No description

Find a file

Patrick e8a8a15086 WIP: kernel things		2025-12-31 15:47:51 +01:00
config	format	2025-12-31 15:47:45 +01:00
hosts	WIP: kernel things	2025-12-31 15:47:51 +01:00
keys	fix: better yubikey detection	2025-10-11 22:55:04 +02:00
modules	feat: snapshot automatically	2025-11-01 13:11:45 +01:00
modules-hm	feat: nucnix	2024-12-14 21:45:46 +01:00
nix	update	2025-11-23 15:30:25 +01:00
patches/PR	update	2025-12-17 22:26:51 +01:00
pkgs	fix: add mainProgram	2025-09-17 19:33:18 +02:00
secrets	feat: add dev mail account	2025-11-01 13:11:46 +01:00
users	format	2025-12-31 15:47:45 +01:00
.envrc	feat: switch to treefmt	2025-05-13 18:59:49 +02:00
.gitignore	feat: jj more config	2025-05-07 15:54:59 +02:00
flake.lock	update	2025-12-31 15:47:51 +01:00
flake.nix	feat: try dank material shell	2025-12-19 22:39:48 +01:00
globals.nix	feat: mealie	2025-12-25 11:21:00 +01:00
ids.json	feat: bookstack	2025-12-25 11:21:00 +01:00
README.md	feat: aggregate services for faster evaluation	2025-10-11 22:55:09 +02:00
statix.toml	feat: systemd upgrade	2023-09-18 17:27:54 +02:00
STRUCTURE.md	feat: allow for own patches	2024-11-05 15:20:07 +01:00

Meine wundervolle nix config ❄️

Hosts

	Name	Device	Description
💻	patricknix	HP spectre x360	Patrick's laptop, mainly used for on the go university
🖥️	desktopnix	Intel i5-8600K NVIDIA GeForce GTX 1080 32 GiB RAM	Patrick's desktop, used for most development and gaming
🖥️	elisabeth	AMD Ryzen 7 5800X 32 GiB RAM	Server running most cloud services
🖥️	mailnix	Hetzner VPS	Static IP server running mail
🖥️	torweg	Hetzner VPS	Static IP server running gatway services

This showcases my end user setup, which I dailydrive on all my hosts.

	Programm	Description
🐚 Shell	ZSH & Starship	ZSH with FZF autocomplete, starship prompt, sqlite history and histdb-skim for fancy reverse search
🪟 WM	Hyprland	Tiling window manager
🖼️ Styling	Stylix	globally consistent styling
📝 Editor	NeoVim	Extensively configured neovim
🎮 Gaming	Bottles & Steam	Pew, Pew and such
🌐 Browser	Firefox	Heavily configured Firefox to still my privacy and security needs
💻 Terminal	Kitty	fast terminal
🎵 Music	Spotify	Fancy looking spotify using spicetify
📫 Mail	Thunderbird	Best email client there is

These are services I've set up

	Programm	Description
💸 Budgeting	FireflyIII	Self Hosted budgeting tool
🛡️ AdBlock	AdGuard Home	DNS Adblocker
🔨 Git	Forgejo	Selfhosted GitHub alternative
📸 Photos	Immich	Selfhosted Google Photos equivalent
🔒 SSO	Kanidm	Secure single sign on Identity Provider
📧 E-Mail	Stalwart	All in one mail server
🎧 Communication	Teamspeak	Selfhosted teamspeak server for secure and always available communication
🌐 VPN	Firezone	Easy to use peer to peer VPN solution based on wireguard
🌧️ Cloud	NextCloud	All in one cloud solution providing online File storage as well as notes, contacts and calendar synchronization
🗄️ Documents	Paperless	Machine learnig supported document organizing plattform
📁 NAS	Samba	Local network shared storage
📰 Feedreader	freshRSS	hosted RSS feed aggregator
🔑 Passwords	Vaultwarden	Self hosted bitwarden server
🎵 Music	Your Spotify	Spotify listening habits analyzer

These are notable external flakes which this config depend upon

Name	Usage
NixVim	NeoVim using nix
MicroVM	Declarative VMs
Disko	disk partitioning
nixos-generators	generate installers
home-manager	user config
agenix	secret files for nix
agenix-rekey	secret files that are git commitable
nixos-nftables-firewall	nftables based firewall
impermanence	stateless filesystem
lanzaboote	Secure Boot
stylix	theming
spicetify	spotify looking fancy

Create host configuration in hosts/<name>
1. Create and fill default.nix
2. Fill net.nix
3. Fill fs.nix
4. Don't forget to add necessary config for filesystems, etc.
Generate ISO image using nix build --print-out-paths --no-link .#images.<target-system>.live-iso
- This might take multiple minutes(~10)
- Alternatively boot an official nixos image connect with password
Copy ISO to usb using dd
After booting copy the installer to the live system using nix copy --to <target> .#minimalConfigurations.<target-system>.config.system.build.installFromLive
Run the installer script from the nix store of the live system
- you can get the path using nix path-info .#minimalConfigurations.<target-system>.config.system.build.installFromLive
Export all zpools and reboot into system
Retrieve hostkeys using ssh-keyscan <host> | grep -o 'ssh-ed25519.*' > host/<target>/secrets/host.pub
Deploy system

Add service config to config/services/<service>
1. Add Impermanence
2. Add allowed ports
Add id to ids.json
Add UID to config/basic/users.nix
Add definitions to globals.nix
Add Container/VM to hosts/<host>/guests.nix
Run agenix generate && agenix rekey
Deploy system
Fetch ssh hostkey using ssh-keyscan
Rekey again agenix rekey
Deploy again

generate keys with sbctl create-keys
tar the resulting folder using tar cvf secureboot.tar -C /var/lib/sbctl .
Copy the tar to local using scp and encrypt it using rage
- rage -e -R ./secrets/recipients.txt secureboot.tar -o <host>/secrets/secureboot.tar.age
safe the encrypted archive to hosts/<host>/secrets/secureboot.tar.age
DO NOT forget to delete the unecrypted archives
Deploy your system with lanzaboote enabled
ensure the boot files are signed using sbctl verify
Now reboot the computer into BIOS and enable secureboot, this may include removing any existing old keys
bootctl should now read Secure Boot: disabled (setup)
you can now enroll your secureboot keys using
sbctl enroll-keys If you want to be able to boot microsoft signed images append --microsoft
Time to reboot and pray

If deploying from a host not containing the necessary nix configuration option append

--nix-option plugin-files "$NIX_PLUGINS"/lib/nix/plugins --nix-option extra-builtins-file ./nix/extra-builtins`