~/heim

Here you'll find my NixOS & home-manager configurations for my systems, declared as a single Nix flake.

Notable features

• Declarative disk partitioning (disko)
• Full disk encryption
• Impermanence, ephemeral root in ramfs
• Secure Boot (lanzaboote)
• Secrets provisioning using a separate private repo (sops-nix)
• Remote unattended bootstrapping via SSH (nixos-anywhere)
• Carefuly crafted Wayland DE (Hyprland)
  • Components used

    • Bar: Waybar
    • Display manager: ly
    • File manager (TUI): yazi
    • Launcher: rofi
    • Notification daemon: mako
    • Terminal: foot
    • Theming: stylix

Repo structure

.
├─ home/              # Home-manager configurations
├─ hosts/             # NixOS configurations
│  ├─ common/ # Shared configurations
│    ├─ global/   # Config shared by all hosts
│    ├─ optional/ # Optional configurations
│    ├─ users/    # Host-level user declaration
│  ├─ calcifer/  # Desktop
│  ├─ jiji/      # Headless - Serves Atuin and Navidrome
│  ├─ kamaji/    # Headless - Serves Jellyin/*arr stack + Moonlight client for streaming
│  ├─ noface/    # Headless - QEMU guest used for debugging/testing
│  ├─ ponyo/     # Laptop
├─ lib/               # Nix utilities/helpers
├─ modules/           # Reusable, abstract pieces of config for home-manager, NixOS or both.
│  ├─ common/
│  ├─ home-manager/
│  ├─ nixos/
├─ overlays/          # Overrides/patches for some packages
├─ pkgs/              # Custom packages
├─ checks.nix         # pre-commit-check config
├─ flake.nix          # Entrypoint for hosts and home-manager configs
└─ shell.nix          # devshell for manual bootstrapping tasks (nix-shell)

Bootstrapping a new host

On the target host

1. Follow these instructions to boot NixOS minimal installer
2. Set a password for root to allow for SSH access

On an existing NixOS machine

1. Declare the new host in this repository
2. Generate an SSH key pair that will be used as the host key, use it to encrypt the new host's secrets.
   The key will be copied and must be in a structure and permissioned as it should be on the target:

   temp=$(mktemp -d) # Don't forget to clean it up afterwards
   install -d -m755 "$temp/persist/etc/ssh"
   ssh-keygen -t ed25519 -N "" -C "<hostname>" -f "$temp/persist/etc/ssh/ssh_host_ed25519_key"

3. Push the button:

   nix run github:nix-community/nixos-anywhere#nixos-anywhere -- --extra-files "$temp" --flake /home/mydir/heim#hostname --target-host root@<hostname>
   

Important

If you use ZFS, nixos-anywhere has an issue where it won't export the pool before rebooting.

Possible workarounds:

• append --no-reboot to the install command and manually export the pool before rebooting.
• use the same networking.hostId as the NixOS installer and nixos-anywhere as demonstrated here.

References & Useful resources

Resources that helped me find light down this rabbit hole:

• Nix Pills
• Unmoved Centre blog posts
• NixOS & Flakes book
• How to learn Nix
• Flakes introduction

Other people's configurations that inspired me:

• Misterio77 Nix Starter Config
• hlissner's dotfiles
• EmergentMind nix-config