nix flake lock --update-input nixpkgs sudo nixos-rebuild dry-activate --flake .#floki sudo nixos-rebuild switch --flake .#floki home-manager build --debug --flake .#gburd@floki home-manager switch -b bkup --flake .#gburd@floki nix-build '' -A config.system.build.sdImage -I nixos-config=./sdcard/rpi2.nix # Major differences: * sops/age for secrets * persistence/impermanence * Yubikeys are great, if you use them correctly https://www.procustodibus.com/blog/2023/04/how-to-set-up-a-yubikey/ * generate age public key from host's existing SSH keypair nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age' * trigger first encryption of a secrets file EDITOR=vi sops --config .sops.yaml --encrypt --in-place nixos/_mixins/secrets.yaml * edit secrets in that file later * When SOPS complains about your ~/.gnupg/secring.pgp file not being there try: export GPG_TTY=$(tty) gpgconf --reload gpg-agent * SOPS https://dev.to/stack-labs/manage-your-secrets-in-git-with-sops-common-operations-118g export SOPS_PGP_FP="D4BB42BE729AEFBD2EFEBF8822931AF7895E82DF" sops -e /etc/ssh/ssh_host_id > hosts/floki/ * labels * btrfs * sudo btrfs filesystem label * luks * FAT * sudo fatlabel * swap (see: https://discourse.nixos.org/t/how-do-i-set-up-a-swap-file/8323/7) * udevadm trigger INSTALL: nix-env -iA nixos.pkgs.gitAndTools.gitFull export device=/dev/nvme0n1 export hostname=floki wipefs/shread/scrub ${device} sgdisk --zap-all ${device} printf "label: gpt\n,550M,U\n,,L\n" | sfdisk ${device} mkfs.fat -L ESP -F 32 ${device} cryptsetup --verify-passphrase -v luksFormat --label "${hostname}_crypt" "${device}p2" cryptsetup open "${device}p2" "${hostname}_crypt" mkfs.btrfs -L ${hostname} /dev/mapper/"${hostname}_crypt" mount -t btrfs -o subvol=root /dev/disk/by-label/${hostname} /mnt btrfs subvolume create /mnt/root btrfs subvolume create /mnt/nix btrfs subvolume create /mnt/persist btrfs subvolume create /mnt/swap btrfs subvolume create /mnt/logs mount -t btrfs -o compress=zstd,subvol=root /dev/disk/by-label/"${hostname}" /mnt mkdir /mnt/{nix,persist,swap,var/logs} mount -t btrfs -o compress=zstd,noatime,subvol=nix /dev/disk/by-label/"${hostname}" /mnt/nix mount -t btrfs -o compress=zstd,subvol=persist /dev/disk/by-label/"${hostname}" /mnt/persist mount -t btrfs -o compress=zstd,noatime,subvol=logs /dev/disk/by-label/"${hostname}" /mnt/var/logs mount -t btrfs -o noatime,subvol=swap /dev/disk/by-label/"${hostname}" /mnt/swap mkdir /mnt/boot mount /dev/nvme0n1p1 /mnt/boot mount -t proc /proc /mnt/proc mount -t sysfs /sys /mnt/sys mount --bind /dev /mnt/dev mount --bind /dev/pts /mnt/dev/pts or for i in proc sys dev; do mount -o bind $i /mnt/$i; done nixos-generate-config --root /mnt nano /mnt/etc/nixos/configuration.nix # manually add mount options or cp from USB nixos-install nixos-generate-config --show-hardware-config fileSystems = { "/".options = [ "compress=zstd" ]; "/nix".options = [ "compress=zstd" "noatime" ]; "/persist".options = [ "compress=zstd" "noatime" ]; "/logs".options = [ "compress=zstd" "noatime" ]; "/swap".options = [ "noatime" ]; }; user hashedPassword: mkpasswd -m sha-512 SWAP file btrfs: https://discourse.nixos.org/t/how-do-i-set-up-a-swap-file/8323/7 btrfs filesystem mkswapfile --size 8g --uuid clear /swap/swapfile swapon? swapDevices = [ { device = "/dev/disk/by-label/swap/swapfile"; } ]; nixos-rebulid switch export NIX_CONFIG="experimental-features = nix-command flakes" nix-env -iA nixos.pinentry nixos.git nixos.direnv eval "$(direnv hook bash)" echo pinentry-program $(which pinentry) >> ~/.gnupg/gpg-agent.conf git clone https://github.com/gburd/nix-config.git cd nix-config nix develop export GPG_TTY=$(tty) gpg-connect-agent reloadagent /bye echo test | gpg --clearsign gpg --list-keys EDITOR=vi sops --config .sops.yaml nixos/_mixins/secrets.yaml sudo nixos-install --flake .#hostname reboot home-manager switch --flake .#username@hostname gsettings reset org.gnome.desktop.input-sources xkb-options gsettings reset org.gnome.desktop.input-sources sources sudo nixos-rebuild switch --flake .#my-hostname clear; sudo nixos-rebuild dry-activate --flake .#${hostname} sudo nix --extra-experimental-features "flakes nix-command" run github:nix-community/disko -- --mode disko nixos/${hostname}/disks.nix --arg disks '[ "/dev/nvme0n1" ]' --arg config.networking.hostName ${hostname} sudo nix run github:nix-community/disko -- --mode disko nixos/${hostname}/disks.nix ------- services.pcscd.enable = true; https://mt-caret.github.io/blog/posts/2020-06-29-optin-state.html https://hoverbear.org/blog/declarative-gnome-configuration-in-nixos/ https://github.com/wimpysworld/nix-config https://github.com/Misterio77/nix-config https://github.com/Misterio77/nix-starter-configs ------------------------------------------ TODO: * agenix: alternative to sops/age for secrets agenix.url = "github:ryantm/agenix"; agenix.inputs.nixpkgs.follows = "nixpkgs"; * "yet-another-nix-helper" https://github.com/viperML/nh * declarative disk partitioning/formatting https://github.com/nix-community/disko * https://aria2.github.io/ * https://github.com/schollz/croc ------------------------------------------ EXAMPLE COMMANDS: * nh os switch --ask * nix run github:viperML/nh -- os switch --ask --nom . * clear; sudo nixos-rebuild dry-activate --flake .#floki