millironx/nix-dotfiles
1
0
Fork 0
Code Issues Pull requests Releases Packages Activity Actions
No description
332 commits 3 branches 0 tags 590 KiB
Find a file
Exact
Thomas A. Christensen II 0571d801ed
services (bosephus): Remove pihole service
2025-12-04 09:07:16 -06:00
bin fix (podman-secrets): setuid path 2025-11-28 18:10:19 -06:00
dotfiles Switch prompt from Powerlevel10k to Starship 2025-06-25 13:51:33 -05:00
homes pkgs (desktop): add nixos-rebuild package 2025-12-04 09:00:54 -06:00
modules fix (podman-secrets): Use user systemd unit 2025-12-01 12:01:45 -06:00
pkgs pkg (desktop): Add ark (R kernel) derivation 2025-10-11 11:00:22 -05:00
playbooks pkgs (firefoxpwa): Remove Firefox PWAs 2025-11-19 09:28:04 -06:00
programs programs (zed): Add build+preview on demand support for LaTeX 2025-12-04 08:59:53 -06:00
secrets service (mcentire): Add authentik service 2025-11-28 15:41:59 -06:00
services services (bosephus): Remove pihole service 2025-12-04 09:07:16 -06:00
systems services (bosephus): Remove pihole service 2025-12-04 09:07:16 -06:00
.ansible-lint-ignore Move ansible plays to separate files 2025-09-29 10:01:53 -05:00
.gitignore meta: Add gitignore 2025-12-01 08:37:00 -06:00
flake.lock nix-builder (corianne): Add rosetta builder 2025-12-04 09:00:37 -06:00
flake.nix nix-builder (corianne): Add rosetta builder 2025-12-04 09:00:37 -06:00
inventory.yaml config (harmony): Remove Harmony/Asahi configs 2025-11-16 18:24:23 -06:00
playbook.yaml Move ansible plays to separate files 2025-09-29 10:01:53 -05:00
README.md docs: Add mcentire to README 2025-12-01 09:17:07 -06:00
secrets.nix service (mcentire): Add authentik service 2025-11-28 15:41:59 -06:00
secrets_file.enc secrets: Rekey secrets for secret purposes 2025-11-13 14:47:26 -06:00
secrets_odyssey.enc secrets: Rekey secrets for secret purposes 2025-11-13 14:47:26 -06:00

README.md

nix-dotfiles

System and home configurations for my machines.

Machine Role OS Arch System config tool Home config tool
anderson server linux x86_64 dpkg/Docker (not this repo) home-manager
bosephus server linux x86_64 NixOS home-manager
mcentire server linux x86_64 NixOS home-manager
corianne MacBook darwin aarch64 nix-darwin home-manager
odyssey workstation linux x86_64 Ansible home-manager

Quickstart

Home dotfiles

![WARNING] Fedora systems will set this up automagically via Ansible. Follow the Fedora quickstart instructions.

Ensure Nix is installed, with the nix command and flakes enabled. I try to use the Determinate Nix installer (with upstream Nix) to install Nix with these options turned on by default.

curl -fsSL https://install.determinate.systems/nix | sh -s -- install

Once Nix is installed, clone the repository to ~/.config/home-manager and initiate home-manager.

git clone https://code.millironx.com/millironx/nix-dotfiles.git ~/.config/home-manager
nix run home-manager -- switch --flake ~/.config/home-manager#$USER@$(hostname -s)

In the case that the host has not been assigned a configuration within this repo yet, pick a hostname with the same system OS, arch, and role as the target system to get temporary dotfiles up and running.

nix run home-manager -- switch --flake ~/.config/home-manager#millironx@anderson

Once an SSH (with or without GPG) key has been setup and added to the authorized keys of the git server, switch the upstream to track an authorized (i.e. read/write) version of the repo.

cd ~/.config/home-manager
git remote set-url origin git@code.millironx.com:millironx/nix-dotfiles.git
cd -

NixOS

Switching to a flake-based config requires running as root. All of the following commands are assumed to be running as root.

Ensure that the nix command and flakes are enabled.

sed -i '/^}/i nix.settings.experimental-features = [ "nix-command" "flakes" ];' /etc/nixos/configuration.nix
nixos-rebuild switch

![NOTE] To allow secret decryption in the system, the machine-specific SSH key must be added to the publicKeys attribute of all applicable secrets, and the hardware-configuration.nix file must be added to git. Copying arbitrary strings like SSH keys or disk UUIDs between systems can be painful, so it might be worth setting up the home dotfiles immediately after enabling flakes, then running these steps on the same machine to avoid typos. Alternatively, I might someday be smart enough to create an installer CD that automagically sets this up for me.

Get the machine-specific public SSH key.

cat /etc/ssh/ssh_host_ed25519_key.pub

On a separate machine, add the machine's SSH key to ./secrets.nix and assign it to any secrets it would need.

let
  bosephus-host =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIxTfeg+GZsfmG8TuEV1xW1gXknAIKzZ3UjZ3guRY+EW root@nixos";
  bosephus-millironx =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKaDPqRJHoqgY2pseh/mnhjaGWXprHk2s5I52LhHpHcF millironx@bosephus";
  odyssey-millironx =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN9Aj7BtQp1Roa0tgopDrUo7g2am5WJ43lO1d1fDUz45 millironx@odyssey";

    system-administrators = [
      bosephus-millironx
      odyssey-millironx
    ];
in {
  "secrets/network-information.age".publicKeys = system-administrators
    ++ [ bosephus-host ];
}

Rekey the secrets, and push the updated secrets to the upstream repo.

nix run github:ryantm/agenix -- --rekey
git add secrets.nix secrets/*
git commit -m "added $NEW_HOST to secrets"
git push

Copy the target machine's hardware-configuration.nix file to this repo's ./systems/linux/hardware-configuration/$NEW_HOST.nix, and be sure to update the configuration to import its own hardware-configuration.

cp /etc/nixos/hardware-configuration.nix ./systems/linux/hardware-configuration/$NEW_HOST.nix

{ config, pkgs, ... }: {
  imports = [
    ./hardware-configuration/bosephus.nix
  ];
}

Commit and push the hardware configuration to the upstream repo.

git add systems/linux/*
git commit -m "added $NEW_HOST hardware configuration"
git push

Now switch to the flake by pulling and switching in one step.

nixos-rebuild switch --flake git+https://code.millironx.com/millironx/nix-dotfiles#$(hostname -s)

Fedora

Fedora systems are managed using Ansible.

TODO

Home settings

TODO