update installation instructions
This commit is contained in:
parent
0c97189dd5
commit
dad753c5b7
1 changed files with 65 additions and 34 deletions
99
README.md
99
README.md
|
@ -1,26 +1,37 @@
|
|||
# nixos
|
||||
|
||||
## Installation
|
||||
Follow the [NixOS manual](https://nixos.org/manual/nixos/stable/index.html#ch-installation) to obtain and boot
|
||||
the installation medium. Use the graphical ISO image since it ships with useful programs such as `nmtui`; the
|
||||
installation can still be done through the terminal.
|
||||
Follow the [NixOS
|
||||
manual](https://nixos.org/manual/nixos/stable/index.html#ch-installation) to
|
||||
obtain and boot the installation medium. Use the graphical ISO image since it
|
||||
ships with useful programs such as `nmtui`; the installation can still be done
|
||||
through the terminal.
|
||||
|
||||
### Disk Partitioning
|
||||
For [impermanence](https://nixos.wiki/wiki/Impermanence), partitioning should be done as outlined in the [tmpfs
|
||||
as root](https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/) blogpost, but with `/nix` as a [LUKS-encrypted file
|
||||
system](https://nixos.org/manual/nixos/stable/index.html#sec-luks-file-systems). The boot partition will not be
|
||||
encrypted, since that is poorly supported by systemd-boot. Persistent files will be saved under `/nix/persist`. To
|
||||
find out which of our darlings will be erased on reboot do `tree -x /` or `ncdu -x /`.
|
||||
For [impermanence](https://nixos.wiki/wiki/Impermanence), partitioning should
|
||||
be done as outlined in the [tmpfs as
|
||||
root](https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/) blogpost, but with
|
||||
`/nix` as a [LUKS-encrypted file
|
||||
system](https://nixos.org/manual/nixos/stable/index.html#sec-luks-file-systems).
|
||||
The boot partition will not be encrypted, since that is poorly supported by
|
||||
systemd-boot. Persistent files will be saved under `/nix/persist`. To find out
|
||||
which of our darlings will be erased on reboot do `tree -x /` or `ncdu -x /`.
|
||||
|
||||
The following is based on the [tmpfs as root](https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/) blogpost, the NixOS
|
||||
manual's [partitioning](https://nixos.org/manual/nixos/stable/index.html#sec-installation-manual-partitioning),
|
||||
[formatting](https://nixos.orgmanual/nixos/stable/index.html#sec-installation-manual-partitioning-formatting) and
|
||||
[LUKS-Encrypted File Systems](https://nixos.org/manual/nixos/stable/index.html#sec-luks-file-systems) sections,
|
||||
ArchWiki's [LVM on LUKS](https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS),
|
||||
the unofficial NixOS wiki [Full Disk Encryption](https://nixos.wiki/wiki/Full_Disk_Encryption), and [this GitHub
|
||||
The following is based on the [tmpfs as
|
||||
root](https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/) blogpost, the NixOS
|
||||
manual's
|
||||
[partitioning](https://nixos.org/manual/nixos/stable/index.html#sec-installation-manual-partitioning),
|
||||
[formatting](https://nixos.orgmanual/nixos/stable/index.html#sec-installation-manual-partitioning-formatting)
|
||||
and [LUKS-Encrypted File
|
||||
Systems](https://nixos.org/manual/nixos/stable/index.html#sec-luks-file-systems)
|
||||
sections, ArchWiki's [LVM on
|
||||
LUKS](https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS),
|
||||
the unofficial NixOS wiki [Full Disk
|
||||
Encryption](https://nixos.wiki/wiki/Full_Disk_Encryption), and [this GitHub
|
||||
gist](https://gist.github.com/martijnvermaat/76f2e24d0239470dd71050358b4d5134).
|
||||
|
||||
We create a 1GiB EFI boot partition (`/dev/sda1`) and the rest will be our LUKS-encrypted volume:
|
||||
We create a 1GiB EFI boot partition (`/dev/sda1`) and the rest will be our
|
||||
LUKS-encrypted volume:
|
||||
```fish
|
||||
# Create partition table
|
||||
parted /dev/sda -- mklabel gpt
|
||||
|
@ -58,8 +69,10 @@ sda
|
|||
└─vg-root ext4 1.0 nix
|
||||
```
|
||||
|
||||
Whereas the [NixOS manual](https://nixos.org/manual/nixos/stable/index.html#sec-installation-manual-installing) mounts
|
||||
the newly-created `nixos` partition to `/mnt`, we will follow the _tmpfs as root_ blogpost and mount `/mnt` as `tmpfs`:
|
||||
Whereas the [NixOS
|
||||
manual](https://nixos.org/manual/nixos/stable/index.html#sec-installation-manual-installing)
|
||||
mounts the newly-created `nixos` partition to `/mnt`, we will follow the _tmpfs
|
||||
as root_ blogpost and mount `/mnt` as `tmpfs`:
|
||||
```fish
|
||||
mount -t tmpfs none /mnt
|
||||
mount --mkdir /dev/disk/by-label/BOOT /mnt/boot
|
||||
|
@ -68,44 +81,62 @@ mkdir -p /mnt/nix/persist/
|
|||
```
|
||||
|
||||
### Secrets
|
||||
All files in the Nix store are world-readable, so it is not a suitable place for including cleartext secrets,
|
||||
even if we had a scheme to securely transfer them to each system. [Agenix](https://github.com/ryantm/agenix)
|
||||
solves this issue by encrypting the secrets using [age](https://github.com/FiloSottile/age), and then decrypting
|
||||
and symlinking them using the system's SSH host key during system activation.
|
||||
All files in the Nix store are world-readable, so it is not a suitable place
|
||||
for including cleartext secrets, even if we had a scheme to securely transfer
|
||||
them to each system. [Agenix](https://github.com/ryantm/agenix) solves this
|
||||
issue by encrypting the secrets using
|
||||
[age](https://github.com/FiloSottile/age), and then decrypting and symlinking
|
||||
them using the system's SSH host key during system activation.
|
||||
|
||||
All secrets, and other private configuration such as DNS zonefiles, are stored
|
||||
in a separate, private [repo](https://git.caspervk.net/caspervk/nixos-secrets).
|
||||
To bootstrap a new system, we must first generate a host key manually using
|
||||
`ssh-keygen -A -f /mnt/nix/persist` during installation. Then, on an existing
|
||||
system, add the new host's public key to `secrets.nix` in the `nixos-secrets`
|
||||
repo and rekey all secrets using `agenix --rekey`. Commit and transfer the
|
||||
repository to the new system.
|
||||
|
||||
When managing secrets, the Keepass recovery key is used like so:
|
||||
To bootstrap a new system, we must generate a host key manually during
|
||||
installation:
|
||||
```fish
|
||||
mkdir -p /mnt/nix/persist/etc/ssh/
|
||||
ssh-keygen -A -f /mnt/nix/persist
|
||||
nc alpha.caspervk.net 1337 < /mnt/nix/persist/etc/ssh/ssh_host_ed25519.pub
|
||||
```
|
||||
Then, on an existing system, add the new host's public key to `secrets.nix` in
|
||||
the `nixos-secrets` repo and **rekey** all secrets. When managing secrets, the
|
||||
Keepass recovery key is used like so:
|
||||
```fish
|
||||
set AGE_KEY_FILE (mktemp); read -s > $AGE_KEY_FILE
|
||||
agenix -i $AGE_KEY_FILE --rekey
|
||||
agenix -i $AGE_KEY_FILE -e foo.age
|
||||
```
|
||||
|
||||
The new system needs to be able to pull the `nixos-secrets` repo temporarily
|
||||
during installation:
|
||||
```fish
|
||||
ssh-keygen -t ed25519
|
||||
nc alpha.caspervk.net 1337 < /root/.ssh/id_ed25519.pub
|
||||
# https://git.caspervk.net/caspervk/nixos-secrets/settings/keys
|
||||
```
|
||||
After bootstrapping, servers will auto-upgrade using the shared `autoUpgrade`
|
||||
SSH key. Desktops will need to add `~caspervk/.ssh/id_ed25519.pub` either as a
|
||||
deploy key for the `nixos-secrets` repo, or to the entire git user.
|
||||
|
||||
### Installation
|
||||
The remaining installation can be done (more or less) according to the [NixOS
|
||||
manual](https://nixos.org/manual/nixos/stable/index.html#sec-installation-manual-installing).
|
||||
```fish
|
||||
cd /mnt/nix
|
||||
git clone https://git.caspervk.net/caspervk/nixos.git tmp
|
||||
cd tmp/
|
||||
git clone https://git.caspervk.net/caspervk/nixos.git
|
||||
cd nixos/
|
||||
nixos-generate-config --root /mnt --show-hardware-config
|
||||
vim hosts/omega/hardware.nix
|
||||
git add . # nix sometimes ignores files outside version control
|
||||
nixos-install --no-root-passwd --flake .#omega --override-input secrets ./../nixos-secrets/
|
||||
nixos-install --no-root-passwd --flake .#omega
|
||||
```
|
||||
|
||||
### Hardware Configuration
|
||||
`hosts/*/hardware.nix`, while initially generated by `nixos-generate-config --show-hardware-config`, _is_ manually
|
||||
modified.
|
||||
`hosts/*/hardware.nix`, while initially generated by `nixos-generate-config
|
||||
--show-hardware-config`, _is_ manually modified.
|
||||
|
||||
### State Version
|
||||
Nixpkgs uses `stateVersion` so sparingly that auditing the entire nixpkgs repo is [easy
|
||||
Nixpkgs uses `stateVersion` so sparingly that auditing the entire nixpkgs repo
|
||||
is [easy
|
||||
enough](https://sourcegraph.com/search?q=context%3Aglobal+repo%3A%5Egithub%5C.com%3FNixOS%2Fnixpkgs%24++lang%3ANix+stateVersion+AND+23.11).
|
||||
|
||||
|
||||
|
|
Loading…
Reference in a new issue