❄️ Nix Configuration

Features

• Automation scripts to setup a fresh NixOS machine from scratch or an arbitrary preinstalled Linux machine easily
• Disk configuration using Disko
• Secret management in NixOS (agenix) and Home Manager (homeage) with age
• Secure boot support using Lanzaboote
• Checks source code with shellcheck, statix and nixfmt
• Weekly automatic flake input updates committed to master when CI passes

Supported configurations

• Nix-on-Droid-managed
  • nix-on-droid
• NixOS-managed
  • nixos-vm
• Home Manager-managed
  • non-nixos-vm

See flake.nix for more information like system.

Structure

📂 .
├──🔒 flake.lock    -- flake lockfile
├── ❄ flake.nix     -- flake definition
├──📂 home          -- Home Manager configuration
│  ├──📂 base       -- basic configs
│  ├──📂 programs   -- custom program modules
│  ├──📂 roles      -- custom roles for bundling configsets
│  └──📂 users      -- user-specific config
├──📂 hosts         -- NixOS host configs
│  ├──📂 nixos-vm
│  ├──📂 nix-on-droid
│  └──📂 non-nixos-vm
├──📂 lib           -- internal flake library
├──📂 nix-on-droid  -- custom NixOnDroid modules
├──📂 nixos         -- custom NixOS modules
│  ├──📂 base       -- basic configs
│  │   └──📂 users  -- user configs
│  ├──📂 containers -- custom container modules
│  ├──📂 programs   -- custom program modules
│  └──📂 roles      -- custom roles for bundling configsets
└──📂 secrets       -- agenix-encrypted secrets

Usage

This flake can be either extended/modified directly or be used as a library.

Directly

If you are not planning to use this flake for multiple Nix configurations, feel free to fork this repo and add your host and user configurations into the folder structure and reference them in the flake.nix:

{
  description = "Custom config flake";

  inputs = {
    # ...
  };

  outputs = { self, nixpkgs, ... } @ inputs:
    let
      # ...
    in
    {
      homeConfigurations = listToAttrs [
        (mkHome x86_64-linux "demo@non-nixos-host")
      ];

      nixosConfigurations = listToAttrs [
        (mkNixos x86_64-linux "nixos-host")
      ];

      # ...
    };
}

As a Library

Create a new flake and prepare the folder structure as above, according to your needs. Then, add this flake to the inputs and define your hosts and users in the flake.nix:

{
  description = "Custom config flake";

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-22.05";
    nixcfg.url = "github:rake5k/nixcfg";
  };

  outputs = { nixpkgs, nixcfg, ... } @ inputs:
    let
      nixcfgLib = nixcfg.lib { inherit inputs; };

      # ...
    in
    with nixcfgLib;
    {
      homeConfigurations = listToAttrs [
        (mkHome x86_64-linux "demo@non-nixos-host")
      ];

      nixosConfigurations = listToAttrs [
        (mkNixos x86_64-linux "nixos-host")
      ];
    };
}

Initial Setup

NixOS

NixOS installation

To install NixOS from the ISO of nixos.org on a fresh machine, run:

sudo su # become root
mkdir -p ~/.config/nix
echo "experimental-features = nix-command flakes" > ~/.config/nix/nix.conf

export FLAKE=github:rake5k/nixcfg
export NIX_CONFIG="extra-access-tokens = github.com=github_pat_**********************************************************************************"
nix run $FLAKE#disko-install -- <hostname> $FLAKE

Where <hostname> is your target machine's desired host name. Define it beforehand inside nixosConfigurations of flake.nix.

This will completely nuke all the data on your <disk> devices listed in the disko configuration. Make sure to have a working backup from your data of all drives connected to your target machine.

Warning: Even if the script should ask you before committing any changes to your machine, it can unexpectedly cause great harm!

After rebooting proceed with the next section.

NixOS config setup

sudo nix run github:rake5k/nixcfg#setup -- https://github.com/rake5k/nixcfg.git

Non-NixOS

Nix installation

# install Nix
mkdir -p ~/.config/nix
echo "experimental-features = nix-command flakes" > ~/.config/nix/nix.conf
sh <(curl -L https://nixos.org/nix/install) --no-channel-add --no-modify-profile
. ~/.nix-profile/etc/profile.d/nix.sh

Nix config setup

# Set up this Nix configuration
nix run github:rake5k/nixcfg#setup -- https://github.com/rake5k/nixcfg.git

# set login shell
chsh -s /bin/zsh

Nix-on-Droid setup

nix-on-droid switch --flake github:rake5k/nixcfg#<hostname>

Secrets management

Make secrets available on new host

Add the host public key into the .agenix.toml file and assign it to the appropriate groups. Push the updated .agenix.toml back to the git repository, pull it to an existing host and re-key all the secrets with the command:

# On NixOS:
sudo agenix -i /etc/ssh/ssh_host_ed25519_key -i ~/.age/key.txt -r -vv

# On non-NixOS:
agenix -i ~/.age/key.txt -r -vv

After pushing/pulling the re-keyed secrets, just run a rebuild of the new host's config for decrypting them.

Updating secrets

# First decrypt current secret
age --decrypt -i ~/.age/key.txt -o tmpfile < ./secrets/<secretfile>.age

# Update `tmpfile` contents...
vim tmpfile

# Re-encrypt the updated secret
age --encrypt --armor -i ~/.age/key.txt -o ./secrets/<secretfile>.age < tmpfile

Updating inputs

This corresponds to the classical software/system update process known from other distros.

nix flake update

To apply (install) the updated inputs on the system, just run a rebuild of the config.

Rebuilding

# On NixOS
sudo nixos-rebuild switch

# On non-NixOS
hm-switch