My NixOS configuration
2025-07-25 16:13:50 -06:00

Ty's NixOS Configuration

Config Setup

The four main parts of my config are the home-manager/, nixos/, nix-on-droid/, and packages/ folders. The entrypoint for all of these is the flake.nix file, which uses the logic in utils/default.nix to generate nixosConfigurations, homeConfigurations, colmena configurations, and so on.

Secrets setup

Secrets are managed using sops-nix, and the encrypted values (and keys) are kept in secrets/ with one file per host. My personal GPG key is used for encryption, and each file is also encrypted with a per-host age key that I generated solely for this purpose. Thus, each host must have its age private key at /var/lib/sops-nix/key.txt and the corresponding public key listed in .sops.yaml.
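As an added illustration (my own example, not code from this repository) of how that layout is wired into a host module: it assumes a host named laptop whose sops file is secrets/laptop.yaml, that .sops.yaml has a creation rule for that path listing the GPG fingerprint and the host's age public key, and that a user named ty exists.

```nix
# Added example, not from the repository. Assumed names: host "laptop",
# secrets file secrets/laptop.yaml, user "ty", and two secret keys.
{ config, ... }:
{
  # All secrets for this host come from one encrypted file; sops-nix decrypts
  # them at activation, so nothing secret ever lands in the Nix store.
  sops.defaultSopsFile = ../../secrets/laptop.yaml;

  # The per-host age private key. It has to be placed on the host before the
  # first activation; if it is missing, decryption fails loudly at activation
  # instead of leaving services with empty secret files.
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";

  # The key file is this host's only identity: do not also derive age or
  # GnuPG identities from the SSH host keys.
  sops.age.sshKeyPaths = [ ];
  sops.gnupg.sshKeyPaths = [ ];

  # Each entry becomes a file under /run/secrets/<name> with the given
  # ownership and mode, so a service reads its secret by path and the value
  # never appears on a command line or inside a derivation.
  sops.secrets."nordvpn/wg-private-key" = {
    owner = "root";
    mode = "0400";
  };
  sops.secrets."rescrobbled/lastfm-password" = {
    owner = "ty";   # assumed user; readable only by that user
    mode = "0400";
  };
}
```

The matching .sops.yaml creation rule needs both recipients (the GPG fingerprint and the host's age public key), otherwise a host cannot decrypt its own file.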

secrets.nix

This file includes some secrets that were created before moving to the new system with Bitwarden. It is still necessary, though it may not be for long. An example file can be found at secrets.example.nix, which has exactly the same structure as the required secrets.nix file.

Home manager

This folder handles everything user-scope related, including most of my installed packages. I try to keep most configuration in the user scope for simplicity and isolation. The main entrypoint for this configuration is in home-manager/, but all the real configuration lives in home-manager/modules for organizational purposes. Packages installed in the user scope are listed in home-manager/modules/packages.nix, and everything else is largely configuration for those programs. This folder also contains KDE Plasma configuration using the https://github.com/nix-community/plasma-manager module for home-manager, which configures the desktop environment and some associated KDE programs. This is currently mixed in with the other home-manager options, which might change soon.

Hosts

This folder contains a sub-folder for each of my NixOS hosts, of which there is only one for now (my laptop). Each has a default.nix entrypoint, and the rest of the configuration is kept in a modules folder, just like the home-manager configuration. This isn't yet abstracted for easy reuse on new hosts (I have no need for it, since I only have one NixOS install), but it might be in the future.

Packages

This folder contains all of my personally-made Nix packages. These are mainly packages I can't seem to find anywhere else, like some themes. Theoretically they could be used by someone else, but I haven't quite made my config modular yet, so don't try.

| Package | License | Original Link |
| --- | --- | --- |
| BeautyLine (Garuda) | GPLv3 | https://gitlab.com/garuda-linux/themes-and-settings/artwork/beautyline |
| Magna Splash 6 | GPLv3 | https://www.pling.com/p/2136626/ |
| Rescrobbled | GPLv3 | https://github.com/NixOS/nixpkgs/pull/274553 (unmerged nixpkgs PR by negatethis) |

NordVPN WireGuard Documentation (I should move this eventually)

Using NordVPN as a standard WireGuard peer:

Despite what they say, NordLynx is just WireGuard. If you have an authentication token, you can query https://api.nordvpn.com/v1/users/services/credentials with it (I believe the auth is HTTP basic with the username "token", or at least that's what it is in the Android app). This returns JSON containing the OpenVPN username and password, and a WireGuard private key to use.

The WireGuard config is just a single peer containing the server details of the chosen NordVPN location.

A recommended (geographically close) server can be found by running one of the commands listed in the following gist: https://gist.github.com/bluewalk/7b3db071c488c82c604baf76a42eaad3 (or just find other sources on the NordVPN recommendation API).

The peer endpoint is IP_OF_SERVER:51820, and the server's public key is also included in that API response. Allowed IPs must be "0.0.0.0/0" (all IPs), since we want this NordVPN WireGuard server to handle all traffic to all IPs.

I did try reverse-engineering the post-quantum PSK (which NordVPN supports in the Android app at least), but although the general code is open source in libtelio, they seem to use a custom encrypted side-channel protocol for transferring the keys. This is great for security, but unfortunate for compatibility with standard WireGuard tools.

Side note: if you need a token without using official means (such as if you don't own the email the account is under), then I made this: https://git.myriation.xyz/Ty/nordvpn/, which can use frida to extract the token from a logged-in Android app.

In addition to this, you should set up a static IP configuration with the address and subnet 10.5.0.2/32. DNS should probably be set to a common resolver like 1.1.1.1/1.0.0.1 or 8.8.8.8/8.4.4.8. The static IP could in principle be different, but this one is known to work.
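The peer, address and DNS settings described above as a NixOS wg-quick interface, added here as an example rather than repo code. SERVER_IP and SERVER_PUBLIC_KEY are placeholders for the values from the recommendation API, and the private key is assumed to be a sops-nix secret named nordvpn/wg-private-key.

```nix
# Added example, not from the repository. Placeholders: SERVER_IP and
# SERVER_PUBLIC_KEY come from the NordVPN recommendation API response; the
# private key is assumed to be declared as the sops-nix secret
# "nordvpn/wg-private-key".
{ config, ... }:
{
  networking.wg-quick.interfaces.nordvpn = {
    # Static tunnel address from the notes above.
    address = [ "10.5.0.2/32" ];
    # Resolvers used while the tunnel is up; wg-quick installs them via
    # resolvconf and restores the previous ones on down.
    dns = [ "1.1.1.1" "1.0.0.1" ];

    # Path only: the key is read at interface start from the sops-managed
    # file, so it never appears in the Nix store or in the built config.
    privateKeyFile = config.sops.secrets."nordvpn/wg-private-key".path;

    peers = [
      {
        endpoint = "SERVER_IP:51820";
        publicKey = "SERVER_PUBLIC_KEY";
        # 0.0.0.0/0 sends all IPv4 through the tunnel; wg-quick sets up the
        # policy routing so the endpoint itself is still reached directly.
        # IPv6 is not covered by this rule and would bypass the tunnel unless
        # "::/0" is added and the server assigns a v6 address.
        allowedIPs = [ "0.0.0.0/0" ];
        # Keeps the NAT mapping alive while the client is idle.
        persistentKeepalive = 25;
      }
    ];

    # Start on demand (systemctl start wg-quick-nordvpn.service) rather than
    # at boot, so a stale server entry cannot hold up networking at startup.
    autostart = false;
  };
}
```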