personal nixos config
Felix Buehler 25a441b3e2
flake: update
2025-05-18 22:34:55 +02:00

nixos-config built with nixCI

This repository holds my NixOS configuration. It is fully reproducible, flakes-based, and position-independent, ...

used flakes:

Structure

.
├── images       # custom image generations
├── machines     # machine definitions
├── modules      # own nix-options, to modularize services/hardware/...
├── overlays     # overlays
├── pkgs         # own packages, which are not available in nixpkgs
└── profiles     # summarize module collections into single options

Usage

  • updating:

    nix flake update
    
  • deployment/update:

    nix run .#<flake>
    
  • secrets:

    sops ./machines/<host>/secrets.yaml
    
  • images:

    nix build .#install-iso
    nix build .#aarch64-install --system aarch64-linux
    
  • vms:

    nixos-rebuild build-vm --flake .#<flake>
    
  • (re-)install:

    Make sure you have root SSH access to the machine and that the SSH key is set up properly. (It does not matter which system is installed beforehand.)

    1. generate config (only needed for new host)

      make nixos-generate-config available via nix and execute:

      nixos-generate-config --no-filesystems --root $(mktemp -d)
      

      Reuse the generated hardware-configuration.nix to create a new machine definition and add it to the flake.

    2. setup secrets

      1. new host

        then prepare the secrets in the following layout:

        # enter disk encryption key
        (umask 077; echo "my-super-safe-password" > /tmp/disk.key)
        
        temp=$(mktemp -d)
        # ssh-host keys
        install -d -m755 "$temp/etc/ssh"
        install -d -m755 "$temp/etc/secrets/initrd"
        ssh-keygen -o -a 100 -N "" -t rsa     -b 4096 -f "$temp/etc/ssh/ssh_host_rsa_key"
        ssh-keygen -o -a 100 -N "" -t ed25519         -f "$temp/etc/ssh/ssh_host_ed25519_key"
        ssh-keygen -o -a 100 -N "" -t ed25519         -f "$temp/etc/secrets/initrd/ssh_host_ed25519_key"
        
      2. existing host

        (umask 077; echo "my-super-safe-password" > /tmp/disk.key)
        temp=$(mktemp -d)
        find "$temp" -printf '%M %p\n'
        

        The result should look like this:

        drwx------ $temp
        drwxr-xr-x $temp/etc
        drwxr-xr-x $temp/etc/ssh
        -rw------- $temp/etc/ssh/ssh_host_rsa_key
        -rw------- $temp/etc/ssh/ssh_host_ed25519_key
        -rw-r--r-- $temp/etc/ssh/ssh_host_rsa_key.pub
        -rw-r--r-- $temp/etc/ssh/ssh_host_ed25519_key.pub
        drwxr-xr-x $temp/etc/secrets
        drwxr-xr-x $temp/etc/secrets/initrd
        -rw------- $temp/etc/secrets/initrd/ssh_host_ed25519_key
        -rw-r--r-- $temp/etc/secrets/initrd/ssh_host_ed25519_key.pub
        
    3. execute install

      Now simply install by executing the following (this will delete all data on the target!):

      nix run github:nix-community/nixos-anywhere -- \
          --disko-mode disko \
          --disk-encryption-keys /tmp/disk.key /tmp/disk.key \
          --extra-files "$temp" \
          --flake .#<flake> \
          root@<host>
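
As an added pre-flight check before step 3, not part of this repository: a POSIX sh script that verifies the staging directory and the disk key match the listing above (staging root 0700, key directories 0755, private keys 0600, public keys 0644) before anything is copied to the target. mode_of, check_secrets_layout and make_demo_tree are names of my own; make_demo_tree is a constructed stand-in that writes empty placeholder files instead of running ssh-keygen.

```sh
#!/bin/sh
# Added example (not from the repository): check the secrets staging
# directory and the disk key against the layout listed above before handing
# them to nixos-anywhere. Assumes ls -l style mode strings ("drwx------").
mode_of() { ls -ld "$1" | cut -c1-10; }

# check_secrets_layout DIR DISKKEY
# Prints every problem found; returns 0 only if the layout is correct.
check_secrets_layout() {
  dir=$1 key=$2 rc=0
  # the disk encryption key must exist and be readable by the owner only
  if [ ! -f "$key" ] || [ "$(mode_of "$key")" != "-rw-------" ]; then
    echo "disk key missing or not 0600: $key"; rc=1
  fi
  # mktemp -d creates the staging root 0700; keep it that way
  [ "$(mode_of "$dir")" = "drwx------" ] \
    || { echo "staging dir must be 0700: $dir"; rc=1; }
  # key directories are 0755 so sshd and the initrd can read the .pub files
  for d in etc etc/ssh etc/secrets etc/secrets/initrd; do
    [ "$(mode_of "$dir/$d")" = "drwxr-xr-x" ] \
      || { echo "directory missing or not 0755: $d"; rc=1; }
  done
  # each private key: present, 0600, with its public half at 0644
  for f in etc/ssh/ssh_host_rsa_key etc/ssh/ssh_host_ed25519_key \
           etc/secrets/initrd/ssh_host_ed25519_key; do
    p=$dir/$f
    [ -f "$p" ] || { echo "missing private key: $f"; rc=1; continue; }
    [ "$(mode_of "$p")" = "-rw-------" ] \
      || { echo "private key must be 0600: $f"; rc=1; }
    [ -f "$p.pub" ] && [ "$(mode_of "$p.pub")" = "-rw-r--r--" ] \
      || { echo "public key missing or not 0644: $f.pub"; rc=1; }
  done
  return $rc
}

# make_demo_tree DIR: constructed stand-in for the umask/ssh-keygen steps
# above, writing empty placeholder files instead of real keys.
make_demo_tree() {
  dir=$1
  mkdir -p "$dir/etc/ssh" "$dir/etc/secrets/initrd"
  chmod 700 "$dir"
  chmod 755 "$dir/etc" "$dir/etc/ssh" "$dir/etc/secrets" "$dir/etc/secrets/initrd"
  for f in etc/ssh/ssh_host_rsa_key etc/ssh/ssh_host_ed25519_key \
           etc/secrets/initrd/ssh_host_ed25519_key; do
    : > "$dir/$f"; chmod 600 "$dir/$f"
    : > "$dir/$f.pub"; chmod 644 "$dir/$f.pub"
  done
  : > "$dir/disk.key"; chmod 600 "$dir/disk.key"
}
```

Run it as `check_secrets_layout "$temp" /tmp/disk.key` right before the nixos-anywhere command; a non-zero exit means a key or directory would be shipped with the wrong permissions.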
      

Inspired by