Commit graph

94 commits

Author SHA1 Message Date
d6bf7ac375 Enterprise: Goodbye, old friend..
Gone, but not forgotten (thanks, Git), Enterprise will live on in our
memories (and git log).

With this commit, we have finally let go of:
- sound
- networking
- hw
- nvidia

And some more stuff from home.nix and configuration.nix for Enterprise.

I'll probably come back to this commit to refer to it in future, so it's better
to leave as many clues here as possible.
2022-06-04 01:35:42 +05:30
586f56baa5 Hermes: Moved agenix module to host-specific dir
For now, that's all I need. Besides, it was weird before to have the top module
and keys in separate sections
2022-06-04 01:27:18 +05:30
f725be7383 Hermes: Disable backup module
While the backup stuff is still likely broken. Once I'm certain all the repos and
config are in place, I'll think about restoring it.
2022-06-04 01:14:34 +05:30
527e463208 Hermes: Enable Backup module
This is admittedly a failure, because restic is a one way street. It takes what
is on disk and pushes to backup location.

Which means, if I want to restore the backup, I have to restore first, by way of
imperatively setting up restic repos in advance and then setting up the backup
services for restic.

This is not ideal, and Syncthing has proven to be more suitable solution for my
needs.

But, considering my possible future requirements, I should start thinking about
solving this problem.
2022-06-02 22:11:24 +05:30
9ff1246638 Hermes: Enable secrets module
Now the agenix secrets are automatically decrypted using the age secret key.
2022-06-02 18:57:10 +05:30
c590a170da Hermes: Minor cleanup 2022-06-02 12:03:55 +00:00
ec43c4544e Hermes/Fonts: Enable Fonts module and add cascadia-code
Since I've been using WSL2 for past few days, I have been using Windows
Terminal.

While it doesn't really hold a candle to Konsole, it is alright and comes with
Cascadia Code font by default. Over few days, I've come to like this font and
decided to try it out for Emacs within WSL.
2022-06-02 09:17:57 +00:00
95a868f981 Syncthing/Bebop/Hermes: Replace Enterprise with Hermes
And enable Syncthing module for Hermes
2022-06-02 08:50:44 +00:00
0700205e2d Hermes: Initial bringup
This is minimal config for Hermes on WSL2.

Emacs is untested yet and needs ~/org/ to be imperatively copied still.

Email, Syncthing and Backup modules are yet to be set up and might need
some imperative actions.

However, the system is working and automatically logs into correct
default user.
2022-06-02 07:19:59 +00:00
f08d31f2b9 Enterprise; Prepare for cleanup 2022-05-29 21:51:30 +05:30
33a8a7e501 Enterprise: Further modularization
- Plasma desktop
- Fonts
- Users

These are top-level modules in anticipation of new machine, but I expect them to
remain same regardless of particular host.
2022-05-26 23:17:15 +05:30
af2bf49df7 Enterprise: further modularise configuration
Separate below config in their own modules:
- networking
- hardware, boot, filesystem

Again, the philosophy is to move parts of config that are logically related and
generally edited together in its own module. Networking fits the bill because it
barely saw any change and when it did, it was focused area.

hw.nix is bit more complicated, as there are multiple things there, and is
likely grow yet in future, but this stuff is nearly unchanged since I started
using NixOS and is not something I want to change everyday.
2022-05-01 21:01:27 +05:30
aaffd0c038 Revert "Bebop: attempt to setup nixos-generators package"
This reverts commit f22d4337ae.
2022-04-21 23:59:57 +05:30
f22d4337ae Bebop: attempt to setup nixos-generators package
This should be considered ephemeral and temporary.

once the ISO is generated and copied, this part of the config should be removed,
because the way flake is evaluated makes it impossible to dynamically refer to
modules array from nixosConfigurations. It can be solved by general array
variable, but will require slightly complicating the config that I am not
willing to try just yet
2022-04-21 23:56:38 +05:30
f398774bf3 Bebop: Switch back to pihole and remove adguardhome 2022-04-21 23:31:32 +05:30
d83ec9b498 Adguardhome: Add adguardhome module
It is easier to configure and has a NixOS module, it is well maintained, does
not need docker or non-deterministic container and
generally seems all right.

But, it *appears* to have less bells and whistles compared to PiHole. Generally
PiHole has a lot of mindshare, and as crappy as their development practices are,
it is taking a lead.. Its default list also has more than twice the number of
entries, so I'm inclined to return to it.
2022-04-21 23:02:35 +05:30
f95c1aa00c Pihole: Add Pi-hole module and setup on bebop
pi-hole is a DNS based ad-blocker.

Currently there is no NixOS module for it, so it is run inside a container.

That means it runs as root, brings in crapload of dependencies and shows pretty
graphs.

But, looking at 20 minutes of blocked traffic, I realise I need this.
2022-04-21 22:37:55 +05:30
c47fd40433 Enterprise/Syncthing: Declaratively configure systemd service
This meant few things:
- systemd is now handled by the system, not home-manager
  - I could have done it via home-manager, but other devices are using NixOS
  module anyway, so it's nice to reuse that code
- Few folders are no more:
  - Roci_Camera : covered by parent Pictures folder
  - HoG_Camera : covered by parent Pictures folder
  - Whatsapp_Backup : This one was doomed since a while.
    On Android the restrictions mean the Whatsapp dir is not top level, but
    buried inside app specific data dir, which is either not accessible to
    syncthing mobile app or soon will not be.
    Dickheads want me to put that data on their Google Drive.
    Well, I'm just not going to keep anything really important in whatsapp alone
    anymore, so there goes that.
- Couple of minor config changes happened as NixOS defaults are slightly
different from Syncthing default, such as better handling for NTFS partitions
etc., which I no longer need

This change marks completion of one of the very first goals I set while
installing NixOS almost 2.5 years ago, of unburdening Syncthing setup on Nix.

After so long, it is finally done. This brings a lot of peace to my mind :)
2022-04-20 21:58:02 +05:30
9e781b1647 meta: Refactor + rearrange
flake.nix is getting bigger and complicated. Might need some fix after all.

A simple and dumb refactor would be to just collect all common modules and
host-specific files in single files and import them in flake. Should make things
lot simpler. But it is becoming apparent that this is where I can use more Nix
skills in general.
2022-04-20 00:08:33 +05:30
008e831bff Monitoring: Enable monitoring using Prometheus+grafana+systemd
TODO: Add Loki for logs

resource:
https://christine.website/blog/prometheus-grafana-loki-nixos-2020-11-20
2022-04-18 23:16:29 +05:30
ed2e919840 Bebop: Initial setup of Syncthing using declarative NixOS service
This is really good, because all the folders and devices and all their sharing
matrix is now declarative and part of same config as everything else. This
should remove a lot of headache going forward.

Only question is, the secrets management for Syncthing cert and key.

cert is public info encoded into the device ID, so that is mostly taken care of,
kinda.

But, these are still imperatively generated by Syncthing on the first run. I can
generate my own using openssh, but that isn't strictly better because it adds
more imperative overhead.

Lastly, the cert+key+ID combo is unique and every time a new device comes
in/current device needs to be reinstalled (highly unlikely since the dawn on
NixOS, but never say never), then this needs to be adjusted manually. For now,
I'm gonna leave it be, and deal with it when the need arises.

Declaratively deploying key via agenix is currently shelved, because unlike
other uses, this one directly exposes my network and machine to wide internet,
hedging on single SSH key, that cannot be password protected due to limitation
in agenix.
2022-04-18 18:43:25 +05:30
73be53cdb5 Bebop: Enable home-manager as NixOS module
This allows easy config of few applications/services

- git
- htop
- fzf
- neovim

* syncthing is not enabled yet. During previous experimentation it did not work,
so need to look more into it
2022-04-17 22:00:28 +05:30
b7a3e0c394 meta: Move nix.nix from top-level to modules directory
It makes sense
2022-04-16 21:31:56 +05:30
b577a0c90b Minor cleanup and comments 2022-04-15 12:28:30 +05:30
67ba724418 New module to hold config and packages common to all
While setting up Raspberry Pi, I realised there are some packages I consider
bare minimum, even for headless servers (that I own)

- NeoVim
- git
- ripgrep
- fd
- htop
- jq
- wget
- fzf
2022-04-15 12:25:40 +05:30
3e11013c7b Make Fish a common module instead of host specific module 2022-04-15 11:58:17 +05:30
bad999e00b bebop: Initial config
bebop is the Raspberry Pi hanging around my table utterly unused for close to a
year now. About time it saw some use as tiny home server.
2022-04-14 23:35:54 +05:30
8ae17f5bad Clean up, rearrange and add comments in flake.nix
I could in theory just import all flake files from particular host, but so far
there aren't a lot of files in there, and I like the explicitness, and central
point of entry in flake.nix

Not sure what went wrong the last time I tried it. This seems to be working, so
I'll keep it and keep an eye for a while
2022-04-05 18:55:28 +05:30
51a851767f EXPERIMENT: Set up nixpkgs-unfree as root input as well as cachix
nixpkgs-unfree supposedly provides builds for non-free, but redistributable
packages that cache.nixos.org does not build.

Along with cuda-maintainers, it should reduce the burden for using heavy
packages for machine learning quite a bit. So, let's see how this one goes.

I should also start checking how the machine learning story is with NixOS at
all, it is rife with Python and Python has absolutely horrible ecosystem for
managing dependencies.
2022-03-29 22:11:51 +05:30
bf2761e10c doom-emacs: Disable building doom-emacs config via Nix 2022-03-28 22:18:22 +05:30
9167849010 doom-emacs: Get nix-doom-emacs to build and work
It is not perfect, it does not load private files and it generally feels a set
and forget, not-updated-often situation like every other Nix derivation.

It is promising, but the edges are sharp, and not something I'd like to invest
time in right now.
2022-03-28 22:14:28 +05:30
0553add7fc doom-emacs: Initial commit (BROKEN)
Build Doom-emacs config via Nix itself, and combine all in single monolithic,
declarative system mwahahahahaha

Except, it's not working yet. It keeps complaining about missing 'beancount' :/

So, this commit will most likely be promptly reverted.
2022-03-28 21:04:24 +05:30
04dfe98ba2 Fish: Move Fish shell config to separate file
Also add new alias to `nixos-rebuild switch -v --offline`

Because offline build takes under a minute on cold-boot while without can take
multiple minutes, often wasting time and bandwidth on useless stuff like
fetching and parsing all inputs to system flake.

Lower time also makes it a good temporary workaround for the agenix bug.
2022-03-28 00:10:28 +05:30
28322523c8 Enable nvidia and move nvidia config to separate file
- Enable nvidia GPU in sync-mode
   At least one game did not work well enough on Intel
 - Move nvidia config to separate file (nvidia.nix)
 - Refactor and simplify nvidia config
   enabling/mode-changing of nvidia can be done via two simple
   top-level variables instead of changing interdependent booleans
   independently.
   select GPU driver based on top level variable
   Add `nvidia-offload' environment variable shell to env based on top-level variable
2022-03-27 22:41:51 +05:30
629846a1f9 Setup secrets management using agenix
agenix uses age (a utility + standard) that encrypts secrets using ssh key.
This simplifies secrets management quite a bit compared to GPG (my attempts for
which have failed so far).

Changes included:
        - Encrypt all current keys (mail, backups) using age, configured via
        agenix
        - All encrypted keys are committed to git repo and decrypted during boot
        - None of the keys are used anywhere just yet. They will replace file
        paths in future commit after testing
        - Decrypted keys are available after boot under user name with read-only
        permissions at default agenix location (as of this commit)
        - The Nix variable path is provided by agenix and can be used instead of
        having to recreate
        - multiple keys can be specified for single key, but for now I am only
        using one

For now, the code is dirty and can definitely use improvements. It is just at a
place where it is all working right now.

TODO: Get age + agenix in environment packages available at runtime in NixOS

Links:
    - https://github.com/ryantm/agenix
    - https://github.com/hlissner/dotfiles
2022-02-22 03:09:20 +05:30
0d0b6c7d2c Refactor some parts into separate files
Move some logically independent and consistent parts into separate
modules (files):

        1. Nix config :
           Package, experimental options, automatic garbage-collection config
        2. Backups :
           Restic + rclone + systemd services for backup notifications

This has reduced main configuration.nix by 100+ lines. These parts are also
unlikely to be touched in tandem with other configuration and hence can be
separated out.
2022-02-14 16:15:27 +05:30
cfe9e785a4 Revert "Temporarily pin emacs-overlay"
This reverts commit 4fa3d1f70a.
2021-11-24 13:51:35 +05:30
4fa3d1f70a Temporarily pin emacs-overlay
A change in Emacs 29 changed signature of define-key that broke doom.

Until the issue is fixed, pin emacs-overlay to commit before that.

Doom issue link: https://github.com/hlissner/doom-emacs/issues/5785
2021-11-24 13:46:17 +05:30
dfb3d3f7ee Enable binary cache for nix-community
Finally fully enable binary cache for nix-community and emacs-overlay.
Now I don't have to build emacs from scratch for every master update :)

This was done by means of cachix, which is a means to upload built derivations
for others to share with. Nix-community has their own, and it makes using
overlays provided by nix-community that much better. This should shave off 20-25
min per system rebuild.

I am not sure if this will work as is after moving this config to new system,
so here are the steps to follow:

1. nix shell nixpkgs#cachix
2. sudo cachix use nix-community
3. stage/commit cachix.nix and cachix/ from /etc/nixos
4. done

Hopefully this will be enough in the future system move. If not, all the best to
future me.
2021-11-13 12:15:53 +05:30
a6ee16e8dc Use EmacsGcc package from emacs-overlay
Use Emacs master branch with native compilation flag enabled.

I tried Pgtk branch, but it is not always kept up to date with master (currently
3+ months behind) and could have some issues that aren't always tested. It does
mean Wayland integration is imperfect, but right now it is good enough (with few
minor annoyances).

Emacs + Gcc (native-comp)

native-comp is currently in upcoming release branch (28.0.50), while pgtk branch
is yet to be merged. Using both above features is easily available with
emacs-overlay provided by nix-community.

I still haven't been able to get cachix build cache to work, so currently this
config builds full Emacs on machine. This extends system rebuild by 30+ minutes
and reduces system useability for the same duration.

Updating system frequently is not currently on my radar anyway, and I can
probably stomach keeping the machine humming for 60+ minutes of system
rebuild (compiling Emacs itself takes 25-30 min),
as long as I do it less than once per week. Will see how it goes.
2021-10-31 12:01:55 +05:30
338b82dd4a Switch Sound to PipeWire and move to separate module
PipeWire is new Linux audio and video streams.
Previously I used PulseAudio, and while it worked, it was less than
perfect. Pulse used bit much processing, and in general had few bugs.

Pipewire is supposed to be lighter, more stable, and it can use high
quality codec for bluetooth.

I took this opportunity to move sound-related config to its separate
module (sound.nix). This is a beginning to nicely move independent config
sections to their own modules. Sound config has pretty much zero
relations with rest of the config, so it made sense to move it in
separate file. Perhaps I can do the same with other stuff, maybe some services.
2021-09-13 08:08:58 +05:30
4cffebb34c mbsync + msmtp + mu setup via home-manager
Initial setup to email from within emacs.
That required setting up above stuff, detailed below:

mbsync : sync maildir with email host/provider (gmail)
mu : index and search maildir
msmtp : send mail

All of the above have good module under home-manager, making it *relatively*
straightforward to set the whole thing up.
2021-07-20 16:55:19 +05:30
42e7c9c728 Minor re-arrangement 2020-11-03 16:27:55 +05:30
8afac13daa Initial flake implementation
For now, simply copied current configuration.nix and hardware-configuration.nix
to hostname specific directory.
Made minor modifications to remove input impurity from
hardware-configuration.nix (<nixpkgs> to ${modulesPath}).
Created flake.nix to import the configuration.nix and just build it.

Referred to this guy : https://github.com/MatthewCroughan/nixcfg
2020-11-03 16:10:59 +05:30