nixos-config/README.md

124 lines
4.1 KiB
Markdown
Raw Normal View History

2020-08-22 17:44:39 +02:00
# NixOS configuration
## Structure
* `machines`: Machine-specific configuration
+ `README.md`: Short overview of the hardware and usage of the machine
+ `configuration.nix`: Main configuration
+ `hardware-configuration.nix`: Hardware-specific configuration. It should
not depend on any modules or files from this repository, since it is used
for initial setup.
2021-03-01 13:54:18 +01:00
+ `services`: Non-trivial machine-specific configuration related to a
specific service the machine provides.
2021-03-01 13:54:41 +01:00
+ `secrets`: Nix expressions that include information that is not meant to
be visible to everyone (e.g. accounts, password hashes, private
information etc.) or secrets for services that dont provide any other
(easy) way of specifying them and whose secrets leaking does not pose a
huge threat
* `modules`: Custom modules. Many are activated by default, since I want them
on all systems.
* `pkgs`: My nixpkgs overlay
* `users/simon`: [home-manager](https://github.com/nix-community/home-manager)
configuration
Secrets are managed with [sops-nix](https://github.com/Mic92/sops-nix).
Machines can be deployed with `nix run .#deploy/hostname`, LUKS encrypted
systems can be unlocked over network with `nix run .#unlock/hostname`.
2020-08-22 17:44:39 +02:00
## How to install
This guide describes how to install this configuration with GPT and BIOS boot.
It is not a one-fits-all guide, but the base for what I use for interactive
systems. Servers and specialised systems may need a different setup (e.g. swap
with random luks passphrase and no LVM).
2020-08-22 17:44:39 +02:00
Set up wifi if no wired connection is available:
2020-08-24 11:11:23 +02:00
wpa_passphrase "SSID" "PSK" | wpa_supplicant -B -i wlp4s0 -c/dev/stdin
2020-08-24 11:11:23 +02:00
Create the partition table (enter the indented lines in the repl):
2020-08-22 17:44:39 +02:00
parted /dev/sdX
2020-08-22 17:44:39 +02:00
mktable GPT
mkpart primary 1MiB 2MiB
mkpart primary 2MiB 500MiB
mkpart primary 500MiB 100%
set 1 bios_grub on
disk_toggle pmbr_boot
quit
On UEFI:
parted /dev/nvmeXnY
mktable GPT
mkpart ESP 1MiB 512MiB
mkpart root 512MiB 100%
set 1 esp on
quit
Format encrypted partition and open it:
2020-08-22 17:44:39 +02:00
cryptsetup luksFormat --type luks2 /dev/sdX3
cryptsetup open --type luks2 /dev/sdX3 HOSTNAME-pv
2020-08-22 17:44:39 +02:00
Create LVM (replace `8G` with desired swap size):
2020-08-22 17:44:39 +02:00
pvcreate /dev/mapper/HOSTNAME-pv
vgcreate HOSTNAME-vg /dev/mapper/HOSTNAME-pv
lvcreate -L 8G -n swap HOSTNAME-vg
lvcreate -l '100%FREE' -n root HOSTNAME-vg
2020-08-22 17:44:39 +02:00
**Hint**: If you have to reboot to the installation system later because
something went wrong and you need access to the LVM (but dont know LVM), do
the following after opening the luks partition: `vgchange -ay`.
2020-08-22 17:44:39 +02:00
Create filesystems:
2020-08-22 17:44:39 +02:00
mkfs.ext2 /dev/sdX2
mkfs.btrfs -L root /dev/HOSTNAME-vg/root
mkswap -L swap /dev/HOSTNAME-vg/swap
2020-08-22 17:44:39 +02:00
On UEFI:
mkfs.fat -F 32 -n boot /dev/nvmeXnYpZ
mkfs.btrfs -L root /dev/HOSTNAME-vg/root
mkswap -L swap /dev/HOSTNAME-vg/swap
Mount the file systems and activate swap:
2020-08-22 17:44:39 +02:00
mount /dev/HOSTNAME-vg/root /mnt
mkdir /mnt/boot
mount /dev/sdX2 /mnt/boot
swapon /dev/HOSTNAME-vg/swap
2020-08-22 17:44:39 +02:00
Generate hardware configuration and copy hardware configuration to machine
configuration (skip this step if you already have a hardware-configuration for
this machine):
nixos-generate-config --root /mnt/
2020-08-22 17:44:39 +02:00
Modify the hardware configuration as needed and add it to the machine
configuration in this repository. If necessary, create the machine
configuration first by basing it on an already existing configuration and
adding an entry to `machines/default.nix`. Then copy this repository to the
target machine and run (`--impure` is needed since `/mnt/nix/store` is not in
`/nix/store`):
2020-08-22 17:44:39 +02:00
nixos-install --no-channel-copy --impure --flake /path/to/repository#hostname
2020-08-22 17:44:39 +02:00
Add the krops sentinel file:
2020-08-22 17:44:39 +02:00
mkdir -p /mnt/var/src
touch /mnt/var/src/.populate
2020-08-22 17:44:39 +02:00
Reboot.
2020-08-22 17:44:39 +02:00
## License
Unless otherwise noted in the specific files or directories,
the files in this repository are licensed under the [MIT License](LICENSE).
This only applies to the nix expressions, not the built system or package closures.
Patches may also be licensed differently,
since they may be derivative works of the packages to which they apply.