Skip to content

kiriwalawren/dotnix

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

763 Commits
.github
.github
 
 
modules
modules
 
 
.envrc
.envrc
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
flake.lock
flake.lock
 
 
flake.nix
flake.nix
 
 

Repository files navigation


Kiri's NixOS Flake

Prequisites

Developing

Enter the development shell with nix develop. Run nix fmt to format the repo.

Origin of the dendritic pattern

This repository follows the dendritic pattern.

Automatic import

Nix files (they're all flake-parts modules) are automatically imported. Nix files prefixed with an underscore are ignored. No literal path imports are used. This means files can be moved around and nested in directories freely.

Installation

The bootstrap-nixos application performs a one-shot NixOS install on a remote machine using nixos-anywhere.

Usage

In nix develop:

bootstrap-nixos -n <hostname> -d <ip-or-domain> -k <ssh_key> [OPTIONS]

Required arguments

Flag Description
-n <hostname> Hostname as defined in the flake (e.g. homelab)
-d <destination> IP or DNS of the target machine
-k <ssh_key> Path to the private SSH key used for install

Options

Flag Description
-u <user> SSH user with sudo (default: current user)
--port <port> SSH port (default: 22)
--secureboot Enable Secure Boot + TPM2 auto-unlock setup
--debug Enable bash xtrace for troubleshooting
-h, --help Show help

What it does

  1. Generates a target SSH host key and derives an age recipient so secrets are ready day-0
  2. Optionally captures hardware-configuration.nix from the target before install
  3. Extracts disk encryption keys from sops secrets (if configured)
  4. Runs nixos-anywhere to install the flake on the target (builds locally)
  5. Syncs the dotnix and secrets repositories to the target
  6. With --secureboot: generates Secure Boot keys, rebuilds with lanzaboote, enrolls keys in firmware, and configures TPM2 auto-unlock
  7. Optionally stages, commits, and pushes all changes to git

Secure Boot configuration

Using --secureboot requires three pieces of configuration in the flake:

  1. Include the encryption module in the host's module list (e.g. modules/hosts/<hostname>/modules.nix):

    configurations.nixos.<hostname>.modules = {
  inherit (config.flake.modules.nixos)
    base
    encryption  # provides lanzaboote, TPM2 initrd support, and sbctl/tpm2-tools
    # ...
    ;
};

  2. Mark disk groups as encrypted in the host's configuration (e.g. modules/hosts/<hostname>/configuration.nix):

    system.disks."/" = {
  devices = [ "/dev/nvme0n1" ];
  encryptDrives = true;  # wraps partitions in LUKS via disko
};

    The encryptionPasswordFile option defaults to /tmp/disk-secret.key, which is where the bootstrap script places the key during install.

  3. Add an encryption key to the secrets repository (secrets.yaml):

    drive-encryption-keys:
  <hostname>: "your-encryption-password-here"

    The bootstrap script extracts this value via sops -d --extract '["drive-encryption-keys"]["<hostname>"]' and passes it to nixos-anywhere at install time.

Special Thanks

  • mightyjam for the Dendritic Pattern
  • nekowinston for the nixppuccin wallpaper
  • redyf for the bar and some Hyprland configuration
  • sioodmy for their NixOS and Hyprland configuration and badges
  • IogaMaster for the most beautiful catppuccin nix flake, some Hyprland config, and the badges
  • This reddit post for helping me figure out the bare minimum to get Hyprland running
    • AMD GPU minimum required config here

About

NixOS, HomeManager, and Nixvim Configurations

Resources

Readme

License

GPL-3.0 license
Activity

Stars

11 stars

Watchers

1 watching

Forks

1 fork
Report repository

Contributors

Languages