+3 -3

hosts/macmini/default.nix

reviewed

··· 1 1 - { config, lib, pkgs, cfgLib, ... }: 1 1 + { pkgs, cfgLib, ... }: 2 2 3 3 let 4 4 cfg = cfgLib.cfg; ··· 17 17 system.primaryUser = cfg.user.username; 18 18 19 19 networking = { 20 20 - hostName = "macmini"; 20 20 + hostName = "macmini"; 21 21 computerName = "MacMini"; 22 22 }; 23 23 ··· 28 28 time.timeZone = cfg.system.timeZone; 29 29 30 30 users.users.${cfg.user.username} = { 31 31 - home = "/Users/${cfg.user.username}"; 31 31 + home = "/Users/${cfg.user.username}"; 32 32 shell = pkgs.${cfg.user.shell}; 33 33 }; 34 34

+26 -1

modules/darwin/system.nix

reviewed

··· 1 1 - { config, pkgs, cfgLib, ... }: 1 1 + { config, lib, pkgs, cfgLib, ... }: 2 2 3 3 let 4 4 cfg = cfgLib.cfg; ··· 20 20 21 21 # Touch ID for sudo – driven from settings/config/darwin.nix 22 22 security.pam.services.sudo_local.touchIdAuth = cfg.darwin.security.touchIdForSudo; 23 23 + 24 24 + # ── Time Machine destination ────────────────────────────────────────────────── 25 25 + # No native nix-darwin option exists for tmutil setdestination, so we use an 26 26 + # activation script. It is idempotent: skipped if the URL is already registered. 27 27 + # 28 28 + # First-time setup (one-off, interactive — stores password in macOS keychain): 29 29 + # sudo tmutil setdestination -p smb://<user>@server/TimeMachine 30 30 + # After that, nrs registers it automatically on every rebuild without prompting. 31 31 + system.activationScripts.timeMachineDestination = lib.mkIf cfg.server.timemachine.enable { 32 32 + text = let 33 33 + shareUrl = "smb://${cfg.user.username}@server/${cfg.server.timemachine.shareName}"; 34 34 + in '' 35 35 + shareUrl='${shareUrl}' 36 36 + echo "Checking Time Machine destination ($shareUrl)..." 37 37 + if /usr/bin/tmutil destinationinfo 2>/dev/null | /usr/bin/grep -qF "$shareUrl"; then 38 38 + echo " already registered, skipping" 39 39 + else 40 40 + echo " registering..." 41 41 + # -a adds alongside existing destinations rather than replacing them. 42 42 + # Credentials come from the macOS keychain — never stored in the Nix store. 43 43 + /usr/bin/tmutil setdestination -a "$shareUrl" 2>&1 || \ 44 44 + echo " WARNING: could not register (share may be unreachable right now)" 45 45 + fi 46 46 + ''; 47 47 + }; 23 48 }

+25 -16

modules/matrix.nix

reviewed

··· 38 38 # Handled by modules/cloudflare-tunnel.nix. 39 39 # See that module for setup instructions. 40 40 ############################################################################## 41 41 - { config, lib, pkgs, self, cfgLib, ... }: 41 41 + { 42 42 + config, 43 43 + lib, 44 44 + self, 45 45 + cfgLib, 46 46 + ... 47 47 + }: 42 48 43 49 let 44 44 - cfg = cfgLib.cfg.matrix; 50 50 + cfg = cfgLib.cfg.matrix; 45 51 synapsePort = toString cfg.port; 46 46 - caddyPort = toString cfg.caddyPort; 47 47 - matrixHost = cfg.hostname; 52 52 + caddyPort = toString cfg.caddyPort; 53 53 + matrixHost = cfg.hostname; 48 54 in 49 55 lib.mkIf cfg.enable { 50 56 51 57 # ── Secrets ────────────────────────────────────────────────────────────────── 52 58 age.secrets."matrix.env" = { 53 53 - file = self + /secrets/age/matrix.env.age; 59 59 + file = self + /secrets/age/matrix.env.age; 54 60 owner = "matrix-synapse"; 55 61 group = "matrix-synapse"; 56 56 - mode = "0400"; 62 62 + mode = "0400"; 57 63 }; 58 64 59 65 # ── Matrix Synapse service ──────────────────────────────────────────────────── 60 66 services.matrix-synapse = { 61 67 enable = true; 62 68 dataDir = "/srv/matrix-synapse"; 63 63 - 69 69 + 64 70 settings = { 65 65 - server_name = cfg.serverName; # Domain used in Matrix IDs (@user:ewancroft.uk) 66 66 - 71 71 + server_name = cfg.serverName; # Domain used in Matrix IDs (@user:ewancroft.uk) 72 72 + 67 73 # Public base URL for client-server API 68 74 public_baseurl = "https://${matrixHost}"; 69 69 - 75 75 + 70 76 # Listener configuration 71 77 listeners = [ 72 78 { ··· 75 81 type = "http"; 76 82 tls = false; 77 83 x_forwarded = true; 78 78 - 84 84 + 79 85 resources = [ 80 86 { 81 81 - names = [ "client" "federation" ]; 87 87 + names = [ 88 88 + "client" 89 89 + "federation" 90 90 + ]; 82 91 compress = false; 83 92 } 84 93 ]; ··· 95 104 96 105 # Enable registration (you may want to disable this and use registration_shared_secret) 97 106 enable_registration = false; 98 98 - 107 107 + 99 108 # Allow guests (optional) 100 109 allow_guest_access = false; 101 110 ··· 115 124 116 125 # Media 117 126 max_upload_size = "50M"; 118 118 - 127 127 + 119 128 # Security 120 129 suppress_key_server_warning = true; 121 130 }; ··· 140 149 # Restart policy for Synapse 141 150 systemd.services.matrix-synapse = { 142 151 serviceConfig = { 143 143 - Restart = lib.mkForce "always"; 152 152 + Restart = lib.mkForce "always"; 144 153 RestartSec = cfgLib.cfg.server.servicePolicy.restartSec; 145 154 }; 146 155 unitConfig = { 147 156 StartLimitIntervalSec = cfgLib.cfg.server.servicePolicy.startLimitIntervalSec; 148 148 - StartLimitBurst = cfgLib.cfg.server.servicePolicy.startLimitBurst; 157 157 + StartLimitBurst = cfgLib.cfg.server.servicePolicy.startLimitBurst; 149 158 }; 150 159 }; 151 160

+19 -15

modules/pds.nix

reviewed

··· 23 23 # Handled by modules/cloudflare-tunnel.nix. 24 24 # See that module for setup instructions. 25 25 ############################################################################## 26 26 - { config, lib, pkgs, self, cfgLib, ... }: 26 26 + { 27 27 + config, 28 28 + lib, 29 29 + pkgs, 30 30 + self, 31 31 + cfgLib, 32 32 + ... 33 33 + }: 27 34 28 35 let 29 29 - cfg = cfgLib.cfg.pds; 30 30 - pdsPort = toString cfg.port; 31 31 - pdsHost = cfg.hostname; 36 36 + cfg = cfgLib.cfg.pds; 37 37 + pdsPort = toString cfg.port; 32 38 caddyPort = toString cfg.caddyPort; 33 39 34 40 # UK Online Safety Act age-assurance static responses. ··· 59 65 60 66 # ── Secrets ────────────────────────────────────────────────────────────────── 61 67 age.secrets."pds.env" = { 62 62 - file = self + /secrets/age/pds.env.age; 68 68 + file = self + /secrets/age/pds.env.age; 63 69 owner = "pds"; 64 70 group = "pds"; 65 65 - mode = "0400"; 71 71 + mode = "0400"; 66 72 }; 67 73 68 74 # ── PDS service ─────────────────────────────────────────────────────────────── 69 75 environment.systemPackages = [ pkgs.atproto-goat ]; 70 76 71 77 services.bluesky-pds = { 72 72 - enable = true; 78 78 + enable = true; 73 79 environmentFiles = [ config.age.secrets."pds.env".path ]; 74 80 settings = { 75 81 PDS_DATA_DIRECTORY = "/srv/bluesky-pds"; 76 76 - PDS_PORT = cfg.port; 77 77 - PDS_HOSTNAME = cfg.hostname; 82 82 + PDS_PORT = cfg.port; 83 83 + PDS_HOSTNAME = cfg.hostname; 78 84 PDS_ADMIN_EMAIL = cfg.adminEmail; 79 79 - PDS_SERVICE_HANDLE_DOMAINS = 80 80 - lib.concatStringsSep "," cfg.serviceHandleDomains; 81 81 - PDS_CRAWLERS = 82 82 - lib.concatStringsSep "," cfg.crawlers; 85 85 + PDS_SERVICE_HANDLE_DOMAINS = lib.concatStringsSep "," cfg.serviceHandleDomains; 86 86 + PDS_CRAWLERS = lib.concatStringsSep "," cfg.crawlers; 83 87 }; 84 88 }; 85 89 86 90 systemd.services.bluesky-pds = { 87 87 - serviceConfig.Restart = "always"; 91 91 + serviceConfig.Restart = "always"; 88 92 serviceConfig.RestartSec = cfgLib.cfg.server.servicePolicy.restartSec; 89 93 unitConfig = { 90 94 StartLimitIntervalSec = cfgLib.cfg.server.servicePolicy.startLimitIntervalSec; 91 91 - StartLimitBurst = cfgLib.cfg.server.servicePolicy.startLimitBurst; 95 95 + StartLimitBurst = cfgLib.cfg.server.servicePolicy.startLimitBurst; 92 96 }; 93 97 }; 94 98

+19 -12

settings/darwin/default.nix

reviewed

··· 28 28 wvous-br-corner = 4; # bottom-right → Desktop 29 29 wvous-tl-corner = 1; # top-left → None 30 30 wvous-tr-corner = 5; # top-right → Screen Saver 31 31 - 32 32 - # Persistent applications in the Dock (left to right) 33 33 - # Note: Finder is always shown and doesn't need to be listed here 31 31 + 32 32 + # Persistent applications in the Dock (left to right). 33 33 + # Note: Finder is always shown and doesn't need to be listed here. 34 34 + # Apps managed by Nix (darwin.packages) live in /Applications/Nix Apps/. 35 35 + # Apps managed by Homebrew cask live in /Applications/. 36 36 + # Apps managed by home-manager live in ~/Applications/Home Manager Apps/. 34 37 persistent-apps = [ 38 38 + # ── Communication ───────────────────────────────────────────── 35 39 "/System/Applications/Mail.app" 36 40 "/Applications/WhatsApp.app" 41 41 + "/System/Applications/Messages.app" 42 42 + "/System/Applications/FaceTime.app" 37 43 "/System/Applications/Phone.app" 38 44 "/System/Applications/iPhone Mirroring.app" 39 39 - "/System/Applications/FaceTime.app" 40 40 - "/System/Applications/Messages.app" 45 45 + "/Applications/Nix Apps/Signal.app" 46 46 + "/Applications/Element.app" 47 47 + "/Applications/Nix Apps/Discord.app" 48 48 + # ── Productivity ─────────────────────────────────────────────── 41 49 "/System/Applications/Calendar.app" 42 50 "/System/Applications/Reminders.app" 43 43 - "/Applications/Signal.app" 44 44 - "/Applications/Element.app" 45 45 - "/Applications/Discord.app" 46 46 - "/Applications/Spotify.app" 51 51 + "/Applications/Nix Apps/Obsidian.app" 52 52 + "/Applications/Nix Apps/Visual Studio Code.app" 53 53 + "/Applications/Claude.app" 54 54 + # ── Media & Gaming ───────────────────────────────────────────── 55 55 + "/Applications/Nix Apps/Spotify.app" 47 56 "/Applications/Firefox.app" 48 57 "/Applications/Steam.app" 49 49 - "/Applications/Obsidian.app" 50 50 - "/Applications/Visual Studio Code.app" 51 51 - "/Applications/Claude.app" 58 58 + # ── System ───────────────────────────────────────────────────── 52 59 "/System/Applications/Utilities/Terminal.app" 53 60 ]; 54 61 };