{"id":25478323,"url":"https://github.com/phdenzel/nix-config","last_synced_at":"2026-05-07T05:34:52.520Z","repository":{"id":270157420,"uuid":"909026040","full_name":"phdenzel/nix-config","owner":"phdenzel","description":"My Nix(OS) configuration flake for all my machines featuring home-manager, sops, and all the good nix stuff... ","archived":false,"fork":false,"pushed_at":"2025-02-17T15:16:23.000Z","size":881,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-17T16:27:34.897Z","etag":null,"topics":["bashrc","emacs","home-manager","nix","nixos","server","sops-nix","vm","workstation","zshrc"],"latest_commit_sha":null,"homepage":"","language":"Nix","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/phdenzel.png","metadata":{"files":{"readme":"README.org","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-12-27T15:10:04.000Z","updated_at":"2025-02-17T15:16:27.000Z","dependencies_parsed_at":"2025-01-19T18:31:55.533Z","dependency_job_id":"2d270850-9fae-4413-a05b-adf9ceca743b","html_url":"https://github.com/phdenzel/nix-config","commit_stats":null,"previous_names":["phdenzel/nix-config"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phdenzel%2Fnix-config","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phdenzel%2Fnix-config/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phdenzel%2Fnix-config/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phdenzel%2Fnix-config/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/phdenzel","download_url":"https://codeload.github.com/phdenzel/nix-config/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239488657,"owners_count":19647249,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bashrc","emacs","home-manager","nix","nixos","server","sops-nix","vm","workstation","zshrc"],"created_at":"2025-02-18T14:31:24.772Z","updated_at":"2026-05-07T05:34:52.511Z","avatar_url":"https://github.com/phdenzel.png","language":"Nix","funding_links":[],"categories":[],"sub_categories":[],"readme":"#+AUTHOR: phdenzel\n#+TITLE: nix-config\n#+DATE: 2025-01-05 Sun\n#+OPTIONS: author:nil title:t date:nil timestamp:nil toc:nil num:nil \\n:nil\n\nNixOS flake configuration for all my machines.  These instructions\nassume that ~just~ is installed.  If not, inspect the ~justfile~ and\nrun the underlying commands directly.\n\n** Machines\n\n| Host       | Role                  | Arch          |\n|------------+-----------------------+---------------|\n| ~phinix~   | Workstation           | x86_64-linux  |\n| ~sol~      | AMD AI NUC            | x86_64-linux  |\n| ~fenrix~   | Lenovo laptop         | x86_64-linux  |\n| ~ygdrasil~ | NAS server            | x86_64-linux  |\n| ~idun~     | VM (config dev)       | x86_64-linux  |\n| ~heimdall~ | Raspberry Pi          | aarch64-linux |\n\n\n** Build images\n\n#+begin_src bash\n  just build \u003cmy-image\u003e\n#+end_src\n\nAvailable images:\n- ~iso~: minimal x86_64 installer image (contains this repository)\n- ~rpi~: minimal NixOS image for Raspberry Pi SD cards\n \nA symlink ~./result/~ will appear pointing to the built image.\n \nFor cross-platform (e.g. Raspberry Pi) builds, enable system emulation on the build host:\n#+begin_src nix\n  boot.binfmt.emulatedSystems = [\"aarch64-linux\"];\n#+end_src\n \nFlash to a USB stick:\n#+begin_src bash\n  just flash /dev/sdX\n#+end_src\n \nFlash to an SD card:\n#+begin_src bash\n  just flash-sd /dev/sdX\n#+end_src\n\n\n** Fresh install from ISO\n \n*** Overview\n \nThe ISO contains no secret keys. All sensitive keys (AGE decryption\nkey, SSH key registered with GitHub) must be copied onto the booted\nISO session from a trusted machine before running the installer.\n \nThe full flow is:\n \n1. Build and flash the ISO\n2. Boot the target machine from the USB\n3. From a trusted host, push keys onto the ISO session\n4. Run the installer (via SSH or directly on the machine)\n\n   \n**** Boot the ISO\n \nBoot the target machine from the flashed USB. The ISO starts an SSH\nserver automatically. Root login is permitted and authorized keys from\nexisting machines are already embedded.\n \nFind the machine's IP (with e.g. ~ip -c a~) and verify access:\n#+begin_src bash\n  ssh root@\u003ctarget-ip\u003e\n#+end_src\n\n\n**** Keys from a trusted host\n \nThe following commands are run *from a trusted machine* (e.g. ~phinix~ or\n~sol~), not from inside the ISO session.\n \nPush the AGE decryption key so that sops-nix can decrypt\n~secrets.yaml~ during install:\n#+begin_src bash\n  just send-age-keys \u003ctarget-ip\u003e\n#+end_src\n \nPush the SSH key registered with GitHub so that Nix can fetch private\nflake inputs (e.g. ~phd-wallpapers~) during install:\n#+begin_src bash\n  just send-ssh-keys \u003ctarget-ip\u003e\n#+end_src\n \n\n**** Run the installer\n \nSSH into the ISO session:\n#+begin_src bash\n  ssh root@\u003ctarget-ip\u003e\n#+end_src\n \nThe repository should already be present at ~/home/nixos/nix-config~.\nIf not, clone it:\n#+begin_src bash\n  git clone https://github.com/phdenzel/nix-config.git\n#+end_src\n \nRun the installer:\n#+begin_src bash\n  cd nix-config\n  nix-shell -p just\n  just install \u003cmachine\u003e\n#+end_src\n \nThis command will:\n1. Run ~disko~ to partition and format the disk (if not already done; caution: wipes all disks)\n2. Generate ~hardware-configuration.nix~\n3. Copy the repository and AGE keys into ~/mnt/root/~\n4. Run ~nixos-install~\n\n\n**** Register the new host with sops (post-install)\n \nAfter first boot on the newly installed machine, derive its AGE key\nfrom the host SSH key and add it to ~.sops.yaml~:\n#+begin_src bash\n  just host-age-key \u003cmachine\u003e\n#+end_src\n \nThen re-encrypt all secrets files so the new host can decrypt them:\n#+begin_src bash\n  just update-secrets\n#+end_src\n \nApply the configuration with the re-encrypted secrets:\n#+begin_src bash\n  just rbs \u003cmachine\u003e\n#+end_src\n \nWithout this step, any sops secret declared in the host configuration\nwill fail to decrypt on the new machine.\n\n\n** Rebuild an existing NixOS installation\n \nLog in and pull the latest configuration:\n#+begin_src bash\n  cd nix-config\n  git pull\n#+end_src\n \nRebuild and switch:\n#+begin_src bash\n  just rbs \u003cmachine\u003e\n#+end_src\n \nOr equivalently:\n#+begin_src bash\n  sudo nixos-rebuild switch --flake .#\u003cmachine\u003e\n#+end_src\n\n\n** Secrets management\n \nSecrets are managed with [[https://github.com/Mic92/sops-nix][sops-nix]] using AGE encryption.\n \nEach host decrypts secrets using its own host SSH key\n(~/etc/ssh/ssh_host_ed25519_key~). The corresponding AGE public key\nfor each host must be listed in ~.sops.yaml~ under ~hosts~, and all\nsecrets files must be re-encrypted whenever hosts are added or\nremoved.\n \nThe personal AGE key lives at ~~/.config/sops/age/keys.txt~ and is the\nkey used during development to edit secrets directly with ~sops~.\n \nTo add a new secret key to a host configuration, declare it in the\nhost's ~sops-host~ block:\n#+begin_src nix\n  sops-host = {\n    enable = true;\n    keys = [ \"my-service/some-key\" ];\n  };\n#+end_src\n \nWithout this declaration,\n~config.sops.secrets.\"my-service/some-key\".path~ will be an error at\nevaluation time even if the key exists in ~secrets.yaml~.\n \nTo edit secrets interactively:\n#+begin_src bash\n  sops hosts/secrets.yaml\n  sops home/phdenzel/secrets.yaml\n#+end_src\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphdenzel%2Fnix-config","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fphdenzel%2Fnix-config","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphdenzel%2Fnix-config/lists"}