My wonderful nix config

Structure

  • hosts/ contain nixos configuration for hosts
    • <hostname>/ configuration for hosts
      • default.nix Toplevel system definition
      • fs.nix file system definition
      • net.nix network setup
      • secrets/ secrets local to this host
        • secrets.nix.age local secrets usable on deploy
        • host.pub host public key, needed for rekeying agenix secrets
  • modules/ extra nixos modules and shared configurations
    • secrets.nix module to enable deploy-time secrets
    • config/ base configuration used on all machines
    • dev/ configuration options enabling developer environment
    • graphical/ configuration for graphical environments
    • hardware/ configuration for hardware components
    • impermanence/ impermanence modules for hosts
  • nix/ additional nix functions
    • devshell.nix Development shell
    • extra-builtins.nix Extra builtin plugin file to enable repository secrets
    • TODO
    • lib.nix additional library functions
  • secrets/ global secrets
    • <name>.key.pub public key handles to decrypt secrets using yubikey
    • recipients.txt rage recipient file for encrypting secrets
      • currently containing both yubikeys and a rage backup key
    • secrets.nix.age global secrets available at deploy
  • users/ home manager user configuration
    • common/ shared home-manager modules
      • graphical/ configuration for graphical programs
      • programs/ configuration for miscellaneous programs
      • shells/ configuration for shells
      • default.nix minimal setup for all users
      • interactive.nix minimal setup for interactive users on a command line
      • graphical.nix configuration for users utilizing a graphical interface
    • <username>/ configuration for users
      • impermanence.nix users persistence configuration

Hosts

  • patricknix my main laptop
  • desktopnix my main desktop
  • testienix old laptop for testing

Users

  • patrick my normal everyday unprivileged user
  • root root user imported by every host

Flake output structure

  • checks linting and other checks for this repository
    • pre-commit-check automatic checks executed as pre-commit hooks
  • nixosHosts top level configs for hosts
  • nodes alias to nixosNodes
  • devshell development shell using devshell
  • formatter nix code formatter
  • hosts host meta declaration
  • pkgs nixpkgs
  • packages additional packages
  • secretsConfig meta configuration for secrets
  • stateVersion global stateversion used by nixos and home-manager to determine default config

How-To

Add additional hosts

  1. Add host definition to hosts.toml
  2. Create host configuration in hosts/<name>
    1. Create and fill default.nix
    2. Fill net.nix
    3. Fill fs.nix
    4. Don't forget to add the necessary config for filesystems, etc.
  3. Generate ISO image with nix build --print-out-paths --no-link .#images.<target-system>.live-iso
    • This might take multiple minutes (~10)
    • Alternatively, boot an official nixos image and connect with a password
  4. Copy ISO to usb using dd
  5. After booting copy the installer to the live system using nix copy --to <target> .#packages.<target-system>.installer-package.<target>
  6. Run the installer script from the nix store of the live system
    • you can get the path using nix path-info .#packages.<target-system>.installer-package.<target>
  7. Export all zpools and reboot into system
  8. Retrieve hostkeys using ssh-keyscan <host> | grep -o 'ssh-ed25519.*' > host/<target>/secrets/host.pub
  9. Deploy system
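Step 8 pipes ssh-keyscan through grep -o to produce host.pub, the key that later rekeys the agenix secrets for that host. The function below, an added example that is not part of this repository, does the same extraction but refuses to emit anything unless exactly one well-formed ed25519 key was found, so a truncated or empty host.pub is never committed. The ssh-keyscan output is constructed; the host name and the key body are placeholders.

```shell
#!/bin/sh
# Added example, not part of the repository. Extracts the ed25519 host key from
# ssh-keyscan output (as step 8 above does) and validates it before it is used
# as hosts/<target>/secrets/host.pub.

# Constructed sample of `ssh-keyscan example-host` output. Real ssh-keyscan
# prints the '#' comment line on stderr; it is mixed in here to show it is
# skipped. The base64 key bodies are placeholders, not real keys.
SAMPLE_SCAN='# example-host:22 SSH-2.0-OpenSSH_9.4
example-host ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC0placeholder
example-host ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDE
example-host ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIplaceholder'

# extract_ed25519_key SCAN_OUTPUT
# Prints "ssh-ed25519 <base64>" on stdout and returns 0, or prints nothing and
# returns 1 when the output contains no, several, or a malformed ed25519 key.
extract_ed25519_key() {
    # Same filter as the README's `grep -o 'ssh-ed25519.*'`, restricted to the
    # base64 alphabet so trailing junk on the line cannot leak into host.pub.
    key=$(printf '%s\n' "$1" | grep -v '^#' \
        | grep -o 'ssh-ed25519 [A-Za-z0-9+/=]*' || true)

    # Exactly one candidate line, otherwise the scan is ambiguous or empty.
    [ "$(printf '%s\n' "$key" | grep -c .)" -eq 1 ] || return 1

    # An ed25519 public key blob (type string + 32-byte key) is 51 bytes,
    # which is always 68 base64 characters without padding.
    body=${key#ssh-ed25519 }
    [ "${#body}" -eq 68 ] || return 1

    printf '%s\n' "$key"
}

# Stand-alone usage: write the validated key where the README expects it.
if [ "${1:-}" = "--demo" ]; then
    extract_ed25519_key "$SAMPLE_SCAN" > host.pub.example || echo "no valid ed25519 host key found" >&2
fi
```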

Add secureboot to new systems

  1. generate keys with sbctl create-keys
  2. tar the resulting folder using tar cvf secureboot.tar -C /etc/secureboot .
  3. Copy the tar to local using scp and encrypt it using rage
    • rage -e -R ./secrets/recipients.txt secureboot.tar -o <host>/secrets/secureboot.tar.age
  4. save the encrypted archive to hosts/<host>/secrets/secureboot.tar.age
  5. DO NOT forget to delete the unencrypted archives
  6. Deploy your system with lanzaboote enabled
    • link /run/secureboot to /etc/secureboot
    • This is necessary since, on this first apply, the rekeyed keys are not yet available but are already needed for signing the boot files
  7. ensure the boot files are signed using sbctl verify
  8. Now reboot the computer into the BIOS and enable secureboot; this may include removing any existing old keys
  9. bootctl should now read Secure Boot: disabled (setup)
  10. you can now enroll your secureboot keys using sbctl enroll-keys. If you want to be able to boot Microsoft-signed images, append --microsoft
  11. Time to reboot and pray

Add luks encryption TPM keys

systemd-cryptenroll --tpm2-with-pin={yes/no} --tpm2-device=auto <device>

Deploy

If deploying from a host that does not contain the necessary nix configuration option, append:

--nix-option plugin-files "$NIX_PLUGINS"/lib/nix/plugins --nix-option extra-builtins-file ./nix/extra-builtins