personal nixos config
2024-06-01 18:48:52 +02:00

nixos-config built with nixCI

This repository holds my NixOS configuration. It is fully reproducible, flake-based, and position-independent, ...

used flakes:

Structure

.
├── images       # custom image generations
├── machines     # machine definitions
├── modules      # own nix-options, to modularize services/hardware/...
├── overlays     # overlays
├── pkgs         # own packages, which are not available in nixpkgs
└── profiles     # summarize module collections into single options

Usage

  • updating:

    nix flake update
    
  • deployment/update:

    nix run .#apps.nixinate.<flake>
    
  • secrets:

    sops ./machines/<host>/secrets.yaml
    
  • images:

    nix build .#install-iso
    nix build .#aarch64-install --system aarch64-linux
    
  • vms:

    nixos-rebuild build-vm --flake .#<flake>
    
  • (re-)install:

    Make sure you have root SSH access to the machine and that your SSH key is the one being used. (It does not matter which system was installed before.)

    1. generate config (only needed for new host)

      Get nixos-generate-config via nix and run:

      nixos-generate-config --no-filesystems --root $(mktemp -d)
      

      Reuse the generated hardware-configuration.nix to create a new machine definition with its flake output.

    2. setup secrets

      1. new host

        Prepare the secrets in the following layout:

        # enter disk encryption key; keep the file private, it is sent to the target as the LUKS key
        echo "my-super-safe-password" > /tmp/disk.key
        chmod 600 /tmp/disk.key
        
        # tree that nixos-anywhere copies onto the target via --extra-files
        temp=$(mktemp -d)
        # ssh-host keys
        install -d -m755 "$temp/etc/ssh"
        ssh-keygen -o -t rsa -a 100 -N "" -b 4096 -f "$temp/etc/ssh/ssh_host_rsa_key"
        chmod 600 "$temp/etc/ssh/ssh_host_rsa_key"
        ssh-keygen -o -t ed25519 -a 100 -N "" -f "$temp/etc/ssh/ssh_host_ed25519_key"
        chmod 600 "$temp/etc/ssh/ssh_host_ed25519_key"
        # initrd key (host key of the early-boot sshd)
        install -d -m755 "$temp/etc/secrets/initrd"
        ssh-keygen -o -t ed25519 -a 100 -N "" -f "$temp/etc/secrets/initrd/ssh_host_ed25519_key"
        chmod 600 "$temp/etc/secrets/initrd/ssh_host_ed25519_key"
        
      2. existing host

        echo "my-super-safe-password" > /tmp/disk.key
        chmod 600 /tmp/disk.key
        temp=$(mktemp -d)
        # place the host's existing ssh host keys and initrd key into $temp
        # using the same layout as for a new host, then verify it:
        find "$temp" -printf '%M %p\n'
        

        This should print something like the following (private keys 600, public keys 644):

        drwx------ $temp
        drwxr-xr-x $temp/etc
        drwxr-xr-x $temp/etc/ssh
        -rw------- $temp/etc/ssh/ssh_host_rsa_key
        -rw------- $temp/etc/ssh/ssh_host_ed25519_key
        -rw-r--r-- $temp/etc/ssh/ssh_host_rsa_key.pub
        -rw-r--r-- $temp/etc/ssh/ssh_host_ed25519_key.pub
        drwxr-xr-x $temp/etc/secrets
        drwxr-xr-x $temp/etc/secrets/initrd
        -rw------- $temp/etc/secrets/initrd/ssh_host_ed25519_key
        -rw-r--r-- $temp/etc/secrets/initrd/ssh_host_ed25519_key.pub
        
    3. execute install

      Now install by running the following (this will delete all data on the target!):

      nix run github:numtide/nixos-anywhere -- \
          --disk-encryption-keys /tmp/disk.key /tmp/disk.key \
          --extra-files "$temp" \
          --flake .#<flake> \
          root@<host>
      
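As an added example that is not part of this repository, the POSIX shell script below wraps the secret handling of steps 1 to 3: `prepare_host_secrets` (assumed name) generates the key set for a new host, and `check_secrets_layout` (assumed name) verifies that an --extra-files tree, whether freshly generated or assembled from an existing host's keys, matches the permission listing above before nixos-anywhere ships it. `make_fixture_tree` (assumed name) builds a constructed placeholder tree with no real keys so the checker can be exercised without ssh-keygen.

```shell
#!/bin/sh
# Added helper (not part of this repository): build the --extra-files tree for
# nixos-anywhere and verify its layout and permissions before sending it.
# Assumed names: prepare_host_secrets, check_secrets_layout, make_fixture_tree.

# Expected layout relative to the tree root: "RELATIVE_PATH EXACT_OCTAL_MODE".
# Mirrors the `find -printf '%M %p'` listing in the README.
SECRETS_LAYOUT='
. 700
etc 755
etc/ssh 755
etc/ssh/ssh_host_rsa_key 600
etc/ssh/ssh_host_rsa_key.pub 644
etc/ssh/ssh_host_ed25519_key 600
etc/ssh/ssh_host_ed25519_key.pub 644
etc/secrets 755
etc/secrets/initrd 755
etc/secrets/initrd/ssh_host_ed25519_key 600
etc/secrets/initrd/ssh_host_ed25519_key.pub 644
'

# Generate fresh host keys into DIR (new host). Needs ssh-keygen; it is not
# run by the self-check below, so the script also works without OpenSSH.
prepare_host_secrets() {
  dir=$1
  for d in etc etc/ssh etc/secrets etc/secrets/initrd; do
    mkdir -p "$dir/$d" && chmod 755 "$dir/$d"
  done
  ssh-keygen -q -o -t rsa -a 100 -N "" -b 4096 -f "$dir/etc/ssh/ssh_host_rsa_key"
  ssh-keygen -q -o -t ed25519 -a 100 -N "" -f "$dir/etc/ssh/ssh_host_ed25519_key"
  ssh-keygen -q -o -t ed25519 -a 100 -N "" -f "$dir/etc/secrets/initrd/ssh_host_ed25519_key"
  chmod 600 "$dir"/etc/ssh/*_key "$dir"/etc/secrets/initrd/*_key
}

# Verify DIR against SECRETS_LAYOUT: every entry must exist with exactly the
# listed mode, and private keys must be non-empty. Returns 1 on any finding.
check_secrets_layout() {
  dir=$1
  rc=0
  while read -r rel mode; do
    [ -n "$rel" ] || continue
    path="$dir/$rel"
    if [ ! -e "$path" ]; then
      echo "missing: $rel" >&2
      rc=1
      continue
    fi
    # POSIX find: a bare octal -perm argument matches the mode bits exactly.
    if [ -z "$(find "$path" -prune -perm "$mode")" ]; then
      echo "wrong mode on $rel (want $mode)" >&2
      rc=1
    fi
    case $rel in
      *_key) [ -s "$path" ] || { echo "empty private key: $rel" >&2; rc=1; } ;;
    esac
  done <<EOF
$SECRETS_LAYOUT
EOF
  return "$rc"
}

# Build a constructed stand-in tree (placeholder contents, no real keys) so
# the checker can be demonstrated offline.
make_fixture_tree() {
  dir=$1
  for d in etc etc/ssh etc/secrets etc/secrets/initrd; do
    mkdir -p "$dir/$d" && chmod 755 "$dir/$d"
  done
  for k in etc/ssh/ssh_host_rsa_key etc/ssh/ssh_host_ed25519_key \
           etc/secrets/initrd/ssh_host_ed25519_key; do
    printf 'CONSTRUCTED PLACEHOLDER, NOT A KEY\n' > "$dir/$k"
    chmod 600 "$dir/$k"
    printf 'ssh-placeholder CONSTRUCTED\n' > "$dir/$k.pub"
    chmod 644 "$dir/$k.pub"
  done
}

# Self-check: a well-formed tree passes; loosening one private key fails it.
demo=$(mktemp -d)
make_fixture_tree "$demo"
check_secrets_layout "$demo" && echo "layout ok: $demo"
chmod 644 "$demo/etc/ssh/ssh_host_rsa_key"
check_secrets_layout "$demo" || echo "layout rejected after chmod 644 on a private key"
rm -rf "$demo"
```

Run `check_secrets_layout "$temp"` right before the nixos-anywhere call: a non-zero exit means a key would be missing on the target or land there with the wrong mode, which is far cheaper to catch locally than after the disk has been wiped.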

Inspired by