• Automated update of lockfile and linting via CI & pre-commit hooks
• Declarative disk partitioning (disko)
• Full disk encryption
• Impermanence, ephemeral root in ramfs
• Secure Boot (lanzaboote)
• Secrets provisioning using a separate private repo (sops-nix)
• Remote unattended bootstrapping via SSH (nixos-anywhere)
• Carefuly crafted Wayland DE (Hyprland)
  • Components used

    • Bar: Waybar
    • Display manager: ly
    • File manager (TUI): yazi
    • Launcher: rofi
    • Notification daemon: mako
    • Terminal: foot
    • Theming: stylix

. ├─ .github/workflows/ # CI/CD for linting, flake checking and updates ├─ home/ # Home-manager configurations ├─ hosts/ # NixOS configurations │ ├─ common/ # Shared configurations │ ├─ global/ # Config shared by all hosts │ ├─ optional/ # Optional configurations │ ├─ users/ # Host-level user declaration │ ├─ calcifer/ # Desktop │ ├─ jiji/ # Headless - Serves Atuin and Navidrome │ ├─ kamaji/ # Headless - Serves Jellyin/*arr stack + Moonlight client for streaming │ ├─ noface/ # Headless - QEMU guest used for debugging/testing │ ├─ ponyo/ # Laptop ├─ lib/ # Nix utilities/helpers ├─ modules/ # Reusable, abstract pieces of config for home-manager, NixOS or both. │ ├─ common/ │ ├─ home-manager/ │ ├─ nixos/ ├─ overlays/ # Overrides/patches for some packages ├─ pkgs/ # Custom packages ├─ checks.nix # pre-commit-check config ├─ flake.nix # Entrypoint for hosts and home-manager configs └─ shell.nix # devshell for manual bootstrapping tasks (nix-shell)

1. Follow these instructions to boot NixOS minimal installer
2. Set a password for root to allow for SSH access

1. Declare the new host in this repository
2. Generate an SSH key pair that will be used as the host key, use it to encrypt the new host's secrets.
   The key will be copied and must be in a structure and permissioned as it should be on the target:

   temp=$(mktemp -d) # Don't forget to clean it up afterwards install -d -m755 "$temp/persist/etc/ssh" ssh-keygen -t ed25519 -N "" -C "<hostname>" -f "$temp/persist/etc/ssh/ssh_host_ed25519_key"

3. Push the button:

   nix run github:nix-community/nixos-anywhere#nixos-anywhere -- --extra-files "$temp" --flake /home/mydir/heim#hostname --target-host root@<hostname> 

Resources that helped me find light down this rabbit hole:

• Nix Pills
• Unmoved Centre blog posts
• NixOS & Flakes book
• How to learn Nix
• Flakes introduction

Other people's configurations that inspired me:

• Misterio77 Nix Starter Config
• hlissner's dotfiles
• EmergentMind nix-config