nix-config/README.md

108 lines
4.7 KiB
Markdown

# Meine wundervolle nix config
## Structure
- `hosts/` contain nixos configuration for hosts
- `<hostname>/` configuration for hosts
- `default.nix` Toplevel system definition
- `fs.nix` file system definiton
- `net.nix` network setup
- `secrets/` secrets local to this hosts
- `secrets.nix.age` local secrets usable on deploy
- `host.pub` host public key, needed for rekeying agenix secrets
- `modules/` extra nixos modules and shared configurations
- `secrets.nix` module to enable deploy-time secrets
- `config/` base configuration used on all machines
- `dev/` configuration options enabling developer environment
- `graphical/` configuration for graphical environments
- `hardware/` configuration for hardware components
- `impermanence/` impermanence modules for hosts
- `nix/` additional nix functions
- `devshell.nix` Development shell
- `extra-builtins.nix` Extra builtin plugin file to enable repository secrets
- TODO
- `lib.nix` additional library functions
- `secrets/` global secrets
- `<name>.key.pub` public key handles to decrypt secrets using yubikey
- `recipients.txt` rage recipient file for encrypting secrets
- currently containing both yubikeys and a rage backup key
- `secrets.nix.age` global secrets available at deploy
- `users/` home manager user configuration
- `common/` shared home-manager modules
- `graphical/` configuration for graphical programs
- `programs/` configuration for miscellaneous programs
- `shells/` configuration for shells
- `default.nix` minimal setup for all users
- `interactive.nix` minimal setup for interactive users on a command line
- `graphical.nix` configuration for users utilizing a graphical interface
- `<username>/` configuration for users
- `impermanence.nix` users persistence configuration
## Hosts
- `patricknix` my main laptop
- `desktopnix` my main desktop
- `testienix` old laptop for testing
## Users
- `patrick` my normal everyday unprivileged user
- `root` root user imported by every host
## Flake output structure
- `checks` linting and other checks for this repository
- `pre-commit-check` automatic checks executed as pre-commit hooks
- `nixosHosts` top level configs for hosts
- `nodes` alias to `nixosNodes`
- `devshell` development shell using devshell
- `formatter` nix code formatter
- `hosts` host meta declaration
- `pkgs` nixpkgs
- `packages` additional packages
- `secretsConfig` meta configuration for secrets
- `stateVersion` global stateversion used by nixos and home-manager to determine default config
## How-To
### Add additional hosts
1. Add host definition to `hosts.toml`
2. Create host configuration in `hosts/<name>`
1. Create and fill `default.nix`
1. Fill `net.nix`
1. Fill `fs.nix`
2. Don't forget to add necesarry config for filesystems, etc.
3. Generate ISO image with `nix build --print-out-paths --no-link .#images.<target-system>.live-iso`
- This might take multiple minutes(~10)
- Alternatively boot an official nixos image connect with password
3. Copy ISO to usb using dd
3. After booting copy the installer to the live system using `nix copy --to <target> .#packages.<target-system>.installer-package.<target>`
4. Run the installer script from the nix store of the live system
- you can get the path using `nix path-info .#packages.<target-system>.installer-package.<target>`
4. Export all zpools and reboot into system
6. Retrieve hostkeys using `ssh-keyscan <host> | grep -o 'ssh-ed25519.*' > host/<target>/secrets/host.pub
5. Deploy system
### Add secureboot to new systems
1. generate keys with `sbct create-keys'
1. tar the resulting folder using `tar cvf secureboot.tar -C /etc/secureboot`
1. Copy the tar to local using scp and encrypt it using rage
1. safe the encrypted archive to `hosts/<host>/secrets/secureboot.tar.age`
1. *DO NOT* forget to delete the unecrypted archives
1. link `/run/secureboot` to `/etc/secureboot`
1. This is necesarry since for your next apply the rekeyed keys are not yet available but needed for signing the boot files
1. ensure the boot files are signed using `sbctl verify`
1. Now reboot the computer into BIOS and enable secureboot
this may include removing any existing old keys
1. bootctl should now read `Secure Boot: disabled (setup)`
1. you can now enroll your secureboot keys using
1. `sbctl enroll-keys`
If you want to be able to boot microsoft signed images append `--microsoft`
1. Time to reboot and pray
## Deploy
If deploying from a host not containing the necessary nix configuration option append
```bash
--nix-option plugin-files "$NIX_PLUGINS"/lib/nix/plugins --nix-option extra-builtins-file ./nix/extra-builtins`
```