Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
My NixOS Config
- Host: GitHub
- URL: https://github.com/extrange/nixos-config
- Owner: extrange
- Created: 2023-12-01T04:54:34.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2024-10-29T17:02:23.000Z (about 2 months ago)
- Last Synced: 2024-10-29T18:29:20.022Z (about 2 months ago)
- Language: Nix
- Homepage:
- Size: 8.06 MB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# My NixOS Configuration
![screenshot](./screenshot.jpg)
Secrets are managed with `sops-nix` and encrypted to `age` recipients derived from each host's own ed25519 SSH host key, so a host decrypts its secrets with the private key it already holds; anyone with root on that host, or a copy of its host key, can read them too.
[Useful Commands]
## Configuration
Host configuration is specified by `*.nix` files in `hosts/${hostname}`, e.g.:
- `system.nix`
- `hardware-configuration.nix` (generated by `nixos-generate-config`)
- Optionally, other files used as resources, e.g. `monitors.xml`

Hosts also inherit the configuration in `common/`.
See available options in `common-opt`.
When adding a new host, generate its SSH keypair in `server`'s `/home/user/keys` directory: `ssh-keygen -t ed25519 -f `
## Install
An encrypted root ([LVM over LUKS]) with zram will be set up. The root account is disabled.
> [!IMPORTANT]
> Before installing anything, back up your existing configuration:
>
> - Firefox profiles
> - `/etc/fstab` (if applicable)
> - `nm-cli` connections (if applicable)
> - VM images (if applicable)

Boot into the NixOS [installer].
Then, run:
```text
$ sudo -i
# source <(curl -s https://raw.githubusercontent.com/extrange/nixos-config/main/setup.sh)
```

Enter SSH login details when prompted. The script runs as root and sets up the disk layout described above, so read it before sourcing it.
Once installation is completed successfully, reboot.
## Post Install
- `git push` changes to `hardware-configuration.nix` for the respective host
- If necessary, add the new key to Github
- If remote access is required, add the host's public key to `known_hosts` in `common/system.nix` so other devices can connect without being prompted
  - NixOS generates new host keys every time a host is provisioned, and they are not configured declaratively here
- Pull Firefox profile
- Setup logins (these can't be declaratively set)
- Tailscale (Auth Key max expiry is 90 days)
- Telegram
- Syncthing: configure folders, add device to server
- GSConnect pairing
- VSCode settings sync (note: because of [automatic login], the keyring is not unlocked; it is, however, possible to use an insecure storage backend and disable the [password])

## Raspberry Pi 4
_Currently not working - GPU driver issues (`Qt Fatal: Could not open display`)._
For the initial build, build locally on another build host:
```sh
NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1 nix build path:.#nixosConfigurations.rpi4.config.system.build.sdImage --impure --max-jobs 1
```

_Note: the build host requires `boot.binfmt.emulatedSystems = [ "aarch64-linux" ]` set._
[`dd` the image to the sdcard](https://nix.dev/tutorials/nixos/installing-nixos-on-a-raspberry-pi.html):
```sh
sudo dd if= of=/dev/sdX bs=4096 conv=fsync status=progress
```

Subsequent builds can be pushed to the Pi remotely:
```sh
nixos-rebuild --target-host [email protected] --flake path:.#rpi4 --use-remote-sudo switch
```

## Notes
- To edit `sops` secrets, use `SOPS_AGE_KEY=$(ssh-to-age -private-key -i ~/.ssh/id_ed25519) sops secrets.yaml`.
- To add a new key for a host:
  - First, derive the `age` recipient from the host's SSH public key: `ssh-to-age < path/to/key.pub` (or `ssh-keyscan host | ssh-to-age` for a running host). Note that `ssh-keygen -y -f` takes a _private_ key and prints its public key, so `ssh-keygen -y -f path/to/private/key | ssh-to-age` works from the private key, not from the `.pub` file
  - Add the key to `.sops.yaml`
  - Update: `SOPS_AGE_KEY=$(ssh-to-age -private-key -i path/to/private/key) sops updatekeys secrets.yaml` (the private key must be one the file is already encrypted to, since `sops` has to decrypt the file before re-encrypting it to the new key set)
- `nixos-rebuild switch --flake .#hostname` will not allow access to untracked files. To [work around] this, do `nixos-rebuild switch --flake path:.#hostname`.
- Using `read` in `curl ... | bash` doesn't work as `read` does not have access to the terminal, so `source` is used instead.
- To fix the [`TypeError: BootSpec.__init__() missing 1 required positional argument`][bootspec-error], delete [symlinks to older generations] in `/nix/var/nix/profiles`, then rerun `nixos-rebuild switch`.
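To make the trust model behind the `sops-nix` setup and the `ssh-to-age` steps above concrete, here is an added example (not code from this repository or from `ssh-to-age` itself) that reimplements the public-key half of `ssh-to-age` in plain Python with no third-party dependencies: it turns an OpenSSH `ssh-ed25519` public-key line into the `age1...` recipient that goes into `.sops.yaml`. The recipient is a pure function of the host's SSH public key, which is exactly why the host's private key in `/etc/ssh` is the secret that decrypts `secrets.yaml`. The sample key line is constructed from the ed25519 base point purely as a test vector, and all function names are the example's own.

```python
"""Public-key half of `ssh-to-age`, reimplemented for illustration (added example,
not the project's code).  Requires Python 3.8+ (pow(x, -1, p) modular inverse)."""
import base64
import struct

P = 2**255 - 19  # field prime shared by ed25519 and X25519
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # BIP-173 alphabet
BECH32_GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)


def parse_ssh_ed25519(line: str) -> bytes:
    """Return the 32-byte compressed Edwards point from an `ssh-ed25519 AAAA... comment` line."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-ed25519":
        raise ValueError("not an ssh-ed25519 public key line")
    blob = base64.b64decode(fields[1])
    # OpenSSH wire format: two length-prefixed strings, the key type and the raw key.
    off, parts = 0, []
    try:
        for _ in range(2):
            (n,) = struct.unpack(">I", blob[off:off + 4])
            off += 4
            parts.append(blob[off:off + n])
            off += n
    except struct.error as exc:
        raise ValueError("truncated ssh-ed25519 key blob") from exc
    if parts[0] != b"ssh-ed25519" or len(parts[1]) != 32 or off != len(blob):
        raise ValueError("malformed ssh-ed25519 key blob")
    return parts[1]


def ed25519_to_x25519(point: bytes) -> bytes:
    """Map the Edwards y-coordinate to the Montgomery u-coordinate: u = (1 + y) / (1 - y) mod p.

    Only y is needed, so the x sign bit (top bit of the last byte) is discarded.
    """
    y = int.from_bytes(point, "little") & ((1 << 255) - 1)
    if y >= P or (1 - y) % P == 0:
        raise ValueError("point has no X25519 image")
    u = (1 + y) * pow((1 - y) % P, -1, P) % P
    return u.to_bytes(32, "little")


def _bech32_polymod(values):
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= BECH32_GEN[i]
    return chk


def _hrp_expand(hrp: str):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _convertbits(data: bytes, frombits: int, tobits: int):
    """Regroup bits (8 -> 5 for bech32), zero-padding the final group."""
    acc, bits, out = 0, 0, []
    maxv = (1 << tobits) - 1
    for b in data:
        acc = (acc << frombits) | b
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if bits:
        out.append((acc << (tobits - bits)) & maxv)
    return out


def bech32_encode(hrp: str, data: bytes) -> str:
    """Standard BIP-173 bech32 encoding of `data` under human-readable part `hrp`."""
    values = _convertbits(data, 8, 5)
    poly = _bech32_polymod(_hrp_expand(hrp) + values + [0] * 6) ^ 1
    checksum = [(poly >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(BECH32_CHARSET[d] for d in values + checksum)


def ssh_to_age(line: str) -> str:
    """SSH ed25519 public-key line -> age recipient (what `ssh-to-age` prints)."""
    return bech32_encode("age", ed25519_to_x25519(parse_ssh_ed25519(line)))


# Constructed test vector: the ed25519 base point B (y = 4/5), whose Montgomery
# image is u = 9.  A real host key line comes from `ssh-keyscan host` or from
# /etc/ssh/ssh_host_ed25519_key.pub on the host.
BASE_POINT = bytes([0x58]) + bytes([0x66]) * 31


def make_ssh_line(point: bytes, comment: str = "constructed@example") -> str:
    """Build an OpenSSH public-key line around a raw 32-byte point (test helper)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + point
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    print(ssh_to_age(make_ssh_line(BASE_POINT)))
```

To check it against the real tool, read a host's `ssh_host_ed25519_key.pub` line, pass it to `ssh_to_age`, and compare with the output of `ssh-to-age < ssh_host_ed25519_key.pub`; the two must agree byte for byte. The private-key half (deriving the matching `AGE-SECRET-KEY-1...` identity from the host's private key) is not shown here.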
## Resources

- Dotfiles: [dmadisetti], [Electrostasy], [reckenrode]
- Hyprland configs: [yurihikari], [Waayway]
- [Comparison of `git-crypt`, `agenix` and `sops-nix`][secrets]

[symlinks to older generations]: https://discourse.nixos.org/t/list-and-delete-nixos-generations/29637/6
[bootspec-error]: https://discourse.nixos.org/t/typeerror-bootspec-init-missing-1-required-positional-argument-initrdsecrets/38008
[secrets]: https://lgug2z.com/articles/handling-secrets-in-nixos-an-overview/
[Waayway]: https://github.com/Waayway/hyprland-waayway
[yurihikari]: https://github.com/yurihikari/garuda-sway-config
[electrostasy]: https://github.com/Electrostasy/dots
[reckenrode]: https://github.com/reckenrode/nixos-configs
[dmadisetti]: https://github.com/dmadisetti/.dots
[work around]: https://discourse.nixos.org/t/dirty-nixos-rebuild-build-flake-issues/30078/2
[LVM over LUKS]: https://wiki.archlinux.org/title/dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS
[installer]: https://channels.nixos.org/nixos-23.11/latest-nixos-minimal-x86_64-linux.iso
[automatic login]: https://askubuntu.com/questions/1352398/asking-for-password-when-i-open-vscode-for-the-first-time
[password]: https://askubuntu.com/questions/24770/gnome-keyring-keeps-asking-for-a-password-that-doesnt-exist/24773#24773
[Useful Commands]: useful-commands.md