nix-config/README.md

123 lines
6.7 KiB
Markdown
Raw Normal View History

2024-04-11 23:11:53 +02:00
# Meine wundervolle nix config ❄️
[Structure](./STRUCTURE.md)
## Hosts
2024-04-11 23:11:53 +02:00
| | Name | Device | Description
---|---|---|---
💻 | patricknix | HP spectre x360 | Patrick's laptop, mainly used for on the go university
🖥️ | desktopnix | Intel i5-8600K <br> NVIDIA GeForce GTX 1080 <br> 32 GiB RAM | Patrick's desktop, used for most development and gaming
🖥️ | elisabeth | AMD Ryzen 7 5800X <br> 32 GiB RAM | Server running most cloud services
🖥️ | maddy | Hetzner VPS | Static IP server running mail
## User Configuration
This showcases my end user setup, which I dailydrive on all my hosts.
| | Programm | Description
---|---|---
🐚 Shell | [ZSH](./users/common/shells/zsh/default.nix) & [Starship](./users/common/shells/starfish.nix) | ZSH with FZF autocomplete, starship prompt, sqlite history and histdb-skim for fancy reverse search
🪟 WM | [Sway](./users/common/graphical/wayland/sway.nix) & [i3](./users/common/graphical/Xorg/i3.nix) | Tiling window managers with similar behaviour for wayland and xorg
🖼️ Styling | [Stylix](./modules/graphical/default.nix) | globally consistent styling
📝 Editor | [NeoVim](./users/common/programs/nvim/default.nix) | Extensively configured neovim
🎮 Gaming | [Bottles](./users/common/programs/bottles.nix) & [Steam](./modules/optional/steam.nix) | Pew, Pew and such
🌐 Browser | [Firefox](./users/patrick/firefox.nix) | Heavily configured Firefox to still my privacy and security needs
💻 Terminal | [Kitty](./users/common/programs/kitty.nix) | fast terminal
🎵 Music | [Spotify](./users/common/programs/spicetify.nix) | Fancy looking spotify using spicetify
📫 Mail | [Thunderbird](./users/common/programs/thunderbird.nix) | Best email client there is
🎛️ StreamDeck | [StreamDeck](./users/patrick/streamdeck.nix) | More hotkeys = more better
## Service Configuration
These are services I've set up
| | Programm | Description
---|---|---
💸 Budgeting | [FireflyIII](./config/services/firefly.nix) | Self Hosted budgeting tool
🛡️ AdBlock | [AdGuard Home](./config/services/adguardhome.nix) | DNS Adblocker
🔨 Git | [Forgejo](./config/services/forgejo.nix) | Selfhosted GitHub alternative
📸 Photos | [Immich](./config/services/immich.nix) | Selfhosted Google Photos equivalent
🔒 SSO | [Kanidm](./config/services/kanidm.nix) | Secure single sign on Identity Provider
📧 E-Mail | [Maddy](./config/services/maddy.nix) | All in one mail server
🎧 Communication | [Murmur](./config/services/murmur.nix) | Selfhosted mumble server for secure and always available communication
🌐 VPN | [Netbird](./config/services/netbird.nix) | Easy to use peer to peer VPN solution based on wireguard
🌧️ Cloud | [NextCloud](./config/services/nextcloud.nix) | All in one cloud solution providing online File storage as well as notes, contacts and calendar synchronization
🗄️ Documents | [Paperless](./config/services/paperless.nix) | Machine learnig supported document organizing plattform
📁 NAS | [Samba](./config/services/samba.nix) | Local network shared storage
📰 Feedreader | [freshRSS](./config/services/ttrss.nix) | hosted RSS feed aggregator
🔑 Passwords | [Vaultwarden](./config/services/vaultwarden.nix) | Self hosted bitwarden server
🎵 Music | [Your Spotify](./config/services/yourspotify.nix) | Spotify listening habits analyzer
## External dependencies
These are notable external flakes which this config depend upon
| Name | Usage |
---|---
[NixVim](https://github.com/nix-community/nixvim) | NeoVim using nix
[MicroVM](https://github.com/astro/microvm.nix) | Declarative VMs
[Disko](https://github.com/nix-community/disko)| disk partitioning
[nixos-generators](https://github.com/nix-community/nixos-generators) | generate installers
[home-manager](https://github.com/nix-community/home-manager) | user config
[agenix](https://github.com/ryantm/agenix) | secret files for nix
[agenix-rekey](https://github.com/oddlama/agenix-rekey) | secret files that are git commitable
[nixos-nftables-firewall](https://github.com/thelegy/nixos-nftables-firewall) | nftables based firewall
[impermanence](https://github.com/nix-community/impermanence) | stateless filesystem
[lanzaboote](https://github.com/nix-community/lanzaboote) | Secure Boot
[stylix](https://github.com/danth/stylix) | theming
[spicetify](https://github.com/the-argus/spicetify-nix) | spotify looking fancy
## How-To
2023-08-26 14:01:58 +02:00
### Add additional hosts
1. Add host definition to `hosts.toml`
2023-08-30 14:25:52 +02:00
2. Create host configuration in `hosts/<name>`
1. Create and fill `default.nix`
1. Fill `net.nix`
1. Fill `fs.nix`
2024-04-11 23:11:53 +02:00
2. Don't forget to add necessary config for filesystems, etc.
3. Generate ISO image using `nix build --print-out-paths --no-link .#images.<target-system>.live-iso`
2023-08-30 20:18:26 +02:00
- This might take multiple minutes(~10)
2023-08-31 22:34:22 +02:00
- Alternatively boot an official nixos image connect with password
3. Copy ISO to usb using dd
3. After booting copy the installer to the live system using `nix copy --to <target> .#packages.<target-system>.installer-package.<target>`
4. Run the installer script from the nix store of the live system
- you can get the path using `nix path-info .#packages.<target-system>.installer-package.<target>`
4. Export all zpools and reboot into system
2023-09-26 22:25:58 +02:00
6. Retrieve hostkeys using `ssh-keyscan <host> | grep -o 'ssh-ed25519.*' > host/<target>/secrets/host.pub`
2023-09-25 21:28:30 +02:00
5. Deploy system
2023-08-30 14:25:52 +02:00
### Add secureboot to new systems
2024-04-11 23:11:53 +02:00
2023-10-09 15:07:30 +02:00
1. generate keys with `sbct create-keys`
1. tar the resulting folder using `tar cvf secureboot.tar -C /etc/secureboot .`
1. Copy the tar to local using scp and encrypt it using rage
2023-10-09 15:07:30 +02:00
- `rage -e -R ./secrets/recipients.txt secureboot.tar -o <host>/secrets/secureboot.tar.age`
1. safe the encrypted archive to `hosts/<host>/secrets/secureboot.tar.age`
1. *DO NOT* forget to delete the unecrypted archives
2023-10-09 15:07:30 +02:00
1. Deploy your system with lanzaboote enabled
- link `/run/secureboot` to `/etc/secureboot`
- This is necesarry since for your this apply the rekeyed keys are not yet available but already needed for signing the boot files
1. ensure the boot files are signed using `sbctl verify`
2023-10-09 15:07:30 +02:00
1. Now reboot the computer into BIOS and enable secureboot,
this may include removing any existing old keys
1. bootctl should now read `Secure Boot: disabled (setup)`
1. you can now enroll your secureboot keys using
1. `sbctl enroll-keys`
If you want to be able to boot microsoft signed images append `--microsoft`
1. Time to reboot and pray
2023-10-09 15:07:30 +02:00
### Add luks encryption TPM keys
2024-04-11 23:11:53 +02:00
2023-10-10 18:37:55 +02:00
`systemd-cryptenroll --tpm2-with-pin={yes/no} --tpm2-device=auto <device>`
2023-10-06 23:46:48 +02:00
2024-04-11 23:11:53 +02:00
### Deploy from new host
If deploying from a host not containing the necessary nix configuration option append
```bash
--nix-option plugin-files "$NIX_PLUGINS"/lib/nix/plugins --nix-option extra-builtins-file ./nix/extra-builtins`
```