• Nix Flake Usage Scenarios
• Routine Maintenance Operations
• Initialization
  • home-manager (macOS)
  • Linux (NixOS)
• Tips
  • General
  • macOS Operations
• References
• TODOs

• macOS: home-manager only (I don't use nix-darwin).
• Linux (NixOS): NixOS with embedded home-manager.
• Linux (non-NixOS): home-manager only (e.g., Ubuntu).

• Update sops keys: make update-sops
• Edit encrypted files: make edit-backup
• Pin global flake registry to this repo: make pin-registry

Clone this repository and place it in the home directory (required by neovim and chezmoi).

First, add the following to /etc/nix/nix.conf:

build-users-group = nixbld
experimental-features = nix-command flakes
trusted-users = root penglei

Then initialize home-manager:

$ nix --extra-experimental-features nix-command --extra-experimental-features flakes run nixpkgs#home-manager switch -- --flake .#penglei.aarch64-darwin

In a flake directory, direnv can initialize the shell via use flake automatically. However, subsequently adding packages with nix shell ... does not take effect in this shell. The root cause is incorrect PATH priority: subshells that reinitialize by re-reading configurations (e.g., zshrc) are not reentrant. The following configuration solves this problem:

XDG_DATA_DIRS=${XDG_DATA_DIRS:-/usr/local/share:/usr/share}
export NIX_PROFILES="/nix/var/nix/profiles/default $HOME/.nix-profile"

setopt local_options shwordsplit
export NIX_SSL_CERT_FILE=/etc/ssl/cert.pem
for i in $NIX_PROFILES; do
  if [ ! -e "$NIX_SSL_CERT_FILE" ]; then
    if [ -e "$i/etc/ssl/certs/ca-bundle.crt" ]; then
      export NIX_SSL_CERT_FILE=$i/etc/ssl/certs/ca-bundle.crt
    fi
  fi

  if [ -e "$i/bin" ]; then
    if ! [[ :$PATH: == *:"$i/bin":* ]]; then
      export PATH="$i/bin:$PATH"
    fi
  fi
  if [ -e "$i/share" ]; then
    if ! [[ :$XDG_DATA_DIRS == *:"$i/share"* ]]; then
      export XDG_DATA_DIRS="$XDG_DATA_DIRS:$i/share"
    fi
  fi
done
unset i

The nix installer initializes the shell env with:

# Nix
if [ -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh' ]; then
 . '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh'
fi
# End Nix

If SSL is broken (e.g., after nix profile remove cacert), set the env explicitly:

if [ -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh' ]; then
 . '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh'
fi
if [ ! -e "$NIX_SSL_CERT_FILE" ]; then
  export NIX_SSL_CERT_FILE=/etc/ssl/cert.pem
fi

Add the following to /etc/sudoers.d/user:

penglei ALL=(root) NOPASSWD: /usr/bin/su -

pam_smartcard module is enabled by default; no additional configuration needed.

1. Disable most default keyboard shortcuts:

   Launchpad & Dock, Mission Control, Keyboard, Services, Spotlight

   In Mission Control, modify keyboard shortcuts:

   • Option + Up: Mission Control
   • Option + Down: Application Windows

2. Modifier Keys: Caps Lock -> Control

3. Disable "Automatically rearrange Spaces based on most recent use" in Desktop & Dock > Mission Control

1. Restore passphrase and GPG keys: make restore

   After placing the private key in ~/.gnupg/private-keys-v1.d, restart the agent:

   $ gpgconf --kill gpg-agent
   $ gpgconf --launch gpg-agent

2. Copy zsh command history

To quit app followed by mouse cursor, enable all additional control configurations:

$ sudo nixos-rebuild switch --flake .

• Rollback NixOS

  # /nix/var/nix/profiles/system-*-link/bin/switch-to-configuration switch

• Clean home-manager news

  $ home-manager news --flake .

• Use vim on a freshly installed NixOS

  NixOS does not include vim by default (only nano). Use the following to get vim temporarily:

  $ nix --extra-experimental-features nix-command --extra-experimental-features flakes shell nixpkgs#vim

• Clean journald logs older than one hour

  # journalctl --rotate
  # journalctl --vacuum-time=1h

• Installing yabai

  1. Switching between spaces requires disabling SIP:

     $ csrutil enable --without fs --without debug --without nvram

  2. Configure sudo — append to /etc/sudoers.d/user:

     penglei ALL=(root) NOPASSWD: /Users/penglei/.nix-profile/bin/yabai --load-sa
     penglei ALL=(root) NOPASSWD: /Users/penglei/.nix-profile/bin/yabai --uninstall-sa
     

     After completing the sudo configuration, manually run sudo yabai --load-sa once without waiting for the next reboot.

• Restart yabai daemon

  $ launchctl load -F ~/Library/LaunchAgents/org.nix-community.home.yabai.plist
  $ launchctl unload -F ~/Library/LaunchAgents/org.nix-community.home.yabai.plist
  $ launchctl kickstart -k gui/$(id -u)/org.nix-community.home.yabai

Log locations:

• $TMPDIR/rime.squirrel/Squirrel.INFO
• $TMPDIR/rime.squirrel/Squirrel.WARNING

Force deployment after updating configuration:

1. Run home-manager switch to re-link rime configuration

2. Clean cache:

   $ rm -rf ~/Library/Rime/build

3. Click "Deploy" in the Squirrel menu

installation.yaml should be writable after upgrading Squirrel.

Run as root:

# nix profile install nixpkgs#nix_git

• Shell Expansion

  • Bash Parameter Expansion
  • Zsh Expansion
  • Zsh Modifiers
  • Zsh Parameter Expansion
  • Remove entry from array
  • Check if zsh array contains value

• macOS

  • NSUserDefaults
  • Awesome macOS apps

• Rime Input Method

  • rime-ice framework
  • Grammar model
  • Shift+Space as switcher key

• Font

  • LaTeX "Kaiti SC" cannot be found
  • Linux fontconfig matching mechanism
  • Nerd icon font cheat sheet

• Inject username when using home-manager standalone.