This repo is a Nix flake that manages most of my setup on macOS and fully manages the machines I have that run NixOS as their operating system. The Nix bits are driven by `flake.nix`, which pulls in things under `modules/`. Both Intel and Apple Silicon macOS are supported, as is NixOS.

The flake is structured like so:
- A `let ... in` block that contains:
  - `darwinHostConfig`, which takes a set of parameters as an attribute set and pulls in all the things needed to use Nix on a macOS host
  - `nixosHostConfig`, which takes a set of parameters as an attribute set and pulls in all the things needed to configure a NixOS host
  - `linuxHomeConfig`, which takes a set of parameters as an attribute set and pulls in the things I manage on non-NixOS Linux hosts
- `darwinConfigurations` is an attribute set with a key named for each macOS host, set to the result of a call to `darwinHostConfig` with values for each of the required parameters
- `nixosConfigurations` is an attribute set with a key named for each NixOS host, set to the result of a call to `nixosHostConfig` with values for each of the required parameters
- `homeConfigurations` contains an entry for each username, set to the result of a call to `linuxHomeConfig` with values for each of the required parameters

The parameters on `darwinHostConfig` and `nixosHostConfig` are:

- `system`: the system definition to use for nixpkgs
- `hostname`: the hostname of the machine being configured
- `username`: the username being configured on the host (all code currently assumes there is a single human user managed by Nix)
- `additionalModules`: any Nix modules desired to supplement the defaults for the host. An example use case is adding the hardware-specific module from nixos-hardware.
- `additionalSpecialArgs`: any supplemental arguments to be passed to `specialArgs`.

The parameters on `linuxHomeConfig` are the same as the above.
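The following `flake.nix` skeleton is an illustration added to this README of how the three helper functions and the three output sets described above fit together; it is not the repo's real `flake.nix`. The parameter names and the paths under `modules/` follow the description and tree in this README, while the input names, the home-manager and sops-nix wiring, the `mkArgs`/`hmModule` helpers, the nixos-hardware module chosen and the `homeConfigurations` host are assumptions made for the example.

```nix
# flake.nix (illustrative skeleton, not the repo's real file)
{
  description = "Skeleton of the flake layout described in this README";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    nix-darwin = {
      url = "github:LnL7/nix-darwin";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    home-manager = {
      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixos-hardware.url = "github:NixOS/nixos-hardware";
  };

  outputs = inputs@{ nixpkgs, nix-darwin, home-manager, sops-nix, nixos-hardware, ... }:
    let
      # All three builders take the same attribute set of parameters.
      # hostname and username are also passed through specialArgs so the
      # per-host modules can refer to them. (helper assumed for this example)
      mkArgs = { hostname, username, extra }:
        { inherit inputs hostname username; } // extra;

      # home-manager settings shared by the darwin and NixOS system builders
      # (assumed for this example)
      hmModule = { hostname, username }: {
        home-manager.useGlobalPkgs = true;
        home-manager.useUserPackages = true;
        home-manager.extraSpecialArgs = mkArgs { inherit hostname username; extra = { }; };
        home-manager.sharedModules = [ sops-nix.homeManagerModules.sops ];
        home-manager.users.${username} =
          import ./modules/home-manager/hosts/${hostname}/${username}.nix;
      };

      darwinHostConfig = { system, hostname, username, additionalModules ? [ ], additionalSpecialArgs ? { } }:
        nix-darwin.lib.darwinSystem {
          inherit system;
          specialArgs = mkArgs { inherit hostname username; extra = additionalSpecialArgs; };
          modules = [
            ./modules/system/common/all-darwin.nix
            ./modules/hosts/darwin/${hostname}
            home-manager.darwinModules.home-manager
            (hmModule { inherit hostname username; })
          ] ++ additionalModules;
        };

      nixosHostConfig = { system, hostname, username, additionalModules ? [ ], additionalSpecialArgs ? { } }:
        nixpkgs.lib.nixosSystem {
          inherit system;
          specialArgs = mkArgs { inherit hostname username; extra = additionalSpecialArgs; };
          modules = [
            ./modules/system/common/all-nixos.nix
            ./modules/hosts/nixos/${hostname}
            sops-nix.nixosModules.sops
            home-manager.nixosModules.home-manager
            (hmModule { inherit hostname username; })
          ] ++ additionalModules;
        };

      linuxHomeConfig = { system, hostname, username, additionalModules ? [ ], additionalSpecialArgs ? { } }:
        home-manager.lib.homeManagerConfiguration {
          pkgs = nixpkgs.legacyPackages.${system};
          extraSpecialArgs = mkArgs { inherit hostname username; extra = additionalSpecialArgs; };
          modules = [
            sops-nix.homeManagerModules.sops
            ./modules/home-manager/hosts/${hostname}/${username}.nix
          ] ++ additionalModules;
        };
    in
    {
      darwinConfigurations.Blue-Rock = darwinHostConfig {
        system = "aarch64-darwin";
        hostname = "Blue-Rock";
        username = "gene.liverman";
      };

      nixosConfigurations.nixnuc = nixosHostConfig {
        system = "x86_64-linux";
        hostname = "nixnuc";
        username = "gene";
        # Hardware quirks come from nixos-hardware rather than this repo.
        additionalModules = [ nixos-hardware.nixosModules.common-cpu-intel ];
      };

      # Hypothetical non-NixOS Linux box; the tree above lists no such host.
      homeConfigurations.gene = linuxHomeConfig {
        system = "x86_64-linux";
        hostname = "work-laptop";
        username = "gene";
      };
    };
}
```

Keeping `hostname` and `username` in `specialArgs` (and `extraSpecialArgs` for home-manager) is what lets a per-host module such as `modules/hosts/nixos/nixnuc/default.nix` take `username` as a function argument instead of hard-coding it.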
All the bits below here are useful but may be slightly outdated: I have not done a good job of keeping them updated.

The Nix stuff is structured like so, at least for now:
```console
$ tree . -I legacy* -I link* --gitignore --dirsfirst
.
├── modules
│   ├── home-manager
│   │   ├── common
│   │   │   ├── linux-apps
│   │   │   │   ├── tilix.nix
│   │   │   │   ├── waybar.nix
│   │   │   │   └── xfce4-terminal.nix
│   │   │   ├── all-cli.nix
│   │   │   ├── all-darwin.nix
│   │   │   ├── all-gui.nix
│   │   │   └── all-linux.nix
│   │   ├── files
│   │   │   ├── tilix
│   │   │   │   └── Beanbag-Mathias.json
│   │   │   ├── waybar
│   │   │   │   ├── config
│   │   │   │   └── style.css
│   │   │   ├── xfce4
│   │   │   │   └── terminal
│   │   │   │       ├── accels.scm
│   │   │   │       └── terminalrc
│   │   │   └── Microsoft.PowerShell_profile.ps1
│   │   └── hosts
│   │       ├── Blue-Rock
│   │       │   └── gene.liverman.nix
│   │       ├── nixnuc
│   │       │   └── gene.nix
│   │       └── rainbow-planet
│   │           └── gene.nix
│   ├── hosts
│   │   ├── darwin
│   │   │   └── Blue-Rock
│   │   │       └── default.nix
│   │   └── nixos
│   │       ├── nixnuc
│   │       │   ├── default.nix
│   │       │   └── hardware-configuration.nix
│   │       └── rainbow-planet
│   │           ├── default.nix
│   │           └── hardware-configuration.nix
│   └── system
│       └── common
│           ├── linux
│           │   └── internationalisation.nix
│           ├── all-darwin.nix
│           └── all-nixos.nix
├── LICENSE
├── README.md
├── Vagrantfile
├── flake.lock
└── flake.nix

23 directories, 29 files
```
This repo historically contained my dotfiles. Files that were historically symlinked are still in `link/`. Most of the other old stuff is now tucked away under `legacy/` to get it out of the way until I decide what is and isn't needed.
Steps to set up a new macOS machine:

1. Run `xcode-select --install` to install the command-line developer tools (this includes Apple's stock version of Git).
2. Generate an SSH key: `ssh-keygen -t ed25519`
3. Clone this repo:

   ```shell
   mkdir ~/repos
   cd ~/repos
   git clone git@github.com:genebean/dots
   ```

4. Derive an age key pair from the SSH key for sops. `keys.txt` is the private decryption key: keep it readable only by you and never commit it.

   ```shell
   mkdir -p ~/Library/Application\ Support/sops/age \
     && nix run nixpkgs#ssh-to-age -- -private-key -i ~/.ssh/id_ed25519 > ~/Library/Application\ Support/sops/age/keys.txt \
     && nix run nixpkgs#ssh-to-age -- -i ~/.ssh/id_ed25519.pub > ~/Library/Application\ Support/sops/age/pub-keys.txt
   ```

5. Copy the public key to the clipboard with `cat ~/Library/Application\ Support/sops/age/pub-keys.txt | pbcopy`, add it to `.sops.yaml`, and then create the host's secrets file:

   ```shell
   mkdir modules/home-manager/hosts/$(hostname -s)
   nix run nixpkgs#sops -- modules/home-manager/hosts/$(hostname -s)/secrets.yaml
   ```

   Put these entries in it:

   - `local_git_config` containing something like this:

     ```
     [user]
     email = me@example.com
     ```

   - `local_private_env` containing anything you want exported as env vars or local aliases that you want to keep private
   - `tailscale_key`

6. Create `modules/home-manager/hosts/$(hostname -s)/<username>.nix` based on the needs of this machine.
7. Run `mkdir modules/hosts/darwin/$(hostname -s)` and create `modules/hosts/darwin/$(hostname -s)/default.nix` based on the needs of this machine.
8. Add the new host to `flake.nix`.
9. Run `brew leaves` and look for things installed from taps you don't want any more.
10. Run `git add .` and then `git status` - it should look something like this:

    ```console
    gene.liverman@mightymac dots % git status
    On branch main
    Your branch is up to date with 'origin/main'.

    Changes to be committed:
      (use "git restore --staged <file>..." to unstage)
            modified:   .sops.yaml
            modified:   flake.nix
            new file:   modules/home-manager/hosts/mightymac/gene.liverman.nix
            new file:   modules/home-manager/hosts/mightymac/secrets.yaml
            new file:   modules/hosts/darwin/mightymac/default.nix
    ```

11. Move aside the files nix-darwin wants to manage:

    ```shell
    sudo mv /etc/nix/nix.conf{,.before-nix-darwin}
    sudo mv /etc/zshenv{,.before-nix-darwin}
    ```

12. Check the configuration and then apply it (recent Nix releases no longer recognise `repl-flake`; `nix-command flakes` is enough there):

    ```shell
    nix run --extra-experimental-features 'nix-command flakes repl-flake' nix-darwin -- check --flake ~/repos/dots
    nix run --extra-experimental-features 'nix-command flakes repl-flake' nix-darwin -- switch --flake ~/repos/dots
    ```

13. If nix-darwin reports that existing files are in the way, move them aside too and re-run the switch:

    ```shell
    sudo mv /etc/shells{,.before-nix-darwin}
    sudo mv /etc/zshenv{,.before-nix-darwin}
    ```

14. Check `~/.zshrc`.
15. Check that everything Homebrew should have installed shows up in `/Applications`. You may have to run `brew install --force <package name>` to fix any that are missing.
16. You will need to link `firefox-profile-switcher-connector` for it to work. The easiest way to do this is to run `brew reinstall firefox-profile-switcher-connector` and follow the directions printed in the terminal.
17. Enable Touch ID for `sudo`:
    - `sudo cp /etc/pam.d/sudo_local{.template,}` - this will generate a popup asking permission
    - `sudo nvim /etc/pam.d/sudo_local` and uncomment the `pam_tid.so` line as directed by the comments at the top, then `:w!`, which will generate a popup asking permission
18. Nix installs and configures Atuin, but you still need to log into the server:
    - `atuin import auto` to import the shell history from before Atuin was installed and running
    - `read -s akey` and enter the encryption key
    - `read -s apass` and enter the user password
    - `atuin login --key="$akey" --password="$apass" --username=gene`

    Reading the key and password into variables keeps them out of the shell history (Atuin records the command line as typed, not the expanded values).
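The following home-manager module is an example added to this README of how the three secrets created in step 5 can be consumed; it is not the repo's own `<username>.nix`. It assumes the flake loads sops-nix's home-manager module and passes `username` through `extraSpecialArgs`; the git and zsh settings shown are assumptions, and the age key path is the one the steps above write to on macOS.

```nix
# modules/home-manager/hosts/<hostname>/<username>.nix
# Example added to the README; not a file from the repo. Assumes the flake
# loads sops-nix.homeManagerModules.sops and passes `username` in
# extraSpecialArgs.
{ config, pkgs, username, ... }:
{
  sops = {
    # The per-host file created with `nix run nixpkgs#sops -- .../secrets.yaml`.
    defaultSopsFile = ./secrets.yaml;
    # Same location the ssh-to-age output is written to in the steps above.
    age.keyFile = "${config.home.homeDirectory}/Library/Application Support/sops/age/keys.txt";
    # Each key in secrets.yaml becomes a file decrypted at activation time,
    # mode 0400 and owned by the user; the repo only ever holds ciphertext.
    secrets = {
      local_git_config = { };
      local_private_env = { };
      # Declared here because the steps above put it in the same file;
      # what consumes it is host-specific and not shown in this example.
      tailscale_key = { };
    };
  };

  programs.git = {
    enable = true;
    # git reads `[user] email = ...` from the decrypted include, so the
    # address never lands in the public repo.
    includes = [ { path = config.sops.secrets.local_git_config.path; } ];
  };

  programs.zsh = {
    enable = true;
    # Only source the private exports/aliases if the secret was actually
    # decrypted; a fresh machine without keys.txt still gets a working shell.
    initExtra = ''
      if [ -r "${config.sops.secrets.local_private_env.path}" ]; then
        source "${config.sops.secrets.local_private_env.path}"
      fi
    '';
  };
}
```

`config.sops.secrets.<name>.path` resolves at evaluation time to the symlink sops-nix maintains for that secret, so the module never needs to know where the decrypted files physically live, and `git status` in step 10 shows only `secrets.yaml` (ciphertext) being added.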
Steps to set up a new NixOS host:

1. Derive an age key pair from the SSH key for sops (as on macOS, `keys.txt` is the private key: keep it readable only by you and never commit it):

   ```shell
   mkdir -p ~/.config/sops/age \
     && nix run nixpkgs#ssh-to-age -- -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt \
     && nix run nixpkgs#ssh-to-age -- -i ~/.ssh/id_ed25519.pub > ~/.config/sops/age/pub-keys.txt
   ```

2. Add the contents of `~/.config/sops/age/pub-keys.txt` to `.sops.yaml`.
3. Create the host's secrets file: `sops modules/hosts/nixos/$(hostname)/secrets.yaml`
4. Edit `modules/hosts/nixos/$(hostname)/default.nix` and add the Tailscale service and the block of config for sops.
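The following is an example added to this README of what step 4's "Tailscale service and block of config for sops" can look like; it is not the repo's own `default.nix`. It assumes the flake loads `sops-nix.nixosModules.sops` and passes `username` through `specialArgs`, and it reuses the age key path from step 1; the firewall settings are assumptions.

```nix
# modules/hosts/nixos/<hostname>/default.nix
# Example added to the README; not a file from the repo. Assumes the flake
# loads sops-nix.nixosModules.sops and passes `username` in specialArgs.
{ config, pkgs, username, ... }:
{
  imports = [ ./hardware-configuration.nix ];

  sops = {
    # The per-host file created with `sops .../secrets.yaml` in step 3.
    defaultSopsFile = ./secrets.yaml;
    # The key written by ssh-to-age in step 1. sops-nix decrypts as root
    # during activation, so it can read the user's file. An alternative
    # (not what the steps above do) is
    #   age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    # with the host key's age recipient added to .sops.yaml.
    age.keyFile = "/home/${username}/.config/sops/age/keys.txt";
    # Decrypted to /run/secrets/tailscale_key, root:root, mode 0400.
    secrets.tailscale_key = { };
  };

  services.tailscale = {
    enable = true;
    # tailscaled reads the pre-auth key from this file when it starts; the
    # key itself never enters the Nix store or the repo.
    authKeyFile = config.sops.secrets.tailscale_key.path;
    useRoutingFeatures = "client";
  };

  networking.firewall = {
    # Trust the tailnet interface and let WireGuard traffic in (assumed).
    trustedInterfaces = [ "tailscale0" ];
    allowedUDPPorts = [ config.services.tailscale.port ];
  };
}
```

Because `authKeyFile` is a runtime path rather than the key value, `nix flake check` and `nixos-rebuild` never see the pre-auth key, and rotating it is a matter of re-running `sops` on `secrets.yaml` and switching again.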