nixos/README.md

# nixos-config [![built with nix](https://builtwithnix.org/badge.svg)](https://builtwithnix.org)![CI](https://github.com/Stunkymonkey/nixos/actions/workflows/nix.yml/badge.svg)

This repository holds my NixOS configuration.
It is fully reproducible, flakes based, and position-independent, ...

used flakes:

- image generation: [nixos-generators](https://github.com/nix-community/nixos-generators)
- disk partitioning: [disko](https://github.com/nix-community/disko)
- secrets: [sops-nix](https://github.com/Mic92/sops-nix)
- deployment: [nixinate](https://github.com/MatthewCroughan/nixinate), see [usage](#usage)
- formatting: [git-hooks](https://github.com/cachix/git-hooks.nix)
- install: [nixos-anywhere](https://github.com/nix-community/nixos-anywhere/)

## Structure

```text
.
├── images       # custom image generations
├── machines     # machine definitions
├── modules      # own nix-options, to modularize services/hardware/...
├── overlays     # overlays
├── pkgs         # own packages, which are not available in nixpkgs
└── profiles     # summarize module collections into single options
```

## Usage

- updating:

    ```bash
    nix flake update
    ```

- deployment/update:

    ```bash
    nix run .#<flake>
    ```

- secrets:

    ```bash
    sops ./machines/<host>/secrets.yaml
    ```

- images:

    ```bash
    nix build .#install-iso
    nix build .#aarch64-install --system aarch64-linux
    ```

- vms:

    ```bash
    nixos-rebuild build-vm --flake .#<flake>
    ```

- (re-)install:

    make sure you have ssh-root access to the machine and the ssh-key is used properly.
    (It does not matter what system is installed before.)

    1. generate config (only needed for new host)

        get `nixos-generate-config` to run via nix and execute

        ```bash
        nixos-generate-config --no-filesystems --root $(mktemp -d)
        ```

        reuse the `hardware-configuration.nix` to create a new machine with its flake.

    1. setup secrets

        1. new host

            then prepare the secrets in the following layout:

            ```bash
            # enter disk encryption key
            (umask 077; echo "my-super-safe-password" > /tmp/disk.key)

            temp=$(mktemp -d)
            # ssh-host keys
            install -d -m755 "$temp/etc/ssh"
            install -d -m755 "$temp/etc/secrets/initrd"
            ssh-keygen -o -a 100 -N "" -t rsa     -b 4096 -f "$temp/etc/ssh/ssh_host_rsa_key"
            ssh-keygen -o -a 100 -N "" -t ed25519         -f "$temp/etc/ssh/ssh_host_ed25519_key"
            ssh-keygen -o -a 100 -N "" -t ed25519         -f "$temp/etc/secrets/initrd/ssh_host_ed25519_key"
            ```

        1. existing host

            ```bash
            (umask 077; echo "my-super-safe-password" > /tmp/disk.key)
            temp=$(mktemp -d)
            find $temp -printf '%M %p\n'
            ```

            should result in something looking like this

            ```text
            drwx------ $temp
            drwxr-xr-x $temp/etc
            drwxr-xr-x $temp/etc/ssh
            -rw------- $temp/etc/ssh/ssh_host_rsa_key
            -rw------- $temp/etc/ssh/ssh_host_ed25519_key
            -rw-r--r-- $temp/etc/ssh/ssh_host_rsa_key.pub
            -rw-r--r-- $temp/etc/ssh/ssh_host_ed25519_key.pub
            drwxr-xr-x $temp/etc/secrets
            drwxr-xr-x $temp/etc/secrets/initrd
            -rw------- $temp/etc/secrets/initrd/ssh_host_ed25519_key
            -rw-r--r-- $temp/etc/secrets/initrd/ssh_host_ed25519_key.pub
            ```

    1. execute install

        now simply install by executing (this will delete all data!):

        ```bash
        nix run github:nix-community/nixos-anywhere -- \
            --disk-encryption-keys /tmp/disk.key /tmp/disk.key \
            --extra-files "$temp" \
            --flake .#<flake> \
            root@<host>
        ```

## Inspired by

- [Nix config by Mic92](https://github.com/Mic92/dotfiles)
- [Nix config by ambroisie](https://github.com/ambroisie/nix-config)
- [Nix config by pborzenkov](https://github.com/pborzenkov/nix-config)
- [Nix config by nyanloutre](https://gitea.nyanlout.re/nyanloutre/nixos-config)
- [Nix config by disassembler](https://github.com/disassembler/network)
- [git-hook config](https://github.com/cachix/git-hooks.nix/blob/master/template/flake.nix)
github-ci: add 2023-07-30 13:04:13 +02:00			`# nixos-config [![built with nix](https://builtwithnix.org/badge.svg)](https://builtwithnix.org)![CI](https://github.com/Stunkymonkey/nixos/actions/workflows/nix.yml/badge.svg)`
initial commit 2020-11-16 21:14:46 +01:00
restructure folder organisation 2022-12-05 20:32:39 +01:00			`This repository holds my NixOS configuration.`
readme: add & fix lint 2023-07-30 12:51:01 +02:00			`It is fully reproducible, flakes based, and position-independent, ...`
initial commit 2020-11-16 21:14:46 +01:00
flake: add disko 2023-03-18 16:58:18 +01:00			`used flakes:`
readme: add & fix lint 2023-07-30 12:51:01 +02:00
flake: add disko 2023-03-18 16:58:18 +01:00			`- image generation: [nixos-generators](https://github.com/nix-community/nixos-generators)`
readme: add disko and nixos-anywhere 2023-09-02 17:51:12 +02:00			`- disk partitioning: [disko](https://github.com/nix-community/disko)`
flake: add disko 2023-03-18 16:58:18 +01:00			`- secrets: [sops-nix](https://github.com/Mic92/sops-nix)`
nixinate: migrate from deploy-rs 2024-01-18 22:37:39 +01:00			`- deployment: [nixinate](https://github.com/MatthewCroughan/nixinate), see [usage](#usage)`
readme: rename git-hook as well 2024-04-28 15:09:59 +02:00			`- formatting: [git-hooks](https://github.com/cachix/git-hooks.nix)`
Fix nixos-anywhere repo URL to nix-community 2024-12-02 22:00:53 +01:00			`- install: [nixos-anywhere](https://github.com/nix-community/nixos-anywhere/)`
initial commit 2020-11-16 21:14:46 +01:00
readme: add disko and nixos-anywhere 2023-09-02 17:51:12 +02:00			`## Structure`
initial commit 2020-11-16 21:14:46 +01:00
readme: add & fix lint 2023-07-30 12:51:01 +02:00			```text
have a new README reflecting flake changes 2022-06-15 21:14:59 +02:00			`.`
update README 2023-03-10 21:41:41 +01:00			`├── images # custom image generations`
			`├── machines # machine definitions`
			`├── modules # own nix-options, to modularize services/hardware/...`
			`├── overlays # overlays`
			`├── pkgs # own packages, which are not available in nixpkgs`
			`└── profiles # summarize module collections into single options`
have a new README reflecting flake changes 2022-06-15 21:14:59 +02:00			```
initial commit 2020-11-16 21:14:46 +01:00
readme: add disko and nixos-anywhere 2023-09-02 17:51:12 +02:00			`## Usage`
initial commit 2020-11-16 21:14:46 +01:00
readme: add disko and nixos-anywhere 2023-09-02 17:51:12 +02:00			`- updating:`
readme: add & fix lint 2023-07-30 12:51:01 +02:00
readme: add disko and nixos-anywhere 2023-09-02 17:51:12 +02:00			```bash
			`nix flake update`
			```
initial commit 2020-11-16 21:14:46 +01:00
nixinate: migrate from deploy-rs 2024-01-18 22:37:39 +01:00			`- deployment/update:`
readme: add & fix lint 2023-07-30 12:51:01 +02:00
readme: add disko and nixos-anywhere 2023-09-02 17:51:12 +02:00			```bash
flake/nixinate: use apps/flakes directly 2024-11-08 00:19:17 +01:00			`nix run .#<flake>`
readme: add disko and nixos-anywhere 2023-09-02 17:51:12 +02:00			```
have a new README reflecting flake changes 2022-06-15 21:14:59 +02:00
readme: add disko and nixos-anywhere 2023-09-02 17:51:12 +02:00			`- secrets:`
readme: add & fix lint 2023-07-30 12:51:01 +02:00
readme: add disko and nixos-anywhere 2023-09-02 17:51:12 +02:00			```bash
			`sops ./machines/<host>/secrets.yaml`
			```
README: add links to other configs 2022-07-03 13:51:27 +02:00
readme: add disko and nixos-anywhere 2023-09-02 17:51:12 +02:00			`- images:`
readme: add & fix lint 2023-07-30 12:51:01 +02:00
readme: add disko and nixos-anywhere 2023-09-02 17:51:12 +02:00			```bash
			`nix build .#install-iso`
			`nix build .#aarch64-install --system aarch64-linux`
			```

			`- vms:`

			```bash
			`nixos-rebuild build-vm --flake .#<flake>`
			```

			`- (re-)install:`

			`make sure you have ssh-root access to the machine and the ssh-key is used properly.`
			`(It does not matter what system is installed before.)`

			`1. generate config (only needed for new host)`

			get `nixos-generate-config` to run via nix and execute

			```bash
			`nixos-generate-config --no-filesystems --root $(mktemp -d)`
			```

			reuse the `hardware-configuration.nix` to create a new machine with its flake.

			`1. setup secrets`

			`1. new host`

			`then prepare the secrets in the following layout:`

			```bash
			`# enter disk encryption key`
Fix problems in umask You must set the umask to not spill the directory permissions $> umask 022 $> echo asdf1234 > password $> ls -la password -rw-r--r-- 1 bebe bebe 9 2. Dez 21:29 password $> rm password $> (umask 077; echo "my-super-safe-password" > password) $> ls -la password -rw------- 1 bebe bebe 23 Dec 2 21:28 password 2024-12-02 21:28:49 +01:00			`(umask 077; echo "my-super-safe-password" > /tmp/disk.key)`
readme: add disko and nixos-anywhere 2023-09-02 17:51:12 +02:00
			`temp=$(mktemp -d)`
			`# ssh-host keys`
			`install -d -m755 "$temp/etc/ssh"`
			`install -d -m755 "$temp/etc/secrets/initrd"`
Make option parameters to `ssh-keygen` uniform 2024-12-02 21:33:48 +01:00			`ssh-keygen -o -a 100 -N "" -t rsa -b 4096 -f "$temp/etc/ssh/ssh_host_rsa_key"`
			`ssh-keygen -o -a 100 -N "" -t ed25519 -f "$temp/etc/ssh/ssh_host_ed25519_key"`
			`ssh-keygen -o -a 100 -N "" -t ed25519 -f "$temp/etc/secrets/initrd/ssh_host_ed25519_key"`
readme: add disko and nixos-anywhere 2023-09-02 17:51:12 +02:00			```

			`1. existing host`

			```bash
Fix problems in umask You must set the umask to not spill the directory permissions $> umask 022 $> echo asdf1234 > password $> ls -la password -rw-r--r-- 1 bebe bebe 9 2. Dez 21:29 password $> rm password $> (umask 077; echo "my-super-safe-password" > password) $> ls -la password -rw------- 1 bebe bebe 23 Dec 2 21:28 password 2024-12-02 21:28:49 +01:00			`(umask 077; echo "my-super-safe-password" > /tmp/disk.key)`
readme: add disko and nixos-anywhere 2023-09-02 17:51:12 +02:00			`temp=$(mktemp -d)`
readme: fix print 2023-09-05 21:51:43 +02:00			`find $temp -printf '%M %p\n'`
readme: add disko and nixos-anywhere 2023-09-02 17:51:12 +02:00			```

			`should result in something looking like this`

			```text
			`drwx------ $temp`
			`drwxr-xr-x $temp/etc`
			`drwxr-xr-x $temp/etc/ssh`
			`-rw------- $temp/etc/ssh/ssh_host_rsa_key`
			`-rw------- $temp/etc/ssh/ssh_host_ed25519_key`
			`-rw-r--r-- $temp/etc/ssh/ssh_host_rsa_key.pub`
			`-rw-r--r-- $temp/etc/ssh/ssh_host_ed25519_key.pub`
			`drwxr-xr-x $temp/etc/secrets`
			`drwxr-xr-x $temp/etc/secrets/initrd`
			`-rw------- $temp/etc/secrets/initrd/ssh_host_ed25519_key`
			`-rw-r--r-- $temp/etc/secrets/initrd/ssh_host_ed25519_key.pub`
			```

			`1. execute install`

			`now simply install by executing (this will delete all data!):`

			```bash
Fix nixos-anywhere repo URL to nix-community 2024-12-02 22:00:53 +01:00			`nix run github:nix-community/nixos-anywhere -- \`
readme: add disko and nixos-anywhere 2023-09-02 17:51:12 +02:00			`--disk-encryption-keys /tmp/disk.key /tmp/disk.key \`
			`--extra-files "$temp" \`
			`--flake .#<flake> \`
			`root@<host>`
			```

			`## Inspired by`
readme: add & fix lint 2023-07-30 12:51:01 +02:00
udpate README 2022-07-30 15:03:48 +02:00			`- [Nix config by Mic92](https://github.com/Mic92/dotfiles)`
			`- [Nix config by ambroisie](https://github.com/ambroisie/nix-config)`
			`- [Nix config by pborzenkov](https://github.com/pborzenkov/nix-config)`
			`- [Nix config by nyanloutre](https://gitea.nyanlout.re/nyanloutre/nixos-config)`
nixinate: migrate from deploy-rs 2024-01-18 22:37:39 +01:00			`- [Nix config by disassembler](https://github.com/disassembler/network)`
readme: rename git-hook as well 2024-04-28 15:09:59 +02:00			`- [git-hook config](https://github.com/cachix/git-hooks.nix/blob/master/template/flake.nix)`