My NixOS configs

Find a file

Don Harper 882a95d6a7 chore \| kmscon - upstream changes		2026-06-09 23:25:23 -05:00
.git-crypt	Add 1 git-crypt collaborator	2024-01-04 21:14:40 -06:00
.vscode	Allow insecure libsoup in Citrix package import set during evaluation	2026-05-05 16:40:06 -05:00
home	task \| topgrade - add ~/.password-store to git repos	2026-06-09 22:20:38 -05:00
hosts	chore \| kmscon - upstream changes	2026-06-09 23:25:23 -05:00
modules	task \| add password-store	2026-05-30 21:57:27 -05:00
nixos-anywhere	Squash merge testing into main	2026-01-06 23:27:49 -06:00
overlays	task \| format	2026-05-29 14:48:56 -05:00
pkgs	theme - formating	2024-09-01 10:30:16 -05:00
src	chore \| rm old citrix	2026-06-02 06:29:03 -05:00
.gitattributes	hosts/* \| unencrypt */tailscale.nix	2025-11-24 21:10:07 -06:00
.gitignore	task \| update .gitignore	2026-05-28 18:56:34 -05:00
.sops.yaml	inital support for sops + fomating	2025-11-11 20:24:00 -06:00
deploy-host	task \| nix-anywhere - further fixes	2025-01-29 19:47:50 -06:00
flake.lock	chore \| Update flake.lock	2026-05-28 06:54:41 -05:00
flake.nix	task \| fixes, comment out pi servers	2026-05-29 14:46:49 -05:00
iso.nix	task \| reformatted with nixfmt	2024-12-13 11:50:29 -06:00
justfile	Apply all pending changes excluding .sops.yaml	2026-05-05 14:20:58 -05:00
LICENSE	Initial commit	2022-08-10 16:59:30 -05:00
README.md	Apply all pending changes excluding .sops.yaml	2026-05-05 14:20:58 -05:00
secrets.yaml	chore \| update smtp info	2026-02-25 23:02:35 -06:00
TODO.md	Allow insecure libsoup in Citrix package import set during evaluation	2026-05-05 16:40:06 -05:00

README.md

NixOS-Configs

My NixOS system configurations managed with Nix flakes, home-manager, and colmena for multi-host deployment.

Overview

This repository contains NixOS configurations for multiple hosts including workstations, servers, and Raspberry Pi systems. It uses:

Nix Flakes for reproducible builds and dependency management
home-manager for user environment configuration
colmena for multi-host deployment
sops-nix for secrets management
Role-based configuration for modular host setup

Host Categories

Workstations

loki - Framework AMD AI 300 (primary development machine)
book - Google Pixelbook 2017
dragon - Custom workstation
ace - Acer C720
eve - Google Pixelbook 2017 (eMMC)
pocket2 - Mobile workstation
smaug - ThinkPad x260

Servers

w1 - Hetzner VPS
fred - Acer server
harper - Server
harper2 - Server
nuwww - Web server
www2 - Web server
pihole - Pi-hole server

Raspberry Pi Systems

pi1 - Raspberry Pi
display - Pi 4 with kiosk display

Virtual Machines

vm - Generic VM
vm1 - VM configuration

Quick Start

Prerequisites

Nix with flakes enabled
Age key for secrets decryption (see secrets section)

Building a Host

# Test build without installing
just test <hostname>

# Apply configuration to host
just switch <hostname>

# Apply and reboot
just bootswitch <hostname>

Updating

# Update flake.lock
just update

# Apply updates to all hosts
just world

Available Commands

just test <host> - Build and validate configuration
just switch <host> - Apply configuration
just boot <host> - Apply configuration for next boot
just world - Deploy to all hosts
just workstation - Deploy to workstation hosts
just server - Deploy to server hosts
just web - Deploy to web hosts
just clean <host> - Clean old generations and optimize store
just update - Update flake.lock
just format - Format Nix code

Configuration Structure

Host Configuration

Each host in hosts/<hostname>/ follows this pattern:

{
  imports = [ ../templates/workstation.nix ];  # Base template
  
  networking.hostName = "hostname";
  variables.address = "100.72.x.x";  # Tailscale IP
  
  roles = {
    gui.enable = true;
    games.enable = true;
    wm = "sway";
  };
}

Roles

Hosts are configured using role-based modules:

gui - Graphical user interface packages
games - Gaming packages and Steam
citrix - Citrix Workspace client
zoom - Zoom client
kvm - Virtualization support
kmscon - Console improvements
auto-cpufreq - CPU power management

Window Managers

sway - Wayland compositor (default for workstations)
gnome - GNOME desktop environment

Home Manager

User configurations are managed separately:

home/common/ - Common packages and settings for all users
home/gui/ - GUI-specific user configuration
home/work/ - Work-related packages and settings

Secrets Management

Secrets are encrypted using sops-nix with Age keys.

Setup

Generate Age key pair:

nix run nixpkgs#age -- -generate-keypair

Add public key to .sops.yaml:

keys:
  - &host_<name> <public_key>
creation_rules:
  - path_regex: secrets.yaml$
    key_groups:
      - age:
        - *host_<name>

Encrypt secrets:

sops --encrypt secrets.yaml > secrets.yaml.enc

Usage in Configuration

# In host configuration
sops.secrets."service/password".path

Development

Adding a New Host

Create hosts/<hostname>/default.nix
Add hardware configuration if needed
Import appropriate template (workstation.nix, server.nix, etc.)
Configure roles and variables
Add to flake.nix outputs
Test with just test <hostname>

Template Types

hosts/templates/workstation.nix - Full desktop/workstation
hosts/templates/server.nix - Server configuration
hosts/templates/pi-server.nix - Raspberry Pi server

Code Quality

Format code: just format
Check configuration: nix flake check
Validate secrets: Ensure .sops.yaml has correct public keys

Troubleshooting

Common Issues

Build fails: Check nix flake show for syntax errors
Secrets not found: Verify Age key is in ~/.config/sops/age/keys.txt
Network issues: Check Tailscale connectivity
Home manager conflicts: Remove backup files: locate home-manager-backup | xargs rm

Logs

Build logs are saved to nixos-switch.log. Check this file for detailed error information.

Contributing

Test changes on a single host first
Update documentation for new features
Clean up FIXME/DELME comments
Format code before committing