NixOS Provisioning

Deterministic system builds, flake architecture, and flash workflow.

Overview

Floppy.WTF provisions devices by flashing NixOS using a flake-based system definition. Each device receives a deterministic OS build defined by its assigned role and hardware profile.

Flake Architecture

flake.nix — Build Manifest

{
  description = "Floppy.WTF — Deterministic device provisioning";
 
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
    home-manager = {
      url = "github:nix-community/home-manager/release-24.11";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
 
  outputs = { self, nixpkgs, home-manager, ... }:
  let
    system = "x86_64-linux";
  in {
    nixosConfigurations = {
      dell-dev = nixpkgs.lib.nixosSystem {
        inherit system;
        modules = [
          ./hosts/dell/configuration.nix
          ./roles/dev.nix
          home-manager.nixosModules.home-manager
        ];
      };
 
      dell-minimal = nixpkgs.lib.nixosSystem {
        inherit system;
        modules = [
          ./hosts/dell/configuration.nix
          ./roles/minimal.nix
          home-manager.nixosModules.home-manager
        ];
      };
    };
  };
}

Module Composition

Host Config (hardware-specific)
    │
    ├── modules/base.nix        (always included)
    ├── modules/filesystem.nix  (always included)
    ├── modules/power.nix       (laptops)
    │
    ├── roles/{role}.nix        (role-selected)
    │   └── includes theme + packages + services
    │
    └── theme/{theme}.nix       (role-selected or overridden)

Core Modules

modules/base.nix — Core System

Every host includes this. Provides:

• Boot loader (systemd-boot + EFI)
• Networking (NetworkManager)
• Timezone and locale
• Default user (jeremy)
• SSH server
• Nix flakes enabled
• Basic packages (git, vim, htop)

modules/filesystem.nix — Btrfs Layout

Disk Layout (GPT)
├── /boot (EFI System Partition) — 512MB, FAT32
└── / (Root) — Btrfs, remainder of disk
    ├── @         → /         (root subvolume)
    ├── @home     → /home     (user data)
    ├── @nix      → /nix      (Nix store — large)
    ├── @log      → /var/log  (persistent logs)
    └── @snapshots → /.snapshots (snapshot storage)

Btrfs features enabled:

• Transparent compression (zstd)
• Metadata checksums
• CoW (copy-on-write)
• Automatic scrub schedule (weekly)

modules/power.nix — Laptop Power

TLP enabled, CPU governor tuning, lid/suspend behavior, battery thresholds.

modules/desktop.nix — Desktop Environment

Default: XFCE (lightweight, GPU-safe for older hardware) with LightDM display manager and Picom compositor.

Role Taxonomy

USB Flash Workflow

Prerequisites

• NixOS minimal ISO downloaded
• USB stick (8GB+)
• balenaEtcher (or dd)
• Target device: Secure Boot disabled, SATA mode AHCI, USB boot first

Step-by-Step

1. Write NixOS ISO to USB — balenaEtcher: select ISO, select USB, flash
2. Boot target device from USB — F12 (Dell) to select USB boot
3. Connect to network — nmtui or ethernet
4. Partition disk — Btrfs layout per filesystem.nix spec
5. Mount filesystems — Mount Btrfs subvolumes
6. Clone repo — git clone {repo} /mnt/etc/nixos
7. Generate hardware config — nixos-generate-config --root /mnt
8. Install — nixos-install --flake /mnt/etc/nixos/nixos#dell-dev
9. Reboot — Remove USB, boot into provisioned system
10. Verify — floppy device update-status {id} --status provisioned

Automation Target

floppy provision FLOPPY-DEL-00001 --role dev

Orchestrates partitioning, subvolume creation, config deployment, nixos-install, verification, and status update.

Integrity Guarantees

Build Reproducibility

• flake.lock pins exact nixpkgs commit
• Same flake inputs → same system closure hash
• Closure hash verifiable via nix path-info

Filesystem Integrity

• Btrfs metadata checksums detect corruption
• Weekly scrub validates data blocks
• Snapshots provide rollback points

Store Verification

• Every Nix store path is content-addressed
• Tampering changes the hash → system detects mismatch
• nix store verify --all checks entire store