Parker Jones Dev Blog - flakesDev Blog of Parker JonesZola2026-06-26T00:00:00+00:00https://parkerjones.dev/tags/flakes/atom.xmlOne Flake, Every Machine: a NixOS + macOS Fleet2026-06-26T00:00:00+00:002026-06-26T00:00:00+00:00
Unknown
https://parkerjones.dev/posts/nix-fleet-one-flake/<blockquote>
<p><strong>Nix Fleet, part 1.</strong> This post is the architecture overview. Later parts go deep on the pieces it depends on: cross-arch remote builders, fleet-wide secrets with agenix, and bare-metal install of a NAS with disko.</p>
</blockquote>
<p>Every machine I work on — Linux servers, a NAS, and my M3 MacBook — is configured by <a rel="external" href="https://github.com/parallaxisjones/dotfiles">one Git repository</a>. One <code>flake.nix</code> describes all of them: same shell, same tools, same agent skills, same secrets handling, whether the target is <code>x86_64-linux</code>, <code>aarch64-linux</code>, or <code>aarch64-darwin</code>. Adding a machine means adding a host entry; changing my setup everywhere means one commit and a rebuild.</p>
<p>This is the "single source of truth for my computing environment" that Nix promises and rarely delivers without a fight. Here's how the repo is laid out and the one trick that makes cross-architecture management actually pleasant.</p>
<h2 id="the-shape-of-the-repo">The shape of the repo</h2>
<pre><code data-lang="text">nixos-config/
├── flake.nix # inputs + outputs: hosts, devShells, apps
├── hosts/
│ ├── nixos/ # configuration.nix, hardware-configuration.nix,
│ │ # helios64.nix (the NAS), profiles/
│ └── darwin/ # configuration.nix (the Mac)
├── modules/
│ ├── shared/ # config + secrets shared across OSes
│ ├── nixos/ # homelab services, Linux-only config
│ └── darwin/ # dock, homebrew casks, home-manager
├── overlays/ # package customizations
└── justfile # deploy / check convenience targets
</code></pre>
<p>The split that makes this maintainable: <strong><code>hosts/</code> is per-machine, <code>modules/</code> is shared.</strong> A host file is mostly a list of which modules to import plus its hardware specifics. The actual configuration — my packages, dotfiles, services — lives in modules that any host can pull in. When I want a tool on every machine, it goes in <code>modules/shared</code>; when it's Linux-only, <code>modules/nixos</code>; macOS-only, <code>modules/darwin</code>.</p>
<h2 id="what-s-wired-together">What's wired together</h2>
<p>The flake stitches together the whole modern Nix ecosystem:</p>
<pre><code data-lang="nix">inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
home-manager.url = "github:nix-community/home-manager";
darwin.url = "github:LnL7/nix-darwin/master"; # macOS, declaratively
nix-homebrew.url = "github:zhaofengli-wip/nix-homebrew";
disko.url = "github:nix-community/disko"; # declarative partitioning
fenix.url = "github:nix-community/fenix"; # Rust toolchains
agenix.url = "github:ryantm/agenix"; # age-encrypted secrets
secrets.url = "git+ssh://git@github.com/parallaxisjones/nix-secrets.git";
my-skills.url = "github:parallaxisjones/skills"; # my Claude skills
# ...
};
</code></pre>
<p>A few deliberate choices in there:</p>
<ul>
<li><strong><code>nix-darwin</code> + <code>home-manager</code></strong> mean my Mac is configured by the same mechanisms as my Linux boxes. The dock, defaults, and dotfiles are all declarative.</li>
<li><strong><code>nix-homebrew</code></strong> is the pragmatic concession: GUI Mac apps still come from Homebrew casks, but managed <em>through</em> Nix so the cask list is in the repo, not in my shell history.</li>
<li><strong><code>fenix</code></strong> pins my Rust toolchain so <code>cargo</code>/<code>clippy</code> are identical everywhere.</li>
<li><strong><code>secrets</code></strong> is a <em>separate private repo</em> pulled in as an input — encrypted secrets are versioned and shared across hosts without living in this (public) config. That's its own post.</li>
<li><strong><code>my-skills</code></strong> wires my <a href="/posts/skills-with-nix/">Claude agent skills</a> into the same declarative system.</li>
</ul>
<h2 id="the-cross-arch-trick-build-where-you-can">The cross-arch trick: build where you can</h2>
<p>Here's the problem a mixed fleet runs into immediately: <strong>my macOS laptop cannot build Linux derivations locally.</strong> So how do I deploy to the NixOS box from the Mac? The answer is to build <em>on the target</em> and just orchestrate from the laptop. My <code>justfile</code> deploy recipe:</p>
<pre><code data-lang="make"># Build + switch the NixOS host remotely over SSH. Builds ON the server
# (--build-host) since a darwin laptop can't build Linux derivations locally.
deploy host=nixos_host:
nix run nixpkgs#nixos-rebuild -- switch \
--flake .#{{nixos_attr}} \
--target-host parallaxis@{{host}} \
--build-host parallaxis@{{host}} \
--use-remote-sudo
</code></pre>
<p><code>--build-host</code> and <code>--target-host</code> both pointing at the server means the laptop never compiles a Linux package — it hands the flake to the server, the server builds and switches, and <code>--use-remote-sudo</code> handles the privilege step. I get to drive everything from my editor on macOS. (Part 2 covers the inverse — building Linux artifacts <em>from</em> the Mac via a remote builder — for when you do want local orchestration of the build itself.)</p>
<p>There's a <code>check</code> target too, for a fast feedback loop that doesn't build anything:</p>
<pre><code data-lang="make">check:
nix eval .#nixosConfigurations.{{nixos_attr}}.config.system.build.toplevel.drvPath
</code></pre>
<p>Evaluating the derivation path is a near-instant syntax-and-type check of the whole host config — the Nix equivalent of <code>tsc --noEmit</code>.</p>
<h2 id="the-gotcha-that-cost-me-time">The gotcha that cost me time</h2>
<p>My <code>nixosConfigurations</code> are keyed by <strong>system string</strong>, not hostname. So the deploy target is <code>.#x86_64-linux</code>, <em>not</em> <code>.#nixos</code>:</p>
<pre><code data-lang="make">nixos_attr := "x86_64-linux" # NOT the hostname
</code></pre>
<p>If you key your configs this way and then try <code>nixos-rebuild --flake .#nixos</code>, you get a confusing "attribute not found" with no hint about why. Worth a comment in your own repo so future-you doesn't lose twenty minutes to it. (I did.)</p>
<h2 id="why-it-s-worth-the-upfront-cost">Why it's worth the upfront cost</h2>
<p>Nix has a real learning tax, and a single-machine setup rarely justifies it. A <em>fleet</em> does. The payoffs that keep me here:</p>
<ul>
<li><strong>Small, frequent, reversible changes.</strong> Every change is a commit; every rebuild is a new generation I can roll back to atomically. I deploy config changes the way I deploy code.</li>
<li><strong>New machines reach parity from the flake.</strong> No "setup day." The repo <em>is</em> the setup.</li>
<li><strong>One mental model across operating systems.</strong> I stopped maintaining a separate pile of macOS hacks and a separate pile of Linux hacks. It's all modules.</li>
</ul>
<p>The roadmap from here — and the next posts in this series — is the interesting infrastructure underneath: <a href="/posts/nix-fleet-remote-builders/"><strong>remote builders</strong></a> so cross-compilation stops being a chore (part 2), <a href="/posts/nix-fleet-agenix-secrets/"><strong>agenix</strong></a> for secrets that are versioned and fleet-wide without ever sitting in plaintext (part 3), and standing up a <a href="/posts/nix-fleet-helios64-disko/"><strong>Helios64 NAS</strong></a> from bare metal with <code>disko</code> (part 4). The overview is the boring part. The machinery is where Nix gets fun.</p>
<p><em>The full fleet configuration lives in <a rel="external" href="https://github.com/parallaxisjones/dotfiles"><code>parallaxisjones/dotfiles</code></a>.</em></p>
<p><em>— Parker Jones, <a rel="external" href="https://parkerjones.dev">parkerjones.dev</a></em></p>