{"id":16705548,"url":"https://github.com/storopoli/flakes","last_synced_at":"2025-10-31T09:30:23.891Z","repository":{"id":205881871,"uuid":"714713505","full_name":"storopoli/flakes","owner":"storopoli","description":"NixOS/MacOS Nix Minimalist-Hardened-Privacy-oriented Configs","archived":true,"fork":false,"pushed_at":"2024-06-03T17:12:54.000Z","size":16548,"stargazers_count":51,"open_issues_count":1,"forks_count":5,"subscribers_count":0,"default_branch":"main","last_synced_at":"2024-10-27T12:09:55.841Z","etag":null,"topics":["dotfiles","flakes","macos","nix","nixos"],"latest_commit_sha":null,"homepage":"","language":"Nix","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/storopoli.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"storopoli"}},"created_at":"2023-11-05T16:58:03.000Z","updated_at":"2024-10-20T20:06:09.000Z","dependencies_parsed_at":"2024-10-12T19:30:56.286Z","dependency_job_id":"2274eaa3-09a4-4588-86bd-e96866aab289","html_url":"https://github.com/storopoli/flakes","commit_stats":null,"previous_names":["storopoli/flakes"],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/storopoli%2Fflakes","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/storopoli%2Fflakes/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/storopoli%2Fflakes/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/storopoli%2Fflakes/manifests","owner_url":"https://repo
s.ecosyste.ms/api/v1/hosts/GitHub/owners/storopoli","download_url":"https://codeload.github.com/storopoli/flakes/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239157151,"owners_count":19591265,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dotfiles","flakes","macos","nix","nixos"],"created_at":"2024-10-12T19:30:47.282Z","updated_at":"2025-10-31T09:30:22.597Z","avatar_url":"https://github.com/storopoli.png","language":"Nix","funding_links":["https://github.com/sponsors/storopoli"],"categories":[],"sub_categories":[],"readme":"# NixOS/macOS Flake\n\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)\n\n\u003e \"A man and his tools make a man and his trade\"\n\u003e\n\u003e -Vita Sackville-West\n\n\u003e \"We shape our tools and then the tools shape us\"\n\u003e\n\u003e -Winston Churchill\n\nThese are my NixOS/macOS Nix setup.\n\n| NixOS                                                     | macOS                                                   |\n| --------------------------------------------------------- | ------------------------------------------------------- |\n| \u003cimg src=\"screenshots/linux.png\" width=\"350\" alt=\"macOS\"\u003e | \u003cimg src=\"screenshots/mac.png\" width=\"350\" alt=\"NixOS\"\u003e |\n\n## Common Features\n\n- User environment and dotfiles management with\n  [`home-manager`](https://github.com/nix-community/home-manager).\n- CLI-ready workflow with\n  [`fish`](https://github.com/fish-shell/fish-shell),\n  
[`tmux`](https://github.com/tmux/tmux),\n  [`zellij`](https://zellij.dev),\n  [`git`](https://git-scm.com/),\n  [`fish`](https://fishshell.com/),\n  [`gpg`](https://gnupg.org/),\n  [`ssh`](https://www.openssh.com/),\n  [`curl`](https://curl.se/),\n  [`rsync`](https://rsync.samba.org/),\n  and power tools like\n  [`bat`](https://github.com/sharkdp/bat),\n  [`zoxide`](https://github.com/ajeetdsouza/zoxide),\n  [`bottom`](https://clementtsang.github.io/bottom),\n  [`fzf`](https://github.com/junegunn/fzf),\n  [`yazi`](https://yazi-rs.github.io/),\n  [`ripgrep`](https://github.com/BurntSushi/ripgrep),\n  [`jq`](https://jqlang.github.io/jq/),\n  [`just`](https://just.systems/),\n  [`lazygit`](https://github.com/jesseduffield/lazygit),\n  [`lazydocker`](https://github.com/jesseduffield/lazydocker),\n  [`gh`](https://cli.github.com/),\n  [`gh-dash`](https://github.com/dlvhdr/gh-dash),\n  and more...\n- Developer-ready languages:\n  [Nix](https://nixos.org/),\n  [Rust](https://rust-lang.org/),\n  [Lua](https://lua.org),\n  and [Python](https://python.org/).\n- Easy to develop environments with\n  [`nix-shell`](https://nixos.org/manual/nix/stable/command-ref/nix-shell.html)\n  [`direnv`](https://direnv.net/),\n  and [`devshell`](https://numtide.github.io/devshell/).\n  You can put your [soydev](https://storopoli.io/2023-11-10-2023-11-13-soydev/)\n  TypeScript/JavaScript/NodeJS stuff here.\n  Check the [recipes for several Nix shells](https://gist.github.com/storopoli/97e6f0b2e177722fcb3b7fbe5275fbe5).\n- Text editor with [Vim](https://www.vim.org/)/[NeoVim](https://neovim.io)\n  and [Helix](https://helix-editor.com) enabled with the following\n  [LSP](https://langserver.org/)s:\n\n  - [`nil`](https://github.com/oxalica/nil): Nix\n  - [`bash-language-server`](https://github.com/bash-lsp/bash-language-server): Bash, Fish, Zsh, shell scripts, etc.\n  - [`rust-analyzer`](https://rust-analyzer.github.io/): Rust\n  - [`taplo`](https://taplo.tamasfe.dev/): TOML\n  - 
[`yaml-language-server`](https://github.com/redhat-developer/yaml-language-server): YAML\n  - [`pyright`](https://github.com/microsoft/pyright): Python\n  - [`ruff-lsp`](https://github.com/astral-sh/ruff-lsp): Python\n  - [`marksman`](https://github.com/artempyanykh/marksman): Markdown\n  - [`vscode-langservers-extracted`](https://github.com/hrsh7th/vscode-langservers-extracted): HTML, CSS, and JSON\n  - [`typst-lsp`](https://github.com/nvarner/typst-lsp): [Typst](https://typst.app)\n\n- [Catppuccin](https://catppuccin.com) Mocha theme everywhere.\n- Archival tools:\n  [`gzip`](https://www.gnu.org/software/gzip/),\n  [`xz`](https://tukaani.org/xz/),\n  `zip`,\n  [`lz4`](https://github.com/lz4/lz4),\n  [`p7zip`](https://7-zip.org/),\n  and [`zstd`](https://facebook.github.io/zstd/).\n- CLI entertainment tools:\n  [`yt-dlp`](https://github.com/yt-dlp/yt-dlp),\n  [`termusic`](https://github.com/tramhao/termusic),\n  [`ncspot`](https://github.com/hrkfdn/ncspot),\n  and [`ffmpeg`](https://ffmpeg.org/).\n- Publishing and content CLI tools:\n  [`qpdf`](https://github.com/qpdf/qpdf),\n  [`pandoc`](https://pandoc.org/),\n  [`graphicsmagick`](http://www.graphicsmagick.org/),\n  [`tectonic`](https://tectonic-typesetting.github.io/),\n  and [`typst`](https://typst.app/).\n- `age`-encrypted secrets with [`ryantm/agenix`](https://github.com/ryantm/agenix)\n  with YubiKey support.\n  Check the [`secrets/README.md`](secrets/README.md) for details.\n- Apps:\n\n  - Hardened browser\n    with [Tor Browser](https://www.torproject.org/)\n    also available\n  - Bitcoin tools such as [Sparrow wallet](https://sparrowwallet.com/)\n    and [Bisq](https://bisq.network/)\n  - Encrypted backup tool with [Cryptomator](https://cryptomator.org/)\n  - [Signal messenger](https://signal.org/)\n  - Torrenting with [Transmission](https://transmissionbt.com/)\n  - Offline password manager with [KeePassXC](https://keepassxc.org/)\n  - Screen Recorder with [OBS Studio](https://obsproject.com/)\n\n## 
NixOS\n\nThis is a paranoid build with root on `tmpfs`.\nThis means that everything outside of some directories of `/etc`\nand some directories of `/home` will be wiped out on every reboot.\nRead more about this in the [NixOS Paranoid Guide](https://xeiaso.net/blog/paranoid-nixos-2021-07-18)\n(this is also a good source: [NixOS `tmpfs` as `/home`](https://elis.nu/blog/2020/06/nixos-tmpfs-as-home/)).\n\n### Features\n\n- Hardened Kernel Boot Parameters:\n  Based on this [guide](https://dataswamp.org/~solene/2022-01-13-nixos-hardened.html),\n  and also on [`secureblue`](https://github.com/secureblue/secureblue):\n\n  - Use the memory allocator `scudo`, protecting against some buffer overflow exploits\n  - Prevent kernel modules from being loaded after boot\n  - Protect against rewriting the kernel image\n  - Increase containers/virtualization protection at a performance cost (L1 flush or page table isolation)\n  - AppArmor is enabled by default\n  - Many filesystem modules are forbidden because they are old, rare, or not audited enough\n  - Firewall: block any incoming traffic\n  - `clamav` antivirus\n  - `firejail`: run programs in a sandbox that restricts their permissions and rights.\n    This is especially important for web browsers, because it denies them any\n    access to the filesystem except `~/Downloads` and a few required directories\n    (local profile, `/etc/resolv.conf`, font cache, etc.).\n    The following packages/binaries are hardened with `firejail`:\n\n    - `chromium`\n    - `tor-browser`\n    - `signal-desktop`\n    - `keepassxc`\n    - `mpv`\n    - `transmission-gtk`\n\n- [bcachefs filesystem](https://bcachefs.org)\n- [Secure Boot](https://en.wikipedia.org/wiki/UEFI#Secure_Boot)\n- [`Hyprland`](https://github.com/hyprwm/Hyprland) Wayland window manager:\n\n  - [`Waybar`](https://github.com/Alexays/Waybar) status bar.\n  - [`Nemo`](https://github.com/linuxmint/nemo) file manager.\n  - [`Rofi-wayland`](https://github.com/lbonn/rofi) application launcher.\n  - 
[`Mako`](https://github.com/emersion/mako) notification daemon.\n  - [`Swaylock-effects`](https://github.com/mortie/swaylock-effects) screen locker.\n  - [`NetworkManager`](https://networkmanager.dev/) network management tool.\n  - [`Nerdfonts`](https://github.com/ryanoasis/nerd-fonts).\n\n- Apps:\n\n  - [`foot`](https://codeberg.org/dnkl/foot)\n  - hardened [`chromium`](https://www.chromium.org/) with `firejail`\n  - Docker and Linux VMs with [Podman](https://podman.io/) and [QEMU](https://www.qemu.org/)\n\n- VPN support with [`wireguard`](https://www.wireguard.com/)\n- Keyboard customizations with [`keyd`](https://github.com/rvaiya/keyd):\n  Caps Lock as Escape (if tapped) and Control (if held).\n- Easy and automated disk partitioning with [`disko`](https://github.com/nix-community/disko).\n\n### How to Install\n\n\u003e Before starting, remember to enable a BIOS password.\n\u003e And disable Secure Boot.\n\nAs root:\n\n1. Prepare a\n   [64-bit NixOS 23.11 minimal iso image](https://channels.nixos.org/nixos-23.11/latest-nixos-minimal-x86_64-linux.iso)\n   or [64-bit NixOS unstable minimal iso image](https://channels.nixos.org/nixos-unstable/latest-nixos-minimal-x86_64-linux.iso)\n   and burn it, then enter the live system.\n   Suppose I have divided two partitions: `/dev/nvme0n1p1` and `/dev/nvme0n1p2`\n\n1. Format the partitions:\n\n   ```bash\n   mkfs.fat -F 32 /dev/nvme0n1p1\n   mkfs.ext4 /dev/nvme0n1p2 # or use LUKS with cryptsetup luksFormat /dev/nvme0n1p2 encryptedroot\n   ```\n\n   or use the [`disko` script for bcachefs with LUKS](linux/disko.nix)\n   (don't forget to clone the repo first):\n\n   ```bash\n   nix run github:nix-community/disko -- --mode disko linux/filesystem/\u003chostname\u003e/disko.nix\n   # verify the mount\n   mount | grep /mnt\n   # you may need to skip some commands in the next \"mount\" step\n   ```\n\n1. 
Mount:\n\n   ```bash\n   mount -t tmpfs none /mnt\n   mkdir -p /mnt/{boot,nix,etc/nixos}\n   mount /dev/nvme0n1p2 /mnt/nix # or LUKS with mount /dev/mapper/encryptedroot /mnt/nix\n   mount /dev/nvme0n1p1 /mnt/boot\n   mkdir -p /mnt/nix/persist/etc/nixos\n   mount -o bind /mnt/nix/persist/etc/nixos /mnt/etc/nixos\n   ```\n\n1. Generate a basic configuration:\n\n   ```bash\n   nixos-generate-config --root /mnt\n   ```\n\n1. Clone the repository locally:\n\n   ```bash\n   nix-shell -p git\n   # recursive for git submodules\n   git clone --recursive https://github.com/storopoli/flakes.git /mnt/etc/nixos/flakes\n   cd /mnt/etc/nixos/flakes/\n   nix develop --extra-experimental-features \"nix-command flakes\" --extra-experimental-features flakes\n   ```\n\n1. If you want Secure Boot, now is the time that you\n   [should create your keys](#step-1-create-your-keys).\n\n1. Migrate all the custom `hardware-configuration.nix` from `/mnt/etc/nixos`\n   into `/mnt/etc/nixos/flakes/linux/system.nix` and `/mnt/etc/nixos/flakes/linux/filesystem.nix`:\n\n   ```bash\n   vi /mnt/etc/nixos/flakes/linux/system.nix\n   ```\n\n   ```nix\n   ...\n   # This is just an example\n   # Please refer to `https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/#step-4-1-configure-disks`\n\n     fileSystems.\"/\" =\n       { device = \"none\";\n         fsType = \"tmpfs\";\n         options = [ \"defaults\" \"size=12G\" \"mode=755\"  ];\n       };\n\n     fileSystems.\"/nix\" =\n       { device = \"/dev/disk/by-uuid/49e24551-c0e0-48ed-833d-da8289d79cdd\";\n         fsType = \"ext4\";\n       };\n\n     fileSystems.\"/boot\" =\n       { device = \"/dev/disk/by-uuid/3C0D-7D32\";\n         fsType = \"vfat\";\n       };\n\n     fileSystems.\"/etc/nixos\" =\n       { device = \"/nix/persist/etc/nixos\";\n         fsType = \"none\";\n         options = [ \"bind\" ];\n       };\n   ...\n   ```\n\n1. remove `/mnt/etc/nixos/flakes/.git`:\n\n   ```bash\n   rm -rf .git\n   ```\n\n1. 
Username modification: edit `user` in `/mnt/etc/nixos/flakes/flake.nix`,\n   `/mnt/etc/nixos/flakes/linux/default.nix`,\n   and `/mnt/etc/nixos/flakes/linux/wayland.nix`;\n   hostname modification: edit `/mnt/etc/nixos/flakes/common/default.nix`\n   to modify the **hostName** value in the **networking** property group\n\n1. Use the hash password generated by the `mkpasswd {PASSWORD} -m sha-512`\n   command to replace the value of `users.users.\u003cname\u003e.hashedPassword` in\n   `/mnt/etc/nixos/flakes/linux/default.nix`\n   (there are two places to be edited)\n\n1. Perform install:\n\n   ```bash\n   nixos-install --no-root-passwd --flake .#laptop\n   ```\n\n1. Reboot\n\n   ```bash\n   reboot\n   ```\n\n1. If you want Secure Boot, now is the time that you\n   [should continue the setup](#step-2-enabling-secure-boot).\n\n1. Enjoy it!\n\n#### OPTIONAL: Secure Boot\n\n\u003e Based on the\n\u003e [Quickstart Guide from `lanzaboote`](https://github.com/nix-community/lanzaboote/blob/master/docs/QUICK_START.md)\n\n##### Step 1: Create your Keys\n\n1. Verify if the ESP is mounted at `/boot`: `bootctl status`\n\n1. Create your keys with `sbctl`\n   (available in the Flake shell, i.e. `nix develop .`)\n\n   ```bash\n   $ sudo sbctl create-keys\n   [sudo] password for user:\n   Created Owner UUID 8ec4b2c3-dc7f-4362-b9a3-0cc17e5a34cd\n   Creating secure boot keys...✓\n   Secure boot keys created!\n   ```\n\n   When it is done, your Secure Boot keys are located in `/etc/secureboot`.\n   `sbctl` sets the permissions of the secret key so that only root can read it.\n\n##### Step 2: Enabling Secure Boot\n\n1. 
Rebuild your system and check the `sbctl verify` output:\n\n   ```bash\n   $ sudo sbctl verify\n   Verifying file database and EFI images in /boot...\n   ✓ /boot/EFI/BOOT/BOOTX64.EFI is signed\n   ✓ /boot/EFI/Linux/nixos-generation-355.efi is signed\n   ✓ /boot/EFI/Linux/nixos-generation-356.efi is signed\n   ✗ /boot/EFI/nixos/0n01vj3mq06pc31i2yhxndvhv4kwl2vp-linux-6.1.3-bzImage.efi is not signed\n   ✓ /boot/EFI/systemd/systemd-bootx64.efi is signed\n   ```\n\n   It is expected that the files ending with `bzImage.efi` are not signed.\n\n1. Enable Secure Boot.\n   On Framework Laptops:\n\n   1. Select \"Administer Secure Boot\"\n   1. Select \"Erase all Secure Boot Settings\"\n   1. When you are done, press `F10` to save and exit.\n\n   On ASUS Desktop Motherboards, there is no explicit option to enter Setup Mode.\n   Instead, choose the option to erase the existing Platform Key.\n\n##### Step 3: Enrolling Keys\n\nOnce you've booted your system into NixOS again,\nyou have to enroll your keys to activate Secure Boot.\n\n```bash\n$ sudo sbctl enroll-keys --microsoft\nEnrolling keys to EFI variables...\nWith vendor keys from microsoft...✓\nEnrolled keys to the EFI variables!\n```\n\nFinally, reboot and check that Secure Boot is activated and in user mode:\n\n```bash\n$ bootctl status\nSystem:\n      Firmware: UEFI 2.70 (Framework 3.03)\n Firmware Arch: x64\n   Secure Boot: enabled (user)\n  TPM2 Support: yes\n  Boot into FW: supported\n```\n\n### How to Update\n\n1. First, update the inputs in the `flake`:\n\n   ```bash\n   # update the specified input\n   nix flake lock --update-input \u003cfoo\u003e \u003cfoo\u003e\n   # or update all inputs\n   nix flake update\n   # also you can reclaim storage with\n   nix-collect-garbage -d\n   ```\n\n1. 
Then, rebuild and switch to the system after rebuild:\n\n   ```bash\n   doas nixos-rebuild boot --flake .#\u003chostname\u003e\n   ```\n\n### Wireguard VPN Configs\n\n\u003e Sources: [manpage of `wg-quick`](https://manpages.debian.org/unstable/wireguard-tools/wg-quick.8.en.html),\n\u003e [Mullvad WireGuard on Linux terminal](https://mullvad.net/en/help/easy-wireguard-mullvad-setup-linux/)\n\u003e [IVPN Autostart WireGuard in systemd](https://www.ivpn.net/knowledgebase/linux/linux-autostart-wireguard-in-systemd/),\n\u003e and [IVPN WireGuard Kill Switch](https://www.ivpn.net/knowledgebase/linux/linux-wireguard-kill-switch/)\n\nFor the extra paranoid, you can use VPNs without installing their apps.\nYou will need [WireGuard](https://www.wireguard.com/).\n\n1. Create your configuration in `/etc/wireguard/wg0.conf`.\n   You can also name `wg0.conf` whatever you want.\n   Any free-form string `[a-zA-Z0-9_=+.-]{1,15}` will work.\n   These configs are generally provided by your VPN provider.\n   They generally look something like this:\n\n   ```shell\n   [Interface]\n   PrivateKey = abcdefghijklmnopqrstuvwxyz0123456789=\n   Address = x.y.z.w/32\n   DNS = x.y.z.w\n   [Peer]\n   PublicKey = abcdefghijklmnopqrstuvwxyz0123456789=\n   Endpoint = sub.wg.domain.tld:9999\n   AllowedIPs = 0.0.0.0/0\n   ```\n\n1. Add \"kill switch\" configs.\n   Add the following two lines to the `[Interface]` section,\n   just before the `[Peer]` section:\n\n   ```shell\n   PostUp  = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT \u0026\u0026 ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT\n   PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT \u0026\u0026 ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! 
--dst-type LOCAL -j REJECT\n   ```\n\n   You may get a problem to connect to your local network.\n   You can modify the kill switch,\n   so it includes an exception for your local network,\n   for example `! -d 192.168.1.0/24`:\n\n   ```shell\n   PostUp  = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT \u0026\u0026 ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT\n   PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT \u0026\u0026 ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT\n   ```\n\n1. Make sure that you have the correct permissions, so only `root` can read them:\n\n   ```bash\n   sudo chown root:root -R /etc/wireguard \u0026\u0026 sudo chmod 600 -R /etc/wireguard\n   ```\n\n1. Start the WireGuard connection with:\n\n   ```bash\n   sudo wg-quick up wg0\n   # to disconnect\n   sudo wg-quick down wg0\n   ```\n\n#### Autostart WireGuard in `systemd`\n\nIf you are using a Linux distribution that comes with `systemd`,\nyou can autostart a WireGuard connection with:\n\n```bash\nsudo systemctl enable wg-quick@wg0.service\nsudo systemctl daemon-reload\nsudo systemctl start wg-quick@wg0\n```\n\nTo check status: `sudo systemctl status wg-quick@wg0`\n\nTo remove the service and clean up the system:\n\n```bash\nsudo systemctl stop wg-quick@wg0\nsudo systemctl disable wg-quick@wg0.service\nsudo rm -i /etc/systemd/system/wg-quick@wg0*\nsudo systemctl daemon-reload\nsudo systemctl reset-failed\n```\n\n#### Testing the Kill Switch\n\nOne way to test a down tunnel is to delete the IP address from the WireGuard network interface,\nlike this via the Terminal:\n\n```bash\nsudo ip a del [IP address] dev [interface]\n```\n\nIn this example, it’s possible to remove `x.y.z.w` from the `wg0` 
interface:\n\n```bash\nsudo ip a del x.y.z.w/32 dev wg0\n```\n\nThe `PostUp` iptables rule from above restricts all traffic to the tunnel,\nso every attempt to send traffic outside the tunnel fails.\nTo gracefully recover from this,\nyou will likely have to use the `wg-quick` command to take the connection down,\nthen bring it back up.\n\n## macOS\n\nThe macOS configs are minimalist in approach\nand geared towards enhancing security and privacy.\nThey use the best practices described in the\n[MacOS Hardening Guide](https://github.com/ataumo/macos_hardening)\nand the\n[MacOS Security and Privacy Guide](https://github.com/drduh/macOS-Security-and-Privacy-Guide).\n\n### Why not Homebrew?\n\nHonestly, Homebrew is Ruby bloatware.\nIt is slow, non-reproducible, and a mess to maintain.\n\nNix is superior in every way.\nIt is fast as fuck,\nand it is 100% reproducible.\nMigrating to new hardware or rebuilding old hardware after a wipe is a breeze.\n\n### Features\n\n- Tiling window manager with\n  [Rectangle](https://github.com/rxhanson/Rectangle).\n- Status Bar with [stats](https://github.com/exelban/stats)\n\n- Apps:\n\n  - [Alacritty](https://alacritty.org/)\n  - Keyboard customization with [Karabiner-Elements](https://karabiner-elements.pqrs.org/):\n    Caps Lock as Escape (if tapped) and Control (if held).\n  - [Android file transfer](https://www.android.com/filetransfer/) support\n  - [IINA](https://iina.io/) as the default video player\n\n- Common developer enhancements in Finder and Search\n- MacOS privacy and security enhancements\n- Debloating of animations\n\n### Prepare your system\n\nBefore installing anything you'll need to prepare your system:\n\n1. Don't register an Apple ID\n1. Enable Lockdown Mode\n1. Disable all Sharing stuff: General \u003e Sharing: Disable All\n1. 
Disable Notifications previews:\n\n   - Notifications \u003e Show Previews: Never\n   - Notifications: Disable \"Allow notifications when the screen is locked\"\n   - Lock Screen \u003e Require password immediately\n\n1. Change NTP Server: General \u003e Date \u0026 Time \u003e Source: Change to \"pool.ntp.org\"\n1. Set the smart battery saver: Boost mode on AC and Low Power mode on battery\n1. Disable Siri:\n\n   - Siri and Spotlight: Disable \"Ask Siri\"\n   - Siri and Spotlight \u003e Siri Suggestions \u003e Disable all\n\n1. Disable Analytics:\n\n   - Privacy and Security \u003e Analytics \u003e Improvements: Disable all\n   - Privacy and Security \u003e Apple Advertising \u003e Disable personalized ads\n   - Game Center: Disable all\n\n### How to Install\n\n1. Install Xcode Command Line Tools:\n\n   ```bash\n   xcode-select --install\n   ```\n\n1. Install Nix using the [official installer](https://nixos.org/download.html#nix-install-macos):\n\n   ```bash\n   sh \u003c(curl -L https://nixos.org/nix/install) --daemon\n   ```\n\n1. Enable Flake support:\n\n   ```bash\n   echo 'experimental-features = nix-command flakes' \u003e\u003e /etc/nix/nix.conf\n   ```\n\n1. Install [`nix-darwin`](https://github.com/LnL7/nix-darwin):\n\n   ```bash\n   # aarch64\n   nix run nix-darwin -- switch --flake .#macbook\n   # x86_64\n   nix run nix-darwin -- switch --flake .#macbook_x86\n   ```\n\n1. Apply changes to your system:\n\n   ```bash\n   darwin-rebuild switch --flake .\n   ```\n\n### How to Update\n\n1. First, update the input in `flake`:\n\n   ```bash\n   # update the specified input\n   nix flake lock --update-input \u003cfoo\u003e \u003cfoo\u003e\n   # or update all inputs\n   nix flake update\n   # also you can reclaim storage with\n   nix-collect-garbage -d\n   ```\n\n1. 
Then, rebuild and switch to the system after rebuild:\n\n   ```bash\n   nix run --extra-experimental-features 'nix-command flakes' nix-darwin -- switch --flake .\n   # or if nix-command and flakes are enabled:\n   darwin-rebuild switch --flake .\n   ```\n\n## Flakes Creed\n\n\u003e This is my computer. There are many like it, but this one is mine.\n\u003e My computer is my best friend. It is my life. I must master it as\n\u003e I must master my life.\n\u003e Without me, my computer is useless. Without my computer, I am useless.\n\u003e I must configure my computer true. I must code more efficiently than my enemy,\n\u003e who is trying to outperform me.\n\u003e I must debug him before he debugs me. I will...\n\u003e\n\u003e My computer and I know that what counts in war is not the lines we code,\n\u003e the noise of our fans, nor the smoke we make.\n\u003e We know that it is the runs that count. We will run...\n\u003e\n\u003e My computer is human, even as I, because it is my life.\n\u003e Thus, I will learn it as a brother.\n\u003e I will learn its weaknesses, its strength, its parts, its accessories,\n\u003e its dotfiles, and its configs.\n\u003e I will keep my computer clean and ready, even as I am clean and ready.\n\u003e We will become part of each other. We will...\n\u003e\n\u003e Before the Internet, I swear this creed.\n\u003e My computer and I are the defenders of my work.\n\u003e We are the masters of our enemy. We are the saviors of my projects.\n\u003e\n\u003e So be it, until victory is mine and there is no enemy, but peace!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstoropoli%2Fflakes","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstoropoli%2Fflakes","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstoropoli%2Fflakes/lists"}