This is primarily a guide for myself on how to set up my own systems. Feel free to copy any of the dotfiles, but do not expect a direct copy of everything to work for you.
Make sure to follow the guide for each system step by step and to move over
an SSH key for GitHub to get started with cloning the repository.
Then, clone the repository into ~/Developer/dotfiles using SSH:
```sh
git clone git@github.com:michaelbrusegard/dotfiles.git ~/Developer/dotfiles
```
[!NOTE] I also maintain a private repository with soft and hard secrets that is added into the repository as a Nix flake. Directly copying the dotfiles will therefore most likely fail, since the build will not be able to fetch the private repository.
Hard secrets are encrypted further inside the private repository using sops.
To include them in the build, add the age keys to ~/.config/sops/age/keys.txt
and then do a rebuild.
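One way to check the age key file before the rebuild, as an added example that is not part of this repository. The `perm` and `audit_age_keys` helpers and the exact checks are assumptions of this sketch.

```sh
#!/bin/sh
# Added example (not from the dotfiles repository): sanity checks for the
# sops age key file before a rebuild. Function names are hypothetical.

# perm PATH -> octal mode; GNU stat first, BSD/macOS stat as fallback.
perm() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# audit_age_keys [FILE] -> 0 only if the key file looks safe to use.
audit_age_keys() {
    f="${1:-$HOME/.config/sops/age/keys.txt}"
    # A symlink could point into the world-readable Nix store, so reject it.
    [ -f "$f" ] && [ ! -L "$f" ] || { echo "$f: missing or a symlink" >&2; return 1; }
    # Only the owner may read the private key.
    case "$(perm "$f")" in
        600|400) ;;
        *) echo "$f: mode $(perm "$f"), want 600" >&2; return 1 ;;
    esac
    # Group/other must not be able to replace files in the directory.
    case "$(perm "$(dirname "$f")")" in
        *[2367]?|*[2367]) echo "$(dirname "$f"): writable by group/other" >&2; return 1 ;;
    esac
    # The file must hold at least one age identity line.
    grep -q '^AGE-SECRET-KEY-1' "$f" || { echo "$f: no age identity found" >&2; return 1; }
}

# Usage: audit_age_keys   (defaults to the path used in this guide)
```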
Create an installer by downloading the graphical ISO image from the NixOS download page and flashing it to a USB drive using the following command:
```sh
sudo dd if=~/Downloads/YYY.iso of=/dev/XXX bs=4M status=progress oflag=sync
```
Replace YYY.iso with the name of the downloaded ISO file and /dev/XXX
with the path to your USB drive.
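A guarded wrapper around the flashing step, as an added example that is not part of this repository (Linux only). It assumes you have the SHA-256 value published for the ISO; the function names and the `SYSFS`/`MOUNTS` overrides are hypothetical.

```sh
#!/bin/sh
# Added example (not from the dotfiles repository): checks to run before dd.
# SYSFS and MOUNTS can be overridden for testing; defaults are the Linux paths.
SYSFS="${SYSFS:-/sys/block}"
MOUNTS="${MOUNTS:-/proc/mounts}"

# verify_image FILE EXPECTED_SHA256 -> 0 only if the digest matches exactly.
verify_image() {
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# safe_target /dev/NAME -> 0 only for a whole, removable, unmounted disk.
safe_target() {
    name=${1#/dev/}
    # Whole disks have an entry directly under /sys/block; partitions do not.
    [ -d "$SYSFS/$name" ] || { echo "$1: not a whole disk" >&2; return 1; }
    # The removable flag is typically 1 for USB flash drives.
    [ "$(cat "$SYSFS/$name/removable")" = "1" ] ||
        { echo "$1: not flagged removable" >&2; return 1; }
    # Refuse if the disk or any of its partitions is mounted.
    if grep -q "^/dev/$name" "$MOUNTS"; then
        echo "$1: has mounted filesystems" >&2
        return 1
    fi
}

# flash FILE EXPECTED_SHA256 /dev/NAME: the guide's dd invocation, but gated.
flash() {
    verify_image "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
    safe_target "$3" || return 1
    sudo dd if="$1" of="$3" bs=4M status=progress oflag=sync
}
```

The removable flag is a conservative signal: some USB enclosures and built-in SD readers may report 0, in which case the function refuses and the target has to be confirmed by hand with `lsblk`.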
After the installation, a few things are needed before the flake configuration can be installed:
- Add `git` to system packages in `/etc/nixos/configuration.nix` and rebuild the system with `sudo nixos-rebuild switch`.
- Add both the SSH key and the age key to the system, so that we can clone the repository and decrypt secrets.
- Verify that the dotfiles configuration has the same hardware configuration as `/etc/nixos/hardware-configuration.nix`, specifically device file paths and partition UUIDs.
- Create the initial secure boot keys with `nix shell nixpkgs#sbctl --command sudo sbctl create-keys`. For the rest of the secure boot setup read the lanzaboote docs. In short, reboot and clear the secure boot keys in the UEFI settings, then enroll the keys using `sbctl enroll-keys --microsoft` and reboot the system.
Then we can install the flake configuration by running the following command:
```sh
sudo nixos-rebuild switch --flake $HOME/Developer/dotfiles#desktop
```
Afterwards delete the old NixOS configuration files:
```sh
sudo rm -rf /etc/nixos
```
And reboot the system:
```sh
sudo reboot now
```
First install macOS normally by following the default installation guide on the Mac. To access the installer, hold the power button during boot to access recovery options. Then go through all the sections below for the initial setup.
System Integrity Protection (SIP) needs to be partially disabled for the yabai tiling window manager to work correctly.
- Turn off the Mac, then press and hold the power button until "Loading startup options" appears. Click Options, then click Continue.
- In the menu bar, choose Utilities, then Terminal.
- Run this:
  ```sh
  csrutil enable --without fs --without debug --without nvram
  ```

After rebooting run this:
```sh
sudo nvram boot-args=-arm64e_preview_abi
```
Then reboot again.
Install Xcode command line tools:
```sh
xcode-select --install
```
Accept the license agreement:
```sh
sudo xcodebuild -license accept
```
```sh
softwareupdate --install-rosetta --agree-to-license
```
Run the following command to install Nix:
```sh
curl --proto '=https' --tlsv1.2 -sSf -L \
  https://install.determinate.systems/nix | \
  sh -s -- install
```
When prompted to install Determinate Nix, explicitly say no.
Build the system the first time using the following command:
```sh
nix run nix-darwin -- switch --flake $HOME/Developer/dotfiles
```
Later rebuilds can use the rebuild alias.
Download the Karabiner-DriverKit-VirtualHIDDevice manually and install the package. Afterwards make sure it is enabled in System Settings, General -> Login Items & Extensions -> Driver Extensions (At the bottom).
Also make sure that /run/current-system/sw/bin/kanata is added as an
allowed application under Privacy & Security -> Input Monitoring. If kanata
is already added, remove it and try again. This may have to be redone if
Kanata is updated since the Nix Store path would change.
Lastly, go to Keyboard -> Keyboard Shortcuts... -> Modifier Keys, and make sure the Karabiner DriverKit VirtualHIDDevice is selected as the keyboard.
The Nix configuration should handle the rest. For any problems, check out this discussion in the kanata repository.
To create the installation ISO for Windows, we use Chris Titus Tech's Windows Utility to create a clean telemetry-free ISO that does not require a Microsoft account (This has to be run on a Windows machine). The commands require administrator privileges, so make sure to run PowerShell as administrator.
First, enable execution of scripts in PowerShell:
```powershell
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
```
Then load the tool:
```powershell
irm "https://christitus.com/win" | iex
```
In the tool we can download an ISO image from Microsoft and then modify it to remove telemetry and other unwanted features. When we have the MicroWin ISO we can flash a USB drive using Rufus.

[!INFO] The current desktop setup uses the AMD RAID driver to run the two NVMe drives in RAID 0. This is not supported by the Windows installer, so we need to add the driver manually. It can be installed from the motherboard's website (ASUS motherboard downloads). A guide for adding the driver can be found in the AMD RAID guide.
After installation go to Windows Update and run it to make sure the system is updated.
Also make sure to install updated drivers for the system, the download pages for the current system can be found below:
First we need to build the NixOS WSL tarball. This can be done by running the following command in the dotfiles directory on a nix machine:
```sh
sudo nix run .#nixosConfigurations.wsl.config.system.build.tarballBuilder
```
Put this on a flash drive and copy it to the Windows machine.
Then start by installing Windows Subsystem for Linux (WSL) on Windows:
```powershell
wsl --install --no-distribution
```
Then reboot the computer and install the NixOS WSL tarball by running the following command (you have to move the tarball from the flash drive to the current directory first):
```powershell
wsl --install --from-file nixos.wsl
```
To enter the WSL environment, run:
```powershell
wsl
```
Now clone the dotfiles repository, add the age keys and rebuild.
First rerun the WinUtil tool:
```powershell
irm "https://christitus.com/win" | iex
```
In the Tweaks tab, enable the Standard tweaks plus the following:
- Disable Recall
- Disable Background Apps
- Disable Microsoft Copilot
- Disable Intel MM
- Disable Notification Tray/Calendar
- Disable Windows Platform Binary Table
- Set Display for Performance
- Set Classic Right-Click Menu
- Set Time to UTC
- Remove Microsoft Edge
- Remove Home and Gallery from explorer
- Remove OneDrive
Then set the DNS to Cloudflare.
Under Performance Plan click "Add and Activate Ultimate Performance Profile".
In the Updates tab select "Security Settings" to prevent Windows Updates from automatically installing updates at the worst times.
Then run the setup.ps1 script to install packages and apply registry tweaks:
```powershell
powershell -ExecutionPolicy Bypass -File \\wsl.localhost\NixOS\home\michaelbrusegard\Developer\dotfiles\windows\setup.ps1
```
The custom keyboard layout is set up like the default US layout, but with
Mac-like behaviour for special characters when holding AltGr (this helps with
typing Norwegian characters like æøå when using the US layout). It is
configured with MSKLC,
and the configuration can be imported into the app to be edited via
keyboard.klc.
To apply the custom keyboard layout copy the keyboard.zip file from WSL:
```powershell
# Single quotes keep the UNC path literal (no variable expansion on "$")
$SRC = '\\wsl$\NixOS\home\michaelbrusegard\Developer\dotfiles\windows\keyboard.zip'
cp $SRC C:\Users\michaelbrusegard\Downloads
```
The resulting image can be found in result/sd-image/. It is a compressed
Zstandard archive that can be flashed to an SD card.
We need to plug in the SD card and find out what the device path is for the SD card.
On Linux:
```sh
lsblk
```
On Darwin:
```sh
diskutil list
```
On Linux it is usually /dev/sdX where X is a letter, for example
/dev/sdb. On Darwin it is usually /dev/diskX where X is a number, for
example /dev/disk6.
To flash the image to the SD card you can use the following command. Make
sure to replace /dev/XXX with the correct device path for your SD card:
```sh
zstd -dc result/sd-image/*.zst | sudo dd of=/dev/XXX bs=4M status=progress oflag=sync
```
Build the SD image on a machine with Nix using the following command:
```sh
nix build .#Macchiato
```
The resulting image can be found in result/sd-image/. It is a compressed
Zstandard archive that can be flashed to an SD card.
We need to plug in the SD card and find out what the device path is for the SD card.
On Linux:
```sh
lsblk
```
On Darwin:
```sh
diskutil list
```
On Linux it is usually /dev/sdX where X is a letter, for example
/dev/sdb. On Darwin it is usually /dev/diskX where X is a number, for
example /dev/disk6.
To flash the image to the SD card you can use the following command. Make
sure to replace /dev/XXX with the correct device path for your SD card:
```sh
zstd -dc result/sd-image/*.zst | sudo dd of=/dev/XXX bs=4M status=progress oflag=sync
```
The Espresso setup consists of HA k3s nodes (espresso1, espresso2, espresso3) for running containerized homelab and business services like websites, media hosting and automation.
Start with obtaining MAC addresses for each node by enabling PXE (Preboot Execution Environment) and writing down the MAC address. Then disable PXE again and assign a static IP to each node from the router.
First, build the appropriate bootstrap ISO:
```sh
nix build .#bootstrapIsoX86
```
Flash the resulting ISO (result/iso/*.iso) to a USB drive:
```sh
sudo dd if=result/iso/*.iso of=/dev/sdX bs=4M status=progress oflag=sync
```
Boot each node from the USB drive. Once booted, the node will have SSH enabled with your key.
Then, for each node, run:
```sh
nixos-anywhere --flake ~/Developer/dotfiles#Espresso1 \
  -i ~/.config/sops-nix/secrets/ssh/bootstrap/private-key \
  root@node-ip
```
Replace Espresso1 with Espresso2/Espresso3 and the correct IP.
- Copy sops keys to each node (e.g., via SSH or USB)
- Access via `kubectl` after connecting to any node
- Drain nodes for maintenance: `kubectl drain espresso1`
- Uncordon after: `kubectl uncordon espresso1`

- LGUG2Z's nix-wsl-starter
- Andrey0189's Nix Hyprland configuration
- Notusknot's nix-dotfiles
- Mathias Bynens and his macOS defaults
- Dries Vints and his SSH script
- Antione Martin and his GPG script
- Elliot's fast and beautiful .zshrc prompt
- Michael Bao's dotfiles
- Josean Martinez's dev environment files
- TheBlueRuby's awesome Arch Linux setup


