kurnevsky/nixfiles

NixFiles

My personal NixOS configuration.

Nix commands

| Command | Description |
| --- | --- |
| `nixos-rebuild switch --keep-going -L` | apply configuration |
| `nixos-rebuild switch --keep-going --option substitute false -L` | apply configuration offline |
| `nixos-rebuild switch --upgrade --recreate-lock-file --keep-going -L` | apply configuration and update dependencies |
| `nixos-rebuild switch --keep-going -L --option extra-substituters 'ssh://somehost'` | apply configuration using an ssh store |
| `nixos-rebuild switch --keep-going -L --option builders 'ssh://somehost - - N' --option max-jobs 0` | apply configuration using an ssh builder with N jobs |
| `all_proxy=socks5://127.0.0.1:1080 nixos-rebuild switch -L` | apply configuration using a proxy |
| `nix-collect-garbage --delete-old` | collect garbage |

To use nix-output-monitor the following command can be executed as root:

nom build \
  --keep-going \
  --option extra-substituters 'ssh://somehost' \
  --builders 'ssh://somehost x86_64-linux,aarch64-linux - 32' \
  "/etc/nixos#nixosConfigurations.${HOST}.config.system.build.toplevel"

Nix-on-droid commands

Specifying binfmt.emulatedSystems allows building packages remotely for a different architecture using qemu. Nix-on-droid can then be called like:

nix-on-droid switch --flake ~/.config/nixfiles#default --max-jobs 0 --builders 'ssh://nix-ssh@somehost x86_64-linux,aarch64-linux - N'

Sandboxing

Some applications are sandboxed using bubblewrap. See sandbox module for details.

The following environment variables are supported:

| Variable | Description |
| --- | --- |
| `BLACKLIST` | additional blacklisted paths |
| `CAMERA` | a newline-separated list of `/dev/video*` devices that will be allowed (useful for applications that don't allow choosing a camera) |
| `DNS` | override the DNS server (useful when running an application inside a network namespace that doesn't have access to localhost) |
| `NOLOCALTIME` | use the UTC timezone (if not set, inherited from `TORJAIL`) |
| `RO_WHITELIST` | additional read-only whitelisted paths |
| `TORJAIL` | indicate that an application is running inside the tor jail (necessary for proper DNS resolution) |
| `UNSANDBOXED` | run the application without a sandbox |
| `WHITELIST` | additional whitelisted paths |
| `WITH_NETWORK` | allow network access (if it's disabled by default) |
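As an added illustration (not the sandbox module's own code), the following shell function shows how these variables can be turned into a bubblewrap argument list. It assumes that `WHITELIST`, `RO_WHITELIST` and `BLACKLIST` are colon-separated, that the network is off unless `WITH_NETWORK` is set, and that blacklisted paths are masked with an empty tmpfs after the whitelist binds so the mask wins where they overlap; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the nixfiles sandbox module.
# Assumed conventions (hypothetical): WHITELIST/RO_WHITELIST/BLACKLIST are
# colon-separated path lists, CAMERA is newline-separated as documented,
# network is disabled unless WITH_NETWORK is set.

# Print "flag path path" (one bwrap argument per line) for each entry in $1,
# split on separator $3, using bwrap flag $2.
emit_binds() {
  [ -n "$1" ] || return 0
  printf '%s\n' "$1" | tr "$3" '\n' | while IFS= read -r p; do
    if [ -n "$p" ]; then printf '%s\n%s\n%s\n' "$2" "$p" "$p"; fi
  done
  return 0
}

# Print the bwrap arguments derived from the environment, one per line.
# Returns 1 when UNSANDBOXED is set, i.e. the caller should exec directly.
sandbox_args() {
  if [ -n "${UNSANDBOXED:-}" ]; then return 1; fi
  # Base policy: every namespace unshared, fresh /proc, /dev and /tmp.
  printf '%s\n' --unshare-all --die-with-parent --proc /proc --dev /dev --tmpfs /tmp
  if [ -n "${WITH_NETWORK:-}" ]; then printf '%s\n' --share-net; fi
  if [ -n "${NOLOCALTIME:-}" ]; then printf '%s\n' --setenv TZ UTC; fi
  emit_binds "${RO_WHITELIST:-}" --ro-bind ':'
  emit_binds "${WHITELIST:-}" --bind ':'
  # Cameras are device nodes, so they need --dev-bind rather than --bind.
  emit_binds "${CAMERA:-}" --dev-bind '\n'
  # Mask blacklisted paths last so they override any enclosing whitelist.
  printf '%s\n' "${BLACKLIST:-}" | tr ':' '\n' | while IFS= read -r p; do
    if [ -n "$p" ]; then printf '%s\n%s\n' --tmpfs "$p"; fi
  done
  return 0
}

# Usage: run_sandboxed some-program --its-args
run_sandboxed() {
  if args="$(sandbox_args)"; then
    # shellcheck disable=SC2086
    exec bwrap $(printf '%s ' $args) -- "$@"
  else
    exec "$@"
  fi
}
```

Argument order matters with bwrap: later mounts shadow earlier ones, which is why the blacklist is emitted after the whitelist.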

Breaking updates

In case something breaks during an update, an old version can be used with an overlay like:

{ pkgs, inputs, ... }:

let
  # Import the pinned older nixpkgs tree; `inputs` must be passed to the module
  # (e.g. via specialArgs) and `nixpkgs-old` is a flake input of that name.
  oldPkgs = import inputs.nixpkgs-old {
    inherit (pkgs.stdenv.targetPlatform) system;
  };
in {
  nixpkgs.overlays = [
    (_self: _super: {
      # Replace only the broken package with its older build.
      inherit (oldPkgs) some-broken-package;
    })
  ];
}

A patch to a derivation can be applied like:

{ pkgs, ... }:

let
  # Apply the patch to a copy of the current nixpkgs source tree.
  patchesDrv = pkgs.applyPatches {
    src = pkgs.path;
    patches = [
      (pkgs.fetchpatch {
        url = "https://some-patch.diff";
        # Left empty on purpose: the first build fails and reports the real hash.
        sha256 = "";
      })
    ];
  };
  # Evaluate the patched tree as a second package set.
  patchedPkgs = import patchesDrv { inherit (pkgs.stdenv.targetPlatform) system; };
in {
  nixpkgs.overlays = [ (_self: _super: { inherit (patchedPkgs) some-broken-package; }) ];
}

A module can be patched like:

{ pkgs, ... }:

{
  # Drop the broken upstream module so its options don't clash with the replacement.
  disabledModules = [ "services/networking/some-broken-module.nix" ];
  imports = [
    (builtins.fetchurl {
      url = "https://some-fixed-module.nix";
      # Left empty on purpose: the first evaluation reports the real hash.
      sha256 = "";
    })
  ];
}

License

Licensed under GPLv3+ with an exception that allows code from this repository to be incorporated into projects that are used as flake inputs by this project, regardless of their license.