Personal NixOS configuration
About
Monorepo for @myned's personal NixOS configuration and partial homelab infrastructure
Caveats
Security considerations are practically lax, but always open for improvement:
- Secrets handled via agenix, inheriting its threat model
- Storage module supports LUKS encryption at rest via disko and systemd initrd
- Containers attempt to be compatible with rootless docker
- Prioritizes usability over hardening (e.g. some home-manager modules also apply to the root user)
- Assumes a single-user machine plus root
Various tools are underdocumented prerequisites:
- agenix (for secrets management)
- disko (for disk formatting and declaration)
- flakes (for reproducibility)
- genflake (for use of normal nix in flake.in.nix)
- home-manager (for user modules)
- nixos-anywhere (for remote installation)
- nixos-hardware (for hardware quirks)
- stylix (for interactive theming)
- tailscale (for mesh communication)
...combined with some nix abstractions used by custom modules:
- machines (hardware-specific options identified by hostname)
- profiles (shared options between machines identified by purpose)
Install
General instructions for using this configuration; they may not include every requirement.
- Clone this repository

  ```shell
  git clone https://git.bjork.tech/myned/nixos
  ```

- Boot from the NixOS installer
- Add machine-specific configuration to `machines/<machine>/default.nix`
  ```nix
  {
    ...
    imports = [
      ./hardware-configuration.nix
    ];
    custom = {
      hostname = "<machine>";
      settings = {
        boot.systemd-boot.enable = true;
        storage.root.device = "/dev/disk/by-*/<disk>";
      };
    };
    ...
  }
  ```
- Add generated hardware configuration to `machines/<machine>/hardware-configuration.nix`

  ```shell
  # On machine
  nixos-generate-config --show-hardware-config --no-filesystems
  ```

- Choose or create a profile in `profiles/<profile>/default.nix`

  ```nix
  {
    ...
    custom = {
      profile = "<profile>";
    };
    ...
  }
  ```

- Add the machine to `flake.in.nix`

  ```nix
  {
    ...
    <machine> = nixos "<architecture>" [ ./profiles/<profile> ./machines/<machine> ];
    ...
  }
  ```

- Stage git files and lock `flake.nix`

  ```shell
  cd nixos
  git add .
  nix flake lock
  ```

- Generate machine SSH key and copy public key to clipboard

  ```shell
  mkdir -p tmp/etc/ssh/
  ssh-keygen -f tmp/etc/ssh/id_ed25519 -N '' -C root@<machine>
  cat tmp/etc/ssh/id_ed25519.pub | wl-copy -n
  ```

- Add public key to `secrets/secrets.nix`

  ```nix
  {
    ...
    <machine> = "<ssh public key>";
    ...
  }
  ```

- Rekey agenix secrets

  ```shell
  cd secrets/
  agenix -r
  cd -
  ```

- Add encrypted password declarations to `secrets/secrets.nix`

  ```nix
  {
    ...
    "<machine>/users/<username>.pass" = machine <machine>;
    "<machine>/users/root.pass" = machine <machine>;
    ...
  }
  ```

- Create hashed password files with agenix

  ```shell
  cd secrets/
  mkpasswd | wl-copy
  agenix -e <machine>/users/<username>.pass
  mkpasswd | wl-copy
  agenix -e <machine>/users/root.pass
  cd -
  ```

- If encrypting with LUKS, write the passphrase to `/tmp/secret.key`, and mount the key device containing the keyfile if `custom.settings.storage.key.enable = true`

  ```shell
  # On machine
  echo -n '<passphrase>' > /tmp/secret.key
  sudo mkdir -p /key
  sudo mount /dev/disk/by-*/<device> /key
  ```

- Create a temporary password for the nixos user (or use SSH keys)

  ```shell
  # On machine
  passwd
  ```

- Execute nixos-anywhere to install remotely

  ```shell
  nixos-anywhere --flake .#<machine> nixos@<ip> --extra-files tmp/
  ```

- Remove temporary files

  ```shell
  rm -r tmp/
  ```
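The steps above make a few mistakes easy to miss until the first boot: a host key missing from `tmp/` or left readable by other users, a public key that was never added to `secrets/secrets.nix` (so `agenix -r` does not encrypt anything to the new machine), or a declared `.pass` secret with no encrypted file behind it. The following POSIX shell pre-flight check is an added example and not part of this repository; it assumes the layout used in the steps above (`tmp/etc/ssh/id_ed25519` and its `.pub`, `secrets/secrets.nix`, encrypted files stored at `secrets/<declared name>`) and a GNU or BSD `stat`.

```shell
#!/bin/sh
# Pre-flight check to run from the repository root before `nixos-anywhere`.
# Added example; not part of the repository. Assumes the layout from the
# install steps: tmp/etc/ssh/id_ed25519{,.pub}, secrets/secrets.nix, and
# agenix-encrypted files stored at secrets/<name declared in secrets.nix>.

# preflight_check <repo_dir> <machine>
# Prints every failed check; returns 0 if all pass, 1 otherwise.
preflight_check() {
  repo="$1"
  machine="$2"
  fail=0
  key="$repo/tmp/etc/ssh/id_ed25519"
  pub="$key.pub"
  secrets="$repo/secrets/secrets.nix"

  # 1. The generated machine host key pair must exist.
  if [ ! -f "$key" ] || [ ! -f "$pub" ]; then
    echo "missing key pair at tmp/etc/ssh/id_ed25519 (+ .pub)"
    fail=1
  fi

  # 2. --extra-files copies tmp/ onto the target as-is, so the private key
  #    must already be owner-only readable here.
  if [ -f "$key" ]; then
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
      600|400) ;;
      *) echo "private key mode is $mode, expected 600"; fail=1 ;;
    esac
  fi

  # 3. The public key (type and base64 blob) must be registered in
  #    secrets.nix, otherwise `agenix -r` does not encrypt to this machine.
  if [ -f "$pub" ] && [ -f "$secrets" ]; then
    keydata=$(cut -d' ' -f1,2 "$pub")
    if ! grep -qF -- "$keydata" "$secrets"; then
      echo "public key of $machine is not registered in secrets/secrets.nix"
      fail=1
    fi
  else
    echo "cannot verify key registration: missing $pub or $secrets"
    fail=1
  fi

  # 4. Every "<machine>/users/<name>.pass" declaration needs a non-empty
  #    encrypted file next to secrets.nix, or the account has no usable hash.
  declared=$(grep -o "\"$machine/users/[^\"]*\.pass\"" "$secrets" 2>/dev/null | tr -d '"' || true)
  if [ -z "$declared" ]; then
    echo "no password secrets declared for $machine"
    fail=1
  fi
  for name in $declared; do
    if [ ! -s "$repo/secrets/$name" ]; then
      echo "declared secret $name has no encrypted file"
      fail=1
    fi
  done

  return "$fail"
}

# Usage, from the repository root:
#   preflight_check . <machine> && nixos-anywhere --flake .#<machine> nixos@<ip> --extra-files tmp/
```

The check is deliberately read-only: it reports what is wrong and leaves fixing it to the corresponding install step, so it can be run repeatedly while preparing a machine and again right before `rm -r tmp/` removes the evidence.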
Deploy
Subsequent deployment of configuration changes; assumes `/etc/nixos` is the repository location.
Local builds

```shell
sudo nixos-rebuild switch
```

Remote builds

```shell
nixos-rebuild switch --flake .#<machine> --target-host root@<ip>
```