
builtins.pathExists (featurePath f)
|| throw "feature '${f}' not found at ${toString (featurePath f)}";
import (featurePath f);
loadedFeatures = map loadFeature features; userHMConfigs = nixpkgs.lib.genAttrs users (user: import ../users/${user}/home-manager.nix);
# load user feature with path check
userFeature =
if hasUser then
assert
builtins.pathExists (userFeaturePath user)
|| throw "user feature 'user-${user}' not found at ${toString (userFeaturePath user)}";
import (userFeaturePath user)
else
null;
allFeatures = loadedFeatures ++ lib.optional (userFeature != null) userFeature;
# extract keys from user feature for specialArgs
userKeys = if userFeature != null then (userFeature.keys or { }) else { };
# collect nixos and home modules from all features
nixosMods = map (f: f.nixos) (builtins.filter (f: f ? nixos) allFeatures);
homeMods = map (f: f.home) (builtins.filter (f: f ? home) allFeatures);
in in
nixpkgs.lib.nixosSystem { nixpkgs.lib.nixosSystem {
inherit system; inherit system;
@@ -57,23 +29,20 @@ nixpkgs.lib.nixosSystem {
{ nixpkgs.overlays = overlays; } { nixpkgs.overlays = overlays; }
{ nixpkgs.config.allowUnfree = true; } { nixpkgs.config.allowUnfree = true; }
{ networking.hostName = name; }
hostConfig hostConfig
] ]
++ lib.optional (builtins.pathExists hostHWConfig) hostHWConfig ++ nixpkgs.lib.optional hasHWConfig hostHWConfig
++ nixosMods ++ userNixosConfigs
++ lib.optionals hasUser [ ++ [
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
{ {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
home-manager.backupFileExtension = "backup"; home-manager.backupFileExtension = "backup";
home-manager.users.${user}.imports = homeMods; home-manager.users = userHMConfigs;
home-manager.extraSpecialArgs = { inherit inputs; }; home-manager.extraSpecialArgs = { inherit inputs; };
} }
]; ];
specialArgs = { specialArgs = { inherit inputs; };
inherit inputs userKeys user;
};
} }

1
modules/nixos/default.nix Normal file
View File

@@ -0,0 +1 @@
{ lib, my-lib }: args: (my-lib.autoDir ./.)

44
modules/nixos/desktop.nix Normal file
View File

@@ -0,0 +1,44 @@
{
lib,
config,
pkgs,
...
}:
{
options = {
desktop = {
enable = lib.mkEnableOption "base desktop environment";
};
};
config = lib.mkIf config.desktop.enable {
services.pipewire = {
enable = true;
pulse.enable = true;
};
hardware.bluetooth.enable = true;
services.blueman.enable = true;
security.polkit.enable = true;
services.dbus.enable = true;
services.playerctld.enable = true;
xdg.portal = {
enable = true;
xdgOpenUsePortal = true;
extraPortals = [
pkgs.xdg-desktop-portal-wlr
pkgs.xdg-desktop-portal-gtk
];
};
fonts.packages = with pkgs; [
font-awesome
nerd-fonts.jetbrains-mono
maple-mono.NF
];
};
}

20
modules/nixos/gnupg.nix Normal file
View File

@@ -0,0 +1,20 @@
{
lib,
config,
...
}:
{
options = {
gnupg = {
enable = lib.mkEnableOption "GnuPG agent with SSH support";
};
};
config = lib.mkIf config.gnupg.enable {
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
enableExtraSocket = true;
};
};
}

86
modules/nixos/initrd-ssh.nix Normal file
View File

@@ -0,0 +1,86 @@
{
lib,
config,
...
}:
let
# TODO:(@janezicmatej) restructure keys import
keys = import ../../users/matej/keys.nix;
# generate host keys for new machines: ./scripts/initrd-ssh-keygen.sh
keyDir = "/etc/secrets/initrd";
mkIpString =
{
address,
gateway,
netmask,
interface,
...
}:
"${address}::${gateway}:${netmask}::${interface}:none";
in
{
options = {
initrd-ssh = {
enable = lib.mkEnableOption "SSH in initrd for remote LUKS unlock";
ip = {
enable = lib.mkEnableOption "static IP for initrd (otherwise DHCP)";
address = lib.mkOption {
type = lib.types.str;
example = "10.222.0.247";
};
gateway = lib.mkOption {
type = lib.types.str;
example = "10.222.0.1";
};
netmask = lib.mkOption {
type = lib.types.str;
default = "255.255.255.0";
};
interface = lib.mkOption {
type = lib.types.str;
example = "enp5s0";
};
};
authorizedKeys = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = keys.sshAuthorizedKeys;
};
networkModule = lib.mkOption {
type = lib.types.str;
example = "r8169";
};
};
};
config = lib.mkIf config.initrd-ssh.enable {
boot.initrd.kernelModules = [ config.initrd-ssh.networkModule ];
boot.kernelParams = lib.mkIf config.initrd-ssh.ip.enable [
"ip=${mkIpString config.initrd-ssh.ip}"
];
boot.initrd.network = {
enable = true;
ssh = {
enable = true;
port = 22;
hostKeys = [
"${keyDir}/ssh_host_rsa_key"
"${keyDir}/ssh_host_ed25519_key"
];
inherit (config.initrd-ssh) authorizedKeys;
};
postCommands = ''
echo 'cryptsetup-askpass' >> /root/.profile
'';
};
};
}

28
modules/nixos/localisation.nix Normal file
View File

@@ -0,0 +1,28 @@
{
lib,
config,
...
}:
{
options = {
localisation = {
enable = lib.mkEnableOption "localisation defaults";
timeZone = lib.mkOption {
type = lib.types.str;
};
defaultLocale = lib.mkOption {
type = lib.types.str;
};
};
};
config = lib.mkIf config.localisation.enable {
time.timeZone = config.localisation.timeZone;
i18n.defaultLocale = config.localisation.defaultLocale;
# NOTE:(@janezicmatej) some apps (e.g. java) need TZ env var explicitly
environment.variables.TZ = config.localisation.timeZone;
};
}

23
modules/nixos/nvidia.nix Normal file
View File

@@ -0,0 +1,23 @@
{
lib,
config,
...
}:
{
options = {
nvidia.enable = lib.mkEnableOption "NVIDIA GPU support";
};
config = lib.mkIf config.nvidia.enable {
hardware.graphics.enable = true;
services.xserver.videoDrivers = [ "nvidia" ];
hardware.nvidia = {
modesetting.enable = true;
open = true;
nvidiaSettings = true;
package = config.boot.kernelPackages.nvidiaPackages.stable;
};
};
}

29
modules/nixos/openssh.nix Normal file
View File

@@ -0,0 +1,29 @@
{
lib,
config,
...
}:
{
options = {
openssh = {
enable = lib.mkEnableOption "hardened SSH server";
port = lib.mkOption {
type = lib.types.port;
default = 22;
};
};
};
config = lib.mkIf config.openssh.enable {
services.openssh = {
enable = true;
ports = [ config.openssh.port ];
settings = {
PasswordAuthentication = false;
AllowUsers = null;
PermitRootLogin = "no";
StreamLocalBindUnlink = "yes";
};
};
};
}

21
modules/nixos/printing.nix Normal file
View File

@@ -0,0 +1,21 @@
{
lib,
config,
...
}:
{
options = {
printing = {
enable = lib.mkEnableOption "CUPS printing with Avahi discovery";
};
};
config = lib.mkIf config.printing.enable {
services.printing.enable = true;
services.avahi = {
enable = true;
nssmdns4 = true;
openFirewall = true;
};
};
}

61
modules/nixos/seed-ssh.nix Normal file
View File

@@ -0,0 +1,61 @@
{
pkgs,
lib,
config,
...
}:
{
options = {
seed-ssh = {
enable = lib.mkEnableOption "SSH key injection from seed ISO";
user = lib.mkOption {
type = lib.types.str;
description = "user to install authorized_keys for";
};
label = lib.mkOption {
type = lib.types.str;
default = "SEEDCONFIG";
description = "volume label of the seed ISO";
};
};
};
config = lib.mkIf config.seed-ssh.enable {
systemd.services.seed-ssh = {
description = "Install SSH authorized_keys from seed ISO";
after = [ "local-fs.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart =
let
cfg = config.seed-ssh;
inherit (cfg) user;
inherit (config.users.users.${user}) home;
in
pkgs.writeShellScript "seed-ssh" ''
DEVICE="/dev/disk/by-label/${cfg.label}"
if [ ! -e "$DEVICE" ]; then
echo "seed ISO not found, skipping"
exit 0
fi
MOUNT=$(mktemp -d)
mount -o ro "$DEVICE" "$MOUNT"
mkdir -p "${home}/.ssh"
cp "$MOUNT/authorized_keys" "${home}/.ssh/authorized_keys"
chmod 700 "${home}/.ssh"
chmod 600 "${home}/.ssh/authorized_keys"
chown -R ${user}:${user} "${home}/.ssh"
umount "$MOUNT"
rmdir "$MOUNT"
'';
};
};
};
}

51
modules/nixos/sway.nix Normal file
View File

@@ -0,0 +1,51 @@
{
pkgs,
lib,
config,
...
}:
{
options = {
sway = {
enable = lib.mkEnableOption "enable sway module";
cmdFlags = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
};
};
config = lib.mkIf config.sway.enable {
programs.sway = {
enable = true;
package = pkgs.swayfx;
wrapperFeatures.gtk = true;
extraOptions = config.sway.cmdFlags;
extraSessionCommands = ''
# fix for java awt apps not rendering
export _JAVA_AWT_WM_NONREPARENTING=1
'';
};
environment.systemPackages = with pkgs; [
brightnessctl
foot
grim
pulseaudio
swayidle
# use swaylock-effects instead of swaylock
swaylock-effects
wmenu
slurp
wofi
wl-clipboard
wob
pamixer
wlsunset
flameshot
waybar
wayland-pipewire-idle-inhibit
];
};
}

33
modules/nixos/tuigreet.nix Normal file
View File

@@ -0,0 +1,33 @@
{
lib,
config,
pkgs,
...
}:
{
options = {
tuigreet = {
enable = lib.mkEnableOption "greetd with tuigreet";
command = lib.mkOption {
type = lib.types.str;
};
};
};
config = lib.mkIf config.tuigreet.enable {
services.greetd = {
enable = true;
useTextGreeter = true;
settings = {
default_session = {
command = pkgs.writeShellScript "tuigreet-session" ''
${pkgs.util-linux}/bin/setterm --blank 1 --powersave powerdown --powerdown 1
exec ${pkgs.tuigreet}/bin/tuigreet --time --remember --cmd ${config.tuigreet.command}
'';
user = "greeter";
};
};
};
};
}

62
modules/nixos/vm-guest.nix Normal file
View File

@@ -0,0 +1,62 @@
{
pkgs,
lib,
config,
...
}:
{
options = {
vm-guest = {
enable = lib.mkEnableOption "VM guest configuration";
headless = lib.mkOption {
type = lib.types.bool;
default = false;
description = "run without display, serial console only";
};
};
};
config = lib.mkIf config.vm-guest.enable {
services.qemuGuest.enable = true;
services.spice-vdagentd.enable = lib.mkIf (!config.vm-guest.headless) true;
boot.kernelParams = lib.mkIf config.vm-guest.headless [ "console=ttyS0,115200" ];
# 9p for host file mounting
boot.initrd.availableKernelModules = [
"9p"
"9pnet_virtio"
];
boot.kernelModules = [
"9p"
"9pnet_virtio"
];
# ssh with agent forwarding for git and hot-mount
services.openssh = {
enable = true;
ports = [ 22 ];
settings = {
PasswordAuthentication = true;
PermitRootLogin = "no";
AllowAgentForwarding = true;
StreamLocalBindUnlink = "yes";
};
};
networking = {
useDHCP = true;
firewall.allowedTCPPorts = [ 22 ];
};
security.sudo.wheelNeedsPassword = false;
environment.systemPackages = with pkgs; [
curl
wget
htop
sshfs
];
};
}

29
modules/nixos/workstation.nix Normal file
View File

@@ -0,0 +1,29 @@
{
lib,
config,
pkgs,
...
}:
{
options = {
workstation = {
enable = lib.mkEnableOption "workstation utilities";
};
};
config = lib.mkIf config.workstation.enable {
virtualisation.docker = {
enable = true;
logDriver = "json-file";
};
services.tailscale = {
enable = true;
useRoutingFeatures = "both";
};
environment.systemPackages = with pkgs; [
smartmontools
];
};
}

23
modules/nixos/yubikey.nix Normal file
View File

@@ -0,0 +1,23 @@
{
pkgs,
lib,
config,
...
}:
{
options = {
yubikey = {
enable = lib.mkEnableOption "enable yubikey module";
};
};
config = lib.mkIf config.yubikey.enable {
environment.systemPackages = with pkgs; [
yubikey-personalization
yubikey-manager
];
services.pcscd.enable = true;
};
}

19
modules/nixos/zsh.nix Normal file
View File

@@ -0,0 +1,19 @@
{
lib,
config,
...
}:
{
options = {
zsh = {
enable = lib.mkEnableOption "zsh with ZDOTDIR in ~/.config/zsh";
};
};
config = lib.mkIf config.zsh.enable {
programs.zsh.enable = true;
environment.etc."zshenv".text = ''
export ZDOTDIR=$HOME/.config/zsh
'';
};
}

14
packages/ahab/package.nix
View File

@@ -19,20 +19,6 @@ pkgs.rustPlatform.buildRustPackage {
buildType = "debug"; buildType = "debug";
nativeBuildInputs = [ pkgs.installShellFiles ];
preBuild = ''
mkdir -p completions
'';
SHELL_COMPLETIONS_DIR = "completions";
postInstall = ''
installShellCompletion --bash completions/ahab.bash
installShellCompletion --zsh completions/_ahab
installShellCompletion --fish completions/ahab.fish
'';
meta = { meta = {
description = "ahab"; description = "ahab";
homepage = "https://git.janezic.dev/janezicmatej/ahab"; homepage = "https://git.janezic.dev/janezicmatej/ahab";

91
packages/ahab/update.sh
View File

@@ -1,6 +1,5 @@
#!/usr/bin/env nix-shell #!/usr/bin/env nix-shell
#!nix-shell -i bash -p curl jq nix-prefetch #!nix-shell -i bash -p curl jq nix-prefetch
# shellcheck shell=bash
set -euo pipefail set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
@@ -10,62 +9,54 @@ PKG_FILE="$SCRIPT_DIR/package.nix"
cd "$ROOT_DIR" cd "$ROOT_DIR"
extract_hash() { extract_hash() {
sed 's/\x1b\[[0-9;]*m//g' | grep 'got:' | tail -1 | grep -oP 'sha256-[A-Za-z0-9+/]+=' sed 's/\x1b\[[0-9;]*m//g' | grep 'got:' | tail -1 | grep -oP 'sha256-[A-Za-z0-9+/]+='
} }
main() { echo "fetching latest version..."
echo "fetching latest version..." LATEST=$(curl -sf "https://git.janezic.dev/api/v1/repos/janezicmatej/ahab/tags?limit=1" | jq -r '.[0].name')
local latest current CURRENT=$(grep 'version = ' "$PKG_FILE" | head -1 | sed 's/.*"\(.*\)".*/\1/')
latest=$(curl -sf "https://git.janezic.dev/api/v1/repos/janezicmatej/ahab/tags?limit=1" | jq -r '.[0].name')
current=$(grep 'version = ' "$PKG_FILE" | head -1 | sed 's/.*"\(.*\)".*/\1/')
if [[ "$current" == "$latest" ]]; then if [[ "$CURRENT" == "$LATEST" ]]; then
echo "ahab already at $latest" echo "ahab already at $LATEST"
return 0 exit 0
fi fi
echo "updating ahab: $current -> $latest" echo "updating ahab: $CURRENT -> $LATEST"
echo " prefetching source..." echo " prefetching source..."
local base32 src_hash BASE32=$(nix-prefetch-url --unpack "https://git.janezic.dev/janezicmatej/ahab/archive/${LATEST}.tar.gz" 2>/dev/null)
base32=$(nix-prefetch-url --unpack "https://git.janezic.dev/janezicmatej/ahab/archive/${latest}.tar.gz" 2>/dev/null) SRC_HASH=$(nix hash convert --to sri "sha256:$BASE32")
src_hash=$(nix hash convert --to sri "sha256:$base32") echo " source: $SRC_HASH"
echo " source: $src_hash"
echo " computing cargo hash..." echo " computing cargo hash..."
local build_output cargo_hash BUILD_OUTPUT=$(nix build --no-link --impure --expr "
build_output=$(nix build --no-link --impure --expr " let
let pkgs = (builtins.getFlake \"path:$ROOT_DIR\").inputs.nixpkgs.legacyPackages.\${builtins.currentSystem};
pkgs = (builtins.getFlake \"path:$ROOT_DIR\").inputs.nixpkgs.legacyPackages.\${builtins.currentSystem}; in pkgs.rustPlatform.fetchCargoVendor {
in pkgs.rustPlatform.fetchCargoVendor { src = pkgs.fetchFromGitea {
src = pkgs.fetchFromGitea { domain = \"git.janezic.dev\";
domain = \"git.janezic.dev\"; owner = \"janezicmatej\";
owner = \"janezicmatej\"; repo = \"ahab\";
repo = \"ahab\"; rev = \"$LATEST\";
rev = \"$latest\"; hash = \"$SRC_HASH\";
hash = \"$src_hash\"; };
}; hash = \"\";
hash = \"\"; }
} " 2>&1) || true
" 2>&1) || true CARGO_HASH=$(echo "$BUILD_OUTPUT" | extract_hash) || true
cargo_hash=$(echo "$build_output" | extract_hash) || true
if [[ -z "$cargo_hash" ]]; then if [[ -z "$CARGO_HASH" ]]; then
echo "error: failed to compute cargo hash" >&2 echo " error: failed to compute cargo hash"
echo "$build_output" >&2 echo "$BUILD_OUTPUT"
exit 1 exit 1
fi fi
echo " cargo: $cargo_hash" echo " cargo: $CARGO_HASH"
local old_src old_cargo OLD_SRC=$(grep 'sha256 = ' "$PKG_FILE" | grep -oP 'sha256-[A-Za-z0-9+/]+=')
old_src=$(grep 'sha256 = ' "$PKG_FILE" | grep -oP 'sha256-[A-Za-z0-9+/]+=') OLD_CARGO=$(grep 'cargoHash = ' "$PKG_FILE" | grep -oP 'sha256-[A-Za-z0-9+/]+=')
old_cargo=$(grep 'cargoHash = ' "$PKG_FILE" | grep -oP 'sha256-[A-Za-z0-9+/]+=')
sed -i "s|version = \"$current\"|version = \"$latest\"|" "$PKG_FILE" sed -i "s|version = \"$CURRENT\"|version = \"$LATEST\"|" "$PKG_FILE"
sed -i "s|$old_src|$src_hash|" "$PKG_FILE" sed -i "s|$OLD_SRC|$SRC_HASH|" "$PKG_FILE"
sed -i "s|$old_cargo|$cargo_hash|" "$PKG_FILE" sed -i "s|$OLD_CARGO|$CARGO_HASH|" "$PKG_FILE"
echo "ahab updated to $latest" echo "ahab updated to $LATEST"
}
main "$@"

9
packages/ggman/package.nix
View File

@@ -26,15 +26,6 @@ pkgs.buildGoModule.override
"-X go.tkw01536.de/ggman.buildVersion=${version}" "-X go.tkw01536.de/ggman.buildVersion=${version}"
]; ];
nativeBuildInputs = [ pkgs.installShellFiles ];
postInstall = ''
installShellCompletion --cmd ggman \
--bash <($out/bin/ggman completion bash) \
--zsh <($out/bin/ggman completion zsh) \
--fish <($out/bin/ggman completion fish)
'';
meta = { meta = {
description = "Manager for all your local git repositories"; description = "Manager for all your local git repositories";
homepage = "https://github.com/tkw1536/ggman"; homepage = "https://github.com/tkw1536/ggman";

93
packages/ggman/update.sh
View File

@@ -1,6 +1,5 @@
#!/usr/bin/env nix-shell #!/usr/bin/env nix-shell
#!nix-shell -i bash -p curl jq nix-prefetch #!nix-shell -i bash -p curl jq nix-prefetch
# shellcheck shell=bash
set -euo pipefail set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
@@ -10,63 +9,55 @@ PKG_FILE="$SCRIPT_DIR/package.nix"
cd "$ROOT_DIR" cd "$ROOT_DIR"
extract_hash() { extract_hash() {
sed 's/\x1b\[[0-9;]*m//g' | grep 'got:' | tail -1 | grep -oP 'sha256-[A-Za-z0-9+/]+=' sed 's/\x1b\[[0-9;]*m//g' | grep 'got:' | tail -1 | grep -oP 'sha256-[A-Za-z0-9+/]+='
} }
main() { echo "fetching latest tag..."
echo "fetching latest tag..." LATEST=$(curl -sf "https://api.github.com/repos/tkw1536/ggman/tags?per_page=1" | jq -r '.[0].name')
local latest current CURRENT=$(grep 'version = ' "$PKG_FILE" | head -1 | sed 's/.*"\(.*\)".*/\1/')
latest=$(curl -sf "https://api.github.com/repos/tkw1536/ggman/tags?per_page=1" | jq -r '.[0].name')
current=$(grep 'version = ' "$PKG_FILE" | head -1 | sed 's/.*"\(.*\)".*/\1/')
if [[ "$current" == "$latest" ]]; then if [[ "$CURRENT" == "$LATEST" ]]; then
echo "ggman already at $latest" echo "ggman already at $LATEST"
return 0 exit 0
fi fi
echo "updating ggman: $current -> $latest" echo "updating ggman: $CURRENT -> $LATEST"
echo " prefetching source..." echo " prefetching source..."
local base32 src_hash BASE32=$(nix-prefetch-url --unpack "https://github.com/tkw1536/ggman/archive/${LATEST}.tar.gz" 2>/dev/null)
base32=$(nix-prefetch-url --unpack "https://github.com/tkw1536/ggman/archive/${latest}.tar.gz" 2>/dev/null) SRC_HASH=$(nix hash convert --to sri "sha256:$BASE32")
src_hash=$(nix hash convert --to sri "sha256:$base32") echo " source: $SRC_HASH"
echo " source: $src_hash"
echo " computing vendor hash..." echo " computing vendor hash..."
local build_output vendor_hash BUILD_OUTPUT=$(nix build --no-link --impure --expr "
build_output=$(nix build --no-link --impure --expr " let
let pkgs = (builtins.getFlake \"path:$ROOT_DIR\").inputs.nixpkgs-master.legacyPackages.\${builtins.currentSystem};
pkgs = (builtins.getFlake \"path:$ROOT_DIR\").inputs.nixpkgs-master.legacyPackages.\${builtins.currentSystem}; in (pkgs.buildGoModule.override { go = pkgs.go_1_26; } {
in (pkgs.buildGoModule.override { go = pkgs.go_1_26; } { pname = \"ggman\";
pname = \"ggman\"; version = \"$LATEST\";
version = \"$latest\"; src = pkgs.fetchFromGitHub {
src = pkgs.fetchFromGitHub { owner = \"tkw1536\";
owner = \"tkw1536\"; repo = \"ggman\";
repo = \"ggman\"; rev = \"$LATEST\";
rev = \"$latest\"; hash = \"$SRC_HASH\";
hash = \"$src_hash\"; };
}; vendorHash = \"\";
vendorHash = \"\"; }).goModules
}).goModules " 2>&1) || true
" 2>&1) || true VENDOR_HASH=$(echo "$BUILD_OUTPUT" | extract_hash) || true
vendor_hash=$(echo "$build_output" | extract_hash) || true
if [[ -z "$vendor_hash" ]]; then if [[ -z "$VENDOR_HASH" ]]; then
echo "error: failed to compute vendor hash" >&2 echo " error: failed to compute vendor hash"
echo "$build_output" >&2 echo "$BUILD_OUTPUT"
exit 1 exit 1
fi fi
echo " vendor: $vendor_hash" echo " vendor: $VENDOR_HASH"
local old_src old_vendor OLD_SRC=$(grep 'sha256 = ' "$PKG_FILE" | grep -oP 'sha256-[A-Za-z0-9+/]+=')
old_src=$(grep 'sha256 = ' "$PKG_FILE" | grep -oP 'sha256-[A-Za-z0-9+/]+=') OLD_VENDOR=$(grep 'vendorHash = ' "$PKG_FILE" | grep -oP 'sha256-[A-Za-z0-9+/]+=')
old_vendor=$(grep 'vendorHash = ' "$PKG_FILE" | grep -oP 'sha256-[A-Za-z0-9+/]+=')
sed -i "s|version = \"$current\"|version = \"$latest\"|" "$PKG_FILE" sed -i "s|version = \"$CURRENT\"|version = \"$LATEST\"|" "$PKG_FILE"
sed -i "s|$old_src|$src_hash|" "$PKG_FILE" sed -i "s|$OLD_SRC|$SRC_HASH|" "$PKG_FILE"
sed -i "s|$old_vendor|$vendor_hash|" "$PKG_FILE" sed -i "s|$OLD_VENDOR|$VENDOR_HASH|" "$PKG_FILE"
echo "ggman updated to $latest" echo "ggman updated to $LATEST"
}
main "$@"

39
packages/todo-mcp/package.nix Normal file
View File

@@ -0,0 +1,39 @@
{ pkgs, ... }:
let
version = "v0.3.1";
in
pkgs.rustPlatform.buildRustPackage {
pname = "todo-mcp";
inherit version;
src = pkgs.fetchFromGitea {
domain = "git.janezic.dev";
owner = "janezicmatej";
repo = "todo-mcp";
rev = version;
sha256 = "sha256-FLsPatHeWcDMLaGZS91aaXtZEful5frN2pqZkQN9vNs=";
};
cargoHash = "sha256-gdR4p5LIEMGBV3ikuuRZ5R8CYIjE1K2OnMJm7yo18Nw=";
nativeBuildInputs = [ pkgs.installShellFiles ];
preBuild = ''
mkdir -p completions
'';
SHELL_COMPLETIONS_DIR = "completions";
postInstall = ''
installShellCompletion --bash completions/todo-mcp.bash
installShellCompletion --zsh completions/_todo-mcp
installShellCompletion --fish completions/todo-mcp.fish
'';
meta = {
description = "simple todo cli with mcp server for ai integration";
homepage = "https://git.janezic.dev/janezicmatej/todo-mcp";
maintainers = [ ];
};
}

62
packages/todo-mcp/update.sh Executable file
View File

@@ -0,0 +1,62 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p curl jq nix-prefetch
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
ROOT_DIR="$(cd "$SCRIPT_DIR/../.." && pwd)"
PKG_FILE="$SCRIPT_DIR/package.nix"
cd "$ROOT_DIR"
extract_hash() {
sed 's/\x1b\[[0-9;]*m//g' | grep 'got:' | tail -1 | grep -oP 'sha256-[A-Za-z0-9+/]+='
}
echo "fetching latest version..."
LATEST=$(curl -sf "https://git.janezic.dev/api/v1/repos/janezicmatej/todo-mcp/tags?limit=1" | jq -r '.[0].name')
CURRENT=$(grep 'version = ' "$PKG_FILE" | head -1 | sed 's/.*"\(.*\)".*/\1/')
if [[ "$CURRENT" == "$LATEST" ]]; then
echo "todo-mcp already at $LATEST"
exit 0
fi
echo "updating todo-mcp: $CURRENT -> $LATEST"
echo " prefetching source..."
BASE32=$(nix-prefetch-url --unpack "https://git.janezic.dev/janezicmatej/todo-mcp/archive/${LATEST}.tar.gz" 2>/dev/null)
SRC_HASH=$(nix hash convert --to sri "sha256:$BASE32")
echo " source: $SRC_HASH"
echo " computing cargo hash..."
BUILD_OUTPUT=$(nix build --no-link --impure --expr "
let
pkgs = (builtins.getFlake \"path:$ROOT_DIR\").inputs.nixpkgs.legacyPackages.\${builtins.currentSystem};
in pkgs.rustPlatform.fetchCargoVendor {
src = pkgs.fetchFromGitea {
domain = \"git.janezic.dev\";
owner = \"janezicmatej\";
repo = \"todo-mcp\";
rev = \"$LATEST\";
hash = \"$SRC_HASH\";
};
hash = \"\";
}
" 2>&1) || true
CARGO_HASH=$(echo "$BUILD_OUTPUT" | extract_hash) || true
if [[ -z "$CARGO_HASH" ]]; then
echo " error: failed to compute cargo hash"
echo "$BUILD_OUTPUT"
exit 1
fi
echo " cargo: $CARGO_HASH"
OLD_SRC=$(grep 'sha256 = ' "$PKG_FILE" | grep -oP 'sha256-[A-Za-z0-9+/]+=')
OLD_CARGO=$(grep 'cargoHash = ' "$PKG_FILE" | grep -oP 'sha256-[A-Za-z0-9+/]+=')
sed -i "s|version = \"$CURRENT\"|version = \"$LATEST\"|" "$PKG_FILE"
sed -i "s|$OLD_SRC|$SRC_HASH|" "$PKG_FILE"
sed -i "s|$OLD_CARGO|$CARGO_HASH|" "$PKG_FILE"
echo "todo-mcp updated to $LATEST"

156
scripts/ephvm-run.sh
View File

@@ -1,156 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
setup_colors() {
if [ -t 2 ]; then
red=$'\033[31m'
yellow=$'\033[33m'
cyan=$'\033[36m'
reset=$'\033[0m'
else
red="" yellow="" cyan="" reset=""
fi
}
die() {
echo "${red}error:${reset} $*" >&2
exit 1
}
warn() {
echo "${yellow}warning:${reset} $*" >&2
}
info() {
echo "${cyan}$*${reset}" >&2
}
# globals for cleanup trap
CLEANUP_OVERLAY=""
cleanup() {
[ -n "$CLEANUP_OVERLAY" ] && rm -rf "$CLEANUP_OVERLAY"
return 0
}
trap cleanup EXIT
usage() {
cat <<EOF
Usage: ephvm-run.sh [options]
Options:
--mount <path> Mount host directory into VM (repeatable)
--claude Mount claude config dir (requires CLAUDE_CONFIG_DIR)
--disk-size <size> Resize guest disk (e.g. 50G)
--memory <size> VM memory (default: 8G)
--cpus <n> VM CPUs (default: 4)
--ssh-port <port> SSH port forward (default: 2222)
-h, --help Show usage
EOF
exit "${1:-0}"
}
main() {
setup_colors
local ssh_port=2222 memory=8G cpus=4 claude=false disk_size=""
local -a mounts=()
while [ $# -gt 0 ]; do
case "$1" in
--mount)
mounts+=("$2")
shift 2
;;
--claude)
claude=true
shift
;;
--disk-size)
disk_size="$2"
shift 2
;;
--memory)
memory="$2"
shift 2
;;
--cpus)
cpus="$2"
shift 2
;;
--ssh-port)
ssh_port="$2"
shift 2
;;
-h | --help) usage ;;
*)
echo "${red}error:${reset} unknown option: $1" >&2
usage 1
;;
esac
done
info "building ephvm image..."
local image_dir image
image_dir=$(nix build --no-link --print-out-paths .#nixosConfigurations.ephvm.config.system.build.images.qemu)
image=$(find "$image_dir" -name '*.qcow2' -print -quit)
[ -n "$image" ] || die "no qcow2 image found in $image_dir"
# create resized overlay when --disk-size is given
local drive_arg
if [ -n "$disk_size" ]; then
CLEANUP_OVERLAY=$(mktemp -d)
local overlay="$CLEANUP_OVERLAY/overlay.qcow2"
qemu-img create -f qcow2 -b "$(realpath "$image")" -F qcow2 "$overlay" "$disk_size"
drive_arg="file=$overlay,format=qcow2"
else
drive_arg="file=$image,format=qcow2,snapshot=on"
fi
local accel="tcg"
[ -r /dev/kvm ] && accel="kvm"
local -a qemu_args=(
qemu-system-x86_64
-accel "$accel"
-m "$memory"
-smp "$cpus"
-drive "$drive_arg"
-nic "user,hostfwd=tcp::${ssh_port}-:22"
-nographic
)
if [ "$accel" != "tcg" ]; then
qemu_args+=(-cpu host)
fi
local fs_id=0 mount_path name tag
for mount_path in "${mounts[@]}"; do
mount_path=$(realpath "$mount_path")
name=$(basename "$mount_path")
tag="m_${name:0:29}"
qemu_args+=(
-virtfs "local,path=$mount_path,mount_tag=$tag,security_model=none,id=fs${fs_id}"
)
fs_id=$((fs_id + 1))
done
if [ "$claude" = true ]; then
[ -n "${CLAUDE_CONFIG_DIR:-}" ] || die "--claude requires CLAUDE_CONFIG_DIR to be set"
mkdir -p "$CLAUDE_CONFIG_DIR"
local claude_dir
claude_dir=$(realpath "$CLAUDE_CONFIG_DIR")
qemu_args+=(
-virtfs "local,path=$claude_dir,mount_tag=claude,security_model=none,id=fs${fs_id}"
)
fs_id=$((fs_id + 1))
fi
info "---"
info "Accel: $accel | SSH: ssh -p $ssh_port matej@localhost"
info "---"
exec "${qemu_args[@]}"
}
main "$@"

32
scripts/initrd-ssh-keygen.sh
View File

@@ -3,22 +3,22 @@ set -euo pipefail
KEY_DIR="/etc/secrets/initrd" KEY_DIR="/etc/secrets/initrd"
main() { echo "Generating initrd SSH host keys in $KEY_DIR"
echo "generating initrd SSH host keys in $KEY_DIR"
sudo mkdir -p "$KEY_DIR"
local key_type sudo mkdir -p "$KEY_DIR"
for key_type in rsa ed25519; do
local key_file="$KEY_DIR/ssh_host_${key_type}_key"
if [[ ! -f "$key_file" ]]; then
sudo ssh-keygen -t "$key_type" -N "" -f "$key_file"
echo "generated: $key_file"
else
echo "exists: $key_file"
fi
done
echo "done. now run nixos-rebuild." if [[ ! -f "$KEY_DIR/ssh_host_rsa_key" ]]; then
} sudo ssh-keygen -t rsa -N "" -f "$KEY_DIR/ssh_host_rsa_key"
echo "Generated: $KEY_DIR/ssh_host_rsa_key"
else
echo "Exists: $KEY_DIR/ssh_host_rsa_key"
fi
main "$@" if [[ ! -f "$KEY_DIR/ssh_host_ed25519_key" ]]; then
sudo ssh-keygen -t ed25519 -N "" -f "$KEY_DIR/ssh_host_ed25519_key"
echo "Generated: $KEY_DIR/ssh_host_ed25519_key"
else
echo "Exists: $KEY_DIR/ssh_host_ed25519_key"
fi
echo "Done. Now run nixos-rebuild."

21
users/gordaina/home-manager.nix Normal file
View File

@@ -0,0 +1,21 @@
{
pkgs,
...
}:
{
home.stateVersion = "25.11";
home.packages = with pkgs; [
git
tmux
ripgrep
fd
jq
];
programs.neovim = {
enable = true;
vimAlias = true;
defaultEditor = true;
};
}

130
users/matej/home-manager.nix Normal file
View File

@@ -0,0 +1,130 @@
{
config,
lib,
pkgs,
inputs,
...
}:
let
packages = inputs.self.outputs.packages.${pkgs.stdenv.hostPlatform.system};
in
{
home.stateVersion = "24.11";
# TODO:(@janezicmatej) do i need this here?
services.dunst.enable = true;
home.packages = [
pkgs.bibata-cursors
pkgs.starship
inputs.claude-code-overlay.packages.${pkgs.stdenv.hostPlatform.system}.default
packages.todo-mcp
# git and co
pkgs.git
packages.git-linearize
packages.ggman
# cli utils
packages.ahab
pkgs.fzf
pkgs.htop
pkgs.jc
pkgs.jq
pkgs.openssl
pkgs.pv
pkgs.python3
pkgs.ripgrep
pkgs.fd
pkgs.tmux
pkgs.osc
pkgs.just
# compilers, toolchains, ...
pkgs.go
# pkgs.gcc
# pkgs.clang
# need for gcp stuff
pkgs.google-cloud-sdk
pkgs.google-cloud-sql-proxy
# desktop apps
pkgs.vesktop
pkgs.rocketchat-desktop
pkgs.telegram-desktop
pkgs.slack
pkgs.ghostty
pkgs.google-chrome
pkgs.zathura
pkgs.pavucontrol
pkgs.jellyfin-media-player
pkgs.cider-2
pkgs.protonmail-bridge
pkgs.ledger-live-desktop
pkgs.bolt-launcher
pkgs.libnotify
# writing/docs
pkgs.mdbook
pkgs.marksman
pkgs.mdformat
# security
pkgs.gnupg
pkgs.pass
];
home.file.".assets".source = inputs.assets;
programs.direnv = {
enable = true;
nix-direnv.enable = true;
};
stylix.targets.neovim.enable = false;
programs.neovim = {
enable = true;
vimAlias = true;
defaultEditor = true;
package = inputs.neovim-nightly-overlay.packages.${pkgs.stdenv.hostPlatform.system}.default;
extraPackages = with pkgs; [
# runtime deps
gcc
luajit
nodejs_22 # copilot
tree-sitter
# lua_fzf
fd
ripgrep
bat
gnumake
delta
pyright
typescript-language-server
lua-language-server
gopls
nil
nixd
nixpkgs-fmt
stylua
];
extraWrapperArgs = [
"--suffix"
"LD_LIBRARY_PATH"
":"
"${lib.makeLibraryPath [ pkgs.stdenv.cc.cc.lib ]}"
];
};
}

6
users/matej/keys.nix Normal file
View File

@@ -0,0 +1,6 @@
{
sshAuthorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQGLdINKzs+sEy62Pefng0bcedgU396+OryFgeH99/c janezicmatej"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDk00+Km03epQXQs+xEwwH3zcurACzkEH+kDOPBw6RQe openpgp:0xB095D449"
];
}

27
users/matej/nixos.nix Normal file
View File

@@ -0,0 +1,27 @@
{
lib,
config,
pkgs,
...
}:
let
keys = import ./keys.nix;
in
{
users.users.matej = {
uid = 1000;
isNormalUser = true;
home = "/home/matej";
shell = pkgs.zsh;
extraGroups = [
"wheel"
"docker"
];
openssh.authorizedKeys.keys = keys.sshAuthorizedKeys;
};
users.groups.matej = {
gid = 1000;
members = [ "matej" ];
};
}