2023-06-25 01:28:19 +02:00
|
|
|
# nixos
|
|
|
|
|
2023-08-01 15:35:09 +02:00
|
|
|
## Installation
|
|
|
|
Follow the [NixOS manual](https://nixos.org/manual/nixos/stable/index.html#ch-installation) to obtain and boot
|
|
|
|
the installation medium. Use the graphical ISO image since it ships with useful programs such as `nmtui`; the
|
|
|
|
installation can still be done through the terminal.
|
|
|
|
|
|
|
|
### Disk Partitioning
|
|
|
|
For [impermanence](https://nixos.wiki/wiki/Impermanence), partitioning should be done as outlined in the [tmpfs
|
|
|
|
as root](https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/) blogpost, but with `/nix` as a [LUKS-encrypted file
|
|
|
|
system](https://nixos.org/manual/nixos/stable/index.html#sec-luks-file-systems). The boot partition will not be
|
|
|
|
encrypted, since that is poorly supported by systemd-boot. Persistent files will be saved under `/nix/persist`.
|
|
|
|
|
|
|
|
The following is based on the [tmpfs as root](https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/) blogpost, the NixOS
|
|
|
|
manual's [partitioning](https://nixos.org/manual/nixos/stable/index.html#sec-installation-manual-partitioning),
|
|
|
|
[formatting](https://nixos.orgmanual/nixos/stable/index.html#sec-installation-manual-partitioning-formatting) and
|
|
|
|
[LUKS-Encrypted File Systems](https://nixos.org/manual/nixos/stable/index.html#sec-luks-file-systems) sections,
|
|
|
|
ArchWiki's [LVM on LUKS](https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS),
|
|
|
|
the unofficial NixOS wiki [Full Disk Encryption](https://nixos.wiki/wiki/Full_Disk_Encryption), and [this GitHub
|
|
|
|
gist](https://gist.github.com/martijnvermaat/76f2e24d0239470dd71050358b4d5134).
|
|
|
|
|
|
|
|
We create a 1GiB EFI boot partition (`/dev/sda1`) and the rest will be our LUKS-encrypted volume:
|
|
|
|
```bash
|
|
|
|
# Create partition table
|
|
|
|
parted /dev/sda -- mklabel gpt
|
|
|
|
|
|
|
|
# Create /boot partition
|
|
|
|
parted /dev/sda -- mkpart ESP fat32 1MiB 1024MiB
|
|
|
|
parted /dev/sda -- set 1 esp on
|
|
|
|
|
|
|
|
# Create /nix partition
|
|
|
|
parted /dev/sda -- mkpart primary 1024MiB 100%
|
|
|
|
|
|
|
|
# Create and open LUKS-encrypted container
|
|
|
|
cryptsetup --type=luks2 luksFormat --label=crypted /dev/sda2
|
|
|
|
cryptsetup open /dev/sda2 crypted
|
|
|
|
|
|
|
|
# Create LVM volume group
|
|
|
|
pvcreate /dev/mapper/crypted
|
|
|
|
vgcreate vg /dev/mapper/crypted
|
|
|
|
|
|
|
|
# Create root logical volume
|
|
|
|
lvcreate -l 100%FREE vg -n root
|
|
|
|
|
|
|
|
# Format partitions
|
|
|
|
mkfs.fat -F32 -n BOOT /dev/sda1
|
|
|
|
mkfs.ext4 -L nix /dev/vg/root
|
|
|
|
```
|
|
|
|
|
|
|
|
The result should be the following (`lsblk -f`):
|
|
|
|
```text
|
|
|
|
NAME FSTYPE FSVER LABEL
|
2023-08-12 15:31:37 +02:00
|
|
|
sda
|
|
|
|
├─sda1 vfat FAT32 BOOT
|
|
|
|
└─sda2 crypto_LUKS 2 crypted
|
2023-08-01 15:35:09 +02:00
|
|
|
└─crypted LVM2_member LVM2 001
|
|
|
|
└─vg-root ext4 1.0 nix
|
|
|
|
```
|
|
|
|
|
|
|
|
### Installation
|
|
|
|
Whereas the [NixOS manual](https://nixos.org/manual/nixos/stable/index.html#sec-installation-manual-installing) mounts
|
|
|
|
the newly-created `nixos` partition to `/mnt`, we will follow the _tmpfs as root_ blogpost and mount `/mnt` as `tmpfs`:
|
|
|
|
```bash
|
|
|
|
mount -t tmpfs none /mnt
|
|
|
|
mount --mkdir /dev/disk/by-label/BOOT /mnt/boot
|
|
|
|
mount --mkdir /dev/disk/by-label/nix /mnt/nix
|
|
|
|
mkdir -p /mnt/nix/persist/
|
|
|
|
```
|
|
|
|
|
|
|
|
The remaining installation can be done (more or less) according to the [NixOS
|
|
|
|
manual](https://nixos.org/manual/nixos/stable/index.html#sec-installation-manual-installing).
|
|
|
|
```bash
|
|
|
|
cd /mnt/nix
|
|
|
|
git clone https://git.caspervk.net/caspervk/nixos.git tmp
|
|
|
|
cd tmp/
|
|
|
|
nixos-generate-config --root /mnt --show-hardware-config
|
|
|
|
vim hosts/omega/hardware.nix
|
2023-08-05 18:13:59 +02:00
|
|
|
git add . # nix sometimes ignores files outside version control
|
2023-08-01 15:35:09 +02:00
|
|
|
nixos-install --no-root-passwd --flake .#omega
|
|
|
|
|
|
|
|
# Make sure to set a password
|
|
|
|
mkpasswd > /mnt/nix/persist/passwordfile
|
|
|
|
chmod 400 /mnt/nix/persist/passwordfile
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
## Hardware Configuration
|
|
|
|
`hosts/*/hardware.nix`, while initially generated by `nixos-generate-config --show-hardware-config`, _is_ manually
|
2023-08-12 15:31:37 +02:00
|
|
|
modified.
|
2023-08-01 15:35:09 +02:00
|
|
|
|
|
|
|
|
|
|
|
## Impermanence
|
|
|
|
To find out which of our darlings will be erased on reboot do `tree -x /`.
|
|
|
|
|
|
|
|
|
|
|
|
## Upgrading
|
|
|
|
```bash
|
2023-08-13 19:34:10 +02:00
|
|
|
sudo nixos-rebuild switch --flake .
|
2023-08-01 15:35:09 +02:00
|
|
|
```
|
2023-08-16 02:29:53 +02:00
|
|
|
|
|
|
|
|
2023-12-01 17:32:41 +01:00
|
|
|
## State Version
|
|
|
|
Nixpkgs uses `stateVersion` so sparingly that
|
|
|
|
auditing the entire nixpkgs repo is [easy
|
|
|
|
enough](https://sourcegraph.com/search?q=context%3Aglobal+repo%3A%5Egithub%5C.com%3FNixOS%2Fnixpkgs%24++lang%3ANix+stateVersion+AND+23.11).
|
|
|
|
|
|
|
|
|
2023-08-16 02:29:53 +02:00
|
|
|
## Debugging
|
|
|
|
```bash
|
|
|
|
nix repl
|
|
|
|
:lf .
|
2023-12-13 20:24:08 +01:00
|
|
|
# print the value of a configuration settings
|
2023-08-16 02:29:53 +02:00
|
|
|
:p nixosConfigurations.omega.config.services.openssh.ports
|
2023-12-13 20:24:08 +01:00
|
|
|
# print _why_ the value is as it is (source of defaults, overwrites)
|
|
|
|
:p nixosConfigurations.omega.options.services.openssh.ports
|
|
|
|
# print value of home-manager setting
|
2023-08-16 02:29:53 +02:00
|
|
|
:p nixosConfigurations.omega.config.home-manager.users.caspervk.programs.ssh.matchBlocks
|
2023-12-13 20:24:08 +01:00
|
|
|
# print version of package in nixpkgs
|
2023-08-16 02:29:53 +02:00
|
|
|
:p inputs.nixpkgs.outputs.legacyPackages.x86_64-linux.openssh.version
|
|
|
|
```
|
|
|
|
|
|
|
|
|