nixos-config

I'm Greg Helding. You can find me at helding.net, on GitHub at github.com/gthelding, and on Forgejo at forgejo.gth.sh/greg.

This is my personal NixOS flake for four machines, with shared Home Manager configuration for user greg. Welcome, and thanks for stopping by - feel free to explore the layout, borrow ideas, and adapt anything useful for your own setup.

Hosts

Host        Hardware                     Role
strider     ThinkPad X1 Carbon Gen 11    Laptop
wintermute  AMD Ryzen desktop            Workstation
matrix      Proxmox VM                   Matrix Synapse homeserver
social      Proxmox VM                   Mastodon server (gth.social)

What this repo manages

  • NixOS system configuration per host under hosts/
  • Shared Home Manager modules under home/
  • Host-aware user services (for example, backup timers on wintermute)
  • Scripts synced into ~/.local/bin via Home Manager

Repository layout

flake.nix                  Flake entrypoint and host definitions
hosts/
  strider/                 Laptop system config + hardware
  wintermute/              Workstation system config + hardware
  matrix/                  Matrix Synapse server config + hardware
  social/                  Mastodon server config + hardware
secrets/
  matrix/                  sops-encrypted Synapse secrets
  social/                  sops-encrypted Mastodon secrets
home/
  greg.nix                 Home Manager entrypoint
  bash.nix                 Shell configuration
  plasma.nix               KDE Plasma 6 configuration
  syncthing.nix            Syncthing configuration
  packages/                User package sets
scripts/                   Helper scripts (backups, git helpers, rsync exclude)
assets/                    Misc assets used by the setup

Common commands

Build a host config without switching:

sudo nixos-rebuild build --flake .#strider
sudo nixos-rebuild build --flake .#wintermute
sudo nixos-rebuild build --flake .#matrix
sudo nixos-rebuild build --flake .#social

Apply configuration to the current host:

sudo nixos-rebuild switch --flake .#strider
sudo nixos-rebuild switch --flake .#wintermute
sudo nixos-rebuild switch --flake .#matrix
sudo nixos-rebuild switch --flake .#social

Update flake lockfile:

nix flake update

Note: matrix and social track nixpkgs-stable (25.11) rather than unstable and have no Home Manager user environment; they are headless servers only. Secrets are managed via sops-nix: encrypted files live under secrets/ and are decrypted at runtime using each host's /etc/ssh/ssh_host_ed25519_key, so a host can only read secrets that were encrypted to its own host key, and a new host's key must be added to .sops.yaml before secrets can be encrypted for it.

social runs Mastodon at gth.social with a manual nginx config (TLS is terminated by an external Nginx Proxy Manager). SMTP is handled by MXRoute.

Audio

PipeWire is enabled in hosts/common.nix for the desktop hosts (strider and wintermute). Host-specific audio tuning lives in each host's configuration.nix rather than the shared common module:

  • wintermute carries a low-latency profile (92-low-latency, fixed 512-quantum at 48 kHz) and a wireplumber rule (99-no-suspend) that prevents ALSA nodes from suspending. This suits a workstation with always-connected speakers and recording use.
  • strider uses default PipeWire behavior: dynamic quantum and normal node suspend, which is friendlier to laptop battery life.

Strider (X1 Carbon Gen 11) tuning

In addition to the shared desktop config, strider applies a few laptop-specific tweaks in hosts/strider/configuration.nix:

  • VA-API: LIBVA_DRIVER_NAME=iHD is exported so Firefox, mpv, OBS, and other VA-API consumers use the modern Intel Media Driver instead of falling back to legacy i965.
  • TLP charge thresholds: paired hysteresis with START_CHARGE_THRESH_BAT0=75 and STOP_CHARGE_THRESH_BAT0=80 to prevent constant micro-charging at 100%.
  • TLP power tuning on battery: RUNTIME_PM_ON_BAT=auto and PCIE_ASPM_ON_BAT=powersupersave for additional runtime PM and deeper PCIe link power savings.
  • ZFS auto-snapshot bootstrap: a oneshot unit (zfs-auto-snapshot-init) sets com.sun:auto-snapshot properties on rpool datasets at boot.

Quick post-switch verification on strider:

vainfo                    # should show iHD driver
tlp-stat -b               # should show START=75, STOP=80
pw-metadata -n settings   # quantum should not be pinned to 512

Distrobox

Distrobox containers are configured in hosts/common.nix with access to Nix-installed executables. Three things make this work:

  1. Bind mounts expose the Nix store and user profile symlinks into every container (read-only):
     • /nix/store
     • /etc/profiles/per-user
     • /etc/static/profiles/per-user
  2. An init hook creates /etc/profile.d/nix-path.sh inside the container on first entry, which adds /etc/profiles/per-user/$USER/bin to PATH. This is necessary because NixOS normally sets PATH via /etc/set-environment during login, and that mechanism doesn't exist inside the container.
  3. Podman is the container runtime (virtualisation.podman).
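
As an added illustration (not this repository's own hook), here is a POSIX sh version of the init-hook logic described in step 2: it writes /etc/profile.d/nix-path.sh only on first entry, and the snippet it writes guards against adding the per-user bin directory to PATH twice. The NIX_PER_USER_PROFILES override and the helper function names are assumptions so the logic can be exercised outside a container.

```shell
# Added example, not the repository's own init hook: a POSIX sh sketch of what
# the distrobox init hook does. It runs inside the container as root on first entry.
# NIX_PER_USER_PROFILES is an assumed override (defaults to the real path) so the
# logic can be tested outside a container.

# True when the read-only bind mounts from the host are visible under $1 (default: real root).
nix_mounts_present() {
  root="${1:-}"
  [ -d "$root/nix/store" ] && [ -d "$root/etc/profiles/per-user" ]
}

# Write the profile.d snippet into $1 (default /etc/profile.d) exactly once.
write_nix_path_hook() {
  profile_dir="${1:-/etc/profile.d}"
  target="$profile_dir/nix-path.sh"
  mkdir -p "$profile_dir"
  if [ -f "$target" ]; then
    return 0   # first entry only: never clobber an existing hook
  fi
  cat > "$target" <<'EOF'
# Written by the distrobox init hook: expose Nix per-user profile binaries.
_u="${USER:-$(id -un)}"
_bin="${NIX_PER_USER_PROFILES:-/etc/profiles/per-user}/$_u/bin"
if [ -d "$_bin" ]; then
  case ":$PATH:" in
    *":$_bin:"*) ;;                          # already present: do not duplicate
    *) PATH="$_bin:$PATH"; export PATH ;;
  esac
fi
unset _u _bin
EOF
  chmod 0644 "$target"
}

# Simulate a login shell: start from a minimal PATH, source the snippet twice
# (so the duplicate guard is exercised) and return the resulting PATH.
resolved_path_after_hook() {
  profile_dir="$1"
  ( PATH="/usr/bin:/bin"
    . "$profile_dir/nix-path.sh"
    . "$profile_dir/nix-path.sh"
    printf '%s' "$PATH" )
}
```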

Flake input note

Inputs currently point at private Forgejo mirrors over SSH (see flake.nix). If you are not on that network/account, replace input URLs with upstream sources before running updates.