Tips

This file lists some notable information that helps further explain the rather odd complexities this flake contains. It also serves as a good reference page for day-to-day use of the flake.

Notable Hints

Peppered throughout my configuration, I have a set of special variables from the user-vars module (nixos) (home-manager) that all of my configs include. These variables are used throughout the flake to switch between different settings per config, and they allow finer control over what settings your system will have in the resultant builds.

My iso/vm configurations do not have explicitly defined variables as my other configs do, since null values for them assume you are trying to build either one of these configs. The only special variables that are included are those from any of the host opt-in configurations that lie under hosts/common, which include the desktop environment, the theme, whether to use KDE Konsole, and the stylix theming.

Anytime I mention the $FLAKE variable, I mean the variable that is set in the Home-Manager configuration (which points to where you installed the flake!). The default value of the FLAKE variable is /home/USERNAME/Documents/NixConfig.

Building a NixOS ISO with the ISO config

  1. Download the repo onto your computer (it must have nix or NixOS already!).
  2. Open the terminal and enter the repo directory.
  3. Run nix build .#nixosConfigurations.live-image.config.system.build.isoImage to build the iso (or run just iso).
  4. Locate the result folder in the repo directory; the iso will be in result/iso.

Rebuilding NixOS+Home-Manager

To apply new changes that you made to the flake, run the command nixos-rebuild switch --flake $FLAKE to rebuild and switch to the new profile. Optionally, you can add the --accept-flake-config parameter to skip the prompt asking you to accept all of the values that nixConfig inside the flake.nix file specifies (it will automatically accept the proposed values).

Update the flake’s lock file

The nix dependencies/flake inputs (such as nixpkgs) used by the flake strictly follow the flake.lock file, using the commits written into it when you (re)generate the profiles. Simply run nix flake update --flake $FLAKE to update the flake inputs. If you want to save the update message and have it committed to the repo’s git history, run nix flake update --commit-lock-file --flake $FLAKE instead. Keeping this updated is key to obtaining the latest packages and modules.

Flakes and Trusted Config Values

Nix will ask you to accept the extra-substituters and extra-trusted-public-keys values that the flake adds (for retrieving packages from extra binary caches like https://nix-community.cachix.org and https://nix-gaming.cachix.org); this is for speeding up evaluation time. Make sure to read through the prompts and hit ‘Y’ if you want to allow those changes. Otherwise, if you want to come back later and make the values trusted, you can modify ~/.local/share/nix/trusted-settings.json, or just delete it and restart the nix daemon via systemctl restart nix-daemon.service.
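To review what has already been accepted permanently, here is an added example (not part of this flake's own code) that audits trusted-settings.json against the two caches named above. It assumes the file maps each setting name to an object of value strings and accepted flags; the sample data and key string are constructed placeholders.

```python
import json
from pathlib import Path

# Location named on this page.
TRUSTED_SETTINGS = Path.home() / ".local/share/nix/trusted-settings.json"

# Substituters this page names; anything else that was trusted deserves a second look.
EXPECTED_SUBSTITUTERS = {
    "https://nix-community.cachix.org",
    "https://nix-gaming.cachix.org",
}

def audit_trusted_settings(doc):
    """Return (setting, value, reason) findings for permanently accepted flake settings.

    Assumed layout: {setting: {"space separated value string": accepted_bool}}.
    """
    findings = []
    for setting, decisions in doc.items():
        for value_string, accepted in decisions.items():
            if not accepted:
                continue  # a remembered "no" grants nothing
            for value in value_string.split():
                if setting in ("extra-substituters", "substituters"):
                    if not value.startswith("https://"):
                        findings.append((setting, value, "substituter not fetched over HTTPS"))
                    elif value.rstrip("/") not in EXPECTED_SUBSTITUTERS:
                        findings.append((setting, value, "substituter not on the expected list"))
                elif setting in ("extra-trusted-public-keys", "trusted-public-keys"):
                    # Paths signed by a trusted key are accepted from caches, so list each key.
                    findings.append((setting, value, "signing key trusted; confirm its owner"))
                else:
                    findings.append((setting, value, "unexpected setting accepted from a flake"))
    return findings

# Constructed sample (not from a real machine); the key string is a placeholder.
SAMPLE = {
    "extra-substituters": {
        "https://nix-community.cachix.org https://nix-gaming.cachix.org": True,
        "http://cache.example.invalid": True,
        "https://declined.example.invalid": False,
    },
    "extra-trusted-public-keys": {"example-cache-1:PLACEHOLDERKEY=": True},
}

if __name__ == "__main__":
    doc = json.loads(TRUSTED_SETTINGS.read_text()) if TRUSTED_SETTINGS.exists() else SAMPLE
    for setting, value, reason in audit_trusted_settings(doc):
        print(f"{setting}: {value}: {reason}")
```

Run it after using --accept-flake-config as well, since that flag accepts the same values without showing the prompt.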

Evaluation Secrets

Any secret that starts with the esecrets function from the utils.nix module is a secret that is evaluated while the flake is being built. These secrets in particular are for hiding sensitive information that is in the nix module files. They are particularly useful when you want to share your configs without directly revealing the secrets in places that require them as soon as nix evaluates the flake. These secrets are placed in the eval-secrets.json file under secrets/USERNAME.

These secrets are encrypted with git-crypt, so when you clone the repo you will need to either delete the secrets or decrypt them with the GPG key that was used to encrypt them.

More Flake Secrets

Any secret located under secrets/ is a secret generated by agenix. These secrets require a user key (a key that the user will use) and the ssh host keys (keys located under /etc/ssh). For existing systems, all that needs to be done is to add the ssh host key’s public key into secrets/secrets.nix and rekey the secrets you want to use with said public key using just rekey-host or just rekey-multikey. For new systems, you will need to create the ssh keys in the installer with ssh-keyscan -t ed25519 or simply copy the already generated ssh keys from the live-image’s /etc/ssh/ into the newly mounted disks, /mnt/etc/ssh/; then follow the same rekey steps as mentioned previously.

Refer to agenix’s tutorial for more information and some advanced functions.