{
  description = "NixOS flake with modular mesh networking tools";

  # Nix build robustness settings, applied while this flake is evaluated.
  # This is only a fallback for hosts without /etc/nix/nix.conf; the primary
  # setting lives in /etc/nix/nix.conf (written by the bootstrap script).
  # NOTE(review): Nix applies flake-level nixConfig only after the user has
  # accepted it (accept-flake-config / the interactive prompt), so it cannot
  # be relied on as the sole protection.
  nixConfig.download-buffer-size = 268435456; # 256 MiB (default: 64 MiB)

  ##############################################################################
  ## Inputs: nixpkgs + flake-parts + Home Manager + impermanence ##
  ##############################################################################
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    flake-parts.url = "github:hercules-ci/flake-parts";

    ############################################################################
    ## PINNED NIXPKGS INPUTS - Manual Update Required ##
    ############################################################################
    # These inputs are deliberately pinned so that specific package groups are
    # not broken by routine `nix flake update` runs.
    #
    # UPDATE PROCEDURE:
    #   1. git commit -m "pre-update: known working state before updating pinned inputs"
    #   2. nix flake lock --update-input nixpkgs-sdr (or whichever input)
    #   3. nix build .#nixosConfigurations.x230.config.system.build.toplevel
    #   4. If the build succeeds: test with nixos-rebuild switch, then commit
    #   5. If the build fails: git checkout flake.lock (revert to known-good)
    #
    # WHY PINNED: these packages are sensitive to toolchain changes in nixpkgs
    # (e.g. CMake version policy, Python version bumps). Pinning to a stable
    # release lets them survive `nix flake update` without breaking.
    ############################################################################

    # SDR packages (sdrpp, rtl-sdr, rtl_433)
    # Last updated: 2025-11-25 | Next review: 2026-02-25
    # NOTE(review): nixos-24.05 is past its end of life, so packages taken from
    # this input no longer receive security fixes. Treat the SDR package group
    # as unpatched until the pin can move to a supported release.
    nixpkgs-sdr.url = "github:NixOS/nixpkgs/nixos-24.05";

    # Signal Desktop (the server enforces a minimum client version, so this
    # needs frequent updates).
    # Update independently: nix flake update nixpkgs-signal
    # Last updated: 2026-03-07 | Next review: 2026-06-07
    nixpkgs-signal.url = "github:NixOS/nixpkgs/nixos-unstable";

    home-manager = {
      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    impermanence.url = "github:nix-community/impermanence";

    # Third-party overlays: what actually gets built is fixed by the revision
    # and narHash recorded in flake.lock, so review upstream changes before a
    # `nix flake update` moves these pins.
    rust-overlay = {
      url = "github:oxalica/rust-overlay";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    claude-code-overlay = {
      url = "github:ryoppippi/claude-code-overlay";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    # cgroup-exporter for per-cgroup metrics (PSI monitoring).
    # Only supports cgroup v2 (unified hierarchy).
    cgroup-exporter = {
      url = "github:arianvp/cgroup-exporter";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    # sops-nix for encrypted secrets management (age backend).
    # Decrypts repo-committed secrets at system activation time.
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  ##############################################################################
  ## Outputs: modular feature-based architecture using flake-parts ##
  ##############################################################################
  outputs = { flake-parts, ... }@inputs:
    flake-parts.lib.mkFlake { inherit inputs; } {

      ##########################################################################
      ## Multi-architecture support ##
      ##########################################################################
      systems = [
        "x86_64-linux"
        "aarch64-linux"
        # "riscv64-linux" # TODO: enable when ready for RISC-V testing
      ];

      ##########################################################################
      ## Modular feature imports - comment out a line to disable that feature ##
      ##########################################################################
      imports = [
        # Core infrastructure
        ./parts/core.nix                 # Essential: overlays, dev-shells, formatter
        ./parts/core-packages.nix        # Essential: sine-qua-non system packages
        ./parts/nixos-configurations.nix # System configurations

        # Feature modules (each can be disabled individually)
        ./parts/reticulum.nix            # Complete Reticulum ecosystem
        ./parts/local-tools.nix          # Custom packages (previewmd, system-info)
        ./parts/system-management.nix    # Boot errors, persistence, etc.
        ./parts/home-manager-modules.nix # Reusable home-manager configurations
        ./parts/security.nix             # Security tools (ssh-key-manager)
        ./parts/remote-desktop.nix       # RDP over SSH (server + client modules)
        ./parts/nix-builder.nix          # Remote Nix builder (distributed builds)
        ./parts/sops.nix                 # Secrets management (sops-nix + age)
        ./parts/basic-hardening.nix      # Basic security hardening (3-tier: baseline + extras + per-service)
        # ./parts/hotspot.nix            # DISABLED: Wi-Fi hotspot (caused wired internet failure)
        ./parts/guihotspot.nix           # Safe USB dongle GUI hotspots
        ./parts/sdr.nix                  # SDR++ Software Defined Radio
        ./parts/media-server.nix         # Jellyfin media server
        ./parts/network-appliance.nix    # Transparent bridge + Suricata IDS (Eye of Sauron)
        ./parts/deployment-profiles.nix  # Deployment profiles (media-server-direct, proxied, reverse-proxy)
        ./parts/monitoring.nix           # PSI + cgroups + systemd monitoring
        ./parts/radicle.nix              # Radicle decentralized code collaboration
      ];
    };
}