# nixos

## Installation

Follow the NixOS manual to obtain and boot the installation medium. Use the graphical ISO image since it ships with useful programs such as `nmtui`; the installation can still be done through the terminal.

### Disk Partitioning

For impermanence, partitioning should be done as outlined in the tmpfs as root blogpost, but with `/nix` as a LUKS-encrypted file system. The boot partition will not be encrypted, since that is poorly supported by systemd-boot. Persistent files will be saved under `/nix/persist`.

The following is based on the tmpfs as root blogpost, the NixOS manual's partitioning, formatting and LUKS-Encrypted File Systems sections, ArchWiki's LVM on LUKS, the unofficial NixOS wiki Full Disk Encryption, and this GitHub gist.
We create a 1GiB EFI boot partition (`/dev/sda1`) and the rest will be our LUKS-encrypted volume:

```sh
# Create partition table
parted /dev/sda -- mklabel gpt
# Create /boot partition
parted /dev/sda -- mkpart ESP fat32 1MiB 1024MiB
parted /dev/sda -- set 1 esp on
# Create /nix partition
parted /dev/sda -- mkpart primary 1024MiB 100%
# Create and open LUKS-encrypted container
cryptsetup --type=luks2 luksFormat --label=crypted /dev/sda2
cryptsetup open /dev/sda2 crypted
# Create LVM volume group
pvcreate /dev/mapper/crypted
vgcreate vg /dev/mapper/crypted
# Create root logical volume
lvcreate -l 100%FREE vg -n root
# Format partitions
mkfs.fat -F32 -n BOOT /dev/sda1
mkfs.ext4 -L nix /dev/vg/root
```
The result should be the following (`lsblk -f`):

```
NAME          FSTYPE      FSVER LABEL
sda
├─sda1        vfat        FAT32 BOOT
└─sda2        crypto_LUKS 2     crypted
  └─crypted   LVM2_member LVM2  001
    └─vg-root ext4        1.0   nix
```
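As an added check that is not part of this repository, the following POSIX shell function reads `lsblk -f` output and confirms the layout the steps above aim for: the ext4 filesystem labelled `nix` sits inside a LUKS2 container and the `BOOT` partition is vfat, so a skipped `cryptsetup` step is caught before `nixos-install` writes anything to disk. It assumes every row fills the FSTYPE, FSVER and LABEL columns, as in the listing above; the two listings in it are constructed, not captured from a machine.

```shell
#!/bin/sh
# check_layout reads `lsblk -f` output on stdin and returns 0 only when the
# ext4 filesystem labelled "nix" is nested (by indentation) inside a
# crypto_LUKS version 2 entry and the partition labelled BOOT is vfat.
# Assumption: every row fills FSTYPE, FSVER and LABEL, so whitespace
# splitting yields $2=FSTYPE, $3=FSVER, $4=LABEL; lsblk indents children.
check_layout() {
  awk '
    BEGIN { luks_depth = -1; nix_ok = 0; boot_ok = 0 }
    NR == 1 { next }                      # skip the column header
    {
      match($0, /^ */); depth = RLENGTH   # nesting level from indentation
      # indentation back at or above the LUKS entry means we left the container
      if (luks_depth >= 0 && depth <= luks_depth) luks_depth = -1
      if ($2 == "crypto_LUKS" && $3 == "2") luks_depth = depth
      if ($2 == "vfat" && $4 == "BOOT") boot_ok = 1
      if ($2 == "ext4" && $4 == "nix" && luks_depth >= 0 && depth > luks_depth) nix_ok = 1
    }
    END { exit !(nix_ok && boot_ok) }
  '
}

# Constructed listings: the first matches the README, the second is the
# same disk with /nix formatted directly on /dev/sda2 (no LUKS container).
expected_layout() {
  printf '%s\n' \
    'NAME FSTYPE FSVER LABEL' \
    'sda' \
    '├─sda1 vfat FAT32 BOOT' \
    '└─sda2 crypto_LUKS 2 crypted' \
    '  └─crypted LVM2_member LVM2 001' \
    '    └─vg-root ext4 1.0 nix'
}
plain_layout() {
  printf '%s\n' \
    'NAME FSTYPE FSVER LABEL' \
    'sda' \
    '├─sda1 vfat FAT32 BOOT' \
    '└─sda2 ext4 1.0 nix'
}

expected_layout | check_layout && echo "layout matches the README"
plain_layout | check_layout || echo "unencrypted /nix detected"
```

On the installer the check is `lsblk -f | check_layout` before the mount step; a non-zero exit means the partitioning above was not completed as written.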

### Installation

Whereas the NixOS manual mounts the newly-created `nixos` partition to `/mnt`, we will follow the tmpfs as root blogpost and mount `/mnt` as `tmpfs`:

```sh
mount -t tmpfs none /mnt
mount --mkdir /dev/disk/by-label/BOOT /mnt/boot
mount --mkdir /dev/disk/by-label/nix /mnt/nix
mkdir -p /mnt/nix/persist/
```
The remaining installation can be done (more or less) according to the NixOS manual.

```sh
cd /mnt/nix
git clone https://git.caspervk.net/caspervk/nixos.git tmp
cd tmp/
nixos-generate-config --root /mnt --show-hardware-config
vim hosts/omega/hardware.nix
git add . # nix sometimes ignores files outside version control
nixos-install --no-root-passwd --flake .#omega
# Make sure to set a password
mkpasswd > /mnt/nix/persist/passwordfile
chmod 400 /mnt/nix/persist/passwordfile
```

## Hardware Configuration

`hosts/*/hardware.nix`, while initially generated by `nixos-generate-config --show-hardware-config`, is manually modified.

## Impermanence

To find out which of our darlings will be erased on reboot, run `tree -x /`.

## Upgrading

```sh
sudo nixos-rebuild switch --flake .
```

## State Version

Nixpkgs uses `stateVersion` so sparingly that auditing the entire nixpkgs repo is easy enough.

## Debugging

```
nix repl
:lf .
# print the value of a configuration setting
:p nixosConfigurations.omega.config.services.openssh.ports
# print _why_ the value is as it is (source of defaults, overwrites)
:p nixosConfigurations.omega.options.services.openssh.ports
# print the value of a home-manager setting
:p nixosConfigurations.omega.config.home-manager.users.caspervk.programs.ssh.matchBlocks
# print the version of a package in nixpkgs
:p inputs.nixpkgs.outputs.legacyPackages.x86_64-linux.openssh.version
```