snowflake 8b383ff6b0 flake.lock: Update
Flake lock file updates:

• Updated input 'home-manager-unstable':
    'github:nix-community/home-manager/21b078306a2ab68748abf72650db313d646cf2ca' (2024-02-11)
  → 'github:nix-community/home-manager/517601b37c6d495274454f63c5a483c8e3ca6be1' (2024-02-20)
• Updated input 'nix-index-database':
    'github:nix-community/nix-index-database/0cb4345704123492e6d1f1068629069413c80de0' (2024-02-11)
  → 'github:nix-community/nix-index-database/17352eb241a8d158c4ac523b19d8d2a6c8efe127' (2024-02-18)
• Updated input 'nixos-hardware':
    'github:NixOS/nixos-hardware/f1b2f71c86a5b1941d20608db0b1e88a07d31303' (2024-02-13)
  → 'github:NixOS/nixos-hardware/106d3fec43bcea19cb2e061ca02531d54b542ce3' (2024-02-16)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/809cca784b9f72a5ad4b991e0e7bcf8890f9c3a6' (2024-02-11)
  → 'github:NixOS/nixpkgs/e0da498ad77ac8909a980f07eff060862417ccf7' (2024-02-18)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/f9d39fb9aff0efee4a3d5f4a6d7c17701d38a1d8' (2024-02-11)
  → 'github:NixOS/nixpkgs/b98a4e1746acceb92c509bc496ef3d0e5ad8d4aa' (2024-02-18)
2024-02-21 01:18:25 +00:00
hosts proper vulkan setup 2024-02-18 20:55:35 +01:00
modules proper vulkan setup 2024-02-18 20:55:35 +01:00
overlays 23.11: no more need for ripgrep overlay 2023-12-01 20:57:14 +01:00
.gitignore Initial commit 2023-06-25 01:28:19 +02:00
Containerfile replace gitlab-ci with dumb Containerfile 2023-11-29 01:48:28 +01:00
flake.lock flake.lock: Update 2024-02-21 01:18:25 +00:00
flake.nix 23.11: home-manager 2023-12-01 20:55:41 +01:00
LICENSE fmt license 2023-07-09 00:15:18 +02:00
README.md readme: better repl commands 2024-02-18 20:55:45 +01:00

nixos

Installation

Follow the NixOS manual to obtain and boot the installation medium. Use the graphical ISO image since it ships with useful programs such as nmtui; the installation can still be done through the terminal.

Disk Partitioning

For impermanence, partitioning should be done as outlined in the tmpfs as root blogpost, but with /nix as a LUKS-encrypted file system. The boot partition will not be encrypted, since that is poorly supported by systemd-boot. Persistent files will be saved under /nix/persist. To find out which of our darlings will be erased on reboot do tree -x / or ncdu -x /.

The following is based on the tmpfs as root blogpost, the NixOS manual's partitioning, formatting and LUKS-Encrypted File Systems sections, ArchWiki's LVM on LUKS, the unofficial NixOS wiki Full Disk Encryption, and this GitHub gist.

We create a 1GiB EFI boot partition (/dev/sda1) and the rest will be our LUKS-encrypted volume:

# Create partition table
parted /dev/sda -- mklabel gpt

# Create /boot partition
parted /dev/sda -- mkpart ESP fat32 1MiB 1024MiB
parted /dev/sda -- set 1 esp on

# Create /nix partition
parted /dev/sda -- mkpart primary 1024MiB 100%

# Create and open LUKS-encrypted container
cryptsetup --type=luks2 luksFormat --label=crypted /dev/sda2
cryptsetup open /dev/sda2 crypted

# Create LVM volume group
pvcreate /dev/mapper/crypted
vgcreate vg /dev/mapper/crypted

# Create root logical volume
lvcreate -l 100%FREE vg -n root

# Format partitions
mkfs.fat -F32 -n BOOT /dev/sda1
mkfs.ext4 -L nix /dev/vg/root

The result should be the following (lsblk -f):

NAME          FSTYPE      FSVER            LABEL
sda
├─sda1        vfat        FAT32            BOOT
└─sda2        crypto_LUKS 2                crypted
  └─crypted   LVM2_member LVM2 001
    └─vg-root ext4        1.0              nix

Installation

Whereas the NixOS manual mounts the newly created nixos partition to /mnt, we will follow the tmpfs as root blogpost and mount /mnt as tmpfs:

mount -t tmpfs none /mnt
mount --mkdir /dev/disk/by-label/BOOT /mnt/boot
mount --mkdir /dev/disk/by-label/nix /mnt/nix
mkdir -p /mnt/nix/persist/

The remaining installation can be done (more or less) according to the NixOS manual.

cd /mnt/nix
git clone https://git.caspervk.net/caspervk/nixos.git tmp
cd tmp/
nixos-generate-config --root /mnt --show-hardware-config
vim hosts/omega/hardware.nix
git add .  # flakes only see files tracked by git; untracked files are ignored
nixos-install --no-root-passwd --flake .#omega

# Make sure to set a password
mkpasswd > /mnt/nix/persist/passwordfile
chmod 400 /mnt/nix/persist/passwordfile

Hardware Configuration

hosts/*/hardware.nix, while initially generated by nixos-generate-config --show-hardware-config, is manually modified.
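As an added example (not the repository's own hosts/omega/hardware.nix), here is a hardware.nix matching the layout produced in the partitioning section: tmpfs root, unencrypted /boot by label, the LUKS2 container opened as crypted, and the ext4 volume on /nix with the password file read from /nix/persist. The user name alice and the 2G tmpfs size are assumptions.

```nix
# Added example (not the repo's own hosts/omega/hardware.nix): a hardware
# configuration matching the partition layout above. Assumptions: the tmpfs
# size (2G) and the user name "alice"; the labels BOOT/nix/crypted, the
# mapper name "crypted" and /nix/persist/passwordfile come from the README.
{ config, lib, pkgs, modulesPath, ... }:

{
  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];

  # Unencrypted ESP, since systemd-boot supports an encrypted /boot poorly.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  # Open the LUKS2 container in the initrd. The mapper name must match the
  # one used with `cryptsetup open`, because LVM scans /dev/mapper/crypted.
  boot.initrd.luks.devices."crypted".device = "/dev/disk/by-label/crypted";

  # Root is a fresh tmpfs on every boot: anything not under /nix is erased.
  # mode=755 keeps / from being world-writable.
  fileSystems."/" = {
    device = "none";
    fsType = "tmpfs";
    options = [ "defaults" "size=2G" "mode=755" ];
  };

  fileSystems."/boot" = {
    device = "/dev/disk/by-label/BOOT";
    fsType = "vfat";
    # Loader entries and the random seed are not world-readable.
    options = [ "umask=0077" ];
  };

  # /nix lives on the LVM volume inside the LUKS container. NixOS already
  # treats /nix as needed for boot; stating it makes the intent explicit.
  fileSystems."/nix" = {
    device = "/dev/disk/by-label/nix";
    fsType = "ext4";
    neededForBoot = true;
  };

  # Users are declarative; the hash written by mkpasswd during installation
  # survives reboots because it lives under /nix/persist.
  # hashedPasswordFile is the NixOS 23.11+ name (older releases: passwordFile).
  users.mutableUsers = false;
  users.users.alice = {
    isNormalUser = true;
    hashedPasswordFile = "/nix/persist/passwordfile";
  };
}
```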

State Version

Nixpkgs uses stateVersion so sparingly that auditing the entire nixpkgs repo is easy enough.

Useful Commands

# upgrade system
sudo nixos-rebuild switch --flake .

# start build environment with user's default shell instead of bash
nix develop --command $SHELL

# nix shell with python packages
# https://discourse.nixos.org/t/nix-shell-for-python-packages/16575
# https://github.com/NixOS/nix/issues/5567
nix shell --impure --expr 'with builtins.getFlake "nixpkgs"; with legacyPackages.${builtins.currentSystem}; python3.withPackages (ps: with ps; [ numpy ])'

Debugging

# load flake into repl
nix repl
:lf .

# print a configuration option
:p nixosConfigurations.omega.options.services.openssh.ports.declarationPositions  # where the option is declared
:p nixosConfigurations.omega.options.services.openssh.ports.default  # declared default
:p nixosConfigurations.omega.options.services.openssh.ports.definitionsWithLocations  # all definitions (overrides), with their locations
:p nixosConfigurations.omega.options.services.openssh.ports.value  # current (merged) value
# print derivation package names
:p builtins.map (d: d.name) outputs.nixosConfigurations.omega.options.environment.systemPackages.value

# print version of package in nixpkgs
:p inputs.nixpkgs.outputs.legacyPackages.${builtins.currentSystem}.openssh.version