Declarative system configuration for Framework Laptop 13

Installation • Features • Keyboard • Architecture

curl -fsSL https://raw.githubusercontent.com/anaclumos/nix/main/bootstrap.sh | bash

Bootstraps a fresh NixOS installation into a fully configured system. Includes hardware detection, firmware updates, and automatic reboot.

• Full disk encryption — LUKS on root and swap partitions
• Kernel hardening — kptr_restrict, dmesg_restrict, kexec_load_disabled
• Network hardening — SYN cookies, reverse path filtering, no ICMP redirects
• SSH via 1Password — Keys stored in 1Password, never on disk
• Fingerprint auth — sudo and login via fprintd
• Core dumps disabled — No sensitive memory written to disk

• Zram — 48GB compressed swap (zstd, 50% of RAM)
• VM tuning — swappiness=180, optimized for zram workloads
• IO schedulers — none for NVMe, mq-deadline for SATA
• Systemd initrd — Faster boot with parallel service startup
• tmpfs /tmp — RAM-backed temp directory (50% allocation)
• AMD P-State — Active mode for dynamic CPU scaling

• GNOME 49 "Brescia" on Wayland with curated extensions
• Dynamic wallpaper — Solar gradient synced to Seoul time via Timewall
• Pretendard — Neo-grotesque typeface with 20+ font aliases
• Dash to Dock — Auto-hiding dock with intellihide
• Unite — Clean panel without window decorations
• Blur My Shell — Gaussian blur effects

• Tailscale — Mesh VPN with Taildrop file sharing
• ExpressVPN — Commercial VPN integration
• systemd-resolved — DNSSEC with fallback DNS (1.1.1.1, 8.8.8.8)

This configuration recreates macOS keyboard behavior on Linux using keyd.

Caps Lock acts as a Hyper key. Tap alone to maximize window (Alt+F10). Hold for app switching:

Inspired by Japanese keyboard input on macOS. Each hand has a dedicated language:

No toggle key. Powered by fcitx5 with ActivateKeys=Control+Control_R and DeactivateKeys=Control+Control_L.

.
├── flake.nix                 # Flake definition with inputs
├── configuration.nix         # Module composition
├── hardware-configuration.nix
├── packages.nix              # Package sets by category
├── modules/
│   ├── options.nix           # Custom module options
│   ├── boot.nix              # Kernel, Plymouth, LUKS
│   ├── power.nix             # Zram, hibernation, IO schedulers
│   ├── security.nix          # Firewall, kernel hardening
│   ├── core.nix              # keyd, Docker, 1Password
│   ├── keyd.conf             # keyd mappings (macOS-style)
│   ├── networking.nix        # Tailscale, VPN
│   ├── gnome.nix             # Desktop environment
│   ├── input-method.nix      # fcitx5 + Hangul
│   ├── nix-settings.nix      # Caches, GC, nix-ld
│   └── media.nix             # PipeWire, GPU drivers
├── pkgs/
│   └── tableplus.nix          # TablePlus package (unfree)
├── home/
│   ├── default.nix           # Home Manager entry
│   ├── shell.nix             # Zsh, Atuin, aliases
│   ├── git.nix               # Git + SSH signing
│   ├── gnome-settings.nix    # dconf settings
│   ├── fcitx.nix             # Input method config
│   ├── services.nix          # Timewall, Thunderbird
│   └── autostart.nix         # 1Password, Trayscale
├── fonts/
│   └── default.nix           # Pretendard, Iosevka, font aliases
└── wallpaper/
    └── solar-gradient.heic   # Dynamic wallpaper

Linting and formatting tools are installed system-wide:

statix check .   # Lint for anti-patterns
deadnix .        # Find dead code
nixfmt **/*.nix  # Format (RFC style)

Also available: nil (LSP), nix-tree, nvd, nix-diff

This configuration uses personal flakes for packages not in nixpkgs:

• anaclumos/tableplus.nix — Database GUI

MIT