- `machines`: Machine-specific configuration
  - `README.md`: Short overview of the hardware and usage of the machine
  - `configuration.nix`: Main configuration
  - `hardware-configuration.nix`: Hardware-specific configuration. It should not depend on any modules or files from this repository, since it is used for initial setup.
  - `services`: Non-trivial machine-specific configuration related to a specific service the machine provides.
  - `secrets`: Nix expressions that include information that is not meant to be visible to everyone (e.g. accounts, password hashes, private information etc.), or secrets for services that don't provide any other (easy) way of specifying them and whose leaking would not pose a major threat
- `modules`: Custom modules. Many are activated by default, since I want them on all systems.
- `pkgs`: My nixpkgs overlay
- `users/simon`: home-manager configuration
Secrets are managed with sops-nix. Machines can be deployed with `nix run .#deploy/hostname`; LUKS encrypted systems can be unlocked over the network with `nix run .#unlock/hostname`.
## How to install

This guide describes how to install this configuration with GPT and BIOS boot. It is not a one-size-fits-all guide, but the base for what I use for interactive systems. Servers and specialised systems may need a different setup (e.g. swap with a random LUKS passphrase and no LVM).
Set up wifi if no wired connection is available (enter the indented lines at the `wpa_cli` prompt):

```sh
systemctl start wpa_supplicant
wpa_cli
    add_network
    set_network 0 ssid "SSID"
    set_network 0 psk "PSK"
    set_network 0 key_mgmt WPA-PSK
    enable_network 0
```
Create the partition table (enter the indented lines in the parted repl). For a disk booted via an EFI system partition:

```sh
parted /dev/nvmeXnY
    mktable GPT
    mkpart ESP 1MiB 512MiB
    mkpart root 512MiB 100%
    set 1 esp on
    quit
```

For a BIOS-booted disk with GPT (a small `bios_grub` partition, a boot partition and the root partition):

```sh
parted /dev/sdX
    mktable GPT
    mkpart primary 1MiB 2MiB
    mkpart primary 2MiB 500MiB
    mkpart primary 500MiB 100%
    set 1 bios_grub on
    disk_toggle pmbr_boot
    quit
```
Format the encrypted partition and open it:

```sh
cryptsetup luksFormat --type luks2 /dev/nvmeXnYp2
cryptsetup open --type luks2 /dev/nvmeXnYp2 HOSTNAME-pv
```
Create LVM (replace `8G` with the desired swap size):

```sh
pvcreate /dev/mapper/HOSTNAME-pv
vgcreate HOSTNAME-vg /dev/mapper/HOSTNAME-pv
lvcreate -L 8G -n swap HOSTNAME-vg
lvcreate -l '100%FREE' -n root HOSTNAME-vg
```
Hint: If you have to reboot to the installation system later because something went wrong and you need access to the LVM (but don't know LVM), do the following after opening the LUKS partition:
Create the file systems. For the EFI layout:

```sh
mkfs.fat -F 32 -n boot /dev/nvmeXnYpZ
mkfs.btrfs -L root /dev/HOSTNAME-vg/root
mkswap -L swap /dev/HOSTNAME-vg/swap
```

For the BIOS layout (the boot partition is the second partition created above):

```sh
mkfs.ext2 /dev/sdX2
mkfs.btrfs -L root /dev/HOSTNAME-vg/root
mkswap -L swap /dev/HOSTNAME-vg/swap
```
Mount the file systems and activate swap:

```sh
mount /dev/HOSTNAME-vg/root /mnt
mkdir /mnt/boot
mount /dev/nvmeXnYp1 /mnt/boot
swapon /dev/HOSTNAME-vg/swap
```
Generate the hardware configuration and copy it to the machine configuration (skip this step if you already have a hardware configuration for this machine):

```sh
nixos-generate-config --root /mnt/
```
Modify the hardware configuration as needed and add it to the machine configuration in this repository. If necessary, create the machine configuration first by basing it on an already existing configuration and adding an entry to `machines/default.nix`. Then copy this repository to the target machine and run (`--impure` is needed since `/mnt/nix/store` is not in

```sh
nixos-install --no-channel-copy --impure --flake /path/to/repository#hostname
```
Add the krops sentinel file:

```sh
mkdir -p /mnt/var/src
touch /mnt/var/src/.populate
```
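As an added example that is not part of this repository: a sanity check to run on the installer before `nixos-install`, which reads `lsblk -P` output and confirms that the layout the steps above build is actually in place (LUKS2 container, LVM PV inside it, btrfs root LV on `/mnt`, active swap LV, boot partition on `/mnt/boot`) and that no bare, unencrypted partition ended up as root. It assumes an `lsblk` that knows the `FSVER` column (util-linux 2.36 or newer); the sample output embedded below is constructed for the offline demonstration.

```sh
#!/bin/sh
# Pre-install layout check over:  lsblk -P -o NAME,TYPE,FSTYPE,FSVER,MOUNTPOINT
# Confirms the layout the guide builds before nixos-install runs:
# LUKS2 container -> LVM PV -> btrfs root LV on /mnt, swap LV active,
# boot partition (vfat ESP or ext2 for BIOS) on /mnt/boot, no plain root.

# field LINE KEY: extract KEY="value" from one lsblk -P line (no eval on device data).
field() {
    printf ' %s\n' "$1" | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# check_layout: reads lsblk -P lines on stdin, prints every missing piece,
# returns 0 only when the complete expected layout is present.
check_layout() {
    luks2=0 pv=0 root=0 swap=0 boot=0 plain=0
    while IFS= read -r line; do
        t=$(field "$line" TYPE); f=$(field "$line" FSTYPE)
        v=$(field "$line" FSVER); m=$(field "$line" MOUNTPOINT)
        case "$t:$f:$v:$m" in
            part:crypto_LUKS:2:*)   luks2=1 ;;   # luksFormat --type luks2
            crypt:LVM2_member:*:*)  pv=1 ;;      # opened LUKS device used by pvcreate
            lvm:btrfs:*:/mnt)       root=1 ;;
            lvm:swap:*:"[SWAP]")    swap=1 ;;    # swapon done
            part:vfat:*:/mnt/boot)  boot=1 ;;    # EFI variant
            part:ext2:*:/mnt/boot)  boot=1 ;;    # BIOS variant
            part:*:*:/mnt)          plain=1 ;;   # root on a bare partition: not encrypted
        esac
    done
    rc=0
    [ "$luks2" = 1 ] || { echo "missing: LUKS2 partition"; rc=1; }
    [ "$pv" = 1 ]    || { echo "missing: LVM PV inside the opened LUKS device"; rc=1; }
    [ "$root" = 1 ]  || { echo "missing: btrfs root LV mounted on /mnt"; rc=1; }
    [ "$swap" = 1 ]  || { echo "missing: active swap LV"; rc=1; }
    [ "$boot" = 1 ]  || { echo "missing: boot partition mounted on /mnt/boot"; rc=1; }
    [ "$plain" = 0 ] || { echo "error: plain partition mounted on /mnt, root is not encrypted"; rc=1; }
    return "$rc"
}

# Constructed sample output (EFI variant of the guide, HOSTNAME as in the text).
SAMPLE_OK='NAME="nvme0n1p1" TYPE="part" FSTYPE="vfat" FSVER="FAT32" MOUNTPOINT="/mnt/boot"
NAME="nvme0n1p2" TYPE="part" FSTYPE="crypto_LUKS" FSVER="2" MOUNTPOINT=""
NAME="HOSTNAME-pv" TYPE="crypt" FSTYPE="LVM2_member" FSVER="LVM2 001" MOUNTPOINT=""
NAME="HOSTNAME--vg-swap" TYPE="lvm" FSTYPE="swap" FSVER="1" MOUNTPOINT="[SWAP]"
NAME="HOSTNAME--vg-root" TYPE="lvm" FSTYPE="btrfs" FSVER="" MOUNTPOINT="/mnt"'
# Constructed sample where the root partition was formatted directly, skipping LUKS/LVM.
SAMPLE_BAD='NAME="nvme0n1p1" TYPE="part" FSTYPE="vfat" FSVER="FAT32" MOUNTPOINT="/mnt/boot"
NAME="nvme0n1p2" TYPE="part" FSTYPE="btrfs" FSVER="" MOUNTPOINT="/mnt"'
# On the installer:  lsblk -P -o NAME,TYPE,FSTYPE,FSVER,MOUNTPOINT | check_layout
```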
Unless otherwise noted in the specific files or directories, the files in this repository are licensed under the MIT License. This only applies to the nix expressions, not the built system or package closures. Patches may also be licensed differently, since they may be derivative works of the packages to which they apply.