🏡
About
Welcome to the bikeshed!
This repository houses all my machine configurations expressed declaratively using a Nix flake. It covers both my personal and work devices that are running either NixOS or macOS.
The expressions are organised into platform-agnostic modules that leverage the likes of the nixpkgs, home-manager and nix-darwin to fully configure the OS and userspace from scratch.
These days I am spending the majority of time in either Firefox or Emacs (+vterm). On NixOS I am using EXWM and on macOS I am usually just running native fullscreen, ⌘↹ing between the two previously mentioned apps. Additionally, a simple theming system is used to switch various things between light and dark versions, and a secrets attribute set (kept encrypted in a private repository) is referenced throughout.
NOTE: Some twisted souls found value in all the ricing of the previous incarnation of this repository. I’ll keep archived on this branch for reference.
CI (Travis for NixOS, GitHub Actions for macOS) runs on push. The jobs generate a special CI machine that imports every module, and derives either a NixOS VM (via QEMU) or simply builds on a fresh Darwin agent VM (in the case of macOS). The resultant binaries are pushed to Cachix and subsequently become available for any of my other machines, saving a lot of wasted battery!
The Makefile (in conjunction with some helpful aliases) is used to drive most actions, abstracting away NixOS/macOS differences where necessary.
Installation Notes
Below are some rough platform specific installation notes I use to go from fresh installs to fully configured machine.
macOS
From a fresh macOS install.
Enable SSHd
sudo systemsetup -setremotelogin on
Install XCode
sudo xcodebuild -license
Install Homebrew for those macOS GUI apps unmanageable through Nix
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
[APPLE SILICON] Install Rosetta2
softwareupdate --install-rosetta
Install Nix (multi-user)
NOTE: Do not use sudo
here.
# curl https://nixos.org/nix/install | sh
sh <(curl -L https://nixos.org/nix/install) --darwin-use-unencrypted-nix-store-volume --daemon
Enable Flakes and experimental commands
Move to experimental.
nix-env -iA nixpkgs.nixUnstable
cat << EOF | sudo tee -a /etc/nix/nix.conf
experimental-features = nix-command flakes
extra-platforms = x86_64-darwin aarch64-darwin
EOF
sudo launchctl kickstart -k system/org.nixos.nix-daemon
[OPTIONAL] Confirm remotely accessible
ssh $REMOTE nix-daemon --version
[OPTIONAL] Seed Nix store contents from an existing Darwin machine
nix copy --no-check-sigs --keep-going --to ssh-ng://$REMOTE ~/.nix-profile
Grab dotfiles using forwarded agent
sudo git clone --recursive [email protected]:martinbaillie/dotfiles.git /etc/dotfiles
sudo chown -R $USER: /etc/dotfiles
Optionally decrypt secrets one-off
If not forwarding.
nix-shell -p gpg
mkdir -m 700 ~/.gnupg-temp
<download gpg key> > ~/.gnupg-temp/temporary.asc
gpg --homedir ~/.gnupg-temp --import temporary.asc
gpg --homedir ~/.gnupg-temp -d secrets.nix.gpg > secrets.nix
gpg-connect-agent --homedir ~/.gnupg-temp KILLAGENT /bye
rm -r ~/.gnupg-temp
Set up Cachix one-off
nix-shell -p cachix
cachix use martinbaillie
Switch to Nix configuration based on hostname
make switch
Switch login shell to zsh
chsh -s /run/current-system/sw/bin/zsh $USER
Configure Emacs
make config-emacs
Configure Casks
Set Flux, Karabiner, Spectacle, Cursorcerer to start at boot, install kernel extensions and so on.
Bump Kernel / User Limits
NixOS
Media
Download and verify latest NixOS minimal ISO:
"21.05"
#+RESULTS[8f7a4f3511d5d6152ec17fdf52addc1eecd1a880]: nixos-ver
21.05
(format "%s.2796.110a2c9ebbf" nixos-ver)
#+RESULTS[d02522c67a569b479981b108c6d2236d90a80aec]: nixos-rel
21.05.2796.110a2c9ebbf
(format "https://releases.nixos.org/nixos/%s" nixos-ver)
#+RESULTS[6ea8b95b40577283983b31f1862093ba872ded97]: nixos-url
https://releases.nixos.org/nixos/21.05
curl -O ${NIXOS_URL}/nixos-${NIXOS_REL}/nixos-minimal-${NIXOS_REL}-x86_64-linux.iso
curl -O ${NIXOS_URL}/nixos-${NIXOS_REL}/nixos-minimal-${NIXOS_REL}-x86_64-linux.iso.sha256
sha256sum -c nixos-minimal-${NIXOS_REL}-x86_64-linux.iso.sha256
Create a bootable NixOS USB (macOS example):
diskutil list # Find USB
diskutil unmountDisk /dev/disk2
dd if=nixos-minimal-${NIXOS_REL}-x86_64-linux.iso of=/dev/rdisk2 bs=4m
diskutil unmountDisk /dev/disk2
Create a bootable NixOS USB (NixOS example):
lsblk -i # Locate the device.
cp nixos-minimal-${NIXOS_REL}-x86_64-linux.iso /dev/sdX # Target whole disk.
BIOS Tweaks (ThinkPad)
- [X] Disable Secure Boot
- [X] Enable CSM Support
Boot
Setup networking:
sudo su
wpa_supplicant -B -i interface -c <(wpa_passphrase 'SSID' 'key')
ip addr
Conduct rest of install from other laptop for convenience (+SSH agent forwarding):
ssh -A root@<addr>
Partition
Create a 500M
boot partition:
gdisk /dev/nvme0n1
# o (create new empty partition table)
# n (add partition, 500M, type ef00 EFI)
# n (add partition, remaining space, type 8301 Linux Reserved - in the absence of a LUKS code)
# w (write partition table and exit)
Setup the encrypted LUKS partition and open it:
cryptsetup luksFormat /dev/nvme0n1p2
cryptsetup luksOpen /dev/nvme0n1p2 enc-pv
Create two logical volumes (swap and root):
pvcreate /dev/mapper/enc-pv
vgcreate vg /dev/mapper/enc-pv
lvcreate -L 8G -n swap vg
lvcreate -l '100%FREE' -n root vg
Format the partitions:
mkfs.fat -F 32 /dev/nvme0n1p1
mkfs.ext4 -L root /dev/vg/root
mkswap -L swap /dev/vg/swap
Install
Mount the partitions just created under /mnt:
mount /dev/vg/root /mnt
mkdir /mnt/boot
mount /dev/nvme0n1p1 /mnt/boot
swapon /dev/vg/swap
Install:
useradd -m -G wheel martin
sudo su - martin
nix-shell -p git --run \
git clone --recursive [email protected]:martinbaillie/dotfiles.git \
/mnt/etc/dotfiles
nix-shell -p nixUnstable -p git
sudo -E nixos-install --option pure-eval no --flake .\#$HOSTNAME
# make -C /mnt/etc/dotfiles install
Iterative Troubleshooting
If system doesn’t boot:
cryptsetup luksOpen /dev/nvme0n1p2 enc-pv
lvchange -a y /dev/vg/swap
lvchange -a y /dev/vg/root
mount /dev/vg/root /mnt
mount /dev/nvme0n1p1 /mnt/boot
swapon /dev/vg/swap
wpa_supplicant -B -i interface -c <(wpa_passphrase 'SSID' 'key')
nixos-enter
Try again.
Import GPG key
gpg --import ~/.gnupg/gpg.asc
Configure Emacs
make config-emacs