This is tetos, teto's OS: NixOS-based, conceived by me for me. It contains the configuration for my machines/servers. I make it public because I love libre software and this makes sharing snippets easier. Don't expect to be able to use this repo as-is: it is a spaghetti of hacks and relies on forks of nixpkgs and home-manager.
- I rely on nixos-anywhere + disko to deploy new machines. For local deployments, I use one machine as a PXE server to bootstrap the install from a nicer environment.
- My main difficulty when deploying machines is handling secrets. I don't want to put secrets in git online, even encrypted.
This is why my nixosConfigurations can be built __with__ and __without__ secrets depending on a boolean `withSecrets` forwarded via `specialArgs`. This lets me deploy a machine with most of my customizations before migrating my secrets, then run a final deployment with all secrets available. My secrets are handled with sops-nix and are not committed to git (no way I would put those public).
- The flake exposes `nixosModules` along with `homeModules`. I call configurations that can be shared between hosts "profiles" (some would call them "roles"), so the flake exposes `nixosProfiles` as well as `homeProfiles`.
- Nix packages/modules/profiles are autoloaded according to the folder hierarchy. This is made possible by haumea.
I don't necessarily recommend haumea though: it can lead to some hard-to-diagnose error messages and, while elegant, it makes side effects harder to track down IMO.
- Automated generation of the ssh client configuration from the ssh servers of the various nixosConfigurations.
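To make the `withSecrets` mechanism concrete, here is an added example flake (my own illustration, not this repo's actual flake.nix) that evaluates one host twice, once without and once with sops-nix secrets; the `./hosts/<name>/configuration.nix` and `./secrets/<name>.yaml` paths are assumed.

```nix
{
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs = { nixpkgs, sops-nix, ... }:
    let
      # one host description, evaluated twice: once without and once with secrets
      mkHost = { hostname, withSecrets }:
        nixpkgs.lib.nixosSystem {
          system = "x86_64-linux";
          # specialArgs turns `withSecrets` into an ordinary argument of every module
          specialArgs = { inherit withSecrets; };
          modules = [
            sops-nix.nixosModules.sops
            ./hosts/${hostname}/configuration.nix   # assumed layout, not the repo's
            ({ lib, withSecrets, ... }: {
              networking.hostName = hostname;
              # everything that needs the untracked sops file is gated on the flag,
              # so the secret-less generation evaluates on a fresh checkout
              sops = lib.mkIf withSecrets {
                defaultSopsFile = ./secrets/${hostname}.yaml;   # kept out of git
                age.keyFile = "/var/lib/sops-nix/key.txt";
                secrets.email_password = { owner = "teto"; mode = "0400"; };
              };
            })
          ];
        };
    in {
      nixosConfigurations = {
        # first deployment: all customizations, no secrets needed on the box yet
        laptop = mkHost { hostname = "laptop"; withSecrets = false; };
        # final deployment once the age key and sops file are in place
        laptop-with-secrets = mkHost { hostname = "laptop"; withSecrets = true; };
      };
    };
}
```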
If you scroll a bit, you will find sparse tutorials on how to deploy both on a LAN (PXE) or remotely (e.g. VPS). Kudos to nixos-anywhere and disko for making this easier than ever.
This folder contains my customizations for:
- broot file explorer
- buku: a cli bookmark manager
- clerk (to control mpd via rofi)
- font-manager: the best font manager I could find
- fcitx5 (input method mechanism, e.g. to type Japanese from your qwerty keyboard)
- home-manager to generate dotfiles from nix
- htop / btop
- kanshi (https://gitlab.freedesktop.org/emersion/kanshi): a monitor manager for wayland
- way-displays, in the same vein
- waybar sway bar
- khard (a carddav CLI)
- khal (a calendar CLI)
- mpd (configuration files to run this music server as a user)
- rmpc (https://github.com/mierak/rmpc/): a fantastic Rust TUI player
- euphonica (https://github.com/htkhiem/euphonica): a beautiful GTK GUI
- ncmpcpp (mpd console player)
- msmtp (MSA: Mail Sending Agent)
- rmpc (https://mierak.github.io/rmpc/): mpd console player
- neovim (fork of vim)
- newsboat (RSS reader, fork of newsbeuter)
- notmuch (to tag mails)
- qutebrowser (www.qutebrowser.org): a vim-like browser
- rofi (a dmenu-like interactive prompt, works with clerk/i3 etc…)
- starship (prompt manager)
- nsxiv (image viewer)
- sway (wayland window manager)
- kitty (terminal)
- wezterm (terminal)
- tig (a git history reader)
- tmux (terminal multiplexer)
- tio: a serial device tool
- vifm (ranger-like, file explorer)
- vimus (or vimpc? an mpd player)
- visidata (for data analysis, csv/json/pcap/… reader)
- weechat (IRC client)
- yazi: a TUI file manager in Rust, much faster than ranger or joshuto, just amazing
- zsh (alternative to bash)
We use nixos-anywhere + disko, i.e. we need a SERVER machine in the same LAN as the NEW machine to deploy from.
- SERVER: Enable the pixiecore service
- NEW: start via PXE
- NEW: `echo LUKS_PASSWORD > /tmp/secret.key`
- SERVER: run `just bootstrap-desktop`
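An added example of the SERVER side (my illustration, not the repo's actual pixiecore module): it builds a stock NixOS netboot image from the host's own nixpkgs and serves it with pixiecore next to the LAN's existing DHCP server; the ssh key is a placeholder.

```nix
{ pkgs, ... }:
let
  # build a minimal NixOS netboot installer straight from the nixpkgs this host uses
  netboot = (pkgs.nixos {
    imports = [ "${pkgs.path}/nixos/modules/installer/netboot/netboot-minimal.nix" ];
    # only key-based root login into the installer; the deploying machine holds the key
    services.openssh.enable = true;
    users.users.root.openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAA...PLACEHOLDER deploy@server"   # placeholder, not a real key
    ];
  }).config.system.build;
in
{
  services.pixiecore = {
    enable = true;
    openFirewall = true;   # DHCP/TFTP/HTTP ports pixiecore needs on the LAN
    dhcpNoBind = true;     # proxy-DHCP: coexist with the LAN's real DHCP server
    mode = "boot";
    kernel = "${netboot.kernel}/bzImage";
    initrd = "${netboot.netbootRamdisk}/initrd";
    # the netboot initrd needs to know which store path to hand over to stage 2
    cmdLine = "init=${netboot.toplevel}/init loglevel=4";
  };
}
```

Once the NEW machine has booted this image, nixos-anywhere reaches it over ssh as root and the `just bootstrap-desktop` step takes over.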
For OVH: follow this OVH guide. For Gandi it's easy.
$ just bootstrap-vps <vps-address>
As long as flakes are not supported natively, you need to:
# when not setting #my-machine, defaults to hostname
# deploy a first generation without any secrets but in my favorite environment
$ nixos-rebuild switch --flake 'github:teto/home#laptop' --sudo --option accept-flake-config true --option extra-experimental-features 'nix-command flakes'
$ just stow-config stow-home stow-local
# once you've moved the secrets to where they must be, you can deploy the final configuration
$ nixos-rebuild switch --flake 'github:teto/home#laptop-with-secrets' --use-remote-sudo --option accept-flake-config true --option extra-experimental-features 'nix-command flakes'
Nix writes everything world-readable, so you don't want to embed passwords in .nix files.
** Information you prefer to hide but won't commit seppuku over if discovered…
… is handled via git-crypt in the repo.
** Infrastructure secrets
The solution I adopted is sops-nix which reads secrets from sops files.
*** How to securely load those secrets in systemd units?
With sops, you could create /run/secrets/email_password and have your service pick it up. Set the proper owner (and a restrictive mode) so nobody else can read it.
A further hardening step is to rely on systemd-creds, i.e. `LoadCredentialEncrypted=`, so the service receives the secret from systemd instead of opening the file itself. This is what is done in:
home/teto.config/systemd/user/mbsync.service.d/override.conf
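As an added illustration (not the override.conf from this repo), the following NixOS module hands the sops-nix secret to a hypothetical `mailsync` system service through `LoadCredential=`; it assumes `sops.defaultSopsFile` is set elsewhere and uses curl against a made-up `imap.example.org`, where the real unit runs mbsync.

```nix
{ config, pkgs, ... }:
{
  # sops-nix decrypts this at activation to /run/secrets/email_password (assumes
  # defaultSopsFile is declared elsewhere). Root-owned and 0400: no regular user
  # can read it; the service below gets it through systemd, not the file system.
  sops.secrets.email_password.mode = "0400";

  systemd.services.mailsync = {
    description = "check the mailbox with a password handed over as a credential";
    startAt = "*:0/15";               # every 15 minutes, via a generated timer
    serviceConfig = {
      Type = "oneshot";
      DynamicUser = true;             # transient unprivileged user, allocated per run
      RuntimeDirectory = "mailsync";  # private /run/mailsync, mode 0700
      # pid 1 (root) reads the secret and exposes it as
      # $CREDENTIALS_DIRECTORY/email_password, readable only by this unit.
      # LoadCredentialEncrypted= takes the same "name:path" form but expects a
      # file produced by `systemd-creds encrypt`, sealed to this host's key/TPM.
      LoadCredential = "email_password:${config.sops.secrets.email_password.path}";
      ExecStart = pkgs.writeShellScript "mailsync" ''
        set -eu
        umask 077
        # stage the password in a netrc inside the private runtime dir rather than
        # on the command line, where every local user could read it from /proc
        printf 'machine imap.example.org login teto password %s\n' \
          "$(cat "$CREDENTIALS_DIRECTORY/email_password")" > "$RUNTIME_DIRECTORY/netrc"
        # mbsync achieves the same with: PassCmd "cat $CREDENTIALS_DIRECTORY/email_password"
        ${pkgs.curl}/bin/curl --silent --netrc-file "$RUNTIME_DIRECTORY/netrc" \
          'imaps://imap.example.org/INBOX?UNSEEN'
      '';
      # hardening: read-only system, no view of anyone's home, private /tmp
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
    };
  };
}
```

For a user unit like the repo's mbsync override, the user manager reads the source file itself, so the secret must be owned by that user, which is why the owner setting above matters.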
** Most intimate secrets
You won't find these in this repo. I handle them via pass and transfer them manually to my machines via the tool in the next section.
Some secrets can't be shared reliably through the repository, so they need to be transferred.
TODO: mention termscp or yazi + rsync?
On the old machine:
$ wormhole send ~/.gnupg
$ wormhole send ~/.password-store
$ wormhole send ~/.ssh
$ wormhole send ~/home/secrets
On the new machine:
$ just receive-secrets
$ tar xvf gnupg.tar -C ~/.gnupg/
...
Get git-crypt to decipher the files. Retrieve the key (possibly from an existing deployment via `git-crypt export-key toto.key`) and use it on the new deployment via:
$ git-crypt unlock secrets/git-crypt-teto.key
which should unlock the files.
NOTE: NixOS doesn't seem to work out of the box with git-crypt anymore; the trick is to leave your repo in a dirty state so that nix sees the unlocked secrets.nix!
fontconfig
You can see the resulting config via:
nix repl . --override-input nixpkgs github:nixos/nixpkgs nixosConfigurations.laptop.config.home-manager.users.teto.programs.neovim.finalPackage.XXX
Apart from dd, to create a Windows installer USB key, unetbootin worked best: `nix shell nixpkgs#unetbootin`
Tell me what to do please