Simon Bruder
b2b55c442b
Flake lock file updates: • Updated input 'flake-utils': 'github:numtide/flake-utils/c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a' (2024-09-17) → 'github:numtide/flake-utils/11707dc2f618dd54ca8739b309ec4fc024de578b' (2024-11-13) • Updated input 'home-manager-unstable': 'github:nix-community/home-manager/038630363e7de57c36c417fd2f5d7c14773403e4' (2024-10-07) → 'github:nix-community/home-manager/66c5d8b62818ec4c1edb3e941f55ef78df8141a8' (2024-12-13) • Updated input 'nix-pre-commit-hooks': 'github:cachix/pre-commit-hooks.nix/1211305a5b237771e13fcca0c51e60ad47326a9a' (2024-10-05) → 'github:cachix/pre-commit-hooks.nix/4c8e75efbbdcc6f9203f64b1f21f8a55d2285264' (2024-12-15) • Updated input 'nix-pre-commit-hooks/nixpkgs-stable': 'github:NixOS/nixpkgs/194846768975b7ad2c4988bdb82572c00222c0d7' (2024-07-07) → 'github:NixOS/nixpkgs/d063c1dd113c91ab27959ba540c0d9753409edf3' (2024-11-04) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/ecfcd787f373f43307d764762e139a7cdeb9c22b' (2024-10-07) → 'github:nixos/nixos-hardware/cf737e2eba82b603f54f71b10cb8fd09d22ce3f5' (2024-12-10) • Updated input 'sops-nix': 'github:Mic92/sops-nix/06535d0e3d0201e6a8080dd32dbfde339b94f01b' (2024-10-08) → 'github:Mic92/sops-nix/2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004' (2024-12-12) • Removed input 'sops-nix/nixpkgs-stable' |
||
---|---|---|
.git-crypt | ||
.reuse | ||
keys | ||
LICENSES | ||
machines | ||
modules | ||
pkgs | ||
secrets | ||
users/simon | ||
.envrc | ||
.gitattributes | ||
.gitignore | ||
.sops.yaml | ||
flake.lock | ||
flake.lock.license | ||
flake.nix | ||
README.md | ||
secrets.yaml |
NixOS configuration
Structure
machines
: Machine-specific configurationREADME.md
: Short overview of the hardware and usage of the machineconfiguration.nix
: Main configurationhardware-configuration.nix
: Hardware-specific configuration. It should not depend on any modules or files from this repository, since it is used for initial setup.services
: Non-trivial machine-specific configuration related to a specific service the machine provides.secrets
: Nix expressions that include information that is not meant to be visible to everyone (e.g. accounts, password hashes, private information etc.) or secrets for services that don’t provide any other (easy) way of specifying them and whose secrets leaking does not pose a huge threat
modules
: Custom modules. Many are activated by default, since I want them on all systems.pkgs
: My nixpkgs overlayusers/simon
: home-manager configuration
Secrets are managed with sops-nix.
Machines can be deployed with nix run .#deploy/hostname
, LUKS encrypted
systems can be unlocked over network with nix run .#unlock/hostname
.
How to install
This guide describes how to install this configuration with GPT and BIOS boot. It is not a one-fits-all guide, but the base for what I use for interactive systems. Servers and specialised systems may need a different setup (e. g. swap with random luks passphrase and no LVM).
Set up wifi if no wired connection is available:
systemctl start wpa_supplicant
wpa-cli
add_network
set_network 0 ssid "SSID"
set_network 0 psk "PSK"
set_network 0 key_mgmt WPA-PSK
enable_network 0
Create the partition table (enter the indented lines in the repl):
parted /dev/nvmeXnY
mktable GPT
mkpart ESP 1MiB 512MiB
mkpart root 512MiB 100%
set 1 esp on
quit
On MBR:
parted /dev/sdX
mktable GPT
mkpart primary 1MiB 2MiB
mkpart primary 2MiB 512MiB
mkpart primary 512MiB 100%
set 1 bios_grub on
disk_toggle pmbr_boot
quit
Format encrypted partition and open it:
cryptsetup luksFormat --type luks2 /dev/nvmeXnYp2
cryptsetup open /dev/nvmeXnYp2 HOSTNAME-pv
Create LVM (replace 8G
with desired swap size):
pvcreate /dev/mapper/HOSTNAME-pv
vgcreate HOSTNAME-vg /dev/mapper/HOSTNAME-pv
lvcreate -L 8G -n swap HOSTNAME-vg
lvcreate -l '100%FREE' -n root HOSTNAME-vg
Hint: If you have to reboot to the installation system later because
something went wrong and you need access to the LVM (but don’t know LVM), do
the following after opening the luks partition: vgchange -ay
.
Create filesystems:
mkfs.fat -F 32 -n boot /dev/nvmeXnYpZ
mkfs.btrfs -L root /dev/HOSTNAME-vg/root
mkswap -L swap /dev/HOSTNAME-vg/swap
On MBR:
mkfs.ext2 /dev/sdX2
mkfs.btrfs -L root /dev/HOSTNAME-vg/root
mkswap -L swap /dev/HOSTNAME-vg/swap
Mount the file systems and activate swap:
mount -o compress=zstd /dev/HOSTNAME-vg/root /mnt
mkdir /mnt/boot
mount /dev/nvmeXnYp1 /mnt/boot
swapon /dev/HOSTNAME-vg/swap
Generate hardware configuration and copy hardware configuration to machine configuration (skip this step if you already have a hardware-configuration for this machine):
nixos-generate-config --root /mnt/
Modify the hardware configuration as needed and add it to the machine
configuration in this repository. If necessary, create the machine
configuration first by basing it on an already existing configuration and
adding an entry to machines/default.nix
. Then copy this repository to the
target machine and run (--impure
is needed since /mnt/nix/store
is not in
/nix/store
):
nixos-install --no-channel-copy --impure --flake /path/to/repository#hostname
Add the krops sentinel file:
mkdir -p /mnt/var/src
touch /mnt/var/src/.populate
Reboot.
License
This repository is REUSE compliant. To get the most correct licensing information, please consult the REUSE specification or use a tool that parses it.
As a rule of thumb,
most code files are released under the AGPL-3.0-or-later
,
most generated files are specified as CC0-1.0
(as they are not copyrightable)
and small independent scripts are licensed under Apache-2.0
.
However, there are deviations from this,
so always consult the file header and other resources as specified in the REUSE specification.
Please note that those licensing terms only apply to the source files in this repository, not any build outputs, like system or package closures. They might be licensed differently, depending on their source.
If you think you have a compelling reason why you should be able to use part of this repository under a more permissive license, please contact me, so we can figure something out. Please note, that I can only offer this for files that are solely authored by me, as I do not own the rights to other people’s code.