This repo replaces my previous dotfiles setup; on top of user configuration intent it also encodes machine configuration intent.
- Nix + Home Manager manage the "dotfiles" home user configuration intent.
- Where I can control the OS, I run NixOS.
I follow the snowfall-lib structure exactly and recommend reading its docs to understand their philosophy.
```
├── nix/          snowfall-lib structure
├── secrets/      sops encrypted secrets
├── .envrc        direnv directive
├── README.md     GitHub repo landing page
├── flake.nix     core flake
├── flake.lock    lockfile
└── LICENSE       project license
```
- Secret management: integration with sops/sops-nix lets me check in encrypted secrets. My FIDO2 keys allow decryption/rewrapping for a new host's pubkey. After deployment to a new host, the host can decrypt its secrets, exposing them via /run/... to the correct application.
  - TODO: actually not FIDO yet...
- Multi-machine, multi-user by design.
- disko handles partition layout for new installs.
- Development on this repo:
  - I cannot commit to the main branch; instead I use feature branches via GitHub PRs. Each PR integrates with Garnix, building all the hosts and validating configs.
  - direnv integration: if you cd into the repo you get a usable development environment.
  - nix fmt in this repo just does the right thing.
  - A few git hooks enforce best practices.
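The sops-nix flow from the secret management bullet above, as an added example that is not this repo's code: a NixOS module that declares one secret and hands its decrypted /run/secrets path to the consuming service. The secrets file path, the `wireguard-key` secret name and the systemd-networkd consumer are assumptions.

```nix
# Added example (not this repo's code). Assumed: the secrets file path,
# the "wireguard-key" secret and a networkd WireGuard netdev as consumer.
{ config, ... }:
{
  # Encrypted secrets are checked into the repo; sops-nix decrypts them at activation.
  sops.defaultSopsFile = ../../secrets/secrets.yaml;   # assumed path

  # Each host decrypts with its own key: the SSH host key is used as an age identity,
  # so the secrets file must have been rewrapped for this host's pubkey before
  # deployment. If it was not, activation fails instead of silently shipping a secret.
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Decrypted material lands at config.sops.secrets.<name>.path (/run/secrets/<name>),
  # on tmpfs rather than the persistent disk. Owner and mode are pinned so only the
  # consuming service can read it, and that service is restarted when the secret changes.
  sops.secrets."wireguard-key" = {
    owner = "systemd-network";
    group = "systemd-network";
    mode = "0400";
    restartUnits = [ "systemd-networkd.service" ];
  };

  # The consumer references the path, never the value, so nothing secret enters the
  # world-readable Nix store.
  systemd.network.netdevs."10-wg0" = {
    netdevConfig = { Kind = "wireguard"; Name = "wg0"; };
    wireguardConfig.PrivateKeyFile = config.sops.secrets."wireguard-key".path;
  };
}
```

A quick check after `colmena apply` is `ls -l /run/secrets/`: every file should show the intended owner and `-r--------`, and nothing under `/nix/store` should contain the key.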
Everyday usage:

```shell
colmena build                         # build all hosts
colmena apply                         # apply to all remote hosts
colmena apply-local --sudo build      # build for my local host
colmena apply-local --sudo switch     # apply for my local host
```
Building an ISO for a live USB:

```shell
nix build .#nixosConfigurations.liveusb.config.system.build.isoImage
```
Deploying a new machine locally (with disk partitioning):

```shell
sudo nix run 'github:nix-community/disko/latest#disko-install' -- --write-efi-boot-entries --flake '.#bistannix' --disk main /dev/sda
```
- https://truxnell.github.io/nix-config/ is a great read.
- https://github.com/jakehamilton/config is a fairly clean repo using snowfall-lib.