Add README and update kemptop configuration

flake.lock

@@ -2,11 +2,11 @@
   "nodes": {
     "crane": {
       "locked": {
-        "lastModified": 1767744144,
-        "narHash": "sha256-9/9ntI0D+HbN4G0TrK3KmHbTvwgswz7p8IEJsWyef8Q=",
+        "lastModified": 1769287525,
+        "narHash": "sha256-gABuYA6BzoRMLuPaeO5p7SLrpd4qExgkwEmYaYQY4bM=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "2fb033290bf6b23f226d4c8b32f7f7a16b043d7e",
+        "rev": "0314e365877a85c9e5758f9ea77a9972afbb4c21",
         "type": "github"
       },
       "original": {
@@ -65,11 +65,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768307256,
-        "narHash": "sha256-3yDvlAqWa0Vk3B9hFRJJrSs1xc+FwVQFLtu//VrTR4c=",
+        "lastModified": 1769417433,
+        "narHash": "sha256-0WZ7I/N9InaBHL96/qdiJxg8mqFW3vRla8Z062JmQFE=",
         "owner": "nix-community",
         "repo": "lanzaboote",
-        "rev": "7e031eb535a494582f4fc58735b5aecba7b57058",
+        "rev": "1902463415745b992dbaf301b2a35a1277be1584",
         "type": "github"
       },
       "original": {
@@ -80,11 +80,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1768736227,
-        "narHash": "sha256-qgGq7CfrYKc3IBYQ7qp0Z/ZXndQVC5Bj0N8HW9mS2rM=",
+        "lastModified": 1769302137,
+        "narHash": "sha256-QEDtctEkOsbx8nlFh4yqPEOtr4tif6KTqWwJ37IM2ds=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "d447553bcbc6a178618d37e61648b19e744370df",
+        "rev": "a351494b0e35fd7c0b7a1aae82f0afddf4907aa8",
         "type": "github"
       },
       "original": {
@@ -95,11 +95,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1768564909,
-        "narHash": "sha256-Kell/SpJYVkHWMvnhqJz/8DqQg2b6PguxVWOuadbHCc=",
+        "lastModified": 1769170682,
+        "narHash": "sha256-oMmN1lVQU0F0W2k6OI3bgdzp2YOHWYUAw79qzDSjenU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e4bae1bd10c9c57b2cf517953ab70060a828ee6f",
+        "rev": "c5296fdd05cfa2c187990dd909864da9658df755",
         "type": "github"
       },
       "original": {
@@ -119,11 +119,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1767281941,
-        "narHash": "sha256-6MkqajPICgugsuZ92OMoQcgSHnD6sJHwk8AxvMcIgTE=",
+        "lastModified": 1769069492,
+        "narHash": "sha256-Efs3VUPelRduf3PpfPP2ovEB4CXT7vHf8W+xc49RL/U=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "f0927703b7b1c8d97511c4116eb9b4ec6645a0fa",
+        "rev": "a1ef738813b15cf8ec759bdff5761b027e3e1d23",
         "type": "github"
       },
       "original": {
@@ -147,11 +147,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768704795,
-        "narHash": "sha256-Y33TAp2BHEcuspYvcmBXXD0qdvjftv73PwyKTDOjoSY=",
+        "lastModified": 1769482338,
+        "narHash": "sha256-SVwjMqR981PEdEdRvYj5Mefnd61GLinWmIr7GMu7LW8=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "4b7472a78857ac789fb26616040f55cfcbd36c6e",
+        "rev": "dc9c76a75a6d382613cdcb1a3f95640e9cedcdea",
         "type": "github"
       },
       "original": {

kemptop/configuration.nix

@@ -24,6 +24,8 @@
   # Use the systemd-boot EFI boot loader.
   boot = {
     binfmt.emulatedSystems = [ "aarch64-linux" ];
+    binfmt.preferStaticEmulators = true; 
+    
     plymouth = {
       enable = true;
       theme = "abstract_ring_alt";
@@ -132,6 +134,9 @@
     gnumake
     xz
     android-tools
+    ffmpeg-full
+    ghex
+    wireguard-tools
 
     # GUI programs
 

readme.md

@@ -0,0 +1,140 @@
+# NixOS Configurations
+
+This repo contains NixOS system configurations for multiple machines, managed via flakes.
+
+Systems:
+
+- `heimserver` — Home server for self‑hosting, home automation, and network monitoring
+- `kemptop` — Personal laptop/desktop focused on development and a modern desktop experience
+
+---
+
+## heimserver (home server)
+
+Home server used for:
+
+- Self‑hosting services
+- Home automation
+- Network monitoring and DNS filtering
+- Media/photos
+
+### Role & characteristics
+
+- Runs as a headless, always‑on server
+- Uses static IP and acts as a central entry point into the home network
+- Uses ZFS for backup storage
+- Optimized for running containers and services, not desktop use
+
+### Notable services
+
+- **Reverse proxy / TLS termination**
+  - nginx as the front‑door for HTTP(S)
+  - ACME integration for automatic TLS certificates
+  - Hosts multiple domains/subdomains (e.g. main website, git, images)
+
+- **Git hosting**
+  - Forgejo instance (self‑hosted Git service)
+  - Supports Git LFS
+  - Automatic periodic dumps/backups into local backup storage
+
+- **Photo management**
+  - Immich instance for photo backup & management
+  - Data location backed up with Borg to ZFS storage
+
+- **Home automation stack (via Podman containers)**
+  - Home Assistant
+  - Matter server
+  - Mosquitto MQTT broker
+  - Frigate for camera/NVR functionality, with GPU acceleration
+
+- **DNS & ad‑blocking**
+  - AdGuardHome as network‑wide DNS resolver and ad blocker
+
+- **Network monitoring**
+  - NetFlow collector pipeline (netflow2ng) feeding into ntopng
+  - ntopng for traffic analysis and network visibility
+  - InfluxDB for time‑series storage
+  - GeoIP update service to keep MaxMind databases current
+
+- **Security**
+  - fail2ban for basic SSH/HTTP abuse prevention
+  - SSH with key‑only authentication for root
+
+### System / Nix specifics
+
+- NVIDIA support configured, including container toolkit for GPU access from containers
+- Nix flakes and modern Nix features enabled
+- Automatic garbage collection with short retention to keep disk usage in check
+- `system.configurationRevision` wired to the flake revision when available
+- State pinned to NixOS `25.05` for backwards compatibility
+
+---
+
+## kemptop (workstation / laptop)
+
+Personal workstation configuration optimized for:
+
+- Software development
+- Graphical desktop applications
+- Virtualization and container workloads
+- Secure boot
+
+### Role & characteristics
+
+- Daily‑driver laptop/desktop
+- Secure boot using `lanzaboote` + `sbctl`
+- Can build and run software for other architectures (e.g. `aarch64-linux`)
+- Better desktop/user‑experience focus than the server
+
+### Desktop environment
+
+- COSMIC desktop as the main environment
+- Graphical login managed by the COSMIC greeter
+- Auto‑login configured for the main user (`kemp`) because of LUKS encryption
+- Audio via PipeWire
+- Flatpak enabled for additional apps
+- Printing with support for HP printers
+- mDNS/Avahi for local network service discovery
+- Fingerprint authentication integrated into login
+
+### Development & tooling
+
+- Full Rust toolchain and build system tooling
+- Large LaTeX/TeXLive setup for document preparation
+- Multiple IDEs/editors installed:
+  - JetBrains IDEA
+  - Android Studio
+  - Zed
+- Container & virtualization tools:
+  - Podman (with Docker‑compat)
+  - libvirt + virt‑manager
+- Nix‑related tools:
+  - Language servers for Nix
+  - `nix-ld` configured to ease running foreign binaries
+  - Extended Nix experimental features (flakes, ca‑derivations, etc.)
+
+### Desktop applications
+
+- Multiple web browsers (Firefox with PipeWire support, Chrome, Tor browser)
+- Media and productivity apps (Spotify, VLC, LibreOffice, TeXStudio, etc.)
+- File management and system inspection tools (Nautilus, QDirStat, Mission Center, network scanners)
+- Theming and UX tools (e.g. `adw-gtk3`)
+
+### Shell & UX
+
+- Fish shell as primary interactive shell, auto‑started from bash
+- Fish enhanced with plugins (fzf integration, git helpers, colorization, etc.)
+- System PATH and environment tuned via `systemd.user.extraConfig`
+
+### Power & firmware
+
+- Firmware updates enabled (`fwupd`)
+- Powertop integration for power tuning
+
+### System / Nix specifics
+
+- Uses the latest Linux kernel packages
+- Nix configured for multiple experimental features and flakes
+- State pinned to NixOS `25.05`
+
+