A declarative, highly optimized, and ephemeral NixOS system configuration based on Nix Flakes. This setup integrates advanced system virtualization, low-latency performance kernels, encrypted secret management, secure boot configurations, and a bespoke Qt6/QML window manager desktop shell.

graph TD
    A[Hardware: Ryzen CPU + Nvidia/AMD GPUs] --> B[CachyOS Kernel]
    B --> C[Lanzaboote Secure Boot]
    B --> D[Impermanence: Ephemeral Root /]
    D --> E[Persistent State /persist]
    E --> F[Home Manager & User Space]
    F --> G[Hyprland + UWSM Desktop]
    G --> H[Quickshell: illogical-impulse QML]
    E --> I[net-gate MicroVM Tor Gateway]
    F --> J[Docker: Stable Diffusion CUDA Containerization]

The standard C++ Nix daemon is replaced with Lix (via lix-module), a modern, high-performance implementation focused on speed and reliable flake evaluations.

This machine employs the Impermanence paradigm (nix-community/impermanence).

• The root filesystem (/) is wiped or rebuilt on every boot, keeping the OS entirely clean.
• Important files, cache states, configurations, and user directories are mapped selectively onto a persistent partition at /persist.
• Out-of-store Symlinks: Dotfiles in user space are mapped via config.lib.file.mkOutOfStoreSymlink to the git repository under /persist$HOME/.nix-config/dots/. This allows modifications in the repository (e.g., config changes) to take effect instantly without needing a full home-manager switch.

A custom-configured CachyOS Kernel (pkgs.cachyosKernels.linuxPackages-cachyos-latest) is compiled with extreme low-latency performance characteristics:

• Full preemption model (preempt=full) and thread IRQs (threadirqs) for real-time interactivity under high load.
• Sysctl-level kernel overrides for refined memory and scheduling control:
  • Highly aggressive virtual memory mapping (vm.max_map_count = 2147483642) and swappiness (vm.swappiness = 180).
  • Scheduling bandwidth slices optimized (kernel.sched_cfs_bandwidth_slice_us = 3000).
  • High-throughput network tuning incorporating BBR congestion control (net.ipv4.tcp_congestion_control = bbr) and fq queueing disciplines (net.core.default_qdisc = fq).
  • Dedicated GPU stability overrides to counter AMD + NVIDIA hybrid GPU and Ryzen C-state conflicts (processor.max_cstate=1, amdgpu.gpu_recovery=1).

• Lanzaboote: Native integration (nix-community/lanzaboote) implements secure boot without disabling hardware locks by generating and registering key bundles under /etc/secureboot.
• SOPS-Nix: Secret files are encrypted via Mozilla SOPS inside secrets.yaml and decrypted locally on boot using host age SSH keys (/persist/etc/ssh/ssh_host_ed25519_key) to populate system user and root passwords securely.

An isolated background gateway MicroVM named net-gate is run declaratively via microvm.nix:

• Powered by cloud-hypervisor utilizing VSOCK CID bindings and a 1 VCPU / 512MB RAM minimal memory allocation.
• Automatically launches a transparent Tor proxy routing DNSPort (5353) and TransPort (9040) for secure client interactions.
• Placed on a virtual host tap network (vm-netgate) with local network boundaries (192.168.100.1/24) and explicit host-side systemd-networkd isolation rules. NetworkManager is instructed to treat the tap as unmanaged to prevent overlap.

The system is configured as an AI development workstation:

• Docker OCI Configurations: Declarative, non-autostarting stable diffusion services for Fooocus and Forge WebUI equipped with direct host Nvidia GPU hardware passthrough (nvidia.com/gpu=0).
• Local AI Stack: An Ollama runner backed by CUDA-compiled dependencies (pkgs.ollama-cuda) and Open-WebUI run system-wide, integrated dynamically with ffmpeg binaries.
• Nix-LD Wrapper: An exhaustive compilation of standard and graphics-related libraries are configured within nix-ld to run unpatched Linux binaries (including CUDA/OpenGL drivers) natively.

The desktop setup operates on Hyprland launched under the Universal Wayland Session Manager (UWSM) to handle systemd-managed environmental boundaries, using tuigreet and greetd as the primary greeter.

~/.nix-config/dots/
├─quickshell/
│ └─ii/                # Bespoke Qt6/QML shell environment
├─illogical-impulse/   # Custom colorschemes and updates config
├─kitty/               # Modus Vivendi / Custom GPU terminal themes
├─starship/            # Custom starship prompt profiles
├─fuzzel/              # Application launcher ini files
├─wlogout/             # Custom Wayland logout layout and stylesheet
└─cava/                # Console audio visualizer configuration

The user interface features a deep desktop shell written using Quickshell (QML + Qt6).

• Renders system panels, dynamic workspace icons, status trackers, and resource indicators directly onto Wayland.
• System variables dynamically expose custom Qt6 paths and QML2_IMPORT_PATH directories to load libraries cleanly from both system profiles and local directories.
• Includes custom utilities like a screenshot tool (utilizing grim, slurp, and swappy) and custom overlays.

Instead of generic wallpaper generation, this setup relies on a highly sophisticated, custom-built colorscheme compiler engine (apply_theme.py / apply_theme.bin under ~/.config/illogical-impulse/scripts/).

• Reads structured JSON theme matrices stored under ~/.nix-config/dots/illogical-impulse/themes/ (such as petrified_spittoon.json, vivendi_tinted.json, horizon_neon.json, and skumring.json).
• Parses theme palettes and mapping schemas to dynamically patch color configurations in real time across different components:
  • Appearance.qml: Recompiles material and semantic roles to dynamically adjust Quickshell styling.
  • Hyprland Borders: Injects matching border highlights into ~/.config/hypr/hyprland/colors.conf.
  • Kitty Terminal: Rewrites terminal colors and tab-bar layouts in ~/.config/kitty/current.conf and ~/.config/kitty/tab_bar.py.
  • Starship Prompt: Synthesizes custom palette hashes directly inside ~/.config/starship.toml.
• The pipeline integrates with switchwall.sh and applycolor.sh to programmatically update wallpaper positions on multiple monitors and hot-reload virtual terminal color escape sequences (/dev/pts/*) along with Qt/Kvantum assets dynamically.

A custom-developed terminal system information fetch and stylized ASCII art banner application (infernal-init) is packaged natively:

• Pulled declaratively via Nix Flakes input bindings from the upstream repository lowcache/infernal-init.
• Runs instantly on launch to provide an aesthetic, low-overhead system status display.
• Tracked locally under ~/CodeRepo/infernal-init/ and can be pushed/pulled independently, then updated globally using nix flake update infernal-init.

Inside the illogical-impulse configurations lies a highly advanced safety filter:

• Continuously scans networks for specific SSID keywords (e.g., "cafe", "public", "school", "guest").
• When a target network is active, the system triggers the workSafety policy to automatically filter clipboards and prevent background loads of explicit sites or NSFW wallpapers in public environments.

• flake.nix: System inputs, CachyOS kernel overlays, lanzarboote/sops imports, infernal-init fetch modules, and system configurations mapping.
• nixos/:
  • configuration.nix: Main hardware definitions, system services, Docker OCI setups, greetd settings, Nix-LD graphics libraries, and kernel parameter flags.
  • vms.nix: Declares net-gate MicroVM configuration, Tor services, and systemd-networkd TAP rules.
  • hardware-configuration.nix: Physical file system mounts and host boot requirements.
  • secrets.yaml: SOPS-encrypted passwords and private keys.
• home/:
  • default.nix: Imports desktop GTK, user state values, and modular directories.
  • pkgs.nix: Houses explicit developer tools, Qt6 libraries, custom desktop engines, and pre-configured AI MCP servers.
  • persist.nix: Impermanence mapping rules specifying directories and out-of-store symlink coordinates.
  • session.nix: Strict global path exports, including crucial QML2_IMPORT_PATH entries for custom panels.
  • shell.nix: Fish configurations, git signatures, terminal profiles, and custom operational scripts.
  • browsers.nix: Hardware-accelerated Brave (Chromium) settings alongside secondary Floorp browsers.

To facilitate fast operations, the shell is loaded with precise, specialized Fish functions and aliases:

• nxrbs: Runs a full NixOS system rebuild and applies changes on-the-fly from the local flake:

  sudo nixos-rebuild switch --flake /persist$HOME/.nix-config/#infernalnix

• nxrbb: Dry-builds the system configuration to test for compilations and evaluation failures:

  sudo nixos-rebuild build --flake /persist$HOME/.nix-config/#infernalnix

• priv-sync: Safely rsyncs live persistent directories (Documents, Pictures, repos, Gemini configs) from the ephemeral home directory space into the secure backing repository path:

  priv-sync

• setwall: Instantly changes wallpapers globally or on a specified monitor, dynamically running theme scripts to update the active Quickshell theme:

  setwall ~/Pictures/my_wallpaper.png DP-1

• gpgkey: Generates high-strength 4096-bit RSA keys using GPG and automatically exports the armored public key to the working directory.
• extract: Universal archive extraction helper handling complex compressed profiles (.tar.zst, .tar.xz, .zip, etc.).
• fooogo / fooostp: Starts or stops the containerized Fooocus stable diffusion environment.
• forggo / forgstp: Starts or stops the containerized Forge stable diffusion UI environment.

The limbo configuration profile provides a generic, non-opinionated, hardware-independent version of this NixOS system that is highly portable and runs cleanly out of the box on standard x86_64 systems (including physical machines and virtual machines).

It is completely decoupled from all proprietary features of infernalnix, meaning it excludes:

• Lanzaboote Secure Boot (reverts to standard systemd-boot)
• Impermanence and root on RAM (uses a standard, reliable persistent filesystem partition scheme)
• SOPS-Nix encrypted secrets (uses declarative initial passwords)
• Hybrid AMD/Nvidia GPU drivers and Ryzen parameters (runs on generic CPU and open display drivers)
• Specialized hardware services like ASUS daemons and cachyos kernel packages

The Limbo configuration files are completely isolated under the nixos/limbo directory:

• nixos/limbo/configuration.nix: Stripped-down base services, including desktop environment (Hyprland), clean Nix-LD unpatched libraries, Docker engine, Fish shell, and CPU-only services for Ollama and Open-WebUI.
• nixos/limbo/hardware-configuration.nix: Standard physical disk maps for typical Linux installations.

To install and run Limbo successfully, partition your target drive using a standard layout and assign the exact labels listed below (e.g., using parted / gparted / fdisk / mkfs):

1. Boot from a NixOS Installer: Insert a standard minimal or graphical NixOS Live ISO.
2. Mount partitions: Label your partitions and mount them onto /mnt:

   # Mount root partition
   mount -t ext4 /dev/disk/by-label/nixos /mnt
   
   # Mount boot partition
   mkdir -p /mnt/boot
   mount -t vfat /dev/disk/by-label/boot /mnt/boot

3. Clone the Configuration: Clone this repository directly to the target system:

   git clone https://github.com/lowcache/infernalnixos.git /mnt/home/inlimbo/.nix-config

4. Run Installation: Install the system specifying the limbo profile:

   nixos-install --flake /mnt/home/inlimbo/.nix-config#limbo

5. Reboot and Login:
   • Root user initial password: root
   • Standard user (inlimbo) initial password: nixos
   • ⚠️ Set custom passwords immediately after logging in using the passwd command.

To build or switch configurations on an active Limbo system, use standard Nix flake rebuild commands:

• Switch system configuration:

  sudo nixos-rebuild switch --flake ~/.nix-config#limbo

• Dry-build system configuration:

  nixos-rebuild build --flake ~/.nix-config#limbo