Forgot to commit my stuff btw

.config/nixos/flake.lock

@@ -162,11 +162,11 @@
         "nixpkgs": "nixpkgs_4"
       },
       "locked": {
-        "lastModified": 1735381016,
+        "lastModified": 1735735907,
-        "narHash": "sha256-CyCZFhMUkuYbSD6bxB/r43EdmDE7hYeZZPTCv0GudO4=",
+        "narHash": "sha256-/AOGn9qJMjrZQyWYbObHTKmWDUP0q9+0TAXOJnq6ik0=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "10e99c43cdf4a0713b4e81d90691d22c6a58bdf2",
+        "rev": "59a4c43e9ba6db24698c112720a58a334117de83",
         "type": "github"
       },
       "original": {
@@ -328,11 +328,11 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1734649271,
+        "lastModified": 1735471104,
-        "narHash": "sha256-4EVBRhOjMDuGtMaofAIqzJbg4Ql7Ai0PSeuVZTHjyKQ=",
+        "narHash": "sha256-0q9NGQySwDQc7RhAV2ukfnu7Gxa5/ybJ2ANT8DQrQrs=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d70bd19e0a38ad4790d3913bf08fcbfc9eeca507",
+        "rev": "88195a94f390381c6afcdaa933c2f6ff93959cb4",
         "type": "github"
       },
       "original": {
@@ -344,11 +344,11 @@
     },
     "nixpkgs_5": {
       "locked": {
-        "lastModified": 1735291276,
+        "lastModified": 1735471104,
-        "narHash": "sha256-NYVcA06+blsLG6wpAbSPTCyLvxD/92Hy4vlY9WxFI1M=",
+        "narHash": "sha256-0q9NGQySwDQc7RhAV2ukfnu7Gxa5/ybJ2ANT8DQrQrs=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "634fd46801442d760e09493a794c4f15db2d0cbb",
+        "rev": "88195a94f390381c6afcdaa933c2f6ff93959cb4",
         "type": "github"
       },
       "original": {

.config/nixos/flake.nix

@@ -3,21 +3,11 @@
 
   # try to be in-sync with the nix-channels
   inputs = {
-    nixpkgs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-      url = "github:NixOS/nixpkgs/nixos-unstable";
+    home-manager.url = "github:nix-community/home-manager/master";
-    };
+    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
-    home-manager = {
+    determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/0.1";
-      url = "github:nix-community/home-manager/master";
+    vscode-server.url = "github:nix-community/nixos-vscode-server";
-    };
-    nixos-hardware = {
-      url = "github:NixOS/nixos-hardware/master";
-    };
-    determinate = {
-      url = "https://flakehub.com/f/DeterminateSystems/determinate/0.1";
-    };
-    vscode-server = {
-      url = "github:nix-community/nixos-vscode-server";
-    };
   };
 
   outputs = {
@@ -32,10 +22,12 @@
       stellapent-cier = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
         modules = [
+          ./hosts/stellapent-cier/configuration.nix
+
+          # load Determinate Nix and the rest
           determinate.nixosModules.default
           vscode-server.nixosModules.default
           home-manager.nixosModules.home-manager
-          ./hosts/stellapent-cier/configuration.nix
         ];
       };
     };

.config/nixos/hosts/stellapent-cier/configuration.nix

@@ -9,13 +9,14 @@
     [
       ./hardware-configuration.nix
       ../../shared/meta-configs.nix
+      ../../shared/systemd.nix
       ../../shared/networking.nix
-      ../../shared/firewall.nix
-      ../../shared/tailscale.nix
-      ../../shared/ssh.nix
       ../../shared/locale.nix
-      ../../shared/kde-plasma.nix
+      ../../shared/server/tailscale.nix
-      ../../shared/bluetooth.nix
+      ../../shared/server/ssh.nix
+      ../../shared/desktop/kde-plasma.nix
+      ../../shared/desktop/bluetooth.nix
+      ../../shared/desktop/firewall.nix
     ];
 
   # Bootloader.
@@ -94,7 +95,8 @@
   # home-manager specifics
   home-manager.useUserPackages = true;
   home-manager.useGlobalPkgs = true;
-  home-manager.users.gildedguy = (import ./users/gildedguy.nix);
+  home-manager.users.gildedguy = import ./users/gildedguy.nix;
+  #programs.home-manager.enable = true; # allow home-manager to manage itself
 
   # Install firefox.
   programs.firefox.enable = true;
@@ -109,11 +111,15 @@
     btop
     htop
     google-chrome
+    direnv
+    cachix
   ];
 
   # Some programs need SUID wrappers, can be configured further or are
   # started in user sessions.
   programs.mtr.enable = true;
+
+  # enable gpg-agent with SSH support
   programs.gnupg.agent = {
      enable = true;
      enableSSHSupport = true;

.config/nixos/hosts/stellapent-cier/users/gildedguy.nix

@@ -1,211 +1,12 @@
 { config, pkgs, lib, ... }:
 
-let
-  vscExts = (import ../../../shared/vscode-extensions.nix) {
-    pkgs = pkgs;
-    lib = lib;
-  };
-  #extList = lib.attrsets.mapAttrsToList (name: value: value) vscExts;
-in
-with pkgs;
 {
-  # https://fnordig.de/til/nix/home-manager-allow-unfree.html
+  imports = [
-  nixpkgs = {
+    ../../../shared/home-manager/main.nix
-    config = {
-      allowUnfree = true;
-      # https://github.com/nix-community/home-manager/issues/2942
-      allowUnfreePredicate = (_: true);
-    };
-  };
-
-  # Home Manager needs a bit of information about you and the paths it should
-  # manage. Also don't ask how we got here on the roleplaying part.
-  home.username = "gildedguy";
-  home.homeDirectory = "/home/gildedguy";
-
-  # This value determines the Home Manager release that your configuration is
-  # compatible with. This helps avoid breakage when a new Home Manager release
-  # introduces backwards incompatible changes.
-  #
-  # You should not change this value, even if you update Home Manager. If you do
-  # want to update the value, then make sure to first check the Home Manager
-  # release notes.
-  home.stateVersion = "24.11"; # Please read the comment before changing.
-
-  # The home.packages option allows you to install Nix packages into your
-  # environment.
-  home.packages = with pkgs; [
-    # # Adds the 'hello' command to your environment. It prints a friendly
-    # # "Hello, world!" when run.
-    # pkgs.hello
-
-    # # It is sometimes useful to fine-tune packages, for example, by applying
-    # # overrides. You can do that directly here, just don't forget the
-    # # parentheses. Maybe you want to install Nerd Fonts with a limited number of
-    # # fonts?
-    # (pkgs.nerdfonts.override { fonts = [ "FantasqueSansMono" ]; })
-
-    # # You can also create simple shell scripts directly inside your
-    # # configuration. For example, this adds a command 'my-hello' to your
-    # # environment:
-    # (pkgs.writeShellScriptBin "my-hello" ''
-    #   echo "Hello, ${config.home.username}!"
-    # '')
-
-    ## devtools ##
-    # https://httpie.io
-    httpie
-    # https://devenv.sh
-    devenv
-    # https://cli.github.com
-    gh
-    # bet we'll going to have a field day since Copilot is now available for free
-    # (this is seperate from the gh copilot extension for those asking)
-    # context: https://github.blog/news-insights/product-news/github-copilot-in-vscode-free/
-    github-copilot-cli
-    # markdownlint
-    markdownlint-cli
-    # https://doppler.com
-    doppler
-
-    ## programming languages
-    deno
-    nodejs_22
-    python313
-    pipx
-    pipenv
-
-    ## language servers ##
-    # nix language server - https://github.com/oxalica/nil
-    nil
-    # https://github.com/alesbrelih/gitlab-ci-ls
-    gitlab-ci-ls
   ];
 
-  home.sessionPath = [
+  config = {
-    "$HOME/bin"
+    home.username = "gildedguy";
-  ];
+    home.homeDirectory = "/home/gildedguy";
-
-  # Home Manager is pretty good at managing dotfiles. The primary way to manage
-  # plain files is through 'home.file'.
-  home.file = {
-    # # Building this configuration will create a copy of 'dotfiles/screenrc' in
-    # # the Nix store. Activating the configuration will then make '~/.screenrc' a
-    # # symlink to the Nix store copy.
-    # ".screenrc".source = dotfiles/screenrc;
-
-    # # You can also set the file content immediately.
-    # ".gradle/gradle.properties".text = ''
-    #   org.gradle.console=verbose
-    #   org.gradle.daemon.idletimeout=3600000
-    # '';
   };
-
+}
-  # Home Manager can also manage your environment variables through
-  # 'home.sessionVariables'. These will be explicitly sourced when using a
-  # shell provided by Home Manager. If you don't want to manage your shell
-  # through Home Manager then you have to manually source 'hm-session-vars.sh'
-  # located at either
-  #
-  #  ~/.nix-profile/etc/profile.d/hm-session-vars.sh
-  #
-  # or
-  #
-  #  ~/.local/state/nix/profiles/profile/etc/profile.d/hm-session-vars.sh
-  #
-  # or
-  #
-  #  /etc/profiles/per-user/gildedguy/etc/profile.d/hm-session-vars.sh
-  #
-  home.sessionVariables = {
-    EDITOR = "nano";
-    NIXOS_ALLOW_UNFREE = "1"; # for impure builds
-    GIT_EDITOR = "code --wait";
-    VISUAL = "code --wait";
-    DOCKER_BUILDKIT = "1";
-  };
-
-  # Let Home Manager install and manage itself.
-  programs.home-manager.enable = true;
-
-  # let me cook with the configs, starting with git
-  programs.git = {
-    enable = true;
-    package = pkgs.gitAndTools.gitFull;
-    lfs = {
-      enable = true;
-    };
-    userName = "Andrei Jiroh Halili";
-    userEmail = "ajhalili2006@andreijiroh.dev";
-    aliases = {
-      signoff = "commit --signoff";
-      amend = "commit -a --amend";
-      remotes = "remote -v";
-      root = "rev-parse --show-toplevel";
-      unstage = "restore --staged";
-      stats = "status";
-    };
-    extraConfig = {
-      format = {
-        signOff = true;
-      };
-      init = {
-        defaultBranch = "main";
-      };
-
-      # https://groups.google.com/g/binary-transparency/c/f-BI4o8HZW0
-      transfer = {
-        fsckobjects = true;
-      };
-      fetch = {
-        fsckobjects = true;
-      };
-      receive = {
-        fsckobjects = true;
-      };
-      push = {
-        autoSetupRemote = true;
-      };
-
-      
-    };
-  };
-
-  programs.vscode = {
-    enable = true;
-    package = pkgs.vscode;
-    enableExtensionUpdateCheck = true;
-    mutableExtensionsDir = true;
-    # userSettings = {
-    #   "nix.enableLanguageServer" = true;
-    #   "nix.serverPath" = "nil";
-    #   "window.customTitleBarVisibility" = "auto";
-    #   "window.titleBarStyle" = "custom";
-    #   "window.menuBarVisibility" = "classic";
-    #   "redhat.telemetry.enabled" = true;
-    #   "github.copilot.editor.enableAutoCompletions" = false;
-    #   "github.copilot.chat.followUps" = "always";
-    #   "github.copilot.chat.terminalChatLocation" = "terminal";
-    #   "git.confirmSync" = false;
-    #   "microsoft-authentication.implementation" = "msal";
-    #   "workbench.colorTheme" = "GitHub Dark Colorblind (Beta)";
-    #   "workbench.iconTheme" = "material-icon-theme";
-    #   "workbench.productIconTheme" = "material-product-icons";
-    # };
-    # Note that not all extensions are available over gh:NixOS/nixpkgs repo, but
-    # we'll work on that soon.
-    extensions = with vscExts; [
-      pkief.material-icon-theme
-      pkief.material-product-icons
-      github.github-vscode-theme
-      wakatime.vscode-wakatime
-      doppler.doppler-vscode
-      eamodio.gitlens
-      vivaxy.vscode-conventional-commits
-      denoland.vscode-deno
-      jnoortheen.nix-ide
-      #redhat.vscode-yaml
-      unifiedjs.vscode-mdx
-    ];
-  };
-}

.config/nixos/shared/desktop/firewall.nix

@@ -3,25 +3,23 @@
 {
   # Open ports in the firewall.
   networking.firewall.allowedTCPPortRanges = [
-    { from = 1714; to = 1764; }
+    { from = 1714; to = 1764; } # used by KDE Connect
+    { from = 3000; to = 3999; }
+    { from = 8000; to = 8999; }
   ];
   networking.firewall.allowedUDPPortRanges = [
-    { from = 1714; to = 1764; }
+    { from = 1714; to = 1764; } # used by KDE Connect
+    { from = 3000; to = 3999; }
+    { from = 8000; to = 8999; }
   ];
   networking.firewall.allowedTCPPorts = [
     22
     80
     443
-    3000
-    8000
   ];
   networking.firewall.allowedUDPPorts = [
     22
     80
     443
-    3000
-    8000
   ];
-  # Or disable the firewall altogether.
-  # networking.firewall.enable = false;
 }

.config/nixos/shared/home-manager/main.nix

@@ -0,0 +1,193 @@
+# This is the meta configuration for my dotfiles with home-manager, except
+# some home.{username,userDirectory} configs to ensure portability between
+# hosts
+
+{ config, pkgs, lib, ... }:
+
+{
+  # https://fnordig.de/til/nix/home-manager-allow-unfree.html
+  nixpkgs = {
+    config = {
+      allowUnfree = true;
+      # https://github.com/nix-community/home-manager/issues/2942
+      allowUnfreePredicate = (_: true);
+    };
+  };
+
+  # This value determines the Home Manager release that your configuration is
+  # compatible with. This helps avoid breakage when a new Home Manager release
+  # introduces backwards incompatible changes.
+  #
+  # You should not change this value, even if you update Home Manager. If you do
+  # want to update the value, then make sure to first check the Home Manager
+  # release notes.
+  home.stateVersion = "24.11"; # Please read the comment before changing.
+
+  # The home.packages option allows you to install Nix packages into your
+  # environment.
+  home.packages = with pkgs; [
+    # # Adds the 'hello' command to your environment. It prints a friendly
+    # # "Hello, world!" when run.
+    # pkgs.hello
+
+    # # It is sometimes useful to fine-tune packages, for example, by applying
+    # # overrides. You can do that directly here, just don't forget the
+    # # parentheses. Maybe you want to install Nerd Fonts with a limited number of
+    # # fonts?
+    # (pkgs.nerdfonts.override { fonts = [ "FantasqueSansMono" ]; })
+
+    # # You can also create simple shell scripts directly inside your
+    # # configuration. For example, this adds a command 'my-hello' to your
+    # # environment:
+    # (pkgs.writeShellScriptBin "my-hello" ''
+    #   echo "Hello, ${config.home.username}!"
+    # '')
+
+    ## devtools ##
+    # https://httpie.io
+    httpie
+    # https://devenv.sh
+    devenv
+    # https://cli.github.com
+    gh
+    # bet we'll going to have a field day since Copilot is now available for free
+    # (this is seperate from the gh copilot extension for those asking)
+    # context: https://github.blog/news-insights/product-news/github-copilot-in-vscode-free/
+    github-copilot-cli
+    # markdownlint
+    markdownlint-cli
+    # https://doppler.com
+    doppler
+    direnv
+    shellcheck
+    hadolint
+
+    ## programming languages
+    deno
+    nodejs_22
+    python313
+    pipx
+    pipenv
+
+    ## language servers ##
+    # nix language server - https://github.com/oxalica/nil
+    nil
+    # https://github.com/alesbrelih/gitlab-ci-ls
+    gitlab-ci-ls
+  ];
+
+  home.sessionPath = [
+    "${config.home.homeDirectory}/bin"
+  ];
+
+  # Home Manager is pretty good at managing dotfiles. The primary way to manage
+  # plain files is through 'home.file'.
+  home.file = {
+    # # Building this configuration will create a copy of 'dotfiles/screenrc' in
+    # # the Nix store. Activating the configuration will then make '~/.screenrc' a
+    # # symlink to the Nix store copy.
+    # ".screenrc".source = dotfiles/screenrc;
+
+    # # You can also set the file content immediately.
+    # ".gradle/gradle.properties".text = ''
+    #   org.gradle.console=verbose
+    #   org.gradle.daemon.idletimeout=3600000
+    # '';
+  };
+
+  # Home Manager can also manage your environment variables through
+  # 'home.sessionVariables'. These will be explicitly sourced when using a
+  # shell provided by Home Manager. If you don't want to manage your shell
+  # through Home Manager then you have to manually source 'hm-session-vars.sh'
+  # located at either
+  #
+  #  ~/.nix-profile/etc/profile.d/hm-session-vars.sh
+  #
+  # or
+  #
+  #  ~/.local/state/nix/profiles/profile/etc/profile.d/hm-session-vars.sh
+  #
+  # or
+  #
+  #  /etc/profiles/per-user/gildedguy/etc/profile.d/hm-session-vars.sh
+  #
+  home.sessionVariables = {
+    EDITOR = "nano";
+    NIXOS_ALLOW_UNFREE = "1"; # for impure builds
+    GIT_EDITOR = "code --wait";
+    VISUAL = "code --wait";
+    DOCKER_BUILDKIT = "1";
+  };
+
+  # Let Home Manager install and manage itself.
+  programs.home-manager.enable = true;
+
+  # let me cook with the configs, starting with git
+  programs.git = {
+    enable = true;
+    package = pkgs.gitAndTools.gitFull;
+    lfs = {
+      enable = true;
+    };
+    userName = "Andrei Jiroh Halili";
+    userEmail = "ajhalili2006@andreijiroh.dev";
+    aliases = {
+      signoff = "commit --signoff";
+      amend = "commit -a --amend";
+      remotes = "remote -v";
+      root = "rev-parse --show-toplevel";
+      unstage = "restore --staged";
+      stats = "status";
+    };
+    extraConfig = {
+      format = {
+        signOff = true;
+      };
+      init = {
+        defaultBranch = "main";
+      };
+
+      # https://groups.google.com/g/binary-transparency/c/f-BI4o8HZW0
+      transfer = {
+        fsckobjects = true;
+      };
+      fetch = {
+        fsckobjects = true;
+      };
+      receive = {
+        fsckobjects = true;
+      };
+      push = {
+        autoSetupRemote = true;
+      };
+
+
+    };
+  };
+
+  programs.vscode = {
+    enable = true;
+    package = pkgs.vscode;
+    enableExtensionUpdateCheck = true;
+    mutableExtensionsDir = true;
+    # userSettings = {
+    #   "nix.enableLanguageServer" = true;
+    #   "nix.serverPath" = "nil";
+    #   "window.customTitleBarVisibility" = "auto";
+    #   "window.titleBarStyle" = "custom";
+    #   "window.menuBarVisibility" = "classic";
+    #   "redhat.telemetry.enabled" = true;
+    #   "github.copilot.editor.enableAutoCompletions" = false;
+    #   "github.copilot.chat.followUps" = "always";
+    #   "github.copilot.chat.terminalChatLocation" = "terminal";
+    #   "git.confirmSync" = false;
+    #   "microsoft-authentication.implementation" = "msal";
+    #   "workbench.colorTheme" = "GitHub Dark Colorblind (Beta)";
+    #   "workbench.iconTheme" = "material-icon-theme";
+    #   "workbench.productIconTheme" = "material-product-icons";
+    # };
+    # We're importing what's generated from nix4vscode here as a workaround
+    # for now.
+    #extensions = lib.attrsets.mapAttrsToList (_: v: v) vscExts;
+  };
+}

.config/nixos/shared/meta-configs.nix

@@ -1,4 +1,5 @@
-# This is the meta config file for nixpkgs and nix cli
+# This is the meta config file for nixpkgs and nix cli itself, including
+# trusted keys for cachnix caches
 
 { config, pkgs, lib, ... }:
 
@@ -13,6 +14,57 @@
     };
   };
 
-  # Enable the Flakes feature and the accompanying new nix command-line tool
+  nix = {
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+    settings = {
-}
+      # See https://nix.dev/manual/nix/latest/development/experimental-features
+      # for latest supported feature flags.
+      experimental-features = [
+        "nix-command"
+        "flakes"
+        "ca-derivations"
+        "cgroups"
+        "impure-derivations"
+        "git-hashing"
+        "fetch-tree"
+        "fetch-closure"
+        "local-overlay-store"
+        "mounted-ssh-store"
+        # "verified-fetches"
+      ];
+
+      trusted-users = [
+        "root"
+        "gildedguy"
+        "ajhalili2006"
+      ];
+
+      # just sync with trusted-users, but w/o root
+      allowed-users = [
+        "gildedguy"
+        "ajhalili2006"
+      ];
+
+      trusted-public-keys = [
+        # devenv.sh
+        "devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw="
+
+        # my caches for nixos and nixpkgs related builds (including devenvs)
+        "ajhalili2006-nixos-builds.cachix.org-1:fA8HXvGR1i792D+CxL2iW/TQzUcyoW7zPUmC9Q4mQLg="
+
+        # the main cache itself
+        "andreijiroh-dev.cachix.org-1:7Jd0STdBOLiNu5fiA+AKwcMqQD2PA1j9zLDGyDkuyBo="
+
+        # recaptime.dev cache
+        "recaptime-dev.cachix.org-1:b0UBO1zONf6ceTIoR06AKhgid4ZOl5kxB/gOIdZ9J6g="
+      ];
+
+      # also list them all too
+      trusted-substituters = [
+        "https://devenv.cachix.org"
+        "https://andreijiroh-dev.cachix.org"
+        "https://ajhalili2006-nixos-builds.cachix.org"
+        "https://recaptime-dev.cachix.org"
+      ];
+    };
+  };
+}

.config/nixos/shared/server/firewall.nix

@@ -0,0 +1,22 @@
+{ config, pkgs, lib, ... }:
+
+{
+  networking.firewall.allowedTCPPortRanges = [
+    { from = 3000; to = 3999; }
+    { from = 8000; to = 8999; }
+  ];
+  networking.firewall.allowedUDPPortRanges = [
+    { from = 3000; to = 3999; }
+    { from = 8000; to = 8999; }
+  ];
+  networking.firewall.allowedTCPPorts = [
+    22
+    80
+    443
+  ];
+  networking.firewall.allowedUDPPorts = [
+    22
+    80
+    443
+  ];
+}

.config/nixos/shared/ssh-keys.nix

@@ -0,0 +1,12 @@
+{
+  personal = {
+    y2022 = "";
+  };
+  rp_ssh_keys = {
+    gildedguy = "";
+  };
+
+  recaptime-dev = {
+    tbd = "";
+  };
+}

.config/nixos/shared/systemd.nix

@@ -0,0 +1,19 @@
+{ ... }:
+
+{
+  services.timesyncd = {
+    enable = true;
+    servers = [
+      # https://pubfiles.pagasa.dost.gov.ph/tamss/oras/time_synchronization_for_windows_7_and_8.pdf
+      "ntp.pagasa.dost.gov.ph"
+      # https://www.cloudflare.com/time/
+      "time.cloudflare.com"
+    ];
+    fallbackServers = [
+      "0.asia.pool.ntp.org"
+      "1.asia.pool.ntp.org"
+	    "2.asia.pool.ntp.org"
+	    "3.asia.pool.ntp.org"
+    ];
+  };
+}