nixos/README.md

# nixos

## Installation
Follow the [NixOS manual](https://nixos.org/manual/nixos/stable/index.html#ch-installation) to obtain and boot
the installation medium. Use the graphical ISO image since it ships with useful programs such as `nmtui`; the
installation can still be done through the terminal.

### Disk Partitioning
For [impermanence](https://nixos.wiki/wiki/Impermanence), partitioning should be done as outlined in the [tmpfs
as root](https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/) blogpost, but with `/nix` as a [LUKS-encrypted file
system](https://nixos.org/manual/nixos/stable/index.html#sec-luks-file-systems). The boot partition will not be
encrypted, since that is poorly supported by systemd-boot. Persistent files will be saved under `/nix/persist`. To
find out which of our darlings will be erased on reboot do `tree -x /` or `ncdu -x /`.

The following is based on the [tmpfs as root](https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/) blogpost, the NixOS
manual's [partitioning](https://nixos.org/manual/nixos/stable/index.html#sec-installation-manual-partitioning),
[formatting](https://nixos.orgmanual/nixos/stable/index.html#sec-installation-manual-partitioning-formatting) and
[LUKS-Encrypted File Systems](https://nixos.org/manual/nixos/stable/index.html#sec-luks-file-systems) sections,
ArchWiki's [LVM on LUKS](https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS),
the unofficial NixOS wiki [Full Disk Encryption](https://nixos.wiki/wiki/Full_Disk_Encryption), and [this GitHub
gist](https://gist.github.com/martijnvermaat/76f2e24d0239470dd71050358b4d5134).

We create a 1GiB EFI boot partition (`/dev/sda1`) and the rest will be our LUKS-encrypted volume:
```fish
# Create partition table
parted /dev/sda -- mklabel gpt

# Create /boot partition
parted /dev/sda -- mkpart ESP fat32 1MiB 1024MiB
parted /dev/sda -- set 1 esp on

# Create /nix partition
parted /dev/sda -- mkpart primary 1024MiB 100%

# Create and open LUKS-encrypted container
cryptsetup --type=luks2 luksFormat --label=crypted /dev/sda2
cryptsetup open /dev/sda2 crypted

# Create LVM volume group
pvcreate /dev/mapper/crypted
vgcreate vg /dev/mapper/crypted

# Create root logical volume
lvcreate -l 100%FREE vg -n root

# Format partitions
mkfs.fat -F32 -n BOOT /dev/sda1
mkfs.ext4 -L nix /dev/vg/root
```

The result should be the following (`lsblk -f`):
```text
NAME          FSTYPE      FSVER            LABEL
sda
├─sda1        vfat        FAT32            BOOT
└─sda2        crypto_LUKS 2                crypted
  └─crypted   LVM2_member LVM2 001
    └─vg-root ext4        1.0              nix
```

Whereas the [NixOS manual](https://nixos.org/manual/nixos/stable/index.html#sec-installation-manual-installing) mounts
the newly-created `nixos` partition to `/mnt`, we will follow the _tmpfs as root_ blogpost and mount `/mnt` as `tmpfs`:
```fish
mount -t tmpfs none /mnt
mount --mkdir /dev/disk/by-label/BOOT /mnt/boot
mount --mkdir /dev/disk/by-label/nix /mnt/nix
mkdir -p /mnt/nix/persist/
```

### Secrets
All files in the Nix store are world-readable, so it is not a suitable place for including cleartext secrets,
even if we had a scheme to securely transfer them to each system. [Agenix](https://github.com/ryantm/agenix)
solves this issue by encrypting the secrets using [age](https://github.com/FiloSottile/age), and then decrypting
and symlinking them using the system's SSH host key during system activation.

To bootstrap a new system, we must first generate a host key manually using `ssh-keygen -A -f /mnt/nix/persist`
during installation. Then, on an existing system, add the new host's public key to `secrets.nix` and rekey all
secrets using `agenix --rekey`. Commit and push the changes and proceed below.

When managing secrets, the Keepass recovery key is used like so:
```fish
set AGE_KEY_FILE (mktemp); read -s > $AGE_KEY_FILE
agenix -i $AGE_KEY_FILE -e foo.age
```

### Installation
The remaining installation can be done (more or less) according to the [NixOS
manual](https://nixos.org/manual/nixos/stable/index.html#sec-installation-manual-installing).
```fish
cd /mnt/nix
git clone https://git.caspervk.net/caspervk/nixos.git tmp
cd tmp/
nixos-generate-config --root /mnt --show-hardware-config
vim hosts/omega/hardware.nix
git add .  # nix sometimes ignores files outside version control
nixos-install --no-root-passwd --flake .#omega
```

### Hardware Configuration
`hosts/*/hardware.nix`, while initially generated by `nixos-generate-config --show-hardware-config`, _is_ manually
modified.

### State Version
Nixpkgs uses `stateVersion` so sparingly that auditing the entire nixpkgs repo is [easy
enough](https://sourcegraph.com/search?q=context%3Aglobal+repo%3A%5Egithub%5C.com%3FNixOS%2Fnixpkgs%24++lang%3ANix+stateVersion+AND+23.11).


## Useful Commands
```fish
# upgrade system
sudo nixos-rebuild switch --flake .

# start build environment with user's default shell instead of bash
nix develop --command $SHELL

# nix shell with python packages
# https://discourse.nixos.org/t/nix-shell-for-python-packages/16575
# https://github.com/NixOS/nix/issues/5567
nix shell --impure --expr 'with builtins.getFlake "nixpkgs"; with legacyPackages.${builtins.currentSystem}; python3.withPackages (ps: with ps; [ numpy ])'
```

### Debugging
```nix
# load flake into repl
nix repl
:lf .

# print a configuration option
:p nixosConfigurations.omega.options.services.openssh.ports.declarationPositions  # declaration
:p nixosConfigurations.omega.options.services.openssh.ports.default  # declaration default
:p nixosConfigurations.omega.options.services.openssh.ports.definitionsWithLocations  # overwrites
:p nixosConfigurations.omega.options.services.openssh.ports.value  # current value
# print derivation package names
:p builtins.map (d: d.name) outputs.nixosConfigurations.omega.options.environment.systemPackages.value

# print version of package in nixpkgs
:p inputs.nixpkgs.outputs.legacyPackages.${builtins.currentSystem}.openssh.version
```
Initial commit 2023-06-25 01:28:19 +02:00			`# nixos`

Base 2023-08-01 15:35:09 +02:00			`## Installation`
			`Follow the [NixOS manual](https://nixos.org/manual/nixos/stable/index.html#ch-installation) to obtain and boot`
			the installation medium. Use the graphical ISO image since it ships with useful programs such as `nmtui`; the
			`installation can still be done through the terminal.`

			`### Disk Partitioning`
			`For [impermanence](https://nixos.wiki/wiki/Impermanence), partitioning should be done as outlined in the [tmpfs`
			as root](https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/) blogpost, but with `/nix` as a [LUKS-encrypted file
			`system](https://nixos.org/manual/nixos/stable/index.html#sec-luks-file-systems). The boot partition will not be`
update readme 2024-02-06 02:09:39 +01:00			encrypted, since that is poorly supported by systemd-boot. Persistent files will be saved under `/nix/persist`. To
			find out which of our darlings will be erased on reboot do `tree -x /` or `ncdu -x /`.
Base 2023-08-01 15:35:09 +02:00
			`The following is based on the [tmpfs as root](https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/) blogpost, the NixOS`
			`manual's [partitioning](https://nixos.org/manual/nixos/stable/index.html#sec-installation-manual-partitioning),`
			`[formatting](https://nixos.orgmanual/nixos/stable/index.html#sec-installation-manual-partitioning-formatting) and`
			`[LUKS-Encrypted File Systems](https://nixos.org/manual/nixos/stable/index.html#sec-luks-file-systems) sections,`
			`ArchWiki's [LVM on LUKS](https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS),`
			`the unofficial NixOS wiki [Full Disk Encryption](https://nixos.wiki/wiki/Full_Disk_Encryption), and [this GitHub`
			`gist](https://gist.github.com/martijnvermaat/76f2e24d0239470dd71050358b4d5134).`

			We create a 1GiB EFI boot partition (`/dev/sda1`) and the rest will be our LUKS-encrypted volume:
agenix 2024-02-24 02:11:59 +01:00			```fish
Base 2023-08-01 15:35:09 +02:00			`# Create partition table`
			`parted /dev/sda -- mklabel gpt`

			`# Create /boot partition`
			`parted /dev/sda -- mkpart ESP fat32 1MiB 1024MiB`
			`parted /dev/sda -- set 1 esp on`

			`# Create /nix partition`
			`parted /dev/sda -- mkpart primary 1024MiB 100%`

			`# Create and open LUKS-encrypted container`
			`cryptsetup --type=luks2 luksFormat --label=crypted /dev/sda2`
			`cryptsetup open /dev/sda2 crypted`

			`# Create LVM volume group`
			`pvcreate /dev/mapper/crypted`
			`vgcreate vg /dev/mapper/crypted`

			`# Create root logical volume`
			`lvcreate -l 100%FREE vg -n root`

			`# Format partitions`
			`mkfs.fat -F32 -n BOOT /dev/sda1`
			`mkfs.ext4 -L nix /dev/vg/root`
			```

			The result should be the following (`lsblk -f`):
			```text
			`NAME FSTYPE FSVER LABEL`
Update readme 2023-08-12 15:31:37 +02:00			`sda`
			`├─sda1 vfat FAT32 BOOT`
			`└─sda2 crypto_LUKS 2 crypted`
Base 2023-08-01 15:35:09 +02:00			`└─crypted LVM2_member LVM2 001`
			`└─vg-root ext4 1.0 nix`
			```

			`Whereas the [NixOS manual](https://nixos.org/manual/nixos/stable/index.html#sec-installation-manual-installing) mounts`
			the newly-created `nixos` partition to `/mnt`, we will follow the _tmpfs as root_ blogpost and mount `/mnt` as `tmpfs`:
agenix 2024-02-24 02:11:59 +01:00			```fish
Base 2023-08-01 15:35:09 +02:00			`mount -t tmpfs none /mnt`
			`mount --mkdir /dev/disk/by-label/BOOT /mnt/boot`
			`mount --mkdir /dev/disk/by-label/nix /mnt/nix`
			`mkdir -p /mnt/nix/persist/`
			```

agenix 2024-02-24 02:11:59 +01:00			`### Secrets`
			`All files in the Nix store are world-readable, so it is not a suitable place for including cleartext secrets,`
			`even if we had a scheme to securely transfer them to each system. [Agenix](https://github.com/ryantm/agenix)`
			`solves this issue by encrypting the secrets using [age](https://github.com/FiloSottile/age), and then decrypting`
			`and symlinking them using the system's SSH host key during system activation.`

			To bootstrap a new system, we must first generate a host key manually using `ssh-keygen -A -f /mnt/nix/persist`
			during installation. Then, on an existing system, add the new host's public key to `secrets.nix` and rekey all
			secrets using `agenix --rekey`. Commit and push the changes and proceed below.

			`When managing secrets, the Keepass recovery key is used like so:`
			```fish
			`set AGE_KEY_FILE (mktemp); read -s > $AGE_KEY_FILE`
			`agenix -i $AGE_KEY_FILE -e foo.age`
			```

			`### Installation`
Base 2023-08-01 15:35:09 +02:00			`The remaining installation can be done (more or less) according to the [NixOS`
			`manual](https://nixos.org/manual/nixos/stable/index.html#sec-installation-manual-installing).`
agenix 2024-02-24 02:11:59 +01:00			```fish
Base 2023-08-01 15:35:09 +02:00			`cd /mnt/nix`
			`git clone https://git.caspervk.net/caspervk/nixos.git tmp`
			`cd tmp/`
			`nixos-generate-config --root /mnt --show-hardware-config`
			`vim hosts/omega/hardware.nix`
nix is weird 2023-08-05 18:13:59 +02:00			`git add . # nix sometimes ignores files outside version control`
Base 2023-08-01 15:35:09 +02:00			`nixos-install --no-root-passwd --flake .#omega`
			```

update readme 2024-02-06 02:09:39 +01:00			`### Hardware Configuration`
Base 2023-08-01 15:35:09 +02:00			`hosts/*/hardware.nix`, while initially generated by `nixos-generate-config --show-hardware-config`, _is_ manually
Update readme 2023-08-12 15:31:37 +02:00			`modified.`
Base 2023-08-01 15:35:09 +02:00
update readme 2024-02-06 02:09:39 +01:00			`### State Version`
			Nixpkgs uses `stateVersion` so sparingly that auditing the entire nixpkgs repo is [easy
			`enough](https://sourcegraph.com/search?q=context%3Aglobal+repo%3A%5Egithub%5C.com%3FNixOS%2Fnixpkgs%24++lang%3ANix+stateVersion+AND+23.11).`
Base 2023-08-01 15:35:09 +02:00

update readme 2024-02-06 02:09:39 +01:00			`## Useful Commands`
agenix 2024-02-24 02:11:59 +01:00			```fish
update readme 2024-02-06 02:09:39 +01:00			`# upgrade system`
very minor cleanup 2023-08-13 19:34:10 +02:00			`sudo nixos-rebuild switch --flake .`
Add a little debugging help 2023-08-16 02:29:53 +02:00
update readme 2024-02-06 02:09:39 +01:00			`# start build environment with user's default shell instead of bash`
			`nix develop --command $SHELL`
stateVersion 2023-12-01 17:32:41 +01:00
update readme 2024-02-06 02:09:39 +01:00			`# nix shell with python packages`
			`# https://discourse.nixos.org/t/nix-shell-for-python-packages/16575`
			`# https://github.com/NixOS/nix/issues/5567`
readme: better repl commands 2024-02-18 20:55:45 +01:00			`nix shell --impure --expr 'with builtins.getFlake "nixpkgs"; with legacyPackages.${builtins.currentSystem}; python3.withPackages (ps: with ps; [ numpy ])'`
update readme 2024-02-06 02:09:39 +01:00			```
stateVersion 2023-12-01 17:32:41 +01:00
update readme 2024-02-06 02:09:39 +01:00			`### Debugging`
readme: better repl commands 2024-02-18 20:55:45 +01:00			```nix
update readme 2024-02-06 02:09:39 +01:00			`# load flake into repl`
Add a little debugging help 2023-08-16 02:29:53 +02:00			`nix repl`
			`:lf .`
update readme 2024-02-06 02:09:39 +01:00
readme: better repl commands 2024-02-18 20:55:45 +01:00			`# print a configuration option`
			`:p nixosConfigurations.omega.options.services.openssh.ports.declarationPositions # declaration`
			`:p nixosConfigurations.omega.options.services.openssh.ports.default # declaration default`
			`:p nixosConfigurations.omega.options.services.openssh.ports.definitionsWithLocations # overwrites`
			`:p nixosConfigurations.omega.options.services.openssh.ports.value # current value`
			`# print derivation package names`
			`:p builtins.map (d: d.name) outputs.nixosConfigurations.omega.options.environment.systemPackages.value`
update readme 2024-02-06 02:09:39 +01:00
explain repl 2023-12-13 20:24:08 +01:00			`# print version of package in nixpkgs`
readme: better repl commands 2024-02-18 20:55:45 +01:00			`:p inputs.nixpkgs.outputs.legacyPackages.${builtins.currentSystem}.openssh.version`
Add a little debugging help 2023-08-16 02:29:53 +02:00			```