
# My wonderful nix config ❄️

## Structure

### Hosts

| Name | Device | Description |
|---|---|---|
| 💻 patricknix | HP Spectre x360 | Patrick's laptop, mainly used on the go at university |
| 🖥️ desktopnix | Intel i5-8600K, NVIDIA GeForce GTX 1080, 32 GiB RAM | Patrick's desktop, used for most development and gaming |
| 🖥️ elisabeth | AMD Ryzen 7 5800X, 32 GiB RAM | Server running most cloud services |
| 🖥️ maddy | Hetzner VPS | Static IP server running mail |

## User Configuration

This showcases my end user setup, which I daily-drive on all my hosts.

| | Program | Description |
|---|---|---|
| 🐚 Shell | ZSH & Starship | ZSH with FZF autocomplete, starship prompt, sqlite history and histdb-skim for fancy reverse search |
| 🪟 WM | Hyprland | Tiling window manager |
| 🖼️ Styling | Stylix | Globally consistent styling |
| 📝 Editor | NeoVim | Extensively configured neovim |
| 🎮 Gaming | Bottles & Steam | Pew, pew and such |
| 🌐 Browser | Firefox | Heavily configured Firefox to satisfy my privacy and security needs |
| 💻 Terminal | Kitty | Fast terminal |
| 🎵 Music | Spotify | Fancy looking spotify using spicetify |
| 📫 Mail | Thunderbird | Best email client there is |

## Service Configuration

These are the services I've set up.

| | Program | Description |
|---|---|---|
| 💸 Budgeting | FireflyIII | Self-hosted budgeting tool |
| 🛡️ AdBlock | AdGuard Home | DNS adblocker |
| 🔨 Git | Forgejo | Self-hosted GitHub alternative |
| 📸 Photos | Immich | Self-hosted Google Photos equivalent |
| 🔒 SSO | Kanidm | Secure single sign-on identity provider |
| 📧 E-Mail | Maddy | All-in-one mail server |
| 🎧 Communication | Teamspeak | Self-hosted teamspeak server for secure and always available communication |
| 🌐 VPN | Netbird | Easy to use peer-to-peer VPN solution based on wireguard |
| 🌧️ Cloud | NextCloud | All-in-one cloud solution providing online file storage as well as notes, contacts and calendar synchronization |
| 🗄️ Documents | Paperless | Machine-learning-supported document organizing platform |
| 📁 NAS | Samba | Local network shared storage |
| 📰 Feedreader | freshRSS | Hosted RSS feed aggregator |
| 🔑 Passwords | Vaultwarden | Self-hosted bitwarden server |
| 🎵 Music | Your Spotify | Spotify listening habits analyzer |

## External dependencies

These are notable external flakes which this config depends upon.

| Name | Usage |
|---|---|
| NixVim | NeoVim using nix |
| MicroVM | Declarative VMs |
| Disko | Disk partitioning |
| nixos-generators | Generate installers |
| home-manager | User config |
| agenix | Secret files for nix |
| agenix-rekey | Secret files that are git-commitable |
| nixos-nftables-firewall | nftables-based firewall |
| impermanence | Stateless filesystem |
| lanzaboote | Secure Boot |
| stylix | Theming |
| spicetify | Spotify looking fancy |

## How-To

### Add additional hosts

1. Add the host definition to `hosts.toml`
2. Create the host configuration in `hosts/<name>`
    1. Create and fill `default.nix`
    2. Fill `net.nix`
    3. Fill `fs.nix`
    4. Don't forget to add the necessary config for filesystems, etc.
3. Generate an ISO image using `nix build --print-out-paths --no-link .#images.<target-system>.live-iso`
    - This might take multiple minutes (~10)
    - Alternatively, boot an official NixOS image and connect with a password
4. Copy the ISO to a USB stick using `dd`
5. After booting, copy the installer to the live system using `nix copy --to <target> .#minimalConfigurations.<target-system>.config.system.build.installFromLive`
6. Run the installer script from the nix store of the live system
    - You can get the path using `nix path-info .#minimalConfigurations.<target-system>.config.system.build.installFromLive`
7. Export all zpools and reboot into the system
8. Retrieve the host keys using `ssh-keyscan <host> | grep -o 'ssh-ed25519.*' > host/<target>/secrets/host.pub`
9. Deploy the system
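A stricter form of the host-key step above, added here as an example and not part of this repository. It assumes the key lands in the repo's `hosts/<name>/secrets/host.pub`; `HOST` and `TARGET` are placeholders.

```shell
# Added example, not part of this repository: a stricter form of step 8.
# ssh-keyscan prints "<host> <type> <base64> [comment]"; the grep in the step
# above keeps everything after "ssh-ed25519", so a stray comment or a second
# key would end up in host.pub. This keeps only the ed25519 key, insists that
# exactly one was returned, and writes just "ssh-ed25519 <base64>".

# extract_host_key: reads ssh-keyscan output on stdin, prints the key or
# fails with exit status 1.
extract_host_key() {
    keys=$(grep -v '^#' | awk '$2 == "ssh-ed25519" { print $2, $3 }' | sort -u)
    count=$(printf '%s\n' "$keys" | grep -c . || :)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one ssh-ed25519 key, got $count" >&2
        return 1
    fi
    printf '%s\n' "$keys"
}

# Usage on a real host (HOST and TARGET are placeholders):
#   ssh-keyscan -t ed25519 "$HOST" | extract_host_key > "hosts/$TARGET/secrets/host.pub"
# Compare the fingerprint with one obtained over a trusted channel before
# deploying, since a keyscan alone only records whatever answered on the wire:
#   ssh-keygen -lf "hosts/$TARGET/secrets/host.pub"
```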

### Add Secure Boot to new systems

1. Generate keys with `sbctl create-keys`
2. Tar the resulting folder using `tar cvf secureboot.tar -C /var/lib/sbctl .`
3. Copy the tar to your local machine using `scp` and encrypt it using `rage`
    - `rage -e -R ./secrets/recipients.txt secureboot.tar -o <host>/secrets/secureboot.tar.age`
4. Save the encrypted archive to `hosts/<host>/secrets/secureboot.tar.age`
5. DO NOT forget to delete the unencrypted archives
6. Deploy your system with lanzaboote enabled
7. Ensure the boot files are signed using `sbctl verify`
8. Now reboot the computer into the BIOS and enable Secure Boot; this may include removing any existing old keys
9. `bootctl` should now read `Secure Boot: disabled (setup)`
10. You can now enroll your Secure Boot keys using `sbctl enroll-keys`
11. If you want to be able to boot Microsoft-signed images, append `--microsoft`
12. Time to reboot and pray
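A guard for the enrolment steps above, added here as an example and not part of this repository: it parses `bootctl status` for the `Secure Boot:` line from step 9 and only proceeds to `sbctl enroll-keys` while the firmware is in setup mode. The `enabled (user)` wording for the post-enrolment state is assumed from `bootctl` output, not taken from this page.

```shell
# Added example, not part of this repository: a guard for steps 9 to 11.
# `sbctl enroll-keys` only works while the firmware is in setup mode, i.e.
# when `bootctl status` reports "Secure Boot: disabled (setup)" as in step 9.
# After a successful enrolment the same line reads "enabled (user)" (assumed
# bootctl wording); any other value (still enabled with the vendor keys, or
# no UEFI at all) means the BIOS step was not completed and enrolment should
# not be attempted.

# secureboot_state: reads `bootctl status` output on stdin and prints
# setup, user or unknown.
secureboot_state() {
    line=$(grep -i 'Secure Boot:' | head -n 1)
    case "$line" in
        *"disabled (setup)"*) echo setup ;;
        *"enabled (user)"*)   echo user ;;
        *)                    echo unknown ;;
    esac
}

# enroll_decision: takes the bootctl output as $1 so the decision can be
# exercised without hardware. Exit status: 0 = enroll now,
# 1 = keys already enrolled, 2 = not in setup mode, stop.
enroll_decision() {
    case "$(printf '%s\n' "$1" | secureboot_state)" in
        setup) return 0 ;;
        user)  return 1 ;;
        *)     return 2 ;;
    esac
}

# On the real machine (run as root; pass --microsoft to keep booting
# Microsoft-signed images, exactly as in step 11):
#   sh this-script.sh --run [--microsoft]
if [ "${1:-}" = "--run" ]; then
    shift
    status=$(bootctl status)
    if enroll_decision "$status"; then rc=0; else rc=$?; fi
    case $rc in
        0) sbctl enroll-keys "$@" ;;
        1) echo "Secure Boot keys are already enrolled" ;;
        *) echo "firmware is not in setup mode, fix BIOS settings first" >&2; exit 2 ;;
    esac
fi
```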

### Add LUKS encryption TPM keys

```
systemd-cryptenroll --tpm2-with-pin={yes/no} --tpm2-device=auto <device>
```

### Deploy from a new host

If deploying from a host that does not contain the necessary nix configuration options, append:

```
--nix-option plugin-files "$NIX_PLUGINS"/lib/nix/plugins --nix-option extra-builtins-file ./nix/extra-builtins
```