Configuration for Nix on my NixOS machines

nixos-config

Provisioning for my NixOS systems based on Nix.

Prepare

Copy /etc/ssh/ssh_host_ed25519_key.pub into secrets and rekey the secrets via agenix; alternatively, execute ssh-keyscan ip_or_fqdn to fetch the current public keys. After pushing the rekeyed secrets, execute the commands below.
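
A check for the step above, as an added example that is not part of this repository: it confirms that the ed25519 key a host presents to ssh-keyscan is already listed as a recipient in the agenix rules file, so a missing rekey or an unexpected host key is caught before deploying. The file name secrets.nix, its layout, the address and the key blob are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the repository): is the scanned ed25519 host key
# already an agenix recipient?

# Constructed placeholder blob, not a real key.
SAMPLE_BLOB="AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderBlobNotARealHostKey0"

# Constructed ssh-keyscan output: banner comment, another key type, ed25519 line.
sample_scan() {
    printf '%s\n' \
        '# 192.0.2.10:22 SSH-2.0-OpenSSH_9.6' \
        '192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EConstructedRsaPlaceholder' \
        "192.0.2.10 ssh-ed25519 $SAMPLE_BLOB"
}

# Constructed agenix rules file; this layout is an assumption.
sample_rules() {
    printf '%s\n' \
        'let' \
        "  anubis = \"ssh-ed25519 $SAMPLE_BLOB\";" \
        'in {' \
        '  "example.age".publicKeys = [ anubis ];' \
        '}'
}

# Print "ssh-ed25519 <blob>" for the first ed25519 line of ssh-keyscan output
# read from stdin; exit 1 when the scan contains no such line.
extract_ed25519() {
    awk '$1 !~ /^#/ && $2 == "ssh-ed25519" && $3 != "" { print $2, $3; found = 1; exit }
         END { exit !found }'
}

# Exit 0 if the scanned key is listed in rules file $1, 1 if it is not
# (rekey needed, or not the expected host), 2 if no ed25519 key was scanned.
key_is_recipient() {
    key=$(extract_ed25519) || return 2
    grep -qF -- "\"$key" "$1"
}

# Demo on the constructed samples.
tmp=$(mktemp -d)
sample_rules > "$tmp/secrets.nix"
if sample_scan | key_is_recipient "$tmp/secrets.nix"; then
    echo "host key is an agenix recipient"
else
    echo "host key not in rules file: verify the host, then rekey"
fi
rm -rf "$tmp"
```

Against a real machine the input would come from `ssh-keyscan -t ed25519 ip_or_fqdn`; because that scan is unauthenticated, a mismatch should be resolved by comparing with the key file read on the host itself before rekeying.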

Desktops

Generally, after the installation I clone this repository somewhere onto the desktop machine and just execute make switch within that repository to apply updates. If this is not the case, I can always execute the following command to pull in the latest changes:

nixos-rebuild switch --flake github:tboerger/nixos-config#hostname

Anubis

sudo loadkeys de
sudo nix-shell --packages nixUnstable

nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko --flake github:tboerger/nixos-config#anubis

mkdir -p /mnt/etc/ssh
cp /etc/ssh/ssh_host_* /mnt/etc/ssh/
nixos-install --no-root-password --root /mnt --flake github:tboerger/nixos-config#anubis

After a reboot of the system it should be fully provisioned with the regular flake which includes all defined services:

nixos-rebuild switch --flake github:tboerger/nixos-config#anubis

Chnum

sudo loadkeys de
sudo nix-shell --packages nixUnstable

nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko --flake github:tboerger/nixos-config#chnum

mkdir -p /mnt/etc/ssh
cp /etc/ssh/ssh_host_* /mnt/etc/ssh/
nixos-install --no-root-password --root /mnt --flake github:tboerger/nixos-config#chnum

After a reboot of the system it should be fully provisioned with the regular flake which includes all defined services:

nixos-rebuild switch --flake github:tboerger/nixos-config#chnum

Servers

To apply updates for servers, this repository should first be updated to the latest version. After that, deploy-rs can be used to upgrade the deployment with a command like this:

nix run github:serokell/deploy-rs github:tboerger/nixos-config#hostname

Asgard

sudo loadkeys de
sudo nix-shell --packages nixUnstable

nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko --flake github:tboerger/nixos-config#asgard

mkdir -p /mnt/etc/ssh
cp /etc/ssh/ssh_host_* /mnt/etc/ssh/
nixos-install --no-root-password --root /mnt --flake github:tboerger/nixos-config#asgard

After a reboot of the system it should be fully provisioned with the regular flake which includes all defined services:

nix run github:serokell/deploy-rs github:tboerger/nixos-config#asgard

Utgard

sudo loadkeys de
sudo nix-shell --packages nixUnstable

nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko --flake github:tboerger/nixos-config#utgard

mkdir -p /mnt/etc/ssh
cp /etc/ssh/ssh_host_* /mnt/etc/ssh/
nixos-install --no-root-password --root /mnt --flake github:tboerger/nixos-config#utgard

After a reboot of the system it should be fully provisioned with the regular flake which includes all defined services:

nix run github:serokell/deploy-rs github:tboerger/nixos-config#utgard

Vanaheim

sudo loadkeys de
sudo nix-shell --packages nixUnstable

nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko --flake github:tboerger/nixos-config#vanaheim

mkdir -p /mnt/etc/ssh
cp /etc/ssh/ssh_host_* /mnt/etc/ssh/
nixos-install --no-root-password --root /mnt --flake github:tboerger/nixos-config#vanaheim

After a reboot of the system it should be fully provisioned with the regular flake which includes all defined services:

nix run github:serokell/deploy-rs github:tboerger/nixos-config#vanaheim

Yggdrasil

sudo loadkeys de
sudo nix-shell --packages nixUnstable

mount /dev/disk/by-label/NIXOS_SD /mnt

mkdir -p /mnt/etc/ssh
cp /etc/ssh/ssh_host_* /mnt/etc/ssh/
nixos-install --no-root-password --root /mnt --flake github:tboerger/nixos-config#yggdrasil

After a reboot of the system it should be fully provisioned with the regular flake which includes all defined services:

nix run github:serokell/deploy-rs github:tboerger/nixos-config#yggdrasil

Finish

Finally, after I have set up the whole system, I usually copy the remaining credentials from my securely stored USB stick to get access to my SSH keys and GnuPG keys, if this is required on the machine. It should not be required for servers.

SSH

mkdir -p "${HOME}/.ssh/"
cp "/media/$(whoami)/secrets/ssh/"id_* "${HOME}/.ssh/"
chown -R "$(id -u):$(id -g)" "${HOME}/.ssh"
chmod u=rw,g=,o= "${HOME}/.ssh/"id_*

Gnupg

for FILE in "/media/$(whoami)/secrets/gpg/"*.asc; do
    gpg --import "${FILE}"
done

Security

If you find a security issue please contact thomas@webhippie.de first.

Contributing

Fork -> Patch -> Push -> Pull Request

Authors

License

Apache-2.0

Copyright

Copyright (c) 2021 Thomas Boerger <thomas@webhippie.de>
