My NixOS configuration and other infrastructure related things
Find a file
Simon Bruder 4f536a00d2
Switch home domain to shinonome-lab.de
When having DNSSEC activated (as it is the case on sbruder.de), dnsmasq
interfering in queries for hosts on the LAN often causes problems.

This domain is specifically for the case of not having DNSSEC on it.
2023-10-27 23:54:56 +02:00
.git-crypt Add 1 git-crypt collaborator 2021-02-05 18:01:49 +01:00
keys nazuna: Init 2023-10-04 23:19:44 +02:00
machines Switch home domain to shinonome-lab.de 2023-10-27 23:54:56 +02:00
modules Switch home domain to shinonome-lab.de 2023-10-27 23:54:56 +02:00
pkgs shinobu/router: Dynamically allow ntp for iot 2023-10-22 14:00:47 +02:00
users/simon git: Only allow fast-forward merge by default 2023-10-25 21:18:56 +02:00
.envrc direnv: Use nix-direnv’s use_flake 2021-05-09 12:34:48 +02:00
.gitattributes Use sops for secrets 2021-04-06 14:05:48 +02:00
.gitignore Ignore all results 2020-12-17 09:50:25 +01:00
.sops.yaml nazuna: Init 2023-10-04 23:19:44 +02:00
flake.lock flake.lock: Update 2023-10-22 14:01:40 +02:00
flake.nix deploy-local: Allow not using substituters 2023-06-03 18:34:12 +02:00
LICENSE Initial commit 2020-08-22 17:44:39 +02:00
README.md readme: Apply small updates to install commands 2023-07-01 12:01:36 +02:00
secrets.yaml mpd: Add listenbrainz submitting 2023-09-19 12:23:38 +02:00

NixOS configuration

Structure

  • machines: Machine-specific configuration
    • README.md: Short overview of the hardware and usage of the machine
    • configuration.nix: Main configuration
    • hardware-configuration.nix: Hardware-specific configuration. It should not depend on any modules or files from this repository, since it is used for initial setup.
    • services: Non-trivial machine-specific configuration related to a specific service the machine provides.
    • secrets: Nix expressions that include information that is not meant to be visible to everyone (e.g. accounts, password hashes, private information etc.) or secrets for services that dont provide any other (easy) way of specifying them and whose secrets leaking does not pose a huge threat
  • modules: Custom modules. Many are activated by default, since I want them on all systems.
  • pkgs: My nixpkgs overlay
  • users/simon: home-manager configuration

Secrets are managed with sops-nix.

Machines can be deployed with nix run .#deploy/hostname, LUKS encrypted systems can be unlocked over network with nix run .#unlock/hostname.

How to install

This guide describes how to install this configuration with GPT and BIOS boot. It is not a one-fits-all guide, but the base for what I use for interactive systems. Servers and specialised systems may need a different setup (e.g. swap with random luks passphrase and no LVM).

Set up wifi if no wired connection is available:

systemctl start wpa_supplicant
wpa-cli
  add_network
  set_network 0 ssid "SSID"
  set_network 0 psk "PSK"
  set_network 0 key_mgmt WPA-PSK
  enable_network 0

Create the partition table (enter the indented lines in the repl):

parted /dev/nvmeXnY
  mktable GPT
  mkpart ESP 1MiB 512MiB
  mkpart root 512MiB 100%
  set 1 esp on
  quit

On MBR:

parted /dev/sdX
  mktable GPT
  mkpart primary 1MiB 2MiB
  mkpart primary 2MiB 500MiB
  mkpart primary 500MiB 100%
  set 1 bios_grub on
  disk_toggle pmbr_boot
  quit

Format encrypted partition and open it:

cryptsetup luksFormat --type luks2 /dev/nvmeXnYp2
cryptsetup open /dev/nvmeXnYp2 HOSTNAME-pv

Create LVM (replace 8G with desired swap size):

pvcreate /dev/mapper/HOSTNAME-pv
vgcreate HOSTNAME-vg /dev/mapper/HOSTNAME-pv
lvcreate -L 8G -n swap HOSTNAME-vg
lvcreate -l '100%FREE' -n root HOSTNAME-vg

Hint: If you have to reboot to the installation system later because something went wrong and you need access to the LVM (but dont know LVM), do the following after opening the luks partition: vgchange -ay.

Create filesystems:

mkfs.fat -F 32 -n boot /dev/nvmeXnYpZ
mkfs.btrfs -L root /dev/HOSTNAME-vg/root
mkswap -L swap /dev/HOSTNAME-vg/swap

On MBR:

mkfs.ext2 /dev/sdX2
mkfs.btrfs -L root /dev/HOSTNAME-vg/root
mkswap -L swap /dev/HOSTNAME-vg/swap

Mount the file systems and activate swap:

mount -o compress=zstd /dev/HOSTNAME-vg/root /mnt
mkdir /mnt/boot
mount /dev/nvmeXnYp1 /mnt/boot
swapon /dev/HOSTNAME-vg/swap

Generate hardware configuration and copy hardware configuration to machine configuration (skip this step if you already have a hardware-configuration for this machine):

nixos-generate-config --root /mnt/

Modify the hardware configuration as needed and add it to the machine configuration in this repository. If necessary, create the machine configuration first by basing it on an already existing configuration and adding an entry to machines/default.nix. Then copy this repository to the target machine and run (--impure is needed since /mnt/nix/store is not in /nix/store):

nixos-install --no-channel-copy --impure --flake /path/to/repository#hostname

Add the krops sentinel file:

mkdir -p /mnt/var/src
touch /mnt/var/src/.populate

Reboot.

License

Unless otherwise noted in the specific files or directories, the files in this repository are licensed under the MIT License. This only applies to the nix expressions, not the built system or package closures. Patches may also be licensed differently, since they may be derivative works of the packages to which they apply.