README > Roadmap of TODOs
- next video - yubikey
  - write article/script
  - record camera/audio
  - record screencaptures
  - preproduction assets
  - edit
  - publish
- neovim
  - sort out lsp deficiencies
- enable backup (verify access to oops)
- waybar - fix workspace issue. right monitor displays workspace '10' on reboot but should be '0'
- symlink home stuff with /mnt/extra/foo
- enable mediashare
- investigate
  - hyprcursor
  - hyprlock
- update docs in nix-secrets
- New tools to integrate
  - atuin - https://github.com/atuinsh/atuin
  - du-dust
  - syncthing - refer to https://nitinpassa.com/running-syncthing-as-a-system-user-on-nixos/
- New tools to try
  - wezterm
  - tmux or zellij
- NeoVim stuff to look at and integrate (so much to do and learn)
  - hardtime # training tool to stop bad vim habits # https://github.com/m4xshen/hardtime.nvim
  - lint # not sure if this is redundant with all the other language stuff
  - conform # meant to make lsp less disruptive to the buffer # https://github.com/stevearc/conform.nvim
  - lspsaga # meant to improve the lsp experience for nvim # https://github.com/nvimdev/lspsaga.nvim
  - trouble # side or bottom list of all 'trouble' items in your code # https://github.com/folke/trouble.nvim/
  - none-ls # inject LSP diagnostics, code actions, and more via Lua # https://github.com/nvimtools/none-ls.nvim
  - harpoon # file nav
  - ultimate-autopair # https://github.com/altermo/ultimate-autopair.nvim works with nvim-surround
  - nvim-surround # https://github.com/kylechui/nvim-surround or tim pope's surround
  - vim-grepper
  - toggle-term # https://github.com/akinsho/toggleterm.nvim
Build up a stable config using grief lab. The focus will be on structure, nix-config automation, and core tty that will be common on all machines.
- Basic utility shell for bootstrapping
- Core host config common to all machines
  - garbage collection
  - clamav
  - msmtp notifier
  - ability to import modular options
- Core home-manager config for primary user
  - cli configs
  - nvim config
  - ability to import modular options
- Repository based secrets management for local users, remote host connection, and repository auth
- Ability to consistently add new hosts and users with the core settings
- Basic automation for rebuilds
- Basic CI testing
This stage will add a second host machine, gusto (theatre). To use gusto effectively, we'll need to introduce gui elements such as a desktop, basic QoL tools for using the desktop, and some basic gui applications to play media, including the requisite audio/visual packages to make it all work.
- Add a media user specifically for gusto (autolog that one)
- Document and tweak steps to deploy to new host
- Simple desktop - add visual desktop and a/v elements as common options
  - Stable window manager environment
  - Stable audio
  - Stable video
- Auto-upgrade
- Better secrets management
  - private repo for secrets
  - personal documentation for secrets management, i.e. README for nix-secrets private repo
  - public documentation for secrets management, i.e. how to use this repo with the private repo
- Review and complete applicable TODO sops, TODO yubi, and TODO stage 2
- Deploy gusto
DEFERRED:
- Potentially yubiauth and u2f for passwordless sudo
Introduce declarative partitioning, custom iso generation, install automation, and full drive encryption. This stage was also initially intended to add impermanence and several other improvements aimed at keeping a cleaner environment. However, automation took substantially longer than anticipated and I need to start using NixOS as a daily driver sooner than later. Being spread across two distros and different config paradigms while putting 99% of the effort into the new distro/config is becoming unsustainable. As such, several features have been deferred until later stages.
- nixos-anywhere
- declarative partitioning and formatting via disko
- light-weight bootstrap flake for basic, pre-secrets install
- custom iso generation
- automated bootstrap script
- LUKS full drive encryption
  - Local decryption only for now. Enabling remote decryption while working entirely from VMs is beyond my current abilities.
- Make use of configLib.scanPaths
- look for better syntax options to shorten just recipes
  - Decided to just re-enable nix-fmt
- update nix-fmt to nixfmt-rfc-style (including pre-commit) since it will be the standard for nix packages moving forward
- update sops to make use of per host age keys for home-manager level secrets
  - don't bother
- maybe rename pkgs -> custom_pkgs and modules -> custom_modules
- Enable git ssh signing in home/ta/common/core/git.nix
DEFERRED:
- Investigate outstanding yubikey FIXMEs
- Potentially yubiauth and u2f for passwordless sudo
  - FidgetingBits still encounters significant issues with this when remoting
- Confirm clamav scan notification
  - check email for clamavd notification on ~/clamav-testfile. If yes, remove the file
  - check if the two commented out options in hosts/common/options/services/clamav.nix are in stable yet.
- setup borg module
- hyprland prep
- migrate dotfiles to nix-config
- ghost modules
- change over and recovery plan
- install nixos on Ghost
- verify drives
- verify critical apps and services functionality
- enable backup
- enable mediashare
- setup and enable hyprland basics
  - hyprlock or similar
  - logout manager
  - waypaper
  - dunst
  - rofi-wayland
- reestablish workflow
- Investigate outstanding yubikey FIXMEs
- yubiauth and u2f for passwordless sudo
- Confirm clamav scan notification
  - check email for clamavd notification on ~/clamav-testfile. If yes, remove the file
  - check if the two commented out options in hosts/common/options/services/clamav.nix are in stable yet.
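Passwordless sudo with a YubiKey, listed as deferred above and carried forward here, comes down to a few PAM options in NixOS. The following is an added illustration and is not code from this nix-config or from nix-secrets. The username `ta`, the `/etc/u2f_mappings` path and the service list are assumptions, and the `settings.*` option spelling is the NixOS 24.11 form (older releases use `security.pam.u2f.authFile` and `security.pam.u2f.cue` directly; check the option search for your channel).

```nix
# Added example, not from nix-config or nix-secrets. Username "ta" and the
# /etc/u2f_mappings path are assumptions.
{ pkgs, ... }:
{
  # pamu2fcfg (from the pam_u2f package) registers a key and prints one mapping line.
  # Run it on bare metal, since the YubiKey usually can't be redirected into a VM:
  #   pamu2fcfg -u ta | sudo tee -a /etc/u2f_mappings
  # Repeat with `pamu2fcfg -n` for a backup key and append its output to the same line.
  environment.systemPackages = [ pkgs.pam_u2f ];

  security.pam.u2f = {
    enable = true;
    # "sufficient": a touched key alone satisfies the sudo stack, so no password prompt.
    # "required" would instead make the key an extra factor on top of the password.
    control = "sufficient";
    # Option names moved under `settings` in NixOS 24.11; on older releases these are
    # security.pam.u2f.authFile and security.pam.u2f.cue (assumption, verify for your channel).
    settings = {
      # Root-owned mapping file. The default ~/.config/Yubico/u2f_keys is writable by the
      # user, so a compromised user session could register an attacker's key and then
      # sudo without a password, which is exactly what sudo's password prompt guards against.
      authfile = "/etc/u2f_mappings";
      # Print "Please touch the device." so a silent wait isn't mistaken for a hang.
      cue = true;
    };
  };

  # NixOS defaults security.pam.services.<name>.u2fAuth to the global enable, i.e. to true
  # for every PAM service once u2f is on. Keep it explicit for sudo and switch it off where a
  # "sufficient" key touch must not replace the password (assumption: adjust the list to the
  # services actually present on the host).
  security.pam.services.sudo.u2fAuth = true;
  security.pam.services.login.u2fAuth = false;
  security.pam.services.sshd.u2fAuth = false;
}
```

Test it from a second terminal that already has a root shell open before logging out: with `control = "sufficient"` a missing or unregistered key just falls through to the password prompt, but with `control = "required"` a bad mapping file locks every listed service.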
- basic theming via stylix or nix-colors
- dig into fzf and telescope
- hotkey for sleeping monitors (all or game mode)
- disk usage notifier
- check out ananicy - hold over todo from arch but there is a nixos pkg here https://search.nixos.org/packages?channel=23.11&from=0&size=50&sort=relevance&type=packages&query=ananicy
- more desktop utils and customization
- set up copyq clipboard mgr
- dig into better kitty and zsh usage
- better linting and fixing in vscode and nvim
- look at https://github.com/dandavison/delta
- declare what needs to persist
- enable impermanence
  - make sure to include /luks-secondary-unlock.key
  - make sure to include /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_ed25519_key.pub. Need to sort out how to maintain these.
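To make "declare what needs to persist" concrete, here is an added example of the impermanence module's persistence declaration carrying the two items flagged above. It is not from this nix-config; `/persist` as the mount point, the impermanence repo being a flake input named `impermanence`, and the directory list are assumptions.

```nix
# Added example, not from nix-config. Assumes the impermanence repo is a flake input
# named `impermanence` and that /persist is a separate, non-ephemeral subvolume/partition.
{ inputs, ... }:
{
  imports = [ inputs.impermanence.nixosModules.impermanence ];

  # Root is wiped each boot (tmpfs or a rolled-back btrfs subvolume); only the paths
  # declared here are bind-mounted back in from /persist.
  environment.persistence."/persist" = {
    # Keep the bind mounts out of `df` and file-manager output.
    hideMounts = true;
    directories = [
      "/var/log"
      "/var/lib/nixos"      # uid/gid maps; losing these renumbers users and orphans files
      "/var/lib/systemd"    # timer last-run stamps, random seed, journal state
      "/etc/NetworkManager/system-connections"
    ];
    files = [
      "/etc/machine-id"
      # Host keys must survive a wipe: clients pin them in known_hosts, and if sops-nix
      # derives the host's age identity from the ed25519 key (sops.age.sshKeyPaths),
      # a regenerated key can no longer decrypt anything from nix-secrets.
      "/etc/ssh/ssh_host_ed25519_key"
      "/etc/ssh/ssh_host_ed25519_key.pub"
      # The keyfile the roadmap flags. If it is consumed in the initrd rather than after
      # the root is mounted, persisting it here is not enough, because bind mounts only
      # appear once the root filesystem is up.
      "/luks-secondary-unlock.key"
    ];
  };

  # sops-nix decrypts during activation, so the persisted host key has to be mounted
  # before stage 2 starts; otherwise the first boot after a wipe fails to decrypt.
  fileSystems."/persist".neededForBoot = true;
}
```

After the first switch, compare `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` against the fingerprint recorded in nix-secrets before rebooting into the ephemeral root; a mismatch means the key was regenerated and the secrets will fail to decrypt.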
The following has to happen on bare metal because I can't seem to get the yubikeys to redirect to the VM for use with git-agecrypt.
- Remote LUKS decrypt over ssh for headless hosts
- need to set up age-crypt keys because this happens before sops and therefore we can't use nix-secrets
- add initrd-ssh module that will spawn an ssh service for use during boot
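As an added illustration of the remote-unlock item above (not code from nix-config), here is the NixOS initrd networking configuration that runs an sshd inside the initrd so a headless host's LUKS prompt can be answered over the network. The NIC module name, the key path, the port and the authorized key are assumptions.

```nix
# Added example, not from nix-config. Assumes the NIC needs the r8169 module and that a
# dedicated initrd host key was generated on the host with:
#   ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
{ ... }:
{
  # The NIC driver must be in the initrd, otherwise there is no link at the point the
  # LUKS passphrase is requested. ip=dhcp brings the interface up in the initrd.
  boot.initrd.availableKernelModules = [ "r8169" ];
  boot.kernelParams = [ "ip=dhcp" ];

  boot.initrd.network = {
    enable = true;
    ssh = {
      enable = true;
      # A different port from the real sshd, so the client's known_hosts entry for
      # host:22 (main key) never collides with host:2222 (initrd key).
      port = 2222;
      # This key is read at build time and copied into the initrd, which sits unencrypted
      # on /boot. It must therefore be a dedicated key, never the main
      # /etc/ssh/ssh_host_ed25519_key. Anyone who reads it from /boot can impersonate the
      # unlock prompt and phish the passphrase, which is the argument for pairing this
      # with Secure Boot (lanzaboote, later in this list).
      hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
      # Only these public keys can reach the unlock prompt (placeholder, replace it).
      authorizedKeys = [ "ssh-ed25519 AAAA<your-public-key-here> ta@ghost" ];
    };
  };
}
```

With the scripted initrd you ssh to port 2222 and run `cryptsetup-askpass`; with `boot.initrd.systemd.enable = true` the prompt is answered by `systemd-tty-ask-password-agent` instead. Because the host key is baked into the initrd when the system is built, it has to exist on the building machine before sops-nix has run, which is why it cannot come out of nix-secrets and needs the age-crypt handling noted above.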
- Per host branch scheme
- Automated machine update on branch release
- Handle general auto updates as well
- Consider nixifying bash scripts (see refs below)
- Overhaul just file
- clean up
- add {{just.executable()}} to just entries
- explore direnv
- Refactor nix-config to use more extensive specialArgs and extraSpecialArgs for common user and host settings
- Re-implement modules to make use of options for enablement
- lanzaboote https://github.com/nix-community/lanzaboote
  - Some systemd stage 1 info for reference (not specific to lanzaboote):
- https://github.com/ElvishJerricco/stage1-tpm-tailscale
- https://youtu.be/X-2zfHnHfU0?si=HXCyJ5MpuLhWWwj3
- automatic scheduled sops rotate
- Look at re-enabling CI pipelines. These were disabled during stage 2 because I moved to inputting the private nix-secrets repo in flake.nix. Running nix flake check in a gitlab pipeline now requires figuring out access tokens. There were higher priorities considering the check can be run locally prior to pushing.
- move Gusto to disko
- revisit scanPaths. Usage in hosts/common/core is doubled up when hosts/common/core/services is imported. Options are: declare services imports individually in services/default.nix, move services modules into parent core directory... or add a recursive variant of scanPaths.
Impermanence - These two are the references to follow and integrate. The primer list below is good review before diving into this:
Impermanence primer info
- impermanence repo - an implementation of the below concept
- blog - erase your darlings
- blog - encrypted btrfs root with opt-in state
- blog - setting up my new laptop nix style
- blog - tmpfs as root
- blog - tmpfs as home
Migrating bash scripts to nix
- https://www.youtube.com/watch?v=diIh0P12arA and https://www.youtube.com/watch?v=qRE6kf30u4g
- Consider also the first comment "writeShellApplication over writeShellScriptBin. writeShellApplication also runs your shell script through shellcheck, great for people like me who write sloppy shell scripts. You can also specify runtime dependencies by doing runtimeInputs = [ cowsay ];, that way you can just write cowsay without having to reference the path to cowsay explicitly within the script"
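The quoted comment is the whole technique in two sentences, so here it is as an added example that is not code from nix-config: a script wrapping the "check the clamav test file" item from this roadmap, packaged with `writeShellApplication`. The script name `clamav-check` is hypothetical.

```nix
# Added example, not from nix-config. `clamav-check` is a hypothetical script name.
{ pkgs, ... }:
let
  clamav-check = pkgs.writeShellApplication {
    name = "clamav-check";
    # Everything in runtimeInputs is prepended to PATH inside the wrapper, so the script
    # can call `clamscan` without embedding ${pkgs.clamav}/bin/clamscan.
    runtimeInputs = [ pkgs.clamav pkgs.coreutils ];
    # writeShellApplication adds `set -o errexit -o nounset -o pipefail` and runs
    # shellcheck over the text at build time; a shellcheck warning fails the build,
    # which writeShellScriptBin would silently let through.
    text = ''
      target="''${1:-$HOME/clamav-testfile}"
      if [ ! -e "$target" ]; then
        echo "clamav-check: no such file: $target" >&2
        exit 2
      fi
      # clamscan exits 1 on a detection, so test the status explicitly instead of
      # letting errexit abort before anything is reported.
      if clamscan --no-summary "$target"; then
        echo "clean: $target"
      else
        echo "detection (or scan error) on $target; check for the clamd/msmtp notification" >&2
        exit 1
      fi
    '';
  };
in
{
  environment.systemPackages = [ clamav-check ];
}
```

Note the `''${` in the indented string: that is Nix's escape for a literal `${`, so the shell sees `${1:-...}` and Nix does not try to interpolate it at evaluation time.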
Add laptop support to the mix to handle stuff like power, lid state, wifi, and the like.
- laptop utils
- gui dev
  - host specific colours via stylix or nix-colors
- eww as a potential replacement to waybar
- hyprcursor
- plymouth
- maybe rEFInd
- greetd
- p10k - consider config so that line glyphs don't interfere with yanking
- fonts - https://old.reddit.com/r/vim/comments/fonzfi/what_is_your_favorite_font_for_coding_in_vim/
- centralize color palette
- dunst
- airline