# nix-configs

My personal Nix configurations.

These configurations make use of personal preferences. I have forked some tools and made personal edits which may make this unstable:

- **nix-darwin**: I added additional user configuration management and fixed some multi-user issues in the system. This was done in a heavy-handed manner and so will likely not be supported upstream. This may change as upstream improves on these issues.
- **agenix**: Wanted to add armor output support for better git visibility. Also needed to fix `ageBin` for Darwin configuration.
## macOS (laplace)

This assumes starting from a fresh installation of macOS before initial setup and attempts to follow best practices as laid out in drduh's macOS Security and Privacy Guide. It is possible to start after initial setup, but if the existing setup has no admin/user separation, the admin account will need to be created and the regular user demoted from the admin group.

- Create the admin user which will manage the OS and Nix: `laplace`
  - If demoting a regular user after creating the admin account, log out of the regular user and into the new admin account to run:

    ```sh
    sudo dscl . -delete /Groups/admin GroupMembership <username>
    sudo dscl . -delete /Groups/admin GroupMembers <GeneratedUID>
    ```

  - To find the `GeneratedUID` of an account: `dscl . -read /Users/<username> GeneratedUID`
- Rename the computer (System Settings -> General -> About -> Name): `laplace`
- Install Nix
- Install Homebrew
- Clone this repo in `/Users/Shared/`: `git clone https://github.com/dlubawy/nix-configs.git /Users/Shared/nix`
- Enter where the repo was cloned: `cd /Users/Shared/nix`
- Edit `vars` in `flake.nix` to use your desired name, email, user, and public keys
- As admin user (`laplace`), run the initial `nix --extra-experimental-features 'nix-command flakes' run nix-darwin -- switch --flake .#laplace`
  - The normal user may subsequently run the command with sudo: `sudo -Hu laplace darwin-rebuild switch --flake .#laplace`
  - A `make` command is supplied to make this easier: `make laplace`
  - You may want to change the `shellAlias` for `laplace` to point to your own repo with any changes; then you may run `laplace` as a command alias for rebuilding from the remote.
## Raspberry Pi

This assumes a working Nix installation on a separate computer for building manually. Otherwise, one may follow the ARM installation guide to install on the board first and then follow the instructions given here.

- Clone this repo: `git clone https://github.com/dlubawy/nix-configs.git`
- Enter where the repo was cloned: `cd nix-configs`
- Edit `vars` in `flake.nix` to use your desired name, email, user, and public keys
- Run `make pi-image` to build the initial SD card image or run `make pi` to build the image from an existing installation.
- Using a 32 GB+ SD card (skip if using an existing pi image):
  - Insert the SD and figure out the appropriate disk device (`fdisk` on Linux or `diskutil` on macOS)
  - Run `nix run nixpkgs#zstdcat ./result/sd-image/nixos-sd-image-*.zst | dd of=<disk> status=progress bs=64M`
- Insert SD card and boot the Raspberry Pi
- Login to the user defined previously using the username as the initial password, then change the password with `passwd`
## NixOS-WSL (syringa)

This assumes a working Nix installation on the target platform (`x86_64-linux`). This can be run from a temporary NixOS-WSL image built following these instructions.

- Run `sudo nix run github:dlubawy/nix-configs/main#nixosConfigurations.syringa.config.system.build.tarballBuilder`
- Install the resulting tarball from inside a PowerShell terminal on the target: `wsl --import NixOS $env:USERPROFILE\NixOS\ nixos-wsl.tar.gz`
- Add Catppuccin theme for Windows Terminal
- Install FantasqueSansMono Nerd Font in Windows and select it as the font
## Banana Pi BPI-R3 router

This makes use of nakato/nixos-sbc for creating the boot image of the router. I am not a network security expert, so this configuration does not guarantee security. I made a best attempt with the skills I possess; all feedback welcome. The goal of the router is primarily to segment LAN users across four VLANs: `vl-lan`, `vl-user`, `vl-iot`, and `vl-guest`.

- LAN network acts as a management interface to the router and the networks themselves.
- USER network provides trusted networking that can reach into the IOT and GUEST networks but not the reverse.
- IOT provides a downgraded Wi-Fi security entrypoint and a dedicated 2.4GHz connection for devices that have poor update support.
- GUEST provides an entrypoint for all devices not registered in the dynamic VLAN configuration for hostapd. NOTE: devices on the GUEST network may talk to each other due to hostapd `ap_isolate` not working with dynamic VLAN. This is due to MAC address routing bypassing forwarding rules in nftables on the WLAN interface that is dynamically created. GUEST devices will not be able to talk outside the VLAN though (except for a set-aside subnet into the IOT network).
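As an added example (not this repository's own configuration), the following NixOS `networking.nftables` fragment expresses the inter-VLAN policy described above: LAN manages everything, USER may initiate into IOT and GUEST but not the reverse, and GUEST only reaches one set-aside IOT subnet. It assumes the VLAN interfaces are named after the VLANs (`vl-lan`, `vl-user`, `vl-iot`, `vl-guest`), an upstream interface called `wan0`, and a constructed placeholder subnet for the IOT carve-out.

```nix
{ ... }:
{
  networking.nftables.enable = true;
  # Interface names and the 192.0.2.0/28 carve-out are assumptions; adjust to
  # the bridge/VLAN names and subnets actually defined in flake.nix.
  networking.nftables.ruleset = ''
    table inet router {
      chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for flows already permitted on their first packet.
        ct state established,related accept
        ct state invalid drop

        # LAN is the management network: it may reach every other VLAN and the WAN.
        iifname "vl-lan" accept

        # USER is trusted: it may initiate into IOT, GUEST and the WAN. The reverse
        # direction never matches an accept rule, so IOT/GUEST cannot initiate to USER.
        iifname "vl-user" oifname { "vl-iot", "vl-guest", "wan0" } accept

        # IOT devices get the WAN only; they cannot initiate toward LAN, USER or GUEST.
        iifname "vl-iot" oifname "wan0" accept

        # GUEST gets the WAN plus the single set-aside IOT subnet (placeholder
        # address); everything else from GUEST is dropped by the chain policy.
        iifname "vl-guest" oifname "wan0" accept
        iifname "vl-guest" oifname "vl-iot" ip daddr 192.0.2.0/28 accept

        # Rate-limited log of what the default drop policy is about to discard,
        # which is the first thing to check when a VLAN unexpectedly loses access.
        limit rate 5/minute log prefix "nft-forward-drop: "
      }
    }
  '';
}
```

Note that this chain only sees traffic routed between interfaces; frames bridged at layer 2 within one VLAN (the `ap_isolate` caveat above) never traverse the forward hook, so guest-to-guest isolation has to come from hostapd, not from these rules.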
Installation assumes an assembled Banana Pi BPI-R3 without any additional PCI devices and only an SD card.

- Clone this repo: `git clone https://github.com/dlubawy/nix-configs.git`
- Enter where the repo was cloned: `cd nix-configs`
- Edit `vars` in `flake.nix` to use your desired name, email, user, and public keys
- Change any static network configurations such as DHCP leases and passwords using `agenix`
- Run `make bpi-image` to build the initial SD card image or run `make bpi` to build the image from an existing installation.
- Using a 32 GB+ SD card (skip if using an existing bpi image):
  - Insert the SD and figure out the appropriate disk device (`fdisk` on Linux or `diskutil` on macOS)
  - Run `nix run nixpkgs#zstdcat ./result/sd-image/nixos-sd-image-*.zst | dd of=<disk> status=progress bs=64M`
- Insert SD card and boot the Banana Pi
- Connect to the BPI using an Ethernet cable to one of the LAN 1--4 ports or use an SPI connection (Wi-Fi cannot start if SPI is connected)
- Change the initial password with `passwd`
- Login to Grafana (user: `admin`, password: `admin`) and change the admin password
## Templates

Use any template to create a nix flake based development environment with:

```sh
nix flake init --template github:dlubawy/nix-configs/main#[template]
```