A comprehensive NixOS configuration using flakes and Home Manager, featuring desktop environments, development tools, and security configurations.
- NixOS with flakes enabled
- Git

1. Clone the repository:

   ```bash
   git clone https://github.com/your-username/dotfiles.git ~/dotfiles
   cd ~/dotfiles
   ```

2. Configure personal settings:

   ```bash
   cp secrets.example.nix secrets.nix
   # Edit secrets.nix with your personal information
   # Set up secure private secrets directory
   mkdir -p ~/.secrets
   chmod 700 ~/.secrets
   ```

3. Apply configuration:

   ```bash
   # For desktop hosts (slax/brix)
   sudo nixos-rebuild switch --flake .#slax
   # Apply home-manager configuration
   home-manager switch --flake .#user@slax
   ```

4. Bootstrap secrets (after system builds successfully):

   ```bash
   # Generate new BIP39 mnemonic and set up SOPS
   ./assets/scripts/bootstrap-secrets.sh --generate
   # Or use existing mnemonic
   ./assets/scripts/bootstrap-secrets.sh --mnemonic "your 24 words here"
   ```
```text
├── flake.nix              # Main flake configuration
├── hosts/                 # Host-specific configurations
│   ├── slax/              # Desktop configuration
│   ├── brix/              # Mini PC configuration
│   └── common/            # Shared host configurations
├── profiles/              # Modular configuration profiles
│   ├── desktop/           # Desktop environment configs
│   ├── features/          # Feature modules (gaming, development, etc.)
│   ├── programs/          # Program-specific configurations
│   ├── security/          # Security hardening configurations
│   └── services/          # System services
├── lib/                   # Shared libraries and variables
├── assets/                # Static assets (wallpapers, configs)
├── secrets.example.nix    # Template for personal secrets
└── README.md              # This file
```
- slax: Desktop configuration with development and multimedia features
- brix: Mini PC configuration with gaming, development, and multimedia features
- COSMIC Desktop: Modern desktop environment
- Customized themes: Dark themes and consistent styling
- Font configuration: Programming and UI fonts
- Languages: Support for multiple programming languages
- Editors: Configured development environments
- Shell: Enhanced Zsh with Starship prompt
- Git: Comprehensive Git configuration with SSH signing
- Infrastructure: Kubernetes, Terraform, and infrastructure management tools
- Auto-environment: Direnv automatically loads project-specific tools
- GPG/SSH: Advanced cryptographic configurations
- BIP39/TPM: Hardware-backed key derivation from mnemonic phrases
- System hardening: Security-focused system configurations
- Secure boot: TPM and secure boot configurations
- Audio/Video: Complete multimedia stack
- Gaming: Steam and gaming optimizations (brix host)
Edit secrets.nix to customize:
- User information (name, email, GitHub username)
- Domain names (for infrastructure integration)
- SSH keys and signing keys
The configuration includes tools for infrastructure management:
- VPN: Tailscale client for secure infrastructure access
- Kubernetes: kubectl, helm, k9s for cluster management
- Infrastructure as Code: Terraform and OpenTofu
- Auto-loading: Direnv automatically provides tools in project directories
To use with your infrastructure:

- Clone your infrastructure repo to `~/Projects/your-infrastructure`
- The environment will auto-configure with appropriate tools
- Connect via VPN to access internal services

Modify host configurations in `hosts/` to enable/disable features:

```nix
features = [ "gaming" "development" "multimedia" ];
```

To add a new host:

- Create a new directory in `hosts/`
- Add hardware configuration
- Create `configuration.nix` importing desired profiles
- Add to `flake.nix` outputs
Generate ISO and VM images:

```bash
# Live ISOs
nix build .#slax-live-iso
nix build .#brix-live-iso
nix build .#emergency-iso

# VM images
nix build .#slax-vm
nix build .#brix-vm

# nixtv-player
nix build .#nixtv-player-iso
nix build .#nixtv-player-vm
```

ISOs and VMs use environment variables at build time to configure credentials, avoiding hardcoded passwords in the repository.
Priority system (highest to lowest):
- SOPS secrets (for deployed systems)
- Environment variables at build time
- No password (SSH key required)
Generate a password hash:

```bash
nix-shell -p mkpasswd --run 'mkpasswd -m sha-512'
```

Build examples:

```bash
# Emergency ISO with password authentication
EMERGENCY_PASSWORD_HASH="$(mkpasswd -m sha-512)" nix build .#emergency-iso

# Emergency ISO with SSH key (recommended)
EMERGENCY_SSH_KEY="ssh-ed25519 AAAA..." nix build .#emergency-iso

# nixtv-player ISO with admin password
NIXTV_PASSWORD_HASH="$(mkpasswd -m sha-512)" nix build .#nixtv-player-iso

# Standard host build with user password
# (sudo resets the environment by default, so the variable must be passed through explicitly)
USER_PASSWORD_HASH="$(mkpasswd -m sha-512)" sudo --preserve-env=USER_PASSWORD_HASH nixos-rebuild switch --flake .#slax
```

Available environment variables:

| Variable | Used By | Description |
|---|---|---|
| `USER_PASSWORD_HASH` | All hosts (base.nix) | Password for 'user' account |
| `NIXTV_PASSWORD_HASH` | nixtv-player | Password for 'nixtv' admin account |
| `EMERGENCY_PASSWORD_HASH` | emergency-iso | Root password for recovery ISO |
| `EMERGENCY_SSH_KEY` | emergency-iso | Root SSH public key (disables password login) |
For production deployments, use SOPS secrets instead. See docs/SOPS-SETUP.md.
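The table and the priority order above (SOPS secret, then build-time variable, then no password) are easy to get wrong at the shell: a plaintext password exported into a `*_PASSWORD_HASH` variable, a truncated SSH key, or a `~/.secrets` directory left group-readable. The script below is an added example, not a script from this repository, that checks a build environment before `nix build` runs. It validates sha-512 crypt hashes by format, parses the SSH key's wire-format blob rather than only checking its prefix, checks that `~/.secrets` is exactly 0700, and reports which credential source the documented priority would select. The variable names come from the table; the function names, the sample hash and the sample key are mine and constructed. One related caveat: if the flake reads these variables with `builtins.getEnv`, flake evaluation is pure by default and returns an empty string unless `--impure` is passed.

```python
"""Pre-build checks for the build-time credential variables (added example,
not a script from this repository)."""
import base64
import os
import re
import stat
from typing import Dict, List

# Variables from the README table: the first three carry crypt(3) hashes,
# the last an OpenSSH public-key line.
PASSWORD_HASH_VARS = ("USER_PASSWORD_HASH", "NIXTV_PASSWORD_HASH",
                      "EMERGENCY_PASSWORD_HASH")
SSH_KEY_VARS = ("EMERGENCY_SSH_KEY",)

# `mkpasswd -m sha-512` emits $6$[rounds=N$]<salt, up to 16 chars>$<86-char hash>.
_SHA512_CRYPT = re.compile(
    r"^\$6\$(?:rounds=\d+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}$")
_SSH_KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                  "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
                  "sk-ssh-ed25519@openssh.com")


def is_sha512_crypt_hash(value: str) -> bool:
    """True only for a complete sha-512 crypt hash, never for a plaintext."""
    return _SHA512_CRYPT.match(value) is not None


def is_ssh_public_key(value: str) -> bool:
    """Validate an OpenSSH public-key line: known type, base64 blob whose first
    length-prefixed string repeats the type (RFC 4253 wire format), optional comment."""
    parts = value.split()
    if len(parts) < 2 or parts[0] not in _SSH_KEY_TYPES:
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(blob) < 4:
        return False
    type_len = int.from_bytes(blob[:4], "big")
    return blob[4:4 + type_len] == parts[0].encode()


def secrets_dir_mode_ok(st_mode: int) -> bool:
    """~/.secrets must be exactly 0700: no group or other bits at all."""
    return stat.S_IMODE(st_mode) == 0o700


def check_secrets_dir(path: str = "~/.secrets") -> bool:
    """Stat the real directory; missing or wrongly permissioned means False."""
    try:
        st = os.stat(os.path.expanduser(path))
    except FileNotFoundError:
        return False
    return stat.S_ISDIR(st.st_mode) and secrets_dir_mode_ok(st.st_mode)


def resolve_password_source(sops_available: bool, env: Dict[str, str],
                            var: str = "USER_PASSWORD_HASH") -> str:
    """Mirror the documented priority: SOPS secret, then build-time
    variable, then no password (SSH key required)."""
    if sops_available:
        return "sops"
    if env.get(var):
        return "env"
    return "none"


def validate_build_env(env: Dict[str, str]) -> List[str]:
    """Return problems found; an empty list means every variable that is set is well-formed."""
    problems: List[str] = []
    for var in PASSWORD_HASH_VARS:
        value = env.get(var)
        if value and not is_sha512_crypt_hash(value):
            problems.append(f"{var} is not a sha-512 crypt hash "
                            "(plaintext password passed by mistake?)")
    for var in SSH_KEY_VARS:
        value = env.get(var)
        if value and not is_ssh_public_key(value):
            problems.append(f"{var} is not a parseable OpenSSH public key")
    return problems


# Constructed sample values for demonstration; neither is a real credential.
SAMPLE_HASH = "$6$" + "a" * 16 + "$" + "b" * 86
SAMPLE_ED25519_KEY = "ssh-ed25519 " + base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + b"\x01" * 32
).decode() + " constructed@example"

if __name__ == "__main__":
    for problem in validate_build_env(dict(os.environ)):
        print("problem:", problem)
    print("~/.secrets permissions ok:", check_secrets_dir())
    print("password source:", resolve_password_source(False, dict(os.environ)))
```

Run it in the same shell where the variables are exported, before the `nix build` or `nixos-rebuild` call; a non-empty problem list is the cue to fix the variable rather than discover at first login that the account has no usable password.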
Update the flake and rebuild:

```bash
nix flake update
sudo nixos-rebuild switch --flake .#your-host
home-manager switch --flake .#user@your-host
```

This configuration includes an automated bootstrap process for BIP39/TPM key derivation and SOPS setup.
```bash
# After your system builds successfully, run the bootstrap script:

# Generate new BIP39 mnemonic and set up everything automatically
./assets/scripts/bootstrap-secrets.sh --generate

# Or use an existing BIP39 mnemonic
./assets/scripts/bootstrap-secrets.sh --mnemonic "word1 word2 ... word24"
```

The bootstrap script will:

- Initialize TPM hardware
- Generate 24-word BIP39 mnemonic (or use existing)
- Derive age encryption keys using HKDF
- Update SOPS configuration with new age key
- Create encrypted secrets file in `~/.secrets/`
- Enable SOPS in system configuration
```bash
# List all TPM-stored keys
tpm-keys list

# Get detailed info about a specific key
tpm-keys info 0x81000100

# Extract SSH public key from TPM
tpm-to-pubkey 0x81000100

# Load TPM keys into SSH agent
tpm-ssh-agent

# Remove a key from TPM (destructive!)
tpm-keys remove 0x81000100
```

Manual setup, as an alternative to the bootstrap script:

```bash
# 1. Set up secure secrets directory
mkdir -p ~/.secrets && chmod 700 ~/.secrets

# 2. Generate 24-word mnemonic (save this securely!)
MNEMONIC=$(bip39 generate --words 24 --quiet)
echo "Save this mnemonic securely: $MNEMONIC"

# 3. Initialize TPM
tpm-init

# 4. Create all keys from mnemonic
bip39-unified-keys --mnemonic "$MNEMONIC" --setup-sops --comment "MyDevice"

# 5. Verify keys are stored
tpm-keys list

# 6. Get SSH public key for GitHub/servers
tpm-to-pubkey 0x81000100
```

- Hardware-Only Storage: Private keys are sealed in TPM hardware and never stored on disk
- Deterministic Recovery: All keys can be recreated from the BIP39 mnemonic on any TPM-enabled device
- Zero Trust: Private key material never exists unencrypted outside the TPM
- Forward Security: Each operation requires TPM unsealing
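The bootstrap steps above (mnemonic, then HKDF, then per-purpose keys) and the Deterministic Recovery property rest on two standard constructions, and both fit in a few lines of standard-library Python. The block below is an added example, not this repository's `bootstrap-secrets.sh` or `bip39-unified-keys`: the BIP39 seed step (PBKDF2-HMAC-SHA512, 2048 rounds, salt `"mnemonic" + passphrase`) and HKDF-SHA256 (RFC 5869) are the published standards, while the HKDF salt and the `age`/`ssh` info labels are assumptions of mine, not the labels this repository uses. Turning the 32-byte outputs into an age identity or sealing them into the TPM is outside the example, and it does not check the mnemonic's checksum against the BIP39 wordlist.

```python
"""Deterministic key derivation from a BIP39 mnemonic: seed via PBKDF2, then
HKDF-SHA256 with a distinct info label per subkey (added example; the salt and
labels are assumptions, not this repository's scheme)."""
import hashlib
import hmac
import unicodedata
from typing import Dict

HASH_LEN = 32  # SHA-256 output size; HKDF's default salt is HASH_LEN zero bytes


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: NFKD-normalise, PBKDF2-HMAC-SHA512, 2048 rounds,
    salt = 'mnemonic' + passphrase, 64-byte output."""
    words = " ".join(unicodedata.normalize("NFKD", mnemonic).split())
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract: PRK = HMAC(salt, IKM); an empty salt means HashLen zero bytes."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated and truncated."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-SHA256 cannot expand beyond 255 * 32 bytes")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """Full HKDF (extract then expand), matching the RFC 5869 test vectors."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


# Assumed domain-separation labels: one expand call per purpose keeps the age
# key and the SSH seed independent even though both come from one mnemonic.
SUBKEY_INFO = {"age": b"age-identity-v1", "ssh": b"ssh-ed25519-seed-v1"}
HKDF_SALT = b"dotfiles-bip39-unified-keys"  # assumed; any fixed public value works


def derive_subkeys(mnemonic: str, passphrase: str = "") -> Dict[str, bytes]:
    """Mnemonic -> 64-byte seed -> PRK -> one 32-byte subkey per label.
    The same mnemonic and passphrase always yield the same keys, which is the
    recovery property; a different passphrase yields an unrelated set."""
    prk = hkdf_extract(HKDF_SALT, bip39_seed(mnemonic, passphrase))
    return {name: hkdf_expand(prk, info, 32) for name, info in SUBKEY_INFO.items()}


if __name__ == "__main__":
    # The BIP39 reference mnemonic for all-zero entropy; never use it for real keys.
    demo = ("abandon abandon abandon abandon abandon abandon "
            "abandon abandon abandon abandon abandon about")
    for name, key in derive_subkeys(demo).items():
        print(name, key.hex())
```

Two points the code makes concrete: every byte of key material is a pure function of the mnemonic and passphrase, so the mnemonic really is the master secret the Security Notes describe; and separate HKDF info labels, not separate mnemonics, are what keep the age key and the SSH key from being derivable from each other.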
- Secrets: Never commit `secrets.nix` - it's gitignored
- Keys: SSH keys and GPG keys are referenced, not embedded
- Signatures: Git commits are signed by default
- Hardening: System security configurations are applied
- BIP39 Recovery: Store your mnemonic phrase securely offline - it's your master key
- Secure Storage: Secrets stored in `~/.secrets/` with 700 permissions (owner-only access)
This repository serves as an educational example of:
- NixOS flake architecture
- Home Manager integration
- Modular configuration organization
- Security best practices
- Development environment automation
This configuration is provided as-is for educational purposes. Adapt it to your needs!
Feel free to use this configuration as inspiration for your own setup. If you find improvements or have questions, please open an issue!