My nix-darwin and NixOS config
packages: add Element, enable Steam; fix remote sudo; overhaul docs

- Add element-desktop (Linux) and element cask (macOS) for Matrix
- Enable Steam + gaming stack on laptop (was false)
- Grant NOPASSWD for nixos-rebuild on laptop so remote one-liners
work without a TTY; all other sudo commands still require password
- Docs: fix stale references (configuration.nix, darwin/domains/,
darwin-export.sh, modules/secrets.nix, unified-terminal.md);
add modules/server/ and profiles/ to all structure trees; update
server status from Planned → config complete; macOS Sequoia → Tahoe;
correct WiFi card and macmini RAM; rewrite REFERENCE.md

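As an added example (not a module from this repository), here is how the sudo change described in the third bullet is normally expressed in NixOS, with the blanket setting it avoids shown alongside it; the user name `alice` and the `/etc/nixos` flake path are assumptions, while the host `laptop` comes from the commit message.

```nix
# Added example, not the repo's own module. Assumes a user "alice" and a
# flake checked out at /etc/nixos; the host name "laptop" is from the commit.
{ ... }:

{
  security.sudo = {
    enable = true;

    # Weak alternative: this makes *every* sudo command passwordless for the
    # wheel group. It would also cure the no-TTY problem, but far too broadly.
    # wheelNeedsPassword = false;

    # Keep the default instead: wheel members authenticate for everything...
    wheelNeedsPassword = true;

    # ...and grant NOPASSWD only for nixos-rebuild, so that
    #   ssh laptop sudo nixos-rebuild switch --flake /etc/nixos#laptop
    # works without an interactive terminal to type a password into.
    extraRules = [
      {
        users = [ "alice" ];
        commands = [
          {
            # sudoers matches on the resolved path; this is where the system
            # profile places nixos-rebuild on NixOS. With no arguments listed,
            # any nixos-rebuild subcommand matches the rule.
            command = "/run/current-system/sw/bin/nixos-rebuild";
            options = [ "NOPASSWD" ];
          }
        ];
      }
    ];
  };
}
```

Bear in mind that `nixos-rebuild switch` activates whatever configuration the caller points it at, so for `alice` this rule is still equivalent to root; grant it only to the user who already administers the machine and treat that user's SSH key with the care you would give a root credential.
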
+981 -419
+662
LICENCE
··· 1 + GNU AFFERO GENERAL PUBLIC LICENSE 2 + Version 3, 19 November 2007 3 + 4 + Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/> 5 + Everyone is permitted to copy and distribute verbatim copies 6 + of this license document, but changing it is not allowed. 7 + 8 + Preamble 9 + 10 + The GNU Affero General Public License is a free, copyleft license for 11 + software and other kinds of works, specifically designed to ensure 12 + cooperation with the community in the case of network server software. 13 + 14 + The licenses for most software and other practical works are designed 15 + to take away your freedom to share and change the works. By contrast, 16 + our General Public Licenses are intended to guarantee your freedom to 17 + share and change all versions of a program--to make sure it remains free 18 + software for all its users. 19 + 20 + When we speak of free software, we are referring to freedom, not 21 + price. Our General Public Licenses are designed to make sure that you 22 + have the freedom to distribute copies of free software (and charge for 23 + them if you wish), that you receive source code or can get it if you 24 + want it, that you can change the software or use pieces of it in new 25 + free programs, and that you know you can do these things. 26 + 27 + Developers that use our General Public Licenses protect your rights 28 + with two steps: (1) assert copyright on the software, and (2) offer 29 + you this License which gives you legal permission to copy, distribute 30 + and/or modify the software. 31 + 32 + A secondary benefit of defending all users' freedom is that 33 + improvements made in alternate versions of the program, if they 34 + receive widespread use, become available for other developers to 35 + incorporate. Many developers of free software are heartened and 36 + encouraged by the resulting cooperation. However, in the case of 37 + software used on network servers, this result may fail to come about. 
38 + The GNU General Public License permits making a modified version and 39 + letting the public access it on a server without ever releasing its 40 + source code to the public. 41 + 42 + The GNU Affero General Public License is designed specifically to 43 + ensure that, in such cases, the modified source code becomes available 44 + to the community. It requires the operator of a network server to 45 + provide the source code of the modified version running there to the 46 + users of that server. Therefore, public use of a modified version, on 47 + a publicly accessible server, gives the public access to the source 48 + code of the modified version. 49 + 50 + An older license, called the Affero General Public License and 51 + published by Affero, was designed to accomplish similar goals. This is 52 + a different license, not a version of the Affero GPL, but Affero has 53 + released a new version of the Affero GPL which permits relicensing under 54 + this license. 55 + 56 + The precise terms and conditions for copying, distribution and 57 + modification follow. 58 + 59 + TERMS AND CONDITIONS 60 + 61 + 0. Definitions. 62 + 63 + "This License" refers to version 3 of the GNU Affero General Public License. 64 + 65 + "Copyright" also means copyright-like laws that apply to other kinds of 66 + works, such as semiconductor masks. 67 + 68 + "The Program" refers to any copyrightable work licensed under this 69 + License. Each licensee is addressed as "you". "Licensees" and 70 + "recipients" may be individuals or organizations. 71 + 72 + To "modify" a work means to copy from or adapt all or part of the work 73 + in a fashion requiring copyright permission, other than the making of an 74 + exact copy. The resulting work is called a "modified version" of the 75 + earlier work or a work "based on" the earlier work. 76 + 77 + A "covered work" means either the unmodified Program or a work based 78 + on the Program. 
79 + 80 + To "propagate" a work means to do anything with it that, without 81 + permission, would make you directly or secondarily liable for 82 + infringement under applicable copyright law, except executing it on a 83 + computer or modifying a private copy. Propagation includes copying, 84 + distribution (with or without modification), making available to the 85 + public, and in some countries other activities as well. 86 + 87 + To "convey" a work means any kind of propagation that enables other 88 + parties to make or receive copies. Mere interaction with a user through 89 + a computer network, with no transfer of a copy, is not conveying. 90 + 91 + An interactive user interface displays "Appropriate Legal Notices" 92 + to the extent that it includes a convenient and prominently visible 93 + feature that (1) displays an appropriate copyright notice, and (2) 94 + tells the user that there is no warranty for the work (except to the 95 + extent that warranties are provided), that licensees may convey the 96 + work under this License, and how to view a copy of this License. If 97 + the interface presents a list of user commands or options, such as a 98 + menu, a prominent item in the list meets this criterion. 99 + 100 + 1. Source Code. 101 + 102 + The "source code" for a work means the preferred form of the work 103 + for making modifications to it. "Object code" means any non-source 104 + form of a work. 105 + 106 + A "Standard Interface" means an interface that either is an official 107 + standard defined by a recognized standards body, or, in the case of 108 + interfaces specified for a particular programming language, one that 109 + is widely used among developers working in that language. 
110 + 111 + The "System Libraries" of an executable work include anything, other 112 + than the work as a whole, that (a) is included in the normal form of 113 + packaging a Major Component, but which is not part of that Major 114 + Component, and (b) serves only to enable use of the work with that 115 + Major Component, or to implement a Standard Interface for which an 116 + implementation is available to the public in source code form. A 117 + "Major Component", in this context, means a major essential component 118 + (kernel, window system, and so on) of the specific operating system 119 + (if any) on which the executable work runs, or a compiler used to 120 + produce the work, or an object code interpreter used to run it. 121 + 122 + The "Corresponding Source" for a work in object code form means all 123 + the source code needed to generate, install, and (for an executable 124 + work) run the object code and to modify the work, including scripts to 125 + control those activities. However, it does not include the work's 126 + System Libraries, or general-purpose tools or generally available free 127 + programs which are used unmodified in performing those activities but 128 + which are not part of the work. For example, Corresponding Source 129 + includes interface definition files associated with source files for 130 + the work, and the source code for shared libraries and dynamically 131 + linked subprograms that the work is specifically designed to require, 132 + such as by intimate data communication or control flow between those 133 + subprograms and other parts of the work. 134 + 135 + The Corresponding Source need not include anything that users 136 + can regenerate automatically from other parts of the Corresponding 137 + Source. 138 + 139 + The Corresponding Source for a work in source code form is that 140 + same work. 141 + 142 + 2. Basic Permissions. 
143 + 144 + All rights granted under this License are granted for the term of 145 + copyright on the Program, and are irrevocable provided the stated 146 + conditions are met. This License explicitly affirms your unlimited 147 + permission to run the unmodified Program. The output from running a 148 + covered work is covered by this License only if the output, given its 149 + content, constitutes a covered work. This License acknowledges your 150 + rights of fair use or other equivalent, as provided by copyright law. 151 + 152 + You may make, run and propagate covered works that you do not 153 + convey, without conditions so long as your license otherwise remains 154 + in force. You may convey covered works to others for the sole purpose 155 + of having them make modifications exclusively for you, or provide you 156 + with facilities for running those works, provided that you comply with 157 + the terms of this License in conveying all material for which you do 158 + not control copyright. Those thus making or running the covered works 159 + for you must do so exclusively on your behalf, under your direction 160 + and control, on terms that prohibit them from making any copies of 161 + your copyrighted material outside their relationship with you. 162 + 163 + Conveying under any other circumstances is permitted solely under 164 + the conditions stated below. Sublicensing is not allowed; section 10 165 + makes it unnecessary. 166 + 167 + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 168 + 169 + No covered work shall be deemed part of an effective technological 170 + measure under any applicable law fulfilling obligations under article 171 + 11 of the WIPO copyright treaty adopted on 20 December 1996, or 172 + similar laws prohibiting or restricting circumvention of such 173 + measures. 
174 + 175 + When you convey a covered work, you waive any legal power to forbid 176 + circumvention of technological measures to the extent such circumvention 177 + is effected by exercising rights under this License with respect to 178 + the covered work, and you disclaim any intention to limit operation or 179 + modification of the work as a means of enforcing, against the work's 180 + users, your or third parties' legal rights to forbid circumvention of 181 + technological measures. 182 + 183 + 4. Conveying Verbatim Copies. 184 + 185 + You may convey verbatim copies of the Program's source code as you 186 + receive it, in any medium, provided that you conspicuously and 187 + appropriately publish on each copy an appropriate copyright notice; 188 + keep intact all notices stating that this License and any 189 + non-permissive terms added in accord with section 7 apply to the code; 190 + keep intact all notices of the absence of any warranty; and give all 191 + recipients a copy of this License along with the Program. 192 + 193 + You may charge any price or no price for each copy that you convey, 194 + and you may offer support or warranty protection for a fee. 195 + 196 + 5. Conveying Modified Source Versions. 197 + 198 + You may convey a work based on the Program, or the modifications to 199 + produce it from the Program, in the form of source code under the 200 + terms of section 4, provided that you also meet all of these conditions: 201 + 202 + a) The work must carry prominent notices stating that you modified 203 + it, and giving a relevant date. 204 + 205 + b) The work must carry prominent notices stating that it is 206 + released under this License and any conditions added under section 207 + 7. This requirement modifies the requirement in section 4 to 208 + "keep intact all notices". 209 + 210 + c) You must license the entire work, as a whole, under this 211 + License to anyone who comes into possession of a copy. 
This 212 + License will therefore apply, along with any applicable section 7 213 + additional terms, to the whole of the work, and all its parts, 214 + regardless of how they are packaged. This License gives no 215 + permission to license the work in any other way, but it does not 216 + invalidate such permission if you have separately received it. 217 + 218 + d) If the work has interactive user interfaces, each must display 219 + Appropriate Legal Notices; however, if the Program has interactive 220 + interfaces that do not display Appropriate Legal Notices, your 221 + work need not make them do so. 222 + 223 + A compilation of a covered work with other separate and independent 224 + works, which are not by their nature extensions of the covered work, 225 + and which are not combined with it such as to form a larger program, 226 + in or on a volume of a storage or distribution medium, is called an 227 + "aggregate" if the compilation and its resulting copyright are not 228 + used to limit the access or legal rights of the compilation's users 229 + beyond what the individual works permit. Inclusion of a covered work 230 + in an aggregate does not cause this License to apply to the other 231 + parts of the aggregate. 232 + 233 + 6. Conveying Non-Source Forms. 234 + 235 + You may convey a covered work in object code form under the terms 236 + of sections 4 and 5, provided that you also convey the 237 + machine-readable Corresponding Source under the terms of this License, 238 + in one of these ways: 239 + 240 + a) Convey the object code in, or embodied in, a physical product 241 + (including a physical distribution medium), accompanied by the 242 + Corresponding Source fixed on a durable physical medium 243 + customarily used for software interchange. 
244 + 245 + b) Convey the object code in, or embodied in, a physical product 246 + (including a physical distribution medium), accompanied by a 247 + written offer, valid for at least three years and valid for as 248 + long as you offer spare parts or customer support for that product 249 + model, to give anyone who possesses the object code either (1) a 250 + copy of the Corresponding Source for all the software in the 251 + product that is covered by this License, on a durable physical 252 + medium customarily used for software interchange, for a price no 253 + more than your reasonable cost of physically performing this 254 + conveying of source, or (2) access to copy the 255 + Corresponding Source from a network server at no charge. 256 + 257 + c) Convey individual copies of the object code with a copy of the 258 + written offer to provide the Corresponding Source. This 259 + alternative is allowed only occasionally and noncommercially, and 260 + only if you received the object code with such an offer, in accord 261 + with subsection 6b. 262 + 263 + d) Convey the object code by offering access from a designated 264 + place (gratis or for a charge), and offer equivalent access to the 265 + Corresponding Source in the same way through the same place at no 266 + further charge. You need not require recipients to copy the 267 + Corresponding Source along with the object code. If the place to 268 + copy the object code is a network server, the Corresponding Source 269 + may be on a different server (operated by you or a third party) 270 + that supports equivalent copying facilities, provided you maintain 271 + clear directions next to the object code saying where to find the 272 + Corresponding Source. Regardless of what server hosts the 273 + Corresponding Source, you remain obligated to ensure that it is 274 + available for as long as needed to satisfy these requirements. 
275 + 276 + e) Convey the object code using peer-to-peer transmission, provided 277 + you inform other peers where the object code and Corresponding 278 + Source of the work are being offered to the general public at no 279 + charge under subsection 6d. 280 + 281 + A separable portion of the object code, whose source code is excluded 282 + from the Corresponding Source as a System Library, need not be 283 + included in conveying the object code work. 284 + 285 + A "User Product" is either (1) a "consumer product", which means any 286 + tangible personal property which is normally used for personal, family, 287 + or household purposes, or (2) anything designed or sold for incorporation 288 + into a dwelling. In determining whether a product is a consumer product, 289 + doubtful cases shall be resolved in favor of coverage. For a particular 290 + product received by a particular user, "normally used" refers to a 291 + typical or common use of that class of product, regardless of the status 292 + of the particular user or of the way in which the particular user 293 + actually uses, or expects or is expected to use, the product. A product 294 + is a consumer product regardless of whether the product has substantial 295 + commercial, industrial or non-consumer uses, unless such uses represent 296 + the only significant mode of use of the product. 297 + 298 + "Installation Information" for a User Product means any methods, 299 + procedures, authorization keys, or other information required to install 300 + and execute modified versions of a covered work in that User Product from 301 + a modified version of its Corresponding Source. The information must 302 + suffice to ensure that the continued functioning of the modified object 303 + code is in no case prevented or interfered with solely because 304 + modification has been made. 
305 + 306 + If you convey an object code work under this section in, or with, or 307 + specifically for use in, a User Product, and the conveying occurs as 308 + part of a transaction in which the right of possession and use of the 309 + User Product is transferred to the recipient in perpetuity or for a 310 + fixed term (regardless of how the transaction is characterized), the 311 + Corresponding Source conveyed under this section must be accompanied 312 + by the Installation Information. But this requirement does not apply 313 + if neither you nor any third party retains the ability to install 314 + modified object code on the User Product (for example, the work has 315 + been installed in ROM). 316 + 317 + The requirement to provide Installation Information does not include a 318 + requirement to continue to provide support service, warranty, or updates 319 + for a work that has been modified or installed by the recipient, or for 320 + the User Product in which it has been modified or installed. Access to a 321 + network may be denied when the modification itself materially and 322 + adversely affects the operation of the network or violates the rules and 323 + protocols for communication across the network. 324 + 325 + Corresponding Source conveyed, and Installation Information provided, 326 + in accord with this section must be in a format that is publicly 327 + documented (and with an implementation available to the public in 328 + source code form), and must require no special password or key for 329 + unpacking, reading or copying. 330 + 331 + 7. Additional Terms. 332 + 333 + "Additional permissions" are terms that supplement the terms of this 334 + License by making exceptions from one or more of its conditions. 335 + Additional permissions that are applicable to the entire Program shall 336 + be treated as though they were included in this License, to the extent 337 + that they are valid under applicable law. 
If additional permissions 338 + apply only to part of the Program, that part may be used separately 339 + under those permissions, but the entire Program remains governed by 340 + this License without regard to the additional permissions. 341 + 342 + When you convey a copy of a covered work, you may at your option 343 + remove any additional permissions from that copy, or from any part of 344 + it. (Additional permissions may be written to require their own 345 + removal in certain cases when you modify the work.) You may place 346 + additional permissions on material, added by you to a covered work, 347 + for which you have or can give appropriate copyright permission. 348 + 349 + Notwithstanding any other provision of this License, for material you 350 + add to a covered work, you may (if authorized by the copyright holders of 351 + that material) supplement the terms of this License with terms: 352 + 353 + a) Disclaiming warranty or limiting liability differently from the 354 + terms of sections 15 and 16 of this License; or 355 + 356 + b) Requiring preservation of specified reasonable legal notices or 357 + author attributions in that material or in the Appropriate Legal 358 + Notices displayed by works containing it; or 359 + 360 + c) Prohibiting misrepresentation of the origin of that material, or 361 + requiring that modified versions of such material be marked in 362 + reasonable ways as different from the original version; or 363 + 364 + d) Limiting the use for publicity purposes of names of licensors or 365 + authors of the material; or 366 + 367 + e) Declining to grant rights under trademark law for use of some 368 + trade names, trademarks, or service marks; or 369 + 370 + f) Requiring indemnification of licensors and authors of that 371 + material by anyone who conveys the material (or modified versions of 372 + it) with contractual assumptions of liability to the recipient, for 373 + any liability that these contractual assumptions directly impose on 
374 + those licensors and authors. 375 + 376 + All other non-permissive additional terms are considered "further 377 + restrictions" within the meaning of section 10. If the Program as you 378 + received it, or any part of it, contains a notice stating that it is 379 + governed by this License along with a term that is a further 380 + restriction, you may remove that term. If a license document contains 381 + a further restriction but permits relicensing or conveying under this 382 + License, you may add to a covered work material governed by the terms 383 + of that license document, provided that the further restriction does 384 + not survive such relicensing or conveying. 385 + 386 + If you add terms to a covered work in accord with this section, you 387 + must place, in the relevant source files, a statement of the 388 + additional terms that apply to those files, or a notice indicating 389 + where to find the applicable terms. 390 + 391 + Additional terms, permissive or non-permissive, may be stated in the 392 + form of a separately written license, or stated as exceptions; 393 + the above requirements apply either way. 394 + 395 + 8. Termination. 396 + 397 + You may not propagate or modify a covered work except as expressly 398 + provided under this License. Any attempt otherwise to propagate or 399 + modify it is void, and will automatically terminate your rights under 400 + this License (including any patent licenses granted under the third 401 + paragraph of section 11). 402 + 403 + However, if you cease all violation of this License, then your 404 + license from a particular copyright holder is reinstated (a) 405 + provisionally, unless and until the copyright holder explicitly and 406 + finally terminates your license, and (b) permanently, if the copyright 407 + holder fails to notify you of the violation by some reasonable means 408 + prior to 60 days after the cessation. 
409 + 410 + Moreover, your license from a particular copyright holder is 411 + reinstated permanently if the copyright holder notifies you of the 412 + violation by some reasonable means, this is the first time you have 413 + received notice of violation of this License (for any work) from that 414 + copyright holder, and you cure the violation prior to 30 days after 415 + your receipt of the notice. 416 + 417 + Termination of your rights under this section does not terminate the 418 + licenses of parties who have received copies or rights from you under 419 + this License. If your rights have been terminated and not permanently 420 + reinstated, you do not qualify to receive new licenses for the same 421 + material under section 10. 422 + 423 + 9. Acceptance Not Required for Having Copies. 424 + 425 + You are not required to accept this License in order to receive or 426 + run a copy of the Program. Ancillary propagation of a covered work 427 + occurring solely as a consequence of using peer-to-peer transmission 428 + to receive a copy likewise does not require acceptance. However, 429 + nothing other than this License grants you permission to propagate or 430 + modify any covered work. These actions infringe copyright if you do 431 + not accept this License. Therefore, by modifying or propagating a 432 + covered work, you indicate your acceptance of this License to do so. 433 + 434 + 10. Automatic Licensing of Downstream Recipients. 435 + 436 + Each time you convey a covered work, the recipient automatically 437 + receives a license from the original licensors, to run, modify and 438 + propagate that work, subject to this License. You are not responsible 439 + for enforcing compliance by third parties with this License. 440 + 441 + An "entity transaction" is a transaction transferring control of an 442 + organization, or substantially all assets of one, or subdividing an 443 + organization, or merging organizations. 
If propagation of a covered 444 + work results from an entity transaction, each party to that 445 + transaction who receives a copy of the work also receives whatever 446 + licenses to the work the party's predecessor in interest had or could 447 + give under the previous paragraph, plus a right to possession of the 448 + Corresponding Source of the work from the predecessor in interest, if 449 + the predecessor has it or can get it with reasonable efforts. 450 + 451 + You may not impose any further restrictions on the exercise of the 452 + rights granted or affirmed under this License. For example, you may 453 + not impose a license fee, royalty, or other charge for exercise of 454 + rights granted under this License, and you may not initiate litigation 455 + (including a cross-claim or counterclaim in a lawsuit) alleging that 456 + any patent claim is infringed by making, using, selling, offering for 457 + sale, or importing the Program or any portion of it. 458 + 459 + 11. Patents. 460 + 461 + A "contributor" is a copyright holder who authorizes use under this 462 + License of the Program or a work on which the Program is based. The 463 + work thus licensed is called the contributor's "contributor version". 464 + 465 + A contributor's "essential patent claims" are all patent claims 466 + owned or controlled by the contributor, whether already acquired or 467 + hereafter acquired, that would be infringed by some manner, permitted 468 + by this License, of making, using, or selling its contributor version, 469 + but do not include claims that would be infringed only as a 470 + consequence of further modification of the contributor version. For 471 + purposes of this definition, "control" includes the right to grant 472 + patent sublicenses in a manner consistent with the requirements of 473 + this License. 
474 + 475 + Each contributor grants you a non-exclusive, worldwide, royalty-free 476 + patent license under the contributor's essential patent claims, to 477 + make, use, sell, offer for sale, import and otherwise run, modify and 478 + propagate the contents of its contributor version. 479 + 480 + In the following three paragraphs, a "patent license" is any express 481 + agreement or commitment, however denominated, not to enforce a patent 482 + (such as an express permission to practice a patent or covenant not to 483 + sue for patent infringement). To "grant" such a patent license to a 484 + party means to make such an agreement or commitment not to enforce a 485 + patent against the party. 486 + 487 + If you convey a covered work, knowingly relying on a patent license, 488 + and the Corresponding Source of the work is not available for anyone 489 + to copy, free of charge and under the terms of this License, through a 490 + publicly available network server or other readily accessible means, 491 + then you must either (1) cause the Corresponding Source to be so 492 + available, or (2) arrange to deprive yourself of the benefit of the 493 + patent license for this particular work, or (3) arrange, in a manner 494 + consistent with the requirements of this License, to extend the patent 495 + license to downstream recipients. "Knowingly relying" means you have 496 + actual knowledge that, but for the patent license, your conveying the 497 + covered work in a country, or your recipient's use of the covered work 498 + in a country, would infringe one or more identifiable patents in that 499 + country that you have reason to believe are valid. 
500 + 501 + If, pursuant to or in connection with a single transaction or 502 + arrangement, you convey, or propagate by procuring conveyance of, a 503 + covered work, and grant a patent license to some of the parties 504 + receiving the covered work authorizing them to use, propagate, modify 505 + or convey a specific copy of the covered work, then the patent license 506 + you grant is automatically extended to all recipients of the covered 507 + work and works based on it. 508 + 509 + A patent license is "discriminatory" if it does not include within 510 + the scope of its coverage, prohibits the exercise of, or is 511 + conditioned on the non-exercise of one or more of the rights that are 512 + specifically granted under this License. You may not convey a covered 513 + work if you are a party to an arrangement with a third party that is 514 + in the business of distributing software, under which you make payment 515 + to the third party based on the extent of your activity of conveying 516 + the work, and under which the third party grants, to any of the 517 + parties who would receive the covered work from you, a discriminatory 518 + patent license (a) in connection with copies of the covered work 519 + conveyed by you (or copies made from those copies), or (b) primarily 520 + for and in connection with specific products or compilations that 521 + contain the covered work, unless you entered into that arrangement, 522 + or that patent license was granted, prior to 28 March 2007. 523 + 524 + Nothing in this License shall be construed as excluding or limiting 525 + any implied license or other defenses to infringement that may 526 + otherwise be available to you under applicable patent law. 527 + 528 + 12. No Surrender of Others' Freedom. 529 + 530 + If conditions are imposed on you (whether by court order, agreement or 531 + otherwise) that contradict the conditions of this License, they do not 532 + excuse you from the conditions of this License. 
If you cannot convey a 533 + covered work so as to satisfy simultaneously your obligations under this 534 + License and any other pertinent obligations, then as a consequence you may 535 + not convey it at all. For example, if you agree to terms that obligate you 536 + to collect a royalty for further conveying from those to whom you convey 537 + the Program, the only way you could satisfy both those terms and this 538 + License would be to refrain entirely from conveying the Program. 539 + 540 + 13. Remote Network Interaction; Use with the GNU General Public License. 541 + 542 + Notwithstanding any other provision of this License, if you modify the 543 + Program, your modified version must prominently offer all users 544 + interacting with it remotely through a computer network (if your version 545 + supports such interaction) an opportunity to receive the Corresponding 546 + Source of your version by providing access to the Corresponding Source 547 + from a network server at no charge, through some standard or customary 548 + means of facilitating copying of software. This Corresponding Source 549 + shall include the Corresponding Source for any work covered by version 3 550 + of the GNU General Public License that is incorporated pursuant to the 551 + following paragraph. 552 + 553 + Notwithstanding any other provision of this License, you have 554 + permission to link or combine any covered work with a work licensed 555 + under version 3 of the GNU General Public License into a single 556 + combined work, and to convey the resulting work. The terms of this 557 + License will continue to apply to the part which is the covered work, 558 + but the work with which it is combined will remain governed by version 559 + 3 of the GNU General Public License. 560 + 561 + 14. Revised Versions of this License. 562 + 563 + The Free Software Foundation may publish revised and/or new versions of 564 + the GNU Affero General Public License from time to time. 
Such new versions 565 + will be similar in spirit to the present version, but may differ in detail to 566 + address new problems or concerns. 567 + 568 + Each version is given a distinguishing version number. If the 569 + Program specifies that a certain numbered version of the GNU Affero General 570 + Public License "or any later version" applies to it, you have the 571 + option of following the terms and conditions either of that numbered 572 + version or of any later version published by the Free Software 573 + Foundation. If the Program does not specify a version number of the 574 + GNU Affero General Public License, you may choose any version ever published 575 + by the Free Software Foundation. 576 + 577 + If the Program specifies that a proxy can decide which future 578 + versions of the GNU Affero General Public License can be used, that proxy's 579 + public statement of acceptance of a version permanently authorizes you 580 + to choose that version for the Program. 581 + 582 + Later license versions may give you additional or different 583 + permissions. However, no additional obligations are imposed on any 584 + author or copyright holder as a result of your choosing to follow a 585 + later version. 586 + 587 + 15. Disclaimer of Warranty. 588 + 589 + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 590 + APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 591 + HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 592 + OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 593 + THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 594 + PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 595 + IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 596 + ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 597 + 598 + 16. Limitation of Liability. 
599 + 600 + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 601 + WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 602 + THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 603 + GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 604 + USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 605 + DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 606 + PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 607 + EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 608 + SUCH DAMAGES. 609 + 610 + 17. Interpretation of Sections 15 and 16. 611 + 612 + If the disclaimer of warranty and limitation of liability provided 613 + above cannot be given local legal effect according to their terms, 614 + reviewing courts shall apply local law that most closely approximates 615 + an absolute waiver of all civil liability in connection with the 616 + Program, unless a warranty or assumption of liability accompanies a 617 + copy of the Program in return for a fee. 618 + 619 + END OF TERMS AND CONDITIONS 620 + 621 + How to Apply These Terms to Your New Programs 622 + 623 + If you develop a new program, and you want it to be of the greatest 624 + possible use to the public, the best way to achieve this is to make it 625 + free software which everyone can redistribute and change under these terms. 626 + 627 + To do so, attach the following notices to the program. It is safest 628 + to attach them to the start of each source file to most effectively 629 + state the exclusion of warranty; and each file should have at least 630 + the "copyright" line and a pointer to where the full notice is found. 
631 + 632 + <one line to give the program's name and a brief idea of what it does.> 633 + Copyright (C) <year> <name of author> 634 + 635 + This program is free software: you can redistribute it and/or modify 636 + it under the terms of the GNU Affero General Public License as published by 637 + the Free Software Foundation, either version 3 of the License, or 638 + (at your option) any later version. 639 + 640 + This program is distributed in the hope that it will be useful, 641 + but WITHOUT ANY WARRANTY; without even the implied warranty of 642 + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 643 + GNU Affero General Public License for more details. 644 + 645 + You should have received a copy of the GNU Affero General Public License 646 + along with this program. If not, see <https://www.gnu.org/licenses/>. 647 + 648 + Also add information on how to contact you by electronic and paper mail. 649 + 650 + If your software can interact with users remotely through a computer 651 + network, you should also make sure that it provides a way for users to 652 + get its source. For example, if your program is a web application, its 653 + interface could display a "Source" link that leads users to an archive 654 + of the code. There are many ways you could offer source, and different 655 + solutions will be better for different programs; see section 13 for the 656 + specific requirements. 657 + 658 + You should also get your employer (if you work as a programmer) or school, 659 + if any, to sign a "copyright disclaimer" for the program, if necessary. 660 + For more information on this, and how to apply and follow the GNU AGPL, see 661 + <https://www.gnu.org/licenses/>. 662 +
+51 -56
README.md
··· 20 20 21 21 ### macOS (nix-darwin) - PRIMARY 22 22 23 - - **macmini** - Apple Silicon Mac Mini (M2) - Main daily driver 23 + - **macmini** - Apple Silicon Mac Mini (M2, 16 GB) — Main daily driver 24 24 25 25 ### Linux (NixOS) - SECONDARY 26 26 27 - - **laptop** - Dell Inspiron 3501 with KDE Plasma 6 - Secondary workstation for Linux-specific tasks 28 - 29 - ### Planned (NixOS) 30 - 31 - - **server** - Minimal headless server configuration (not yet deployed) 27 + - **laptop** - Dell Inspiron 3501 with KDE Plasma 6 — Secondary workstation 28 + - **server** - Minimal headless server — Bluesky PDS + hardened security (configuration complete, pending hardware deployment) 32 29 33 30 ## Repository Structure 34 31 35 32 ``` 36 33 . 37 - ├── flake.nix # Main flake configuration 34 + ├── flake.nix # Main flake — defines all hosts 38 35 ├── flake.lock # Locked dependency versions 39 - ├── configuration.nix # Legacy entry point (superseded by hosts/) 40 36 41 37 ├── lib/ # ⭐ Custom library (DRY helpers) 42 - │ ├── default.nix # Reusable functions and config singleton 43 - │ └── USAGE.md # Developer guide for using cfgLib 38 + │ ├── default.nix # cfgLib: reusable functions and config singleton 39 + │ └── USAGE.md # Developer guide 44 40 45 41 ├── hosts/ # Host-specific configurations 46 42 │ ├── laptop/ # Dell Inspiron 3501 (NixOS + KDE Plasma 6) 47 43 │ ├── server/ # Headless server (NixOS) 48 - │ └── macmini/ # Mac Mini (nix-darwin) 44 + │ └── macmini/ # Mac Mini M2 (nix-darwin) 49 45 50 46 ├── modules/ # Reusable system modules 51 - │ ├── common.nix # Shared settings across all NixOS hosts 52 - │ ├── desktop.nix # KDE Plasma 6 desktop environment 53 - │ ├── gaming.nix # Gaming packages and Steam 47 + │ ├── common.nix # Base NixOS settings 48 + │ ├── desktop.nix # KDE Plasma 6 + SDDM 49 + │ ├── gaming.nix # Steam + Gamemode 54 50 │ ├── packages.nix # Desktop system packages 55 - │ ├── services.nix # System services 56 - │ ├── secrets.nix # Secret management with ragenix 
51 + │ ├── services.nix # Printing, Bluetooth, etc. 57 52 │ ├── users.nix # User account configuration 53 + │ ├── caddy.nix # Caddy web server 54 + │ ├── pds.nix # Bluesky ATProto PDS 55 + │ ├── ssh-keys.nix # Public key registry for all hosts 56 + │ ├── server/ # Headless server sub-modules 57 + │ │ ├── default.nix # Imports all server sub-modules 58 + │ │ ├── firewall.nix 59 + │ │ ├── intrusion.nix # fail2ban 60 + │ │ ├── ssh.nix # sshd hardening 61 + │ │ ├── hardware-health.nix 62 + │ │ ├── maintenance.nix 63 + │ │ ├── packages.nix 64 + │ │ ├── services.nix 65 + │ │ └── disable-noise.nix 58 66 │ └── darwin/ # macOS-specific modules 59 67 │ ├── common.nix 60 68 │ ├── homebrew.nix 61 69 │ ├── packages.nix 62 70 │ └── system.nix 63 71 64 - ├── home/ # Home Manager configurations (unified across systems) 65 - │ ├── home.nix # Main home-manager entry point 66 - │ ├── configs/ # Application config files 67 - │ │ ├── fastfetch.jsonc 68 - │ │ └── starship.toml 69 - │ └── programs/ # Unified program configs (work on NixOS + macOS) 70 - │ ├── fastfetch.nix # System info display 71 - │ ├── git.nix # Git configuration 72 - │ ├── kde.nix # KDE Plasma desktop settings (Linux only) 73 - │ ├── ssh.nix # SSH client + agent config 74 - │ ├── starship.nix # Shell prompt 75 - │ ├── vscode.nix # VSCode extensions and settings 76 - │ └── zsh.nix # Shell configuration with aliases 72 + ├── profiles/ # Reusable configuration profiles 73 + │ ├── server-base.nix # Base server config 74 + │ └── server-hardened.nix # Security hardening 75 + 76 + ├── home/ # Home Manager (unified across all hosts) 77 + │ ├── home.nix # Main entry point 78 + │ ├── configs/ # Raw config files (fastfetch, starship) 79 + │ ├── programs/ # Per-program config (git, zsh, ssh, vscode, kde, ...) 
80 + │ └── scripts/ # Shell scripts on PATH 81 + │ ├── verify-tailscale-ssh 82 + │ ├── update-all 83 + │ ├── update-everything 84 + │ └── relts 77 85 78 86 ├── settings/ # ⭐ Centralized configuration — edit here 79 87 │ ├── config.nix # Entry point (imports config/) 80 88 │ ├── config/ # All configurable values (one file per domain) 81 - │ ├── plasma/ # KDE Plasma settings (declarative) 82 - │ ├── darwin/ # macOS defaults (auto-exported) 83 - │ └── darwin-export.sh # Export current macOS settings 89 + │ ├── plasma/ # KDE Plasma declarative settings 90 + │ └── darwin/ # macOS system defaults 84 91 85 92 ├── secrets/ # Encrypted secrets (ragenix / age) 86 - │ ├── secrets.nix # Public key mappings 93 + │ ├── secrets.nix # Public key mappings (users + systems) 87 94 │ ├── setup.sh # Key management helper 88 95 │ └── age/*.age # Encrypted secret files 89 96 90 - ├── wallpapers/ # Desktop wallpapers 91 - ├── tools/ # Maintenance and health check tools 92 - │ ├── health-check # Pre-build validation script 93 - │ ├── flake-bump # Update flake inputs helper 94 - │ └── gen-diff # Compare generations 95 - └── docs/ # All documentation 96 - ├── REFERENCE.md # Quick-reference card 97 - ├── settings-config.md # Settings file map and cheatsheet 98 - ├── settings.md # Settings overview 99 - ├── settings-structure.md # Why config is modular 100 - ├── hosts.md # Adding/configuring hosts 101 - ├── hosts-macmini.md # macOS setup guide 102 - ├── hosts-server.md # Server setup guide 103 - ├── secrets.md # Secrets management 104 - └── wallpapers.md # Wallpaper usage 97 + ├── tools/ # Rust maintenance tools 98 + │ └── src/bin/ # health-check, flake-bump, gen-diff 99 + ├── wallpapers/ 100 + └── docs/ 105 101 ``` 106 102 107 103 ## DRY Architecture ··· 299 295 - **Starship** prompt looks the same everywhere 300 296 301 297 ### Platform-Specific When Needed 302 - - macOS uses Keychain for SSH keys 303 - - Linux uses SSH agent service 304 - - KDE Plasma settings only apply on Linux 305 - - 
Homebrew only on macOS 298 + - **macOS**: SSH keys loaded at login via LaunchAgent (`ssh-add --apple-load-keychain`) 299 + - **Linux desktop**: SSH keys loaded at login via systemd + ksshaskpass/KWallet 300 + - **Server**: No agent needed — SSH connections go *into* it, not out 301 + - **KDE Plasma** settings only apply on Linux desktop 302 + - **Homebrew** only on macOS 306 303 307 304 ## Documentation 308 305 ··· 315 312 - [`docs/hosts.md`](docs/hosts.md) — hosts documentation index *(start here)* 316 313 - [`docs/hosts-overview.md`](docs/hosts-overview.md) — complete comparison of all three hosts 317 314 - [`docs/hosts-modification.md`](docs/hosts-modification.md) — how to modify and add hosts 318 - - [`docs/unified-terminal.md`](docs/unified-terminal.md) — identical terminal across all hosts 319 315 - [`docs/hosts-laptop.md`](docs/hosts-laptop.md) — Dell Inspiron 3501 (NixOS + KDE Plasma 6) 320 - - [`docs/hosts-server.md`](docs/hosts-server.md) — headless server setup 316 + - [`docs/hosts-server.md`](docs/hosts-server.md) — headless server + Bluesky PDS setup 321 317 - [`docs/hosts-macmini.md`](docs/hosts-macmini.md) — macOS with nix-darwin 322 - - [`docs/pds-quickstart.md`](docs/pds-quickstart.md) — Bluesky PDS quick setup *(automated script)* 323 - - [`docs/pds-setup.md`](docs/pds-setup.md) — Bluesky PDS detailed guide *(manual setup)* 318 + - [`docs/TAILSCALE-SSH.md`](docs/TAILSCALE-SSH.md) — inter-host SSH over Tailscale 324 319 325 320 ### Settings Management 326 321 - [`docs/settings.md`](docs/settings.md) — settings overview
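Review bot: the `modules/` tree drops `secrets.nix # Secret management with ragenix`, but nothing in the README now says where the ragenix module is wired in, even though the `secrets/` entry still reads "Encrypted secrets (ragenix / age)" and the `hosts-overview.md` hunk in this same change points readers at `settings/config/secrets.nix` and `secrets/secrets.nix`. Suggest adding the ragenix entry point to the tree (or a one-line pointer under `secrets/`) so the README and hosts-overview agree on where a secret is enabled for a host.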
+91 -40
docs/REFERENCE.md
··· 3 3 ## File Structure 4 4 ``` 5 5 ├── flake.nix 6 - ├── configuration.nix # Legacy entry point 6 + ├── flake.lock 7 7 ├── hosts/ 8 - │ ├── laptop/ 9 - │ ├── server/ 10 - │ └── macmini/ 8 + │ ├── laptop/ # NixOS desktop (Dell Inspiron 3501) 9 + │ ├── server/ # NixOS headless server 10 + │ └── macmini/ # macOS (nix-darwin) 11 11 ├── modules/ 12 - │ ├── desktop.nix 13 - │ ├── packages.nix 14 - │ ├── services.nix 15 - │ ├── gaming.nix 16 - │ └── darwin/ 12 + │ ├── common.nix # Base NixOS settings 13 + │ ├── desktop.nix # KDE Plasma 6 + SDDM 14 + │ ├── packages.nix # Desktop applications 15 + │ ├── services.nix # Printing, Bluetooth, etc. 16 + │ ├── gaming.nix # Steam, Gamemode 17 + │ ├── users.nix # User accounts 18 + │ ├── caddy.nix # Caddy web server 19 + │ ├── pds.nix # Bluesky PDS service 20 + │ ├── ssh-keys.nix # Public key registry 21 + │ ├── server/ # Headless server modules 22 + │ │ ├── default.nix 23 + │ │ ├── firewall.nix 24 + │ │ ├── intrusion.nix # fail2ban 25 + │ │ ├── ssh.nix 26 + │ │ └── ... 27 + │ └── darwin/ # macOS-specific modules 28 + │ ├── common.nix 29 + │ ├── packages.nix 30 + │ ├── homebrew.nix 31 + │ └── system.nix 32 + ├── profiles/ 33 + │ ├── server-base.nix 34 + │ └── server-hardened.nix 17 35 ├── home/ 18 36 │ ├── home.nix 19 - │ └── programs/ 20 - │ ├── git.nix 21 - │ ├── zsh.nix 22 - │ ├── starship.nix 23 - │ ├── vscode.nix 24 - │ └── kde.nix 25 - └── settings/ 26 - └── config/ # ⭐ Edit here 27 - ├── user.nix 28 - ├── packages.nix 29 - ├── desktop.nix 30 - └── ... 37 + │ ├── programs/ # git, zsh, ssh, starship, vscode, kde, ... 
38 + │ └── scripts/ # verify-tailscale-ssh, update-all, update-everything, relts 39 + ├── lib/ 40 + │ ├── default.nix # cfgLib helpers 41 + │ └── USAGE.md 42 + ├── secrets/ 43 + │ ├── secrets.nix # age public key mappings 44 + │ ├── setup.sh # Key management helper 45 + │ └── age/*.age # Encrypted secret files 46 + ├── settings/ 47 + │ ├── config.nix # Entry point 48 + │ ├── config/ # ⭐ Edit here — one file per domain 49 + │ ├── darwin/ # macOS system defaults 50 + │ └── plasma/ # KDE Plasma declarative settings 51 + ├── tools/ # Rust maintenance tools 52 + │ └── src/bin/ # health-check, flake-bump, gen-diff 53 + └── wallpapers/ 31 54 ``` 32 55 33 56 ## Essential Commands 34 57 35 58 | Command | Description | 36 59 |---|---| 37 - | `sudo nixos-rebuild switch --flake .#laptop` | Apply configuration | 38 - | `sudo nixos-rebuild boot --flake .#laptop` | Apply on next boot | 39 - | `sudo nixos-rebuild test --flake .#laptop` | Test without making default | 40 - | `nix flake update` | Update all flake inputs | 41 - | `sudo nix-collect-garbage -d` | Remove old generations | 60 + | `nrs` | Rebuild and switch (shell alias) | 61 + | `nrt` | Test build without switching | 62 + | `nrb` | Build for next boot (NixOS only) | 63 + | `update` | Update flake inputs + rebuild | 64 + | `cleanup` | Garbage collect old generations | 65 + | `health-check` | Pre-build validation | 66 + | `gen-diff` | Compare generations | 42 67 | `nix flake check` | Check for errors | 43 - | `nrs` | Quick rebuild (shell alias) | 44 - | `update` | Full update (shell alias) | 45 - | `cleanup` | Collect garbage (shell alias) | 68 + | `verify-tailscale-ssh` | Test Tailscale SSH connectivity | 69 + 70 + ## Remote Rebuild (one-liner) 71 + 72 + ```bash 73 + # Rebuild local then remote in one shot 74 + nrs && ssh laptop 'cd ~/.config/nix-config && sudo nixos-rebuild switch --flake .#laptop' 75 + ``` 46 76 47 77 ## Quick Edits 48 78 ··· 53 83 | Add package (macOS) | `settings/config/darwin.nix` → `packages` | 54 
84 | Add Homebrew cask | `settings/config/darwin.nix` → `homebrew.casks` | 55 85 | Theme / fonts | `settings/config/desktop.nix` | 56 - | KDE Plasma settings | `settings/plasma/default.nix` and `home/programs/kde.nix` | 86 + | KDE Plasma settings | `settings/plasma/default.nix` + `home/programs/kde.nix` | 57 87 | Shell aliases | `settings/config/shell.nix` | 58 88 | Git settings | `settings/config/git.nix` | 59 89 | VS Code | `settings/config/development.nix` | 60 90 | Wallpaper | `wallpapers/wallpaper.jpg` | 61 91 | Firewall ports | `settings/config/server.nix` | 92 + | SSH hosts | `home/programs/ssh.nix` → `internalHosts` | 93 + | SSH public keys | `modules/ssh-keys.nix` | 62 94 63 95 ## Hardware (laptop) 64 96 - **Model**: Dell Inspiron 3501 65 - - **CPU**: Intel i3-1115G4 (Tiger Lake) 97 + - **CPU**: Intel Core i3-1115G4 (Tiger Lake, 11th Gen) 66 98 - **RAM**: 8 GB DDR4-3200 67 99 - **Storage**: 256 GB NVMe SSD 68 - - **GPU**: Intel UHD Graphics 69 - - **WiFi**: Intel 9462AC 100 + - **GPU**: Intel UHD Graphics (Xe) 101 + - **WiFi**: Intel Wi-Fi 6 AX201 102 + 103 + ## Hardware (macmini) 104 + - **Model**: Apple Mac Mini (M2, 2023) 105 + - **CPU**: Apple M2 (8-core) 106 + - **RAM**: 16 GB unified 107 + - **GPU**: Apple M2 (10-core) 108 + 109 + ## SSH / Tailscale 110 + 111 + All inter-host SSH goes through Tailscale (`tailscale nc` ProxyCommand): 112 + ```bash 113 + ssh laptop # → Tailscale → laptop 114 + ssh server # → Tailscale → server 115 + ssh macmini # → Tailscale → macmini (self — usually skipped) 116 + ``` 117 + 118 + macOS binary path: `/Applications/Tailscale.app/Contents/MacOS/Tailscale` 70 119 71 120 ## Emergency Recovery 121 + 72 122 ```bash 73 - # Check logs 74 - journalctl -xe 123 + # Rollback active generation (NixOS) 124 + sudo nixos-rebuild switch --rollback 75 125 76 - # Rollback active system generation 77 - sudo nix-env --rollback --profile /nix/var/nix/profiles/system 126 + # From GRUB: select "NixOS — All configurations" → pick older 
generation 78 127 79 - # From installer (safe mode) 80 - nixos-enter 81 - nix-env --rollback --profile /nix/var/nix/profiles/system 128 + # From installer (chroot) 129 + sudo mount /dev/nvme0n1p2 /mnt 130 + sudo mount /dev/nvme0n1p1 /mnt/boot 131 + sudo nixos-enter 132 + nixos-rebuild switch --rollback 82 133 ```
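Review bot: the "Remote Rebuild (one-liner)" runs `sudo nixos-rebuild switch --flake .#laptop` inside a non-interactive `ssh laptop '...'` session, which only succeeds if sudo needs neither a password nor a TTY for that command on the laptop; the reference should state that prerequisite, and also that passwordless `nixos-rebuild switch --flake .` on a user-writable checkout is equivalent to passwordless root, because whatever that user commits to the flake becomes the system configuration on the next rebuild. Two smaller points in the "Emergency Recovery" hunk: the chroot steps hard-code `/dev/nvme0n1p2` and `/dev/nvme0n1p1`, so label them as the laptop's layout (the section header says "Emergency Recovery" without naming a host), and `sudo nixos-enter` drops you into a root shell, so the following `nixos-rebuild switch --rollback` without `sudo` is correct but worth a comment so readers do not "fix" it.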
+2 -2
docs/TAILSCALE-SSH.md
··· 23 23 - `home/programs/ssh.nix` - Defines SSH hosts and ProxyCommand routing 24 24 - `hosts/laptop/default.nix` - Laptop firewall trusts tailscale0 25 25 - `modules/server/firewall.nix` - Server firewall trusts tailscale0 26 - - `settings/config/darwin.nix` - macOS Tailscale via Homebrew 26 + - `settings/config/darwin.nix` - macOS Tailscale via Homebrew (`tailscale-app` cask) 27 27 28 28 ## Initial Setup 29 29 ··· 98 98 99 99 ### "tailscale: command not found" 100 100 - **Linux**: Ensure you rebuilt with the updated configuration 101 - - **macOS**: Ensure Homebrew is in PATH: `eval "$(/opt/homebrew/bin/brew shellenv)"` 101 + - **macOS**: The ProxyCommand uses the absolute path `/Applications/Tailscale.app/Contents/MacOS/Tailscale` — ensure the `tailscale-app` Homebrew cask is installed and Tailscale.app is in `/Applications` 102 102 103 103 ### "Connection refused" or "Connection timed out" 104 104 1. Verify Tailscale is running: `tailscale status`
+4 -6
docs/UPDATE-GUIDE.md
··· 51 51 52 52 ### Update a Remote System 53 53 ```bash 54 - # Update laptop from any other machine 55 - ssh laptop 'cd ~/.config/nix-config && nix flake update && sudo nixos-rebuild switch --flake .#laptop' 54 + # Rebuild local then remote in one shot (recommended) 55 + nrs && ssh laptop 'cd ~/.config/nix-config && sudo nixos-rebuild switch --flake .#laptop' 56 56 57 - # Update server 57 + # Update flake inputs on remote too 58 + ssh laptop 'cd ~/.config/nix-config && nix flake update && sudo nixos-rebuild switch --flake .#laptop' 58 59 ssh server 'cd ~/.config/nix-config && nix flake update && sudo nixos-rebuild switch --flake .#server' 59 - 60 - # Update macmini 61 - ssh macmini 'cd ~/.config/nix-config && nix flake update && sudo darwin-rebuild switch --flake .#macmini' 62 60 ``` 63 61 64 62 ## Update Specific Components
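Review bot: the recommended one-liner `nrs && ssh laptop 'cd ~/.config/nix-config && sudo nixos-rebuild switch --flake .#laptop'` rebuilds from the laptop's own checkout and never pushes or pulls the repository, so unless a sync step runs first the laptop silently rebuilds whatever commit it last had rather than the configuration `nrs` just applied locally; add the sync step to the remote command (for example a `git pull` before the rebuild, if that is how the checkouts are kept in step) or state it as a prerequisite. Likewise, running `nix flake update` on the remote writes a `flake.lock` on the laptop that differs from the one on the machine you ran `nrs` from, so the two hosts drift; updating locally, committing, and then pulling on the remote keeps every host on the same lock.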
+2 -2
docs/hosts-macmini.md
··· 79 79 └── system.nix # macOS system settings 80 80 81 81 settings/darwin/ 82 - └── domains/ # Auto-exported macOS defaults (per-domain) 82 + └── default.nix # macOS system.defaults (Dock, Finder, login window, etc.) 83 83 84 84 settings/config/darwin.nix # All darwin values — edit here 85 85 ``` ··· 102 102 - `startup.chime` — boot chime 103 103 - `security.touchIdForSudo` — Touch ID for sudo 104 104 105 - Fine-grained defaults (Dock, Finder, trackpad, etc.) live in `settings/darwin/domains/` and are auto-generated by `settings/darwin-export.sh`. 105 + Fine-grained defaults (Dock, Finder, trackpad, login window, etc.) live in `settings/darwin/default.nix`. Edit them directly in Nix rather than exporting from the GUI. 106 106 107 107 ## Architecture 108 108
+2 -2
docs/hosts-modification.md
··· 227 227 228 228 ```nix 229 229 # hosts/NEW-HOST/default.nix 230 - { config, pkgs, lib, ... }: 230 + { cfgLib, ... }: 231 231 232 232 let 233 - cfg = import ../../settings/config.nix; 233 + cfg = cfgLib.cfg; 234 234 in 235 235 { 236 236 imports = [
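Review bot: the template's argument set shrinks from `{ config, pkgs, lib, ... }:` to `{ cfgLib, ... }:`; if the remainder of the template below `imports = [` still references `pkgs`, `lib` or `config`, those names must stay in the argument set or the example will fail to evaluate when copied. Worth a quick check of the rest of the snippet, or a comment saying to add them back as needed.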
+36 -34
docs/hosts-overview.md
··· 6 6 7 7 | Host | Type | OS | Purpose | Desktop | Status | 8 8 |---|---|---|---|---|---| 9 - | **macmini** | Desktop | macOS | Primary workstation | macOS GUI | ✅ Active (Main) | 9 + | **macmini** | Desktop | macOS Tahoe | Primary workstation | macOS GUI | ✅ Active (Main) | 10 10 | **laptop** | Desktop/Laptop | NixOS | Secondary workstation | KDE Plasma 6 | ✅ Active | 11 - | **server** | Server | NixOS | Headless server | None | 📋 Planned | 11 + | **server** | Server | NixOS | Headless server + PDS | None | 🔧 Config complete, pending deploy | 12 12 13 13 ## Detailed Comparison 14 14 ··· 16 16 17 17 **Hardware**: Apple Silicon Mac Mini (M2) 18 18 - Apple M2 chip (8-core CPU, 10-core GPU) 19 - - Unified memory 20 - - macOS Sequoia 19 + - 16 GB unified memory 20 + - macOS Tahoe 26.3 21 21 22 22 **Purpose**: Primary daily driver for all computing tasks 23 23 ··· 71 71 72 72 **Documentation**: [hosts-laptop.md](hosts-laptop.md) 73 73 74 - ### server (PLANNED) 74 + ### server 75 75 76 76 **Hardware**: To be determined 77 77 78 - **Purpose**: Future headless server for services and remote access 78 + **Purpose**: Minimal headless server — Bluesky ATProto PDS + hardened security 79 79 80 - **Planned Use Cases**: 81 - - SSH remote access 82 - - Self-hosted services (potential: web server, database, etc.) 
83 - - Home lab experimentation 84 - - Always-on availability 85 - - Learning server administration 80 + **Use Cases**: 81 + - Bluesky PDS (via Caddy + Cloudflare tunnel, no open HTTP/HTTPS ports) 82 + - SSH remote access over Tailscale 83 + - Always-on home lab 86 84 87 - **Planned Features**: 88 - - 🔵 Hardened security profile 89 - - 🔵 SSH server with key-based auth only 90 - - 🔵 Fail2ban for intrusion prevention 91 - - 🔵 Firewall (SSH-only by default) 92 - - 🔵 Auto-upgrades (daily) 93 - - 🔵 SMART disk monitoring 94 - - 🔵 Minimal package set 95 - - ❌ No GUI 96 - - ❌ No gaming 97 - - ❌ No multimedia 85 + **Features**: 86 + - ✅ Hardened security profile (`profiles/server-hardened.nix`) 87 + - ✅ SSH key-based auth only 88 + - ✅ Fail2ban intrusion prevention 89 + - ✅ Firewall (SSH-only inbound) 90 + - ✅ Auto-upgrades (daily) 91 + - ✅ SMART disk monitoring 92 + - ✅ Minimal package set 93 + - ✅ Bluesky PDS + Caddy + cloudflared 94 + - ❌ No GUI, no gaming, no multimedia 98 95 99 - **Status**: Configuration exists but not yet deployed to hardware 96 + **Status**: Configuration complete, hardware not yet provisioned. See [hosts-server.md](hosts-server.md) for the deploy runbook. 100 97 101 98 **Documentation**: [hosts-server.md](hosts-server.md) 102 99 ··· 148 145 | `users.nix` | ✅ | ✅ | ❌ | User account creation | 149 146 | `desktop.nix` | ✅ | ❌ | ❌ | KDE Plasma 6 setup | 150 147 | `packages.nix` | ✅ | ❌ | ❌ | Desktop applications | 151 - | `services.nix` | ✅ | ❌ | ❌ | Desktop services (printing, bluetooth) | 148 + | `services.nix` | ✅ | ❌ | ❌ | Printing, Bluetooth | 152 149 | `gaming.nix` | ✅ | ❌ | ❌ | Steam, Gamemode | 150 + | `caddy.nix` | ❌ | ✅ | ❌ | Caddy web server | 151 + | `pds.nix` | ❌ | ✅ | ❌ | Bluesky PDS | 152 + | `server/default.nix` | ❌ | ✅ | ❌ | Server sub-modules (firewall, fail2ban, sshd, ...) 
| 153 + | `profiles/server-hardened.nix` | ❌ | ✅ | ❌ | Security hardening | 153 154 | `darwin/common.nix` | ❌ | ❌ | ✅ | macOS Nix settings | 154 155 | `darwin/packages.nix` | ❌ | ❌ | ✅ | macOS CLI tools | 155 156 | `darwin/homebrew.nix` | ❌ | ❌ | ✅ | Homebrew management | 156 157 | `darwin/system.nix` | ❌ | ❌ | ✅ | macOS system defaults | 157 - | `profiles/server-hardened.nix` | ❌ | ✅ | ❌ | Security hardening | 158 158 159 159 ## Settings Scope 160 160 ··· 185 185 186 186 ``` 187 187 laptop → can SSH to: server, macmini 188 - server → can SSH to: laptop, macmini 189 188 macmini → can SSH to: laptop, server 189 + server ← SSH connections go into it only 190 190 ``` 191 191 192 192 Each host's `~/.ssh/authorized_keys` contains keys from all OTHER hosts. 193 + 194 + ### SSH Agent / Key Loading 195 + 196 + | Host | Mechanism | 197 + |---|---| 198 + | **macmini** | LaunchAgent runs `ssh-add --apple-load-keychain` at login (replaces removed `UseKeychain yes`) | 199 + | **laptop** | systemd user service + ksshaskpass loads keys from KWallet at graphical session start | 200 + | **server** | None needed — only receives inbound SSH connections | 193 201 194 202 ### Secrets Distribution 195 203 ··· 501 509 502 510 ### Secrets Not Available on Host 503 511 504 - Ensure host imports secrets module: 505 - ```nix 506 - # hosts/<hostname>/default.nix 507 - imports = [ 508 - ../../modules/secrets.nix # Must be imported 509 - ]; 510 - ``` 512 + Secrets are managed via ragenix. Ensure the secret is enabled in `settings/config/secrets.nix` and that the host's age key is in `secrets/secrets.nix`. Check activation logs for decryption errors. 511 513 512 514 ## Best Practices 513 515
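Review bot: "Firewall (SSH-only inbound)" sits next to "SSH remote access over Tailscale", which leaves it unclear whether sshd is reachable on every interface or only on `tailscale0` (the `TAILSCALE-SSH.md` hunk in this same change says "Server firewall trusts tailscale0"); the two exposures are very different, so the feature list should say which one the server config implements. The new "SSH Agent / Key Loading" table and the `server ← SSH connections go into it only` line are consistent with each other and are a clear improvement over the removed three-way SSH listing.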
+112 -263
docs/hosts.md
··· 10 10 11 11 ## Documentation Index 12 12 13 - ### Overview and Guides 14 - 15 13 | Document | Description | 16 14 |---|---| 17 - | [**Hosts Overview**](hosts-overview.md) | Complete comparison of all three hosts, configuration philosophy, and multi-host workflows | 18 - | [**Host Modification Guide**](hosts-modification.md) | How to modify existing hosts, add new hosts, and customize host-specific behavior | 19 - 20 - ### Host-Specific Documentation 21 - 22 - | Host | Type | Documentation | 23 - |---|---|---| 24 - | **laptop** | NixOS Desktop | [hosts-laptop.md](hosts-laptop.md) | 25 - | **server** | NixOS Server | [hosts-server.md](hosts-server.md) | 26 - | **macmini** | macOS | [hosts-macmini.md](hosts-macmini.md) | 15 + | [**Hosts Overview**](hosts-overview.md) | Full comparison of all hosts, configuration philosophy, and multi-host workflows | 16 + | [**Host Modification Guide**](hosts-modification.md) | How to modify existing hosts and add new ones | 17 + | [**Tailscale SSH**](TAILSCALE-SSH.md) | Inter-host SSH over Tailscale mesh | 27 18 28 19 ## Current Hosts 29 20 30 21 ### macmini — Apple Silicon Mac Mini (PRIMARY) 31 22 32 - **Purpose**: Primary daily driver with native macOS 23 + **Purpose**: Primary daily driver 33 24 34 25 **Key Features**: 35 - - Apple M2 chip (8-core CPU, 10-core GPU) 36 - - nix-darwin for declarative config 37 - - Homebrew integration (casks + formulae) 38 - - Development tools (VSCode, Git) 39 - - Native macOS apps and ecosystem 40 - - Unified home-manager 41 - 42 - **Status**: Configuration exists but not yet deployed to hardware 26 + - Apple M2 (8-core CPU, 10-core GPU), 16 GB RAM 27 + - nix-darwin for declarative macOS config 28 + - Homebrew integration (casks + formulae via `tailscale-app`, Office, etc.) 
29 + - SSH keys auto-loaded at login via LaunchAgent (`ssh-add --apple-load-keychain`) 30 + - Unified home-manager (same shell, git, prompt as other hosts) 43 31 44 - **Common Tasks** (when deployed): 32 + **Common Tasks**: 45 33 ```bash 46 - # Rebuild (on server) 47 - sudo nixos-rebuild switch --flake .#server 34 + # Rebuild (on macmini) 35 + nrs 48 36 49 - # Rebuild (from macmini remotely) 50 - nixos-rebuild switch --flake .#server \ 51 - --target-host ewan@server-ip \ 52 - --build-host localhost \ 53 - --use-remote-sudo 37 + # Rebuild macmini then laptop in one shot 38 + nrs && ssh laptop 'cd ~/.config/nix-config && sudo nixos-rebuild switch --flake .#laptop' 54 39 ``` 55 40 56 - **Documentation**: [hosts-server.md](hosts-server.md) 41 + **Documentation**: [hosts-macmini.md](hosts-macmini.md) 42 + 43 + --- 57 44 58 45 ### laptop — Dell Inspiron 3501 (SECONDARY) 59 46 60 47 **Purpose**: Secondary workstation for Linux-specific tasks 61 48 62 49 **Key Features**: 63 - - Intel i3-1115G4, 8GB RAM, 256GB SSD 50 + - Intel Core i3-1115G4, 8 GB RAM, 256 GB NVMe 64 51 - KDE Plasma 6 (Wayland) 65 52 - Gaming support (Steam, Gamemode) 66 - - Development tools 67 - - Audio, Bluetooth, WiFi 68 - - Backup workstation 53 + - SSH keys auto-loaded via systemd + ksshaskpass/KWallet at login 69 54 70 55 **Common Tasks**: 71 56 ```bash 72 57 # Rebuild (on laptop) 73 - sudo nixos-rebuild switch --flake .#laptop 74 - # or: nrs 75 - 76 - # Rebuild (from macmini remotely) 77 - nixos-rebuild switch --flake .#laptop \ 78 - --target-host ewan@laptop-ip \ 79 - --build-host localhost \ 80 - --use-remote-sudo 58 + nrs 81 59 82 - # Gaming 83 - steam 60 + # Rebuild remotely from macmini 61 + ssh laptop 'cd ~/.config/nix-config && sudo nixos-rebuild switch --flake .#laptop' 84 62 ``` 85 63 86 64 **Documentation**: [hosts-laptop.md](hosts-laptop.md) 87 65 88 - ### server — Headless NixOS Server (PLANNED) 66 + --- 89 67 90 - **Purpose**: Future minimal, security-hardened server (not yet deployed) 
68 + ### server — Headless NixOS Server 69 + 70 + **Purpose**: Minimal security-hardened server (Bluesky PDS + services) 91 71 92 - **Planned Features**: 93 - - No GUI (headless) 94 - - SSH with key-based auth only 95 - - Fail2ban intrusion prevention 96 - - Firewall (SSH-only by default) 97 - - Auto-upgrades 98 - - SMART disk monitoring 72 + **Key Features**: 73 + - Headless (no GUI, no desktop packages) 74 + - SSH key-based auth only; Fail2ban; firewall 75 + - Bluesky ATProto PDS via Caddy + Cloudflare tunnel 76 + - Auto-upgrades and SMART disk monitoring 77 + - Configuration is complete and ready to deploy 99 78 100 79 **Common Tasks**: 101 80 ```bash 102 - # Rebuild 103 - darwin-rebuild switch --flake .#macmini 81 + # Rebuild (on server) 82 + nrs 104 83 105 - # Update 106 - nix flake update && darwin-rebuild switch --flake .#macmini 107 - 108 - # Cleanup 109 - sudo nix-collect-garbage -d 110 - darwin-rebuild switch --flake .#macmini 84 + # Rebuild remotely from macmini 85 + ssh server 'cd ~/.config/nix-config && sudo nixos-rebuild switch --flake .#server' 111 86 ``` 112 87 113 - **Documentation**: [hosts-macmini.md](hosts-macmini.md) 88 + **Documentation**: [hosts-server.md](hosts-server.md) 89 + 90 + --- 114 91 115 92 ## Repository Structure 116 93 117 94 ``` 118 95 hosts/ 119 - ├── laptop/ # NixOS desktop configuration 120 - │ ├── default.nix # Main config (imports modules) 121 - │ └── hardware-configuration.nix # Auto-generated hardware config 122 - ├── server/ # NixOS server configuration 123 - │ ├── default.nix # Main config (minimal + hardened) 124 - │ └── minimal-hardware.nix # Minimal hardware config 125 - └── macmini/ # macOS configuration 126 - └── default.nix # Main config (nix-darwin + homebrew) 96 + ├── laptop/ 97 + │ ├── default.nix 98 + │ └── hardware-configuration.nix 99 + ├── server/ 100 + │ ├── default.nix 101 + │ └── minimal-hardware.nix 102 + └── macmini/ 103 + └── default.nix 127 104 128 - modules/ # Reusable modules imported by hosts 105 + 
modules/ 129 106 ├── common.nix # Base NixOS settings 130 107 ├── desktop.nix # KDE Plasma 6 + SDDM 131 108 ├── gaming.nix # Steam, Gamemode 132 109 ├── packages.nix # Desktop applications 133 - ├── services.nix # System services (printing, bluetooth) 110 + ├── services.nix # Printing, Bluetooth, etc. 134 111 ├── users.nix # User accounts 135 - └── darwin/ # macOS-specific modules 136 - ├── common.nix # Base macOS settings 137 - ├── packages.nix # CLI tools 138 - ├── homebrew.nix # Homebrew management 139 - └── system.nix # macOS system defaults 112 + ├── caddy.nix # Caddy web server 113 + ├── pds.nix # Bluesky PDS 114 + ├── ssh-keys.nix # Public key registry (all hosts) 115 + ├── server/ # Server-specific modules 116 + │ ├── default.nix # Imports all server sub-modules 117 + │ ├── firewall.nix 118 + │ ├── intrusion.nix # fail2ban 119 + │ ├── ssh.nix # sshd hardening 120 + │ ├── hardware-health.nix # SMART monitoring 121 + │ ├── maintenance.nix # Auto-upgrades, GC 122 + │ ├── packages.nix # Server package set 123 + │ ├── services.nix # Server services 124 + │ └── disable-noise.nix # Quieten unnecessary logging 125 + └── darwin/ 126 + ├── common.nix 127 + ├── packages.nix 128 + ├── homebrew.nix 129 + └── system.nix 140 130 141 - profiles/ # Reusable configuration profiles 131 + profiles/ 142 132 ├── server-base.nix # Base server config 143 - └── server-hardened.nix # Security-hardened server 133 + └── server-hardened.nix # Security hardening (imports server-base) 144 134 145 - settings/config/ # Global configuration values (DRY) 146 - ├── user.nix # Username, email, shell (ALL hosts) 147 - ├── system.nix # Timezone, locale (NixOS hosts) 148 - ├── packages.nix # Package lists (NixOS hosts) 149 - ├── desktop.nix # Theme, fonts (laptop only) 150 - ├── gaming.nix # Gaming config (laptop only) 151 - ├── server.nix # Server config (server only) 152 - ├── darwin.nix # macOS config (macmini only) 153 - └── ... 
# Other shared settings 135 + settings/config/ # ⭐ Global values — edit here 136 + home/scripts/ # verify-tailscale-ssh, update-all, update-everything, relts 154 137 ``` 155 138 139 + ## Module Import Matrix 140 + 141 + | Module | macmini | laptop | server | 142 + |---|:---:|:---:|:---:| 143 + | `common.nix` | ❌ | ✅ | ✅ | 144 + | `users.nix` | ❌ | ✅ | ✅ | 145 + | `desktop.nix` | ❌ | ✅ | ❌ | 146 + | `packages.nix` | ❌ | ✅ | ❌ | 147 + | `services.nix` | ❌ | ✅ | ❌ | 148 + | `gaming.nix` | ❌ | ✅ | ❌ | 149 + | `caddy.nix` | ❌ | ❌ | ✅ | 150 + | `pds.nix` | ❌ | ❌ | ✅ | 151 + | `profiles/server-hardened.nix` | ❌ | ❌ | ✅ | 152 + | `darwin/common.nix` | ✅ | ❌ | ❌ | 153 + | `darwin/packages.nix` | ✅ | ❌ | ❌ | 154 + | `darwin/homebrew.nix` | ✅ | ❌ | ❌ | 155 + | `darwin/system.nix` | ✅ | ❌ | ❌ | 156 + 156 157 ## Configuration Philosophy 157 158 158 159 ### Three Layers 159 160 160 - 1. **Global Settings** (`settings/config/`) — Values shared across hosts 161 - 2. **Reusable Modules** (`modules/`) — Components imported by hosts 162 - 3. **Host Files** (`hosts/*/default.nix`) — Minimal, imports modules + overrides 161 + 1. **Global Settings** (`settings/config/`) — values shared across hosts 162 + 2. **Reusable Modules** (`modules/`) — components imported by hosts 163 + 3. 
**Host Files** (`hosts/*/default.nix`) — minimal; just imports + overrides 163 164 164 165 ### DRY Principle 165 166 166 - Don't repeat yourself: 167 167 - ✅ Edit `settings/config/user.nix` once → applies to all hosts 168 - - ✅ Edit `settings/config/packages.nix` once → applies to relevant hosts 168 + - ✅ Edit `settings/config/shell.nix` once → shell is identical everywhere 169 169 - ❌ Don't hardcode values in host files 170 170 - ❌ Don't duplicate configuration across hosts 171 171 172 - ### Example: Changing Username 173 - 174 - ```bash 175 - # ✅ Right way (edit once) 176 - vim settings/config/user.nix 177 - # Change: username = "newuser"; 178 - 179 - # Apply to all hosts 180 - sudo nixos-rebuild switch --flake .#laptop 181 - ssh server sudo nixos-rebuild switch --flake .#server 182 - ssh macmini darwin-rebuild switch --flake .#macmini 183 - 184 - # ❌ Wrong way (editing each host file) 185 - # DON'T hardcode username in hosts/laptop/default.nix 186 - # DON'T hardcode username in hosts/server/default.nix 187 - # DON'T hardcode username in hosts/macmini/default.nix 188 - ``` 189 - 190 172 ## Common Workflows 191 173 192 - ### Adding a New Package 174 + ### Adding a Package 193 175 194 - **To macOS (primary)** (macmini): 176 + **macOS only** (`darwin.nix` → `packages` or `homebrew.casks`): 195 177 ```bash 196 178 vim settings/config/darwin.nix 197 - # Add to "packages" or "homebrew.casks" 198 - darwin-rebuild switch --flake .#macmini 179 + nrs 199 180 ``` 200 181 201 - **To Linux hosts** (laptop, server when deployed): 182 + **Linux hosts** (`packages.nix` → `desktop` or `common`): 202 183 ```bash 203 184 vim settings/config/packages.nix 204 - # Add to "common" or "desktop" list 205 - ssh laptop sudo nixos-rebuild switch --flake .#laptop 206 - ``` 207 - 208 - **To laptop only** (gaming, Linux-specific): 209 - ```bash 210 - vim settings/config/packages.nix 211 - # Add to "desktop" list (already laptop-only) 212 - # or edit laptop's default.nix for truly 
laptop-specific 213 - ``` 214 - 215 - ### Changing a System Setting 216 - 217 - **Timezone** (affects Linux hosts, macOS set separately): 218 - ```bash 219 - vim settings/config/system.nix 220 - # Change: timeZone = "America/New_York"; 221 - # Apply to laptop 222 - ssh laptop sudo nixos-rebuild switch --flake .#laptop 223 - 224 - # For macOS, edit hosts/macmini/default.nix 225 - vim hosts/macmini/default.nix 226 - # Change: time.timeZone = "America/New_York"; 227 - darwin-rebuild switch --flake .#macmini 185 + nrs && ssh laptop 'cd ~/.config/nix-config && sudo nixos-rebuild switch --flake .#laptop' 228 186 ``` 229 187 230 - **Shell alias** (all hosts via home-manager): 188 + ### Changing a Shell Alias (all hosts) 231 189 ```bash 232 190 vim settings/config/shell.nix 233 - # Add to "aliases" 234 - # Apply to macmini (primary) 235 - darwin-rebuild switch --flake .#macmini 236 - # Apply to laptop 237 - ssh laptop sudo nixos-rebuild switch --flake .#laptop 238 - ``` 239 - 240 - **Desktop theme** (laptop only, macOS uses native themes): 241 - ```bash 242 - vim settings/config/desktop.nix 243 - # Change: theme = "New-Theme-Name"; 244 - ssh laptop sudo nixos-rebuild switch --flake .#laptop 191 + nrs 192 + ssh laptop 'cd ~/.config/nix-config && sudo nixos-rebuild switch --flake .#laptop' 245 193 ``` 246 194 247 195 ### Enabling/Disabling Features 248 - 249 - **Gaming** (laptop only): 250 196 ```bash 251 - vim settings/config/gaming.nix 252 - # Toggle: enable = true/false; 197 + vim settings/config/gaming.nix # toggle gaming 198 + vim settings/config/maintenance.nix # toggle auto-upgrades 253 199 ``` 254 200 255 - **Auto-upgrades** (all hosts): 256 - ```bash 257 - vim settings/config/maintenance.nix 258 - # Toggle: autoUpgrade.enable = true/false; 259 - ``` 260 - 261 - ### Adding a New Host 262 - 263 - See [Host Modification Guide](hosts-modification.md#adding-new-hosts) for complete instructions. 264 - 265 - Quick overview: 266 - 1. 
Create `hosts/NEW-HOST/` directory 267 - 2. Generate `hardware-configuration.nix` (NixOS) or skip (macOS) 268 - 3. Create `default.nix` using a template 269 - 4. Register in `flake.nix` 270 - 5. Build and test 271 - 272 - ## Module Import Matrix 273 - 274 - Which modules does each host import? 275 - 276 - | Module | macmini | laptop | server | 277 - |---|:---:|:---:|:---:| 278 - | `common.nix` | ❌ | ✅ | ✅ | 279 - | `users.nix` | ❌ | ✅ | ✅ | 280 - | `desktop.nix` | ❌ | ✅ | ❌ | 281 - | `packages.nix` | ❌ | ✅ | ❌ | 282 - | `services.nix` | ❌ | ✅ | ❌ | 283 - | `gaming.nix` | ❌ | ✅ | ❌ | 284 - | `profiles/server-hardened.nix` | ❌ | ❌ | 🔵 | 285 - | `darwin/common.nix` | ✅ | ❌ | ❌ | 286 - | `darwin/packages.nix` | ✅ | ❌ | ❌ | 287 - | `darwin/homebrew.nix` | ✅ | ❌ | ❌ | 288 - | `darwin/system.nix` | ✅ | ❌ | ❌ | 289 - 290 201 ## Troubleshooting 291 - 292 - ### Build Failures 293 202 294 203 ```bash 295 - # Check for syntax errors 204 + # Syntax check 296 205 nix flake check 297 206 298 207 # Build without activating 299 - nixos-rebuild build --flake .#hostname 208 + sudo nixos-rebuild build --flake .#laptop 300 209 301 - # Show detailed error trace 302 - nixos-rebuild switch --flake .#hostname --show-trace 303 - ``` 210 + # Detailed error trace 211 + sudo nixos-rebuild switch --flake .#laptop --show-trace 304 212 305 - ### Rollback 306 - 307 - ```bash 308 - # NixOS 309 - sudo nixos-rebuild --rollback 310 - 311 - # macOS 312 - # Use Time Machine or reinstall from backup 213 + # Rollback 214 + sudo nixos-rebuild switch --rollback 313 215 ``` 314 216 315 - ### Remote Deployment Issues 217 + ## Resources 316 218 317 - ```bash 318 - # Test SSH connection first 319 - ssh ewan@remote-host 320 - 321 - # Check if nix-daemon is running on remote 322 - ssh ewan@remote-host systemctl status nix-daemon 323 - 324 - # Use verbose mode 325 - nixos-rebuild switch --flake .#server \ 326 - --target-host ewan@server-ip \ 327 - --build-host localhost \ 328 - --use-remote-sudo \ 329 - --verbose 
330 - ``` 331 - 332 - ### Configuration Not Applying 333 - 334 - ```bash 335 - # Ensure you're targeting the right host 336 - nixos-rebuild switch --flake .#CORRECT-HOSTNAME 337 - 338 - # Check which modules are imported 339 - cat hosts/HOSTNAME/default.nix | grep imports 340 - 341 - # Verify the setting file is correct 342 - cat settings/config/SETTING-FILE.nix 343 - ``` 344 - 345 - ## Best Practices 346 - 347 - 1. **Always test changes** — Use `nixos-rebuild test` before `switch` 348 - 2. **Use version control** — Commit after working changes 349 - 3. **Keep hosts minimal** — Import modules, don't duplicate logic 350 - 4. **Centralize values** — Use `settings/config/`, not host files 351 - 5. **Document overrides** — Comment why host-specific overrides exist 352 - 6. **Regular backups** — Especially `~/.config/nix-config` and `/etc/nixos` 353 - 7. **Check flake inputs** — Run `nix flake check` before rebuilding 354 - 8. **Update regularly** — But test on one host first 355 - 356 - ## Additional Resources 357 - 358 - ### Internal Documentation 359 - - [Hosts Overview](hosts-overview.md) — Comprehensive comparison and workflows 360 - - [Host Modification Guide](hosts-modification.md) — How to modify and add hosts 361 - - [Laptop Guide](hosts-laptop.md) — Dell Inspiron 3501 specifics 362 - - [Server Guide](hosts-server.md) — Headless server setup 363 - - [macOS Guide](hosts-macmini.md) — nix-darwin and Homebrew 364 - - [Settings Reference](settings-config.md) — All configurable values 365 - - [REFERENCE.md](REFERENCE.md) — Quick command reference 366 - 367 - ### External Resources 368 219 - [NixOS Manual](https://nixos.org/manual/nixos/stable/) 220 + - [nix-darwin Manual](https://github.com/LnL7/nix-darwin) 221 + - [Home Manager Manual](https://nix-community.github.io/home-manager/) 369 222 - [NixOS Options Search](https://search.nixos.org/options) 370 - - [nix-darwin Documentation](https://github.com/LnL7/nix-darwin) 371 - - [Home Manager 
Manual](https://nix-community.github.io/home-manager/) 372 - - [Nix Pills](https://nixos.org/guides/nix-pills/) 373 - - [NixOS Wiki](https://nixos.wiki/)
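Review bot: the new remote rebuild one-liner in the server section, `ssh server 'cd ~/.config/nix-config && sudo nixos-rebuild switch --flake .#server'`, will not work as written: the hosts/laptop hunk in this same commit says the server keeps `wheelNeedsPassword = true` and the NOPASSWD exception is laptop-only, and without a TTY sudo cannot prompt and aborts with "a terminal is required to read the password". Either document `ssh -t server '…'` here (the laptop lines under "Adding a Package" and "Changing a Shell Alias" could use the same `-t` form, which would remove the need for the NOPASSWD rule altogether) or state that the server one-liner needs a TTY. Two smaller things in the same region: `sudo nixos-rebuild build --flake .#laptop` under Troubleshooting does not need sudo, since `build` only populates the store and writes a `./result` link; and the Module Import Matrix omits `ssh-keys.nix`, which the structure tree labels "Public key registry (all hosts)", and the whole `modules/server/` set, so a reader cannot tell from the matrix which hosts actually pick them up.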
+4 -12
docs/settings.md
··· 15 15 │ ├── desktop.nix 16 16 │ ├── darwin.nix 17 17 │ └── ... 18 - ├── plasma/ # KDE Plasma settings (declarative) 18 + ├── plasma/ # KDE Plasma declarative settings 19 19 │ └── default.nix 20 - ├── darwin/ # macOS system defaults (auto-generated) 21 - │ ├── default.nix 22 - │ └── domains/ 23 - └── darwin-export.sh # Export current macOS state → domains/ 20 + └── darwin/ # macOS system defaults (Dock, Finder, trackpad, etc.) 21 + └── default.nix 24 22 ``` 25 23 26 24 ## Usage ··· 55 53 56 54 ### macOS 57 55 58 - After changing settings through System Settings: 59 - 60 - ```bash 61 - ./settings/darwin-export.sh 62 - ``` 63 - 64 - Exports to `settings/darwin/domains/`. Applied automatically on next `darwin-rebuild`. 56 + macOS system defaults are managed declaratively in `settings/darwin/default.nix`. Edit the Nix values directly rather than exporting from System Settings — this ensures the config is reproducible and version-controlled. 65 57 66 58 ## Further Reading 67 59
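Review bot: with `darwin-export.sh` and `domains/` removed, the macOS section no longer tells the reader how to discover the domain, key and value for a setting they want to add to `settings/darwin/default.nix`; the old export flow was the discovery step. Consider one sentence pointing at `defaults read <domain>` (or `defaults read` with no arguments, diffed before and after toggling the setting in System Settings) so that "edit the Nix values directly" is actionable for options not already present in the file.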
+11
hosts/laptop/default.nix
··· 32 32 jack.enable = true; 33 33 }; 34 34 35 + # Allow passwordless sudo for nixos-rebuild so remote one-liners work over SSH 36 + # (no TTY is available in that context). Other sudo commands still require a password. 37 + # The server keeps wheelNeedsPassword = true; this exception is laptop-only. 38 + security.sudo.extraRules = [{ 39 + users = [ cfg.user.username ]; 40 + commands = [{ 41 + command = "/run/current-system/sw/bin/nixos-rebuild"; 42 + options = [ "NOPASSWD" ]; 43 + }]; 44 + }]; 45 + 35 46 system.stateVersion = cfg.system.stateVersion; 36 47 }
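Review bot: the comment on this rule understates what it grants. `nixos-rebuild switch --flake` builds and activates whatever configuration is in the user-writable checkout (`~/.config/nix-config` per the docs hunk), so NOPASSWD on `/run/current-system/sw/bin/nixos-rebuild` with no argument restriction is equivalent to passwordless root for `cfg.user.username`: any process running as that user can add an SSH key, a root password or a setuid wrapper to the config and activate it, and `--target-host`/`--build-host` let it do the same against other hosts. "Other sudo commands still require a password" is true but is not a meaningful boundary, so the comparison with the server's `wheelNeedsPassword = true` is misleading. If the only driver is the missing TTY for remote one-liners, `ssh -t laptop 'sudo nixos-rebuild switch --flake .#laptop'` allocates one and keeps the password prompt, so the rule is not needed; if you keep it, say in the comment that it is root-equivalent by design.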
+1
settings/config/darwin.nix
··· 95 95 "netnewswire" 96 96 "prismlauncher" 97 97 "tailscale-app" # VPN for inter-host communication 98 + "element" # Matrix client 98 99 ]; 99 100 100 101 # Mac App Store apps (by ID)
+2 -2
settings/config/gaming.nix
··· 1 1 { 2 2 # Gaming configuration 3 - enable = false; # Set true on gaming systems 3 + enable = true; 4 4 steam = { 5 - enable = false; 5 + enable = true; 6 6 openFirewall = false; 7 7 }; 8 8 }
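Review bot: the dropped comment `# Set true on gaming systems` was the only hint that this value is a per-host toggle rather than a global default. Since `settings/config/` is shared by every host and, per the Module Import Matrix in this commit, only the laptop imports `gaming.nix`, please keep a comment stating that the value only takes effect on hosts that import that module, so a future change to the server or macmini imports does not pull Steam in by accident. Keeping `openFirewall = false` is the right call for a laptop: whichever of NixOS's `programs.steam.*.openFirewall` options it maps to would expose Remote Play, dedicated-server or local-network-transfer ports on whatever network the laptop is attached to.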
+1
settings/config/packages.nix
··· 139 139 # Communication 140 140 "discord" 141 141 "signal-desktop" 142 + "element-desktop" # Matrix client 142 143 143 144 # Media 144 145 "spotify"