@jaspermayone.com's dotfiles
rekey and horace
+246
-56
+9
flake.nix
+9
flake.nix
···
136
136
# Available through 'nixos-rebuild --flake .#hostname'
137
137
nixosConfigurations = {
138
138
alastor = mkNixos "alastor" "aarch64-linux";
139
+
horace = mkNixos "horace" "x86_64-linux";
139
140
};
140
141
141
142
# Darwin configurations
···
158
159
sshUser = "jsp";
159
160
user = "root";
160
161
path = deploy-rs.lib.aarch64-linux.activate.nixos self.nixosConfigurations.alastor;
162
+
};
163
+
};
164
+
horace = {
165
+
hostname = "horace";
166
+
profiles.system = {
167
+
sshUser = "jsp";
168
+
user = "root";
169
+
path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.horace;
161
170
};
162
171
};
163
172
};
+8
home/default.nix
+8
home/default.nix
···
95
95
zmx = true; # auto-attach zmx session
96
96
};
97
97
98
+
# Horace (named after Horace Slughorn)
99
+
horace = {
100
+
hostname = "horace";
101
+
user = "jsp";
102
+
identityFile = "~/.ssh/id_ed25519";
103
+
zmx = true;
104
+
};
105
+
98
106
# Proxmox and VMs
99
107
pve = {
100
108
hostname = "10.100.0.222";
+2
-9
hosts/alastor/configuration.nix
+2
-9
hosts/alastor/configuration.nix
···
43
43
jq
44
44
tmux
45
45
bluesky-pds
46
-
inputs.agenix.packages.${pkgs.system}.default # agenix CLI
46
+
inputs.agenix.packages.${pkgs.stdenv.hostPlatform.system}.default # agenix CLI
47
47
];
48
48
49
49
# NH - NixOS helper
···
169
169
# Tangled Knot server (official module)
170
170
services.tangled.knot = {
171
171
enable = true;
172
-
package = inputs.tangled.packages.${pkgs.system}.knot;
172
+
package = inputs.tangled.packages.${pkgs.stdenv.hostPlatform.system}.knot;
173
173
server = {
174
174
owner = "did:plc:abgthiqrd7tczkafjm4ennbo";
175
175
hostname = "knot.jaspermayone.com";
···
274
274
# };
275
275
# };
276
276
# };
277
-
278
-
# Automatic garbage collection
279
-
nix.gc = {
280
-
automatic = true;
281
-
dates = "weekly";
282
-
options = "--delete-older-than 30d";
283
-
};
284
277
285
278
# Automatic updates - checks daily at 4am
286
279
system.autoUpgrade = {
+144
hosts/horace/configuration.nix
+144
hosts/horace/configuration.nix
···
1
+
# Horace - NixOS desktop (named after Horace Slughorn)
2
+
{ config, pkgs, lib, inputs, hostname, ... }:
3
+
4
+
{
5
+
imports = [
6
+
./hardware-configuration.nix
7
+
];
8
+
9
+
# Boot loader
10
+
boot.loader.systemd-boot.enable = true;
11
+
boot.loader.efi.canTouchEfiVariables = true;
12
+
13
+
# System version
14
+
system.stateVersion = "25.11";
15
+
16
+
# Hostname
17
+
networking.hostName = hostname;
18
+
19
+
# Networking
20
+
networking.networkmanager.enable = true;
21
+
22
+
# Nix settings
23
+
nix = {
24
+
settings.experimental-features = [ "nix-command" "flakes" ];
25
+
optimise.automatic = true;
26
+
};
27
+
28
+
# Allow unfree packages
29
+
nixpkgs.config.allowUnfree = true;
30
+
31
+
# Timezone
32
+
time.timeZone = "America/New_York";
33
+
34
+
# Locale
35
+
i18n.defaultLocale = "en_US.UTF-8";
36
+
i18n.extraLocaleSettings = {
37
+
LC_ADDRESS = "en_US.UTF-8";
38
+
LC_IDENTIFICATION = "en_US.UTF-8";
39
+
LC_MEASUREMENT = "en_US.UTF-8";
40
+
LC_MONETARY = "en_US.UTF-8";
41
+
LC_NAME = "en_US.UTF-8";
42
+
LC_NUMERIC = "en_US.UTF-8";
43
+
LC_PAPER = "en_US.UTF-8";
44
+
LC_TELEPHONE = "en_US.UTF-8";
45
+
LC_TIME = "en_US.UTF-8";
46
+
};
47
+
48
+
# X11 windowing system
49
+
services.xserver.enable = true;
50
+
services.xserver.xkb = {
51
+
layout = "us";
52
+
variant = "";
53
+
};
54
+
55
+
# Plasma desktop environment
56
+
services.displayManager.sddm.enable = true;
57
+
services.desktopManager.plasma6.enable = true;
58
+
59
+
# Printing
60
+
services.printing.enable = true;
61
+
62
+
# Audio
63
+
services.pulseaudio.enable = false;
64
+
security.rtkit.enable = true;
65
+
services.pipewire = {
66
+
enable = true;
67
+
alsa.enable = true;
68
+
alsa.support32Bit = true;
69
+
pulse.enable = true;
70
+
};
71
+
72
+
# Basic packages
73
+
environment.systemPackages = with pkgs; [
74
+
vim
75
+
git
76
+
htop
77
+
curl
78
+
jq
79
+
tmux
80
+
kdePackages.kate
81
+
inputs.agenix.packages.${pkgs.stdenv.hostPlatform.system}.default
82
+
];
83
+
84
+
# Firefox
85
+
programs.firefox.enable = true;
86
+
87
+
# NH - NixOS helper
88
+
programs.nh = {
89
+
enable = true;
90
+
clean.enable = true;
91
+
clean.extraArgs = "--keep-since 4d --keep 3";
92
+
flake = "/home/jsp/dots";
93
+
};
94
+
95
+
# Enable SSH
96
+
services.openssh = {
97
+
enable = true;
98
+
settings = {
99
+
PasswordAuthentication = false;
100
+
PermitRootLogin = "prohibit-password";
101
+
KbdInteractiveAuthentication = false;
102
+
};
103
+
};
104
+
105
+
# Fail2ban for SSH protection
106
+
services.fail2ban = {
107
+
enable = true;
108
+
maxretry = 5;
109
+
};
110
+
111
+
# Tailscale VPN
112
+
services.tailscale = {
113
+
enable = true;
114
+
useRoutingFeatures = "client";
115
+
};
116
+
117
+
# User account
118
+
users.users.jsp = {
119
+
isNormalUser = true;
120
+
description = "Jasper";
121
+
extraGroups = [ "networkmanager" "wheel" ];
122
+
shell = pkgs.zsh;
123
+
openssh.authorizedKeys.keys = [
124
+
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHm7lo7umraewipgQu1Pifmoo/V8jYGDHjBTmt+7SOCe jsp@remus"
125
+
];
126
+
};
127
+
128
+
# Enable zsh system-wide
129
+
programs.zsh.enable = true;
130
+
131
+
# Sudo without password for wheel group
132
+
security.sudo.wheelNeedsPassword = false;
133
+
134
+
# Agenix secrets
135
+
age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
136
+
137
+
# Automatic updates
138
+
system.autoUpgrade = {
139
+
enable = true;
140
+
flake = "github:jaspermayone/dots#horace";
141
+
dates = "04:00";
142
+
allowReboot = false;
143
+
};
144
+
}
+32
hosts/horace/hardware-configuration.nix
+32
hosts/horace/hardware-configuration.nix
···
1
+
# Hardware configuration for horace
2
+
# Generated by 'nixos-generate-config'
3
+
{ config, lib, pkgs, modulesPath, ... }:
4
+
5
+
{
6
+
imports =
7
+
[ (modulesPath + "/installer/scan/not-detected.nix")
8
+
];
9
+
10
+
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sdhci_pci" ];
11
+
boot.initrd.kernelModules = [ ];
12
+
boot.kernelModules = [ "kvm-intel" ];
13
+
boot.extraModulePackages = [ ];
14
+
15
+
fileSystems."/" =
16
+
{ device = "/dev/disk/by-uuid/4a20f65f-aba4-4436-979e-3fb6150f9189";
17
+
fsType = "ext4";
18
+
};
19
+
20
+
fileSystems."/boot" =
21
+
{ device = "/dev/disk/by-uuid/A280-6001";
22
+
fsType = "vfat";
23
+
options = [ "fmask=0077" "dmask=0077" ];
24
+
};
25
+
26
+
swapDevices =
27
+
[ { device = "/dev/disk/by-uuid/8516975c-9b9c-4cb9-9f11-67d3527b832d"; }
28
+
];
29
+
30
+
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
31
+
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
32
+
}
+8
-8
secrets/atuin-key.age
+8
-8
secrets/atuin-key.age
···
1
1
age-encryption.org/v1
2
-
-> ssh-ed25519 1uIO/w GO5Ikbht2BQ5eSwsn3xnIdg/1ykIn0942EkaK2dEBQQ
3
-
g+TJAEeLGDwYlQ9Nf/6tZeshHAnZY0C8aoTTjXzMXbI
4
-
-> ssh-ed25519 U0D80g 1jlRH/B7mGDWiLUD5uO/pl09ctZq9/vKz263ztTOzCU
5
-
y0w3Dm9Po+c5rcPe5aegrwxzdYyC+Ca2AoYULjvBpk4
6
-
-> ssh-ed25519 JCO7mw f5BTAKSf05EBKfE3ovRNX6uZEZ4M8dQ4CDhQur1KMV0
7
-
xpGlKddMFfbisvcxk5xOaZnFJGBzNDjuW18KY0GQzQQ
8
-
--- nudP9Nbj2BgMQ8xtJCzvWVrCwob2TFyR4Yl++1kT1jI
9
-
q������';�ZeK
���P�
����k^���i=�����],4kz�a������«w!�*��WwPh�%����1���u��j"�=�|24���q�M
2
+
-> ssh-ed25519 1uIO/w q9bKLYwOfJ+0ZwliCTRKUFEHgw7S1yL1BRyWspz7UVU
3
+
HUtwHGt1NDxfrxTBiJoLo6iLmfkqyEHW/wDxsk0aqHg
4
+
-> ssh-ed25519 U0D80g I+xedxEsWl0dEI22kuYqlMJ9zzji4mE69cgmrNhHdWI
5
+
x7xAd3EuBKKJgf90RBO3dV5MdFt9jVdPD8JzLRRIcFU
6
+
-> ssh-ed25519 JCO7mw iqZk+LQyKhP18NdkSIq10EZVKnznVVxGLHd+F1nF/h8
7
+
dTEY3oCrHLoV4efUaMbIsxHriTthBhFD9fi2/dXF3i8
8
+
--- JXlNdRa3Zz8RZW9VL9ZMUXfiKu3HfzPJW7od80jtzfw
9
+
=0�� b�e$����8L*�@ʕ�̢��8ǽˠ����W���
�_�\e{z�P��n��e
MG
��
\�9kTi�QۑkHs �PaqŦK���n/�+�
+8
-9
secrets/bore-token.age
+8
-9
secrets/bore-token.age
···
1
1
age-encryption.org/v1
2
-
-> ssh-ed25519 1uIO/w AfdhmU54qA2ZVbiTt+fGQ7COcChGhZUVDPlUAKgq7xY
3
-
soWArvDrT7rdXNOF2jeVKt6BQvGRs+RlA0S/hYvncsg
4
-
-> ssh-ed25519 U0D80g ubDrHfgYNpRnPgUgt+moL+t1kDnKH8OhYtENZmCBl3c
5
-
fgPnmFCl0UyrNNWcTY1xbescwmlANerMpcF6iwoSiqY
6
-
-> ssh-ed25519 JCO7mw AK2yX2n4CVwFHB9C1ARVR+gO3NLKjCfLpQiSTmA6QEE
7
-
A1yr6/yPn6FL4VB+EHhWkre3UIxcajSCnH3hZFvybps
8
-
--- sCPlBaSQ4sKLRCb5IfMjHxWeFqivcfTSW7bl2V+Pl28
9
-
_��cg�vZT��뛠�fU�3�$V(l�
10
-
���VV�i��<���;�Uxv.�F0��^~`tgu��_Rm�9D!P�
@'O��JS�Hp�|j��L���
2
+
-> ssh-ed25519 1uIO/w u77eu/0qYRdjwWWtwtw2WvslQhq4Brxv1ZnCE1Uw0yU
3
+
oIoL1pFLIx3EbbXTF6uMX7TpsudwoR6zcuNRkyRMv+c
4
+
-> ssh-ed25519 U0D80g OUTcn05x2xAKNFpXNiKt2uIinEcQXgitx6VLs49U7D4
5
+
dzpgid18BVc5o2oldnr3NxXwKHV4es7l/hygXr3pfvU
6
+
-> ssh-ed25519 JCO7mw wC5EcZX6AZuIqh64Gi1IyptGJjDWtz1zhS+2gW8A3AU
7
+
FWdbaoJJY+kLxlXlYh7+3ttZoxbaL0HFoEQMO1zperM
8
+
--- Ujb2u3x8GhVk6VJekzcM5XRCJ3L6nwbv/tGEoSII0Q4
9
+
� '�'��eR96T���K�
��Q���_Z�
����V2?ϛ��
�_L,
�=} II����Dۇ���,
�q�M6� ��A>�6۲yP�y\�
+7
-6
secrets/cloudflare-credentials.age
+7
-6
secrets/cloudflare-credentials.age
···
1
1
age-encryption.org/v1
2
-
-> ssh-ed25519 1uIO/w R5mEZJQJ15S097V9Aqp7cGUt2Yj6U3T107kz3nkq3BA
3
-
oFO0K8/frV6TO+ATTKuHsSPQb7xt60lo/J4DI4MZVQI
4
-
-> ssh-ed25519 U0D80g rLCDe5gaaLupTUSxeAdI9s5vgdcf7RJo4RTOV1MBnTg
5
-
4XcugiuU67t8lp6UxFwF4ajbH/DBbhvozgzkU2/9Uwg
6
-
--- S3RUiycYw19g4kiOLSOdypnyXSHlhfnWAhe/EImd2eM
7
-
��uٮ���?�N�a������wZtۊ�6���
�E��ġЩb���n��X~������-�%���%���G�[��Ӭ��
�D��c���#c��
2
+
-> ssh-ed25519 1uIO/w mEcQLvRcwwDGGHCejOwn6Vl7i4rJ2B7SNl4/b2heWkw
3
+
tRjs85crzj4Bjm6Pu6oryGVpt8+44lQov4/+S/JA/8U
4
+
-> ssh-ed25519 U0D80g wTX6Z+HNBZNrGv/tuTxT0xuB7tMNHqJuVi82obqYAko
5
+
d4ioDLmxzJE4NzTsOK+Pcv3L7fcpP9K14c2OSvCVRk8
6
+
--- GSIumOH3aWm7CL+oJeE9sV5LWr+4srhDwfJWESwpMzE
7
+
V09�
8
+
��1)t��|�{}煞6����\|7[8����v}�c����bj1r� �vE� �ji=y���d)\ϨKP��v�XrO��Y6�I(6���00"n�
secrets/espanso-secrets.age
secrets/espanso-secrets.age
This is a binary file and will not be displayed.
+9
-8
secrets/frps-token.age
+9
-8
secrets/frps-token.age
···
1
1
age-encryption.org/v1
2
-
-> ssh-ed25519 1uIO/w ZoGiogtiPpjZrqAXKpE+9f0PtQn2AFFH0uN8unFxuV4
3
-
xUbWzTFwyWg4HKHV8NpczmOINyO5++H/jccobz0Q2uY
4
-
-> ssh-ed25519 U0D80g 3bv7/zDMC0CgUduCOhxs2lrlEwXqH1MYZMAfKpesVDA
5
-
KsUHgPNt2E6lVPRdSvb9as7NO1r5ofllqazsie+ljzk
6
-
-> ssh-ed25519 JCO7mw Ni9wVT7I3EMkiCcuFBNG8VTDfGnCk4kBVvT8szSi0gk
7
-
geD+Sq8UAkHmYEfgRfCXYev1HzUxC4XHt3/NWgfvXlw
8
-
--- ZI0kq1imvCDpFX7rt2nu5IOoQVBfhyS94TEy+KcR7Ak
9
-
L�Ttن�V�� �˳43��dL�+b��Y��b�j��`"ɐ�PX� �Nk��nO�W�ɾ%�����_A�>�,��� �zE������ᬔ'n�z�fu�
2
+
-> ssh-ed25519 1uIO/w ZOjDypPXhVcgJHy8LOYNivsV8OpAvcxDec+ngiXINA4
3
+
R58bUrDmCEvoXFrKv2CeUK8gHgXQQVrdrdQlJHxxB7c
4
+
-> ssh-ed25519 U0D80g HFgNqabitVa7hKx0yQKDZ5SOwa2QkXi7iSeprxN7EjM
5
+
u15whB03Fzzs8mGykiMbpGFrU9Gl7Doeq1SzpssApwU
6
+
-> ssh-ed25519 JCO7mw Ac3KE0jmyOh5XoVBL9tez1yUTvSTbIDZMxP8otLe/n4
7
+
RMYe+2hrEG+WXljBlVCqwNeBF/g8w/mBeLDx89aaDo8
8
+
--- 8VdUsdk7X8VuAq6+Wip8uzBaAmPq8N67z+zX38m8CGI
9
+
��G��h�Nr��9������S�<�%���c(�
10
+
j>QK����9��_ؤۃ�%_�C�F�7����C� ���!W%0����:�˧���7;�.3
+10
-8
secrets/github-token.age
+10
-8
secrets/github-token.age
···
1
1
age-encryption.org/v1
2
-
-> ssh-ed25519 1uIO/w htenblQvGbDccvI/7GNXT5hp0kF20yaf+oJd1YzybxQ
3
-
3Ua+YoUriJecdJyir1usheiVJw+s4gWWTyd7NgxURpY
4
-
-> ssh-ed25519 U0D80g gC+XduPQkwmlgK3DvUHDEVu3Pk3cjWTtRoeO3/g4bF0
5
-
6HvDLRZA3t8bV+dCffUJ/E03TtWnpbSNVr5SxsSQMaQ
6
-
-> ssh-ed25519 JCO7mw xL05zeczQIknDNvlWttnsoPhNFEmmRMhQVMpTNOMziw
7
-
oT2Wi3xChQxZ/2uxbC0OtYdFE3qPm9UCB7wrIuv8vO4
8
-
--- ojxmt4weo9Mk0Tuu/D9Z6vYOyLAItrU32j1u6+3YKTk
9
-
���&or�e���
Wx8�O
���PY~�+7���J�(7�P|���(�D+�ע%$(��
�f ��E?�1��U$�K{fyDY�c>���GY��#�Ge{���������0!2]�[�.�
b`��Ȯt�r�1�һ�m
2
+
-> ssh-ed25519 1uIO/w MwbTV9+EeNx6COBW4TycyM13VJRhid4Aw5k1EE6nDCs
3
+
a66iEGcGmcWfmfxaMdnQftY1tAbx6WGVbxFTi4K3WUs
4
+
-> ssh-ed25519 U0D80g wTijSGy33RO9EqsqeVRtGn/d5OuokAzc8ZDN1OlXyVs
5
+
Y4ZHb3dB8l7n1vV+nfUa0HVgklqVWbjQ8qm152yGlNs
6
+
-> ssh-ed25519 JCO7mw ZUEC8NyaC1D8PlETeHck/VqlbYg7y+mR4l4KZBqGEwY
7
+
XGTZVtDRAbCp832heoEUWbLaRiqeXPPM0/cVQLzMWG8
8
+
--- 0Toq7dAWLBJ+ypA+2EmhWcP0UA/wT5+6xkC/B++j0nM
9
+
㰡w
10
+
1��
11
+
�eoi;�����
��9d��
oO
�J���۩�e�欄��?RL��S$H�E�*|�ٵۣ�������=����j7Q �6
䫵�+&��Vq��K[�#0S�����#<-�@��PM��|N�}��~M6�
secrets/knot-secret.age
secrets/knot-secret.age
This is a binary file and will not be displayed.
secrets/npmrc.age
secrets/npmrc.age
This is a binary file and will not be displayed.
secrets/pds-mailer.age
secrets/pds-mailer.age
This is a binary file and will not be displayed.
secrets/pds.age
secrets/pds.age
This is a binary file and will not be displayed.
secrets/wakatime-api-key.age
secrets/wakatime-api-key.age
This is a binary file and will not be displayed.
+9
-8
secrets/wifi-passwords.age
+9
-8
secrets/wifi-passwords.age
···
1
1
age-encryption.org/v1
2
-
-> ssh-ed25519 1uIO/w EUU2jIWIirJKC2eUMBdmxmiLnyVC8O7EKSapvO7d/Fc
3
-
dGMe7NLZwcNO9MhCs0dhpctHlSpdNXFpXHF542e5Z/g
4
-
-> ssh-ed25519 U0D80g 6YsiUDH94WLD0dwiywQdvFxRKCoMM2xjLcGL9ckiFyo
5
-
Diu+75heob9QDgraio1P3AuFlwoFtvTSNrDJWoGlbWM
6
-
-> ssh-ed25519 JCO7mw DAXJU1HHEs/JJ8T1X4zRKcQOmcRX/gdoLXldFdSU8Hw
7
-
tYES5IY3oB8rC8cLw5QE8MtDNlEq20Q5WspUNgI/Jdw
8
-
--- 1xj9YXIZ+9G9d4QhVi9aJw4LaMtd3Kf4R0EixsD/+QE
9
-
.�T��W���+3�^#���Y�?�|�6W�,am݃�R�џ� p�`��u3
DU�EXz�%&���N�
��!� ��/
2
+
-> ssh-ed25519 1uIO/w 2hKTd7zJo79+MS7NB9yZS8OBWDMPLEsdN8hyw+F6A2I
3
+
7mbmz1OJBDSEfhmJaQ4yYDBLu7y9zwf8j478qseNsh4
4
+
-> ssh-ed25519 U0D80g QZ6dEAIQ0QlXmZT6wN05/LI4qR24+Saht2O9CtfCjUI
5
+
RUrbbQh00CVYV/eLhV1sPtON7+KpA+SIvbQkcUxGwAY
6
+
-> ssh-ed25519 JCO7mw QD9RV64JNae9QHkiohH3Ckx//TAs8p16/rKTMsTaYmg
7
+
V7+n/4qKAn1vvluqBmXdQDiDcf6LBhs4garMhWXq/TU
8
+
--- 1Z98BcEf4ZXvhF5XAt7Rl6LQP21rQ2+UHoN8TcjTlHc
9
+
��p��n $慽,��P߄5�����!�9����I��]h���]2.��Ta7D^��c4�[�2�~%�ie�[
10
+
�0O��F���