NixOS

Layout

Configuration lives under conf/:

conf/
├── machines/
│   ├── hp/
│   └── thinkpad/
├── modules/
├── secrets/
└── shared.nix

• conf/shared.nix: shared NixOS and Home Manager modules.
• conf/machines/{machine}/configuration.nix: host-specific settings.
• conf/machines/{machine}/hardware-configuration.nix: generated hardware.
• conf/modules/: extra config assets used by Home Manager.
• conf/secrets/owais.yaml: encrypted SOPS secrets.

Rebuild

sudo nixos-rebuild switch --flake .#$(hostname)
sudo nixos-rebuild test --flake .#$(hostname)
nix flake update

Configurations currently provided by the flake:

• nix-haxorus: ThinkPad
• owais-nix-hp: HP

Add a machine

1. Create conf/machines/{machine}/.

2. Generate hardware config:

   sudo nixos-generate-config --show-hardware-config \
     > conf/machines/{machine}/hardware-configuration.nix
   

3. Add configuration.nix importing hardware and (import ../../shared.nix).nixos.

4. Add a nixosConfigurations.{hostname} entry in flake.nix.

SOPS

The system imports sops-nix from conf/shared.nix and exposes secrets under /run/secrets/.

Useful commands:

SOPS_AGE_KEY_FILE=$(pwd)/age.txt sops conf/secrets/owais.yaml
SOPS_AGE_KEY_FILE=$(pwd)/age.txt sops -d conf/secrets/owais.yaml
sops updatekeys conf/secrets/owais.yaml

The personal age key is documented in age.txt. .sops.yaml controls which files are encrypted and which recipients can decrypt them.