feature(ssl/tls): add my homelab pki root ca to the trust store

Reviewed-on: #10

README.md

@@ -1,10 +1,10 @@
 # 0x29a nixos config
 
-My personal nixos configuration files.
+My personal nixos configuration files for different environments.
 
 ## basic system installation
 
-- The installations in this repository are always luks encrypted
+- The installations presented in this repository are always luks encrypted
 - For simplicity I'm using device labels rather than uuids
 
 1. the partitioning layout should look somewhat like this after the installation
@@ -97,10 +97,12 @@ cd /mnt
 sudo nixos-install
 ```
 
-## how to deploy the config
+## how to deploy the inital config
+
+- Don't forget to install the bootloader, if you changed it since `nixos-install`
 
 ```bash
-$ sudo nixos-rebuild switch --flake .#host_name
+$ sudo nixos-rebuild --install-bootloader switch --flake .#host_name
 ```
 
 ## how to upgrade the system
@@ -109,8 +111,24 @@ $ sudo nixos-rebuild switch --flake .#host_name
 $ cd /path/to/repo
 $ sudo nix flake update
 $ sudo nixos-rebuild switch --flake .#host_name
+$ sudo nix-collect-garbage
 ```
 
+## how to use nix-helper
+
+The tool nix-helper is installed by this configuration. It simplifies administrating nixos and adds more output to the rebuild command. It also features a diff after a successful build. The command uses the `NH_FLAKE` environment variable to be able to run from whatever directory.
+
+Basic commands with a set `NH_FLAKE` variable are:
+
+```bash
+$ nh os switch
+$ nh os build
+$ nh os test
+$ nh clean all --keep 5
+```
+
+There is also the option to interface with home-manager by using `nh home switch`but this isn't necessary since home-manager is imported as a module in this config.
+
 ## author
 
 aaron <aaron@0x29a.ch>

flake.lock

@@ -1,5 +1,26 @@
 {
   "nodes": {
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "nixvim",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1765835352,
+        "narHash": "sha256-XswHlK/Qtjasvhd1nOa1e8MgZ8GS//jBoTqWtrS1Giw=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "a34fae9c08a15ad73f295041fec82323541400a9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -7,11 +28,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1765337252,
-        "narHash": "sha256-HuWQp8fM25fyWflbuunQkQI62Hg0ecJxWD52FAgmxqY=",
+        "lastModified": 1768434960,
+        "narHash": "sha256-cJbFn17oyg6qAraLr+NVeNJrXsrzJdrudkzI4H2iTcg=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "13cc1efd78b943b98c08d74c9060a5b59bf86921",
+        "rev": "b4d88c9ac42ae1a745283f6547701da43b6e9f9b",
         "type": "github"
       },
       "original": {
@@ -22,11 +43,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1765186076,
-        "narHash": "sha256-hM20uyap1a0M9d344I692r+ik4gTMyj60cQWO+hAYP8=",
+        "lastModified": 1768305791,
+        "narHash": "sha256-AIdl6WAn9aymeaH/NvBj0H9qM+XuAuYbGMZaP0zcXAQ=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "addf7cf5f383a3101ecfba091b98d0a1263dc9b8",
+        "rev": "1412caf7bf9e660f2f962917c14b1ea1c3bc695e",
         "type": "github"
       },
       "original": {
@@ -36,6 +57,28 @@
         "type": "github"
       }
     },
+    "nixvim": {
+      "inputs": {
+        "flake-parts": "flake-parts",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1768486009,
+        "narHash": "sha256-I7ymDe6UQooHy9I9wrafKCCDnRbox/EMWAgJgpm7fGs=",
+        "owner": "nix-community",
+        "repo": "nixvim",
+        "rev": "03a638205b5cb04ba9c2ed6c604e137b15f07fa1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixvim",
+        "type": "github"
+      }
+    },
     "noctalia": {
       "inputs": {
         "nixpkgs": [
@@ -43,11 +86,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1765420707,
-        "narHash": "sha256-lX0WxWosQbm3DrZhscVTiLLpJcoZvaQaZoP+eNt75wE=",
+        "lastModified": 1768504094,
+        "narHash": "sha256-4BRzwk88XyTeM8IzfQm31AHxGu2YpAorLMG2dpsA6xs=",
         "owner": "noctalia-dev",
         "repo": "noctalia-shell",
-        "rev": "298b2f5c794d4641cde21cf20422224bf8a60f99",
+        "rev": "c083b33dca0f8fc9c9647ee5cc88281a4bb8c69d",
         "type": "github"
       },
       "original": {
@@ -60,8 +103,24 @@
       "inputs": {
         "home-manager": "home-manager",
         "nixpkgs": "nixpkgs",
+        "nixvim": "nixvim",
         "noctalia": "noctalia"
       }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -1,63 +1,55 @@
 {
-  description = "0x29a ecosystem NixOS flake";
+  description = "0x29a NixOS flake";
   
   inputs = {
-    # the main nix package collection
-    nixpkgs = {
-      url = "github:nixos/nixpkgs/nixos-unstable";
-    };
-    # home manager for dotfiles
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
     home-manager = {
       url = "github:nix-community/home-manager";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    # noctalia shell
     noctalia = {
       url = "github:noctalia-dev/noctalia-shell";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    nixvim = {
+      url = "github:nix-community/nixvim";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
   
-  outputs = inputs@{self, nixpkgs, home-manager, ... }: let
-    lib = nixpkgs.lib;
-    system = "x86_64-linux";
-    pkgs = nixpkgs.legacyPackages.${system};
-  in {
+  outputs = { self, nixpkgs, home-manager, nixvim, ... }@inputs: {
     nixosConfigurations = {
-      # default config
+
       default = nixpkgs.lib.nixosSystem {
-        inherit system;
-        specialArgs = {
-          inherit inputs;
-        };
+        system = "x86_64-linux";
+        specialArgs = { inherit inputs; };
         modules = [
-          # import host specific configs
-          ./hosts/default/configuration.nix
-          # import host specific hardware configs
           ./hosts/default/hardware-configuration.nix
+          ./hosts/default/configuration.nix
+          home-manager.nixosModules.home-manager
+          {
+            home-manager.extraSpecialArgs = { inherit inputs; };
+            home-manager.users.aaron.imports = [
+              nixvim.homeModules.nixvim
+              ./users/aaron/home.nix
+            ];
+          }
         ];
       };
       
-      # laptop neon
       neon = nixpkgs.lib.nixosSystem {
-        inherit system;
-        specialArgs = {
-          inherit inputs;
-        };
+        system = "x86_64-linux";
+        specialArgs = { inherit inputs; };
         modules = [
-          # import host specific configs
-          ./hosts/neon/configuration.nix
-          # import host specific hardware configs
           ./hosts/neon/hardware-configuration.nix
-          # import noctalia shell configs
-          ./hosts/neon/noctalia.nix
-          # Add home-manager form my user as a module
+          ./hosts/neon/configuration.nix
           home-manager.nixosModules.home-manager
           {
-            home-manager.useGlobalPkgs = true;
-            home-manager.useUserPackages = true;
-            home-manager.users.aaron = import ./hosts/neon/home.nix;
             home-manager.extraSpecialArgs = { inherit inputs; };
+            home-manager.users.aaron.imports = [
+              nixvim.homeModules.nixvim
+              ./users/aaron/home.nix
+            ];
           }
         ];
       };

hosts/neon/configuration.nix

@@ -1,151 +1,24 @@
-{ pkgs, lib, inputs, ... }:
+{ config, pkgs, inputs, ... }:
 
 {
-  imports =
-    [ 
-      ./hardware-configuration.nix
+  imports = [
+    ../../modules/nixos/audio.nix
+    ../../modules/nixos/bootloader.nix
+    ../../modules/nixos/certificates.nix
+    ../../modules/nixos/gnupg.nix
+    ../../modules/nixos/locales.nix
+    ../../modules/nixos/networking.nix
+    ../../modules/nixos/niri.nix
+    ../../modules/nixos/noctalia.nix
+    ../../modules/nixos/openssh.nix
+    ../../modules/nixos/packages.nix
+    ../../modules/nixos/sddm.nix
+    ../../modules/nixos/services.nix
+    ../../modules/nixos/settings.nix
+    ../../modules/nixos/steam.nix
+    ../../modules/nixos/users.nix
   ];
 
-  # use flakes
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
-
-  # configure bootloader
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-  
-  # plymouth boot eye candy
-  boot.initrd.systemd.enable = true;
-  boot.plymouth.enable = true;
-  boot.plymouth.theme = "spinner";
- 
-  # use latest kernel
-  boot.kernelPackages = pkgs.linuxPackages_latest;
-
-  # networking
-  networking.hostName = "neon"; 
-  networking.networkmanager.enable = true;
-
-  # bluetooth
-  hardware.bluetooth.enable = true;
-
-  # time zone.
-  time.timeZone = "Europe/Amsterdam";
-
-  # select internationalisation properties
-  i18n.defaultLocale = "en_US.UTF-8";
-  i18n.extraLocaleSettings = {
-    LC_ADDRESS = "en_US.UTF-8";
-    LC_IDENTIFICATION = "en_US.UTF-8";
-    LC_MEASUREMENT = "en_US.UTF-8";
-    LC_MONETARY = "en_US.UTF-8";
-    LC_NAME = "en_US.UTF-8";
-    LC_NUMERIC = "en_US.UTF-8";
-    LC_PAPER = "en_US.UTF-8";
-    LC_TELEPHONE = "en_US.UTF-8";
-    LC_TIME = "en_US.UTF-8";
-  };
-  console = {
-    font = "Lat2-Terminus16";
-    keyMap = "de_CH-latin1";
-  };
-
-  # window manager configs
-  programs.niri.enable = true;
-  programs.xwayland.enable = true;
-  services.displayManager.gdm = {
-    enable = true;
-    wayland = true;
-  };
-  services.tuned.enable = true;
-  services.upower.enable = true;
-
-  environment.pathsToLink = [ "/libexec" ];
-  environment.variables.EDITOR = "vim";
-
-  # enable sound
-  services.pipewire = {
-     enable = true;
-     pulse.enable = true;
-  };
-
-  # define a user account
-  users.users.aaron = {
-    isNormalUser = true;
-    group = "users";
-    extraGroups = [ "wheel" ];
-    shell = pkgs.zsh;
-    packages = with pkgs; [
-      tree
-      fastfetch
-    ];
-  };
-
-  # browser
-  programs.firefox.enable = true;
-
-  # zsh config
-  programs.zsh = {
-    enable = true;
-    enableCompletion = true;
-    autosuggestions.enable = true;
-    ohMyZsh = {
-      enable = true;
-      plugins = [ "git" "sudo" ];
-      theme = "gentoo";
-    };
-  };
-
-  # system packages
-  environment.systemPackages = with pkgs; [
-    efibootmgr
-    neovim
-    vim
-    git
-    alacritty
-    ghostty
-    kitty
-    gnupg
-    xwayland
-    xwayland-satellite
-    wget
-  ];
-
-  # Some programs need SUID wrappers
-  programs.mtr.enable = true;
-  programs.gnupg.agent = {
-     enable = true;
-     enableSSHSupport = true;
-  };
-
-  # enable steam on this machine
-  nixpkgs.config.allowUnfree = true;
-  programs.steam = {
-    enable = true;
-    remotePlay.openFirewall = true;
-    dedicatedServer.openFirewall = true;
-    localNetworkGameTransfers.openFirewall = true;
-  };
-
-  # fix black screen in steam on intel gpu
-  programs.steam.package = pkgs.steam.override {
-    extraArgs = "-system-composer";
-  };
-
-  # enable the OpenSSH daemon
-  services.openssh = {
-    enable = true;
-    openFirewall = true;
-  };
-
-  # firewall configs
-  networking.firewall.allowedTCPPorts = [ ];
-  networking.firewall.allowedUDPPorts = [ ];
-
-  # enable home-manager globally
-  home-manager.useGlobalPkgs = true;
-  home-manager.useUserPackages = true;
-  home-manager.backupFileExtension = "backup";
-
   # install state version
   system.stateVersion = "25.11"; # Don't change
 }

hosts/neon/home.nix

@@ -1,102 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  # user config
-  home.username = "aaron";
-  home.homeDirectory = "/home/aaron";
-
-  # user packages
-  home.packages = with pkgs; [
-    discord
-    fastfetch
-    screenfetch
-    zip
-    xz
-    unzip
-    p7zip
-    jq
-    mtr
-    iperf3
-    imagemagick
-    imv
-    dnsutils
-    ldns
-    socat
-    nmap
-    keepassxc
-    cowsay
-    file
-    which
-    tree
-    zstd
-    gnupg
-    btop
-    iotop
-    iftop
-    strace
-    ltrace
-    lsof
-    sysstat
-    lm_sensors
-    ethtool
-    pciutils
-    usbutils
-    powerline-fonts
-    powerline-symbols
-    nerd-fonts.sauce-code-pro
-  ];
-
-  # configure git
-  programs.git.settings = {
-    enable = true;
-    userName = "aaron";
-    userEmail = "aaron@0x29a.ch";
-  };
-
-  # configure zsh theme
-  programs.zsh = {
-    enable = true;
-    autosuggestion.enable = true;
-    syntaxHighlighting.enable = true;
-    oh-my-zsh = {
-      enable = true;
-      theme = "agnoster";
-      #plugins = [ "git" "ssh-agent" ];
-    };
-  };
-
-  # set gtk theme
-  gtk = {
-    enable = true;
-    theme = {
-      name = "Adwaita-dark";
-        package = pkgs.gnome-themes-extra;
-      };
-    gtk3.extraConfig.gtk-application-prefer-dark-theme = 1;
-    gtk4.extraConfig.gtk-application-prefer-dark-theme = 1;
-  };
-
-  # set qt theme
-  qt = {
-    enable = true;
-    platformTheme.name = "qt6";
-    style = {
-      name = "adwaita-dark";
-      package = pkgs.adwaita-qt;
-    };
-  };
-
-  # set env vars
-  home.sessionVariables = {
-    EDITOR = "vim";
-  };
-
-  # enable syncthing for user
-  services.syncthing.enable = true;
-
-  # enable home manager
-  programs.home-manager.enable = true;
-
-  # don't change
-  home.stateVersion = "25.11";
-}

modules/home-manager/git.nix

@@ -0,0 +1,18 @@
+{ config, pkgs, inputs, ... }:
+
+{
+  programs.git = {
+    enable = true;
+    settings = {
+      push = { autoSetupRemote = true; };
+      user = {
+        name  = "aaron";
+        email = "aaron@0x29a.ch";
+      };
+    };
+    signing = {
+      key = "7A830180A05DAC59CDE43B0677D2F5DB48184456";
+      signByDefault = true;
+    };
+  };
+}

modules/home-manager/nixvim.nix

@@ -0,0 +1,26 @@
+{ config, pkgs, inputs, ... }:
+
+{
+  programs.nixvim = {
+    globals.mapleader = " ";
+    enable = true;
+    viAlias = false;
+    vimAlias = true;
+    opts = {
+      number = true;
+      relativenumber = true;
+      shiftwidth = 2;
+      tabstop = 2;
+      expandtab = true;
+      incsearch = true;
+    };
+    colorschemes.nord.enable = true;
+    plugins.lualine.enable = true;
+    plugins.nix.enable = true;
+    plugins.nvim-tree.enable = true;
+    plugins.treesitter.enable = true;
+    plugins.telescope.enable = true;
+    plugins.web-devicons.enable = true;
+    plugins.indent-blankline.enable = true;
+  };
+}

modules/home-manager/programs.nix

@@ -0,0 +1,18 @@
+{ config, pkgs, inputs, ... }:
+
+{
+  # user packages
+  home.packages = with pkgs; [
+    discord
+    fastfetch
+    keepassxc
+    nerd-fonts.sauce-code-pro
+    powerline-fonts
+    powerline-symbols
+    screenfetch
+  ];
+
+  # services and other software
+  services.syncthing.enable = true;
+  programs.home-manager.enable = true;
+}

modules/home-manager/shell.nix

@@ -0,0 +1,20 @@
+{ config, pkgs, inputs, ... }:
+ 
+{
+  programs.zsh = {
+    enable = true;
+    autosuggestion.enable = true;
+    syntaxHighlighting.enable = true;
+    oh-my-zsh = {
+      enable = true;
+      theme = "agnoster";
+      #plugins = [ "git" "ssh-agent" ];
+    };
+  };
+
+  # set important env vars
+  home.sessionVariables = {
+    EDITOR = "vim";
+    NH_FLAKE = "/home/aaron/git/nixconfig";
+  };
+}

modules/home-manager/styling.nix

@@ -0,0 +1,30 @@
+{ config, pkgs, inputs, ... }:
+
+{
+  # set gtk theme
+  gtk = {
+    enable = true;
+    theme = {
+      name = "Adwaita-dark";
+        package = pkgs.gnome-themes-extra;
+      };
+    gtk3.extraConfig.gtk-application-prefer-dark-theme = 1;
+    gtk4.extraConfig.gtk-application-prefer-dark-theme = 1;
+  };
+
+  # set qt theme
+  qt = {
+    enable = true;
+    platformTheme.name = "qt6";
+    style = {
+      name = "adwaita-dark";
+      package = pkgs.adwaita-qt;
+    };
+  };
+
+  # ensure packages are installed
+  home.packages = with pkgs; [
+    gnome-themes-extra
+    adwaita-qt
+  ];
+}

modules/home-manager/tmux.nix

@@ -0,0 +1,56 @@
+{ config, pkgs, inputs, ... }:
+
+{
+  programs.tmux = {
+    enable = true;
+    prefix = "C-a";
+    keyMode = "vi";
+    mouse = true;
+    terminal = "screen-256color";
+    extraConfig = ''
+      # Status keys
+      set -g status-keys vi
+      # Status bar options
+      set -g status-interval 1
+      set -g status on
+      set -g status-justify left
+      # Clock mode
+      setw -g clock-mode-colour cyan
+      # Colors
+      set -g status-bg black
+      set -g status-fg white
+      # Key bindings
+      # Reload configuration 
+      bind r source-file ~/.config/tmux/tmux.conf
+      # Panel split and selection
+      unbind %
+      unbind '"'
+      bind v split-window -v
+      bind c split-window -h
+      bind i new-window
+      bind b previous-window
+      bind n next-window
+      # Move around panes with hjkl
+      bind h select-pane -L
+      bind j select-pane -D
+      bind k select-pane -U
+      bind l select-pane -R
+      # Resize panes
+      bind H resize-pane -L 5
+      bind J resize-pane -D 5
+      bind K resize-pane -U 5
+      bind L resize-pane -R 5
+      # Kill commands
+      bind q kill-window
+      bind Q kill-session
+      # Bars
+      set -g status-left "#[fg=black,bg=blue,bold] #S#[fg=blue,bg=black,nobold,noitalics,nounderscore]"
+      set -g status-left "#[fg=black,bg=blue,bold] #S #[fg=blue,bg=black,nobold,noitalics,nounderscore]"
+      set -g status-right "#{prefix_highlight}#[fg=brightblack,bg=black,nobold,noitalics,nounderscore]#[fg=white,bg=brightblack] %Y-%m-%d #[fg=white,bg=brightblack,nobold,noitalics,nounderscore]#[fg=white,bg=brightblack] %H:%M #[fg=cyan,bg=brightblack,nobold,noitalics,nounderscore]#[fg=black,bg=cyan,bold] #H "
+      # Windows
+      set -g window-status-format "#[fg=black,bg=brightblack,nobold,noitalics,nounderscore] #[fg=white,bg=brightblack]#I #[fg=white,bg=brightblack,nobold,noitalics,nounderscore] #[fg=white,bg=brightblack]#W #F #[fg=brightblack,bg=black,nobold,noitalics,nounderscore]"
+      set -g window-status-current-format "#[fg=black,bg=cyan,nobold,noitalics,nounderscore] #[fg=black,bg=cyan]#I #[fg=black,bg=cyan,nobold,noitalics,nounderscore] #[fg=black,bg=cyan]#W #F #[fg=cyan,bg=black,nobold,noitalics,nounderscore]"
+      set -g window-status-separator ""
+    '';
+  };
+}

modules/nixos/audio.nix

@@ -0,0 +1,9 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # enable sound through pipewire
+  services.pipewire = {
+     enable = true;
+     pulse.enable = true;
+  };
+}

modules/nixos/bootloader.nix

@@ -0,0 +1,29 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # set bootloader to systemd
+  boot.loader = {
+    systemd-boot.enable = true;
+    efi.canTouchEfiVariables = true;
+  };
+
+  # enable systemd initrd
+  boot.initrd.systemd.enable = true;
+  
+  # plymouth
+  boot.plymouth = {
+    enable = true;
+    theme = "spinner";
+  };
+
+  # kernel options
+  boot.kernelParams = [ "quiet" "acpi.debug_level=0"];
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+  boot.consoleLogLevel = 2;
+
+  # Add boot-related packages
+  environment.systemPackages = with pkgs; [
+    efibootmgr
+    terminus_font
+  ];
+}

modules/nixos/certificates.nix

@@ -0,0 +1,22 @@
+{ config, lib, pkgs, ... }:
+
+let
+  caddyRootCA = ''
+    -----BEGIN CERTIFICATE-----
+    MIIBozCCAUmgAwIBAgIQf2N1DGp2HVOoPaGuGDEnwjAKBggqhkjOPQQDAjAwMS4w
+    LAYDVQQDEyVDYWRkeSBMb2NhbCBBdXRob3JpdHkgLSAyMDI1IEVDQyBSb290MB4X
+    DTI1MTEwNjE5NDA1OFoXDTM1MDkxNTE5NDA1OFowMDEuMCwGA1UEAxMlQ2FkZHkg
+    TG9jYWwgQXV0aG9yaXR5IC0gMjAyNSBFQ0MgUm9vdDBZMBMGByqGSM49AgEGCCqG
+    SM49AwEHA0IABGR9mSgKCSjvcv7LvvIcO84Wpf/KtC/aexT5shSKXd1R97kIyMI5
+    SUYz0MzbRZHJ4QMpIeALirOK9Eoy2zht0dKjRTBDMA4GA1UdDwEB/wQEAwIBBjAS
+    BgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBRHKfIfJrrA2DACFrunVSmdnJHO
+    1zAKBggqhkjOPQQDAgNIADBFAiAoqc0+cHeq/8SQN16CKjVvXpZuMkg7NLDoWYMw
+    KgmzowIhAJlkxzBdVngwnJu8uPrVizTGF6XtmUHdJ0NDeccEqUCr
+    -----END CERTIFICATE-----
+  '';
+in
+{
+  security.pki.certificates = [
+    caddyRootCA # self-signed pki ca for my home-lab
+  ];
+}

modules/nixos/gnupg.nix

@@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # enable gnupg agent
+  programs.gnupg.agent = {
+    enable = true;
+    enableSSHSupport = true;
+    pinentryPackage = pkgs.pinentry-curses;
+  };
+
+  environment.systemPackages = with pkgs; [ 
+    gnupg
+    pinentry-curses
+  ];
+}

modules/nixos/locales.nix

@@ -0,0 +1,26 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # set the time zone
+  time.timeZone = "Europe/Zurich";
+
+  # set internationalisation properties
+  i18n.defaultLocale = "en_US.UTF-8";
+  i18n.extraLocaleSettings = {
+    LC_ADDRESS = "en_US.UTF-8";
+    LC_IDENTIFICATION = "en_US.UTF-8";
+    LC_MEASUREMENT = "en_US.UTF-8";
+    LC_MONETARY = "en_US.UTF-8";
+    LC_NAME = "en_US.UTF-8";
+    LC_NUMERIC = "en_US.UTF-8";
+    LC_PAPER = "en_US.UTF-8";
+    LC_TELEPHONE = "en_US.UTF-8";
+    LC_TIME = "en_US.UTF-8";
+  };
+
+  # set console font and keymap
+  console = {
+    font = "Lat2-Terminus16";
+    keyMap = "de_CH-latin1";
+  };
+}

modules/nixos/networking.nix

@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # set hostnname
+  networking.hostName = "neon";
+
+  # user networkmanager
+  networking.networkmanager.enable = true;
+
+  # firewall default configs
+  networking.firewall.allowedTCPPorts = [ ];
+  networking.firewall.allowedUDPPorts = [ ];
+
+  # enable bluetooth
+  hardware.bluetooth.enable = true;
+  
+  # Add network-related packages
+  environment.systemPackages = with pkgs; [
+    wireguard-tools
+  ];
+}

modules/nixos/niri.nix

@@ -0,0 +1,11 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # just enable and install niri
+  programs.niri.enable = true;
+
+  # Add compositor-related packages
+  environment.systemPackages = with pkgs; [
+    xwayland-satellite
+  ];
+}

modules/nixos/noctalia.nix

@@ -1,10 +1,8 @@
-{ pkgs, inputs, ... }:
+{ config, lib, pkgs, inputs, ... }:
 {
   # install noctalia and helper packages
   environment.systemPackages = with pkgs; [
     inputs.noctalia.packages.${pkgs.stdenv.hostPlatform.system}.default
-    #kdePackages.qt6ct
-    #nwg-look
     adw-gtk3
     adwaita-qt
     adwaita-qt6

modules/nixos/openssh.nix

@@ -0,0 +1,9 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # enable the openssh daemon
+  services.openssh = {
+    enable = true;
+    openFirewall = true;
+  };
+}

modules/nixos/packages.nix

@@ -0,0 +1,53 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # system packges
+  environment.systemPackages = with pkgs; [
+    alacritty
+    btop
+    cowsay
+    dnsutils
+    ethtool
+    file
+    fwupd
+    fwupd-efi
+    ghostty
+    git
+    imagemagick
+    imv
+    iperf3
+    jq
+    kdePackages.qtmultimedia
+    kitty
+    ldns
+    lm_sensors
+    lsof
+    ltrace
+    mtr
+    neovim
+    nh
+    nix-output-monitor
+    nmap
+    nvd
+    p7zip
+    pciutils
+    sddm-astronaut
+    socat
+    sof-firmware
+    strace
+    sysstat
+    terminus_font
+    tree
+    unzip
+    usbutils
+    vim
+    wget
+    which
+    xz
+    zip
+    zstd
+  ];
+
+  # browser
+  programs.firefox.enable = true;
+}

modules/nixos/sddm.nix

@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # enable sddm and use astronaut theme
+  services.displayManager.sddm = {
+    enable = true;
+    wayland.enable = true;
+    autoNumlock = true;
+    enableHidpi = true;
+    theme = "sddm-astronaut-theme";
+    settings = {
+      Theme = {
+        Current = "sddm-astronaut-theme";
+      };
+    };
+    extraPackages = with pkgs; [
+      sddm-astronaut
+    ];
+  };
+}

modules/nixos/services.nix

@@ -0,0 +1,11 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # list of enabled services on the system
+  services = {
+    tuned.enable = true;
+    upower.enable = true;
+    fwupd.enable = true;
+    tailscale.enable = true;
+  };
+}

modules/nixos/settings.nix

@@ -0,0 +1,44 @@
+{ config, lib, pkgs, ... }:
+
+{
+  nix = {
+    # nix settings
+    settings = {
+      # enable flakes and nix-command
+      experimental-features = [ "nix-command" "flakes" ];
+      # auto-optimize my nix-store
+      auto-optimise-store = true;
+      # use all cores
+      max-jobs = "auto";  
+      # use all available cores per job
+      cores = 0;          
+      # add trusted substituters (binary caches)
+      substituters = [
+        "https://cache.nixos.org"
+        "https://nix-community.cachix.org"
+      ];
+      # add keys
+      trusted-public-keys = [
+        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      ];
+    };
+    
+    # enable automatic garbage collection
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 7d";
+    };
+  };
+
+  # links /libexec from derivations to /run/current-system/sw
+  environment.pathsToLink = [ "/libexec" ];
+  # set the default editor to vim
+  environment.variables.EDITOR = "vim";
+
+  # enable home-manager globally
+  home-manager.useGlobalPkgs = true;
+  home-manager.useUserPackages = true;
+  home-manager.backupFileExtension = "backup";
+}

modules/nixos/steam.nix

@@ -0,0 +1,23 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # allow unfree to install steam
+  nixpkgs.config.allowUnfree = true;
+
+  # enable steam and open firewall
+  programs.steam = {
+    enable = true;
+    remotePlay.openFirewall = true;
+    dedicatedServer.openFirewall = true;
+    localNetworkGameTransfers.openFirewall = true;
+    # add proton-glorious-eggroll
+    extraCompatPackages = with pkgs; [
+      proton-ge-bin
+    ];
+  };
+
+  # fix black screen in steam when using xwayland-satellite
+  programs.steam.package = pkgs.steam.override {
+    extraArgs = "-system-composer";
+  };
+}

modules/nixos/users.nix

@@ -0,0 +1,23 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # create users
+  users.users.aaron = {
+    isNormalUser = true;
+    group = "users";
+    extraGroups = [ "wheel" "networkmanager" ];
+    shell = pkgs.zsh;
+  };
+
+  # add default zsh config
+  programs.zsh = {
+    enable = true;
+    enableCompletion = true;
+    autosuggestions.enable = true;
+    ohMyZsh = {
+      enable = true;
+      plugins = [ "git" "sudo" ];
+      theme = "gentoo";
+    };
+  };
+}

users/aaron/home.nix

@@ -0,0 +1,18 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ../../modules/home-manager/git.nix
+    ../../modules/home-manager/nixvim.nix
+    ../../modules/home-manager/programs.nix
+    ../../modules/home-manager/shell.nix
+    ../../modules/home-manager/styling.nix
+    ../../modules/home-manager/tmux.nix
+  ];
+
+  home = {
+    username = "aaron";
+    homeDirectory = "/home/aaron";
+    stateVersion = "25.11";
+  };
+}