Custom NixOS Installer - Plug ➜ Install ➜ Play - How to achieve this?

Grraahaam · March 21, 2025, 4:02pm

Now that I’ve spent some time analyzing your (well-organized) repo, I’m having some questions :

Could you explain how do you manage your keys used for SOPS? Do you have any backups of the hosts’ keys (i.e. ed25519) + age key? Per hosts?
What’s your process to change passwords/secrets (i.e. users, root)? Do you edit your secrets.yaml files and run the below. If I run passwd and change the user’s password (imperatively), will it be reset on next boot, by reading the hashedPasswordFile? Same goes for wireless network passwords, will they persist (if using impermanence, are they going to be removed)?

nicolas-goudry/nix-config/blob/06e16f000589252d686c507612e0948fc629d8d6/README.md?plain=1#L371-L373


      
          ```shell
          find . -type f -name 'secrets.y*ml' -exec sops updatekeys -y {} \;
          ```

Why disable IPv6?

github.com

nicolas-goudry/nix-config/blob/06e16f000589252d686c507612e0948fc629d8d6/hosts/default.nix#L151-L159


      
          
          # Kernel runtime parameters
          kernel.sysctl = {
            # Enable IPv4 forwarding
            "net.ipv4.ip_forward" = 1;
          
            # Disable IPv6
            "net.ipv6.conf.all.disable_ipv6" = 1;
            "net.ipv6.conf.default.disable_ipv6" = 1;

Saw some other thread about it : Disabling IPv6 - `enableIPv6` and `kernelParams` - #6 by nopro404

What’s the purpose of registering flake inputs?

github.com

nicolas-goudry/nix-config/blob/06e16f000589252d686c507612e0948fc629d8d6/hosts/default.nix#L269-L273


      
          # Add each flake input as a registry
          # To make nix3 commands consistent with this flake
          registry = (lib.mapAttrs (_: flake: { inherit flake; })) (
            (lib.filterAttrs (_: lib.isType "flake")) inputs
          );

As for now, what do you mean by the below note, since it seems that your HM configs are OK, aren’t they?

github.com

nicolas-goudry/nix-config/blob/06e16f000589252d686c507612e0948fc629d8d6/README.md?plain=1#L261


      
          }
          ```
          
          The `username` argument must match one of the subdirectories of `hosts/common/users`.\
          The `desktop` argument must match one of the subdirectories of `hosts/common/desktop`.
          
          Failing to provide a valid `username` or `desktop` will not prevent the installation to succeed. However, without a `username` only the `root` user will be present on the installed system and without a `desktop` the installed system will not have a graphical interface.
          
          ### 👨‍🦱 Add a user
          
          > **TODO**: fill when home-manager configurations are up.
          
          ## 👨‍💻 Usage
          
          ### 📥 Install NixOS
          
          There are two installation method provided on the desktop ISO:
          
          * Run `install-system` from a terminal (recommended, only install option for the console ISO)
          * Use the graphical Calamares installer (basic NixOS installation, not using this flake)

Off topic, but why warp is outside the lib.optionals isLinux condition, since it seems to be a gnome-specific application?

github.com

nicolas-goudry/nix-config/blob/06e16f000589252d686c507612e0948fc629d8d6/home/common/desktop/default.nix#L25-L38


      
          home.packages =
            with pkgs;
            [
              mpv-unwrapped # Video player
              warp # Secure file transfer
            ]
            ++ lib.optionals isLinux [
              amberol # Music player
              hunspell # Spell checker
              # Spell checker dictionaries
              hunspellDicts.en_US
              hunspellDicts.fr-any
              libreoffice-fresh # Productivity suite
            ];

Thanks for your time and for sharing your config!