Technical Documentation and Features
1. Introduction
Declarative Technologies delivers a NixOS 25.05 workstation image with an “it-works-my-way” philosophy; one repo, one stack, minimal tuning knobs. The current build targets single-user desktops and small office servers rather than large fleets; anything outside that scope is aspirational, so it isn’t listed here.
2. System Architecture
| Layer | What You Really Use | Notes |
|---|---|---|
| Boot | systemd-boot on EFI | Simple; no GRUB complexity. |
| Root FS | Btrfs on a single partition, mounted via subvolume @ | Chosen for snapshots & compression; no ZFS present. |
| Config Source | Git monorepo at /etc/nixos | hosts/, sys-modules/, hardware-configuration.nix, etc. |
| Update Flow | switch.sh script → git pull → nix flake update → nixos-rebuild switch | Runs on every manual call; throttles flake update to 10 min. No CI, no signing. |
| Networking | NetworkManager + optional Tailscale | Tailscale set to client routing; no exit nodes. |
| Display Stack | KDE Plasma (X11) + NVIDIA proprietary drivers | hardware.graphics.enable, PRIME offload |
2.1 Filesystem & Snapshotting
- Btrfs snapshots are manual only; see `scripts/btrfs-subvolume.sh` for subvolume creation. There is no automatic timeline, rollback helper, or remote replication.
- Swap lives on a dedicated partition labelled `swap`; nothing fancy.
2.2 Monorepo Layout
```text
/etc/nixos
├── hosts/                     # host-specific configs
├── sys-modules/               # 50-ish reusable .nix modules
├── scripts/                   # helper bash scripts (switch, hostname, btrfs, etc.)
└── hardware-configuration.nix
```
Everything (including flake.lock) is committed so rebuilds are deterministic; you don’t regenerate the lock on the fly.
3. Software Stack
| Category | Enabled Modules / Packages | Comment |
|---|---|---|
| Desktop | plasma.nix, papirus-theme.nix, fonts.nix | KDE with Papirus icons. |
| Browsers | Firefox, Chrome | Chrome pulls pkgs.google-chrome. |
| Office / Mail | LibreOffice, OnlyOffice, Evolution, Thunderbird, Birdtray | |
| Dev Tooling | nixvim, github-desktop, nixpkgs-fmt, morph | NixVim is byte-compiled Lua; Gruvbox theme; LazyGit keybind. |
| Media | VLC | |
| Virtualisation | VirtualBox + extension pack | For Windows VMs if you must. |
| Comms | Signal Desktop, Teams, TeamViewer, ProtonMail Bridge | Teams + TeamViewer are optional but on by default. |
| Networking & VPN | Tailscale, ProtonVPN | ProtonVPN module wires in the CLI; no kill-switch rules. |
| Misc Utilities | Htop, GParted, Baobab, Remotemouse, SSHFS, windows-reboot | Last one allows password-less reboot into the Windows bootloader entry. |
4. Security Posture
- Firewall: on; all ports blocked unless you open them explicitly.
- Bluetooth: enabled and left discoverable; no additional hardening.
- Sudo: extra rule letting users call the Windows-reboot command with NOPASSWD.
- Unfree drivers: `nixpkgs.config.allowUnfree = true` to pull NVIDIA; no automatic driver updates.
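The four settings above as a NixOS module, each with a tighter variant beside it. This is an added example for this page, not one of the image's own sys-modules: the port list, the `wheel` group, the path of the Windows-reboot helper and the unfree package names are assumptions, since the page does not state them.

```nix
# Added example, not part of the repository: the security posture from
# section 4, written as a NixOS module with a narrower alternative for each item.
{ config, lib, pkgs, ... }:

{
  # Firewall: enabled with nothing open. Open ports per host rather than globally
  # (the empty lists are the default; [ 22 ] would be a host that really runs sshd).
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ ];
    allowedUDPPorts = [ ];
    # With Tailscale in client mode, trusting its interface avoids opening ports
    # on every interface just to reach the host over the tailnet.
    trustedInterfaces = [ "tailscale0" ];
  };

  # Bluetooth: the page leaves the adapter discoverable. Turning Discoverable off
  # in bluez's main.conf keeps pairing possible from the Plasma applet while the
  # adapter stops advertising itself to everything in range.
  hardware.bluetooth = {
    enable = true;
    settings.General.Discoverable = false;
  };

  # Sudo: a NOPASSWD rule should name one exact command, never a shell or an
  # interpreter. The helper path below is an assumption; the page only gives
  # the package name "windows-reboot".
  security.sudo.extraRules = [
    {
      groups = [ "wheel" ];
      commands = [
        {
          command = "/run/current-system/sw/bin/windows-reboot";
          options = [ "NOPASSWD" ];
        }
      ];
    }
  ];

  # Unfree: instead of allowUnfree = true for everything, list the unfree
  # packages the image actually needs. Every unfree package the stack pulls
  # (Chrome, TeamViewer, ...) must appear here or evaluation fails.
  nixpkgs.config.allowUnfreePredicate = pkg:
    builtins.elem (lib.getName pkg) [
      "nvidia-x11"
      "nvidia-settings"
      "google-chrome"
    ];
}
```

Drop the file into `sys-modules/` and import it from the host config; `nixos-rebuild build` will report any unfree package missing from the predicate list before anything is switched.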
5. Update & Maintenance Workflow
```mermaid
graph TD
    A[Run switch.sh] --> B[ssh-agent loads read-only key]
    B --> C[git fetch && reset --hard origin/main]
    C --> D[Optional nix flake update]
    D --> E[nixos-rebuild switch]
    E --> F[Reboot if needed]
```
- Trigger: manual; no cron or timer.
- Downtime: one reboot at most; it can be skipped if only user-space packages change.
- Rollback: standard NixOS boot-loader entry; no wrapper script yet.
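The flow in the graph above, as an added example script for this page (it is not the repository's `switch.sh`). It shows the two decisions the page only names: the 10-minute throttle on `nix flake update`, and the "reboot if needed" check, done by comparing the booted generation's kernel, initrd and module tree with the just-activated one. `REPO_DIR`, the stamp-file path and the `run` argument are assumptions; the stamp holds a plain epoch timestamp so the check does not depend on `stat` flags.

```sh
#!/usr/bin/env sh
# Added example of the section 5 workflow; not the repository's own switch.sh.
# Assumptions: REPO_DIR, STAMP and the "run" argument. The stamp file stores the
# epoch second of the last flake update.
set -eu

REPO_DIR="${REPO_DIR:-/etc/nixos}"
STAMP="${STAMP:-/var/lib/nixos-switch/last-flake-update}"   # assumed path
THROTTLE_SECS=600                                            # the page's 10 minutes

# Exit 0 when no flake update has been recorded within THROTTLE_SECS.
# A missing or malformed stamp counts as "never updated".
should_flake_update() {
  stamp="$1"; now="$2"
  [ -r "$stamp" ] || return 0
  last=$(cat "$stamp")
  case "$last" in ''|*[!0-9]*) return 0 ;; esac
  [ $((now - last)) -ge "$THROTTLE_SECS" ]
}

# Exit 0 when the booted kernel, initrd or module tree differs from the one the
# new generation activated, i.e. the "reboot if needed" step really applies.
# User-space-only changes leave all three links identical.
needs_reboot() {
  booted="$1"; current="$2"
  for f in kernel initrd kernel-modules; do
    if [ "$(readlink -f "$booted/$f")" != "$(readlink -f "$current/$f")" ]; then
      return 0
    fi
  done
  return 1
}

sync_repo() {
  # The agent holds a read-only deploy key, so this step can only pull.
  git -C "$REPO_DIR" fetch origin main
  git -C "$REPO_DIR" reset --hard origin/main
}

main() {
  sync_repo
  if should_flake_update "$STAMP" "$(date +%s)"; then
    (cd "$REPO_DIR" && nix flake update)
    mkdir -p "$(dirname "$STAMP")"
    date +%s > "$STAMP"
  fi
  nixos-rebuild switch --flake "$REPO_DIR"
  if needs_reboot /run/booted-system /run/current-system; then
    echo "kernel, initrd or modules changed: reboot required" >&2
  fi
}

# Only act when invoked as "switch.sh run", so the file can be sourced for its
# functions without touching the system.
if [ "${1:-}" = "run" ]; then main; fi
```

One consequence of this flow worth knowing: a lock-file change produced by the local `nix flake update` is discarded by the next run's `git reset --hard origin/main` unless it was committed and pushed, and the read-only key cannot push.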