init2

flake.nix

@@ -1,5 +1,5 @@
 {
-  description = "Your new nix config";
+  description = "NixOS configuration for OrbStack virtual machine";
 
   inputs = {
     # Nixpkgs
@@ -24,10 +24,6 @@
     # Supported systems for your flake packages, shell, etc.
     systems = [
       "aarch64-linux"
-      "i686-linux"
-      "x86_64-linux"
-      "aarch64-darwin"
-      "x86_64-darwin"
     ];
     # This is a function that generates an attribute by calling a function you
     # pass to it, with each system as an argument
@@ -50,10 +46,10 @@
     homeManagerModules = import ./modules/home-manager;
 
     # NixOS configuration entrypoint
-    # Available through 'nixos-rebuild --flake .#your-hostname'
+    # Available through 'nixos-rebuild --flake .#nixos'
     nixosConfigurations = {
-      # FIXME replace with your hostname
-      your-hostname = nixpkgs.lib.nixosSystem {
+      nixos = nixpkgs.lib.nixosSystem {
+        system = "aarch64-linux";
         specialArgs = {inherit inputs outputs;};
         modules = [
           # > Our main nixos configuration file <
@@ -66,8 +62,8 @@
     # Available through 'home-manager --flake .#your-username@your-hostname'
     homeConfigurations = {
       # FIXME replace with your username@hostname
-      "your-username@your-hostname" = home-manager.lib.homeManagerConfiguration {
-        pkgs = nixpkgs.legacyPackages.x86_64-linux; # Home-manager requires 'pkgs' instance
+      "wongdingfeng@nixos" = home-manager.lib.homeManagerConfiguration {
+        pkgs = nixpkgs.legacyPackages.aarch64-linux; # Home-manager requires 'pkgs' instance
         extraSpecialArgs = {inherit inputs outputs;};
         modules = [
           # > Our main home-manager configuration file <

home-manager/home.nix

@@ -47,8 +47,8 @@
 
   # TODO: Set your username
   home = {
-    username = "your-username";
-    homeDirectory = "/home/your-username";
+    username = "wongdingfeng";
+    homeDirectory = "/home/wongdingfeng";
   };
 
   # Add stuff for your user as you see fit:

modules/nixos/default.nix

@@ -2,5 +2,8 @@
 # These should be stuff you would like to share with others, not your personal configurations.
 {
   # List your module files here
-  # my-module = import ./my-module.nix;
+  important-defaults = import ./important-defaults.nix;
+  incus = import ./incus.nix;
+  orbstack = import ./orbstack.nix;
+  power-user-defaults = import ./power-user-defaults.nix;
 }

modules/nixos/important-defaults.nix

@@ -0,0 +1,108 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  networking = {
+    dhcpcd.enable = false;
+    useDHCP = false;
+    useHostResolvConf = false;
+  };
+
+  systemd.network = {
+    enable = true;
+    networks."50-eth0" = {
+      matchConfig.Name = "eth0";
+      networkConfig = {
+        DHCP = "ipv4";
+        IPv6AcceptRA = true;
+      };
+      linkConfig.RequiredForOnline = "routable";
+    };
+  };
+
+  # Extra certificates from OrbStack.
+  security.pki.certificates = [
+    ''
+      -----BEGIN CERTIFICATE-----
+MIIDrDCCApSgAwIBAgIEI80RYDANBgkqhkiG9w0BAQsFADA7MTkwNwYDVQQDEzBP
+S0JMIFB0ZSBMdGQuIEpTUyBCdWlsdC1pbiBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkw
+HhcNMjIxMDMxMDIzNjE1WhcNMzIxMTAxMDIzNjE1WjA7MTkwNwYDVQQDEzBPS0JM
+IFB0ZSBMdGQuIEpTUyBCdWlsdC1pbiBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzbHkHuA3SC3RWUJPo5mM+Wcgd
+tWhFuSbCWCiAmlVy7E6zUIv033I3eg9ZXZacoIJ7DlEVaXp1+DIuR0ZILq2IAp5q
+7wSanzE8Eq7Ka1NPwnhCpMu+YyzUwjGRw/hDYltsVqGpLHBchBwQ0itj7wJs+n9V
+/xEh2a6S/FPsJAStS60VZgQu+Bpd778e/ZlUCFGFl6Xk5zFIdzMQql6X48GWYLc5
+IhiKrFEss7UHpLZa/6PLj1F85phMen8sdrCXJUwSGZYjCOQjsQanFYuxpvQYO6zg
+NkbyL7JuMyAAg6ztD6CGKANFDBQsgDKqYUsRG0P5nmf9cnF4fumJ86QWfjvdAgMB
+AAGjgbcwgbQwHQYDVR0OBBYEFJshBkbb/ADo5cSCV3Mukp+Fb4VuMBMGA1UdJQQM
+MAoGCCsGAQUFBwMBMA4GA1UdDwEB/wQEAwIBpjAPBgNVHRMBAf8EBTADAQH/MDwG
+A1UdHwQ1MDMwMaAvoC2GK2h0dHBzOi8vMTAuMjU0LjMuNjM6ODQ0My8vQ0EvSkFN
+RkNSTFNlcnZsZXQwHwYDVR0jBBgwFoAUmyEGRtv8AOjlxIJXcy6Sn4VvhW4wDQYJ
+KoZIhvcNAQELBQADggEBAEgl30cuewET02r9lR+wRzRA2X4lW/oXQGFWROZhq9WX
+ACvuIco98OjrYLXuPhZGJoIgJCTaAfhHKNEFxeOzz7DXq3JTHX4Oige3GUVvtPtd
+Q7XDYY+T/Iz5MDGr9TjhPThlSHI94V/PyvkKOMuLw9gZuqWE2Je7xzKfI5wBqQ9d
+2aUamNfYTohnqqeQez8YdR+3/JMKOZwvI+8EtsvqlF7p//xl3dAAZZdzFNzo3PVg
+oqe2g+SRAI9id/uBks6V6dMn4d5kAJ5FOwqSFCSpEYmdd+KJpsOGfAcg2uFIlUpW
+KbKImVzBwC70WasJRFVKnXunraN3CpDVbO6pHtEaeIg=
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIDTTCCAjUCFHmjiAvwwHwuX9SFHpgT2mNKkH5hMA0GCSqGSIb3DQEBCwUAMGMx
+CzAJBgNVBAYTAkNOMQswCQYDVQQIDAJCSjELMAkGA1UEBwwCQkoxDDAKBgNVBAoM
+A09LWDEsMCoGA1UEAwwjY29waWxvdC1wcm94eS5naXRodWJ1c2VyY29udGVudC5j
+b20wHhcNMjMwOTIyMDY1NjU3WhcNMzMwOTE5MDY1NjU3WjBjMQswCQYDVQQGEwJD
+TjELMAkGA1UECAwCQkoxCzAJBgNVBAcMAkJKMQwwCgYDVQQKDANPS1gxLDAqBgNV
+BAMMI2NvcGlsb3QtcHJveHkuZ2l0aHVidXNlcmNvbnRlbnQuY29tMIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv2Mnc3xtrFed59qlCu6w92A9l3TpqRdp
+okIL0yIQIPOvbz5jr33PzedJADWrEiYZjKb0RQ55+slJSmjVoiTMHM2jkErnzNgj
+W9zUqri2hYAFC1qGt9gpVwbajESWKujOKiAPBO7f4/a60tfqtP72pMVEgbFzFCsS
+4dlbDWka26NnOg8VBv7Wy1qh13bqbIKtNl1xSdZwFaLP2VOuJ6xdVIlk9XX2Tm5T
+AxuSPWV4zali0OtlTvagW+t3avP1US9JZdgtPqwDSmraOL+S76vXUK7x+Sa/AGeW
+z7UgNtWc16XiZ7eM8CiJAFhhnEA3Y86P1nWU8DGs8Le/kZ7sxRxikQIDAQABMA0G
+CSqGSIb3DQEBCwUAA4IBAQBhmKeeqni2I0CPNqUeyJ7rc3ITXz5dM2FruNEpbLrr
+zHIjK/Za0NxriOyDyki+r+6CuvJNl+sYF7Vk54xGxI5oMJucFkNeUVpMA8HTQsfa
+IStxxdK8jS3DKEscxCmTyJ9oKuByxtJW/3qEyxlT2Vs/9M8T3/m4SWRjKmwJaVO0
+DqJS8+6maSfe00ImdfTe3KmY3x7LEIu8jedZFOAZRBZM8y6CSQv8IyzlpxzfgobE
+1P7ScY6yvCLX6YjRt6jtqDUE/a6pAXqISfwN9iAIhKYx3E5fZoM/iFcupux/TYuY
+46sRQL2aoTPcgmvw6Q1R7coBCzsOqHYy4tsuLvBZI0gN
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIICDTCCAbKgAwIBAgIQXdgipWagnrE5GbbsxqP+iTAKBggqhkjOPQQDAjBmMR0w
+GwYDVQQKExRPcmJTdGFjayBEZXZlbG9wbWVudDEeMBwGA1UECwwVQ29udGFpbmVy
+cyAmIFNlcnZpY2VzMSUwIwYDVQQDExxPcmJTdGFjayBEZXZlbG9wbWVudCBSb290
+IENBMB4XDTI0MDEyMjA2Mzc1MVoXDTM0MDEyMjA2Mzc1MVowZjEdMBsGA1UEChMU
+T3JiU3RhY2sgRGV2ZWxvcG1lbnQxHjAcBgNVBAsMFUNvbnRhaW5lcnMgJiBTZXJ2
+aWNlczElMCMGA1UEAxMcT3JiU3RhY2sgRGV2ZWxvcG1lbnQgUm9vdCBDQTBZMBMG
+ByqGSM49AgEGCCqGSM49AwEHA0IABCT9cwjy/POnei7TOctcgR0kbhv8oYEfxPJ5
+P4RK0iVUFc4EP4RPlJKuzrRmuhtrK/48dJNGEs5jAq9VNVQ1OrWjQjBAMA4GA1Ud
+DwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTPqAXlBXQI8aNF
+gYNaF5C4oMRQhTAKBggqhkjOPQQDAgNJADBGAiEA0UYxacbX2sjQvZYj3Mz3vf0k
+HOzhJmEkHfzAzeamADwCIQDwz/zK5ZKW9XY4jdTv41opt76e9sNw7sYAfwMsd721
+gw==
+-----END CERTIFICATE-----
+
+    ''
+  ];
+
+  # This option defines the first version of NixOS you have installed on this particular machine,
+  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+  #
+  # Most users should NEVER change this value after the initial install, for any reason,
+  # even if you've upgraded your system to a new NixOS release.
+  #
+  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+  # to actually do that.
+  #
+  # This value being lower than the current NixOS release does NOT mean your system is
+  # out of date, out of support, or vulnerable.
+  #
+  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+  # and migrated your data accordingly.
+  #
+  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+  system.stateVersion = "25.05"; # Did you read the comment?
+} 

modules/nixos/incus.nix

@@ -0,0 +1,12 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+
+# WARNING: THIS CONFIGURATION IS AUTOGENERATED AND WILL BE OVERWRITTEN AUTOMATICALLY
+
+{
+  networking.hostName = "nixos";
+} 

modules/nixos/orbstack.nix

@@ -0,0 +1,67 @@
+# Generated by OrbStack.
+# This WILL be overwritten in the future. Make a copy and update the include
+# in configuration.nix if you want to keep your changes.
+
+{ lib, config, ... }:
+
+{
+  # Add OrbStack CLI tools to PATH
+  environment.shellInit = ''
+    . /opt/orbstack-guest/etc/profile-early
+
+    # add your customizations here
+
+    . /opt/orbstack-guest/etc/profile-late
+  '';
+
+  # Enable documentation
+  documentation.man.enable = true;
+  documentation.doc.enable = true;
+  documentation.info.enable = true;
+
+  # Disable systemd-resolved
+  services.resolved.enable = false;
+  environment.etc."resolv.conf".source = "/opt/orbstack-guest/etc/resolv.conf";
+
+  # Faster DHCP - OrbStack uses SLAAC exclusively
+  networking.dhcpcd.extraConfig = ''
+    noarp
+    noipv6
+  '';
+
+  # Disable sshd
+  services.openssh.enable = false;
+
+  # systemd
+  systemd.services."systemd-oomd".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-userdbd".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-udevd".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-timesyncd".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-timedated".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-portabled".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-nspawn@".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-machined".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-localed".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-logind".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-journald@".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-journald".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-journal-remote".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-journal-upload".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-importd".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-hostnamed".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-homed".serviceConfig.WatchdogSec = 0;
+  systemd.services."systemd-networkd".serviceConfig.WatchdogSec = lib.mkIf config.systemd.network.enable 0;
+
+  # ssh config
+  programs.ssh.extraConfig = ''
+    Include /opt/orbstack-guest/etc/ssh_config
+  '';
+
+  # indicate builder support for emulated architectures
+  nix.settings.extra-platforms = [
+    "x86_64-linux"
+    "i686-linux"
+  ];
+
+  users.groups.orbstack.gid = 67278;
+} 

modules/nixos/power-user-defaults.nix

@@ -0,0 +1,77 @@
+# Power user optimizations and better defaults for NixOS
+{ config, pkgs, lib, ... }:
+
+{
+  # Enable flakes and new nix command by default
+  nix = {
+    settings = {
+      # Enable flakes and new nix command
+      experimental-features = [ "nix-command" "flakes" ];
+      
+      # Optimize builds
+      auto-optimise-store = true;
+      max-jobs = "auto";
+      cores = 0; # Use all available cores
+      
+      # Better substituters for faster downloads
+      substituters = [
+        "https://cache.nixos.org/"
+        "https://nix-community.cachix.org"
+        "https://cache.garnix.io"
+      ];
+      trusted-public-keys = [
+        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbCWZKkK1YDH9c6MCSM="
+      ];
+      
+      # Optimize networking
+      http-connections = 128;
+      max-substitution-jobs = 128;
+      
+      # Better compression
+      compress-build-log = true;
+      
+      # Security
+      require-sigs = true;
+      
+      # Keep build dependencies for debugging
+      keep-derivations = true;
+      keep-outputs = true;
+      
+      # Better sandbox
+      sandbox = true;
+      
+      # Trusted users for nix daemon
+      trusted-users = [ "root" "@wheel" ];
+    };
+    
+    # Automatic garbage collection
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 7d";
+    };
+    
+    # Optimize store automatically
+    optimise = {
+      automatic = true;
+      dates = [ "03:45" ];
+    };
+    
+    # Nix registry for flakes
+    registry = {
+      nixpkgs.flake = lib.mkDefault {
+        type = "github";
+        owner = "NixOS";
+        repo = "nixpkgs";
+        ref = "nixos-unstable";
+      };
+    };
+    
+    # Nix path for backwards compatibility
+    nixPath = [
+      "nixpkgs=flake:nixpkgs"
+    ];
+  };
+} 

nixos/configuration.nix

@@ -6,22 +6,22 @@
   lib,
   config,
   pkgs,
+  modulesPath,
   ...
 }: {
-  # You can import other NixOS modules here
+  # Import modules including LXC container support
   imports = [
-    # If you want to use modules your own flake exports (from modules/nixos):
-    # outputs.nixosModules.example
-
-    # Or modules from other flakes (such as nixos-hardware):
-    # inputs.hardware.nixosModules.common-cpu-amd
-    # inputs.hardware.nixosModules.common-ssd
-
-    # You can also split up your configuration and import pieces of it here:
-    # ./users.nix
+    # Include the default lxd configuration.
+    "${modulesPath}/virtualisation/lxc-container.nix"
     
     # Import your generated (nixos-generate-config) hardware configuration
     ./hardware-configuration.nix
+    
+    # Import our custom modules
+    outputs.nixosModules.important-defaults
+    outputs.nixosModules.incus
+    outputs.nixosModules.orbstack
+    outputs.nixosModules.power-user-defaults
   ];
 
   nixpkgs = {
@@ -68,41 +68,27 @@
     nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
   };
 
-  # FIXME: Add the rest of your current configuration
+  # User configuration
+  users.users.wongdingfeng = {
+    uid = 502;
+    extraGroups = [ "wheel" "orbstack" ];
 
-  # TODO: Set your hostname
-  networking.hostName = "your-hostname";
-
-  # TODO: Configure your system-wide user settings (groups, etc), add more users as needed.
-  users.users = {
-    # FIXME: Replace with your username
-    your-username = {
-      # TODO: You can set an initial password for your user.
-      # If you do, you can skip setting a root password by passing '--no-root-passwd' to nixos-install.
-      # Be sure to change it (using passwd) after rebooting!
-      initialPassword = "correcthorsebatterystaple";
-      isNormalUser = true;
-      openssh.authorizedKeys.keys = [
-        # TODO: Add your SSH public key(s) here, if you plan on using SSH to connect
-      ];
-      # TODO: Be sure to add any other groups you need (such as networkmanager, audio, docker, etc)
-      extraGroups = ["wheel"];
-    };
+    # simulate isNormalUser, but with an arbitrary UID
+    isSystemUser = true;
+    group = "users";
+    createHome = true;
+    home = "/home/wongdingfeng";
+    homeMode = "700";
+    useDefaultShell = true;
   };
 
-  # This setups a SSH server. Very important if you're setting up a headless system.
-  # Feel free to remove if you don't need it.
-  services.openssh = {
-    enable = true;
-    settings = {
-      # Opinionated: forbid root login through SSH.
-      PermitRootLogin = "no";
-      # Opinionated: use keys only.
-      # Remove if you want to SSH using passwords
-      PasswordAuthentication = false;
-    };
-  };
+  security.sudo.wheelNeedsPassword = false;
 
-  # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
-  system.stateVersion = "23.05";
+  # This being `true` leads to a few nasty bugs, change at your own risk!
+  users.mutableUsers = false;
+
+  time.timeZone = "Asia/Singapore";
+
+  # System packages are now handled in power-user-defaults.nix
+  # environment.systemPackages is defined there with a comprehensive list
 }

nixos/hardware-configuration.nix

@@ -8,5 +8,5 @@
   };
 
   # Set your system kind (needed for flakes)
-  nixpkgs.hostPlatform = "x86_64-linux";
+  nixpkgs.hostPlatform = "aarch64-linux";
 }