Stunkymonkey / nixos

personal nixos config

nixos-config built with nixCI

This repository holds my NixOS configuration. It is fully reproducible, flakes based, and position-independent, ...

used flakes:

Structure

.
├── images       # custom image generations
├── machines     # machine definitions
├── modules      # own nix-options, to modularize services/hardware/...
├── overlays     # overlays
├── pkgs         # own packages, which are not available in nixpkgs
└── profiles     # summarize module collections into single options

Usage

  • updating:

    nix flake update
  • deployment/update:

    nix run .#apps.nixinate.<flake>
  • secrets:

    sops ./machines/<host>/secrets.yaml
  • images:

    nix build .#install-iso
    nix build .#aarch64-install --system aarch64-linux
  • vms:

    nixos-rebuild build-vm --flake .#<flake>
  • (re-)install:

    Make sure you have root SSH access to the machine and that the right SSH key is used for it. (It does not matter which system is installed on the machine beforehand.)

    1. generate config (only needed for a new host)

      on the target machine, make nixos-generate-config available via nix (it is not installed on non-NixOS systems) and execute

      nixos-generate-config --no-filesystems --root "$(mktemp -d)"

      reuse the generated hardware-configuration.nix to create a new machine definition under machines/ together with its flake output.

    2. setup secrets

      1. new host

        prepare the secrets in the following layout:

        # disk encryption key: write it without a trailing newline (a plain echo
        # would add one, and cryptsetup uses the key file byte-for-byte, so the
        # passphrase typed at boot would no longer match)
        printf '%s' "my-super-safe-password" > /tmp/disk.key
        chmod 600 /tmp/disk.key
        
        temp=$(mktemp -d)
        # ssh host keys
        install -d -m755 "$temp/etc/ssh"
        ssh-keygen -o -t rsa -a 100 -N "" -b 4096 -f "$temp/etc/ssh/ssh_host_rsa_key"
        chmod 600 "$temp/etc/ssh/ssh_host_rsa_key"
        ssh-keygen -o -t ed25519 -a 100 -N "" -f "$temp/etc/ssh/ssh_host_ed25519_key"
        chmod 600 "$temp/etc/ssh/ssh_host_ed25519_key"
        # initrd ssh host key (used by sshd inside the initrd, separate from the main host key)
        install -d -m755 "$temp/etc/secrets/initrd"
        ssh-keygen -o -t ed25519 -a 100 -N "" -f "$temp/etc/secrets/initrd/ssh_host_ed25519_key"
        chmod 600 "$temp/etc/secrets/initrd/ssh_host_ed25519_key"
      2. existing host

        reuse the host's current keys so it keeps its SSH identity (existing known_hosts entries stay valid): copy /etc/ssh/ssh_host_* and /etc/secrets/initrd/* from the running host into the same layout under $temp, keeping their modes, then verify the tree.

        # disk encryption key, written without a trailing newline (see the note for a new host)
        printf '%s' "my-super-safe-password" > /tmp/disk.key
        chmod 600 /tmp/disk.key
        temp=$(mktemp -d)
        # copy the existing keys into "$temp/etc/ssh" and "$temp/etc/secrets/initrd" here
        find "$temp" -printf '%M %p\n'

        should result in something looking like this

        drwx------ $temp
        drwxr-xr-x $temp/etc
        drwxr-xr-x $temp/etc/ssh
        -rw------- $temp/etc/ssh/ssh_host_rsa_key
        -rw------- $temp/etc/ssh/ssh_host_ed25519_key
        -rw-r--r-- $temp/etc/ssh/ssh_host_rsa_key.pub
        -rw-r--r-- $temp/etc/ssh/ssh_host_ed25519_key.pub
        drwxr-xr-x $temp/etc/secrets
        drwxr-xr-x $temp/etc/secrets/initrd
        -rw------- $temp/etc/secrets/initrd/ssh_host_ed25519_key
        -rw-r--r-- $temp/etc/secrets/initrd/ssh_host_ed25519_key.pub
        
    3. execute install

      now install by running the command below (this wipes all data on the target machine!):

      nix run github:numtide/nixos-anywhere -- \
          --disk-encryption-keys /tmp/disk.key /tmp/disk.key \
          --extra-files "$temp" \
          --flake .#<flake> \
          root@<host>
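
Everything under `$temp` is copied onto the freshly installed system as-is, and the disk key file is used byte-for-byte, so it pays to check both before running nixos-anywhere. The script below is an added example and not part of this repository: it generates the tree for a new host exactly as listed above, and its `check` mode verifies an existing tree (whether generated or copied from a running host) against the expected paths and modes, flags any non-`.pub` file that is group- or world-readable, and rejects a disk key with a trailing newline. It assumes GNU coreutils/findutils (`stat -c`, `find -perm /`) and OpenSSH's `ssh-keygen`; the script name and the `/tmp/disk.key` default are the same as in this README.

```bash
#!/usr/bin/env bash
# Added example, not part of this repository: build and verify the tree that
# the (re-)install step hands to nixos-anywhere via --extra-files, plus the
# LUKS key file. Assumes GNU coreutils/findutils (stat -c, find -perm /) and
# OpenSSH's ssh-keygen; the layout and modes mirror the README's listing.
set -u

# relative path (directories end in "/") and expected octal mode
EXPECTED_LAYOUT='
etc/ 755
etc/ssh/ 755
etc/ssh/ssh_host_rsa_key 600
etc/ssh/ssh_host_rsa_key.pub 644
etc/ssh/ssh_host_ed25519_key 600
etc/ssh/ssh_host_ed25519_key.pub 644
etc/secrets/ 755
etc/secrets/initrd/ 755
etc/secrets/initrd/ssh_host_ed25519_key 600
etc/secrets/initrd/ssh_host_ed25519_key.pub 644
'

# write_disk_key FILE PASSPHRASE: write the LUKS passphrase byte-for-byte.
# cryptsetup --key-file uses the whole file, so a trailing newline (as echo
# would add) becomes part of the passphrase and the one typed at boot fails.
write_disk_key() {
  local file=$1 pass=$2
  (umask 077 && printf '%s' "$pass" > "$file")
}

# disk_key_ok FILE: non-empty, mode 600 and no trailing newline
disk_key_ok() {
  local file=$1
  [ -s "$file" ] || { echo "$file: empty or missing" >&2; return 1; }
  [ "$(stat -c %a "$file")" = 600 ] || { echo "$file: mode must be 600" >&2; return 1; }
  # $(...) strips trailing newlines, so an empty result means the last byte is one
  [ -n "$(tail -c 1 "$file")" ] || { echo "$file: trailing newline" >&2; return 1; }
}

# generate_host_keys DIR: create fresh host and initrd keys (new host only)
generate_host_keys() {
  local dir=$1
  install -d -m755 "$dir/etc/ssh" "$dir/etc/secrets/initrd"
  ssh-keygen -q -o -t rsa -a 100 -b 4096 -N "" -f "$dir/etc/ssh/ssh_host_rsa_key"
  ssh-keygen -q -o -t ed25519 -a 100 -N "" -f "$dir/etc/ssh/ssh_host_ed25519_key"
  ssh-keygen -q -o -t ed25519 -a 100 -N "" -f "$dir/etc/secrets/initrd/ssh_host_ed25519_key"
  chmod 600 "$dir"/etc/ssh/ssh_host_*_key "$dir/etc/secrets/initrd/ssh_host_ed25519_key"
}

# layout_ok DIR: 0 iff DIR is private, every expected path exists with the
# expected mode, and no non-.pub file under it is group/world readable.
# Everything in DIR is copied onto the new system unchanged, so check it first.
layout_ok() {
  local dir=$1 rel mode path actual leaked rc=0
  actual=$(stat -c %a "$dir")
  [ "$actual" = 700 ] || { echo "$dir: mode $actual, expected 700" >&2; rc=1; }
  while read -r rel mode; do
    [ -n "$rel" ] || continue
    path="$dir/${rel%/}"
    if [ ! -e "$path" ]; then echo "$path: missing" >&2; rc=1; continue; fi
    case $rel in
      */) [ -d "$path" ] || { echo "$path: not a directory" >&2; rc=1; } ;;
      *)  [ -f "$path" ] || { echo "$path: not a regular file" >&2; rc=1; } ;;
    esac
    actual=$(stat -c %a "$path")
    [ "$actual" = "$mode" ] || { echo "$path: mode $actual, expected $mode" >&2; rc=1; }
  done <<EOF
$EXPECTED_LAYOUT
EOF
  # a private key or key file readable by group/others would be deployed that way
  leaked=$(find "$dir" -type f ! -name '*.pub' -perm /077)
  [ -z "$leaked" ] || { echo "group/world readable private files:" "$leaked" >&2; rc=1; }
  return $rc
}

main() {
  case "${1:-}" in
    new)   generate_host_keys "$2" && layout_ok "$2" ;;
    check) layout_ok "$2" && disk_key_ok "${3:-/tmp/disk.key}" ;;
    *)     echo "usage: $0 new <dir> | check <dir> [disk.key]" >&2 ;;
  esac
}
main "$@"
```

Run `./prepare-extra-files.sh new "$temp"` for a new host, or populate `$temp` from a running host and run `./prepare-extra-files.sh check "$temp" /tmp/disk.key`; a zero exit status means the tree and key file match the layout the install step expects.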

Inspired by
