top-level configurations for all my NixOS machines
Go to file
2024-06-19 02:04:33 +00:00
doc doc: how to recover or add new hosts 2024-06-11 00:25:00 +00:00
hosts nwg-panel: enable sysload by default 2024-06-19 02:04:33 +00:00
integrations hosts/common/nix: migrate the nixpkgs-overlay integration point (part 1) 2024-06-12 23:20:37 +00:00
modules netns: factor the netns setup/teardown into distinct services, rather than trying to piggyback network-local-commands 2024-06-18 10:36:08 +00:00
overlays cross: remove upstreamed libvpx patch 2024-06-15 11:37:20 +00:00
pkgs nwg-panel: enable sysload by default 2024-06-19 02:04:33 +00:00
scripts check-uninsane: test FTP over doof (and simplify) 2024-06-18 08:09:06 +00:00
secrets wifi: add new network 2024-06-18 02:34:27 +00:00
templates flake: add a pkgs.python template 2024-06-07 07:23:35 +00:00
.gitignore rename working -> .working 2023-11-23 03:29:04 +00:00
.sops.yaml secrets/common: allow crappy to access these secrets 2024-06-11 00:27:37 +00:00
default.nix default.nix: pass through host config and fs 2024-06-15 03:18:16 +00:00 readme: update for a flake-free world 2024-06-13 03:14:27 +00:00 note that swaync brightness slider does not work 2024-06-18 09:48:35 +00:00


.❄️≡We|_c0m3 7o m`/ f14k≡❄️.

(er, it's not a flake anymore. welcome to my nix files.)

What's Here

this is the top-level repo from which i configure/deploy all my NixOS machines:

  • desktop
  • laptop
  • server
  • mobile phone (Pinephone)

everything outside of hosts/ and secrets/ is intended for export, to be importable for use by 3rd parties. the only hard dependency for my exported pkgs/modules should be nixpkgs. building hosts/ will require sops.

you might specifically be interested in these files (elaborated further in #key-points-of-interest):

Using This Repo In Your Own Config

follow the instructions here to access my packages through the Nix User Repositories.


  • doc/
    • instructions for tasks i find myself doing semi-occasionally in this repo.
  • hosts/
    • configs which aren't factored with external use in mind.
    • that is, if you were to add this repo to a flake.nix for your own use, you won't likely be depending on anything in this directory.
  • integrations/
    • code intended for consumption by external tools (e.g. the Nix User Repos).
  • modules/
    • config which is gated behind enable flags, in similar style to nixpkgs' nixos/ directory.
    • if you depend on this repo for anything besides packages, it's most likely for something in this directory.
  • overlays/
    • predominantly a list of callPackage directives.
  • pkgs/
    • derivations for things not yet packaged in nixpkgs.
    • derivations for things from nixpkgs which i need to override for some reason.
    • inline code for wholly custom packages (e.g. pkgs/additional/sane-scripts/ for CLI tools that are highly specific to my setup).
  • scripts/
    • scripts which aren't reachable on a deployed system, but may aid manual deployments.
  • secrets/
    • encrypted keys, API tokens, anything which one or more of my machines needs read access to but shouldn't be world-readable.
    • not much to see here.
  • templates/
    • used to instantiate short-lived environments.
    • used to auto-fill the boiler-plate portions of new packages.

Key Points of Interest

i.e. you might find value in using these in your own config:

  • modules/fs/
    • use this to statically define leafs and nodes anywhere in the filesystem, not just inside /nix/store.
    • e.g. specify that /var/www should be:
      • owned by a specific user/group
      • set to a specific mode
      • symlinked to some other path
      • populated with some statically-defined data
      • populated according to some script
      • created as a dependency of some service (e.g. nginx)
    • values defined here are applied neither at evaluation time nor at activation time.
      • rather, they become systemd services.
      • systemd manages dependencies
      • e.g. link /var/www -> /mnt/my-drive/www only after /mnt/my-drive/www appears)
    • this is akin to using Home Manager's file API -- the part which lets you statically define ~/.config files -- just with a different philosophy.
  • modules/persist/
    • my alternative to the Impermanence module.
    • this builds atop modules/fs/ to achieve things stock impermanence can't:
      • persist things to encrypted storage which is unlocked at login time (pam_mount).
      • "persist" cache directories -- to free up RAM -- but auto-wipe them on mount and encrypt them to ephemeral keys so they're unreadable post shutdown/unmount.
  • modules/programs/
    • like nixpkgs' programs options, but allows both system-wide or per-user deployment.
    • allows fs and persist config values to be gated behind program deployment:
      • e.g. /home/<user>/.mozilla/firefox is persisted only for users who sane.programs.firefox.enableFor.user."<user>" = true;
    • allows aggressive sandboxing any program:
      • sane.programs.firefox.sandbox.method = "bwrap"; # sandbox with bubblewrap
      • sane.programs.firefox.sandbox.whitelistWayland = true; # allow it to render a wayland window
      • sane.programs.firefox.sandbox.extraHomePaths = [ "Downloads" ]; # allow it read/write access to ~/Downloads
      • integrated with fs and persist modules so that programs' config files and persisted data stores are linked into the sandbox w/o any extra involvement.
  • modules/users/
    • convenience layer atop the above modules so that you can just write fs.".config/git" instead of fs."/home/colin/.config/git"
    • per-user services managed by s6-rc

some things in here could easily find broader use. if you would find benefit in them being factored out of my config, message me and we could work to make that happen.


this repo exists in a few known locations:


if you want to contact me for questions, or collaborate to split something useful into a shared repo, etc, you can reach me via any method listed here. patches, for this repo or any other i host, will be warmly welcomed in any manner you see fit: git send-email, DM'ing the patch over Matrix/Lemmy/ActivityPub/etc, even a literal PR where you link me to your own clone.