Welcome to the bikeshed!
This repository houses all my machine configurations expressed declaratively using Nix. It covers both my personal and work devices that are running either NixOS or macOS.
The expressions are organised into platform-agnostic modules that leverage the likes of the nixpkgs, home-manager and nix-darwin channels to fully configure the OS and userspace from scratch.
These days I am spending the majority of time in either Firefox or Emacs (+vterm). On NixOS I am using the Sway Wayland compositor and on macOS I am usually just running native fullscreen, ⌘↹ing between the two previously mentioned apps. Additionally, a simple theming system is used to switch various things between light and dark versions, and a secrets attribute set (kept encrypted in a private repository) is referenced throughout.
NOTE: Some twisted souls found value in all the ricing of the previous incarnation of this repository. I’ll keep it archived on this branch for reference.
CI (Travis for NixOS, GitHub Actions for macOS) runs on push. The jobs generate a special CI machine that imports every module, and derives either a NixOS VM (via QEMU) or simply builds on a fresh Darwin agent VM (in the case of macOS). The resultant binaries are pushed to Cachix and subsequently become available for any of my other machines, saving a lot of wasted battery!
The Makefile (in conjunction with some helpful aliases) is used to drive most actions, abstracting away NixOS/macOS differences where necessary.
Below are some rough platform-specific installation notes I use to go from a fresh install to a fully configured machine.
Download the latest NixOS minimal ISO and check it against the published SHA-256 (the .sha256 file sits next to the ISO on the same server, so this catches a corrupted download rather than a tampered mirror). The org-babel values below are what the shell steps see as NIXOS_REL and NIXOS_URL:
nixos-ver: "19.09"
=> 19.09
nixos-rel: (format "%s.1685.e9ef090eb54" nixos-ver)
=> 19.09.1685.e9ef090eb54
nixos-url: (format "https://releases.nixos.org/nixos/%s" nixos-ver)
=> https://releases.nixos.org/nixos/19.09
curl -O ${NIXOS_URL}/nixos-${NIXOS_REL}/nixos-minimal-${NIXOS_REL}-x86_64-linux.iso
curl -O ${NIXOS_URL}/nixos-${NIXOS_REL}/nixos-minimal-${NIXOS_REL}-x86_64-linux.iso.sha256
sha256sum -c nixos-minimal-${NIXOS_REL}-x86_64-linux.iso.sha256
Create a bootable NixOS USB (macOS example):
diskutil list # Find USB
diskutil unmountDisk /dev/disk2
dd if=nixos-minimal-${NIXOS_REL}-x86_64-linux.iso of=/dev/rdisk2 bs=4m
diskutil unmountDisk /dev/disk2
- [X] Disable Secure Boot
- [X] Enable CSM Support
Setup networking:
wpa_passphrase SSID PASSWORD > /etc/wpa_supplicant.conf
systemctl start wpa_supplicant
ip addr
Enable SSHd for remote (LAN) install and ssh-agent forwarding:
systemctl start sshd
passwd # So we can login via SSH
Conduct rest of install from other laptop for convenience:
ssh nixos@<addr>
Create a 500M boot partition:
gdisk /dev/nvme0n1
# o (create new empty partition table)
# n (add partition, 500M, type ef00 EFI)
# n (add partition, remaining space, type 8301 Linux Reserved - in the absence of a LUKS code)
# w (write partition table and exit)
Setup the encrypted LUKS partition and open it:
cryptsetup luksFormat /dev/nvme0n1p2
cryptsetup luksOpen /dev/nvme0n1p2 enc-pv
Create two logical volumes (swap and root):
pvcreate /dev/mapper/enc-pv
vgcreate vg /dev/mapper/enc-pv
lvcreate -L 8G -n swap vg
lvcreate -l '100%FREE' -n root vg
Format the partitions:
mkfs.fat -F 32 /dev/nvme0n1p1
mkfs.ext4 -L root /dev/vg/root
mkswap -L swap /dev/vg/swap
Mount the partitions just created under /mnt:
mount /dev/vg/root /mnt
mkdir /mnt/boot
mount /dev/nvme0n1p1 /mnt/boot
swapon /dev/vg/swap
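The partitioning, LUKS, LVM and mount steps above as one non-interactive script with a dry-run mode, an added example rather than anything from the dotfiles repository; it assumes sgdisk (gptfdisk) is available in the installer environment and takes the target disk as a parameter.

```shell
# Added example, not code from the dotfiles repo: the gdisk/cryptsetup/LVM
# steps above run non-interactively (sgdisk instead of gdisk's prompts) behind
# a dry-run switch, so the whole plan can be read before a disk is touched.

DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands; set to 0 to apply them

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Partition name for a disk: NVMe/MMC names end in a digit and take a "p"
# separator (/dev/nvme0n1p1); SATA/virtio names do not (/dev/sda1).
part_name() {
    case "$1" in
        *[0-9]) echo "${1}p$2" ;;
        *)      echo "$1$2" ;;
    esac
}

# Refuse to touch a disk that has anything mounted from it.
assert_unmounted() {
    if grep -q "^$1" /proc/mounts 2>/dev/null; then
        echo "refusing: $1 has mounted partitions" >&2
        return 1
    fi
}

# The full sequence: GPT with 500M EFI + remainder, LUKS, LVM (8G swap, rest
# root), filesystems, then everything mounted under /mnt for the install.
provision() {
    dev="$1"; efi="$(part_name "$dev" 1)"; luks="$(part_name "$dev" 2)"
    assert_unmounted "$dev" || return 1
    run sgdisk -o "$dev"                      # o: new empty GPT
    run sgdisk -n 1:0:+500M -t 1:ef00 "$dev"  # n: 500M EFI System partition
    run sgdisk -n 2:0:0 -t 2:8301 "$dev"      # n: remaining space, type as in the notes
    run cryptsetup luksFormat "$luks"
    run cryptsetup luksOpen "$luks" enc-pv
    run pvcreate /dev/mapper/enc-pv
    run vgcreate vg /dev/mapper/enc-pv
    run lvcreate -L 8G -n swap vg
    run lvcreate -l 100%FREE -n root vg
    run mkfs.fat -F 32 "$efi"
    run mkfs.ext4 -L root /dev/vg/root
    run mkswap -L swap /dev/vg/swap
    run mount /dev/vg/root /mnt
    run mkdir -p /mnt/boot
    run mount "$efi" /mnt/boot
    run swapon /dev/vg/swap
}
```

Run it with DRY_RUN=0 only after reading the printed plan for the intended disk.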
Install:
useradd -m -G wheel martin
sudo su - martin
nix-shell -p git --run \
  "git clone --recursive git@github.com:martinbaillie/dotfiles.git /mnt/etc/dotfiles"
make -C /mnt/etc/dotfiles install
If system doesn’t boot:
cryptsetup luksOpen /dev/nvme0n1p2 enc-pv
lvchange -a y /dev/vg/swap
lvchange -a y /dev/vg/root
mount /dev/vg/root /mnt
mount /dev/nvme0n1p1 /mnt/boot
swapon /dev/vg/swap
wpa_passphrase SSID PASSWORD > /etc/wpa_supplicant.conf
systemctl start wpa_supplicant
Try again.
gpg --import ~/.gnupg/gpg.asc
make config-emacs
From a fresh macOS install.
sudo systemsetup -setremotelogin on
sudo xcodebuild -license
NOTE: Do not use sudo here.
# curl https://nixos.org/nix/install | sh
sh <(curl https://nixos.org/nix/install) --daemon
. /etc/bashrc
ssh $REMOTE nix-daemon --version
cat << EOF | sudo tee -a /etc/nix/nix.conf
trusted-users = $USER @admin
allowed-users = *
EOF
sudo killall nix-daemon
nix copy --no-check-sigs --keep-going --to ssh-ng://$REMOTE ~/.nix-profile
nix-build https://github.com/LnL7/nix-darwin/archive/master.tar.gz -A installer
./result/bin/darwin-installer
. /etc/static/bashrc
nix-channel --add https://github.com/rycee/home-manager/archive/master.tar.gz home-manager
nix-channel --update
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
If not forwarding an agent socket.
mkdir -m 700 ~/.ssh
<download ssh key> > ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519 # ssh-add refuses a key file that is readable by others
ssh-add
rm -r ~/.ssh
sudo git clone --recursive git@github.com:martinbaillie/dotfiles.git /etc/dotfiles
sudo chown -R $USER: /etc/dotfiles
If not forwarding.
nix-shell -p gpg
mkdir -m 700 ~/.gnupg-temp
<download gpg key> > ~/.gnupg-temp/temporary.asc
gpg --homedir ~/.gnupg-temp --import temporary.asc
gpg --homedir ~/.gnupg-temp -d secrets.nix.gpg > secrets.nix
gpg-connect-agent --homedir ~/.gnupg-temp KILLAGENT /bye
rm -r ~/.gnupg-temp
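The temporary-keyring decryption above as a function that also cleans up when a step fails, so the imported private key never outlives the decryption; this is an added example, not code from the dotfiles repository, and the names with_temp_gpg_home, decrypt_with_key and WITH_TEMP_GPG_HOME_LAST are mine.

```shell
# Added example, not code from the dotfiles repo: the ~/.gnupg-temp recipe as
# a function that removes the throwaway homedir and stops its agent whether or
# not the command it wraps succeeds. gpg and gpg-connect-agent are only needed
# when decrypt_with_key actually runs.

# Run "$@" with GNUPGHOME pointing at a fresh 0700 directory; afterwards stop
# any agent gpg started for it, remove the directory and return the command's
# exit status. The directory path is left in WITH_TEMP_GPG_HOME_LAST.
with_temp_gpg_home() {
    tmp="$(mktemp -d "${TMPDIR:-/tmp}/gnupg-temp.XXXXXX")" || return 1
    chmod 700 "$tmp"
    WITH_TEMP_GPG_HOME_LAST="$tmp"
    GNUPGHOME="$tmp" "$@"
    status=$?
    if command -v gpg-connect-agent >/dev/null 2>&1; then
        # --no-autostart: do not launch an agent just to kill it
        gpg-connect-agent --no-autostart --homedir "$tmp" KILLAGENT /bye >/dev/null 2>&1 || :
    fi
    rm -rf "$tmp"
    return "$status"
}

# Import an armoured key and decrypt one file with it, entirely inside the
# throwaway homedir: decrypt_with_key temporary.asc secrets.nix.gpg secrets.nix
decrypt_with_key() {
    with_temp_gpg_home sh -c '
        gpg --batch --quiet --import "$1" &&
        gpg --batch --quiet --decrypt "$2" > "$3"
    ' sh "$1" "$2" "$3"
}
```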
sudo mv /etc/shells /etc/shells.before-nix-darwin
sudo mv /etc/bashrc /etc/bashrc.before-nix-darwin
sudo mv /etc/zshrc /etc/zshrc.before-nix-darwin
sudo mv /etc/zprofile /etc/zprofile.before-nix-darwin
nix-shell -p cachix
cachix use martinbaillie
NOTE: Before running, create a new machine configuration or link an existing one.
make channels update switch
chsh -s /run/current-system/sw/bin/zsh $USER
NOTE: macOS gpg has a default interactive pinentry so don’t be remote.
gpg --import ~/.gnupg/gpg.asc
make config-emacs
Set Flux, Karabiner, Spectacle, Cursorcerer to start at boot, install kernel extensions and so on.