| Component | Choice |
|---|---|
| Host | Lenovo ThinkPad T14 Gen 2a (AMD Ryzen) |
| OS | NixOS Unstable with Flakes |
| WM | Hyprland + UWSM + HyprPanel |
| Theme | Gruvbox Dark Hard (via Stylix) |
| Shell | Zsh + Powerlevel10k |
| Terminal | Kitty |
| Editor | VSCodium / Neovim |
| Browser | Chromium (Firejailed) |
| Filesystem | Btrfs with auto-scrub & balance |
The diagram shows how the config flows from top to bottom. Six flake inputs (nixpkgs, home-manager, agenix, lanzaboote, spicetify, stylix) feed into flake.nix, which passes everything down to configuration.nix — the cockpit. From there, three branches split off: host/ for machine-specific hardware, modules/ for all features, and users/ for per-user settings.
Inside modules/, each category (apps, dev, security, hardware...) contains individual .nix files. The ◉ indicator marks modules that can be toggled on or off directly from the cockpit — no need to touch the module files themselves. Modules marked with ● are always active (core, desktop). The cybersec module has 18 sub-toggles so I can pick exactly which toolsets I need for a given job.
File tree
```
/etc/nixos/
├── flake.nix                 # Flake inputs & system entry point
├── configuration.nix         # Control center — all imports & toggles
├── host/
│   ├── hardware-configuration.nix
│   ├── hardware.nix          # Kernel, mt7921e, Wayland env vars
│   └── locale.nix
├── modules/
│   ├── core/
│   │   ├── boot.nix          # systemd-boot, Plymouth, kernel params
│   │   ├── nix.nix           # Nix settings, GC, Btrfs maintenance
│   │   └── services.nix      # Blueman, Flatpak, GNOME Keyring, SSH
│   ├── desktop/
│   │   ├── hyprland.nix      # Hyprland config, keybinds, monitors
│   │   ├── hyprpanel.nix     # HyprPanel bar configuration
│   │   ├── greetd.nix        # TUI greeter
│   │   ├── rofi.nix          # App launcher (+config.rasi)
│   │   ├── styling.nix       # Stylix, fonts, GTK, cursors, wallpapers
│   │   └── xdg.nix           # MIME defaults, portals, user dirs
│   ├── apps/
│   │   ├── browsing.nix      # Chromium
│   │   ├── communication.nix # Signal, Discord, Tutanota
│   │   ├── creative.nix      # GIMP, Darktable, Kdenlive, OBS
│   │   ├── entertainment.nix # Spicetify (Spotify)
│   │   ├── filemanager.nix   # Nautilus
│   │   ├── media.nix         # VLC, Zathura
│   │   ├── office.nix        # LibreOffice, OnlyOffice
│   │   ├── terminals.nix     # Kitty
│   │   ├── terminal-fun.nix  # Pipes, CMatrix, cowsay
│   │   └── cybersec.nix      # 150+ pentesting tools
│   ├── dev/
│   │   ├── tools.nix         # VSCodium, Git, Neovim, Cargo
│   │   ├── virtualization.nix # Docker, libvirtd, QEMU
│   │   ├── shell.nix         # Zsh, P10k, Fastfetch, aliases
│   │   └── commonAliases.nix # Shared shell aliases
│   ├── security/
│   │   ├── auth.nix          # PAM, SSH, sudo rules
│   │   ├── encryption.nix    # Agenix, GnuPG
│   │   ├── firejail.nix      # Sandboxed apps
│   │   ├── hardening.nix     # Kernel sysctl, auditd
│   │   ├── usbguard.nix      # USB device whitelisting
│   │   ├── clamav.nix        # Antivirus + realtime scanning
│   │   └── aide.nix          # File integrity monitoring
│   ├── hardware/
│   │   ├── audio.nix         # Pipewire + parametric EQ
│   │   ├── bluetooth.nix     # Bluetooth (off by default)
│   │   ├── gpu.nix           # Intel/NVIDIA (mkEnableOption)
│   │   ├── network.nix       # NetworkManager, WireGuard, Tailscale
│   │   ├── peripherals.nix   # Printing, webcam
│   │   └── power.nix         # auto-cpufreq, AMD pstate
│   └── gaming.nix            # Steam, Wine (disabled)
├── users/daskladas/default.nix
├── scripts/                  # Wallpaper manager, rofi modes
└── assets/                   # Screenshot, flake diagram
```
- Flat & readable — max 2 levels of nesting, no empty wrapper files
- Security-first — Firejail sandboxing, USBGuard, ClamAV realtime, AIDE integrity, kernel hardening, auditd
- Declarative — single `configuration.nix` controls everything
- `mkEnableOption` toggles — `gaming.enable`, `hw.gpu.enable` / `hw.gpu.brand`
- Stylix theming — Gruvbox Dark Hard applied system-wide
- Pentesting ready — 150+ security tools in `cybersec.nix`
I wanted a single place to control what gets installed — no digging through module files to enable or disable something. The configuration.nix acts as a central control panel where every feature is a simple true/false toggle.
Main toggles enable entire categories, sub-toggles control individual components:
```nix
# One toggle for all pentesting tools
cybersec.enable = true;
cybersec.recon.enable = true;
cybersec.wireless.enable = false; # don't need this today
cybersec.forensics.enable = true;

# Or disable a whole section at once
gaming.enable = false;
```

This way I can spin up a minimal system for travel or a full pentesting workstation — same config, different toggles.
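For readers who want to see the other side of those toggles, here is a minimal module in the `mkEnableOption` style the cockpit relies on. This is an added illustration, not the repository's actual `cybersec.nix`; the option names follow the snippet above, while the package lists (`nmap`, `masscan`, `aircrack-ng`, `sleuthkit`, `foremost`) are my assumptions about what such toolsets would contain.

```nix
# Added example of a toggleable module (not the repo's own cybersec.nix).
# One master toggle gates the whole module; sub-toggles pick toolsets.
{ config, lib, pkgs, ... }:

let
  cfg = config.cybersec;
in
{
  options.cybersec = {
    enable = lib.mkEnableOption "pentesting toolsets";
    recon.enable = lib.mkEnableOption "network reconnaissance tools";
    wireless.enable = lib.mkEnableOption "wireless auditing tools";
    forensics.enable = lib.mkEnableOption "disk and memory forensics tools";
  };

  # Everything below is dropped from the system closure when
  # cybersec.enable = false, no matter what the sub-toggles say.
  config = lib.mkIf cfg.enable {
    environment.systemPackages = with pkgs;
      # Package choices are assumptions for illustration.
      lib.optionals cfg.recon.enable [ nmap masscan ]
      ++ lib.optionals cfg.wireless.enable [ aircrack-ng ]
      ++ lib.optionals cfg.forensics.enable [ sleuthkit foremost ];
  };
}
```

`configuration.nix` then imports the file and sets `cybersec.enable` and the sub-toggles exactly as in the snippet above. One caveat worth knowing: because the whole `config` block sits under `lib.mkIf cfg.enable`, setting `cybersec.recon.enable = true` while `cybersec.enable = false` installs nothing, so a travel build stays genuinely minimal even if a sub-toggle was left on.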
```bash
# Clone (SSH remote; swap in the HTTPS URL if you have no key set up)
git clone git@github.com:daskladas/lapdots.git /etc/nixos

# Apply
sudo nixos-rebuild switch

# Update inputs (rewrites flake.lock in /etc/nixos, hence sudo)
sudo nix flake update
sudo nixos-rebuild switch

# Show what would be built or fetched, without building or activating
sudo nixos-rebuild dry-build
```

| Command | Description |
|---|---|
| `sudo nixos-rebuild switch` | Apply & activate |
| `sudo nixos-rebuild dry-build` | Show what would be built or fetched, without building or activating |
| `nix flake update` | Update all inputs |
| `sudo nix-collect-garbage -d` | Remove old generations |
| `nh os switch` | Rebuild via nh (prettier output) |
| Command | Description |
|---|---|
| `nixos-rebuild switch --show-trace` | Detailed error trace |
| `journalctl -xeu home-manager-daskladas` | Home Manager logs |
| `systemctl --user status hyprpanel` | HyprPanel status |
| `aide-check` | File integrity check |
| `clamscan-status` | Last antivirus scan |
| `audit-log` | Recent security events |
| `usb-list` | All USB devices |
Built with ❤️ and mass amounts of ☕
Special thanks to @c0d3h01 for the inspiration and initial setup!
