Distro	NixOS
WM	Hyprland
Bar	Waybar
Editor	Helix + Tmux
FileManager	yazi
WP-Manager	swww
Keyboard	tbk_mini-QMK

• Installation and Deployment
  • Generic
    • Switch to a new config
    • Build without switch
    • Build an iso or qcow2
  • Pick your poison
    • Using minimal ISO
    • Oracle VPS ARM
    • Oracle VPS x86 (1GB RAM)
    • ARM QEMU VM using nixos-anywhere
• Tailscale/Headscale
• Deploy Secrets

Installation and Deployment

Generic

Switch to a new config

• sudo nixos-rebuild switch --flake ./.#l01

Build without switch

• sudo nixos-rebuild build --flake ~/Desktop/dotfiles/#l01

Build an iso or qcow2

• nix run github:nix-community/nixos-generators -- --flake .#vm_oracle_aarch64 --format iso

Pick your poison

Using minimal ISO

• Boot a nixos ISO.
  • sudo cp ./nixos-minimal-24.11.714287.a45fa362d887-x86_64-linux.iso /dev/sdb
• Become a root user:
  • sudo su
• Go to home:
  • cd
• Get this repo.
  • git clone https://github.com/hakan-demirli/dotfiles
• Ensure the disk label is correct and matches with the disko config
  • lsblk
• Format the disk using disko:
  • sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko --flake ./dotfiles/#vm
• Obtain a new hardware-configuration.nix for your device
  • Generate nixos config:
    • sudo nixos-generate-config --no-filesystems --root .
• Transfer the changes to an existing host or create a new host.
• Install nixos:
  • nixos-install --root /mnt --flake ./dotfiles/.#vm
• Reboot
  • reboot

Oracle VPS ARM

• Set authorizedKeys in ./kexec.nix
• nix build .#kexec --system aarch64-linux
• scp -i ~/.ssh/id_ed25519_proton ./result ubuntu@140.238.223.249:/tmp/kexec
• ssh ubuntu@140.238.223.249 -i ~/.ssh/id_ed25519_proton -t sudo /tmp/kexec
• Wait for it to load kexec.
• ssh root@140.238.223.249 -i ~/.ssh/id_ed25519_proton
• Continue as if you have booted the minimal iso

Oracle VPS x86 (1GB RAM)

• Follow Oracle VPS ARM installation guide (remove --system aarch64-linux from nix-build) and boot the kexec image.
• Compile everything local and send it to vm:
  • Prepare disko:
    • nix build --extra-experimental-features "nix-command flakes" github:nix-community/disko#disko --print-out-paths > /tmp/disko-path.txt
    • DISKO_LOCAL_STORE_PATH=$(cat /tmp/disko-path.txt)
    • echo "Disko built locally at: $DISKO_LOCAL_STORE_PATH"
  • Prepare the system:
    • nix build .#nixosConfigurations.vm_oracle_x86.config.system.build.toplevel --extra-experimental-features "nix-command flakes" --print-out-paths > /tmp/system-path.txt
    • SYSTEM_LOCAL_STORE_PATH=$(cat /tmp/system-path.txt)
    • echo "System built locally at: $SYSTEM_LOCAL_STORE_PATH"
  • Copy the system and disko to VPS:
    • nix copy --to ssh://root@140.238.223.249?ssh-key=/home/emre/.ssh/id_ed25519_proton $DISKO_LOCAL_STORE_PATH
    • nix copy --to ssh://root@VPS_IP?ssh-key=/home/YOUR_USER/.ssh/id_ed25519_proton $SYSTEM_LOCAL_STORE_PATH
    • scp -i ~/.ssh/id_ed25519_proton /home/emre/Desktop/dotfiles/hosts/vm_oracle/hardware/disko.nix root@140.238.223.249:/tmp/disko.nix
  • Format the disk using disko:
    • REMOTE_DISKO_BIN_PATH=$(echo $DISKO_LOCAL_STORE_PATH | sed 's|^/nix/store/||') # Get the hash-name part
    • REMOTE_DISKO_BIN_PATH="/nix/store/$REMOTE_DISKO_BIN_PATH/bin/disko"
    • ssh root@140.238.223.249 -i ~/.ssh/id_ed25519_proton "$REMOTE_DISKO_BIN_PATH --mode disko /tmp/disko.nix --arg device '\"/dev/sda\"'"
  • Activate the system:
    • REMOTE_SYSTEM_STORE_PATH=$(echo $SYSTEM_LOCAL_STORE_PATH | sed 's|^/nix/store/||') # Get the hash-name part
    • REMOTE_SYSTEM_STORE_PATH="/nix/store/$REMOTE_SYSTEM_STORE_PATH"

    ssh root@VPS_IP -i ~/.ssh/id_ed25519_proton <<EOF
    mkdir -p /mnt/nix/var/nix/profiles/
    
    nix-env --profile /mnt/nix/var/nix/profiles/system --set $REMOTE_SYSTEM_STORE_PATH
    NIXOS_INSTALL_BOOTLOADER=1 /mnt/nix/var/nix/profiles/system/bin/switch-to-configuration boot
    
    echo "Activation finished."
    EOF

    • reboot

ARM QEMU VM using nixos-anywhere

• Boot minimal iso in qemu and allow ssh access
• On your pc: nix-shell -p nixos-anywhere
• nixos-anywhere --flake .#vm_oracle_aarch64 root@192.168.1.128

Tailscale/Headscale

• On each clean installation of the Headscale server:
  • Ensure the users specified in the ACL policy exist:
    • sudo headscale users list
    • If not create them:
      • sudo headscale users create emre
  • Create a new tailscale-key:
    • sudo headscale preauthkeys create --user 1 --reusable --expiration 1752000h --tags tag:bootstrap
      • Add it to ./secrets/secrets.yaml
  • git pull and switch to the new key on all hosts.
  • Ensure the node has a correct tag for its purpose, listed here: /modules/services/headscale/headscale-acl.hujson
  • Configure the exit nodes:
    • Get the ID of the node you want to use as an exit node:
      • sudo headscale nodes routes list
    • Allow the routing through that node:
      • sudo headscale nodes approve-routes -i 1 -r "0.0.0.0/0,::/0"
      • Check if it is approved:
        • sudo headscale nodes routes list
    • Assign exit node tag for the ACL policy:
      • Find the host you want to use as an exit node:
        • sudo headscale nodes list
      • Assign exitnode tag:
        • sudo headscale nodes tag -i 1 -t tag:exitnode
• [Optional QOL]
  • Remove unused nodes: sudo headscale nodes delete --identifier 4
  • Rename hostnames: sudo headscale nodes rename l01 -i 6

Deploy Secrets

Setup (One-time per machine)

1. Decrypt the Master Key (Install the God Key):
   • nix-shell -p age
   • sudo mkdir -p /var/lib/sops-nix
   • age -d secrets/age.key.enc | sudo tee /var/lib/sops-nix/key.txt > /dev/null
   • Enter Passphrase
   • sudo chmod 600 /var/lib/sops-nix/key.txt
2. Install/Switch:
   • sudo nixos-rebuild switch --flake .#hostname

Editing Secrets

• nix-shell -p sops age ssh-to-age
• SOPS_AGE_KEY=$(age -d secrets/age.key.enc) sops secrets/secrets.yaml