NixOS

These are my NixOS/macOS Nix setup.

NixOS	macOS

Common Features

• User environment and dotfiles management with home-manager.

• CLI-ready workflow with fish, tmux, git, fish, gpg, ssh, curl, rsync, and power tools like bat, zoxide, eza, bottom, broot, fzf, yazi, ripgrep, fd, sd, jq, just, lazygit, lazydocker, gh, and more...

• Developer-ready languages: Nix, Rust, Go, Python, Julia and LLVM.

• Easy to develop environments with nix-shell direnv, and devshell. You can put your soydev TypeScript/JavaScript/NodeJS stuff here.

• Text editor with Helix enabled with the following LSPs:

  • nil: Nix
  • bash-language-server: Bash, Fish, Zsh, shell scripts, etc.
  • rust-analyzer: Rust
  • gopls: Go
  • julia: Julia
  • taplo: TOML
  • yaml-language-server: YAML
  • ruff-lsp: Python
  • marksman: Markdown
  • vscode-langservers-extracted: HTML, CSS, and JSON
  • texlab: $\LaTeX$
  • ltex-ls: LanguageTool for Markdown, HTML, and $\LaTeX$.
  • typst-lsp: Typst

• Catppuccin Mocha theme everywhere.

• Archival tools: gzip, xz, zip, lz4, p7zip, and zstd.

• CLI entertainment tools: yt-dlp, cmus, and ffmpeg.

• Publishing and content CLI tools: qpdf, pandoc, glow, graphicsmagick, tectonic, and typst.

• OS-level adblocking with StevenBlack/hosts in the /etc/hosts.

• age-encrypted secrets with ryantm/agenix with YubiKey support. Check the secrets/README.md for details.

• Apps:

  • Bitcoin tools such as Sparrow wallet and Bisq
  • Encrypted backup tool with Cryptomator
  • Signal messenger
  • Torrenting with Transmission
  • Offline password manager with KeePassXC
  • Screen Recorder with OBS Studio

NixOS

This is paranoid build with root on tmpfs. This means that everything outside of some directories of /etc and some directories of /home will be wiped out. Read more about this in the NixOs Paranoid Guide (this is also a good source NixOS tmpfs as /home).

Features

• XanMod Kernel

• Hyprland Wayland window manager:

  • Waybar status bar.
  • Nemo file manager.
  • Rofi-wayland application launcher.
  • Mako notification daemon.
  • Swaylock-effects screen locker.
  • NetworkManager network management tool.
  • Nerdfonts.

• Apps:

  • foot
  • Docker and Linux VMs with Podman and QEMU

• VPN support with wireguard

• Keyboard customizations with keyd: Caps Lock as Escape (if tapped) and Control (if held).

• Easy and automated disk partitioning with disko.

How to Install

As root:

1. Prepare a 64-bit NixOS 23.11 minimal iso image and burn it, then enter the live system. Suppose I have divided two partitions: /dev/nvme0n1p1 and /dev/nvme0n1p2

2. Format the partitions:

   mkfs.fat -F 32 /dev/nvme0n1p1
   mkfs.ext4 /dev/nvme0n1p2 # or use LUKS with cryptsetup luksFormat /dev/nvme0n1p2 encryptedroot

   or use the disko script for Btrfs with LUKS (don't forget to clone the repo first):

   nix run github:nix-community/disko -- --mode disko linux/disko.nix
   # verify the mount
   mount | grep /mnt
   # you may need to skip some commands in the next "mount" step

3. Mount:

   mount -t tmpfs none /mnt
   mkdir -p /mnt/{boot,nix,etc/nixos}
   mount /dev/nvme0n1p2 /mnt/nix # or LUKS with mount /dev/mapper/encryptedroot /mnt/nix
   mount /dev/nvme0n1p1 /mnt/boot
   mkdir -p /mnt/nix/persist/etc/nixos
   mount -o bind /mnt/nix/persist/etc/nixos /mnt/etc/nixos

4. Generate a basic configuration:

   nixos-generate-config --root /mnt

5. Clone the repository locally:

   nix-shell -p git
   # recursive for git submodules
   git clone --recursive https://github.com/storopoli/flakes.git /mnt/etc/nixos/flakes
   cd /mnt/etc/nixos/flakes/
   nix develop --extra-experimental-features "nix-command flakes" --extra-experimental-features flakes

6. Copy hardware-configuration.nix from /mnt/etc/nixos to /mnt/etc/nixos/flakes/hosts/laptop/hardware-configuration.nix:

   cp /mnt/etc/nixos/hardware-configuration.nix /mnt/etc/nixos/flakes/hosts/laptop/hardware-configuration.nix

7. Modify the overwritten hardware-configuration.nix:

   hx /mnt/etc/nixos/flakes/hosts/laptop/hardware-configuration.nix

   ...
   # This is just an example
   # Please refer to `https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/#step-4-1-configure-disks`
   
     fileSystems."/" =
       { device = "none";
         fsType = "tmpfs";
         options = [ "defaults" "size=12G" "mode=755"  ];
       };
   
     fileSystems."/nix" =
       { device = "/dev/disk/by-uuid/49e24551-c0e0-48ed-833d-da8289d79cdd";
         fsType = "ext4";
       };
   
     fileSystems."/boot" =
       { device = "/dev/disk/by-uuid/3C0D-7D32";
         fsType = "vfat";
       };
   
     fileSystems."/etc/nixos" =
       { device = "/nix/persist/etc/nixos";
         fsType = "none";
         options = [ "bind" ];
       };
   ...

8. remove /mnt/etc/nixos/flakes/.git:

   rm -rf .git

9. Username modification: edit /mnt/etc/nixos/flakes/flake.nix to modify user variable, hostname modification: edit /mnt/etc/nixos/flakes/hosts/system.nix to modify the hostName value in the networking property group

10. Use the hash password generated by the mkpasswd {PASSWORD} -m sha-512 command to replace the value of users.users.<name>.hashedPassword in /mnt/etc/nixos/flakes/hosts/laptop/wayland/default.nix (there are two places to be edited)

11. Perform install:

    nixos-install --no-root-passwd --flake .#laptop

12. Reboot

    reboot

13. Enjoy it!

How to Update

1. First, update the input in flake:

   # update the specified input
   nix flake lock --update-input <foo> <foo>
   # or update all inputs
   nix flake update
   # also you can reclaim storage with
   nix-collect-garbage -d

2. Then, rebuild and switch to the system after rebuild:

   doas nixos-rebuild boot --flake .#<hostname>

macOS

The macOS configs are minimalist in approach and geared towards enhancing security and privacy. It uses the best practices described in the MacOS Hardening Guide and the MacOS Security and Privacy Guide.

Why not Homebrew?

Honestly, Homebrew is a Ruby bloatware. It is slow, non-reproducible, and a mess to maintain.

Nix is superior in every way. It is fast as fuck, and it is 100% reproducible. Migrating to new hardware or rebuilding old hardware after a wipe is a breeze.

Features

• Tiling window manager with yabai and skhd.

• Apps:

  • Alacritty
  • Brave with Tor Browser also available
  • Docker and Linux VMs with UTM and OrbStack
  • Keyboard customization with Karabiner-Elements: Caps Lock as Escape (if tapped) and Control (if held).
  • Android file transfer support
  • ProtonVPN
  • NetNewsWire for RSS feeds
  • IINA as the default video player
  • iTunes media keys disabled with NoTunes and cmus as the default music player (with the caveat that the media keys works, thanks to cmus-control)

• Common developer enhancements in Finder and Search

• MacOS privacy and security enhancements

• Debloating of animations

Prepare your system

Before installing anything you'll need to prepare your system:

1. Don't register an Apple ID

2. Enable Lockdown Mode

3. Disable all Sharing stuff: General > Sharing: Disable All

4. Disable Notifications previews:

   • Notifications > Show Previews: Never
   • Notifications: Disable "Allow notifications when the screen is locked"
   • Lock Screen > Require password immediately

5. Change NTP Server: General > Date & Time > Source: Change to "pool.ntp.org"

6. Set the smart battery saver: Boost mode on AC and Low Power mode on battery

7. Disable Siri:

   • Siri and Spotlight: Disable "Ask Siri"
   • Siri and Spotlight > Siri Suggestions > Disable all

8. Disable Analytics:

   • Privacy and Security > Analytics > Improvements: Disable all
   • Privacy and Security > Apple Advertising > Disable personalized ads
   • Game Center: Disable all

How to Install

1. Install Xcode Command Line Tools:

   xcode-select --install

2. Install Nix using the official installer:

   sh <(curl -L https://nixos.org/nix/install) --daemon

3. Enable Flake support:

   echo 'experimental-features = nix-command flakes' >> /etc/nix/nix.conf

4. Install nix-darwin:

   # aarch64
   nix run nix-darwin -- switch --flake .#macbook
   # x86_64
   nix run nix-darwin -- switch --flake .#macbook_x86

5. Apply changes to your system:

   darwin-rebuild switch --flake .

How to Update

1. First, update the input in flake:

   # update the specified input
   nix flake lock --update-input <foo> <foo>
   # or update all inputs
   nix flake update
   # also you can reclaim storage with
   nix-collect-garbage -d

2. Then, rebuild and switch to the system after rebuild:

   nix --experimental-features 'nix-command flakes' build '.#darwinConfigurations.macbook.system'
   nix run --extra-experimental-features 'nix-command flakes' nix-darwin -- switch --flake .
   # or if nix-command and flakes are enabled:
   nix run nix-darwin -- switch --flake .