2026-05-19 00:39:10 +02:00
1 changed files with 40 additions and 75 deletions
--- a/AGENTS.md
+++ b/AGENTS.md
@ -1,7 +1,6 @@
 # AGENTS.md
-This file teaches AI agents how to navigate and work with this NixOS
+This file teaches AI agents how to navigate and work with this NixOS configuration repository (`sid.ovh`).
 configuration repository (`sid.ovh`).
 ---
@ -9,14 +8,13 @@ configuration repository (`sid.ovh`).
 This is a NixOS flake managing three hosts:
-| Host  | IP (Tailscale) | Role                                              |
+| Host  | IP (Tailscale) | Role                                                 |
-|-------|----------------|---------------------------------------------------|
+|-------|----------------|------------------------------------------------------|
-| `sid` | `100.64.0.6`   | VPS — reverse proxy, mail, matrix, headscale      |
+| `sid` | `100.64.0.6`   | VPS - reverse proxy, mail, matrix, headscale         |
-| `rx4` | `100.64.0.10`  | Home server — open-webui, forgejo, vaultwarden, … |
+| `rx4` | `100.64.0.10`  | Home server - open-webui, forgejo, vaultwarden, etc. |
-| `vde` | `100.64.0.1`   | Desktop / workstation (not in use at the moment)  |
+| `vde` | `100.64.0.1`   | Desktop / workstation (not in use at the moment)     |
-Deployment is done via `deploy-rs` through a Forgejo CI pipeline
+Deployment is done via `deploy-rs` through a Forgejo CI pipeline (`.forgejo/workflows/deploy-configs.yml`).
 (`.forgejo/workflows/deploy-configs.yml`).
 ---
@ -24,25 +22,20 @@ Deployment is done via `deploy-rs` through a Forgejo CI pipeline
 ### What it is
-`synix` is the owner's **personal NixOS library flake**, hosted at:
+`synix` is a **NixOS library flake**, hosted at:
 ```
 https://git.sid.ovh/sid/synix.git
 ```
 It provides:
- **NixOS modules** (`inputs.synix.nixosModules.*`) — opinionated,
+- **NixOS modules** (`inputs.synix.nixosModules.*`): opinionated, reusable service configurations used heavily across all three hosts.
-  reusable service configurations used heavily across all three hosts.
+- **Home Manager modules** (`inputs.synix.homeModules.*`): desktop / user-space configurations (Hyprland, nixvim, waybar, etc.).
- **Home Manager modules** (`inputs.synix.homeModules.*`) — desktop /
+- **Packages** (`inputs.synix.packages.<system>.*`, also accessible via the `synix-packages` overlay as `pkgs.synix.*`): custom packages not in nixpkgs.
-  user-space configurations (Hyprland, nixvim, waybar, …).
+- **Overlays** (`inputs.synix.overlays.*`): nixpkgs modifications.
- **Packages** (`inputs.synix.packages.<system>.*`, also accessible via
+- **A utility library** (`inputs.synix.lib` / `lib.utils`): helper functions such as `mkVirtualHost` and `mkReverseProxyOption`.
-  the `synix-packages` overlay as `pkgs.synix.*`) — custom packages not
+- **Templates**: starter flake templates for servers, desktops, VMs, etc.
-  in nixpkgs.
+- **Apps**: convenience scripts (`deploy`, `rebuild`, `install`, etc.).
 - **Overlays** (`inputs.synix.overlays.*`) — nixpkgs modifications.
 - **A utility library** (`inputs.synix.lib` / `lib.utils`) — helper
  functions such as `mkVirtualHost` and `mkReverseProxyOption`.
 - **Templates** — starter flake templates for servers, desktops, VMs, etc.
 - **Apps** — convenience scripts (`deploy`, `rebuild`, `install`, …).
 ### How it is consumed in `sid.ovh`
@ -59,16 +52,13 @@ inputs = {
 };
 ```
-The active branch is **`release-25.11`**, aligned with `nixpkgs`
+The active branch is **`release-25.11`**, aligned with `nixpkgs` at `nixos-25.11`. A `develop` branch exists for unstable work. A local checkout can be used for testing by switching to the `git+file://` URL.
 `nixos-25.11`. A `develop` branch exists for unstable work. A local
 checkout can be used for testing by switching to the `git+file://` URL.
 ---
 ## `synix` Module Reference
-All NixOS modules are under `modules/nixos/` in the synix repo and
+All NixOS modules are under `modules/nixos/` in the synix repo and exposed as `inputs.synix.nixosModules.<name>`.
 exposed as `inputs.synix.nixosModules.<name>`.
 ### Infrastructure / base modules
@ -107,18 +97,13 @@ exposed as `inputs.synix.nixosModules.<name>`.
 ### Other available modules (not currently active in `sid.ovh`)
-`audio`, `bluetooth`, `amd`, `nvidia`, `jellyfin`, `i2pd`,
+`audio`, `bluetooth`, `amd`, `nvidia`, `jellyfin`, `i2pd`, `ftp-webserver`, `webPage`, `windows-oci`, `librechat-oci`, `nostr-relay`, `ollama`, `cifsMount`, `hyprland` (NixOS-level), `normalUsers`.
 `ftp-webserver`, `webPage`, `windows-oci`, `librechat-oci`,
 `nostr-relay`, `ollama`, `cifsMount`, `hyprland` (NixOS-level),
 `normalUsers`.
 ---
 ## `synix` Packages (`pkgs.synix.*`)
-Custom packages provided by synix and available via the
+Custom packages provided by synix and available via the `synix-packages` overlay (applied in `modules/nixos/common/overlays.nix`):
 `synix-packages` overlay (applied in
 `modules/nixos/common/overlays.nix`):
 | Package name                  | What it is |
 |-------------------------------|------------|
@ -135,15 +120,13 @@ Custom packages provided by synix and available via the
 | `pkgs.synix.bulk-rename`      | Batch file renaming script |
 | `pkgs.synix.pyman`            | Python man-page helper |
-The full list lives in `pkgs/default.nix` in the synix repo. All
+The full list lives in `pkgs/default.nix` in the synix repo. All packages are also accessible as `inputs.synix.packages.<system>.<name>`.
 packages are also accessible as `inputs.synix.packages.<system>.<name>`.
 ---
 ## `synix` Utility Library (`lib.utils`)
-Exposed as `inputs.synix.lib` and merged into the flake's `lib` in
+Exposed as `inputs.synix.lib` and merged into the flake's `lib` in `flake.nix`:
 `flake.nix`:
 ```nix
 lib = nixpkgs.lib.extend (final: prev: inputs.synix.lib or { });
@ -170,8 +153,7 @@ virtualHosts."${constants.services.forgejo.fqdn}" = mkVirtualHost {
 ## How `synix` Modules Are Imported
-In each host's `default.nix`, synix modules are imported directly from
+In each host's `default.nix`, synix modules are imported directly from the `inputs` special arg:
 the `inputs` special arg:
 ```nix
 # hosts/rx4/default.nix
@ -179,7 +161,7 @@ imports = [
  inputs.synix.nixosModules.common          # base system config
  inputs.synix.nixosModules.device.server   # server profile
  inputs.synix.nixosModules.openssh         # hardened SSH
-  # …service-specific modules in hosts/rx4/services/
+  # service-specific modules in hosts/rx4/services/
 ];
 ```
@ -207,18 +189,15 @@ imports = [
 | `old-stable-packages`   | `nixpkgs-25.05`  | `pkgs.old-stable.*`  |
 | `unstable-packages`     | `nixos-unstable` | `pkgs.unstable.*`    |
-`synix` also supplies its own `modifications` overlay
+`synix` also supplies its own `modifications` overlay (`inputs.synix.overlays.modifications`), merged into the local `modifications` overlay in `overlays/default.nix`.
 (`inputs.synix.overlays.modifications`), merged into the local
 `modifications` overlay in `overlays/default.nix`.
 ---
 ## Centralized Logging Architecture
-All hosts ship their systemd journal to a **central receiver running on
+All hosts ship their systemd journal to a **central receiver running on `sid`** over HTTP using `systemd-journal-remote` / `systemd-journal-upload`.
 `sid`** over HTTP using `systemd-journal-remote` / `systemd-journal-upload`.
-### Receiver (`sid`)
+### Receiver (local host `pc` which is not part of this flake)
 ```nix
 services.journald.remote = {
@ -248,19 +227,15 @@ services.journald.upload = {
 };
 ```
-> **Note:** The upload URL uses `100.64.0.5` — the Tailscale transport
+> **Note:** The upload URL uses `100.64.0.5` - the Tailscale transport IP for host `pc` (which is not part of this flake). Verify with `ip addr show tailscale0` and `hostname` if you are on host `pc` with IP `100.64.0.5`.
 > IP for `sid` (distinct from the advertised IP `100.64.0.6` in
 > `constants.nix`; verify with `ip addr show tailscale0` on `sid` if
 > queries fail).
-This module is applied to **every host** via
+This module is applied to **every host** via `outputs.nixosModules.common` -> `modules/nixos/common/default.nix`.
 `outputs.nixosModules.common` → `modules/nixos/common/default.nix`.
 ---
 ## Querying Remote Journals
-All queries run **on `sid`**, reading from `/var/log/journal/remote/`.
+All queries run **on `pc`**, reading from `/var/log/journal/remote/`.
 ### General pattern
@ -293,13 +268,10 @@ journalctl \
 ```
 This works because:
-1. `rx4` uploads its journal to `sid:19532`.
+1. `rx4` uploads its journal to `pc:19532`.
-2. The receiver stores it under `/var/log/journal/remote/` with
+2. The receiver stores it under `/var/log/journal/remote/` with `SplitMode=host`, preserving the `_HOSTNAME` field.
   `SplitMode=host`, preserving the `_HOSTNAME` field.
 3. `_HOSTNAME=rx4` narrows to that host's entries.
-4. `SYSTEMD_UNIT=podman-open-webui.service` targets the OCI container
+4. `SYSTEMD_UNIT=podman-open-webui.service` targets the OCI container unit for Open WebUI (defined in `hosts/rx4/services/open-webui-oci.nix`).
   unit for Open WebUI (defined in
   `hosts/rx4/services/open-webui-oci.nix`).
 ### Other useful queries
@ -308,30 +280,24 @@ This works because:
 journalctl -D /var/log/journal/remote/ _HOSTNAME=rx4 --no-pager -S "1 hour ago"
 # Forgejo on rx4
-journalctl -D /var/log/journal/remote/ _HOSTNAME=rx4 \
+journalctl -D /var/log/journal/remote/ _HOSTNAME=rx4 SYSTEMD_UNIT=forgejo.service --no-pager -n 50
  SYSTEMD_UNIT=forgejo.service --no-pager -n 50
 # Vaultwarden on rx4
-journalctl -D /var/log/journal/remote/ _HOSTNAME=rx4 \
+journalctl -D /var/log/journal/remote/ _HOSTNAME=rx4 SYSTEMD_UNIT=vaultwarden.service --no-pager -n 50
  SYSTEMD_UNIT=vaultwarden.service --no-pager -n 50
 # Nginx on rx4
-journalctl -D /var/log/journal/remote/ _HOSTNAME=rx4 \
+journalctl -D /var/log/journal/remote/ _HOSTNAME=rx4 SYSTEMD_UNIT=nginx.service --no-pager -n 50
  SYSTEMD_UNIT=nginx.service --no-pager -n 50
 # Matrix-synapse on sid
-journalctl -D /var/log/journal/remote/ _HOSTNAME=sid \
+journalctl -D /var/log/journal/remote/ _HOSTNAME=sid SYSTEMD_UNIT=matrix-synapse.service --no-pager -n 50
  SYSTEMD_UNIT=matrix-synapse.service --no-pager -n 50
 # Follow logs live
-journalctl -D /var/log/journal/remote/ _HOSTNAME=rx4 \
+journalctl -D /var/log/journal/remote/ _HOSTNAME=rx4 SYSTEMD_UNIT=podman-open-webui.service -f
  SYSTEMD_UNIT=podman-open-webui.service -f
 ```
 ### OCI container unit names
-Containers managed by `virtualisation.oci-containers` get units named
+Containers managed by `virtualisation.oci-containers` get units named `podman-<container-attr>.service`:
 `podman-<container-attr>.service`:
 | Container attr         | Unit name                              | Host |
 |------------------------|----------------------------------------|------|
@ -345,8 +311,7 @@ Containers managed by `virtualisation.oci-containers` get units named
 ## Permissions
-User `sid` must be in both `systemd-journal` and
+User `sid` must be in both `systemd-journal` and `systemd-journal-remote` to read `/var/log/journal/remote/`:
 `systemd-journal-remote` to read `/var/log/journal/remote/`:
 ```nix
 users.users.sid.extraGroups = [
@ -355,7 +320,7 @@ users.users.sid.extraGroups = [
 ];
 ```
-Verify with `id sid` on `sid`.
+Verify with `id sid` on `pc`.
 ---