Nýx

My over-engineered NixOS flake: Desktops, laptops, servers and everything else that can run an OS.


Desktop Preview
Screenshot last updated 2024-03-19

Preface

Before you proceed, I would like to direct your attention to the credits section below, where I pay tribute to the individuals who have contributed to this project. Whether through code references, suggestions, bug reports, or simply moral support, they have my most sincere gratitude.

Disclaimer

Caution

As I physically cannot stop tinkering and messing around with my configuration, nothing in this repository (including the README and the overview sections in it) should be considered final. This is my configuration, not a framework. Do keep in mind that I make no promise of stability or support. If something breaks, that will be your responsibility. Please do not allow yourself to be fooled by the sheer amount of documentation effort that has gone into this project. This is not a public framework, and it never will be. It will receive changes, on almost a daily basis and possibly in a half-broken state.

I should also mention that almost all of the configurations contained within this repository, in some shape or form, contain age-encrypted secrets - which, to you, dear reader, means that they cannot be built and replicated successfully, at least in theory (unless you know a way to revert age encryption, in which case please let me know!). I invite you to go through the modules and countless lines of Nix I have written, but I would strongly advise against attempting to boot any of those configurations unless you are me.

There exists a resources section that I strongly encourage you to check out, which you can use to start building your own configuration. I also document some of my experiences in my nix blog for your convenience. Otherwise, please feel free to dissect this configuration and borrow bits that may appear interesting to you - but please respect my license while doing so!

To re-iterate: this is not a public framework. Please do not try to run this configuration, or to rip off specific bits. It will cause much pain and suffering in addition to robbing you of the joy of learning something by yourself. By doing so, you would have to learn my specific design choices on top of Nix/NixOS, whereas you could create something that suits your own needs.

High Level Overview

This is a high level overview of this monorepo, containing configurations for all of my machines that are currently running NixOS, or have run NixOS at some point in time. You will find below a list of my hosts and their specifications, accompanied by a somewhat maintained list of features of this configuration and my design considerations.

Repo Structure

  • flake.nix Ground zero of my system configuration. Declaring entrypoints
  • docs The documentation for my flake repository
    • notes Notes from tedious or/and under-documented processes I have gone through. More or less a blog, live at https://nyx.notashelf.dev
    • cheatsheet Useful tips that are hard to memorize, but easy to write down
  • parts/ Individual parts of my flake, powered by flake-parts
    • apps Basic executables for maintenance jobs
    • checks Additional checks to build on nix flake check
    • lib Personal library of functions and utilities
    • modules NixOS/Home-manager modules provided by my flake for both internal and public use
    • npins Additional pinned dependencies, managed via npins
    • pkgs Packages exported by my flake
    • pre-commit pre-commit hooks via git-hooks.nix
    • templates Templates for initializing new flakes. Provides some language-specific flakes
    • args.nix Args that will be shared across, or exposed by the flake
    • deployments.nix Host setups for deploy-rs, currently a work in progress
    • fmt.nix Various formatting options for nix fmt and friends
    • iso-images.nix Configurations for my home-built iso images, to be exposed in the flake schema
    • keys.nix My public keys to be shared across the flake
    • shell.nix Local devShell configurations
  • homes My personalized Home-Manager configurations.
  • hosts Per-host configurations that contain machine specific instructions and setups
  • modules Modularized NixOS configurations
    • core The core module that all systems depend on
      • common Module configurations shared between all hosts (except installers)
      • profiles Pluggable internal module system, for providing overrides based on host declarations (e.g. purpose)
      • roles A profile-like system that works through imports and ships predefined configurations
    • extra Extra modules that are rarely imported
      • shared Modules that are both shared for outside consumption, and imported by the flake itself
      • exported Modules that are strictly for outside consumption and are not imported by the flake itself
    • options Definitions of module options used by common modules
      • meta Internal, read-only module that defines host capabilities based on other options
      • device Hardware capabilities of the host
      • documentation Local module system documentation
      • system OS-wide configurations for generic software and firmware on system level
      • theme Active theme configurations ranging from QT theme to shell colors
      • usrEnv userspace exclusive configurations. E.g. lockscreen or package sets
  • secrets Agenix secrets

Notable Features

  • Flakes enabled - leans heavily into flake-exclusive features of Nix
  • All-in-one - Servers, desktops, laptops, virtual machines and anything you can think of. Managed in one place.
    • Sane Defaults - The modules attempt to bring the most sane defaults, while providing per-host toggles for conflicting choices.
    • Flexible Modules - Both Home-manager and NixOS modules allow users to retrieve NixOS or home-manager configurations from anywhere.
    • Extensive Configuration - Most desktop programs are configured out of the box and shared across hosts, with override options for per-host controls.
    • Custom extended library - An extended library for functions that help organize my system.
  • Shared Configurations - Reduces re-used boilerplate code by sharing modules and profiles across hosts.
  • Fully Modular - Utilizes NixOS' module system to avoid hard-coding any of the options.
    • Profiles & Roles - Provide serialized configuration sets and pluggables for easily changing large portions of configurations with less options and minimal imports.
    • Detached Homes - Home-manager configurations are able to be detached for non-NixOS usage.
    • Modularized Flake Design - With the help of flake-parts, the flake is fully modular: keeping my flake.nix cleaner than ever.
    • Declarative Themes - Using my theme options, profiles and wallpkgs. Everything theming is handled inside the flake.
    • Tree-wide formatting - Format files in any language with the help of devshells and treefmt-nix modules for flake-parts.
  • Declarative nftables firewall - Flexible and over-engineered[1] nftables table/chain builder abstraction for easy firewall setups.
  • Personal Installation Media - Personalized ISO images for system installation and recovery.
  • Secrets Management - Manage secrets through Agenix.
  • Opt-in Impermanence - On-demand ephemeral root using BTRFS rollbacks and impermanence.
  • Encryption Ready - Supports and actively utilizes full disk encryption.
  • Wayland First - Leaves Xorg in the past where it belongs. Everything is configured around Wayland, with Xorg only as a fallback.
  • Custom Xanmod Kernel with a wide variety of patches to strip unneeded modules.

Rules/Design Considerations

Most of those rules, so to speak, are quite obvious. However they are noted down as a favor to potential contributors, and to potential observers who wish to make sense of certain decisions that are made.

Note

Host specific design considerations will be in hosts/README.md

  • A commit should always be scoped. For example, while modifying a file in hosts/enyo, the commit would begin with hosts/enyo: followed by the description of the change.
  • alejandra is the only Nix formatter that shall be used within this repository. nixfmt and nixpkgs-fmt both advertise ugly and confusing diffs, which I dislike. Some of Alejandra's quirks (e.g. lists) can be avoided with minor additions to the code.
  • Backwards imports should be avoided wherever applicable.
  • The repository should remain modular, and enabled options must never create inconsistencies or incompatibilities between hosts. In case of an unavoidable incompatibility, the issue must be documented. If possible, trigger conditions for incompatibilities must be avoided via assertions.
  • Host-exclusive conditions must always be placed in the host's own directory. Hosts must advertise their capabilities and features in hosts/<hostname>/modules
  • with lib; must be avoided at all costs. Same goes for with builtins; which follows the same confusing pattern as with lib;. In some cases, with scopes may be accepted but only on the condition that the scope is narrow.
    • While accessing standard library functions, the call to the library must be explicit. An example of this would be: inherit (lib.modules) mkIf; instead of repeating lib.mkIf or lib.modules.mkIf every time it is used.
    • with pkgs; is fine, however its scope must be kept small. The largest scope in which it is allowed is also the smallest one possible, e.g., environment.systemPackages = with pkgs; [ ];. Anything larger than that should be avoided at all costs.
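As an added illustration of the rules above (example code written for this page, not a module from the nyx repository): a small NixOS module that keeps library access explicit through inherit (lib.<namespace>) instead of with lib;, confines with pkgs; to a single package list, and turns a documented incompatibility into a build-time assertion rather than a silently conflicting firewall. The option namespace example.firewall, the port list option and the decision to require networking.firewall.enable = false are assumptions made for this example.

```nix
# Added example for this page, not code from the nyx repository.
# Everything under `example.firewall` is a hypothetical option namespace.
{ config, lib, pkgs, ... }:
let
  # Explicit library access, as the rules require; no `with lib;`.
  inherit (lib.modules) mkIf;
  inherit (lib.options) mkOption mkEnableOption;
  inherit (lib.strings) concatMapStringsSep optionalString;
  inherit (lib.types) listOf port;

  cfg = config.example.firewall;

  # An empty set literal (`tcp dport { }`) is a syntax error in nft, so the
  # accept rule is only emitted when at least one port is configured.
  tcpAllow = optionalString (cfg.allowedTCPPorts != [ ]) ''
    tcp dport { ${concatMapStringsSep ", " toString cfg.allowedTCPPorts} } accept
  '';
in {
  options.example.firewall = {
    enable = mkEnableOption "the example nftables input filter";

    allowedTCPPorts = mkOption {
      type = listOf port;
      default = [ ];
      example = [ 22 443 ];
      description = "TCP ports reachable from any address. Everything else is dropped.";
    };
  };

  config = mkIf cfg.enable {
    # The incompatibility is documented in the message and enforced here:
    # two independently generated input policies are easy to misread, so this
    # module insists on being the only source of input rules on the host.
    assertions = [
      {
        assertion = !config.networking.firewall.enable;
        message = ''
          example.firewall ships its own input chain; set
          networking.firewall.enable = false so that rules live in one place.
        '';
      }
    ];

    networking.nftables = {
      enable = true;
      ruleset = ''
        table inet filter {
          chain input {
            type filter hook input priority 0; policy drop;
            ct state established,related accept
            ct state invalid drop
            iifname "lo" accept
            meta l4proto { icmp, ipv6-icmp } accept
            ${tcpAllow}
          }
        }
      '';
    };

    # `with pkgs;` is confined to exactly this list and nothing else.
    environment.systemPackages = with pkgs; [ nftables tcpdump ];
  };
}
```

Two practical notes. The default port list is empty and the input policy is drop, so enabling this on a remote machine without adding 22 (or whatever your SSH port is) to allowedTCPPorts locks you out on the next switch; the assertion, by contrast, fails at evaluation time (nixos-rebuild build or nix flake check), which is exactly where an incompatibility between options should surface.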

Goals/Non-goals

Goals

I have a bunch of goals that I wish to accomplish by, and while working on this repository. Those goals are:

  • Provide everything - we would like to provide modules, packages, system and home configurations all in one place
  • Modularity - we would like to never compromise on modularity, and two hosts of different purposes must never conflict.
  • Purity - --impure flag is a no-go.
  • Documentation - anything that has been done should be documented. Best-effort not guaranteed.

Non-goals

  • Full reproducibility - the repository contains secrets, therefore the setup is not fully reproducible.
  • Replicability - this configuration does not aim to, and will not serve as a framework. I make no guarantees of replicability.
  • Support - take a wild guess.
  • Stability - see above.

Host Specifications

Warning

This section may be out of date as I constantly add, remove or re-purpose my hosts across a single network. Hostnames are assigned on a per-host basis and are permanent; type and arch, on the other hand, are subject to change.

| Name | Description | Type | Arch |
| --- | --- | --- | --- |
| enyo | Day-to-day desktop workstation boasting a full AMD system | Desktop | x86_64-linux |
| prometheus | HP Pavilion with a GTX 1050 and i7-7700hq | Laptop | x86_64-linux |
| epimetheus | Twin of prometheus, features full disk encryption in addition to everything prometheus provides | Laptop | x86_64-linux |
| hermes | HP Pavilion with a Ryzen 7 7730U, and my main portable workstation. Used on-the-go | Laptop | x86_64-linux |
| icarus | My 2014 Lenovo Yoga Ideapad that acts as a portable server, used for testing hardware limitations | Laptop | x86_64-linux |
| helios | Hetzner Cloud VPS for non-critical infrastructure | Server | x86_64-linux |
| selene | Alternative Hetzner Cloud VPS to be used as an aarch64-linux builder | Server | aarch64-linux |
| atlas | Proof of concept server host that is used by my Raspberry Pi 400 | Server | aarch64-linux |
| artemis | VM host for testing basic NixOS concepts. Previously targeted aarch64-linux | VM | x86_64-linux |
| apollon | VM host for testing networked services, generally used on servers | VM | x86_64-linux |
| leto | VM host running medium-priority infrastructure inside a virtualized root server | VM | x86_64-linux |
| gaea | Custom live media, used as an installer | ISO | x86_64-linux |
| erebus | Air-gapped virtual machine/live-iso configuration for sensitive jobs | ISO | x86_64-linux |

Credits & Special Thanks

My most sincere thanks go to fufexan for convincing me to use NixOS and sticking around to answer my most stupid and deranged questions, as well as my atrocious abstractions. Without his help, I would not be able to stand where I do.

I also wish to extend my thanks to sioodmy, whose configuration mine was initially based on. Though layouts and files have since changed, the core principles and ideas remain. The simplicity of his configuration flake allowed me to take a foothold in the Nix world.

Awesome People

I was inspired by, and owe a lot to, these folks

sioodmy - fufexan - NobbZ - ViperML - spikespaz - hlissner - Max Headroom

... and surely there are more, but I tend to forget. Nevertheless, I extend my thanks to all of those people and any others that I might have forgotten.

Anti-credits

Pretend I haven't credited those people (but I will, because they are equally awesome and I appreciate them)

gerg-l (bald frog) - eclairevoyant - FrothyMarrow - adamcstephens - nrabulinski - n3oney - Raidenovich - jacekpoz - Vagahbond - vaxry

Honorable Mentions

Some of the cool people I have interacted with in the past and believe deserve a shoutout for their support or companionship. I appreciate you all. :)

fsnkty - lychee - germanbread

Cool Resources

Resources that helped shape and improve this configuration, or resources that I strongly recommend you read, in no particular order.

Interactive Pages

Readings

Blogs

Guides & Other Resources

Software

Software that helped this configuration become what it is, or software I find interesting

Linux

Nix/NixOS

Projects I have made to use in this repository, or other cool software used in this repository that I would like to endorse.

  • nyxpkgs - my personal package collection
  • nvf - highly modular Neovim configuration framework for Nix/NixOS
  • schizofox - hardened Firefox configuration for the delusional and the paranoid
  • ndg - a module documentation framework for Nix projects.

Additionally, take a look at my notes/blog for my notes on Linux, and specifically on challenging or tedious processes on Nix and NixOS. It is also available as a webpage.

License

Unless explicitly stated otherwise, all code under this repository (except for anything in docs directory) is licensed under the GPLv3, or should you prefer, under any later version of the GPL released by the FSF.

The notes and documentation available in the docs directory are licensed under the CC BY License.

Note

All code here (excluding secrets) is available for your convenience and at my expense, as I choose to keep my entire system configuration public. I believe it is in the Nix and NixOS community spirit to learn from and share code with other NixOS users. As such, if you are directly copying a section of my configuration, please include a copyright notice at the top of the file into which you import the code, or as a small comment above the section you have copied.

It is not in any shape or form enforced, but your kindness and due diligence would be highly appreciated. Please do not be one of the people who upstream my commits without any consideration to my time and efforts.


Footnotes

  1. I speak of "over-engineering" not as a flaw, but as a trait that can properly describe the time and effort that this repository has taken. After 700+ recorded hours and 4000+ commits, that is the only word that can describe this project.