❄️ ≃ 💙

This repository defines almost^† all of the configuration for my machines running the NixOS Linux distribution, including installed programs, configuration files and running services, in a declarative and reproducible way.

NixOS is built on top of Nix, a package manager and build system with a declarative approach based on a lazy functional programming language. It makes life infinitely easier. (See GNU Guix for an alternative with a stronger focus on software freedoms.)

This repository is not meant to be used as-is by anyone else, but feel free to take inspiration (see the license). Of course, this is a perpetual work in progress.

Structure

modules is where most of the configuration is defined.

The top-level modules are imported for every machine and may then import submodules conditionally; for example, the server module imports every module in the server directory if the current machine is a server. Similarly, the station module contains modules to be used in physical machines (desktops and laptops).

Configuration for Nix itself is defined in the nix module. This module creates the file ~/.nix-defexpr/default.nix, which is used as the source of Nix expressions for various Nix commands (see Usage). This file roughly replicates the environment available in modules: lib, config, pkgs, etc.

Configuration for my home directory is managed using Home Manager (see the home-manager module).

machines contains machine-specific configuration:

• mu is a Netcup VPS that runs web, mail and DNS servers for monade.li, serves as an IRC bouncer (see the weechat module) and a central node for my WireGuard network and for Syncthing.
• mo is my old laptop, a Lenovo ThinkPad T420.
• no is my new laptop, a Lenovo ThinkPad T14s Gen 1 AMD.
• fu is my desktop computer.

secrets contains sops-encrypted secrets.

They are decrypted on system activation by sops-nix using my GPG private key (see the secrets module).

lib extends the Nixpkgs lib.

lib.my is a collection of variables used in all the modules, such as my username, domain name and email addresses.

my.machines contains basic information about all my machines (including those not yet running NixOS) such as WireGuard public keys and Syncthing IDs. The module argument this is mapped to my.machines.${hostname}.

flake.nix declares this repository as a flake, an experimental feature of Nix.

This is the entry point where things are plugged into each other. The flake exports the following outputs:

• lib is the lib defined above.
• nixosConfigurations is the set of configurations for my machines.
• packages.x86_64-linux.iso creates an ISO image similar to the official unstable minimal ISO but with a few conveniences, like my localisation settings, a flakes-enabled Nix, git, and the GPG agent with SSH support (see iso.nix).
• for convenience, packages.x86_64-linux.host = nixosConfigurations.host.config.system.build.toplevel.

Usage

The nix module also defines a config command which I use to manage my systems. It has the following subcommands:

• env is meant to be sourced in scripts (as in . config env) and exports a few common variables using lib.toShellVars.
• compare allows me to compare the locked version of a flake input to the current upstream version.
• update updates flake inputs.
• repl, eval and bld run nix repl, nix eval and nix build respectively on ~/.nix-defexpr. These three commands can be made to use the config from the worktree rather than the currently activated config by passing --wip.

• specialise switches to a specialisation. I am not currently using this.
• revert is meant to be used after config test or config specialise to revert to the latest generation of the system profile.
• home builds and activates my Home Manager configuration without building the whole system. This is useful for quickly testing a change to my home.
• every other command (build, test, switch, …) is passed on to nixos-rebuild. If prefixed with @host, the command is run remotely on host.

^† things currently not managed by this repository include:

• partition layouts, disk encryption and formatting
• GPG private keys (used to decrypt secrets in this repository)
• local git checkouts
• Thunderbird configuration
• general state (wireless networks, mail, command histories, …)