This is the configuration for my machines running NixOS.
The main goal is to be fully declarative and reproducible while not compromising usability or security.
- Secure Boot with custom keys using lanzaboote
- Full disk encryption with the key enrolled in TPM2
- Encrypted home directory unlocked automatically on login with pam-mount
- impermanence (`/` on a tmpfs) with explicitly persisted paths
- Standalone home-manager activation script generation
- Image generation using nixos-generators to simplify installation and deployment
- Application sandboxing with nixpak
- Declarative disk partitioning using disko

Planned:

- Improve install script
- Configure nix on Android with nix-on-droid
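As an added example (not a module from this repository), the following NixOS module shows how the impermanence and Secure Boot features listed above fit together: root on a tmpfs, an explicit list of persisted paths, and lanzaboote pointed at a persisted key bundle. The mount point `/mnt/persist`, the tmpfs size and the `/etc/secureboot` location are assumptions, not this configuration's values; the option names themselves belong to the impermanence and lanzaboote modules.

```nix
# Added illustration, not this repository's own module.
# Assumed: the persistent volume is mounted at /mnt/persist (defined by disko
# elsewhere) and the Secure Boot signing keys live at /etc/secureboot.
{ lib, ... }:

{
  # Root is a tmpfs, so anything not listed under persistence below is gone
  # after a reboot.
  fileSystems."/" = {
    device = "none";
    fsType = "tmpfs";
    options = [ "defaults" "size=2G" "mode=755" ];
  };

  # The persistent volume must be available in the initrd so the bind mounts
  # can be set up before the rest of the system comes up.
  fileSystems."/mnt/persist".neededForBoot = true;

  # The impermanence module bind-mounts these paths from the persistent volume.
  environment.persistence."/mnt/persist" = {
    hideMounts = true;
    directories = [
      "/var/log"
      "/var/lib/nixos"            # uid/gid maps; keeps file ownership stable across boots
      "/var/lib/systemd/coredump"
      "/etc/secureboot"           # Secure Boot keys used by lanzaboote to sign each generation
    ];
    files = [
      "/etc/machine-id"
      # SSH host keys: without these the host identity changes on every boot
      # and every client sees a host-key-changed warning.
      "/etc/ssh/ssh_host_ed25519_key"
      "/etc/ssh/ssh_host_ed25519_key.pub"
    ];
  };

  # lanzaboote signs the kernel/initrd bundle with the keys in pkiBundle and
  # replaces systemd-boot, which therefore has to be disabled explicitly.
  boot.loader.systemd-boot.enable = lib.mkForce false;
  boot.lanzaboote = {
    enable = true;
    pkiBundle = "/etc/secureboot";
  };
}
```

The check worth making is the persisted list itself: the Secure Boot keys, the SSH host keys and `/etc/machine-id` must survive a reboot, otherwise the next generation cannot be signed and the host's identity changes. Everything not listed is discarded on reboot, which is the point of the feature.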

Your nix installation should have the `nix-command` and `flakes` features enabled; nix-installer will do this automatically.

Images can be built that contain nix and a copy of this repository to make installation simpler.

Run the disk partition script for a given system with `nix run .#diskConfigurations.<system>`, replacing `<system>` with the appropriate system in `systems/`.

A basic install script exists to automate the rest of the installation, but it must be modified for each system.

The flake contains small scripts to make applying changes and updating the system easier.

- After modifying the configuration, run `nix run .#apply` to apply the changes.
- To update the flake's inputs and apply the changes, run `nix run .#full-upgrade`.
- Use `nix run .#test` to verify that all systems evaluate successfully before committing.

Home Manager configurations can be applied without applying the entire system configuration. Impermanence is disabled when using a standalone configuration.

To apply the configuration, run `nix run .#homeConfigurations.<system>.<name>`, replacing `<system>` with the appropriate system in `systems/` and `<name>` with a username listed in that system's home config.

Images can be easily generated using nixos-generators. Run `nix build .#generators.<format>.<system>`, replacing `<format>` with an image format (e.g. `qcow`, `iso`) and `<system>` with the appropriate system in `systems/`.

An installation image for this configuration can be generated with `nix build .#generators.install-iso.installer`.

Note: generating images requires a large `$TMPDIR`. Consider running `nix build` with `NIX_REMOTE=local TMPDIR=/mnt/persist/tmp` to ensure adequate space is available.

The `nixos/` directory contains configuration files that modify the NixOS system state.

The `home/` directory contains configuration files that modify the user's home directory using home-manager. If an option would affect a home directory, or could be user-specific, it should go here:

- Applications (web browser, file browser, shell, development utils) and their configurations
- Themes (shell, applications)
- Desktop configuration

The `systems/` directory contains the declarations for individual systems, config imports, and system-specific configurations. Each system declaration, `systems/systemname/default.nix`, contains the basic information that imported configs need, such as:

- System name
- Architecture
- Kernel packages set
- nixpkgs channel

The declarations also have fields that specify config imports (for the system or for home). Files are usually imported from `nixos/` and `home/`, but a system's own configs that should not be shared live in `systems/systemname/nixos/`.

The file `systems/buildNixos.nix` takes these system declarations and builds a complete NixOS system from each; it also calls `systems/buildHomeConfigs.nix` to build the home configuration.

ragenix is used to encrypt files specified in `secrets.nix` and store them in `secrets/`; they are decrypted to `/run/agenix.d/` at runtime.
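As an added example (not a file from this repository), the following NixOS module shows how a ragenix-encrypted file is declared and consumed, with the matching `secrets.nix` entry in a comment. The secret name, the service user and the persisted host-key path are placeholders; the `age.*` options are the agenix/ragenix module's own.

```nix
# Added illustration, not this repository's own module.
#
# The matching entry in secrets.nix (read by the ragenix CLI, not imported by
# the system configuration) lists every public key allowed to decrypt the
# file, typically the host's SSH host key plus an administrator key:
#
#   {
#     "example-token.age".publicKeys = [
#       "ssh-ed25519 AAAA...host"    # constructed placeholder
#       "ssh-ed25519 AAAA...admin"   # constructed placeholder
#     ];
#   }
{ config, ... }:

{
  # Private key(s) used at activation time to decrypt secrets/*.age.
  # With an impermanent root, point this at the persisted copy of the host key
  # (path assumed here); the default /etc/ssh location may not exist yet when
  # secrets are decrypted.
  age.identityPaths = [ "/mnt/persist/etc/ssh/ssh_host_ed25519_key" ];

  age.secrets.example-token = {
    file = ../secrets/example-token.age;   # ciphertext, safe to commit
    owner = "example-service";             # placeholder service user
    group = "example-service";
    mode = "0400";
  };

  # Consumers reference the decrypted path (/run/agenix/example-token, a link
  # into /run/agenix.d/), never the ciphertext and never a plaintext copy in
  # the world-readable Nix store.
  systemd.services.example-service.serviceConfig.LoadCredential =
    "token:${config.age.secrets.example-token.path}";
}
```

Two things to verify after a change: the decrypted file under `/run/agenix.d/` carries the intended owner and mode, and no secret value ends up in `/nix/store` (for instance by being interpolated into a config file with `builtins.readFile`), since everything in the store is readable by every local user.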

A library directory contains Nix functions that may be useful in creating configurations. The functions are exposed to configurations in the `customLib` argument.