Selectively Using Service Modules from NixOS Unstable

A few weeks ago I ran nix flake update to get the latest versions of CLI tools that I regularly use from nixos-unstable. atuin is one of those tools which I started using relatively recently and quickly became a huge fan of. I run it on all of my machines, and I can’t overstate how amazing it is to have all of my shell history across all of my machines synced.

Building and Privately Caching x86 and aarch64 NixOS Systems with Github Actions

In the previous article we walked through how to set up our very own Nix binary cache. It’s great being able to run attic push system /run/current-system on whichever machine we are currently using, but the chances are that if you use Nix to manage your system configurations, you have a system configuration monorepo, and depending on how many machines and architectures you are targeting, it can quickly become tiresome to manually push to the cache from each of them.

Deploying a Cloudflare R2-Backed Nix Binary Cache (Attic!) on Fly.io

I have tried running the Attic Nix Binary Cache on my Hetzner dedicated server in Germany a few times in the past, but the peering issues and the latency to Xfinity in Seattle have always made me throw my hands up in frustration. This morning I noticed a comment by Zhaofeng on the repo issue tracker. As a NixOS aficionado myself, I begrudgingly admit that I’ve been running my instance on fly.

Cloudflare and NixOS Tips When Deploying a Personal Mastodon Server

For the most part I feel very much at home on the Hachyderm Mastodon server; it’s probably the best social media experience that I can remember having and I have had the pleasure of interacting with so many cool and impassioned people there. Hachyderm implements the default 500 character post limit which is hard-coded into the Mastodon codebase and, as of writing this, seems unlikely to ever be made configurable.

Circumventing Network Bans with WireGuard

Before this week, it had been a long time since I visited the Plex subreddit. I shared my last article there, which was a technical write-up of moving my Plex instance from a Hetzner auction server to a virtual machine running on hardware in my home network, and the considerations that influenced the migration. It didn’t take long for me to realize that a culture of hostility towards even the mention of Hetzner or other cloud hosting providers has strongly taken root since Plex announced its blanket network ban on IP ranges associated with Hetzner data centers.

Rethinking Plex Hosting After the Hetzner Ban

Last October, Plex started blocking access to instances running on servers hosted by Hetzner. I have a Hetzner Auction server that I renew every year or so to make use of newer hardware, which I use to run various workloads, from web services, to scheduled jobs and self-hosted instances of privacy-friendly alternative web frontends like Nitter. Another one of those workloads, until recently, was Plex. I didn’t have the time to put too much effort into getting around the Hetzner network ban when it was first implemented, so I just started running Jellyfin instead.

Set your NIX_PATH to your System Flake’s Nixpkgs for a More Predictable Nix-Shell

I came across an interesting thread on the NixOS subreddit today that helped me fix a problem that I didn’t even know I had with my NixOS system configuration. Every now and then, I’ll try to quickly do nix-shell -p somepackage, and it will fail, because somepackage couldn’t be found. I go and check https://search.nixos.org and it’s there. Huh. Weird. So I just go and add it to my environment.systemPackages to install it, and remove it if it turns out I don’t really need it.

Managing Dotfiles on Windows 11 With NixOS

I have a confession to make. Until yesterday, I did not have any form of dotfiles management or versioning for my Windows 11 machine. Yes, I, the person who wrote an entire tiling window manager for Windows from scratch in Rust, did not manage my dots. I had to sheepishly admit this on more than one occasion in the project Discord server when people would watch my live programming videos and then ask if I could share my Windows dotfiles repo.

Handling Secrets in NixOS: An Overview

There are a number of different approaches available for NixOS users to handle secrets. The most popular tend to be git-crypt, agenix and sops-nix. But which one should you use? To hopefully help you in answering this question for yourself, here is an overview of a few common use cases and what I think is most appropriate for each. Managing Your Own Physical Machines Maybe you have a desktop, a Macbook and a Raspberry Pi which you are managing from a single NixOS flake repo.

Providing Runtime Secrets to NixOS Services

In my last post, I shared how to get a working instance of Nitter deployed on NixOS, but requested advice on how to best automatically provision the guest_accounts.json runtime secret file on the target server. A number of folks reached out to me on Mastodon (thanks @[email protected], @[email protected], @[email protected] and @[email protected]!) to suggest that I use agenix to copy encrypted files to the server and decrypt them in non-world readable directories, and then use systemd’s LoadCredentials option to make them available to the nitter service.