Nix Leveraging
Everything starts at flake.nix — one dependency graph that owns both a macOS laptop and a Netcup VPS. Instead of managing two machines with different tools, both collapse into the same reproducible interface.
At the machine level, modules/hosts/darwin.nix composes nix-darwin, home-manager, and nix-homebrew for macOS, while modules/hosts/netty.nix composes nixosSystem, disko, and home-manager for the server. The differences between hosts are encoded as data in lib/hosts.nix and modules/nixpkgs.nix — global username, per-host metadata, feature flags — so leaf modules never need ad hoc platform checks.
One layer down, packages are policy. lib/package-sets.nix, modules/base.nix, modules/packages.nix, and modules/homebrew.nix split the machine surface into core, extras, and fonts. Custom inputs like claude-code-nix, neovim-nightly, disko, and nix-homebrew are pinned in the flake, not installed by hand.
Below system packages sits the user environment. home/default.nix and home/common.nix make Home Manager the userland control plane. home/xdg.nix routes Rust, Go, Node, Python, AWS, and a dozen other tools into XDG-compliant paths. home/security.nix locks down SSH and GPG permissions on every activation. home/migration.nix handles the cutover from legacy ~/dots symlinks so nothing is left to clean up manually.
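The permission lock-down that home/security.nix is described as doing, written out as an added Home Manager module. This is an illustration of the pattern, not the repo's own file; the directory and file list, the modes, and the option name lockSecurityPerms are assumptions.

```nix
{ config, lib, pkgs, ... }:
let
  # Constructed example, not the repository's home/security.nix.
  # Directories that must be private to the user.
  privateDirs = [ ".ssh" ".gnupg" ];
  # Files whose contents must stay private; the list is an assumption.
  privateFiles = [
    ".ssh/config" ".ssh/authorized_keys" ".ssh/known_hosts"
    ".gnupg/gpg.conf" ".gnupg/gpg-agent.conf"
  ];
in
{
  # Runs on every `home-manager switch`, after the generation's files are
  # linked, so a stray chmod or a copied key cannot persist with loose modes.
  # `run` honours home-manager's dry-run mode.
  home.activation.lockSecurityPerms = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
    set -eu
    for d in ${lib.concatStringsSep " " privateDirs}; do
      d="$HOME/$d"
      if [ -d "$d" ]; then
        run chmod 0700 "$d"
      fi
    done
    for f in ${lib.concatStringsSep " " privateFiles}; do
      f="$HOME/$f"
      # Skip symlinks: a file managed by home.file points into the
      # read-only Nix store, where chmod would fail.
      if [ -f "$f" ] && [ ! -L "$f" ]; then
        run chmod 0600 "$f"
      fi
    done
    # Key material in ~/.ssh: public halves may be world-readable,
    # everything else is owner-only.
    for k in "$HOME"/.ssh/id_*; do
      [ -e "$k" ] || continue
      [ -L "$k" ] && continue
      case "$k" in
        *.pub) run chmod 0644 "$k" ;;
        *)     run chmod 0600 "$k" ;;
      esac
    done
  '';
}
```

Because the script re-runs on each activation, a permission regression is corrected at the next switch rather than silently surviving until sshd or gpg refuses the file.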
The shell and terminal layer is driven by a single palette in lib/theme.nix. That one definition renders colors for Ghostty, tmux, fzf, zsh syntax highlighting, bat, and delta. A generated theme script hot-swaps light and dark across all of them. home/tmux.nix adds session restore and directory-based window names. home/zsh.nix sets up vi mode, cursor-shape switching, XDG history, and deterministic PATH assembly. home/scripts.nix rounds out the ergonomics.
At the editor and agent layer, home/nvim.nix pins Neovim to the nightly overlay with seeded lockfile state. home/claude.nix and home/codex.nix keep AI tool configs repo-owned rather than scattered across $HOME. home/skills.nix installs global skills declaratively and only resyncs when the manifest hash changes.
For day-to-day operations, scripts/default.nix wraps local scripts into managed aliases via writeShellApplication. Secrets stay in Bitwarden and are rendered at activation time by scripts/render-bw-shell-secrets.sh and scripts/restore-bw-files.sh. Deployment is a single command: just switch for the laptop and just switch-netty for the server.
At the bottom of the stack, the VPS itself is a declarative service bundle in hosts/netty/configuration.nix: static networking, nginx with ACME, Forgejo mirroring to GitHub, a sandbox agent behind a CORS proxy, bounded GC and journald retention — a machine built to be rebuilt, not repaired.