there’s not much to know about it, I use Cloudflare simply because its routing is better than direct IP connections for many places on Earth. I can’t fully use Cloudflare anyway because I host many non-web services.

I know about it, but it kinda defeats the purpose (the purpose being police raid protection)

• full disk encryption on everything except the router (no point in encrypting the router)
  • the server doesn’t have a display connected for obvious reasons, so I’m manually unlocking it via ssh on each boot
    • obviously, the SSH keys are different, so the server has a different IP in initrd. That said, I still don’t have any protection against malicious modification of initrd or UEFI
• the server scans all new SSL certificates in realtime using certspotter and notifies me of any new certificates issued for my domains that it doesn’t know about (I use Cloudflare so it triggers relatively often, but I still do checks on who the issuer is)
• firewall blocks outgoing 25 so nobody can impersonate my mailserver

Unix epoch time is wrong too, as it doesn’t include leap seconds, meaning your time difference will be off by up to 15 seconds.

tbf the docs are in the format of manuals, i.e. only useful if you already know what you’re looking for or have lots of time. If you don’t, read blog posts and nixos.wiki.

I use fish + tide

I tried zsh+p10k before fish+tide, but zsh felt annoying in subtle ways that weren’t fixable with (existing) plugins, so I switched back to fish, but installed tide to mimic my previous p10k theme.

finance webapps log you out often for “security”, can’t do much about that

deleted by creator

I host it on an Arm SBC lying in the closet, specifically Radxa Rock 5A (well, the dotfiles mention that much). That said, you don’t need your VPS service to offer NixOS provisioning, you can just use nixos-infect

The person who invented the term “open source” simply intended it to be “free software” but in business speak. The fact some random people on the internet thought it means “source available” is not the term’s fault.

my first laptop with 860m ran GTA 5 at like 15FPS on launch (on Windows)

Here’s my example (Github mirror). It stores everything from my custom packages (like GIMP 2.99, which isn’t yet packaged in nixpkgs, or a custom virtiofsd to workaround an upstream bug caused by switching from the old C to the new Rust implementation), to my fish, sway, rofi, mpv configs, to my entire server setup, including Gitea, Nextcloud, Keycloak, Mumble, mailserver and Matrix server with some bots and bridges (I recently migrated from an x86_64 to a arm64 board and the only post-install setup I had to do was copy /var), to my router’s nftables rules.

1. Does your board support UEFI? Have you flashed it, if necessary? If not, your only option is board-specific image with board-specific U-Boot. Still, you may have some luck with mainline kernel after you flash that image.
2. Assuming you’ve flashed UEFI and know how to work with it, you should IMO install mainline images whenever possible, as those will always have the Linux kernel with latest security patches (you shouldn’t use LTS kernel before you’ve verified the very latest kernel version, unless your board is like 10 years old)
3. However, mainline Linux is often missing certain features on certain boards. In that case, you may have to either load some dtb/.dtbo files (it’s a way to specify hardware information at boot time), or, worst case, compile your own kernel with certain patches pulled from developers working on mainlining your board
4. If you don’t want to deal with all that, you can use premade images for your board. They will typically have an old kernel, but nonetheless it should Just Work™. You may still have to pick some .dtbs manually if your hardware is configurable enough (e.g. BPI-R3 has SD/EMMC switch, you can’t use both at the same time, and you have to pick the specific .dtb file depending on what you use)

Discord isn’t encrypted at all

NixOS is a general purpose distro (I use it on my router, server and laptop, and plan to install it on my phone, it doesn’t get any more general purpose). To run packages that aren’t in its repo, you write a package yourself. Note that unlike on traditional Linux systems, there’s essentially no concept of “installing” packages. Packages are built and put into /nix/store, then you can optionally add them to your system packages or user packages and they will be symlinked to /run/current-system/sw or ~/.nix-profile, but there’s nothing preventing you from just using the package without adding it to system/user packages.

it’s good, but older software doesn’t support it

executable ownership doesn’t matter, what matters is the rights of the user running the binary, and whatever sandboxing you have configured. So use Flatpak or Firejail.

it’s fine, but I recommend only enabling autologin at boot so you can lock the screen without shutting down the entire PC

Input/output error means the drive is just dying, irrespective of the software. Software can’t do anything about failing hardware, and that’s what you ran into.

it’s the same as about:config