2026-04-06 06:53:19 +00:00
# FredOS NixOS Configuration
This is a NixOS flake-based configuration for multiple hosts:
- **FredOS-Gaming** — gaming desktop
- **FredOS-Mediaserver** — home media server **and the home router** (nftables NAT/firewall in `services/router.nix`; `networking.firewall` is disabled on this host, WAN exposure comes from `ports.toml`)
- **FredOS-Macbook** — MacBook laptop
## Structure
- `flake.nix` — flake inputs/outputs; all hosts track the `nixos-26.05` stable channel
- `common.nix` — shared configuration across all hosts
- `hosts/` — per-host NixOS configuration modules (imported per-host by `mkHost` in flake.nix)
- `hosts/hardware/` — hardware-specific configuration
- `home-manager/` — Home Manager configuration (via NixOS module)
- `services/` — modular service definitions, gated by hostname with `lib.mkIf`
- `settings/` — shared settings (desktop, hyprland, quickshell, stylix, …)
- `modules/crowdsec/` — vendored crowdsec modules from nixpkgs PR #446307; delete once that PR lands in the pinned channel
- `ports.toml` — WAN → LAN port forwards consumed by `services/router.nix`
## Deployment
Hosts never pull this repo locally — they rebuild from the Forgejo remote via the
`update` alias (`nixos-rebuild switch --refresh --flake git+https://forg.gregersen.it/rope/nixos`).
That means evaluation is **pure**: config can never read files outside the repo
(e.g. `/var/secrets`) at eval time. Secrets must be injected at service runtime
(see `services/crowdsec.nix` and `services/go2rtc.nix` for the pattern).
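
One way to inject a secret at service runtime under pure evaluation, as an added example (this is not the code in `services/crowdsec.nix` or `services/go2rtc.nix`). The unit name, daemon path, `--config` flag, config keys and secret file name are hypothetical; `LoadCredential`, `RuntimeDirectory` and `pkgs.replace-secret` are standard systemd/nixpkgs facilities.

```nix
# Added example, not part of this repo. Names marked "hypothetical" are assumptions.
{ pkgs, ... }:
let
  # The template is stored in the world-readable /nix/store,
  # so it carries only a placeholder, never the secret itself.
  configTemplate = pkgs.writeText "example-config.yaml" ''
    api:
      token: "@API_TOKEN@"
  '';
  daemon = "/run/current-system/sw/bin/example-daemon"; # hypothetical binary
in
{
  # Anti-pattern, shown for contrast:
  #   token = builtins.readFile /var/secrets/example-token;
  # Pure evaluation rejects the absolute path, and where it does evaluate
  # the value ends up in the store wherever it is used.

  systemd.services.example-daemon = {
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      DynamicUser = true;
      # Private tmpfs-backed directory under /run, removed when the unit stops.
      RuntimeDirectory = "example-daemon";
      RuntimeDirectoryMode = "0700";
      # systemd reads the file at unit start and exposes a copy under
      # $CREDENTIALS_DIRECTORY, visible only to this unit.
      LoadCredential = [ "api-token:/var/secrets/example-token" ];
      # %t expands to /run; --config is a hypothetical flag.
      ExecStart = "${daemon} --config %t/example-daemon/config.yaml";
    };
    # Render the real config at start time, outside the Nix store.
    preStart = ''
      install -m 0600 ${configTemplate} "$RUNTIME_DIRECTORY/config.yaml"
      ${pkgs.replace-secret}/bin/replace-secret '@API_TOKEN@' \
        "$CREDENTIALS_DIRECTORY/api-token" "$RUNTIME_DIRECTORY/config.yaml"
    '';
  };
}
```

Only the path string `/var/secrets/example-token` reaches the evaluated configuration; the file is opened on the host when the unit starts.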
## Code Evaluation
Always validate Nix expressions with `nix eval` before committing. For example:
```bash
# Evaluate a specific attribute to check for syntax/type errors
nix eval .#nixosConfigurations.FredOS-Gaming.config.system.stateVersion
# Full eval of a host without building
nix eval --raw .#nixosConfigurations.FredOS-Mediaserver.config.system.build.toplevel.drvPath
# Evaluate the full flake outputs to catch top-level errors
nix eval .#nixosConfigurations --apply builtins.attrNames
```
Use `nix flake check` for a broader check of the flake.