NixOS
The following are my random thoughts during setting up NixOS. I already have Manjaro installations boiled down into a set of shell scripts that let me reinstall and configure the OS fairly quickly and repeatably. NixOS solves this in a much nicer way, so that appealed. The ability to rollback a bad configuration or update was also a big draw.
Rolling back doesn’t revert the broken configuration.nix, so should I make /etc/nixos a git repo?
I’ve been using Chezmoi but NixOS has Home Manager and people seem to prefer using that. When I installed it, something broke, so I rolled back and haven’t returned to it since. I suspect I need to learn more about Nix and the language first. There’s a whopper of a Catch-22 here though.
The learning curve is quite steep, so I’d rather stick to at least some of the tooling I know, such as Chezmoi. I expect, as with Home Manager, the more specific things I need to do, the more I will need to know. Of course, that makes sense but it doesn’t do anything to reduce the gradient of the learning curve.
Flakes and nix-command are “experimental” but almost everywhere when you run into some sort of “I need to do x or y” you end up down the path of needing Flakes. That leads you to add:
# Enable Flakes
nix.settings.experimental-features = [ "nix-command" "flakes" ];
This feels off in the sense that “experimental” would in many cases imply “unreliable”, which is perhaps not fair here; it’s more that they want to change its API. Are they called “Flakes” because they’re potentially flakey?
I followed the tutorial to make sshush into a Flake but despite that it appears to not be correctly named, or something along those lines. Although I can build it with nix-build -A sshush and then install it with nix profile install ./result, it doesn’t seem like it’s the right way to do things. I think in places the docs don’t quite go far enough.
The difficulty when you don’t find an answer in the docs is you need to rely on forum posts, which can be outdated (especially if features are “experimental” and have changed). If you don’t find an answer there, the AIs beckon, which is Not Good as they lie more readily than [insert your least favoured politician here]. Or their answers are simply gleaned from the same outdated forum posts you’ve already read, distilling wrong information and presenting it as authoritative.
Atuin doesn’t seem to be saving all the commands I run, which would be useful as knowing what I ran before in a given directory is handy information to lean on during the learning curve. Atuin was installed through a nix profile. At some point, I went back to Atuin’s provided installation script to see if anything was cattywampus in the way it had been installed and if that was the reason not all commands were saving. Installing in that way required adding:
# Atuin is a dynamically linked exec
programs.nix-ld.enable = true;
Trusting the CA used by pfSense was simple:
# Certs
security.pki.certificateFiles = [
./certs/HomeCA.crt
];
Chromecast didn’t work, it showed “no devices found”, until opening ports:
networking.firewall = {
# Chromecast
allowedUDPPortRanges = [ { from = 32768; to = 60999; } ];
};
For whatever reason that was all it needed; it didn’t require anything else, despite what some posts about this suggested.
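Opening a large UDP range applies to every interface, including a tethered phone or a VPN tunnel, not just the home network the Chromecast sits on. The same option exists per interface, so the range can be limited to the interface that actually needs it. This is an added example, not configuration from the original post; the interface name wlp1s0 is an assumption (check with ip link for the real one).

```nix
{ ... }:
{
  networking.firewall = {
    enable = true;

    # Broad form, as in the post above: the range is reachable on every
    # interface the machine has.
    # allowedUDPPortRanges = [ { from = 32768; to = 60999; } ];

    # Scoped form: only the home Wi-Fi interface accepts the Chromecast
    # reply traffic; all other interfaces keep the default deny.
    # "wlp1s0" is an assumed interface name.
    interfaces."wlp1s0" = {
      allowedUDPPortRanges = [ { from = 32768; to = 60999; } ];
    };
  };
}
```

If the laptop roams between networks, the interface name stays the same but the network behind it does not, so this narrows exposure rather than removing it; the port range is still only open while the interface is up.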
Installing custom fonts or a subset of those from nerdfonts:
# Fonts
fonts.packages = with pkgs; [
(nerdfonts.override { fonts = [ "FiraCode" ]; })
fira-code
];
Framework firmware, fingerprint login/sudo auth, Keybase, Docker and Tailscale:
# Framework firmware updates
services.fwupd.enable = true;
# For fingerprint support
services.fprintd.enable = true;
# Keybase
services.keybase.enable = true;
services.kbfs.enable = true;
# Tailscale
services.tailscale.enable = true;
# Install Docker
virtualisation.docker.enable = true;
For Docker, add yourself to its group to avoid needing sudo.
users.users.ben = {
isNormalUser = true;
description = "Ben";
extraGroups = [ "networkmanager" "wheel" "docker" ];
};
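Anyone who can talk to the Docker socket can start a privileged container with the host filesystem mounted, so membership in the docker group is effectively root without sudo. NixOS also offers a rootless daemon that runs as the user’s own systemd user service and needs no group membership. The following is an added example, not the post’s own configuration, showing the rootless form beside the group-based one; the user name ben is taken from the post.

```nix
{ pkgs, ... }:
{
  # Group-based form (as in the post): the system daemon runs as root and
  # members of "docker" may use its socket.
  # virtualisation.docker.enable = true;

  # Rootless form: the daemon runs under the user's own account, so a
  # container escape lands in the user's session rather than as root.
  virtualisation.docker.rootless = {
    enable = true;
    # Exports DOCKER_HOST in the user's environment so the docker CLI
    # finds the per-user socket without any extra setup.
    setSocketVariable = true;
  };

  users.users.ben = {
    isNormalUser = true;
    description = "Ben";
    # No "docker" group needed with the rootless daemon.
    extraGroups = [ "networkmanager" "wheel" ];
  };
}
```

Rootless Docker cannot bind ports below 1024 or use some storage drivers, so it is a trade-off; for a laptop used for development it is usually enough.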
I still need to install Ansible, which needed pipx on Manjaro. I definitely expect that to involve Flakes. Edit: it did not involve Flakes, at least not so far. It was just:
environment.systemPackages = with pkgs; [
pkgs.ansible
pkgs.ansible-lint
];
I went looking for Yubikey Authenticator and found this, which looks good. For a laptop in particular, the option of pulling the Yubikey and having it lock the system is a good one. Obviously, that’s nothing NixOS specific.
Since first writing this, I’ve moved configuration.nix into a git repo and symlinked it into /etc/nixos, following this post. This required fixing some relative paths as I wanted to keep the hardware-configuration.nix and certs where they were.
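Relative paths in a Nix file are resolved against the real location of that file, so once configuration.nix lives in a git checkout and is symlinked into /etc/nixos, ./hardware-configuration.nix and ./certs/HomeCA.crt no longer point at /etc/nixos. The following is an added example of the path fix, not the post’s own file; the repository location is an assumption.

```nix
# Assumed layout:
#   ~/src/nixos-config/configuration.nix   (this file, in git)
#   /etc/nixos/configuration.nix           -> symlink to the above
#   /etc/nixos/hardware-configuration.nix  (left in place)
#   /etc/nixos/certs/HomeCA.crt            (left in place)
{ config, pkgs, ... }:
{
  # Absolute paths, because ./hardware-configuration.nix would now be
  # looked up next to the git checkout rather than in /etc/nixos.
  imports = [ /etc/nixos/hardware-configuration.nix ];

  # Private CA trusted system-wide; same absolute-path treatment.
  security.pki.certificateFiles = [ /etc/nixos/certs/HomeCA.crt ];
}
```

Keeping the CA file outside the repository also keeps the trust anchor out of whatever the repository is pushed to; only the path, not the certificate, is versioned.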
2025-03-30
I’m now using Home Manager and have moved from bash to zsh. Atuin seems happier on zsh.
I’ve moved most dotfiles into Home Manager and am leaving chezmoi behind. I’ll need to remember to update them in both places if I change things in my flake, until I commit to rebuilding my main machine in Nix and putting Manjaro in the past.
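A minimal flake that wires Home Manager into the NixOS build and sets zsh with Atuin for the user, as an added example rather than the post’s own flake. The host name framework, the 24.11 release branches and the user name ben (from the post) are assumptions; the experimental-features line shown earlier must already be enabled.

```nix
{
  description = "NixOS with Home Manager as a module (added example)";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
    home-manager = {
      url = "github:nix-community/home-manager/release-24.11";
      # Use one nixpkgs for both, so system and user packages agree.
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { nixpkgs, home-manager, ... }: {
    # Build and activate with:
    #   sudo nixos-rebuild switch --flake .#framework
    nixosConfigurations.framework = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        ./configuration.nix

        # System side: make zsh available and the user's login shell.
        ({ pkgs, ... }: {
          programs.zsh.enable = true;
          users.users.ben.shell = pkgs.zsh;
        })

        # Home Manager side, managed by the same rebuild (and rolled back
        # together with it).
        home-manager.nixosModules.home-manager
        {
          home-manager.useGlobalPkgs = true;
          home-manager.useUserPackages = true;
          home-manager.users.ben = { ... }: {
            home.stateVersion = "24.11";
            programs.zsh.enable = true;
            programs.atuin = {
              enable = true;
              # Installs Atuin's zsh hook so every command is recorded,
              # which is the part that was unreliable with a manual install.
              enableZshIntegration = true;
            };
          };
        }
      ];
    };
  };
}
```

Because Home Manager runs as a NixOS module here, a broken dotfile change is undone by the same generation rollback as the system configuration, which addresses the earlier question about rolling back a bad configuration.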
I’m working my way through Ryan Yin’s NixOS & Flakes Book.
His preface especially resonated with me.
This book is absolutely the best resource I’ve found so far, that actually works in 2025.