Features | Roles | Images | CLI
slightly overengineered NixOS configuration flake for multiple hosts
Why do I not use some popular libraries?
Nix-specific features:
- Completely reproducible, pure evaluation
- Dotfiles managed using wrappers implemented from basic nixpkgs functions
- Symlinks in ~ managed using hjem
- Secrets managed using sops-nix
- Secure boot using lanzaboote
- Impermanence using ZFS snapshots and bind mounts, without the impermanence library
- Package management using lix
- Android environment using nix-on-droid
- Role based modules
- Variables system for device-specific configuration
- Flake helper CLI
- Flake-enabled installation images
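The impermanence and secrets items above describe two mechanisms that interact: a root dataset that is rolled back to an empty snapshot on every boot, and sops-nix secrets whose decryption key must therefore live on storage that survives the rollback. The NixOS module below is an added illustration of that pattern written for this README; it is not this flake's own code. It assumes a pool named rpool with an ephemeral dataset rpool/local/root, a persisted dataset rpool/safe/persist mounted at /persist, a snapshot rpool/local/root@blank taken once at install time, a secrets file ./secrets.yaml and a secret named wireless/psk; all of these names are assumptions.

```nix
# Added example, not this flake's code. Root-on-ZFS impermanence without the
# impermanence library, plus sops-nix secrets keyed from the persisted dataset.
# Assumed names: rpool/local/root (ephemeral root), rpool/safe/persist (/persist),
# snapshot rpool/local/root@blank created once at install with
#   zfs snapshot rpool/local/root@blank
{ config, lib, pkgs, ... }:
{
  boot.supportedFilesystems = [ "zfs" ];
  networking.hostId = "deadbeef"; # assumed value; ZFS requires an 8-hex-digit host id

  fileSystems."/" = {
    device = "rpool/local/root";
    fsType = "zfs";
  };

  fileSystems."/persist" = {
    device = "rpool/safe/persist";
    fsType = "zfs";
    # Mounted from the initrd so the bind mounts and the sops key below are
    # available during early boot and activation.
    neededForBoot = true;
  };

  # Before the root dataset is mounted, roll it back to its empty snapshot.
  # Everything written to / since the last boot that is not bind-mounted from
  # /persist is discarded here.
  boot.initrd.postDeviceCommands = lib.mkAfter ''
    zfs rollback -r rpool/local/root@blank
  '';

  # State that has to survive reboots is bind-mounted from /persist.
  fileSystems."/etc/ssh" = {
    device = "/persist/etc/ssh";      # host keys: losing them changes the host identity
    options = [ "bind" ];
  };
  fileSystems."/var/log" = {
    device = "/persist/var/log";      # keep logs (auditd, journald) across the rollback
    options = [ "bind" ];
  };
  fileSystems."/var/lib/nixos" = {
    device = "/persist/var/lib/nixos"; # stable uid/gid allocations for declared users
    options = [ "bind" ];
  };

  # sops-nix: the age key must sit on the persisted dataset; on the ephemeral
  # root it would be erased by the rollback and no secret could be decrypted.
  sops.defaultSopsFile = ./secrets.yaml;                    # assumed path
  sops.age.keyFile = "/persist/var/lib/sops-nix/key.txt";   # assumed path
  sops.secrets."wireless/psk" = {
    owner = "root";
    mode = "0400";
    # Decrypted at activation into /run/secrets (tmpfs), never into the
    # world-readable Nix store.
  };
}
```

Two caveats a practitioner will hit with this layout: `boot.initrd.postDeviceCommands` is only honoured by the script-based initrd, so a host with `boot.initrd.systemd.enable = true` needs the rollback expressed as an initrd systemd service instead; and any path not bind-mounted from /persist (for example a service's state directory) silently starts from empty on the next boot, which is the intended behaviour but is easy to forget when adding a new service.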
Desktop features:
- 100% wayland, no xorg or xwayland
- SwayFX compositor
- Waybar top panel with several useful modules
- Eww widgets for bottom dock, dashboard, calendar, etc
- Rofi menu for launchers, clipboard history, workspace switchers, etc
- Brave browser with tight policies to ensure security and protect user privacy
- NVF-powered neovim configuration
- Theming and colors with colors
- Declarative browser homepage with homepage
- Declarative wallpapers with wallpapers
- XKCD lockscreen wallpapers with xkcd-wall
- Automatic behavior changes when outside trusted & reliable networks with Nomad Mode
Services features:
- Unbound dns server
- NGINX web server & reverse proxy
- ACME for Let's Encrypt certificates
- SearXNG search engine
- Vaultwarden password manager
- i2pd I2P router
- Jellyfin media server
Comprehensive features list:
| Category | Stack |
|---|---|
| distro | NixOS |
| packages | nixos-unstable |
| package manager | lix |
| shell | bash |
| kernel | linux-hardened |
| entropy | jitterentropy |
| malloc | graphene-hardened |
| bootloader | systemd-boot, uboot |
| secure boot | lanzaboote |
| filesystem | zfs |
| impermanence | zfs(8) mount(8) |
| drive health | smartmontools |
| ~ symlinks | hjem |
| dotfiles | nixpkgs wrappers |
| auditing | auditd |
| secrets | sops, sops-nix |
| usb policy | usbguard |
| sandboxing | firejail, bubblewrap |
| firewall | iptables (nf_tables) |
| mac randomization | macchanger |
| anonymity | i2pd, oniux, mat2 |
| networking | wpa_supplicant |
| dns | unbound |
| secure shell | sshd, fail2ban |
| display server | wayland |
| compositor | swayfx, cage |
| bar | waybar |
| widgets | eww |
| launcher | rofi |
| notifications | dunst |
| terminal emulator | foot |
| file manager | thunar |
| audio | pipewire, pavucontrol, playerctl |
| media player | mpv |
| pdf reader | zathura |
| images | swayimg, imagemagick |
| vector graphics editor | inkscape |
| screenshots | grimshot, grim, slurp |
| clipboard | cliphist |
| browser | brave |
| web server | nginx |
| certificates | acme |
| homepage | homepage |
| search engine | searxng |
| media server | jellyfin |
| bittorrent | qbittorrent-nox |
| passwords | vaultwarden |
| text editor | neovim, mousepad |
| version control | git |
| development | rust, python, go, haskell |
| virtualization | qemu, virt-manager, distrobox, podman |
| cpu optimizations | auto-cpufreq |
| resource monitor | btop, htop |
| android | nix-on-droid |
| themes, icons, cursors, fonts | colors |
| wallpapers | wallpapers, xkcd-wall |
| terminal misc | cava, fortune |
This flake uses role-based configuration.
- Laptop role: Laptop configuration
- Server role: Headless home server configuration
- Droid role: nix-on-droid configuration
Four images (Minimal, GNOME, SD and SD Remote) are included for installation, recovery, etc.
These images provide an environment prepared for setting up this flake.
See Images Documentation for more details.
Routine tasks such as updating the flake, switching configurations,
garbage-collecting, and editing variables & secrets are handled through the
unified nixos(1) helper CLI.
Manpage:
man nixos
See CLI Documentation for the full command reference and workflow examples.
