I’m looking for the right way to describe what I am trying to do.
I have a problem where I have my personal systems (Ubuntu 23.04), my work system (Windows 11 → WSL 2 → Ubuntu 22.04), and I want to standardize what my coworkers (Windows 10 and 11) and our production deployments (Ubuntu 22.04) use. I want a way to have a script to ‘just’ go from nothing to this common configuration. For this final configuration, I only care to have a CLI environment with bash, fish, tmux, python, nvm, yarn, neovim, various configurations, and then on top of that a work specific layer for work specific configurations like the company certificates.
There’s multiple options here. The simplest, if you only care about a few CLI tools to be installed with the same version everywhere, would be to have a tools.nix file that everyone can install on their machines with nix-env -if tools.nix or nix profile install --file tools.nix. I used something like this in my own dotfiles for a long time, see the full code here. Note that the hash of the nixpkgs tarball must be specified in this file, otherwise you can’t guarantee that everyone will get the same version of the packages.
You can also create a flake instead with pkgs.buildEnv instead of creating a simple list. This means that your coworkers will have to manually enable flakes or install nix with the Determinate Systems installer that enables them by default, but the upside is that upgrading tools is easier (simply nix flake lock), and all the tools can be installed with a single command when you host the flake in a git repo:
The git type also supports ssh and there’s specific types for github and gitlab, see the Flakes Types documentation for more info.
In both of those cases, everyone can also install any other software they want with nix. If you need something more drastic, or even full-on system configuration changes (which honestly might be the case for adding company certificates, not sure what you mean by that exactly. you will need to use home-manager or even NixOS-WSL. These would also offer the advantage that you can separate different unrelated parts (like personal and work stuff) into separate modules. You can then share the work module with your company while keeping the personal module private.
There’s also options to have different configurations per repository that are enabled manually with nix-shell, nix develop or automatically with IDE plugins or direnv, though I’m not sure if your coworkers are even software engineers, so that might not be useful to you.