Managing private, work/home-related NixOS configs in a Flake


I’m revamping my 'nixfigs', which is essentially my NixOS flake. I currently use an external private repo for my home network servers, and work computers, and use the // operator to combine the public nixosConfigurations, and the outputs from the private repo.

It’s amazing this works. Why? There are a lot of almost-not-quite circular references, in the lock files, and I’m not certain I’ve done this right.

Does anyone have a way they manage private nixosConfigurations? I’ll be using Nix-Darwin and Home Manager too for the private configs.


For keeping small parts of a repo private, git crypt works reasonably well.

There are two ways that I use to achieve this.

The first way is to export common configuration in your public flake and use that in your private flake. For example, you can export custom Home Manager modules in your public flake through the homeModules attribute and use that in your private flake. My preferred way is to wrap the homeManagerConfiguration function and inject custom modules there. I expose the wrapper through the lib attribute in my public flake and use it in both my public flake itself as well as my private flake.

For reference, here’s my homeManagerConfiguration wrapper:

And here’s the example usage:

When I need to make more invasive changes to my public configuration, I fork my public flake into a private git branch. It’s simple, but it works.

Sorry! Lost track of things.

I could use git-crypt, but I currently use Agenix as well. Would that be counter-productive to use two encryption schemes? Ideally I’d like to be able to check-in my private configs to Git, so I can rollback.