Personal NixOS flake for two users across multiple machines, built with Home Manager.
## Secrets (sops-nix)

This repository uses sops-nix to manage sensitive information like API keys and tokens. The ciphertext lives in git; the age private key that can open it lives only on each machine.

### Setup

1. Generate an age key (one-time per machine). The private key never leaves the machine and must stay readable by root only:

   ```bash
   sudo mkdir -p /var/lib/sops-nix
   sudo age-keygen -o /var/lib/sops-nix/key.txt
   sudo chmod 600 /var/lib/sops-nix/key.txt
   ```

2. Get the machine's public key (the age recipient):

   ```bash
   sudo age-keygen -y /var/lib/sops-nix/key.txt
   # Output: age1xxxxxx...
   ```

3. Update `.sops.yaml` with your public key. Every machine that has to decrypt the secrets needs its own recipient listed here (several recipients are comma-separated); a machine whose key is missing will fail at rebuild time:

   ```yaml
   creation_rules:
     - path_regex: secrets/.*\.yaml$
       age: >-
         age1your-public-key-here
   ```

4. Create the secrets file from the example:

   ```bash
   cp secrets/secrets.yaml.example secrets/secrets.yaml
   ```

5. Encrypt it with sops before staging it. Until this step runs, `secrets/secrets.yaml` is plaintext; a token that reaches git history in the clear must be treated as leaked and rotated, not just removed in a later commit:

   ```bash
   sops -e -i secrets/secrets.yaml
   ```

6. Edit encrypted secrets. sops decrypts to a temporary file for your `$EDITOR` and re-encrypts on save; the file on disk stays encrypted throughout:

   ```bash
   sops secrets/secrets.yaml
   ```

   The decrypted content looks like:

   ```yaml
   github_token: ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
   gitlab_token: glpat-xxxxxxxxxxxxxxxxxxxx
   ```

### How it works

- Secrets are encrypted in `secrets/secrets.yaml` and committed to git; only the ciphertext plus the sops metadata (recipients, MAC) is in the repository.
- On NixOS rebuild, sops-nix decrypts them to `/run/secrets/<secret_name>`, which lives under `/run` and is not persisted to disk.
- The age private key at `/var/lib/sops-nix/key.txt` is used for decryption. It is the one piece of state that is in neither the repo nor the Nix store, so back it up or be ready to re-key the secrets if the machine is lost.
- Secrets are only readable by root and the `users` group. That is every interactive account on the machine, not just the person who owns the token; tighten `group`/`mode` per secret if that is too broad.

### Adding a new secret

1. Add the key to `secrets/secrets.yaml`:

   ```bash
   sops secrets/secrets.yaml
   # Add: my_new_secret: "value"
   ```

2. Define the secret in `modules/system/security/sops/default.nix`:

   ```nix
   sops.secrets.my_new_secret = {
     owner = "root";
     group = "users";
     mode = "0440";
   };
   ```

3. Rebuild:

   ```bash
   sudo nixos-rebuild switch --flake .#<host>
   ```

The secret will be available at `/run/secrets/my_new_secret`.
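The two mistakes the workflow above makes easiest are committing `secrets/secrets.yaml` before `sops -e -i` has run, and leaving the age key readable by other local users. The following POSIX shell script, written as an added example for this page and not part of this flake, checks for both and can be dropped in as a git pre-commit hook. It assumes GNU `stat` (coreutils, as on NixOS), recognises sops output by its `ENC[AES256_GCM,...]` values and `sops:` metadata without calling sops itself, and the sample files it writes are constructed placeholders, not real ciphertext or keys.

```shell
#!/usr/bin/env sh
# Added example (not part of this flake): pre-commit style checks for a sops-nix repo.
# Assumes GNU stat; the sample files written by write_samples are constructed placeholders.
set -eu

# Return 0 when FILE looks sops-encrypted: every top-level "key: value" outside the
# sops: metadata block is an ENC[AES256_GCM,...] ciphertext, and the metadata names
# at least one age recipient. Only top-level scalars are inspected.
secrets_are_encrypted() {
    file="$1"
    [ -f "$file" ] || return 1
    awk '
        /^sops:/         { in_sops = 1; next }      # metadata block starts
        /^[^[:space:]#]/ { in_sops = 0 }            # any other top-level key ends it
        in_sops          { next }
        /^[^[:space:]#][^:]*:[[:space:]]*[^[:space:]]/ {
            sub(/^[^:]*:[[:space:]]*/, "")          # keep only the value
            if ($0 !~ /^ENC\[AES256_GCM,/) bad = 1  # not ciphertext: plaintext leak
        }
        END { exit bad + 0 }
    ' "$file" || return 1
    grep -Eq '^[[:space:]]+-?[[:space:]]*recipient:[[:space:]]*age1' "$file"
}

# Return 0 when the age identity file is owner-only (0600 or 0400). Anything wider
# lets every local user decrypt the whole repository.
keyfile_is_private() {
    mode=$(stat -c '%a' "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Print the recipient age-keygen records in the identity file ("# public key: age1...").
pubkey_from_keyfile() {
    sed -n 's/^# public key: //p' "$1"
}

# Return 0 when RECIPIENT appears in the given .sops.yaml.
recipient_in_sops_config() {
    grep -Fq -- "$1" "$2"
}

# Run every check against a working copy; fails on the first problem, as a hook should.
run_checks() {
    repo="$1"; key="$2"
    keyfile_is_private "$key" || { echo "age key $key is not mode 0600" >&2; return 1; }
    recipient_in_sops_config "$(pubkey_from_keyfile "$key")" "$repo/.sops.yaml" \
        || { echo "this machine's recipient is not in .sops.yaml" >&2; return 1; }
    for f in "$repo"/secrets/*.yaml; do
        [ -e "$f" ] || continue
        secrets_are_encrypted "$f" || { echo "$f is plaintext; run: sops -e -i $f" >&2; return 1; }
    done
    echo "ok: secrets encrypted, key private, recipient configured"
}

# Constructed sample files (placeholder key and ciphertext, not real values).
write_samples() {
    dir="$1"
    mkdir -p "$dir/secrets"
    cat > "$dir/secrets/encrypted.yaml" <<'EOF'
github_token: ENC[AES256_GCM,data:c2FtcGxl,iv:aXY=,tag:dGFn,type:str]
gitlab_token: ENC[AES256_GCM,data:c2FtcGxl,iv:aXY=,tag:dGFn,type:str]
sops:
    age:
        - recipient: age1exampleplaceholderrecipient
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            cGxhY2Vob2xkZXI=
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-01-01T00:00:00Z"
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
    version: 3.8.1
EOF
    # What the file looks like when step 5 was skipped: the values are raw tokens.
    cat > "$dir/plaintext-example.yaml" <<'EOF'
github_token: ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
gitlab_token: glpat-xxxxxxxxxxxxxxxxxxxx
EOF
    cat > "$dir/key.txt" <<'EOF'
# created: 2024-01-01T00:00:00Z
# public key: age1exampleplaceholderrecipient
AGE-SECRET-KEY-1PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER
EOF
    chmod 600 "$dir/key.txt"
    cat > "$dir/.sops.yaml" <<'EOF'
creation_rules:
  - path_regex: secrets/.*\.yaml$
    age: >-
      age1exampleplaceholderrecipient
EOF
}

# Demo on the constructed files. A real hook would call:
#   run_checks "$(git rev-parse --show-toplevel)" /var/lib/sops-nix/key.txt
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
run_checks "$demo_dir" "$demo_dir/key.txt"
secrets_are_encrypted "$demo_dir/plaintext-example.yaml" \
    && echo "unexpected: plaintext accepted" || echo "rejected plaintext-example.yaml as expected"
rm -rf "$demo_dir"
```

Installed as `.git/hooks/pre-commit`, this refuses the commit while any `secrets/*.yaml` still holds raw tokens. Note that the recipient check reads `key.txt`, which is root-only; from a non-root hook, feed it the output of `sudo age-keygen -y /var/lib/sops-nix/key.txt` instead of reading the file directly.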
## Repository structure

```text
flake.nix                 Entry point (nixosConfigurations)
hosts/                    Per-machine configs + hardware configuration files
modules/
  games/                  Gaming-related modules (wago-addons, warcraftlogs)
  nix/                    Nix daemon settings
  rice/                   Desktop environment modules (Hyprland, GNOME, themes)
  services/               System services (SSH, Traefik, Ollama)
  system/                 Core system config (users, virtualization)
home/
  <user>.nix              Top-level Home Manager entry per user
  programs/               Per-program HM configs
  services/               Per-service HM configs (Dunst)
  themes/                 Theme system (registry, per-theme assets)
overlays/                 Custom package overlays
users/
  lanath/profile.nix      Personal data for user lanath (single source of truth)
  mushu/profile.nix       Personal data for user mushu
keys/                     SSH public keys (one file per user)
```
## Adding a new user

1. Copy an existing profile and fill in your data:

   ```bash
   cp -r users/lanath users/<yourname>
   $EDITOR users/<yourname>/profile.nix
   ```

   Fields to update:

   - `username`: your Unix username
   - `homeDir`: your home directory (usually `/home/<username>`)
   - `hashedPassword`: generate with `mkpasswd -m yescrypt` and commit only the resulting `$y$...` hash. The hash is in git, so anyone with the repo can run offline guessing against it; use a strong passphrase.
   - `sshKeyFiles`: list of filenames in `keys/` to authorize for SSH login
   - `git.*`: name, email(s), GPG key fingerprint

2. Add your SSH public key(s) to `keys/` (the `.pub` file only; the private key stays in `~/.ssh`):

   ```bash
   cp ~/.ssh/id_ed25519.pub keys/<yourname>.pub
   ```

3. Create the system user module and point its import at your profile:

   ```bash
   cp modules/system/user/lanath.nix modules/system/user/<yourname>.nix
   # Edit the import path to point to your profile
   $EDITOR modules/system/user/<yourname>.nix
   ```

4. Create the Home Manager entry, then copy and adjust the per-program configs under `home/programs/` as needed:

   ```bash
   cp home/lanath.nix home/<yourname>.nix
   $EDITOR home/<yourname>.nix
   ```

## Adding a new host

1. Copy an existing host config:

   ```bash
   cp hosts/lanath-desktop.nix hosts/<hostname>.nix
   $EDITOR hosts/<hostname>.nix
   ```

2. Generate your hardware configuration on the target machine. The filesystem UUIDs and kernel module references must come from this generated output, not from the host you copied:

   ```bash
   nixos-generate-config --show-hardware-config > hosts/<hostname>-hardware-configuration.nix
   ```

3. In `flake.nix`, add your user to `homeManagerModule`:

   ```nix
   home-manager.users.<yourname> = import ./home/<yourname>.nix;
   ```

   and add your host to `nixosConfigurations`:

   ```nix
   <hostname> = mkHost ./hosts/<hostname>.nix;
   ```

4. Rebuild:

   ```bash
   sudo nixos-rebuild switch --flake .#<hostname>
   # or
   make <hostname>
   ```

## Commands

| Command | Description |
|---|---|
| `make <host>` | Rebuild and switch to a host config |
| `make update` | Update all flake inputs |
| `make clean` | Remove old generations and collect garbage |
| `nix build .#nixosConfigurations.<host>.config.home-manager.users.<user>.home.activationPackage` | Test the HM build without switching |
## Notes

The `*-hardware-configuration.nix` files contain machine-specific filesystem UUIDs and kernel modules. They are not reusable across machines; always generate a fresh one with `nixos-generate-config` on the target hardware rather than editing a copy from another host.