Compare commits


2 Commits

Author: 0xWheatyz | SHA1: 198cfbc9e4 | Date: 2026-03-12 21:36:18 -04:00
fix: correct flake configuration and remove duplicate home-manager setup
- Update flake.nix with correct hostname (nixos) and username (l-wyatt)
- Remove channel-based home-manager imports from configuration.nix
- Eliminate duplicate home-manager.users configuration
- Ensures flake-based home-manager works properly

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: 0xWheatyz | SHA1: 02c3366bff | Date: 2026-03-12 21:34:28 -04:00
feat: replace zellij with tmux for terminal multiplexing
Switch from zellij to tmux with vi keybindings, mouse support, and custom prefix (Ctrl-a). Updates auto-start logic in zsh to launch tmux instead of zellij.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
9 changed files with 101 additions and 1091 deletions
-2
@@ -1,2 +0,0 @@
.omc/
wg1.conf
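Review bot: deleting the whole .gitignore drops the `wg1.conf` entry, the only guard that kept a wg-quick style configuration (which carries the interface's private key) out of version control; the WireGuard block in the configuration.nix hunk deliberately keeps its key in `/etc/wireguard/private.key` for the same reason. Keep a .gitignore with at least a pattern for WireGuard `*.conf` files and the `.omc/` entry, or better, never place such files inside the repository checkout at all.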
-251
@@ -1,251 +0,0 @@
# NixOS Configuration
Personal NixOS system configuration using Flakes and Home Manager for declarative system management.
## System Overview
- **OS**: NixOS 25.11
- **Desktop Environment**: GNOME (Wayland/X11)
- **Terminal**: Ghostty + tmux
- **Shell**: Zsh with Oh-My-Zsh (agnoster theme)
- **Editor**: Neovim with [kickstart.nvim](https://github.com/0xWheatyz/kickstart.nvim)
- **Hostname**: nixos
## Features
### Core System
- **Bootloader**: GRUB with EFI support and OS Prober (dual-boot ready)
- **Timezone**: America/New_York
- **Locale**: en_US.UTF-8
- **Networking**: NetworkManager enabled
### Hardware Support
- **Bluetooth**: Enabled with Blueman
- **Fingerprint Sensor**: fprintd enabled
- **Audio**: PipeWire with ALSA and PulseAudio compatibility
- **Printing**: CUPS enabled
### Security & Authentication
- **YubiKey Support**: Configured for login and sudo authentication
- **Auto-lock on YubiKey removal**: Sessions lock when YubiKey is disconnected
- **Fingerprint Authentication**: Available for compatible hardware
### Development Environment
- **Docker**: Rootless mode enabled with proper namespace configuration
- **VMware Workstation**: Host support enabled
- **Nix Flakes**: Experimental features enabled
### Networking
- **Tailscale VPN**: Enabled with client routing features
- **Firewall**: Configured with Tailscale trusted interface
- **Editable /etc/hosts**: Permissions set to 0644 for easy modification
### Desktop Customization
- **GNOME Extensions**:
- Blur My Shell
- Just Perfection
- Arc Menu
- **Fonts**: 0xProto Nerd Font, Adwaita icons
- **Scaling**: Experimental fractional scaling and xwayland-native-scaling enabled
- **QT Integration**: QT apps use GNOME theme (Adwaita Dark)
### Alternative Window Manager
- **Hyprland**: Configured but not currently active (see `home.nix` for configuration)
## Installed Software
### System Packages
- Firefox
- VMware Workstation
- Lunar Client (Minecraft)
- JetBrains Rust Rover
- Cursor (VS Code fork)
- Obsidian
- Claude Code
### User Packages
- Kate (KDE text editor)
- Bitwarden (desktop + CLI)
- LunarVim
- KiCad
- Ghostty terminal
- Python 3
- nmap
- minicom
- freerdp
## Configuration Files
```
.
├── configuration.nix # System-level configuration
├── home.nix # User-level configuration (Home Manager)
├── hardware-configuration.nix # Auto-generated hardware config
└── flake.nix # Flake inputs and outputs
```
## Getting Started
### First Time Setup
1. Clone this repository:
```bash
git clone <your-repo-url> ~/Documents/nixos-configuration
cd ~/Documents/nixos-configuration
```
2. Review and customize configurations:
- Edit `configuration.nix` for system-wide changes
- Edit `home.nix` for user-specific settings
3. Apply the configuration:
```bash
sudo nixos-rebuild switch --flake .#nixos
```
### Making Changes
#### System-Level Changes
Edit `configuration.nix` and rebuild:
```bash
sudo nixos-rebuild switch --flake .#nixos
```
#### User-Level Changes
Edit `home.nix` and rebuild:
```bash
sudo nixos-rebuild switch --flake .#nixos
# or use home-manager directly:
home-manager switch
```
### Adding Packages
**System-wide** (available to all users):
Add to `environment.systemPackages` in `configuration.nix`:
```nix
environment.systemPackages = with pkgs; [
# your-package-here
];
```
**User-specific**:
Add to `home.packages` in `home.nix`:
```nix
home.packages = with pkgs; [
# your-package-here
];
```
### Updating the System
Update flake inputs and rebuild:
```bash
nix flake update
sudo nixos-rebuild switch --flake .#nixos
```
## Key Configurations
### Git Configuration
Managed declaratively in `home.nix`:
- **User**: 0xWheatyz
- **Email**: wyatt@leeworks.dev
- **Default Branch**: master
- **Auto push remote setup**: Enabled
- **Custom alias**: `git lg` for pretty log visualization
### SSH Configuration
Custom SSH hosts configured in `home.nix`:
- **vps**: Direct connection to 45.79.198.105
- **home**: Via jump host proxy
- **git**: Local git server at 10.0.1.10
- Connection multiplexing enabled for faster subsequent connections
### Tmux
- Mouse support enabled
- Window numbering starts at 1
- 256-color terminal support
- Auto-starts on terminal launch
### Zsh
- Oh-My-Zsh with agnoster theme
- Custom `nix develop` wrapper that launches in zsh
- Tmux auto-start on interactive terminals
- Project shell indicator in prompt
## Neovim Configuration
Using [kickstart.nvim](https://github.com/0xWheatyz/kickstart.nvim) as the base configuration, managed through Flakes.
Required dependencies are automatically installed:
- Neovim
- ripgrep
- fd
- gcc
- gnumake
- git
Configuration is synchronized from the GitHub repository and placed in `~/.config/nvim`.
## Docker Configuration
Docker is configured in rootless mode:
- Unprivileged user namespaces enabled
- Socket variable automatically set
- User `l-wyatt` is in the `docker` group
Usage:
```bash
docker ps # No sudo required
```
## Troubleshooting
### Slow Shutdown
The configuration includes optimizations for shutdown handling:
- User manager timeout reduced to 30s (from default 90s)
- Prevents hangs when user linger is enabled
### Building from Flake
If you encounter issues, try:
```bash
# Rebuild with verbose output
sudo nixos-rebuild switch --flake .#nixos --show-trace
# Check flake validity
nix flake check
# Update flake lock file
nix flake update
```
### YubiKey Issues
If YubiKey authentication isn't working:
```bash
# Check PAM configuration
cat /etc/pam.d/login
cat /etc/pam.d/sudo
# Verify udev rules
udevadm control --reload-rules
```
## Important Notes
- **stateVersion**: Set to 25.11 - do not change after initial installation
- **Home Manager stateVersion**: Also 25.11 - keep in sync with system version
- **Unfree packages**: Enabled system-wide via `nixpkgs.config.allowUnfree`
- **User groups**: l-wyatt is member of: networkmanager, wheel, docker, dialout
- **User linger**: Enabled for background services
## Additional Resources
- [NixOS Manual](https://nixos.org/manual/nixos/stable/)
- [Home Manager Manual](https://nix-community.github.io/home-manager/)
- [Nix Flakes](https://nixos.wiki/wiki/Flakes)
- [kickstart.nvim Documentation](https://github.com/nvim-lua/kickstart.nvim)
## License
This configuration is personal and provided as-is for reference.
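Review bot: deleting the README outright loses the only documentation of several things the rest of this compare leaves implicit: the `stateVersion` "do not change after initial installation" warning, the rootless Docker and user-linger notes, and the YubiKey troubleshooting steps. It also shows that the README and the configuration hunks had drifted apart and need reconciling rather than removal: "Firewall: Configured with Tailscale trusted interface" versus the uncommented `networking.firewall.enable = false;`, "/etc/hosts ... 0644" versus the `"0700"` mode, and a `git` SSH host at 10.0.1.10 while home.nix points it at gitea.leeworks.dev on one side and 10.0.0.9 on the other. Correct the README to match whichever configuration is kept instead of dropping it.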
+37 -132
@@ -1,14 +1,14 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running 'nixos-help').
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, pkgs-unstable, ... }:
{ config, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
# home-manager is imported via flake.nix
];
imports =
[ # Include the results of the hardware scan.
/etc/nixos/hardware-configuration.nix
];
## Commented out as defined at the end of the page
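Review bot: `/etc/nixos/hardware-configuration.nix` is imported by absolute path on the side of this hunk that also drops `pkgs-unstable` from the module arguments. Under `nixos-rebuild switch --flake .#nixos` (the command the README documents) evaluation is pure and Nix refuses to read a path outside the flake's source tree, so this import fails unless `--impure` is added; the `./hardware-configuration.nix` form on the other side, with the file tracked in the repository (it is deleted further down in this compare), is the one that works with flakes. The comment `# home-manager is imported via flake.nix` is also the accurate one to keep, given the flake wires in `home-manager.nixosModules.home-manager`.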
@@ -100,31 +100,22 @@
environment.systemPackages = with pkgs; [
home-manager
firefox
vmware-workstation
cacert
lunar-client
jetbrains.rust-rover
code-cursor
adwaita-icon-theme
pkgs-unstable.claude-code # Use unstable for latest version
yubikey-manager
# iOS interop
uxplay
libimobiledevice
ifuse
obsidian
];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
pinentryPackage = pkgs.pinentry-gnome3;
};
# AirDrop-style file transfer (LocalSend)
programs.localsend = {
enable = true;
openFirewall = true;
};
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable:
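Review bot: the `programs.gnupg.agent` block with `enableSSHSupport = true` is what makes gpg-agent serve the YubiKey's authentication subkey over `SSH_AUTH_SOCK`; the setup guide in this compare verifies exactly that with `ssh-add -L` (Step 7). The commented form (`# programs.gnupg.agent = {` ... `# enableSSHSupport = true;`) leaves no agent for the card, so SSH with the YubiKey stops working; keep the active block, including `pinentryPackage = pkgs.pinentry-gnome3`. Separately, `home-manager` in `environment.systemPackages` is unnecessary once home-manager comes in through `home-manager.nixosModules.home-manager` in flake.nix, and having the standalone CLI on the path invites `home-manager switch` (which the README lists as an alternative), risking a second, competing home-manager generation alongside the one NixOS activates.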
@@ -135,7 +126,7 @@
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
networking.firewall.enable = false;
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
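Review bot: the uncommented `networking.firewall.enable = false;` (the line this hunk swaps against its `#`-prefixed twin) turns the firewall off entirely, which makes the `networking.firewall` block later in this file (`trustedInterfaces`, `allowedUDPPorts = [ config.services.tailscale.port ]`) and `programs.localsend.openFirewall = true` dead configuration, and contradicts the README's "Firewall: Configured with Tailscale trusted interface". Keep the firewall enabled (the commented form) and express the exceptions through `trustedInterfaces` and `allowed*Ports`, which the file already does.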
@@ -144,9 +135,7 @@
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "25.11"; # Did you read the comment?
# Home Manager Configuration is handled in flake.nix
### Start of self configuration
# Configure grub to provide ubuntu option
boot.loader.grub.enable = true;
@@ -164,7 +153,7 @@
services.blueman.enable = true;
# Allow /etc/hosts to be modified without system rebuild
environment.etc.hosts.mode = "0644";
environment.etc.hosts.mode = "0700";
# Enable flakes and extras
nix.settings.experimental-features = [ "nix-command" "flakes" ];
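Review bot: `environment.etc.hosts.mode = "0700"` defeats the comment above it. Any explicit mode already gives the comment what it wants (a real root-editable file instead of a store symlink), but 0700 additionally removes read access for every non-root process, and glibc's `files` resolver reads /etc/hosts as the calling user, so unprivileged programs lose all /etc/hosts entries. `"0644"` is the correct value and is what the README documents ("Permissions set to 0644").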
@@ -183,64 +172,18 @@
};
};
virtualisation.vmware.host.enable = true;
# WireGuard VPN
networking.wg-quick.interfaces.wg0 = {
address = [ "10.0.1.67/32" ];
dns = [ "1.1.1.1" ];
privateKeyFile = "/etc/wireguard/private.key";
# Route endpoint via local gateway to avoid routing loop
preUp = ''
GW=$(ip route show default | awk '{print $3; exit}')
DEV=$(ip route show default | awk '{print $5; exit}')
ip route add 69.48.243.22/32 via "$GW" dev "$DEV" || true
'';
postDown = ''
ip route del 69.48.243.22/32 || true
'';
peers = [{
publicKey = "VEpzr/CeGdS6Wsy0NDDfmlB/bCYxS55A155HWGCIIzc=";
endpoint = "69.48.243.22:51820";
# Route all traffic through VPN EXCEPT the local 10.0.0.0/24 network
allowedIPs = [
"0.0.0.0/5"
"8.0.0.0/7"
"10.0.1.0/24"
"10.0.2.0/23"
"10.0.4.0/22"
"10.0.8.0/21"
"10.0.16.0/20"
"10.0.32.0/19"
"10.0.64.0/18"
"10.0.128.0/17"
"10.1.0.0/16"
"10.2.0.0/15"
"10.4.0.0/14"
"10.8.0.0/13"
"10.16.0.0/12"
"10.32.0.0/11"
"10.64.0.0/10"
"10.128.0.0/9"
"11.0.0.0/8"
"12.0.0.0/6"
"16.0.0.0/4"
"32.0.0.0/3"
"64.0.0.0/2"
"128.0.0.0/1"
];
persistentKeepalive = 25;
}];
services.tailscale = {
enable = true;
useRoutingFeatures = "client"; # or "both" for subnet routing
};
# Open firewall for Tailscale + UxPlay AirPlay receiver
# Open firewall for Tailscale
networking.firewall = {
checkReversePath = "loose";
trustedInterfaces = [ "tailscale0" "wg0" ];
allowedTCPPorts = [ 7000 7001 7100 ];
allowedUDPPorts = [ config.services.tailscale.port 6000 6001 7011 ];
trustedInterfaces = [ "tailscale0" ];
allowedUDPPorts = [ config.services.tailscale.port ];
};
# Auto-connect tailscale on boot
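Review bot: in the removed WireGuard block's firewall settings, `trustedInterfaces = [ "tailscale0" "wg0" ]` exempts everything arriving over wg0 from filtering; because `allowedIPs` covers all of 0.0.0.0/0 except 10.0.0.0/24, the remote peer can deliver packets with almost any source address into the tunnel, and with wg0 trusted they reach every listening local port. Only Tailscale needs the trusted-interface treatment; for wg0, list the specific ports instead. The `allowedIPs` expansion itself is correct (it is exactly 0.0.0.0/0 minus 10.0.0.0/24, keeping the LAN off the tunnel), and `privateKeyFile` pointing outside the Nix store is the right choice, since anything inlined in the configuration lands world-readable in /nix/store.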
@@ -270,27 +213,18 @@
# security.pki.certificateFiles = [ /etc/nixos/certs/ipa-ca.crt ];
programs.hyprland = {
enable = true;
withUWSM = true; # Recommended for NixOS 24.11+
xwayland.enable = true;
};
# Enable necessary services
xdg.portal = {
enable = true;
extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
};
services.pcscd.enable = true;
# iPhone USB mount (libimobiledevice)
services.usbmuxd.enable = true;
# mDNS for AirPlay receiver (UxPlay) discovery from iPhone
services.avahi = {
enable = true;
nssmdns4 = true;
openFirewall = true;
publish = {
enable = true;
addresses = true;
userServices = true;
};
extraPortals = with pkgs; [
xdg-desktop-portal-hyprland
];
};
security.pam.services = {
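Review bot: `services.pcscd.enable = true;` sits on the removed side of this hunk together with `services.usbmuxd` and the `services.avahi` block. It forms a pair with `scdaemonSettings.disable-ccid = true` in the home.nix hunk: with scdaemon's built-in CCID driver disabled, gpg reaches the YubiKey only through PC/SC, so `gpg --card-status` and `keytocard` in the setup guide depend on pcscd running. Both halves are removed here, which is consistent, but if either is ever restored the other must come back with it; a comment linking the two would prevent that breakage.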
@@ -307,36 +241,17 @@
RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
'';
# Optimize shutdown handling to prevent user manager hangs
# Reduce timeout for user manager service during shutdown (default is 90s, reducing to 30s)
# This prevents the 2-minute hang when shutting down with linger enabled
systemd.services."user@".serviceConfig = {
TimeoutStopSec = "30s";
};
# Reduce default timeout for all user services
systemd.user.extraConfig = ''
DefaultTimeoutStopSec=30s
'';
# Gnome Configuration
fonts.packages = [
pkgs.adwaita-icon-theme
pkgs.nerd-fonts._0xproto
];
fonts.fontconfig.enable = true;
services.gnome = {
core-apps.enable = true;
core-developer-tools.enable = true;
games.enable = false;
};
services.desktopManager.gnome.extraGSettingsOverrides = ''
[org.gnome.mutter]
experimental-features=['scale-monitor-framebuffer']
'';
services.gnome.core-apps.enable = false;
services.gnome.core-developer-tools.enable = false;
services.gnome.games.enable = false;
environment.gnome.excludePackages = with pkgs; [
gnome-tour gnome-user-docs gnome-console
gnome-tour gnome-user-docs
];
qt = {
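Review bot: `fonts.packages` lists `pkgs.adwaita-icon-theme`, which is an icon theme rather than a font and is already in `environment.systemPackages` a few hunks up; only `pkgs.nerd-fonts._0xproto` belongs in that list.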
@@ -345,15 +260,5 @@
style = "adwaita-dark";
};
security.wrappers = {
# Low-level unprivileged sandboxing tool, see <https://github.com/containers/bubblewrap>.
bwrap = {
owner = "root";
group = "root";
source = "${pkgs.bubblewrap}/bin/bwrap";
setuid = true;
};
};
}
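Review bot: the `security.wrappers.bwrap` entry with `setuid = true` installs bubblewrap as a setuid-root binary available to every user. Bubblewrap only needs setuid when unprivileged user namespaces are unavailable, and the README states they are enabled (rootless Docker relies on them), so the wrapper adds root-privileged attack surface for no gain; use the unprivileged `pkgs.bubblewrap` binary instead. The side of this hunk without the wrapper is the safer one.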
-32
@@ -1,32 +0,0 @@
building the system configuration...
error:
… while calling the 'head' builtin
at /nix/store/j4hbw1ws742nmsfhbd9r22k1qgivk7hc-nixos-25.11/nixos/lib/attrsets.nix:1696:13:
1695| if length values == 1 || pred here (elemAt values 1) (head values) then
1696| head values
| ^
1697| else
… while evaluating the attribute 'value'
at /nix/store/j4hbw1ws742nmsfhbd9r22k1qgivk7hc-nixos-25.11/nixos/lib/modules.nix:1118:7:
1117| // {
1118| value = addErrorContext "while evaluating the option `${showOption loc}':" value;
| ^
1119| inherit (res.defsFinal') highestPrio;
… while evaluating the option `system.build.toplevel':
… while evaluating definitions from `/nix/store/j4hbw1ws742nmsfhbd9r22k1qgivk7hc-nixos-25.11/nixos/nixos/modules/system/activation/top-level.nix':
… while evaluating the option `assertions':
… while evaluating definitions from `/nix/store/qlchl88ml287pcv5xqyrpcq7jjyl3qgm-home-manager-25.11.tar.gz/home-manager/nixos/common.nix':
(stack trace truncated; use '--show-trace' to show the full, detailed trace)
error: The option `home-manager.users.l-wyatt.programs.neovim-kickstart' does not exist. Definition values:
- In `/home/l-wyatt/Documents/nixos-configuration/configuration.nix':
{
enable = true;
}
Command 'nix-build '<nixpkgs/nixos>' --attr config.system.build.toplevel --no-out-link' returned non-zero exit status 1.
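Review bot: a `nix-build` error transcript does not belong in the configuration repository (it also embeds the local checkout path), so its deletion in this hunk is right; add a pattern for such logs to .gitignore so it does not return. The log still explains the fix commit: the failing command is `nix-build '<nixpkgs/nixos>' --attr config.system.build.toplevel`, i.e. a channel-based rebuild without `--flake`, in which `kickstart-nvim.homeManagerModules.default` from the flake's `home-manager.sharedModules` is never loaded and `programs.neovim-kickstart` therefore "does not exist"; the offending definition sat under `home-manager.users.l-wyatt` in configuration.nix, the duplicate the commit message removes.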
-169
@@ -1,169 +0,0 @@
{
"nodes": {
"caveman": {
"flake": false,
"locked": {
"lastModified": 1776507098,
"narHash": "sha256-M+NoWXxrhtbkbe/lmq7P0/KpmqOZzJjhgeUVjY+7N2k=",
"owner": "JuliusBrussee",
"repo": "caveman",
"rev": "84cc3c14fa1e10182adaced856e003406ccd250d",
"type": "github"
},
"original": {
"owner": "JuliusBrussee",
"repo": "caveman",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1775077333,
"narHash": "sha256-OXcxobt7lBkh1B8AjwreU+24myhtKpqeLfAeIyNLFY8=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "49ca96b2714c5931e17401eff87f3edd42d2b0f2",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-25.11",
"repo": "home-manager",
"type": "github"
}
},
"kickstart-nvim": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1771545825,
"narHash": "sha256-xGrTr8aXGzKBpF+RRwnLR8y8yDweojaoqttfA6RH1ws=",
"owner": "0xWheatyz",
"repo": "kickstart.nvim",
"rev": "cef178c27d1b3840d943f5a28b3a45f9eae049d7",
"type": "github"
},
"original": {
"owner": "0xWheatyz",
"repo": "kickstart.nvim",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1771369470,
"narHash": "sha256-0NBlEBKkN3lufyvFegY4TYv5mCNHbi5OmBDrzihbBMQ=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "0182a361324364ae3f436a63005877674cf45efb",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1779536132,
"narHash": "sha256-q+fF42iv/geEbHfgSzy3tS0FF/EyD6XTZ98E6yxiBO8=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "3d8f0f3f72a6cd4d93d0ad13203f2ea1cb7e1456",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1775002709,
"narHash": "sha256-d3Yx83vSrN+2z/loBh4mJpyRqr9aAJqlke4TkpFmRJA=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "bcd464ccd2a1a7cd09aa2f8d4ffba83b761b1d0e",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-25.11",
"repo": "nixpkgs",
"type": "github"
}
},
"oh-my-claudecode": {
"flake": false,
"locked": {
"lastModified": 1776693787,
"narHash": "sha256-C/m8Vlt6MXy8nlgqtoey9A5JnVTHCPkGUjar9x5Y2uw=",
"owner": "Yeachan-Heo",
"repo": "oh-my-claudecode",
"rev": "084fc47266824b35f4c8cbe886c0990ae716c184",
"type": "github"
},
"original": {
"owner": "Yeachan-Heo",
"repo": "oh-my-claudecode",
"type": "github"
}
},
"root": {
"inputs": {
"caveman": "caveman",
"home-manager": "home-manager",
"kickstart-nvim": "kickstart-nvim",
"nixpkgs": "nixpkgs_2",
"nixpkgs-unstable": "nixpkgs-unstable",
"oh-my-claudecode": "oh-my-claudecode"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}
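Review bot: deleting flake.lock removes the pin for every input, including the two `flake = false` inputs (caveman, oh-my-claudecode) whose contents home.nix copies into `~/.claude/skills`, `~/.claude/agents` and `CLAUDE.md`, that is, into instructions an AI coding agent runs under the broad `permissions.allow` list shown in the home.nix hunk. The lock's `rev` and `narHash` are the only thing that fixes what that content is; without them every `nix flake update` or fresh clone follows each upstream's default branch unreviewed. If those inputs are kept, the lock must be kept and committed with them; if they are dropped, their entries disappear from the lock on the next update anyway, so there is no reason to delete the file by hand.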
+23 -28
@@ -1,36 +1,37 @@
{
description = "NixOS configuration with home-manager and kickstart.nvim";
description = "FrostPhoenix's nixos configuration";
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixpkgs-unstable";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
nur.url = "github:nix-community/NUR";
home-manager = {
url = "github:nix-community/home-manager/release-25.11";
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs";
};
kickstart-nvim.url = "github:0xWheatyz/kickstart.nvim";
caveman = {
url = "github:JuliusBrussee/caveman";
flake = false;
};
oh-my-claudecode = {
url = "github:Yeachan-Heo/oh-my-claudecode";
nix-gaming.url = "github:fufexan/nix-gaming";
nix-flatpak.url = "github:gmodena/nix-flatpak";
nix-index-database = {
url = "github:nix-community/nix-index-database";
inputs.nixpkgs.follows = "nixpkgs";
};
maple-mono = {
url = "github:subframe7536/maple-font/variable";
flake = false;
};
superfile.url = "github:yorukot/superfile";
vicinae.url = "github:vicinaehq/vicinae";
zen-browser.url = "github:0xc000022070/zen-browser-flake/beta";
};
outputs = { self, nixpkgs, nixpkgs-unstable, home-manager, kickstart-nvim, caveman, oh-my-claudecode, ... }:
let
system = "x86_64-linux";
pkgs-unstable = import nixpkgs-unstable {
inherit system;
config.allowUnfree = true;
};
in {
outputs = { self, nixpkgs, home-manager, ... }: {
nixosConfigurations = {
nixos = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = { inherit pkgs-unstable; };
system = "x86_64-linux";
modules = [
./configuration.nix
home-manager.nixosModules.home-manager
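Review bot: on the side with `description = "FrostPhoenix's nixos configuration"`, the `inputs` block declares `nur`, `nix-gaming`, `nix-flatpak`, `nix-index-database`, `maple-mono`, `superfile`, `vicinae` and `zen-browser`, none of which `outputs = { self, nixpkgs, home-manager, ... }` ever references. Nix still resolves and locks every declared input (fetching each to compute its hash), so each one is an extra third-party source the build trusts for nothing in return; remove the unused inputs and give the flake its own description instead of the one copied from the template. The other side's pairing of `nixos-25.11` with `home-manager/release-25.11` plus `inputs.nixpkgs.follows = "nixpkgs"` is the tidier pinning.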
@@ -38,15 +39,9 @@
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.l-wyatt = import ./home.nix;
home-manager.extraSpecialArgs = {
inherit kickstart-nvim caveman oh-my-claudecode;
};
home-manager.sharedModules = [
kickstart-nvim.homeManagerModules.default
];
}
];
};
};
};
}
}`
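Review bot: the final line of this hunk, `` }` ``, carries a stray backtick after the closing brace; Nix's parser rejects it, so the flake cannot be evaluated at all and every `nixos-rebuild switch --flake .#nixos` fails before any other change matters. Remove the backtick so the file ends with a bare `}`.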
-39
@@ -1,39 +0,0 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/2e63927a-129d-400a-b532-5e98dd1f53d0";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/6FAB-C1E3";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp193s0f3u2.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
+41 -191
@@ -1,4 +1,4 @@
{ config, pkgs, lib, caveman, oh-my-claudecode, ... }:
{ config, pkgs, ... }:
{
home.username = "l-wyatt";
@@ -15,20 +15,15 @@
python3
nmap
file
freerdp
freerdp
bitwarden-desktop
bitwarden-cli
lunarvim
minicom
ghostty
gnupg
pinentry-gnome3
kicad
gnomeExtensions.blur-my-shell
gnomeExtensions.just-perfection
gnomeExtensions.arc-menu
freecad
gtk3 # Provides org.gtk.Settings.FileChooser schema for FreeCAD
nodejs # Required by claude-code and oh-my-claudecode (HUD, npm plugins)
];
# --------------------------
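Review bot: `gnupg` and `pinentry-gnome3` in `home.packages` duplicate what the system-level `programs.gnupg.agent` block already installs and pins (`pinentryPackage = pkgs.pinentry-gnome3`). With `home-manager.useGlobalPkgs = true` they resolve to the same derivations today, so this is harmless, but two declarations are two places that can drift and hand gpg and gpg-agent from different builds; keep the system-level one only.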
@@ -74,16 +69,6 @@
initContent = ''
export SHELL=$(which zsh)
alias nix-shell='nix-shell --run $SHELL'
# Auto-update nixpkgs-unstable (for claude-code) on rebuild
nixos-rebuild() {
if [[ "$1" == "switch" || "$1" == "boot" || "$1" == "test" ]]; then
echo "Updating nixpkgs-unstable for latest Claude Code..."
nix flake update nixpkgs-unstable --flake /home/l-wyatt/Documents/nixos-configuration
fi
command sudo nixos-rebuild "$@" --flake /home/l-wyatt/Documents/nixos-configuration
}
nix() {
if [[ $1 == "develop" ]]; then
shift
@@ -103,58 +88,14 @@
'';
};
# Configure cursor theme
home.pointerCursor = {
gtk.enable = true;
x11.enable = true;
name = "Adwaita";
package = pkgs.adwaita-icon-theme;
size = 24;
};
# Set Ghostty as default terminal
dconf.settings = {
"org/gnome/desktop/default-applications/terminal" = {
exec = "ghostty";
exec-arg = "";
};
"org/gnome/crypto/cache" = {
enable-ssh-agent = false;
};
};
# Disable GCR ssh-agent so gpg-agent handles SSH
systemd.user.sockets.gcr-ssh-agent.Install.WantedBy = lib.mkForce [];
# GPG configuration
programs.gpg = {
enable = true;
settings = {
keyserver = "hkps://keys.openpgp.org";
keyid-format = "0xlong";
with-fingerprint = true;
personal-cipher-preferences = "AES256 AES192 AES";
personal-digest-preferences = "SHA512 SHA384 SHA256";
personal-compress-preferences = "ZLIB BZIP2 ZIP Uncompressed";
};
scdaemonSettings = {
disable-ccid = true;
};
};
# Manage your git configuration declaratively
programs.git = {
enable = true;
signing = {
key = "0xADCEAC560B498269";
signByDefault = true;
};
settings = {
user = {
name = "0xWheatyz";
email = "wyatt@leeworks.dev";
};
pull.rebase = "false";
init.defaultBranch = "master";
push.autoSetupRemote = "true";
alias.lg = "log --graph --pretty=format:'%C(yellow)%h%Creset -%C(red)%d%Creset %s %Cgreen(%cr)%Creset %C(bold blue)<%an>%Creset' --abbrev-commit";
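Review bot: the GCR ssh-agent disable is spread across two places (`"org/gnome/crypto/cache".enable-ssh-agent = false` in dconf and `systemd.user.sockets.gcr-ssh-agent.Install.WantedBy = lib.mkForce []`) and only works together with `programs.gnupg.agent.enableSSHSupport = true` in configuration.nix; if any one of the three is dropped, either two agents compete for `SSH_AUTH_SOCK` or none serves the card key. Keep them together behind one comment that names the dependency. Also, `signing.key` would be more robust as the full 40-hex-digit fingerprint rather than the 64-bit long ID; gpg accepts both, but only the fingerprint is unambiguous.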
@@ -165,143 +106,52 @@
programs.tmux = {
enable = true;
# Optional: customize tmux settings
# Basic tmux configuration
terminal = "screen-256color";
historyLimit = 10000;
keyMode = "vi";
mouse = true;
extraConfig = ''
# Enable mouse support
set -g mouse on
# Set prefix to Ctrl-a instead of Ctrl-b
unbind C-b
set-option -g prefix C-a
bind-key C-a send-prefix
# Start window numbering at 1
set -g base-index 1
# Split panes using | and -
bind | split-window -h
bind - split-window -v
unbind '"'
unbind %
# Set terminal colors
set -g default-terminal "screen-256color"
# Reload config file
bind r source-file ~/.config/tmux/tmux.conf
'';
};
# Neovim management - using kickstart.nvim via flake
# Basic fallback config (uncomment if not using the flake)
#programs.neovim = {
# enable = true;
# defaultEditor = true;
#
# # Load Lua config inline
# extraLuaConfig = ''
# vim.opt.number = true
# vim.opt.tabstop = 2
# vim.opt.shiftwidth = 2
# vim.opt.expandtab = true
# vim.opt.relativenumber = true
#
# require("telescope").setup {}
# require("nvim-treesitter.configs").setup { highlight = { enable = true } }
# '';
#
# plugins = with pkgs.vimPlugins; [
# telescope-nvim
# nvim-treesitter
# nvim-lspconfig
# gruvbox
# ];
#};
# Neovim management
programs.neovim = {
enable = true;
defaultEditor = true;
# Use kickstart.nvim configuration from flake
programs.neovim-kickstart.enable = true;
# Load Lua config inline
extraLuaConfig = ''
vim.opt.number = true
vim.opt.tabstop = 2
vim.opt.shiftwidth = 2
vim.opt.expandtab = true
vim.opt.relativenumber = true
# Claude Code skills (managed declaratively via flake inputs)
home.file.".claude/skills/caveman" = {
source = "${caveman}/skills/caveman";
recursive = true;
};
home.file.".claude/skills/caveman-help" = {
source = "${caveman}/skills/caveman-help";
recursive = true;
};
home.file.".claude/skills" = {
source = "${oh-my-claudecode}/skills";
recursive = true;
};
# Claude Code agents (managed declaratively via flake inputs)
home.file.".claude/agents" = {
source = "${oh-my-claudecode}/agents";
recursive = true;
};
# Claude Code configuration
home.file.".claude/CLAUDE.md" = {
text = builtins.readFile "${oh-my-claudecode}/CLAUDE.md" + ''
## Commit Behavior
After completing each logical unit of work, use the /commit skill to stage
and commit changes before proceeding to the next task. Do not batch unrelated
changes into a single commit. Do not wait to be asked.
require("telescope").setup {}
require("nvim-treesitter.configs").setup { highlight = { enable = true } }
'';
force = true;
};
home.file.".claude/commands/commit.md" = {
text = ''
---
description: Stage and commit changes as a conventional commit with one logical unit per commit
---
Review the current working tree with `git status` and `git diff --staged` and `git diff`.
Then do the following:
1. Identify the smallest logical unit of change present. If multiple unrelated changes exist, only stage and commit one unit at a time leave the rest unstaged.
2. Stage only the files (or hunks via `git add -p`) relevant to that logical unit.
3. Write a commit message following the Conventional Commits format:
<type>(<scope>): <description>
Types: feat, fix, docs, style, refactor, perf, test, chore, ci
- scope is optional but use it when the change is clearly scoped to a module, package, or domain
- description: lowercase, imperative mood, no trailing period, max ~72 chars
- if the change warrants a body, add it after a blank line
4. Run `git commit` with that message. Never use `--no-verify`.
5. Report what was committed and what (if anything) remains uncommitted.
'';
force = true;
};
home.file.".claude/settings.json" = {
text = builtins.toJSON {
hasCompletedOnboarding = true;
permissions = {
allow = [
"Edit"
"Write"
"Read"
"Glob"
"Grep"
"Bash"
"WebFetch"
"WebSearch"
"Agent"
"NotebookEdit"
"Monitor"
];
};
alwaysThinkingEnabled = true;
includeCoAuthoredBy = false;
statusLine = {
type = "command";
command = "node \${CLAUDE_CONFIG_DIR:-$HOME/.claude}/hud/omc-hud.mjs";
};
env = {
CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS = "1";
OMC_PLUGIN_ROOT = "${oh-my-claudecode}";
#ANTHROPIC_BASE_URL = "http://10.0.1.16:20128/v1";
#ANTHROPIC_AUTH_TOKEN = "sk-634d6ea8670969de-qzxian-1a74cc97";
};
teammateMode = "tmux";
};
force = true;
plugins = with pkgs.vimPlugins; [
telescope-nvim
nvim-treesitter
nvim-lspconfig
gruvbox
];
};
programs.ssh = {
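Review bot: the commented-out `ANTHROPIC_AUTH_TOKEN = "sk-..."` in the `settings.json` text is a credential committed to version control; commenting it out, or removing it in this diff, does not remove it from the repository history, so treat it as exposed, rotate it, and keep such values in a file outside the repository (or a secrets tool) referenced from `env` rather than inlined. The `ANTHROPIC_BASE_URL` beside it is plain `http://`, so if re-enabled the token would cross the LAN in cleartext. Second, `permissions.allow` grants `Bash`, `Write`, `WebFetch` and `Agent` without prompting while the skills and agents feeding the same tool are copied into `~/.claude` from two third-party repositories; that combination lets whatever those repositories publish run unreviewed with the user's privileges, so either trim the allow list or pin and review the inputs. Minor: `mouse = true` and `terminal = "screen-256color"` are repeated as `set -g mouse on` and `set -g default-terminal "screen-256color"` in `extraConfig`; one form suffices.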
@@ -333,8 +183,8 @@
proxyJump = "_JumpHost";
};
"git" = {
hostname = "gitea.leeworks.dev";
port = 22;
hostname = "10.0.0.9";
port = 122;
user = "git";
};
};
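Review bot: the `git` SSH host now has three different addresses across this compare: `gitea.leeworks.dev` on port 22 on one side of this hunk, `10.0.0.9` on port 122 on the other, and 10.0.1.10 in both the README and the YubiKey guide. Pick one and update the documentation with it. Note also that pointing the alias at a bare IP and a non-default port means the existing known_hosts entry for the DNS name no longer matches, so the first connection will prompt to accept the host key anew; that is the moment to verify its fingerprint out of band rather than just accepting.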
-247
@@ -1,247 +0,0 @@
# Post-Rebuild YubiKey Setup Guide
## Step 1: Generate GPG Master Key
```bash
gpg --expert --full-generate-key
```
At the prompts:
1. Select **(9) ECC and ECC**
2. Curve: **Curve 25519**
3. Expiration: **1y**
4. Real name: **0xWheatyz**
5. Email: **wyatt@leeworks.dev**
6. Set a strong passphrase
Note the key ID printed (e.g. `0x1234ABCD5678EFGH`).
---
## Step 2: Add Subkeys
```bash
gpg --expert --edit-key <KEY-ID>
```
Add 3 subkeys at the `gpg>` prompt:
**Signing subkey:**
```
gpg> addkey
→ (10) ECC (sign only)
→ Curve 25519
→ 1y expiry
```
**Encryption subkey** (may already exist — check with `list`):
```
gpg> addkey
→ (12) ECC (encrypt only)
→ Curve 25519
→ 1y expiry
```
**Authentication subkey:**
```
gpg> addkey
→ (11) ECC (set your own capabilities)
→ Toggle: disable Sign, enable Authenticate
→ Curve 25519
→ 1y expiry
```
```
gpg> save
```
---
## Step 3: Back Up Master Key (CRITICAL)
> Once keys are moved to the YubiKey, they cannot be extracted. Back up now.
```bash
mkdir -p /tmp/gpg-backup
gpg --armor --export-secret-keys <KEY-ID> > /tmp/gpg-backup/master-secret.asc
gpg --armor --export-secret-subkeys <KEY-ID> > /tmp/gpg-backup/subkeys-secret.asc
gpg --armor --export <KEY-ID> > /tmp/gpg-backup/public.asc
gpg --export-ownertrust > /tmp/gpg-backup/ownertrust.txt
```
Copy `/tmp/gpg-backup/` to an encrypted USB drive or other secure offline storage. Then remove the temp copy:
```bash
rm -rf /tmp/gpg-backup
```
---
## Step 4: Move Subkeys to YubiKey
```bash
gpg --edit-key <KEY-ID>
```
Move each subkey to its corresponding card slot:
```
gpg> key 1
gpg> keytocard
→ (1) Signature key
gpg> key 1
gpg> key 2
gpg> keytocard
→ (2) Encryption key
gpg> key 2
gpg> key 3
gpg> keytocard
→ (3) Authentication key
gpg> save
```
---
## Step 5: Set Trust & Verify
```bash
gpg --edit-key <KEY-ID>
```
```
gpg> trust
→ (5) I trust ultimately
gpg> quit
```
Verify the card:
```bash
gpg --card-status # Should show all 3 subkeys
gpg --list-secret-keys # Subkeys should show "ssb>" (stub pointing to card)
```
---
## Step 6: Back Up & Remove Old SSH Keys
```bash
mkdir -p ~/.ssh/old
mv ~/.ssh/id_ed25519 ~/.ssh/old/
mv ~/.ssh/id_ed25519.pub ~/.ssh/old/
```
---
## Step 7: Get Your New SSH Public Key
```bash
gpg --export-ssh-key <KEY-ID>
```
This outputs the SSH public key derived from your GPG auth subkey. Save it:
```bash
gpg --export-ssh-key <KEY-ID> > ~/.ssh/yubikey.pub
```
Verify gpg-agent serves it:
```bash
ssh-add -L # Should show the same key
```
Deploy this key to your remote servers:
- **vps** (45.79.198.105) — add to `~/.ssh/authorized_keys` for user `wyatt`
- **home** (10.0.0.20) — add to `~/.ssh/authorized_keys` for user `l-wyatt`
- **git** (10.0.1.10) — add via your Gitea/Forgejo web UI
- **GitHub** — Settings → SSH and GPG Keys → New SSH Key
> **Tip:** Use the old key (still in `~/.ssh/old/`) to SSH in and deploy the new one:
> ```bash
> ssh -i ~/.ssh/old/id_ed25519 vps "echo '$(gpg --export-ssh-key <KEY-ID>)' >> ~/.ssh/authorized_keys"
> ```
---
## Step 8: Update home.nix with Your Signing Key
Get your key ID:
```bash
gpg --list-secret-keys --keyid-format 0xlong
```
Then edit `home.nix` and replace the `key = null;` line:
```nix
signing = {
key = "<YOUR-0xLONG-KEY-ID>"; # e.g. "0x1234ABCD5678EFGH"
signByDefault = true;
};
```
Rebuild again:
```bash
nixos-rebuild switch
```
---
## Step 9: Verify Everything
```bash
# Smartcard
gpg --card-status
# SSH via YubiKey
ssh-add -L
ssh vps echo "YubiKey SSH works!"
# Git signing
cd /tmp && git init test-sign && cd test-sign
git commit --allow-empty -m "test signing"
git log --show-signature -1
# Should show "Good signature from 0xWheatyz <wyatt@leeworks.dev>"
rm -rf /tmp/test-sign
```
---
## Step 10 (Optional): Change YubiKey PINs
The default PINs are `123456` (user) and `12345678` (admin). Change them:
```
gpg --card-edit
gpg/card> admin
gpg/card> passwd
→ (1) Change PIN
→ (3) Change Admin PIN
gpg/card> quit
```
---
## Step 11 (Optional): Upload GPG Public Key to GitHub
```bash
gpg --armor --export <KEY-ID>
```
Paste the output into **GitHub → Settings → SSH and GPG Keys → New GPG Key**. This makes your signed commits show "Verified" on GitHub.
---
## Note
The config changes to `configuration.nix` and `home.nix` are already saved. After you rebuild, reboot, and follow the steps above, you'll need to come back to update `home.nix` one more time with your actual GPG key ID (Step 8) and do a final rebuild.
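Review bot: Step 3 stages the exported master secret key in `/tmp/gpg-backup`, created with `mkdir -p` under the default umask, so on a shared host the directory is world-listable and the `.asc` files world-readable (protected only by the Step 1 passphrase) until the final `rm -rf`; create it with `mkdir -m 700` or run the exports under `umask 077`, or better, export straight onto the encrypted USB drive the step already tells the reader to copy to and skip the /tmp staging copy. Unless /tmp is a tmpfs, which nothing in this compare configures, `rm -rf` also leaves the export's blocks on the ext4 root recoverable. Step 6 moves the old SSH private key to `~/.ssh/old/` rather than deleting it; the Tip relies on it for bootstrapping, so add a closing step that removes it once Step 9 has confirmed the YubiKey login. Step 10 (changing the documented default PINs) should come before Step 4, since `keytocard` asks for the Admin PIN, and the defaults should not still be in place at that point.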