# CLAUDE.md

This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.

## What This Repo Is

A NixOS flake configuration managing multiple hosts (desktops, laptops, servers). All hosts share common settings via `hosts/configuration_common.nix` and are assembled in `hosts/default.nix`.

## Common Commands

```bash
# Format all nix files
nix fmt

# Build a host configuration (no activation)
nixos-rebuild build --flake .#<hostname>

# Switch the current host (bare ".#" selects the configuration matching the local hostname)
sudo nixos-rebuild switch --flake .#

# Build a custom package
nix build .#<package>

# Edit an age-encrypted secret
agenix -e secrets/<name>.age

# Re-key all secrets after adding a new host key to secrets/secrets.nix
agenix -r
```

## Architecture

### Entry Points

- `flake.nix` — defines inputs (nixpkgs stable=25.11, unstable, home-manager, agenix, lanzaboote, jovian-nixos, microvm, impermanence, noctalia) and calls `hosts/default.nix` for `nixosConfigurations`
- `hosts/default.nix` — instantiates every host via `lib.nixosSystem`; contains the `mkHM` helper that wires home-manager into a host's modules list

### Host Structure

Each host lives in `hosts/<hostname>/`:

- `default.nix` — imports either `../../modules/desktop` or `../../modules/server`, sets the module options (`myDesktop.*` / `myServer.*`), and adds host-specific settings
- `home.nix` — host-specific home-manager config (merged with `hosts/home.nix` for desktops or `hosts/home_server.nix` for servers)
- `hardware-configuration.nix` — generated hardware config

Shared host-level files:

- `hosts/configuration_common.nix` — applied to every host: SSH (key-only, no root), locale, nix GC/settings, zsh, fonts, auto-upgrade flake URL
- `hosts/home.nix` — desktop home-manager base
- `hosts/home_server.nix` — server home-manager base

### Module System

Two top-level NixOS modules expose all major knobs as typed options:

**`modules/desktop/default.nix`** — `myDesktop.*`

- `windowManager`: `"niri"` (default) | `"sway"` | `"kde"`
- `cpu`: `"amd"` | `"intel"` | `"none"` — selects KVM kernel params
- `virtualisation.enable` — podman (docker-compat) + qemu/libvirt + virt-manager
- `syncthing.{enable,devices,folders}`
- `openrgb.{enable,motherboard}`
- `laptop.{enable,lidSwitch,hibernateDelaySec}`
- `nitrokey.enable`
- `niri.hotkeyVariant`: `"default"` | `"lifebook"`
- `git.signingKey` — SSH key for commit signing
- `extraSystemPackages`

**`modules/server/default.nix`** — `myServer.*`

- `sshPort` (default 2220)
- `virtualisation.{enable,cpu}` — podman only (no libvirt)
- `fail2ban.enable`
- `autoUpgrade.enable` (default true)
- `uid`, `sudoRequiresPassword`, `extraGroups`, `extraSystemPackages`

Service bundles are imported as lists in host `default.nix`:

- `modules/services/server/` — kabtop services (gitea, nextcloud, matrix, coturn, hydra, mealie, etc.)
- `modules/services/nas/` — jupiter services (nfs, vaultwarden, syncthing, paperless)
- `modules/services/dmz/` — dmz services (gitea runner microVM)
- `modules/services/kabtopci/` — kabtopci services (hydra, gitea runner)
- `modules/services/nasbackup/` — nasbak backup jobs

### Secrets (agenix)

`secrets/secrets.nix` declares which age public keys (users + host SSH keys) can decrypt each `.age` file.

Add a new host: add its `ssh-ed25519` host key to `secrets/secrets.nix` in the relevant groups, then run `agenix -r` to re-key.

### Custom Packages & Overlays

- `packages/` — custom packages (e.g. `corosync-qdevice`), imported at `flake.nix` level
- `overlays/` — nixpkgs overlays applied globally
- Per-host overlays: set `nixpkgs.overlays` inside the host's `default.nix` so only that host is affected

### Disk Layouts

`disko/` contains reusable disko modules: `btrfs.nix`, `btrfs_luks.nix`, `nas_luks.nix` — referenced during initial install.

## Active Hosts

| Host | Role | WM / Notes |
|---|---|---|
| hades | Desktop | niri, AMD, Secure Boot (lanzaboote) |
| lifebook | Laptop | niri, Intel, Secure Boot |
| steamdeck | Gaming | KDE/Jovian-NixOS, Secure Boot |
| kabtop | Main server | gitea, nextcloud, matrix+bridges, coturn, hydra, mealie |
| kabtopci | CI server | hydra, nix-serve |
| jupiter | NAS | nfs, vaultwarden, syncthing, paperless |
| dmz | DMZ | gitea Actions homerunner microVM |
| nasbak | NAS backup | — |
| kubemaster-1 | K8s master | — |

See `SERVICES.md` for port-level service details per host.
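The `secrets/secrets.nix` layout described under "Secrets (agenix)" above, as an added illustrative example rather than this repository's actual file: every key string is a constructed placeholder, and the `.age` file names are hypothetical. It shows the point of per-secret key lists, which is that a host key can only ever decrypt the secrets that host actually needs.

```nix
# Added example of an agenix secrets.nix; not the repository's own file.
# All key material below is a constructed placeholder, not a real key.
let
  # User keys: people allowed to run `agenix -e` on these secrets.
  alice = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI<PLACEHOLDER-user-alice>";

  # Host keys: /etc/ssh/ssh_host_ed25519_key.pub of each host (see Active Hosts).
  kabtop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI<PLACEHOLDER-host-kabtop>";
  jupiter = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI<PLACEHOLDER-host-jupiter>";
  nasbak = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI<PLACEHOLDER-host-nasbak>";

  # Groups: a new host is added to exactly the groups whose secrets it needs,
  # followed by `agenix -r` so the affected .age files are re-encrypted.
  users = [ alice ];
  servers = [ kabtop jupiter nasbak ];
  nasHosts = [ jupiter nasbak ];
in
{
  # Hypothetical secret names. Each list is the complete set of recipients;
  # a key not listed here cannot decrypt that file even if it is a host key.
  "gitea-db-password.age".publicKeys = users ++ [ kabtop ];
  "vaultwarden-env.age".publicKeys = users ++ [ jupiter ];
  "nas-backup-key.age".publicKeys = users ++ nasHosts;
  "auto-upgrade-token.age".publicKeys = users ++ servers;
}
```

Run `agenix -r` from the repository root after editing this file so the new recipient lists are applied; secrets whose lists did not change are left as they are.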