
system-planning
by khaneliman
Nix configuration for my systems supporting macOS, NixOS, and WSL.
⭐ 303 · 🍴 14 · 📅 Jan 23, 2026
SKILL.md
name: system-planning
description: NixOS system configuration and administration. Use when configuring system services, hardware setup, networking, security hardening, boot configuration, or system maintenance.
NixOS System Planning Guide
Expert guidance for NixOS system-level configuration, administration, and maintenance.
Core Principles
- Declarative first - Define desired state, let NixOS handle the rest
- Reproducibility - Same config should produce same system
- Atomic updates - Changes are all-or-nothing with rollback
- Security by default - Minimize attack surface
- Stability focus - Prioritize reliability over bleeding edge
System Configuration Workflow
Copy this checklist when making system changes:
System Configuration Progress:
- [ ] Step 1: Identify requirements and constraints
- [ ] Step 2: Check existing configuration for conflicts
- [ ] Step 3: Plan changes in staging/VM first
- [ ] Step 4: Implement changes incrementally
- [ ] Step 5: Test each change before next
- [ ] Step 6: Document non-obvious decisions
- [ ] Step 7: Verify rollback works if needed
Configuration Areas
System Services
```nix
# Enable and configure services
services.openssh = {
  enable = true;
  settings = {
    PermitRootLogin = "no";
    PasswordAuthentication = false;
    # Without this, PAM can still prompt for a password through the
    # keyboard-interactive method, so "key-only" would not actually hold
    KbdInteractiveAuthentication = false;
  };
};

services.nginx = {
  enable = true;
  recommendedGzipSettings = true;
  recommendedOptimisation = true;
  recommendedTlsSettings = true;
};
```
Hardware Configuration
```nix
# hardware-configuration.nix is generated by nixos-generate-config;
# extend it from your own modules rather than editing it in place
hardware.cpu.intel.updateMicrocode = true;
# enableAllFirmware pulls in non-redistributable blobs and fails evaluation
# unless nixpkgs.config.allowUnfree = true; enableRedistributableFirmware is the free subset
hardware.enableAllFirmware = true;

# GPU configuration. hardware.graphics replaced hardware.opengl in NixOS 24.11;
# the old driSupport option was removed and driSupport32Bit became enable32Bit
hardware.graphics = {
  enable = true;
  enable32Bit = true; # For Steam/gaming
};
```
Networking
```nix
networking = {
  hostName = "myhost";
  networkmanager.enable = true;
  # Firewall: these ports are opened on every interface
  firewall = {
    enable = true;
    allowedTCPPorts = [ 22 80 443 ];
    allowedUDPPorts = [ ];
  };
};
```
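The block above opens 22, 80 and 443 on every interface. The following is an added example, not code from the repository, of scoping the firewall more tightly: SSH is reachable only on a management interface, new SSH connections are rate-limited per source, and refused connections are logged so probes show up in the journal. The interface name `enp1s0` and the nftables backend are assumptions for this example.

```nix
# Added example: per-interface firewall scoping with the nftables backend.
# The interface name enp1s0 is a placeholder; check `ip link` on the real host.
{ ... }:
{
  networking = {
    hostName = "myhost";
    networkmanager.enable = true;
    nftables.enable = true; # use the nftables-based firewall instead of iptables

    firewall = {
      enable = true;
      # Public services only: SSH is deliberately absent from the global list
      allowedTCPPorts = [ 80 443 ];
      allowedUDPPorts = [ ];

      # SSH is accepted only on the management interface (assumed name)
      interfaces."enp1s0".allowedTCPPorts = [ 22 ];

      # Log refused connection attempts for the detection side; logging every
      # refused packet is noisy, so leave it off unless investigating
      logRefusedConnections = true;
      logRefusedPackets = false;

      # Raw nftables rule appended to the input chain (nftables backend only):
      # drop a source that opens more than 10 new SSH connections per minute
      extraInputRules = ''
        tcp dport 22 ct state new limit rate over 10/minute drop
      '';
    };
  };
}
```

After `nixos-rebuild switch`, `sudo nft list ruleset` shows the generated chains, and `journalctl -k | grep refused` shows what the firewall dropped.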
Boot Configuration
```nix
boot = {
  loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true; # lets the installer write boot entries to NVRAM
  };
  # Kernel parameters
  kernelParams = [ "quiet" "splash" ];
  # Kernel modules loaded at boot
  kernelModules = [ "kvm-intel" ];
};
```
User Management
```nix
users.users.myuser = {
  isNormalUser = true;
  description = "My User";
  # The docker group is root-equivalent (the daemon socket can bind-mount /
  # into a container); grant it only to users who really administer containers
  extraGroups = [ "wheel" "networkmanager" "docker" ];
  openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAA..."
  ];
};

# Disable mutable users for reproducibility: passwd/usermod changes are thrown
# away at the next rebuild, so a password must be declared (hashedPassword or
# hashedPasswordFile) or the account is reachable by SSH key only
users.mutableUsers = false;
```
Security Hardening
Essential Security Settings
```nix
security = {
  # Sudo configuration
  sudo = {
    enable = true;
    wheelNeedsPassword = true; # already the default; stated so an override elsewhere is visible
  };
  # Audit logging
  auditd.enable = true;
  # AppArmor (alternative to SELinux)
  apparmor.enable = true;
};

# Disable unnecessary services
services.avahi.enable = false;

# Restrict kernel features: no BPF for unprivileged users, hardened JIT.
# Note that unprivileged_bpf_disabled = 1 cannot be reverted without a reboot.
boot.kernel.sysctl = {
  "kernel.unprivileged_bpf_disabled" = 1;
  "net.core.bpf_jit_harden" = 2;
};
```
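The settings above are a minimum. Below is an added example, not part of the repository, of a fuller hardening module: audit rules that record every exec and every change to sudoers and the account database, a blacklist of rarely used network protocols, a wider sysctl set, fail2ban in front of sshd, and a systemd sandbox for a custom service. The service name `myapp`, its ExecStart, and the ignored address range are placeholders for this example.

```nix
# Added example: hardening module for a NixOS host.
# "myapp", its ExecStart and the 10.0.0.0/8 range are placeholders.
{ pkgs, ... }:
{
  security = {
    sudo = {
      enable = true;
      wheelNeedsPassword = true;
      execWheelOnly = true;      # only wheel members may execute the sudo binary at all
    };
    apparmor.enable = true;
    protectKernelImage = true;   # disables kexec and hibernation, so the running kernel stays fixed

    # Kernel audit subsystem plus daemon; rules use auditctl syntax
    audit.enable = true;
    audit.rules = [
      "-a exit,always -F arch=b64 -S execve -k exec"   # every program execution
      "-w /etc/sudoers -p wa -k sudoers"               # writes to the sudo policy
      "-w /etc/passwd -p wa -k identity"               # account changes
    ];
    auditd.enable = true;
  };

  # Protocols almost no host needs; disabling them removes their kernel attack surface
  boot.blacklistedKernelModules = [ "dccp" "sctp" "rds" "tipc" ];

  boot.kernel.sysctl = {
    "kernel.unprivileged_bpf_disabled" = 1;
    "net.core.bpf_jit_harden" = 2;
    "kernel.kptr_restrict" = 2;         # never expose kernel pointers in /proc
    "kernel.dmesg_restrict" = 1;        # dmesg requires CAP_SYSLOG
    "kernel.yama.ptrace_scope" = 1;     # only a parent may ptrace; may break some debuggers
    "kernel.sysrq" = 0;
    "fs.protected_symlinks" = 1;
    "fs.protected_hardlinks" = 1;
    "fs.protected_fifos" = 2;
    "fs.protected_regular" = 2;
    "net.ipv4.conf.all.rp_filter" = 1;
    "net.ipv4.conf.all.accept_redirects" = 0;
    "net.ipv4.conf.all.send_redirects" = 0;
    "net.ipv6.conf.all.accept_redirects" = 0;
    "net.ipv4.tcp_syncookies" = 1;
  };

  # Ban sources that fail sshd authentication repeatedly (range is assumed)
  services.fail2ban = {
    enable = true;
    ignoreIP = [ "10.0.0.0/8" ];
    maxretry = 5;
  };

  # Sandbox a custom service with systemd's hardening directives.
  # Score the result with: systemd-analyze security myapp
  systemd.services.myapp = {
    description = "Example hardened service (placeholder)";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      ExecStart = "${pkgs.python3}/bin/python3 -m http.server 8080";
      DynamicUser = true;                 # transient UID, no account to steal
      StateDirectory = "myapp";           # the only writable path: /var/lib/myapp
      ProtectSystem = "strict";           # whole filesystem read-only except StateDirectory
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;
      NoNewPrivileges = true;             # setuid binaries cannot raise privileges
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;
      LockPersonality = true;
      MemoryDenyWriteExecute = true;      # no W+X mappings; drop if the program JITs
      CapabilityBoundingSet = "";         # no capabilities at all
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
      SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
      SystemCallArchitectures = "native";
      UMask = "0077";
    };
  };
}
```

Apply it with `nixos-rebuild test` first: `ptrace_scope`, `lockPersonality` and the seccomp filter are the settings most likely to break a real workload, and `systemd-analyze security myapp` reports which directives are still missing.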
Security Checklist
- SSH key-only authentication
- Firewall enabled with minimal ports
- Automatic security updates configured
- Audit logging enabled
- Unnecessary services disabled
- User privileges minimized
Performance Tuning
System Optimization
```nix
# Increase file descriptor limits
security.pam.loginLimits = [{
  domain = "*";
  type = "soft";
  item = "nofile";
  value = "65536";
}];

# Zram swap for better memory utilization
zramSwap = {
  enable = true;
  algorithm = "zstd";
  memoryPercent = 50;
};

# SSD optimization: periodic TRIM
services.fstrim.enable = true;
```
Maintenance Procedures
Regular Tasks
| Task | Frequency | Command |
|---|---|---|
| Update system | Weekly | Channel-based host: sudo nixos-rebuild switch --upgrade. Flake-based host: nix flake update && sudo nixos-rebuild switch --flake . (--upgrade only moves channels and does nothing for a flake) |
| Garbage collection | Monthly | sudo nix-collect-garbage --delete-older-than 14d (the -d form deletes every old generation and with it every rollback target) |
| Check disk space | Weekly | df -h |
| Review logs | Weekly | journalctl -p err -b |
| Test rollback | After major changes | Boot the previous generation from the boot menu, or sudo nixos-rebuild switch --rollback |
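The "Automatic security updates configured" item in the security checklist and the weekly/monthly tasks in the table above can both be made declarative. The following is an added example, not code from the repository: a weekly upgrade from the flake that defines the host, garbage collection that keeps two weeks of generations as rollback targets, and a bounded boot menu. The flake URL, host name and retention periods are assumptions for this example.

```nix
# Added example: declarative upgrades and garbage collection.
# The flake URL, host attribute and retention periods are placeholders.
{ ... }:
{
  # Weekly rebuild from the repository that defines this host. Upgrades follow
  # the flake.lock committed there, so bumping inputs in the repo is the update.
  system.autoUpgrade = {
    enable = true;
    flake = "github:example/nix-config#myhost";
    dates = "Sun 04:00";
    randomizedDelaySec = "30min";   # spread load when many hosts share the schedule
    operation = "switch";           # "boot" would stage the new generation for the next reboot
    allowReboot = false;            # reboot by hand after reviewing what changed
  };

  # Automatic garbage collection that leaves recent generations in place,
  # unlike nix-collect-garbage -d, which removes every rollback target
  nix.gc = {
    automatic = true;
    dates = "weekly";
    options = "--delete-older-than 14d";
  };
  nix.settings.auto-optimise-store = true;   # hard-link identical store files

  # Limit boot menu entries; older generations still exist for nixos-rebuild --rollback
  boot.loader.systemd-boot.configurationLimit = 10;
}
```

`systemctl list-timers` shows the nixos-upgrade and nix-gc timers, and `nixos-rebuild list-generations` confirms that at least two weeks of generations survive each collection.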
Troubleshooting Quick Reference
| Issue | Diagnostic | Resolution |
|---|---|---|
| Boot failure | Boot previous generation | Fix config, rebuild |
| Service won't start | systemctl status <service>; journalctl -u <service> -b | Fix config, rebuild |
| Network issues | ip addr, ping | Check networking config |
| Disk full | ncdu / | Run garbage collection |
| Performance issues | htop, iotop | Identify bottleneck |
Decision Guide
When to Use System vs Home Config
| Configuration | System (nixos/) | Home (home/) |
|---|---|---|
| System services | Yes | No |
| Hardware drivers | Yes | No |
| Firewall rules | Yes | No |
| User applications | Prefer home | Yes |
| Desktop environment | Either | Prefer home |
| Shell configuration | Either | Prefer home |
See Also
- Module placement: See scaffolding-modules for where to put system configs
- Configuration layers: See configuring-layers for override precedence
- Flake management: See managing-flakes for input and dependency management
Score
Total Score: 65/100 (based on repository quality metrics)

| Criterion | Condition | Points |
|---|---|---|
| ✓ SKILL.md | Contains a SKILL.md file | +20 |
| ○ LICENSE | A license is set | 0/10 |
| ○ Description | Has a description of 100 characters or more | 0/10 |
| ✓ Popularity | 100 or more GitHub stars | +5 |
| ✓ Recent activity | Updated within the last month | +10 |
| ✓ Forks | Forked 10 or more times | +5 |
| ✓ Issue management | Fewer than 50 open issues | +5 |
| ✓ Language | A programming language is set | +5 |
| ✓ Tags | One or more tags are set | +5 |
