1. Install nix.
2. nix profile install nixpkgs#vscodium
3. nix profile upgrade ‘.*’

Won’t auto update but you could add the upgrade command to a login script or something.

Won’t lie, nix has a high learning curve to get the most out of it, but installing a single app is pretty simple.

Most startups I’ve applied to are Linux friendly.

I currently work for a fortune 100 and managed to get a Linux machine purchased as a “lab” machine.

I’m fully in control. IT doesn’t even know it exists. I’m not allowed on the corporate network, but I managed to get some internal corporate access through another department’s lab network (IT sanctioned) that has a VPN with a few routes to things like ticketing, time cards, and our internal wiki. Most of the stuff I need to do my job is in AWS and we are allowed to add home IPs to the security groups.

IT still gives me a MacBook. I use it like once every 6 months.

nixos-unstable is the only thing I will use currently.

I’m running bleeding edge stuff like the latest kernel, Hyprland nightly, my own “shell” built from Gnome components and lots of custom stuff using GJS (Gnome JavaScript).

If you get one, and you are free to do whatever on it, encrypt your drives like your job depends on it. I have a memorized passphrase, pin protected hardware key, and a key in TPM. No biometrics.

As far as other nice things to have:

• VPN: https://www.infradead.org/openconnect/ supports some common enterprise VPNs.
• Communication tools (Teams, WebEx, Zoom, Slack, etc.). I tend to have access to 90% of what I need. My team is thankfully accommodating for the couple features I have issues with. Make sure you test things like Screen Sharing especially in Wayland if you use it.
• VM: If you can get a corporate licensed image to run a corporate licensed version of Office, I recommend it. Office365 for web is missing a few features and often renders differently from native.
• Password Manager and encrypt everything. System is encrypted as previously stated. My home volume (BTRFS) is encrypted with a different key/passphrase. My work’s sensitive files are encrypted yet again using rclone with different keys. I try to minimize attack surfaces by unlocking only what I need when I need it.
• Backups. I use rclone to backup to our corporate OneDrive. Nixos is immutable and I have it setup with impermanence where every reboot is like a fresh install if I didn’t codify it my nixos-config which is tracked in git. I persist a few cache and setting directories in my home directory, but not much. I can restore my setup in like 20 minutes if I ever lost my machine.
• Virtual mic and camera for noise suppression and blurring for communication tools that don’t have it built in.
• Evolution EWS works okay as an Exchange email client. I had to hunt some weird settings like tenant ID to get it to work. I’ve been using Webmail or Outlook in a VM more often though as of late.

I work in software dev as FYI. For the few issues I have, my team has more issues getting stuff working consistently on macOS for our project. I used that as a justification when requesting the laptop: my dev environment should closely match our runtime environment. Most of that is moot now since we use Nix flakes in our repos for local dev envs.

I use rclone and the Round Sync Android client.

Supports a ton of back ends, self hosted, and commercial options. You can transparently encrypt with private keys you control.

I personally use B2 Backblaze for storage.

My phone backs up every night and Round Sync pushes them to B2. On my desktop I can mount as a volume. I can also access my storage from my phone going the other direction.

I’ve done the same using SFTP if I don’t want the overhead of persistent file storage.

It does not support indexing or previews for searching or finding say a photo. You can put whatever you want for data. So I have caches, indexes, and thumbnails that work in Linux. I can’t really make use of those on my phone though.

Rclones bisync feature is also a bit dangerous when I tried to use it a year ago. I more than once “deleted” everything. B2 doesn’t delete by default, just hides, so I was able to recover. I now do unidirectional syncs from my machines to different buckets until I’m motivated to investigate a proper 3-way merge solution.

I’m using Graphene. The Pixel requirement I believe is due to the Titan chip: https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html?m=1.

https://divestos.org/ has caught my eye. When I last installed Grapheme, you had to install eSIMs using the factory ROM then install Graphene. Divest I guess had support without Google services. I think Grapheme does now also, but before I get my next phone I’ll weigh it as an option.

And track this stuff in git so you don’t need to remember how you did it when you inevitably forget, lol.

I use Nix, even on my Ubuntu machines, to install tooling in my user profile.

Nixpkgs unstable stays pretty up to date. The few I want something on release day or bleeding edge nightlies, I override the derivation source. I use nvfetcher to pull the latest release or head of the default branch as part of my update routine.

I’m pretty new to Nix, so its been slow integrating into my workflow, but I plan to start integrating flake’s into my repos. My team seems to have constant issues with keeping their tooling up to date which breaks things locally from time to time.