README.md

# nixfiles

NixOS / nix-darwin / home-manager configuration for all hosts, built from a
single flake.

## Hosts

Defined in the host table in [`flake.nix`](./flake.nix):

| Configuration         | System           | Machine                                                                                                              |
| --------------------- | ---------------- | -------------------------------------------------------------------------------------------------------------------- |
| `lyrathorpe-mbp`      | `aarch64-linux`  | MacBook Pro (Apple Silicon, Asahi)                                                                                   |
| `lyrathorpe-t400`     | `x86_64-linux`   | ThinkPad T400 — [install notes](./system/machine/T400/README.md)                                                     |
| `lyrathorpe-macpro31` | `x86_64-linux`   | Mac Pro 3,1, desktop — [install notes](./system/machine/MacPro31/README.md)                                          |
| `emmathorpe-edaas`    | `x86_64-linux`   | Work WSL box (NixOS-WSL)                                                                                             |
| `lyrathorpe-rpi5`     | `aarch64-linux`  | Raspberry Pi 5 headless server: Docker host + nginx reverse proxy — [install notes](./system/machine/RPi5/README.md) |
| `lyrathorpe-mac`      | `aarch64-darwin` | macOS (nix-darwin)                                                                                                   |

Shared layers: `lyrathorpe/home` (home-manager: shell, git, editor),
`system/modules/common-nixos.nix` (all NixOS hosts: fonts, nix-ld, caches),
`system/modules/workstation.nix` (physical graphical hosts: audio, thermald,
earlyoom, fwupd), `system/modules/laptop.nix` (laptops: Wi-Fi, Bluetooth, power,
lid), and `system/modules/ssh.nix` (key-only sshd). The x86 hosts also pull
`nixos-hardware` profiles.

## Applying

```sh
# NixOS
sudo nixos-rebuild switch --flake .#<configuration>
# Darwin
darwin-rebuild switch --flake .#lyrathorpe-mac
```

## Shell environment & keybindings

- Interactive shell features (zsh, tmux, git, ssh, CLI tools, auto-tmux):
  [`lyrathorpe/home/README.md`](./lyrathorpe/home/README.md).
- All Sway / tmux / foot / zsh keyboard shortcuts:
  [`lyrathorpe/home/KEYBINDINGS.md`](./lyrathorpe/home/KEYBINDINGS.md).

## Login / greeter

Graphical (Sway) hosts log in through a Wayland greeter — `greetd` running
ReGreet inside the `cage` kiosk compositor — implemented in
[`lyrathorpe/swaywm.nix`](./lyrathorpe/swaywm.nix), gated on
`features.swayDesktop.enable` (the option is declared in
[`system/modules/features.nix`](./system/modules/features.nix), so headless hosts
can leave it off without importing `swaywm.nix`). The greeter is forced to Dvorak
to match the console and Sway session. Headless hosts (the WSL work box and the
Raspberry Pi server) keep plain TTY login. The target account needs a password
(`passwd <user>`) before it can log in.

## MacBook (Asahi) firmware

The MBP host references `system/modules/firmware/` for Apple peripheral
firmware (Wi-Fi/Bluetooth). These blobs are **committed** (tracked) even though
`.gitignore` lists the directory: the flake is `git+file`, so it only sees
tracked files — untracking them breaks `lyrathorpe-mbp` evaluation (and the CI
host-eval) because the config can't find the firmware. They are not
redistributable; the repo is private.

To refresh them, copy the firmware extracted during the Asahi install (from
`/etc/nixos/firmware`, or re-extract per the
[Asahi NixOS docs](https://github.com/tpwrules/nixos-apple-silicon)) into
`system/modules/firmware/` and commit with `git add -f`.

## Development

A dev shell and a formatting/lint gate are wired through the flake:

- `nix develop` — shell with `deadnix`, `statix`, `treefmt`, and the git
  `pre-commit` hooks (installed automatically on first entry).
- `nix fmt` — formats the tree via `treefmt` (nixfmt + shfmt + prettier;
  generated files and `flake.lock` are excluded).
- `nix flake check` — runs formatting, `deadnix`, `statix`, the pre-commit
  hooks, and evaluates every host. `.editorconfig` carries the base style;
  `statix.toml` disables the two house-style lints (`repeated_keys`,
  `empty_pattern`).

## CI

[`.gitea/workflows/ci.yaml`](./.gitea/workflows/ci.yaml) runs `nix flake check`
(formatting, `deadnix`, `statix`, the pre-commit hooks) and evaluates every
NixOS and Darwin host configuration on push/PR.
docs: add README with hosts, apply steps, and firmware caveat 2026-06-04 13:34:44 +00:00			`# nixfiles`

			`NixOS / nix-darwin / home-manager configuration for all hosts, built from a`
			`single flake.`

			`## Hosts`

			Defined in the host table in [`flake.nix`](./flake.nix):

docs(rpi5): add install notes and update host table 2026-06-16 13:32:11 +01:00			`\| Configuration \| System \| Machine \|`
			`\| --------------------- \| ---------------- \| -------------------------------------------------------------------------------------------------------------------- \|`
			\| `lyrathorpe-mbp` \| `aarch64-linux` \| MacBook Pro (Apple Silicon, Asahi) \|
			\| `lyrathorpe-t400` \| `x86_64-linux` \| ThinkPad T400 — [install notes](./system/machine/T400/README.md) \|
			\| `lyrathorpe-macpro31` \| `x86_64-linux` \| Mac Pro 3,1, desktop — [install notes](./system/machine/MacPro31/README.md) \|
			\| `emmathorpe-edaas` \| `x86_64-linux` \| Work WSL box (NixOS-WSL) \|
			\| `lyrathorpe-rpi5` \| `aarch64-linux` \| Raspberry Pi 5 headless server: Docker host + nginx reverse proxy — [install notes](./system/machine/RPi5/README.md) \|
			\| `lyrathorpe-mac` \| `aarch64-darwin` \| macOS (nix-darwin) \|
docs: add README with hosts, apply steps, and firmware caveat 2026-06-04 13:34:44 +00:00
			Shared layers: `lyrathorpe/home` (home-manager: shell, git, editor),
docs: document the audit improvements; fix remaining stale work refs 2026-06-10 16:49:15 +01:00			`system/modules/common-nixos.nix` (all NixOS hosts: fonts, nix-ld, caches),
			`system/modules/workstation.nix` (physical graphical hosts: audio, thermald,
			earlyoom, fwupd), `system/modules/laptop.nix` (laptops: Wi-Fi, Bluetooth, power,
			lid), and `system/modules/ssh.nix` (key-only sshd). The x86 hosts also pull
			`nixos-hardware` profiles.
docs: add README with hosts, apply steps, and firmware caveat 2026-06-04 13:34:44 +00:00
			`## Applying`

			```sh
			`# NixOS`
			`sudo nixos-rebuild switch --flake .#<configuration>`
			`# Darwin`
			`darwin-rebuild switch --flake .#lyrathorpe-mac`
			```

docs: document the interactive shell environment 2026-06-10 13:25:25 +01:00			`## Shell environment & keybindings`
docs: add a keybindings reference covering Sway/tmux/foot/zsh 2026-06-09 20:57:15 +01:00
docs: document the interactive shell environment 2026-06-10 13:25:25 +01:00			`- Interactive shell features (zsh, tmux, git, ssh, CLI tools, auto-tmux):`
			[`lyrathorpe/home/README.md`](./lyrathorpe/home/README.md).
			`- All Sway / tmux / foot / zsh keyboard shortcuts:`
			[`lyrathorpe/home/KEYBINDINGS.md`](./lyrathorpe/home/KEYBINDINGS.md).
docs: add a keybindings reference covering Sway/tmux/foot/zsh 2026-06-09 20:57:15 +01:00
docs(sway): note the Wayland greeter login in READMEs 2026-06-09 18:14:00 +01:00			`## Login / greeter`

			Graphical (Sway) hosts log in through a Wayland greeter — `greetd` running
docs(rpi5): add install notes and update host table 2026-06-16 13:32:11 +01:00			ReGreet inside the `cage` kiosk compositor — implemented in
docs(sway): note the Wayland greeter login in READMEs 2026-06-09 18:14:00 +01:00			[`lyrathorpe/swaywm.nix`](./lyrathorpe/swaywm.nix), gated on
docs(rpi5): add install notes and update host table 2026-06-16 13:32:11 +01:00			`features.swayDesktop.enable` (the option is declared in
			[`system/modules/features.nix`](./system/modules/features.nix), so headless hosts
			can leave it off without importing `swaywm.nix`). The greeter is forced to Dvorak
			`to match the console and Sway session. Headless hosts (the WSL work box and the`
			`Raspberry Pi server) keep plain TTY login. The target account needs a password`
docs(sway): note the Wayland greeter login in READMEs 2026-06-09 18:14:00 +01:00			(`passwd <user>`) before it can log in.

docs: add README with hosts, apply steps, and firmware caveat 2026-06-04 13:34:44 +00:00			`## MacBook (Asahi) firmware`

			The MBP host references `system/modules/firmware/` for Apple peripheral
chore(flake): treefmt + deadnix/statix + pre-commit; relocate work module 2026-06-10 14:57:21 +01:00			`firmware (Wi-Fi/Bluetooth). These blobs are committed (tracked) even though`
			`.gitignore` lists the directory: the flake is `git+file`, so it only sees
			tracked files — untracking them breaks `lyrathorpe-mbp` evaluation (and the CI
			`host-eval) because the config can't find the firmware. They are not`
			`redistributable; the repo is private.`

			`To refresh them, copy the firmware extracted during the Asahi install (from`
			`/etc/nixos/firmware`, or re-extract per the
docs: add README with hosts, apply steps, and firmware caveat 2026-06-04 13:34:44 +00:00			`[Asahi NixOS docs](https://github.com/tpwrules/nixos-apple-silicon)) into`
chore(flake): treefmt + deadnix/statix + pre-commit; relocate work module 2026-06-10 14:57:21 +01:00			`system/modules/firmware/` and commit with `git add -f`.

			`## Development`

			`A dev shell and a formatting/lint gate are wired through the flake:`

			- `nix develop` — shell with `deadnix`, `statix`, `treefmt`, and the git
			`pre-commit` hooks (installed automatically on first entry).
			- `nix fmt` — formats the tree via `treefmt` (nixfmt + shfmt + prettier;
			generated files and `flake.lock` are excluded).
			- `nix flake check` — runs formatting, `deadnix`, `statix`, the pre-commit
			hooks, and evaluates every host. `.editorconfig` carries the base style;
			`statix.toml` disables the two house-style lints (`repeated_keys`,
			`empty_pattern`).
docs: add README with hosts, apply steps, and firmware caveat 2026-06-04 13:34:44 +00:00
			`## CI`

docs: document the audit improvements; fix remaining stale work refs 2026-06-10 16:49:15 +01:00			[`.gitea/workflows/ci.yaml`](./.gitea/workflows/ci.yaml) runs `nix flake check`
			(formatting, `deadnix`, `statix`, the pre-commit hooks) and evaluates every
			`NixOS and Darwin host configuration on push/PR.`