GNU/Linux except Linux - A NixOS-based "firmware layer" that makes hardware disappear, topped with rolling apps and portable dev environments.
| Layer | Stability | Updates | Examples |
|---|---|---|---|
| Firmware | Rock solid | Quarterly | Wayland, drivers, ZFS, Docker, libvirt |
| Apps | Rolling | Weekly | VS Code, Neovim, Firefox, Spotify |
| Dev | Portable | Per-project | devcontainer.json (works on Win/WSL/Codespaces/here) |
```bash
# 1. Get this repo
nix-shell -p git
git clone https://github.com/youruser/nixos-home /tmp/config
cd /tmp/config
# 2. Run the one-shot installer
sudo ./scripts/install.sh x1carbon
# 3. Set the login password when prompted
# 4. Reboot
```

`install.sh` handles Disko, swap activation, hardware-config generation, `nixos-install`, and prompts to set the login password for `dany` before reboot.
For 8GB machines like the X1 Carbon, use a two-stage install so the laptop does not need to evaluate/build the full closure locally.
On the laptop installer:

```bash
sudo ./scripts/install.sh x1carbon --prepare-only
```

This partitions the disk, enables swap, mounts the target filesystem, and generates `hosts/x1carbon/hardware-configuration.nix`.
Copy that generated hardware config back to your stronger builder machine, then build the exact system closure there:

```bash
system=$(nix build .#nixosConfigurations.x1carbon.config.system.build.toplevel --print-out-paths --no-link)
echo "$system"
```

Then push that closure into the laptop's target store. Current example while the installer is at root@10.0.82.23:

```bash
nix copy --no-check-sigs --to 'ssh-ng://root@10.0.82.23?remote-store=/mnt' "$system"
```

`--no-check-sigs` skips signature verification on the copied paths, so the laptop trusts the closure only because it comes from your own builder over SSH.

Back on the laptop installer, finish using that printed store path:

```bash
sudo ./scripts/install.sh x1carbon --system /nix/store/<hash>-nixos-system-x1carbon-...
```

`--system` is the non-destructive second phase: it assumes the disk is already partitioned and mounted at `/mnt`, and goes straight to `nixos-install` using the prebuilt closure.
It will still prompt to set the login password for dany before reboot.
```bash
# Generate keys
sudo sbctl create-keys
# Edit configuration.nix to enable lanzaboote
# ... (uncomment the lanzaboote section in modules/firmware/boot.nix)
sudo nixos-rebuild switch --flake .#zbook
# Verify and enroll
sudo sbctl verify
sudo sbctl enroll-keys --microsoft
# Reboot, enable Secure Boot in BIOS
```

```
firmware-os/
├── flake.nix # Entry point
├── disko/ # Declarative disk layouts
│ └── zbook.nix
├── hosts/ # Per-machine configs
│ └── zbook/
├── modules/
│ ├── firmware/ # Stable layer (boot, ZFS, drivers, etc)
│ └── desktop/ # Wayland compositor
└── home/ # User config (home-manager)
```

- ZFS on LUKS - Battle-tested encryption, excellent snapshots
- Sanoid - Automated snapshots (15min/hourly/daily retention)
- Hyprland - Modern Wayland compositor, good NVIDIA support
- LazyVim - Self-managing neovim config (not Nix-managed plugins)
- VS Code mutable extensions - Let the ecosystem be the ecosystem
- Colemak-DH - Superior ergonomic layout
- Foot terminal - Wayland-native, fast, minimal

Your uncommitted code is protected by aggressive ZFS snapshots:
- `rpool/safe/home`: every 15 min, kept for 3 hours
- You can always roll back: `sudo zfs rollback rpool/safe/home@<snapshot>`
- List snapshots: `zfs list -t snapshot`
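
A freshness check for the snapshot schedule above, as an added example that is not part of this repo: it reads a `zfs list` snapshot listing and reports whether the newest snapshot of `rpool/safe/home` is recent enough. The function names, the 1200-second limit and the sample listing (snapshot names, timestamps, the `persist` and `cache` datasets) are assumptions made for the example.

```bash
# Added example: confirm that the newest snapshot of a dataset is recent.
# stdin is the output of: zfs list -H -p -t snapshot -o name,creation
# (tab-separated "dataset@snapshot<TAB>creation in epoch seconds").

# snapshot_status DATASET MAX_AGE_SECONDS NOW_EPOCH
# Prints one status line. Returns 0 = fresh, 1 = stale, 2 = no snapshots.
snapshot_status() {
  awk -F '\t' -v ds="$1" -v max="$2" -v now="$3" '
    index($1, ds "@") == 1 {   # this dataset only, not child datasets
      count++
      if ($2 + 0 > newest) { newest = $2 + 0; name = $1 }
    }
    END {
      if (count == 0) { print "MISSING " ds; exit 2 }
      age = now - newest
      if (age > max) {
        printf "STALE %s age=%ds snapshots=%d\n", name, age, count
        exit 1
      }
      printf "OK %s age=%ds snapshots=%d\n", name, age, count
    }'
}

# Constructed sample listing (names and timestamps are made up).
sample_listing() {
  printf 'rpool/safe/home@autosnap_a\t1700000000\n'
  printf 'rpool/safe/home@autosnap_b\t1700000900\n'
  printf 'rpool/safe/home/cache@autosnap_c\t1700005000\n'
  printf 'rpool/safe/persist@autosnap_d\t1700005000\n'
}

# Demo on the sample: newest home snapshot is 100 s old at NOW=1700001000.
sample_listing | snapshot_status rpool/safe/home 1200 1700001000

# Live use on a machine with the pool (20 min limit for a 15 min schedule):
#   zfs list -H -p -t snapshot -o name,creation |
#     snapshot_status rpool/safe/home 1200 "$(date +%s)"
```

A non-zero return from the live command means the 15-minute schedule has stopped producing snapshots, which is worth knowing before you rely on a rollback.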