felix/nixos
1
0
Fork 0
mirror of https://github.com/Stunkymonkey/nixos.git synced 2025-10-29 17:02:10 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
personal nixos config
573 commits 2 branches 0 tags 1.4 MiB
Find a file
Felix Buehler 075c95041c flake: update
2023-11-30 22:02:19 +01:00
.github/workflows github-ci: add 2023-07-30 13:05:45 +02:00
images treewide: avoid repetitive keys in attrSets 2023-11-12 23:36:30 +01:00
machines Merge branch 'nixos-23.11' 2023-11-29 22:38:57 +01:00
modules service/paperless: fix typo 2023-11-29 23:39:37 +01:00
overlays treewide: fix deadnix errors 2023-11-07 22:49:32 +01:00
pkgs treewide: fix statix errors 2023-11-07 23:19:48 +01:00
profiles profile/sway: update xdg-portal-wlr 2023-11-29 23:38:29 +01:00
.editorconfig editorconfig: add json config 2023-04-16 16:57:02 +02:00
.envrc envrc: 2.3.0 -> 2.4.0 2023-11-12 22:55:01 +01:00
.gitignore gitignore: ignore qcow images 2023-07-18 17:46:42 +02:00
flake.lock flake: update 2023-11-30 22:02:19 +01:00
flake.nix flake: ignore sops.yaml from typo checks 2023-11-29 23:39:57 +01:00
README.md machine/serverle: switch to disko config 2023-09-07 00:00:34 +02:00

README.md

nixos-config built with nixCI

This repository holds my NixOS configuration. It is fully reproducible, flakes based, and position-independent, ...

used flakes:

Structure

.
├── images       # custom image generations
├── machines     # machine definitions
├── modules      # own nix-options, to modularize services/hardware/...
├── overlays     # overlays
├── pkgs         # own packages, which are not available in nixpkgs
└── profiles     # summarize module collections into single options

Usage

  • updating:

    nix flake update

  • deployment:

    deploy .#<flake>

  • secrets:

    sops ./machines/<host>/secrets.yaml

  • images:

    nix build .#install-iso
nix build .#aarch64-install --system aarch64-linux

  • vms:

    nixos-rebuild build-vm --flake .#<flake>

  • (re-)install:

    make sure you have ssh-root access to the machine and the ssh-key is used properly. (It does not matter what system is installed before.)

    1. generate config (only needed for new host)

      get nixos-generate-config to run via nix and execute

      nixos-generate-config --no-filesystems --root $(mktemp -d)

      reuse the hardware-configuration.nix to create a new machine with its flake.

    2. setup secrets

      1. new host

        then prepare the secrets in the following layout:

        # enter disk encryption key
echo "my-super-safe-password" > /tmp/disk.key

temp=$(mktemp -d)
# ssh-host keys
install -d -m755 "$temp/etc/ssh"
ssh-keygen -o -t rsa -a 100 -N "" -b 4096 -f "$temp/etc/ssh/ssh_host_rsa_key"
chmod 600 "$temp/etc/ssh/ssh_host_rsa_key"
ssh-keygen -o -t ed25519 -a 100 -N "" -f "$temp/etc/ssh/ssh_host_ed25519_key"
chmod 600 "$temp/etc/ssh/ssh_host_ed25519_key"
# initrd key
install -d -m755 "$temp/etc/secrets/initrd"
ssh-keygen -o -t ed25519 -a 100 -N "" -f "$temp/etc/secrets/initrd/ssh_host_ed25519_key"
chmod 600 "$temp/etc/secrets/initrd/ssh_host_ed25519_key"

      2. existing host

        echo "my-super-safe-password" > /tmp/disk.key
temp=$(mktemp -d)
find $temp -printf '%M %p\n'

        should result in something looking like this

        drwx------ $temp
drwxr-xr-x $temp/etc
drwxr-xr-x $temp/etc/ssh
-rw------- $temp/etc/ssh/ssh_host_rsa_key
-rw------- $temp/etc/ssh/ssh_host_ed25519_key
-rw-r--r-- $temp/etc/ssh/ssh_host_rsa_key.pub
-rw-r--r-- $temp/etc/ssh/ssh_host_ed25519_key.pub
drwxr-xr-x $temp/etc/secrets
drwxr-xr-x $temp/etc/secrets/initrd
-rw------- $temp/etc/secrets/initrd/ssh_host_ed25519_key
-rw-r--r-- $temp/etc/secrets/initrd/ssh_host_ed25519_key.pub

    3. execute install

      now simply install by executing (this will delete all data!):

      nix run github:numtide/nixos-anywhere -- \
    --disk-encryption-keys /tmp/disk.key /tmp/disk.key \
    --extra-files "$temp" \
    --flake .#<flake> \
    root@<host>

Inspired by