
NixOS Configuration

A NixOS flake managing multiple machines with role-based configuration, agenix secrets, and sandboxed dev workspaces.

Layout

  • /common - shared configuration imported by all machines
    • /boot - bootloaders, CPU microcode, remote LUKS unlock over Tor
    • /network - Tailscale, VPN tunneling via PIA
    • /pc - desktop/graphical config (enabled by the personal role)
    • /server - service definitions and extensions
    • /sandboxed-workspace - isolated dev environments (VM, container, or Incus)
  • /machines - per-machine config (default.nix, hardware-configuration.nix, properties.nix)
  • /secrets - agenix-encrypted secrets, decryptable by machines based on their roles
  • /home - Home Manager user config
  • /lib - custom library functions extending nixpkgs lib
  • /overlays - nixpkgs overlays applied globally
  • /patches - patches applied to nixpkgs at build time

Notable Features

Auto-discovery & roles — Machines register themselves by placing a properties.nix under /machines/. No manual listing in flake.nix. Roles declared per-machine ("personal", "dns-challenge", etc.) drive feature enablement via config.thisMachine.hasRole.<role> and control which agenix secrets each machine can decrypt.

Machine properties module system — properties.nix files form a separate, lightweight module system (machine-info) for recording machine metadata (hostnames, architecture, roles, SSH keys). Because every machine's properties are visible to every other machine, each system can reflect on the properties of the entire fleet, which enables automatic SSH trust, role-based secret access, and cross-machine coordination without duplicating information.
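The following sketch shows how the two features above fit together: fleet metadata collected from properties.nix files, agenix recipients derived from roles, and a module gating a feature on the role of the machine being built. It is an added illustration, not code from this repository. The only name taken from the page is config.thisMachine.hasRole.<role>; the `fleet` attribute set (standing in for what machine-info collects from /machines/*/properties.nix), the field names, the host keys, the secret file names, and the dnsProvider value are all constructed assumptions.

```nix
# Added example of role-driven secret access and fleet reflection (not the repository's own code).
# `fleet` stands in for the attrset machine-info builds from /machines/*/properties.nix;
# every field and host name below is constructed, and only config.thisMachine.hasRole.<role>
# comes from the README.
let
  fleet = {
    fry = {
      system = "x86_64-linux";
      roles = [ "personal" "dns-challenge" ];
      # Host key of the running system (the initrd uses a separate key); placeholder value.
      sshHostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI-placeholder-fry";
    };
    bender = {
      system = "aarch64-linux";
      roles = [ "server" "vpn" ];
      sshHostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI-placeholder-bender";
    };
  };

  hasRole = role: m: builtins.elem role (m.roles or [ ]);

  # Host keys of every machine holding `role`. agenix encrypts to exactly these recipients,
  # so a machine that lacks the role cannot decrypt the file at all, not merely "is not supposed to".
  keysWithRole = role:
    map (m: m.sshHostKey) (builtins.filter (hasRole role) (builtins.attrValues fleet));
in
{
  # What a secrets/secrets.nix would evaluate to: recipient lists computed from roles,
  # never maintained by hand.
  secrets = {
    "acme-dns-token.age".publicKeys = keysWithRole "dns-challenge";   # only fry
    "pia-credentials.age".publicKeys = keysWithRole "vpn";            # only bender
  };

  # Fleet reflection: every machine trusts every other machine's SSH host key,
  # in the shape programs.ssh.knownHosts expects.
  knownHosts = builtins.mapAttrs (_: m: { publicKey = m.sshHostKey; }) fleet;

  # A NixOS module that enables a feature and its secret only on machines with the role.
  dnsChallengeModule = { config, lib, ... }: {
    config = lib.mkIf config.thisMachine.hasRole.dns-challenge {
      age.secrets.acme-dns-token.file = ./acme-dns-token.age;   # hypothetical path
      security.acme.defaults = {
        dnsProvider = "cloudflare";   # provider is an assumption
        credentialsFile = config.age.secrets.acme-dns-token.path;
      };
    };
  };
}
```

`nix eval -f role-secrets.nix secrets --json` prints the recipients each file is encrypted to. Adding "dns-challenge" to a machine's roles is not enough on its own: agenix fixes recipients at encryption time, so the secrets must be re-keyed (`agenix -r`) after any role change, and the same re-key is what actually revokes access when a role is removed.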

Remote LUKS unlock over Tor — Machines with encrypted root disks can be unlocked remotely via SSH. An embedded Tor hidden service starts in the initrd so the machine is reachable even without a known IP, using a separate SSH host key for the boot environment.

VPN containers — A vpn-container module spins up an ephemeral NixOS container with a PIA WireGuard tunnel. The host creates the WireGuard interface and authenticates with PIA, then moves the interface into the container's network namespace. Because the tunnel is the container's only network interface, the container has no direct internet access and no path for traffic to bypass the VPN: if the tunnel is down, the container is simply offline.
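A minimal version of the hand-off pattern, written here as an added example rather than the repository's vpn-container module. It uses static peer data in place of the PIA authentication exchange, and the interface name wg-pia, the agenix secret name pia-wg-key, the tunnel address, the resolver address, and the endpoint (a documentation-range IP) are all assumptions. What it preserves is the property described above: the host owns and keys the interface, and the container receives it as its only link.

```nix
# Added example of the host-creates, container-receives WireGuard pattern (not the repository's code).
# Static peer values stand in for the PIA authentication step; names and addresses are assumptions.
{ config, ... }:
{
  age.secrets.pia-wg-key.file = ./pia-wg-key.age;   # hypothetical secret; the key stays on the host

  networking.wireguard.interfaces.wg-pia = {
    privateKeyFile = config.age.secrets.pia-wg-key.path;
    ips = [ ];                    # the host never uses the tunnel itself
    allowedIPsAsRoutes = false;   # and must not route its own traffic into it
    peers = [{
      publicKey = "PIA-SERVER-PUBLIC-KEY-PLACEHOLDER";
      endpoint = "203.0.113.10:1337";   # documentation address, placeholder
      allowedIPs = [ "0.0.0.0/0" ];
      persistentKeepalive = 25;
    }];
  };

  containers.vpn = {
    autoStart = true;
    privateNetwork = true;
    interfaces = [ "wg-pia" ];   # moved into the container's netns; no veth, no host bridge
    config = { ... }: {
      networking.useDHCP = false;
      # Moving an interface across namespaces clears its addresses, so the address PIA
      # assigned (static here) is re-applied inside, with a default route over the tunnel only.
      networking.interfaces.wg-pia.ipv4 = {
        addresses = [{ address = "10.0.0.2"; prefixLength = 32; }];
        routes = [{ address = "0.0.0.0"; prefixLength = 0; }];
      };
      # Do not inherit the host's resolvers: DNS must also go through the tunnel.
      networking.useHostResolvConf = false;
      networking.nameservers = [ "10.0.0.242" ];   # resolver reachable only via the tunnel (assumed)
      system.stateVersion = "24.05";
    };
  };

  # The tunnel must exist before the container tries to claim it.
  systemd.services."container@vpn" = {
    requires = [ "wireguard-wg-pia.service" ];
    after = [ "wireguard-wg-pia.service" ];
  };
}
```

After a rebuild, `nixos-container run vpn -- ip -brief link` should list only lo and wg-pia, and `ip route` inside should show a single default route over wg-pia. The WireGuard private key is read by the host service and never appears inside the container, and because nothing but the tunnel is attached to the namespace, a failed tunnel means no connectivity at all rather than a silent fallback to the host's uplink.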

Sandboxed workspaces — Isolated dev environments backed by microVMs (cloud-hypervisor), systemd-nspawn containers, or Incus. Each workspace gets a static IP on a NAT'd bridge, auto-generated SSH host keys, shell aliases for management, and comes pre-configured with Claude Code. The sandbox network blocks access to the local LAN while allowing internet.
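The network side of the sandbox can be expressed as a NAT'd bridge plus a forward-chain filter that drops anything from the bridge addressed to private ranges. This is an added example, not the repository's sandboxed-workspace module; the bridge name br-sandbox, its subnet, and the uplink name eth0 are assumptions.

```nix
# Added example of a NAT'd sandbox bridge that reaches the internet but not the LAN
# (not the repository's code). Bridge name, subnet and uplink name are assumptions.
{ ... }:
{
  networking.bridges.br-sandbox.interfaces = [ ];   # workspace veths/taps attach at runtime
  networking.interfaces.br-sandbox.ipv4.addresses = [{ address = "10.200.0.1"; prefixLength = 24; }];

  # Masquerade sandbox traffic out of the uplink; with nftables enabled, networking.nat uses it.
  networking.nat = {
    enable = true;
    externalInterface = "eth0";            # assumed uplink
    internalInterfaces = [ "br-sandbox" ];
  };

  networking.nftables = {
    enable = true;
    tables.sandbox-isolation = {
      family = "inet";
      content = ''
        chain forward {
          type filter hook forward priority filter; policy accept;
          # Anything leaving a sandbox for RFC 1918 or link-local space is dropped before
          # it can be routed to the LAN. Intra-bridge traffic is switched, not forwarded,
          # and traffic to the host itself goes through the input chain, so neither is affected.
          iifname "br-sandbox" ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } drop
          iifname "br-sandbox" ip6 daddr { fc00::/7, fe80::/10 } drop
        }
      '';
    };
  };
}
```

From inside a workspace, `curl https://example.com` should succeed while `curl http://192.168.1.1` times out; `nft list table inet sandbox-isolation` on the host shows the drop counters moving. Note that the host's own address on the bridge (10.200.0.1 here) remains reachable via the input chain, which is what the SSH management aliases rely on; block it there separately if a workspace should not be able to talk to host services.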

Snapshot-aware backups — Restic backups to Backblaze B2 automatically create ZFS snapshots or btrfs read-only snapshots before backing up, using mount namespaces to bind-mount frozen data over the original paths so restic records correct paths. Each backup group gets a restic_<group> CLI wrapper. Supports .nobackup marker files.
