fix(nixos): overwrite stock config on first MySetup adoption

Author: TakuyaYagam1

Linux/NixOS/lib/flake-home-module.nix

@@ -12,6 +12,7 @@
     useGlobalPkgs = true;
     useUserPackages = true;
     backupFileExtension = "backup";
+    overwriteBackup = true;
     users.${config.mysetup.user.username} = import ../home/home.nix;
     extraSpecialArgs = {
       inherit

Linux/README.md

@@ -63,6 +63,12 @@ nix run 'github:TakuyaYagam1/MySetup/develop'
 
 Fresh install through `/mnt` is not supported in v1. Run this on an already
 booted NixOS system with an existing `/etc/nixos/hardware-configuration.nix`.
+On first adoption from a stock NixOS/KDE install, MySetup replaces the active
+`/etc/nixos/configuration.nix` with a clean host-local override file. The old
+tree is kept in the `/etc/nixos.bak.<timestamp>.<pid>.<n>` backup made before
+writing `/etc/nixos`. VPN/proxy tools such as Amnezia are only a network
+workaround before running MySetup; they are not required in the bootstrap
+`configuration.nix`.
 
 Nix may ask whether to allow the flake app to use additional substituters. That
 is expected for this config; the installer and checks use these binary caches:
@@ -269,10 +275,11 @@ The installer applies changes defensively:
 1. Creates a temporary staging wrapper flake for `/etc/nixos`.
 2. Writes generated `host-vars.nix`, `configuration.nix`, and `home.nix`
    templates when they do not already exist.
-3. Preserves host-local `hardware-configuration.nix`, `flake.lock`,
-   `hashed-password.nix`, `configuration.nix`, `home.nix`, `private/`, and
-   `secrets/`. Existing thin wrapper flakes are preserved; legacy full mirror
-   flakes are replaced with the generated thin wrapper.
+3. Preserves host-local `hardware-configuration.nix`, `hashed-password.nix`,
+   `private/`, and `secrets/`. Existing MySetup thin wrapper flakes also keep
+   `flake.lock`, `configuration.nix`, and `home.nix`; stock NixOS or legacy
+   non-thin configs are replaced with the generated thin wrapper and clean
+   override templates.
 4. Copies or generates `hashed-password.nix` for the staging build.
 5. Runs `nix flake update mysetup --flake <staging>` for the staging wrapper
    when using the default thin layout, so the installed host receives the latest
@@ -529,6 +536,11 @@ run `mysetup doctor` and check the relevant log.
   multiple Wayland shells, Qt/QML, desktop apps, optional CTF stacks. Make
   sure the listed binary caches are accepted (see Install / Reconfigure) -
   without them everything compiles from source.
+- **First `switch` fails after writing `/etc/nixos` with dbus/systemd activation
+  errors.** Reboot into the new generation boundary, then run
+  `sudo nixos-rebuild switch --flake /etc/nixos#NixOS`. The dry-build already
+  passed; this usually means the live system could not restart part of the
+  desktop/session stack cleanly.
 - **`sudo nixos-rebuild switch` works locally but `mysetup apply` fails.**
   The installer wraps switch with stricter checks (dry-build, password
   hash, dots mirror). Run `nix run "path:$PWD?dir=Linux/NixOS#mysetup" --

Linux/installer/internal/apply/generate.go

@@ -26,8 +26,7 @@ func FlakeNix(s config.State) (string, error) {
 }
 
 func ConfigurationNix() string {
-	return `# Host-local NixOS overrides. This file is preserved by MySetup.
-{ pkgs, ... }:
+	return `{ pkgs, ... }:
 
 {
   imports = [

Linux/installer/internal/apply/generate_test.go

@@ -129,6 +129,10 @@ func TestThinTemplatesExposeSystemAndHomeOverrides(t *testing.T) {
 	if !strings.Contains(ConfigurationNix(), "environment.systemPackages") {
 		t.Fatalf("configuration.nix template must expose system packages\n%s", ConfigurationNix())
 	}
+	if strings.Contains(ConfigurationNix(), "Edit this configuration file") ||
+		strings.Contains(ConfigurationNix(), "services.desktopManager.plasma6") {
+		t.Fatalf("configuration.nix template must stay a clean MySetup override\n%s", ConfigurationNix())
+	}
 	if !strings.Contains(ConfigurationNix(), "./private") {
 		t.Fatalf("configuration.nix template must import private defaults\n%s", ConfigurationNix())
 	}
@@ -594,6 +598,50 @@ func TestPrepareThinHostLocalPreservesOverridesLockAndSecrets(t *testing.T) {
 	}
 }
 
+func TestPrepareThinHostLocalOverwritesFreshNixOSOverrides(t *testing.T) {
+	staging := t.TempDir()
+	dest := t.TempDir()
+	for path, content := range map[string]string{
+		filepath.Join(staging, "configuration.nix"):       ConfigurationNix(),
+		filepath.Join(staging, "home.nix"):                HomeNix(),
+		filepath.Join(dest, "hardware-configuration.nix"): "hardware\n",
+		filepath.Join(dest, "configuration.nix"): `# Edit this configuration file to define what should be installed on
+{ pkgs, ... }:
+
+{
+  imports = [ ./hardware-configuration.nix ];
+  boot.loader.systemd-boot.enable = true;
+  services.desktopManager.plasma6.enable = true;
+}
+`,
+		filepath.Join(dest, "home.nix"): "{ pkgs, ... }: { home.packages = [ pkgs.kate ]; }\n",
+	} {
+		if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
+			t.Fatal(err)
+		}
+		if err := os.WriteFile(path, []byte(content), 0o644); err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	if err := prepareStagingHostLocal(context.Background(), run.Runner{Stdout: io.Discard, Stderr: io.Discard}, staging, dest, config.Secrets{}, LayoutThin); err != nil {
+		t.Fatal(err)
+	}
+
+	for path, want := range map[string]string{
+		filepath.Join(staging, "configuration.nix"): ConfigurationNix(),
+		filepath.Join(staging, "home.nix"):          HomeNix(),
+	} {
+		data, err := os.ReadFile(path)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if string(data) != want {
+			t.Fatalf("fresh NixOS adoption must keep generated %s, got:\n%s", filepath.Base(path), data)
+		}
+	}
+}
+
 func TestPrepareThinHostLocalPreservesPrivateDefault(t *testing.T) {
 	staging := t.TempDir()
 	dest := t.TempDir()
@@ -649,9 +697,13 @@ func TestPrepareThinHostLocalReplacesLegacyFullFlake(t *testing.T) {
 	dest := t.TempDir()
 	for path, content := range map[string]string{
 		filepath.Join(staging, "flake.nix"):                    "generated thin wrapper\n",
+		filepath.Join(staging, "configuration.nix"):            ConfigurationNix(),
+		filepath.Join(staging, "home.nix"):                     HomeNix(),
 		filepath.Join(dest, "flake.nix"):                       "{ description = \"NixOS + Caelestia\"; }\n",
 		filepath.Join(dest, "flake.lock"):                      "legacy full lock\n",
 		filepath.Join(dest, "hardware-configuration.nix"):      "hardware\n",
+		filepath.Join(dest, "configuration.nix"):               "{ pkgs, ... }: { services.desktopManager.plasma6.enable = true; }\n",
+		filepath.Join(dest, "home.nix"):                        "{ pkgs, ... }: { home.packages = [ pkgs.kate ]; }\n",
 		filepath.Join(dest, "hosts", "NixOS", "host-vars.nix"): "{ }\n",
 	} {
 		if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
@@ -676,6 +728,18 @@ func TestPrepareThinHostLocalReplacesLegacyFullFlake(t *testing.T) {
 	if _, err := os.Stat(filepath.Join(staging, "flake.lock")); !os.IsNotExist(err) {
 		t.Fatalf("legacy full flake.lock should not be copied into thin staging, stat err: %v", err)
 	}
+	for path, want := range map[string]string{
+		filepath.Join(staging, "configuration.nix"): ConfigurationNix(),
+		filepath.Join(staging, "home.nix"):          HomeNix(),
+	} {
+		data, err := os.ReadFile(path)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if string(data) != want {
+			t.Fatalf("legacy non-thin overrides should not overwrite generated %s, got:\n%s", filepath.Base(path), data)
+		}
+	}
 }
 
 func TestPrepareThinHostLocalStagesLegacySecretsWhenRootMissing(t *testing.T) {

Linux/installer/internal/apply/secrets.go

@@ -47,9 +47,9 @@ func copyExistingThinHostLocal(ctx context.Context, runner run.CommandRunner, st
 		return err
 	}
 
-	preservedFiles := []string{"configuration.nix", "home.nix"}
+	preservedFiles := []string{}
 	if thinFlake {
-		preservedFiles = append([]string{"flake.lock"}, preservedFiles...)
+		preservedFiles = []string{"flake.lock", "configuration.nix", "home.nix"}
 	}
 	if err := copyExistingThinHostLocalFiles(dest, staging, preservedFiles); err != nil {
 		return err

README.md

@@ -56,6 +56,20 @@ instead of Nix's cached GitHub source:
 nix run --refresh 'github:TakuyaYagam1/MySetup'
 ```
 
+Fresh NixOS/KDE bootstrap note: on the first adoption, MySetup replaces the
+active `/etc/nixos/configuration.nix` with a clean host-local override file and
+backs up the previous `/etc/nixos` to `/etc/nixos.bak.<timestamp>...`. Your
+hardware config, password hash, `private/`, and `secrets/` stay preserved. If
+the first live `switch` fails because dbus/systemd could not fully reactivate,
+reboot and run:
+
+```bash
+sudo nixos-rebuild switch --flake /etc/nixos#NixOS
+```
+
+VPN/proxy tools such as Amnezia are only a network workaround before running
+MySetup; they are not required in the bootstrap `configuration.nix`.
+
 Or with a local clone (useful when iterating on the config):
 
 ```bash

flake.nix

@@ -243,6 +243,7 @@
             useGlobalPkgs = lib.mkDefault true;
             useUserPackages = lib.mkDefault true;
             backupFileExtension = lib.mkDefault "backup";
+            overwriteBackup = lib.mkDefault true;
             users.${config.mysetup.user.username} = shellHomeModule;
             extraSpecialArgs = {
               inherit inputs mysetupLib;