The Declarative Cure for Your NixOS Headaches
Elixos is a modular, declarative NixOS configuration system for multi-host and multi-user environments. It leverages flakes and sops-nix for secure, reproducible, and extendable NixOS installations.
```
elixos/
├── flake.nix
├── flake.lock
├── justfile
├── nixos/
│   ├── configuration.nix
│   ├── disks/
│   ├── hardware/
│   ├── hosts/
│   ├── home/
│   ├── users/
│   ├── modules/
│   └── secrets/
```
Use the following steps to quickly install a NixOS VM using QEMU.
just vm_prerequisites # Install qemu, ovmf, rage, sops
just vm_reset # Remove old VM files
just vm_prepare # Download ISO and create VM disk
just vm_run_installer # Boot the live installer in QEMU
Load the .env file, which sets the environment variables of the current setup. For instance, load
. .env-generic-vm
This sets:
HOST=generic-vm
SSH_USER=nixos
SSH_PORT=2222
SSH_HOST=localhost
SSH_KEY=$HOME/.ssh/ssh_key_generic-vm_eelco
REPO_DIR=/home/nixos/elixos
Now you can run the bootstrap for this VM
just bootstrap-vm
This performs the following:
- Pushes your Age master key (keys.txt) to the live installer
- Pushes your repo to a bare Git repo on the VM
- Clones the repo into ~/elixos on the VM
- Installs the master key to /etc/sops/age/keys.txt
- Partitions the disk using disko
- Installs NixOS using the `generic-vm` configuration
After bootstrapping the VM, the age key is available in memory, but not yet in the installed system. To fix that, after booting the VM, run:
just post-boot-setup HOST=localhost
This will:
- Push the age key to the real VM
- Install the key to /etc/sops/age/keys.txt
- Push and clone the repo again
- Prepare for `nixos-rebuild switch`
just vm_run
ssh -p 2222 eelco@localhost
If backspace does not work:
export TERM=xterm
- Modify your configuration (e.g. `hosts/tongfang.nix`, `modules/`, etc.)
- Push to GitHub or directly to the live VM:
```shell
git add . && git commit -m "Update" && git push
```
- On the VM:
```shell
cd ~/elixos
git pull
sudo nixos-rebuild switch --flake .#generic-vm
```
Secrets like your SSH private key are stored as encrypted YAML files.
just make-secret HOST USER
This creates:
~/.ssh/ssh_key_HOST_USER
nixos/secrets/HOST-USER-secrets.yaml
just encrypt-key # Convert ~/.ssh/id_ed25519 to encrypted YAML
just show-key # View decrypted secret
just decrypt-key # Restore ~/.ssh/id_ed25519 from secrets
just update # Update flake inputs
just clean # Run nix garbage collection
just fmt # Format all .nix files
just vm_reset # Reset and clean VM setup
just vm_build_generic-vm # Build the system only (no run)
For manual access to the live installer:
just live_setup_ssh # Start sshd and set root password
just ssh_authorize USER # Add your SSH key to the live VM
Host (QEMU & Just)
|
v
Live Installer (VM)
|
v
Installed NixOS VM
|
v
sops decrypt → ~/.ssh/id_ed25519
|
v
Working SSH login
- Add `export TERM=xterm` to your VM shell profile for better terminal compatibility.
- Use `just vm_run_gpu` for graphical output with virtio-vga and virgl.
- Create VM snapshots before major system changes.
Happy hacking with Elixos! 🧬
- Download the [NixOS minimal ISO image](https://nixos.org/download/) and create a live USB stick with it
- Start up the live NixOS installer
- Log in as root
sudo su
- Look up the name of your wifi device
ip link
The name is, for example, `wlp2s0`
- Scan the available networks
iw dev wlp2s0 scan | grep SSID
If you get `Network is down (-100)`, activate it with:
ip link set wlp2s0 up
If you now get `Operation not possible due to RF-kill`, then check
rfkill list
Check if it shows
```
0: phy0: Wireless LAN
	Soft blocked: yes
	Hard blocked: no
```
If it is soft blocked, unblock with
rfkill unblock all
Now, activate your device
ip link set wlp2s0 up
and scan again
iw dev wlp2s0 scan | grep SSID
Also, check that you are on the right interface with:
iw dev
This should show
Interface wlp2s0 type: managed
Now you should see your network
- Connect to your network
wpa_passphrase "mijn-wifi-ssid" "mijn-wifi-wachtwoord" > wpa.conf
and then
wpa_supplicant -B -i wlp2s0 -c wpa.conf
and now request an IP address using
dhcpcd wlp2s0
You can ignore the notification `read_config: /etc/dhcpcd.conf: No such file or directory`. Just check that you are connected with
ip a show wlp2s0
Also, check if you are connected to the internet with
ping 1.1.1.1
- Starting the sshd daemon
To start your daemon, first set your root password with
passwd
Then run
sudo systemctl start sshd
Check if it is running
sudo systemctl status sshd
Look up your ip address with:
ip ad
It should be something like
192.168.2.3
- Logging in on the live installer from a host laptop
Make sure you have set the root password. To do that, on your live installer, log in as root with
sudo su
and
passwd
Then you should be able to login from your host machine as
If you get a warning about 'Remote Host Identification Has Changed', you have probably logged in on this IP address earlier. Delete your key with
ssh-keygen -R "[192.168.2.3]:22"
In case logging in is not allowed at all, you may want to change your /etc/ssh/sshd_config file. Since on NixOS you cannot edit configuration files in place (not even as root), just copy the file to your home directory
cp /etc/ssh/sshd_config ~
You may want to change the setting `UsePAM yes` to `UsePAM no`
Then, restart your sshd daemon with this new settings file with
sudo $(which sshd) -f ~/sshd_config
(Note that `$(which sshd)` is needed because sshd has to be started with its full path.)
Check if you are now listening on port 22 with
ss -tlnp | grep 22
sudo useradd -r -s /usr/sbin/nologin -c "sshd user" sshd
Start sshd in the background with
sudo nix run --extra-experimental-features 'nix-command flakes' github:nix-community/disko -- --flake .#singer --mode zap_create_mount
To log in, don't use a password, but copy your public SSH key and add it to authorized_keys. I used keep to copy my key.
Also check your firewall if it is not running.
To transfer your git repo, either bundle it or just add your public key to your GitHub account
- Transferring your git repository to the laptop
In the terminal where you are remotely logged in on your laptop, do:
mkdir /tmp/elixos.git
and turn it into a bare repository with
git init --bare /tmp/elixos.git
On your host, do
ssh-copy-id [email protected]
so that you do not have to type a password each time
In your elixos repository do
git remote add nixtmp [email protected]:/tmp/elixos.git
Now you can push your repository to the laptop with
git push nixtmp main
- Installing your laptop
Install just to be able to use it
nix-shell -p just
Start by running disko to partition your hard drive
just partition singer
Check your partitions with
findmnt /mnt
which should give you
```
TARGET SOURCE         FSTYPE OPTIONS
/mnt   /dev/nvme0n1p2 ext4   rw,relatime
```
Copy the sops age key to the laptop installer. Run from your host:
scp ~/.config/sops/age/keys.txt [email protected]:~
And then run in your live installer
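```shell
# sops looks for age keys in ~/.config/sops/age/keys.txt
mkdir -p /root/.config/sops/age
# Copy rather than move: /root/keys.txt is still needed in the next step
cp /root/keys.txt /root/.config/sops/age/keys.txt
```
And also copy it to your future hard drive
```shell
mkdir -p /mnt/etc/sops/age
cp /root/keys.txt /mnt/etc/sops/age/keys.txt
chmod 400 /mnt/etc/sops/age/keys.txt
```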
Now you can install your laptop with
nixos-install --flake .#singer
After installing, if your SSH keys are not present yet, you can try the following.
First, log in to your newly installed laptop using the same procedure as above (start the sshd daemon). Then copy the ~/.config/sops/age/keys.txt file to the newly installed laptop. Clone the repository to the newly installed laptop.
Then do this
```shell
mkdir -p /mnt/etc/sops/age
cp /root/keys.txt /mnt/etc/sops/age/keys.txt
chmod 400 /mnt/etc/sops/age/keys.txt
```
And try to rebuild your system with
```shell
sudo nixos-rebuild switch --flake .#singer
```
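
Both the VM bootstrap and the manual install above depend on the age master key being installed with owner-only permissions and being a recipient of the encrypted secrets file. The check below is an added example, not part of the Elixos repository; the function name `check_age_key` and the sample keys are made up for illustration, and it assumes the key file layout written by `age-keygen` and the recipient metadata that sops stores in encrypted YAML.

```shell
# Added example (not from the Elixos repo): pre-flight check for the age key.
# Usage: check_age_key KEYFILE SECRETS_YAML
# Returns 0 = ok, 1 = file missing, 2 = key readable by group/others,
#         3 = no public key found, 4 = key is not a recipient of the secrets.
check_age_key() {
    keyfile=$1
    secrets=$2
    [ -f "$keyfile" ] && [ -f "$secrets" ] || return 1

    # Characters 5-10 of the ls mode string are the group and other bits.
    # The master key decrypts every secret, so only its owner may read it.
    perms=$(ls -ld "$keyfile" | cut -c5-10)
    [ "$perms" = "------" ] || return 2

    # age-keygen writes each public key as a comment above its secret key.
    pubs=$(sed -n 's/^# public key: \(age1[0-9a-z]*\)$/\1/p' "$keyfile")
    # If the comments were stripped, derive the keys (needs age-keygen).
    if [ -z "$pubs" ] && command -v age-keygen >/dev/null 2>&1; then
        pubs=$(age-keygen -y "$keyfile" 2>/dev/null)
    fi
    [ -n "$pubs" ] || return 3

    # sops records every age recipient as "recipient: age1..." in the
    # metadata block of the encrypted YAML file.
    rcpts=$(sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*recipient:[[:space:]]*\(age1[0-9a-z]*\)[[:space:]]*$/\1/p' "$secrets")
    for p in $pubs; do
        # -x -F: exact whole-line match, so a key prefix never passes.
        printf '%s\n' "$rcpts" | grep -qxF "$p" && return 0
    done
    return 4
}

# Demo on constructed sample data (placeholder keys, not real ones).
demo_dir=$(mktemp -d)
cat > "$demo_dir/keys.txt" <<'EOF'
# created: 2025-01-01T00:00:00Z
# public key: age1constructedpublickey0000
AGE-SECRET-KEY-1CONSTRUCTEDPLACEHOLDER
EOF
chmod 400 "$demo_dir/keys.txt"
cat > "$demo_dir/secrets.yaml" <<'EOF'
id_ed25519: ENC[AES256_GCM,data:constructed,type:str]
sops:
    age:
        - recipient: age1constructedpublickey0000
EOF
check_age_key "$demo_dir/keys.txt" "$demo_dir/secrets.yaml"
echo "check_age_key exit status: $?"
rm -rf "$demo_dir"
```

Run it against `/mnt/etc/sops/age/keys.txt` before `nixos-install`, or against `/etc/sops/age/keys.txt` before `nixos-rebuild switch`, together with the matching file under `nixos/secrets/`.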