- Automation scripts to set up a fresh NixOS machine from scratch, or an arbitrary preinstalled Linux machine, with little effort
- Disk configuration using Disko
- Secret management in NixOS (agenix) and Home Manager (homeage) with age
- Secure boot support using Lanzaboote
- Checks source code with shellcheck, statix and nixfmt
- Daily automatic flake input updates committed to master when CI passes
| Host | Managed by |
|---|---|
| `nix-on-droid` | NixOnDroid |
| `nixos-vm` | NixOS |
| `non-nixos-vm` | Home Manager |

See `flake.nix` for more information, such as each host's system.
```text
📂 .
├──🔒 flake.lock -- flake lockfile
├──❄ flake.nix -- flake definition
├──📂 home -- Home Manager configuration
│ ├──📂 base -- basic configs
│ ├──📂 programs -- custom program modules
│ ├──📂 roles -- custom roles for bundling configsets
│ └──📂 users -- user-specific config
├──📂 hosts -- NixOS host configs
│ ├──📂 nixos-vm
│ ├──📂 nix-on-droid
│ └──📂 non-nixos-vm
├──📂 lib -- internal flake library
├──📂 nix-on-droid -- custom NixOnDroid modules
├──📂 nixos -- custom NixOS modules
│ ├──📂 base -- basic configs
│ │ └──📂 users -- user configs
│ ├──📂 containers -- custom container modules
│ ├──📂 programs -- custom program modules
│ └──📂 roles -- custom roles for bundling configsets
└──📂 secrets -- agenix-encrypted secrets
```
This flake can be either extended/modified directly or be used as a library.
If you are not planning to use this flake for multiple Nix configurations, feel free to fork this
repo, add your host and user configurations into the folder structure above, and reference them in
`flake.nix`:

```nix
{
  description = "Custom config flake";
  inputs = {
    # ...
  };
  outputs = { self, nixpkgs, ... } @ inputs:
    let
      # ...
    in
    {
      homeConfigurations = listToAttrs [
        (mkHome x86_64-linux "demo@non-nixos-host")
      ];
      nixosConfigurations = listToAttrs [
        (mkNixos x86_64-linux "nixos-host")
      ];
      # ...
    };
}
```
Create a new flake and prepare the folder structure as above, according to your needs. Then, add
this flake to the inputs and define your hosts and users in `flake.nix`:

```nix
{
  description = "Custom config flake";
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-22.05";
    nixcfg.url = "github:rake5k/nixcfg";
  };
  outputs = { nixpkgs, nixcfg, ... } @ inputs:
    let
      nixcfgLib = nixcfg.lib { inherit inputs; };
      # ...
    in
    with nixcfgLib;
    {
      homeConfigurations = listToAttrs [
        (mkHome x86_64-linux "demo@non-nixos-host")
      ];
      nixosConfigurations = listToAttrs [
        (mkNixos x86_64-linux "nixos-host")
      ];
    };
}
```
To install NixOS from the ISO of nixos.org on a fresh machine, run:

```sh
# If nix version < 2.4, run:
nix-shell -p nixFlakes
sudo su # become root
mkdir -p ~/.config/nix
echo "experimental-features = nix-command flakes" > ~/.config/nix/nix.conf
export FLAKE=github:rake5k/nixcfg
nix run $FLAKE#disko-install -- <hostname> $FLAKE [--disk <disk-name> /dev/disk/by-id/<disk-id>]...
```
Where:

- `<hostname>` is your target machine's desired host name. Define it beforehand inside `nixosConfigurations` of `flake.nix`.
- `<disk-name>` / `<disk-id>`: one pair for each drive to be managed by disko (at least the name needs to be defined in `disko.devices.disk.<disk-name>` beforehand).
This will completely nuke all the data on every `<disk>` device you provide. Make sure you have a
working backup of the data on all drives connected to your target machine.

Warning: Even though the script should ask you before committing any changes to your machine, it can unexpectedly cause great harm!
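As an added example (not part of the nixcfg repository), a POSIX shell preflight that validates the `--disk <disk-name> <device>` pairs before they reach `disko-install`: each name must be one the host's `disko.devices.disk` defines (the caller passes that list in, an assumption), and each device must be a stable `/dev/disk/by-id` path for a whole disk rather than a partition.

```sh
#!/usr/bin/env sh
# Added example, not code from rake5k/nixcfg. Assumption: the caller knows the
# disk names defined in disko.devices.disk.<name> for the target host and
# passes them as a space-separated list in $1.

# validate_disk_args "NAME1 NAME2 ..." [--disk NAME DEVICE]...
# Prints one "NAME DEVICE" line per valid pair and returns 0; on the first
# problem it prints a reason to stderr and returns 1, so a caller can stop
# before anything destructive runs.
validate_disk_args() {
  known="$1"
  shift
  while [ "$#" -gt 0 ]; do
    if [ "$1" != "--disk" ]; then
      echo "unexpected argument: $1" >&2
      return 1
    fi
    name="$2"
    dev="$3"
    if [ -z "$name" ] || [ -z "$dev" ]; then
      echo "--disk needs NAME DEVICE" >&2
      return 1
    fi
    # The name must match a disk the host's disko config actually defines.
    case " $known " in
      *" $name "*) ;;
      *) echo "unknown disk name: $name" >&2; return 1 ;;
    esac
    # Only stable by-id paths: /dev/sdX style names can change between boots.
    case "$dev" in
      /dev/disk/by-id/*) ;;
      *) echo "$dev is not a stable /dev/disk/by-id path" >&2; return 1 ;;
    esac
    # disko partitions the whole disk; refuse a partition node.
    case "$dev" in
      *-part[0-9]*) echo "$dev is a partition, not a whole disk" >&2; return 1 ;;
    esac
    echo "$name $dev"
    shift 3
  done
}
```

A wrapper would call it as `validate_disk_args "main data" "$@" >/dev/null || exit 1` before invoking `disko-install` with the same arguments.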
After rebooting, proceed with the next section.

On NixOS, set up this configuration by running:

```sh
sudo nix run github:rake5k/nixcfg#setup -- https://github.com/rake5k/nixcfg.git
```
On a non-NixOS machine, install Nix first and then set up the configuration:

```sh
# install Nix
mkdir -p ~/.config/nix
echo "experimental-features = nix-command flakes" > ~/.config/nix/nix.conf
sh <(curl -L https://nixos.org/nix/install) --no-channel-add --no-modify-profile
. ~/.nix-profile/etc/profile.d/nix.sh
# Set up this Nix configuration
nix run github:rake5k/nixcfg#setup -- https://github.com/rake5k/nixcfg.git
# set login shell
chsh -s /bin/zsh
```
Add the host's public key to the `.agenix.toml` file and assign it to the appropriate
groups. Push the updated `.agenix.toml` back to the git repository, pull it on an existing host and
re-key all the secrets with the command:

```sh
# On NixOS:
sudo agenix -i /etc/ssh/ssh_host_ed25519_key -i ~/.age/key.txt -r -vv
# On non-NixOS:
agenix -i ~/.age/key.txt -r -vv
```
After pushing/pulling the re-keyed secrets, just run a rebuild of the new host's config to decrypt them.

To edit an existing secret:

```sh
# First decrypt current secret
age --decrypt -i ~/.age/key.txt -o tmpfile < ./secrets/<secretfile>.age
# Update `tmpfile` contents...
vim tmpfile
# Re-encrypt the updated secret
age --encrypt --armor -i ~/.age/key.txt -o ./secrets/<secretfile>.age < tmpfile
```
Updating the flake inputs corresponds to the classical software/system update process known from other distros:

```sh
nix flake update
```

To apply (install) the updated inputs on the system, just run a rebuild of the config:

```sh
# On NixOS
sudo nixos-rebuild switch
# On non-NixOS
hm-switch
```