
nix-dotfiles

System and home configurations for my machines.

| Machine  | Role        | OS     | Arch    | System config tool          | Home config tool |
|----------|-------------|--------|---------|-----------------------------|------------------|
| anderson | server      | linux  | x86_64  | dpkg/Docker (not this repo) | home-manager     |
| bosephus | server      | linux  | x86_64  | NixOS                       | home-manager     |
| mcentire | server      | linux  | x86_64  | NixOS                       | home-manager     |
| corianne | MacBook     | darwin | aarch64 | nix-darwin                  | home-manager     |
| odyssey  | workstation | linux  | x86_64  | Ansible                     | home-manager     |

Quickstart

Home dotfiles

> [!WARNING]
> Fedora systems will set this up automagically via Ansible. Follow the Fedora quickstart instructions.

Ensure Nix is installed, with the nix command and flakes enabled. I try to use the Determinate Nix installer (with upstream Nix) to install Nix with these options turned on by default.

curl -fsSL https://install.determinate.systems/nix | sh -s -- install

Once Nix is installed, clone the repository to ~/.config/home-manager and run the first home-manager switch for this user and host.

git clone https://code.millironx.com/millironx/nix-dotfiles.git ~/.config/home-manager
nix run home-manager -- switch --flake ~/.config/home-manager#$USER@$(hostname -s)

If the host has not yet been assigned a configuration in this repo, pick the configuration of a host with the same OS, arch, and role as the target system to get temporary dotfiles up and running.

nix run home-manager -- switch --flake ~/.config/home-manager#millironx@anderson

Once an SSH key (with or without GPG) has been set up and added to the authorized keys of the git server, switch the upstream to track an authorized (i.e. read/write) version of the repo.

cd ~/.config/home-manager
git remote set-url origin git@code.millironx.com:millironx/nix-dotfiles.git
cd -

NixOS

Switching to a flake-based config requires running as root. All of the following commands are assumed to be run as root.

Ensure that the nix command and flakes are enabled.

sed -i '/^}/i nix.settings.experimental-features = [ "nix-command" "flakes" ];' /etc/nixos/configuration.nix
nixos-rebuild switch

> [!NOTE]
> To allow secret decryption in the system, the machine-specific SSH key must be added to the publicKeys attribute of all applicable secrets, and the hardware-configuration.nix file must be added to git. Copying arbitrary strings like SSH keys or disk UUIDs between systems can be painful, so it might be worth setting up the home dotfiles immediately after enabling flakes, then running these steps on the same machine to avoid typos. Alternatively, I might someday be smart enough to create an installer CD that automagically sets this up for me.

Get the machine-specific public SSH key.

cat /etc/ssh/ssh_host_ed25519_key.pub

On a separate machine, add the machine's SSH key to ./secrets.nix and assign it to any secrets it would need.

let
  bosephus-host =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIxTfeg+GZsfmG8TuEV1xW1gXknAIKzZ3UjZ3guRY+EW root@nixos";
  bosephus-millironx =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKaDPqRJHoqgY2pseh/mnhjaGWXprHk2s5I52LhHpHcF millironx@bosephus";
  odyssey-millironx =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN9Aj7BtQp1Roa0tgopDrUo7g2am5WJ43lO1d1fDUz45 millironx@odyssey";

  system-administrators = [
    bosephus-millironx
    odyssey-millironx
  ];
in {
  "secrets/network-information.age".publicKeys = system-administrators
    ++ [ bosephus-host ];
}

Rekey the secrets, and push the updated secrets to the upstream repo.

nix run github:ryantm/agenix -- --rekey
git add secrets.nix secrets/*
git commit -m "added $NEW_HOST to secrets"
git push
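The note above warns that pasting host keys between machines invites typos. As an added pre-flight check (example script, not part of this repo), the following POSIX shell verifies that a pasted line is a well-formed ssh-ed25519 public key and that it is not already present in secrets.nix before the rekey step. The function names, the sample keys and the throwaway secrets.nix are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the nix-dotfiles repo: pre-flight check for a
# host key before it is pasted into secrets.nix, to catch copy/paste typos.
# Function names and the sample secrets.nix below are constructed here.

# Returns 0 if $1 ("ssh-ed25519 <base64> [comment]") is a structurally valid
# ed25519 public key: the blob must decode to exactly 51 bytes (uint32 11,
# "ssh-ed25519", uint32 32, 32-byte key) and carry the type string at offset 4.
valid_ed25519_pubkey() {
  _type=$(printf '%s\n' "$1" | awk '{print $1}')
  _blob=$(printf '%s\n' "$1" | awk '{print $2}')
  [ "$_type" = "ssh-ed25519" ] || return 1
  _len=$(printf '%s' "$_blob" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "$_len" = "51" ] || return 1
  _tag=$(printf '%s' "$_blob" | base64 -d 2>/dev/null | dd bs=1 skip=4 count=11 2>/dev/null)
  [ "$_tag" = "ssh-ed25519" ]
}

# Returns 0 if the key's base64 blob already appears in secrets.nix ($1).
key_in_secrets_nix() {
  _blob=$(printf '%s\n' "$2" | awk '{print $2}')
  grep -qF -- "$_blob" "$1"
}

# Combined check: 0 = valid and not yet registered, 1 = malformed key,
# 2 = blob already present (likely the wrong machine's key was pasted).
check_new_host_key() {
  valid_ed25519_pubkey "$2" || return 1
  key_in_secrets_nix "$1" "$2" && return 2
  return 0
}

# Constructed inputs for a stand-alone run: an all-zero key blob (structurally
# valid), the same blob with one character dropped, and a fresh blob.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA root@nixos'
TYPO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA root@nixos'
NEW_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB root@mcentire'
SAMPLE_SECRETS=$(mktemp)
cat > "$SAMPLE_SECRETS" <<EOF
let
  bosephus-host = "$SAMPLE_KEY";
in {
  "secrets/network-information.age".publicKeys = [ bosephus-host ];
}
EOF

# Real usage (not run here): check the machine's own host key against the repo.
# check_new_host_key ./secrets.nix "$(cat /etc/ssh/ssh_host_ed25519_key.pub)"
```

A non-zero exit from check_new_host_key means stop and re-copy the key rather than proceeding to agenix --rekey.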

Copy the target machine's hardware-configuration.nix file to this repo's ./systems/linux/hardware-configuration/$NEW_HOST.nix, and be sure to update the configuration to import its own hardware-configuration.

cp /etc/nixos/hardware-configuration.nix ./systems/linux/hardware-configuration/$NEW_HOST.nix

{ config, pkgs, ... }: {
  # in the new host's NixOS configuration, import its own hardware file
  imports = [
    ./hardware-configuration/bosephus.nix
  ];
}

Commit and push the hardware configuration to the upstream repo.

git add systems/linux/*
git commit -m "added $NEW_HOST hardware configuration"
git push

Now switch to the flake by pulling and switching in one step.

nixos-rebuild switch --flake git+https://code.millironx.com/millironx/nix-dotfiles#$(hostname -s)

Fedora

Fedora systems are managed using Ansible.

TODO

Home settings

TODO