From ea76f8a6f21ed5baa75d0a7a8a5e56e6163bebd2 Mon Sep 17 00:00:00 2001
From: Stefan Kempinger
Date: Tue, 27 Jan 2026 12:19:27 +0100
Subject: [PATCH] Add README and update kemptop configuration

---
 flake.lock | 36 +++++-----
 kemptop/configuration.nix | 5 ++
 readme.md | 140 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 163 insertions(+), 18 deletions(-)
 create mode 100644 readme.md

diff --git a/flake.lock b/flake.lock
index ac4b4ba..fcf1da1 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
 "nodes": {
 "crane": {
 "locked": {
- "lastModified": 1767744144,
- "narHash": "sha256-9/9ntI0D+HbN4G0TrK3KmHbTvwgswz7p8IEJsWyef8Q=",
+ "lastModified": 1769287525,
+ "narHash": "sha256-gABuYA6BzoRMLuPaeO5p7SLrpd4qExgkwEmYaYQY4bM=",
 "owner": "ipetkov",
 "repo": "crane",
- "rev": "2fb033290bf6b23f226d4c8b32f7f7a16b043d7e",
+ "rev": "0314e365877a85c9e5758f9ea77a9972afbb4c21",
 "type": "github"
 },
 "original": {
@@ -65,11 +65,11 @@
 ]
 },
 "locked": {
- "lastModified": 1768307256,
- "narHash": "sha256-3yDvlAqWa0Vk3B9hFRJJrSs1xc+FwVQFLtu//VrTR4c=",
+ "lastModified": 1769417433,
+ "narHash": "sha256-0WZ7I/N9InaBHL96/qdiJxg8mqFW3vRla8Z062JmQFE=",
 "owner": "nix-community",
 "repo": "lanzaboote",
- "rev": "7e031eb535a494582f4fc58735b5aecba7b57058",
+ "rev": "1902463415745b992dbaf301b2a35a1277be1584",
 "type": "github"
 },
 "original": {
@@ -80,11 +80,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1768736227,
- "narHash": "sha256-qgGq7CfrYKc3IBYQ7qp0Z/ZXndQVC5Bj0N8HW9mS2rM=",
+ "lastModified": 1769302137,
+ "narHash": "sha256-QEDtctEkOsbx8nlFh4yqPEOtr4tif6KTqWwJ37IM2ds=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "d447553bcbc6a178618d37e61648b19e744370df",
+ "rev": "a351494b0e35fd7c0b7a1aae82f0afddf4907aa8",
 "type": "github"
 },
 "original": {
@@ -95,11 +95,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1768564909,
- "narHash": "sha256-Kell/SpJYVkHWMvnhqJz/8DqQg2b6PguxVWOuadbHCc=",
+ "lastModified": 1769170682,
+ "narHash": "sha256-oMmN1lVQU0F0W2k6OI3bgdzp2YOHWYUAw79qzDSjenU=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "e4bae1bd10c9c57b2cf517953ab70060a828ee6f",
+ "rev": "c5296fdd05cfa2c187990dd909864da9658df755",
 "type": "github"
 },
 "original": {
@@ -119,11 +119,11 @@
 ]
 },
 "locked": {
- "lastModified": 1767281941,
- "narHash": "sha256-6MkqajPICgugsuZ92OMoQcgSHnD6sJHwk8AxvMcIgTE=",
+ "lastModified": 1769069492,
+ "narHash": "sha256-Efs3VUPelRduf3PpfPP2ovEB4CXT7vHf8W+xc49RL/U=",
 "owner": "cachix",
 "repo": "pre-commit-hooks.nix",
- "rev": "f0927703b7b1c8d97511c4116eb9b4ec6645a0fa",
+ "rev": "a1ef738813b15cf8ec759bdff5761b027e3e1d23",
 "type": "github"
 },
 "original": {
@@ -147,11 +147,11 @@
 ]
 },
 "locked": {
- "lastModified": 1768704795,
- "narHash": "sha256-Y33TAp2BHEcuspYvcmBXXD0qdvjftv73PwyKTDOjoSY=",
+ "lastModified": 1769482338,
+ "narHash": "sha256-SVwjMqR981PEdEdRvYj5Mefnd61GLinWmIr7GMu7LW8=",
 "owner": "oxalica",
 "repo": "rust-overlay",
- "rev": "4b7472a78857ac789fb26616040f55cfcbd36c6e",
+ "rev": "dc9c76a75a6d382613cdcb1a3f95640e9cedcdea",
 "type": "github"
 },
 "original": {
diff --git a/kemptop/configuration.nix b/kemptop/configuration.nix
index 9f193c7..319584c 100644
--- a/kemptop/configuration.nix
+++ b/kemptop/configuration.nix
@@ -24,6 +24,8 @@
 # Use the systemd-boot EFI boot loader.
 boot = {
 binfmt.emulatedSystems = [ "aarch64-linux" ];
+ binfmt.preferStaticEmulators = true;
+
 plymouth = {
 enable = true;
 theme = "abstract_ring_alt";
@@ -132,6 +134,9 @@
 gnumake
 xz
 android-tools
+ ffmpeg-full
+ ghex
+ wireguard-tools
 # GUI programs
diff --git a/readme.md b/readme.md
new file mode 100644
index 0000000..4dd3ac8
--- /dev/null
+++ b/readme.md
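Review bot: `binfmt.preferStaticEmulators = true;` lands without a comment saying why, and the only comment on this `boot` block (`# Use the systemd-boot EFI boot loader.`) describes neither the binfmt settings nor plymouth, so the next reader has to guess the motivation. A one-line why-comment above the new line would do, e.g. `# Static emulators so aarch64 emulation also works inside containers/chroots (Podman).` — presumably the reason, given the Podman use described in the readme; adjust it if the real motivation differs. The `boot` attribute set continues outside the hunk.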
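Review bot: `wireguard-tools` is added to what looks like `environment.systemPackages` (the enclosing list starts and ends outside the hunk), which only provides the `wg`/`wg-quick` CLIs and no declarative tunnel. If a persistent tunnel is intended, `networking.wg-quick.interfaces.<name>` or `networking.wireguard.interfaces.<name>` is the usual place, and their `privateKeyFile` option keeps the key out of the world-readable Nix store, which an inline `privateKey` would not. If the package is only for ad-hoc use, a short trailing comment such as `wireguard-tools # ad-hoc wg/wg-quick only; no managed interface` would stop the next reader from looking for a missing interface definition.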
@@ -0,0 +1,140 @@
+# NixOS Configurations
+
+This repo contains NixOS system configurations for multiple machines, managed via flakes.
+
+Systems:
+
+- `heimserver` — Home server for self‑hosting, home automation, and network monitoring
+- `kemptop` — Personal laptop/desktop focused on development and a modern desktop experience
+
+---
+
+## heimserver (home server)
+
+Home server used for:
+
+- Self‑hosting services
+- Home automation
+- Network monitoring and DNS filtering
+- Media/photos
+
+### Role & characteristics
+
+- Runs as a headless, always‑on server
+- Uses static IP and acts as a central entry point into the home network
+- Uses ZFS for backup storage
+- Optimized for running containers and services, not desktop use
+
+### Notable services
+
+- **Reverse proxy / TLS termination**
+ - nginx as the front‑door for HTTP(S)
+ - ACME integration for automatic TLS certificates
+ - Hosts multiple domains/subdomains (e.g. main website, git, images)
+
+- **Git hosting**
+ - Forgejo instance (self‑hosted Git service)
+ - Supports Git LFS
+ - Automatic periodic dumps/backups into local backup storage
+
+- **Photo management**
+ - Immich instance for photo backup & management
+ - Data location backed up with Borg to ZFS storage
+
+- **Home automation stack (via Podman containers)**
+ - Home Assistant
+ - Matter server
+ - Mosquitto MQTT broker
+ - Frigate for camera/NVR functionality, with GPU acceleration
+
+- **DNS & ad‑blocking**
+ - AdGuardHome as network‑wide DNS resolver and ad blocker
+
+- **Network monitoring**
+ - NetFlow collector pipeline (netflow2ng) feeding into ntopng
+ - ntopng for traffic analysis and network visibility
+ - InfluxDB for time‑series storage
+ - GeoIP update service to keep MaxMind databases current
+
+- **Security**
+ - fail2ban for basic SSH/HTTP abuse prevention
+ - SSH with key‑only authentication for root
+
+### System / Nix specifics
+
+- NVIDIA support configured, including container toolkit for GPU access from containers
+- Nix flakes and modern Nix features enabled
+- Automatic garbage collection with short retention to keep disk usage in check
+- `system.configurationRevision` wired to the flake revision when available
+- State pinned to NixOS `25.05` for backwards compatibility
+
+---
+
+## kemptop (workstation / laptop)
+
+Personal workstation configuration optimized for:
+
+- Software development
+- Graphical desktop applications
+- Virtualization and container workloads
+- Secure boot
+
+### Role & characteristics
+
+- Daily‑driver laptop/desktop
+- Secure boot using `lanzaboote` + `sbctl`
+- Can build and run software for other architectures (e.g. `aarch64-linux`)
+- Better desktop/user‑experience focus than the server
+
+### Desktop environment
+
+- COSMIC desktop as the main environment
+- Graphical login managed by the COSMIC greeter
+- Auto‑login configured for the main user (`kemp`) because of LUKS encryption
+- Audio via PipeWire
+- Flatpak enabled for additional apps
+- Printing with support for HP printers
+- mDNS/Avahi for local network service discovery
+- Fingerprint authentication integrated into login
+
+### Development & tooling
+
+- Full Rust toolchain and build system tooling
+- Large LaTeX/TeXLive setup for document preparation
+- Multiple IDEs/editors installed:
+ - JetBrains IDEA
+ - Android Studio
+ - Zed
+- Container & virtualization tools:
+ - Podman (with Docker‑compat)
+ - libvirt + virt‑manager
+- Nix‑related tools:
+ - Language servers for Nix
+ - `nix-ld` configured to ease running foreign binaries
+ - Extended Nix experimental features (flakes, ca‑derivations, etc.)
+
+### Desktop applications
+
+- Multiple web browsers (Firefox with PipeWire support, Chrome, Tor browser)
+- Media and productivity apps (Spotify, VLC, LibreOffice, TeXStudio, etc.)
+- File management and system inspection tools (Nautilus, QDirStat, Mission Center, network scanners)
+- Theming and UX tools (e.g. `adw-gtk3`)
+
+### Shell & UX
+
+- Fish shell as primary interactive shell, auto‑started from bash
+- Fish enhanced with plugins (fzf integration, git helpers, colorization, etc.)
+- System PATH and environment tuned via `systemd.user.extraConfig`
+
+### Power & firmware
+
+- Firmware updates enabled (`fwupd`)
+- Powertop integration for power tuning
+
+### System / Nix specifics
+
+- Uses the latest Linux kernel packages
+- Nix configured for multiple experimental features and flakes
+- State pinned to NixOS `25.05`
+
+