README > Roadmap of TODOs
- complete firewall and services.per-network-services branch when genoa is nixified
- consider tagging with version numbers that match roadmap
- Revise:
  - nixos-installer - bootstrap script - TESTING
  - complete migration to granular secrets files
- Tools to integrate
  - ignoreBoy - https://github.com/Ookiiboy/ignoreBoy
  - syncthing - refer to https://nitinpassa.com/running-syncthing-as-a-system-user-on-nixos/
- Tools to try
  - wezterm
  - tmux or zellij
  - https://github.com/dandavison/delta
- NeoVim stuff to look at and integrate
  - go through existing plugins, a few are enabled but binds are disabled etc
  - refine linting and fixing in nvim
  - hardtime # training tool to stop bad vim habits # https://github.com/m4xshen/hardtime.nvim
  - lint # not sure if this is redundant with all the other language stuff
  - conform # meant to make lsp less disruptive to the buffer # https://github.com/stevearc/conform.nvim
  - lspsaga # meant to improve the lsp experience for nvim # https://github.com/nvimdev/lspsaga.nvim
  - trouble # side or bottom list of all 'trouble' items in your code # https://github.com/folke/trouble.nvim/
  - none-ls # inject LSP diagnostics, code actions, and more via Lua # https://github.com/nvimtools/none-ls.nvim
  - harpoon # file nav
  - ultimate-autopair # https://github.com/altermo/ultimate-autopair.nvim works with nvim-surround
  - nvim-surround # https://github.com/kylechui/nvim-surround or tim pope's surround
  - vim-grepper
  - toggle-term # https://github.com/akinsho/toggleterm.nvim
Build up a stable config using grief lab. The focus will be on structure, nix-config automation, and core tty that will be common on all machines.
- Basic utility shell for bootstrapping
- Core host config common to all machines
  - garbage collection
  - clamav
  - msmtp notifier
  - ability to import modular options
- Core home-manager config for primary user
  - cli configs
  - nvim config
  - ability to import modular options
- Repository based secrets management for local users, remote host connection, and repository auth
- Ability to consistently add new hosts and users with the core settings
- Basic automation for rebuilds
- Basic CI testing
This stage will add a second host machine, gusto (theatre). To use gusto effectively, we'll need to introduce GUI elements such as a desktop, basic QoL tools for using the desktop, and some basic GUI applications to play media, including the requisite audio/visual packages to make it all work.
- Add a media user specifically for gusto (autolog that one)
- Document and tweak steps to deploy to new host
- Simple desktop - add visual desktop and a/v elements as common options
  - Stable window manager environment
  - Stable audio
  - Stable video
- Auto-upgrade
- Better secrets management
  - private repo for secrets
  - personal documentation for secrets management, i.e. README for nix-secrets private repo
  - public documentation for secrets management, i.e. how to use this repo with the private repo
- Review and complete applicable TODO sops, TODO yubi, and TODO stage 2
- Deploy gusto
DEFERRED:
- Potentially yubiauth and u2f for passwordless sudo
Introduce declarative partitioning, custom iso generation, install automation, and full drive encryption. This stage was also initially intended to add impermanence and several other improvements aimed at keeping a cleaner environment. However, automation took substantially longer than anticipated and I need to start using NixOS as a daily driver sooner than later. Being spread across two distros and different config paradigms while putting 99% of the effort into the new distro/config is becoming unsustainable. As such, several features have been deferred until later stages.
- nixos-anywhere
- declarative partitioning and formatting via disko
- light-weight bootstrap flake for basic, pre-secrets install
- custom iso generation
- automated bootstrap script
- LUKS full drive encryption
  - Local decryption only for now. Enabling remote decryption while working entirely from VMs is beyond my current abilities.
- Make use of configLib.scanPaths
- look for better syntax options to shorten just recipes
  - Decided to just re-enable nix-fmt
- update nix-fmt to nixfmt-rfc-style (including pre-commit) since it will be the standard for nix packages moving forward
- update sops to make use of per host age keys for home-manager level secrets
  - don't bother
- maybe rename pkgs -> custom_pkgs and modules -> custom_modules
- Enable git ssh signing in home/ta/common/core/git.nix
DEFERRED:
- Investigate outstanding yubikey FIXMEs
- Potentially yubiauth and u2f for passwordless sudo
  - FidgetingBits still encounters significant issues with this when remoting
- Confirm clamav scan notification
  - ~~check email for clamavd notification on ~/clamav-testfile. If yes, remove the file~~
  - check if the two commented out options in hosts/common/options/services/clamav.nix are in stable yet.
Migrate primary box to NixOS
- setup borg module
- hyprland prep
- migrate dotfiles to nix-config
- ghost modules
- change over and recovery plan
- install nixos on Ghost
  - verify drives
  - verify critical apps and services functionality
  - enable backup
  - enable mediashare
- setup and enable hyprland basics
  - hyprlock
  - logout manager
  - waypaper
  - dunst
  - rofi-wayland
- reestablish workflow
- Investigate outstanding yubikey FIXMEs
- yubiauth and u2f for passwordless sudo
- Confirm clamav scan notification
  - ~~check email for clamavd notification on ~/clamav-testfile. If yes, remove the file~~
  - check if the two commented out options in hosts/common/options/services/clamav.nix are in stable yet.
- basic theming via stylix or nix-colors
- hotkey for sleeping monitors (all or non-primary)
- set up copyq clipboard mgr
Some of the original parts of this stage have been split off to later stages because they are more Nice to Have at the moment.
- Refactor nix-config to use more extensive specialArgs and extraSpecialArgs for common user and host settings
- Refactor from configVars to modularized hostSpec
- Re-implement modules to make use of options for enablement
  - deferred, nice to have
- Revise bootstrap script and roll in granular secrets hierarchy
- ~~move Gusto to disko~~
- revisit scanPaths. Usage in hosts/common/core is doubled up when hosts/common/core/services is imported. Options are: declare services imports individually in services/default.nix, move services modules into parent core directory... or add a recursive variant of scanPaths.
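One way to do the last of those options, as an added example rather than this repo's own configLib. It assumes scanPaths's contract as described above: return the importable `.nix` files below a directory, skipping that directory's own `default.nix`. A subdirectory that carries its own `default.nix` is returned as a single import and not descended into, so a module can never be pulled in from two levels of the tree at once.

```nix
# Added example, not the repo's configLib: a recursive variant of scanPaths.
{ lib }:
let
  scanPathsRecursive = root:
    let
      toImports = name: type:
        let path = root + "/${name}";
        in
        if type == "directory" then
          (if builtins.pathExists (path + "/default.nix")
           then [ path ]                    # its default.nix decides what to import
           else scanPathsRecursive path)    # plain folder: keep descending
        else if name != "default.nix" && lib.hasSuffix ".nix" name then
          [ path ]                          # a module file at this level
        else
          [ ];                              # README, scripts, anything non-nix
    in
    lib.concatLists (lib.mapAttrsToList toImports (builtins.readDir root));
in
{
  inherit scanPathsRecursive;
}
```

Called from hosts/common/core/default.nix as `imports = scanPathsRecursive ./.;`, the services subdirectory is imported exactly once, through its own services/default.nix, and whatever that file does internally is its own business. The check worth running after switching is `nix eval .#nixosConfigurations.<host>.config.system.build.toplevel.drvPath`, which fails loudly on any import cycle or duplicated option definition the old double scan was masking.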
Add laptop support to the mix to handle stuff like power, lid state, wifi, and the like.
- nixify genoa
- add laptop utils
- declarative wifi network handling
- declare what needs to persist
- enable impermanence
- make sure to include /luks-secondary-unlock.key
- Need to sort out how to maintain /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_ed25519_key.pub
- make sure to include
- lanzaboote https://github.com/nix-community/lanzaboote
  - Some systemd stage 1 info for reference (not specific to lanzaboote)
    - https://github.com/ElvishJerricco/stage1-tpm-tailscale
    - https://youtu.be/X-2zfHnHfU0?si=HXCyJ5MpuLhWWwj3
- Consider nixifying bash scripts (see refs below)
- Overhaul just file
  - clean up
  - add {{just.executable()}} to just entries
Impermanence - These two are the references to follow and integrate. The primer list below is good review before diving into this:
Impermanence primer info
- impermanence repo - an implementation of the below concept
- blog - erase your darlings
- blog - encrypted btrfs root with opt-in state
- blog - setting up my new laptop nix style
- blog - tmpfs as root
- blog - tmpfs as home
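As an added example (not this repo's configuration) of declaring the persistence the impermanence items above call for. It assumes the nix-community impermanence NixOS module and sops-nix are imported, that /persist is a separate filesystem on the encrypted volume that survives the root wipe, and that the LUKS unlock key lives at the path listed above.

```nix
# Added example, not this repo's code: persist the host identity and the
# secondary LUKS key across an erase-your-darlings style root wipe.
{ ... }:
{
  # /persist has to be mounted in stage 1 so the bind mounts below exist
  # before activation runs; sops-nix decrypts during activation.
  fileSystems."/persist".neededForBoot = true;

  environment.persistence."/persist" = {
    hideMounts = true;
    directories = [
      "/var/log"
      "/var/lib/nixos"        # uid/gid maps; losing these renumbers users on next boot
      "/var/lib/systemd"      # timer stamps, random seed
    ];
    files = [
      "/etc/machine-id"
      "/etc/ssh/ssh_host_ed25519_key"
      "/etc/ssh/ssh_host_ed25519_key.pub"
      # Bind-mounted from /persist with the source file's mode, so the
      # persisted copy must be root-owned 0400 or it is readable by everyone.
      "/luks-secondary-unlock.key"
    ];
  };

  # Read the host key from its persisted location directly rather than through
  # the bind mount, so secret decryption does not depend on mount ordering.
  sops.age.sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];
}
```

Two checks before trusting this on a real host: `stat -c '%U %a' /persist/luks-secondary-unlock.key /persist/etc/ssh/ssh_host_ed25519_key` should report `root 400` for both, and `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` run before and after a reboot should print the same fingerprint, otherwise sops-nix will fail to decrypt and every client will see a host-key change.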
Migrating bash scripts to nix
- https://www.youtube.com/watch?v=diIh0P12arA and https://www.youtube.com/watch?v=qRE6kf30u4g
- Consider also the first comment "writeShellApplication over writeShellScriptBin. writeShellApplication also runs your shell script through shellcheck, great for people like me who write sloppy shell scripts. You can also specify runtime dependencies by doing runtimeInputs = [ cowsay ];, that way you can just write cowsay without having to reference the path to cowsay explicitly within the script"
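The pattern from that comment, as an added example rather than one of this repo's scripts. The script body is made up for illustration (it ties together the clamav and msmtp notifier items from earlier stages); the name, arguments and log path are placeholders.

```nix
# Added example, not this repo's code: a loose bash script rewritten as a
# writeShellApplication. The builder runs shellcheck at build time, puts
# runtimeInputs on PATH, and prepends set -o errexit -o nounset -o pipefail.
{ pkgs, ... }:
let
  clamavNotify = pkgs.writeShellApplication {
    name = "clamav-notify";                        # placeholder name
    runtimeInputs = with pkgs; [ coreutils gnugrep msmtp ];
    text = ''
      # Arguments are validated up front; with nounset a missing recipient
      # aborts here instead of mailing nobody.
      log_file="''${1:-/var/log/clamav/clamav.log}"   # placeholder path
      recipient="''${2:?usage: clamav-notify LOGFILE RECIPIENT}"

      if grep -q 'FOUND' "$log_file"; then
        printf 'Subject: clamav hit on %s\n\n%s\n' "$(uname -n)" \
          "$(grep 'FOUND' "$log_file")" | msmtp "$recipient"
      fi
    '';
  };
in
{
  environment.systemPackages = [ clamavNotify ];
}
```

Because the script only sees the packages named in `runtimeInputs`, `nix build` fails if a dependency is forgotten or if shellcheck objects, which is the point of moving these out of a dotfiles directory: the failure surfaces at build time instead of in a cron job nobody reads.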
- Per host branch scheme
- Automated machine update on branch release
- Handle general auto updates as well
The following has to happen on bare metal because I can't seem to get the yubikey's to redirect to the VM for use with git-agecrypt.
- Remote LUKS decrypt over ssh for headless hosts
  - need to set up age-crypt keys because this happens before sops and therefore we can't use nix-secrets
  - add initrd-ssh module that will spawn an ssh service for use during boot
- Automatic scheduled sops rotate
- Look at re-enabling CI pipelines. These were disabled during stage 2 because I moved to inputting the private nix-secrets repo in flake.nix. Running nix flake check in a gitlab pipeline now requires figuring out access tokens. There were higher priorities considering the check can be run locally prior to pushing.
- Disk usage notifier
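What the initrd-ssh item above amounts to in NixOS options, as an added example and not this repo's module. The NIC driver, key path and authorized key are placeholders; it assumes the root volume is a LUKS device already declared in `boot.initrd.luks.devices`.

```nix
# Added example, not this repo's code: a stage-1 sshd for unlocking LUKS on a
# headless host. The options used are the stock boot.initrd.network.* ones.
{ ... }:
{
  # Stage 1 needs a working NIC before the root volume can be opened.
  boot.initrd.availableKernelModules = [ "r8169" ];   # placeholder: this host's NIC driver
  boot.kernelParams = [ "ip=dhcp" ];
  boot.initrd.network.enable = true;

  boot.initrd.network.ssh = {
    enable = true;
    # Not 22: clients then keep two known_hosts entries (initrd key and real
    # host key) instead of a host-key-changed error after the switch.
    port = 2222;
    # This file is copied into the initrd, which sits unencrypted in /boot.
    # Generate a dedicated key for it, never reuse the system host key, and
    # keep it outside sops-nix, which is not available this early.
    hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];  # placeholder path
    authorizedKeys = [ "ssh-ed25519 AAAA... placeholder@laptop" ];
  };

  # systemd stage 1: after ssh login, `systemd-tty-ask-password-agent`
  # answers the pending LUKS prompt and boot continues.
  boot.initrd.systemd.enable = true;
}
```

The key file must exist on the machine doing the build at evaluation time, which is why it cannot come from sops. Two things to verify before relying on it: `lsinitrd` (or `nix run nixpkgs#cpio` over the unpacked initrd) shows the private key is present, confirming why the key is treated as disposable, and a cold boot with the network cable pulled still falls back to the local console prompt.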
- gui dev
  - host specific colours (terminal in particular) via stylix or nix-colors
  - centralize color palette
- eww as a potential replacement to waybar
- hyprcursor
  - recreate ascendancy cursor as a hyprcursor... the existing themes out there are really underwhelming
- plymouth
- maybe rEFInd
- greetd - Have considered just auto logging in after luks unlock but if/when wayland or X inevitably shit the bed again, it's convenient to have a stop point after unlock
- p10k - consider config so that line glyphs don't interfere with yanking
- fonts - https://old.reddit.com/r/vim/comments/fonzfi/what_is_your_favorite_font_for_coding_in_vim/
- dunst
- lualine
Inspirational sets:
- see FF bookmarks > Nix > Rice >
- Re-implement modules to make use of options for enablement