patrick/nix-config
1
1
Fork 0
Code Issues Pull requests Projects Wiki Activity
nix-config/README.md
Patrick df40786d28
feat: reimaged laptop
2023-09-26 22:25:58 +02:00

4.7 KiB
Raw Blame History

Meine wundervolle nix config

Structure

  • hosts/ contain nixos configuration for hosts
    • <hostname>/ configuration for hosts
      • default.nix Toplevel system definition
      • fs.nix file system definiton
      • net.nix network setup
      • secrets/ secrets local to this hosts
        • secrets.nix.age local secrets usable on deploy
        • host.pub host public key, needed for rekeying agenix secrets
  • modules/ extra nixos modules and shared configurations
    • secrets.nix module to enable deploy-time secrets
    • config/ base configuration used on all machines
    • dev/ configuration options enabling developer environment
    • graphical/ configuration for graphical environments
    • hardware/ configuration for hardware components
    • impermanence/ impermanence modules for hosts
  • nix/ additional nix functions
    • devshell.nix Development shell
    • extra-builtins.nix Extra builtin plugin file to enable repository secrets
    • TODO
    • lib.nix additional library functions
  • secrets/ global secrets
    • <name>.key.pub public key handles to decrypt secrets using yubikey
    • recipients.txt rage recipient file for encrypting secrets
      • currently containing both yubikeys and a rage backup key
    • secrets.nix.age global secrets available at deploy
  • users/ home manager user configuration
    • common/ shared home-manager modules
      • graphical/ configuration for graphical programs
      • programs/ configuration for miscellaneous programs
      • shells/ configuration for shells
      • default.nix minimal setup for all users
      • interactive.nix minimal setup for interactive users on a command line
      • graphical.nix configuration for users utilizing a graphical interface
    • <username>/ configuration for users
      • impermanence.nix users persistence configuration

Hosts

  • patricknix my main laptop
  • desktopnix my main desktop
  • testienix old laptop for testing

Users

  • patrick my normal everyday unprivileged user
  • root root user imported by every host

Flake output structure

  • checks linting and other checks for this repository
    • pre-commit-check automatic checks executed as pre-commit hooks
  • nixosHosts top level configs for hosts
  • nodes alias to nixosNodes
  • devshell development shell using devshell
  • formatter nix code formatter
  • hosts host meta declaration
  • pkgs nixpkgs
  • packages additional packages
  • secretsConfig meta configuration for secrets
  • stateVersion global stateversion used by nixos and home-manager to determine default config

How-To

Add additional hosts

  1. Add host definition to hosts.toml
  2. Create host configuration in hosts/<name>
    1. Create and fill default.nix
    2. Fill net.nix
    3. Fill fs.nix
    4. Don't forget to add necesarry config for filesystems, etc.
  3. Generate ISO image with nix build --print-out-paths --no-link .#images.<target-system>.live-iso
    • This might take multiple minutes(~10)
    • Alternatively boot an official nixos image connect with password
  4. Copy ISO to usb using dd
  5. After booting copy the installer to the live system using nix copy --to <target> .#packages.<target-system>.installer-package.<target>
  6. Run the installer script from the nix store of the live system
    • you can get the path using nix path-info .#packages.<target-system>.installer-package.<target>
  7. Export all zpools and reboot into system
  8. Retrieve hostkeys using ssh-keyscan <host> | grep -o 'ssh-ed25519.*' > host/<target>/secrets/host.pub
  9. Deploy system

Add secureboot to new systems

  1. generate keys with `sbct create-keys'
  2. tar the resulting folder using tar cvf secureboot.tar -C /etc/secureboot
  3. Copy the tar to local using scp and encrypt it using rage
  4. safe the encrypted archive to hosts/<host>/secrets/secureboot.tar.age
  5. DO NOT forget to delete the unecrypted archives
  6. link /run/secureboot to /etc/secureboot
  7. This is necesarry since for your next apply the rekeyed keys are not yet available but needed for signing the boot files
  8. ensure the boot files are signed using sbctl verify
  9. Now reboot the computer into BIOS and enable secureboot this may include removing any existing old keys
  10. bootctl should now read Secure Boot: disabled (setup)
  11. you can now enroll your secureboot keys using
  12. sbctl enroll-keys If you want to be able to boot microsoft signed images append --microsoft
  13. Time to reboot and pray

Deploy

If deploying from a host not containing the necessary nix configuration option append

--nix-option plugin-files "$NIX_PLUGINS"/lib/nix/plugins --nix-option extra-builtins-file ./nix/extra-builtins`