https://github.com/extrange/nixos-config

# My NixOS Configuration

![screenshot](./screenshot.jpg)

Secrets are encrypted by the hosts' own SSH key via `sops-nix`.

[Useful Commands]

## Configuration

Host configuration is specified by `*.nix` files in `hosts/${hostname}`, e.g.:

- `system.nix`
- `hardware-configuration.nix` (generated by `nixos-generate-config`)
- Optionally, other files as resources e.g. `monitors.xml`

They also inherit configurations from `common/`.

See available options in `common-opt`.

When adding a new host, generate its SSH keypair in `server`'s `/home/user/keys` directory: `ssh-keygen -t ed25519 -f `

## Install

An encrypted root ([LVM over LUKS]) with zram will be set up. The root account is disabled.

> [!IMPORTANT]
> Before installing anything, back up your existing configuration:
>
> - Firefox profiles
> - `/etc/fstab` (if applicable)
> - `nm-cli` connections (if applicable)
> - VM images (if applicable)

Boot into the NixOS [installer].

Then, run:

```text
$ sudo -i
# source <(curl -s https://raw.githubusercontent.com/extrange/nixos-config/main/setup.sh)
```

Enter SSH login details when prompted.

Once installation is completed successfully, reboot.

## Post Install

- `git push` changes to `hardware-configuration.nix` for the respective host
- If necessary, add the new key to Github
- If remote access is required, add the host's public key to `common/system.nix`'s `known_hosts` so that other devices can connect without prompting
- NixOS generates new host keys every time a host is provisioned, and I do not declaratively configure that
- Pull Firefox profile
- Setup logins (these can't be declaratively set)
- Tailscale (Auth Key max expiry is 90 days)
- Telegram
- Whatsapp
- Syncthing: configure folders, add device to server
- GSConnect pairing
- VSCode settings sync (note: due to [automatic login], the keyring is not unlocked. However, it is possible to use an insecure storage and disable the [password].)

## Raspberry Pi 4

_Currently not working - GPU driver issues (`Qt Fatal: Could not open display`)._

For the initial build, build locally on another build host:

```sh
NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1 nix build path:.#nixosConfigurations.rpi4.config.system.build.sdImage --impure --max-jobs 1
```

_Note: the build host requires `boot.binfmt.emulatedSystems = [ "aarch64-linux" ]` set._

[`dd` the image to the sdcard](https://nix.dev/tutorials/nixos/installing-nixos-on-a-raspberry-pi.html):

```sh
sudo dd if= of=/dev/sdX bs=4096 conv=fsync status=progress
```

Subsequent builds can be pushed to the pi remotely:

```sh
nixos-rebuild --target-host [email protected] --flake path:.#rpi4 --use-remote-sudo switch
```

## Notes

- To edit `sops` secrets, use `SOPS_AGE_KEY=$(ssh-to-age -private-key -i ~/.ssh/id_ed25519) sops secrets.yaml`.
- To add a new key for a host:
  - First, get the `age` key from the host's SSH key: `ssh-keygen -y -f path/to/private/key | ssh-to-age` (`ssh-keygen -y` reads the private key file and prints the public key, which `ssh-to-age` converts to an `age` recipient)
  - Add the key to `.sops.yaml`
  - Update: `SOPS_AGE_KEY=$(ssh-to-age -private-key -i path/to/private/key) sops updatekeys secrets.yaml` (the private key must previously have been used to encrypt the file)
- `nixos-rebuild switch --flake .#hostname` will not allow access to untracked files. To [work around] this, do `nixos-rebuild switch --flake path:.#hostname`.
- Using `read` in `curl ... | bash` doesn't work as `read` does not have access to the terminal, so `source` is used instead.
- To fix the [`TypeError: BootSpec.__init__() missing 1 required positional argument`][bootspec-error], delete [symlinks to older generations] in `/nix/var/nix/profiles`, then rerun `nixos-rebuild switch`.
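The `updatekeys` step above only re-encrypts the data key for the recipients listed in `.sops.yaml`; if that file and the `sops:` metadata inside `secrets.yaml` drift apart, a new host cannot decrypt, or a decommissioned host keeps access. The following added example (not part of this repository) checks for that drift. It works on the dictionaries `yaml.safe_load` returns for `.sops.yaml` and for an encrypted file, and the embedded samples are constructed with placeholder recipient strings, not real keys:

```python
"""Compare the age recipients .sops.yaml assigns to a file with the
recipients actually recorded in that file's `sops:` metadata block.

Added example; assumes the two documents have already been loaded with
yaml.safe_load (YAML anchors such as &server resolve to plain strings).
"""
import re

# Constructed sample .sops.yaml (placeholder recipients, not real keys).
SOPS_CONFIG = {
    "keys": ["age1serverplaceholder", "age1laptopplaceholder"],
    "creation_rules": [
        {
            "path_regex": r"secrets\.yaml$",
            "key_groups": [
                {"age": ["age1serverplaceholder", "age1laptopplaceholder"]}
            ],
        }
    ],
}

# Constructed sample of an encrypted secrets.yaml: sops appends a `sops:`
# block listing one entry per age recipient that can unwrap the data key.
ENCRYPTED_DOC = {
    "tailscale_authkey": "ENC[AES256_GCM,data:placeholder,type:str]",
    "sops": {
        "age": [
            {"recipient": "age1serverplaceholder",
             "enc": "-----BEGIN AGE ENCRYPTED FILE-----\n...placeholder..."},
            {"recipient": "age1oldhostplaceholder",
             "enc": "-----BEGIN AGE ENCRYPTED FILE-----\n...placeholder..."},
        ],
        "version": "3.8.1",
    },
}


def expected_recipients(config, path):
    """Recipients the first matching creation rule assigns to `path`."""
    for rule in config.get("creation_rules", []):
        if not re.search(rule.get("path_regex", ""), path):
            continue
        found = set()
        # Long form: key_groups: [{age: [...]}, ...]
        for group in rule.get("key_groups", []):
            found.update(group.get("age", []))
        # Short form: age: "age1...,age1..." (comma-separated string)
        short = rule.get("age")
        if isinstance(short, str):
            found.update(k.strip() for k in short.split(",") if k.strip())
        return found
    return set()


def actual_recipients(doc):
    """Recipients recorded in the encrypted file's `sops.age` metadata."""
    return {entry["recipient"] for entry in doc.get("sops", {}).get("age", [])}


def check_recipients(config, doc, path):
    """Report drift between .sops.yaml and the encrypted file.

    missing: in .sops.yaml but not in the file -> run `sops updatekeys`.
    stale:   in the file but no longer in .sops.yaml -> that key can still
             decrypt; updatekeys removes it, and the data key should be
             rotated (`sops --rotate`) since the old host already held it.
    """
    want = expected_recipients(config, path)
    have = actual_recipients(doc)
    return {"missing": sorted(want - have), "stale": sorted(have - want)}


if __name__ == "__main__":
    report = check_recipients(SOPS_CONFIG, ENCRYPTED_DOC, "secrets.yaml")
    for kind, keys in report.items():
        for key in keys:
            print(f"{kind}: {key}")
```

On a real checkout, replace the two constants with `yaml.safe_load(open(".sops.yaml"))` and `yaml.safe_load(open("secrets.yaml"))`; the check only reads the `sops:` metadata, so no decryption key is needed to run it.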

## Resources

- Dotfiles: [dmadisetti], [Electrostasy], [reckenrode]
- Hyprland configs: [yurihikari], [Waayway]
- [Comparison of `git-crypt`, `agenix` and `sops-nix`][secrets]

[symlinks to older generations]: https://discourse.nixos.org/t/list-and-delete-nixos-generations/29637/6
[bootspec-error]: https://discourse.nixos.org/t/typeerror-bootspec-init-missing-1-required-positional-argument-initrdsecrets/38008
[secrets]: https://lgug2z.com/articles/handling-secrets-in-nixos-an-overview/
[Waayway]: https://github.com/Waayway/hyprland-waayway
[yurihikari]: https://github.com/yurihikari/garuda-sway-config
[electrostasy]: https://github.com/Electrostasy/dots
[reckenrode]: https://github.com/reckenrode/nixos-configs
[dmadisetti]: https://github.com/dmadisetti/.dots
[work around]: https://discourse.nixos.org/t/dirty-nixos-rebuild-build-flake-issues/30078/2
[LVM over LUKS]: https://wiki.archlinux.org/title/dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS
[installer]: https://channels.nixos.org/nixos-23.11/latest-nixos-minimal-x86_64-linux.iso
[automatic login]: https://askubuntu.com/questions/1352398/asking-for-password-when-i-open-vscode-for-the-first-time
[password]: https://askubuntu.com/questions/24770/gnome-keyring-keeps-asking-for-a-password-that-doesnt-exist/24773#24773
[Useful Commands]: useful-commands.md