- Automation scripts to set up a fresh NixOS machine from scratch, or an arbitrary preinstalled Linux machine, with little effort
- Disk configuration using Disko
- Secret management in NixOS (agenix) and Home Manager (homeage) with age
- Secure boot support using Lanzaboote
- Checks source code with shellcheck, statix and nixfmt
- Daily automatic flake input updates committed to master when CI passes
- `nix-on-droid` (NixOnDroid-managed)
- `nixos-vm` (NixOS-managed)
- `non-nixos-vm` (Home Manager-managed)

See `flake.nix` for more information, such as the target system of each host.
```
.
├── flake.lock -- flake lockfile
├── flake.nix -- flake definition
├── home -- Home Manager configuration
│   ├── base -- basic configs
│   ├── programs -- custom program modules
│   ├── roles -- custom roles for bundling configsets
│   └── users -- user-specific config
├── hosts -- NixOS host configs
│   ├── nixos-vm
│   ├── nix-on-droid
│   └── non-nixos-vm
├── lib -- internal flake library
├── nix-on-droid -- custom NixOnDroid modules
├── nixos -- custom NixOS modules
│   ├── base -- basic configs
│   │   └── users -- user configs
│   ├── containers -- custom container modules
│   ├── programs -- custom program modules
│   └── roles -- custom roles for bundling configsets
└── secrets -- agenix-encrypted secrets
```
This flake can either be extended/modified directly or be used as a library.

If you are not planning to use this flake for multiple Nix configurations, feel free to fork this repo, add your host and user configurations into the folder structure and reference them in the `flake.nix`:
```nix
{
  description = "Custom config flake";
  inputs = {
    # ...
  };
  outputs = { self, nixpkgs, ... } @ inputs:
    let
      # ...
    in
    {
      homeConfigurations = listToAttrs [
        (mkHome x86_64-linux "demo@non-nixos-host")
      ];
      nixosConfigurations = listToAttrs [
        (mkNixos x86_64-linux "nixos-host")
      ];
      # ...
    };
}
```
Create a new flake and prepare the folder structure as above, according to your needs. Then add this flake to the inputs and define your hosts and users in the `flake.nix`:
```nix
{
  description = "Custom config flake";
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-22.05";
    nixcfg.url = "github:rake5k/nixcfg";
  };
  outputs = { nixpkgs, nixcfg, ... } @ inputs:
    let
      nixcfgLib = nixcfg.lib { inherit inputs; };
      # ...
    in
    with nixcfgLib;
    {
      homeConfigurations = listToAttrs [
        (mkHome x86_64-linux "demo@non-nixos-host")
      ];
      nixosConfigurations = listToAttrs [
        (mkNixos x86_64-linux "nixos-host")
      ];
    };
}
```
To install NixOS from the ISO of nixos.org on a fresh machine, run:

```sh
# If nix version < 2.4, run:
nix-shell -p nixFlakes

sudo su # become root
mkdir -p ~/.config/nix
echo "experimental-features = nix-command flakes" > ~/.config/nix/nix.conf
export FLAKE=github:rake5k/nixcfg
nix run $FLAKE#disko-install -- <hostname> $FLAKE [--disk <disk-name> /dev/by-id/<disk-id>]...
```
Where:

- `<hostname>` is your target machine's desired host name. Define it beforehand inside `nixosConfigurations` of `flake.nix`.
- `<disk-name>`/`<disk-id>` for each drive to be managed by disko (at least the name needs to be defined in `disko.devices.disk.<disk-name>` beforehand).

This will completely nuke all the data on the `<disk>` device provided. Make sure to have a working backup of your data from all drives connected to your target machine.

Warning: Even though the script should ask you before committing any changes to your machine, it can unexpectedly cause great harm!
After rebooting proceed with the next section.
```sh
sudo nix run github:rake5k/nixcfg#setup -- https://github.com/rake5k/nixcfg.git
```
```sh
# install Nix
mkdir -p ~/.config/nix
echo "experimental-features = nix-command flakes" > ~/.config/nix/nix.conf
sh <(curl -L https://nixos.org/nix/install) --no-channel-add --no-modify-profile
. ~/.nix-profile/etc/profile.d/nix.sh

# Set up this Nix configuration
nix run github:rake5k/nixcfg#setup -- https://github.com/rake5k/nixcfg.git

# set login shell
chsh -s /bin/zsh
```
Add the host public key into the `.agenix.toml` file and assign it to the appropriate groups. Push the updated `.agenix.toml` back to the git repository, pull it to an existing host and re-key all the secrets with the command:

```sh
# On NixOS:
sudo agenix -i /etc/ssh/ssh_host_ed25519_key -i ~/.age/key.txt -r -vv

# On non-NixOS:
agenix -i ~/.age/key.txt -r -vv
```
After pushing/pulling the re-keyed secrets, just run a rebuild of the new host's config for decrypting them.
```sh
# First decrypt the current secret
age --decrypt -i ~/.age/key.txt -o tmpfile < ./secrets/<secretfile>.age

# Update `tmpfile` contents...
vim tmpfile

# Re-encrypt the updated secret
age --encrypt --armor -i ~/.age/key.txt -o ./secrets/<secretfile>.age < tmpfile
```
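The manual flow above leaves the decrypted `tmpfile` in the working tree, where it is world-readable by default and one `git add .` away from being committed. The following script, an added example that is not part of the nixcfg repository, wraps the same decrypt/edit/re-encrypt steps so the plaintext only ever lives in a mode-0600 temp file that is removed on exit, and adds a check (usable as a pre-commit hook) that refuses any file under `secrets/` that is not armored age ciphertext. It assumes the `--armor` output format and the `~/.age/key.txt` identity path used above.

```shell
#!/bin/sh
# Added example, not code from rake5k/nixcfg. POSIX sh; needs age and mktemp.
set -eu

# edit_secret SECRET_FILE [IDENTITY]
#   SECRET_FILE: e.g. ./secrets/<name>.age   IDENTITY: defaults to ~/.age/key.txt
edit_secret() {
  secret=$1
  identity=${2:-"$HOME/.age/key.txt"}
  # 0600 temp file, preferably on the per-user tmpfs, never inside the repo.
  tmp=$(umask 077 && mktemp "${XDG_RUNTIME_DIR:-/tmp}/secret.XXXXXX")
  # Whatever happens below (editor crash, Ctrl-C), the plaintext is removed.
  trap 'rm -f "$tmp"' EXIT INT TERM
  age --decrypt -i "$identity" -o "$tmp" < "$secret"
  before=$(cksum < "$tmp")
  "${EDITOR:-vi}" "$tmp"
  # Re-encrypt only if the content changed, so an unchanged secret does not
  # produce a new ciphertext (and a spurious git diff).
  if [ "$(cksum < "$tmp")" != "$before" ]; then
    age --encrypt --armor -i "$identity" -o "$secret" < "$tmp"
  fi
  rm -f "$tmp"
  trap - EXIT INT TERM
}

# secrets_all_armored DIR
#   Returns 0 when every regular file in DIR is a *.age file whose first line
#   is the age armor header; otherwise prints the offenders and returns 1.
#   Wire it into .git/hooks/pre-commit to block a leftover plaintext file.
secrets_all_armored() {
  dir=$1
  bad=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    case $f in
      *.age)
        if [ "$(head -n 1 "$f")" != "-----BEGIN AGE ENCRYPTED FILE-----" ]; then
          echo "not armored age ciphertext: $f" >&2
          bad=1
        fi ;;
      *)
        echo "unexpected plaintext in secrets dir: $f" >&2
        bad=1 ;;
    esac
  done
  return "$bad"
}
```

Run `secrets_all_armored ./secrets` from a pre-commit hook and `edit_secret ./secrets/<secretfile>.age` instead of the manual commands.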
This corresponds to the classical software/system update process known from other distros.

```sh
nix flake update
```
To apply (install) the updated inputs on the system, just run a rebuild of the config.

```sh
# On NixOS
sudo nixos-rebuild switch

# On non-NixOS
hm-switch
```