Managing private, work/home-related NixOS configs in a Flake

shymega · January 10, 2024, 12:04am

Hi!

I’m revamping my 'nixfigs', which is essentially my NixOS flake. I currently use an external private repo for my home network servers, and work computers, and use the // operator to combine the public nixosConfigurations, and the outputs from the private repo.

It’s amazing this works. Why? There are a lot of almost-not-quite circular references, in the lock files, and I’m not certain I’ve done this right.

Does anyone have a way they manage private nixosConfigurations? I’ll be using Nix-Darwin and Home Manager too for the private configs.

Thanks!

uep · January 10, 2024, 3:42am

For keeping small parts of a repo private, git crypt works reasonably well.

midchildan · January 10, 2024, 5:00pm

There are two ways that I use to achieve this.

The first way is to export common configuration in your public flake and use that in your private flake. For example, you can export custom Home Manager modules in your public flake through the homeModules attribute and use that in your private flake. My preferred way is to wrap the homeManagerConfiguration function and inject custom modules there. I expose the wrapper through the lib attribute in my public flake and use it in both my public flake itself as well as my private flake.

For reference, here’s my homeManagerConfiguration wrapper:

github.com

midchildan/dotfiles/blob/2f6c9ee60b479f9b28e5e2b197139021af82eabd/nix/lib/flake-module.nix#L11-L37


      
          # Creates a Home Manager configuration with addtional modules. The interface
          # is identical to homeManagerConfiguration from Home Manager.
          #
          mkHome = { pkgs, modules ? [ ], ... }@args:
            let
              userDir = if pkgs.stdenv.isDarwin then "/Users" else "/home";
              flakeOptionsModule = { lib, config, ... }: {
                dotfiles._flakeOptions = flake.config.dotfiles;
                home = {
                  username = lib.mkDefault config.dotfiles._flakeOptions.user.name;
                  homeDirectory = lib.mkDefault "${userDir}/${config.home.username}";
                };
              };
            in
            homeManagerConfiguration (args // {
              inherit pkgs;
              modules = modules ++ cfg.home.modules ++ [
                localFlake.inputs.self.homeModules.default
                flakeOptionsModule
              ];

This file has been truncated. show original

And here’s the example usage:

github.com

midchildan/dotfiles/blob/2f6c9ee60b479f9b28e5e2b197139021af82eabd/nix/templates/home/flake.nix#L25


      
          
          
  dotfiles.user = {
              # See list of options in:
              # https://github.com/midchildan/dotfiles/blob/main/nix/config.nix
              name = "midchildan";
              email = "foo@bar.example";
              pgpKey = "";
            };
          
          
  flake.homeManagerConfigurations = {
              "${config.dotfiles.user}@my-desktop" = self.lib.mkHome {
                pkgs = self.lib.pkgsFor "x86_64-linux";
                modules = [{
                  # Options are defined in:
                  # https://github.com/midchildan/dotfiles/blob/nix/home
                  dotfiles.profiles.enableAll = true;
                  home.stateVersion = "23.11";
                }];
              };
            };
          });

When I need to make more invasive changes to my public configuration, I fork my public flake into a private git branch. It’s simple, but it works.

shymega · July 15, 2024, 10:21pm

Sorry! Lost track of things.

I could use git-crypt, but I currently use Agenix as well. Would that be counter-productive to use two encryption schemes? Ideally I’d like to be able to check-in my private configs to Git, so I can rollback.