Resources

• official docs and things:
  • nixos manual
  • nixpkg manual
  • nix manual
  • nixpills
  • home-manager manual
  • nixpgs search
  • nix option search?
  • search.nix.gic.io
• Misc resources:
  • NixOS4Noobs
  • https://christine.website/blog/i-was-wrong-about-nix-2020-02-10
  • nix-shorts: https://github.com/justinwoo/nix-shorts/tree/master/posts
  • link dump: https://wiki.nikitavoloboev.xyz/package-managers/nix
  • https://stephank.nl/p/2020-06-01-a-nix-primer-by-a-newcomer.html
  • https://www.iohannes.us/en/commentary/nix-critique/ (not really a resource)
    • some of this critique seems inaccurate; see the sandbox key for nix.conf (the docs for it allege that with sandbox = true nix does use namespaces and chroots)
    • follow ups/relevant:
      • https://www.reddit.com/r/NixOS/comments/qs529l/a_critique_of_nix_package_manager/
      • https://discourse.nixos.org/t/content-addressed-nix-call-for-testers/12881
        • https://www.tweag.io/blog/2020-09-10-nix-cas/
        • https://github.com/tweag/rfcs/blob/cas-rfc/rfcs/0062-content-addressed-paths.md
  • https://christine.website/blog/how-i-start-nix-2020-03-08
  • https://markhudnall.com/2021/01/27/first-impressions-of-nix/
  • Nix: How and Why it Works (NixCon 2019)Nix: How and Why it Works (NixCon 2019) (Graham Christensen)
    • related: https://shealevy.com/blog/2018/08/05/understanding-nixs-string-context/
    • good overview of evaluation -> derivations -> realisations, caching, and fixed output derivations
  • Fearless Tinkering: How NixOS Works (NixCon 2019) (Graham Christensen)
    • some nice live demos; shows off build-vm and the resulting QEMU script
  • https://www.reddit.com/r/NixOS/comments/gdnzhy/question_how_nixos_options_works_underthehood/
  • Everything You Always Wanted To Know About Nix (But Were Afraid To Ask)
    • bit more about derivations: https://shopify.engineering/what-is-nix
    • more on the "magic" behind callPackage here (actually getting the attrs a lambda takes is just handled by builtins.functionArgs which is the only really magical bit)
      • more discussion here and here
    • ATerm, the drv format: NixOS/nix#5481
    • covers how overlays work (lots of recursion!)
      • this bit is the key:

        let
          self =
            foldl (overlay: super: super // overlay self super)
            initialSet overlays;
          in self

    • self is the final set of overlays; lazy eval lets us refer to it before it's full constructed without creating cycles
    • super is the set of overlays before the current overlay is layered on; this lets us pass along an existing attr with some tweaks, etc.
    • as a mostly unrelated tangent, this covers foldl vs foldl' vs foldr pretty well
  • The dark and murky past of NixOS (NixCon 2019) (Armijn Hemel)
  • Nix on Darwin — History, challenges, and where it's going (NixCon 2017) (Dan Peebles)
    • Tracking Issue for Nix on macOS
    • PR for enabling the sanbox by default on macOS
      • note that the PR is out of date; the sandbox is enabled by default on Linux
  • https://github.com/hlissner/dotfiles
  • https://www.tweag.io/blog/2020-05-25-flakes/
  • https://www.youtube.com/watch?v=K54KKAx2wNc
  • Nix Flakes (NixCon 2019) (Eelco Dolstra)
  • https://ianthehenry.com/posts/how-to-learn-nix/
  • Assembling SoCs with Nix (NixCon 2015)
  • home-manager vs {nix-env, nixos}:
    • vs nixos
    • vs nix-env/profiles
  • NixOS, nix-darwin, and home-manager (Burke Libbey)
    • good quick overview of how the different nix "usages" differ in what they try to do
  • From nix-env to home-manager (Burke Libbey)
    • good home-manager intro
  • Intro to Flakes (Wil T)
  • Moving NixOS System Conifguration Into A Flake (Wil T)
    • helpful intro to using NixOS + home-manager with flakes
  • TODO Running Nix Code: nix eval and nix repl
  • TODO Channels and NIX_PATH
• ZFS:
  • Ars Technica ZFS 101
  • NixOS Wiki ZFS Page
• Custom compiler/flags:
  • on using -march=native or some equiv in stdenv: https://narkive.com/lkYfC9OJ.11
  • hardening compiler flags in stdenv: https://blog.mayflower.de/5800-Hardening-Compiler-Flags-for-NixOS.html
  • using clang instead of gcc: https://nixos.wiki/wiki/Using_Clang_instead_of_GCC
• Using your own Linux kernel/patches/etc: https://nixos.wiki/wiki/Linux_kernel
• Encryption:
  • ZFS Encryption Section of NixOS Wiki ZFS Page
  • Encrypted Root NixOS Wiki Page
  • martijnvermaat gist
  • ladinu gist (this is closest to what I ended up doing)
  • ubuntu secure boot page
  • nixos github issue about secure boot (in particular the comments about self-signing)
  • arch linux encrypted root/full disk encryption page
  • arch linux dm-crypt Device_encryption page
  • Ars Technica OpenZFS native encryption guide
• secure boot:
  • https://nwildner.com/posts/2020-07-04-secure-your-boot-process/ (not quite what we're doing but a useful overview)
  • NixOS/nixpkgs#42127
  • NixOS/nixpkgs#53901 (comment)
  • https://github.com/frogamic/nix-machines/tree/main/modules/systemd-secure-boot
  • https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html
• Storing secrets:
  • sops, nix-sops (todo: find that blog post)
  • age, agenix, rage, ragenix
  • blog post about some alternatives: https://christine.website/blog/nixos-encrypted-secrets-2021-01-20
  • or homeage
• Caching/build in CI:
  • https://github.com/cachix/install-nix-action
  • https://github.com/cachix/cachix-action
• cross compiling:
  • TODO
• bootstrapping/bootstrapping stages:
  • TODO
• nixpkgs: how lib, stdenv, and friends work
  • (TODO) Demystifying nixpkgs Part 1: preliminaries (Burke Libbey)
  • (TODO) Demystifying nixpkgs Part 2: diving in (Burke Libbey)
  • (TODO) Demystifying nixpkgs Part 3: The "Standard" Library (Burke Libbey)
• nix-darwin:
  • TODO
• home-manager:
  • (TODO) home-manager: Reading the Source (Burke Libbey)
  • TODO
• containers:
  • https://nixos.wiki/wiki/NixOS_Containers
  • https://nixos.org/manual/nixos/stable/#ch-containers
  • https://blog.beardhatcode.be/2020/12/Declarative-Nixos-Containers.html
• direnv and friends:
  • lorri
    • lorri — Your project's nix env (NixCon 2019)
  • direnv
  • lorelei
  • sorri
  • nix-direnv
    • has flake support (use flake) which is nice since it means you don't need the default.nix + shell.nix + flake.nix thing I think
      • need to use flake-compat for lorri as described here
  • there's a nice comparison table on the direnv Nix wiki page
  • see the notes below on lorri, direnv libs, and gc-ing nix-shell invocations
• Other tooling/helpers:
  • direnv
  • niv (actually just use flakes?)
  • flake-utils-plus (TODO: name)
  • home-manager
  • nixos-hardware
  • lorri
  • nix-tree
  • nix-visualize
  • nix-du
  • nix-query-tree-viewer
• Other nixOS configurations:
  • Eliza Weismann (@hawkw)'s dotfiles
  • Rebecca Turner (@9999years)'s nix-config
  • jade lovelace (@lf-)'s dotfiles
  • DieracDelta
  • _ other one from V
  • list of configurations on the NixOS wiki
  • other one from twitter; in FF tabs (TODO)
  • https://github.com/mitchellh/nixos-config
  • https://github.com/JorelAli/nixos/blob/master/configuration.nix
  • https://github.com/frogamic/nix-machines

misc/todo

https://github.com/nix-community/home-manager https://typeof.net/Iosevka/ https://github.com/DieracDelta/flakes/blob/flakes/.github/workflows/cachix.yml https://github.com/nmattia/niv https://github.com/ryantm/agenix https://github.com/nix-community/lorri MOZ_USE_XINPUT2=1 for Firefox (https://bugzilla.mozilla.org/show_bug.cgi?id=1438107) MOZ_ENABLE_WAYLAND

enable fstrim: https://www.reddit.com/r/NixOS/comments/rbzhb1/if_you_have_a_ssd_dont_forget_to_enable_fstrim/

use nixos-hardware flake enable nix sandbox on macOS? enable flakes enable content-addressed Nix: https://discourse.nixos.org/t/content-addressed-nix-call-for-testers/12881 use unstable channel remap caps lock: https://unix.stackexchange.com/questions/377600/in-nixos-how-to-remap-caps-lock-to-control

LICENSE

look into/read:

• https://github.com/nix-community/naersk#install
• https://raw.githubusercontent.com/edolstra/edolstra.github.io/49a78323f6b319da6e078b4f5f6b3112a30e8db9/pubs/phd-thesis.pdf
• https://github.com/wmertens/rfcs/blob/master/rfcs/0017-intensional-store.md

can't find an archived copy of this :-(

IFD: https://nixos.wiki/wiki/Import_From_Derivation

• https://fzakaria.com/2020/10/20/nix-parallelism-import-from-derivation.html

install lorri look into direnv vscode: https://marketplace.visualstudio.com/items?itemName=Rubymaniac.vscode-direnv

nix gc option (for lorri, mostly) that only frees things that haven't been used in 1week+, etc.

• this'd be nice for nix-shell/lorri things; any projects that hasn't been entered in, say, a week loses its gc-root
• somewhat relevant: NixOS/nix#2793
• easiest way to achieve this might be to wrap lorri (or whatever direnv plugin we use)'s use_nix function with our own thing that records, somewhere, when nix-shell based gcroots were last "entered"
  • lorri doesn't seem to even register a direnv lib bash file that overrides use_nix(); instead it seems to prefer emitting .envrc files with eval "$(lorri direnv)" (grep for cat .direnv on this post)
  • so, we should be able to register our own direnv lib file like this that records out metadata somewhere and then shells out to eval "$(lorri direnv)"
    • note the writeShellCheckedShareLib!
      • comes from here
        • here, gets overlaid here
  • then, we can also create a separate service that runs every so often and checks the metadata we record and uses it to unregister gc roots that were registered from .direnv activations that haven't been re-entered in

install https://github.com/lf-/nix-doc with plugin stuff

nix gc enable (not on battery power) zfs snapshot, cleanup, etc. (not on battery power, etc.; or reduced freq for snapshotting on battery power)

.cargo/config that's generated with:

• target.<triple>.linker = some wrapper that shells out to ld.lld or mold rustflags = some wrapper that shells out to ld.lld or mold (i.e. ["-C', "link-arg=fuse-ld=lld-wrapper"]?)
  • note: linker only seems to be available for target.<triple> and not target.<cfg()>; rustflags is available for both and can work when -C link-arg= can be used to specify the desired linker
    • for us, specifying mold using -C link-arg=fuse-ld=lld is tricky; we'd need to replace the ld.lld binary with a wrapper, etc.
  • we don't want to use mold for release builds
    • unfortunately there doesn't seem to be a way to do this in .cargo/config; we can't set rustflags conditionally based on the release profile (see this) and the release profile doesn't include a rustflags key or a linker key (see this)
    • best I can come up with is to create a wrapper that checks the paths for "release"/"debug"/"bench", etc. and shells out to mold/lld as appropriate
• rustc-wrapper = sccache

update rust-template with nix stuff (.envrc, flake.nix, flake.lock, shell.nix with flake-compat, etc.; gonna leave nix out of the CI for now I think) (also action-rs rust cache, maybe; rust-version in cargo.toml, 2021 edition, rustfmt updates, .toml for rustfmt and clippy, clippy updates, remove lint list dump, use include_str! for readme, etc.)

https://www.youtube.com/watch?v=XZ9nPZbaYfE

misc notes

nix-env uses nix (build and store and friends) to make nix profiles (set ~/.nix-profile, and to make symlink forests in the form of profiles in the nix store)

• takes a bunch of derivations and gives you a profile
  • nix-profile handles actually making the profile
    • "user-env" handles making a manifest which lists all the derivations in the env + their outs, etc.
    • this manifest along with the derivations in the env are fed to a top-level derivation
    • that in turn shells out to the built in buildenv derivation that handles stitching together the symlink forest and handling conflicts and such
• nix-env then sticks this profile in your home directory with the appropriate glue (generations in /nix/var/profiles/per-user/..., hooks (as part of nixos? it's unclear who puts these in the default bashrc) to have $XDG_DATA_DIRS point to the generated folders, etc) nixpkgs:
• repository of packages
• uses stdenv, lib, callPackage idiom, etc
• config and override system
• overlays as the mechanism to layer nixos:
• set of modules
• also makes a derivation (out of modules which can in turn pull in nixpkgs) that's then used to make a profile, just like nix-env
  • but this profile has different stuff, the generations go in /nix/var/nix/profiles/system-* (I think), managed by nixos-* commands, symlinked to /run/current-system, etc.
  • the nixos-* commands handle all of ^ plus doing things like restarting systemd service on switch and such home-manager:
• also generates a nix profile but from a config file (unlike nix-env which modifies the "current" profile)
• can "manage" files that aren't in the nix store; i.e. doesn't just stick everything in the ~/.nix-profile (?)
• cross platform, not tied to nixos nix-darwin:
• like nixos but for macOS; manages system settings too (no idea how though)

build does:

• instantiate (runs the evaluator to produce derivations)
• realisations ("builds" the derivations)
  • these interact with the nix store
  • nix-daemon does this

build-vm gives you a handy qemu runner script (doesn't even need a bootloader)

structure

• lib: nix helper utils, if the need arises
• machines: ...
• modules: my own nixos modules
• mixins: config things for other things. some call these "roles" or services or w/e
  • darwin: nix-darwin module things (these are really just modules too)
  • home-manager (also just modules)
    • have an all or a default that is system aware or something
  • nixos: nixos module config stuff (also just modules)
  • overlays
    • each are overlay fns (i.e. prev, final: ...)
    • have an all
  • users
• packages: my own nixpkgs
  • have an overlay helper in the style of: https://github.com/frogamic/nix-machines/blob/main/pkgs/default.nix, maybe
• resources: secrets, config files, other supporting Things. mixins and machines can make reference to these freely, no one else.

top-level (flake.nix) should import the stuff in modules as well as external modules see: https://github.com/frogamic/nix-machines/blob/6e2bf36b60fd288476a83b7e7babebfc012c3f6e/flake.nix#L16-L44

expose nixosModule, nixosModules, pkgs, lib, overlay, and overlays in default.nix in the style of: https://github.com/frogamic/nix-machines/blob/main/default.nix

flake exports:

• nixosConfigurations: auto-populate the list from ./machines, etc
• packages: the things in packages
• apps: apps to export? i.e. things with their configs builtin? can just reference config stuff in resources I guess?
• overlay: all of the overlays
• overlays: the things in overlays, a list?
• nixosModule: all of the modules
• nixosModules: things in modules, an attrset?
• checks: check that builds all the stuff? vm images? subs in fake secrets? this is what CI should run, ideally
• defaultApp: runs the vm produces by machines/vm?

TODO: register this repo as a flake registry (just r)

TODO: plain-text diffing for (r)age? (the way sops -d is used as a git diff filter) agenix with a working nix-darwin module: https://github.com/montchr/agenix/compare/darwin-support...rtimush:agenix:darwin-support

• home-manager: ryantm/agenix#108

TODO: running nixos modules outside of home-manager: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/testing/service-runner.nix

TODO: a nixos-module service to home-manager module adapter! this is probably a good starting point: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/testing/service-runner.nix

TODO: why isn't there a service abstraction in home-manager that papers over systemd/launchctl? https://discourse.nixos.org/t/services-on-macos/9095/4 nix-community/home-manager#91 nix-community/home-manager#91 (comment)

TODO: https://discourse.nixos.org/t/franken-script-to-generate-nixos-options-docs-with-custom-modules/1674

names for later

lich (undead, pulsar) fafnir castor deneb acrux (system of 6) spica (system of 2) castor (system of 6) aniara meissa mago mira procyon

dimidium lete haik (water) eyeke dulcinea, quijote, sancho, rocinante (from don quixote, around cervantes (mu arae)) around lich:

• poltergist
• phobetor
• dragur isagel (character from aniara) tondra (nap, sleepy)

---

TODO: figure out how to pass --backup to home-manager running in the flake