This is my personal NixOS configuration, refined since 2019, using flakes and home-manager. You will also find some security and privacy configuration from my attempt at improving the Linux desktop. You are welcome to take inspiration :)
- Sway (Wayland / xWayland)
- AMD CPU / GPU
- Pipewire
- ZSH
- Dnscrypt
- Systemd Hardened
- Opensnitch
- Bwrap (browsers, telegram, discord, steam)
- Neovim
- XDG
- Themes
```
flake.nix -- entry point, merges everything below
|
|--> profiles/* -- high-level configuration, the "user profile"
|--> hardwares/* -- hardware-specific configs
|
|--> modules/* -- modules to compose the "profiles/*" and "hardwares/*",
| -- defines the custom "myNix" options
|
|--> overlays/* -- define new or override packages
|--> lib/* -- custom functions and abstractions for everything above (eg: bwrapIt)
```
If you want a full disk reset:

```sh
# download script from _scripts/setup_disk.sh
curl -L setup-disk.shiryel.com > setup.sh
chmod +x setup.sh
# read setup.sh before running it: it resets the whole target device
./setup.sh /dev/YOUR_DEVICE_HERE
```
If you already have a formatted system, add your hardware_config.nix to system/hardware/hardware-configuration.nix and run:

```sh
sudo nixos-rebuild switch --flake .#generic
```
You can get started with flakes here: https://nixos.wiki/wiki/Flakes

You may also want to take a look at the flakes that I took inspiration from:
- https://github.com/ners/NixOS
- https://github.com/balsoft/nixos-config
- https://github.com/Kranzes/nix-config
- https://github.com/jonringer/nixpkgs-config
- https://github.com/sebastiant/dotfiles
- https://github.com/kotokrad/dotfiles (fennel nvim!)
- https://github.com/ericdallo/dotfiles (android / flutter configs)
xrandr
- check if the primary is on an output with a 16:9 aspect ratio

record
- check if screen recording is working on every workspace

dig +short txt qnamemintest.internet.nl
- check if QNAME minimisation is enabled

sudo cat /var/log/dnscrypt-proxy/dnscrypt-proxy.log
- check if dnscrypt is choosing a good DNS server with low latency

ssh -T [email protected]
- check if ssh, gpg and pinentry are working

https://www.cloudflare.com/ssl/encrypted-sni/
- check DNSSEC (SNI will be unsupported)

systemctl --user --type=target
- check available user targets

systemctl --user --failed
- check failed user services

systemctl --failed
- check failed system services

systemd-analyze security
- check system security

systemd-analyze security --user
- check user security

- ldd - check dynamic executables (note that ldd is wrapped with a hard-coded loader, so it always reports its own loader path no matter which loader path the program expects, eg: /lib/ld-linux.so.2 != /lib/ld-lsb.so.3)
- LD_DEBUG=all $COMMAND
- objdump -j .interp -s $COMMAND
- strace
- ftrace
- perf
- NIX_DEBUG=true
- WAYLAND_DEBUG=1
- XDG_UTILS_DEBUG_LEVEL=10
- QT_DEBUG_PLUGINS=1
- GTK_DEBUG=interactive
- chkrootkit
- lynis