A clean, modular, and professional NixOS configuration system with centralized configuration management.
- Highly Modular: Every component is in its own module
- Centralized Configuration: Single source of truth in `modules/config.nix`
- Profile-Based: Pre-configured profiles for different use cases
- Conditional Activation: Modules activate based on configuration
- AppImage Support: binfmt registration + auto-download of managed AppImages
- Storage Management: External volume mounts + `/data` directory layout for package managers
- Security Toolkit: Optional OSINT/pentest module with comprehensive tooling
```text
nixos/
├── configuration.nix           # Main entry point
├── hardware-configuration.nix  # Generated hardware config (not tracked)
│
├── modules/
│   ├── config.nix              # ⭐ Centralized configuration
│   ├── packages.nix            # System-wide packages (7 categories)
│   ├── appimage.nix            # AppImage binfmt + managed apps
│   │
│   ├── core/                   # Core system modules
│   │   ├── boot.nix
│   │   ├── network.nix
│   │   ├── nix.nix
│   │   └── system.nix
│   │
│   ├── locale/                 # Regional settings
│   │   ├── default.nix
│   │   ├── timezone.nix
│   │   ├── i18n.nix
│   │   ├── console.nix
│   │   └── xkb.nix
│   │
│   ├── hardware/               # Hardware support
│   │   ├── gpu/ (amd, nvidia, intel)
│   │   ├── audio.nix
│   │   ├── bluetooth.nix
│   │   └── printing.nix
│   │
│   ├── graphics/               # Display servers
│   │   ├── wayland.nix
│   │   └── xorg.nix
│   │
│   ├── desktop/                # Desktop environments
│   │   ├── fonts.nix
│   │   ├── cosmic.nix
│   │   ├── gnome.nix
│   │   ├── hyprland.nix
│   │   ├── i3.nix
│   │   ├── mate.nix
│   │   ├── xfce.nix
│   │   └── awesome.nix
│   │
│   ├── services/               # System services
│   │   ├── docker.nix
│   │   ├── ollama.nix
│   │   ├── claude.nix          # Claude Code CLI
│   │   ├── ssh.nix
│   │   └── lsyncd.nix          # Live sync to external volume
│   │
│   ├── storage/                # Storage management
│   │   ├── data.nix            # /data directory layout + env vars
│   │   ├── volumes.nix         # External mounts + bind mounts
│   │   ├── lvm.nix
│   │   └── zfs.nix
│   │
│   ├── users/                  # User management
│   │   ├── default.nix
│   │   └── groups.nix
│   │
│   └── profiles/               # Optional feature profiles
│       ├── security.nix        # OSINT / pentest toolkit
│       └── SECURITY_README.md
│
├── profiles/                   # System profiles
│   ├── minimal.nix
│   ├── desktop.nix
│   ├── server.nix
│   └── developer.nix
│
├── dotfiles/
│   └── awesome/                # AwesomeWM dotfiles
│       ├── rc.lua
│       ├── dunstrc
│       └── picom.conf
│
└── install/                    # Interactive Python installer
    ├── configurator.py
    ├── lib/
    │   ├── config_generator.py
    │   └── validators.py
    └── data/                   # JSON data for installer options
```
```bash
git clone https://github.com/julas23/nixos.git /etc/nixos
cd /etc/nixos
```

Edit `modules/config.nix`:
```nix
system.config = {
  system.hostname = "my-nixos";
  locale = {
    timezone = "America/New_York";
    language = "en_US.UTF-8";
  };
  hardware.gpu = "amd";
  graphics = {
    server = "wayland";
    desktop = "cosmic";
  };
  user = {
    name = "myuser";
    fullName = "My Name";
  };
};
```

```bash
sudo nixos-rebuild switch
```

Uncomment a profile in `configuration.nix`:
```nix
imports = [
  # ...
  ./profiles/desktop.nix
];
```

Available Profiles:

- `minimal` — Bare minimum (no GUI)
- `desktop` — Full workstation
- `server` — Headless server
- `developer` — Dev environment
```nix
system = {
  hostname = "nixos";
  stateVersion = "24.11";
};
```

```nix
locale = {
  timezone = "America/Miami";
  language = "en_US.UTF-8";
  keyboard = {
    console = "us";
    layout = "us";
    variant = "alt-intl";
  };
};
```

```nix
hardware = {
  gpu = "amd";              # amd | nvidia | intel | none
  audio = {
    enable = true;
    backend = "pipewire";   # pipewire | pulseaudio
  };
  bluetooth.enable = false;
  printing.enable = false;
};
```

```nix
graphics = {
  server = "wayland";   # wayland | xorg
  desktop = "cosmic";   # cosmic | gnome | hyprland | i3 | mate | xfce | awesome | none
};
```

```nix
services = {
  docker.enable = true;
  ollama.enable = false;
  claude.code.enable = false;   # installs claude-code from nixpkgs
  ssh = {
    enable = true;
    permitRootLogin = false;
  };
};
```

lsyncd is enabled by its presence in `imports` rather than by a flag: comment or uncomment `./modules/services/lsyncd.nix` in `configuration.nix` to toggle it.
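The `services.ssh` and `network.firewall` settings above are consumed by modules that read `config.system.config` and activate conditionally. The module below is an added example, not the project's own `ssh.nix` or `network.nix`: it maps the page's `permitRootLogin` boolean onto the real NixOS `services.openssh.settings.PermitRootLogin` option, passes the firewall lists through unchanged, and adds a build-time assertion. The key-only login settings (`PasswordAuthentication`, `KbdInteractiveAuthentication`, `X11Forwarding`) are this example's hardening additions and are not part of the project's `config.nix`.

```nix
# Added example, not the project's own ssh.nix or network.nix: one module that
# reads services.ssh and network.firewall from config.system.config and maps
# them onto NixOS options. The SSH block is merged only when ssh.enable is true.
{ config, lib, ... }:

let
  cfg = config.system.config;
  ssh = cfg.services.ssh;
  fw  = cfg.network.firewall;
in
{
  # Firewall follows config.nix directly. allowedTCPPorts can stay empty for
  # SSH because the openssh module opens its own port via openFirewall below.
  networking.firewall = {
    enable = fw.enable;
    allowedTCPPorts = fw.allowedTCPPorts;
    allowedUDPPorts = fw.allowedUDPPorts;
  };

  # Everything below is only merged into the system when SSH is enabled.
  services.openssh = lib.mkIf ssh.enable {
    enable = true;
    openFirewall = true;
    settings = {
      # permitRootLogin = false in config.nix becomes "PermitRootLogin no".
      PermitRootLogin = if ssh.permitRootLogin then "yes" else "no";
      # Key-only logins. These three are hardening defaults added by this
      # example, not settings the project's config.nix exposes.
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      X11Forwarding = false;
    };
  };

  # Fail the build if SSH would listen with the host firewall disabled, so the
  # misconfiguration is caught at `nixos-rebuild` time rather than on a live host.
  assertions = [{
    assertion = !(ssh.enable && !fw.enable);
    message = "system.config.services.ssh.enable requires system.config.network.firewall.enable = true";
  }];
}
```

The assertion is the part worth copying: `nixos-rebuild dry-build` (see the usage commands at the end of this README) evaluates assertions, so a contradictory combination in `config.nix` is reported before anything is activated.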
```nix
user = {
  name = "user";
  fullName = "User Name";
  uid = 1000;
  gid = 100;
  group = "users";
  extraGroups = [ "wheel" "networkmanager" ];
  sudoer = true;
  nopasswd = false;
  shell = "bash";   # bash | zsh | fish
};
```

```nix
network = {
  networkmanager.enable = true;
  firewall = {
    enable = true;
    allowedTCPPorts = [];
    allowedUDPPorts = [];
  };
};
```

```nix
boot = {
  loader = "systemd-boot";   # systemd-boot | grub
  timeout = 5;
  quietBoot = true;
};
```

```nix
nix = {
  flakes = true;
  autoOptimiseStore = true;
  gc = {
    enable = true;
    dates = "weekly";
    options = "--delete-older-than 7d";
  };
};
```

`modules/storage/data.nix` creates a `/data` directory tree that keeps package
managers and runtimes outside `$HOME`:
```text
/data/
├── appimage/            AppImage binaries
├── docker/              Docker data root
├── python/
│   ├── venvs/
│   └── packages/        pip user installs (PYTHONUSERBASE)
├── node/
│   ├── npm/             npm global packages
│   └── yarn/            yarn global packages
├── rust/
│   ├── cargo/           Cargo registry and binaries
│   └── rustup/          Rust toolchains
├── flatpak/
└── projects/
```
Environment variables (CARGO_HOME, NPM_CONFIG_PREFIX, etc.) are set
system-wide via /etc/profile.d/data-dirs.sh.
modules/storage/volumes.nix mounts external volumes (/mnt/DOCK, /mnt/NVME)
and creates bind mounts so Docker, Node, Python, and Rust data persist across
NixOS rebuilds.
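The module below is an added example of how the `/data` layout above can be expressed in NixOS; it is not the project's `data.nix`. Directory names and the variables `PYTHONUSERBASE`, `NPM_CONFIG_PREFIX` and `CARGO_HOME` come from this README; the owner and permission modes, `YARN_GLOBAL_FOLDER`, `RUSTUP_HOME`, and the Docker `data-root` setting are assumptions. It also uses NixOS's `environment.sessionVariables` instead of a `/etc/profile.d/data-dirs.sh` script, which is a substitution on this example's part.

```nix
# Added example (not the project's own data.nix): the /data layout as a NixOS
# module. Directory names and PYTHONUSERBASE, NPM_CONFIG_PREFIX, CARGO_HOME
# follow the README; modes, ownership, YARN_GLOBAL_FOLDER, RUSTUP_HOME and
# the Docker data-root setting are assumptions made for this example.
{ config, lib, ... }:

let
  cfg = config.system.config;
  owner = cfg.user.name;
  group = cfg.user.group;

  # Subdirectories of /data owned by the primary user.
  userDirs = [
    "appimage"
    "python/venvs" "python/packages"
    "node/npm" "node/yarn"
    "rust/cargo" "rust/rustup"
    "flatpak" "projects"
  ];

  # Variables that redirect each tool's state under /data.
  dataEnv = {
    PYTHONUSERBASE     = "/data/python/packages";
    NPM_CONFIG_PREFIX  = "/data/node/npm";
    YARN_GLOBAL_FOLDER = "/data/node/yarn";
    CARGO_HOME         = "/data/rust/cargo";
    RUSTUP_HOME        = "/data/rust/rustup";
  };
in
{
  # systemd-tmpfiles creates the tree at boot. Mode 0750 keeps other local
  # accounts out of the user's package caches (a cache directory that ends up
  # on PATH is a code-execution path if it is world-writable). Docker's data
  # root stays root-only.
  systemd.tmpfiles.rules =
    [
      "d /data 0755 root root -"
      "d /data/docker 0710 root root -"
    ]
    ++ map (d: "d /data/${d} 0750 ${owner} ${group} -") userDirs;

  # Docker's data root on /data so images survive rebuilds. Assumption: the
  # project may achieve the same with a bind mount in volumes.nix instead.
  virtualisation.docker.daemon.settings = lib.mkIf cfg.services.docker.enable {
    data-root = "/data/docker";
  };

  # The README ships these via /etc/profile.d/data-dirs.sh; this example uses
  # environment.sessionVariables, which reaches login shells and graphical
  # sessions alike.
  environment.sessionVariables = dataEnv;

  # Put cargo-installed binaries on PATH for every login shell.
  environment.extraInit = ''
    export PATH="/data/rust/cargo/bin:$PATH"
  '';
}
```

Because the directories are created by `systemd-tmpfiles` with explicit modes, a rebuild re-applies the intended ownership even if a tool later loosens it; `systemd-tmpfiles --cat-config` shows the resulting rules for review.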
modules/appimage.nix enables binfmt so AppImages run directly without a
wrapper, and provides a systemd one-shot service that downloads the following
managed AppImages on first boot:
| App | Category |
|---|---|
| Wavebox | Productivity browser |
| Simplenote | Note-taking |
| AnthemScore | Music transcription |
AppImages are stored in /data/appimage/ and .desktop entries are created
automatically in ~/.local/share/applications/.
A helper script run-appimage is also available for running arbitrary AppImages
with the correct library path.
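A one-shot service that downloads executables at first boot is a supply-chain trust point: whatever the URL serves becomes runnable on the machine. The module below is an added example, not the project's `appimage.nix`, of doing the download with a pinned SHA-256 per app so a changed or tampered file is discarded instead of installed. The three app names come from the table above; every URL and hash is an obviously marked placeholder that must be replaced with the vendor's published values. `programs.appimage.binfmt` is the real NixOS option for the binfmt registration the README describes.

```nix
# Added example, not the project's appimage.nix: fetch managed AppImages into
# /data/appimage and refuse to install any file whose SHA-256 does not match
# the pinned value. URLs and hashes are PLACEHOLDERS for illustration.
{ config, lib, pkgs, ... }:

let
  cfg = config.system.config;
  appDir = "/data/appimage";   # assumed to exist and be writable by the user

  # Pinned download manifest: name -> { url, sha256 }. Placeholder values.
  managedApps = {
    Wavebox     = { url = "https://EXAMPLE.invalid/Wavebox.AppImage";     sha256 = "<PLACEHOLDER_SHA256>"; };
    Simplenote  = { url = "https://EXAMPLE.invalid/Simplenote.AppImage";  sha256 = "<PLACEHOLDER_SHA256>"; };
    AnthemScore = { url = "https://EXAMPLE.invalid/AnthemScore.AppImage"; sha256 = "<PLACEHOLDER_SHA256>"; };
  };

  # Shell fragment for one app: download to a temp file, verify, then install.
  # The file only becomes executable after the checksum matches.
  fetchOne = name: app: ''
    target="${appDir}/${name}.AppImage"
    if [ ! -x "$target" ]; then
      tmp="$(mktemp "${appDir}/.${name}.XXXXXX")"
      curl --fail --location --proto '=https' --tlsv1.2 -o "$tmp" "${app.url}"
      if ! echo "${app.sha256}  $tmp" | sha256sum --check --strict --status -; then
        rm -f "$tmp"
        echo "checksum mismatch for ${name}, not installing" >&2
        exit 1
      fi
      chmod 0755 "$tmp"
      mv "$tmp" "$target"
    fi
  '';
in
{
  # binfmt lets the kernel run AppImages directly, as the README describes.
  programs.appimage = {
    enable = true;
    binfmt = true;
  };

  systemd.services.appimage-fetch = {
    description = "Download pinned managed AppImages";
    wantedBy = [ "multi-user.target" ];
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    path = [ pkgs.curl pkgs.coreutils ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      # Run as the unprivileged user that owns /data/appimage, not root.
      User = cfg.user.name;
    };
    # NixOS wraps `script` in `set -e`, so a failed curl aborts the unit.
    script = lib.concatStrings (lib.mapAttrsToList fetchOne managedApps);
  };
}
```

Updating an app then means changing its URL and hash in the manifest and rebuilding; `journalctl -u appimage-fetch` shows which download, if any, was rejected.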
modules/profiles/security.nix is an optional import that installs a
comprehensive toolkit organized into 13 categories:
- OSINT (theHarvester, recon-ng, spiderfoot, amass, subfinder…)
- SOCMINT (sherlock, yt-dlp…)
- Network sniffing (Wireshark, Bettercap, Aircrack-ng…)
- Brute force / password cracking (Hydra, Hashcat, John…)
- Penetration testing frameworks (Metasploit, OWASP ZAP, sqlmap…)
- Vulnerability scanning (nmap, Rustscan, Lynis…)
- Privacy / anonymity (Tor, WireGuard, ProxyChains…)
- Reconnaissance & enumeration (enum4linux, smbmap…)
- Social engineering helpers
- Post-exploitation (pwncat, CrackMapExec…)
- Forensics (Binwalk, Volatility3, Steghide…)
- Reverse engineering (Radare2, Ghidra)
- Utilities (netcat, socat, sslscan, Python security libs…)
These tools are for authorized security research, CTF competitions, and penetration testing engagements only. Unauthorized use may be illegal.
- nix-ld: enabled in `packages.nix` so unpatched binaries run without manual patching
- Flatpak: system Flatpak service enabled; user data redirected to `/data/flatpak`
- Android Debug Bridge: `programs.adb.enable = true`
- Scientific Python: bundled environment with NumPy, SciPy, TensorFlow, PyTorch, Jupyter, and more
```bash
# Rebuild and switch
sudo nixos-rebuild switch

# Dry run (check without applying)
sudo nixos-rebuild dry-build

# Garbage collection
sudo nix-collect-garbage -d
```

All settings live in `modules/config.nix`, the single source of truth. Each
module reads from `config.system.config` and activates conditionally:

```nix
{ config, lib, ... }:

let
  enabled = config.system.config.hardware.gpu == "amd";
in
{
  config = lib.mkIf enabled {
    # AMD-specific configuration
  };
}
```

MIT License
Created by julas23